Access Layer Functionality

This section describes the access layer functions and the interaction of the access layer with the distribution layer and local or remote users. The access layer is the concentration point at which clients access the network. Access layer devices control traffic by localizing service requests to the access media. The purpose of the access layer is to grant user access to network resources. Following are the access layer's characteristics: In the campus environment, the access layer typically...

Analyzing Network Traffic and Applications

Traffic analysis is the third step in characterizing a network. Traffic analysis verifies the set of applications and protocols used in the network and determines the applications' traffic patterns. It might reveal any additional applications or protocols running on the network. Each discovered application and protocol should be described in the following terms: security-related requirements; scope (in other words, the network modules in which the application or protocol is used). Use the...

ANS Components

Figure 3-24 illustrates an example of ANS deployed in offices connected over a WAN, providing LAN-like performance to users in the branch, regional, and remote offices. ANS components are deployed symmetrically in the data center and the distant offices. The ANS components in this example are as follows: Cisco Wide Area Application Services (WAAS) software: Cisco WAAS software gives remote offices LAN-like access to centrally hosted applications, servers, storage, and multimedia. Cisco Wide Area...

ANS Examples

Table 3-1 illustrates some sample application deployment issues that many IT managers face today and how ANS resolves these issues. Table 3-1 Examples of Application Deployment Issues and Solutions. Issue: Consolidation of data centers results in remote employees having slower access to centrally managed applications. Solution: Wide-area application services in the branch office that compress, cache, and optimize content for remote users so that...

Answers to Review Questions

1. The Cisco vision for an intelligent information network includes the following: integration of networked resources and information assets that have been largely unlinked; intelligence across multiple products and infrastructure layers; and active participation of the network in the delivery of services and applications. 2. Evolving to an intelligent information network consists of three phases in which functionality can be added to the infrastructure as required: Phase 1, Integrated transport: Everything...

Ii

For the Enterprise Campus, DHCP and internal DNS servers should be located in the Server Farm; these servers should be redundant. For remote locations, Cisco routers can provide DHCP and DNS at the Enterprise Edge. External DNS servers should be redundant, for example, at two service provider facilities, or one at a service provider facility and one in a demilitarized zone at the Enterprise Campus or remote data center.

Calculating the Networks for a Subnet Mask

After you identify your subnet mask, you must calculate the ten subnetted network addresses to use with 172.16.0.0 255.255.240.0. One way to do this is as follows: Step 1: Write the subnetted address in binary format, as shown at the top of Figure B-7. If necessary, use the decimal-to-binary conversion chart provided in Table B-1. Figure B-7 Calculating the Subnets Shown in Figure B-6 in Binary: 10101100.00010000.00000000.00000000. Step 2: On the binary address, draw a line...

Calculating Trunk Capacity or Bandwidth

The trunk capacity for voice calls can be calculated by the following formula: Trunk capacity = (number of simultaneous calls to be supported) * (bandwidth required per call). The first component of this formula, the number of simultaneous calls to be supported, is the number of circuits required for the known amount of traffic, as calculated from the Erlang tables. NOTE: If 100 percent of calls must go through, Erlang tables are not required; instead, the maximum number of simultaneous calls...

Case Study 10-2 ACMC Hospital Network: Connecting More Hospitals

This case study is a continuation of ACMC Hospital Case Study 10-1. Use the scenarios, information, and parameters provided at each task of the ongoing case study. If you encounter ambiguities, make reasonable assumptions and proceed. For all tasks, use the initial customer scenario and build on the solutions provided thus far. You can use any and all documentation, books, white papers, and so on. In each step, you act as a network design consultant. Make creative proposals to accomplish the...

Case Study ACMC Hospital Network Upgrade

This case study analyzes the network infrastructure of Acme County Medical Center (ACMC) Hospital, a fictitious small county hospital in the United States. This same case study is used throughout the remainder of the book so that you can continue to evaluate your understanding of the concepts presented. Use the scenarios, information, and parameters provided at each task of the ongoing case study. If you encounter ambiguities, make reasonable assumptions and proceed. For all tasks, use the...

Case Study ACMC Hospital Network Voice Design

This case study is a continuation of the ACMC Hospital case study introduced in Chapter 2. Use the scenarios, information, and parameters provided at each task of the ongoing case study. If you encounter ambiguities, make reasonable assumptions and proceed. For all tasks, use the initial customer scenario and build on the solutions provided thus far. You can use any and all documentation, books, white papers, and so on. In each step, you act as a network design consultant. Make creative...

Case Study Answers

The following are some of the infrastructure aspects that should be considered: Switches and power supplies that support PoE should be recommended. The available building wiring closet power, cooling, and space need to be reviewed. QoS mechanisms should be considered, including in the Campus switches and on the WANs. CAC might be required for calls from the clinics to the main campus. cRTP and LFI can also be considered. The current cabling infrastructure and configuration need to be reviewed,...

Case Study Questions

Step 1: Identify key business security requirements, risks, and threats about which ACMC should be concerned. Step 2: Design the Enterprise Edge modules for ACMC (E-commerce, Internet Connectivity, Remote Access and VPN, and WAN and MAN and Site-to-Site VPN). Determine how they should connect to the rest of the ACMC Hospital network. The design can use a consolidated approach in which devices are shared between modules. Step 3: Design the security for remote clinics, using the Internet with VPN...

