Access Layer Functionality

This section describes the access layer functions and the interaction of the access layer with the distribution layer and local or remote users. The access layer is the concentration point at which clients access the network. Access layer devices control traffic by localizing service requests to the access media. The purpose of the access layer is to grant user access to network resources. The access layer's characteristics are as follows. In the campus environment, the access layer typically...

Administrative Distance

Most routing protocols have metric structures and algorithms that are incompatible with other protocols. It is critical that a network using multiple routing protocols be able to seamlessly exchange route information and be able to select the best path across multiple protocols. Cisco routers use a value called administrative distance to select the best path when they learn of two or more routes to the same destination from different routing protocols. Administrative distance rates a routing...
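The selection rule described above, carried through as an added example in Python (not code from the book): for each prefix the router installs the candidate with the lowest administrative distance, breaks ties within one protocol by metric, and then forwards by longest prefix match, which administrative distance never overrides. The AD values are the Cisco IOS defaults; the candidate routes and next-hop addresses are constructed for illustration.

```python
"""Route selection: longest prefix first, then administrative distance, then metric."""
import ipaddress
from dataclasses import dataclass

# Cisco IOS default administrative distances (lower is more trusted).
DEFAULT_AD = {
    "connected": 0,
    "static": 1,
    "ebgp": 20,
    "eigrp": 90,
    "ospf": 110,
    "isis": 115,
    "rip": 120,
    "ibgp": 200,
}

@dataclass(frozen=True)
class Candidate:
    prefix: str      # e.g. "10.1.0.0/16"
    source: str      # key into DEFAULT_AD
    metric: int      # protocol-specific; only comparable between routes from the same source
    next_hop: str

def install_routes(candidates):
    """Build the routing table: one winner per prefix, chosen by (AD, metric)."""
    table = {}
    for c in candidates:
        net = ipaddress.ip_network(c.prefix)
        key = (DEFAULT_AD[c.source], c.metric)
        best = table.get(net)
        if best is None or key < (DEFAULT_AD[best.source], best.metric):
            table[net] = c
    return table

def lookup(table, dst):
    """Longest-prefix match over installed routes; AD only mattered while installing."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, c) for net, c in table.items() if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed sample input: the same prefix learned from several protocols.
SAMPLE = [
    Candidate("10.1.0.0/16", "rip",    3,     "192.0.2.1"),
    Candidate("10.1.0.0/16", "ospf",   20,    "192.0.2.2"),
    Candidate("10.1.0.0/16", "eigrp",  30720, "192.0.2.3"),  # EIGRP composite metrics are large numbers
    Candidate("10.1.0.0/16", "eigrp",  28160, "192.0.2.4"),  # same protocol, better metric, wins the tie
    Candidate("10.1.5.0/24", "rip",    1,     "192.0.2.5"),
    Candidate("0.0.0.0/0",   "static", 0,     "192.0.2.6"),
]

if __name__ == "__main__":
    rib = install_routes(SAMPLE)
    for net, c in sorted(rib.items(), key=lambda kv: kv[0].prefixlen):
        print(f"{str(net):16} via {c.next_hop:10} [{DEFAULT_AD[c.source]}/{c.metric}] {c.source}")
    print("10.1.5.7 ->", lookup(rib, "10.1.5.7").source)   # rip: the /24 is more specific than the /16
    print("10.1.9.9 ->", lookup(rib, "10.1.9.9").source)   # eigrp: AD 90 beats OSPF 110 and RIP 120
```

Note that the RIP /24 beats the EIGRP /16 for 10.1.5.7 even though RIP has the worst AD: prefix length is decided at forwarding time, AD only when competing routes to the identical prefix are installed.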

Agencies and Standards Groups

Some of the agencies and standards groups related to WLANs are as follows:
Institute of Electrical and Electronics Engineers (http://www.ieee.org): Creates and maintains operational standards.
European Telecommunications Standards Institute (http://www.etsi.org): Chartered to produce common standards in Europe.
Wi-Fi Alliance (http://www.wi-fi.com): Promotes and tests for WLAN interoperability.
WLAN Association (http://www.wlana.org): Educates and raises consumer awareness about WLANs.
FCC (http...

Analyzing Network Traffic and Applications

Traffic analysis is the third step in characterizing a network. Traffic analysis verifies the set of applications and protocols used in the network and determines the applications' traffic patterns. It might reveal additional applications or protocols running on the network. Each discovered application and protocol should be described in the following terms:
Security-related requirements
Scope (in other words, the network modules in which the application or protocol is used)
Use the...

ANS Components

Figure 3-24 illustrates an example of ANS deployed in offices connected over a WAN, providing LAN-like performance to users in the branch, regional, and remote offices. ANS components are deployed symmetrically in the data center and the distant offices. The ANS components in this example are as follows:
Cisco Wide Area Application Services (WAAS) software: Cisco WAAS software gives remote offices LAN-like access to centrally hosted applications, servers, storage, and multimedia.
Cisco Wide Area...

ANS Examples

Table 3-1 illustrates some sample application deployment issues that many IT managers face today and how ANS resolves these issues.
Table 3-1 Examples of Application Deployment Issues and Solutions
Issue: Consolidation of data centers results in remote employees having slower access to centrally managed applications.
Solution: Wide-area application services in the branch office that compress, cache, and optimize content for remote users so that...

Answers to Review Questions

1. The Cisco vision for an intelligent information network includes the following:
Integration of networked resources and information assets that have been largely unlinked
Intelligence across multiple products and infrastructure layers
Active participation of the network in the delivery of services and applications
2. Evolving to an intelligent information network consists of three phases in which functionality can be added to the infrastructure as required:
Phase 1, Integrated transport: Everything...

Application Requirements of WAN Design

Just as application requirements drive the Enterprise Campus design (as illustrated in Chapter 4, Designing Basic Campus and Data Center Networks), they also affect the Enterprise Edge WAN design. Application availability is a key user requirement; its chief components are response time, throughput, packet loss, and reliability. Table 5-2 analyzes these components, which are discussed in the following sections.
Table 5-2 Application Requirements on the WAN...

Applying a Methodology to Network Design

This chapter begins with an introduction to the Cisco vision of intelligent networks and the Service Oriented Network Architecture (SONA) architectural framework. The lifecycle of a network and a network design methodology based on the lifecycle are presented. Each phase of the network design process is explored in detail, starting with how to identify customer requirements, including organizational and technical goals and constraints. Because many customers build on an existing network and at...

Ii

Dynamic IP address assignment is used for assigning IP addresses to end-user devices, including workstations, Cisco IP phones, and mobile devices. DHCP is used to provide dynamic IP address allocation to hosts. DHCP uses a client/server model; the DHCP server can be a Windows server, a UNIX-based server, or a Cisco IOS device. Cisco IOS devices can also be DHCP relay agents and DHCP clients. Figure 6-15 shows the steps that occur when a DHCP client requests an IP address from a DHCP server. Step...

BGP Implementation Example

In Figure 7-12, BGP is used to interconnect multiple autonomous systems. Because of the multiple connections between autonomous systems and the need for path manipulation, static routing is ruled out. AS 65000 is multihomed to three ISPs: AS 65500, AS 65250, and AS 64600.
Figure 7-12 BGP Is Used to Interconnect Autonomous Systems
NOTE: The AS designator described here is a 16-bit number with a range of 1 to 65535. (Four-byte AS numbers were introduced later in RFC 4893, since replaced by RFC 6793.) RFC 1930, Guidelines for...

Border Gateway Protocol

BGP is an EGP that is primarily used to interconnect autonomous systems. BGP is a successor to EGP, the Exterior Gateway Protocol (note the dual use of the EGP acronym: the generic class of exterior gateway protocols and the specific, now obsolete, protocol of that name). Because the original EGP is obsolete, BGP is currently the only EGP in use. BGP-4 is the latest version of BGP. It is defined in RFC 4271, A Border Gateway Protocol 4 (BGP-4). As noted in this RFC, the classic definition of an AS is a set of routers under a single technical administration, using an Interior Gateway Protocol (IGP) and common...

Building a Prototype or Pilot Network

It is often desirable to verify a design before implementation. A design can be tested in an existing, or live, network; this is called a pilot. Alternatively, and preferably, it can be tested in a prototype network that does not affect the existing network. A successful design implementation in either a pilot or prototype network can be used as a proof of concept in preparation for full implementation and can be used as input to the implementation steps. A pilot network tests and verifies the design before the network is...

Calculating a Subnet Mask

When contiguous 1s are added to the default mask, making the all-1s field in the mask longer, the definition of the network part of an IP address is extended to include subnets. Adding bits to the network part of an address decreases the number of bits in the host part. Thus, creating additional networks (subnets) is done at the expense of the number of host devices that can occupy each network segment. The number of subnetworks created is calculated by the formula 2^s, where s is the number of...

Calculating the Networks for a Subnet Mask

After you identify your subnet mask, you must calculate the ten subnetted network addresses to use with 172.16.0.0 255.255.240.0. One way to do this is as follows:
Step 1: Write the subnetted address in binary format, as shown at the top of Figure B-7. If necessary, use the decimal-to-binary conversion chart provided in Table B-1.
Figure B-7 Calculating the Subnets Shown in Figure B-6 in Binary
10101100.00010000.00000000.00000000
Step 2: On the binary address, draw a line...
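The procedure in the two subnetting sections above (extend the class default mask by s bits, then enumerate the 2^s subnets), carried through in Python as an added example that is not code from the book. It does the arithmetic on integers so that each step matches the pencil-and-paper method, and cross-checks the result against the standard library. The 172.16.0.0 255.255.240.0 case is the book's; the 192.168.1.0 case is an added check.

```python
"""Classful subnetting: default mask from the address class, extended by s subnet bits."""
import ipaddress

def default_prefixlen(network):
    """Classful default mask length, decided by the leading bits of the first octet."""
    first = int(network.split(".")[0])
    if first < 128:    # 0xxxxxxx -> Class A, /8
        return 8
    if first < 192:    # 10xxxxxx -> Class B, /16
        return 16
    if first < 224:    # 110xxxxx -> Class C, /24
        return 24
    raise ValueError("Class D and E addresses are not subnetted")

def mask_to_prefixlen(mask):
    """Count the contiguous 1s in a dotted-decimal mask; reject non-contiguous masks."""
    bits = "".join(f"{int(o):08b}" for o in mask.split("."))
    if "01" in bits:
        raise ValueError("mask must be contiguous 1s followed by 0s")
    return bits.count("1")

def dotted_binary(addr):
    """Step 1 of the procedure: the address written in binary, octet by octet."""
    return ".".join(f"{int(o):08b}" for o in addr.split("."))

def subnet_plan(network, mask):
    """Return subnet bits, subnet count, usable hosts per subnet and the subnet network addresses."""
    plen = mask_to_prefixlen(mask)
    default = default_prefixlen(network)
    s = plen - default                       # bits borrowed from the host part
    if s < 0:
        raise ValueError("mask is shorter than the classful default mask")
    h = 32 - plen                            # bits left for hosts
    classful_mask = (0xFFFFFFFF << (32 - default)) & 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(network)) & classful_mask
    step = 1 << h                            # consecutive subnets differ by one increment of the host field
    nets = [str(ipaddress.IPv4Address(base + i * step)) for i in range(1 << s)]
    return {
        "subnet_bits": s,
        "subnets": 1 << s,
        "usable_hosts": (1 << h) - 2,        # network and broadcast addresses are not assignable
        "networks": nets,
    }

def verify_with_ipaddress(network, mask):
    """Cross-check the hand arithmetic against ipaddress.subnets()."""
    plan = subnet_plan(network, mask)
    parent = ipaddress.ip_network(f"{network}/{default_prefixlen(network)}")
    lib = [str(n.network_address) for n in parent.subnets(prefixlen_diff=plan["subnet_bits"])]
    return plan["networks"] == lib

if __name__ == "__main__":
    print(dotted_binary("172.16.0.0"))
    plan = subnet_plan("172.16.0.0", "255.255.240.0")
    print(f"{plan['subnets']} subnets of {plan['usable_hosts']} usable hosts (need 10, so 4 bits suffice)")
    for net in plan["networks"]:
        print(net, "255.255.240.0")
    print("matches ipaddress:", verify_with_ipaddress("172.16.0.0", "255.255.240.0"))
```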

Calculating Trunk Capacity or Bandwidth

The trunk capacity for voice calls can be calculated by the following formula:
Trunk capacity = (number of simultaneous calls to be supported) × (bandwidth required per call)
The first component of this formula, the number of simultaneous calls to be supported, is the number of circuits required for the known amount of traffic, as calculated from the Erlang tables.
NOTE: If 100 percent of calls must go through, Erlang tables are not required; instead, the maximum number of simultaneous calls...
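An added example in Python (not code from the book) that computes the Erlang B values the text refers to the tables for, finds the circuit count for a target grade of service, and then applies the trunk capacity formula above. The per-call bandwidth figures and the 10 Erlang, 1 percent blocking scenario are assumptions for illustration.

```python
"""Trunk sizing: circuits from Erlang B, then bandwidth from calls * bandwidth per call."""

def erlang_b(traffic_erlangs, circuits):
    """Blocking probability for the offered traffic on a given number of circuits.

    Uses the recursion B(E, 0) = 1, B(E, m) = E*B(E, m-1) / (m + E*B(E, m-1)),
    which is what the printed Erlang B tables tabulate, without overflowing on E^m/m!.
    """
    b = 1.0
    for m in range(1, circuits + 1):
        b = traffic_erlangs * b / (m + traffic_erlangs * b)
    return b

def circuits_for_gos(traffic_erlangs, max_blocking):
    """Smallest number of circuits whose blocking probability meets the grade of service."""
    m = 0
    while erlang_b(traffic_erlangs, m) > max_blocking:
        m += 1
    return m

def trunk_bandwidth_kbps(simultaneous_calls, kbps_per_call):
    """The formula from the text: trunk capacity = simultaneous calls * bandwidth per call."""
    return simultaneous_calls * kbps_per_call

# Assumed per-call bandwidth on Ethernet with 20 ms packetization and no cRTP (illustrative values).
PER_CALL_KBPS = {"G.711": 87.2, "G.729": 31.2}

def size_trunk(traffic_erlangs, max_blocking, codec, all_calls_must_complete=False, peak_calls=None):
    """Return (circuits, kbps).

    The NOTE in the text: when every call must go through, the Erlang tables do not
    apply and the peak number of simultaneous calls is used directly.
    """
    if all_calls_must_complete:
        if peak_calls is None:
            raise ValueError("peak_calls is required when every call must go through")
        circuits = peak_calls
    else:
        circuits = circuits_for_gos(traffic_erlangs, max_blocking)
    return circuits, trunk_bandwidth_kbps(circuits, PER_CALL_KBPS[codec])

if __name__ == "__main__":
    # Constructed scenario: 10 Erlangs of busy-hour traffic, 1 percent blocking allowed, G.729.
    circuits, kbps = size_trunk(10.0, 0.01, "G.729")
    print(f"{circuits} circuits, {kbps:.1f} kbps of WAN bandwidth")
    print(f"blocking with 17 circuits: {erlang_b(10.0, 17):.4f}, with 18: {erlang_b(10.0, 18):.4f}")
```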

Case Study 10-1 ACMC Hospital Network Security Design

This case study is a continuation of the ACMC Hospital case study introduced in Chapter 2, Applying a Methodology to Network Design. Use the scenarios, information, and parameters provided at each task of the ongoing case study. If you encounter ambiguities, make reasonable assumptions and proceed. For all tasks, use the initial customer scenario and build on the solutions provided thus far. You can use any and all documentation, books, white papers, and so on. In each step, you act as a...

Case Study 10-2 ACMC Hospital Network Connecting More Hospitals

This case study is a continuation of ACMC Hospital Case Study 10-1. Use the scenarios, information, and parameters provided at each task of the ongoing case study. If you encounter ambiguities, make reasonable assumptions and proceed. For all tasks, use the initial customer scenario and build on the solutions provided thus far. You can use any and all documentation, books, white papers, and so on. In each step, you act as a network design consultant. Make creative proposals to accomplish the...

Case Study ACMC Hospital Network Upgrade

This case study analyzes the network infrastructure of Acme County Medical Center (ACMC) Hospital, a fictitious small county hospital in the United States. This same case study is used throughout the remainder of the book so that you can continue to evaluate your understanding of the concepts presented. Use the scenarios, information, and parameters provided at each task of the ongoing case study. If you encounter ambiguities, make reasonable assumptions and proceed. For all tasks, use the...

Case Study ACMC Hospital Network Voice Design

This case study is a continuation of the ACMC Hospital case study introduced in Chapter 2. Use the scenarios, information, and parameters provided at each task of the ongoing case study. If you encounter ambiguities, make reasonable assumptions and proceed. For all tasks, use the initial customer scenario and build on the solutions provided thus far. You can use any and all documentation, books, white papers, and so on. In each step, you act as a network design consultant. Make creative...

Case Study Additional Information

Figure 5-30 shows the existing WAN links and the planned campus infrastructure.
Figure 5-30 Case Study: ACMC Hospital WAN Links and Planned Campus Infrastructure
The ACMC Hospital CIO realizes that WAN performance to the remote clinics is poor and that some new applications will require more bandwidth. These applications include programs that allow doctors at the central site to access medical images, such as...

Case Study Answers

The following are some of the infrastructure aspects that should be considered:
Switches and power supplies that support PoE should be recommended.
The available building wiring closet power, cooling, and space need to be reviewed.
QoS mechanisms should be considered, including in the Campus switches and on the WANs.
CAC might be required for calls from the clinics to the main campus.
cRTP and LFI can also be considered.
The current cabling infrastructure and configuration need to be reviewed,...

Case Study Questions

Step 2: Document any information that you think is missing from the case study scenario and that you consider necessary for the design. Before beginning the design, you will need this information. Assume that you have talked to the customer about the missing information, and document any assumptions you make. You don't need to assume that all the missing information is provided by the customer; some might never be available. However, you do need to assume...

Catalyst Services Modules

The following are various security-related modules for the Cisco Catalyst 6500 Series switching platform (some are also available for the Cisco 7600 Series routers):
Cisco Catalyst 6500 Series FWSM: The Cisco FWSM is a high-speed, integrated firewall module for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers. Up to four Cisco FWSMs can be installed in a single chassis, providing scalability up to 20 Gbps per chassis. The Cisco FWSM includes many advanced features, such as multiple...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at...

Centralized WLAN Components

As illustrated in Figure 3-23, the four main components in a centralized WLAN deployment are as follows:
End-user devices: A PC or other end-user device in the access layer uses a wireless NIC to connect to an access point (AP) using radio waves.
Wireless APs: APs, typically in the access layer, are shared devices that function similarly to a hub. Cisco APs can be either lightweight or autonomous. Lightweight APs are used in centralized WLAN deployments. A lightweight AP receives control and...

Characteristics of the OSI Layers

The OSI reference model's seven layers can be divided into two categories: upper layers and lower layers. The upper layers contend with application issues and are generally implemented only in software. The highest layer, the application layer, is closest to the end user. Both users and application layer processes interact with software applications that contain a communications component. The term upper layer is sometimes used to refer to any layer above another layer in the OSI model....

Cisco Security Management Technologies

The Cisco Security Management Suite is a framework of products and technologies designed for scalable policy administration and enforcement for the Cisco Self-Defending Network. This integrated solution can simplify and automate the tasks associated with security management operations, including configuration, monitoring, analysis, and response. The key components of this suite include the following:
Cisco Security Manager: Cisco Security Manager is a powerful but easy-to-use solution for...

Cisco Self Defending Network Phases

As shown in Figure 10-8, the Cisco Self-Defending Network contains three characteristic phases that together provide continuous, intelligent, future-proofed security, from the network through to the application layer:
Integrated security: Security defense technologies are incorporated across all network elements, including routing, switching, wireless, and security platforms, so that every point in the network can defend itself. These security features include firewalls, VPNs, and trust and...

Cisco UWN Review

Figure 9-22 reviews the key concepts of the Cisco UWN design.
Figure 9-22 Cisco UWN (figure labels: Third-Party Integrated Applications; E911, Asset Tracking, ERP Workflow Automation)
Cisco client devices or Cisco Compatible client devices are at the foundation of the UWN, connected to Cisco lightweight...

Clearing NAT Translation Entries

To clear a dynamic translation entry, use the commands shown in Table D-3.
Table D-3 Commands to Clear NAT Translation Entries
clear ip nat translation *: Clears all dynamic translation entries.
clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]: Clears a simple dynamic translation entry that contains an inside translation, or both an inside and an outside translation.
clear ip nat translation outside local-ip global-ip: Clears a simple dynamic translation entry that contains an outside translation.
...

Comparison of Routing Protocol Convergence

As shown in Figure 7-8, different routing protocols need different amounts of time to converge in a given network. Although convergence time depends on the network's topology and structure, pure distance vector protocols are slower to converge than link-state protocols; their periodic updates and hold-down mechanism are the main reasons. Fast-converging protocols should therefore be used when the network's convergence time is crucial. Figure 7-8 Routing...

Configuring Inside Global Address Overloading or PAT

The following procedure configures inside global address overloading:
Step 1: At a minimum, IP routing and appropriate IP addresses must be configured on the router.
Step 2: Configure dynamic address translation, as described in the Configuring NAT for Basic Local IP Address Translation section earlier in this appendix. When you define the mapping between the access list and the IP NAT pool, add the overload keyword to the command:
Router(config)# ip nat inside source list access-list-number pool...
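What the overload keyword asks the router to maintain, and what the clear ip nat translation commands in the earlier section remove, modelled in Python as an added example (not code from the book, and a simplification of IOS behaviour, not a description of it): many inside local sockets share one inside global address and are told apart by the translated source port, the reverse mapping is what delivers return traffic to the right inside host, and anything arriving from outside without a matching entry is dropped. Addresses, ports and the port-preservation rule are assumptions for illustration.

```python
"""Port Address Translation (inside global address overloading) in miniature."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    proto: str
    inside_local: tuple    # (ip, port) as seen on the inside interface
    inside_global: tuple   # (ip, port) as seen on the outside interface
    outside: tuple         # (ip, port) of the outside peer

class PatTable:
    """Extended (5-tuple) translation entries for one overloaded inside global address."""

    def __init__(self, inside_global_ip, first_port=1024, last_port=65535):
        self.global_ip = inside_global_ip
        self.free_ports = iter(range(first_port, last_port + 1))
        self.outbound = {}   # (proto, inside_local, outside) -> Entry
        self.inbound = {}    # (proto, inside_global, outside) -> Entry

    def translate_outbound(self, proto, src, dst):
        """Packet from the inside interface: rewrite the source, creating the entry on first use."""
        key = (proto, src, dst)
        entry = self.outbound.get(key)
        if entry is None:
            # Assumed rule: keep the host's own source port unless another entry already uses it
            # towards the same peer; otherwise take the next free port from the pool.
            if (proto, (self.global_ip, src[1]), dst) in self.inbound:
                port = self._next_free_port(proto, dst)
            else:
                port = src[1]
            entry = Entry(proto, src, (self.global_ip, port), dst)
            self.outbound[key] = entry
            self.inbound[(proto, entry.inside_global, dst)] = entry
        return entry.inside_global, dst

    def translate_inbound(self, proto, src, dst):
        """Packet from the outside interface: only an existing entry maps it back; otherwise drop."""
        entry = self.inbound.get((proto, dst, src))
        if entry is None:
            return None      # unsolicited inbound traffic has nowhere to go
        return src, entry.inside_local

    def _next_free_port(self, proto, dst):
        for port in self.free_ports:
            if (proto, (self.global_ip, port), dst) not in self.inbound:
                return port
        raise RuntimeError("translation port pool exhausted")

    def clear(self, inside_global_ip=None, inside_local_ip=None):
        """No arguments: like clear ip nat translation *. Otherwise drop the entries of one inside host."""
        victims = [e for e in self.outbound.values()
                   if inside_global_ip is None
                   or (e.inside_global[0] == inside_global_ip and e.inside_local[0] == inside_local_ip)]
        for e in victims:
            del self.outbound[(e.proto, e.inside_local, e.outside)]
            del self.inbound[(e.proto, e.inside_global, e.outside)]
        return len(victims)

if __name__ == "__main__":
    # Constructed addresses: two campus hosts behind one public address, both talking to the same server.
    nat = PatTable("203.0.113.1")
    server = ("198.51.100.5", 443)
    print(nat.translate_outbound("tcp", ("10.1.1.10", 40000), server))   # keeps port 40000
    print(nat.translate_outbound("tcp", ("10.1.1.11", 40000), server))   # port collision, gets 1024
    print(nat.translate_inbound("tcp", server, ("203.0.113.1", 1024)))   # back to 10.1.1.11:40000
    print(nat.translate_inbound("tcp", server, ("203.0.113.1", 5555)))   # None: nobody asked for this
    print(nat.clear(), "entries cleared")
```

The drop of unmatched inbound packets is a side effect of overloading, not a security control: it disappears for any static or port-forwarded entry, and an entry lives as long as its timer, so clearing translations (the commands in Table D-3) also severs the sessions that depend on them.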

Contents

Chapter 1 Network Fundamentals Review
Introduction to Networks
Protocols and the OSI Model
The OSI Model
Protocols
The OSI Layers
Physical Layer (Layer 1)
Data Link Layer (Layer 2)
Network Layer (Layer 3)
Transport Layer (Layer 4)
Upper Layers (Layers 5 Through 7)
Communication Among OSI Layers
LANs and WANs
Network Devices
Terminology: Domains, Bandwidth, Unicast, Broadcast, and Multicast
Hubs
Switches
Routers
Introduction to the TCP/IP Suite
TCP/IP Transport...

Contents at a Glance

Chapter 1 Network Fundamentals Review
Chapter 2 Applying a Methodology to Network Design
Chapter 3 Structuring and Modularizing the Network
Chapter 4 Designing Basic Campus and Data Center Networks
Chapter 5 Designing Remote Connectivity
Chapter 6 Designing IP Addressing in the Network
Chapter 7 Selecting Routing Protocols for the Network
Chapter 8 Voice Network Design Considerations
Chapter 9 Wireless Network Design Considerations
Chapter 10 Evaluating Security...

Creating a Draft Design Document

After thoroughly examining the existing network, the designer creates a draft design document. Figure 2-17 illustrates a draft design document's index (not yet fully developed), including the section that describes the existing network. The Design Requirements and Existing Network Infrastructure chapters of the design document are closely related; examining the existing network can result in changes to the design requirements. Data from both chapters directly influences the network's design....

Data units

A frame is an information unit whose source and destination are data link layer entities. A frame is composed of the data link layer header (and possibly a trailer) and upper-layer data. The header and trailer contain control information that is intended for the destination system's data link layer entity. The data link layer header and trailer encapsulate data from upper-layer entities. Figure C-8 illustrates the basic components of a data link layer frame. Figure C-8 Data from Upper-Layer...

Deploying Security in the Enterprise Campus

Consider an organization that has experienced several incidents in which laptop users on the campus network have brought in viruses from home, some users have attempted to intercept network traffic, and some interns have tried to hack the network infrastructure. To manage the risks, the organization implements identity and access control solutions, threat detection and mitigation solutions, infrastructure protection, and security management. Figure 10-21 illustrates where various security...

Design Considerations for Guest Services in Wireless Networks

Providing wireless guest services with traditional autonomous APs poses significant challenges. To maintain internal corporate network security, guest traffic must be restricted to the appropriate subnet and VLAN; these guest VLANs must extend throughout the infrastructure to reach every location where guest access is required. Reconfiguring the access switches that serve conference rooms, offices, and cubicles to selectively adjust VLANs for guest access can involve many network staff hours....

Designing an Enterprise Campus

The Enterprise Campus network is the foundation for enabling business applications, enhancing productivity, and providing a multitude of services to end users. The following three characteristics should be considered when designing the campus network:
Network application characteristics: The organizational requirements, services, and applications place stringent requirements on a campus network solution, for example, in terms of bandwidth and delay.
Environmental characteristics: The network's...

Designing Link Redundancy

It is often necessary to provision redundant media in locations where mission-critical application traffic travels. In Layer 2-switched networks, redundant links are permitted as long as STP is running. STP guarantees one, and only one, active path within a broadcast domain, avoiding problems such as broadcast storms (when a broadcast continuously loops). The redundant path automatically activates when the active path goes down. Because WAN links are often critical pieces of the internetwork,...

Designing Remote Connectivity

This chapter discusses the WAN function that provides access to remote sites and the outside world. It details WAN technologies and WAN design considerations. The chapter explores how these technologies are used, including for remote access, with virtual private networks (VPN), for backup, and how the Internet is used as a backup WAN. This chapter describes the Enterprise WAN and metropolitan-area network (MAN) architecture, and the Enterprise Branch and Teleworker architectures. The selection...

Determining an IP Address Class

To accommodate large and small networks, the 32-bit IP addresses are segregated into Classes A through E. The first few bits of the first octet determine the class of an address; this in turn determines how many network bits and host bits are in the address. Figure B-4 illustrates the bits for Class A, B, and C addresses. Each address class allows for a certain number of network addresses and a certain number of host addresses within a network. Table B-2 shows the address format, the address range,...

Differences Between IPv4 and IPv6

Regardless of which protocol is used, communication between IPv4 and IPv6 domains must be transparent to end users. The major differences to consider between IPv4 and IPv6 include the following:
IPv4 addresses are 32 bits long, whereas IPv6 addresses are 128 bits long.
An IPv6 packet header is different from an IPv4 packet header. The IPv6 header is longer and simpler (new fields were added to the IPv6 header, and some old fields were removed).
IPv6 has no concept of broadcast addresses...

Distance Vector Example

A distance vector router's understanding of the network is based on its neighbors' perspective of the topology; consequently, the distance vector approach is sometimes referred to as routing by rumor. Routers running traditional distance vector protocols periodically send their complete routing tables to all connected neighbors. Convergence might be slow because triggered updates are not typically used (RIPv2 is an exception) and loop detection timers are long. In large networks, running a...
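An added Python simulation (not code from the book) of the behaviour described here and in the convergence comparison above: every router starts knowing only its directly connected links, each round sends its whole table to its neighbours, and adopts a neighbour's route when cost-to-neighbour plus advertised cost beats what it holds. The function returns how many update rounds carried changes, which grows with the network diameter because information moves one hop per periodic update. The chain topologies and unit link costs are constructed.

```python
"""Distance vector convergence, one periodic update round at a time."""
INFINITY = 16   # RIP's unreachable metric; path costs are capped here

def chain(n):
    """Constructed topology: n routers in a line, every link cost 1."""
    names = [chr(ord("A") + i) for i in range(n)]
    links = {r: {} for r in names}
    for a, b in zip(names, names[1:]):
        links[a][b] = links[b][a] = 1
    return links

def distance_vector(links, split_horizon=True, max_rounds=100):
    """Synchronous full-table updates until no router changes anything.

    links: {router: {neighbour: cost}}, symmetric.
    Returns (tables, rounds): tables[r][dst] = (cost, next_hop); rounds is the number
    of update rounds in which at least one router changed its table.
    """
    routers = list(links)
    table = {r: {r: (0, None)} for r in routers}
    for r in routers:
        for n, c in links[r].items():
            table[r][n] = (c, n)                  # directly connected: known before any update
    rounds = 0
    for _ in range(max_rounds):
        adverts = {r: dict(table[r]) for r in routers}   # what each router sends this round
        changed = False
        for r in routers:
            for n, c in links[r].items():         # process the table received from each neighbour
                for dst, (adv_cost, adv_next) in adverts[n].items():
                    if split_horizon and adv_next == r:
                        continue                   # n learned it from us: don't take the rumour back
                    cost = min(adv_cost + c, INFINITY)
                    if dst not in table[r] or cost < table[r][dst][0]:
                        table[r][dst] = (cost, n)
                        changed = True
        if not changed:
            break
        rounds += 1
    return table, rounds

def rounds_to_converge(n_routers):
    """Update rounds needed for an n-router chain: information crosses one hop per round."""
    return distance_vector(chain(n_routers))[1]

if __name__ == "__main__":
    for n in (4, 8, 12):
        print(f"chain of {n:2d} routers: {rounds_to_converge(n)} update rounds before the tables stop changing")
    tables, _ = distance_vector(chain(4))
    print("A's route to D:", tables["A"]["D"])   # (3, 'B')
```

With 30-second RIP update timers, each of those rounds is half a minute in the worst case, which is the gap to link-state protocols the comparison above is about; the simulation also shows that the end of the chain learns about the far end last, so a failure there is the last thing it hears about.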

Documenting the Design

A design document lists the design requirements, documents the existing network and the network design, identifies the proof-of-concept strategy and results, and details the implementation plan. The final design document structure should be similar to the one in Figure 2-26, which includes the following:
Introduction: Every design document should include an introduction to present the main reasons leading to the network design or redesign.
Design requirements: Also a mandatory part of any design document, this...

Documenting the Security Policy

Figure 10-5 illustrates a sample security policy and how it can be divided into multiple documents that are applicable to the network segments.
Figure 10-5 Network Security Policy Documents (figure labels: Corporate Information Security Policy; Identify Areas of Protection; Define Responsibilities)
A general document describes the overall risk-management policy, identifies the corporation's assets, and identifies where protection must be applied. It also documents how risk management responsibility is distributed...

Domains of Trust

To segment a network into parts based on similar policy and concerns, domains of trust are established. The required system security in a network can vary in terms of importance to the business and the likelihood of being attacked. Consistent security controls should be applied within a segment, and trust relationships should be defined between segments. Segments can have different trust models, depending on the security needed. Figure 10-10 illustrates two examples of domains of trust. Case 1...

Dual Stack Transition Mechanism

As shown in Figure 6-24, a dual-stack node enables both IPv4 and IPv6 stacks. Applications communicate with both stacks; the IP version choice is based on name lookup and application preference. This is the most appropriate method for campus and access networks during the transition period, and it is the preferred technique for transitioning to IPv6. A dual-stack approach supports the maximum number of applications. Operating systems that support the IPv6 stack include FreeBSD,...

Dynamic IPv6 Address Assignment

IPv6 dynamic address assignment strategies allow dynamic assignment of IPv6 addresses, as follows:
Link-local address: The host configures its own link-local address autonomously, using the link-local prefix FE80::/10 and a 64-bit interface identifier in EUI-64 format.
Stateless autoconfiguration: A router on the link advertises, either periodically or at the host's request, network information such as the 64-bit prefix of the local network and its willingness to function as a default router...
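The EUI-64 step that both assignment methods above rely on, carried out in Python as an added example (not code from the book): the 48-bit MAC is split, FFFE is inserted in the middle, the universal/local bit is inverted, and the result is appended to FE80::/64 for the link-local address or to an advertised /64 for stateless autoconfiguration. The MAC address and prefix are constructed; the reverse function is included because the identifier leaks the hardware address, which is the practical caveat with EUI-64.

```python
"""Modified EUI-64 interface identifiers and the addresses built from them."""
import ipaddress

def eui64_interface_id(mac):
    """8-byte modified EUI-64 identifier from a 48-bit MAC: split, insert FFFE, flip the U/L bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02                  # universal/local bit: a burned-in (universal) MAC gets 1 here
    return bytes(iid)

LINK_LOCAL_PREFIX = bytes.fromhex("fe80000000000000")   # FE80::/10 with the remaining 54 prefix bits zero

def link_local_from_mac(mac):
    """The address a host configures for itself before any router has spoken."""
    return str(ipaddress.IPv6Address(LINK_LOCAL_PREFIX + eui64_interface_id(mac)))

def global_from_prefix(prefix64, mac):
    """Stateless autoconfiguration: the advertised /64 plus the same EUI-64 identifier."""
    net = ipaddress.ip_network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration with EUI-64 needs a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac)))

def mac_from_eui64_address(addr):
    """Recover the MAC if the interface identifier is modified EUI-64, otherwise None.

    The same NIC yields the same low 64 bits on every network it visits, so a host
    can be tracked across networks by its address; RFC 4941 privacy extensions and
    RFC 7217 stable-but-opaque identifiers exist to avoid exactly this.
    """
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])

if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"                    # constructed MAC
    print("link-local:", link_local_from_mac(mac))
    print("global:    ", global_from_prefix("2001:db8:1:2::/64", mac))
    print("recovered: ", mac_from_eui64_address(global_from_prefix("2001:db8:1:2::/64", mac)))
    print("not EUI-64:", mac_from_eui64_address("2001:db8::1"))
```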

Effl

(figure label: Stairwells, Reinforced Building Area)
KEY POINT: In general, an AP can support approximately seven to eight wireless phones or about 20 data-only devices.
The facility should be visually inspected to identify potential issues, such as metal racks, elevator shafts, stairwells, and microwave equipment. The next step in the RF site survey process is to identify preliminary AP locations based on the planned coverage area and user density. This step can be supported with several tools. For example,...

Enterprise Branch Architecture

Recall that the Cisco Enterprise Architecture, based on the Cisco SONA, includes branch modules that focus on the remote places in the network. Enterprises are seeking opportunities to protect, optimize, and grow their businesses by increasing security, consolidating voice, video, and data onto a single IP network, and investing in applications that will improve productivity and operating efficiency. These services provide enterprises with new opportunities to reduce costs, improve...

Enterprise Campus Design

As discussed in Chapter 3, the Enterprise Campus functional area is divided into the following modules:
Campus Infrastructure: This module includes three layers, among them the Building Distribution layer.
Edge Distribution (optional)
This section discusses the design of each of the layers and modules within the Enterprise Campus and identifies best practices related to the design of each.

Enterprise Campus Requirements

As shown in Table 4-3, each Enterprise Campus module has different requirements. For example, this table illustrates how modules located closer to the users require a higher degree of scalability so that the Campus network can be expanded in the future without redesigning the complete network. Adding new workstations to a network, for instance, should result in neither high investment cost nor performance degradation.
Table 4-3 Enterprise Campus Design Requirements...

Enterprise Data Center Module

The Enterprise Data Center module has an architecture that is similar to the campus Server Farm module discussed earlier. The Enterprise Data Center network architecture allows the network to evolve into a platform that enhances the application, server, and storage solutions and equips organizations to manage increased security, cost, and regulatory requirements while providing the ability to respond quickly to changing business environments. The Enterprise Data Center module may include the...

Enterprise Edge WAN and MAN Considerations

When selecting Enterprise Edge technologies, consider the following factors:
Support for network growth: Enterprises that anticipate significant growth should choose a technology that allows the network to grow with their business. WAN technologies with high support for network growth make it possible to add new branches or remote offices with minimal configuration at existing sites, thus minimizing the costs and IT staff requirements for such changes. WAN technologies with lower support for...

Enterprise Teleworker Module

The Enterprise Teleworker module provides people in geographically dispersed locations, such as home offices or hotels, with highly secure access to central-site applications and network services. The Enterprise Teleworker module supports a small office with one to several employees or the home office of a telecommuter. Telecommuters might also be mobile users: people who need access while traveling or who do not work at a fixed company site. Depending on the amount of use and the WAN services...

Evolution of Enterprise Networks

You do not have to go far back in history to find a time when networks were primarily used for file and print services. These networks were isolated LANs that were built throughout the enterprise organization. As organizations interconnected these isolated LANs, their functions grew from file and print services to include critical applications; the critical nature and complexity of the enterprise networks also grew. As discussed in the previous section, Cisco introduced the hierarchical...

External Threats

When designing security in an enterprise network, the Enterprise Edge is the first line of defense at which potential outside attacks can be stopped. The Enterprise Edge is like a wall with small doors and strong guards that efficiently control any access. The following four attack methods are commonly used in attempts to compromise the integrity of the enterprise network from the outside: IP spoofing: An IP spoofing attack occurs when a hacker uses a trusted computer to launch an attack from...

Firewall Filtering Using ACLs

Figure 10-13 illustrates the use of a network firewall to control (or filter) access; this is a common network authorization implementation. An enterprise network is usually divided into separate security domains (also called perimeters or zones), such as the untrusted Internet zone, the trusted Enterprise Campus zone, public and semipublic server zones, and so forth, to allow a network firewall to control all traffic that passes between the perimeters. Because all traffic must pass through the...

Flat Routing Protocols

Flat routing protocols have no means of limiting route propagation in a major network (within a Class A, B, or C network) environment. These protocols are typically classful distance vector protocols. Recall from Chapter 6 that classful means that routing updates do not include subnet masks and that the protocol performs automatic route summarization on major network (class) boundaries. Summarization cannot be done within a major network. These protocols support only fixed-length subnet masking...

Frame Relay/ATM Module

The Frame Relay/ATM module covers all WAN technologies for permanent connectivity with remote locations. Traditional Frame Relay and ATM are still used; however, despite the module's name, it also represents many modern technologies. The technologies in this module include the following: Frame Relay is a connection-oriented, packet-switching technology designed to efficiently transmit data traffic at data rates of up to those used by E3 and T3 connections. Its capability to connect multiple...

Global Aggregatable Unicast Addresses

IPv6 global aggregatable unicast addresses are equivalent to IPv4 unicast addresses. The structure of global aggregatable unicast addresses enables summarization (aggregation) of routing prefixes so that the number of routing table entries in the global routing table can be reduced. Global unicast addresses used on links are aggregated upward, through organizations, and then to intermediate-level ISPs, and eventually to top-level ISPs. A global unicast address typically consists of a 48-bit...

Gradient of Trust

The gradient of trust determines the trust level between domains, which can be minor to extreme, and determines the extent of security safeguards and attention to monitoring required. The trust relationship between segments should be controlled at defined points, using some form of network firewall or access control, as illustrated in the examples in Figure 10-11. Mastering domains of trust is a key component of good network security design. Figure 10-11 Domains and Gradients of Trust Private...

Guidelines for Creating an Enterprise Network

When creating an Enterprise network, divide the network into appropriate areas, where the Enterprise Campus includes all devices and connections within the main Campus location; the Enterprise Edge covers all communications with remote locations and the Internet from the perspective of the Enterprise Campus; and the remote modules include the remote branches, teleworkers, and the remote data center. Define clear boundaries between each of the areas. NOTE Depending on the network, an enterprise...

H

Examples of, 507 gatekeepers, 505-506 gateways, 504 MCU, 506 terminals, 504 IPv6 packet headers, 406-407 TCP headers (TCP/IP protocol suite, transport layer), 20 UDP headers (TCP/IP protocol suite, transport layer), 20 health checklists (networks), network design methodologies, 102-103 HID (Human Interface Device), 164 hierarchical network design access layer, 129 example of, 133 L2 switching, 132-133 multilayer switching, 132-133 role of, 131 backbone layer. See core layer core layer, 129,...

H.323

H.323 is an ITU-T standard for packet-based audio, video, and data communications across IP-based networks. The ITU-T H.323 standard is a foundation for audio, video, and data communications across IP-based networks, including the Internet. By complying with the H.323 standard, multimedia products and applications from multiple vendors can interoperate, thereby allowing users to communicate without concern for compatibility. The H.323 standard is broad in scope and includes standalone devices...

Hierarchical Network Model

The hierarchical network model provides a framework that network designers can use to help ensure that the network is flexible and easy to implement and troubleshoot. As shown in Figure 3-1, the hierarchical network design model consists of three layers: The access layer provides local and remote workgroup or user access to the network. The distribution layer provides policy-based connectivity. The core (or backbone) layer provides high-speed transport to satisfy the connectivity and transport...

Hierarchical Routing in the WAN

Figure 3-7 shows an example of hierarchical routing in the WAN portion of a network. Figure 3-7 Hierarchical Routing in the WAN In Figure 3-7, a typical packet between access sites follows these steps: Step 1 The packet is Layer 3-forwarded toward the distribution router. Step 2 The distribution router forwards the packet toward a core interface. Step 3 The packet is forwarded across the WAN core. Step 4 The receiving distribution router forwards the...

How CDP Works

As illustrated in Figure 3-35, CDP information is sent only between directly connected Cisco devices. In this figure, the person connected to Switch A can see the directly connected Cisco router and the two switches directly attached to Switch A; other devices are not visible via CDP. For example, the person would have to log in to Switch B to see Router C with CDP. Figure 3-35 CDP Provides Information About Neighboring Cisco Devices ...

Identity and Access Control Deployment

Figure 10-15 illustrates examples of where authentication can take place in the Cisco Enterprise Architectures, including the following locations: Dialup access points, where any subject can establish a dialup connection to the network; authentication is necessary to distinguish between trusted and untrusted subjects. WAN and VPN infrastructures, where network devices authenticate each other on WAN or VPN links, thereby mitigating the risk of infrastructure compromise or misconfiguration. WAN...

IEEE 802.11 Operational Standards

In September 1999, the IEEE ratified the IEEE 802.11a standard (5 GHz at 54 Mbps) and the IEEE 802.11b standard (2.4 GHz at 11 Mbps). In June 2003, the IEEE ratified the 802.11g standard (2.4 GHz at 54 Mbps); this standard is backward-compatible with 802.11b systems, because both use the same 2.4-GHz band. The following are the existing IEEE 802.11 standards for wireless communication: 802.11a: 54 Mbps at 5 GHz, ratified in 1999; 802.11b: 11 Mbps at 2.4 GHz, ratified in 1999; 802.11d: World mode,...

IEEE 802.1X and IBNS

Recall from Chapter 9 that IEEE 802.1X is an open standards-based protocol for authenticating network clients (or ports) based on a user ID or on the device. 802.1X runs between end devices or users (called supplicants) trying to connect to ports, and an Ethernet device, such as a Cisco Catalyst switch or Cisco wireless access point (AP) (called the authenticator). Authentication and authorization are achieved with back-end communication to an authentication server such as Cisco Secure Access...

IGP and EGP Example

Figure 7-2 shows three interconnected autonomous systems (domains). Each AS uses an IGP for intra-AS (intra-domain) routing. Figure 7-2 Interior Protocols Are Used Inside and Exterior Protocols Are Used Between Autonomous Systems The autonomous systems require some form of interdomain routing to communicate with each other. Static routes are used in simple cases; typically, an EGP is used....

Implementation Considerations

Some things to consider before implementing NAT include the following: Translation introduces delays into the switching paths. NAT makes some applications that use IP addresses difficult or impossible to use. For example, public web pages that have links expressed using local IP addresses rather than DNS names are not usable by outside hosts. NAT hides the hosts' real identity. All packets that need to be translated must go through the NAT router, which might place limitations on the network...

Information Exchange Process

The information exchange process occurs between peer OSI layers. Each layer in the source system adds control information to data, and each layer in the destination system analyzes and removes the control information from that data. For example, if System A sends data from a software application to System B, the data is passed to System A's application layer. System A's application layer then communicates any control information required by System B's application layer by prepending a header to...

Integrated IS-IS Characteristics

IS-IS is a popular IP routing protocol in the ISP industry. The simplicity and stability of IS-IS make it robust in large internetworks. Integrated IS-IS characteristics include the following: VLSM support: As a classless routing protocol, Integrated IS-IS supports VLSM. Fast convergence: Similar to OSPF, Integrated IS-IS owes its fast convergence characteristics to its link-state operation (including flooding of triggered link-state updates). Another feature that guarantees fast convergence and...

Integrated IS-IS Terminology

ISO specifications call routers intermediate systems. Thus, IS-IS is a router-to-router protocol, allowing routers to communicate with other routers. IS-IS routing takes place at two levels within an AS: Level 1 (L1) and Level 2 (L2). L1 routing occurs within an IS-IS area and is responsible for routing inside an area. All devices in an L1 routing area have the same area address. Routing within an area is accomplished by looking at the locally significant address portion, known as the system ID,...

Integrated Security Within Network Devices

This section explains the security features integrated in Cisco network devices. To design and implement a secure network, it is necessary to integrate security in every part of the network environment. Cisco network devices supporting integrated security include the following: security appliances, including Cisco PIX security appliances; endpoint security solutions. The following sections describe these devices. Devices based on Cisco IOS software incorporate various security features to create an...

Interaction Between OSI Model Layers

A given OSI layer generally communicates with three other OSI layers: the layer directly above it, the layer directly below it, and its peer layer in other networked computer systems. For example, System A's data link layer communicates with System A's network layer, System A's physical layer, and System B's data link layer. Figure C-3 illustrates this interaction example. Figure C-3 OSI Model Layer Communicates with Three Other Layers

Interactive Services

Since the inception of packet-based communications, networks have always offered a forwarding service. Forwarding is the fundamental activity within an internetwork. In IP, this forwarding service was built on the assumption that end nodes in the network were intelligent, and that the network core did not have intelligence. With advances in networking software and hardware, the network can offer an increasingly rich, intelligent set of mechanisms for forwarding information. Interactive services...

Interface Identifiers in IPv6 Addresses

In IPv6, a link is a network medium over which network nodes communicate using the link layer. Interface IDs in IPv6 addresses are used to identify a unique interface on a link. They can also be thought of as the host portion of an IPv6 address. Interface IDs are required to be unique on a link and can also be unique over a broader scope. When the interface identifier is derived directly from the data link layer address of the interface, the scope of that identifier is assumed to be universal...

Interior Versus Exterior Routing Protocols

An autonomous system (AS), also known as a domain, is a collection of routers that are under a common administration, such as a company's internal network or an Internet service provider's (ISP's) network. Because the Internet is based on the AS concept, two types of routing protocols are required: Interior gateway protocols (IGP) are intra-AS (inside an AS) routing protocols. Examples of IGPs include Routing Information Protocol (RIP) version 1 (RIPv1), RIP version 2 (RIPv2), Open Shortest Path...

Internal Security

Strongly protecting the internal Enterprise Campus by including security functions in each individual element is important for the following reasons: If the security established at the Enterprise Edge fails, an unprotected Enterprise Campus is vulnerable. Deploying several layers of security increases the protection of the Enterprise Campus, where the most strategic assets usually reside. Relying on physical security is not enough. For example, as a visitor to the organization, a potential...

Introduction to Integrated Networks

Figure 8-14 illustrates a typical enterprise WAN with separate data and voice networks. Integrating data, voice, and video in a network enables vendors to introduce new features. The unified communications network model enables distributed call routing, control, and application functions based on industry standards. Enterprises can mix and match equipment from multiple vendors and geographically deploy these systems wherever they are needed. One means of creating an integrated network is to...

Introduction to IPv6

IPv6 is a technology developed to overcome the limitations of the current standard, IPv4, which allows end systems to communicate and forms the foundation of the Internet as we know it today. This section on IPv6-specific design considerations provides an overview of IPv6 features and addressing and explains the various IPv6 address types. The address assignment and name resolution strategies for IPv6 are explored. The transition from IPv4 to IPv6 is discussed, and the section concludes with a...

Introduction to the TCP/IP Suite

As mentioned earlier, TCP/IP is the most widely used protocol suite. The relationship between the five layers of the TCP/IP protocol suite and the seven layers of the OSI model is illustrated in Figure 1-4. The five layers of the TCP/IP suite are the application layer, transport layer, Internet layer, data link layer, and physical layer. NOTE The data link and physical layers are sometimes grouped as one layer, called the The TCP/IP application layer includes the functionality of the OSI...

Introduction to WANs

This section defines a WAN and describes its primary design objectives. A WAN is a data communications network that covers a relatively broad geographic area. A WAN typically uses the transmission facilities provided by service providers (SP) (also called carriers), such as telephone companies. Switches, or concentrators, connect the WAN links, relay information through the WAN, and enable the services it provides. A network provider often charges users a fee, called a tariff, for the services...

Introduction to Wireless Technology

NOTE As noted in the introduction to this book, we assume that you understand the wireless networking material in the Cisco Press title Building Cisco Multilayer Switched Networks (BCMSN) (Authorized Self-Study Guide), 4th Edition, ISBN 1-58705-273-3. This section includes some material from that book as an introduction to wireless technology. Refer to that Cisco Press BCMSN title for more detailed information. A wireless communication system uses radio frequency (RF) energy to transmit data...

IP Access List Overview

Packet filtering helps control packet movement through the network, as shown in Figure B-8. Such control can help limit network traffic and restrict network use by certain users or devices. To permit packets to cross or deny packets from crossing specified router interfaces, Cisco provides access lists. An IP access list is a sequential collection of permit and deny conditions that apply to IP addresses or upper-layer IP protocols. Figure B-8 Access Lists Control Packet Movement Through a...

IP Standard Access Lists

Standard access lists permit or deny packets based only on the packet's source IP address, as shown in Figure B-9. The access list number range for standard IP access lists is 1 to 99 or from 1300 to 1999. Standard access lists are easier to configure than their more robust counterparts, extended access lists. Figure B-9 Standard IP Access Lists Filter Based Only on the Source Address A standard access list is a sequential collection of permit and deny conditions that apply to source IP...

IP Telephony Components

An IP telephony network contains four main voice-specific components: IP phones: IP phones are used to place calls in an IP telephony network. They perform voice-to-IP (and vice versa) coding and compression using special hardware. IP phones offer services such as user directory lookups and Internet access. The phones are active network devices that require power to operate; power is supplied through the LAN connection using PoE or with an external power supply. Switches with inline power: Switches...

IPv4 Access Lists

Figure B-8 Access Lists Control Packet Movement Through a Network (Transmission of Packets on an Interface) Table B-5 shows the available types of IP access lists on a Cisco router and their access list numbers. Named access lists are also available for IP. This section covers IP standard and extended access lists. For information on other types of access lists, refer to the technical documentation on the Cisco website at http://www.cisco.com. WARNING Cisco IOS Release 10.3 introduced substantial...

IPv4 Addresses and Subnetting Job Aid

Figure B-1 is a job aid to help you with various aspects of IP addressing, including how to distinguish address classes, the number of subnets and hosts available with various subnet masks, and how to interpret IP addresses.

Class   Net/Host   First Octet   Standard Mask (Binary)
A       N.H.H.H    1-126         11111111 00000000 00000000 00000000
B       N.N.H.H    128-191       11111111 11111111 00000000 00000000
C       N.N.N.H    192-223       11111111 11111111 11111111 00000000

Address 172.16.5.72 in binary: 10101100 00010000 00000101 0100...

IPv4 Supplement

This Internet Protocol Version 4 (IPv4) supplement provides job aids and supplementary information intended for your use when working with IPv4 addresses. NOTE In this appendix, the term IP refers to IPv4. This appendix includes an IP addressing and subnetting job aid and a decimal-to-binary conversion chart. The information in the sections IPv4 Addressing Review and IPv4 Access Lists should serve as a review of the fundamentals of IP addressing and of the concepts and configuration of access...

IPv6 Address Format

Rather than using dotted-decimal format, IPv6 addresses are written as hexadecimal numbers with colons between each set of four hexadecimal digits (which is 16 bits); we like to call this the coloned hex format. The format is x:x:x:x:x:x:x:x, where x is a 16-bit hexadecimal field. A sample address is as follows. Fortunately, you can shorten the written form of IPv6 addresses. Leading 0s within each set of four hexadecimal digits can be omitted, and a pair of colons (::) can be used, once within an...

IPv6 Address Scope Types

Similar to IPv4, a single source can address datagrams to either one or many destinations at the same time in IPv6. NOTE RFC 4291, IPv6 Addressing Architecture, defines the IPv6 addressing architecture. Following are the types of IPv6 addresses: Unicast (one-to-one): Similar to an IPv4 unicast address, an IPv6 unicast address is for a single source to send data to a single destination. A packet sent to a unicast IPv6 address goes to the interface identified by that address. The IPv6 unicast...