Post on 30-Oct-2014
CHAPTER-1
ORGANIZATION PROFILE
1.1 Introduction
Centre for Electronic Governance (CEG) is an autonomous body of the Government of
Rajasthan under the Department of Technical Education. The foundation stone of CEG was
laid on 8th December 2006 at Khaitan Polytechnic College, Jaipur. Rajasthan is the
second state to run this programme, after the highly acclaimed and successful
“Jawahar Knowledge Centre” programme in Andhra Pradesh.
CEG has been established with the sole aim of providing a conducive environment for
creating industry-employable IT professionals by arranging seminars, lectures,
vocational training and industry-relevant software training. At the same time it provides
a ready-made platform for interaction between industry and the trained workforce.
Rajasthan is considered one of the most peaceful and law-abiding states, with a high
growth rate. The state is developing in all fields in general and in technical higher education
in particular. In the last decade alone, more than 50 higher technical education institutes in the
field of engineering have started operating.
1.2 Features
To promote interaction between the Government, Technical Institutes and the
Industries.
To provide conducive environment for learning by doing in colleges.
To promote the dissemination of knowledge fostering the innovative thoughts of
the Students.
To empower students living in the rural areas so as to bridge the urban - Rural
gap.
To organize seminars and lectures of eminent professionals and scientists.
To produce readily employable graduates by imparting industry grade skills.
To produce industry ready IT professionals.
To help in updating the Curriculum as per the needs of the Industries.
To perform such other functions and to carry out such other duties as the society
may deem proper or as may be assigned to it by the State Government from time
to time.
1.3 Aims and Objectives
Campus Placement Mission (CPM)
Campus Placement Related Skills (CPRS)
Graduate Placement Mission (GPM)
Training for Students
Training for Faculty
1.4 Collaborating Partners of CEG
CISCO
Career Net Consulting
V Combined CAD Technology
Sun Microsystems India Pvt Ltd
NIIT
GENPACT BPO, Jaipur
QAInfoTech Delhi
Oracle India Pvt. Ltd
Red Hat India Pvt. Ltd
1.5 Future Plans
Enhance training for the economically weaker sections (SC/ST/OBC).
Sign more MoUs with industries and organizations.
Enhance placement activity.
Provide academic support to various other institutions.
Establish more KDCs.
Run faculty training programmes on cutting-edge technologies.
The number of KDCs after five years will be increased from 17 to 30.
The placement of students in companies will reach 100%.
The intake capacity at each KDC will be increased from 50 to 100.
Establish various industry certification examination testing centres.
The Mentors at the KDCs will be trained in new technologies in Industries.
The training of the students can be arranged in various companies and industries,
apart from CEG.
Large number of e-governance projects can be carried out at CEG and KDC as
well.
1.6 ORGANIZATION STRUCTURE
Marching with a vision to excel, CEG, Jaipur took an initiative and signed an MoU with
Cisco Systems Inc., USA. CEG, which since its inception has been catering to the needs of
industry by and large, took a step ahead in continuation of the MoU and started a Regional
Academy to promote networking-related training programmes at the CEG centre.
The main objective of this MoU is to groom networking professionals in tune with
industry and academic perspectives.
Cisco Systems Inc. USA is a worldwide leader in networking for the Internet and is
committed to working with educational institutions around the globe to ensure that
today’s students master the necessary skills for success in the Internet driven global
context.
Launched in October 1997 with 64 educational institutions in seven states, the
Networking Academy has spread to more than 150 countries. Since its inception, over 1.6
Million students have enrolled at more than 10,000 Academies located in high schools,
technical schools, colleges, universities, and community-based organizations.
Interested educational institutions are given the designation of Networking Academy at
the level of training that they will be providing in the program. There are currently three
possible tiers of training. Industry experts at Cisco Systems train the Instructor Trainers at
the Cisco Academy Training Centers (CATCs), the CATC Instructors train Regional
Academy Instructors and the Regional Academy Instructors train the Local Academy
Instructors who then educate students. Utilizing this three-tier training model helps to
provide instructors the training they need in close proximity to where they are located.
Educational institutions may play a role at one or more of these training levels.
Cisco's partners from business, government and community organizations form an
ecosystem to deliver the range of services and support needed to grow tomorrow's global
workforce. Initially created to prepare students for the Cisco Certified Network Associate
(CCNA) and Cisco Certified Network Professional (CCNP) certifications, the Academy
curriculum has expanded with ecosystem-partner sponsored courses. Optional courses
include: IT Essentials: PC Hardware and Software and IT Essentials: Network Operating
Systems; and Panduit Network Infrastructure Essentials sponsored by Panduit
Corporation.
The Internet enables anytime, anywhere learning for all students, regardless of location,
socio-economic status, gender, or race. With the United Nations Development Program,
the United States Agency for International Development, and the International
Telecommunication Union, Cisco has made the Academy program available to students
in Least Developed Countries to help them build their country's economies.
The Networking Academy program continually raises the bar on e-learning and
educational processes. Through community feedback and electronic assessment, the
Academy program adapts curriculum to improve outcomes and student achievement. The
Academy infrastructure is designed to deliver a rich, interactive, and personalized
curriculum to students around the world. The Internet has the power to change the way
people learn, work, and play, and the Cisco Networking Academy Program is in the
forefront of this transformation.
REGIONAL ACADEMY at CEG is a strong initiative by Government of Rajasthan
and Cisco Networking Academy to bring wide awareness and training of valuable
Networking Technology skills, opportunities, cutting edge and upcoming trends in the
Networking Domain. Through the following curricula, the above efforts will be met:
* Cisco Certified Network Associate (CCNA) Discovery – Foundational networking
knowledge and practical experience.
* Cisco Certified Network Associate (CCNA) Exploration – Comprehensive overview
of networking from fundamentals to advanced applications and services.
* IT Essentials: PC Hardware and Software ( Hindi/English)
* CCNP and CCNA Security
CHAPTER-2
PROJECT DESCRIPTION
2.1 INTRODUCTION
Computer networks have grown in both size and importance in a very short time. If the
security of the network is compromised, there could be serious consequences, such as
loss of privacy, theft of information, and even legal liability. To make the situation even
more challenging, the types of potential threats to network security are always evolving.
As e-business and Internet applications continue to grow, finding the balance between
being isolated and open is critical. In addition, the rise of mobile commerce and wireless
networks demands that security solutions become seamlessly integrated, more transparent,
and more flexible.
2.2 EXISTING SYSTEM
The current system has many deficiencies and is inefficient. It does not provide facilities
for proper monitoring. Good monitoring mechanisms are the basis of successful
development programs and schemes.
The student block is presently not connected to the network, so its students do not get
internet facilities. The library is facing the same problem. A database of the
library should be maintained so that students get the appropriate information about books.
Classroom computers should also have e-books to help students.
2.3 PROBLEM DEFINITION
Deficiencies with current System
Insider abuse of network access
Virus
Mobile device theft
Phishing where an organization is fraudulently represented as the sender
Instant messaging misuse
Denial of service
Unauthorized access to information
Bots within the organization
Theft of employee data
Abuse of wireless network
System penetration
Financial fraud
Password sniffing
Key logging
Website defacement
As security measures have improved over the years, some of the most common types of
attacks have diminished in frequency, while new ones have emerged. Conceiving of
network security solutions begins with an appreciation of the complete scope of computer
crime.
When an enterprise grows to include branch offices, e-commerce services, or global
operations, a single LAN network is no longer sufficient to meet its business
requirements. Wide area network (WAN) access has become essential for larger
businesses today.
There are a variety of WAN technologies to meet the different needs of businesses and
many ways to scale the network. Adding WAN access introduces other considerations,
such as network security and address management. Consequently, designing a WAN and
choosing the correct carrier network services is not a simple matter.
2.4 PROPOSED SYSTEM
2.4.1 AIM:-Developing a Security Policy
The first step any organization should take to protect its data and itself from a liability
challenge is to develop a security policy. A policy is a set of principles that guide
decision-making processes and enable leaders in an organization to distribute authority
confidently. RFC 2196 states that a "security policy is a formal statement of the rules by
which people who are given access to an organization's technology and information
assets must abide." A security policy can be as simple as a brief Acceptable Use Policy
for network resources, or it can be several hundred pages long and detail every element of
connectivity and associated policies.
A security policy meets these goals:
Informs users, staff, and managers of their obligatory requirements for protecting
technology and information assets
Specifies the mechanisms through which these requirements can be met
Provides a baseline from which to acquire, configure, and audit computer systems
and networks for compliance with the policy
Assembling a security policy can be daunting if it is undertaken without guidance. For
this reason, the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) have published a security standard document called
ISO/IEC 27002. This document refers specifically to information technology and outlines
a code of practice for information security management.
ISO/IEC 27002 is intended to be a common basis and practical guideline for developing
organizational security standards and effective security management practices. The
document consists of 12 sections:
Risk assessment
Security policy
Organization of information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development, and maintenance
Information security incident management
Business continuity management
Compliance
2.4.2 Common Security Appliances and Applications
Security is a top consideration whenever planning a network. In the past, the one device
that would come to mind for network security was the firewall. A firewall by itself is no
longer adequate for securing a network. An integrated approach involving firewall,
intrusion prevention, and VPN is necessary.
An integrated approach to security, and the necessary devices to make it happen, follows
these building blocks:
2.4.2.1 Threat control- Regulates network access, isolates infected systems, prevents
intrusions, and protects assets by counteracting malicious traffic, such as worms and
viruses. Devices that provide threat control solutions are:
Cisco ASA 5500 Series Adaptive Security Appliances
Integrated Services Routers (ISR)
Network Admission Control
Cisco Security Agent for Desktops
Cisco Intrusion Prevention Systems
2.4.2.2 Secure communications-Secures network endpoints with VPN. The
devices that allow an organization to deploy VPN are Cisco ISR routers with the Cisco IOS
VPN solution, the Cisco ASA 5500 and Cisco Catalyst 6500 switches.
2.4.2.3 Network admission control (NAC)-Provides a role-based method of
preventing unauthorized access to a network. Cisco offers a NAC appliance.
2.4.2.4 Cisco IOS Software on Cisco Integrated Services Routers (ISRs)
Cisco provides many of the required security measures for customers within the Cisco
IOS software. Cisco IOS software provides built-in Cisco IOS Firewall, IPsec, SSL VPN,
and IPS services.
2.4.2.5 Cisco ASA 5500 Series Adaptive Security Appliance
At one time, the PIX firewall was the one device that a secure network would deploy.
The PIX has evolved into a platform that integrates many different security features,
called the Cisco Adaptive Security Appliance (ASA). The Cisco ASA integrates firewall,
voice security, SSL and IPsec VPN, IPS, and content security services in one device.
2.4.2.6 Cisco IPS 4200 Series Sensors
For larger networks, an inline intrusion prevention system is provided by the Cisco IPS
4200 series sensors. This sensor identifies, classifies, and stops malicious traffic on the
network.
2.4.2.7 Cisco NAC Appliance
The Cisco NAC appliance uses the network infrastructure to enforce security policy
compliance on all devices seeking to access network computing resources.
2.4.2.8 Cisco Security Agent (CSA)
Cisco Security Agent software provides threat protection capabilities for server, desktop,
and point-of-service (POS) computing systems. CSA defends these systems against
targeted attacks, spyware, rootkits, and zero-day attacks.
To assist with the compliance of a security policy, the Security Wheel, a continuous
process, has proven to be an effective approach. The Security Wheel promotes retesting
and reapplying updated security measures on a continuous basis.
To begin the Security Wheel process, first develop a security policy that enables the
application of security measures. A security policy includes the following:
Identifies the security objectives of the organization.
Documents the resources to be protected.
Identifies the network infrastructure with current maps and inventories.
Identifies the critical resources that need to be protected, such as research and
development, finance, and human resources. This is called a risk analysis.
2.5 OBJECTIVE
The security policy is the hub upon which the four steps of the Security Wheel are based.
The steps are secure, monitor, test, and improve.
Step 1: Secure
Secure the network by applying the security policy and implementing the following
security solutions:
Threat defense
Stateful inspection and packet filtering-Filter network traffic to allow only valid
traffic and services.
Intrusion prevention systems-Deploy at the network and host level to actively
stop malicious traffic.
Vulnerability patching-Apply fixes or measures to stop the exploitation of known
vulnerabilities.
Disable unnecessary services-The fewer services that are enabled, the harder it is
for attackers to gain access.
Step 2: Monitor
Monitoring security involves both active and passive methods of detecting security
violations. The most commonly used active method is to audit host-level log files. Most
operating systems include auditing functionality. System administrators must enable the
audit system for every host on the network and take the time to check and interpret the
log file entries.
Passive methods include using IDS devices to automatically detect intrusion. This
method requires less attention from network security administrators than active methods.
These systems can detect security violations in real time and can be configured to
automatically respond before an intruder does any damage.
An added benefit of network monitoring is the verification that the security measures
implemented in step 1 of the Security Wheel have been configured and are working
properly.
Step 3: Test
In the testing phase of the Security Wheel, the security measures are proactively tested.
Specifically, the functionality of the security solutions implemented in step 1 and the
system auditing and intrusion detection methods implemented in step 2 are verified.
Vulnerability assessment tools such as SATAN, Nessus, or Nmap are useful for
periodically testing the network security measures at the network and host level.
Step 4: Improve
The improvement phase of the Security Wheel involves analyzing the data collected
during the monitoring and testing phases. This analysis contributes to developing and
implementing improvement mechanisms that augment the security policy and results in
adding items to step 1. To keep a network as secure as possible, the cycle of the Security
Wheel must be continually repeated, because new network vulnerabilities and risks are
emerging every day.
With the information collected from the monitoring and testing phases, IDSs can be used
to implement improvements to the security. The security policy should be adjusted as
new security vulnerabilities and risks are discovered.
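The monitor step above says to enable auditing on every host and to check and interpret the log entries. The following Python script is an added example, not part of the original report or of Cisco's curriculum, that does that review for the smallest useful case: it parses Cisco IOS access-list log messages (%SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGDP, which IOS produces when an ACL entry carries the log keyword) and Linux sshd login failures, totals denied packets per source, and raises one alert when a source exceeds a threshold inside a sliding one-minute window. The router name edge-rtr, the ACL name EDGE-IN, the host lib-srv and every log line are constructed for the example.

```python
"""Security Wheel, step 2 (monitor): parse Cisco IOS access-list log messages
and a host's sshd failures, then flag sources that exceed a threshold in a window.
Added example; every log line below is constructed, not captured from a real network."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog lines with ISO timestamps (as rsyslog/syslog-ng can write them).
# Assumed router hostname "edge-rtr", ACL name "EDGE-IN" and host "lib-srv".
SAMPLE_LOG = """\
2014-10-30T10:00:01 edge-rtr %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 203.0.113.9(40112) -> 192.168.10.5(23), 1 packet
2014-10-30T10:00:03 edge-rtr %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 203.0.113.9(40113) -> 192.168.10.5(22), 1 packet
2014-10-30T10:00:05 edge-rtr %SEC-6-IPACCESSLOGP: list EDGE-IN permitted tcp 198.51.100.7(51000) -> 192.168.10.5(80), 1 packet
2014-10-30T10:00:06 edge-rtr %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 203.0.113.9(40114) -> 192.168.10.6(23), 1 packet
2014-10-30T10:00:09 edge-rtr %SEC-6-IPACCESSLOGDP: list EDGE-IN denied icmp 203.0.113.9 -> 192.168.10.7 (8/0), 3 packets
2014-10-30T10:00:10 edge-rtr %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 203.0.113.9(40115) -> 192.168.10.8(23), 1 packet
2014-10-30T10:05:00 lib-srv sshd[2210]: Failed password for root from 203.0.113.9 port 5555 ssh2
2014-10-30T10:05:02 lib-srv sshd[2210]: Failed password for root from 203.0.113.9 port 5556 ssh2
2014-10-30T10:30:00 edge-rtr %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 198.51.100.7(51001) -> 192.168.10.5(23), 1 packet
"""

# IOS writes IPACCESSLOGP for TCP/UDP (ports in parentheses) and IPACCESSLOGDP for
# ICMP (type/code after the destination); one pattern covers both shapes.
ACL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?.*?, (?P<count>\d+) packets?$")
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+")


def parse(log_text):
    """Return (events, unparsed). Each event is (timestamp, source IP, kind, detail, count),
    sorted by time. Unmatched lines are counted so gaps in coverage are visible."""
    events, unparsed = [], 0
    for line in log_text.splitlines():
        m = ACL_RE.match(line)
        if m:
            if m["action"] == "denied":  # permits are normal traffic, not violations
                detail = f"{m['acl']} {m['proto']} -> {m['dst']}:{m['dport'] or '-'}"
                events.append((datetime.fromisoformat(m["ts"]), m["src"], "acl-deny",
                               detail, int(m["count"])))
            continue
        m = SSH_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], "ssh-fail",
                           f"user {m['user']} on {m['host']}", 1))
            continue
        unparsed += 1
    events.sort(key=lambda e: e[0])
    return events, unparsed


def summarize(events):
    """Denied packets and failed logins per (source, kind): the daily audit-log review."""
    totals = defaultdict(int)
    for _, src, kind, _, count in events:
        totals[(src, kind)] += count
    return dict(totals)


def find_repeat_offenders(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding window per source: the first time `threshold` denied packets or
    failed logins from one source fall inside `window`, record (when, how many).
    One alert per source keeps a scanning host from flooding the operator."""
    recent = defaultdict(deque)   # source -> deque of (timestamp, count)
    alerts = {}
    for ts, src, _, _, count in events:
        q = recent[src]
        q.append((ts, count))
        while q and ts - q[0][0] > window:
            q.popleft()
        total = sum(c for _, c in q)
        if total >= threshold and src not in alerts:
            alerts[src] = (ts, total)
    return alerts


if __name__ == "__main__":
    events, unparsed = parse(SAMPLE_LOG)
    print(f"{len(events)} violations parsed, {unparsed} lines not understood")
    for key, n in sorted(summarize(events).items()):
        print(f"  {key[0]:<15} {key[1]:<9} {n}")
    for src, (when, total) in find_repeat_offenders(events).items():
        print(f"ALERT {src}: {total} denied packets/failed logins within a minute, at {when}")
```

Run as a script it prints the per-source summary and one alert for 203.0.113.9; with threshold=20 the same data produces no alert, which is the knob the Improve step adjusts when the first value proves too noisy. Nothing here replaces an IDS, but a deny that appears in the log is also the evidence the text mentions for step 1: the ACL is applied and working.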
CHAPTER-3
SYSTEM REQUIREMENTS & SPECIFICATIONS
3.1 SELECTING HARDWARE PRODUCTS
We can use the Cisco three-layer model to determine what type of product to buy for our
internetwork. By understanding the services required at each layer and the functions the
internetworking devices perform, we can match Cisco products to our academic
requirements. To select the correct Cisco products for our network, start by gathering
information about where devices need to operate in the internetworking hierarchy, and then
consider issues like ease of installation, port-capacity requirements and other features.
If we have remote offices or other WAN needs, we first need to find out what type of
service is available. It won’t do us any good to design a large Frame Relay network only
to discover that Frame Relay is supported in only half the locations we need. After we
research the different options available through our service provider, we can choose the
Cisco product that fits our requirements.
We have a few options, typically: dial-up asynchronous connections, leased lines up to
1.544Mbps, Frame Relay, and ISDN, which are the most popular WAN technologies.
However, xDSL is the new front-runner to take over as the fastest, most reliable, cheapest
WAN technology. We need to consider our usage before buying and implementing a
technology. For example, if our users at a remote branch are connected to the office more
than three to four hours a day, then we need either Frame Relay or a leased line. If they
connect infrequently, then we might get away with ISDN or dial-up connectivity.
A) Hubs
Before we buy any hub, we need to know which users can use a shared 10Mbps or shared
100Mbps network. The lower-end hub models Cisco offers support only
10Mbps, while the middle-of-the-road ones offer both 10- and 100Mbps auto-sensing ports.
The higher-end hubs offer a network-management port and console connections. If we are
going to spend enough to buy a high-end hub, we should consider just buying a switch.
The following are the different hub products Cisco offers:
Cisco 1500 Micro Hub
Cisco 1528 Micro Hub 10/100
Cisco FastHub100
Cisco FastHub200
Cisco FastHub300
Cisco FastHub400
Any of these hubs can be stacked together to give us more port density. These are the
selection issues we need to know:
Business requirements for 10- or 100Mbps
Port density
Management
Ease of operation
B) Routers
A key criterion when selecting router products is knowing what feature sets we need to
meet our requirements. For example, do we need IP, Frame Relay, and VPN support?
How about IPX, AppleTalk, and DECnet?
The other features we need to think about when considering different
product-selection criteria are port density and interface speeds. As we get
into the higher-end models, we see more ports and faster speeds. For example, the
12000 series Gigabit Switch Router (GSR) is Cisco’s first gigabit-class routing platform and
has enormous capability and functionality.
Fig 2.1 BOOTING OF ROUTER
Cisco 700/800 series
Cisco 1600/1700 series
Cisco 2500 series
Cisco 2600 series
Cisco 3600 series
Cisco 4000 series
Cisco 7000 series
Cisco 12000 GSR series
AS 5000 series
We can tell how much a product is going to cost by looking at the model number. A
stripped-down 12000 series switch with no cards or power supplies starts at about
$12,000. The price can end up at well over $100,000 for a loaded system.
The Cisco 800 series router has mostly replaced the Cisco 700 series because the 700
series does not run the Cisco IOS. In fact, I hope Cisco will soon stop selling the 700
series routers altogether. They are difficult to configure and maintain.
The main selections involved in choosing Cisco routers are listed below:
Scale of routing features needed
Port density and variety requirements
Capacity and performance
Common user interface
Table 2.1 Comparison between Hub, Bridge, Switch & Router

Feature                                 | Hub                  | Bridge             | Switch                                        | Router
----------------------------------------|----------------------|--------------------|-----------------------------------------------|------------------------
Number of broadcast domains             | 1                    | 1                  | 1                                             | 1 per router interface
Number of collision domains             | 1                    | 1 per bridge port  | 1 per switch port                             | 1 per router interface
Forwards LAN broadcasts?                | Yes (repeats all)    | Yes                | Yes                                           | No
Forwards LAN multicasts?                | Yes (repeats all)    | Yes                | Yes; can be optimized for less forwarding     | No
OSI layer used for forwarding decision  | N/A (Layer 1)        | Layer 2            | Layer 2                                       | Layer 3
Internal processing variants            | N/A                  | Store-and-forward  | Store-and-forward, cut-through, FragmentFree  | Store-and-forward
Frame/packet fragmentation allowed?     | N/A                  | No                 | No                                            | Yes
Multiple concurrent equal-cost paths    | N/A                  | No                 | No                                            | Yes
to the same destination allowed?        |                      |                    |                                               |
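Table 2.1 gives the per-device rules; the script below, an added example rather than anything from the original report, applies them to a whole topology so that the consequence of each device choice can be counted. It treats every cable as a segment and merges segments with a union-find wherever they meet at a device that does not separate the domain (hubs for collision domains; hubs, bridges and switches for broadcast domains). The device names, types and links are a constructed topology, not CEG's network. The hub matters for security: on its shared collision domain every station sees every frame, which is what makes the password sniffing listed in section 2.3 trivial, and the script shows how many separate collision domains replacing that hub with a switch buys.

```python
"""Count collision and broadcast domains in a LAN topology according to the
per-device behaviour in Table 2.1. Added example with a constructed topology;
device names and types are assumptions, not equipment at CEG."""
from collections import defaultdict

# Which device types let a domain extend across all of their ports.
# A hub repeats every bit, so its ports share one collision domain; bridges and
# switches end collision domains at each port but still flood broadcasts;
# routers end both (one collision and one broadcast domain per interface).
JOINS_COLLISION = {"hub"}
JOINS_BROADCAST = {"hub", "bridge", "switch"}


def _count_components(devices, links, joining_types):
    """Union-find over cables: two cables are in the same domain when they meet at
    a device whose type is in `joining_types`. Returns the number of domains."""
    parent = list(range(len(links)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    cables_at = defaultdict(list)
    for idx, (a, b) in enumerate(links):
        cables_at[a].append(idx)
        cables_at[b].append(idx)
    for dev, idxs in cables_at.items():
        if devices[dev] in joining_types:
            for other in idxs[1:]:
                parent[find(other)] = find(idxs[0])
    return len({find(i) for i in range(len(links))})


def count_domains(devices, links):
    """devices: {name: 'hub'|'bridge'|'switch'|'router'|'host'};
    links: list of (name, name), one entry per physical cable.
    Returns (collision_domains, broadcast_domains)."""
    for a, b in links:
        for name in (a, b):
            if name not in devices:
                raise KeyError(f"link references unknown device {name!r}")
    return (_count_components(devices, links, JOINS_COLLISION),
            _count_components(devices, links, JOINS_BROADCAST))


# Constructed topology: one router feeding two switches; one switch also has a
# hub hanging off a port (the shared segment a password sniffer would sit on).
DEVICES = {"R1": "router", "SW1": "switch", "SW2": "switch", "HUB1": "hub",
           "PC1": "host", "PC2": "host", "PC3": "host", "PC4": "host",
           "PC5": "host", "SRV": "host"}
LINKS = [("R1", "SW1"), ("R1", "SW2"),
         ("SW1", "PC1"), ("SW1", "PC2"), ("SW1", "HUB1"),
         ("HUB1", "PC3"), ("HUB1", "PC4"),
         ("SW2", "PC5"), ("SW2", "SRV")]


def hub_replaced_by_switch(devices, hub_name):
    """Same topology with one hub swapped for a switch, to see what the upgrade buys."""
    return {**devices, hub_name: "switch"}


if __name__ == "__main__":
    print("as built (collision, broadcast):", count_domains(DEVICES, LINKS))
    print("HUB1 replaced by a switch:",
          count_domains(hub_replaced_by_switch(DEVICES, "HUB1"), LINKS))
```

For the constructed topology the script reports 7 collision domains and 2 broadcast domains as built (the three cables at HUB1 collapse into one shared segment), and 9 collision domains once the hub is a switch; the broadcast-domain count stays at 2 because only the router's two interfaces separate broadcast domains.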
C) Switches
It seems like switch prices are dropping almost daily. About four years ago a 12-port
10/100 switch card for the Catalyst 5000 series switch was about $15,000. Now we can
buy a complete Catalyst 5000 with a 10/100 card and supervisor module for about $7500
or so. My point is that with switch prices becoming reasonable, it is now easier to install
switches in our network.
We must consider whether we need 10/100 or 1000Mbps for each desktop or to connect
between switches. ATM (asynchronous transfer mode) is also a consideration; however,
with Gigabit Ethernet out and 10Gbps links just around the corner, who needs ATM? The
next criterion to consider is port density. The lower-end models start at 12 ports, and
the higher-end models can provide hundreds of switched ports per switch.
3.2 Different switches available
Cisco 1548 Micro Switch 10/100
Catalyst 1900/2820 series
Catalyst 2900 series XL
Catalyst 2900 series
Catalyst 3000 series
Catalyst 8500 series
Catalyst 5000 series
The selection issues we need to know when choosing a Cisco switch are
listed below:
Business requirements for 10, 100 or even 1000Mbps
Need for trunking and interswitch links
Workgroup segmentation (VLANs)
Port density needs
Different user interfaces
3.3 Assembling and Cabling Devices
To understand the types of cabling used to assemble and cable Cisco devices, we need to
understand the LAN Physical layer implementation of Ethernet.
Ethernet is a media access method that is specified at the Data Link layer and uses
specific Physical layer cabling and signaling techniques. It is important to be able to
differentiate between the types of connectors that can be used to connect an Ethernet
network together. I’ll discuss the different unshielded twisted-pair cabling used today in
an Ethernet LAN.
3.3.1 Cabling the Ethernet Local Area Network
Ethernet was first implemented by a group called DIX (Digital, Intel, and Xerox). They
created and implemented the first Ethernet LAN specification, which the IEEE used to
create the IEEE 802.3 committee. This was a 10Mbps network that ran on coax, twisted-pair,
and fiber physical media. The IEEE extended the 802.3 committee to two new
committees known as 802.3u (Fast Ethernet) and 802.3z/802.3ab (Gigabit Ethernet). Between
them these are specified on twisted-pair and fiber physical media.
When designing our LAN, it is important to understand the different types of Ethernet
media available. It would certainly be great to run Gigabit Ethernet to each desktop and
10Gbps between switches. By mixing and matching the different types of Ethernet media
methods today, we can create a cost-effective network that works great.
The following bullet points provide a general understanding of where we can use the
different Ethernet media in your hierarchical network:
Use 10Mbps switches at the access layer to provide good performance
at a low price. 100Mbps links can be used for high-bandwidth–
consuming clients or servers. No servers should be at 10Mbps if
possible.
Use Fast Ethernet between access layer and distribution layer switches.10Mbps
links would create a bottleneck.
Use Fast Ethernet (or Gigabit if applicable) between distribution layer switches
and the core. Also, we should be implementing the fastest media we can afford
between the core switches. Dual links between distribution and core switches are
recommended for redundancy and load balancing.
3.3.2 Ethernet Media and Connector Requirements
It’s important to understand the difference between the media access speeds Ethernet
provides. However, it’s also important to understand the connector requirements for each
implementation before making any decision. The EIA/TIA (Electronic Industries
Association and the newer Telecommunications Industry Association) is the standards
body that creates the Physical layer cabling specifications used by Ethernet. The EIA/TIA
specifies that twisted-pair Ethernet use an eight-position registered jack (RJ-45) connector
on unshielded twisted-pair (UTP) cabling. The following bullet points
outline the different Ethernet media requirements:
10Base2 50-ohm coax, called thinnet. Up to 185 meters and 30 hosts
per segment. Uses a physical and logical bus with BNC connectors.
10Base5 50-ohm coax called thicknet. Up to 500 meters and 100 hosts
per segment. Uses a physical and logical bus with AUI connectors. Up to 2500
meters with repeaters and 1024 hosts for all segments.
10BaseT EIA/TIA category 3, 4, or 5, using two-pair unshielded
twisted-pair (UTP) wiring. One user per segment; up to 100 meters
long. Uses an RJ-45 connector with a physical star topology and a logical bus.
100BaseTX EIA/TIA category 5 (or better) UTP two-pair wiring. One user per
segment; up to 100 meters long. Uses an RJ-45 connector with a physical star
topology and a logical bus.
100BaseFX Uses 62.5/125-micron multimode fiber. Point-to-point
topology up to 400 meters long (2 km in full duplex). Uses an ST or SC connector, which
are duplex media-interface connectors.
1000BaseCX Copper shielded twisted-pair that can only run up to 25 meters.
1000BaseT Category 5 (or better), four-pair UTP wiring up to 100 meters long.
1000BaseSX MMF using 62.5- or 50-micron core; uses an 850-nanometer short-wavelength
laser and can go from 220 to 550 meters depending on the fiber’s modal bandwidth.
1000BaseLX Single-mode fiber with a 9-micron core and a 1300-nanometer laser; up to
5 km by the IEEE specification, and up to 10 km with many vendor implementations.
100VG-AnyLAN is a twisted-pair technology that was the first 100Mbps LAN.
However, since it was incompatible with Ethernet signaling techniques (it used a polling
media access method), it was not typically used and is essentially dead.
3.3.3 UTP Connections (RJ-45)
The RJ-45 connector is clear so we can see the eight colored wires that connect to the
connector’s pins. These wires are twisted into four pairs. Each pair consists of a tip wire
and a ring wire, the two conductors of one balanced circuit; in 10BaseT and 100BaseTX only
two of the four pairs (pins 1-2 and 3-6) carry signal, while 1000BaseT uses all four. The
RJ-45 connector is crimped onto the end of the wire, and with the clip facing away from you
and the contacts facing up, the pins are numbered 1 to 8 from left to right.
The UTP cable has twisted wires inside that reduce crosstalk. Unshielded cable can be
used since the digital signal’s protection comes from the twists in the wire. The more twists
per inch, the farther the digital signal can travel without interference. For
example, categories 5 and 6 have many more twists per inch than category 3 UTP does.
Different types of wiring are used when building internetworks. We will
need to use either a straight-through or crossover cable.
3.3.4 Straight-Through
In a UTP implementation of a straight-through cable, the wires on both cable
ends are in the same order.
We can determine that the wiring is a straight-through cable by holding both ends of the
UTP cable side by side and seeing that the order of the wires on both ends is identical.
We can use a straight-through cable for the following tasks:
Connecting a router to a hub or switch
Connecting a server to a hub or switch
Connecting workstations to a hub or switch
3.3.5 Crossover
In the implementation of a crossover cable, the wires on each end of the cable are crossed:
transmit to receive and receive to transmit on each side, for both tip and ring.
Pin 1 on one side connects to pin 3 on the other side, and pin 2 connects to pin 6 on the
opposite end.
We can use a crossover cable for the following tasks:
Connecting uplinks between switches
Connecting hubs to switches
Connecting a hub to another hub
Connecting a router interface to another router interface
Connecting two PCs together without a hub or switch
When trying to determine the type of cable needed for a port, look at the port and see if it
is marked with an “X.” Use a straight-through cable when only one port is designated
with an “X.” Use a crossover when both ports are designated with an “X” or when neither
port has an “X.”
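The cabling checks in 3.3.4 and 3.3.5 (compare the wire order at both ends; pin 1 crosses to 3 and 2 to 6; use the port's X marking) can be written down as a small classifier. The Python below is an added example, not from the original report; it assumes the standard EIA/TIA-568 colour orders (an A-wired end plus a B-wired end is the usual way a crossover cable is made) and also recognizes a gigabit crossover (all four pairs swapped) and a rollover console cable, so that a cable which is none of these is reported as miswired rather than guessed at. That last case is the one that matters when a console cable is mistaken for a LAN cable.

```python
"""Classify a UTP cable from the colour order of the eight wires seen through the
RJ-45 plug at each end, and pick the cable type from the port markings.
Added example; the colour orders are the EIA/TIA-568 A and B sequences."""

# Pin 1..8 colour sequence of the two EIA/TIA-568 wiring schemes.
T568A = ("white-green", "green", "white-orange", "blue",
         "white-blue", "orange", "white-brown", "brown")
T568B = ("white-orange", "orange", "white-green", "blue",
         "white-blue", "green", "white-brown", "brown")

IDENTITY = {p: p for p in range(1, 9)}
# 10/100 Mbps: only the 1-2 (Tx) and 3-6 (Rx) pairs are swapped.
CROSSOVER = {**IDENTITY, 1: 3, 2: 6, 3: 1, 6: 2}
# 1000BaseT uses all four pairs, so a gigabit crossover also swaps 4-5 with 7-8.
GIGABIT_CROSSOVER = {**CROSSOVER, 4: 7, 5: 8, 7: 4, 8: 5}
# Console (rollover) cable: pin order fully reversed; never an Ethernet cable.
ROLLOVER = {p: 9 - p for p in range(1, 9)}


def pin_map(end_a, end_b):
    """Map each pin on end A to the pin on end B carrying the same wire colour."""
    if len(end_a) != 8 or sorted(end_a) != sorted(end_b):
        raise ValueError("each end must show the same eight wire colours")
    return {pin: end_b.index(colour) + 1 for pin, colour in enumerate(end_a, start=1)}


def classify(end_a, end_b):
    """'straight-through', 'crossover', 'gigabit-crossover', 'rollover' or 'miswired'."""
    mapping = pin_map(end_a, end_b)
    for name, expected in (("straight-through", IDENTITY), ("crossover", CROSSOVER),
                           ("gigabit-crossover", GIGABIT_CROSSOVER), ("rollover", ROLLOVER)):
        if mapping == expected:
            return name
    return "miswired"


def cable_for_ports(port_a_marked_x, port_b_marked_x):
    """Port-marking rule from the text: straight-through when exactly one port is
    marked with an X (MDI-X), crossover when both or neither are."""
    return "straight-through" if port_a_marked_x != port_b_marked_x else "crossover"


if __name__ == "__main__":
    print(classify(T568B, T568B))                     # both ends wired B
    print(classify(T568A, T568B))                     # one end A, one end B
    print(classify(T568B, tuple(reversed(T568B))))    # console cable
    split = list(T568B)
    split[3], split[4] = split[4], split[3]           # blue pair split at one end
    print(classify(T568B, tuple(split)))
    print(cable_for_ports(True, False), cable_for_ports(False, False))
```

Wired B at both ends the cable is straight-through; A at one end and B at the other is the 1-3/2-6 crossover of 3.3.5; reversing the order gives the rollover console cable; swapping just the blue pair at one end is reported as miswired, which is what a cable tester would also flag.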
3.3.6 Cabling the Wide Area Network
To connect our wide area network (WAN), we need to understand the WAN Physical
layer implementation provided by Cisco as well as the different WAN serial connectors.
Cisco serial connections support almost any type of WAN service. The typical WAN
connections are dedicated leased lines using High-Level Data Link Control (HDLC),
Point-to-Point Protocol (PPP), Integrated Services Digital Network (ISDN), and Frame
Relay. Typical speeds are anywhere from 2400bps to 1.544Mbps (T1). HDLC, PPP, and
Frame Relay can use the same Physical layer specifications, but ISDN has different
pinouts and specifications at the Physical layer.
3.3.7 Serial Transmission
WAN serial connectors use serial transmission, which is one bit at a time, over a single
channel. Parallel transmission can pass at least 8 bits at a time. All WANs use serial
transmission.
Cisco routers use a proprietary 60-pin serial connector, which we must buy from Cisco or
a provider of Cisco equipment. The type of connector we have on the other end of the
cable depends on our service provider or end-device requirements. The different ends
available are EIA/TIA-232, EIA/TIA-449, V.35 (used to connect to a CSU/DSU), X.21
(used in X.25), and EIA-530.
Serial links are described in frequency or cycles-per-second (hertz). The amount of data
that can be carried within these frequencies is called bandwidth. Bandwidth is the amount
of data in bits-per-second that the serial channel can carry.
3.3.8 Data Terminal Equipment and Data Communication Equipment
Router interfaces are, by default, Data Terminal Equipment (DTE) and connect into Data
Communication Equipment (DCE), for example, a Channel Service Unit/Data Service
Unit (CSU/DSU). The CSU/DSU then plugs into a demarcation location (demarc) and is
the service provider’s last responsibility.
Typically, the demarc is a jack that has an RJ-45 female connector located close to our
equipment. If we report a problem to our service provider, they’ll always tell us it tests
fine up to the demarc and that the problem must be the CPE, or Customer Premises
Equipment, which is our responsibility.
The idea behind a WAN is to be able to connect two DTE networks together through a
DCE network. The DCE network includes the CSU/DSU, through the provider’s wiring
and switches, all the way to the CSU/DSU at the other end. The network’s DCE device
provides clocking to the DTE connected interface (the router’s serial interface).
3.3.9 Fixed and Modular Interfaces
The fixed routers, such as the 2500 series, have set interfaces that can't be changed. The
2501 router has two serial connections and one 10BaseT AUI interface. However, the
1600, 1700, 2600, 3600, and higher routers have modular interfaces that allow us to buy
what we need now and add almost any type of interface we may need later. The 1600 and
1700 are limited and have both fixed and modular ports, but the 2600 and up provide
many serial, FastEthernet, and even voice-module options.
3.4 Integrated Services Digital Network (ISDN) Connections
Integrated Services Digital Network (ISDN) Basic Rate Interface (BRI) is two B (Bearer)
channels of 64k each and one D (Data) channel of 16k for signaling and clocking.
ISDN BRI routers come with either a U interface or what is known as an S/T interface.
The difference between the two is that the U interface is already a two-wire ISDN
convention that can plug right into the ISDN local loop. The S/T interface is a four-wire
interface and needs a Network Termination type 1 (NT 1) to convert from a four-wire to
the two-wire ISDN specification.
The U interface has a built-in NT 1 device. If our service provider uses an NT 1 device,
then we need to buy a router that has an S/T interface. Most Cisco router BRI interfaces
are marked with a U or an S/T.
Primary Rate Interface (PRI) provides T1 speeds (1.544Mbps) in the U.S. and E1 speeds
(2.048Mbps) in Europe. The ISDN BRI interface uses an RJ-45, category 5, straight-through
cable.
It is important to avoid plugging a console cable or other LAN cable into a BRI interface
on a router, because it will probably ruin the interface.
3.4.1 Console Connections
All Cisco devices are shipped with console cables and connectors, which allow us to
connect to a device and configure, verify, and monitor it. The cable used to connect a PC
to the console port is a rollover cable with RJ-45 connectors.
The pinouts for a rollover cable are as follows:
1–8
2–7
3–6
4–5
5–4
6–3
7–2
8–1
We can see that we just take a straight-through RJ-45 cable, cut the end off, flip it over,
and reattach a new connector.
Typically, we will use the DB9 connector to attach to our PC and use a com port to
communicate via HyperTerminal. Most Cisco devices now support RJ-45 console
connections. However, the Catalyst 5000 series switch still uses a DB25 connector.
Set up the terminal emulation program to run 9600bps, 8 data bits, no parity, 1 stop bit,
and no flow control. On some routers, we need to verify that the terminal emulation
program is emulating a VT100 dumb-terminal mode, not an auto-sense mode, or it won’t
work.
Most routers also have an aux port, which is an auxiliary port used to connect a modem.
We can then dial this modem and reach the router through the aux port. This gives us
console access to a remote router that might be down and that we cannot telnet into.
CHAPTER -4
SYSTEM DESIGNING
4.1 ELEMENTS OF THE NETWORK
Human beings often seek to send and receive a variety of messages using computer
applications; these applications require services to be provided by the network. Some of
these services include the World Wide Web, e-mail, instant messaging, and IP
Telephony. Devices interconnected by a medium to provide services must be governed by
rules, or protocols. Protocols are the rules that the networked devices use to communicate
with each other. The industry standard in networking today is a set of protocols called
TCP/IP (Transmission Control Protocol/Internet Protocol). TCP/IP is used in home and
business networks, as well as being the primary protocol of the Internet. It is the TCP/IP
protocols that specify the formatting, addressing and routing mechanisms that ensure our
messages are delivered to the correct recipient. The elements of networks are connected
by rules to deliver a message.
4.1.1 The Messages
In the first step of its journey from the computer to its destination, our instant message
gets converted into a format that can be transmitted on the network. All types of
messages must be converted to bits, binary coded digital signals, before being sent to
their destinations, no matter what the original message format was: text, video, voice, or
computer data. Once our instant message is converted to bits, it is ready to be sent onto
the network for delivery.
4.1.2 The Devices
There are numerous components that make it possible for our instant message to be
directed across the miles of wires, underground cables, airwaves and satellite stations that
might exist between the source and destination devices. One of the critical components in
any size network is the router. A router joins two or more networks, like a home network
and the Internet, and passes information from one network to another. Routers in a
network work to ensure that the message gets to its destination in the most efficient and
quickest manner.
4.1.3 The Medium
To send an instant message to its destination, the computer must be connected to a wired or
wireless local network. Local networks can be installed in homes or businesses, where
they enable computers and other devices to share information with each other and to use
a common connection to the Internet. Wireless networks allow the use of networked
devices anywhere in an office or home, even outdoors. Outside the office or home,
wireless networking is available in public hotspots, such as coffee shops, businesses,
hotel rooms, and airports.
Ethernet is the most common wired networking technology. The wires, called cables,
connect the computers and other devices that make up the networks. Wired networks are
best for moving large amounts of data at high speeds, such as are required to support
professional-quality multimedia.
4.1.4 The Services
Network services are computer programs that support the human network. Distributed on
devices throughout the network, these services facilitate online communication tools such
as e-mail, bulletin/discussion boards, chat rooms, and instant messaging.
4.1.5 The Rules
Important aspects of networks that are neither devices nor media are rules, or protocols.
These rules are the standards and protocols that specify how the messages are sent, how
they are directed through the network, and how they are interpreted at the destination
devices. For example, in the case of Jabber instant messaging, the XMPP, TCP, and IP
protocols are all important sets of rules that enable our communication to occur.
4.2 The OSI Model:-
Initially the OSI model was designed by the International Organization for
Standardization (ISO) to provide a framework on which to build a suite of open systems
protocols. The vision was that this set of protocols would be used to develop an
international network that would not be dependent on proprietary systems.
Unfortunately, the speed at which the TCP/IP based Internet was adopted, and the rate at
which it expanded, caused the OSI Protocol Suite development and acceptance to lag
behind. Although few of the protocols developed using the OSI specifications are in
widespread use today, the seven-layer OSI model has made major contributions to the
development of other protocols and products for all types of new networks.
As a reference model, the OSI model provides an extensive list of functions and services
that can occur at each layer. It also describes the interaction of each layer with the layers
directly above and below it.
The protocols that make up the TCP/IP protocol suite can be described in terms of the
OSI reference model. In the OSI model, the Network Access layer and the Application
layer of the TCP/IP model are further divided to describe discrete functions that need to
occur at these layers.
At the Network Access Layer, the TCP/IP protocol suite does not specify which protocols
to use when transmitting over a physical medium; it only describes the handoff from the
Internet Layer to the physical network protocols. The OSI Layers 1 and 2 discuss the
necessary procedures to access the media and the physical means to send data over a
network.
Fig 4.1 Troubleshooting Application layer Problems
The key parallels between the two network models occur at the OSI model Layers 3 and
4. OSI Model Layer 3, the Network layer, almost universally is used to discuss and
document the range of processes that occur in all data networks to address and route
messages through an internetwork. The Internet Protocol (IP) is the TCP/IP suite protocol
that includes the functionality described at Layer 3.
Layer 4, the Transport layer of the OSI model, is often used to describe general services
or functions that manage individual conversations between source and destination hosts.
These functions include acknowledgement, error recovery, and sequencing. At this layer,
the TCP/IP protocols Transmission Control Protocol (TCP) and User Datagram Protocol
(UDP) provide the necessary functionality.
The TCP/IP Application layer includes a number of protocols that provide specific
functionality to a variety of end user applications. The OSI model Layers 5, 6 and 7 are
used as references for application software developers and vendors to produce products
that need to access networks for communications.
Fig 4.2 OSI MODEL
4.3 Classful IP Addressing
When IP was first standardized in September 1981, the specification required that each
system attached to an IP-based Internet be assigned a unique, 32-bit Internet address
value. Systems that have interfaces to more than one network require a unique IP address
for each network interface. The first part of an Internet address identifies the network on
which the host resides, while the second part identifies the particular host on the given
network. This creates the two-level addressing hierarchy.
In recent years, the network number field has been referred to as the network prefix
because the leading portion of each IP address identifies the network number. All hosts
on a given network share the same network prefix but must have a unique host number.
Similarly, any two hosts on different networks must have different network prefixes but
may have the same host number.
4.3.1 Primary Address Classes
To provide the flexibility required to support networks of varying sizes, the Internet
designers decided that the IP address space should be divided into three address classes-
Class A, Class B, and Class C. This is often referred to as classful addressing. Each class
fixes the boundary between the network prefix and the host number at a different point
within the 32-bit address. One of the fundamental features of classful IP addressing is
that each address contains a self-encoding key that identifies the dividing point between
the network prefix and the host number. For example, if the first two bits of an IP address
are 1-0, the dividing point falls between the 15th and 16th bits. This simplified the
routing system during the early years of the Internet because the original routing
protocols did not supply a deciphering key or mask with each route to identify the length
of the network prefix.
Class A Networks (/8 Prefixes)
This class is for very large networks, such as a major international company. IP addresses
with a first octet from 1 to 126 are part of this class. The other three octets are each used
to identify each host.
Example: in 54.24.54.43, the Net part is 54 and the Host (or Node) part is 24.54.43.
Class B Networks (/16 Prefixes)
Class B is used for medium-sized networks. A good example is a large college campus.
IP addresses with a first octet from 128 to 191 are part of this class. Class B addresses also
include the second octet as part of the Net identifier. The other two octets are used to
identify each host.
Class C Networks (/24 Prefixes)
Each Class C network address has a 24-bit network prefix, with the three highest order
bits set to 1-1-0 and a 21-bit network number, followed by an 8-bit host number. Class C
networks are now referred to as “/24s” since they have a 24-bit network prefix.
A maximum of 2,097,152 (2^21) /24 networks can be defined with up to 254 (2^8 - 2) hosts
per network. Since the entire /24 address block contains 2^29 (536,870,912) addresses, it
represents 12.5 percent (or one eighth) of the total IPv4 unicast address space.
Other Classes
In addition to the three most popular classes, there are two additional classes. Class D
addresses have their leading four bits set to 1-1-1-0 and are used to support IP
Multicasting. Class E addresses have their leading four bits set to 1-1-1-1 and are
reserved for experimental use.
4.4 Subnetting
Basically, it is the process of subdividing a network into smaller subnets.
Suppose we have two or three small networks but cannot buy a separate IP address block
for each one. Here we use the basic concept of SUBNETTING: using one public address
block we give all of them IP addresses and make them independent networks. To do this we
borrow some bits from the host address and use them for the network address, so that we
have different independent networks.
Address format when subnetting is used (x = number of bits left for the host):
Class A: Network 8 bits | Subnet 24-x bits | Host x bits
Class B: Network 16 bits | Subnet 16-x bits | Host x bits
Class C: Network 24 bits | Subnet 8-x bits | Host x bits
Because of this, the mask changes to a subnet mask, and the network address now also
includes the subnet address.
Example
If subnet mask is 255.255.240.0 And an IP address for a computer is given as 142.16.52.4
142.16.0.0 is network address
0.0.48.0 is the subnet address
0.0.4.4 is the host address of the computer
10001110.00010000.00110100.00000100 is ANDed with
11111111.11111111.11110000.00000000
and output is 10001110.00010000.00110000.00000000
Here the first two octets represent the Network address and the third octet represents the subnet address.
It can be compared with a postal address as there is only one ZIP code (Network
address), different streets (Subnet address), and different house number (Host address).
• The size of the global Internet routing table does not grow because the site administrator
does not need to obtain additional address space and the routing advertisements for all of
the subnets are combined into a single routing table entry.
4.4.1 Defining the Subnet Mask / Extended Prefix Length
The first step in defining the subnet mask is to determine the number of bits required to
define the six subnets. Since a network address can only be subnetted along binary
boundaries, subnets must be created in blocks of powers of two [2 (2^1), 4 (2^2), 8 (2^3), 16
(2^4), and so on]. Thus, it is impossible to define an IP address block such that it contains
exactly six subnets. For this example, the network administrator must define a block of 8
(2^3) and have two unused subnets that can be reserved for future growth.
Since 8 = 2^3, three bits are required to enumerate the eight subnets in the block. In this
example, the organization is subnetting a /24 so it will need three more bits, or a /27, as
the extended network prefix. A 27-bit extended network prefix can be expressed in
dotted-decimal notation as 255.255.255.224.
A 27-bit extended network prefix leaves 5 bits to define host addresses on each subnet.
This means that each subnetwork with a 27-bit prefix represents a contiguous block of 2^5
(32) individual IP addresses. However, since the all-0s and all-1s host addresses cannot
be allocated, there are 30 (2^5 - 2) assignable host addresses on each subnet.
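The classful self-encoding key of section 4.3.1, the mask-and-split of the 142.16.52.4 example in section 4.4, and the subnet-count arithmetic just described can all be reproduced with a few bit operations. The following Python is an added example for this report, not code from any Cisco or vendor source; the function names are our own, and the address values are the ones used in the text above.

```python
# Added example (not from the report): classful address parsing and subnet
# planning for sections 4.3.1, 4.4 and 4.4.1. Standard library only.
from typing import Dict, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def dotted_to_int(addr: str) -> int:
    """Convert dotted-decimal IPv4 text to a 32-bit integer, rejecting bad octets."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classful_prefix(addr: str) -> Tuple[str, Optional[int]]:
    """Read the self-encoding key in the leading bits and return (class, prefix length).

    0xxx -> A (/8), 10xx -> B (/16), 110x -> C (/24). Classes D (1110) and
    E (1111) have no network/host split, so their prefix length is None.
    """
    top4 = dotted_to_int(addr) >> 28
    if top4 & 0b1000 == 0:
        return "A", 8
    if top4 & 0b1100 == 0b1000:
        return "B", 16
    if top4 & 0b1110 == 0b1100:
        return "C", 24
    if top4 == 0b1110:
        return "D", None
    return "E", None


def split_with_mask(addr: str, mask: str) -> Dict[str, str]:
    """Apply a subnet mask to a classful address and split it into network,
    subnet and host portions, as the 142.16.52.4 / 255.255.240.0 example does."""
    a, m = dotted_to_int(addr), dotted_to_int(mask)
    inverted = ~m & ALL_ONES
    if inverted & (inverted + 1):  # ones must be contiguous, then zeros
        raise ValueError(f"non-contiguous mask: {mask}")
    cls, classful_len = classful_prefix(addr)
    if classful_len is None:
        raise ValueError(f"class {cls} addresses are not subnetted")
    classful_mask = (ALL_ONES << (32 - classful_len)) & ALL_ONES
    if m & classful_mask != classful_mask:
        raise ValueError("mask is shorter than the classful prefix")
    return {
        "class": cls,
        "network": int_to_dotted(a & classful_mask),
        "subnet": int_to_dotted(a & m & ~classful_mask & ALL_ONES),
        "host": int_to_dotted(a & inverted),
        "network_and_subnet": int_to_dotted(a & m),  # the ANDed result
    }


def plan_subnets(base_prefix_len: int, subnets_needed: int) -> Dict[str, object]:
    """Pick the smallest power-of-two block of subnets that holds subnets_needed
    and derive the extended prefix, its mask and the usable hosts per subnet."""
    if subnets_needed < 1:
        raise ValueError("need at least one subnet")
    subnet_bits = (subnets_needed - 1).bit_length()  # 6 -> 3 bits, 8 -> 3 bits
    extended = base_prefix_len + subnet_bits
    if not 0 < base_prefix_len <= 30 or extended > 30:
        raise ValueError("not enough host bits left for usable addresses")
    host_bits = 32 - extended
    return {
        "subnet_bits": subnet_bits,
        "subnets": 2 ** subnet_bits,
        "prefix_len": extended,
        "mask": int_to_dotted((ALL_ONES << host_bits) & ALL_ONES),
        "hosts_per_subnet": 2 ** host_bits - 2,  # all-0s and all-1s excluded
    }
```

Running `split_with_mask("142.16.52.4", "255.255.240.0")` gives the network 142.16.0.0, subnet 0.0.48.0 and host 0.0.4.4 from the worked example, and `plan_subnets(24, 6)` gives the /27, 255.255.255.224 and 30 hosts of section 4.4.1. The contiguity check matters in practice: a mask such as 255.0.255.0 is rejected instead of silently producing a meaningless split.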
4.5 Variable Length Subnet Masks (VLSM)
In 1987, RFC 1009 specified how a subnetted network could use more than one subnet
mask. When an IP network is assigned more than one subnet mask, it is considered a
network with variable length subnet masks (VLSM), since the extended network prefixes have different lengths.
RIP-1 Permits Only a Single Subnet Mask
When using RIP-1, subnet masks have to be uniform across the entire network prefix.
RIP-1 allows only a single subnet mask to be used within each network number because
it does not provide subnet mask information as part of its routing table update messages.
In the absence of this information, RIP-1 is forced to make assumptions about the mask
that should be applied to any of its learned routes.
How does a RIP-1 based router know what mask to apply to a route when it learns a new
route from a neighbor? If the router has a subnet of the same network number assigned to
a local interface, it assumes that the learned subnetwork was defined using the same mask
as the locally configured interface.
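The rule just described can be written down directly, which also shows why it breaks under VLSM: the router's guess is only right when the learned subnet happens to use the same mask as its own interface. The following Python is an added example for this report, not vendor code; the interface addresses, route and function names are constructed for illustration.

```python
# Added example (not from the report): the mask-guessing rule a RIP-1 router has
# to apply because its updates carry no subnet mask (section 4.5). Interface
# addresses and routes are constructed for illustration.
import ipaddress
from typing import Iterable, Optional


def classful_network(addr: str) -> Optional[ipaddress.IPv4Network]:
    """Classful network (A /8, B /16, C /24) containing addr; None for class D/E."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        return None
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def infer_rip1_mask(learned_route: str,
                    local_interfaces: Iterable[str]) -> ipaddress.IPv4Network:
    """If a local interface lies in the same classful network as the learned
    route, reuse that interface's mask; otherwise fall back to the classful
    mask. local_interfaces are 'address/prefixlen' strings."""
    major = classful_network(learned_route)
    if major is None:
        raise ValueError(f"{learned_route} is not a class A/B/C route")
    for iface in local_interfaces:
        local = ipaddress.ip_interface(iface)
        if classful_network(str(local.ip)) == major:
            return ipaddress.ip_network(
                f"{learned_route}/{local.network.prefixlen}", strict=False)
    # No local subnet of that major network: RIP-1 only sees the classful summary.
    return major


def vlsm_mismatch(learned_route: str, actual_prefixlen: int,
                  local_interfaces: Iterable[str]) -> bool:
    """True when the mask RIP-1 would assume differs from the mask actually in
    use, which is exactly the situation that makes VLSM unusable with RIP-1."""
    assumed = infer_rip1_mask(learned_route, local_interfaces)
    return assumed.prefixlen != actual_prefixlen
```

With a local interface at 172.16.1.1/27, a learned route for 172.16.2.0 is installed as 172.16.2.0/27 whatever its real mask; if the remote subnet is really a /24, traffic to its upper addresses is silently misrouted. A router with no interface in 172.16.0.0 gets only the classful 172.16.0.0/16.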
4.6 Routing Protocols
Routing is used for taking a packet from one device and sending it through the network
to another device on a different network. If our network has no routers, then we are not
routing. Routers route traffic to all the networks in our internetwork. To be able to route
packets, a router must know, at a minimum, the following:
Destination address
Neighbor routers from which it can learn about remote networks
Possible routes to all remote networks
The best route to each remote network
How to maintain and verify routing information
Dynamic routing is the process of routing protocols running on the router communicating
with neighbor routers. The routers then update each other about all the networks they
know about. If a change occurs in the network, the dynamic routing protocols
automatically inform all routers about the change. If static routing is used, the
administrator is responsible for updating all changes by hand into all routers.
4.6.1 Routing:- Static and Dynamic
1. The ip route command-
The command for configuring a static route is ip route. The complete syntax for
configuring a static route is:
Router (config) #ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [distance] [name] [permanent] [tag]
Router (config) #ip route network-address subnet-mask {ip-address | exit-interface}
The following parameters are used:
Network-address - Destination network address of the remote network to be
added to the routing table
Subnet-mask - Subnet mask of the remote network to be added to the routing
table. The subnet mask can be modified to summarize a group of networks.
The ip-address parameter is commonly referred to as the "next-hop" router's IP address.
The actual next-hop router's IP address is commonly used for this parameter. However,
the ip-address parameter could be any IP address, as long as it is resolvable in the routing
table. This is beyond the scope of this course, but we've added this point to maintain
technical accuracy.
2. Installing a Static Route in the Routing Table
R#debug ip routing
R#config terminal
R (config) #ip route 172.16.1.0 255.255.255.0 172.16.2.2
Let's examine each element in this output:
ip route - Static route command
172.16.1.0 - Network address of remote network
255.255.255.0 - Subnet mask of remote network
172.16.2.2 - Serial 0/0/0 interface IP address on Router, which is the "next-hop" to this
network
3. Verifying the Static Route-
The output from debug ip routing shows that this route has been added to the routing
table.
00:20:15: RT: add 172.16.1.0/24 via 172.16.2.2, static metric [1/0]
Entering show ip route on R shows the new routing table.
Output:
S - Routing table code for static route
172.16.1.0 - Network address for the route
/24 - Subnet mask for this route; this is displayed in the line above, known as the parent
route
[1/0] - Administrative distance and metric for the static route
via 172.16.2.2 - IP address of the next-hop router, the IP address of the Router's Serial 0/0/0
interface
Any packets with a destination IP address that have the 24 left-most bits matching
172.16.1.0 will use this route.
4.6.2 Configuring a Static Route with an Exit Interface
Let's investigate another way to configure the same static routes. Currently, R's static
route for the 192.168.2.0/24 network is configured with the next-hop IP address of
172.16.2.2. In the running configuration, note the following line:
ip route 192.168.2.0 255.255.255.0 172.16.2.
This static route requires a second routing table lookup to resolve the 172.16.2.2 next-
hop IP address to an exit interface. However, most static routes can be configured with an
exit interface, which allows the routing table to resolve the exit interface in a single
search instead of two searches.
Verifying the Static Route Configuration
Whenever changes are made to static routes - or to other aspects of the network - verify
that the changes took effect and that they produce the desired results.
Verifying Static Route Changes
We deleted and reconfigured the static routes for all three routers. The running
configuration contains the current router configuration - the commands and parameters
that the router is currently using. Verify the changes by examining the running
configuration.
1. show ip route
The routing table shows that static routes with exit interfaces have been added and that the
previous static routes with next-hop addresses have been deleted.
2. ping
The ultimate test is to route packets from source to destination. Using the ping command,
we can test that packets from each router are reaching their destination and that the return
path is also working properly.
4.6.3 Configuring a Summary Route
To implement the summary route, we must first delete the three current static routes:
R (config) #no ip route 172.16.1.0 255.255.255.0 serial0/0/1
R (config) #no ip route 172.16.2.0 255.255.255.0 serial0/0/1
R (config) #no ip route 172.16.3.0 255.255.255.0 serial0/0/1
Next, we will configure the summary static route:
R (config) #ip route 172.16.0.0 255.255.252.0 serial0/0/1
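The two ideas in sections 4.6.2 and 4.6.3, the extra lookup a next-hop route costs and the range a summary route actually covers, can be checked with a small routing-table model. The following Python is an added example for this report, not IOS code or output; the interface names and the connected subnet are assumed, while the prefixes are the ones from the ip route commands above.

```python
# Added example (not from the report): a small IPv4 routing table that performs
# longest-prefix matching, resolves a next-hop address to an exit interface with
# a second lookup (section 4.6.2), and checks what a summary route covers
# (section 4.6.3). Interface names and the connected subnet are assumed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address] = None
    exit_interface: Optional[str] = None
    admin_distance: int = 1  # IOS static routes show as [1/0]


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add_connected(self, interface: str, address: str) -> Route:
        """Directly connected network from an interface address such as 172.16.2.1/24."""
        route = Route(ipaddress.ip_interface(address).network,
                      exit_interface=interface, admin_distance=0)
        self.routes.append(route)
        return route

    def add_static(self, network: str, mask: str, via: str) -> Route:
        """ip route <network> <mask> {next-hop-address | exit-interface}."""
        prefix = ipaddress.ip_network(f"{network}/{mask}")
        try:
            route = Route(prefix, next_hop=ipaddress.ip_address(via))
        except ValueError:  # not an address, so treat it as an interface name
            route = Route(prefix, exit_interface=via)
        self.routes.append(route)
        return route

    def longest_match(self, destination: str) -> Optional[Route]:
        dest = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if dest in r.prefix]
        if not matches:
            return None
        # Longest prefix wins; lower administrative distance breaks ties.
        return max(matches, key=lambda r: (r.prefix.prefixlen, -r.admin_distance))

    def resolve(self, destination: str) -> Tuple[Optional[str], int]:
        """Return (exit_interface, number_of_lookups). A route given by next-hop
        address needs a further lookup to find the interface; a route given by
        exit interface resolves in one."""
        lookups = 0
        current = destination
        seen: Set[Route] = set()
        while True:
            route = self.longest_match(current)
            lookups += 1
            if route is None or route in seen:  # unresolvable or looping next hop
                return None, lookups
            seen.add(route)
            if route.exit_interface is not None:
                return route.exit_interface, lookups
            current = str(route.next_hop)


def summary_coverage(summary_net: str, summary_mask: str,
                     specifics: List[Tuple[str, str]]) -> Tuple[bool, List[str]]:
    """Check that every specific route fits inside the summary, and list the
    address space the summary advertises beyond those specifics."""
    summary = ipaddress.ip_network(f"{summary_net}/{summary_mask}")
    nets = [ipaddress.ip_network(f"{n}/{m}") for n, m in specifics]
    covered = all(n.subnet_of(summary) for n in nets)
    remaining = [summary]
    for n in nets:
        carved = []
        for block in remaining:
            if n.subnet_of(block):
                carved.extend(block.address_exclude(n))
            elif not block.subnet_of(n):
                carved.append(block)
        remaining = carved
    extra = sorted(str(b) for b in ipaddress.collapse_addresses(remaining))
    return covered, extra
```

`summary_coverage("172.16.0.0", "255.255.252.0", ...)` with the three /24s confirms they are covered, and also reports that the /22 additionally covers 172.16.0.0/24, which none of the deleted routes did; a summary always advertises at least the block it replaces, and it is worth knowing what else it pulls in.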
Routing protocols can be classified into different groups according to their
characteristics. The most commonly used routing protocols are:
1. RIP - A distance vector interior routing protocol
2. IGRP - The distance vector interior routing protocol developed by Cisco (deprecated from IOS 12.2 onwards)
3. OSPF - A link-state interior routing protocol
4. IS-IS - A link-state interior routing protocol
5. EIGRP - The advanced distance vector interior routing protocol developed by Cisco
6. BGP - A path vector exterior routing protocol
4.6.4 Routing protocols are of two types
1. Distance vector routing protocols
2. Link state routing protocols
4.6.4.1 Distance vector routing protocols
Dynamic routing protocols help the network administrator overcome the time-consuming
and exacting process of configuring and maintaining static routes. Dynamic routing is the
most common choice for large networks. Distance vector routing protocols include RIP,
IGRP, and EIGRP.
4.6.4.1.1 RIP
RIP has the following key characteristics:-
Hop count is used as the metric for path selection.
If the hop count for a network is greater than 15, RIP cannot supply a route to that
network.
Routing updates are broadcast or multicast every 30 seconds, by default.
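The hop-count metric and the 15-hop limit are easiest to see in one update step of a distance-vector table. The following Python is an added example for this report, not RIP implementation code; router names and the advertised routes are constructed, and the update rule is the generic distance-vector step of which RIP is one instance.

```python
# Added example (not from the report): one distance-vector update step of the
# kind RIP performs, with hop count as the metric and 16 hops meaning
# unreachable (sections 4.6.4.1 and 4.6.4.1.1). Router names and the advertised
# routes are constructed.
from typing import Dict, Mapping, Tuple

INFINITY = 16  # a hop count greater than 15 means RIP cannot supply a route

# destination prefix -> (hop count, next-hop router)
RoutingTable = Dict[str, Tuple[int, str]]


def process_update(table: RoutingTable, neighbor: str,
                   advertised: Mapping[str, int]) -> RoutingTable:
    """Merge a neighbor's advertisement (one Bellman-Ford step).

    Every advertised route costs one extra hop through the neighbor. A route is
    installed when it is new or strictly better, and it is always refreshed when
    it already points at this neighbor, so a neighbor advertising 16 withdraws
    the route it previously gave us.
    """
    updated = dict(table)
    for dest, hops in advertised.items():
        new_hops = min(hops + 1, INFINITY)
        current = updated.get(dest)
        if current is None or new_hops < current[0] or current[1] == neighbor:
            updated[dest] = (new_hops, neighbor)
    return updated


def reachable(table: RoutingTable, dest: str) -> bool:
    """A route exists and its hop count is within the 15-hop limit."""
    entry = table.get(dest)
    return entry is not None and entry[0] < INFINITY


def advertisement(table: RoutingTable) -> Dict[str, int]:
    """What this router would send in its periodic update: every known route
    with its current hop count."""
    return {dest: hops for dest, (hops, _) in table.items()}
```

A neighbor that advertises a network at 15 hops puts it 16 hops away from us, so `reachable` reports it as unusable even though an entry exists; that is the hop-count limit from the list above working as designed rather than a failure.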
4.6.4.1.2 IGRP
Interior Gateway Routing Protocol (IGRP) is a proprietary protocol developed by Cisco.
IGRP has the following key design characteristics:-
Bandwidth, delay, load and reliability are used to create a composite metric.
Routing updates are broadcast every 90 seconds, by default.
IGRP is the predecessor of EIGRP and is now obsolete.
4.6.4.1.3 EIGRP
Enhanced IGRP (EIGRP) is a Cisco proprietary distance vector routing protocol. EIGRP
has these key characteristics: -
It can perform unequal cost load balancing.
It uses Diffusing Update Algorithm (DUAL) to calculate the shortest path.
There are no periodic updates as with RIP and IGRP. Routing updates are sent
only when there is a change in the topology.
4.6.4.2 Link state routing protocols:-
4.6.4.2.1 OSPF
OSPF was designed by the IETF (Internet Engineering Task Force) OSPF Working
Group, which still exists today. The development of OSPF began in 1987 and there are
two current versions in use:
OSPFv2: OSPF for IPv4 networks (RFC 1247 and RFC 2328)
OSPFv3: OSPF for IPv6 networks (RFC 2740)
4.6.4.2.2 IS-IS
IS-IS was designed by ISO (International Organization for Standardization) and is
described in ISO 10589. The first incarnation of this routing protocol was developed at
DEC (Digital Equipment Corporation) and is known as DECnet Phase V. Radia Perlman
was the chief designer of the IS-IS routing protocol.
IS-IS was originally designed for the OSI protocol suite and not the TCP/IP protocol
suite. Later, Integrated IS-IS, or Dual IS-IS, included support for IP networks. Although
IS-IS has been known as the routing protocol used mainly by ISPs and carriers, more
enterprise networks are beginning to use IS-IS.
4.6.4.2.3 OSPF
Open Shortest Path First (OSPF) is a recent entry into the Internet interior routing scene.
OSPF is specifically designed to operate with larger networks. It does not impose a hop-
count restriction and permits its domain to be subdivided for easier management. OSPF is
a classless routing protocol. Therefore, we will configure the mask as part of our OSPF
configuration. OSPF's major advantages over RIP are its fast convergence and its
scalability to much larger network implementations.
OSPF packet types-
Each packet serves a specific purpose in the OSPF routing process:
1. Hello - Hello packets are used to establish and maintain adjacency with other OSPF
routers.
2. DBD - The Database Description (DBD) packet contains an abbreviated list of the
sending router's link-state database and is used by receiving routers to check against the
local link-state database.
3. LSR - Receiving routers can then request more information about any entry in the
DBD by sending a Link-State Request (LSR).
4. LSU - Link-State Update (LSU) packets are used to reply to LSRs as well as to
announce new information. LSUs contain seven different types of Link-State
Advertisements (LSAs).
5. LSAck - When an LSU is received, the router sends a Link-State Acknowledgement
(LSAck) to confirm receipt of the LSU.
CHAPTER -5
TESTING OF NETWORK
5.1 INTRODUCTION
To efficiently diagnose and correct network problems, a network engineer needs to know
how a network has been designed and what the expected performance for this network
should be under normal operating conditions. This information is called the network
baseline and is captured in documentation such as configuration tables and topology
diagrams.
Network configuration documentation provides a logical diagram of the network and
detailed information about each component. This information should be kept in a single
location, either as hard copy or on the network on a protected website. Network
documentation should include these components:
Network configuration table
End-system configuration table
Network topology diagram
When we document our network, we may have to gather information directly from
routers and switches. Commands that are useful to the network documentation process
include:
The ping command is used to test connectivity with neighboring devices before
logging in to them. Pinging to other PCs in the network also initiates the MAC
address auto-discovery process.
The telnet command is used to log in remotely to a device for accessing
configuration information.
The show ip interface brief command is used to display the up or down status
and IP address of all interfaces on a device.
The show ip route command is used to display the routing table in a router to
learn the directly connected neighbors, more remote devices (through learned
routes), and the routing protocols that have been configured.
The show cdp neighbor detail command is used to obtain detailed information
about directly connected Cisco neighbor devices.
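Of the commands listed, show ip interface brief is the one most easily turned into an automated baseline check: parse its table and compare every interface against the documented network configuration table. The following Python is an added example for this report, not Cisco tooling; the sample output, the baseline and the interface names are constructed to look like a router's output.

```python
# Added example (not from the report): parsing 'show ip interface brief' output
# and comparing it with a documented baseline, the check section 5.1 describes.
# The sample output, the baseline and the interface names are constructed.
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_OUTPUT = """\
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES manual up                    up
FastEthernet0/1            unassigned      YES unset  administratively down down
Serial0/0/0                172.16.2.1      YES manual up                    up
Serial0/0/1                172.16.3.1      YES manual down                  down
"""


class InterfaceState(NamedTuple):
    name: str
    ip: str
    status: str
    protocol: str


def parse_ip_interface_brief(text: str) -> Dict[str, InterfaceState]:
    """Parse the tabular output into a dict keyed by interface name.

    The Status column may be two words ("administratively down"), so fields
    are taken from both ends of the line rather than by fixed position.
    """
    states: Dict[str, InterfaceState] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Interface":
            continue  # header or blank line
        name, ip, protocol = parts[0], parts[1], parts[-1]
        status = " ".join(parts[4:-1])
        states[name] = InterfaceState(name, ip, status, protocol)
    return states


# Baseline (constructed): interface -> (expected IP, expected status, expected protocol)
BASELINE: Dict[str, Tuple[str, str, str]] = {
    "FastEthernet0/0": ("192.168.1.1", "up", "up"),
    "FastEthernet0/1": ("unassigned", "administratively down", "down"),
    "Serial0/0/0": ("172.16.2.1", "up", "up"),
    "Serial0/0/1": ("172.16.3.1", "up", "up"),
}


def compare_to_baseline(current: Dict[str, InterfaceState],
                        baseline: Dict[str, Tuple[str, str, str]]) -> List[str]:
    """Report every way the live state differs from the documented baseline."""
    findings: List[str] = []
    for name, (ip, status, protocol) in baseline.items():
        state = current.get(name)
        if state is None:
            findings.append(f"{name}: in baseline but missing from device")
            continue
        if state.ip != ip:
            findings.append(f"{name}: IP {state.ip}, baseline {ip}")
        if (state.status, state.protocol) != (status, protocol):
            findings.append(
                f"{name}: {state.status}/{state.protocol}, baseline {status}/{protocol}")
    for name in current:
        if name not in baseline:
            findings.append(f"{name}: on device but not in baseline")
    return findings
```

On the constructed sample the only finding is Serial0/0/1 at down/down where the baseline expects up/up; an interface that appears on the device but not in the documentation is reported too, since an undocumented interface is as much a deviation from the baseline as a failed one.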
5.2 TESTING NETWORK PERFORMANCE
Establishing a network performance baseline requires collecting key performance data
from the ports and devices that are essential to network operation. This information helps
to determine the "personality" of the network and provides answers to the following
questions:
1. How does the network perform during a normal or average day?
2. Where are the underutilized and over-utilized areas?
3. Where are the most errors occurring?
4. What thresholds should be set for the devices that need to be monitored?
5. Can the network deliver the identified policies?
Measuring the initial performance and availability of critical network devices and links
allows a network administrator to determine the difference between abnormal behavior
and proper network performance as the network grows or traffic patterns change. The
baseline also provides insight into whether the current network design can deliver the
required policies. Without a baseline, no standard exists to measure the optimum nature
of network traffic and congestion levels.
In addition, analysis after an initial baseline tends to reveal hidden problems. The
collected data reveals the true nature of congestion or potential congestion in a network.
It may also reveal areas in the network that are underutilized and quite often can lead to
network redesign efforts based on quality and capacity observations.
5.2.1 Measuring Network Performance Data
Sophisticated network management software is often used to baseline large and complex
networks. For example, the Fluke Network Super Agent module enables administrators to
automatically create and review reports using its Intelligent Baselines feature. This
feature compares current performance levels with historical observations and can
automatically identify performance problems and applications that do not provide
expected levels of service.
5.2.2 The stages of the general testing process are:
Stage 1 Gather symptoms - Troubleshooting begins with the process of gathering and
documenting symptoms from the network, end systems, and users. In addition, the
network administrator determines which network components have been affected and
how the functionality of the network has changed compared to the baseline. Symptoms
may appear in many different forms, including alerts from the network management
system, console messages, and user complaints.
While gathering symptoms, questions should be used as a method of localizing the
problem to a smaller range of possibilities.
Stage 2 Isolate the problem - The problem is not truly isolated until a single problem, or
a set of related problems, is identified. To do this, the network administrator examines the
characteristics of the problems at the logical layers of the network so that the most likely
cause can be selected. At this stage, the network administrator may gather and document
more symptoms depending on the problem characteristics that are identified.
Stage 3 Correct the problem - Having isolated and identified the cause of the problem,
the network administrator works to correct the problem by implementing, testing, and
documenting a solution. If the network administrator determines that the corrective action
has created another problem, the attempted solution is documented, the changes are
removed, and the network administrator returns to gathering symptoms and isolating the
problem.
A troubleshooting policy should be established for each stage. A policy provides a
consistent manner in which to perform each stage. Part of the policy should include
documenting every important piece of information.
5.3 Gathering Symptoms
To determine the scope of the problem, gather and document the symptoms. Each step in
this process is briefly described here:
Step 1. Analyze existing symptoms - Analyze symptoms gathered from the trouble ticket,
users, or end systems affected by the problem to form a definition of the problem.
Step 2. Determine ownership - If the problem is within our system, we can move onto the
next stage. If the problem is outside the boundary of our control, for example, lost
Internet connectivity outside of the autonomous system, we need to contact an
administrator for the external system before gathering additional network symptoms.
Step 3. Narrow the scope - Determine if the problem is at the core, distribution, or access
layer of the network. At the identified layer, analyze the existing symptoms and use our
knowledge of the network topology to determine which pieces of equipment are the most
likely cause.
Step 4. Gather symptoms from suspect devices - Using a layered troubleshooting
approach, gather hardware and software symptoms from the suspect devices. Start with
the most likely possibility, and use knowledge and experience to determine if the problem
is more likely a hardware or software configuration problem.
Step 5. Document symptoms - Sometimes the problem can be solved using the
documented symptoms. If not, begin the isolating phase of the general troubleshooting
process.
Fig 5.1 Command List
5.4 Hardware Testing Tools
5.4.1 Network Analysis Module
A network analysis module (NAM) can be installed in Cisco Catalyst 6500 series
switches and Cisco 7600 series routers to provide a graphical representation of traffic
from local and remote switches and routers. The NAM has an embedded, browser-based
interface that generates reports on the traffic that consumes critical network resources. In
addition, the NAM can capture and decode packets and track response times to pinpoint
an application problem to the network or the server.
5.4.2 Digital Multimeters
Digital multimeters (DMMs) are test instruments that are used to directly measure
electrical values of voltage, current, and resistance. In network troubleshooting, most
multimeter tests involve checking power-supply voltage levels and verifying that
network devices are receiving power.
5.4.3 Cable Testers
Cable testers are specialized handheld devices designed for testing the various types of
data communication cabling. They can be used to detect broken wires, crossed-over
wiring, shorted connections, and improperly paired connections. These devices range
from inexpensive continuity testers, through moderately priced data cabling testers, to
expensive time-domain reflectometers (TDRs).
TDRs are used to pinpoint the distance to a break in a cable. These devices send signals
along the cable and wait for them to be reflected. The time between sending the signal
and receiving it back is converted into a distance measurement. The TDR function is
normally packaged with data cabling testers. TDRs used to test fiber optic cables are
known as optical time-domain reflectometers (OTDRs).
Fig 5.2 TOPOLOGY DIAGRAM OF NETWORK
5.4.4 Cable Analyzers
Cable analyzers are multifunctional handheld devices that are used to test and certify
copper and fiber cables for different services and standards. The more sophisticated tools
include advanced troubleshooting diagnostics that measure the distance to a performance
defect such as near-end crosstalk (NEXT) or return loss (RL), identify corrective actions,
and graphically display crosstalk and impedance behavior. Cable analyzers also typically
include PC-based software: once field data is collected, the handheld device can upload it
so that up-to-date and accurate reports can be created.
CHAPTER-6
SECURITY
6.1 Introduction
Computer networks have grown in both size and importance in a very short time. If the
security of the network is compromised, there could be serious consequences, such as
loss of privacy, theft of information, and even legal liability. To make the situation even
more challenging, the types of potential threats to network security are always evolving.
As e-business and Internet applications continue to grow, finding the balance between
being isolated and open is critical. In addition, the rise of mobile commerce and wireless
networks demands that security solutions become seamlessly integrated, more transparent,
and more flexible.
6.2 The Increasing Threat to Security
Over the years, network attack tools and methods have evolved. In 1985 an attacker had
to have sophisticated computer, programming, and networking knowledge to make use of
rudimentary tools and basic attacks. As time went on, and attackers' methods and tools
improved, attackers no longer required the same level of sophisticated knowledge. This
has effectively lowered the entry-level requirements for attackers. People who previously
would not have participated in computer crime are now able to do so.
As the types of threats, attacks, and exploits have evolved, various terms have been
coined to describe the individuals involved. Some of the most common terms are as
follows:
White hat - An individual who looks for vulnerabilities in systems or networks and then
reports these vulnerabilities to the owners of the system so that they can be fixed. They
are ethically opposed to the abuse of computer systems. A white hat generally focuses on
securing IT systems, whereas a black hat (the opposite) would like to break into them.
Hacker - A general term that has historically been used to describe a computer
programming expert. More recently, this term is often used in a negative way to describe
an individual that attempts to gain unauthorized access to network resources with
malicious intent.
Black hat - Another term for individuals who use their knowledge of computer systems to
break into systems or networks that they are not authorized to use, usually for personal or
financial gain. A cracker is an example of a black hat.
Cracker - A more accurate term to describe someone who tries to gain unauthorized
access to network resources with malicious intent.
Phreaker - An individual who manipulates the phone network to cause it to perform a
function that is not allowed. A common goal of phreaking is breaking into the phone
network, usually through a payphone, to make free long-distance calls.
Spammer - An individual who sends large quantities of unsolicited e-mail messages.
Spammers often use viruses to take control of home computers and use them to send out
their bulk messages.
Phisher - Uses e-mail or other means to trick others into providing sensitive information,
such as credit card numbers or passwords. A phisher masquerades as a trusted party that
would have a legitimate need for the sensitive information.
6.2.1 Types of Computer Crime
As security measures have improved over the years, some of the most common types of
attacks have diminished in frequency, while new ones have emerged. Conceiving of
network security solutions begins with an appreciation of the complete scope of computer
crime. These are the most commonly reported acts of computer crime that have network
security implications:
1. Insider abuse of network access
2. Virus
3. Mobile device theft
4. Phishing where an organization is fraudulently represented as the sender
5. Instant messaging misuse
6. Denial of service
7. Unauthorized access to information
8. Bots within the organization
9. Theft of customer or employee data
10. Abuse of wireless network
11. System penetration
12. Financial fraud
13. Password sniffing
14. Key logging
15. Website defacement
16. Misuse of a public web application
17. Theft of proprietary information
18. Exploiting the DNS server of an organization
19. Telecom fraud
20. Sabotage
Note: In certain countries, some of these activities may not be a crime, but are still a
problem.
6.3 Secure connectivity
VPNs - Encrypt network traffic to prevent unwanted disclosure to unauthorized or
malicious individuals.
Trust and identity - Implement tight constraints on trust levels within a network.
For example, systems on the outside of a firewall should never be absolutely
trusted by systems on the inside of a firewall.
Authentication - Give access to authorized users only. One example of this is using
one-time passwords.
Policy enforcement - Ensure that users and end devices are in compliance with the
corporate policy.
6.3.1 The Role of Routers in Network Security
We know that we can build a LAN by connecting devices with basic Layer 2 LAN
switches. We can then use a router to route traffic between different networks based on
Layer 3 IP addresses.
Router security is a critical element in any security deployment. Routers are definite
targets for network attackers: an attacker who can compromise and access a router gains
a foothold from which to reach and attack the networks behind it. Knowing the roles that
routers fulfill in the network helps us understand their vulnerabilities.
Routers fulfill the following roles:
Advertise networks and filter who can use them.
Provide access to network segments and subnetworks.
6.4 ACL
An ACL is a router configuration script that controls whether a router permits or denies
packets to pass based on criteria found in the packet header. ACLs are among the most
commonly used objects in Cisco IOS software. ACLs are also used for selecting types of
traffic to be analyzed, forwarded, or processed in other ways.
As each packet comes through an interface with an associated ACL, the ACL is checked
from top to bottom, one line at a time, looking for a pattern matching the incoming
packet. The ACL enforces one or more corporate security policies by applying a permit
or deny rule to determine the fate of the packet. ACLs can be configured to control access
to a network or subnet.
By default, a router does not have any ACLs configured and therefore does not filter
traffic. Traffic that enters the router is routed according to the routing table. If we do not
use ACLs on the router, all packets that can be routed through the router pass through the
router to the next network segment.
Here are some guidelines for using ACLs:
Use ACLs in firewall routers positioned between our internal network and an
external network such as the Internet.
Use ACLs on a router positioned between two parts of our network to control
traffic entering or exiting a specific part of our internal network.
Configure ACLs on border routers, that is, routers situated at the edges of our networks.
This provides a very basic buffer from the outside network, or between a less
controlled area of our own network and a more sensitive area.
Configure ACLs for each network protocol configured on the border router
interfaces. We can configure ACLs on an interface to filter inbound traffic,
outbound traffic, or both.
6.4.1 The Three Ps
A general rule for applying ACLs on a router can be recalled by remembering the three
Ps. We can configure one ACL per protocol, per direction, per interface:
One ACL per protocol-To control traffic flow on an interface, an ACL must be
defined for each protocol enabled on the interface.
One ACL per direction-ACLs control traffic in one direction at a time on an
interface. Two separate ACLs must be created to control inbound and outbound
traffic.
One ACL per interface-ACLs control traffic for an interface, for example, Fast
Ethernet 0/0.
Writing ACLs can be a challenging and complex task. Every interface can have multiple
protocols and directions defined. For example, a router with two interfaces, each
configured for IP, AppleTalk, and IPX, could require up to 12 separate ACLs: one ACL
for each of the three protocols, times two directions, times two interfaces.
6.4.2 How ACLs Work
ACLs define the set of rules that give added control for packets that enter inbound
interfaces, packets that relay through the router, and packets that exit outbound interfaces
of the router. ACLs do not act on packets that originate from the router itself.
ACLs are configured either to apply to inbound traffic or to apply to outbound traffic.
Inbound ACLs-Incoming packets are processed before they are routed to the
outbound interface. An inbound ACL is efficient because it saves the overhead of
routing lookups if the packet is discarded. If the packet is permitted by the tests, it
is then processed for routing.
Outbound ACLs-Incoming packets are routed to the outbound interface, and
then they are processed through the outbound ACL.
ACL statements operate in sequential order. They evaluate packets against the ACL, from
the top down, one statement at a time.
A final implied statement covers all packets for which conditions did not test true. This
final test condition matches all other packets and results in a "deny" instruction. Instead
of proceeding into or out of an interface, the router drops all of these remaining packets.
This final statement is often referred to as the "implicit deny any statement" or the "deny
all traffic" statement. Because of this statement, an ACL should have at least one permit
statement in it; otherwise, the ACL blocks all traffic.
We can apply an ACL to multiple interfaces. However, there can be only one ACL per
protocol, per direction, and per interface.
If the outbound interface is not grouped to an outbound ACL, the packet is sent
directly to the outbound interface.
If the outbound interface is grouped to an outbound ACL, the packet is not sent
out on the outbound interface until it is tested by the combination of ACL
statements that are associated with that interface. Based on the ACL tests, the
packet is permitted or denied.
For outbound lists, "to permit" means to send the packet to the output buffer, and
"to deny" means to discard the packet.
6.4.2.1 ACL Routing and ACL Processes on a Router
If the frame address is accepted, the frame information is stripped off and the
router checks for an ACL on the inbound interface. If an ACL exists, the packet is
now tested against the statements in the list.
If the packet matches a statement, the packet is either accepted or rejected. If the
packet is accepted in the interface, it is then checked against routing table entries
to determine the destination interface and switched to that interface.
Next, the router checks whether the destination interface has an ACL. If an ACL
exists, the packet is tested against the statements in the list.
If the packet matches a statement, it is either accepted or rejected.
If there is no ACL or the packet is accepted, the packet is encapsulated in the new
Layer 2 protocol and forwarded out the interface to the next device.
The Implied "Deny All Traffic" Criteria Statement
At the end of every access list is an implied "deny all traffic" criteria statement. It is also
sometimes referred to as the "implicit deny any" statement. Therefore, if a packet does
not match any of the ACL entries, it is automatically blocked. The implied "deny all
traffic" is the default behavior of ACLs and cannot be changed.
6.4.2.2 Types of ACLs
There are two types of Cisco ACLs, standard and extended.
6.4.2.2.1 Standard ACLs
Standard ACLs allow us to permit or deny traffic based on source IP addresses only. The
destination of the packet and the ports involved do not matter. The example permits all
traffic from the 192.168.30.0/24 network; because of the implied "deny any" at the
end, all other traffic is blocked by this ACL. Standard ACLs are created in global
configuration mode.
6.4.2.2.2 Extended ACLs
Extended ACLs filter IP packets based on several attributes: protocol type, source IP
address, destination IP address, source TCP or UDP port, destination TCP or UDP port,
and optional protocol-specific information for finer granularity of control. For example,
ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to
port 80 (HTTP) on any destination host. Extended ACLs are created in global
configuration mode.
An ACL is a sequential collection of permit and deny conditions. For a standard ACL these
apply to source IP addresses only; the destination of the packet and the ports involved are
not examined.
Cisco IOS software tests a packet against the conditions one by one. The first match
determines whether the software accepts or rejects the packet. Because the software
stops testing conditions after the first match, the order of the conditions is critical. If no
conditions match, the packet is rejected. The two main tasks involved in using ACLs are
as follows:
Step 1. Create an access list by specifying an access list number or name and access
conditions.
Step 2. Apply the ACL to interfaces or terminal lines.
Using numbered ACLs is an effective method for identifying the ACL type on smaller
networks with more homogeneously defined traffic. However, a number does not tell us
the purpose of the ACL. For this reason, starting with Cisco IOS Release 11.2, an ACL
can also be identified by a name.
Regarding numbered ACLs, in case we are wondering why numbers 200 to 1299 are
skipped, it is because those ranges are reserved for other protocols; this chapter covers
only IP ACLs. For example, numbers 600 to 699 are used by AppleTalk, and numbers
800 to 899 are used by IPX.
The proper placement of an ACL to filter undesirable traffic makes the network operate
more efficiently. ACLs can act as firewalls to filter packets and eliminate unwanted
traffic. Where we place ACLs can reduce unnecessary traffic. For example, traffic that
will be denied at a remote destination should not use network resources along the route to
that destination.
Every ACL should be placed where it has the greatest impact on efficiency. The basic
rules are:
Locate extended ACLs as close as possible to the source of the traffic denied. This way,
undesirable traffic is filtered without crossing the network infrastructure.
Because standard ACLs do not specify destination addresses, place them as close to the
destination as possible.
FIG 6.1 DFD SHOWING HOW ACL WORKS (STANDARD ACL LOGIC)
CHAPTER-7
CONCLUSION
The network designed using simulators fully meets the objectives of the system. The
system has reached a steady state in which all the bugs have been eliminated. It is
operating at a high level of efficiency, and all packets reach their correct destinations.
Network traffic is also monitored with analyzers. The project developed is within the
state of the art, and defects can easily be reduced to a level matching the application's
needs. The network has been designed with user friendliness as the top priority: the
system is very easy to operate and work with, and it solves the problem it was intended
to solve, as set out in the requirement specification phase.
Thus, in the end, we would like to conclude that network design has become a need for
every organization, and sooner or later everyone will be compelled to apply it because of
its numerous advantages.
Key Learning
In the present-day job market, the established competitive state of affairs makes it
tricky for every individual to acquire a job easily. In such situations, it becomes
crucial to be well educated and to have professional qualifications in order to build a
successful career. Therefore, if you are planning a career in networking, which is
considered one of the most sought-after fields all over the world, it is important to
obtain the CCNA certification. To acquire it, it is suggested that you register for Cisco
CCNA training, which is offered by several institutions around the UK. After this, you
will need to prepare for and pass the CCNA examinations in order to become CCNA
certified.
Cisco Certified Network Associate (CCNA) is the basic level of Cisco certification. By
registering for the CCNA examination, you will learn networking basics such as the
installation, design, troubleshooting, configuration, management, and maintenance of IP
and non-IP networks. Furthermore, as the CCNA course is the foundation of the three
levels of Cisco certification, there are no prerequisites for taking the CCNA
examinations. The CCNA level is appropriate for field technicians and help-desk
engineers.
Advantages:
1. Understand the basic functioning of Cisco routers, switches, and hubs.
2. Have a professional approach towards networking.
3. Potential to configure any network.
4. Industry-oriented.