Catalyst Services Modules

The following are various security-related modules for the Cisco Catalyst 6500 Series switching platform (and some are also for the Cisco 7600 Series routers): Cisco Catalyst 6500 Series FWSM: The Cisco FWSM is a high-speed, integrated firewall module for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers. Up to four Cisco FWSMs can be installed in a single chassis, providing scalability up to 20 Gbps per chassis. The Cisco FWSM includes many advanced features, such as multiple...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at...

Centralized WLAN Components

As illustrated in Figure 3-23, the four main components in a centralized WLAN deployment are as follows: End-user devices: A PC or other end-user device in the access layer uses a wireless NIC to connect to an access point (AP) using radio waves. Wireless APs: APs, typically in the access layer, are shared devices that function similarly to a hub. Cisco APs can be either lightweight or autonomous. Lightweight APs are used in centralized WLAN deployments. A lightweight AP receives control and...

Characteristics of the OSI Layers

The OSI reference model's seven layers can be divided into two categories: upper layers and lower layers. The upper layers contend with application issues and are generally only implemented in software. The highest layer, the application layer, is closest to the end user. Both users and application layer processes interact with software applications that contain a communications component. The term upper layer is sometimes used to refer to any layer above another layer in the OSI model....

Cisco UWN Review

Figure 9-22 reviews the key concepts of the Cisco UWN design. (Chapter 9, Wireless Network Design Considerations, page 614.) Figure 9-22 Cisco UWN; figure labels: Third-Party Integrated Applications (E911, Asset Tracking, ERP, Workflow Automation). Cisco client devices or Cisco Compatible client devices are at the foundation of the UWN, connected to Cisco lightweight...

Configuring Inside Global Address Overloading or PAT

The following procedure configures inside global address overloading: Step 1: At a minimum, IP routing and appropriate IP addresses must be configured on the router. Step 2: Configure dynamic address translation, as described in the "Configuring NAT for Basic Local IP Address Translation" section earlier in this appendix. When you define the mapping between the access list and the IP NAT pool, add the overload keyword to the command: Router(config)# ip nat inside source list access-list-number pool...

D

DAI (Dynamic ARP Inspection), DoS attacks, 659 dark fiber (cable), 314-315 data availability, 655 Data Center Access layer (Enterprise Data Center networks), 274 Data Center Aggregation layer (Enterprise Data Center networks), 274-275 Data Center Core layer (Enterprise Data Center networks), 275 Data Center modules (Enterprise Architecture), 144, 158 Data Center networks, 268 architecture framework, 269-271 cooling, 276 Data Center Access layer, 274 Data Center Aggregation layer, 274-275...

Data units

A frame is an information unit whose source and destination are data link layer entities. A frame is composed of the data link layer header (and possibly a trailer) and upper-layer data. The header and trailer contain control information that is intended for the destination system's data link layer entity. The data link layer header and trailer encapsulate data from upper-layer entities. Figure C-8 illustrates the basic components of a data link layer frame. Figure C-8 Data from Upper-Layer...

Deploying Security in the Enterprise Campus

Consider an organization that has experienced several incidents in which laptop users on the campus network have brought in viruses from home, some users have attempted to intercept network traffic, and some interns have tried to hack the network infrastructure. To manage the risks, the organization implements identity and access control solutions, threat detection and mitigation solutions, infrastructure protection, and security management. Figure 10-21 illustrates where various security...

Design Considerations for Guest Services in Wireless Networks

Providing wireless guest services with traditional autonomous APs poses significant challenges. To maintain internal corporate network security, guest traffic must be restricted to the appropriate subnet and VLAN; these guest VLANs must extend throughout the infrastructure to reach every location where guest access is required. Reconfiguring the access switches that serve conference rooms, offices, and cubicles to selectively adjust VLANs for guest access can involve many network staff hours....

Designing an Enterprise Campus

The Enterprise Campus network is the foundation for enabling business applications, enhancing productivity, and providing a multitude of services to end users. The following three characteristics should be considered when designing the campus network: Network application characteristics: The organizational requirements, services, and applications place stringent requirements on a campus network solution; for example, in terms of bandwidth and delay. Environmental characteristics: The network's...

Designing Remote Connectivity

This chapter discusses the WAN function that provides access to remote sites and the outside world. It details WAN technologies and WAN design considerations. The chapter explores how these technologies are used, including for remote access, with virtual private networks (VPN), for backup, and how the Internet is used as a backup WAN. This chapter describes the Enterprise WAN and metropolitan-area network (MAN) architecture, and the Enterprise Branch and Teleworker architectures. The selection...

Determining an IP Address Class

To accommodate large and small networks, the 32-bit IP addresses are segregated into Classes A through E. The first few bits of the first octet determine the class of an address; this then determines how many network bits and host bits are in the address. Figure B-4 illustrates the bits for Class A, B, and C addresses. Each address class allows for a certain number of network addresses and a certain number of host addresses within a network. Table B-2 shows the address format, the address range,...

