CCNA4 CH8

October 27, 2009 by Siu Chung

The designer can use three different methods to test remote connectivity designs:

  • · Simulation software
  • · Prototype testing using simulated links
  • · Pilot testing in the actual environment

 

Simulating a DSL or Cable Connection

 

To simulate a DSL or cable WAN connection, an Ethernet connection can be used. Most Ethernet interfaces can be set to 10 Mb/s, which is comparable to the bandwidth provided over DSL or cable.

The routers are connected with an Ethernet crossover cable. Routing protocol metrics can be adjusted to simulate a lower-speed link with the bandwidth command on the interface (this changes the metric the routing protocol computes, not the actual speed of the link). Static route preference can be set manually by adjusting the administrative distance assigned to the route.

 

Simulating Serial Connectivity

There are two common methods used to simulate serial connectivity:

 

CSU/DSUs or serial modems

V.35 cables

 

Every Frame Relay link has at least three components:

The local point-to-point circuit that connects the local CPE router to the TSP Frame Relay switch

The TSP packet-switched network

The remote point-to-point circuit that connects the remote site into the TSP network

 

The Local Loop

The proposed connection between the stadium CPE router and the Frame Relay switch at the TSP is a T1 circuit. This connection is referred to as a local loop. The local loop connects the provider Frame Relay switch to the CSU/DSU on the stadium premises. The connection then terminates on the serial port of the CPE router. The clock speed (port speed) of the local loop connection to the Frame Relay cloud is known as the local access rate. The local access rate defines the rate at which data can travel into or out of the provider packet-switched network, regardless of other settings.

 

Data-link Connection Identifier

Each virtual circuit endpoint is identified by a data-link connection identifier (DLCI). A DLCI is usually significant only on the local loop. In other words, DLCI numbers are unique within a single Frame Relay switch. However, because there can be many Frame Relay switches within the network, DLCI numbers can be duplicated on other switches.

 


Guaranteed Data Rates

Frame Relay providers offer services with guaranteed average data transfer rates through the provider packet-switched network. This committed information rate (CIR) specifies the maximum average data rate that the network delivers under normal conditions. The CIR is less than or equal to the local access rate. A CIR is assigned to each DLCI that is carried on the local loop. If the stadium attempts to send data at a faster rate than the CIR, the provider network flags some frames with a discard eligible (DE) bit in the frame address header. The network attempts to deliver all frames. However, if there is congestion, it discards any frames marked with the DE bit.

 

Zero CIR

Many inexpensive Frame Relay services are based on a CIR of zero. A zero CIR means that every frame is a DE frame, and the network can throw any frame away when there is congestion. There is no guarantee of service with a CIR set to zero, so these services are not good choices for mission-critical data.

 

Local Management Interface

Local Management Interface (LMI) is a signaling standard between the router (DTE device) and the local Frame Relay switch (DCE device). LMI is responsible for managing the connection and maintaining status between the router and the Frame Relay switch. For example, LMI uses keepalive messages to monitor the status of network connections. LMI adds a set of enhancements, referred to as extensions, to basic Frame Relay. One important LMI extension is the ability to report the status of each virtual circuit as well as the status of the physical connection. LMI standards can differ between networks. Cisco routers support three LMI types: cisco, ANSI Annex D (ansi), and ITU-T Q.933 Annex A (q933a).

 

Congestion Control

To help manage traffic flows in the network, Frame Relay implements two mechanisms:

Forward-explicit congestion notification (FECN)

Backward-explicit congestion notification (BECN)

 

FECN and BECN are each signalled by a single bit in the address field of the Frame Relay frame header.

 

FECN

FECN informs the destination device about congestion on the network path. The FECN bit is part of the Address field in the Frame Relay frame header. The FECN mechanism works in the following way:

 

1. A DTE device sends Frame Relay frames into the network.

 

2. If the network is congested, the DCE devices (switches) set the value of the FECN bit to 1.

 

3. The frames reach the remote destination DTE device.

 

4. The DTE device reads the Address field with the FECN bit set to 1.

 

5. This setting indicates that the frame experienced congestion in the path from source to destination.

 

BECN

BECN informs the source device about congestion on the network path. The BECN bit is also part of the Address field in the Frame Relay frame header. A BECN works in the following way:

 

1. A Frame Relay switch detects congestion in the network.

 

2. It sets the BECN bit to 1 in frames headed in the opposite direction from the frames marked with the FECN bit.

 

3. This setting informs the source DTE device that a particular path through the network is congested.
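The address field described in the FECN and BECN steps above can be decoded and built directly. The following is an added example and is not part of the original notes: it parses and builds the two-byte Q.922 address field (10-bit DLCI, C/R, FECN, BECN, DE, EA bits), shows what a congested switch does to the forward and reverse frames of one PVC, and marks DE on frames that exceed the committed burst. DLCI 100, the frame sizes, and the Tc interval (Bc = CIR × Tc) are assumptions for the demo.

```python
"""Frame Relay (Q.922) two-byte address field: parse, build, mark.

Added example, not from the original notes. The sample frames, DLCI 100 and the
Tc interval are constructed for illustration.
"""

# Layout of the two-byte address field (bit 7 is the MSB of each byte):
#   byte 0: DLCI bits 9..4 | C/R | EA=0
#   byte 1: DLCI bits 3..0 | FECN | BECN | DE | EA=1


def parse_address(hdr: bytes) -> dict:
    """Decode the DLCI and the FECN/BECN/DE bits from a two-byte address field."""
    if len(hdr) != 2:
        raise ValueError("only the two-byte address format is handled here")
    b0, b1 = hdr
    # EA (extended address) must be 0 in the first byte and 1 in the last one.
    if (b0 & 0x01) != 0 or (b1 & 0x01) != 1:
        raise ValueError("bad EA bits: not a two-byte address field")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return {
        "dlci": dlci,
        "cr": (b0 >> 1) & 1,
        "fecn": (b1 >> 3) & 1,
        "becn": (b1 >> 2) & 1,
        "de": (b1 >> 1) & 1,
    }


def build_address(dlci: int, fecn: int = 0, becn: int = 0, de: int = 0, cr: int = 0) -> bytes:
    """Encode a two-byte address field; each of FECN, BECN and DE is a single bit."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((dlci >> 4) << 2) | ((cr & 1) << 1)            # EA = 0
    b1 = ((dlci & 0xF) << 4) | ((fecn & 1) << 3) | ((becn & 1) << 2) | ((de & 1) << 1) | 1  # EA = 1
    return bytes([b0, b1])


def switch_marks_congestion(forward: bytes, reverse: bytes) -> tuple:
    """What a congested switch does on one PVC: set FECN on frames travelling
    toward the destination and BECN on frames of the same PVC travelling back
    toward the source. Returns the two rewritten address fields."""
    f = parse_address(forward)
    r = parse_address(reverse)
    if f["dlci"] != r["dlci"]:
        raise ValueError("forward and reverse frames must belong to the same PVC")
    fwd = build_address(f["dlci"], fecn=1, becn=f["becn"], de=f["de"], cr=f["cr"])
    rev = build_address(r["dlci"], fecn=r["fecn"], becn=1, de=r["de"], cr=r["cr"])
    return fwd, rev


def police_cir(frames, cir_bps: int, tc_s: float) -> list:
    """Mark DE on frames that exceed the committed burst within one interval.

    Bc = CIR * Tc bits may pass unmarked per interval; everything beyond that is
    still forwarded but marked discard eligible. With a CIR of zero every frame
    is DE. frames is a list of (address_field_bytes, payload_bits) for one Tc.
    Tc is an assumption for the demo."""
    bc_bits = cir_bps * tc_s
    used = 0
    out = []
    for hdr, bits in frames:
        fld = parse_address(hdr)
        used += bits
        de = 1 if used > bc_bits else fld["de"]
        out.append(build_address(fld["dlci"], fld["fecn"], fld["becn"], de, fld["cr"]))
    return out
```

Because FECN and BECN are only advisory bits, nothing forces the DTE to slow down; the DE marking is what the provider actually enforces under congestion, which is why a zero-CIR service offers no guarantee at all.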

 

The two possible Frame Relay encapsulations are cisco (the default on Cisco routers) and ietf (RFC 1490/2427, used when the router at the far end is not a Cisco router).

 

Inverse ARP and Frame Relay Maps

Inverse Address Resolution Protocol (Inverse ARP) provides a mechanism to create dynamic DLCI-to-Layer 3 address maps. Inverse ARP works similarly to ARP on an Ethernet local network. With ARP, the sending device knows the Layer 3 IP address. It sends broadcasts to learn the remote data link MAC address. With Inverse ARP, the router learns the Layer 2 address, which is the DLCI. It sends requests for the remote Layer 3 IP address.

 

When an interface on a Cisco router is configured to use Frame Relay encapsulation, Inverse ARP is on by default. It is possible to manually configure a static mapping for a specific DLCI. Static mapping is used if the router at the other end does not support Inverse ARP.

 

To avoid the problems caused by split horizon, the physical interface is divided into logical subinterfaces. The two types of Frame Relay subinterfaces are point to-point and multipoint.

 

Point-to-point

With point-to-point subinterfaces, a single subinterface is used to establish one permanent virtual circuit (PVC) connection to another physical interface or subinterface on a remote router. Each pair of interfaces is in its own subnet, and each interface has a single DLCI. Broadcasts are not a problem in this environment because the routers are connected in a point-to-point manner and act like leased lines.

 

Multipoint

With multipoint subinterfaces, a single subinterface is used to establish multiple PVC connections to multiple physical interfaces or subinterfaces on remote routers. This configuration does not solve the problems with split horizon. Split horizon must be turned off for distance vector routing protocols to work with multipoint links.

 

Split horizon stops routing table updates from going out of the same interface on which they were received.


 

A floating static route is a static route that has an administrative distance greater than the administrative distance of the corresponding dynamic routes.

 

Use the show interfaces serial command to confirm that the interface and line protocol are up and that the LMI type matches the one the provider uses.

Use the show frame-relay pvc command: a PVC status of DELETED can indicate that the DLCI configured on the CPE device does not match the DLCI assigned to the circuit.

 

Verify LMI Operation

Use the show frame-relay lmi command and look for a non-zero value in any of the Invalid counters. Also make sure that the LMI type is correct for the circuit.

 

In the LMI counters, Out means messages sent by the router and In means messages received from the switch.

 

The common values of the DLCI status field are:

0x0: Added and inactive – the switch has this DLCI programmed but it is not usable.

0x2: Added and active – the Frame Relay switch has the DLCI and everything is operational.

0x4: Deleted – the Frame Relay switch does not have this DLCI programmed for the router. This status can happen if the DLCIs are reversed on the router or if the PVC was deleted in the Frame Relay cloud.

 

A type 0 message is a full LMI status message.

A type 1 message indicates a keepalive LMI exchange.

 

The Cisco EasyVPN Solution

 

To ensure that the VPN can support the mobile team scouts, ease of deployment is important. There are two components of Cisco EasyVPN:

 

Cisco EasyVPN Server – This server can be a router or a dedicated VPN gateway, such as a PIX firewall or a VPN concentrator. A VPN gateway using Cisco EasyVPN Server software can terminate remote access VPNs and site-to-site VPN connections.

Cisco EasyVPN Remote – Cisco EasyVPN Remote enables remote devices to receive security policies from a Cisco EasyVPN Server. This minimizes configuration requirements at the remote VPN location. Cisco EasyVPN Remote allows the VPN parameters to be pushed from the server to the remote device. VPN parameters include internal IP addresses, internal subnet masks, and DHCP server addresses.

 

The Diffie-Hellman (DH) key agreement is a public key exchange method. It lets two peers establish a shared secret key, known only to them, while communicating over an unsecured channel: each peer transmits only its public value, and the private exponents never cross the wire. Diffie-Hellman groups specify the size of the modulus, and so the strength, of the exchange:

  • · DH group 1 – Uses a 768-bit modulus.
  • · DH group 2 – Cisco IOS, PIX Firewall, and Cisco Adaptive Security Appliance (ASA) devices only. Uses a 1024-bit modulus.
  • · DH group 5 – Supported if the software system requirements are met. Uses a 1536-bit modulus.

Groups 1 and 2 are below current minimum recommendations; where the software supports it, prefer a 2048-bit group (group 14) or larger.
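The exchange itself, with both peers' messages, as an added example that is not part of the original notes. The prime used here is a toy value (an assumption for the demo, not an IKE group) deliberately chosen so that an eavesdropper who captured only the two public values can brute-force the discrete logarithm in milliseconds; the same attack against a properly sized group is infeasible, which is the whole point of the group numbers above.

```python
"""Diffie-Hellman over an unsecured channel, and why the group size matters.

Added example, not from the original notes. TOY_P and TOY_G are assumptions
for the demo; real IKE groups use 768/1024/1536-bit or larger primes.
"""
import secrets

TOY_P = 7919   # a small prime (toy group, NOT an IKE group)
TOY_G = 2


def dh_exchange(p: int = TOY_P, g: int = TOY_G) -> tuple:
    """Run one exchange. Returns (A, B, shared_alice, shared_bob).

    A and B are the only values that cross the wire; the private exponents
    a and b stay on their respective peers."""
    a = secrets.randbelow(p - 2) + 1   # Alice's private value, never transmitted
    b = secrets.randbelow(p - 2) + 1   # Bob's private value, never transmitted
    A = pow(g, a, p)                   # Alice -> Bob
    B = pow(g, b, p)                   # Bob   -> Alice
    shared_alice = pow(B, a, p)        # (g^b)^a mod p
    shared_bob = pow(A, b, p)          # (g^a)^b mod p
    return A, B, shared_alice, shared_bob


def eavesdropper_recover(A: int, B: int, p: int = TOY_P, g: int = TOY_G):
    """An attacker who saw only A and B tries every exponent x until
    g^x == A, then computes B^x, which is the peers' shared secret.

    This is O(p) work: trivial for a toy prime, hopeless for a 1024-bit one.
    Returns None if no exponent matches (cannot happen for a valid A)."""
    for x in range(1, p):
        if pow(g, x, p) == A:
            return pow(B, x, p)
    return None
```

Run `dh_exchange()` once and feed the two public values to `eavesdropper_recover`; the recovered value equals the shared secret on both sides, which is exactly what a sufficiently large modulus prevents.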


VPNs have two important components:

  • · Tunneling to create the virtual network
  • · Encryption to enable privacy and security

 

Virtual Network

To build a virtual network, a tunnel is created between the two endpoints. In a site-to-site VPN, hosts send and receive normal TCP/IP traffic through a VPN gateway. A gateway can be a router, firewall, VPN concentrator, or security appliance. The gateway is responsible for encapsulating outbound traffic from one site and sending it through a tunnel over a network to a peer gateway at the remote site. A tunnel by itself may not guarantee security. The tunnel simply creates an extension of the local network across the WAN or public network. Tunnels can carry either encrypted or unencrypted content. Upon receipt, the remote peer gateway strips the headers, decrypts the packet, and relays it toward the target host inside its private network. In a remote-access VPN, the VPN client on the user computer contacts the gateway to set up the tunnel.

 

The most common encryption methods used for VPNs are:

Data Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES), and Rivest, Shamir, and Adleman (RSA).

 

Keyed-Hash Message Authentication Code (HMAC) is a data integrity algorithm: a keyed hash that provides integrity and data-origin authentication, because only a party holding the shared key can produce a valid tag. There are two common HMAC algorithms:

  • · HMAC-Message Digest 5 (HMAC-MD5) – This algorithm uses a 128-bit shared secret key. The variable-length message and the 128-bit shared secret key are combined and run through the HMAC-MD5 algorithm. The output is a 128-bit hash, which is appended to the original message and forwarded to the remote end.
  • · HMAC-Secure Hash Algorithm 1 (HMAC-SHA-1) – This algorithm uses a 160-bit shared secret key. The variable-length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 algorithm. The output is a 160-bit hash, which is appended to the original message and forwarded to the remote end.
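The tag-append-verify procedure just described, as an added example that is not part of the original notes. It uses Python's standard hmac and hashlib modules with the key sizes given above, and shows that a modified byte or a different key makes verification fail. The key and message are constructed for the demo.

```python
"""HMAC-MD5 / HMAC-SHA-1: append a tag on send, recompute and compare on receipt.

Added example, not from the original notes. Keys and messages are constructed.
"""
import hashlib
import hmac
import secrets

KEY_SIZES = {"md5": 16, "sha1": 20}   # 128-bit and 160-bit keys, as in the notes


def make_key(alg: str) -> bytes:
    """Generate a shared secret of the size the notes give for each algorithm."""
    return secrets.token_bytes(KEY_SIZES[alg])


def protect(message: bytes, key: bytes, alg: str = "sha1") -> bytes:
    """What the sending peer transmits: the message with the HMAC tag appended."""
    tag = hmac.new(key, message, getattr(hashlib, alg)).digest()
    return message + tag


def verify(blob: bytes, key: bytes, alg: str = "sha1"):
    """Split the received blob into message and tag and recompute the tag.

    Returns the message if the tag checks out, None otherwise. compare_digest
    runs in constant time, so the comparison does not leak the tag byte by byte."""
    tag_len = hashlib.new(alg).digest_size
    if len(blob) < tag_len:
        return None
    message, tag = blob[:-tag_len], blob[-tag_len:]
    expected = hmac.new(key, message, getattr(hashlib, alg)).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return message
```

Two practical notes: IPsec transmits only the first 96 bits of either tag (HMAC-MD5-96 and HMAC-SHA-1-96, RFC 2403 and RFC 2404), and although collision attacks on MD5 and SHA-1 do not break their HMAC forms in practice, new deployments should use HMAC-SHA-256 or stronger where the peers support it.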

 

IPSec

IPSec is a framework of open standards. It provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at Layer 3.

 

IPSec relies on existing algorithms to implement the encryption, authentication, and key exchange. When configuring the VPN server, the following settings must be configured:

  • · An IPSec protocol – The choices are Encapsulating Security Payload (ESP), Authentication Header (AH), or ESP with AH.
  • · An encryption algorithm that is appropriate for the desired level of security – The choices are DES, 3DES, or AES.
  • · An authentication algorithm to provide data integrity – The choices are MD5 or SHA (used as HMACs).
  • · A Diffie-Hellman group – The choices are DH1, DH2, and DH5, if supported.

 

IPSec can use Internet Key Exchange (IKE) to handle negotiation of protocols and algorithms. IKE can also generate the encryption and authentication keys that IPSec uses.

 

Encryption algorithms

Data Encryption Standard (DES) algorithm – DES was developed by IBM. DES is a symmetric key cryptosystem that uses a 56-bit key. It is fast, but a 56-bit key is small enough to be brute-forced with modern hardware, so DES on its own is no longer considered secure.

Triple DES (3DES) algorithm – 3DES is a variant of 56-bit DES and is also a symmetric key cryptosystem. 3DES operates similarly to DES, in that data is broken into 64-bit blocks. 3DES then processes each block three times, each time with an independent 56-bit key. 3DES provides significantly more encryption strength than 56-bit DES.

 

Advanced Encryption Standard (AES): The National Institute of Standards and Technology (NIST) adopted AES (FIPS 197, 2001) to replace DES in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three key lengths: 128-, 192-, and 256-bit keys.

 

Rivest, Shamir, and Adleman (RSA): RSA is an asymmetric key cryptosystem. It uses key lengths of 512, 768, 1024 bits or larger; 512- and 768-bit RSA keys are far too short for current use, and 2048 bits is the usual minimum today. IPSec does not use RSA for data encryption. IKE uses RSA only during the peer authentication phase (RSA signatures or RSA-encrypted nonces).

 

VPN Tunnel Protocols

Generic Routing Encapsulation (GRE) tunnels provide a specific pathway across the shared WAN. They encapsulate traffic with new packet headers to ensure delivery to specific destinations. The network is private only in the sense that traffic can enter a tunnel at one endpoint and leave only at the other. Tunnels do not provide true confidentiality (as encryption does) but can carry encrypted traffic.

 

IP Security (IPSec) acts at the Network Layer, protecting and authenticating IP packets between participating IPSec devices (peers). IPSec is not bound to any specific encryption, authentication, security algorithms, or keying technology. IPSec is a framework of open standards.

 

Layer 2 Forwarding Protocol (L2F) is a protocol developed by Cisco that supports the creation of virtual private dialup networks over the Internet by tunneling Layer 2 frames. L2F provides tunneling only; it has no encryption of its own.

 

Point-to-Point Tunneling Protocol (PPTP) was developed by Microsoft. It is described in RFC 2637. PPTP is widely deployed in Windows client software to create VPNs across TCP/IP networks. The MS-CHAP v2 authentication and MPPE encryption normally used with PPTP are cryptographically weak, so PPTP should not be chosen for new deployments.

 

Layer 2 Tunneling Protocol (L2TP) is an IETF standard that incorporates the best attributes of PPTP and L2F. L2TP is used to tunnel Point-to-Point Protocol (PPP) through a public network, such as the Internet, using IP. Because the tunnel operates at Layer 2, the upper-layer protocols are unaware of the tunnel. Like GRE, L2TP can encapsulate any Layer 3 protocol. L2TP itself does not encrypt; for confidentiality it is normally combined with IPSec (L2TP/IPSec).

 

 

 

Split tunneling allows users to send only the traffic that is destined for the corporate network across the tunnel. All other traffic is sent to the Internet via the local LAN of the VPN client. Examples of other traffic include instant messaging, email, and casual web browsing. If split tunneling is configured on the VPN server, Cisco VPN client software can be configured for split tunnels by enabling the Allow Local LAN Access option. Split tunneling increases security risk, because the client is exposed to the Internet and connected to the protected network at the same time: a client compromised from the Internet side becomes a bridge into the secured network.

 

VPN Server Placement

Often, VPN servers are placed at the WAN edge of a network. In these cases, firewalls or ACLs are used to ensure that VPN users have access only to appropriate network resources.

 

If the stadium management chooses to install a local VPN server, the designer recommends placing the VPN server on the same device that is providing firewall filtering for servers. The remote user traffic can be decrypted and filtered before being sent to the server.

CCNA4 – CH7

October 27, 2009 by Siu Chung

There are two common methods used to test a network design:

Building a prototype network – A prototype network consists of only the portion of the network necessary to test a particular function or capability. Prototype networks are separate from the existing network.

Installing a pilot network – A pilot is a test of new functionality or capability using a portion of the existing network.

 

When to Create a Pilot?

When the prototype is not big enough to test functionality - Testing the operation of a routing protocol in a network with one hundred routers may not be feasible in a prototype.

When the performance of the network is dependent on the operation of a specific device or third-party technology - An example is an expensive video scoreboard or a third-party provided WAN link.

 

The only major design change that requires a pilot is the installation of the Frame Relay connection to the remote sites. A pilot is a good choice to test this connection because it tests the actual connection quality as well as the device configuration and functionality.

Test plan

The network designer creates a test plan before beginning the process, to ensure that the goals of the test are clear and measurable.

 

Benefits of Prototyping

Prototyping demonstrates to both the customer and the network designer that the network design meets the business goals and technical requirements. It also creates an opportunity to compare different design options to see which one performs best.

The designer then works with the NetworkingCompany staff to set up and perform the test plan. They discuss the methods for measuring the prototype network functions under different conditions.

 

Basic Connectivity

Methods used to verify basic connectivity include:

  • · Visually inspecting LED indicators on NICs and networking devices.
  • · Using console connections to devices to verify the status of the interfaces.
  • · Using show commands to provide information about directly connected devices. Router show commands commonly used to see locally attached devices include show cdp neighbors and show ip arp.

 

There are common tools available for analyzing the performance of the prototype network.

Cisco IOS Commands

  • · The show commands display the current state of interfaces, protocols, routing tables, CPU and memory utilization, and many other variables.
  • · The debug commands enable the network designer and the NetworkingCompany staff to view the processing of information in real time.
  • · Software logging functions save and display valuable information for later analysis.

IP Utilities and Tools

Two of the best-known network connectivity and reachability testing commands are ping and traceroute.

Protocol Analyzers

In a prototype, protocol analyzers verify that packets and frames contain the correct information. Protocol analyzers help detect the presence of certain traffic types, such as broadcast and ARP, that are difficult to identify without examining data at the packet or frame level.

 

 

 

 

 

 

Load Balancing

  • · Because of STP operation, simple redundant links between Layer 2 switches cannot be used for load balancing.
  • · Equal-cost routed links, and Layer 2 and Layer 3 links configured as part of an EtherChannel, can be used to load balance traffic during normal operation. They can also forward traffic in the event of a link failure.

 

Some possible design weaknesses and their associated risks include:

Large failure domains – If a single point of failure, such as a non-redundant Internet connection, can adversely affect a large portion of the network, the risk that such a failure will have a major impact on the business increases.

Possible bottlenecks - Some areas may be vulnerable to congestion if traffic volumes increase, creating a risk that response time will seriously degrade.

Limited scalability - Areas or devices can present scalability problems if the network grows faster than anticipated. The lack of scalability can require a network redesign or costly upgrade.

Existing staff capabilities - Prototypes sometimes indicate that the network configurations are too complex for the existing staff to support and troubleshoot. In cases like this, a risk exists until staff receives the appropriate training or a new support strategy is in place.

 

Simulating a Three-Layer Hierarchy

For the purpose of the prototype, the three-layer hierarchy can be simulated using two Layer 2 devices and four Layer 3 devices. The designer chooses Layer 2 switches to simulate the Access Layer and uses Layer 3 switches or routers to simulate the Distribution and Core Layers.

 

Recording Risks and Weaknesses

In the Conclusion section of the test plan, the network designer and the NetworkingCompany staff record their observations and opinions about the results of the testing. An important part of this section is the analysis of risks and weaknesses in the design.

 

Baseline Measurements

It is important to develop the baseline measurements of the prototype network. The results observed during the various tests are then compared to the original configuration. In this way, the staff can identify and record any processes or functions that increase processor usage or decrease available bandwidth.

 

Per VLAN Rapid Spanning Tree Plus

The RSTP (802.1w) standard assumes only one spanning-tree instance for the entire switched network. This is regardless of the number of VLANs. The Cisco implementation of RSTP is Per VLAN Rapid Spanning Tree Plus (PVRST+). PVRST+ defines a Spanning Tree Protocol that has one instance of RSTP per VLAN. Cisco documentation often refers to this implementation as RSTP.

 

Commands:

spanning-tree mode rapid-pvst

show spanning-tree vlan vlan-id [detail]

debug spanning-tree pvst+

 

Port Roles

RSTP defines the following port roles:

Root- A forwarding port elected for every non-root switch that gives the least-cost path to the root switch.

Designated- A forwarding port elected for every switched LAN segment based on the best bridge protocol data unit (BPDU). This port is the least-cost path to the root switch from the LAN segment.

Alternate- An alternate path to the root switch for a non-root switch that is different from the path that the root port takes. This port is blocked for forwarding traffic.

Backup- A backup path that provides a redundant, but less desirable, connection to a segment to which another port on the non-root switch already connects. This port is blocked. (Backup ports can only exist where two ports are connected together in a loopback by a point-to-point link or bridge with two or more connections to a shared LAN segment.)

Disabled- A port that has no role within the operation of spanning tree.

 

 

Root and designated port roles include the port in the active topology. Alternate and backup port roles exclude the port from the active topology.

CCNA4-Ch6

October 27, 2009 by Siu Chung

The allocation of IP addresses must be planned and documented to:

  • · Prevent duplication of addresses
  • · Provide and control access
  • · Monitor security and performance
  • · Support a modular design
  • · Support a scalable solution that uses route aggregation

 

Using a Hierarchal IP Addressing Scheme

A network with the correct allocation and deployment of IP address blocks has the following characteristics:

  • · Routing stability
  • · Service availability
  • · Network scalability
  • · Network modularity

Using a hierarchical IP addressing scheme for the stadium network makes it easier to increase the size of the network and also makes it easier to perform route summarization.

 

Disabling Automatic Summarization

Router(config-router)#no auto-summary

 

 

Variable Length Subnet Mask (VLSM)

  • · Using VLSM eliminates the requirement that all subnets of the same parent network have the same number of host addresses and the same prefix length.
  • · VLSM affords more efficient use of IP address space.
  • · VLSM also enables routers to summarize routes on boundaries that are not the classful boundaries.

Classless InterDomain Routing (CIDR)

  • · When VLSM is used in the IP addressing scheme, the designer must use a routing protocol that supports CIDR.
  • · Classful routing protocols do not send subnet mask or prefix length information in routing updates; they depend on the default subnet masks to determine the network portion of the IP addresses.
  • · Classless routing protocols send the prefix length along with the route information in routing updates, so receivers determine the network portion of the address without using the default masks.

CIDR and Summarization

  • · Route summarization is also known as route aggregation.
  • · It is the process of advertising a set of contiguous addresses as a single entry with a shorter, less specific subnet mask or prefix.
  • · Because CIDR ignores classful boundaries, it enables summarization with prefixes shorter than the default classful mask.
  • · A network address with a prefix length shorter than the default classful prefix length is referred to as a supernet.
  • · This type of summarization reduces the number of entries in routing updates and lowers the number of entries in local routing tables. The result is faster routing table lookups.
  • · A summary should cover only address space the advertising router actually has routes for; a summary that also covers unused space attracts traffic the router cannot deliver, which is why a discard (null) route for the summary is the usual safeguard.
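Computing the summary for a set of contiguous networks, as an added example that is not part of the original notes. It finds the shortest single prefix that covers all the given IPv4 networks, reports whether the summary is exact (covers only the listed space) and whether it is a supernet of the classful default. The sample blocks are constructed.

```python
"""Route summarization: shortest single prefix covering a set of IPv4 networks.

Added example, not from the original notes. Sample address blocks are constructed.
"""
import ipaddress


def classful_prefix_len(net: ipaddress.IPv4Network) -> int:
    """Default classful mask length (A=8, B=16, C=24) for the network's first octet."""
    first = int(net.network_address) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    return 24


def summarize(networks) -> ipaddress.IPv4Network:
    """Return the tightest single prefix that contains every given network.

    Starts from the first network's own prefix and shortens the mask one bit at
    a time until all networks are inside the candidate."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    if not nets:
        raise ValueError("nothing to summarize")
    base = int(nets[0].network_address)
    plen = nets[0].prefixlen
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        plen -= 1
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        candidate = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(base & mask)}/{plen}")
    return candidate


def summary_report(networks) -> dict:
    """Summary plus the two checks a designer wants before advertising it."""
    s = summarize(networks)
    listed = sum(ipaddress.IPv4Network(n).num_addresses for n in networks)
    return {
        "summary": str(s),
        # False means the summary also advertises space not in the list.
        "exact": listed == s.num_addresses,
        # True means the prefix is shorter than the classful default (a supernet).
        "supernet": s.prefixlen < classful_prefix_len(s),
    }
```

The "exact" flag is the check worth automating: an inexact summary is sometimes intended (room for growth), but it should be a decision, not an accident.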

 

 

When creating an IP addressing scheme, the designer follows these steps:

  • · Step 1: Plan the entire addressing scheme before assigning any addresses.
  • · Step 2: Allow for significant growth.
  • · Step 3: Begin with the Core network summary addresses and work out to the edge.
  • · Step 4: Identify which machines and devices require statically assigned addresses.
  • · Step 5: Determine where and how dynamic addressing is implemented.

These considerations apply whether the designer is using public or private addressing.

Network address design is determined by several criteria:

  • · The number of hosts and networking devices that are currently supported on the network.
  • · How much growth is anticipated.
  • · The number of hosts that must be reachable from networks that are not part of the local LAN or Intranet.
  • · The physical layout of the network.
  • · The routing and security policies that are in place.

 

Each wiring closet has a minimum of four subnets:

  • · Data
  • · IP Voice
  • · Video surveillance and game video
  • · Network management services

For each location within the network, the designer records the following information:

Location and Description

The designer identifies each location by documenting the wiring closet or data centre room number and a description of the area of the stadium to which the wiring closet connects.

VLAN or Network Type

  • · Documenting the type of VLAN or network enables the designer to accurately estimate the potential growth in the number of hosts.
  • · A data VLAN may increase in size more than a VLAN supporting IP telephones.
  • · A point-to-point Layer 3 network usually does not expand beyond the two original host addresses.

Number of Networks and Hosts per Network

Next, the designer counts and lists the number of networks and the number of hosts per network that exist in the new design. This count represents the current address requirements. The designer can then estimate the growth in each area to determine the size of the IP network or subnet.

EIGRP Load Balancing

  • · Redundant and backup links are necessary to meet the availability requirements.
  • · EIGRP is a good choice because it can support load balancing over these additional links. By default, EIGRP installs up to four equal-cost paths to the same destination in the routing table.
  • · To control the number of routes EIGRP installs, the maximum-paths command is used (1 to 6 on the IOS releases this chapter covers; newer releases allow more).
  • · maximum-paths 1 disables load balancing, since only one route can be installed in the routing table for a specific destination.

Unequal Cost Load Balancing

  • · Because the backup links do not always have the same routing cost as the primary links, traffic is not load balanced across the backup links by default.
  • · A variance is a multiplier that EIGRP uses to decide whether to install a specific route in the routing table so that it is available for load balancing.
  • · A route qualifies when two conditions hold: its reported distance (the neighbor's own metric to the destination) is lower than the feasible distance of the best route (the feasibility condition, which prevents loops), and its own metric is lower than the variance times the best route's metric.

Router(config-router)# variance multiplier   (multiplier is 1 to 128)

Splitting traffic in this way prevents a single path from being overburdened by heavy traffic when alternate paths are available.
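The selection rule above, applied to a set of candidate routes, as an added example that is not part of the original notes. The function returns the next hops EIGRP would install for a given variance and maximum-paths; the router names and metric values are constructed assumptions.

```python
"""EIGRP unequal-cost load balancing: which candidate routes get installed.

Added example, not from the original notes. The candidate list and its metric
values are constructed assumptions.
"""

# Each candidate: (next_hop, feasible_distance, reported_distance)
# FD = this router's metric via that neighbor; RD = the neighbor's own metric.
SAMPLE = [
    ("R2", 20000, 10000),   # best path -> successor
    ("R3", 30000, 15000),   # feasible successor (RD 15000 < successor FD 20000)
    ("R4", 35000, 25000),   # RD 25000 >= 20000 -> fails feasibility, never used
    ("R5", 70000, 5000),    # feasible, but needs variance 4 or more
]


def eigrp_installed_routes(candidates, variance: int = 1, maximum_paths: int = 4) -> list:
    """Return the next hops EIGRP would put in the routing table, best first.

    A path is installed when it is the best path (or equal cost to it), or when
    (1) its reported distance is lower than the successor's feasible distance
    (feasibility condition, guards against loops) and (2) its own metric is
    lower than variance * successor FD. variance 1 allows equal cost only;
    maximum_paths 1 disables load balancing altogether."""
    if not 1 <= variance <= 128:
        raise ValueError("variance must be 1-128")
    if maximum_paths < 1:
        raise ValueError("maximum-paths must be at least 1")
    if not candidates:
        return []
    ranked = sorted(candidates, key=lambda c: c[1])
    successor_fd = ranked[0][1]
    chosen = []
    for hop, fd, rd in ranked:
        equal_cost = fd == successor_fd
        feasible = rd < successor_fd and fd < variance * successor_fd
        if equal_cost or feasible:
            chosen.append(hop)
    return chosen[:maximum_paths]
```

Note that R4 never qualifies no matter how large the variance is: the feasibility condition, not the variance, is what keeps a potentially looping path out of the table.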

 

Authentication

There are two types of neighbor authentication: plain text authentication and Message Digest 5 (MD5) authentication. Plain text authentication sends the password in the clear and only guards against accidental adjacencies. Using MD5 authentication is the recommended practice, because the key itself is never transmitted: each update carries a keyed hash computed over the update and the key, so the password cannot be intercepted and read in transit.

Key Management

  • · RIPv2 and EIGRP routing protocols offer the additional function of managing keys by using key chains.
  • · Every key definition must specify the time interval when the key is active (its "lifetime"). During a given key's lifetime, routing update packets are sent with the activated key. It is recommended that key activation times overlap, to avoid any period of time for which no key is active.
  • · If a time period occurs during which no key is active, neighbor authentication cannot occur, and routing updates fail.
  • · To set the time period during which an authentication key on a key chain is valid to be sent, use the send-lifetime command. The accept-lifetime command sets the time during which the router accepts updates with the key. The default value for both commands is forever.
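A lifetime-gap check for a key chain, as an added example that is not part of the original notes. Given each key's send-lifetime (ISO timestamps, None for infinite), it reports the intervals during which no key would be active, which is exactly when neighbor authentication and routing updates would fail. The sample key chain is constructed.

```python
"""Key-chain lifetime check: find intervals during which no key is active.

Added example, not from the original notes. SAMPLE_CHAIN is constructed; each
entry is (key id, start, end) with ISO timestamps and end=None meaning infinite.
"""
from datetime import datetime

SAMPLE_CHAIN = [
    (1, "2009-10-01T00:00", "2009-11-01T00:00"),
    (2, "2009-10-30T00:00", "2009-12-01T00:00"),   # overlaps key 1 by two days: good
    (3, "2009-12-03T00:00", None),                  # but nothing covers Dec 1 - Dec 3
]


def _parse(chain) -> list:
    """Convert the ISO strings to datetimes and order the keys by start time."""
    out = []
    for key_id, start, end in chain:
        out.append((key_id,
                    datetime.fromisoformat(start),
                    None if end is None else datetime.fromisoformat(end)))
    return sorted(out, key=lambda k: k[1])


def active_keys(chain, at: str) -> list:
    """Key ids whose lifetime covers the instant `at` (ISO timestamp)."""
    t = datetime.fromisoformat(at)
    return [k for k, start, end in _parse(chain) if start <= t and (end is None or t < end)]


def lifetime_gaps(chain) -> list:
    """Return [(gap_start, gap_end)] where no key is active; gap_end None = forever.

    Walks the keys in start order, tracking how far the chain is covered.
    A key that starts after the current coverage ends leaves a gap; a key
    with no end extends coverage forever and stops the search."""
    ordered = _parse(chain)
    if not ordered:
        raise ValueError("empty key chain")
    covered_until = ordered[0][1]
    gaps = []
    for _, start, end in ordered:
        if covered_until is None:
            break
        if start > covered_until:
            gaps.append((covered_until, start))
        if end is None:
            covered_until = None
        elif end > covered_until:
            covered_until = end
    if covered_until is not None:
        gaps.append((covered_until, None))   # every key expires: gap forever
    return [(a.isoformat(timespec="minutes"),
             None if b is None else b.isoformat(timespec="minutes")) for a, b in gaps]
```

Run the same check on the accept-lifetimes as well; in practice the accept window is made wider than the send window on both peers so that clock skew between routers does not open a gap that the send-side check alone would not show.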

Route summarization occurs at the Layer 3 devices that act as gateways for multiple contiguous IP networks. These summary routes are then advertised toward the Core Layer of the network.

EIGRP enables classless summarization with masks that differ from the default classful mask, which reduces the number of entries in routing updates and lowers the number of entries in local routing tables.

EIGRP includes an automatic route summarization feature. However, this automatic summarization occurs only at the default classful network boundary. This feature is not appropriate for the stadium network design. To be able to summarize the subnets of the proposed Class B addressing scheme, the automatic route summarization in EIGRP must be disabled.


There are two primary types of network names to assign:

  • · Internal Device Names – These names are seen only by administrators. Router and switch hostnames are examples of internal names.
  • · External Names – These names can be viewed by users on the network. The Windows device name shown in Network Neighborhood is an example. DNS names are also external names.

Naming Guidelines

Common sense often dictates a naming scheme. A good naming scheme follows these guidelines:

  • · Keep the names as short as possible; fewer than twelve characters is recommended.
  • · Indicate the device type, purpose, and location with codes, rather than words or abbreviations.
  • · Maintain a consistent scheme. This makes it easier to sort and report on the devices, and to set up management systems.
  • · Document the names in the IT department files and on the network maps.
  • · Avoid names that make it easy to find protected resources.

Hackers can sometimes get enough information from the network names alone to find targets and exploit known vulnerabilities. An exception can be made for external DNS names, which must be easy to remember and use.

Mobility and Security

Mobility enables people with mobile network devices to move around in networks. Mobile IP is an IETF standard that is available for both IPv4 and IPv6. This standard enables mobile devices to move without breaks in established network connections. IPv4 does not support this kind of mobility. Mobility is an IPv6 feature.

IPSec is the IETF standard for IP network security. It is available for both IPv4 and IPv6. The IP network security functions are essentially identical in both environments. IPSec is more tightly integrated in IPv6 and can be enabled on every IPv6 node.

Simpler Header

The header used for IPv6 increases routing efficiency by reducing the number of entries in the routing tables.

No broadcasts are associated with IPv6. With IPv4, the broadcasts created generate a high level of traffic within the network. This traffic can create an event known as a broadcast storm, in which the entire network ceases to function. IPv6 replaces broadcasts with multicasts and anycasts.

Address Formatting

An IPv6 address is written as eight 16-bit hexadecimal fields separated by colons. The hexadecimal digits A, B, C, D, E, and F in IPv6 addresses are not case-sensitive.

Unlike IPv4, the IPv6 address string format is not fixed. The following guidelines are used for IPv6 address string notations:

  • · The leading 0s in a field are optional: 09C0 equals 9C0 and 0000 equals 0.
  • · One or more consecutive groups of 0s can be omitted and replaced with “::”. Only one “::” is allowed in an address.
  • · The unspecified address is written as “::” because it contains only 0s.
  • · Using the “::” notation greatly reduces the size of most addresses. For example, FF01:0:0:0:0:0:0:1 becomes FF01::1.

IPv6 defines three types of addresses:

  • · Unicast sends packets to one specific device with one specific address.
  • · Multicast sends a packet to every member of a group.
  • · Anycast addresses send a packet to any one member of the group of devices that has an anycast address assigned.
  • · For efficiency, a packet that is sent to an anycast address is delivered to the closest interface. For that reason, anycast can also be thought of as a one-to-nearest type of address.

The basic types of IPv6 unicast addresses are:

Global Unicast Addresses

  • · A global unicast IPv6 host address is the equivalent of a registered IPv4 host address.
  • · Registered IPv6 host addresses are referred to as global unicast addresses.
  • · The global unicast address block is structured to enable the aggregation of routing prefixes. This aggregation reduces the number of entries in the routing table.
  • · Global unicast addresses are aggregated upward through organizations and eventually to the ISPs.

Reserved Addresses

  • · In contrast to IPv4, IPv6 supports significantly more reserved addresses for various uses.
  • · IPv6 reserves 1/256th of the total IPv6 address space.
  • · Some of the other types of IPv6 addresses come from this block, such as private and loopback addresses.
  • · The IPv6 addresses set aside for private use have a first octet value of FE in hexadecimal notation. The next hexadecimal digit is a value from 8 to F.

Transition Richness

There are several ways to integrate an IPv6 structure into an existing IPv4 network. The three most common transition methods are:

  • · Dual stack
  • · Tunneling
  • · Proxying and translation

Dual stack:

Both IPv4 and IPv6 configurations are implemented on a network device, and both protocol stacks run on the same device. This method enables IPv4 and IPv6 to coexist.

Tunneling:

A technique that is becoming more prominent as the adoption of IPv6 grows.

Tunneling is the encapsulation of one protocol's packet within another protocol. For example, an IPv6 packet can be encapsulated within an IPv4 packet.

Cisco IOS Releases 12.3(2)T and later include Network Address Translation-Protocol Translation (NAT-PT) between IPv6 and IPv4. This translation allows direct communication between hosts that use different versions of the IP protocol.

To activate IPv6 on a router, follow these two basic steps:

Step 1: Enable IPv6 routing with the ipv6 unicast-routing command.

Step 2: Configure interfaces to support IPv6.

Interface identifiers in IPv6 addresses are used to identify interfaces on a link. They can be thought of as the host portion of an IPv6 address. Interface identifiers have to be unique, are always 64 bits, and can be dynamically derived from Layer 2 media and encapsulation.

 

The ipv6 address command configures a global IPv6 address on an interface:

RouterX(config-if)# ipv6 address 2001:DB8:2222:7272::72/64

 

Another option is to configure only the network portion of the address and let the router generate the EUI-64 interface identifier. On an Ethernet network, the host portion of the address in EUI-64 format is built from the MAC address of the device.

The EUI-64 method uses the ipv6 address ipv6-prefix/prefix-length eui-64 command:

RouterX(config-if)# ipv6 address 2001:DB8:c18:1::/64 eui-64
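To see what the router actually derives from the MAC address, the modified EUI-64 construction (split the MAC, insert ff:fe, invert the universal/local bit) can be reproduced in a few lines. The following Python is an added example for these notes, not Cisco code; the MAC address and the function names are constructed for illustration, and the prefix is the one from the command above.

```python
import ipaddress
import re

def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (as an int) from a 48-bit MAC.
    Accepts 00:12:7f:2a:3b:4c, 00-12-7f-2a-3b-4c or Cisco 0012.7f2a.3b4c notation."""
    octets = bytearray(bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac)))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]   # OUI, then ff:fe, then the device part
    eui[0] ^= 0x02                                 # invert the universal/local bit
    return int.from_bytes(eui, "big")

def eui64_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface id, as
    'ipv6 address PREFIX/64 eui-64' does on an Ethernet interface."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def mac_from_eui64(address):
    """Recover the MAC from an EUI-64 derived address, or None if the low
    64 bits do not carry the ff:fe marker. This is why such addresses expose
    the hardware identity of a host to anyone who sees its traffic."""
    iid = (int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                                 # undo the universal/local inversion
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    # Constructed MAC for the example (not a real device).
    addr = eui64_address("2001:DB8:c18:1::/64", "0012.7f2a.3b4c")
    print("derived address:", addr)
    print("MAC recovered from it:", mac_from_eui64(str(addr)))
```

Because the MAC survives in the address, EUI-64 identifiers stay constant across networks and are trivially linked back to a device; that is the trade-off to weigh against the convenience of not assigning host identifiers by hand.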

 

To resolve host names to IPv6 addresses locally, use the ipv6 host name ipv6addr command.

To specify an external DNS server to resolve IPv6 addresses, use the ip name-server address command.

Configuring name resolution is a convenience for a technician who uses the router to access other devices on the network by name. It does not affect the operation of the router, and the router does not advertise this DNS server to DHCP clients.

Configuring and Verifying RIPng for IPv6

The syntax used to configure RIPng for IPv6 is similar to IPv4, but there are important differences. IPv4 uses the network command to identify which interfaces are included in the routing update. IPv6 uses the command ipv6 rip tag enable in interface configuration mode to enable RIPng on an interface.

 

The tag parameter that is used for the ipv6 rip enable command must match the tag parameter in the ipv6 router rip command.

 

To verify the configuration of RIPng, use the show ipv6 rip command or the show ipv6 route rip command. Enabling RIPng on an interface automatically creates the router rip process as needed.

RIPng for IPv6 Configuration

On directly connected routers, RIPng is enabled per interface with the ipv6 rip name enable command.

For example, if two routers are connected on a network, both routers use the tag RT0 to identify the RIPng process. RIPng is enabled on the Ethernet interface of each router using the ipv6 rip RT0 enable command.

CCNA4 – Chapter 5

October 27, 2009 by Siu Chung

Determining how to design a network to meet business goals is a multistep process. The designer usually follows these steps:

Step 1: List the business goals that must be met by the new design.

Step 2: Determine what changes or additions are necessary for the business to meet its goals.

Step 3: Decide what technical requirements are necessary to implement each change.

Step 4: Determine how the design can address each of the technical requirements.

Step 5: Decide which design elements must be present in the final design.

 

Dealing with Constraints

The network designer explores all possible alternatives and selects the best ones to include in the design.

 

Making Trade-offs

  • · A trade-off is an exchange of one benefit or advantage for another benefit that is determined to be more desirable.
  • · Network design constraints often force trade-offs between the ideal design and a design that is realistically achievable.

To support this rapid growth, the network designer develops a strategy to enable the network to scale effectively and easily. Included in the strategy are the following recommendations:

  • · Design Access Layer modules that can be added as necessary without affecting the design of the Distribution and Core Layers.
  • · Use expandable, modular equipment or clustered devices that can be easily upgraded to increase capabilities.
  • · Choose routers or multilayer switches to limit broadcasts and filter other undesirable traffic from the network.
  • · Plan to use multiple links between equipment, using either EtherChannel or equal cost load balancing, to increase bandwidth.
  • · Create an IP address strategy that is hierarchical and that supports summarization.
  • · When possible, keep VLANs local to the wiring closet.

Availability for E-Commerce

To ensure reliability for e-commerce, use the following recommended practices:

  • · Dual connect the servers on two different Access Layer switches.
  • · Provide redundant connections at the Distribution Layer.
  • · Provide secondary DNS servers co-located at the ISP.
  • · Include additional monitoring locally and through the Internet for devices in the critical path.
  • · Where possible, include redundant modules and power supplies in critical pieces of equipment.
  • · Provide UPS and generator power backup.
  • · Choose a routing protocol strategy that ensures fast convergence and reliable operation.
  • · Investigate options to provide an additional Internet service provider (ISP) or redundant connectivity to the single ISP.

The Security Monitoring System

The following additional measures are needed for the cameras and surveillance equipment:

  • · Redundant cameras in critical areas, connected to separate switches to limit the effect of a failure
  • · Power over Ethernet (PoE) to the cameras, with UPS and/or generator backup

The IP Telephone System

The designer focuses on the following requirements for providing redundancy and high availability on the Access Layer switches:

  • · Implement Layer 3 connectivity between the Access Layer and Distribution Layer devices when possible.
  • · Provide redundant power and UPS backup.
  • · Create redundant paths from the Access Layer to the Core Layer.
  • · Reduce the size of failure domains.
  • · When possible, select equipment that can support redundant components.
  • · Use a fast-converging routing protocol, such as EIGRP.

Each type of traffic has unique service requirements.

Characteristic features of applications on a typical converged network include:

  • · Packets of various sizes
  • · Distinct sets of protocols
  • · Different tolerances to delay and jitter

Recommended security practices include:

  • · Use firewalls to separate all levels of the secured corporate network from other unsecured networks, such as the Internet. Configure firewalls to monitor and control the traffic, based on a written security policy.
  • · Create secured communications by using VPNs to encrypt information before it is sent through third party or unprotected networks.
  • · Prevent network intrusions and attacks by deploying intrusion prevention systems. These systems scan the network for harmful or malicious behavior and alert network managers.
  • · Control Internet threats by employing defenses to protect content and users from viruses, spyware, and spam.
  • · Manage endpoint security to protect the network by verifying the identity of each user before granting access.
  • · Ensure that physical security measures are in place to prevent unauthorized access to network devices and facilities.
  • · Secure wireless APs and deploy wireless management solutions.

Access Layer Requirements

The designer creates the following list of Access Layer network requirements for the new network:

  • · Provide connectivity for existing network devices and add wireless access and IP telephones.
  • · Create VLANs to separate voice, security surveillance monitoring, wireless access, and normal data devices.
  • · Restrict VLANs to wiring closets, with the exception of the wireless VLAN, to support future roaming requirements.
  • · Provide redundant links to the Distribution Layer network.
  • · Use the 16 existing 2960 switches where possible.
  • · Provide Power over Ethernet (PoE) to IP phones and wireless access points, if possible.
  • · Provide QoS classification and marking capabilities.

IP Phones have three ports:

  • · Port 1 is an external port that connects to the switch or another VoIP device.
  • · Port 2 is an internal 10/100 interface that carries the IP phone traffic.
  • · Port 3 is an external access port that connects to a PC or another device.

2960 Switch Capabilities

The 2960 can support most of the following requirements of the Access Layer network:

  • · Scalability – The 2960 supports Cisco switch clustering; therefore, new switches can easily be added to support additional connectivity.
  • · Availability – The 2960 supports redundant power supplies. Redundant switch management is available when the switches are configured in a cluster. Two switches can be configured as the command switches. If one fails, the rest of the cluster can still function. Classification and marking capabilities are also available in this model.
  • · Security – Port security and other switch security options are available.
  • · Manageability – The switches support Simple Network Management Protocol (SNMP). They can be managed in-band and out-of-band. The 2960 supports the standard Cisco IOS software command set, as well as Cisco Network Assistant GUI configuration and management tools.

Multilayer Switch Capabilities

  • · Scalability – The modular multilayer switches support additional fiber and copper ports. Using routing at the Distribution Layer avoids many Layer 2 Spanning Tree Protocol (STP) reconfiguration issues. New switch blocks can be added without affecting the existing topology.
  • · Availability – The midrange multilayer switches support redundant power supplies and fans. More importantly, they support redundant management modules and fast failover technology. If one management module fails, the secondary module takes over, with no perceptible loss of connectivity. The Layer 3 switched design makes the best use of network links by efficient load balancing of the routed traffic. Routing protocols can be configured to converge as fast as STP or faster. Route summarization can occur at the Distribution Layer, reducing the impact of an Access Layer device or link failure on the Core Layer routing.
  • · Security – Access-list filtering, port security, and firewall feature sets are available on the multilayer switch Cisco IOS. Additional security features prevent unauthorized or unwanted network traffic.
  • · Manageability – The switches support SNMP. They can be managed both in-band and out-of-band.

In a small business environment, the Distribution and Core Layers are frequently combined into what is called a collapsed Core or a collapsed backbone.

Frame Relay Connection Types

Frame Relay networks transfer data using one of these two connection types:

  • · Switched virtual circuits (SVCs) are temporary connections created for each data transfer and then terminated when the data transfer is complete.
  • · Permanent virtual circuits (PVCs) are permanent connections. This type of connection is to be provided between the stadium network and the remote WAN sites.

Lightweight Access Points (LAPs)

LAPs are not standalone devices; they rely on the wireless controller for configuration and security information.

Wireless Control System Software

  • · Offers advanced features, such as centralized management and multiple service levels for different user and client types.
  • · These systems allow different levels of QoS and security for different types of wireless use.

Adding the wireless controller and management software to the network also simplifies the deployment of wireless roaming features and wireless IP phones. This configuration eliminates the need to create a single end-to-end VLAN for wireless roaming.

 

Availability Considerations

The availability of a wireless connection is dependent on the following factors:

  • · Location of the AP
  • · Signal strength of the AP
  • · Number of users sharing the AP connectivity

Dynamic Reconfiguration

  • · Wireless LAN controllers automatically determine the signal strength that exists between lightweight APs within the same network.
  • · When a Cisco LAP boots, it immediately looks for a wireless LAN controller within the network.
  • · When it detects a wireless LAN controller, the AP sends out encrypted neighbor messages that include the MAC address and signal strength of any neighboring APs.
  • · In a single wireless LAN controller network, the controller tunes each AP channel for optimal signal strength, coverage, and capacity.

Centralization Load Balances Users

  • · Through encrypted over-the-air messages, Cisco wireless LAN controllers detect the entire network. These controllers also detect signal strength between APs.
  • · When a client looks for an AP, a probe is sent to the controller from each AP that hears the request from the client.
  • · The controller determines which AP should respond to the probe from the client, based on its signal strength, or Receiver Signal Strength Indicator (RSSI).
  • · These measures improve the availability of wireless services within the WLAN.

IP Addressing in a WLAN

Layer 3 Roaming

When using the wireless controllers and lightweight APs, Layer 3 roaming can be introduced into a network. It is not necessary to extend VLANs to all of the APs in the network to keep a flat wireless subnet.

 

With the wireless controller, the lightweight APs are installed in the normal subnet infrastructure and are given an IP address that is local to the subnet to which they are deployed. All traffic that comes from wireless clients is placed into a packet that is tunneled through the underlying network to the wireless LAN controller.

 

Client devices receive their IP addresses from the controller, not the subnet in the area of a building where they reside. The underlying IP infrastructure is hidden from the client. The controller manages all roaming and tunneling, so that clients can keep the same IP address as they roam.

 

The primary categories of security services include:

Infrastructure Protection

Network security begins with securing the network devices themselves. This involves securing Cisco IOS software-based routers, switches, and appliances from direct as well as indirect attacks. This protection helps to ensure availability of the network for data transport.

 

Secure Connectivity

It is critical to prevent unauthorized users from accessing the network. This can be done by ensuring that the physical network is secure and by requiring authentication to gain access to wireless services. Different classes of users should be assigned to different SSIDs and WLANs. Securing the data while it is in transit can be done using VPNs or data encryption.

 

Threat Detection, Defense, and Mitigation

Firewalls, IDS, IPS and ACLs provide protection from threats and attackers. ACLs and firewall rules filter traffic to permit only desirable traffic through the network.

 

Implementing Security Services

Security services are not effective if they are not implemented at the correct locations throughout the network. Firewalls and filters placed at the enterprise edge do not protect servers from attacks from within the LAN.

The network designer analyzes the traffic flow diagrams that were created earlier that show:

  • · Resources that are accessed by internal users
  • · Resources that are accessed by external users
  • · Paths that this access takes through the network

Using Integrated Services

Wherever possible, the network designer uses integrated services, such as IOS-based firewall features and IDS modules to eliminate the need for additional security devices. In a larger network, it is necessary to use separate devices because the additional processing can cause routers and switches to become overloaded.

 

Examples of firewall rule sets include these statements:

  • · Deny all inbound traffic with network addresses matching internal-registered IP addresses – Inbound traffic should not originate from network addresses matching internal addresses.
  • · Deny all inbound traffic to server external addresses – This rule includes denying server translated addresses, with the exception of permitted ports.
  • · Deny all inbound ICMP echo request traffic – This rule prevents internal network hosts from receiving ping requests generated from outside the trusted network.
  • · Deny all inbound Microsoft Domain Local Broadcasts, Active Directory, and SQL server ports – Microsoft domain traffic should be carried over VPN connections.
  • · Allow DNS (UDP 53) to DNS server – Permit external DNS lookups.
  • · Allow web traffic (TCP 80/443) from any external address to the web server address range.
  • · Allow traffic (TCP 21) to FTP server address ranges – If FTP services are provided to external users, this rule permits access to the FTP server. As a reminder, when using FTP services, user account and password information is transmitted in clear text. Passive FTP (PASV) negotiates a random data port instead of using TCP port 20.
  • · Allow traffic (TCP 25) to SMTP server – Permit external SMTP users and servers access to the internal SMTP mail server.
  • · Allow traffic (TCP 143) to internal IMAP server – Permit external IMAP clients access to the internal IMAP server.

Rule Sets and Access Control Lists

Firewall rule sets are used to create the ACL statements that are implemented on the routers and firewall appliances. Each firewall rule set may require more than one ACL statement and may require both inbound and outbound placement.
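The rule set above and its translation into ACL statements can be modelled together: evaluate constructed packets against the rules in order (first match wins, anything unmatched is denied) and render the same rules as IOS extended ACL lines, which shows why one rule set entry can need more than one ACL statement. The following Python is an added example written for these notes, not course or Cisco code; the address plan (RFC 1918 inside, RFC 5737 documentation ranges for the servers and the outside), the rule order and the function names are assumptions for illustration, and only a subset of the notes' rules is modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed address plan (illustration only).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # internal-registered space
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB_RANGE = ipaddress.ip_network("203.0.113.16/28")    # web server address range
DNS_SERVER = ipaddress.ip_network("203.0.113.5/32")
SMTP_SERVER = ipaddress.ip_network("203.0.113.6/32")

@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Tuple[int, ...] = ()       # destination ports; empty means any port
    icmp_type: Optional[str] = None    # e.g. "echo"; None means any ICMP type
    note: str = ""

# Inbound rule set for the Internet-facing interface, in evaluation order.
RULES = [
    Rule("deny", "ip", INTERNAL, ANY, note="anti-spoofing: internal addresses never arrive from outside"),
    Rule("deny", "icmp", ANY, ANY, icmp_type="echo", note="no echo requests from outside"),
    Rule("permit", "udp", ANY, DNS_SERVER, (53,), note="external DNS lookups"),
    Rule("permit", "tcp", ANY, WEB_RANGE, (80, 443), note="web traffic to the web server range"),
    Rule("permit", "tcp", ANY, SMTP_SERVER, (25,), note="inbound mail"),
    # Everything else, including the Microsoft domain ports, falls to the implicit deny.
]

def matches(rule, pkt):
    """True if a packet (dict with proto, src, dst and optional dport/icmp_type) hits the rule."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in rule.src:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in rule.dst:
        return False
    if rule.dports and pkt.get("dport") not in rule.dports:
        return False
    if rule.icmp_type is not None and pkt.get("icmp_type") != rule.icmp_type:
        return False
    return True

def evaluate(rules, pkt):
    """First matching rule decides; a packet that matches nothing is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.note
    return "deny", "implicit deny"

def _acl_addr(net):
    """Address/wildcard in IOS ACL syntax."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def to_acl(rules, name="OUTSIDE-IN"):
    """Render the rule set as IOS extended ACL statements. A rule with several
    ports becomes several statements, one per port."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        base = f"{r.action} {r.proto} {_acl_addr(r.src)} {_acl_addr(r.dst)}"
        if r.dports:
            lines += [f"{base} eq {p}" for p in r.dports]
        elif r.icmp_type:
            lines.append(f"{base} {r.icmp_type}")
        else:
            lines.append(base)
    return lines

if __name__ == "__main__":
    print("\n".join(to_acl(RULES)))
    # Constructed packets: a spoofed internal source, a normal HTTPS request,
    # and an SMB attempt at the web range (no rule permits it).
    for pkt in [{"proto": "tcp", "src": "10.1.2.3", "dst": "203.0.113.17", "dport": 80},
                {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.17", "dport": 443},
                {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.17", "dport": 445}]:
        print(pkt, "->", evaluate(RULES, pkt))
```

The anti-spoofing deny sits first so that a packet from an internal address never reaches a permit line, and the absence of a permit for TCP 445 is what denies the SMB attempt; both behaviours are visible in the rendered ACL, which is the document the design records.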

 

The design documentation includes all firewall rule sets and ACLs and defines where they are implemented.

Documenting the firewall rule sets and the ACL placement offers these benefits:

  • · Provides evidence that the security policy is implemented on the network
  • · Ensures that when changes are necessary, all instances of a permit or deny condition are known and evaluated
  • · Assists in troubleshooting problems with access to applications or segments of the network

CCNA4 – Chapter 4

October 27, 2009 by Siu Chung

For end users, application performance is based on:

Availability – Is the application working when they need it?

Responsiveness – Is the application responding as quickly as expected?

Application characterization

  1. Collects information about network bandwidth and usage of an application.
  2. Involves looking at the following aspects of network applications:

  • · How the applications work on the network
  • · The technical requirements of the application
  • · How applications interact with each other on the network

This helps determine which applications are considered business-critical.

The network designer recognizes four main types of application communication:

Client-to-client – From an end station to another end station on a network.

Client-to-distributed server – From an end station to a server.

Client-to-server farm – From an end station to a number of servers.

Client-to-enterprise edge – From an end station to the perimeter of the enterprise before entering the network.

The first step in characterizing applications is to gather information, which includes:

Organizational input

  1. Consists of existing documentation about the network and verbal input from personnel.
  2. During the early phases of design, obtaining this input is easy, but it is not always reliable.

Network audit

A network audit gathers information about network devices, monitors traffic, and reveals details of the current network configuration.

Traffic analysis

Traffic analysis provides information about how the applications and protocols use the network. It can reveal shortcomings in the network.


 

As part of application characterization, it is necessary to determine the internal and external traffic flows on the network.

  • · Diagramming internal traffic flows can show areas where high bandwidth connections are needed and identify possible bottlenecks where traffic might become congested.
  • · These diagrams assist the designer in selecting the appropriate equipment and infrastructure to support the traffic volumes.
  • · Some types of external traffic, such as emergency services or financial services, require redundancy and present additional security concerns.
  • · The designer diagrams this traffic in order to determine the location of firewalls and DMZ networks, as well as the Internet connectivity requirements.

The designer analyzes internal and external traffic flows using NBAR and NetFlow. To ensure that network bandwidth is used efficiently, NBAR can be used to identify and classify types of traffic in order to apply QoS mechanisms.

Hardware delays can be caused by:

  • · Processing time that a router takes to forward traffic
  • · Older switches that are not able to handle traffic loads generated by modern applications

One way to ensure high performance is to use the top-down approach. The top-down approach adapts the design of the physical infrastructure to the needs of the network applications. Network devices are chosen only after a thorough technical requirements analysis.

Network applications on a modern network produce a range of packets. These packets are of various sizes, with distinct sets of protocols, different tolerances to delay, and other characteristics. When the service requirements of these different applications conflict with one another, performance problems can result. When adding a new application, the network designer needs to consider the impact on the performance of existing applications. The designer should consider the predicted application performance under varying configurations and network conditions.
 

Some of the more common application types include:

  • · Transaction-processing applications
  • · Real-time streaming applications
  • · File transfer and email applications
  • · HTTP and web applications
  • · Microsoft domain services

Transaction-Processing Applications

A type of processing in which the computer responds immediately to user requests. Each request generated by the user is a transaction. These transactions can require additional operations to take place in response to the original request. For this reason, application transactions are a unique consideration in network design.

A single transaction, such as a customer placing an order, generates all the following operations on the network:

  • · Web traffic from the client to the network
  • · Database transactions
  • · Customer order transaction
  • · Order processing transaction
  • · Shipping/delivery transaction

A valid transaction must meet the following criteria:

  • · It must be atomic.
  • · It must be consistent.
  • · It must be isolated.
  • · It must be durable.

Atomic Transaction (void)

An atomic transaction guarantees that either all the tasks of a transaction are performed or none of them are. If the transaction is not fully processed, then the entire transaction is void.

Consistent Transaction (go back)

A consistent transaction ensures that incomplete transactions are not allowed. If an incomplete transaction occurs, the system returns to the state that it was in before the transaction began.

Isolated Transaction (secure)

An isolated transaction is kept secure from all the other transactions on the network. Security is a major network design consideration. Security options include the addition of access control lists (ACLs), encryption, and firewalls to the network topology.

Durable Transaction

A durable transaction guarantees that once the transaction is completed, the transaction will not be undone – even after a system failure. A durable design for transaction processes requires redundancy at multiple levels. These levels include the Physical Layer connections, servers, switching devices, and routers.

Networks with redundancy eliminate the problem of single points of failure.

Network devices can also be configured for redundancy. Two common protocols are:

  • · Rapid Spanning Tree Protocol (RSTP)
  • · Hot Standby Routing Protocol (HSRP)

RSTP prevents Layer 2 switching loops that can occur with redundant switches.

HSRP can provide Layer 3 redundancy in the network. HSRP provides immediate or link-specific failover and a recovery mechanism.

Real-time Applications

Design considerations for real-time applications include the physical elements of the infrastructure:

  • · Hardware devices and connections
  • · Network topology
  • · Physical redundancy

Logical considerations include how the configuration of QoS and security solutions affect traffic. All of these considerations affect how the designer will implement network solutions, such as IP telephony services.

Infrastructure

To support the existing and proposed real-time applications, the infrastructure must accommodate the characteristics of each type of traffic.

VoIP

VoIP uses voice-enabled routers, which convert analog voice from traditional telephone signals into IP packets.

IP Telephony

In IP telephony, the IP phone itself performs the voice-to-IP conversion. Voice-enabled routers are not required within the enterprise network.

Real-time Video Protocols

  • · To transport streaming media effectively, the network must be able to support applications that require delay-sensitive delivery.
  • · Real-Time Transport Protocol (RTP) and Real-Time Transport Control Protocol (RTCP) are two protocols that support this requirement.

RTP and RTCP enable control and scalability of the network resources by allowing QoS mechanisms to be incorporated to provide valuable tools for minimizing latency issues for real-time streaming applications. These tools include priority queuing, custom queuing, low latency queuing, and class-based weighted fair queuing.

Some of the characteristics of file transfer traffic include:

Unpredictable bandwidth usage – This type of traffic is usually user initiated and therefore cannot be reliably predicted.

Large packet size – FTP and other file transfer traffic uses large packet sizes for efficient transfer. These large packets can cause delay for other types of traffic when the network becomes congested.

Email

Two common Application Layer email protocols are Post Office Protocol (POP) and Simple Mail Transfer Protocol (SMTP).

Email Client Processes

The email client enables users to compose and send messages, then places received messages into the user’s mailbox.

Email Server Processes

The email server also transfers and delivers mail to the email client.

 

Supporting File Transfer and Email Applications

To help ensure this availability, the network designer takes the following steps:

  • · Securing file and mail servers in a centralized location, such as a server farm.
  • · Protecting the location from unauthorized access by physical and logical security measures.
  • · Creating redundancy in the server farm that ensures that if one device fails, all files are not lost.
  • · Configuring redundant paths to the servers.

HTTP(Hypertext Transfer Protoco)and Web Traffic

l          one of the protocols in the TCP/IP suite that was originally developed to publish and retrieve web pages.

l          HTTP is used across the World Wide Web for data transfer.

l          HTTP specifies a request/response protocol between a client, typically a web browser, and a server.

l          When a client sends a request message to a server, the HTTP protocol defines the message types used by the client. The protocol also specifies the message types that the server uses to respond.

l          When web servers are used for e-commerce or to store customer information, the security and redundancy issues become even more important.

Ports used by Microsoft Domain Services

l          Microsoft servers and clients communicate using a set of TCP and UDP ports.

l          These ports are used for various Microsoft services, including authentication and authorization.

l          Common TCP and UDP ports that must be open for Microsoft Domain Services to operate correctly include:

UDP 53 DNS Services
UDP 67 DHCP
UDP 123 Windows Time Service
TCP 135 Remote Procedure Call (RPC)
UDP 137 NetBIOS Name Resolution
UDP 138 NetBIOS Datagram Service
TCP 139 NetBIOS Session Service
TCP 389 and UDP 389 LDAP Service
TCP 445 Server Message Blocks (SMB)
TCP 1433 Microsoft SQL over TCP

The primary goal of QoS is to provide priority, including dedicated bandwidth, controlled jitter and latency, and reduced packet loss.

 

Users perceive service quality based on two criteria:

l          The speed with which the network reacts to their requests

l          The availability of the applications they want to use

Some applications are extremely sensitive to bandwidth requirements, packet delays, network jitter, and possible packet loss, such as:

IP Telephony Requirements

l          The quality of the transmissions is extremely important. When delays occur, voices break up and words become distorted.

l          To avoid substandard transmission quality, IP telephony requires that QoS mechanisms be in place.

l          Voice packets must not have a one-way delay greater than 150 ms.

l          It is critical that voice packets have low latency and low jitter at each hop along a given path.

Streaming Video Requirements

l          Streaming video is a video feed that is usually sent from prerecorded files. It can be distributed in a live broadcast converting the video into a compressed digital signal and then transmitted by a special web server.

l          This media stream is sent as a multicast so multiple users can view the stream at the same time.

Voice and Data Traffic

l          Data from real-time applications, such as IP telephony, must be processed at the same rate as it is sent, and there is no time to retransmit packets with errors. Therefore, VoIP uses UDP as a best-effort transport protocol.

l          Data packets, on the other hand, use the error-checking and retransmission features of TCP to survive delays and packet drops.

l          It is possible to retransmit part of a dropped data file, but it is not feasible to retransmit part of a voice conversation.
 

QoS Mechanisms

l          Mechanisms must be in place to provide QoS priority.

l          The priorities for traffic can be high, medium, normal, and low.

l          Traffic queues are only one of the QoS mechanisms available for prioritizing traffic on the network.

l          Traffic queues assist in providing secure, predictable, and guaranteed services.

Hardware and Software Queues

Queues are used to manage traffic flow with QoS. Hardware queues store traffic as it is received and send packets out in the order received, on a first-come first-served basis. The hardware queue is sometimes referred to as the transmit queue, or TxQ. This is the physical queue where packets wait for forwarding based on their priority.

Software queues allow the packets to be sent out based on the priority set by the network designer or administrator. The queues are based on the QoS requirements. Priority queuing (PQ) and custom queuing (CQ) are examples of software queues.

Implementing QoS in Traffic Queues

To implement QoS on a network, the designer follows three basic steps to ensure that traffic is properly prioritized:

Step 1: Identify Traffic Requirements

Identify traffic such as voice and mission-critical applications, and determine which low priority traffic can be marked as best-effort.

Step 2: Define Traffic Classes

After traffic has been identified, it can be placed in the appropriate classes (high, medium, normal, low).

Step 3: Define QoS Policies

The last step is to define the QoS policies to be applied to each class. These policies include scheduling traffic queues and rules for managing congestion.

PQ works with four queues: high, medium, normal, and low, each serving a different level of priority. These queues are configurable for the following characteristics:

l          Queue type

l          Traffic assignment

l          Size

QoS can be implemented at the Access, Distribution, and Core Layers of a network.

Layer 2 Devices

l          Layer 2 switches at the Access Layer can support QoS based on IEEE 802.1p Class of Service (CoS).

l          The Layer 2 switch QoS uses classification and scheduling to prioritize sending frames from the switch into the network.

Layer 3 Devices

l          Layer 3 devices can support QoS based on physical interface, IP addresses, logical port numbers, and QoS bits in the IP packet.

l          QoS in Distribution and Core Layer devices must be supported in both directions of traffic flow.

Classification and Marking

Classification is the process by which traffic is grouped. Classifications are made based on how traffic is marked or by protocol.

Traffic can be marked by Layer 2 class of service, an IP precedence, or a Differentiated Services Code Point (DSCP) value:

l          Class of service (CoS) is the first 3 bits of an 802.1q VLAN tag.

l          IP precedence is the first 3 bits of the Type of Service (ToS) byte in the IP header.

l          DSCP can be assigned by the router or switch. It is the first 6 bits in the ToS byte in the header.

Classification and marking allow the partitioning of traffic into multiple priority levels, or classes of service.
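The three marking fields just described, as an added worked example that is not part of the original notes: it decodes and encodes the ToS byte (precedence in the top 3 bits, DSCP in the top 6) and the 802.1Q Tag Control Information (CoS in the top 3 bits); the sample values are constructed.

```python
# Added example (not part of the original notes): decoding the three marking
# fields described above. Field layouts are the standard ones (IP ToS/DS byte,
# 802.1Q Tag Control Information); the sample values are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class TosMarking:
    precedence: int  # bits 7..5 of the ToS byte (0-7)
    dscp: int        # bits 7..2 of the ToS byte (0-63)
    ecn: int         # bits 1..0 (congestion notification, not a QoS mark)


@dataclass(frozen=True)
class DotQMarking:
    cos: int         # Priority Code Point, bits 15..13 of the TCI (0-7)
    dei: int         # Drop Eligible Indicator, bit 12
    vlan_id: int     # bits 11..0 (0-4095)


def decode_tos(tos: int) -> TosMarking:
    """Split the ToS byte of an IP header into IP precedence, DSCP and ECN."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS byte must be 0..255")
    return TosMarking(precedence=tos >> 5, dscp=tos >> 2, ecn=tos & 0x3)


def encode_dscp(dscp: int, ecn: int = 0) -> int:
    """Build the ToS byte a router or switch writes when it marks a packet
    with a 6-bit DSCP value (the ECN bits are left alone by QoS marking)."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0..63 and ECN 0..3")
    return (dscp << 2) | ecn


def decode_tci(tci: int) -> DotQMarking:
    """Split the 16-bit 802.1Q Tag Control Information into CoS, DEI, VLAN."""
    if not 0 <= tci <= 0xFFFF:
        raise ValueError("TCI must fit in 16 bits")
    return DotQMarking(cos=tci >> 13, dei=(tci >> 12) & 0x1, vlan_id=tci & 0xFFF)


def precedence_from_dscp(dscp: int) -> int:
    """The top 3 of the 6 DSCP bits are the IP precedence bits, so a device
    that only understands precedence still reads a sensible value from a
    DSCP-marked packet (DSCP 46 EF -> precedence 5, DSCP 26 AF31 -> 3)."""
    return dscp >> 3


if __name__ == "__main__":
    # Constructed sample: a voice packet marked EF (DSCP 46) has ToS 0xB8.
    tos = encode_dscp(46)
    m = decode_tos(tos)
    print(f"ToS 0x{tos:02X}: precedence={m.precedence} dscp={m.dscp} ecn={m.ecn}")
    # Constructed sample: a frame on VLAN 110 carrying CoS 5 has TCI 0xA06E.
    t = decode_tci((5 << 13) | 110)
    print(f"TCI 0xA06E: cos={t.cos} dei={t.dei} vlan={t.vlan_id}")
```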

Managing Converged Networks

Control methods for voice and video traffic on converged networks are different from control methods for other traffic, such as web-based (HTTP) traffic.

Quality of Service (QoS) on Converged Networks

All networks perform better when QoS controls:

l          Delay and jitter

l          Bandwidth provisioning

l          Packet loss parameters

Converged networks require strong performance and security features to manage the conflicting requirements of their traffic. For this reason, QoS mechanisms are mandatory.

IP Telephony Design Considerations

The proposed network design must include:

l          Power and capacity planning

l          Identifying contending traffic flows

l          Selecting the components for the IP telephony solution

The components of an IP telephony solution can include:

l          IP phones

l          Gateway

l          Multipoint control unit (MCU)

l          Call agent

l          Application servers

l          Video endpoint

l          Software telephone

Isolating Traffic

If both the client PC and the IP phone are on the same VLAN, each will try to use the available bandwidth without considering the other device. The simplest method to avoid a conflict is to use separate VLANs for IP telephony traffic and data traffic.

Benefits of Separate VLANs

Using separate VLANs provides these benefits:

l          QoS can prioritize the IP telephony traffic as it crosses the network.

l          Network administrators can identify and troubleshoot network problems more easily when phones are on separate IP subnets and VLANs.

Traditional Telephony

l          Traditional business telephone systems are typically built around a central control unit, called a private branch exchange (PBX).

l          The PBX routes voice calls via analog or digital lines, depending on the type of device.

l          In traditional telephony, the physical address of the phone is dependent on the wire to which it is connected.

l          Consequently adding, moving, or changing telephones requires a significant amount of manual configuration.

l          Most businesses have a separate wiring infrastructure to support their telephone network in addition to the infrastructure that supports their data network.

VoIP

l          Cisco uses the term VoIP when using voice-enabled routers to convert analog voice from traditional telephones into IP packets and route those packets between locations. Within the IT industry, VoIP is used interchangeably with IP telephony.

l          With VoIP, the PBX connects to a voice-enabled router.

l           Businesses use VoIP to reduce costs by consolidating WAN links, decreasing long distance calling charges and reducing the number of support staff.

IP telephony replaces traditional phones with IP phones and uses Cisco Unified Communications Manager, which is a server for call control and signaling.

IP telephony has the following features:

l          Integrates voice and voice-messaging applications that connect via the IP network rather than via the analog or digital systems.

l          Uses an IP phone to perform voice-to-IP conversion.

l          Creates peer-to-peer relationships between the phones involved in a conversation rather than centrally routing calls as a PBX does.

Live Video

l          Live video, or streaming video, enables users to see content before all the media packets are inside their computer system.

l          Streaming media files do not have a waiting period for viewing; they are available immediately as a continuous stream of data packets.

l          Streaming video eliminates the need to store large media files or to allocate storage space for the files before playing them.

l          A live video feed is often sent using multicast packets to many users at the same time.

VoD

l          With VoD, users can either stream or download all of the content to their computer cache before they view it.

l          Downloading the complete video file before viewing is also called store-and-forward.

l          VoD is sent using unicast packets to the specific user requesting the video.

WAN connections at telecommuter sites can have the following features:

l          Asynchronous dialup

l          ISDN BRI

l          Cable modems

l          DSL

l          Wireless and satellite

l          VPN

The network designer generally uses a design program, such as MS Visio, to create a diagram that shows the identified applications and the logical topology of the network.

 

All traffic flows, from both the internal and external networks, must be carefully assessed when designing a new network or proposing upgrades for an existing network. This assessment poses unique challenges for the network designer:

l          Traffic within the internal network is easy to identify. This traffic can be used to estimate utilization of the network.

l          Traffic from external sources is difficult to characterize. The designer needs to estimate the bandwidth requirements for external traffic flows.

CCNP_Chapter2

September 7, 2009 by Siu Chung

Enhanced Interior Gateway Routing Protocol (EIGRP)

l          Cisco-proprietary routing protocol

l          Hybrid routing protocol (a combination of distance vector routing protocols with link-state algorithms)

l          Offers rapid convergence, lower bandwidth utilization, support for multiple routed protocols, and support for classless interdomain routing (CIDR) and variable length subnet masking (VLSM).

l          To achieve some of these benefits, EIGRP relies on features commonly associated with link-state protocols. For example, EIGRP uses the best traits of Open Shortest Path First (OSPF) Protocol, such as partial updates and neighbor discovery.

EIGRP includes the following key features: 

l          Fast convergence: A router running EIGRP stores all its neighbors’ routing tables so that it can quickly adapt to alternate routes if a preferred route disappears. If an appropriate route does not exist, EIGRP queries its neighbors to discover an alternate route. These queries propagate until an alternate route is found.

l          VLSM support: Support for VLSM allows for different subnet masks within the same network and support for non-contiguous subnetworks. EIGRP routes are automatically summarized at the major network number boundary.

l          Partial updates: EIGRP does not send periodic updates. Instead, it sends partial triggered updates. The updates are sent only when the path or the metric changes for a route, and they contain only information about the changed routes. Propagation of partial updates is automatically bounded so that only those routers that need the information are updated. Partial updates are handled by using multicast and unicast packets instead of broadcast packets. As a result, EIGRP consumes significantly less bandwidth than IGRP. This behavior is different than link-state protocols, in which an update is transmitted to all link-state routers within an area.

l          Multiple network-layer protocol support: EIGRP supports IP, AppleTalk, and Novell NetWare IPX through the use of protocol-dependent modules. These modules are responsible for protocol requirements specific to the network layer. The rapid convergence and sophisticated metric structure of EIGRP offers superior performance and stability when implemented in IPX and AppleTalk networks.


Other EIGRP features include the following:

  • Seamless connectivity across all data link layer protocols and topologies: EIGRP does not require special configuration to work across any Layer 2 protocols. Other routing protocols, such as OSPF, use different configurations for different Layer 2 protocols, such as Ethernet and Frame Relay. EIGRP operates effectively in both LAN and WAN environments. WAN support for dedicated point-to-point links and nonbroadcast multiaccess (NBMA) topologies is standard for EIGRP. EIGRP accommodates differences in media types and speed when neighbor adjacencies form across WAN links and can be configured to limit the amount of bandwidth that the protocol uses on WAN links.
  • Sophisticated metric: The EIGRP metric is based on bandwidth and delay. However, it can also be configured to consider reliability, load, and maximum transmission unit (MTU).
  • Multicast and unicast: To establish neighbor relationships, EIGRP uses multicast and unicast addressing rather than broadcast addressing to send and acknowledge routing updates. The EIGRP multicast address is 224.0.0.10. The use of multicast and unicast also helps reduce bandwidth requirements.

EIGRP employs four key components that differentiate it from other routing technologies: 


l          Protocol-dependent modules

l          Reliable Transport Protocol (RTP) – allows EIGRP to send multicast and unicast packets to different peers at the same time, allowing for maximum efficiency.

l          Neighbor discovery and recovery – enables EIGRP routers to build their neighbor table, discover routes, and choose the best routes.

l          Diffusing Update Algorithm (DUAL) finite-state machine:

  1. DUAL uses distance information, known as a metric or cost, to select efficient, loop-free paths.
  2. The lowest cost route is calculated by adding the cost to the next-hop router and the cost from the next-hop router to the destination.
  3. The advertised distance (AD) is the cost from the next-hop router to the destination. The sum of these costs is called the feasible distance (FD).
  4. A current successor is a neighboring router that has the least cost path to a destination (the lowest FD) and is used for forwarding packets.
  5. A feasible successor is a backup route.
  6. Every destination for which one or more feasible successors exists is recorded in a topology table.
  7. Multiple successors can exist if they have the same FD (up to six per destination).
  8. A feasible successor must have an AD less than the FD of the current successor route.
  9. If the route via the successor becomes invalid, DUAL checks for feasible successors to the destination route.
  10. If a suitable feasible successor does not exist, the route must be recomputed to determine the new successor.

l          A destination is in passive state when the router is not performing a recomputation.

l          It is in active state when the router is performing a recomputation
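The successor and feasible successor selection described above, as an added example that is not part of the original notes: it runs DUAL's feasibility check over a constructed topology table for one destination and shows which losses leave the route passive and which force it active. Neighbor names, link costs and advertised distances are made-up sample values.

```python
# Added example (not part of the original notes): the successor / feasible
# successor selection that DUAL performs for one destination, run over a
# constructed topology table. Neighbor names, link costs and advertised
# distances are made-up sample values.
from dataclasses import dataclass
from typing import Iterable, List, Tuple

MAX_SUCCESSORS = 6  # up to six equal-cost successors per destination


@dataclass(frozen=True)
class Neighbor:
    name: str
    link_cost: int            # cost from this router to the neighbor
    advertised_distance: int  # AD: the neighbor's own cost to the destination

    @property
    def feasible_distance(self) -> int:
        # FD = cost to reach the neighbor + the neighbor's advertised distance
        return self.link_cost + self.advertised_distance


def select_successors(table: List[Neighbor]) -> Tuple[List[Neighbor], List[Neighbor]]:
    """Return (successors, feasible_successors) for one destination.

    Successors are the neighbors sharing the lowest FD. A feasible successor
    is any other neighbor whose AD is strictly less than that FD: a router
    that is closer to the destination than we are cannot be routing through
    us, so the backup path is guaranteed loop-free."""
    if not table:
        return [], []
    best_fd = min(n.feasible_distance for n in table)
    successors = [n for n in table if n.feasible_distance == best_fd][:MAX_SUCCESSORS]
    feasible = [n for n in table
                if n not in successors and n.advertised_distance < best_fd]
    return successors, feasible


def after_successor_loss(table: List[Neighbor], lost: Iterable[str]) -> Tuple[str, List[Neighbor]]:
    """Model what DUAL does when the neighbors named in `lost` go away.

    Returns ("passive", new_successors) when another equal-cost successor or
    a feasible successor takes over without recomputation, or ("active", [])
    when the route must be recomputed and queries sent to the neighbors."""
    lost = set(lost)
    successors, feasible = select_successors(table)
    remaining_successors = [n for n in successors if n.name not in lost]
    if remaining_successors:
        return "passive", remaining_successors
    remaining_feasible = [n for n in feasible if n.name not in lost]
    if remaining_feasible:
        # The feasible successor with the lowest FD becomes the new successor;
        # a neighbor that failed the feasibility check is not used even if
        # its FD happens to be lower.
        best = min(n.feasible_distance for n in remaining_feasible)
        return "passive", [n for n in remaining_feasible if n.feasible_distance == best]
    return "active", []


# Constructed topology table for one destination, as seen from this router.
SAMPLE_TABLE = [
    Neighbor("A", link_cost=10, advertised_distance=20),  # FD 30: successor
    Neighbor("B", link_cost=5, advertised_distance=25),   # FD 30: equal-cost successor
    Neighbor("C", link_cost=40, advertised_distance=10),  # FD 50, AD 10 < 30: feasible successor
    Neighbor("D", link_cost=5, advertised_distance=35),   # FD 40, AD 35 >= 30: not feasible
]

if __name__ == "__main__":
    succ, fs = select_successors(SAMPLE_TABLE)
    print("successors:", [n.name for n in succ], "feasible successors:", [n.name for n in fs])
    for lost in ({"A"}, {"A", "B"}, {"A", "B", "C"}):
        state, via = after_successor_loss(SAMPLE_TABLE, lost)
        print(f"lost {sorted(lost)} -> {state} via {[n.name for n in via]}")
```

Note that D, with FD 40, is never promoted: it fails the feasibility condition, so losing A, B and C sends the route active even though D has a lower FD than C.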

 

Five generic packet types

Hello: 1. Establish neighbor relationships.

       2. Sent as multicasts; no acknowledgement required.

Update: 1. Send routing updates.

        2. Either unicast or multicast.

Query: 1. Ask neighbors about routing information (route computation).

       2. Normally multicast, could be unicast.

Reply: Respond to a query packet with routing information. Unicast.

Ack: Acknowledge a reliable packet, to indicate that the router received an EIGRP packet during a reliable exchange.

Unicast, and contains a nonzero acknowledgement number.

 

EIGRP multicast IP address 224.0.0.10.

By default, the hold time is three times the hello interval.

 

 

 

Although the metric can be based on five criteria, EIGRP uses only two of these criteria by default:

  • Bandwidth: Smallest bandwidth between source and destination.
  • Delay: Cumulative interface delay along the path.

Three other criteria can be used, but are not recommended, because they typically result in frequent recalculation of the topology table: 

  • Reliability: Worst reliability between source and destination, based on keepalives.
  • Loading: Worst load on a link between source and destination, based on the packet rate and the configured bandwidth of the interface.
  • MTU: Smallest MTU in the path. MTU is included in the EIGRP routing update, but is not actually used in the metric calculation.
       

l          EIGRP assigns K values to represent each metric. The K values are carried in EIGRP hello packets.

l          The default values are K1 = K3 = 1 and K2 = K4 = K5 = 0. (The K values can be verified with show ip protocols.)

Metric = (K1 * bandwidth) + [(K2 * bandwidth) / (256 – load)] + (K3 * delay)

If these K values are equal to their defaults, the formula becomes the following:

  • Metric = (1 * bandwidth) + [(0 * bandwidth) / (256 – load)] + (1 * delay)
  • Metric = bandwidth + delay

If K5 is not equal to 0, then Metric = metric * [K5 / (reliability + K4)]

show ip route = metric values assigned for the network.

show interface = the bandwidth and delay values.

 

Bandwidth = (10^7 / least bandwidth in kbps) * 256

Delay = [(delay A → B) + (delay B → C) + (delay C → D)] * 256

Metric = bandwidth + delay
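The metric formulas above carried through in code, as an added example that is not part of the original notes: it computes the bandwidth and delay terms, applies the K values, and reproduces the 28160 FastEthernet value that appears as the advertised distance in the topology output quoted later in these notes. Interface values are constructed; delay is taken in microseconds as show interface reports it.

```python
# Added example (not part of the original notes): the EIGRP composite metric
# computed from the formulas above. Interface values are constructed; delay
# is taken in microseconds as show interface reports it and converted to the
# tens-of-microseconds unit the metric uses.
from typing import Sequence, Tuple

DEFAULT_K: Tuple[int, int, int, int, int] = (1, 0, 1, 0, 0)  # K1 = K3 = 1
T1_KBPS = 1544  # bandwidth EIGRP assumes on a serial interface if not changed


def scaled_bandwidth(least_bandwidth_kbps: int) -> int:
    """Bandwidth term: (10^7 / least bandwidth in kbps) * 256, integer math
    as the router does it (the division truncates before scaling)."""
    if least_bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    return (10_000_000 // least_bandwidth_kbps) * 256


def scaled_delay(delays_usec: Sequence[int]) -> int:
    """Delay term: cumulative interface delay in tens of microseconds, * 256."""
    return (sum(delays_usec) // 10) * 256


def eigrp_metric(bandwidths_kbps: Sequence[int], delays_usec: Sequence[int],
                 load: int = 1, reliability: int = 255,
                 k: Tuple[int, int, int, int, int] = DEFAULT_K) -> int:
    """Composite metric for a path described by its per-hop bandwidths and
    delays. With default K values this reduces to bandwidth + delay."""
    if not 1 <= load <= 255 or not 1 <= reliability <= 255:
        raise ValueError("load and reliability are 1..255")
    k1, k2, k3, k4, k5 = k
    bw = scaled_bandwidth(min(bandwidths_kbps))  # the slowest link dominates
    dly = scaled_delay(delays_usec)
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric


if __name__ == "__main__":
    # Constructed path: a T1 serial hop (1544 kbps, 20000 usec) followed by a
    # FastEthernet hop (100000 kbps, 100 usec).
    print("FastEthernet alone:", eigrp_metric([100000], [100]))              # 28160
    print("T1 alone:", eigrp_metric([T1_KBPS], [20000]))                      # 2169856
    print("T1 + FastEthernet:", eigrp_metric([1544, 100000], [20000, 100]))  # 2172416
```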

 

If you do not change the bandwidth for serial interfaces, EIGRP assumes that the bandwidth on the link is the default T1 speed.

 

You can create an EIGRP default route with the ip default-network command.

router eigrp

network 0.0.0.0


You can display the EIGRP IP neighbor table with the show ip eigrp neighbors command, as shown in the figure. This table includes the following key elements:

l          H (handle): A number used internally by the Cisco IOS software to track a neighbor. It records the order in which the neighbors were learned.

l          Address: Network-layer address of the neighbor router.

l          Interface: Interface on this router through which the neighbor can be reached.

l          Hold (hold time): Maximum time, in seconds, that the router waits to hear from the neighbor before considering the link unavailable. Originally, the expected packet was a hello packet, but in current Cisco IOS software releases, any EIGRP packets received after the first hello from that neighbor resets the timer.

l          Uptime: Elapsed time, in hours, minutes, and seconds, since the neighbor was added to the table.

l          SRTT (smoothed round-trip time): Average number of milliseconds it takes for an EIGRP packet to be sent to this neighbor and for the local router to receive an acknowledgment of that packet. This timer determines the retransmit interval, also known as the retransmission timeout (RTO).

l          RTO (retransmission timeout): Amount of time, in milliseconds, that the router waits for an acknowledgment before retransmitting a reliable packet from the retransmission queue to a neighbor. If an EIGRP update, query, or reply is sent, a copy of the packet is queued. If the RTO expires before an acknowledgment is received, another copy of the queued packet is sent.

l          Q Cnt (queue count): Number of packets waiting in the queue to be sent out. If this value is constantly higher than 0, a congestion problem might exist. A value of 0 indicates that no EIGRP packets are in the queue.

l          Seq Num: Sequence number of the last update, query, or reply packet that was received from this neighbor. Used to detect out-of-order packets.

 

The show ip route eigrp command displays only the EIGRP routes in the IP routing table.

 

D 172.17.0.0/16 [90/40293802] via 192.168.1.102, 00:07:01, serial 0/0/1

D = EIGRP route; D EX = EIGRP external route.

[administrative distance/metric]: administrative distance of EIGRP = 90, external EIGRP = 170, RIP = 120.

via 192.168.1.102 = the neighbor that last advertised this network to this router; serial 0/0/1 is the output interface.

The routing table includes routes to null0 for the advertised summary routes; these are automatically placed in the table when automatic summarization is enabled. Null0 is a directly connected, software-only interface. The null0 interface prevents the router from trying to forward traffic to other routers in search of a more precise, longer match.

 

The show ip protocols command gives information about all dynamic routing protocols running on the router.

 

The show ip eigrp interfaces command displays information about interfaces configured for EIGRP. The fields in the output are:

l           Interface: Interface over which EIGRP is configured.

l           Peers: Number of directly connected EIGRP neighbors.

l           Xmit Queue Un/Reliable: Number of packets remaining in the Unreliable and Reliable transmit queues.

l           Mean SRTT: Mean SRTT interval, in milliseconds.

l           Pacing Time Un/Reliable: Pacing time used to determine when EIGRP packets should be sent out the interface (unreliable and reliable packets).

l           Multicast Flow Timer: Maximum number of seconds in which the router sends multicast EIGRP packets.

l           Pending Routes: Number of routes in the packets in the transmit queue waiting to be sent.

 

Another command used to verify EIGRP operations is the show ip eigrp topology command. The output uses the following codes:

  • P (Passive): Network is available, and installation can occur in the routing table. Passive is the correct state for a stable network.
  • A (Active): Network is currently unavailable, and installation cannot occur in the routing table. Active means that there are outstanding queries for this network.
  • U (Update): Network is being updated (placed in an update packet). This code also applies if the router is waiting for an acknowledgment for this update packet.
  • Q (Query): Outstanding query packet for this network. This code also applies if the router is waiting for an acknowledgment for a query packet. Basically, this code indicates that the router has sent a query packet to a neighbor router.
  • R (Reply status): Router is generating a reply for this network or is waiting for an acknowledgment for the reply packet.
  • S (Stuck-in-active status): EIGRP convergence problem for the network with which it is associated.

The number of successors available for a route is indicated in the command output. In this example, all networks have one successor. If there were equal-cost paths to the same network, a maximum of six paths would be shown. The number of successors corresponds to the number of best routes with equal cost.

For each network, the FD is displayed, followed by the next-hop address, which is followed by a field similar to (40514560/28160) in the figure. The first number in this field is the FD for that network through this next-hop router, and the second number is the advertised distance from the next-hop router to the destination network.

To display the number of various EIGRP packets sent and received, use the show ip eigrp traffic command.

Because you may not want automatic summarization to occur in discontiguous networks, you need to disable automatic summarization there to minimize router confusion.

 

The ip summary-address eigrp command manually creates a summary route.

 

Load balancing increases the use of network segments and increases effective network bandwidth.

 

 

EIGRP load balancing is controlled with the variance (num) command.

l           EIGRP – point-to-point links.

l           Multipoint nonbroadcast multiaccess (NBMA) – both point-to-point links and multipoint links.

l           EIGRP may use up to 50 percent of the bandwidth of an interface or subinterface for routing traffic.

 

as-number (in router eigrp as-number) is the autonomous system number.

 

Simple password authentication is supported by IS-IS, OSPF, and RIPv2.

MD5 authentication is supported by RIPv2, OSPF, Border Gateway Protocol (BGP), and EIGRP.

 

For MD5 authentication, a key ID and an authenticating key are configured.

Key chains are used to manage the keys.

 

To configure MD5 authentication for EIGRP, complete the following steps:

Step 1: int s X/X/X
Step 2: ip authentication mode eigrp (AS) md5
Step 3: ip authentication key-chain eigrp (AS) (name-of-chain)
Step 4: key chain (name-of-chain)
Step 5: key (key-id)
Step 6: key-string (text)
Step 7: accept-lifetime (start-T {infinite | end-T | duration seconds})
Step 8: Optionally, specify the time period during which this key can be used for sending packets with the send-lifetime command, as shown in the figure, which displays the parameters for this command.
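The accept-lifetime and send-lifetime semantics from steps 4 to 8, as an added example that is not part of the original notes: it models a key chain, checks which key is sent and which are accepted at a given time, and flags the instants during a planned rotation at which two routers would fail to authenticate each other. Key ids, key strings and times are constructed; that the sender uses the lowest-numbered key whose send-lifetime is current is an assumption of this model.

```python
# Added example (not part of the original notes): a model of the key-chain
# lifetimes from steps 4-8, used to check a planned key rotation before it is
# applied. Key ids, key strings and times are constructed; that the sender
# uses the lowest-numbered key whose send-lifetime is current is an
# assumption of this model.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

INFINITE = None  # stands in for the "infinite" keyword of accept/send-lifetime


@dataclass(frozen=True)
class Lifetime:
    start: datetime
    end: Optional[datetime]  # None means infinite

    @classmethod
    def for_duration(cls, start: datetime, seconds: int) -> "Lifetime":
        """The 'duration seconds' form of the command."""
        return cls(start, start + timedelta(seconds=seconds))

    def contains(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t < self.end)


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    accept: Lifetime   # accept-lifetime: when received packets with this key are valid
    send: Lifetime     # send-lifetime: when this key may be used on sent packets


def send_key(chain: List[Key], now: datetime) -> Optional[Key]:
    """Key used to authenticate outgoing packets at time `now` (lowest valid id)."""
    valid = sorted((k for k in chain if k.send.contains(now)), key=lambda k: k.key_id)
    return valid[0] if valid else None


def accepted_key_ids(chain: List[Key], now: datetime) -> List[int]:
    """Key ids a router would accept on incoming packets at time `now`."""
    return sorted(k.key_id for k in chain if k.accept.contains(now))


def mismatches(sender: List[Key], receiver: List[Key],
               start: datetime, end: datetime, step_minutes: int) -> List[datetime]:
    """Instants in [start, end) at which the sender has no usable key, or sends
    with a key id the receiver does not accept: the adjacency would drop."""
    bad = []
    t = start
    while t < end:
        k = send_key(sender, t)
        if k is None or k.key_id not in accepted_key_ids(receiver, t):
            bad.append(t)
        t += timedelta(minutes=step_minutes)
    return bad


T0 = datetime(2009, 9, 7, 0, 0)  # constructed start of the rotation window


def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


# Constructed chain: key 1 is retired after an hour, key 2 takes over. Key 2
# is accepted 30 minutes before it is sent and key 1 is accepted an hour after
# it stops being sent, so peers with slightly different clocks still match.
SAMPLE_CHAIN = [
    Key(1, "old-secret", accept=Lifetime(at(0), at(120)), send=Lifetime(at(0), at(60))),
    Key(2, "new-secret", accept=Lifetime(at(30), INFINITE), send=Lifetime(at(60), INFINITE)),
]
# Constructed peer whose accept-lifetime for key 2 starts an hour too late.
SKEWED_PEER_CHAIN = [
    SAMPLE_CHAIN[0],
    Key(2, "new-secret", accept=Lifetime(at(120), INFINITE), send=Lifetime(at(60), INFINITE)),
]

if __name__ == "__main__":
    for t in (at(45), at(90), at(180)):
        k = send_key(SAMPLE_CHAIN, t)
        print(t.time(), "send key", k.key_id, "accept", accepted_key_ids(SAMPLE_CHAIN, t))
    gaps = mismatches(SAMPLE_CHAIN, SKEWED_PEER_CHAIN, at(0), at(180), 15)
    print("gaps vs skewed peer:", [t.time().isoformat() for t in gaps])
```

Against the skewed peer the check reports the hour between 01:00 and 02:00, when this router already sends key 2 but the peer still accepts only key 1; that is exactly the window in which debug eigrp packets would show authentication failures.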

Use the debug eigrp packets command to troubleshoot MD5 authentication.

 

 

The most common reasons for SIA routes are as follows:

  • The router is too busy to answer the query because of high CPU usage or memory problems, and cannot allocate the memory to process the query or build the reply packet.
  • The link between the two routers is not good; therefore, some packets are lost between the routers. While the router receives enough packets to maintain the neighbor relationship, the router does not receive all queries or replies.
  • A failure causes traffic on a link to flow in only one direction—this is called a unidirectional link.
  • Too many alternate paths through the network can create EIGRP convergence problems. This complexity creates an ideal condition for a router to become SIA as it waits for a response to queries that are being propagated through these many alternate paths.

 

 

 

In a hub-and-spoke topology, the remote router forwards all traffic that is not local to a hub router; the remote router does not need to retain a complete routing table.

 

 

To configure a router as an EIGRP stub, use the eigrp stub command

eigrp stub [receive-only|connected|static|summary]

CCNA4_Chapter3

June 20, 2009 by Siu Chung

The first step in installing a new network is for the designer to take a detailed look at the existing network to:

  1. Determine if the design goals are realistic and feasible
  2. Determine if the existing network meets the expectations for scalability, availability, security, and manageability
  3. Identify where new equipment, infrastructure upgrades, and new services can be integrated
  4. Ensure that old and new network devices, media, and functions can work together.

 

The NetworkingCompany designer reviews the existing network documentation which contains most of the information that the designer needs concerning network organization and services.

 

The network documentation should include:

  1. Logical and physical diagrams of the network
  2. Floor plans showing the location of wiring closets and wiring runs
  3. Inventory lists of installed network equipment
  4. Current network configuration files
  5. Inventory lists of network applications

 

The Cisco IOS software offers useful commands to gain information from a router to create a network diagram. Some of these commands are:

  1. show version
  2. show running-config
  3. show ip route
  4. show cdp neighbors detail
  5. show controllers
  6. show tech-support

 

The show tech-support command collects a large amount of information about a router. The output varies depending on the router or switch and its configuration.

 

Many of these same commands are used to gain information on a Cisco switch. Other useful switch commands include:

  1. show vlan
  2. show vtp
  3. show spanning-tree

 

Creating Network Segment Diagrams

Next, the designer creates diagrams for the logical and physical layouts of the networks installed at each of the various sites.

Each diagram shows:

  1. The location of the network equipment and wiring closets
  2. The logical addressing information
  3. The naming information

 

The designer identifies where topology or equipment changes are needed and evaluates the traffic flows and addressing structures by those diagrams.

 

The designer creates a logical network diagram that shows the major pieces of networking equipment and how they interconnect.

  1. Routers and switches
  2. Wireless Access Points
  3. Critical telecommunications equipment (CSU/DSU, modems, etc.)
  4. Firewalls and intrusion detection devices (IDS)
  5. Management stations
  6. Servers and server farms

 

Modular Block Diagram

  1. Illustration of the major functions of a network in modular form.
  2. Helps designer to determine the underlying architecture.

 

After reviewing the diagrams and the existing equipment inventories, the network designer lists the strengths and weaknesses of the current stadium network:

 

Overcoming Weaknesses in Preparation for the Network Upgrade

  1. The designer focuses on finding ways to overcome the weaknesses of the existing network. The designer proposes updating the network design with the necessary enhancements.
  2. Equipment that will not be replaced during the upgrade is also evaluated.
  3. It is important to know that the hardware is working properly and that the software is up-to-date to ensure easy integration of new features into the network.

 

 

Testing the Upgrade Process

  1. To avoid problems, the NetworkingCompany obtains a 2960 switch and an 1841 router to test the upgrade process before they upgrade the equipment.
  2. There can be significant differences from one IOS version or hardware component to another.
  3. Using test equipment ensures that the updated system will operate as expected.

 

Using Feature Navigator

Feature Navigator is a web-based tool that helps to determine which features are supported by a specific IOS software image, or which images support a given feature.

Feature Navigator allows searches by feature or release version.

 

Each device must have enough flash memory and RAM to support the new IOS files.

The new IOS can then be stored on a Trivial File Transfer Protocol (TFTP) server, which makes it easy to upgrade devices by loading the software from TFTP.


Upgrades must be done manually using the following steps:

Step 1: Select an IOS Software Image

The following factors need to be considered when selecting an IOS version:

  1. Memory Requirement – If the router does not have enough memory, the router may have problems when it boots under the new IOS.
  2. Interface and Module Support – Ensure that the new IOS supports all the current and new interfaces and modules to be installed in the router.
  3. Software Feature Support – Compare the new IOS features with those used with the old IOS. Any new features required for the network upgrade need to be included.

The NetworkingCompany staff uses Feature Navigator to find the appropriate IOS versions for the installed equipment. They download and copy the IOS files to the download directory on the TFTP server. They also read the release notes to ensure that there are no unexpected changes or known issues with the release.

 

Step 2: Identify the Device File System to Copy the Image

Either this command or the dir [file_system] command can be used to find the free space available to store the new IOS images.

 

Step 3: Verify that the TFTP Server Has IP Connectivity to the Device

The TFTP server must have a network connection to the device (the device must be able to ping the server).

 

Step 4: Back Up the Current Configurations to Prepare for the Upgrade

  1. The configuration files and current IOS from the router should be backed up before upgrading.
  2. Copy the running configuration to the startup configuration.
  3. Copy the startup configuration and the current IOS image to the TFTP server.
  4. Some IOS releases add default configurations that may conflict with the current configuration.

 

Step 5: Copy the IOS Image to the Device

  1. The staff ensures that the TFTP server software is running, then copies the IOS software image into flash memory.
  2. To upgrade the IOS from a TFTP server, the staff uses the copy tftp flash command.
  3. The dir flash command is used to check that the file has been transferred successfully.
  4. The staff reboots the device and observes the device bootup process.
  5. The staff performs the upgrade on the test network devices. After completing the upgrade, they compare the resulting configurations to the saved configurations.

 

The bootup process has three stages:

1. Performing the POST and Loading the Bootstrap Program

The power-on self test (POST) runs first. After the POST, the bootstrap program is loaded; it locates the Cisco IOS and loads it into RAM.

 

2. Locating and Loading the IOS Software

The IOS image can be located in:

  1. Flash memory
  2. A TFTP server
  3. Another location indicated in the startup configuration file

To load the IOS normally from flash, the configuration register should be set to 0x2102.

3. Locating and Executing the Startup Configuration File or Entering Setup Mode

After the IOS is loaded, the bootstrap program searches for the startup configuration file in NVRAM. The startup configuration contains:

  1. Interface addresses
  2. Routing information
  3. Passwords
  4. Other configuration parameters

If no configuration file is located, the router prompts the user to enter setup mode to begin the configuration process.

If a startup configuration file is found, a prompt containing a hostname will display.
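As an added example (not part of these notes or the Cisco curriculum), Steps 2 to 5 above and the bootup check as one IOS session on a test router. The hostname, the TFTP server address and the image file names are placeholders; the verify /md5 step is an added check that the notes do not mention:

```cisco
! Constructed example: IOS upgrade of a test router over TFTP.
! Assumed values: TFTP server 192.168.10.20, old image c1841-ipbase-mz.OLD-VERSION.bin,
! new image c1841-ipbase-mz.NEW-VERSION.bin (all placeholders).
!
! Step 2: identify the file system and check the free space in flash
Router# dir flash:
!
! Step 3: verify that the TFTP server is reachable from the device
Router# ping 192.168.10.20
!
! Step 4: back up the configuration and the current image
Router# copy running-config startup-config
Router# copy startup-config tftp:
Address or name of remote host []? 192.168.10.20
Destination filename [router-confg]? Router-backup-confg
Router# copy flash: tftp:
Source filename []? c1841-ipbase-mz.OLD-VERSION.bin
Address or name of remote host []? 192.168.10.20
Destination filename [c1841-ipbase-mz.OLD-VERSION.bin]?
!
! Step 5: copy the new image into flash and confirm that it arrived
Router# copy tftp: flash:
Address or name of remote host []? 192.168.10.20
Source filename []? c1841-ipbase-mz.NEW-VERSION.bin
Destination filename [c1841-ipbase-mz.NEW-VERSION.bin]?
Router# dir flash:
! Added check: compare the hash with the value published for the image
! on Cisco.com before booting from it
Router# verify /md5 flash:c1841-ipbase-mz.NEW-VERSION.bin
!
! Point the router at the new image and make sure the configuration
! register is 0x2102 so the bootstrap loads the IOS from flash normally
Router# configure terminal
Router(config)# boot system flash:c1841-ipbase-mz.NEW-VERSION.bin
Router(config)# config-register 0x2102
Router(config)# end
Router# copy running-config startup-config
Router# reload
!
! After the reboot: confirm which image is running and the register setting,
! then compare the running configuration with the backup saved in Step 4
Router# show version | include image
Router# show version | include register
Router# show running-config
```

The old image is kept in flash until the new one has booted cleanly and the configuration has been compared with the backup, so the router can be pointed back at it with another boot system command if the new release changes default settings.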

 

After updating the IOS, the designer needs to know what hardware upgrades can be performed so that they meet the new requirements.

 

Upgrades may be needed that include high-speed or high-density modules and other available hardware options, such as rack mount kits.

 

Cisco.com offers datasheets that can be used to create a list of the possible options for each device.

 

 

Installing Option Interface Cards in an 1841 Router

The procedure to install these cards is as follows:

Step 1: Turn Off Power to the Router

The 1841 router option slots are not hot-swappable.

Step 2: Remove the Blank Faceplate from the Slot

Step 3: Install the Option Module

Step 4: Turn on Power to the Router and Check the New Configuration

 

Performing a site survey consists of the following steps:

Step 1: Define Customer Requirements

Step 2: Identify Coverage Areas

  1. The staff estimates the number of potential users in each coverage area.
  2. More importantly, they determine the expected peak usage during major events.

Step 3: Determine Preliminary AP Locations

  1. The staff reviews the stadium plans and suggests possible AP locations.
  2. Then they determine how coverage can be provided, which areas need power, and how the APs will connect to the wired network.

Step 4: Measure Signal Strength

The staff temporarily installs an AP in a proposed location, then measures the received RF strength and identifies possible causes of interference.

 

The staff uses a laptop computer equipped with a site survey utility on a wireless NIC to perform the test.

 

The NetworkingCompany staff performs the following steps:

Step 1: Measure the signal strength and speed of a link as they walk away from the AP.

Step 2: Record the readings and measure the distances to the AP when the quality or link speed changes.

Step 3: Mark the areas where signals are acceptable on a floor plan.

 

The network designer uses the marked floor plan to determine the location of the APs and the wired network jacks that connect them to the network. Upon completing the third step, the designer must ensure compliance with all local, state, and national fire and electrical codes.


A Design Requirements document

A Design Requirements document is a summary of all major business and technical requirements for the new network design.

It contains the specifications for the proposed network upgrade.

 

The four sections of the Design Requirements document are:

Overall Project Goal

  1. This section states the overall goals of the upgrade.
  2. It also describes the benefit of the outcomes to the customer.

Project Scope

  1. This section outlines the affected resources and user group.
  2. It also lists the resources and user groups that are out of scope.

Network Requirements

This section details all of the following:

  1. Business Goals – lists the goals in order of priority.
  2. Technical Requirements – Scalability, Availability, Security, Manageability.
  3. Users – the different user groups and their access requirements are listed.
  4. Applications – describes the types of applications the network must support.

State of the Network

This section details the existing network and includes:

  1. Logical and physical diagrams
  2. Equipment lists
  3. Applications
  4. Strengths and weaknesses

The Company reviews the Design Requirements document to ensure that there are no misunderstandings before proceeding with the design project.

 

The final section of the Design Requirements document includes the following information:

  1. All of the network diagrams that the NetworkingCompany creates to illustrate the existing network
  2. The names and IP addresses of servers and important networking components
  3. The existing network strengths and weaknesses and how they impact the business goals

 

CCNA4_Chapter 2

June 11, 2009 by Siu Chung

The six phases of the Cisco Lifecycle Services are:

  • The Prepare Phase
  • The Plan Phase
  • The Design Phase
  • The Implement Phase
  • The Operate Phase
  • The Optimize Phase

*This process is often referred to as PPDIOO

 

The Prepare Phase

  • During the Prepare Phase, the company defines the business goals.
  • These goals provide a foundation for a business case to justify the financial investment required to implement the technology change.
  • The company considers possible business constraints, including budget, personnel, company policies, and schedule limitations.

After the business case is accepted, the NetworkingCompany staff assists in the development of the high-level technology strategy and solution.

This strategy identifies:

  • Advanced technologies that support the new network solution
  • Current and planned network applications and services, and their priorities based on business goals
  • People, processes, and tools required to support the operations and management of the technology solution

 

RFP & RFQ

  • The Prepare Phase is typically done before a company issues a Request For Proposal (RFP) or Request For Quotation (RFQ).
  • RFPs and RFQs describe the requirements for the new network. They include information about the process that the company uses to purchase and install networking technologies.

 

The Plan Phase

  • The network designer performs a comprehensive site and operations assessment to evaluate the current network, operations, and network management infrastructure.
  • The NetworkingCompany staff identifies all physical, environmental, and electrical modifications.
  • They assess the ability of the current operations and network management infrastructure to support the new technology solution.
  • All changes to infrastructure, personnel, processes, and tools must be completed before the implementation of the new technology solution.
  • Custom applications that add to the feature and functionality requirements for the new network are also identified in this phase.
  • The NetworkingCompany staff creates a document that contains all of the design requirements.

 

The Project Plan

In this phase, the staff creates a plan to help manage the project. The project plan includes:

  • Tasks
  • Timelines and critical milestones
  • Risks and constraints
  • Responsibilities
  • Resources required

The plan needs to be within the scope, cost, and resource limits established in the original business goals.

 

The Design Phase

In the Design Phase, the NetworkingCompany staff uses the initial requirements determined during the Plan Phase to direct its work.

 

The design requirements document supports the specifications identified in the Prepare and Plan phases for:

  • Availability
  • Scalability
  • Security
  • Manageability

 

The design must be flexible enough to allow for changes or additions as new goals or needs emerge. The technology must be integrated into the current operations and network management infrastructure.

Planning the Installation

At the end of the Design Phase, the network designer creates plans that guide the installation and ensure that the end result is what the customer requested. Plans include:

  • Configuring and testing connectivity
  • Implementing the proposed system
  • Demonstrating the functionality of the network
  • Migrating network applications
  • Validating network operation
  • Training end users and support personnel

 

Any new equipment and technologies are specified and tested. A review of the proposed design confirms that the business goals are met. A final proposal is generated to continue with the implementation of the network upgrade.

 

The Implement Phase

The Implement Phase begins after the NetworkingCompany completes the design and the customer approves it. The network is built according to the approved design specification. The Implement Phase verifies the success or failure of the network design.

 

Testing the New Network

Testing all or part of a new network solution in a controlled environment helps to identify and resolve any implementation issues before the actual installation.

After the issues have been resolved, the NetworkingCompany staff installs the new solution and integrates it into the existing network. When the installation is complete, additional testing is done.

System-level acceptance testing checks that the new network meets the business goals and design requirements. The results of this test are recorded and become part of the documentation provided to the customer. Any training required for the staff needs to be completed during this phase.

 

The Operate Phase

The Operate and Optimize phases are ongoing.

They represent the day-to-day operations of a network.

This monitoring helps the company achieve maximum scalability, availability, security and manageability.

 

After the new network is installed, stadium personnel manage the network to ensure that it is performing to the design specifications outlined in the Prepare and Plan phases.

 

Defining Policies and Procedures

Policies and procedures are needed to handle network issues, such as:

  • Security incidents
  • Configuration changes
  • Equipment purchases

Updating these policies and procedures after an upgrade reduces downtime, operating costs, and change-related issues. If there are no policies and procedures in place, it is important to create them.

 

The Optimize Phase

Optimizing the network is a continuous process. Its purpose is to improve network performance and reliability by identifying and resolving potential network problems before they happen. Doing this ensures that the business goals and requirements of the company are maintained.

Common network problems that could be discovered in the Optimize Phase include:

  • Feature incompatibilities
  • Insufficient link capacity
  • Device performance problems when multiple features are enabled
  • Scalability of protocols

As business goals change, the technology strategy and operations may not adapt. At some point, a redesign may be required and the PPDIOO cycle starts again.

 

 

When a business or organization decides to upgrade or replace their existing network, they usually generate a Request For Proposal (RFP) or Request For Quotation (RFQ). In the PPDIOO model, this occurs at the end of the Prepare Phase.

 

Responding to the Request

  • The response document should be as detailed as possible.
  • The response should be written with the target audience in mind.
  • Technical terms and concepts need to be explained where necessary.
  • To ensure that the response document is easy to read, a table of contents is used to organize the material. An introductory letter is included to introduce the material.

 

Pre-bid Meeting

Prior to the deadline for submitting RFP responses, the customer may schedule an informational meeting (referred to as a pre-bid meeting or pre-submittal conference).

The purpose of the meeting is to provide:

  • An opportunity to review the project scope with the customer
  • Additional information and documentation identified, but not included in the original RFP
  • Clarification of formatting and project timeline details not included in the original RFP

The meeting enables the contractor to get an estimate of the number of other companies that are interested in submitting a bid on the project.

 

The RFP

  1. Businesses usually send a copy of the RFP to contractors.
  2. Responses to an RFP help the customer compare services, products, pricing, and support offered by the different contractors.

 

Typically an RFP for a network project includes:

  • Business goals for the project
  • Anticipated project scope
  • Information on the existing network and applications
  • Requirements for the new network
  • Business, technical, or environmental constraints
  • Preliminary schedule with milestones and deliverables
  • Legal contractual terms and conditions

When responding to an RFP, it is important that every item listed on the RFP is answered. The company that sent out the RFP may reject an incomplete proposal.

 

The RFQ

  1. Businesses use an RFQ instead of an RFP when the technical specifications of the project are already known.
  2. The staff can write an RFQ to obtain the costs for the necessary services and equipment.
  3. An RFQ is usually much simpler to respond to than an RFP, because the costs associated with an RFQ can easily be obtained or estimated.
  4. An RFQ can vary in content but will generally have three main parts. Like an RFP, the RFQ response may have formatting requirements. Proposal deadlines may be strictly enforced.

 

Most account managers are responsible for:

  • Meeting their assigned sales and revenue goals
  • Communicating information about new products or technologies to customers and potential customers
  • Directing local sales, service and support teams
  • Planning and budgeting for sales and support projects
  • Responding to customer requests for proposals, demonstrations, quotations and information
  • Negotiating and maintaining sales or service contracts

 

These engineers, as well as network technicians who work with them, are responsible for:

  • Evaluating the customer’s current network
  • Determining if a network upgrade or addition can meet the technical requirements
  • Ensuring that the proposed changes can be integrated into the existing customer network
  • Testing and evaluating proposed solutions

 

A network designer is responsible for:

  • Analyzing customer goals and constraints in order to determine the technical requirements for the new design
  • Evaluating the current installed network
  • Selecting the technologies and equipment capabilities to meet the defined network requirements
  • Diagramming the placement and interconnection of various network devices and services
  • Designing and supervising proof-of-concept testing
  • Assisting the account manager in preparing presentations to the customer

 

Responsibilities of the post-sales field engineer include:

  • Provide installation assistance and acceptance testing.
  • Support and organize troubleshooting of components or systems.
  • Resolve technical problems the customer may encounter.
  • Provide customer training and assistance with managing and configuring devices.

 

 

The following skills are essential when working with clients:

  • Listening and accurately summarizing information
  • Corresponding with clients in a style, format, and level of detail appropriate for the intended audience
  • Presenting well-organized technical material in a logical fashion

 

For a network project, business managers analyze the feasibility of the project based on how it contributes to business success. They must consider:

  1. Profitability – Can the project reduce costs or help the business avoid costs in the future?
  2. Business growth and market share – Can the project help the business grow more efficiently or create competitive advantages?
  3. Customer satisfaction - Can the project improve the customer experience and increase customer loyalty?

 

Prioritizing Goals

In consultation with the stadium management, the designer prioritizes the business goals. The priorities are based on which goals present the best opportunities to contribute to the success of the business.

After the NetworkingCompany obtains the list of the prioritized business goals, the Plan Phase begins.

 

Technical requirements include, but are not limited to:

  • Improving network scalability
  • Increasing network availability and performance
  • Enhancing network security
  • Simplifying network management and support

 

This list provides direction for the following decisions:

  • Selecting network equipment
  • Choosing protocols
  • Designing network services

 

Every company wants to have the most advanced and efficient network available. In reality, various business constraints affect network design. Common constraints include:

  • Budget – Limited resources may require some compromises in design due to the costs of equipment, software, or other components.
  • Company policies – The design must take into account the customer’s existing policies regarding protocols, standards, vendors, and applications.
  • Scheduling – The project time frame should be aligned with the customer schedules.
  • Personnel – The availability of trained personnel at the implementation and operation phases might be a design consideration.

 

Top-Down

The top-down approach adapts the network infrastructure to the needs of the organization. Top-down design clarifies the design goals and initiates the design from the perspective of the required applications and network solutions, such as IP telephony, content networking, and video conferencing. The PPDIOO methodology uses the top-down approach.

 

Bottom-Up

A common approach – but one that is not recommended – is the bottom-up design. In this approach, the network designer selects network devices and technologies based on previous experience rather than from an understanding of the organization. Because this approach does not include information on the business goals, the proposed network design may not be able to support the required applications.

 

A typical network management architecture consists of the following elements:

  • Network Management System (NMS) – A system that uses an application to monitor and control managed network devices, such as CiscoWorks
  • Network Management Protocol – A protocol that facilitates the exchange of information between network devices and the NMS, such as the Simple Network Management Protocol version 3 (SNMPv3)
  • Managed Devices – Network devices that are managed by an NMS, such as a router or switch
  • Management Agents – Software on managed devices that collects and stores network management information
  • Management Information – Data collected by the NMS

 

CiscoWorks LAN Management Solution (LMS) is a suite of powerful management tools that simplify the configuration, administration, monitoring, and troubleshooting of Cisco networks. It integrates these capabilities into a best-in-class solution that provides the following benefits:

  • Improves the accuracy and efficiency of the network operations staff
  • Increases the overall availability of the network by simplifying configuration and quickly identifying and fixing network problems
  • Maximizes network security through integration with access control services and audit of network-level changes

 

SNMP is the most common network management protocol to use. The protocol enables network administrators to gather data about the network and corresponding devices.

SNMP has four main components:

  • Management station
  • Management agents
  • Management Information Base (MIB)
  • Network management protocol

 

As part of a network management system, SNMP tools can respond to network errors or failures in several ways. Generally, when a network fault occurs, or when predefined thresholds are met, the SNMP tools can react by:

  • Sending an alert on the network
  • Sending a message to a pager
  • Sending an email to an administrator
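As an added example (not part of these notes or the Cisco curriculum), the four SNMP components above configured on one managed router: the agent on the device, the management station that polls it, the MIB view it may read, and SNMPv3 as the management protocol, including the notifications the device sends when a link fails. The NMS address, names, contact and the two passphrases are placeholders:

```cisco
! Constructed example: SNMPv3 agent on a managed router, limited to one NMS.
! Assumed values: NMS at 10.10.10.5, group/user/view names and passphrases
! (all placeholders; the passphrases must be replaced before use).
!
! Only the management station may query the agent
access-list 10 remark SNMP-NMS-ONLY
access-list 10 permit host 10.10.10.5
!
! MIB view: the part of the MIB tree the NMS is allowed to read
snmp-server view NMS-VIEW iso included
!
! A v3 group that requires authentication and encryption ("priv") for every
! request, restricted to the view above and to the source ACL
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access 10
!
! The user the NMS authenticates as: SHA for authentication, AES-128 for privacy
snmp-server user nms-poller NMS-GROUP v3 auth sha AUTH-PASSPHRASE-PLACEHOLDER priv aes 128 PRIV-PASSPHRASE-PLACEHOLDER
!
! Inventory information the NMS collects with the device
snmp-server contact noc@example.com
snmp-server location Stadium MDF
!
! Notifications: the agent reports link and configuration events to the
! management station instead of waiting to be polled
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps config
snmp-server host 10.10.10.5 version 3 priv nms-poller
```

Because no community string is configured, the device answers only SNMPv3 requests that are authenticated and encrypted, and only from the address permitted by access list 10. This is the difference between SNMPv3 and SNMPv1/v2c, whose community strings cross the network in cleartext.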

CCNA4 – Chapter 1

June 5, 2009 by Siu Chung

5 steps to design a good network

  1. Verify the business and technical needs.
  2. Determine the features and functions required for the needs.
  3. Perform a network readiness assessment.
  4. Create a solution and site acceptance test plan.
  5. Create a project plan.

 

Fundamental Design Goals

Scalability – Scalable network designs are able to grow to include any update or features.

Availability – reliable performance, redundancy.

Security – location of security devices, filters, and firewall features is critical.

Manageability – network staff must be able to manage and support the network.

 

Hierarchical Network Design

Core Layer – Connects Distribution Layer devices

Distribution Layer – Interconnects the smaller local networks

Access Layer – Provides connectivity for network hosts and end devices

 

Cisco Enterprise Architectures

Enterprise Campus:

This area contains the network elements required for independent operation within a single campus or branch location.

Server Farm :

  1. The server farm is part of the enterprise campus.
  2. The data center server farm protects the server resources and provides redundant, reliable high-speed connectivity.

Enterprise Edge :

  1. This area filters traffic from external networks and routes it into the internal network.
  2. It contains all the elements required for efficient and secure communication between the enterprise campus and external traffic.

 

Large network design projects have three distinct steps:

Identifying Network Requirements

The network designer works closely with the customer. Goals are usually separated into two categories:

Business goals – Focus on how the network can make the business more successful

Technical requirements – Focus on how the technology is implemented within the network.

Characterizing the Existing Network

  1. Information about the current network and services is gathered and analyzed.
  2. Compare the functionality of the existing network with the defined goals of the new project.
  3. The designer determines whether any existing equipment can be reused and what new equipment is needed.

 

Designing the Network Topology

  1. A common strategy for network design is to take a top-down approach.
  2. In this approach, the network is designed to support the identified network applications and service requirements.
  3. When the design is complete, a prototype or proof-of-concept test is performed.

 

Requirements that may only affect a portion of the network include:

  1. Improving Internet connectivity and adding bandwidth
  2. Updating Access Layer LAN cabling
  3. Providing redundancy for key services
  4. Supporting wireless access in defined areas
  5. Upgrading WAN bandwidth

 

Goals of the Core Layer

  1. Provide 100% uptime
  2. Maximize throughput
  3. Facilitate network growth

 

Core Layer Technologies

  1. Routers or multilayer switches that combine routing and switching in the same device
  2. Redundancy and load balancing
  3. High-speed and aggregate links
  4. Routing protocols that scale well and converge quickly, such as EIGRP & OSPF

 

Mesh Topology

  1. A full mesh topology is one in which every device has a connection to every other device.
  2. Full mesh topologies provide a fully redundant network, but they can be difficult to wire and manage and are more costly.
  3. In partial mesh topology, each device is connected to at least two others, creating sufficient redundancy without the complexity of a full mesh.

 

Convergence

  1. Network convergence occurs when all routers have complete and accurate information about the network.
  2. The faster the convergence time, the quicker a network can react to a change in topology. Factors that affect convergence time include:
    1. The speed at which the routing updates reach all of the routers in the network
    2. The time that it takes each router to perform the calculation to determine the best paths

 

Selecting a Routing Protocol

  1. In larger networks, protocols like RIPv2 may converge too slowly to prevent disruption of network services if a link fails.
  2. For a large enterprise network, EIGRP or OSPF is used.

 

Design Considerations

  1. Most networks contain a combination of dynamic and static routes.
  2. Network designers need to consider the number of routes to ensure that all destinations are reachable.
  3. Large routing tables can take significant time to converge.
  4. The design of network addressing and summarization affects how well the routing protocol can react to a failure.

 

Distribution Layer Routing

  1. The Distribution Layer is built using Layer 3 devices (routers or multilayer switches).
  2. Distribution Layer functions that are critical for meeting the goals of the network design include:
    1. Filtering and managing traffic flows
    2. Enforcing access control policies
    3. Summarizing routes before advertising the routes to the Core
    4. Isolating the Core from Access Layer failures or disruptions
    5. Routing between Access Layer VLANs
  3. Distribution Layer devices are also used to manage queues and prioritize traffic before transmission through the campus core.

 

Distribution Layer Topology

  1. Distribution Layer networks are usually wired in a partial mesh topology.
  2. Distribution Layer devices are interconnected using Gigabit links when they are in the same wiring closet or data center.
  3. When the devices are separated by longer distances, fiber cable is used.
  4. Multiple high-speed fiber connections on switches can be expensive, so careful planning is needed to ensure that enough fiber ports are available to provide the desired bandwidth and redundancy.

 

Limiting the Size of Failure Domains

  1. Because failures at the Core Layer have a large impact, the designer often concentrates on preventing failures there.
  2. It is easiest and usually least expensive to control the size of a failure domain in the Distribution Layer.
  3. In the Distribution Layer, network errors can be contained to a smaller area, thus affecting fewer users.
  4. At the Distribution Layer, every router functions as a gateway for a limited number of Access Layer users.

 

Switch Block Deployment

  1. Routers, or multilayer switches, are usually deployed in pairs, with Access Layer switches evenly divided between them (building or departmental switch block).
  2. Each switch block acts independently of the others.
  3. As a result, the failure of a single device does not cause the network to go down.
  4. Even the failure of an entire switch block does not impact a significant number of end users.

 

Complex ACLs

Dynamic ACL – requires a user to use Telnet to connect to the router and authenticate. Once authenticated, traffic from the user is permitted. Dynamic ACLs are sometimes referred to as “lock and key” because the user is required to log in in order to obtain access.

Reflexive ACL - allows outbound traffic and then limits inbound traffic to only responses to those permitted requests. This is similar to the established keyword used in extended ACL statements, except that these ACLs can also inspect UDP and ICMP traffic, in addition to TCP.

Time-based ACL – permits and denies specified traffic based on the time of day or day of the week.
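As an added example (not part of these notes or the Cisco curriculum), the three ACL types above configured on one router: a dynamic entry and a reflexive evaluate in the inbound ACL on the outside interface, the reflect statements in the outbound ACL, and a time-based ACL on a guest LAN. The addresses, interface names, ACL names and the user account are placeholders:

```cisco
! Constructed example: dynamic, reflexive and time-based ACLs on one router.
! Assumed values: outside interface Serial0/0/0 with 209.165.200.225/27,
! inside LAN 192.168.10.0/24, guest LAN 192.168.20.0/24 on FastEthernet0/1
! (all placeholders).
!
! --- Dynamic ("lock and key") ACL ---
! The user Telnets to the router and logs in; the autocommand then creates a
! temporary entry for that user's host. "timeout 15" is the absolute limit in
! minutes, "access-enable host timeout 5" the idle limit.
username netadmin secret ADMIN-SECRET-PLACEHOLDER
line vty 0 4
 login local
 autocommand access-enable host timeout 5
!
! --- Reflexive ACL ---
! Sessions started from inside are recorded ("reflect") on the way out, and
! only their replies are let back in ("evaluate"). Unlike the established
! keyword this covers UDP and ICMP as well as TCP.
ip access-list extended OUTBOUND
 permit tcp any any reflect TRAFFIC-OUT
 permit udp any any reflect TRAFFIC-OUT
 permit icmp any any reflect TRAFFIC-OUT
!
ip access-list extended INBOUND
 permit tcp any host 209.165.200.225 eq telnet
 dynamic LOCKKEY timeout 15 permit ip any 192.168.10.0 0.0.0.255
 evaluate TRAFFIC-OUT
 deny ip any any log
!
! --- Time-based ACL ---
! Guest hosts may browse the web on weekdays during business hours only
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 17:00
ip access-list extended GUEST-WEB
 permit tcp 192.168.20.0 0.0.0.255 any eq www time-range BUSINESS-HOURS
 permit tcp 192.168.20.0 0.0.0.255 any eq 443 time-range BUSINESS-HOURS
 deny ip any any log
!
interface Serial0/0/0
 description Outside (link to the TSP)
 ip address 209.165.200.225 255.255.255.224
 ip access-group INBOUND in
 ip access-group OUTBOUND out
!
interface FastEthernet0/1
 description Guest LAN
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-WEB in
```

The order of the INBOUND entries matters: the Telnet permit must come before the implicit deny or nobody can authenticate, and the evaluate line is placed where the reflected entries should be checked. The time-based ACL depends on the router clock, so the router should be synchronized with NTP before the time range is trusted.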

 

Route Summarization

  1. Route summarization has several advantages for the network, such as:
    1. One route represents many other routes, creating smaller routing tables
    2. Less routing update traffic on the network
    3. Lower overhead on the router
  2. Summarization can be performed manually or automatically, depending on the routing protocol.
  3. Classless routing protocols such as RIPv2, EIGRP, OSPF, and IS-IS support route summarization based on subnet addresses on any boundary.
  4. Classful routing protocols such as RIPv1 automatically summarize routes on the classful network boundary only.
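As an added example (not part of these notes or the Cisco curriculum), the manual summarization a Distribution Layer router performs before advertising Access Layer subnets to the Core: the working that finds the summary prefix is in the comments, followed by the EIGRP and OSPF configuration that advertises it. The address block, process numbers and interface name are placeholders:

```cisco
! Constructed example: summarizing sixteen Access Layer subnets
! (172.16.16.0/24 through 172.16.31.0/24, a placeholder block) at the
! Distribution Layer before they are advertised to the Core.
!
! Write the first and last subnet in binary and find the common leading bits:
!   172.16.16.0 = 10101100.00010000.0001|0000.00000000
!   172.16.31.0 = 10101100.00010000.0001|1111.00000000
! The first 20 bits are identical, so one route covers all sixteen subnets:
!   172.16.16.0/20   mask 255.255.240.0   range 172.16.16.0 - 172.16.31.255
! 172.16.32.0/24 differs in bit 20 (0001|1111 -> 0010|0000), so it is NOT
! covered by this summary and would be advertised on its own.
!
! EIGRP: the summary is configured on the interface that faces the Core, so
! the Core sees one route instead of sixteen and an Access Layer subnet
! flapping does not cause an update in the Core
router eigrp 100
 network 172.16.16.0 0.0.15.255
 no auto-summary
!
interface Serial0/0/0
 description Uplink to the Core
 ip summary-address eigrp 100 172.16.16.0 255.255.240.0
!
! Alternative with OSPF: the same summary configured on the area border
! router for the area that contains the sixteen subnets
router ospf 1
 area 1 range 172.16.16.0 255.255.240.0
```

The summary works only because the sixteen subnets were assigned as one contiguous block behind one Distribution router; this is the link between the addressing design and the summarization mentioned in the Design Considerations above. A block of, say, 172.16.16.0/24 through 172.16.40.0/24 cannot be expressed as a single prefix without also covering addresses that are not behind this router.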

 

Access Layer Physical Considerations

  1. The Access Layer of the campus infrastructure uses Layer 2 switching technology to provide access into the network.
  2. The access can be either through a permanent wired infrastructure or through wireless Access Points.
  3. Ethernet over copper wiring poses distance limitations. Therefore, one of the primary concerns when designing the Access Layer of a campus infrastructure is the physical location of the equipment.

 

Designing for Manageability

  1. The designer needs to consider:
    1. Naming structures
    2. VLAN architecture
    3. Traffic patterns
    4. Prioritization strategies
  2. Configuring and using network management systems for a large converged network is very important. It is also important to standardize configurations and equipment when possible.
  3. Following good design principles improves the manageability and on-going support of the network by:
    1. Ensuring that the network does not become too complex
    2. Allowing easy troubleshooting when there is a problem
    3. Making it easier to add new features and services in the future

 

Access Layer Management

Improving the manageability of the Access Layer is a major concern for the network designer. Access Layer management is crucial due to:

  1. The increase in the number and types of devices connecting at the Access Layer
  2. The introduction of wireless access points into the LAN

 

The advantages of a star topology include:

  1. Easy installation
  2. Minimal configuration

 

The disadvantages of a star topology are significant:

  1. The central device represents a single point of failure.
  2. The capabilities of the central device can limit overall performance for access to the network.
  3. The topology does not recover in the event of a failure when there are no redundant links.

 

Ethernet star topologies usually have a combination of the following wiring:

  1. Twisted pair wiring to connect to the individual end devices
  2. Fiber to interconnect the access switches to the Distribution Layer devices

 

VLANs in the Past

With the introduction of Layer 2 switching, VLANs were used to create end-to-end workgroup networks. These networks spanned buildings or even the entire infrastructure. End-to-end VLANs are no longer used in this way: the increased number of users and the volume of network traffic they generate are too high to be supported.

 

VLANs Now

Today VLANs are used to separate and classify traffic streams and to control broadcast traffic within a single wiring closet or building. Although large VLANs that span entire networks are no longer recommended, they may be required to support special applications, such as wireless roaming and wireless IP phones.

The recommended approach is to contain VLANs within a single wiring closet. This approach increases the number of VLANs in a network, which also increases the number of individual IP subnets. It is recommended practice to associate a single IP subnet with a single VLAN. IP addressing at the Access Layer becomes a critical design issue that affects the scalability of the entire network.
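The one-subnet-per-VLAN rule above is what makes Access Layer addressing a scalability problem: every wiring closet adds several subnets, and the Distribution Layer can only keep its routing table small if each closet's subnets fit inside one summarisable block. The following planner is an added example for these notes, not Cisco material; the campus block, closet names, VLAN roles, VLAN-ID scheme and the choice of one /24 per VLAN are constructed assumptions.

```python
"""
Per-closet VLAN and subnet plan with a summarisation check.

Added example for these notes, not Cisco material. The campus block,
closet names, VLAN roles, VLAN-ID scheme and /24-per-VLAN sizing are
constructed assumptions chosen for illustration.
"""
import ipaddress
from typing import Dict, List

# Constructed design inputs (assumptions, not from the notes).
CAMPUS_BLOCK = ipaddress.ip_network("10.20.0.0/16")
VLAN_ROLES = ["data", "voice", "wireless", "mgmt"]          # one VLAN of each role per closet
VLAN_ID_BASE = {"data": 100, "voice": 200, "wireless": 300, "mgmt": 900}
VLAN_PREFIX = 24                                            # one /24 per VLAN


def closet_prefix_len(num_vlans: int, vlan_prefix: int) -> int:
    """Prefix length of the smallest block that holds num_vlans subnets of
    size vlan_prefix, so each closet can be summarised as one route."""
    extra_bits = (num_vlans - 1).bit_length()   # ceil(log2(num_vlans))
    return vlan_prefix - extra_bits


def build_plan(campus: ipaddress.IPv4Network, closets: List[str],
               roles: List[str], vlan_prefix: int = VLAN_PREFIX) -> Dict[str, dict]:
    """Carve one summarisable block per wiring closet, then one subnet per
    VLAN inside it. VLAN IDs are unique per closet (role base + closet index)."""
    summary_len = closet_prefix_len(len(roles), vlan_prefix)
    blocks = campus.subnets(new_prefix=summary_len)
    plan: Dict[str, dict] = {}
    for index, closet in enumerate(closets, start=1):
        try:
            block = next(blocks)
        except StopIteration:
            raise ValueError(f"{campus} is too small for {len(closets)} closets") from None
        vlans = {}
        for role, subnet in zip(roles, block.subnets(new_prefix=vlan_prefix)):
            vlans[role] = {
                "vlan_id": VLAN_ID_BASE[role] + index,
                "subnet": subnet,
                "gateway": subnet[1],               # first usable host is the SVI
            }
        plan[closet] = {"summary": block, "vlans": vlans}
    return plan


def no_overlaps(plan: Dict[str, dict]) -> bool:
    """Every VLAN subnet must be disjoint from every other; an overlap would mean
    two closets share an IP range and the summary routes would be wrong."""
    nets = [v["subnet"] for c in plan.values() for v in c["vlans"].values()]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def locate(plan: Dict[str, dict], address: str):
    """Return (closet, role, vlan_id) for a host address, or None if unplanned."""
    ip = ipaddress.ip_address(address)
    for closet, entry in plan.items():
        if ip not in entry["summary"]:
            continue
        for role, v in entry["vlans"].items():
            if ip in v["subnet"]:
                return closet, role, v["vlan_id"]
    return None


def svi_config(plan: Dict[str, dict], closet: str) -> List[str]:
    """IOS-style SVI lines for one closet's gateway interfaces (illustrative)."""
    lines = []
    for role, v in plan[closet]["vlans"].items():
        lines += [f"interface Vlan{v['vlan_id']}",
                  f" description {closet} {role}",
                  f" ip address {v['gateway']} {v['subnet'].netmask}"]
    return lines


if __name__ == "__main__":
    p = build_plan(CAMPUS_BLOCK, ["closet-A", "closet-B", "closet-C"], VLAN_ROLES)
    for closet, entry in p.items():
        print(closet, "summary", entry["summary"])
        for role, v in entry["vlans"].items():
            print(f"  vlan {v['vlan_id']:>4} {role:<9} {v['subnet']} gw {v['gateway']}")
    print("no overlaps:", no_overlaps(p))
    print(locate(p, "10.20.5.77"))
```

With four /24 VLANs per closet, each closet receives a /22, so the distribution switch advertises one /22 per closet instead of four /24s, and the campus /16 holds 64 closets before `build_plan` refuses to continue. The `no_overlaps` check is the test to run whenever a closet is added by hand rather than by the planner.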

 

Server Farms

  1. Managing and securing numerous distributed servers at various locations within a business network is difficult.
  2. Recommended practice centralizes servers in server farms.
  3. These are located in computer rooms and data centers.

 

Creating a server farm has the following benefits:

  1. Network traffic enters and leaves the server farm at a defined point. This arrangement makes it easier to secure, filter, and prioritize traffic.
  2. Redundant, high-capacity links can be installed to the servers as well as between the server farm network and the main LAN. This configuration is more cost-effective than attempting to provide a similar level of connectivity to servers distributed throughout the network.
  3. Load balancing and failover can be provided between servers and between networking devices.
  4. The number of high-capacity switches and security devices is reduced, helping to lower the cost of providing services.

 

Such an approach takes advantage of the strengths of the following network products that can be deployed in a server farm:

  1. Firewalls
  2. LAN switch security features
  3. Host-based and network-based intrusion detection and prevention systems
  4. Load balancers
  5. Network analysis and management devices

 

Demilitarized Zones

  1. In the traditional network firewall design, servers that needed to be accessed from external networks were located on a demilitarized zone (DMZ).
  2. Users accessing these servers from the Internet or other untrusted external networks were prevented from seeing resources located on the internal LAN.
  3. LAN users were treated as trusted users and usually had few restrictions imposed when they accessed servers on the DMZ.

 

Protecting Against Internal Attacks

  1. Attacks originating on the internal network are now more common than attacks from external sources.
  2. A layer of firewall features and intrusion prevention is required between the servers and the internal networks, as well as between the servers and the external users.
  3. An additional security layer between the servers may also be required.
  4. The sensitivity of data stored on the servers and contained in the transactions traveling the network determines the appropriate security policy for the design of the server farm.
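The difference between the traditional DMZ design and the one described here is easiest to see as two zone policies evaluated against the same flows. The following comparison is an added example for these notes, not Cisco material; the zone names, ports and both rule sets are constructed for illustration, and the policy engine is a deliberately minimal first-match evaluator with an implicit deny.

```python
"""
Zone policy comparison: the traditional DMZ model, which trusts LAN users,
against a design that also screens internal traffic and separates server
tiers. Added example for these notes, not Cisco material. Zone names,
ports and both rule sets are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

ANY = "*"


@dataclass(frozen=True)
class Rule:
    src: str                    # source zone or ANY
    dst: str                    # destination zone or ANY
    proto: str                  # "tcp", "udp" or ANY
    port: Union[int, str]       # destination port or ANY
    action: str                 # "permit" or "deny"
    note: str = ""

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        pairs = ((self.src, src), (self.dst, dst), (self.proto, proto), (self.port, port))
        return all(pattern == ANY or pattern == value for pattern, value in pairs)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """First matching rule wins; anything unmatched is dropped (implicit deny)."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "deny"


# Traditional design: one "dmz" zone holds every server; LAN users are trusted.
TRADITIONAL: List[Rule] = [
    Rule("internet", "dmz", "tcp", 443, "permit", "published web front end"),
    Rule("internet", "dmz", "tcp", 25, "permit", "inbound mail"),
    Rule("internet", "internal", ANY, ANY, "deny", "hide the LAN from outside"),
    Rule("internal", ANY, ANY, ANY, "permit", "few restrictions on LAN users"),
    Rule("dmz", "dmz", ANY, ANY, "permit", "one segment: no firewall between servers"),
]

# Hardened design: servers split into web and db tiers, internal users get
# only the published service, administration comes from a management zone.
HARDENED: List[Rule] = [
    Rule("internet", "web", "tcp", 443, "permit", "published web front end"),
    Rule("internet", "web", "tcp", 25, "permit", "inbound mail"),
    Rule("internal", "web", "tcp", 443, "permit", "LAN users use the same published service"),
    Rule("mgmt", "web", "tcp", 22, "permit", "admin only from the management zone"),
    Rule("mgmt", "db", "tcp", 22, "permit", "admin only from the management zone"),
    Rule("web", "db", "tcp", 5432, "permit", "layer between tiers: only web reaches db"),
]


def traditional_zone(zone: str) -> str:
    """Map the hardened zones onto the coarser traditional ones for comparison."""
    return {"web": "dmz", "db": "dmz", "mgmt": "internal"}.get(zone, zone)


def compare(flow: Tuple[str, str, str, int]) -> Tuple[str, str]:
    """Decision under (traditional, hardened) policy for one flow."""
    src, dst, proto, port = flow
    old = evaluate(TRADITIONAL, traditional_zone(src), traditional_zone(dst), proto, port)
    new = evaluate(HARDENED, src, dst, proto, port)
    return old, new


# Constructed flows, including the ones an internal attacker would try first.
FLOWS = [
    ("internet", "web", "tcp", 443),
    ("internal", "web", "tcp", 443),
    ("internal", "web", "tcp", 22),     # LAN workstation ssh to a web server
    ("internal", "db", "tcp", 5432),    # LAN workstation straight to the database
    ("web", "db", "tcp", 5432),
    ("web", "internal", "tcp", 445),    # compromised web server pivoting into the LAN
    ("internet", "db", "tcp", 5432),
]


def diverging_flows() -> List[Tuple[str, str, str, int]]:
    """Flows whose decision changes between the two designs."""
    return [f for f in FLOWS if compare(f)[0] != compare(f)[1]]


if __name__ == "__main__":
    for flow in FLOWS:
        old, new = compare(flow)
        print(f"{flow[0]:>8} -> {flow[1]:<8} {flow[2]}/{flow[3]:<5} "
              f"traditional={old:<6} hardened={new}")
```

Running it shows that the two designs agree on everything arriving from the Internet; the only decisions that change are the ones where a LAN host reaches a server on a port that is not the published service. That is exactly the gap the "trusted LAN user" assumption leaves open, and the web-to-db rule is the "additional security layer between the servers" from the list above.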

 

Virtualization

Many separate logical servers can be located on one physical server. The physical server runs an operating system specifically designed to host multiple virtual machine images (a hypervisor). This feature is known as virtualization. This technology reduces the cost of providing redundant services, load balancing, and failover for critical network services.

 

Physical Network Design

In typical wireless network designs, most of the effort focuses on the physical coverage areas of the network.

The network designer conducts a site survey to determine the coverage areas for the network and to find the optimum locations for mounting wireless Access Points. The site survey results help determine the Access Point hardware, types of antennas, and the desired wireless feature sets. From these results the designer determines whether roaming between overlapping coverage areas can be supported.

 

Logical Network Design

  1. Designing the logical network usually causes network designers the most difficulty.
  2. Customers often want to provide different levels of access to different types of wireless users. In addition, wireless networks must be both easy to use and secure.
  3. Reconciling the desired features with these constraints leaves many different ways to design and configure wireless LANs.

An example of a complex wireless network design is a business that needs to offer the following services:

  1. Open wireless access for their visitors and vendors
  2. Secured wireless access for their mobile employees
  3. Reliable connectivity for wireless IP phones

 

 

Secured Employee Access

Some WLAN devices do not support isolated guest access. Where that is the case, secure employee access by using an entirely separate WLAN infrastructure that does not carry guest traffic. In either case, the recommended practice is to place internal users on a different VLAN from guests.

 

Other wireless implementation recommended practices include:

  1. Non-broadcast SSID (this only reduces casual discovery; the SSID is still sent in probe and association frames, so it is not an access control)
  2. Strong encryption
  3. User authentication
  4. Virtual private network (VPN) tunneling for sensitive data
  5. Firewall and intrusion prevention

 

In areas where secured wireless is restricted to a few devices, MAC address filtering can be used to limit access. Because MAC addresses are transmitted in the clear and are easily spoofed, this only limits casual connections and must be combined with the authentication and encryption listed above.

 

Traditional WAN technologies include:

  1. Leased lines
  2. Circuit-switched networks
  3. Packet-switched networks, such as Frame Relay networks
  4. Cell-switched networks such as Asynchronous Transfer Mode (ATM) networks

 

In many locations, newer WAN technologies are available, such as:

  1. Digital Subscriber Line (DSL)
  2. Metro Ethernet
  3. Cable modem
  4. Long-range wireless
  5. Multiprotocol Label Switching (MPLS)

 

Most WAN technologies are leased on a monthly basis from a telecommunications service provider. Depending on the distances, this type of connectivity can be quite expensive. WAN contracts often include service level agreements (SLAs). These agreements guarantee the service level offered by the service provider. SLAs support critical business applications, such as IP telephony and high-speed transaction processing to remote locations.
