Cisco
Internetwork Design 3.0
Protocols
Desktop Protocols
Microsoft protocols were designed for flat networks where all the clients and servers share the same media. There are different remedies and encapsulation methods for carrying them across routed networks. Most noteworthy is NetBEUI, which must be bridged and cannot be routed unless encapsulated in another protocol such as NWLINK (NetBIOS over IPX) or NBT (NetBIOS over TCP/IP).
NetBIOS – broadcast-based; it does not have logical addressing functionality and operates primarily at the Session Layer.
NetBEUI – broadcast-based; it does not have logical addressing functionality and operates at the Transport and Network Layers of the OSI Model.
AppleTalk – versions include Phase 1 (antiquated; does not scale well) and Phase 2 (current version). Phase 2 allows a greater number of hosts per segment (253) and supports Token Ring, Ethernet and FDDI.
IPX (Internetwork Packet eXchange) – is a routable protocol and has different encapsulations. Encapsulations must match for machines to see each other on the network, or, although it is not recommended, you can run two different encapsulation methods on the same router interface with the ipx route-cache same-interface command. You can also run different encapsulations using subinterfaces, but the two networks cannot see each other. The default for Novell 3.X protocol support is Raw Ethernet or ETHERNET_802.3 (Novell-Ether); the default for Novell 4.X is ETHERNET_802.2 (SAP).
Raw Ethernet (ETHERNET_802.3) is similar to the IEEE 802.3 frame with no Logical Link Control and FFFF in the DSAP (Destination Service Access Point) and SSAP (Source Service Access Point).
TCP/IP (Transmission Control Protocol/Internet Protocol) – is a widely used routable protocol, and its biggest challenge is proper management of addressing, security and broadcasts.
Private Addressing – the usual address prefixes are 10, 172 and 192. Used for private networks not openly exposed to the Internet (inside a firewall).
Public Addressing – assigned by an ISP and not recommended for private networks. Private-to-public network communication can be accomplished by NAT through a PIX or other firewall. Options also include VPNs (Virtual Private Networks) or extranets secured through PPTP (Point-to-Point Tunneling Protocol) and/or L2TP (Layer 2 Tunneling Protocol).
Hierarchical Addressing – using address schemes where the different network numbers determine whether a destination is local or remote. Longer subnet masks are used at the access layer. The network prefix gets shorter as you move up the network hierarchy.
Prefix Routing – this is how a router forwards packets. The router uses the network number (prefix) for the routing determination.
Classful Addressing – the addressing scheme commonly used where the subnet mask reflects the number of bits used to calculate the default gateway (e.g. Class A 10.0.0.0 mask 255.X.0.0, Class B 172.0.0.0 255.255.0.0, Class C 192.0.0.0 255.255.255.0).
VLSM (Variable Length Subnet Mask) - classless addressing allows using, for example, a Class B address with a Class C subnet mask. Usually summarized in this fashion: 172.98.98.24/30, where /30 (or 255.255.255.252) specifies the number of bits used to calculate the network portion. This allows effective use of your IP addresses and should only be used with routing protocols that support VLSM, like EIGRP and OSPF.
Secondary Addressing – is assigning a second IP gateway address to the same interface on a router. This is not recommended and should be used only when you have to.
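As an added example (not from the study guide), the following Python uses the standard ipaddress module to show what the hierarchical addressing, prefix routing, classful and VLSM entries above describe: the router selects the longest matching prefix, the classful mask implied by the first octet is contrasted with the /30 mask from the text, and the two usable hosts of 172.98.98.24/30 are listed. The route table and interface names are constructed for the example.

```python
import ipaddress

# Constructed hierarchical route table: the /30 access link sits inside the
# /24 distribution block, which sits inside the /16 core summary.
# (prefix, outgoing interface) -- interface names are assumptions.
SAMPLE_ROUTES = [
    ("172.98.0.0/16", "Serial1"),      # core summary: shortest prefix, highest in the hierarchy
    ("172.98.98.0/24", "Ethernet1"),   # distribution block
    ("172.98.98.24/30", "Serial0"),    # access-layer point-to-point link (255.255.255.252)
    ("0.0.0.0/0", "Serial2"),          # default route
]


def classful_prefixlen(addr):
    """Classful addressing: the mask is implied by the first octet
    (Class A /8, Class B /16, Class C /24). No mask travels with the route."""
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError("no classful mask for Class D/E address %s" % addr)


def build_table(routes):
    """Parse and sort longest prefix first, so a linear scan returns the most
    specific match, which is what prefix routing means."""
    table = [(ipaddress.ip_network(p), iface) for p, iface in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, dst):
    """Return (matched prefix, interface) for a destination, or (None, None)."""
    ip = ipaddress.ip_address(dst)
    for net, iface in table:
        if ip in net:
            return net.with_prefixlen, iface
    return None, None


def usable_hosts(prefix):
    """VLSM: a /30 leaves exactly two host addresses for a point-to-point link."""
    return [str(h) for h in ipaddress.ip_network(prefix).hosts()]


if __name__ == "__main__":
    table = build_table(SAMPLE_ROUTES)
    for dst in ("172.98.98.26", "172.98.98.200", "172.98.5.1", "10.1.1.1"):
        print(dst, "->", lookup(table, dst))
    print("classful mask for 172.98.98.24: /%d" % classful_prefixlen("172.98.98.24"))
    print("hosts in 172.98.98.24/30:", usable_hosts("172.98.98.24/30"))
```

The sort by prefix length is the whole point: a destination inside the /30 also matches the /24, the /16 and the default, but the router forwards on the most specific entry, which is why summaries higher in the hierarchy never override access-layer links.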
Encapsulation Protocols
PPP (Point-to-Point Protocol) - is an encapsulation standard used over asynchronous serial, synchronous serial and ISDN.
SLIP (Serial Line Internet Protocol) – only supports TCP/IP, and information is passed in plain text.
NCP (NetWare Core Protocol) - is a component protocol of PPP and encapsulates multiple protocols. It has built-in security features.
LCP (Link Control Protocol) - another component of PPP and is responsible for authentication, multilink, callback and compression.
Authentication - CHAP or PAP: CHAP protects the password with a challenge/response exchange; with PAP, login and password information are sent in plain text.
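The CHAP versus PAP difference above, as an added Python example that is not part of the study guide: PAP puts the password itself on the link, while CHAP (RFC 1994) sends only an MD5 hash of the identifier, the shared secret and a random challenge, so the secret never crosses the wire and a captured response cannot be replayed against a new challenge. The shared secret and usernames are constructed values.

```python
import hashlib
import hmac
import os

# Constructed shared secret; on real routers it is provisioned on both ends
# out of band and never sent over the link.
SHARED_SECRET = b"example-shared-secret"


def pap_authenticate_request(username, password):
    """PAP: the peer sends the username and password as-is. Anyone capturing
    the link sees the credential, which is why the guide calls it plain text."""
    return {"username": username, "password": password}


def chap_challenge():
    """Authenticator side of CHAP: a fresh random challenge plus a one-byte
    identifier that ties the response to this particular challenge."""
    identifier = os.urandom(1)[0]
    challenge = os.urandom(16)
    return identifier, challenge


def chap_response(identifier, challenge, secret):
    """Peer side of CHAP (RFC 1994): respond with MD5(identifier || secret || challenge).
    Only this hash crosses the link; the secret itself stays on the box."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, challenge, response, secret):
    """Authenticator recomputes the hash with its own copy of the secret and
    compares in constant time."""
    expected = chap_response(identifier, challenge, secret)
    return hmac.compare_digest(expected, response)


def chap_exchange(peer_secret, authenticator_secret):
    """Run one full challenge/response round and return whether it succeeds."""
    identifier, challenge = chap_challenge()
    response = chap_response(identifier, challenge, peer_secret)
    return chap_verify(identifier, challenge, response, authenticator_secret)


def replayed_response_rejected():
    """A response captured from one challenge is useless against the next one,
    because the authenticator issues a new random challenge each time."""
    ident1, chal1 = chap_challenge()
    captured = chap_response(ident1, chal1, SHARED_SECRET)
    ident2, chal2 = chap_challenge()
    return not chap_verify(ident2, chal2, captured, SHARED_SECRET)


if __name__ == "__main__":
    print("PAP on the wire:", pap_authenticate_request("branch-rtr", "hunter2"))
    print("CHAP, matching secrets:", chap_exchange(SHARED_SECRET, SHARED_SECRET))
    print("CHAP, mismatched secrets:", chap_exchange(SHARED_SECRET, b"wrong"))
    print("CHAP replay rejected:", replayed_response_rejected())
```

Note that CHAP is a hash-based challenge/response rather than encryption of the link: it keeps the password off the wire and defeats replay, but the exchange itself is still visible, which is why the guide separately recommends tunneling and encryption for traffic over public networks.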
Multilink PPP – also referred to as MP; allows additional calls or channels to connect to a host for additional bandwidth. In order to use Multilink with Brand X routers, the routers must comply with RFC 1990. Multilink is configured on the interface.
LCP controls Multilink
- Works on Cisco 700 series routers.
- Works on routers running Cisco IOS.
- RFC 1990 allows for vendor compatibility.
- Allows packet fragmentation across channels.
- Sequences packets and performs load calculation on lines or channels.
- A 4-byte field in the header allows for proper sequencing.
Multilink Multichassis PPP - dial-in ISDN channels can be split across different access servers (a.k.a. a stackgroup) or routers. The access servers (stackgroup) or routers take in the data packets and forward them to a high-end MMP process server. The process server uses SGBP (Stackgroup Bidding Protocol) to do all the packet reassembly. The advantages are that the stackgroup is very scalable and less overhead is required from the access servers.
HDLC – is used for serial lines, and this version is proprietary to Cisco. Do not use it if connecting to a non-Cisco router or with the AutoInstall feature. This is a connectionless datagram protocol.
SDLC – used often in SNA environments; it supports full and half duplex and can be used in a packet- or circuit-switched environment.
LAPB – used over unreliable links and X.25. Connection-oriented with ordering and error checking.
RSRB – used to tunnel SNA over WAN links. ACKs and LLC2 frames are sent over the WAN.
STUN (Serial Tunneling) - used to tunnel SNA over WAN links. It supports local ACK, used with SDLC on congested WAN links.
PPTP (Point-to-Point Tunneling Protocol) – used to tunnel IP packets securely over the Internet.
GRE (Generic Routing Encapsulation) – used primarily in the backbone. Can be used to tunnel IPX or AppleTalk. Fast switching is supported.
NWLINK – used to encapsulate NetBIOS over IPX. Requires type 20 packets to operate properly. Use the ipx type-20-propagation command on the interface.
NBT – used to encapsulate NetBIOS over TCP/IP.
AURP (AppleTalk Update Routing Protocol) – encapsulated in TCP/IP over WAN links. Sends updates only, like EIGRP.
IPXWAN – client- and server-side software used with PPP to connect servers or clients over a dial-up connection. It is responsible for establishing a routing metric once the connection is made. It is dynamic and no configuration is required.
Remote Access
Design principles are shaped around the type and number of connections that need to be made. The applications and requirements will depend on the type of users that will be connecting to the network. Users usually fit into these categories:
- Mobile Users/Telecommuters - not connected all the time. Short connections and low bandwidth requirements, usually analog.
- Full Time Telecommuters - usually require faster connections. Longer connect times with higher bandwidth requirements. Use ISDN to run other devices or connections.
- Home or Small Office - requires fast connections and long connection times. A multi-interface router is needed to support the LAN and multiple WAN connections.
Access Methods
Remote Gateway - limited access and limited functionality. It can be used only to get email or access an application.
Remote Node - the most common access method. It is like dialing into a security server, RAS server, modem bank or access server stackgroup. This is the preferred method since it is very flexible and scales well in the Enterprise. Less overhead, and the PC appears as if directly connected to the LAN.
Remote Control - is when a PC dials in and takes control of another PC on the LAN. The user has full use of network services. This requires the most overhead due to the fact that an extra PC, analog line and modem are required. A good example of this is PCAnywhere.
Remote Access Support Equipment
- Small (<20): 3600 to 4000 series routers.
- Larger (>20, higher density): use a PRI on a 7500 to 7200 series router.
AS5300 access servers are recommended because they can combine analog and ISDN and can support higher densities. External modems are no longer recommended since they do not scale well.
Enterprise (AS5X00 Servers) - can be configured from medium to heavy port density and can support analog and ISDN lines. It is very scalable and servers can use MPP in stackgroups.
Security for Remote Access
- CHAP/PAP
- TACACS+ on Unix or NT
- RADIUS
- CiscoSecure
- PIX Firewalls
- VPN
Routing Protocols
It is important to distinguish between routed and routing protocols. Routing protocols use metrics (hop counts, ticks, etc.) to make a routing decision. Since routers do not forward broadcasts, routers separate networks into different broadcast domains. Switches and bridges separate media into separate collision domains. Routers are responsible for:
Protocols
Routing protocol comparison table (the protocol-name and heading columns did not survive extraction; the surviving cells are listed below):
- Bandwidth, delay, MTU, load. Must use IP and classful IP addresses. Can load balance.
- Bandwidth, delay, MTU, load. Supports multiple protocols; sends updates only on the WAN. Scales well. Converges quickly.
- More robust than RIP; sends subnet info so it can support VLSM.
- Max hop count is 15; is chatty and does not scale well.
- Uses LSAs to check on links. Backbone is area 0. Supports VLSM and discontiguous subnets.
- Used to connect autonomous areas.
- Link state, interior and exterior.
- Used to connect autonomous areas; can be used as an interior protocol.
- Very chatty; not recommended for WAN traffic or slow links.
- Link state for IPX. Robust and scales well. Used in large IPX networks, <400 per area.
- Tunnelled by IP over WAN links. Sends updates over the WAN and full updates on the LAN.
IPX on the WAN
Use NLSP (NetWare Link State Protocol) for faster convergence than IPX/RIP and reduced routing traffic. It uses cost as its metric and is more CPU intensive. NLSP redistributes RIP, but RIP retains its 15-hop limit; NLSP itself supports up to 1023 hops and areas of <400 routers.
EIGRP for IPX
Conserves bandwidth by sending only updates over the WAN and full updates over the LAN. When a route goes from IPX/RIP to EIGRP it increases the hop count by two. From EIGRP to IPX/RIP, the route tick count is unchanged.
OSPF
LSA1 – Router Links LSA – sends information about the router's links.
LSA2 – Network Link LSA – sent by the DR to all routers in the AS. A list of routers on the segment.
LSA3 – Summary Link LSA – sent by ABRs; a list of networks available outside the area.
LSA4 – Summary Link LSA – sent by ASBRs; a list of networks available outside the area.
LSA5 – External Link LSA – sent by ASBRs; a list of external network routes.
OSPF recalculates a new table when a route goes down, so if you have a link flapping you may want to increase the wait time using the spf holdtime command; otherwise it could overload the CPU and cause performance issues.
OSPF Backbone – try to stay away from meshing the backbone. Use a LAN backbone design and keep everything to one hop. Use as few routers as possible to keep the diameter small.
IGRP – used only for IP. The entire routing table is sent every 90 seconds, and updates are triggered on link failures. Flapping links can be detected with a protocol analyzer, as updates are sent when the link state changes. It does not support VLSM or summarization. Primary metrics are bandwidth and delay. The 90-second interval for complete updates can be changed; stay with the defaults unless a fast network requires faster convergence.
AppleTalk
RTMP – AppleTalk's version of a routing protocol. It is very similar to RIP; broadcasts the entire table every 10 seconds. Max hop count is still 15; uses split horizon.
Design Rule – Use EIGRP for routing AppleTalk.
EIGRP – saves bandwidth because only updates are sent. Fast convergence.
AURP (AppleTalk Update Routing Protocol) – Apple's attempt to create a more WAN-friendly routing protocol than RTMP. RTMP is encapsulated in IP over an AURP tunnel on WAN links. Reduces WAN traffic because only updates are sent over the wire. Use in an IP-only WAN environment.
Network Services and Gateways
Windows computers use LMHOSTS files, broadcasts, WINS, DNS and HOSTS files to locate services. By default they elect a default browser.
DHCP (Dynamic Host Configuration Protocol) – a BOOTP server used to assign IP addresses to requesting clients. Can be configured to specify node type, WINS, DNS and other information such as subnet mask and default gateway.
There are several options for DHCP configuration. Cisco offers IOS features to forward DHCP packets. The ip helper-address command forwards broadcasts to DHCP servers such as an NT server.
CNR (Cisco Network Registrar) – a Cisco solution that automates network services and provides a fully scalable solution for DHCP and DNS. Noted for being able to integrate network infrastructure software and applications.
Cisco DNS/DHCP Manager – similar to CNR, not as robust, and will be cancelled soon.
WINS (Windows Internet Name Service) – is a static-addressed server that performs NetBIOS name to IP address resolution, which takes away the need to ARP (broadcast) to resolve network names. Acts as a register for Windows machines. After booting and obtaining a DHCP IP address, the client sends a unicast packet to the WINS server requesting it to register its NetBIOS name. DNS servers and WINS servers (sometimes on the same server) work together to resolve name lookups.
DNS (Domain Name Services) - application server that provides Internet-name to IP-address conversion. A Windows DNS server can be directed to query a WINS server for NetBIOS names.
RAS (Remote Access Server) – uses PPP and CHAP or PAP to encapsulate the client's dial-in multi-protocol support; usually an NT Server. For a larger, scalable solution an AS5X00 is recommended.
IPeXchange Gateway – a client and server solution for accessing the Internet from an IPX network. Primarily used by IPX clients to access the Internet. The gateway server must run both IPX and TCP/IP. Clients run the client software, and servers are usually dual-homed to act as a gateway. The server only needs one IP address to serve several IPX clients.
Workstations sharing resources are defined as Workgroups. The presence of an NT server classifies it as a domain. Domains make the administration of resources easier.
Single Domain Model – services controlled by one PDC for clients.
Master Domain Model – is a collection of domains trusting a single master PDC for centralized administration. Simplifies management of resources.
Multiple Master Domain Model – resource domains trusting multiple master domain PDCs.
Complete Trust Domain Model – (a.k.a. Cluster Trust) all domains trust all other domains, and resources can be administered and shared across these domains.
Multicast Issues – one-to-many services. A Class D multicast address is needed. The router must be configured correctly for multicast, or it will forward out all of its ports. IGMP, CGMP and PIM are often used (PIM scales well in the Enterprise).
Firewalls – PIX is the preferred Cisco solution. It is advisable to turn off all ports, and then enable ports only for certain services to specific hosts. Protect yourself from IP spoofing from the Internet and configure your outside router to deny packets shown to have an inside IP address. Do not configure your routers for rsh or rlogin.
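The two firewall rules above (deny anything arriving from the Internet with an inside source address, and default-deny with a short per-host service allowlist) as an added Python model that is not from the study guide. The inside prefixes, interface name, allowlist and sample packets are all constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the site's public block and the Internet.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for the example: the address space this router protects
# (private ranges plus an assumed public block).
INSIDE_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]

OUTSIDE_INTERFACE = "Serial0"   # assumed name of the Internet-facing interface

# "Turn off all ports, then enable only certain services to specific hosts":
# the permitted (inside host, TCP port) pairs; everything else is denied.
SERVICE_ALLOWLIST = {
    ("203.0.113.10", 25),   # mail relay
    ("203.0.113.20", 80),   # public web server
}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ingress: str


def is_spoofed(pkt):
    """An inside source address arriving from the Internet cannot be genuine."""
    if pkt.ingress != OUTSIDE_INTERFACE:
        return False
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in INSIDE_PREFIXES)


def decide(pkt):
    """Outside-router ingress policy: anti-spoofing first, then default deny
    with a small service allowlist. Traffic on inside interfaces is not filtered here."""
    if is_spoofed(pkt):
        return "deny (spoofed inside source)"
    if pkt.ingress == OUTSIDE_INTERFACE and (pkt.dst, pkt.dport) not in SERVICE_ALLOWLIST:
        return "deny (no permitted service)"
    return "permit"


def apply_policy(packets):
    return [decide(p) for p in packets]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.10", 25, "Serial0"),   # mail from the Internet
    Packet("198.51.100.7", "203.0.113.20", 80, "Serial0"),   # web request
    Packet("198.51.100.7", "203.0.113.20", 513, "Serial0"),  # rlogin: not in the allowlist
    Packet("10.1.1.5", "203.0.113.20", 80, "Serial0"),       # claims a private inside source
    Packet("203.0.113.30", "203.0.113.10", 25, "Serial0"),   # claims our own public block
    Packet("10.1.1.5", "198.51.100.7", 80, "Ethernet0"),     # inside host going out
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, apply_policy(SAMPLE_PACKETS)):
        print(f"{pkt.ingress:9} {pkt.src:>15} -> {pkt.dst}:{pkt.dport:<4} {verdict}")
```

The order matters: the spoof check runs before the allowlist, so a packet that forges an inside source is dropped even when it is aimed at a permitted service.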
Campus Design
Common campus issues are Media, Protocols and Transport. Media issues are caused by high network loads and media contention; use LAN switching to solve this problem. Another protocol problem is that some do not scale well and are prone to excessive broadcasts; to solve this problem, use routers to segment your network. Transport problems occur when there is not enough bandwidth to support high-bandwidth applications; use ATM, Gigabit Ethernet and/or QoS IOS features to solve these problems.
Cut-through Switching – a packet is forwarded once the destination is read. No CRC check.
Store and Forward Switching – the entire packet is processed, the CRC checked and then forwarded out the appropriate interface.
VLANs – 802.1Q is a VLAN standard. VLANs help separate broadcast domains, since a router is required for communication between VLANs. Switching separates collision domains.
Distributed Backbone – each floor or building is isolated by its own router and switch. This setup is more expensive and often requires costly upgrades to scale.
Collapsed Backbone – all floors are wired into a single switch and router. More cost effective, but creates a single point of failure.
Hierarchical Networks - are designed for scalability, and this model is easier to troubleshoot.
ATM
ATM (Asynchronous Transfer Mode) – like Frame Relay and X.25, it uses PVCs and SVCs to establish connectivity. Used for high-speed data, video and voice. It transports information in 53-byte cells. ATM features:
- 5 bytes for header, 48 for data
- QoS is effective for managing ATM
- Flexible multiplexing and switching technology
- Low latency due to small cells and high-speed media
- Supports high-performance applications
- Uses SNAP encapsulation to multiplex several protocols
- SVCs are disconnected once transmission is complete
- Operates primarily at the Data Link Layer of the OSI model
AAL (ATM Adaptation Layer) – operates at the Data Link Layer, and its primary function is to hide what it is doing to the frames from the higher OSI Layers. That abstraction is by design.
ATM Layer – establishes connections and passes cells through the ATM network.
ATM Physical – manages the physical transmission of the cells. Does the bit-to-cell conversion.
AAL types:
- AAL1: used for voice/video applications.
- AAL3/4: used for SMDS applications. Message, sequence and CRC added.
- AAL5: used for data, non-SMDS data.
AAL1 – connection-oriented; needs time sequencing from source to destination and vice versa.
AAL3/4 – connectionless; used to transfer SMDS. It loses some payload capacity due to the added CRC, MIDs (Message Identifier) and the sequence number. There is a slightly increased delay attributed to SAR (Segmentation and Reassembly). Requires the use of an SDSU for SAR.
AAL5 – connection- and connectionless-oriented. Used for data transport. Uses SEAL for SAR.
ATM uses prefix routing in private networks.
PNNI (Private Network Node Interface) – hierarchical routing protocol used for ATM routing. It is dynamic and requires little configuration. Scalable, but complex.
IISP (Interim Inter-Switch Signaling Protocol) – is static routing on an ATM network. Uses SVCs when routes go down.
LANE (LAN Emulation) – emulation of a LAN over an ATM network.
LEC (LAN Emulation Client) – sends its MAC address to the LECS server. It can be a workstation or a router. It is responsible for endpoint functions, address resolution and data forwarding.
LES (LAN Emulation Server) – pseudo-WINS server for ATM. Acts as a register to store the multicast or unicast MAC address information of the LE clients. It accepts LE-ARP requests for destination MAC addresses.
LECS (LAN Emulation Configuration Server) – serves multiple ELANs and maintains a database of all the LECs' MAC addresses. The LECS responds to LEC requests by sending the appropriate ELAN information (identifier). Used like DHCP to assign LECs to certain ELANs. There is one per ATM switch.
BUS (Broadcast and Unknown Server) - multicast and broadcast server. Sends traffic to clients of the ELAN it is responsible for.
X.25
X.25 is a packet-switched Layer 2 protocol that operates at the Data Link Layer of the OSI model. This protocol works by encapsulating the Layer 3 protocols. X.25 was engineered for strong error checking and flow control at Layers 2 and 3. X.25 uses LAPB and is very reliable. It also uses sliding windows (much like TCP/IP) for flow control. It suffers from lower throughput and higher latency than Frame Relay. X.25 uses SVCs (Switched Virtual Circuits) and PVCs (Permanent Virtual Circuits). PVCs are always connected. X.25 treats the connection as a reliable data link; Frame Relay does not.
Subinterfaces solve the problem of split horizon and forwarding updates on NBMA.
Figure (image not preserved): Datagram encapsulation; Network Function.
X.25 is highly available and used worldwide.
PAD (Packet Assembler Disassembler) - can also be a router. It collects the data transmissions from the terminals and gathers them into an X.25 data stream, and vice versa. The PAD acts like a multiplexer for the terminals. During configuration of X.25 you specify whether the interface will act as a DCE or DTE. When configured as a DCE the router behaves as an X.25 switch.
X.121 - is the addressing standard. Static mappings must be made manually; X.25 does not support ARP. The address begins with a 4-digit country code. The following 8 to 11 digits are assigned by the X.25 service provider.
Figure (image not preserved): DCE (switch or concentrator).
Options for X.25 - window and packet sizes must match on both sides of the connection. Use the x25 ips command for the incoming packet size and x25 ops for the outgoing packet size. The window size sets a counter for when to send an acknowledgement; the x25 win and x25 wout commands are used. The modulo controls the size of the window: 8 or 128 are used to specify the number of packets.
Satellites use X.25 as well. To increase performance, they use modulo 128, which allows a higher window size.
Window parameters (number of packets): with modulo 8 the window sends an ack after 7 packets, inbound or out. Example: (config-if)# x25 modulo 8
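The matching rule above (packet sizes and windows must agree on both ends, and the window must fit inside the modulo) as an added Python check that is not from the study guide. The dictionary keys are named after the x25 modulo, ips, ops, win and wout commands in the text; the DTE and DCE settings are constructed, with the second DCE deliberately wrong to show what the cross-check reports.

```python
# Constructed per-interface settings, keyed by the IOS command names in the text.
LOCAL_DTE = {"modulo": 8, "ips": 128, "ops": 128, "win": 7, "wout": 7}
PROVIDER_DCE = {"modulo": 8, "ips": 128, "ops": 128, "win": 7, "wout": 7}
MISCONFIGURED_DCE = {"modulo": 128, "ips": 256, "ops": 128, "win": 7, "wout": 15}


def check_side(name, cfg):
    """Validate one end on its own: modulo is 8 or 128, and each window holds
    fewer packets than the modulo so sequence numbers cannot wrap inside a window."""
    problems = []
    if cfg["modulo"] not in (8, 128):
        problems.append(f"{name}: modulo {cfg['modulo']} must be 8 or 128")
    for key in ("win", "wout"):
        if not 1 <= cfg[key] <= cfg["modulo"] - 1:
            problems.append(
                f"{name}: {key}={cfg[key]} must be between 1 and modulo-1 ({cfg['modulo'] - 1})")
    return problems


def check_pair(a, b):
    """Validate both ends, then cross-check: what A sends (ops, wout) must equal
    what B expects to receive (ips, win) and vice versa. Empty list means compatible."""
    problems = check_side("A", a) + check_side("B", b)
    if a["modulo"] != b["modulo"]:
        problems.append(f"modulo mismatch: A={a['modulo']} B={b['modulo']}")
    for a_key, b_key in (("ops", "ips"), ("ips", "ops"), ("wout", "win"), ("win", "wout")):
        if a[a_key] != b[b_key]:
            problems.append(f"A {a_key}={a[a_key]} does not match B {b_key}={b[b_key]}")
    return problems


if __name__ == "__main__":
    print("good pair:", check_pair(LOCAL_DTE, PROVIDER_DCE))
    for line in check_pair(LOCAL_DTE, MISCONFIGURED_DCE):
        print("bad pair:", line)
```

The cross-check is directional on purpose: an outgoing parameter on one side is compared with the incoming parameter on the other, which is the comparison a provider's circuit sheet asks you to make.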
Frame Relay
Frame Relay Interfaces - Frame Relay requires the use of a CSU/DSU. Like X.25, Frame Relay uses SVCs and PVCs. PVCs are used for frequent and long connection times. SVCs are for sporadic, infrequent traffic.
Frame Relay Bandwidth - maximum throughput is up to T3 speed. Frame Relay is a Layer 2 protocol. It relies on the upper layers for error correction and is faster than X.25.
LMI (Line Management Interface) - is the standard for signaling. There are 3 types; Cisco is the default. The service provider will specify the LMI in use.
- LMIs control data keep-alives and verify the dataflow.
- Use a multicast mechanism to provide the network server the DLCI.
- Use multicast addressing so the DLCI has global significance.
- Verifies the DLCIs in use and their status to the local Frame Relay switch.
LMI Autoconfigure - a router with IOS 11.2 and newer does not need to be configured for the LMI. The newer routers will send a signal to the FR switch to determine the LMI in use.
DLCI (Data Link Connection Identifier) - identifies the logical circuits in use and their status from the CPE to the Frame Relay switch.
Encapsulation Types - are Cisco and IETF. Cisco is the default. If the router is a non-Cisco router, use IETF. This designation can be made per DLCI. Even if all the routers are Cisco, you can communicate with a location with a non-Cisco router: specify the IETF encapsulation and DLCI. You can use this with the map command. In short, encapsulation can be set per interface or per destination.
Split Horizon and Routing Updates - since routing updates should not be sent out the same interface you received the update on (as this causes routing loops), the solution to this problem is creating subinterfaces with different DLCIs.
Each subinterface has its own DLCI-enabled multipoint connection. Routing updates will now work properly.
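Why subinterfaces fix the split-horizon problem, as an added Python simulation that is not from the study guide: a hub learns one prefix from each spoke, and split horizon forbids advertising a prefix back out the logical interface it was learned on. With both DLCIs on one multipoint interface the spokes never learn each other's prefixes; with one point-to-point subinterface per DLCI they do. The DLCI numbers, interface names and prefixes are constructed.

```python
# Routes the hub has learned, as (prefix, DLCI it arrived on). Constructed.
LEARNED_ROUTES = [
    ("10.1.0.0/24", 100),   # from spoke A over DLCI 100
    ("10.2.0.0/24", 200),   # from spoke B over DLCI 200
]

# One physical multipoint interface carrying both DLCIs.
MULTIPOINT = {100: "Serial0", 200: "Serial0"}

# The fix from the text: one point-to-point subinterface per DLCI.
POINT_TO_POINT = {100: "Serial0.1", 200: "Serial0.2"}


def hub_advertisements(learned, dlci_to_interface):
    """Apply split horizon at the hub: a route is advertised over a DLCI only if that
    DLCI lives on a different logical interface from the one the route was learned on.
    Returns {dlci: sorted list of prefixes advertised over it}."""
    adverts = {dlci: [] for dlci in dlci_to_interface}
    for prefix, from_dlci in learned:
        learned_if = dlci_to_interface[from_dlci]
        for dlci, iface in dlci_to_interface.items():
            if iface != learned_if:
                adverts[dlci].append(prefix)
    return {dlci: sorted(prefixes) for dlci, prefixes in adverts.items()}


def spokes_see_each_other(learned, dlci_to_interface):
    """True when every spoke receives every other spoke's prefix from the hub."""
    adverts = hub_advertisements(learned, dlci_to_interface)
    for prefix, from_dlci in learned:
        for dlci in dlci_to_interface:
            if dlci != from_dlci and prefix not in adverts[dlci]:
                return False
    return True


if __name__ == "__main__":
    print("multipoint   :", hub_advertisements(LEARNED_ROUTES, MULTIPOINT))
    print("subinterfaces:", hub_advertisements(LEARNED_ROUTES, POINT_TO_POINT))
```

The model generalises to any number of spokes: add more (prefix, DLCI) pairs and the same rule decides what each spoke hears.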
Frame Relay Map – the command is used to configure the next-hop address on an interface.
Inverse ARP – takes care of all the mappings for you. It builds a Frame Relay map by querying the Frame Relay switch during the LMI exchange. It sends an Inverse ARP request for the protocols that are specified on the interface. The downside of the automatic setup is that troubleshooting can be a pain.
Frame Relay Topologies
NBMA Model (Non-Broadcast Multi-Access Model) – mesh between peer routers. Routers are configured as a simulated LAN and as one logical subnet. The downside is processor overhead: each broadcast packet must be processed, broadcasts are sent out each virtual circuit, and performance degrades on the link. To control the amount of bandwidth used on an interface, use the frame-relay broadcast-queue command.
Virtual Circuit Routing – uses subinterfaces to conquer the split horizon issues. This simulates several point-to-point links.
Figures (icons from Cisco ConfigMaker; images not preserved): NBMA Full Mesh; Subinterfaces with Full Mesh; Hub and Spoke.
X.25 and Frame Relay interfaces can be backed up with an option called a floating static map using an analog or ISDN line.
NAT
Network Address Translation - can be used to merge two large networks without having to re-address the whole network. Another function of NAT is overloading inside global addresses: this process maps several inside addresses onto a single IP address. NAT can also use a pool of addresses or multiple interfaces. NAT is supported by IOS 11.2 and higher. (Easily remembered by "meet me at 11 toNAT" instead of tonight. 11.2 toNAT; it is corny but effective!)
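The overloading function described above, as an added Python model that is not from the study guide: several inside local addresses share one inside global address, told apart by the translated source port, and an inbound packet with no matching translation is dropped. The addresses and ports are constructed (203.0.113.1 and 198.51.100.0/24 are documentation ranges).

```python
import itertools


class NatOverload:
    """Port Address Translation ("overloading"): many inside local addresses are
    translated to one inside global address, distinguished by the global source port."""

    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global
        self._ports = itertools.count(first_port)
        self._out = {}   # (inside_local, local_port) -> global_port
        self._in = {}    # global_port -> (inside_local, local_port)

    def outbound(self, src, sport, dst, dport):
        """Translate an inside->outside packet, allocating a global port on first use.
        Returns the packet as seen on the outside: (src, sport, dst, dport)."""
        key = (src, sport)
        if key not in self._out:
            gport = next(self._ports)
            self._out[key] = gport
            self._in[gport] = key
        return (self.inside_global, self._out[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Translate an outside->inside packet back to the inside host, or return None
        (drop) when no translation exists. Unsolicited inbound traffic has no entry,
        which is why inside hosts behind an overload are not directly reachable."""
        if dst != self.inside_global or dport not in self._in:
            return None
        inside_local, lport = self._in[dport]
        return (src, sport, inside_local, lport)

    def translations(self):
        """Current translation table, comparable to what a show command would list."""
        return dict(self._out)


def demo():
    """Two inside hosts, both using local port 40000, share one global address."""
    nat = NatOverload("203.0.113.1")
    a = nat.outbound("10.0.0.5", 40000, "198.51.100.7", 80)
    b = nat.outbound("10.0.0.6", 40000, "198.51.100.7", 80)
    reply_a = nat.inbound("198.51.100.7", 80, "203.0.113.1", a[1])
    unsolicited = nat.inbound("198.51.100.9", 4444, "203.0.113.1", 9999)
    return a, b, reply_a, unsolicited


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Because the two hosts collide on local port 40000, the global port is the only thing that lets the reply find its way back to the right host; that is also why the translation table, not the address, is the state that matters for troubleshooting.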
Description and Interfaces
TE1 - has an ISDN interface. DS0 = 64 Kbps = Digital Signal Level 0.
TE2 - does not have an ISDN interface; requires a TA (Terminal Adapter). The TA is typically an ISDN modem. The TA converts the signal to ISDN standards. DS0 = 64 Kbps.
ISDN PRI US T1 - requires different connectors. Uses DB15 and RJ48 connections. DS1 = 1.54 Mbps; contains 24 DS0s, with signaling considered in band.
ISDN PRI EUROPE E1 - requires four DB15 connections before the CSU/DSU, and four RJ45 and/or DB15 connections to the switch. 30 x DS0; signaling is considered out of band.
In Europe, the ISDN service provider provides the NT1. In the US, the customer supplies the NT1. In the USA, T1's D channel is in band. In Europe, it is considered out-of-band signaling.
Logical Interfaces
RSTUV - Logical Reference Points
Rate Reference Point - located between the non-ISDN router interface and the Terminal Adapter (TA).
System Reference Point - is the reference point between the router with an ISDN interface and the NT2, or between the TA and NT2. Non-U.S. demarcation.
Terminal Reference Point - the reference point between the TE1 and NT1 and/or TA. If there is an NT2 (customer switching equipment), the reference point is included to the NT1 as well. This point is a non-U.S. demarcation.
User Reference Point - this reference point is a U.S. demarcation. It references the point between the NT1 and the LT.
V Reference Point - located between the LT and the ET. Also referred to as the Local Exchange.
SNA
SNA is a hierarchical network structure. There are several components and possible configurations for configuring an SNA network.
NAUs – Network Addressable Units – all devices that can communicate in an SNA network.
LU – Logical Unit – the software end unit. Software that provides the interaction for the users.
PU – Physical Unit – controls resources on the node. Loads software and provides the communication with the SSCP.
SSCP – System Services Control Point – software for the mainframe that is responsible for establishing the lines of communication and controlling resources.
SNA Gateways – handling direct communication with the mainframe from a dumb terminal or PC would be quite rough without a gateway.
LU Gateway – SDLC uses polling to communicate. Sending polling traffic over the LAN may convince you to establish a gateway. LU gateways are good because the mainframe has an SSCP-to-PU session to the LU gateway. The clients only connect to the LU gateway through NetBIOS, so the mainframe maintains fewer connections.
PU Gateways – have a larger amount of overhead and administrative burden. The PCs attached to the PU have to be manually configured on the VTAM.
DSPU
DSPU – Downstream PU – is a Cisco router acting as a PU 2.0 device. To PCs it looks like the mainframe and is very robust.
Connecting and Routing with SNA
DLSw – Data Link Switching – recommended as a scalable solution for traffic over a WAN link. It is compatible with other vendors. Responsible for multiplexing LLC connections over the WAN link. They are encapsulated in TCP/IP.
RSRB – Remote Source Route Bridging – older method of SNA tunneling. Prone to timeouts over slow WAN links. Tends to be chatty. Local ACK is used to solve this problem. It is much like IPX spoofing and prevents timeouts.
STUN – Serial Tunneling - older method of SNA tunneling. Prone to timeouts over slow WAN links. It performs very well over serial lines and supports direct serial connections. Has fewer options than RSRB but is more robust. Supports local ACK and is routable.
VPN Design Fundamentals
VPN stands for Virtual Private Network.
A VPN is "any network built upon a public network and partitioned for use by individual customers".
A VPN will allow you or your company to use a public medium such as the Internet to provide an end-to-end connection. This allows you to design a cost-effective solution for your clients, but you must be aware of all the major design considerations that follow. Your main issue of course will be security and encryption. VPNs use encryption and tunneling to establish secure connections.
There are three different corporate or business uses of VPNs:
- Remote Access
- Intranet
- Extranet
Basic VPN Design
Remote Access VPN Design
Remote Access VPNs provide remote access to mobile or remote-site users. A Remote Access VPN solution will allow a connection to a corporate Intranet or extranet over a public infrastructure. Access VPNs enable mobile or remote users to access resources at company headquarters locations.
Access VPNs encompass many technologies including:
Intranet VPN Design
Intranet VPNs provide a link over a shared infrastructure using mostly dedicated connections. They connect:
- Corporate headquarters
- Remote offices
- Branch offices
An Intranet connects entities together, and most of them are trusted entities. When you open your doors to untrusted or less trusted entities, you begin to create an Extranet-based VPN.
Extranet VPN Design
Extranet VPNs provide a link to a corporate Intranet over a shared infrastructure using mostly dedicated connections.
They connect
Now external customers can take part in your Intranet solution. This would be a typical design if you wanted to have an external business partner take part in some of your web server transactions or access a database. This of course puts a new twist into your design, where you need to start thinking about intrusion detection systems or ways to monitor access.
Notice that in the above scenario you are allowing access to your Intranet over the VPN solution.
For more documentation on VPN strategies from Cisco, visit these links:
Read VPN: Your Guide to the New World Opportunity
Read VPN Overview By Cisco (Design Examples)
Factors to Consider When Designing Your VPN Solution
What are the advantages of
having a VPN strategy as part of your network design?
Cost Savings
-
When designing and implementing a
VPN you can sell the fact that organizations no longer have to use
expensive leased or frame relay lines to provide end to end connectivity
in every situation. Now, remote users can connect to their corporate
networks via a local ISP.
-
Calculate your savings with Cisco's
Remote Access VPN Savings Calculator.
Security
-
VPNs can provide a high level of
security using advanced encryption techniques and authentication
protocols
-
Some of these protocols are
PPTP and L2TP which are Tunneling Protocols that provide
encryption
Scalability
-
VPNs give flexibility to companies
to have a remote access infrastructure (some cannot afford expensive
lines)
-
Corporations are able to add a
virtually unlimited amount of capacity without adding significant
infrastructure. You must remember that the following should be taken
into your design: although it will scale, you will not get a dedicated
rate of bandwidth nor will you be able to fully rely on its
dependability.
Compatibility with
Broadband Technology
-
VPNs allow mobile workers,
telecommuters and day extenders to take advantage of high-speed,
broadband connectivity, such as DSL and Cable, when gaining access to
their corporate networks. This provides workers with significant
flexibility and efficiency.
-
Note that this is also a security consideration: an always-on broadband
host is reachable from the Internet whenever it is up, and a compromised
remote host has a tunnel into the corporate network. Design your VPNs
with security taking a high priority.
Remember:
You get
what you pay for. If you are designing a network for a client, you will
need to take into account that although you are saving money, you may not
be able to provide the most redundancy or offer a guarantee of bandwidth.
A VPN solution should be implemented into an infrastructure with much
thought and planning.
Security and Encryption
Three Phases of Securing a Network
-
Setting up a security policy that
will define the security goals of an enterprise
-
Using a “Defense in Depth” approach
in your design. This entails implementing network security with a
multi-layered design so that the enterprise does not fully depend or
rely on one type of technology or one layer of defense to solve all
security related issues
-
Consistent auditing of the network
to make sure that the security policy is being enforced. You can use the
results of the audits to modify the security policy and the technology
implementation as you develop your design. CiscoSecure ACS (TACACS+)
does a good job of router login auditing, amongst other things, and is a
product you can incorporate into your design as the first layer of
defense.
Cisco Network Security Solutions
Note: Know how to leverage
these products in your network design.
-
Firewall (PIX): determines whether
network traffic crossing in either direction is
authorized
-
Cisco IOS firewall add-on: is an add-on module
to Cisco IOS software. It provides advanced firewall capabilities and
security technology such as intrusion detection and
authentication
-
Cisco Secure IDS: detects unauthorized
activity on the network, responds to it, and sends alarms back to the
management console
-
Cisco Secure Scanner: is software that
scans networks to find security vulnerabilities and provides
recommendations to correct them (Cisco’s port/vulnerability
scanner)
-
Cisco Security Policy Management: enables deployment
of network policies on the network and centrally manages policies on
PIX firewalls, VPNs, and Cisco Secure IDS systems
-
Security consulting: offers comprehensive
security posture assessments by highly experienced teams of Cisco
Network Security Engineers
-
Security knowledge base: has been developed
as a central warehouse of security knowledge to provide Cisco
security professionals with an interactive database of security
vulnerability information
-
CiscoSecure ACS: delivers easy-to-use
authentication, authorization, and accounting services for both
small and large access environments
-
Partner program: is a program
designed to deliver comprehensive, interoperable security solutions
for Cisco networks to its customers and its associates’
customers
Five Key Elements of Network Security
Five Key Elements
-
Identity
-
Perimeter Security
-
Data Privacy
-
Security Monitoring
-
Policy Management
Identity
-
Defined as the accurate and positive
identification of network users, hosts, applications, services, and
resources
-
Technologies used to perform solid
identification are:
-
Authentication protocols such as
RADIUS and TACACS+
-
Kerberos (with a Ticket Granting
Server, TGS)
-
One-time password
tools
-
New technologies are beginning to
emerge which perform increasingly important roles in identification
solutions
-
Digital certificates
-
Smart cards
-
Directory services
Perimeter
Security
-
Perimeter security provides a means
to control access to critical resources such as network applications,
data, and services
-
The goal is to control access so
only legitimate users and information can traverse your network
-
Routers and switches with ACLs
(access control lists) provide this control by filtering on source and
destination IP address, protocol and port
-
Other tools that perform Perimeter
Security
-
Firewalls
-
Virus scanners
-
Content filters
Data Privacy
-
Effective data privacy can be
provided by several methods including:
-
Tunneling
-
Data separation
-
GRE (Generic Routing Encapsulation)
or L2TP (Layer 2 Tunneling Protocol) provide data separation and
tunneling, but neither encrypts the payload: anyone who can capture the
tunnel traffic can read it
-
Confidentiality and integrity come from
protocols such as IPSec, which encrypts and authenticates the tunneled
data (GRE over IPSec and L2TP over IPSec are common combinations)
-
This added protection is
especially important when designing VPNs
Security
Monitoring
-
How do you know your design worked?
Any good designer must look at and test their design regularly at
periodic intervals to ensure that the design works. You have to test
your design and monitor it
-
Network vulnerability scanners
(Cisco Secure Scanner) can denote weak areas
-
Intrusion detection systems (Cisco
Secure IDS) can monitor and respond to security events in
real-time
Policy Management
-
As you continue to design and grow
your network, how do you manage it?
-
You can use Cisco Security Policy
Management tools to provide such management
-
Know how to implement overall
management products into a design especially for large enterprise size
companies
Basic Three Part Firewall Design
Note:
The external network you connect to is the “unknown” network: treat
everything arriving from it as untrusted.
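To make the perimeter-security and three-part firewall points concrete, here is an added example (not code from the original page or from Cisco) that models how an IOS-style extended ACL is evaluated on the outside router of a three-part design. The addressing (DMZ 192.0.2.0/24 with a web server at 192.0.2.10, inside 10.0.0.0/8), the ACL text and the test packets are all constructed for the example; the rule grammar supported is a small subset of IOS syntax chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the three-part design (assumption, not from the page):
#   outside = the unknown network (anything)
#   DMZ     = 192.0.2.0/24, public web server at 192.0.2.10
#   inside  = 10.0.0.0/8
# Constructed IOS-style extended ACL applied inbound on the outside router.
OUTSIDE_IN_TEXT = """
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 permit tcp any 10.0.0.0 0.255.255.255 established
access-list 101 deny ip any any log
"""


@dataclass
class Packet:
    proto: str                  # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    dport: int = 0
    established: bool = False   # TCP ACK or RST bit set


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are host masks, which the ipaddress module accepts directly.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_rule(line):
    """Parse one 'access-list N permit|deny proto src dst [eq port] [established] [log]' line."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport: Optional[int] = None
    established = False
    while i < len(t):
        if t[i] == "eq":
            dport, i = int(t[i + 1]), i + 2
        elif t[i] == "established":
            established, i = True, i + 1
        else:                   # 'log' and anything else this model ignores
            i += 1
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "established": established}


def matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule["dst"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    if rule["established"] and not pkt.established:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; with no match the implicit 'deny ip any any' applies."""
    for n, rule in enumerate(acl, 1):
        if matches(rule, pkt):
            return rule["action"], n
    return "deny", None


OUTSIDE_IN = [parse_rule(l) for l in OUTSIDE_IN_TEXT.strip().splitlines()]

if __name__ == "__main__":
    outsider = "198.51.100.7"
    for pkt in (Packet("tcp", outsider, "192.0.2.10", 80),
                Packet("tcp", outsider, "10.1.1.5", 23),
                Packet("tcp", outsider, "10.1.1.5", 23, established=True),
                Packet("udp", outsider, "192.0.2.10", 53)):
        print(pkt, "->", evaluate(OUTSIDE_IN, pkt))
```

Two things the run shows that the bullet list does not: entry order matters because the first match wins, and the `established` keyword only checks TCP flag bits, so a crafted segment with ACK set toward an inside host is permitted by entry 3. That is why the inside (choke) router in the three-part design should carry its own filter rather than trusting the outside router alone.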
Designing for Security
Before looking at this
overview, download and read Sun's Network Security Policy Design.
Network assets can include
-
Network hosts (including the hosts'
operating systems, applications, and data)
-
Internetworking devices (such as
routers and switches)
-
Network data that traverses the
network
-
Intellectual property
-
Trade secrets
-
The company’s reputation
Note: Protecting these
assets is the intent of network security design measures.
Analyzing Security Design
Decisions
-
When analyzing the design you need
to achieve a balance between certain factors. These factors include:
-
Affordability
-
Usability
-
Performance
-
Availability
-
Security adds to the overall
workload by adding responsibility for maintaining user login IDs,
passwords, and audit logs
Security Design
Considerations
-
Designing and implementing network
security will affect network performance.
-
Packet filters and data encryption
will take a toll on CPU power and memory.
-
Encryption can use more than 15
percent of available CPU power.
-
Even if you design the network with a
dedicated device to do the encryption, it still adds latency: every
packet has to be encrypted or decrypted, and that processing takes time.
-
Availability is affected and this
happens when you create a choke point that forces all your data traffic
out one point. (This is the device doing the encrypting and decrypting.)
-
This also creates one point of
failure.
-
Cisco recommends that “to
maximize performance and minimize security complexity, a router that is
running encryption probably should not offer load balancing. So instead,
implement load balancing on the routers between the pair of devices
offering encryption” This advice should be taken into consideration
when planning your design.
Load balance scenario
AAA
View this Case study
Provided by Cisco: Cisco AAA Implementation Case Study.
Authentication
-
Identifies who is requesting
services on the network.
-
Most security policies state that
“to access a network and its services a user must enter a name and
password that are authenticated by a security server”.
-
One Time Passwords:
-
Enhance security greatly because
each password is valid for a single use (or a short time window), so a
password captured on the wire is useless for a replay
-
Are not susceptible to guessing or
to a well-focused dictionary attack, because each value is derived from a
secret the attacker does not hold
-
Are often accomplished through a
software application
-
Can also be implemented with a
security card (a token the size of a credit card). The user enters a
PIN (personal identification number) to unlock the card, which then
produces the current password
-
The token and a centralized security
server share a secret and a synchronized clock or counter, so the server
can compute the same password and verify it
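As an added example (not from the original page, and not the algorithm of any particular Cisco or third-party token product), here is a time-synchronized one-time password in the style of RFC 4226/6238: the card and the security server share a secret and a clock, the PIN unlocks the card, and the server refuses to accept a password for a time step it has already accepted, which is what defeats replay. The 30-second step, the skew window of one step, the secret and the PIN are all constructed for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30    # clock step shared by card and server (assumption for the example)
DIGITS = 6


def otp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the counter, dynamically truncated to `digits` decimal digits (RFC 4226 style)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SecurityCard:
    """The user's token: holds the shared secret and the PIN that unlocks it."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin

    def code(self, pin: str, now: int):
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None                       # wrong PIN: the card stays locked
        return otp(self._secret, now // STEP_SECONDS)


class SecurityServer:
    """Centralized server: shares each user's secret and remembers the last step it accepted."""

    def __init__(self):
        self._secrets = {}
        self._last_step = {}

    def enroll(self, user: str, secret: bytes):
        self._secrets[user] = secret
        self._last_step[user] = -1

    def verify(self, user: str, code: str, now: int, skew: int = 1) -> bool:
        if user not in self._secrets:
            return False
        step = now // STEP_SECONDS
        for candidate in range(step - skew, step + skew + 1):
            # Replay check: never accept a step at or before the last one used.
            if candidate <= self._last_step[user]:
                continue
            if hmac.compare_digest(otp(self._secrets[user], candidate), code):
                self._last_step[user] = candidate
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # provisioned to card and server (sample value)
    card = SecurityCard(secret, pin="1234")
    server = SecurityServer()
    server.enroll("alice", secret)
    now = 1_700_000_000
    code = card.code("1234", now)
    print("password:", code, "accepted:", server.verify("alice", code, now))
    print("same password again:", server.verify("alice", code, now + 5))   # replay refused
```

The skew window tolerates a card clock that drifts by one step; widening it trades replay resistance for convenience, so the synchronization the text mentions is exactly what keeps that window small.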
Authorization
-
Authentication controls “who”
can access network resources.
-
Authorization controls “what”
they can do when they have access.
-
Authorization grants privileges to
processes and users.
-
Authorization lets a security
administrator control parts of a network such as directories and files
on servers.
Accounting
-
Collecting data for accountability
is called accounting and is better known as auditing.
-
If you have designed a strict
security policy, you will probably be auditing all attempts to
achieve authentication and authorization by any person. (If you have
used the CiscoSecure ACS product you can set this up on routers so that
any attempt to access the router is audited and logged.) This is highly
recommended in any Network Security design.
-
It is most important to log
"anonymous" or "guest" access to public servers.
-
What is even better to implement
into your design is a Honey Pot. A Honey Pot is a decoy system with no
production role, so any access to it is suspicious by definition and every
action taken on it can be logged and studied. Its design follows.
Basic Attack and how to
get accountability
CiscoSecure ACS
The CiscoSecure ACS
application lets you centralize router and switch logins through AAA, so
you can both audit and fully monitor who logs in to your routers and what
changes take place.
When you set up users and
groups you can audit their activity on your routers and switches.
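Auditing only pays off if someone reads the records. As an added example (not from the original page or from Cisco), here is detection logic run over a few constructed syslog lines written in the style of IOS login messages (the `%SEC_LOGIN-4-LOGIN_FAILED` / `%SEC_LOGIN-5-LOGIN_SUCCESS` format; the hosts, users, timestamps and the message wording are sample data, and the field layout is an assumption you should check against your own devices). It flags sources that exceed a failure threshold, a success from a source that had already tripped that threshold, and successful logins that arrived over Telnet (local port 23) rather than an encrypted session.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample log lines in IOS style (not a real capture).
SAMPLE_SYSLOG = """
Mar  4 10:02:11 edge-rtr 45: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed] at 10:02:11 UTC Mon Mar 4 2002
Mar  4 10:02:14 edge-rtr 46: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed] at 10:02:14 UTC Mon Mar 4 2002
Mar  4 10:02:17 edge-rtr 47: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed] at 10:02:17 UTC Mon Mar 4 2002
Mar  4 10:02:20 edge-rtr 48: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed] at 10:02:20 UTC Mon Mar 4 2002
Mar  4 10:02:25 edge-rtr 49: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.7] [localport: 23] at 10:02:25 UTC Mon Mar 4 2002
Mar  4 10:03:01 edge-rtr 50: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.7)
Mar  4 10:05:40 edge-rtr 51: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: jdoe] [Source: 10.1.1.5] [localport: 22] [Reason: Login Authentication Failed] at 10:05:40 UTC Mon Mar 4 2002
Mar  4 10:05:52 edge-rtr 52: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jdoe] [Source: 10.1.1.5] [localport: 22] at 10:05:52 UTC Mon Mar 4 2002
"""

_LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(FAILED|SUCCESS): .*?"
    r"\[user: ([^\]]*)\] \[Source: ([^\]]*)\] \[localport: (\d+)\]"
)


class LoginEvent(NamedTuple):
    outcome: str   # 'FAILED' or 'SUCCESS'
    user: str
    source: str
    port: int      # local port the session came in on: 23 = Telnet, 22 = SSH


def parse_login(line: str) -> Optional[LoginEvent]:
    """Return the login event in a syslog line, or None for any other message."""
    m = _LOGIN_RE.search(line)
    if not m:
        return None
    return LoginEvent(m.group(1), m.group(2), m.group(3), int(m.group(4)))


def audit(lines, threshold: int = 3) -> dict:
    """Walk the lines in order and collect the findings a reviewer would want to see."""
    failures = Counter()            # failed attempts per source address
    success_after_failures = []     # (source, user): likely guessed credential
    cleartext_logins = []           # (source, user): successful login over Telnet
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue
        if ev.outcome == "FAILED":
            failures[ev.source] += 1
            continue
        if failures[ev.source] >= threshold:
            success_after_failures.append((ev.source, ev.user))
        if ev.port == 23:
            cleartext_logins.append((ev.source, ev.user))
    return {
        "brute_force": {src: n for src, n in failures.items() if n >= threshold},
        "success_after_failures": success_after_failures,
        "cleartext_logins": cleartext_logins,
    }


if __name__ == "__main__":
    for finding, value in audit(SAMPLE_SYSLOG.strip().splitlines()).items():
        print(f"{finding}: {value}")
```

The `%SYS-5-CONFIG_I` line is ignored by this pass, but it is the record of "what changes take place" that the ACS paragraph refers to; correlating it with the preceding guessed login is the next step a real review would take.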
Data Encryption
-
Encryption is enabled to protect
data from being read by anyone except the party you intended to receive
and view it.
-
An encryption device encrypts data
before placing it on a network.
-
A decryption device decrypts the
data before passing it to an application.
-
An encryption or decryption device
can be a router, server, end system, or dedicated device.
-
Encrypted data is called
ciphertext (sometimes “ciphered data”).
-
Data that is not encrypted is called
plain text or clear text.
-
You may want to encrypt data for
many reasons. One main reason that you can explain to your clients when
you go over your design is the basic need for encryption in the first
place. Telnet and SNMP (versions 1 and 2c) send passwords, community
strings and any other form of authentication in clear text. Anyone who
can capture the traffic between you and the router, on a shared segment
or from a man-in-the-middle position, gets the password directly and can
log in as you. Instead, incorporate encryption into your design (SSH in
place of Telnet, SNMPv3 with authentication and privacy, IPSec for
management traffic) so that if the attacker does capture your data, they
cannot read it or use it against you.
-
Another reason for including
encryption in your design is that VPN (the transport of data over a
public medium) uses encryption-based protocols.
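To show exactly what "clear text" means for SNMP, here is an added example (not from the original page) that decodes a hand-built SNMPv1 GetRequest the way a sniffer on the path would: the community string, the requested OID and the operation all fall out of the BER encoding with a few lines of parsing, and nothing in the protocol stops that. The packet bytes are constructed for the example, not a real capture; the parser handles only what the page's point needs (SNMPv1/v2c messages with a community string).

```python
# Constructed SNMPv1 GetRequest for sysName.0 with community "public"
# (hand-encoded BER sample input, not a real capture).
SNMP_GET_REQUEST = bytes.fromhex(
    "30 26"                          # SEQUENCE, 38 bytes follow
    "02 01 00"                       #   INTEGER version = 0 (SNMPv1)
    "04 06 70 75 62 6c 69 63"        #   OCTET STRING community = "public"
    "a0 19"                          #   GetRequest-PDU, 25 bytes
    "02 01 01"                       #     request-id = 1
    "02 01 00"                       #     error-status = 0
    "02 01 00"                       #     error-index = 0
    "30 0e"                          #     VarBindList
    "30 0c"                          #       VarBind
    "06 08 2b 06 01 02 01 01 05 00"  #         OID 1.3.6.1.2.1.1.5.0 (sysName.0)
    "05 00"                          #         NULL (no value in a request)
)

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


def ber_tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """Decode a BER OBJECT IDENTIFIER body into dotted form."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # last byte of this sub-identifier
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def parse_snmp(packet: bytes) -> dict:
    """Pull version, community string, PDU type and OIDs out of an SNMPv1/v2c message."""
    tag, msg, _ = ber_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, p = ber_tlv(msg, 0)
    _, community, p = ber_tlv(msg, p)      # the "password", sent in the clear
    pdu_tag, pdu, _ = ber_tlv(msg, p)
    q = 0
    for _ in range(3):                       # request-id, error-status, error-index
        _, _, q = ber_tlv(pdu, q)
    _, varbinds, _ = ber_tlv(pdu, q)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = ber_tlv(varbinds, q)
        _, oid, _ = ber_tlv(vb, 0)
        oids.append(decode_oid(oid))
    return {
        "version": {0: "SNMPv1", 1: "SNMPv2c"}.get(int.from_bytes(version, "big"), "other"),
        "community": community.decode("ascii", "replace"),
        "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
        "oids": oids,
    }


if __name__ == "__main__":
    print(parse_snmp(SNMP_GET_REQUEST))
```

A SetRequest carrying a read-write community is the same picture, which is why a captured community string is as good as a router password; SNMPv3 with authentication and privacy, or IPSec around the management traffic, is the design answer the paragraph above calls for.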
PIX Firewall Products
Cisco Secure PIX Firewall Overview, Firewalls
Overview
Note: Be familiar with the
PIX product and how to leverage it into your designs.
Last Tips for Advanced Design
Please visit and use Cisco’s
site, paying particular attention to the following links. Good Luck!
External Security with NT
-
This Document deals with NT-based
products external security design.
-
This excellent document will help
you get a feel for how to implement servers into your design when
dealing with Bastion hosts, the DMZ, and many other factors that you
SHOULD incorporate into your design.
-
You are expected to be familiar with
this technology when you implement and plan an advanced design for your
clients.