Distance Vector Versus Link State Versus Hybrid Protocols

There are two main types of routing protocols: Distance vector protocol: In a distance vector protocol, routing decisions are made on a hop-by-hop basis. Each router relies on its neighbor routers to make the correct routing decisions. The router passes only the results of this decision (its routing table) to its neighbors. Distance vector protocols are typically slower to converge and do not scale well; however, they are easy to implement and maintain. Examples of distance vector protocols...

Documenting the Design

A design document lists the design requirements, documents the existing network and the network design, identifies the proof-of-concept strategy and results, and details the implementation plan. The final design document structure should be similar to the one in Figure 2-26, which includes: Introduction: Every design document should include an introduction to present the main reasons leading to the network design or redesign. Design requirements: Also a mandatory part of any design document, this...

Dynamic IPv6 Address Assignment

IPv6 dynamic address assignment strategies allow dynamic assignment of IPv6 addresses, as follows: Link-local address: The host configures its own link-local address autonomously, using the link-local prefix FE80::/10 and a 64-bit identifier for the interface, in an EUI-64 format. Stateless autoconfiguration: A router on the link advertises, either periodically or at the host's request, network information, such as the 64-bit prefix of the local network and its willingness to function as a default router...

E

E&M (Ear & Mouth) signaling, analog signaling, 491 EAP-FAST (EAP-Flexible Authentication via Secure Tunneling), UWN, 587 EAP-TLS (EAP-Transport Layer Security), UWN, 587 EAP-TTLS (EAP-Tunneled Transport Layer Security), UWN, 587 EBGP (External Border Gateway Protocol), 460 echo cancellers, 528-529 echo trails, 529 hybrid transformers, 528 inverse speech, 529 irritation zones, 529 telephones, 528 voice networks, 527-528 ECN (Explicit Congestion Notification), 329-330 Architecture), 152...

Effl

Figure label: Stairwells (Reinforced Building Area). KEY POINT: In general, an AP can support approximately seven to eight wireless phones or about 20 data-only devices. The facility should be visually inspected to identify potential issues, such as metal racks, elevator shafts, stairwells, and microwave equipment. The next step in the RF site survey process is to identify preliminary AP locations based on the planned coverage area and user density. This step can be supported with several tools. For example,...

Enterprise Branch Architecture

Recall that the Cisco Enterprise Architecture, based on the Cisco SONA, includes branch modules that focus on the remote places in the network. Enterprises are seeking opportunities to protect, optimize, and grow their businesses by increasing security, consolidating voice, video, and data onto a single IP network, and investing in applications that will improve productivity and operating efficiencies. These services provide enterprises with new opportunities to reduce costs, improve...

Enterprise Campus Design

As discussed in Chapter 3, the Enterprise Campus functional area is divided into the following modules: Campus Infrastructure: This module includes three layers: The Building Distribution layer. Edge Distribution (optional). This section discusses the design of each of the layers and modules within the Enterprise Campus and identifies best practices related to the design of each.

Enterprise Edge WAN and MAN Considerations

When selecting Enterprise Edge technologies, consider the following factors: Support for network growth: Enterprises that anticipate significant growth should choose a technology that allows the network to grow with their business. WAN technologies with high support for network growth make it possible to add new branches or remote offices with minimal configuration at existing sites, thus minimizing the costs and IT staff requirements for such changes. WAN technologies with lower support for...

Enterprise Teleworker Module

The Enterprise Teleworker module provides people in geographically dispersed locations, such as home offices or hotels, with highly secure access to central-site applications and network services. The Enterprise Teleworker module supports a small office with one to several employees or the home office of a telecommuter. Telecommuters might also be mobile users: people who need access while traveling or who do not work at a fixed company site. Depending on the amount of use and the WAN services...

Evolution of Enterprise Networks

You do not have to go far back in history to find a time when networks were primarily used for file and print services. These networks were isolated LANs that were built throughout the enterprise organization. As organizations interconnected, these isolated LANs and their functions grew from file and print services to include critical applications; the critical nature and complexity of the enterprise networks also grew. As discussed in the previous section, Cisco introduced the hierarchical...

Global Aggregatable Unicast Addresses

IPv6 global aggregatable unicast addresses are equivalent to IPv4 unicast addresses. The structure of global aggregatable unicast addresses enables summarization (aggregation) of routing prefixes so that the number of routing table entries in the global routing table can be reduced. Global unicast addresses used on links are aggregated upward, through organizations, and then to intermediate-level ISPs, and eventually to top-level ISPs. A global unicast address typically consists of a 48-bit...

Gradient of Trust

The gradient of trust determines the trust level between domains, which can be minor to extreme, and determines the extent of security safeguards and attention to monitoring required. The trust relationship between segments should be controlled at defined points, using some form of network firewall or access control, as illustrated in the examples in Figure 10-11. Mastering domains of trust is a key component of good network security design. Figure 10-11 Domains and Gradients of Trust Private...

Guidelines for Creating an Enterprise Network

When creating an Enterprise network, divide the network into appropriate areas, where the Enterprise Campus includes all devices and connections within the main Campus location; the Enterprise Edge covers all communications with remote locations and the Internet from the perspective of the Enterprise Campus; and the remote modules include the remote branches, teleworkers, and the remote data center. Define clear boundaries between each of the areas. NOTE: Depending on the network, an enterprise...

H

Examples of, 507 gatekeepers, 505-506 gateways, 504 MCU, 506 terminals, 504 IPv6 packet headers, 406-407 TCP headers (TCP IP protocol suite, transport layer), 20 UDP headers (TCP IP protocol suite, transport layer), 20 health checklists (networks), network design methodologies, 102-103 HID (Human Interface Device), 164 hierarchical network design access layer, 129 example of, 133 L2 switching, 132-133 multilayer switching, 132-133 role of, 131 backbone layer. See core layer core layer, 129,...

H.323

H.323 is an ITU-T standard for packet-based audio, video, and data communications across IP-based networks. The ITU-T H.323 standard is a foundation for audio, video, and data communications across IP-based networks, including the Internet. By complying with the H.323 standard, multimedia products and applications from multiple vendors can interoperate, thereby allowing users to communicate without concern for compatibility. The H.323 standard is broad in scope and includes standalone devices...

Hierarchical Network Model

The hierarchical network model provides a framework that network designers can use to help ensure that the network is flexible and easy to implement and troubleshoot. As shown in Figure 3-1, the hierarchical network design model consists of three layers: The access layer provides local and remote workgroup or user access to the network. The distribution layer provides policy-based connectivity. The core (or backbone) layer provides high-speed transport to satisfy the connectivity and transport...

Hierarchical Routing in the WAN

Figure 3-7 shows an example of hierarchical routing in the WAN portion of a network. Figure 3-7 Hierarchical Routing in the WAN. In Figure 3-7, a typical packet between access sites follows these steps: Step 1: The packet is Layer 3-forwarded toward the distribution router. Step 2: The distribution router forwards the packet toward a core interface. Step 3: The packet is forwarded across the WAN core. Step 4: The receiving distribution router forwards the...

IEEE 802.11 Operational Standards

In September 1999 the IEEE ratified the IEEE 802.11a standard (5 GHz at 54 Mbps) and the IEEE 802.11b standard (2.4 GHz at 11 Mbps). In June 2003, the IEEE ratified the 802.11g standard (2.4 GHz at 54 Mbps); this standard is backward-compatible with 802.11b systems, because both use the same 2.4-GHz bandwidth. The following are the existing IEEE 802.11 standards for wireless communication: 802.11a: 54 Mbps at 5 GHz, ratified in 1999. 802.11b: 11 Mbps at 2.4 GHz, ratified in 1999. 802.11d: World mode,...

IEEE 802.1X and IBNS

Recall from Chapter 9 that IEEE 802.1X is an open standards-based protocol for authenticating network clients (or ports) based on a user ID or on the device. 802.1X runs between end devices or users (called supplicants) trying to connect to ports, and an Ethernet device, such as a Cisco Catalyst switch or Cisco wireless access point (AP) (called the authenticator). Authentication and authorization are achieved with back-end communication to an authentication server such as Cisco Secure Access...

IGP and EGP Example

Figure 7-2 shows three interconnected autonomous systems (domains). Each AS uses an IGP for intra-AS (intra-domain) routing. Figure 7-2 Interior Protocols Are Used Inside and Exterior Protocols Are Used Between Autonomous Systems. The autonomous systems require some form of interdomain routing to communicate with each other. Static routes are used in simple cases; typically, an EGP is used....

Information Exchange Process

The information exchange process occurs between peer OSI layers. Each layer in the source system adds control information to data, and each layer in the destination system analyzes and removes the control information from that data. For example, if System A sends data from a software application to System B, the data is passed to System A's application layer. System A's application layer then communicates any control information required by System B's application layer by prepending a header to...

Integrated IS-IS Terminology

ISO specifications call routers intermediate systems. Thus, IS-IS is a router-to-router protocol, allowing routers to communicate with other routers. IS-IS routing takes place at two levels within an AS: Level 1 (L1) and Level 2 (L2). L1 routing occurs within an IS-IS area and is responsible for routing inside an area. All devices in an L1 routing area have the same area address. Routing within an area is accomplished by looking at the locally significant address portion, known as the system ID,...

Integrated Security Within Network Devices

This section explains the security features integrated in Cisco network devices. To design and implement a secure network, it is necessary to integrate security in every part of the network environment. Cisco network devices supporting integrated security include the following: security appliances, including Cisco PIX security appliances; endpoint security solutions. The following sections describe these devices. Devices based on Cisco IOS software incorporate various security features to create an...

Interaction Between OSI Model Layers

A given OSI layer generally communicates with three other OSI layers: the layer directly above it, the layer directly below it, and its peer layer in other networked computer systems. For example, System A's data link layer communicates with System A's network layer, System A's physical layer, and System B's data link layer. Figure C-3 illustrates this interaction example. Figure C-3 OSI Model Layer Communicates with Three Other Layers

Interface Identifiers in IPv6 Addresses

In IPv6, a link is a network medium over which network nodes communicate using the link layer. Interface IDs in IPv6 addresses are used to identify a unique interface on a link. They can also be thought of as the host portion of an IPv6 address. Interface IDs are required to be unique on a link and can also be unique over a broader scope. When the interface identifier is derived directly from the data link layer address of the interface, the scope of that identifier is assumed to be universal...

Internal Security

Strongly protecting the internal Enterprise Campus by including security functions in each individual element is important for the following reasons: If the security established at the Enterprise Edge fails, an unprotected Enterprise Campus is vulnerable. Deploying several layers of security increases the protection of the Enterprise Campus, where the most strategic assets usually reside. Relying on physical security is not enough. For example, as a visitor to the organization, a potential...

Introduction to Integrated Networks

Figure 8-14 illustrates a typical enterprise WAN with separate data and voice networks. Integrating data, voice, and video in a network enables vendors to introduce new features. The unified communications network model enables distributed call routing, control, and application functions based on industry standards. Enterprises can mix and match equipment from multiple vendors and geographically deploy these systems wherever they are needed. One means of creating an integrated network is to...

Introduction to WANs

This section defines a WAN and describes its primary design objectives. A WAN is a data communications network that covers a relatively broad geographic area. A WAN typically uses the transmission facilities provided by service providers (SP) (also called carriers), such as telephone companies. Switches, or concentrators, connect the WAN links, relay information through the WAN, and enable the services it provides. A network provider often charges users a fee, called a tariff, for the services...

Introduction to Wireless Technology

NOTE: As noted in the introduction to this book, we assume that you understand the wireless networking material in the Cisco Press title Building Cisco Multilayer Switched Networks (BCMSN) (Authorized Self-Study Guide), 4th Edition, ISBN 1-58705-273-3. This section includes some material from that book as an introduction to wireless technology. Refer to that Cisco Press BCMSN title for more detailed information. A wireless communication system uses radio frequency (RF) energy to transmit data...

IP Standard Access Lists

Standard access lists permit or deny packets based only on the packet's source IP address, as shown in Figure B-9. The access list number range for standard IP access lists is 1 to 99 or from 1300 to 1999. Standard access lists are easier to configure than their more robust counterparts, extended access lists. Figure B-9 Standard IP Access Lists Filter Based Only on the Source Address. A standard access list is a sequential collection of permit and deny conditions that apply to source IP...

IP Telephony Components

An IP telephony network contains four main voice-specific components: IP phones: IP phones are used to place calls in an IP telephony network. They perform voice-to-IP (and vice versa) coding and compression using special hardware. IP phones offer services such as user directory lookups and Internet access. The phones are active network devices that require power to operate; power is supplied through the LAN connection using PoE or with an external power supply. Switches with inline power: Switches...

IPv4 Access Lists

Figure B-8 Access Lists Control Packet Movement Through a Network; figure label: Transmission of Packets on an Interface. Table B-5 shows the available types of IP access lists on a Cisco router and their access list numbers. Named access lists are also available for IP. This section covers IP standard and extended access lists. For information on other types of access lists, refer to the technical documentation on the Cisco website at http://www.cisco.com. WARNING: Cisco IOS Release 10.3 introduced substantial...

IPv4 Addresses and Subnetting Job Aid

Figure B-1 is a job aid to help you with various aspects of IP addressing, including how to distinguish address classes, the number of subnets and hosts available with various subnet masks, and how to interpret IP addresses.
Class A: Net/Host N.H.H.H; first octet 1-126; standard mask (binary) 1111 1111 0000 0000 0000 0000 0000 0000
Class B: Net/Host N.N.H.H; first octet 128-191; standard mask (binary) 1111 1111 1111 1111 0000 0000 0000 0000
Class C: Net/Host N.N.N.H; first octet 192-223; standard mask (binary) 1111 1111 1111 1111 1111 1111 0000 0000
Address 172.16.5.72 in binary: 1010 1100 0001 0000 0000 0101 0100...

IPv6 Address Format

Rather than using dotted-decimal format, IPv6 addresses are written as hexadecimal numbers with colons between each set of four hexadecimal digits (which is 16 bits); we like to call this the coloned hex format. The format is x:x:x:x:x:x:x:x, where x is a 16-bit hexadecimal field. A sample address is as follows. Fortunately, you can shorten the written form of IPv6 addresses. Leading 0s within each set of four hexadecimal digits can be omitted, and a pair of colons (::) can be used, once within an...

IPv6 Routing Protocols

The routing protocols available in IPv6 include interior gateway protocols (IGP) for use within an autonomous system and exterior gateway protocols (EGP) for use between autonomous systems. As with IPv4 CIDR, IPv6 uses the same longest-prefix match routing. Updates to the existing IPv4 routing protocols were necessary for handling longer IPv6 addresses and different header structures. Currently, the following updated routing protocols or draft proposals are available: Integrated IS-IS version 6...

J K L

Jitters (voice video applications), 318, 526 L2 (Layer 2) switching, 132-133, 137-138 L3 (Layer 3) switching. See multilayer switches Label Distribution Protocol, 302 LAN (Local Area Networks), 4, 11 OSI model, 7 protocols, 6 standards, 11 switches, 15 VLAN, 47 membership in, 48 routing, 51 STP, 49-50 trunks, 49 WLAN, 565-566 571-577 absorption (RF), 567 agencies and standards groups, 570-571 antennas, 570, 573 AP power, 578-579 AP, BSS, 579 AP, SSID, 579 autonomous AP, 578 centralized...

LANs and WANs

LANs were first used between PCs when users needed to connect with other PCs in the same building to share resources. A LAN is a high-speed, yet relatively inexpensive, network that allows connected computers to communicate. LANs have limited reach (hence the term local-area network), typically less than a few hundred meters, so they can connect only devices in the same room or building, or possibly within the same campus. A LAN is an always-on connection; in other words, you don't have to dial...

Link State Example

Both OSPF and Integrated IS-IS use the Hello protocol for establishing neighbor relationships. Those relationships are stored in a neighbor table (also called an adjacencies database). Each router learns a complete network topology from information shared through these neighbor relationships. That topology is stored in the router's link-state database (LSDB), also called the topology table or topology database. Each router uses this topology and the SPF algorithm to create a shortest-path tree...

NAC Framework and Cisco NAC Appliance

NAC allows network access only to compliant and trusted wired or wireless endpoint devices, such as PCs, laptops, servers, and personal digital assistants (PDA), and it can restrict the access of noncompliant devices. Two NAC options are available: the NAC framework and the NAC appliance. The NAC framework is an industrywide initiative led by Cisco that uses the network infrastructure and third-party software to enforce security policy compliance on all endpoints. The NAC framework is sold...

Name Resolution

Names are used to identify different hosts and resources on the network and to provide user-friendly interaction with computers; a name is much easier to remember than an IP address. This section covers the purpose of name resolution, provides information about different available name resolution strategies, and discusses Domain Name System (DNS) name resolution. Hosts (computers, servers, printers, and so forth) identify themselves to each other using various naming schemes. Each computer on...

NAT and PAT Operation

NAT can be used to perform several functions, including the following:

Static address translation: Establishes a one-to-one mapping between inside local and global addresses.

Dynamic source address translation: Establishes a dynamic mapping between the inside local and global addresses by associating the local addresses to be translated with a pool of addresses from which to allocate global addresses. The router creates translations as needed.

Address overloading: Can conserve addresses in the...

NetFlow Versus RMON Information Gathering

NetFlow can be configured on individual interfaces, thereby providing information on traffic that passes through those interfaces and collecting the following types of information:

Source and destination interfaces and IP addresses
Input and output interface numbers
TCP/UDP source and destination ports
Number of bytes and packets in the flow
Source and destination autonomous system numbers (for BGP)

Compared to using SNMP with RMON MIB, NetFlow's information-gathering benefits include...

Objectives of This Book

The goal of this book is to provide you with the knowledge you need to gather internetworking requirements, identify solutions, and design the network infrastructure and services to ensure basic functionality, using the principles of hierarchical network design to structure and modularize a converged enterprise network design. Design tasks might include understanding the design methodology, structuring and modularizing the network design using the Cisco Enterprise Architecture, designing the...

OSI Layer Services

One OSI layer communicates with another layer to make use of the services provided by that other layer. The services provided by adjacent layers help a given OSI layer communicate with its peer layer in other computer systems. Layer services involve three basic elements: the service user, the service provider, and the service access point (SAP). In this context, the service user is the OSI layer that requests services from an adjacent OSI layer. The service provider is the OSI layer that...

OSI Model's Data Link Layer

The data link layer reliably transits data across a physical network link. Different data link layer specifications define different network and protocol characteristics, including physical addressing, network topology, error notification, frame sequencing, and flow control. Physical addressing (as opposed to network addressing) defines how devices are addressed at the data link layer. A network topology consists of the data link layer specifications that often define how devices are to be...

OSI Model's Presentation Layer

The presentation layer provides a variety of coding and conversion functions that are applied to application layer data. These functions ensure that information sent from one system's application layer is readable by another system's application layer. Some examples of presentation layer coding and conversion schemes include common data representation formats, conversion of character representation formats, common data compression schemes, and common data encryption schemes. Common data...

OSPF Characteristics

OSPF is a link-state protocol that has the following characteristics for deployment in enterprise networks: Fast convergence: OSPF achieves fast convergence times using triggered link-state updates that include one or more link-state advertisements (LSA). LSAs describe the state of links on specific routers and are propagated unchanged within an area. Therefore, all routers in the same area have identical topology tables; each router has a complete view of all links and devices in the area....

Overloading Inside Global Addresses

Figure D-3 illustrates NAT operation when a single inside global address simultaneously represents multiple inside local addresses; overloading addresses is also known as PAT. Figure D-3 PAT Overloading Inside Global Addresses. The following describes the process of overloading inside global addresses, as depicted in Figure D-3. Step 1: The user at Host 10.1.1.1 opens a connection to Host B. Step 2: The first packet the router receives from Host 10.1.1.1...

P

P2P VPN (Peer-to-Peer Virtual Private Networks), WAN design, 337 packet sniffers, Edge Distribution module, 263 packet-switched networks, 12, 296-298 packets, 856 BER, WAN design, 318 classification, 242, 538 delays, voice networks, 521-523 FEC, 301 filtering, ACL extended, 830-837, 839 standard, 821-829 IPv6, packet headers, 406-407 loss voice networks, 527 WAN design, 318 marking, 242, 538 switching, 27 unicast packets, 16 PAgP (Port Aggregation Protocol), managing in Enterprise Campus...

Physical Security Guidelines

The traditional method of managing the risk of physical compromise is to deploy physical access controls using techniques such as locks or alarms. It is also important to identify how a physical security breach might interact with network security mechanisms. For example, there could be a significant risk if an attacker physically accesses a switch port located in a corporate building and from there has unrestricted access to the corporate network. If, during the development of the security...

Private and Public IPv4 Addresses

Recall from Chapter 1 that the IP address space is divided into public and private spaces. Private addresses are reserved IP addresses that are to be used only internally within a company's network, not on the Internet. Private addresses must therefore be mapped to a company's external registered address when sending anything on the Internet. Public IP addresses are provided for external communication. Figure 6-1 illustrates the use of private and public addresses in a network. Figure 6-1...

R

RAP (Rooftop AP), outdoor wireless network design considerations, 632-633 RDP (Remote Desktop Protocol), 171 REAP (Remote Edge Access Protocols), 639-641 REAP mode (lightweight AP), 601 reconnaissance (networks) Edge Distribution module, Campus Core layer, 263 RED (Random Early Detection), 329 redesigning networks (network design methodologies), 119-120 redirect servers, SIP, 518 redundancy building distribution layer, Enterprise Campus networks, 253-255 deterministic WLC redundancy, 624 N + 1...

Recommended Practices for Infrastructure Protection

The following are some recommended practices for infrastructure protection:

Allow only SSH, instead of Telnet, to access devices.
Enable AAA and role-based access control (using RADIUS or TACACS+) for access to the command-line interface (CLI) and privileged mode access on all devices.
Collect and archive syslog messages (event notification messages) from network devices on a syslog server.
When using Simple Network Management Protocol (SNMP), use SNMP version 3 (SNMPv3) and its authentication...

Remote Access Network Design

When you're designing remote-access networks for teleworkers and traveling employees, the type of connection drives the technology selection, such as whether to choose a data link or a network layer connection. By analyzing the application requirements and service provider offerings, you can choose the most suitable of a wide range of remote-access technologies. Typical remote-access requirements include the following: Data link layer WAN technologies from remote sites to the Enterprise Edge...

Restricting Virtual Terminal Access

This section discusses how you can use standard access lists to limit virtual terminal access. Standard and extended access lists block packets from going through the router. They are not designed to block packets that originate within the router. An outbound Telnet extended access list does not prevent router-initiated Telnet sessions by default. For security purposes, users can be denied virtual terminal (vty) access to the router, or they can be permitted vty access to the router but denied...

Review Questions

Answer the following questions, and then refer to Appendix A for the answers. 1. Figure 3-38 presents a sample hierarchically structured network. Some of the devices are marked with letters. Map the marked devices to the access, distribution, and core layers in this figure. 2. Describe the role of each layer in the hierarchical network model. 3. True or false: Each layer in the hierarchical network model must be implemented with distinct physical devices. 4. Which two statements are true? a....

RIPv2 Convergence Example

RIPv2 is a distance vector protocol that periodically propagates its routing information. Distance vector protocols use the principle of hold-down to prevent routing loops. Putting a route in hold-down after the route has failed (perhaps due to a link failure) means that if a routing update arrives with the same or a worse metric, the new route is not installed until the hold-down timer expires. Even though the destination might no longer be reachable, a route in hold-down is still used to...

Routers Work at the Lower Three OSI Layers

The router doesn't care what is in the higher layers, that is, what kind of data is in the packet. The router is just responsible for sending the packet the correct way. The router does have to be concerned with the data link and physical layers, though, because it might have to receive and send data on different media. For example, a packet received on an Ethernet LAN might have to be sent out on a Frame Relay WAN, requiring the router to know how to communicate on both these types of media. In terms of...

Routing in the Enterprise Edge Modules

In the Enterprise Edge modules, the underlying physical topology, IP addressing, and the deployed equipment also drive the choice of routing protocol. The routing protocols in the Enterprise Edge modules are typically OSPF, EIGRP, BGP, and static routing. NOTE: Routing protocols running in the enterprise edge module are referred to as edge routing protocols. EIGRP gives an administrator more influence on routing and is suitable for NBMA environments in which there is a split-horizon issue...

Routing Protocol Convergence

Whenever a change occurs in a network's topology, all the routers in that network must learn the new topology. This process is both collaborative and independent: the routers share information with each other, but they must calculate the impact of the topology change independently. Because they must mutually develop an independent agreement on the new topology, they are said to converge on this consensus. Convergence properties include the speed of propagation of routing information and the...

Security Services in a Modular Network Design

Security is an infrastructure service that increases the network's integrity by protecting network resources and users from internal and external threats. Without a full understanding of the threats involved, network security deployments tend to be incorrectly configured, too focused on security devices, or lacking appropriate threat response options. Security both in the Enterprise Campus (internal security) and at the Enterprise Edge (from external threats) is important. An enterprise should...

Service Provider Modules

Figure 3-13 shows the modules within the Service Provider functional area. The enterprise itself does not implement these modules; however, they are necessary to enable communication with other networks, using a variety of WAN technologies, and with Internet service providers (ISP). The modules within the Service Provider functional area are as follows. The following sections describe each of these modules.

Services Within Modular Networks

Businesses that operate large enterprise networks strive to create an enterprise-wide networked infrastructure and interactive services to serve as a solid foundation for business and collaborative applications. This section explores some of the interactive services with respect to the modules that form the Cisco Enterprise Architecture. A network service is a supporting and necessary service, but not an ultimate solution. For example, security and QoS are not ultimate goals for a network; they...

Static Routing

The term static routing denotes the use of manually configured or injected static routes for traffic forwarding purposes. Using a static route might be appropriate in the following circumstances:

When it is undesirable to have dynamic routing updates forwarded across slow bandwidth links, such as a dialup link
When the administrator needs total control over the routes used by the router
When a backup to a dynamically learned route is necessary
When it is necessary to reach a network that is...

Summary of Interior Routing Protocol Features

There is no best or worst routing protocol. The decision about which routing protocol to implement (or whether multiple routing protocols should indeed be implemented in a network) can be made only after you carefully consider the design goals and examine the network's physical topology in detail. Table 7-2 summarizes some characteristics of IP routing protocols discussed in this chapter. Although they are no longer recommended enterprise protocols, RIPv1, RIPv2, and IGRP are also included in...

Summary of the Contents

The chapters and appendixes of this book are as follows Chapter 1, Network Fundamentals Review, introduces some fundamental concepts and terminology that are the foundation for the material in the rest of the book. Chapter 2, Applying a Methodology to Network Design, introduces the Cisco vision of intelligent networks and the Service Oriented Network Architecture (SONA) architectural framework. The lifecycle of a network and a network design methodology based on the lifecycle are presented, and...

PSTN Switches

PSTN switches interconnect business PBXs and public and private telephones. Large PSTN switches are located at COs, which provide circuits throughout the telephony network. PSTN switches are deployed in hierarchies to provide resiliency and redundancy to the PSTN network and avoid a single point of failure. PSTN signaling traditionally supported only basic features such as caller ID and direct inward dialing. Modern PSTN switches now support, on a fee basis, many traditional PBX services,...

TCP/IP Internet Layer Protocols

The TCP/IP Internet layer corresponds to the OSI network layer and includes the IP-routed protocol, as well as a protocol for message and error reporting. The protocols at this layer include the following: IP: Provides connectionless, best-effort delivery of datagrams through the network. A unique IP address (a logical address) is assigned to each interface of each device in the network. IP and IP addresses are introduced later in this chapter and are described in more detail in Appendix B, IPv4...

Technical Requirements Bandwidth

KEY POINT: Bandwidth is the amount of data transmitted or received per unit time, such as 100 Mbps. In a qualitative sense, the required bandwidth is proportional to the data's complexity for a given level of system performance. For example, downloading a photograph in 1 second takes more bandwidth than downloading a page of text in 1 second. Large sound files, computer programs, and animated videos require even more bandwidth for acceptable system performance. One of the main issues involved in...

The Enterprise Data Center

This section describes technology and trends influencing the Enterprise Data Center. For large enterprises with a significant number of servers, a dedicated Enterprise Data Center provides employees, partners, and customers with access to data and resources to effectively work, collaborate, and interact. Historically, most Enterprise Data Centers grew rapidly as organizational requirements expanded. Applications were implemented as needed, often resulting in underutilized, isolated...

The OSI Layers

The following sections briefly describe each of the seven layers of the OSI model, starting at the lowest layer. Appendix C, Open System Interconnection (OSI) Reference Model, delves deeper into the details of the OSI model. The OSI physical layer defines specifications such as the electrical and mechanical conditions necessary for activating, maintaining, and deactivating the physical link between devices. Specifications include voltage levels, maximum cable lengths, connector types, and...

Threat Detection and Mitigation Solution Deployment Locations

Threat detection and mitigation solutions can be deployed throughout the network, as illustrated in Figure 10-17. Figure 10-17 Threat Detection and Mitigation Solution Deployment Locations. 1. Network load increases (spotted by either SNMP or NetFlow). 3. Specific nature of attack can be determined with deep packet inspection via IPS. 2. Attack type...

Threat Detection and Mitigation Technologies

The following are some of the threat detection and mitigation technologies available:

Network-based intrusion prevention systems (NIPS), such as the ASA, IPS appliances, and Cisco IOS IPS
Host-based intrusion prevention systems (HIPS), such as Cisco Security Agent
Event-correlation systems, such as Cisco Security Monitoring, Analysis, and Response System (MARS)
Cisco Traffic Anomaly Detector Module

These threat detection and mitigation technologies provide many network security functions,...

Time Estimates for Performing Network Characterization

This section provides some guidelines to estimate how long it may take to characterize the network. The time required to characterize a network varies significantly, depending on factors such as the following:

The experience of the network engineer
The quality of documentation provided by the customer and the quality of the communication with the customer
The size and complexity of the network
The efficiency of network management and discovery tools
Whether or not the network devices are carefully...