Network Notes
http://www.e-tutes.com/
Lesson 1: Networking Basics
Lesson 2: OSI Reference Model
Lesson 3: Introduction to TCP/IP
Lesson 4: LAN Basics
Lesson 5: Understanding Switching
Lesson 6: WAN Basics
Lesson 7: Understanding Routing
Lesson 8: What Is Layer 3 Switching?
Lesson 9: Understanding Virtual LANs
Lesson 10: Understanding Quality of Service
Lesson 11: Security Basics
Lesson 12: Understanding Virtual Private Networks
Lesson 13: Voice Technology Basics
Lesson 14: Network Management Basics
Lesson 15: The Internet
Lesson 1: Networking Basics
This lesson covers the very basics of networking. We'll start with a little history that describes how the networking industry evolved. We'll then move on to a section that describes how a LAN is built: essentially the necessary components (like NICs and cables). We then cover LAN topologies. And finally we'll discuss the key networking devices: hubs, bridges, switches, and routers.
This module is an overview only. It will familiarize you with much of the vocabulary you hear with regard to networking. Some of these concepts are covered in more detail in later lessons.
The Agenda
- Networking History
- How a LAN Is Built
- LAN Topologies
- LAN/WAN Devices
Networking History
Early networks
From a historical perspective, electronic communication has been around a long time, beginning with Samuel Morse and the telegraph. He sent the first telegraph message on May 24, 1844 from Washington DC to Baltimore MD, 37 miles away. The message? "What hath God wrought."
About three decades later, Alexander Graham Bell invented the telephone, beating a competitor to the patent office by only a couple of hours on Valentine's Day, 1876. This led to the development of the ultimate analog network: the telephone system.
The first bit-oriented device was Emile Baudot's printing telegraph. By bit-oriented we mean the device sent pulses of electricity that were either positive or had no voltage at all. These machines did not use Morse code. Baudot's five-level code sent five pulses down the wire for each character transmitted. The machines did the encoding and decoding, eliminating the need for trained operators at both ends of the wire. For the first time, electronic messages could be sent by anyone.
Telephone Network
But it's really the telephone network that has had the greatest impact on how businesses communicate and connect today. Until 1984, the Bell System, the company now known as AT&T, owned the telephone network from end to end. It was a phenomenal network, the largest then and still the largest today.
Let's take a look at some additional developments in the communications industry that had a direct impact on the networking industry today.
Developments in Communication
In the 1960s, a man named Thomas Carter sold a device, the Carterfone, that coupled a telephone handset to a two-way radio so that field crews could talk over the telephone from their radios.
Bell Telephone objected to a "foreign" device on its network, and the resulting dispute ended with the FCC's 1968 Carterfone decision in Carter's favor.
As a result, in 1975 the FCC ruled that devices could attach to the phone system if they met certain specifications. Those specifications took effect in 1977 and became known as FCC Part 68. Years ago you could look at the underside of a telephone not manufactured by Bell and see the "Part 68" stamp of approval.
This chain of rulings eventually led to the breakup of American Telephone and Telegraph in 1984, creating seven regional Bell operating companies such as Bell Atlantic, BellSouth and Pacific Telesis (the parent of Pacific Bell). The breakup opened the door for other competitors in the telecommunications market, such as Microwave Communications, Inc. (MCI) and Sprint. Today, when you make a phone call across the country, it may go through three or four different carrier networks to make the connection.
Now, let's take a look at what was happening in the computer industry at about the same time.
1960s - 1970s Communication
In the 1960s and 1970s, traditional computer communications centered around the mainframe host. The mainframe contained all the applications needed by the users, as well as file management and even printing. This centralized computing environment used low-speed access lines that tied terminals to the host. These large mainframes used digital signals (pulses of electricity, zeros and ones, what is called binary) to pass information from the terminals to the host. The information processing in the host was also all digital.
Problems faced in communication
This brought about a problem. The telephone industry wanted to use computers to switch calls faster, and the computer industry wanted to connect remote users to the mainframe using the telephone service. But the telephone networks speak analog and computers speak digital. Let's take a closer look at this problem.
Digital signals are seen as ones and zeros. The signal is either on or off. Analog signals are like audio tones, for example the high-pitched squeal you hear when you accidentally call a fax machine. So, in order for the computer world to use the services of the telephone system, a conversion of the signal had to occur.
The solution
The solution: a modulator/demodulator, or "modem." When a desktop computer sends information to a host over POTS (plain old telephone service), the modem takes the digital signals from the computer and modulates them into analog format to go through the telephone system. At the far end, another modem demodulates the analog signal back into digital format to be processed by the host computer. This helped solve some of the distance problems, at least to a certain extent.
Multiplexing or muxing
Another problem is how to connect multiple terminals to a single cable. The technology solution is multiplexing, or muxing. With multiplexing we can take multiple remote terminals and connect them back to a single mainframe at the central site over a single communications channel, a single line. This introduces some new terminology in our diagram.
The single line back to the central site is referred to as a broadband connection, because whenever we talk about broadband we are talking about carrying multiple communications channels over a single communication pipe. Here we have four communication channels, one for each remote terminal, going back to the central site over one common physical path.
Out at the terminals you see the term baseband. Between each terminal and the multiplexer there is a single communications channel per wire, so each of those wires leading into the multiplexer is a dedicated channel, a dedicated path.
The function of the multiplexer is to take each of those baseband paths and allocate it a time slot on the shared line. Each terminal then has its own time slot across the common connection between the remote site and the central mainframe site. The multiplexer at the other end puts the pieces back together for delivery to the mainframe.
So muxing is our fundamental concept here. Let's look at the different ways to do our muxing.
Baseband and broadband
You see again the terms here, baseband and broadband.
In the case of baseband we said we had a single communications channel per physical path. An example of baseband technology you are probably familiar with is Ethernet; most implementations of Ethernet use baseband technology. We have a single communications channel going over a single physical cable.
Broadband, on the other hand, is like multiple trains inside a single tunnel. The everyday example is cable TV: a single cable is plugged into the back of the TV, and over that one cable we can get 12, 20, 40, 60 or more channels. So cable TV is a good example of broadband.
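The time-slot allocation described above, as an added example that is not part of the original notes: a small Python model of a time-division multiplexer. Four constructed terminals (the names and byte strings are made up) each feed a baseband link into the mux, which interleaves them onto one shared line; the demux at the central site rebuilds each stream purely from slot position. It also measures how much of the shared line idle terminals waste, which the notes only hint at.

```python
from fractions import Fraction
from typing import Dict, List, Optional

# One slot per terminal per frame; None marks a slot its owner left idle.
Frame = List[Optional[int]]

# Constructed sample input: four remote terminals, each on its own baseband
# link into the multiplexer. Their traffic is represented as plain bytes.
TERMINALS: Dict[str, bytes] = {
    "T1": b"LOGIN ALICE",
    "T2": b"DIR",
    "T3": b"",              # idle terminal: it still owns a slot in every frame
    "T4": b"PRINT REPORT",
}


def mux(terminals: Dict[str, bytes]) -> List[Frame]:
    """Multiplexer: interleave the terminals onto one shared line.

    Every frame carries exactly one slot per terminal, always in the same
    order, so the far end can tell whose byte is whose purely by position.
    No addresses travel on the line; the slot map is agreed in advance.
    """
    order = list(terminals)
    longest = max((len(data) for data in terminals.values()), default=0)
    frames: List[Frame] = []
    for i in range(longest):
        frame: Frame = []
        for name in order:
            data = terminals[name]
            frame.append(data[i] if i < len(data) else None)
        frames.append(frame)
    return frames


def demux(frames: List[Frame], order: List[str]) -> Dict[str, bytes]:
    """Demultiplexer: reassemble each terminal's stream at the central site."""
    out = {name: bytearray() for name in order}
    for frame in frames:
        if len(frame) != len(order):
            raise ValueError("frame slot count does not match the agreed slot map")
        for slot, name in enumerate(order):
            byte = frame[slot]
            if byte is not None:
                out[name].append(byte)
    return {name: bytes(buf) for name, buf in out.items()}


def utilization(frames: List[Frame]) -> Fraction:
    """Fraction of slots on the shared line that actually carried a byte.

    Fixed slots are the price of TDM: an idle terminal's slot is wasted.
    """
    total = sum(len(frame) for frame in frames)
    if total == 0:
        return Fraction(0)
    used = sum(1 for frame in frames for slot in frame if slot is not None)
    return Fraction(used, total)


if __name__ == "__main__":
    line = mux(TERMINALS)
    print(f"{len(line)} frames of {len(TERMINALS)} slots on the shared line")
    print(demux(line, list(TERMINALS)))
    print(f"line utilization: {utilization(line)}")
```

Because nothing on the shared line identifies the sender, both ends must hold the same slot map; demux refuses a frame whose slot count does not match it rather than silently misattributing bytes.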
Given the addition of multiplexing and the use of the modem, let's see how we can grow our network.
How networks are growing
Example
Using all the technology available, companies were able to team up with the phone
company and tie branch offices to the headquarters. The speeds of data transfer were often slow and were still dependent on the speed and capacity of the host computers at the headquarters site.
The phone company was also able to offer leased line and dial-up options. With leased-lines, companies paid for a continuous connection to the host computer.
Companies using dial-up connections paid only for time used. Dial-up connections were perfect for the small office or branch.
Birth of the personal computer
The birth of the personal computer in 1981 really fueled the explosion of the networking marketplace. No longer were people dependent on a mainframe for
applications, file storage, processing, or printing. The PC gave users incredible freedom and power.
The Internet 1970's - 1980's
The 70s and 80s saw the beginnings of the Internet. The Internet as we know it today began as the ARPANET (the Advanced Research Projects Agency Network), built by a division of the Department of Defense starting in the late 1960s through grant-funded research by universities and companies. The first actual packet-switched network was built by BBN. It was used by universities and the federal government to exchange information and research. Many local area networks connected to the ARPANET with TCP/IP. TCP/IP, the Transmission Control Protocol / Internet Protocol, was first described in 1974. The ARPANET was shut down in 1990 due to newer network technology and the need for greater bandwidth on the backbone.
In the mid 1980s the NSFNET, the National Science Foundation Network, was developed. This network relied on supercomputer centers in San Diego, Boulder, Champaign, Pittsburgh, Ithaca, and Princeton. Each of these six centers had a microcomputer tied to it which spoke TCP/IP and handled all of the access to the backbone of the Internet. Essentially this network was overloaded from the word "go". Further developments in networking led to the design of the ANSNET, the Advanced Networks and Services Network. ANSNET was a joint effort by MCI, Merit and IBM specifically for commercial purposes. This large network was sold to AOL in 1995.
The National Science Foundation then awarded contracts to four major network access providers: Pacific Bell in San Francisco, Ameritech in Chicago, MFS in Washington DC and Sprint in New York City. By the mid 80s the collection of networks had begun to be known as the "Internet" in university circles. TCP/IP remains the glue that holds it together. In January 1992 the Internet Society was formed, a misleading name since the Internet is really a place of anarchy: it is controlled by those who have the fastest lines and can give customers the greatest service today.
The primary Internet-related applications used today include: Email, News retrieval, Remote Login, File Transfer and World Wide Web access and development.
1990s Global Internetworking
With the growth and development of the Internet came the need for speed – and bandwidth. Companies want to take advantage of the ability to move information
around the world quickly. This information comes in the form of voice, data and video – large files which increase the demands on the network. In the future, global
internetworking will provide an environment for emerging applications that will require even greater amounts of bandwidth. If you doubt the future of global
internetworking consider this – the Internet is doubling in size about every 11 months.
How a LAN Is Built
In the previous section, we discussed how networking evolved and some of the problems involved in the transmission of data, such as converting between digital and analog signals and connecting multiple terminals over one line. In this section some of the basic elements needed to build local area networks (LANs) will be described.
LAN (Local Area Network)
The term local-area network, or LAN, describes all the devices that communicate together: printers, file server, computers, and perhaps even a host computer. However, the LAN is constrained by distance. The transmission technologies used in LAN applications do not operate at full speed over long distances. LAN distances are in the range of 100 meters (m) to 3 kilometers (km). This range can change as new technologies emerge.
For systems from different manufacturers to interoperate—be it a printer, PC, and file server—they must be developed and manufactured according to industry-wide protocols and standards.
More details about protocols and standards will be given later, but for now, just keep in mind they represent rules that govern how devices on a network exchange information. These rules are developed by industry-wide special interest groups
(SIGs) and standards committees such as the Institute of Electrical and Electronics Engineers (IEEE).
Most of the network administrator's tasks deal with LANs. Major characteristics of LANs are:
- The network operates within a building or floor of a building. As desktop devices and the applications they run grow more powerful, the trend is toward less area per LAN.
- LANs provide multiple connected desktop devices (usually PCs) with access to high-bandwidth media.
- An enterprise purchases the media and connections used in the LAN; the enterprise can privately control the LAN as it chooses.
- LANs rarely shut down or restrict access to connected workstations; local services are usually always available.
- By definition, the LAN connects physically adjacent devices on the media.
So let‘s look at the components of a LAN.
Components of LAN
- Network operating system (NOS)
In order for computers to communicate with each other, they must first have the networking software that tells them how to do so. Without the software, the system functions simply as a "standalone," unable to use any of the resources on the network. Network operating software may be installed at the factory, eliminating the need for you to purchase it (AppleTalk, for example), or you may install it yourself.
- Network interface card (NIC)
In addition to network operating software, each network device must also have a network interface card. These cards today are also referred to as adapters, as in "Ethernet adapter card" or "Token Ring adapter card."
The NIC amplifies electronic signals, which are generally very weak within the computer system itself. The NIC is also responsible for packaging data for transmission and for controlling access to the network cable. When the data is packaged properly, and the timing is right, the NIC pushes the data stream onto the cable.
The NIC also provides the physical connection between the computer and the transmission cable (also called "media"). This connection is made through the connector port. Examples of the LAN technologies a NIC implements are Ethernet, Token Ring, and FDDI.
- Wiring hub
In order to have a network, you must have at least two devices that communicate with each other. In this simple model, it is a computer and a printer. The printer also has a NIC installed (for example, an HP JetDirect card), which in turn is plugged into a wiring hub. The computer system is also plugged into the hub, which facilitates communication between the two devices.
Additional components (such as a server, a few more PCs, and a scanner) may be connected to the hub. With this connection, all network components would have access to all other network components.
The benefit of building this network is that by sharing resources a company can afford higher quality components. For example, instead of providing an inkjet printer for every PC, a company may purchase a laser printer (which is faster, higher
capacity, and higher quality than the inkjet) to attach to a network. Then, all computers on that network have access to the higher quality printer.
- Cables or Transmission Media
The wires connecting the various devices together are referred to as cables.
- Cable prices range from inexpensive to very costly and can be a significant part of the cost of the network itself.
- Cables are one example of transmission media. Media are the various physical environments through which transmission signals pass. Common network media include twisted-pair, coaxial cable, fiber-optic cable, and the atmosphere (through which microwave, laser, and infrared transmission occurs). Another term for this is "physical media." Note that not all wiring hubs support all media types.
The other component shown in the lesson's figure is the connector.
- As the name implies, the connector is the physical location where the NIC and the cabling connect.
- Registered jack (RJ) connectors were originally used to connect telephone lines. RJ connectors are now used for telephone connections and for 10BaseT and other types of network connections. Different connectors are able to support different speeds of transmission because of their design and the materials used in their manufacture.
- RJ-11 connectors are used for telephones, faxes, and modems. RJ-45 connectors are used for NICs, 10BaseT cabling, and ISDN lines.
Network Cabling
Cable is the actual physical path upon which an electrical signal travels as it moves from one component to another.
Transmission protocols determine how NICs take turns transmitting data onto the cable. Remember that we discussed how baseband media carry one signal, while broadband media carry multiple signals. There are three primary cable types:
- Twisted-pair (or copper)
- Coaxial cable and
- Fiber-optic cable
Twisted-pair (or copper)
Unshielded twisted-pair (UTP) is a four-pair wire medium used in a variety of networks. UTP does not require the fixed spacing between connections that is
necessary with coaxial-type connections. There are five types of UTP cabling commonly used as shown below:
- Category 1: Used for telephone communications. It is not suitable for transmitting data.
- Category 2: Capable of transmitting data at speeds up to 4 Mbps.
- Category 3: Used in 10BaseT networks and can transmit data at speeds up to 10 Mbps.
- Category 4: Used in Token Ring networks. Can transmit data at speeds up to 16 Mbps.
- Category 5: Can transmit data at speeds up to 100 Mbps.
Shielded twisted-pair (STP) is a two-pair wiring medium used in a variety of network implementations. STP cabling has a foil or braided shield around the pairs to reduce electromagnetic interference (EMI). Token Ring commonly runs on STP.
Using UTP and STP:
- Speed is usually satisfactory for local-area distances.
- These are the least expensive media for data communication. UTP is cheaper than STP.
- Because most buildings are already wired with UTP, many transmission standards are adapted to use it to avoid costly re-wiring with an alternative cable type.
Coaxial cable
Coaxial cable consists of a solid copper core surrounded by an insulator, a combination shield and ground wire, and an outer protective jacket.
The shielding on coaxial cable makes it less susceptible to interference from outside sources. It requires termination at each end of the cable, as well as a single ground connection. Coaxial Ethernet (10Base2 and 10Base5) runs at 10 Mbps, and the cable is relatively inexpensive, although more costly than UTP.
Coaxial cable can be run over longer distances than twisted-pair cable. For example, Ethernet can run at full speed over approximately 100 m (about 330 feet) of twisted pair. Using thick coaxial cable (10Base5) increases this distance to 500 m per segment.
Fiber-optic cable
Fiber-optic cable consists of glass fiber surrounded by protective layers: a plastic buffer, Kevlar reinforcing, and an outer jacket. Fiber-optic cable is the most expensive of the three types discussed in this section, but it supports 100+ Mbps line speeds.
There are two types of fiber cable:
- Single-mode (or mono-mode): allows only one mode (one propagation path) of light through the fiber; it is capable of higher bandwidth and greater distances than multimode. Often used for campus backbones. Uses lasers as the light source. Single-mode links are much more expensive than multimode, largely because of the laser transceivers. Maximum cable length is on the order of 100 km.
- Multimode: allows multiple modes of light to propagate through the fiber. Often used for workgroup applications. Uses light-emitting diodes (LEDs) as the light source. Maximum cable length is 2 km.
Throughput Needs
Super servers, high-capacity workstations, and multimedia applications have also fueled the need for higher-capacity bandwidth.
The examples in the lesson's figure show that the need for throughput capacity grows out of a desire to transmit more voice, video, and graphics. The rate at which this information may be sent (transmission speed) depends on how data is transmitted and on the medium used for transmission. The "how" of this equation is satisfied by a transmission protocol.
Each protocol runs at a different speed. Two terms are used to describe this speed: throughput rate and bandwidth.
The throughput rate is the rate of information arriving at, and possibly passing through, a particular point in a network.
In this lesson, the term bandwidth means the total capacity of a given network medium (twisted pair, coaxial, or fiber-optic cable) or protocol.
- Bandwidth is also used to describe the difference between the highest and the lowest frequencies available for network signals. This quantity is measured in megahertz (MHz).
- The bandwidth of a given network medium or protocol is measured in bits per second (bps).
Some of the available bandwidth specified for a given medium or protocol is used up in overhead, including framing and control characters. This overhead reduces the capacity available for transmitting data.
The lesson's table (not reproduced here) shows the tremendous variation in transmission time with different throughput rates. In years past, megabit (Mb) rates were considered fast. In today's modern networks, gigabit (Gb) rates are possible. Nevertheless, there continues to be a focus on greater throughput rates.
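How overhead eats into the stated bandwidth, and how transmission time scales with rate, as an added example that is not from the original notes: Python that charges each Ethernet frame its IEEE 802.3 preamble, header, FCS and inter-frame gap (standard Ethernet values, not figures from the notes) and then computes the usable share of the line rate and the serialization time of a transfer.

```python
# IEEE 802.3 per-frame overhead in bytes. These are standard Ethernet values,
# not figures taken from the notes.
PREAMBLE_SFD = 8        # 7-byte preamble plus the start-frame delimiter
HEADER = 14             # destination MAC, source MAC, type/length
FCS = 4                 # frame check sequence
IFG = 12                # inter-frame gap: idle time that still occupies the medium
MIN_PAYLOAD = 46        # shorter payloads are padded up to this
MAX_PAYLOAD = 1500


def wire_bytes(payload: int) -> int:
    """Medium time, in byte-times, that one frame spends carrying `payload` bytes."""
    if payload < 0 or payload > MAX_PAYLOAD:
        raise ValueError("payload must fit in one frame")
    return PREAMBLE_SFD + HEADER + max(payload, MIN_PAYLOAD) + FCS + IFG


def efficiency(payload: int) -> float:
    """Share of the line rate that is actually user data at this payload size."""
    return payload / wire_bytes(payload)


def medium_bytes(data_bytes: int, payload: int = MAX_PAYLOAD) -> int:
    """Total byte-times a transfer of `data_bytes` occupies once split into frames."""
    full, rest = divmod(data_bytes, payload)
    return full * wire_bytes(payload) + (wire_bytes(rest) if rest else 0)


def transfer_seconds(data_bytes: int, rate_bps: int, payload: int = MAX_PAYLOAD) -> float:
    """Serialization time at a given line rate (propagation delay not included)."""
    return medium_bytes(data_bytes, payload) * 8 / rate_bps


if __name__ == "__main__":
    for size in (46, 512, 1500):
        print(f"{size:5d}-byte payload: {efficiency(size):.1%} of line rate is data")
    for rate in (10_000_000, 100_000_000, 1_000_000_000):
        ms = transfer_seconds(1_000_000, rate) * 1000
        print(f"1 MB at {rate / 1e6:>6.0f} Mbps: {ms:.2f} ms")
```

The point the numbers make is that a 10 Mbps, 100 Mbps or 1 Gbps figure is the line rate; with full-size frames a little over 97% of it carries data, and with minimum-size frames barely more than half does, so small-packet traffic never approaches the advertised bandwidth.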
LAN Topologies
You may hear the word topology used with respect to networks. "Topology" refers to the physical arrangement of network components and media within an enterprise networking structure. There are four primary kinds of LAN topologies: bus, tree, star, and ring.
Bus and Tree topology
Bus topology is:
- A linear LAN architecture in which transmissions from network components propagate the length of the medium and are received by all other components.
- The bus portion is the common physical signal path composed of wires or other media across which signals can be sent from one part of a network to another. Sometimes called a highway.
- Ethernet/IEEE 802.3 networks commonly implemented a bus topology.
Tree topology is:
- Similar to bus topology, except that tree networks can contain branches with multiple nodes. As in bus topology, transmissions from one component propagate the length of the medium and are received by all other components.
The disadvantage of bus topology is that if the cable is broken at any point, the entire network goes down, disrupting communication between all users. Because of this problem, bus topology is rarely used today. The advantage of bus topology is that it requires less cabling (therefore, lower cost) than star topology.
Star topology
Star topology is a LAN topology in which endpoints on a network are connected to a common central switch or hub by point-to-point links. Logical bus and ring topologies are often implemented physically in a star topology.
- The benefit of star topology is that even if the connection to any one user is broken, the network keeps functioning, and communication between the remaining users is not disrupted.
- The disadvantage of star topology is that it requires more cabling (therefore, higher cost) than bus topology.
Star topology may be thought of as a bus in a box.
Ring topology
Ring topology consists of a series of repeaters connected to one another by unidirectional transmission links to form a single closed loop.
- Each station on the network connects to the network at a repeater.
- While logically a ring, ring networks are most often wired physically as a star: each station has a point-to-point link to a central wiring concentrator, which joins those links internally into a single unidirectional closed loop.
- One example of a ring topology is Token Ring.
Redundancy is used to avoid collapse of the entire ring in the event that a connection between two components fails.
LAN/WAN Devices
Let's now take a look at some of the devices that move traffic around the network.
The approach taken in this section will be simple. As networking technology continues to evolve, the actual differences between networking devices are beginning to blur. Routers today are switching packets faster and yielding the performance of switches. Switches, on the other hand, are being designed with more intelligence and are able to act more like routers. Hubs, while traditionally not intelligent in terms of the amount of software they run, are now being designed with software that lets the hub act more like a switch. In this section, we'll keep these different types of product separate so that you can understand the basics. Let's start off with the hub.
Hub
Star topology networks generally have a hub in the center of the network that connects all of the devices together using cabling. When bits hit a networking device, be it a hub, switch, or router, the device strengthens the signal and then sends it on its way.
A hub is simply a multiport repeater. There is usually no software to load and no configuration required (i.e. network administrators don't have to tell the device what to do).
Hubs operate very much the same way as a repeater. They amplify and propagate signals received out all ports, with the exception of the port from which the data arrived.
For example, in the lesson's figure, if system 125 wanted to print on printer 128, the message would be sent to all systems on segment 1, as well as across the hub to all systems on segment 2. System 128 would see that the message is intended for it and would process it. Devices on the network are constantly listening for data. When a device senses a frame of information that is addressed to it (and we will talk more about addressing later), it accepts that frame into memory on the network interface card (NIC) and begins processing the data.
In fairly small networks, hubs work very well. However, in large networks the limitations of hubs create problems for network managers. In this example, Ethernet is the standard being used. Because every station shares one baseband medium, only one station can transmit at a time. If the applications and files being used on this network are large, and there are more nodes on the network, contention for bandwidth will slow the responsiveness of the network.
Bridges
Bridges improve network throughput and operate at a more intelligent level than hubs do. A bridge is a store-and-forward device that uses unique hardware addresses to filter traffic that would otherwise travel from one segment to another. A bridge performs the following functions:
- Reads data frame headers and records source address/port (segment) pairs.
- Reads the destination address of incoming frames and uses the recorded addresses to determine the appropriate outbound port for the frame.
- Uses memory buffers to store frames during periods of heavy transmission, and forwards them when the medium is ready.
Let's take a look at an example.
The bridge divides this Ethernet LAN into two segments in the lesson's figure, each connecting to a hub and then to a bridge port. Stations 123-125 are on segment 1 and stations 126-128 are on segment 2.
When station 124 transmits to station 125, the frame goes into the hub (which repeats it and sends it out all connected ports) and then on to the bridge. Once the bridge has learned that stations 124 and 125 are both on segment 1, it will not forward the frame. Only traffic between segments passes through the bridge. In this example, a data frame from station 123, 124, or 125 to any station on segment 2 would be forwarded, and so would a frame from any station on segment 2 to stations on segment 1. When one station transmits, all other stations on its segment must wait until the line is silent again before transmitting. In Ethernet, only one station per segment can transmit at a time, or data frames will collide with each other, corrupting the data in both frames.
Bridges listen to the network and keep track of whom they hear. For instance, the bridge in this example will know that system 127 is on segment 2 and that 125 is on segment 1. A frame whose destination the bridge has not yet learned is flooded out every port except the one it arrived on; the reply from that destination then teaches the bridge where it lives.
Switches
Switches use bridging technology to forward traffic between ports. They provide full dedicated transmission rates between two stations that are directly connected to the switch ports. Switches also build and maintain address tables just like bridges do. These address tables are held in what is known as "content addressable memory" (CAM).
Let's look at an example.
Replacing the two hubs and the bridge with an Ethernet switch provides the users with dedicated bandwidth. Each station has a full 10 Mbps "pipe" to the switch. With a switch at the center of the network, combined with the 100 Mbps links, users have greater access to the network.
Given the size of the files and applications on this network, additional bandwidth for access to the server or to the corporate intranet is possible by using a switch that has both 10 Mbps and 100 Mbps Fast Ethernet ports. The 10 Mbps links could be used to support all the desktop devices, including the printer, while the 100 Mbps switch ports would be used for higher bandwidth needs.
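The hub, bridge and switch behaviour described in the last three sections, as an added example that is not code from the original notes: a Python simulation of the lesson's figure, with the hub repeating each frame to every other station on its segment and a learning bridge filtering, forwarding or flooding according to a table it fills in from source addresses. The station numbers follow the figure; the segment and port names are constructed. The same class with one station per port models the switch.

```python
from typing import Dict, Set

# Constructed topology following the lesson's figure: two hub segments joined
# by one bridge, stations 123-125 on segment 1 and 126-128 on segment 2.
SEGMENTS: Dict[str, Set[str]] = {
    "seg1": {"123", "124", "125"},
    "seg2": {"126", "127", "128"},
}


def hub_repeat(members: Set[str], sender: str) -> Set[str]:
    """A hub is a multiport repeater: the frame goes out every port but the
    one it arrived on, so every other station on the segment hears it."""
    return set(members) - {sender}


class Bridge:
    """Store-and-forward learning bridge. A switch is the same logic with
    one station per port."""

    def __init__(self, segments: Dict[str, Set[str]]) -> None:
        self.segments = segments
        self.table: Dict[str, str] = {}   # station address -> segment it was heard on

    def handle(self, src: str, dst: str, ingress: str) -> Set[str]:
        """Decide which segments (never the ingress one) receive the frame."""
        self.table[src] = ingress                  # learn: src lives on ingress
        known = self.table.get(dst)
        if known == ingress:
            return set()                           # filter: local traffic stays local
        if known is not None:
            return {known}                         # forward to the one known segment
        return set(self.segments) - {ingress}      # unknown: flood every other segment


def send(bridge: Bridge, src: str, dst: str) -> Set[str]:
    """Put one frame on the wire and return every station that sees it."""
    ingress = next((seg for seg, members in bridge.segments.items() if src in members), None)
    if ingress is None:
        raise ValueError(f"station {src} is not attached to any segment")
    heard = hub_repeat(bridge.segments[ingress], src)
    for seg in bridge.handle(src, dst, ingress):
        heard |= bridge.segments[seg]
    return heard


def switched(stations: Set[str]) -> Bridge:
    """Replace hubs and bridge with a switch: each station gets its own port,
    so a learned unicast reaches only its destination."""
    return Bridge({f"port-{s}": {s} for s in sorted(stations)})


if __name__ == "__main__":
    b = Bridge(SEGMENTS)
    for src, dst in [("125", "128"), ("128", "125"), ("124", "125"), ("123", "127")]:
        print(f"{src}->{dst} heard by {sorted(send(b, src, dst))}")
    print("learned:", b.table)
```

Two things the trace makes visible: the bridge can only filter a destination it has already heard transmit, so the first frame to a quiet station crosses the bridge just as it would on a hub; and the table is built entirely from the source addresses of frames the bridge happens to see, which is what "learning" means here.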
Routers
A router has two basic functions, path determination using a variety of metrics, and
forwarding packets from one network to another. Routing metrics can include load on the link between devices, delay, bandwidth, and reliability, or even hop count (i.e. the
number of devices a packet must go through in order to reach its destination). In essence, routers will do all that bridges and switches will do, plus more. Routers have the capability of looking deeper into the data frame and applying network
services based on the destination IP address. Destination and Source IP addresses are a part of the network header added to a packet encapsulation at the network layer.
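The two router functions named above, path determination and packet forwarding, as an added example that is not from the original notes: a Python routing table that keeps the best-metric route for each prefix and then forwards by longest-prefix match on the destination IP address. The prefixes, next-hop names and hop counts are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    metric: int          # lower is better; a hop count in this example


# Constructed candidate routes, as a routing process might learn them from
# several neighbours. Two of them cover the same prefix with different metrics.
CANDIDATES: List[Route] = [
    Route(ipaddress.ip_network("10.1.0.0/16"), "via-r2", 3),
    Route(ipaddress.ip_network("10.1.0.0/16"), "via-r3", 2),   # better hop count, same prefix
    Route(ipaddress.ip_network("10.1.4.0/24"), "via-r4", 5),   # more specific, worse metric
    Route(ipaddress.ip_network("0.0.0.0/0"), "via-isp", 1),    # default route
]


def build_table(candidates: List[Route]) -> List[Route]:
    """Path determination: keep the best-metric route per prefix and order the
    table longest prefix first so a lookup can stop at the first hit."""
    best: Dict[ipaddress.IPv4Network, Route] = {}
    for route in candidates:
        current = best.get(route.prefix)
        if current is None or route.metric < current.metric:
            best[route.prefix] = route
    return sorted(best.values(), key=lambda r: r.prefix.prefixlen, reverse=True)


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Packet forwarding: longest-prefix match on the destination address.
    The most specific prefix wins even if its metric is worse; metrics only
    compete between routes for the same prefix."""
    addr = ipaddress.ip_address(destination)
    for route in table:
        if addr in route.prefix:
            return route
    return None            # no route and no default: the packet is dropped


if __name__ == "__main__":
    table = build_table(CANDIDATES)
    for dst in ("10.1.4.7", "10.1.9.1", "192.0.2.1"):
        route = lookup(table, dst)
        print(f"{dst:>10} -> {route.next_hop if route else 'no route (drop)'}")
```

Note the separation the code enforces: metrics decide which of several routes to the same prefix enters the table, while the forwarding decision for a packet looks only at the destination address and prefix length, never at the metric.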
- SUMMARY -
* LANs are designed to operate within a limited geographic area
* Key LAN components are computers, NOS, NICs, hubs, and cables
* Common LAN topologies include bus, tree, star, and ring
* Common LAN/WAN devices are hubs, bridges, switches, and routers
Lesson 2: OSI Reference Model
This lesson covers the OSI reference model. It is sometimes also called the ISO model or the 7-layer reference model. The model was published by the International Organization for Standardization (ISO) in the early 1980s. It describes the principles for interconnection of computer systems in an Open Systems Interconnection environment.
The Agenda
- The Layered Model
- Layers 1 & 2: Physical & Data Link Layers
- Layer 3: Network Layer
- Layers 4–7: Transport, Session, Presentation, and Application Layers
The Layered Model
The concept of layered communication is essential to ensuring interoperability of all
the pieces of a network. To introduce the process of layered communication, let's take a look at a simple example.
In this image, the goal is to get a message from Location A to Location B. The sender doesn't know what language the receiver speaks, so the sender passes the message
on to a translator. The translator, while not concerned with the content of the message, will translate it into a language that may be globally understood by most, if not all translators – thus
it doesn‘t matter what language the final recipient speaks. In this example, the language is Dutch. The translator also indicates what the language type is, and then passes the message to an administrative assistant.
The administrative assistant, while not concerned with the language, or the message, will work to ensure the reliable delivery of the message to the destination. In this
example, she will attach the fax number, and then fax the document to the destination – Location B.
The document is received by an administrative assistant at Location B. The assistant at Location B may even call the assistant at Location A to let her know the fax was
properly received. The assistant at Location B will then pass the message to the translator at her office. The translator will see that the message is in Dutch. The translator, knowing that the
person to whom the message is addressed only speaks French, will translate the message so the recipient can properly read the message. This completes the process
of moving information from one location to another.
Upon closer study of the process employed to communicate, you will notice that communication took place at different layers. At layer 1, the administrative assistants communicated with each other. At layer 2, the translators communicated with each
other. And, at layer 3 the sender was able to communicate with the recipient.
Why a Layered Network Model?
That's essentially the same thing that goes on in networking with the OSI model. This image illustrates the model.
So, why use a layered network model in the first place? A layered network model does a number of things. It reduces the complexity of the problem from one large problem to seven smaller ones. It allows the standardization of interfaces among devices. It also facilitates modular engineering, so engineers can work on one layer of the network model without being concerned with what happens at another layer. This modularity both accelerates the evolution of technology and simplifies teaching and learning, by dividing the complexity of internetworking into discrete, more easily learned subsets of operation.
Note that a layered model does not define or constrain an implementation; it provides a framework. Implementations, therefore, do not conform to the OSI reference model,
but they do conform to the standards developed from the OSI reference model principles.
Devices Function at Layers
Let's put this in some context. You are already familiar with different networking devices such as hubs, switches, and routers. Each of these devices operates at a different level of the OSI model.
NIC cards receive information from upper-level software and properly package data for transmission onto the network media. Essentially, NIC cards live at the lower two layers of the OSI model: they frame the data (layer 2) and put the bits on the wire (layer 1).
Hubs, whether Ethernet or FDDI, live at the physical layer. They are only concerned with passing bits from one station to the other connected stations on the network. They do not filter any traffic.
Bridges and switches, on the other hand, will filter traffic and build bridging and switching tables in order to keep track of what device is connected to what port.
Routers, or the technology of routing, live at layer 3. These are the layers people are referring to when they speak of "layer 2" or "layer 3" devices. Let's take a closer look at the model.
Host Layers & Media Layers
Host Layers :-
The upper four layers, Application, Presentation, Session, and Transport, are responsible for accurate data delivery between computers. The tasks or functions of these upper four layers must "interoperate" with the upper four layers in the system being communicated with.
Media Layers :-
The lower three layers – Network, Data Link and Physical -- are called the media layers. The media layers are responsible for seeing that the information does indeed
arrive at the destination for which it was intended.
Layer Functions
- Application Layer
If we take a look at the model from the top layer, the Application Layer, down, I think
you will begin to get a better idea of what the model does for the industry.
The applications that you run on a desktop system, such as PowerPoint, Excel and Word, work above the seven layers of the model. The application layer of the model provides network services to those applications. Some of the application processes or services it offers are electronic mail, file transfer, and terminal emulation.
- Presentation Layer
The next layer of the seven layer model is the presentation layer. It is responsible for
the overall representation of the data from the application layer to the receiving system. It insures that the data is readable by the receiving system.
- Session Layer
The session layer is concerned with inter-host communication. It establishes, manages and terminates sessions between applications.
- Transport Layer
Layer 4, the Transport layer, is primarily concerned with end-to-end connection reliability. It is concerned with issues such as data transport, information flow, fault detection, and recovery.
- Network Layer
The network layer is layer 3. This is the layer that is associated with addressing and looking for the best path to send information on. It provides connectivity and path selection between two systems.
The network layer is essentially the domain of routing. So when we talk about a device having layer 3 capability, we mean that that device is capable of addressing
and best path selection.
- Data Link Layer
The link layer (formally referred to as the data link layer) provides reliable transit of
data across a physical link. In so doing, the link layer is concerned with physical (as opposed to network or logical) addressing, network topology, line discipline (how end systems will use the network link), error notification, ordered delivery of frames, and
flow control.
- Physical Layer
The physical layer is concerned with binary transmission. It defines the electrical, mechanical, procedural, and functional specifications for activating, maintaining, and
deactivating the physical link between end systems. Such characteristics as voltage levels, physical data rates, and physical connectors are defined by physical layer
specifications. Now you know the role of all 7 layers of the OSI model.
Peer-to-Peer Communications
Let's see how these layers work in a Peer to Peer Communications Network. In this exercise we will package information and move it from Host A, across network lines to Host B.
Each layer uses its own layer protocol to communicate with its peer layer in the other system. Each layer's protocol exchanges information, called protocol data units
(PDUs), between peer layers. This peer-layer protocol communication is achieved by using the services of the layers below it. The layer below any current or active layer provides its services to the
current layer. The transport layer breaks the data into segments and keeps each application's data separate from the others. At the network layer those segments are placed into packets. At the data link layer those packets become frames, and at the physical layer those frames go out on the wire from one host to the other as bits.
Data Encapsulation
This whole process of moving data from host A to host B is known as data encapsulation: at each layer the data is wrapped in the appropriate protocol header so it can be properly received. Let's say we compose an email that we wish to send from system A to system B. The application we are using is Eudora. We write the letter and then hit send. Now, the computer translates the characters into ASCII codes and then into binary (1s and 0s). If the email is a long one, then it is broken up and sent in pieces. This all happens by the time the data reaches the Transport layer.
At the network layer, a network header is added to the data. This header contains
information required to complete the transfer, such as source and destination logical addresses.
The packet from the network layer is then passed to the data link layer where a frame header and a frame trailer are added thus creating a data link frame.
Finally, the physical layer provides a service to the data link layer. This service includes encoding the data link frame into a pattern of 1s and 0s for transmission on
the medium (usually a wire).
Layers 1 & 2: Physical & Data Link Layers
Now let‘s take a look at each of the layers in a bit more detail and with some context. For Layers 1 and 2, we‘re going to look at physical device addressing, and the
resolution of such addresses when they are unknown.
Physical and Logical Addressing
Locating computer systems on an internetwork is an essential component of any network system, and the key to this is addressing. Every NIC card on the network has its own MAC address. In this example we have a computer with the MAC address 0000.0C12.3456. The MAC address is a hexadecimal number, so the digits in this address don't go just from zero to nine, but go from zero to nine and then from "A" through "F". So there are actually sixteen digits represented in this counting system. Every type of device on a network has a MAC address, whether it is a Macintosh computer, a Sun workstation, a router or even a managed hub. These are known as physical addresses, and they are fixed in the interface hardware. Note, though, that most operating systems let an administrator (or an attacker) override the address in software, so a MAC address identifies an interface but is not proof of which machine is on the other end of the wire.
Logical addresses exist at Layer 3 of the OSI reference model. Unlike link-layer addresses, which usually exist within a flat address space, network-layer addresses are usually hierarchical. In other words, they are like mail addresses, which describe a person's location by providing a country, a state, a zip code, a city, a street, an address on the street, and finally a name. One good example of a flat address space is the U.S. social security numbering system, where each person has a single, unique number.
MAC Address
For multiple stations to share the same medium and still uniquely identify each other, the MAC sub layer defines a hardware or data link address called the MAC
address. The MAC address is unique for each LAN interface. On most LAN-interface cards, the MAC address is burned into ROM—hence the term,
burned-in address (BIA). When the network interface card initializes, this address is copied into RAM. The MAC address is a 48-bit address expressed as 12 hexadecimal digits. The first 6 hexadecimal digits (24 bits) of a MAC address contain a manufacturer identification (vendor code), also known as the organizationally unique identifier (OUI). To ensure vendor uniqueness, the Institute of Electrical and Electronics Engineers (IEEE) administers OUIs. The last 6 hexadecimal digits are administered by each vendor and often represent the interface serial number.
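As an added example (Python written for these notes, not code from the original), here is a parser that accepts the colon, hyphen and Cisco dotted forms of a MAC address, rejects anything that is not exactly 48 bits, and splits out the OUI from the vendor-assigned part. It also decodes two flag bits in the first octet that the IEEE defines and that the text above does not mention: the lowest bit marks a group (multicast or broadcast) address, and the next bit marks a locally administered address, one set by software rather than burned in by the vendor. The sample addresses are constructed; 00:00:0C is Cisco's well-known OUI.

```python
"""Parse a 48-bit MAC address, split the OUI from the vendor part, and decode
the IEEE flag bits. Added example; sample addresses are constructed."""
import re

_TWELVE_HEX = re.compile(r"^[0-9A-Fa-f]{12}$")


def parse_mac(text):
    """Accept 00:00:0C:12:34:56, 00-00-0c-12-34-56 or Cisco's 0000.0C12.3456.
    Return the six octets as bytes; reject anything that is not exactly 48 bits."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not _TWELVE_HEX.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def describe_mac(text):
    """OUI, vendor-assigned part, and the two flag bits of the first octet."""
    mac = parse_mac(text)
    first = mac[0]
    return {
        "oui": mac[:3].hex(":"),                     # IEEE-administered vendor code
        "vendor_part": mac[3:].hex(":"),             # administered by the vendor
        "group": bool(first & 0x01),                 # I/G bit: multicast or broadcast
        "locally_administered": bool(first & 0x02),  # U/L bit: set by software, not burned in
    }


def same_vendor(a, b):
    """True if two addresses share an OUI (same manufacturer, per the IEEE registry)."""
    return parse_mac(a)[:3] == parse_mac(b)[:3]


if __name__ == "__main__":
    for sample in ("0000.0C12.3456", "02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff"):
        print(sample, describe_mac(sample))
```

The locally administered bit is the one to look at when an address on the network matches no known vendor: it is the bit a software-assigned address is supposed to carry, and it is how an overridden address usually looks. Its absence proves nothing, since whoever sets the address in software can clear the bit as easily as set it.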
Layer 3: Network Layer
Now let's take a look at layer 3, the domain of routing.
Network Layer: Path Determination
Which path should traffic take through the cloud of networks? Path determination occurs at Layer 3. The path determination function enables a router to evaluate the available paths to a destination and to establish the preferred handling of a packet.
Data can take different paths to get from a source to a destination. At layer 3, routers really help determine which path. The network administrator configures the router
enabling it to make an intelligent decision as to where the router should send information through the cloud. The network layer sends packets from source network to destination network.
After the router determines which path to use, it can proceed with switching the packet: taking the packet it accepted on one interface and forwarding it to another
interface or port that reflects the best path to the packet's destination.
To be truly practical, an internetwork must consistently represent the paths of its
media connections. As the graphic shows, each line between the routers has a number that the routers use as a network address. These addresses contain information about the path of media connections used by the routing process to pass
packets from a source toward a destination. The network layer combines this information about the path of media connections–
sets of links–into an internetwork by adding path determination, path switching, and route processing functions to a communications system. Using these addresses, the network layer also provides a relay capability that interconnects independent
networks. The consistency of Layer 3 addresses across the entire internetwork also improves
the use of bandwidth by preventing unnecessary broadcasts which tax the system.
Addressing—Network and Node
Each device in a local area network is given a logical address. The first part is the network number – in this example that is a single digit – 1. The second part is a node number, in this example we have nodes 1, 2, and 3. The router uses the network
number to forward information from one network to another.
Protocol Addressing Variations
The two-part network addressing scheme extends across all the protocols covered in
this course. How do you interpret the meaning of the address parts? What authority allocates the addresses? The answers vary from protocol to protocol.
For example, in a TCP/IP address, the dotted decimal numbers show a network part and a host part. With the address 10.8.2.48 and an 8-bit mask, network 10 uses the first of the four numbers as the network part and the last three numbers, 8.2.48, as the host address. The mask is a companion number to the IP address. It tells the router which part of the number to interpret as the network number and identifies the remainder as available for host addresses inside that network.
The Novell Internetwork Packet Exchange (IPX) example uses a different variation of this two-part address. The network address 1aceb0b is a hexadecimal (base 16) number of at most 8 digits (32 bits). The host address 0000.0c00.6e25 (also a hexadecimal number) is a fixed 48 bits long. This host address derives automatically from information in the hardware of the specific LAN device: it is the MAC address of the interface. These are the two most common Layer 3 address types.
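The mask operation just described, as an added Python example that is not part of the original notes. The addresses and masks are constructed, reusing the 10.8.2.48 address from the text. It splits a dotted-decimal address into its network and host parts under a mask, refuses a mask whose one bits are not contiguous, and uses the network part the way a host does when deciding whether a destination is on its own network or must be handed to the router.

```python
"""Network part versus host part of an IPv4 address under a mask.
Added example; the addresses are constructed (10.8.2.48 comes from the text)."""
import ipaddress


def split_address(addr, mask):
    """Return (network_part, host_part) of addr under a dotted-decimal mask,
    both as dotted decimal. The mask must be a run of ones followed by zeros."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    host_bits = ~m & 0xFFFFFFFF
    if host_bits & (host_bits + 1):              # ones and zeros interleaved
        raise ValueError(f"non-contiguous mask {mask}")
    network = ipaddress.IPv4Address(a & m)
    host = ipaddress.IPv4Address(a & host_bits)
    return str(network), str(host)


def prefix_length(mask):
    """Number of network bits in a contiguous mask, e.g. 255.255.255.0 -> 24."""
    split_address("0.0.0.0", mask)              # validates contiguity
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def next_hop(src, dst, mask, router):
    """The decision a host makes: deliver directly if dst is on my network,
    otherwise hand the packet to the router (the default gateway)."""
    if split_address(src, mask)[0] == split_address(dst, mask)[0]:
        return dst
    return router


if __name__ == "__main__":
    print(split_address("10.8.2.48", "255.0.0.0"))        # ('10.0.0.0', '0.8.2.48')
    print(split_address("10.8.2.48", "255.255.255.0"))    # ('10.8.2.0', '0.0.0.48')
    print(next_hop("10.8.2.48", "10.200.1.1", "255.0.0.0", "10.8.2.1"))
```

The same address gives a different network/host split under each mask, which is the whole point of the mask being a companion to the address rather than implied by it.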
Network Layer Protocol Operations
Let's take a look at the flow of packets through a routed network. For example's sake, let's say it is an email message from you at Station X to your mother in Michigan, who is using System Y. The message will exit Station X and travel through the corporate internal network until it gets to a point where it needs the services of an Internet service provider. The message will pass through their network and eventually arrive at Mom's Internet provider in Dearborn. Now, we have simplified this transmission to three routers, when in actuality it could travel through many different networks before it arrives at its destination. Let's take a look, from the OSI model's reference point, at what is happening to the message as it makes its way around the Internet to Mom's.
As information travels from Station X it reaches the network level where a network
address is added to the packet. At the data link layer, the information is encapsulated in an Ethernet frame. Then it goes to the router – here it is Router A – and the router de-encapsulates and examines the frame to determine what type of
network layer data is being carried. The network layer data is sent to the appropriate network layer process, and the frame itself is discarded.
The network layer process examines the header to determine the destination network. The packet is again encapsulated in the data-link frame for the selected interface and
queued for delivery. This process occurs each time the packet switches through another router. At the router connected to the network containing the destination host – in this case, C --
the packet is again encapsulated in the destination LAN‘s data-link frame type for delivery to the protocol stack on the destination host, System Y.
Multiprotocol Routing
Routers are capable of understanding address information coming from many
different types of networks and maintaining associated routing tables for several routed protocols concurrently. This capability allows a router to interleave packets from several routed protocols over the same data links.
As the router receives packets from the users on the networks using IP, it builds a routing table containing the addresses of the network of these IP users. Now some Macintosh AppleTalk users are adding to the traffic on this link of the
network. The router adds the AppleTalk addresses to the routing table. Routing tables can contain address information from multiple protocol networks.
In addition to the AppleTalk and IP users, there is also some IPX traffic from some Novell NetWare networks.
Finally, we see some DEC traffic from the VAX minicomputers attached to the Ethernet networks. Routers can pass traffic from these (and other) protocols across the common Internet.
The various routed protocols operate separately. Each uses its own routing tables to determine paths and switches packets over addressed ports in a "ships in the night" fashion; that is, each protocol operates without knowledge of or coordination with any of the other protocol operations.
Now that we have spent some time with routed protocols, let's take some time talking about routing protocols.
Routed Versus Routing Protocol
It is easy to confuse the similar terms routed protocol and routing protocol.
Routed protocols are what we have been talking about so far. A routed protocol is any network protocol suite that provides enough information in its network layer address to allow a packet to be forwarded from one host to another. Routed protocols define the format and use of the fields within a packet. Packets generally are conveyed from end system to end system. The Internet Protocol (IP) and Novell's IPX are examples of routed protocols.
Routing protocols support a routed protocol by providing mechanisms for sharing routing information. Routing protocol messages move between the routers. A routing protocol allows the routers to communicate with other routers to update and maintain their tables. Routing protocol messages do not carry end-user traffic from network to network. A routing protocol uses the routed protocol to pass information between routers. TCP/IP examples of routing protocols are the Routing Information Protocol (RIP), the Interior Gateway Routing Protocol (IGRP), and Open Shortest Path First (OSPF).
Static Versus Dynamic Routes
Routers must be aware of what links, or lines, on the network are up and running, which ones are overloaded, and which ones may even be down and unusable. There are two primary methods routers use to determine the best path to a destination: static and dynamic.
Static knowledge is administered manually: a network administrator enters it into the router's configuration. The administrator must manually update this static route entry whenever an internetwork topology change requires an update. Static knowledge is private: it is not conveyed to other routers as part of an update process.
Dynamic knowledge works differently. After the network administrator enters configuration commands to start dynamic routing, route knowledge is updated automatically by a routing process whenever new topology information is received
from the internetwork. Changes in dynamic knowledge are exchanged between routers as part of the update process.
Static Route : Uses a route that a network administrator enters into the router by hand
Dynamic Route : Uses a route that a routing protocol adjusts automatically for topology or traffic changes
Dynamic routing tends to reveal everything known about an internetwork. For security reasons, it might be appropriate to conceal parts of an internetwork. Static routing allows an internetwork administrator to specify what is advertised about restricted partitions. Two caveats apply. Leaving a network out of the routing updates only keeps other routers from learning about it; anyone who already knows the address and has a path can still reach it, so this is concealment, not access control. And the updates a router does accept need to be trusted: a router that takes routing information from any neighbor can have its table rewritten by whoever can speak the routing protocol to it, which is why dynamic routing protocols support neighbor authentication and why updates should be accepted only on interfaces that face other routers.
When an internetwork partition is accessible by only one path, a static route to the partition can be sufficient. This type of partition is called a stub network. Configuring static routing to a stub network avoids the overhead of dynamic routing.
Adapting to Topology Change
The internetwork shown in the graphic adapts differently to topology changes depending on whether it uses statically or dynamically configured knowledge. Static knowledge allows the routers to properly route a packet from network to
network. The router refers to its routing table and follows the static knowledge there to relay the packet to Router D. Router D does the same and relays the packet to
Router C. Router C delivers the packet to the destination host.
But what happens if the path between Router A and Router D fails? Obviously Router
A will not be able to relay the packet to Router D. Until Router A is reconfigured to relay packets by way of Router B, communication with the destination network is impossible.
Dynamic knowledge offers more automatic flexibility. According to the routing table generated by Router A, a packet can reach its destination over the preferred route
through Router D. However, a second path to the destination is available by way of Router B. When Router A recognizes the link to Router D is down, it adjusts its routing table, making the path through Router B the preferred path to the
destination. The routers continue sending packets over this link. When the path between Routers A and D is restored to service, Router A can once
again change its routing table to indicate a preference for the counter-clockwise path through Routers D and C to the destination network.
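Here is the four-router example above worked in added Python (not the notes' own code): a shortest-path calculation over the ring A, B, C, D with made-up link costs, in which the direct A-D link is the cheapest and therefore preferred, alongside a static next hop that the administrator fixed to D. Taking the A-D link down shows the difference the text describes: the computed (dynamic) route shifts to B, while the static route simply stops working until someone reconfigures it. The costs and the use of Dijkstra's algorithm are my choices for the illustration; the lesson does not say which routing protocol or metric its routers use.

```python
"""Static versus dynamic path selection on a four-router ring. Added example;
link costs and router names are constructed, not from the notes."""
import heapq


def shortest_path(links, source, dest):
    """Dijkstra over an undirected graph. links maps (router, router) -> cost.
    Returns the list of routers on the cheapest path, or None if unreachable."""
    adjacent = {}
    for (u, v), cost in links.items():
        adjacent.setdefault(u, []).append((v, cost))
        adjacent.setdefault(v, []).append((u, cost))
    best = {source: 0}
    previous = {}
    frontier = [(0, source)]
    while frontier:
        cost_so_far, here = heapq.heappop(frontier)
        if cost_so_far > best.get(here, float("inf")):
            continue                      # stale heap entry
        if here == dest:
            break
        for there, cost in adjacent.get(here, []):
            candidate = cost_so_far + cost
            if candidate < best.get(there, float("inf")):
                best[there] = candidate
                previous[there] = here
                heapq.heappush(frontier, (candidate, there))
    if dest not in best:
        return None
    path = [dest]
    while path[-1] != source:
        path.append(previous[path[-1]])
    return path[::-1]


def link_down(links, u, v):
    """Topology after the link between u and v fails."""
    return {pair: cost for pair, cost in links.items() if set(pair) != {u, v}}


def static_next_hop(links, router, next_hop):
    """A static route never changes: it works only while the configured
    next hop is directly reachable, and nobody updates it automatically."""
    for pair in links:
        if set(pair) == {router, next_hop}:
            return next_hop
    return None                           # traffic is black-holed until reconfigured


# The ring from the text; the A-D link is fast (cost 1), the others slow (cost 10).
RING = {("A", "B"): 10, ("B", "C"): 10, ("C", "D"): 10, ("D", "A"): 1}


def scenario():
    """Route from A to the network behind C, before and after the A-D link fails."""
    broken = link_down(RING, "A", "D")
    return {
        "dynamic_before": shortest_path(RING, "A", "C"),
        "dynamic_after": shortest_path(broken, "A", "C"),
        "static_before": static_next_hop(RING, "A", "D"),
        "static_after": static_next_hop(broken, "A", "D"),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

With the ring intact the dynamic route is A, D, C and the static next hop is D; with the A-D link gone the dynamic route becomes A, B, C while the static route has nowhere to send the packet. Whoever can inject a cheaper link cost into the table that feeds this calculation can redirect the traffic just as surely as a link failure does, which is the practical reason routing updates are authenticated.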
LAN-to-LAN Routing
Example 01:-
The next two examples will bring together many of the concepts we have discussed.
The network layer must relate to and interface with various lower layers. Routers must be capable of seamlessly handling packets encapsulated into different lower-level frames without changing the packets‘ Layer 3 addressing.
Let's look at an example of this in a LAN-to-LAN routing situation. Packet traffic from source Host 4 on Ethernet network 1 needs a path to destination Host 5 on Token Ring network 2. The LAN hosts depend on the router and its consistent network addressing to find the best path. When the router checks its routing table entries, it discovers that the best path to destination network 2 uses outgoing port To0, the interface to a Token Ring LAN.
Although the lower-layer framing must change as the router switches packet traffic from the Ethernet on network 1 to the Token Ring on network 2, the Layer 3 addressing for source and destination remains the same (in this example the destination is Net 2, Host 5) despite the different lower-layer encapsulations. The packet is then reframed and sent on to the destination Token Ring network.
LAN-to-WAN Routing
Now, let's look at an example using a Wide Area Network.
Example 02:-
The network layer must relate to and interface with various lower layers for LAN-to-
WAN traffic, as well. As an internetwork grows, the path taken by a packet might encounter several relay points and a variety of data-link types beyond the LANs. For example, in the graphic, a packet from the top workstation at address 1.3 must
traverse three data links to reach the file server at address 2.4 shown on the bottom: The workstation sends a packet to the file server by encapsulating the packet in a Token Ring frame addressed to Router A.
When Router A receives the frame, it removes the packet from the Token Ring frame, encapsulates it in a Frame Relay frame, and forwards the frame to Router B.
Router B removes the packet from the Frame Relay frame and forwards the packet to
the file server in a newly created Ethernet frame. When the file server at 2.4 receives the Ethernet frame, it extracts and passes the packet to the appropriate upper-layer process through the process of de-
encapsulation. The routers enable LAN-to-WAN packet flow by keeping the end-to-end source and
destination addresses constant while encapsulating the packet at the port to a data link that is appropriate for the next hop along the path.
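The encapsulation described in the Data Encapsulation section and the hop-by-hop re-framing in the two routing examples, carried out on real bytes as an added Python example (not from the notes). It builds an IPv4 packet with a correct header checksum, wraps it in an Ethernet frame with a CRC-32 trailer for the first LAN, has Router A strip that frame and re-frame the packet for the WAN link, has Router B strip the WAN frame and re-frame for the destination Ethernet, and shows that the source and destination IP addresses are identical at every hop while only the TTL (and therefore the header checksum) changes. The addresses and MACs are made up, the first LAN is Ethernet rather than the Token Ring of the text, and the WAN framing is a toy format of my own rather than real Frame Relay; the Ethernet and IPv4 layouts are the real ones.

```python
"""IPv4 packet encapsulated in a LAN frame, re-framed by two routers, delivered.
Added example; addresses are made up and the WAN framing is a toy format."""
import ipaddress
import struct
import zlib


def ip_checksum(header):
    """RFC 1071 one's-complement sum over the 20-byte IPv4 header. Over a header
    whose checksum field is already filled in, the result is 0."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, ttl=64, protocol=17):
    """Minimal IPv4 header (no options) in front of the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         ttl, protocol, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:] + payload


def addresses(packet):
    """(source, destination) from the network header; the routers never touch them."""
    return str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20]))


def route(packet):
    """What a router does to the packet itself: verify the header, decrement the
    TTL, recompute the checksum. The Layer 3 addresses are left as they are."""
    header, rest = packet[:20], packet[20:]
    if ip_checksum(header) != 0:
        raise ValueError("bad IPv4 header checksum")
    if header[8] <= 1:
        raise ValueError("TTL expired")
    header = header[:8] + bytes([header[8] - 1, header[9]]) + b"\x00\x00" + header[12:]
    return header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:] + rest


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ethernet_frame(dst_mac, src_mac, packet):
    """Ethernet II: destination, source, EtherType 0x0800, payload, CRC-32 FCS."""
    body = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + packet
    return body + struct.pack("<I", zlib.crc32(body))


def ethernet_unframe(frame):
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("FCS mismatch: frame corrupted in transit")
    if body[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    return body[14:]                       # the packet, exactly as it was framed


def wan_frame(packet):
    """Toy point-to-point framing (an assumption, not a real WAN protocol):
    flag byte, 2-byte length, packet, CRC-32."""
    body = b"\x7e" + struct.pack("!H", len(packet)) + packet
    return body + struct.pack("<I", zlib.crc32(body))


def wan_unframe(frame):
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("WAN frame corrupted in transit")
    length = struct.unpack("!H", body[1:3])[0]
    return body[3:3 + length]


def journey():
    """Workstation 10.1.0.3 -> Router A -> (WAN) -> Router B -> server 10.2.0.4.
    Returns (src, dst, ttl) as seen at each hop, and the delivered payload."""
    packet = build_ipv4("10.1.0.3", "10.2.0.4", b"hello mom")
    lan1 = ethernet_frame("00:00:0c:aa:aa:aa", "00:00:0c:00:00:03", packet)  # to Router A's MAC
    at_a = route(ethernet_unframe(lan1))              # Router A: strip frame, forward packet
    at_b = route(wan_unframe(wan_frame(at_a)))        # Router B, after the WAN hop
    lan2 = ethernet_frame("00:00:0c:00:00:04", "00:00:0c:bb:bb:bb", at_b)     # to the server's MAC
    delivered = ethernet_unframe(lan2)
    hops = [addresses(p) + (p[8],) for p in (packet, at_a, at_b, delivered)]
    return hops, delivered[20:]


if __name__ == "__main__":
    for hop in journey()[0]:
        print(hop)
```

Each frame's address pair is local to one link (workstation to Router A, then Router B to the server), while the packet's address pair is end to end. Note also what the checks do and do not give you: the FCS and the header checksum catch accidental corruption on the wire, but anyone who can write frames can recompute both, so neither is a defence against deliberately altered traffic.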
Layers 4–7: Transport, Session, Presentation, and Application Layers
Let's look at the upper layers of the OSI seven layer model now. Those layers are the transport, session, presentation, and application layers.
Transport Layer
Transport services allow users to segment and reassemble the data of several upper-layer applications onto the same transport layer data stream. The transport layer also establishes the end-to-end connection, from your host to another host. As the transport layer sends its segments, it can also ensure data integrity. Essentially the transport layer opens up the connection from your system through a network and then through a wide area cloud to the receiving system at the other end.
- Segments upper-layer applications
- Establishes an end-to-end connection
- Sends segments from one end host to another
- Optionally, ensures data reliability
Transport Layer— Segments Upper-Layer Applications
The transport layer has several functions. First, it segments upper-layer application information. You might have more than one application running on your desktop at a time. You might have electronic mail open while transferring a file from the Web and opening a terminal session. The transport layer keeps straight all of the information coming from these different applications.
Transport Layer— Establishes Connection
Another function of the transport layer is to establish the connection from your system to another system. When you are browsing the Web and click on a link, your system tries to establish a connection with that host. Once the connection has been established, there is some negotiation between your system and the system you are connected to about how data will be transferred. Once the negotiations are completed, data begins to transfer. As soon as the data transfer is complete, the receiving station signals the end of the transfer and your browser reports that it is done. Essentially, then, the transport layer is responsible for connecting and terminating sessions from your host to another host.
Transport Layer— Sends Segments with Flow Control
Another important function of the transport layer is to send segments and to regulate the sending and receiving of information with flow control. When a connection is established, the host begins to send segments to the receiver.
When segments arrive too quickly for a host to process, it stores them in memory temporarily. If the segments are part of a small burst, this buffering solves the problem. If the traffic continues, the host or gateway eventually exhausts its memory and must discard additional segments that arrive. Instead of losing data, the transport function can issue a "not ready" indicator to the sender. Acting like a stop sign, this indicator signals the sender to stop sending segment traffic to its peer. After the receiver has processed enough segments that its buffers can handle more, the receiver sends a "ready" transport indicator, which is like a go signal. When it receives this indicator, the sender can resume segment transmission.
Transport Layer— Reliability with Windowing
In the most basic form of reliable connection-oriented data transfer, a sequence of data segments must be delivered to the recipient in the same sequence in which they were transmitted; TCP is the protocol described here. The transfer fails if any data segments are lost, damaged, duplicated, or received in a different order. The basic solution is to have the receiving system acknowledge the receipt of every data segment.
If the sender had to wait for an acknowledgment after sending each segment, throughput would be low. Because time is available after the sender finishes
transmitting the data segment and before the sender finishes processing any received acknowledgment, the interval is used for transmitting more data. The number of data
segments the sender is allowed to have outstanding–without yet receiving an acknowledgment– is known as the window.
In this scenario, with a window size of 3, the sender can transmit three data segments before expecting an acknowledgment. Unlike this simplified graphic, there is a high probability that acknowledgments and packets will intermix as they
communicate across the network.
Transport Layer— An Acknowledgement Technique
Reliable delivery guarantees that a stream of data sent from one machine will be delivered through a functioning data link to another machine without duplication or
data loss. Positive acknowledgment with retransmission is one technique that guarantees reliable delivery of data streams. Positive acknowledgment requires a
receiving system or receiver to communicate with the source, sending back an acknowledgment message when it receives data. The sender keeps a record of each packet it sends and waits for an acknowledgment before sending the next packet.
In this example, the sender is transmitting packets 1, 2, and 3. The receiver acknowledges receipt of the packets by requesting packet number 4. The sender, upon receiving the acknowledgment sends packets 4, 5, and 6. If packet number 5
does not arrive at the destination, the receiver acknowledges with a request to resend packet number 5. The sender resends packet number 5 and must receive an
acknowledgment to continue with the transmission of packet number 7.
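The windowing and positive-acknowledgement behaviour just described, as an added Python simulation that is not part of the original notes: a sender with a window of three segments, a receiver that answers every arrival with the number of the next segment it wants (the cumulative acknowledgement TCP uses), and a constructed loss of segment 5 on its first transmission. The receiver holds segment 6 while it waits for 5, the sender retransmits only 5, and the next acknowledgement jumps to 7, exactly as in the text. The loss is simulated; nothing here touches a real network, and the sender's view of the latest acknowledgement stands in for a retransmission timer where no acknowledgement came back at all.

```python
"""Sliding window with positive acknowledgement and retransmission.
Added example; the segment loss is simulated, not observed on a real network."""


class Receiver:
    """Delivers segments in order and answers every arrival with a cumulative
    acknowledgement: the number of the next segment it is waiting for."""

    def __init__(self):
        self.expected = 1
        self.buffered = set()         # arrived early, held until the gap is filled
        self.delivered = []

    def receive(self, seq):
        if seq == self.expected:
            self.delivered.append(seq)
            self.expected += 1
            while self.expected in self.buffered:   # drain whatever is now in order
                self.buffered.remove(self.expected)
                self.delivered.append(self.expected)
                self.expected += 1
        elif seq > self.expected:
            self.buffered.add(seq)
        # seq < expected is a duplicate of something already delivered: just ACK again
        return self.expected


def transfer(total, window, lost_once=()):
    """Send segments 1..total with at most `window` outstanding at a time.
    Segments listed in lost_once are dropped the first time they are sent.
    Returns (segments put on the wire in order, ACKs heard, segments delivered)."""
    rx = Receiver()
    drop = set(lost_once)
    wire, acks = [], []
    base = 1                                       # oldest unacknowledged segment

    def send(seq):
        wire.append(seq)
        if seq in drop:
            drop.remove(seq)                       # lost in transit: no ACK comes back
            return
        acks.append(rx.receive(seq))

    while base <= total:
        last = min(base + window - 1, total)
        for seq in range(base, last + 1):          # fill the window
            send(seq)
        while rx.expected <= last:                 # the ACK names a segment that is missing
            send(rx.expected)                      # retransmit just that one
        base = rx.expected                         # slide the window forward
    return wire, acks, rx.delivered


if __name__ == "__main__":
    wire, acks, delivered = transfer(7, 3, lost_once=[5])
    print("on the wire:", wire)        # [1, 2, 3, 4, 5, 6, 5, 7]
    print("acks heard: ", acks)        # [2, 3, 4, 5, 5, 7, 8]
    print("delivered:  ", delivered)   # [1, 2, 3, 4, 5, 6, 7]
```

The acknowledgement for segment 6 still says 5, because a cumulative ACK names the first thing the receiver lacks; the single retransmission of 5 releases both 5 and the buffered 6 at once, so the next ACK asks for 7.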
Transport to Network Layer
The transport layer assumes it can use the network as a given "cloud" as segments cross from sender source to receiver destination. If we open up the functions inside the "cloud," we reveal issues like "Which of several paths is best for a given route?" We see the role that routers perform in this process, and we see the segments of Layer 4 transport further encapsulated into packets.
Session Layer
- Network File System (NFS)
- Structured Query Language (SQL)
- Remote-Procedure Call (RPC)
- X Window System
- AppleTalk Session Protocol (ASP)
- DEC Session Control Protocol (SCP)
The session layer establishes, manages, and terminates sessions among applications. This layer is primarily concerned with coordinating applications as they interact on different hosts. Some popular session layer protocols are listed here: Network File System (NFS), Structured Query Language (SQL), the X Window System; even the AppleTalk Session Protocol is part of the session layer.
Presentation Layer
The presentation layer is primarily concerned with the format of the data. Data and text can be formatted as ASCII files, as EBCDIC files, or can even be encrypted. Sound may become a MIDI file. Video files can be formatted as MPEG video files or QuickTime files. Graphics and visual images can be formatted as PICT, TIFF, JPEG, or even GIF files. So that is really what happens at the presentation layer.
Application Layer
The application layer is the highest level of the seven layer model. Computer
applications that you use on your desktop everyday, applications like word processing, presentation graphics, spreadsheets files, and database management, all sit above the application layer. Network applications and internetwork applications
allow you, as the user, to move computer application files through the network and through the internetwork.
Examples:-
COMPUTER APPLICATIONS
- Word Processor
- Presentation Graphics
- Spreadsheet
- Database
- Design/Manufacturing
- Project Planning
- Others
NETWORK APPLICATIONS
- Electronic Mail
- File Transfer
- Remote Access
- Client-Server Process
- Information Location
- Network Management
- Others
INTERNETWORK APPLICATIONS
- Electronic Data Interchange
- World Wide Web
- E-Mail Gateways
- Special-Interest Bulletin Boards
- Financial Transaction Services
- Internet Navigation Utilities
- Conferencing (Voice, Video, Data)
- Others
- SUMMARY -
- OSI reference model describes building blocks of functions for program-to-program communications between similar or dissimilar hosts
- Layers 4–7 (host layers) provide accurate data delivery between computers
- Layers 1–3 (media layers) control physical delivery of data over the network
The OSI reference model describes what must transpire for program-to-program communications to occur between even dissimilar computer systems. Each layer is responsible for providing information and services to the layer above it in the OSI reference model.
The application layer (the highest layer in the OSI model) makes network services available to actual software application programs.
The presentation layer is responsible for formatting and converting data, ensuring that data produced by one application is presentable, across the network, to another application.
The session layer is responsible for coordinating communication interactions between applications. The reliable transport layer is responsible for segmenting and multiplexing information, keeping straight all the various applications you might be using on your desktop, synchronizing the connection, flow control, error recovery, and reliability through the process of windowing. The network layer is responsible for addressing and path determination. The data link layer provides reliable transit of data across a physical link. And finally the physical layer is concerned with binary transmission.
Lesson 3: Introduction to TCP/IP
This lesson provides an introduction to TCP/IP. I am sure you've heard of TCP/IP, though you may wonder why you need to understand it. TCP/IP is the language that governs communications between all computers on the Internet. A basic understanding of TCP/IP is essential to understanding Internet technology and how it can bring benefits to an organization. We're going to explain what TCP/IP is and the different parts that make it up. We'll also discuss IP addresses.
The Agenda
- What Is TCP/IP?
- IP Addressing
What Is TCP/IP?
TCP/IP is shorthand for a suite of protocols that run on top of IP. IP is the Internet Protocol, and TCP is the most important protocol that runs on top of IP. Any
application that can communicate over the Internet is using IP, and these days most internal networks are also based on TCP/IP.
Protocols that run on top of IP include: TCP, UDP and ICMP. Most TCP/IP implementations support all three of these protocols. We‘ll talk more about them later.
Protocols that run underneath IP include SLIP and PPP. These protocols allow IP to run across telecommunications lines.
TCP/IP protocols work together to break data into packets that can be routed efficiently by the network. In addition to the data, packets contain addressing, sequencing, and error checking information. This allows TCP/IP to accurately reconstruct the data at the other end.
Here's an analogy for what TCP/IP does. Say you're moving across the country. You pack your boxes and put your new address on them. The moving company picks them up, makes a list of the boxes, and ships them across the country using the most efficient route. That might even mean putting different boxes on different trucks. When the boxes arrive at your new home, you check the list to make sure everything has arrived (and in good shape), and then you unpack the boxes and "reassemble" your house.
- A suite of protocols
- Rules that dictate how packets of information are sent across multiple networks
- Addressing
- Error checking
IP
Let‘s start with IP, the Internet Protocol.
Every computer on the Internet has at least one address that uniquely identifies it among all other computers on the Internet (aptly called its IP address). When you send or receive data, say an email message or a web page, the message is divided into chunks called packets or datagrams. Each packet contains both the source IP address and the destination IP address.
IP looks at the destination address to decide what to do next. If the destination is on the local network, IP delivers the packet directly. If the destination is not on the local network, IP passes the packet to a gateway, usually a router. Computers usually have a single default gateway. Routers frequently have several gateways from which to choose. A packet may pass through several gateways before reaching one that is on a local network with the destination.
Along the way, any router may break an IPv4 packet into several smaller fragments to fit the next transmission medium (unless the packet's Don't Fragment bit is set). For example, Ethernet usually allows packets of up to 1500 bytes, but it is not uncommon for modem-based PPP connections to allow only 256-byte packets. The last system in the chain (the destination) reassembles the original IP packet.
TCP/IP Transport Layer
Well-known ports shown in the diagram:
- 21 FTP (File Transfer Protocol)
- 23 Telnet
- 25 SMTP (Simple Mail Transfer Protocol)
- 37 Time
- 69 TFTP (Trivial File Transfer Protocol)
- 79 Finger
- 103 X.400
- 161 SNMP (Simple Network Management Protocol)
- 162 SNMP trap
Note that several of these protocols (Telnet, FTP, TFTP, Finger, and SNMPv1/v2c) carry their data, including any passwords or community strings, in cleartext.
After TCP/IP was invented and deployed, the OSI layered network model was accepted as a standard. OSI neatly divides network protocols into seven layers; the
bottom four layers are shown in this diagram. The idea was that TCP/IP was an interesting experiment, but that it would be replaced by protocols based on the OSI
model. As it turned out, TCP/IP grew like wildfire, and OSI-based protocols only caught on
in certain segments of the manufacturing community. These days, while everyone uses TCP/IP, it is common to use the OSI vocabulary.
TCP/IP Applications
- Application layer
  - File Transfer Protocol (FTP)
  - Remote Login (Telnet)
  - E-mail (SMTP)
- Transport layer
  - Transmission Control Protocol (TCP)
  - User Datagram Protocol (UDP)
- Network layer
  - Internet Protocol (IP)
- Data link & physical layer
  - LAN: Ethernet, Token Ring, FDDI, etc.
  - WAN: Serial lines, Frame Relay, X.25, etc.
Roughly, Ethernet corresponds to both the physical layer and the data link layer. Other media (T1, Frame Relay, ATM, ISDN, analog) and other protocols (SLIP, PPP) are down here as well. Roughly, IP corresponds to the network layer. Roughly, TCP and UDP correspond to the transport layer.
TCP is the most important of all the IP protocols. Most Internet applications you can think of use TCP, including Telnet, HTTP (Web), POP and SMTP (email), and FTP (file transfer).
TCP Transmission Control Protocol
TCP stands for Transmission Control Protocol.
TCP establishes a reliable connection between two applications over the network. This means that TCP guarantees accurate, sequential delivery of your data. If something goes wrong, TCP reports an error, so you always know whether your data arrived at the other end. Here's how it works:
Every TCP connection is uniquely identified by four numbers:
- source IP address
- source port
- destination IP address
- destination port
Typically, a client uses an ephemeral port chosen by its operating system, while a server listens on a "well-known" port, e.g. 25 = SMTP (email), 80 = HTTP (Web), and so on. Because this four-tuple is unique, even when many people are making requests to the same Web server, TCP/IP can identify your packets among the crowd.
In addition to the port information, each TCP segment carries a sequence number. Segments may arrive out of sequence (they may have been routed differently, or one may have been dropped), so the sequence numbers let the receiver reassemble the data in the correct order and detect missing segments, which the sender then retransmits. TCP segments also include a checksum over the header and data. A segment that fails the checksum is discarded by the receiver, and the sender retransmits it when no acknowledgment arrives. Note that this checksum is a 16-bit ones'-complement sum designed to catch accidental corruption on the line; it is not a cryptographic integrity check and gives no protection against deliberate modification in transit.
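The three mechanisms just described, as an added example that is not part of the original lesson: demultiplexing segments into connections by the four-tuple, reassembling data by sequence number with a missing segment reported, and the RFC 1071 checksum, including a demonstration that swapping two 16-bit words leaves it unchanged. The segments, addresses and ports are constructed for the demonstration (the server address is the lesson's 192.1.1.17); nothing is sent on a real network.

```python
"""Added example (not from the original lesson): TCP demultiplexing, sequence
reassembly and the Internet checksum, simulated on constructed segments."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed: the lesson's example host as a web server on port 80.
SERVER = ("192.1.1.17", 80)


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int            # sequence number of the first payload byte
    payload: bytes

    @property
    def conn_id(self):
        """The four numbers that uniquely identify a TCP connection."""
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)


def sample_segments():
    """Two clients talking to the same server port; client A's three segments
    arrive out of order. Constructed data for the demonstration."""
    a = [Segment("10.0.0.5", 51234, *SERVER, 1016, b"HTTP/1.0"),
         Segment("10.0.0.5", 51234, *SERVER, 1000, b"GET /ind"),
         Segment("10.0.0.5", 51234, *SERVER, 1008, b"ex.html ")]
    b = [Segment("10.0.0.9", 51235, *SERVER, 5000, b"GET / HT")]
    return a + b


def demux(segments):
    """Group segments by connection: how a server keeps many clients on
    port 80 apart even when their segments arrive interleaved."""
    flows = defaultdict(list)
    for s in segments:
        flows[s.conn_id].append(s)
    return dict(flows)


def reassemble(segments, isn):
    """Put payload bytes back in sequence order starting at isn.

    Returns (data, missing): data is the contiguous in-order payload, and
    missing lists (seq, length) holes that a real receiver would get
    retransmitted by not acknowledging past them."""
    expected = isn
    data = bytearray()
    missing = []
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > expected:
            missing.append((expected, s.seq - expected))
        elif s.seq == expected and not missing:
            data += s.payload
        if s.seq >= expected:
            expected = s.seq + len(s.payload)
    return bytes(data), missing


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones'-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_detects_bit_flip(data: bytes, byte_index: int, bit: int) -> bool:
    """A single flipped bit always changes the checksum (a line error)."""
    flipped = bytearray(data)
    flipped[byte_index] ^= 1 << bit
    return internet_checksum(bytes(flipped)) != internet_checksum(data)


def checksum_detects_word_swap(data: bytes, i: int, j: int) -> bool:
    """Swapping two 16-bit words never changes the checksum, because addition
    is commutative. It catches random corruption, not rearrangement or
    deliberate tampering; that needs a cryptographic MAC at a higher layer."""
    if len(data) % 2:
        data += b"\x00"
    words = [data[k:k + 2] for k in range(0, len(data), 2)]
    words[i], words[j] = words[j], words[i]
    return internet_checksum(b"".join(words)) != internet_checksum(data)


if __name__ == "__main__":
    for conn, segs in demux(sample_segments()).items():
        print(conn, reassemble(segs, min(s.seq for s in segs)))
    req = b"GET /index.html HTTP/1.0"
    print(hex(internet_checksum(req)), checksum_detects_word_swap(req, 0, 5))
```

Dropping the middle segment of client A's request makes `reassemble` return only the first 8 bytes plus the hole `(1008, 8)`, which is exactly the information a receiver uses to keep acknowledging sequence number 1008 until the sender retransmits.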
UDP User Datagram Protocol
- Unreliable
- Fast
- Assumes application will retransmit on error
- Often used in diskless workstations
UDP is a fast, unreliable protocol that is suitable for some applications.
Unreliable means there is no sequencing and no guaranteed delivery (no automatic retransmission of lost datagrams). The UDP checksum is optional in IPv4 (a sender may set it to zero) and mandatory in IPv6.
Fast means there is no connection setup time, unlike TCP. In reality, once a TCP session is established, packets go just as fast over a TCP connection as over UDP.
UDP is useful for applications such as streaming audio that can tolerate dropped packets, and for applications such as TFTP that do their own sequencing and acknowledgments. Applications such as NFS, which usually run on very reliable physical networks and need fast, connectionless transactions, also use UDP.
ICMP Ping
Ping is an example of a program that uses ICMP rather than TCP or UDP. Ping sends
an ICMP echo request from one system to another, then waits for an ICMP echo reply. It is mostly used for testing.
IPv4 Addressing
Most IP addresses today use IP version 4; we'll talk about IP version 6 later. IPv4 addresses are 32 bits long and are usually written in "dotted decimal" notation, for example 192.1.1.17.
The Internet is actually a lot of small local networks connected together. Part of an IP address identifies the local network, and part identifies a specific system or host on that network. Which part of an address is the "network" and which part is the "host" is determined by the address class or by the subnet mask.
IP Addressing—Three Classes
- Class A: NET.HOST.HOST.HOST
- Class B: NET.NET.HOST.HOST
- Class C: NET.NET.NET.HOST
Before the introduction of subnet masks, the only way to tell the network part of an
IP address from the host part was by its class. Class A addresses have 8 bits (one octet) for the network part and 24 bits for the host
part. This allows for a small number of large networks. Class B addresses have 16 bits each for the network and host parts.
Class C addresses have 24 bits for the network and 8 bits for the host. This allows for a fairly large number of networks with up to 254 systems on each.
To summarize: IPv4 addresses are 32 bits with a network part and a host part.
Unless you are using subnets, you divide an IP address into the network and host parts based on the address class.
The network part of an address is used for routing packets over the Internet. The host part is used for final delivery on the local net.
IP Addressing—Class A
Here's an example of a class A address. Any IPv4 address in which the first octet is less than 128 is by definition a class A address.
This address is for host #222.135.17 on network #10, although the host is always referred to by its full address.
Example: 10.222.135.17
- Network # 10
- Host # 222.135.17
- Range of class A network IDs: 1–126 (0 and 127 are reserved)
- Number of available hosts per network: 16,777,214
IP Addressing—Class B
Here's an example of a class B address. Any IPv4 address in which the first octet is between 128 and 191 is by definition a class B address.
Example: 128.128.141.245
- Network # 128.128
- Host # 141.245
- Range of class B network IDs: 128.1–191.254
- Number of available hosts per network: 65,534
IP Addressing—Class C
Here's an example of a class C address. IPv4 addresses in which the first octet is between 192 and 223 are class C addresses; the higher first-octet ranges are reserved for multicast (class D, 224–239) and for experimental use (class E, 240–255).
Example: 192.150.12.1
- Network # 192.150.12
- Host # 1
- Range of class C network IDs: 192.0.1–223.255.254
- Number of available hosts per network: 254
IP Subnetting
As it turns out, dividing IP addresses into classes A, B and C is not flexible enough. In particular, it does not make efficient use of the available IP addresses and it does
not give network administrators enough control over their internal LAN configurations.
In this diagram, the class B network 131.108 is split (probably into 256 subnets), and a router connects the 131.108.2 subnet to the 131.108.3 subnet.
IP Subnet Mask
A subnet mask tells a computer or a router how to divide a range of IP addresses into the network part and the host part.
Given:
Address = 131.108.2.160
Subnet Mask = 255.255.255.0
Subnet = 131.108.2.0
In this example, without a subnet mask the address would be treated as class B and the network number would be 131.108. But because someone supplied a subnet mask of 255.255.255.0, the network number is actually 131.108.2 (in today's prefix notation, 131.108.2.0/24).
These days, routers and computers always use a subnet mask when one is supplied. If there is no subnet mask for an address, the class A, B, C scheme is used.
Remember that a network mask determines which portion of an IP address identifies the (classful) network and which portion identifies the host, while a subnet mask describes which portion of the address refers to the subnet and which part refers to the host on that subnet.
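The classful split, the subnet mask arithmetic, and the "local or via gateway?" decision from the IP section above, worked with explicit bit operations. This is an added example, not code from the lesson; it uses only the standard library, and the addresses are the lesson's own examples (the gateway address 131.108.2.1 is a constructed assumption).

```python
"""Added example (not part of the lesson): classful network/host split, subnet
mask arithmetic, and IP's direct-vs-gateway forwarding decision."""
import ipaddress

CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def address_class(dotted: str) -> str:
    """The class is decided by the first octet alone (the historical rule)."""
    first = to_int(dotted) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"        # multicast
    return "E"            # reserved


def prefix_to_mask(prefix: int) -> int:
    """prefix leading one bits followed by zeros, as a 32-bit integer."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Check that a dotted mask is a run of ones then zeros; return the run length.
    A non-contiguous mask such as 255.0.255.0 is rejected."""
    m = to_int(mask)
    prefix = bin(m).count("1")
    if m != prefix_to_mask(prefix):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def split(dotted: str, mask=None):
    """Return (network, host_number, prefix_len, usable_hosts).

    With no mask the address class decides the split (the old rule). With a
    mask, the mask decides and the class is ignored, which is what hosts and
    routers do today."""
    prefix = mask_to_prefix(mask) if mask else CLASSFUL_PREFIX[address_class(dotted)]
    m = prefix_to_mask(prefix)
    addr = to_int(dotted)
    usable = (1 << (32 - prefix)) - 2      # all-zeros and all-ones are not hosts
    return to_dotted(addr & m), addr & ~m & 0xFFFFFFFF, prefix, usable


def next_hop(src: str, dst: str, mask: str, gateway: str) -> str:
    """IP's forwarding decision on a host: deliver directly if dst shares our
    (sub)network under the mask, otherwise hand the packet to the gateway."""
    m = prefix_to_mask(mask_to_prefix(mask))
    return "direct" if (to_int(src) & m) == (to_int(dst) & m) else gateway


if __name__ == "__main__":
    for a in ("10.222.135.17", "128.128.141.245", "192.150.12.1"):
        print(a, "class", address_class(a), split(a))
    print(split("131.108.2.160"))                       # classful: 131.108.0.0 /16
    print(split("131.108.2.160", "255.255.255.0"))      # masked:   131.108.2.0 /24
    print(next_hop("131.108.2.160", "131.108.3.9", "255.255.255.0", "131.108.2.1"))
```

Running `split("131.108.2.160")` with and without the mask shows the two answers the text contrasts: class B gives network 131.108.0.0 with 65,534 hosts, while the mask 255.255.255.0 gives 131.108.2.0 with 254 hosts, and a destination in 131.108.3.0 is then sent to the gateway rather than delivered directly.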
IP Address Assignment
- ISPs assign addresses to customers
- IANA assigns addresses to ISPs
- CIDR block: bundle of addresses
Historically, an organization was assigned a class A, B or C network and carried that address around. This is no longer the case.
Usually an organization is assigned IP addresses by its ISP. If an organization changes ISPs, it changes IP addresses. This is usually not a problem, since most people refer to hosts by DNS name rather than by IP address. For example, www.acme.com might point to 192.1.1.1 today and to 128.7.7.7 tomorrow, but nobody other than the system administrator at acme.com has to worry about it.
IANA, the Internet Assigned Numbers Authority, allocates address space to ISPs (today through the regional Internet registries). These days no one gets a class A or a class B network; they are pretty much all gone. Instead, 8, 16 or 32 consecutive class C networks are bundled together into a CIDR (pronounced "cider") block. CIDR stands for Classless Inter-Domain Routing: a block is written as a prefix and a length, such as 192.1.0.0/21 for eight class C networks, and routing on prefixes rather than classes greatly simplifies routing among the Internet backbones. CIDR blocks are sometimes called supernets (as opposed to subnets).
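What bundling class C networks into a CIDR block looks like, and the longest-prefix-match lookup that classless routing relies on, as an added example (not the lesson's own code). It uses only the standard library; the 192.1.x.0 networks, the routing table and the next-hop names are constructed for the demonstration.

```python
"""Added example (not from the lesson): CIDR aggregation of class C networks
and longest-prefix-match routing over the resulting prefixes."""
import ipaddress


def aggregate(networks):
    """Collapse a list of networks into the fewest CIDR blocks covering exactly
    the same addresses. Eight aligned, consecutive /24s become one /21; a set
    that is not aligned on a power-of-two boundary stays partly split."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def class_c_block(first_network: str, count: int) -> str:
    """The 'bundle N class C networks' rule: N must be a power of two and the
    first network must be aligned to it; the result is a /(24 - log2 N)."""
    if count < 1 or count & (count - 1):
        raise ValueError("count must be a power of two")
    prefix = 24 - (count.bit_length() - 1)
    block = ipaddress.IPv4Network(f"{first_network}/{prefix}", strict=False)
    if str(block.network_address) != first_network:
        raise ValueError(f"{first_network} is not aligned to a /{prefix}")
    return str(block)


def longest_prefix_match(dest: str, table):
    """Classless routing: among all entries whose prefix contains dest, pick
    the most specific (longest) one. table is a list of (prefix, next_hop)."""
    addr = ipaddress.IPv4Address(dest)
    best = None
    for prefix, hop in table:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


# Constructed routing table: a default route, an ISP-sized CIDR block, and one
# customer network carved out of that block.
ROUTES = [
    ("0.0.0.0/0", "default"),
    ("192.1.0.0/21", "isp-a"),
    ("192.1.3.0/24", "customer-x"),
]


if __name__ == "__main__":
    eight = [f"192.1.{i}.0/24" for i in range(8)]
    print(aggregate(eight))                      # ['192.1.0.0/21']
    print(aggregate([f"192.1.{i}.0/24" for i in range(1, 9)]))
    for d in ("192.1.3.9", "192.1.5.1", "8.8.8.8"):
        print(d, "->", longest_prefix_match(d, ROUTES))
```

The shifted set 192.1.1.0 through 192.1.8.0 is eight networks too, but it cannot be expressed as one prefix, which is why a registry hands out aligned blocks. In the lookup, 192.1.3.9 matches both the /21 and the /24 and goes to the more specific customer route.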
IPv6 Addressing
- 128-bit addresses
- 340,282,366,920,938,463,463,374,607,431,768,211,456 (2^128) addresses
Example 1: 5F1B:DF00:CE3E:E200:0020:0800:5AFC:2B36
Example 2: 0:0:0:0:0:0:192.1.1.17
With the explosive growth of the Internet, there are not enough IPv4 addresses to go around. IPv6 has been standardized, and many organizations are migrating. While IPv6 has a number of nice features, its biggest claim to fame is a huge number of IP addresses. IPv4 addresses are only 32 bits; IPv6 addresses are 128 bits.
To ease migration, IPv6 can carry any IPv4 address in its low 32 bits, as in the second example above (the "IPv4-compatible" form, also written ::192.1.1.17; this form was later deprecated in favor of the IPv4-mapped form ::ffff:192.1.1.17). Most network applications need small modifications to accommodate IPv6.
- SUMMARY -
- TCP/IP is a suite of protocols
- TCP/IP defines communications between computers on the Internet
- IP determines where packets are routed based on their destination address
- TCP ensures packets arrive correctly at their destination
Lesson 4: LAN Basics
In this lesson, we will cover the fundamentals of LAN technologies. We‘ll look at
Ethernet, Token Ring, and FDDI. For each one, we‘ll look at the technology as well as its operations.
The Agenda
- Ethernet
- Token Ring
- FDDI
Common LAN Technologies
The three LAN technologies shown here account for virtually all deployed LANs: The most popular local area networking protocol today is Ethernet. Most network
administrators building a network from scratch use Ethernet as a fundamental technology.
Token Ring technology is widely used in IBM networks.
FDDI networks are popular for campus LANs – and are usually built to support high
bandwidth needs for backbone connectivity.
Let‘s take a look at Ethernet in detail.
Ethernet
Ethernet and IEEE 802.3
Ethernet was initially developed by Xerox. Xerox was later joined by Digital Equipment Corporation (DEC) and Intel to publish the DIX Ethernet Version 1 specification in 1980. There have been further revisions, including the IEEE 802.3 standard, which defines rules for configuring Ethernet as well as specifying how elements in an Ethernet network interact with one another.
Ethernet is the most popular physical layer LAN technology because it strikes a good balance between speed, cost, and ease of installation. These strong points, combined with wide acceptance in the computer marketplace and the ability to support virtually all popular network protocols, make Ethernet an ideal networking technology for most computer users today.
The Fast Ethernet standard (IEEE 802.3u) was established for networks that need higher transmission speeds. It raises the Ethernet speed limit from 10 Mbps to 100 Mbps with only minimal changes to the existing cable structure. Incorporating Fast Ethernet into an existing configuration presents a host of decisions for the network manager. Each site in the network must determine the number of users that really need the higher throughput, decide which segments of the backbone need to be reconfigured specifically for 100BaseT, and then choose the necessary hardware to connect the 100BaseT segments with existing 10BaseT segments.
Gigabit Ethernet is an extension of the IEEE 802.3 Ethernet standard. It increases speed tenfold over Fast Ethernet, to 1000 Mbps, or 1 Gbps.
Benefits and background
- Ethernet is the most popular physical layer LAN technology because it strikes a good balance between speed, cost, and ease of installation
- Supports virtually all network protocols
- Xerox initiated, then joined by DEC & Intel in 1980
Revisions of Ethernet specification
- Fast Ethernet (IEEE 802.3u) raises speed from 10 Mbps to 100 Mbps
- Gigabit Ethernet is an extension of IEEE 802.3 which increases speed to 1000 Mbps, or 1 Gbps
One thing to keep in mind with Ethernet is that several framing variations exist for this common LAN technology (for example the original DIX "Ethernet II" frame and the IEEE 802.3 frame). These differences do not prevent manufacturers from developing network interface cards that support the common physical layer, with software that recognizes the differences between the two data link framings.
Ethernet Protocol Names
Ethernet protocol names follow a fixed scheme. The number at the beginning of the name indicates the wire speed in Mbps. If the word "Base" appears next, the protocol is for baseband signaling; if the word "Broad" appears, the protocol is for broadband signaling. The alphanumeric code at the end of the name indicates the type of cable and, in some cases, the segment length. If a number appears alone, you can estimate the maximum segment length by multiplying that number by 100 meters. For example, 10Base2 has a nominal maximum segment length of 200 meters (2 x 100 meters; the standard actually specifies 185 m), and 10Base5 allows 500 meters.
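A parser for the naming scheme just described, as an added example that is not part of the lesson. The media-code table covers the codes this lesson mentions (T, TX, T4, FX, SX, LX, CX) with their standard meanings; the segment-length field applies the lesson's "number times 100 m" rule and records the one case on this page where the standard's actual limit differs (10BASE2, 185 m).

```python
"""Added example (not from the lesson): parse IEEE 802.3 style names such as
10Base2, 100BaseTX, 10Broad36 into speed, signaling, media and segment length."""
import re

NAME_RE = re.compile(r"^(?P<speed>\d+)(?P<band>base|broad)(?P<media>[0-9a-z]+)$",
                     re.IGNORECASE)

# Media codes used in this lesson, with their standard meanings.
MEDIA = {
    "T": "unshielded twisted pair",
    "TX": "two-pair Category 5 UTP",
    "T4": "four-pair Category 3 UTP",
    "FX": "multimode fiber",
    "SX": "short-wavelength laser over multimode fiber",
    "LX": "long-wavelength laser over single-mode or multimode fiber",
    "CX": "shielded 150-ohm balanced copper",
}

# Where the standard's real limit differs from the "x 100 m" rule of thumb.
ACTUAL_SEGMENT_M = {"10BASE2": 185}


def parse_ethernet_name(name: str) -> dict:
    """Split e.g. '10Base2' into its parts. Numeric media codes give a nominal
    segment length of code x 100 m; letter codes give a cable type and no
    length. Raises ValueError for names that do not follow the scheme."""
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an 802.3-style name: {name!r}")
    speed = int(m.group("speed"))
    band = m.group("band").upper()           # BASE or BROAD
    media = m.group("media").upper()
    canonical = f"{speed}{band}{media}"
    nominal = int(media) * 100 if media.isdigit() else None
    return {
        "name": canonical,
        "speed_mbps": speed,
        "signaling": "baseband" if band == "BASE" else "broadband",
        "media": MEDIA.get(media, media),
        "nominal_segment_m": nominal,
        "actual_segment_m": ACTUAL_SEGMENT_M.get(canonical, nominal),
    }


if __name__ == "__main__":
    for n in ("10Base5", "10Base2", "10BaseT", "100BaseTX", "1000BaseSX", "10Broad36"):
        print(parse_ethernet_name(n))
```

Names with a letter code (10BaseT, 100BaseTX, 1000BaseSX) report no segment length from the name alone; their limits come from the cable specification, which is the "chart" the next section refers to.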
Ethernet and Fast Ethernet
This chart gives you an idea of the range of Ethernet protocols, including their data rate, maximum segment length, and medium.
Ethernet has survived as an essential media technology because of its tremendous flexibility and its relative simplicity to implement and understand. Although other technologies have been touted as likely replacements, network managers have turned to Ethernet and its derivatives as effective solutions for a range of campus implementation requirements. To resolve Ethernet's limitations, innovators (and standards bodies) have created progressively larger Ethernet pipes. Critics might dismiss Ethernet as a technology that cannot scale, but its underlying transmission scheme continues to be one of the principal means of transporting data for contemporary campus applications.
The most popular variants today are 10BaseT and 100BaseT, 10 Mbps and 100 Mbps respectively, both using UTP wiring. Let's take a look at how Ethernet works.
Ethernet Operation
Example:
Let's say that station A is going to send information to station D. Station A listens through its NIC to the network. If no other station is transmitting, station A sends its frame out onto the shared medium.
Stations B, C and D all receive the transmission.
At the data link layer each station inspects the destination MAC address. Station D sees that the MAC address matches its own and processes the frame up through the rest of the layers of the seven layer model.
Stations B and C also pull the frame up to their data link layers and inspect the MAC address. Seeing no match between the destination MAC address and their own, they discard the frame. Note that on a shared medium like this, every station physically receives every frame; the filtering is a decision made by the receiving adapter.
Ethernet Broadcast
Broadcasting is a powerful tool that sends a single frame to many stations at the same time. Broadcasting uses a data link destination address of all 1s (FF:FF:FF:FF:FF:FF). In this example, station A transmits a frame with a destination address of all 1s; stations B, C, and D all receive the frame and pass it to their respective upper layers for further processing.
When improperly used, however, broadcasting can seriously impact the performance of stations by interrupting them unnecessarily. For this reason, broadcasts should be used only when the MAC address of the destination is unknown or when the destination is all stations.
Ethernet Reliability
Ethernet is known as a very reliable local area networking protocol. In this example, A is transmitting information and B also has information to transmit. Let's say that A and B listen to the network, hear no traffic, and transmit at the same time. A collision occurs when these two frames run into one another on the network. Both transmissions are corrupted and unusable.
A station that is still transmitting when it detects the collision (here A and B, which see the signal on the wire differ from what they are sending) stops sending its frame and sends out a short jam signal that makes sure every station on the segment recognizes the collision.
Once the jam signal has been received and recognized by all of the stations on the network, stations A and B each back off for a different, randomly chosen amount of time before they try to retransmit. This technique is known as Carrier Sense Multiple Access with Collision Detection (CSMA/CD).
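A small model of the shared-medium behaviour described in the Ethernet Operation, Broadcast and Reliability sections above, as an added example that is not part of the lesson: every station on the segment receives every frame, the destination MAC decides what is passed up, and colliding stations back off for random, different times. The promiscuous-mode station goes beyond the lesson's scenario; it is how a sniffer on a shared segment sees other stations' unicast traffic. MAC addresses and frames are constructed.

```python
"""Added example (not from the lesson): MAC filtering, broadcast and CSMA/CD
backoff on a shared Ethernet segment, with constructed stations and frames."""
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"      # data link destination of all 1s


class Station:
    def __init__(self, name, mac, promiscuous=False):
        self.name = name
        self.mac = mac.lower()
        self.promiscuous = promiscuous   # assumption: a sniffer, not in the lesson
        self.received = []

    def receive(self, frame) -> bool:
        """Data link decision: pass the frame up if it is addressed to us or to
        everyone; otherwise drop it. A promiscuous adapter keeps everything."""
        dst = frame["dst"].lower()
        accept = self.promiscuous or dst == self.mac or dst == BROADCAST
        if accept:
            self.received.append(frame)
        return accept


def transmit(frame, stations):
    """Shared medium: every station sees the frame. Returns the names of the
    stations that passed it up to their upper layers."""
    return [s.name for s in stations if s.receive(frame)]


def make_lan():
    """Constructed stations A..D with locally administered MAC addresses."""
    return {n: Station(n, f"02:00:00:00:00:0{i}") for i, n in enumerate("ABCD", start=1)}


def backoff_slots(attempt: int, rng=None) -> int:
    """Truncated binary exponential backoff (CSMA/CD): after the n-th collision
    wait a random number of slot times in [0, 2**min(n, 10) - 1]; after 16
    attempts the frame is dropped and the error reported upward."""
    if attempt > 16:
        raise RuntimeError("excessive collisions, frame discarded")
    rng = rng or random.Random()
    return rng.randrange(2 ** min(attempt, 10))


def resolve_collision(names, seed=0):
    """Colliding stations retry until one picks a strictly shorter wait and
    gets the wire to itself. Returns (winner, attempts_needed)."""
    rng = random.Random(seed)
    attempt = 1
    while True:
        picks = {n: backoff_slots(attempt, rng) for n in names}
        shortest = min(picks.values())
        winners = [n for n, p in picks.items() if p == shortest]
        if len(winners) == 1:
            return winners[0], attempt
        attempt += 1                  # same slot chosen: they collide again


if __name__ == "__main__":
    lan = make_lan()
    others = [lan[n] for n in "BCD"]
    print(transmit({"src": lan["A"].mac, "dst": lan["D"].mac, "payload": b"hello D"}, others))
    print(transmit({"src": lan["A"].mac, "dst": BROADCAST, "payload": b"to everyone"}, others))
    print(resolve_collision(["A", "B"]))
```

Adding a fifth station built with `promiscuous=True` to the segment makes `transmit` report it alongside D for the unicast frame: nothing in the medium prevented it from receiving the frame, only the adapter's filter, which is why shared segments offer no confidentiality between stations.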
High-Speed Ethernet Options
- Fast Ethernet
- Fast EtherChannel®
- Gigabit Ethernet
- Gigabit EtherChannel
We‘ve mentioned that Ethernet also has high speed options that are currently
available. Fast Ethernet is used widely at this point and provides customers with 100 Mbps performance, a ten-fold increase. Fast EtherChannel is a Cisco value-added feature that provides bandwidth up to 800 Mbps. There is now a standard for Gigabit
Ethernet as well and Cisco provides Gigabit Ethernet solutions with 1000 Mbps performance.
Let‘s look more closely at Fast EtherChannel and Gigabit Ethernet.
What Is Fast EtherChannel?
Grouping of multiple Fast Ethernet interfaces into one logical transmission path
- Scalable bandwidth up to 800+ Mbps
- Using industry-standard Fast Ethernet
- Load balancing across parallel links
- Extendable to Gigabit Ethernet
Fast EtherChannel provides a solution for network managers who require higher bandwidth between servers, routers, and switches than Fast Ethernet technology can
currently provide. Fast EtherChannel is the grouping of multiple Fast Ethernet interfaces into one logical transmission path providing parallel bandwidth between switches, servers,
and Cisco routers. Fast EtherChannel provides bandwidth aggregation by combining parallel 100-Mbps Ethernet links (200-Mbps full-duplex) to provide flexible, incremental bandwidth between network devices.
For example, network managers can deploy Fast EtherChannel consisting of pairs of full-duplex Fast Ethernet to provide 400+ Mbps between the wiring closet and the
data center, while in the data center bandwidths of up to 800 Mbps can be provided between servers and the network backbone to provide large amounts of scalable incremental bandwidth.
Cisco‘s Fast EtherChannel technology builds upon standards-based 802.3 full-duplex Fast Ethernet. It is supported by industry leaders such as Adaptec, Compaq, Hewlett-
Packard, Intel, Micron, Silicon Graphics, Sun Microsystems, and Xircom and is scalable to Gigabit Ethernet in the future.
What Is Gigabit Ethernet?
In some cases, Fast EtherChannel technology may not be enough.
The old 80/20 rule of network traffic (80 percent of traffic was local, 20 percent was over the backbone) has been inverted by intranets and the World Wide Web. The rule
of thumb today is to plan for 80 percent of the traffic going over the backbone.
Gigabit networking is important to accommodate these evolving needs. Gigabit Ethernet builds on the Ethernet protocol but increases speed tenfold over
Fast Ethernet, to 1000 Mbps, or 1 Gbps. It promises to be a dominant player in high-speed LAN backbones and server connectivity. Because Gigabit Ethernet significantly leverages on Ethernet, network managers will be able to leverage their existing
knowledge base to manage and maintain Gigabit networks.
The Gigabit Ethernet spec addresses four forms of transmission media, though not all are available yet:
- 1000BaseLX: Long-wave (LW) laser over single-mode and multimode fiber
- 1000BaseSX: Short-wave (SW) laser over multimode fiber
- 1000BaseCX: Transmission over balanced shielded 150-ohm 2-pair STP copper cable
- 1000BaseT: Category 5 UTP copper wiring
Gigabit Ethernet allows Ethernet to scale from 10 Mbps at the desktop, to 100 Mbps to the workgroup, to 1000 Mbps in the data center. By leveraging the current Ethernet standards as well as the installed base of Ethernet and Fast Ethernet switches and routers, network managers do not need to retrain and relearn a new technology to provide support for Gigabit Ethernet.
Token Ring (IEEE 802.5)
The Token Ring network was originally developed by IBM in the 1970s. It is still
IBM‘s primary LAN technology and is second only to Ethernet in general LAN popularity. The related IEEE 802.5 specification is almost identical to and completely
compatible with IBM‘s Token Ring network. Collisions cannot occur in Token Ring networks. Possession of the token grants the
right to transmit. If a node receiving the token has no information to send, it passes the token to the next end station. Each station can hold the token for a maximum
period of time. Token-passing networks are deterministic, which means that it is possible to calculate the maximum time that will pass before any end station will be able to
transmit. This feature and several reliability features make Token Ring networks ideal for applications where delay must be predictable and robust network operation is important. Factory automation environments are examples of such applications.
Token Ring is more difficult and costly to implement. However, as the number of users in a network rises, Token Ring‘s performance drops very little. In contrast,
Ethernet‘s performance drops significantly as more users are added to the network.
Token Ring Bandwidth
Here are some of the speeds associated with Token Ring. Note that Token Ring runs at 4 Mbps or 16 Mbps. Today, most networks operate at 16 Mbps. If a network
contains even one component with a maximum speed of 4 Mbps, the whole network must operate at that speed. When Ethernet first came out, networking professionals believed that Token Ring
would die, but this has not happened. Token Ring is primarily used with IBM networks running Systems Network Architecture (SNA) networking operating
systems. Token Ring has not yet left the market because of the huge installed base of IBM mainframes being used in industries such as banking. The practical difference between Ethernet and Token Ring is that Ethernet is much
cheaper and simpler. However, Token Ring is more elegant and robust.
Token Ring Topology
The logical topology of an 802.5 network is a ring in which each station receives signals from its nearest active upstream neighbor (NAUN) and repeats those signals
to its downstream neighbor. Physically, however, 802.5 networks are laid out as stars, with each station connecting to a central hub called a multistation access unit
or MAU. The stations connect to the central hub through shielded or unshielded twisted-pair wire. Typically, a MAU connects up to eight Token Ring stations. If a Token Ring network
consists of more stations than a MAU can handle, or if stations are located in different parts of a building–for example on different floors–MAUs can be chained together to create an extended ring. When installing an extended ring, you must
ensure that the MAUs themselves are oriented in a ring. Otherwise, the Token Ring will have a break in it and will not operate.
Token Ring Operation
Station access to a Token Ring is deterministic; a station can transmit only when it receives a special frame called a token. One station on a token ring network is designated as the active monitor. The active monitor prepares a token, a short three-byte frame (start delimiter, access control, end delimiter) that has significance to every network interface card on the ring. The active monitor passes the token into the multistation access unit, which passes it to the first downstream neighbor.
Let's say that station A has something to transmit. Station A seizes the token and appends its data, then sends the resulting frame back to the multistation access unit. The MAU pushes the frame to the next downstream neighbor, and this process is repeated until the frame reaches the destination for which it is intended.
If a station receiving the token has no information to send, it simply passes the token to the next station. If a station possessing the token has information to transmit, it claims the token by altering one bit of the frame, the T (token) bit in the access control field. The station then appends the information it wishes to transmit and sends the information frame to the next station on the ring.
The information frame circulates the ring until it reaches the destination station, where the frame is copied by the station and tagged as having been copied. The information frame continues around the ring until it returns to the station that originated it, which removes it and releases a new token. Because frames proceed serially around the ring, and because a station must claim the token before transmitting, collisions do not occur in a Token Ring network.
Broadcasting is supported in the form of a special mechanism known as explorer frames. In source-route bridged networks these are flooded to locate a route to a destination through one or more source-route bridges.
- Token Ring Summary -
- Reliable transport, no collisions
- Token passing/token seizing
- 4- or 16-Mbps transport
- Little performance impact with increased number of users
- Popular at IBM-oriented sites such as banks and automated factories
FDDI - Fiber Distributed Data Interface
FDDI is an American National Standards Institute (ANSI) standard that defines a dual Token Ring LAN operating at 100 Mbps over an optical fiber medium. It is used primarily for corporate and carrier backbones.
Token Ring and FDDI share several characteristics including token passing and a ring architecture which were explored in the previous section on Token Ring.
Copper Distributed Data Interface (CDDI) is the implementation of FDDI protocols over STP and UTP cabling. CDDI transmits over relatively short distances (about 100 meters), providing data rates of 100 Mbps using a dual-ring architecture to provide
redundancy. While FDDI is fast, reliable, and handles a lot of data well, its major problem is the
use of expensive fiber-optic cable. CDDI addresses this problem by using UTP or STP. However, notice that the maximum segment length drops significantly. FDDI was developed in the mid-1980s to fill the needs of growing high-speed
engineering workstation capacity and network reliability. Today, FDDI is frequently used as a high-speed backbone technology because of its support for high bandwidth and greater distances than copper.
FDDI Network Architecture
FDDI uses a dual-ring architecture. Traffic on each ring flows in opposite directions (called counter-rotating). The dual-rings consist of a primary and a secondary ring. During normal operation, the primary ring is used for data transmissions, and the
secondary ring remains idle. The primary purpose of the dual rings is to provide superior reliability and robustness.
One of the unique characteristics of FDDI is that multiple ways exist to connect devices to the ring. FDDI defines three types of devices: single-attachment station
(SAS) such as PCs, dual attachment station (DAS) such as routers and servers, and a concentrator.
- Dual-ring architecture
- Primary ring for data transmissions
- Secondary ring for reliability and robustness
- Components
- Single attachment station (SAS)—PCs
- Dual attachment station (DAS)—Servers
- Concentrator
- FDDI concentrator
- Also called a dual-attached concentrator (DAC)
- Building block of an FDDI network
- Attaches directly to both rings and ensures that any SAS failure or power-down does not bring down the ring
An FDDI concentrator (also called a dual-attachment concentrator [DAC]) is the building block of an FDDI network. It attaches directly to both the primary and secondary rings and ensures that the failure or power-down of any single attachment station (SAS) does not bring down the ring. This is particularly useful when PCs, or similar devices that are frequently powered on and off, connect to the ring.
- FDDI Summary -
- Features
- 100-Mbps token-passing network
- Single-mode fiber (100 km), multimode fiber (2 km)
- CDDI transmits at 100 Mbps over about 100 m
- Dual-ring architecture for reliability
- Optical fiber advantages versus copper
- Security, reliability, and performance are enhanced because fiber does not radiate electrical signals: it is immune to electrical interference and cannot be monitored with a passive inductive tap the way copper can (a fiber can still be tapped by someone with physical access to the cable, so this is a barrier, not a guarantee)
- Much higher bandwidth than copper
- Used for corporate and carrier backbones
- Summary -
- LAN technologies include Ethernet, Token Ring, and FDDI
- Ethernet
- Most widely used
- Good balance between speed, cost, and ease of installation
- 10 Mbps to 1000 Mbps
- Token Ring
- Primarily used with IBM networks
- 4 Mbps to 16 Mbps
- FDDI
- Primarily used for corporate backbones
- Supports longer distances
- 100 Mbps
Lesson 5: Understanding LAN Switching
This lesson covers an introduction to switching technology.
The Agenda
- Shared LAN Technology
- LAN Switching Basics
- Key Switching Technologies
We'll begin by looking at traditional shared LAN technologies. We'll then look at LAN switching basics, and then some key switching technologies, such as spanning tree and multicast controls.
Let's begin our discussion by reviewing shared LAN technologies.
Shared LAN Technology
Early Local Area Networks
The earliest Local Area Network technologies that were installed widely were either thick Ethernet or thin Ethernet infrastructures, and it's important to understand some of the limitations of these to see where we are today with LAN switching. With thick Ethernet installations there were some important limitations, such as distance. Early thick Ethernet networks were limited to only 500 meters before the signal degraded. In order to extend beyond the 500-meter distance, you had to install repeaters to boost and amplify the signal. There were also limitations on the number of stations and servers we could have on our network, as well as the placement of those workstations on the network.
The cable itself was relatively expensive. It was also large in diameter, which made it difficult, or at least more challenging, to install throughout the building as we pulled it through the walls and ceilings and so on. As far as adding new users, it was relatively simple: you could use what was known as a non-intrusive tap (a vampire tap) to plug in a new station anywhere along the cable. In terms of the capacity that was provided by this thick Ethernet network, it provided 10 megabits per second, but this was shared bandwidth, meaning that that 10 megabits was shared amongst all users on a given segment.
A slight improvement to thick Ethernet was thin Ethernet technology, commonly referred to as Cheapernet. This was less expensive and required less space in terms of installation than thick Ethernet because the cable was actually thinner in diameter, which is where the name thin Ethernet came from. It was still relatively challenging to install, though, as it sometimes required what we call home runs, or a direct run from a workstation back to a hub or concentrator. Also, adding users required a momentary interruption in the network, because we actually had to cut or make a break in a cable segment in order to add a new server or workstation. So those are some of the limitations of early thin and thick Ethernet networks.
An improvement on thin and thick Ethernet technology was adding hubs or concentrators into our network. And this allowed us to use something known as UTP cabling, or Unshielded Twisted Pair cabling.
As you can see indicated in the diagram on the left, Ethernet is fundamentally what we call a shared technology. That is, all users of a given LAN segment are competing for the same amount of bandwidth. This is very similar to the cars you see in our diagram, all trying to get onto the freeway at once. This is really what our frames, or packets, do in our network as we try to transmit on our Ethernet network. So this is actually what's occurring on our hub: even though each device has its own cable segment connecting into the hub, we're still all competing for the same fixed amount of bandwidth in the network.
Some common terms that we hear associated with the use of hubs: sometimes we call these Ethernet concentrators, or Ethernet repeaters, and they're basically self-contained Ethernet segments within a box. So while physically it looks like everybody has their own segment to their workstation, they're all interconnected inside of this hub, so it's still a shared Ethernet technology. Also, these are transparent devices: although a hub electrically regenerates and repeats every bit it receives, it has no role whatsoever in making forwarding decisions, and the end users don't even know that it exists. Hubs also don't provide any segmentation within the network whatsoever. This is basically because they work at Layer 1 in the OSI framework.
Collisions: Telltale Signs
A by-product that we have in any Ethernet network is something called collisions. This is a result of the fundamental characteristic of how any Ethernet network works. Basically, what happens in an Ethernet network is that many stations are sharing the same segment, so any one of these stations can transmit at any given time. If two or more stations try to transmit at the same time, the result is what we call a collision. This is actually one of the early telltale signs that your Ethernet network is becoming too congested, or that we simply have too many users on the same segment. When we get to a certain number of collisions in the network, where they become excessive, this is going to cause sluggish network response times, and a good way to measure that is by the increasing number of user complaints that are reported to the network manager.
Other Bandwidth Consumers
It's also important to understand fundamentally how transmissions can occur in the network. There are basically three different ways that we can communicate in the network. The most common way is by way of unicast transmissions. When we make a unicast transmission, we have one transmitter that's trying to reach one receiver, which is by far the most common, or hopefully the most common, form of communication in our network.
Another way to communicate is with a mechanism known as a broadcast. That is when one transmitter is trying to reach all receivers in the network. So, as you can see in the diagram in the middle, our server station is sending out one message, and it's being received by everyone on that particular segment.
The last mechanism we have is what is known as a multicast. A multicast is when one transmitter is trying to reach, not everyone, but a subset or a group of the entire segment. So as you can see in the bottom diagram, we're reaching two stations, but there's one station that doesn't need to participate, so it's not in our multicast group. So those are the three basic ways that we can communicate within our Local Area Network.
Broadcasts Consume Bandwidth
Now, in terms of broadcast, it's relatively easy to broadcast in a network, and that's a transmission mechanism that many different protocols use to communicate certain information, such as address resolution, for example. Address resolution is something that all protocols need to do in order to map logical, Layer 3 addresses to Layer 2 MAC addresses. For example, in an IP network we do something known as ARP, the Address Resolution Protocol: a station that knows a destination's IP address but not its MAC address broadcasts a request to the whole segment, and only the owner of that IP address replies. Also, some routing protocols distribute their routing information by way of broadcasting (RIP version 1 does, for example), and some key network services in our networks rely on broadcast mechanisms as well.
And it doesn't really matter what our protocol is, whether it's AppleTalk or Novell IPX or TCP/IP, for example; all of these different Layer 3 protocols rely on the broadcast mechanism. So, in other words, all of these protocols produce broadcast traffic in a network.
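As an added example (not from the original lesson), the following Python builds an ARP request frame and classifies Ethernet frames as unicast, broadcast or multicast from the destination MAC alone, which is exactly the decision a station's NIC makes before interrupting the CPU. The MAC and IP addresses and the three sample frames are constructed for illustration; the layout is an RFC 826 ARP packet inside an Ethernet II header (minimum-length padding omitted).

```python
import struct

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806


def mac_str(raw):
    """Render a 6-byte MAC address as colon-separated hex."""
    return ":".join(f"{x:02x}" for x in raw)


def classify_destination(frame):
    """Classify a raw Ethernet frame by its destination MAC.

    The I/G bit (least significant bit of the first octet) marks a group
    address; the all-ones address is the broadcast special case."""
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:
        return "multicast"
    return "unicast"


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Build an Ethernet II frame carrying an ARP request (RFC 826).

    The requester does not yet know the target's MAC, so the frame is sent
    to ff:ff:ff:ff:ff:ff and every station on the segment must process it."""
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,            # hardware type: Ethernet
                      0x0800,       # protocol type: IPv4
                      6, 4,         # hardware / protocol address lengths
                      1,            # opcode 1 = request
                      sender_mac, sender_ip,
                      b"\x00" * 6,  # target MAC unknown
                      target_ip)
    return BROADCAST + sender_mac + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp(frame):
    """Return (opcode, sender MAC, sender IP, target IP) for an ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    op, smac, sip, _tmac, tip = struct.unpack("!H6s4s6s4s", frame[20:42])
    return op, mac_str(smac), ".".join(map(str, sip)), ".".join(map(str, tip))


def count_by_class(frames):
    """Tally how many frames every station on the segment must look at."""
    counts = {"unicast": 0, "broadcast": 0, "multicast": 0}
    for f in frames:
        counts[classify_destination(f)] += 1
    return counts


# Constructed sample traffic (not captured from a real network).
SENDER_MAC = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [
    build_arp_request(SENDER_MAC, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])),
    bytes.fromhex("00aabbccddee") + SENDER_MAC + b"\x08\x00" + b"\x00" * 46,  # unicast IP
    bytes.fromhex("01005e000001") + SENDER_MAC + b"\x08\x00" + b"\x00" * 46,  # IP multicast 224.0.0.1
]

if __name__ == "__main__":
    print(count_by_class(SAMPLE_FRAMES))
    print(parse_arp(SAMPLE_FRAMES[0]))
```

Only the first frame is a broadcast, but it is the one every host on the segment has to parse; the multicast frame is filtered by any NIC that has not joined 224.0.0.1, and the unicast frame is dropped in hardware by everyone except 00:aa:bb:cc:dd:ee.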
Broadcasts Consume Processor Performance
Now, in addition to consuming bandwidth on the network, another by-product of broadcast traffic is that it consumes CPU cycles as well. Since broadcast traffic is sent out and received by all stations on the network, the network interface of every station must interrupt its CPU to process each broadcast. So here in this diagram you see the results of a study that was performed with several different CPUs on a network, and it shows you the relative level of CPU degradation as the number of broadcasts on a network increases.
So you can see, we did this study based on a SPARC2 CPU, a SPARC5 CPU, and also a Pentium CPU. As the number of broadcasts increased, the amount of CPU cycles consumed, simply by processing and listening to that broadcast traffic, increased dramatically. The other thing we need to recognize is that a lot of the time the broadcast traffic in our network is not needed by the stations that receive it. So what we have in shared LAN technologies is our broadcast traffic running throughout the network, needlessly consuming bandwidth and needlessly consuming CPU cycles.
Hub-Based LANs
So hubs were introduced into the network as a better way to scale our thin and thick Ethernet networks. It's important to remember, though, that these are still shared Ethernet networks, even though we're using hubs.
Basically what we have is an individual desktop connection for each individual workstation or server in the network, and this allows us to centralize all of our cabling back to a wiring closet, for example. There are still security issues here, though. Because a hub repeats every frame out every port, any station plugged into it can put its interface into promiscuous mode and monitor all traffic on the segment, and in fact that is even easier to do than on a coaxial segment because all of the connections are located centrally in the wiring closet. If we need to scale this type of network, we're going to rely on routers to scale it beyond the workgroup.
It makes adds, moves, and changes easier, because we can simply go to the wiring closet and move cables around, but we'll see later on that it's even easier with LAN switching. Also, in a hub- or concentrator-based network, the workgroups are determined simply by the physical hub that we plug into. Once again, we'll see later on with LAN switching how we can improve this as well.
Bridges
Another way is to add bridges. In order to scale our networks we need to do something known as segmentation, and bridges provide a certain level of segmentation in our network by adding a certain amount of intelligence. Bridges operate at Layer 2, while hubs operate at Layer 1. Operating at Layer 2 gives us more information on which to base a forwarding decision.
That's why we say that bridges are more intelligent than a hub: they can actually listen in on the traffic going through the bridge, look at source and destination MAC addresses, and build a table that allows them to make intelligent forwarding decisions.
They collect and pass frames between two network segments, and while they're doing this they're making intelligent forwarding decisions. As a result, they can provide greater control of the traffic within our network, and because each segment is its own collision domain, a collision on one side of the bridge is not seen on the other.
Switches—Layer 2
To provide even better control we're going to look to switches, which provide the most control in our network, at least at Layer 2. As you can see in the diagram, they have improved the model of traffic going through our network.
Getting back to our traffic analogy, as you can see looking at the highway here, we've actually subdivided the main highway so that each particular car has its own lane that it can drive on through the network. Fundamentally, this is what we can provide in our data networks as well. So when we look at our network we see that physically each station has its own cable into the network; conceptually, we can think of this as each workstation having its own lane through the highway. Basically, there is something known as micro-segmentation. That's a fancy way simply to say that each workstation gets its own dedicated segment, and therefore its own collision domain, through the network.
Switches versus Hubs
If we compare that with a hub or with a bridge, we're limited in the number of simultaneous conversations we can have at a time. Remember that if two stations tried to communicate in a hubbed environment, that caused something known as collisions. Well, in a switched environment we're not going to expect collisions, because each workstation has its own dedicated path through the network. What that means in terms of bandwidth, and in terms of scalability, is that we have dramatically more bandwidth in the network. Each station now has a dedicated 10 megabits per second worth of bandwidth.
One caveat worth keeping in mind: the switch delivers a unicast frame to a single port only because of the source addresses it has learned from traffic. That is a performance mechanism, not an access control, so a switched network should not be considered private just because a station no longer sees its neighbours' frames by default.
So when we look at our switches versus our hubs, in the top diagram remember that we're looking at a hub, where all of our traffic was fighting for the same fixed amount of bandwidth. Looking at the bottom diagram you can see that we've improved our traffic flow through the network, because we've provided a dedicated lane for each workstation.
The Need for Speed: Early Warning Signs
Now, how can you tell if you have congestion problems in your network? Some early things to watch out for include increased delay on file transfers. If basic file transfers are taking a long, long time in the network, that means we may need more bandwidth. Another thing to watch out for is print jobs that take a very long time to print out. If the time from when we queue them at our workstation until they actually get printed is increasing, that's an indication that we may have some LAN congestion problems. Also, if your organization is looking to take advantage of multimedia applications, you're going to need to move beyond basic shared LAN technologies, because those shared LAN technologies don't have the multicast controls that we're going to need for multimedia applications.
Typical Causes of Network Congestion
Some causes of this congestion, if we're seeing those early warning signs, are things we might want to look for, such as having too many users on a shared LAN segment. Remember that shared LAN segments have a fixed amount of bandwidth. As we add users, we're proportionally degrading the amount of bandwidth per user. So we're going to get to a certain number of users where there's too much congestion, too many collisions, too many simultaneous conversations trying to occur all at the same time, and that's going to reduce our performance.
Also, look at the newer technologies that we're using in our workstations. With early LAN technologies the workstations were relatively limited in terms of the amount of traffic they could put on the network. With newer, faster CPUs, faster buses, faster peripherals and so on, it's much easier for a single workstation to fill up a network segment. So by virtue of the fact that we have much faster PCs, and can do more with the applications that are on them, we can more quickly fill up the available bandwidth that we have.
Network Traffic Impact from Centralization of Servers
Also, the way the traffic is distributed on our network can have an impact as well. A very common thing to do in many networks is to build what's known as a server farm, for example. In a server farm, effectively what we're doing is centralizing all of the resources on our network that need to be accessed by all of the workstations in our network. What happens then is that we cause congestion on those centralized or backbone segments within the network.
Servers are gradually moving into a central area (data center) versus being located throughout the company to:
- Ensure company data integrity
- Maintain the network and ensure operability
- Maintain security
- Perform configuration and administrative functions
More centralized servers increase the bandwidth demands on campus and workgroup backbones.
Today’s LANs
- Mostly switched resources; few shared
- Routers provide scalability
- Groups of users determined by physical location
When we look at today's LANs, the ones that are most commonly implemented today, we're looking at mostly switched infrastructures. Because of the price point of deploying switches, many companies are bypassing the shared hub technologies and moving directly to switches. Even within switched networks, at some point we still need to look to routers to provide scalability. And also we see that, in terms of the grouping of users, they're largely determined by the physical location. So that's a quick look at traditional shared LAN technologies. What we want to do now, since we know those limitations, is look at how we can fix some of those issues. We want to see how we can deploy LAN switches to take advantage of some new, improved technologies.
LAN Switching Basics
- Enables dedicated access
- Eliminates collisions and increases capacity
- Supports multiple conversations at the same time
First of all, it's important to understand the reason that we use LAN switching. Basically, we do this to provide what we called earlier micro-segmentation. Again, micro-segmentation provides dedicated bandwidth for each user on the network. What this is going to do is eliminate collisions in our network, and it's going to effectively increase the capacity for each station connected to the network. It'll also support multiple, simultaneous conversations at any given time, and this will dramatically improve the bandwidth that's available and dramatically improve the scalability in our network.
LAN Switch Operation
So let's take a look at the fundamental operation of a LAN switch to see what it can do for us. As you can see indicated in the diagram, we have some data that we need to transmit from Station A to Station B.
Now, as we watch this traffic go through the network, remember that the switch operates at Layer 2. What that means is that the switch has the ability to look at the MAC-layer address, the Media Access Control address, that's on each frame as it goes through the network.
We're going to see that the switch actually looks at the traffic as it goes through to pick off the source MAC address and store it in an address table. So, as the traffic goes through, you can see that we've made an entry into this table recording which station is connected to which port on the switch.
Now, once that frame of data is in the switch, we have no choice but to flood it to all ports (other than the one it arrived on). The reason we flood it to all ports is that we don't yet know where the destination station resides.
Once that address entry is made in the table, though, when we have a response coming back from Station B to Station A, we now know where Station A is connected to the network.
So B transmits its data into the switch, but notice the switch doesn't flood that traffic this time; it sends it only out port number 3. The reason is that we know exactly where Station A is on the network because of that original transmission. On that original transmission we were able to note which port that MAC address came in on, and that allows us to deliver the traffic more efficiently in the network.
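The learning and flooding behaviour just described, as an added Python example that is not part of the original lesson. The port numbers and MAC addresses are constructed to match the Station A / Station B walkthrough (A on port 3, B on port 1), and `LearningSwitch` is a hypothetical class written for this example. Note that the table is filled in from whatever source address a frame carries; nothing here checks that a station is entitled to claim it.

```python
def is_group_address(mac):
    """True for broadcast and multicast MACs (I/G bit set in the first octet)."""
    return int(mac[:2], 16) & 0x01 == 1


class LearningSwitch:
    """Transparent bridge / Layer 2 switch: learns source MACs per port,
    floods frames whose destination it has not learned, and forwards the
    rest out exactly one port."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # source MAC -> port it was last seen on

    def receive(self, ingress, src, dst):
        """Handle one frame arriving on `ingress`; return the egress port list."""
        # Learn: the sender is reachable through the port the frame came in on.
        # This is the only input to the table, and it is never authenticated.
        self.mac_table[src] = ingress
        if is_group_address(dst) or dst not in self.mac_table:
            # Unknown or group destination: flood out every port except the ingress.
            return [p for p in self.ports if p != ingress]
        egress = self.mac_table[dst]
        if egress == ingress:
            # Destination sits on the segment the frame came from: filter it.
            return []
        return [egress]


def demo():
    """Replay the Station A -> Station B exchange from the lesson (constructed)."""
    sw = LearningSwitch(ports=[1, 2, 3, 4])
    station_a = "00:00:00:00:00:0a"   # plugged into port 3
    station_b = "00:00:00:00:00:0b"   # plugged into port 1
    first = sw.receive(3, station_a, station_b)   # B unknown: flooded to 1, 2, 4
    second = sw.receive(1, station_b, station_a)  # A already learned: only port 3
    third = sw.receive(3, station_a, station_b)   # both known: only port 1
    return first, second, third, dict(sw.mac_table)


if __name__ == "__main__":
    for label, result in zip(("A->B", "B->A", "A->B again", "table"), demo()):
        print(f"{label:>11}: {result}")
```

The first frame is flooded to every port but the one it arrived on, the reply goes only to port 3, and from then on both directions are delivered to a single port. A broadcast destination is flooded every time, no matter how full the table is.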
Switching Technology: Full Duplex
Another concept that we have in LAN switching that allows us to dramatically improve scalability is something known as full-duplex transmission, which effectively doubles the amount of bandwidth between nodes. This can be important, for example, between high-bandwidth consumers such as a switch and a server connection. Because a full-duplex link has a dedicated pair for each direction and only one transmitter per pair, it provides essentially collision-free transmissions in the network.
For example, on a 10 megabit per second connection, full duplex effectively provides 10 megabits of transmit capacity and 10 megabits of receive capacity, for effectively 20 megabits of capacity on a single connection. Likewise, for a 100 megabit per second connection, we can get effectively 200 megabits per second of throughput.
Switching Technology: Two Methods
Another concept that we have in switching is that there are actually two different modes of switching. This is important because it can affect the performance, or the latency, of switching through our network.
Cut-through
First of all we have something known as cut-through switching. As the traffic flows through the switch, the switch simply reads the destination MAC address, the first six bytes of the frame, to find out where the traffic needs to go. It does not wait for the rest of the frame to arrive: as the name implies, it cuts the frame through to its destination port while the remainder is still being received.
Store-and-forward
That improves latency over the other method, known as store-and-forward switching. With store-and-forward switching, the switch buffers the entire frame, not just the destination address, and only then makes the forwarding decision and sends it on its way. The obvious trade-off is that reading the entire frame takes longer, and the added latency grows with the frame size.
But the reason we read the entire frame is that we can then verify the frame check sequence (FCS) at the end of the frame. That is error detection rather than error correction: a frame that fails the check is dropped at the switch instead of being passed along, which increases reliability if we're having problems with that in a switched network. So cut-through switching is faster, but the trade-off is that the switch has already started forwarding before the FCS arrives, so corrupted frames (and collision fragments) are propagated to the destination port.
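An added example (not from the original lesson) of why the two methods differ in reliability. It uses Python's zlib.crc32, which computes the same CRC-32 as the Ethernet FCS, to build a frame with a valid check sequence, corrupt one payload bit, and run it through a store-and-forward decision and a cut-through decision. The addresses and payload are constructed; `store_and_forward` and `cut_through` are illustrative functions, not a real switch's code.

```python
import zlib


def ethernet_fcs(frame_body):
    """Frame check sequence: CRC-32 over everything from the destination MAC
    to the end of the payload, same polynomial and conventions as zlib.crc32,
    transmitted least significant byte first."""
    return zlib.crc32(frame_body).to_bytes(4, "little")


def build_frame(dst, src, payload, ethertype=b"\x08\x00"):
    """Assemble an Ethernet II frame with a valid FCS appended."""
    body = dst + src + ethertype + payload
    return body + ethernet_fcs(body)


def store_and_forward(frame):
    """Buffer the whole frame and verify the FCS before deciding anything.
    Returns the destination MAC to look up, or None if the frame is dropped."""
    body, fcs = frame[:-4], frame[-4:]
    if ethernet_fcs(body) != fcs:
        return None                  # corrupt frame never reaches an egress port
    return body[:6]


def cut_through(frame):
    """Decide as soon as the first 6 bytes have arrived. The FCS is never
    examined, so a corrupted frame is forwarded exactly like a good one."""
    destination_so_far = frame[:6]  # all the switch has read at decision time
    return destination_so_far


def flip_bit(frame, offset, bit=0):
    """Constructed fault: flip one bit, as line noise or a failing NIC might."""
    damaged = bytearray(frame)
    damaged[offset] ^= 1 << bit
    return bytes(damaged)


# Constructed sample frame (not a real capture), padded to the 46-byte minimum payload.
DST = bytes.fromhex("00aabbccddee")
SRC = bytes.fromhex("001122334455")
GOOD_FRAME = build_frame(DST, SRC, b"hello from station A".ljust(46, b"\x00"))
BAD_FRAME = flip_bit(GOOD_FRAME, offset=20)   # damage one payload byte

if __name__ == "__main__":
    print("store-and-forward, good frame:", store_and_forward(GOOD_FRAME))
    print("store-and-forward, bad frame :", store_and_forward(BAD_FRAME))
    print("cut-through, bad frame       :", cut_through(BAD_FRAME))
```

The store-and-forward path returns None for the damaged frame, so it is discarded at the switch; the cut-through path happily returns the destination address because the corruption sits 14 bytes beyond the point where it stopped reading.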
Key Switching Technologies
Let's look at some key technologies within LAN switching.
- 802.1d Spanning-Tree Protocol
- Multicasting
The Need for Spanning Tree
Specifically we'll look at the Spanning Tree Protocol, and also some multicasting controls that we have in our network. As we build out large networks, one of the problems we have at Layer 2 in the OSI model is that, if we're just making forwarding decisions at Layer 2, we cannot have any physical-layer loops in our network, because an Ethernet frame carries no hop count or time-to-live field that would let it expire.
So if we have a simple network, as we see in the diagram here, what these switches are going to do is that any time they have multicast or broadcast traffic, or any traffic to an unknown destination, each switch floods it, the neighbouring switch floods it back, and that creates storms of traffic looping endlessly through our network. So in order to prevent that situation we need to cut out the loops.
802.1d Spanning-Tree Protocol (STP)
Spanning Tree Protocol, or STP, is an industry standard defined by the IEEE standards committee and known as 802.1D Spanning Tree Protocol. It allows us to have physical redundancy in the network but logically disconnects the loops.
It's important to understand that we logically disconnect the loops, because that allows us to dynamically re-establish a connection if we need to, in the event of a failure within our network. The way the switches do this (and bridges can do it as well) is that they communicate by way of a protocol, exchanging small hello messages back and forth. Technically, these exchanges are known as BPDUs, or Bridge Protocol Data Units. The switches elect a root bridge (the one with the lowest bridge ID, which is a configurable priority followed by a MAC address), each other switch keeps open the port with the lowest path cost to the root, and any port that would close a loop is put in the blocking state.
If they stop hearing BPDUs from a certain device on the network, we know that a network device or link has failed, and the switches have to re-establish a link, unblocking a previously blocked port, in order to maintain that redundancy.
Now, Spanning Tree Protocol works just fine, but one of the issues with it is that it can take roughly 30 to 50 seconds with the default timers for the network to fully converge, that is, for all devices to know the status of the network. In order to improve on this, Cisco introduced refinements such as PortFast and UplinkFast, which allow Spanning Tree to converge faster.
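An added example, not part of the original lesson, of the decisions the BPDU exchange produces. It implements the 802.1D root bridge election, root path cost, root port and designated port selection for a small three-switch triangle, then removes one link to show a blocked port being brought back into service. The switch names, bridge priorities, MAC addresses and port costs (19, the 802.1D-1998 cost for 100 Mbps) are constructed; `run_stp` is written for this example and computes the final converged state rather than simulating the timers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    bridge: str   # switch name
    number: int   # port number on that switch
    cost: int     # path cost of this port (19 = 100 Mbps in 802.1D-1998)


def run_stp(bridges, segments):
    """Compute the 802.1D active topology.

    bridges : {name: (priority, mac)}       bridge ID = (priority, MAC); lowest wins root
    segments: {segment_name: [Port, ...]}   ports attached to the same LAN segment
    Returns (root bridge, root path cost per bridge, role per Port)."""
    bid = dict(bridges)
    root = min(bid, key=bid.get)

    # Root path cost: the best cost advertised on any of a bridge's segments
    # plus that port's own cost. Relax until the values stop changing.
    rpc = {name: float("inf") for name in bid}
    rpc[root] = 0
    for _ in range(len(bid)):
        for ports in segments.values():
            best_on_segment = min(rpc[p.bridge] for p in ports)
            for p in ports:
                rpc[p.bridge] = min(rpc[p.bridge], best_on_segment + p.cost)

    # Root port: on each non-root bridge, the port whose received BPDU offers
    # the lowest (root path cost, sender bridge ID, sender port number).
    root_port = {}
    for name in bid:
        if name == root:
            continue
        candidates = []
        for ports in segments.values():
            others = [(rpc[q.bridge], bid[q.bridge], q.number) for q in ports if q.bridge != name]
            for p in (p for p in ports if p.bridge == name):
                if others:
                    cost, sender, sender_port = min(others)
                    candidates.append(((cost + p.cost, sender, sender_port, p.number), p))
        root_port[name] = min(candidates, key=lambda c: c[0])[1]

    # Designated port: on each segment, the port whose bridge offers the lowest
    # (root path cost, bridge ID, port number). Any other non-root port blocks.
    roles = {}
    for ports in segments.values():
        designated = min(ports, key=lambda p: (rpc[p.bridge], bid[p.bridge], p.number))
        for p in ports:
            if p == designated:
                roles[p] = "designated"
            elif root_port.get(p.bridge) == p:
                roles[p] = "root"
            else:
                roles[p] = "blocked"
    return root, rpc, roles


# Constructed topology: three switches with equal priority, each pair joined by one link.
BRIDGES = {"S1": (32768, "00:00:00:00:00:01"),
           "S2": (32768, "00:00:00:00:00:02"),
           "S3": (32768, "00:00:00:00:00:03")}


def triangle_segments():
    return {
        "S1-S2": [Port("S1", 1, 19), Port("S2", 1, 19)],
        "S1-S3": [Port("S1", 2, 19), Port("S3", 1, 19)],
        "S2-S3": [Port("S2", 2, 19), Port("S3", 2, 19)],
    }


def converged_triangle():
    """Healthy network: S1 wins root, and S3's port toward S2 must block."""
    return run_stp(BRIDGES, triangle_segments())


def after_link_failure():
    """S1-S3 goes down: S3 now reaches the root via S2, so its blocked port comes up."""
    segments = triangle_segments()
    del segments["S1-S3"]
    return run_stp(BRIDGES, segments)


if __name__ == "__main__":
    for label, (root, rpc, roles) in (("healthy", converged_triangle()), ("S1-S3 down", after_link_failure())):
        print(label, "root =", root, "costs =", rpc)
        for port, role in sorted(roles.items(), key=lambda kv: (kv[0].bridge, kv[0].number)):
            print(f"  {port.bridge} port {port.number}: {role}")
```

With all priorities equal, the lowest MAC makes S1 the root. S2 and S3 each reach it directly at cost 19, and on the S2-S3 link the tie is broken by bridge ID, so S2's port is designated and S3's port 2 is the one blocked port. Deleting the S1-S3 link raises S3's root path cost to 38 through S2, and the formerly blocked port becomes S3's root port. In a real network the same outcome takes the 30 to 50 seconds of timer expiry described above.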
Multicasting
Now, another issue that we have in Layer 2 networks, or switched networks, is control of our multicast traffic. There are a lot of new applications emerging today, such as video-based applications, desktop conferencing, and so on, that take advantage of multicasting.
But without special controls in the network, multicasting is going to quickly congest our network. So what we need is to add intelligent multicasting in the network.
Multipoint Communications
Now, again, let's understand that there are a few fundamental ways that we have in order to achieve multipoint communications, because effectively, that's what we're trying to do with our video-based applications or any of our multimedia-type applications that use this mechanism.
One way is to broadcast our traffic. What that does is effectively send our messages everywhere. The problem, and the obvious downside, is that not everybody necessarily needs to hear these communications. So while it will get the job done, it's not the most efficient way to get the job done. The better way to do this is by way of multicasting.
That is, the applications will use a special group address to communicate only to those stations, or the group of stations, that need to receive these transmissions. That's what we mean by multipoint communications, and that's going to be the more effective way to do it.
Multicast
This also needs to be done dynamically, because these multicast groups are going to change over time at any given moment. So, in order to do this, we need some special protocols in our network. First of all, in the wide area, we need something known as multicast routing protocols. Certainly, in our wide area we already have unicast routing protocols such as RIP, the Routing Information Protocol, or OSPF, or IGRP, for example, but what we need is to add multicast routing on top of them so that the routers understand how to deliver traffic for our multicast groups.
An example of a multicast routing protocol is PIM, Protocol Independent Multicast. PIM does not carry its own topology information; it builds its multicast distribution trees using the unicast routing table that whatever existing routing protocol has already populated, which is what "protocol independent" means. Another protocol we have is IGMP, the Internet Group Management Protocol. IGMP simply allows us to identify the group membership of the IP stations that want to participate in a given multicast conversation: a host sends an IGMP membership report for a group it wants to join, and the router stops forwarding the group onto that subnet once no member remains.
So as you can see indicated by the red traffic in our network, we have channel #1 being multicast through the network. By way of IGMP, the workstations can signal back toward the original video servers that they want to participate, and once the multicast routing protocols are added, we can efficiently deliver our traffic in the wide area. Now, another challenge that we have is that once our traffic gets to the Local Area Network, or the switch, by default that traffic is going to be flooded to all stations in the network.
End-to-End Multicast
And that's because IGMP works at Layer 3, but our LAN switch works at Layer 2. So the switch has no concept of our Layer 3 group membership. What we need to do is add some intelligence to our switch. The intelligence we're going to add is a protocol such as CGMP, Cisco Group Management Protocol, in which the router tells the switch which ports have members. Another similar technology that we could add is called IGMP snooping, where the switch itself inspects the IGMP reports and leaves passing through it; this has the same effect in the Local Area Network.
And that effect, as you see in the diagram, is to limit our multicast traffic to only those stations that want to participate in the group. So now, as you can see, the red channel, or channel number 1, is delivered to only station #1 and station #3.
Station 2 does not receive this content because it doesn't wish to participate. So the advantage of adding protocols such as IGMP, CGMP, IGMP snooping, and Protocol Independent Multicast into our network is that we achieve bandwidth savings for our multicast traffic.
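The IGMP snooping behaviour described above, as an added Python example that is not part of the original lesson: a switch that learns group membership per port from the IGMP reports and leaves it sees, so that multicast data for channel 1 goes only to the ports of stations 1 and 3. The group address 239.1.1.1, the port numbering, the router-facing port 4 and the flood-until-someone-joins rule for unknown groups are all assumptions made for this example.

```python
class SnoopingSwitch:
    """Layer 2 switch that watches IGMP membership traffic and forwards each
    multicast group only to ports that have a member, plus any router ports."""

    def __init__(self, ports, router_ports=()):
        self.ports = set(ports)
        self.router_ports = set(router_ports)   # toward the multicast router: always receives group traffic
        self.members = {}                        # group address -> set of ports with at least one member

    def igmp_report(self, port, group):
        """A Membership Report seen on `port`: add it to the group's forwarding list."""
        self.members.setdefault(group, set()).add(port)

    def igmp_leave(self, port, group):
        """A Leave Group message on `port`: stop forwarding the group there."""
        ports = self.members.get(group)
        if ports is not None:
            ports.discard(port)
            if not ports:
                del self.members[group]

    def egress_ports(self, ingress, group):
        """Ports a multicast data frame for `group`, arriving on `ingress`, is sent to."""
        if group not in self.members:
            # Assumption for this example: a group nobody has joined is flooded
            # exactly as a plain switch would flood it.
            out = self.ports - {ingress}
        else:
            out = (self.members[group] | self.router_ports) - {ingress}
        return sorted(out)


def channel_one_demo():
    """Replay the lesson's diagram: stations 1 and 3 join channel 1, station 2 does not."""
    sw = SnoopingSwitch(ports=[1, 2, 3, 4], router_ports=[4])   # port 4 faces the router/video server
    group = "239.1.1.1"                                           # constructed group address for channel 1
    before = sw.egress_ports(4, group)        # no IGMP seen yet: flooded to 1, 2 and 3
    sw.igmp_report(1, group)                  # station 1 joins
    sw.igmp_report(3, group)                  # station 3 joins; station 2 never does
    joined = sw.egress_ports(4, group)        # only ports 1 and 3
    sw.igmp_leave(1, group)                   # station 1 tunes out
    after_leave = sw.egress_ports(4, group)   # only port 3
    return before, joined, after_leave


if __name__ == "__main__":
    print(channel_one_demo())
```

Before any report is seen, the stream is flooded to every access port just as a plain switch would; once the reports from ports 1 and 3 have been snooped, port 2 stops receiving the channel, and after port 1 leaves only port 3 remains. A real implementation would also age entries out when the router's periodic membership queries go unanswered, which this example leaves out.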
Why Use Multicast?
What we see indicated in red is that, as we add stations to a group served by separate unicast streams (one copy of the stream per receiver), the amount of bandwidth we need increases in a linear fashion. By adding multicast controls, you can see that the amount of bandwidth is reduced dramatically, because a single copy of the stream is delivered over each link regardless of how many receivers lie beyond it, and these intelligent multicast controls can make better use of the bandwidth in our network. So adding multicast controls also reduces the cost of networking, because we've reduced the bandwidth that we need, and that provides a dramatic improvement to our Local Area Network.
- Summary -
- Switches provide dedicated access
- Switches eliminate collisions and increase capacity
- Switches support multiple conversations at the same time
- Switches provide intelligence for multicasting
Lesson 6: WAN Basics
In this lesson, we'll discuss the WAN. We'll start by defining what a WAN is, and then move on to talking about basic technology such as WAN devices and circuit and packet switching. We'll also cover transmission options from POTS (plain old telephone service) to Frame Relay, to leased lines, and more. Finally, we'll discuss wide area requirements, including a section on minimizing WAN charges with bandwidth optimization features.
The Agenda
- WAN Basics
- Transmission Options
- WAN Requirements & Solutions
WAN Basics
What Is a WAN?
So, what is a WAN? A WAN is a data communications network that serves users across a broad geographic area and often uses transmission facilities provided by common carriers such as telephone companies. These providers are companies like MCI, AT&T, UUNET, and Sprint. There are also many small service providers that provide connectivity to one of the larger carriers' networks and may even have email servers to store clients' mail until it is retrieved.
- Telephone service is commonly referred to as plain old telephone service (POTS).
- WAN technologies function at the lower three layers of the OSI reference model: the physical layer, the data link layer, and the network layer.
Common WAN network components include WAN switches, access servers, modems, CSU/DSUs, and ISDN Terminals.
WAN Devices
A WAN switch is a multiport internetworking device used in carrier networks. These devices typically switch traffic such as Frame Relay, X.25, and SMDS and operate at the data link layer of the OSI reference model. WAN switches can share bandwidth among allocated service priorities, recover from outages, and provide network design and management systems.
A modem is a device that converts between digital and analog signals, enabling data to be transmitted over voice-grade telephone lines. At the source, digital signals are converted to analog. At the destination, these analog signals are returned to their digital form.
An access server is a concentration point for dial-in and dial-out connections.
A channel service unit/data service unit (CSU/DSU) is a digital interface device that adapts the physical interface on a data terminal equipment (DTE) device (such as a terminal) to the interface of a data circuit-terminating equipment (DCE) device (such as a switch) in a switched-carrier network. The CSU/DSU also provides signal timing for communication between these devices.
An ISDN terminal adapter is a device used to connect ISDN Basic Rate Interface (BRI) connections to other interfaces, such as EIA/TIA-232. A terminal adapter is essentially an ISDN modem.
WAN Terminating Equipment
The WAN physical layer describes the interface between the data terminal equipment (DTE) and the data circuit-terminating equipment (DCE). Typically, the DCE is the service provider, and the DTE is the attached device (the customer's device). In this model, the services offered to the DTE are made available through a modem or channel service unit/data service unit (CSU/DSU).
CSU/DSU (Channel Service Unit/Data Service Unit): a device that connects the end-user equipment to the local digital telephone loop or to the service provider's data transmission loop. The DSU adapts the physical interface on a DTE device to a transmission facility such as T1 or E1. It is also responsible for functions such as signal timing for synchronous serial transmissions.
Unless a company owns (literally) the lines over which they transport data, they must utilize the services of a Service Provider to access the wide area network.
Circuit Switching
- Dedicated physical circuit established, maintained, and terminated through a carrier network for each communication session
- Datagram and data stream transmissions
- Operates like a normal telephone call
- Example: ISDN
Service providers typically offer both circuit-switching and packet-switching services. Circuit switching is a WAN switching method in which a dedicated physical circuit is established, maintained, and terminated through a carrier network for each communication session. Circuit switching accommodates two types of transmissions: datagram transmissions and data-stream transmissions. Used extensively in telephone company networks, circuit switching operates much like a normal telephone call. Integrated Services Digital Network (ISDN) is an example of a circuit-switched WAN technology.
Packet Switching
Packet switching is a WAN switching method in which network devices share a single point-to-point link to transport packets from a source to a destination across a
carrier network. Statistical multiplexing is used to enable devices to share these circuits. Asynchronous Transfer Mode (ATM), Frame Relay, Switched Multimegabit
Data Service (SMDS), and X.25 are examples of packet-switched WAN technologies.
- Network devices share a point-to-point link to transport packets from a source to a destination across a carrier network
- Statistical multiplexing is used to enable devices to share these circuits
- Examples: ATM, Frame Relay, SMDS, X.25
WAN Virtual Circuits
- A logical circuit ensuring reliable communication between two devices
- Switched virtual circuits (SVCs)
  - Dynamically established on demand
  - Torn down when transmission is complete
  - Used when data transmission is sporadic
- Permanent virtual circuits (PVCs)
  - Permanently established
  - Save bandwidth for cases where certain virtual circuits must exist all the time
- Used in Frame Relay, X.25, and ATM
A virtual circuit is a logical circuit created to ensure reliable communication between two network devices. Two types of virtual circuits exist: switched virtual circuits (SVCs) and permanent virtual circuits (PVCs). Virtual circuits are used in Frame Relay, X.25, and ATM.
SVCs are dynamically established on demand and are torn down when transmission is complete. SVCs are used in situations where data transmission is sporadic.
PVCs are permanently established. PVCs save the bandwidth associated with circuit establishment and tear-down in situations where certain virtual circuits must exist all the time.
WAN Protocols
The OSI model provides a conceptual framework for communication between
computers, but the model itself is not a method of communication. Actual communication is made possible by using communication protocols. A protocol
implements the functions of one or more of the OSI layers. A wide variety of
communication protocols exist, but all tend to fall into one of the following groups:
- LAN protocols: operate at the physical and data link layers and define communication over the various LAN media
- WAN protocols: operate at the lowest three layers and define communication over the various wide-area media.
- Network protocols: are the various upper-layer protocols in a given protocol suite.
- Routing protocols: network-layer protocols responsible for path determination and traffic switching.
SDLC:-
Synchronous Data Link Control. IBM's SNA data link layer communications protocol. SDLC is a bit-oriented, full-duplex serial protocol that has spawned numerous similar protocols, including HDLC and LAPB.
HDLC:-
High-Level Data Link Control. Bit-oriented synchronous data link layer protocol developed by ISO. Specifies a data encapsulation method on synchronous serial links using frame characters and checksums.
LAPB:-
Link Access Procedure, Balanced. Data link layer protocol in the X.25 protocol stack. LAPB is a bit-oriented protocol derived from HDLC.
PPP:-
Point-to-Point Protocol. Provides router-to-router and host-to-network connections over synchronous and asynchronous circuits with built-in security features. Works with several network layer protocols, such as IP, IPX, and ARA.
X.25 PLP:-
Packet Level Protocol. Network layer protocol in the X.25 protocol stack. Defines how connections are maintained for remote terminal access and computer communications in PDNs. Frame Relay is superseding X.25.
ISDN:-
Integrated Services Digital Network. Communication protocol, offered by telephone companies, that permits telephone networks to carry data, voice, and other source traffic.
Frame Relay:-
Industry-standard, switched data link layer protocol that handles multiple virtual circuits using HDLC encapsulation between connected devices. Frame Relay is more efficient than X.25, and generally replaces it.
Transmission Options
There are a number of transmission options available today. They fall into either the analog or the digital category. Next let's take a brief look at each of these transmission types.
POTS Using Modem Dialup
Analog modems using basic telephone service are asynchronous transmission-based, and have the following benefits:
- Available everywhere
- Easy to set up
- Dial anywhere on demand
- The lowest-cost alternative of any wide-area service
Integrated Services Digital Network (ISDN)
ISDN is a digital service that can use asynchronous or, more commonly, synchronous transmission. ISDN can transmit data, voice, and video over existing copper phone lines. Instead of leasing a dedicated line for high-speed digital transmission, ISDN offers the option of dialup connectivity, incurring charges only when the line is active.
ISDN provides a high-bandwidth, cost-effective solution for companies requiring light or sporadic high-speed access to either a central or branch office. Companies needing more permanent connections should evaluate leased-line connections.
- High bandwidth: up to 128 Kbps per Basic Rate Interface
- Dial on demand
- Multiple channels
- Fast connection time
- Monthly rate plus cost-effective, usage-based billing
- Strictly digital
ISDN comes in two flavors, Basic Rate Interface (BRI) and Primary Rate Interface (PRI). BRI provides two "B" or bearer channels of 64 Kbps each and one additional signaling channel called the "D" or delta channel. While it requires only one physical connection, ISDN BRI provides two channels that remote telecommuters use to connect to the company network.
PRI provides up to 23 bearer channels of 64 Kbps each and one D channel for signaling. That's 23 channels over a single physical connection, which makes it an elegant solution: there's no wiring mess (PRI service typically provides 30 bearer channels outside the U.S. and Canada). You'll want to use PRI at your central site if you plan to have many ISDN dial-in clients.
Leased Line
Leased lines are most cost-effective if a customer's daily usage exceeds four to six hours. Leased lines offer predictable throughput with bandwidth typically 56 Kbps to 1.544 Mbps. They require one connection per physical interface (namely, a synchronous serial port).
- One connection per physical interface
- Bandwidth: 56 Kbps to 1.544 Mbps
- T1/E1 and fractional T1/E1
- Cost effective at 4 to 6 hours daily usage
- Dedicated connections with predictable throughput
- Permanent
- Cost varies by distance
Frame Relay
Frame Relay provides a standard interface to the wide-area network for bridges, routers, front-end processors (FEPs), and other LAN devices. A Frame Relay interface
is designed to act like a wide-area LAN- it relays data frames directly to their destinations at very high speeds. Frame Relay frames travel over predetermined virtual circuit paths, are self-routing, and arrive at their destination in the correct
order. Frame Relay is designed to handle the LAN-type bursty traffic efficiently. The guaranteed bandwidth (known as committed information rate or CIR) is typically
between 56 Kbps and 1.544 Mbps. The cost is normally not distance-sensitive.
Connecting Offices with Frame Relay
Companies that require office-to-office communications usually choose between a dedicated leased-line connection and a packet-based service, such as Frame Relay or X.25. As a rule, higher connect times make leased-line solutions more cost-effective. Like ISDN, Frame Relay requires only one physical connection to the Frame Relay network, but can support many Permanent Virtual Circuits, or PVCs.
Frame Relay service is often less expensive than leased lines, and the cost is based on:
- The committed information rate (CIR), which can be exceeded up to the port speed when the capacity is available on your carrier's network.
- Port speed
- The number of permanent virtual circuits (PVCs) you require; a benefit to users who need reliable, dedicated connections to resources simultaneously.
X.25
X.25 networks implement the internationally accepted ITU-T standard governing the operation of packet switching networks. Transmission links are used only when needed. X.25 was designed almost 20 years ago when network link quality was
relatively unstable. It performs error checking along each hop from source node to destination node.
The bandwidth is typically between 9.6Kbps and 64Kbps. X.25 is widely available in many parts of the world including North America, Europe, and Asia.
There is a large installed base of X.25 devices.
Digital Subscriber Line (xDSL)
- DSL is a pair of "modems" on each end of a copper wire pair
- DSL converts ordinary phone lines into high-speed data conduits
- Like dial, cable, wireless, and T1, DSL by itself is a transmission technology, not a complete solution
- End-users don't "buy" DSL, they "buy" services, such as high-speed Internet access, intranet, leased line, voice, VPN, and video on demand
- Service is limited to certain geographical areas
Digital subscriber line (DSL) technology is a high-speed service that, like ISDN, operates over ordinary twisted-pair copper wires supplying phone service to businesses and homes in most areas. DSL is often more expensive than ISDN in markets where it is offered today.
Using special modems and dedicated equipment in the phone company's switching office, DSL offers faster data transmission than either analog modems or ISDN service, plus, in most cases, simultaneous voice communications over the same lines. This means you don't need to add lines to supercharge your data access speeds. And since DSL devotes a separate channel to voice service, phone calls are unaffected by data transmissions.
DSL Modem Technology
DSL has several flavors. ADSL delivers asymmetrical data rates (for example, data moves faster on the way to your PC than it does on the way out to the Internet). Other DSL technologies deliver symmetrical data rates (the same speed traveling in and out of your PC). The type of service available to you will depend on the carriers operating in your area.
Because DSL works over the existing telephone infrastructure, it should be easy to deploy over a wide area in a relatively short time. As a result, the pursuit of market share and new customers is spawning competition between traditional phone companies and a new breed of firms called competitive local exchange carriers (CLECs).
Asynchronous Transfer Mode (ATM)
ATM is short for Asynchronous Transfer Mode, and it is a technology capable of transferring voice, video, and data through private and public networks. It uses VLSI technology to segment data at high speeds into units called cells. Basically it carves up Ethernet or Token Ring packets and creates cells out of them.
Each cell contains 5 bytes of header information and 48 bytes of payload, for 53 bytes total in every cell. Each cell contains identifiers that specify the data stream to which it belongs. ATM is capable of T3 speeds (E3 speeds in Europe) as well as fiber speeds, like SONET (synchronous optical networking) at speeds of OC-1 and up. ATM technology is primarily used in enterprise backbones or in WAN links.
How to Choose a Service?
Analog services are the least expensive type of service. ISDN costs somewhat more but improves performance over even the fastest current analog offerings. Leased lines are the costliest of these three options, but offer dedicated, digital service for more demanding situations. Which is right? You'll need to answer a few questions:
- Will employees use the Internet frequently?
- Will the Internet be used for conducting business (for example, inventory management, online catalog selling, account information, or bidding on new jobs)?
- Do you anticipate a large volume of traffic between branch offices of the business?
- Is there a plan to use videoconferencing or video training between locations?
- Who will use the main office's connection to the Internet: individual employees at the central office, telecommuting workers dialing in from home, mobile workers dialing in from the road?
The more times the answer is "yes", the more likely it is that leased-line services are required. It is also possible to mix and match services. For example, small branch offices or individual employees dialing in from home might connect to the central office using ISDN, while the main connection from the central office to the Internet can be a T1.
Which service you select also depends on what the Internet Service Provider (ISP) is using. If the ISP's maximum line speed is 128K, as with ISDN, it wouldn't make sense to connect to that ISP with a T1 service. It is important to understand that as the bandwidth increases, so do the charges, both from the ISP and the phone company. Keep in mind that rates for different kinds of connections vary from location to location.
Let's compare our technology options, assuming all services are available in our region. To summarize:
- A leased-line service provides a dedicated connection with a fixed bandwidth at a
flat rate. You pay the same monthly fee regardless how much or how little you use the connection.
- A packet-switched service typically provides a permanent connection with specific, guaranteed bandwidth (Frame Relay). Temporary connections (such as X.25) may
also be available. The cost of the line is typically a flat rate, plus an additional charge based on actual usage.
- A circuit-switched service provides a temporary connection with variable bandwidth, with cost primarily based on actual usage.
Wide-Area Network Requirements
- Minimize bandwidth costs
- Maximize efficiency
- Maximize performance
- Support new/emerging applications
- Maximize availability
- Minimize management and maintenance
Manage Bandwidth to Control Cost
Because transmission costs are by far the largest portion of a network's cost, there are a number of bandwidth optimization features you should be aware of that enable the cost-effective use of WAN links. These include dial-on-demand routing, bandwidth-on-demand, snapshot routing, IPX protocol spoofing, and compression.
Dial-on-demand ensures that you're only paying for bandwidth when it's needed, for switched services such as ISDN and asynchronous modem (and switched 56 Kb in the U.S. and Canada only). Bandwidth-on-demand gives you the flexibility to add additional WAN bandwidth when it's needed to accommodate heavy network loads such as file transfers.
Snapshot routing prevents unnecessary transmissions. It inhibits your switched network from being dialed solely for the purpose of exchanging routing updates at short intervals (e.g., every 30 seconds). Many of you are familiar with compression, which is also a good method of optimization.
Let's take a closer look at a few features that will keep your WAN costs down.
- Dial-on-Demand Routing
Dial-on-demand routing allows a router to automatically initiate and close a circuit-switched session. With dial-on-demand routing, the router dials up the WAN link only when it senses "interesting" traffic. Interesting traffic might be defined as any traffic destined for the remote network, or only traffic related to a specific host address or service. Equally important, dial-on-demand routing enables the router to take down the connection when it is no longer needed, ensuring that the user will not have unnecessary WAN usage charges.
- Bandwidth-on-Demand
Bandwidth-on-demand works in a similar way. When the router senses that the traffic level on the primary link has reached a certain threshold (say, when a user starts a large file transfer), it automatically dials up additional bandwidth through the PSTN to accommodate the increased load. For example, if you're using ISDN, you may decide that when the first B channel reaches 75% saturation for more than one minute, your router will automatically dial up a second B channel. When the traffic load on the second B channel falls below 40%, the channel is automatically dropped.
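The 75%/40% rule described above can be written out as a small control loop. This is an added illustration, not code from the original notes or from any router vendor; the 10-second sample interval, the constructed load trace, and measuring the second channel's own utilisation for the drop rule are assumptions.

```python
"""Bandwidth-on-demand for an ISDN BRI, following the rule in the text: when the
first B channel stays above 75% for more than one minute, dial the second
B channel; when the second channel's load falls below 40%, drop it again.

Added illustration, not code from the original notes or from any router vendor.
Thresholds are the page's figures; the sample interval and the load samples
are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

ADD_THRESHOLD = 0.75     # utilisation of the first B channel that arms the dial-up rule
ADD_HOLD_SECONDS = 60    # load must stay above the threshold for more than one minute
DROP_THRESHOLD = 0.40    # utilisation of the second B channel below which it is dropped
SAMPLE_INTERVAL = 10     # seconds between utilisation samples (assumption)
BRI_B_CHANNELS = 2       # a BRI offers exactly two 64 Kbps bearer channels


@dataclass
class BriDialer:
    """Keeps track of how many B channels are up and applies the add/drop rules."""
    channels_up: int = 1                 # the first B channel is the primary link
    seconds_over_threshold: int = 0      # how long the primary has been above 75%
    events: List[str] = field(default_factory=list)

    def observe(self, t: int, primary_load: float, secondary_load: float = 0.0) -> int:
        """Feed one utilisation sample (0.0-1.0 per channel); return channels now up."""
        if self.channels_up < BRI_B_CHANNELS:
            # Arm the timer while the primary is saturated; any dip resets it,
            # so a short burst does not incur a second call and its setup charge.
            if primary_load > ADD_THRESHOLD:
                self.seconds_over_threshold += SAMPLE_INTERVAL
            else:
                self.seconds_over_threshold = 0
            if self.seconds_over_threshold > ADD_HOLD_SECONDS:
                self.channels_up += 1
                self.seconds_over_threshold = 0
                self.events.append(f"t={t}s: dial second B channel")
        else:
            # The drop rule looks at the added channel, not the primary, which
            # gives the hysteresis that prevents dial/drop flapping around 75%.
            if secondary_load < DROP_THRESHOLD:
                self.channels_up -= 1
                self.events.append(f"t={t}s: drop second B channel")
        return self.channels_up


def simulate(samples: List[Tuple[float, float]]) -> Tuple[List[int], List[str]]:
    """Run the dialer over (primary, secondary) load samples; return history and events."""
    dialer = BriDialer()
    history = [dialer.observe(i * SAMPLE_INTERVAL, p, s) for i, (p, s) in enumerate(samples)]
    return history, dialer.events


# Constructed trace: idle, a 40-second burst that is too short to count, a
# sustained overload that triggers the second channel, then traffic tailing off.
SAMPLES = (
    [(0.50, 0.0)] * 2
    + [(0.90, 0.0)] * 4      # 40 s over threshold: not yet "more than one minute"
    + [(0.60, 0.0)]          # dip resets the timer
    + [(0.90, 0.0)] * 7      # 70 s over threshold: second channel is dialed
    + [(0.90, 0.60), (0.80, 0.50), (0.30, 0.20), (0.30, 0.0)]
)

if __name__ == "__main__":
    history, events = simulate(SAMPLES)
    print(history)
    for e in events:
        print(e)
```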
- Snapshot Routing
By default, routing protocols such as RIP exchange routing tables every 30 seconds.
If placed as calls, these routine updates will drive up WAN costs unnecessarily, and Snapshot Routing limits these calls to the remote site. A remote router with this feature only requests a routing update when the WAN link
is already up for the purpose of transferring user application data. Without Snapshot Routing, your ISDN connection would be dialed every 30 seconds;
this feature ensures that the remote router always has the most up-to-date routing information but only when needed.
- IPX Protocol Spoofing
Protocol spoofing allows the user to improve performance while providing the ability to use lower line speeds over the WAN.
- Compression
Compression reduces the space required to store data, thus reducing the bandwidth required to transmit. The benefit of these compression algorithms is that users can utilize lower line speeds if needed to save costs. Compression also provides the ability
to move more data over a link than it would normally bear.
- Three types: header, link, and payload compression
- Van Jacobson header compression (RFC 1144) reduces the header from 40 to ~5 bytes
- Dial Backup
Dial backup addresses a customer's need for reliability and guaranteed uptime. Dial backup capability offers users protection against WAN downtime by allowing them to configure a backup serial line via a circuit-switched connection such as ISDN. When the software detects the loss of a signal from the primary line device or finds that the line protocol is down, it activates the secondary line to establish a new session and continue the job of transmitting traffic over the backup line.
Summary
- The network operates beyond the local LAN's geographic scope. It uses the services of carriers like regional Bell operating companies (RBOCs), Sprint, and MCI.
- WANs use serial connections of various types to access bandwidth over wide-area geographies.
- An enterprise pays the carrier or service provider for connections used in the WAN; the enterprise can choose which services it uses; carriers are usually regulated by tariffs.
- WANs rarely shut down, but since the enterprise must pay for services used, it might restrict access to connected workstations. Not all WAN services are available in all locations.
Lesson 7: Understanding Routing
The objective of this lesson is to explain routing. We'll start by first defining what routing is. We'll follow that with a discussion on addressing. There is a section on routing terminology which covers subjects like routed vs. routing protocols and dynamic and static routing. Finally, we'll talk about routing protocols.
The Agenda
- What Is Routing?
- Network Addressing
- Routing Protocols
What Is Routing?
Routing is the process of finding a path to a destination host and of moving information across an internetwork from a source to a destination. Along the way, at
least one intermediate node typically is encountered. Routing is very complex in large networks because of the many potential intermediate destinations a packet might
traverse before reaching its destination host. A router is a device that forwards packets from one network to another and determines the optimal path along which network traffic should be forwarded.
Routers forward packets from one network to another based on network layer information. Routers are occasionally called gateways (although this definition of gateway is becoming increasingly outdated).
Routers—Layer 3
A router is a more sophisticated device than a hub or a switch. It determines the appropriate network path to send the packet along by keeping an up-to-date network topology in memory, its routing table. A router keeps a table of network addresses and knows which path to take to get to each network.
Routers keep track of each other's routes by alternately listening for, and periodically sending, route information. When a router hears a routing update, it updates its routing table.
Routing is often contrasted with bridging, which might seem to accomplish precisely the same thing to the casual observer. The primary difference between the two is that bridging occurs at Layer 2 (the data link layer) of the OSI reference model, whereas routing occurs at Layer 3 (the network layer). This distinction provides routing and bridging with different information to use in the process of moving information from source to destination, so that the two functions accomplish their tasks in different ways.
In addition, bridges can't block a broadcast (where a data packet is sent to all nodes on a network). Broadcasts can consume a great deal of bandwidth. Routers are able to block broadcasts, so they provide security and assist in bandwidth control.
You might ask, if bridging is faster than routing, why do companies move from a bridged/switched network to a routed network?
There are many reasons, but LAN segmentation is a key reason. Also, routers increase scalability and control broadcast transmissions.
Where are Routers Used?
A router can perform LAN-to-LAN routing through its ability to route packet traffic from one network to another. It checks its routing table entries to determine the best path to the destination network.
A router can perform LAN-to-WAN and remote access routing through its ability to route packet traffic from one network to another while handling different WAN services in between. Popular WAN service options include Integrated Services Digital Network, or ISDN, leased lines, Frame Relay, and X.25.
Let's look at routing in more detail.
LAN-to-LAN Connectivity
This illustrates the flow of packets through a routed network using the example of an e-mail message being sent from system X to system Y. The message exits system X and travels through an organization's internal network until it gets to a point where it needs an Internet service provider. The message will bounce through their network and eventually arrive at system Y's Internet provider. While this example shows three routers, the message could actually travel through many different networks before it arrives at its destination.
From the OSI model reference point of view, when the e-mail is converted into packets and sent to a different network, a data-link frame is received on one of a router's interfaces.
- The router de-encapsulates and examines the frame to determine what type of network layer data is being carried. The network layer data is sent to the
appropriate network layer process, and the frame itself is discarded.
- The network layer process examines the header to determine the destination network and then references the routing table that associates networks to outgoing interfaces.
- The packet is again encapsulated in the link frame for the selected interface and sent on.
This process occurs each time the packet transfers to another router. At the router connected to the network containing the destination host, the packet is encapsulated in the destination LAN's data-link frame type for delivery to the protocol stack on the destination host.
Path Determination
Routing involves two basic activities: determining optimal routing paths and transporting information groups (typically called packets) through an internetwork. In the context of the routing process, the latter of these is referred to as switching. Although switching is relatively straightforward, path determination can be very complex. During path determination, routers evaluate the available paths to a destination and establish the preferred handling of a packet.
- Routing services use internetwork topology information (such as metrics) when evaluating network paths. This information can be configured by the network administrator or collected through dynamic processes running in the internetwork.
- After the router determines which path to use, it can proceed with switching the packet: taking the packet it accepted on one interface and forwarding it to another interface or port that reflects the best path to the packet's destination.
Multiprotocol Routing
Routers can support multiple independent routing algorithms and maintain associated routing tables for several routed protocols concurrently. This capability allows a router to interleave packets from several routed protocols over the same data links.
The various routed protocols operate separately. Each uses routing tables to determine paths and switches over addressed ports in a "ships in the night" fashion; that is, each protocol operates without knowledge of or coordination with any of the other protocol operations.
In the example above, as the router receives packets from the users on the networks using IP, it begins to build a routing table containing the addresses of the networks of these IP users. As the router receives packets from Macintosh AppleTalk users, it again adds the AppleTalk addresses. Routing tables can contain address information from multiple protocol networks. This process may continue with IPX traffic from Novell NetWare networks and Digital traffic from VAX minicomputers attached to Ethernet networks.
Routing Tables
To aid the process of path determination, routing algorithms initialize and maintain routing tables, which contain route information. Route information varies depending on the routing algorithm used. Routing algorithms fill routing tables with a variety of
information. Two examples are destination/next hop associations and path desirability.
- Destination/next hop associations tell a router that a particular destination is linked to a particular router representing the "next hop" on the way to the final destination. When a router receives an incoming packet, it checks the destination address and attempts to associate this address with a next hop.
- With path desirability, routers compare metrics to determine optimal routes.
Metrics differ depending on the routing algorithm used. A metric is a standard of measurement, such as path length, that is used by routing algorithms to determine
the optimal path to a destination.
Routers communicate with one another and maintain their routing tables through the transmission of a variety of messages.
- Routing update messages may include all or a portion of a routing table. By analyzing routing updates from all other routers, a router can build a detailed picture of network topology.
- Link-state advertisements inform other routers of the state of the sender's links so that routers can maintain a picture of the network topology and continuously determine optimal routes to network destinations.
Routing Algorithm Goals
Routing tables contain information used by software to select the best route. But how, specifically, are routing tables built? What is the specific nature of the
information they contain? How do routing algorithms determine that one route is preferable to others?
Routing algorithms often have one or more of the following design goals:
- Optimality: the capability of the routing algorithm to select the best route, depending on the metrics and metric weightings used in the calculation. For example, one algorithm may use both hop count and delay, but may weight delay more heavily in the calculation.
- Simplicity and low overhead: efficient routing algorithm functionality with a minimum of software and utilization overhead. This is particularly important when the routing algorithm software must run on a computer with limited physical resources.
- Robustness and stability: the routing algorithm should perform correctly in the face of unusual or unforeseen circumstances, such as hardware failures, high load conditions, and incorrect implementations. Because routers sit at network junctions, their failures can cause extensive problems.
- Rapid convergence: convergence is the process of agreement, by all routers, on optimal routes. When a network event causes changes in router availability, recalculations are needed to re-establish optimal routes. Routing algorithms that converge slowly can cause routing loops or network outages.
- Flexibility: the routing algorithm should quickly and accurately adapt to a variety of network circumstances. Changes of consequence include router availability, changes in network bandwidth, queue size, and network delay.
Routing Metrics
Routing algorithms have used many different metrics to determine the best route. Sophisticated routing algorithms can base route selection on multiple metrics, combining them in a single (hybrid) metric. All of the following metrics have been used:
- Path length: the most common metric. Either the sum of an assigned cost per network link, or the hop count, a metric that specifies the number of passes through network devices between source and destination.
- Reliability: the dependability (bit-error rate) of each network link. Some network links might go down more often than others. Also, some links may be easier or faster to repair after a failure.
- Delay: the length of time required to move a packet from source to destination through the internetwork. It depends on the bandwidth of intermediate links, port queues at each router, network congestion, and physical distance. A common and useful metric.
- Bandwidth: the available traffic capacity of a link.
- Load: the degree to which a network resource, such as a router, is busy (measured by CPU utilization or packets processed per second).
- Communication cost: the operating expenses of network links (private versus public lines).
Now let's talk a little about network addressing.
Network Addressing
Network and Node Addresses
Each network segment between routers is identified by a network address. These addresses contain information about the path used by the router to pass packets from a source to a destination.
For some network layer protocols, a network administrator assigns network addresses according to a preconceived internetwork addressing plan. For other network layer protocols, address assignment is partially or completely dynamic.
Most network protocol addressing schemes also use some form of node address. The node address refers to the device's port on the network. The figure in this slide shows three nodes sharing network address 1 (Router 1.1, PC 1.2, and PC 1.3). For LANs, this port or device address can reflect the real Media Access Control (MAC) address of the device.
Unlike a MAC address, which has a preestablished and usually fixed relationship to a device, a network address expresses a logical relationship within the network topology.
The hierarchy of Layer 3 addresses across the entire internetwork improves the use of bandwidth by preventing unnecessary broadcasts. Broadcasts invoke unnecessary processing overhead and waste capacity on any devices or links that do not need to receive them. By using consistent end-to-end addressing to represent the path of media connections, the network layer can find a path to the destination without unnecessarily burdening the devices or links on the internetwork with broadcasts.
Examples:
For TCP/IP, dotted decimal numbers show a network part and a host part. Network 10 uses the first of the four numbers as the network part and the last three numbers (8.2.48) as the host address. The mask is a companion number to the IP address. It tells the router which part of the number to interpret as the network number and identifies the remainder as available for host addresses inside that network.
For Novell IPX, the network address 1aceb0b is a hexadecimal (base 16) number that cannot exceed a fixed maximum number of digits. The host address 0000.0c00.6e25 (also a hexadecimal number) is a fixed 48 bits long. This host address derives automatically from information in the hardware of the specific LAN device.
Subnetwork Addressing
Subnetworks or subnets are networks arbitrarily segmented by a network administrator in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks. Subnetting allows a single routing entry to refer either to the larger block or to its individual constituents. This permits a single, general routing entry to be used through most of the Internet, with more specific routes required only in the routers of the subnetted block.
A subnet mask is a 32-bit number that determines, bit by bit, how an IP address is split into network and host portions. For example, 131.108.0.0 is a standard Class B subnet mask; the first two bytes identify the network and the last two bytes identify the host. Stated another way, a subnet mask is a 32-bit address mask used in IP to indicate the bits of an IP address that are being used for the subnet address. It is sometimes referred to simply as the mask. The term mask derives from the fact that the non-host portions of the IP address bits are masked by 0's to form the subnet mask.
Subnetting helps to organize the network, allows rules to be developed and applied to the network, and provides security and shielding. Subnetting also enables scalability by controlling the size of links to a logical grouping of nodes that have reason to communicate with each other (such as within Human Resources, R&D, or Manufacturing).
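As an added example (not code from the original notes), here is the bitwise split the mask performs, using the notes' own addresses: host 10.8.2.48 in network 10 under mask 255.0.0.0, and the Class B network 131.108.0.0, whose default mask is 255.255.0.0. It also shows the longest-prefix lookup that lets one general entry cover the whole Class B block while a more specific entry covers a subnet carved out of it; the routing table is constructed.

```python
"""Network/host split, subnet masks and longest-prefix lookup.

Added example for the Network Addressing and Subnetwork Addressing sections;
it is not code from the original notes. The addresses are the ones the notes
use (host 10.8.2.48 in network 10, the Class B network 131.108.0.0); the
routing table below is constructed for illustration.
"""


def to_int(dotted):
    """Convert dotted-decimal text to a 32-bit integer, rejecting bad octets."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    """Inverse of to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def split_address(address, mask):
    """Apply the mask bitwise: 1 bits select the network part, 0 bits the host part."""
    addr, msk = to_int(address), to_int(mask)
    host_bits = (~msk) & 0xFFFFFFFF
    # A valid mask is a contiguous run of 1s followed by 0s, so the host-bit
    # pattern must look like 0...01...1 (one less than a power of two).
    if host_bits & (host_bits + 1):
        raise ValueError("non-contiguous mask: %s" % mask)
    prefix_len = bin(msk).count("1")
    network = addr & msk
    return {
        "network": to_dotted(network),
        "host": to_dotted(addr & host_bits),
        "prefix_len": prefix_len,
        "broadcast": to_dotted(network | host_bits),
        # subtract the network and broadcast addresses; /31 and /32 have none
        "usable_hosts": max(2 ** (32 - prefix_len) - 2, 0),
    }


def mask_for_prefix(prefix_len):
    """Dotted mask for a prefix length, e.g. 16 -> 255.255.0.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length out of range")
    return to_dotted((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF)


def same_subnet(a, b, mask):
    """True when both addresses fall in the same subnet under this mask."""
    m = to_int(mask)
    return (to_int(a) & m) == (to_int(b) & m)


# Constructed routing table: (network, mask, next hop). The Class B block has
# one general entry; one subnet carved out of it has a more specific entry.
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "default via ISP"),
    ("131.108.0.0", "255.255.0.0", "via R1"),
    ("131.108.5.0", "255.255.255.0", "via R2"),
]


def longest_prefix_match(dest, routes=ROUTES):
    """Pick the matching entry with the longest mask: the most specific route wins."""
    best_len, best_hop = -1, None
    d = to_int(dest)
    for network, mask, next_hop in routes:
        m = to_int(mask)
        if (d & m) == (to_int(network) & m) and bin(m).count("1") > best_len:
            best_len, best_hop = bin(m).count("1"), next_hop
    return best_hop


if __name__ == "__main__":
    print(split_address("10.8.2.48", "255.0.0.0"))
    print(split_address("131.108.5.7", mask_for_prefix(16)))
    for dest in ("131.108.5.7", "131.108.9.1", "10.8.2.48"):
        print(dest, "->", longest_prefix_match(dest))
```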
Routing Algorithm Types
Routing algorithms can be classified by type. Key differentiators include:
- Single-path versus multi-path: Multi-path routing algorithms support multiple paths to the same destination and permit traffic multiplexing over multiple lines. Multi-path routing algorithms can provide better throughput and reliability.
- Flat versus hierarchical: In a flat routing system, all routers are peers of one another. In a hierarchical routing system, some routers form what amounts to a routing backbone. In hierarchical systems, some routers in a given domain can communicate with routers in other domains, while others can communicate only with routers in their own domain.
- Host-intelligent versus router-intelligent: In host-intelligent routing algorithms, the source end-node determines the entire route and routers act simply as store-and-forward devices. In router-intelligent routing algorithms, hosts are assumed to know nothing about routes and routers determine the optimal path.
- Intradomain versus interdomain: Some routing algorithms work only within domains; others work within and between domains.
- Static versus dynamic: This classification is discussed in the following two slides.
- Link state versus distance vector: This classification is discussed after static versus dynamic routing.
Static Routing
Static routing knowledge is administered manually: a network administrator enters it into the router's configuration. The administrator must manually update this static route entry whenever an internetwork topology change requires it. Static knowledge is private: it is not conveyed to other routers as part of an update process.
Static routing has several useful applications when it reflects a network administrator's special knowledge about the network topology. When an internetwork partition is accessible by only one path, a static route to the partition can be sufficient. This type of partition is called a stub network. Configuring static routing to a stub network avoids the overhead of dynamic routing.
Dynamic Routing
After the network administrator enters configuration commands to start dynamic routing, route knowledge is updated automatically by a routing process whenever new topology information is received from the internetwork. Changes in dynamic knowledge are exchanged between routers as part of the update process.
Dynamic routing tends to reveal everything known about an internetwork. For security reasons, it might be appropriate to conceal parts of an internetwork. Static routing allows an internetwork administrator to specify what is advertised about restricted partitions.
In the illustration above, the preferred path between Routers A and C is through Router D. If the path between Router A and Router D fails, dynamic routing determines an alternate path from A to C. According to the routing table generated by Router A, a packet can reach its destination over the preferred route through Router D. However, a second path to the destination is available by way of Router B. When Router A recognizes that the link to Router D is down, it adjusts its routing table, making the path through Router B the preferred path to the destination. The routers continue sending packets over this link. When the path between Routers A and D is restored to service, Router A can once again change its routing table to indicate a preference for the counterclockwise path through Routers D and C to the destination network.
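An added example, not code from the original notes, of how a link-state router would recompute the A/B/C/D illustration: Dijkstra's shortest-path-first runs over the full topology, the failed A-D link is removed from that topology, and Router A's table is recomputed before, during and after the failure. The link costs are an assumption, chosen so that the path through D is preferred.

```python
"""Link-state path recomputation for the Router A/B/C/D failover example.

Added example, not code from the original notes. A link-state router holds
the whole topology and runs shortest-path-first (Dijkstra) over it; a link
failure is an edit to that topology followed by a recomputation. The link
costs are an assumption, chosen so that A-D-C is preferred over A-B-C.
"""
import heapq


def build_topology(links):
    """links: iterable of (router, router, cost) -> {router: {neighbor: cost}}."""
    topo = {}
    for a, b, cost in links:
        topo.setdefault(a, {})[b] = cost
        topo.setdefault(b, {})[a] = cost
    return topo


def shortest_paths(topo, source):
    """Dijkstra from source. Returns {dest: (total cost, [path])}."""
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]
    done = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue  # stale queue entry for an already settled node
        done.add(node)
        for nbr, cost in topo.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                prev[nbr] = node
                heapq.heappush(heap, (nd, nbr))
    result = {}
    for dest, cost in dist.items():
        path = [dest]
        while path[-1] != source:
            path.append(prev[path[-1]])
        result[dest] = (cost, path[::-1])
    return result


def routing_table(topo, source):
    """Forwarding view of the result: {dest: (next hop, total cost)}."""
    return {dest: (path[1], cost)
            for dest, (cost, path) in shortest_paths(topo, source).items()
            if dest != source}


def link_down(topo, a, b):
    """Return a copy of the topology with link a-b removed in both directions."""
    new = {node: dict(nbrs) for node, nbrs in topo.items()}
    new[a].pop(b, None)
    new[b].pop(a, None)
    return new


# Constructed topology: A-D-C is the cheap (preferred) path, A-B-C the backup.
LINKS = [("A", "D", 1), ("D", "C", 1), ("A", "B", 2), ("B", "C", 2)]


def failover_demo():
    """Router A's table before, during and after the A-D link failure."""
    healthy = build_topology(LINKS)
    broken = link_down(healthy, "A", "D")
    return {
        "before": routing_table(healthy, "A"),
        "during": routing_table(broken, "A"),
        "after": routing_table(healthy, "A"),  # link restored: same topology as before
    }


if __name__ == "__main__":
    for phase, table in failover_demo().items():
        print(phase, table)
```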
Distance Vector versus Link State
Distance vector versus link state is another possible routing algorithm classification.
- Link state algorithms (also known as shortest path first algorithms) flood routing information about their own links to all network nodes. The link-state (shortest path first) approach recreates the exact topology of the entire internetwork (or at least the partition in which the router is situated).
- Distance vector algorithms send all or some portion of their routing table only to their neighbors. The distance vector routing approach determines the direction (vector) and distance to any link in the internetwork.
- A third classification in this course, called hybrid, combines aspects of these two basic algorithms.
There is no single best routing algorithm for all internetworks. Network administrators must weigh the technical and non-technical aspects of their network to determine what's best.
state routing protocol based on IS-IS. IS-IS - Intermediate System-to-Intermediate System. OSI link-state hierarchical routing protocol based on DECnet Phase V routing, whereby ISs (routers) exchange routing information based on a single metric to determine network topology.
Hybrid
EIGRP - Enhanced Interior Gateway Routing Protocol. Advanced version of IGRP developed by Cisco. Provides superior convergence properties and operating efficiency, and combines the advantages of link state protocols with those of distance vector protocols.
RIP and IGRP
RIP takes the path with the least number of hops, but does not account for the speed of the links. It only counts hops. The limit of RIP is about 15 hops. This creates a scalability issue when routing in large, heterogeneous networks.
IGRP was developed by Cisco and works only with Cisco products (although it has been licensed to some other vendors). It accounts for the varying speeds of each link. Additionally, IGRP can handle 224 to 252 hops, depending on the IOS version. However, IGRP only supports IP.
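An added example, not code from the original notes, of distance-vector routing with RIP's hop-count metric: each router exchanges only its table with its neighbors, the A/B/C/D square converges in a couple of rounds, and a destination 16 hops away is never installed, which is how the 15-hop limit shows up in practice. Both topologies are constructed, and link failures are not modeled.

```python
"""Distance-vector (RIP-style, hop-count) routing and the 15-hop limit.

Added example, not code from the original notes. Each router knows only its
own links plus what its neighbors advertise, and installs a route whenever a
neighbor offers a shorter hop count (a Bellman-Ford step). The metric is hop
count only, so link speed never enters the decision; 16 hops means
unreachable, which is how RIP encodes its 15-hop limit. Topologies are
constructed; link failures and route withdrawal are not modeled here.
"""

INFINITY = 16  # RIP: a hop count of 16 means 'unreachable'


def build_neighbors(links):
    """links: iterable of (router, router) -> {router: set(neighbors)}."""
    nbrs = {}
    for a, b in links:
        nbrs.setdefault(a, set()).add(b)
        nbrs.setdefault(b, set()).add(a)
    return nbrs


def converge(nbrs, max_rounds=64):
    """Run synchronous advertisement rounds until no table changes.

    Returns (tables, rounds) where tables[router][dest] = (hops, next_hop).
    Destinations beyond 15 hops never appear: they are unreachable to RIP.
    """
    # Initial knowledge: myself at 0 hops, directly connected neighbors at 1.
    tables = {r: {r: (0, r)} for r in nbrs}
    for r, ns in nbrs.items():
        for n in ns:
            tables[r][n] = (1, n)
    for rounds in range(1, max_rounds + 1):
        # Snapshot: every router advertises the table it held at round start.
        adverts = {r: dict(t) for r, t in tables.items()}
        changed = False
        for r, ns in nbrs.items():
            for n in sorted(ns):  # sorted for deterministic tie-breaking
                for dest, (hops, _) in adverts[n].items():
                    candidate = hops + 1
                    current = tables[r].get(dest, (INFINITY, None))[0]
                    if candidate < current and candidate < INFINITY:
                        tables[r][dest] = (candidate, n)
                        changed = True
        if not changed:
            return tables, rounds
    return tables, max_rounds


def hops_to(tables, src, dest):
    """Hop count from src to dest, or None when RIP considers it unreachable."""
    entry = tables[src].get(dest)
    return entry[0] if entry else None


# Constructed topologies: the square from the dynamic-routing illustration,
# and a straight chain of 17 routers whose far end lies 16 hops away.
SQUARE = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "A")]
CHAIN = [("R%d" % i, "R%d" % (i + 1)) for i in range(16)]


if __name__ == "__main__":
    tables, rounds = converge(build_neighbors(SQUARE))
    print("square converged in", rounds, "rounds; A->C:", tables["A"]["C"])
    tables, rounds = converge(build_neighbors(CHAIN))
    print("chain: R0->R15 =", hops_to(tables, "R0", "R15"),
          "hops; R0->R16 =", hops_to(tables, "R0", "R16"))
```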
OSPF and EIGRP
OSPF - Open Shortest Path First. Link-state, hierarchical IGP routing algorithm proposed as a successor to RIP in the Internet community. OSPF features include least-cost routing, multipath routing, and load balancing. OSPF was derived from an early version of the IS-IS protocol.
EIGRP - Enhanced Interior Gateway Routing Protocol. Advanced version of IGRP developed by Cisco. Provides superior convergence properties and operating efficiency, and combines the advantages of link state protocols with those of distance vector protocols.
- Summary -
- Routers move data across networks from a source to a destination
- Routers determine the optimal path for forwarding network traffic
- Routing protocols communicate reachability information between routers
Lesson 8: Layer 3 Switching
The term Layer 3 switching makes many people's eyes glaze over. In this module, we'll explain what Layer 3 switching is and how it compares with Layer 2 switching and routing.
The Agenda
- What Is Layer 3 Switching?
- What is the Difference Between Layer 2 Switching, Layer 3 Switching, and Routing?
What Is Layer 3 Switching?
Recently, the industry has been bombarded with terminology such as Layer 3 switching, Layer 4 switching, multilayer switching, routing switches, switching routers, and gigabit routers. This "techno-jargon" can be confusing to customers and resellers alike.
For purposes of this discussion, all these terms essentially represent the same function, and, as such, the term Layer 3 switching is used to represent them all.
While the performance aspect of Layer 3 switching makes most of the headlines, higher performance in switching packets does not, by itself, promise that all problems in a network are solved. There must be a recognition that application design, the mix of network protocols, placement of servers, placement of networking devices, management, and the implementation of end-to-end intelligent network services are at least as important—maybe more so—than simply adding more bandwidth and switching capability to the network.
Why Do We Need Layer 3 Switching?
So, why do we need Layer 3 switching? Enterprise networks face unprecedented challenges today. Desktop computing power has tripled in the past two years and shows no sign of leveling off. The proliferation of network-dependent intranet and multimedia applications has increased traffic volumes in many campus networks by an order of magnitude over the past several years. Network managers have responded to this need to move data at greater speeds by moving more desktops to switched 10/100 Mbps and deploying LAN switching at unprecedented levels, both in the data center and in the wiring closets, to scale their end-to-end bandwidth. To effectively utilize the increased capacity, they must scale their Layer 3 performance to handle changing traffic patterns. The conventional wisdom that 80 percent of the traffic stays local to the subnet and 20 percent or less traverses subnets no longer holds. More than half of the traffic volume travels across subnet boundaries. Two factors contribute to these changing traffic patterns.
With Web-based computing, a PC can be both a subscriber and a publisher of information. As a result, information can now come from anywhere in the network, creating massive amounts of traffic that must travel across subnet boundaries. Users hop transparently between servers across the entire enterprise by using hyperlinks, without needing to know where the data is located.
The second factor leading to the loss of locality is the move toward server consolidation. Enterprises are deploying centralized server farms because of the reduced cost of ownership and ease of management. All traffic from the client subnets to these servers must travel across the campus backbone, exacerbating performance problems.
Because of the rising levels of anywhere-to-everywhere communication, Layer 3 switching that can scale with increasing link speeds has become an imperative. Layer 3 switching is required to meet the demands of both client/server and peer-to-peer traffic on the intranet.
What Is Layer 2 Switching?
What is the difference between a Layer 2 switch, a Layer 3 switch, and a router?
A Layer 2 switch is essentially a multiport bridge. Switching and filtering are based on the Layer 2 MAC addresses, and, as such, a Layer 2 switch is completely transparent to network protocols and users' applications.
Layer 2 switching is the number one choice for providing plug-and-play performance.
What Is Routing?
In contrast to Layer 3 switches, routers make Layer 3 routing decisions by implementing complex routing algorithms and data structures in software. Keep in mind that this has little to do with the forwarding aspects of routing.
Routing has two basic functions: path determination, using a variety of metrics, and forwarding packets from one network to another.
The path determination function enables a router to evaluate the available paths to a destination and to establish the preferred handling of a packet. Data can take different paths to get from a source to a destination. At Layer 3, routers help determine which path. The network administrator configures the router, enabling it to make an intelligent decision as to where the router should send information through the cloud.
The network layer sends packets from the source network to the destination network. After the router determines which path to use, it can proceed with switching the packet: taking the packet it accepted on one interface and forwarding it to another interface or port that reflects the best path to the packet's destination.
Packet Manipulation at Layer 3
How does Layer 3 switching differ from Layer 2 switching? Layer 3 switching requires rewriting the packet. This means decrementing the TTL field, modifying the MAC addresses, changing the VLAN ID, and recomputing the FCS. Doing all of these actions at wire speed is difficult, which is why an ASIC is necessary. True Layer 3 switching has all the advantages of routing, and is therefore rich in both features and performance.
Layer 2 switching, by contrast, does not require packet rewriting. Without packet rewriting, whatever you call it (e.g., virtual routing), it is NOT routing.
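An added example, not code from the original notes, that performs the rewrite listed above in software on a constructed VLAN-tagged IPv4 frame: it decrements the TTL (and recomputes the IP header checksum, which the TTL change invalidates), rewrites the MAC addresses to the egress port and next hop, changes the VLAN ID and recomputes the FCS, and it drops a frame whose FCS does not verify or whose TTL has expired. All MAC and IP addresses are constructed.

```python
"""The per-packet rewrite a Layer 3 switch performs, done here in software.

Added example, not code from the original notes. It builds a VLAN-tagged
Ethernet frame carrying an IPv4 packet, then applies the rewrite the text
lists: decrement TTL, rewrite the MAC addresses, change the VLAN ID and
recompute the frame check sequence (FCS). The IP header checksum is
recomputed too, because the TTL byte changed. All addresses are constructed.
"""
import struct
import zlib

ETH_HDR = 18  # dst(6) + src(6) + 802.1Q tag(4) + EtherType(2)


def ip_checksum(header):
    """RFC 1071 one's-complement sum; yields 0 for a header that already verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ttl, payload):
    """Minimal 20-byte IPv4 header (protocol 17/UDP) with a valid checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0, ttl, 17, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_frame(dst_mac, src_mac, vlan_id, ip_packet):
    """802.1Q-tagged Ethernet frame; the FCS is CRC-32, least-significant byte first."""
    tag = struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)
    body = dst_mac + src_mac + tag + struct.pack("!H", 0x0800) + ip_packet
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame):
    """Pull out the fields worth checking before and after the rewrite."""
    body, fcs = frame[:-4], frame[-4:]
    ip = body[ETH_HDR:]
    return {
        "dst_mac": body[0:6], "src_mac": body[6:12],
        "vlan_id": struct.unpack("!H", body[14:16])[0] & 0x0FFF,
        "ttl": ip[8],
        "fcs_ok": struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == fcs,
        "ip_checksum_ok": ip_checksum(ip[:20]) == 0,
    }


def l3_rewrite(frame, egress_mac, next_hop_mac, new_vlan):
    """Forward one frame across a VLAN boundary; returns None when it must be dropped."""
    if not parse_frame(frame)["fcs_ok"]:
        return None  # damaged on the wire: discard
    body = frame[:-4]
    if struct.unpack("!H", body[16:18])[0] != 0x0800:
        return None  # only IPv4 is handled here
    ip = bytearray(body[ETH_HDR:])
    if ip[8] <= 1:
        return None  # TTL expired: a router drops it (and would send ICMP Time Exceeded)
    ip[8] -= 1  # decrement TTL ...
    ip[10:12] = b"\x00\x00"  # ... and recompute the header checksum over the new bytes
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip[:20])))
    # New Layer 2 envelope: next-hop destination, our egress MAC, new VLAN tag, new FCS.
    return build_frame(next_hop_mac, egress_mac, new_vlan, bytes(ip))


# Constructed addresses (locally administered MACs, 02:...).
HOST_MAC = bytes.fromhex("020000000001")
SWITCH_IN_MAC = bytes.fromhex("02000000aa10")
SWITCH_OUT_MAC = bytes.fromhex("02000000aa20")
NEXT_HOP_MAC = bytes.fromhex("020000000002")


def demo():
    """Return the parsed frame before and after the rewrite (VLAN 10 -> VLAN 20)."""
    packet = build_ipv4("10.1.1.10", "10.2.2.20", 64, b"hello")
    ingress = build_frame(SWITCH_IN_MAC, HOST_MAC, 10, packet)
    egress = l3_rewrite(ingress, SWITCH_OUT_MAC, NEXT_HOP_MAC, 20)
    return parse_frame(ingress), parse_frame(egress)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```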
What Is Layer 3 Switching?
Layer 3 switching is hardware-based routing. The packet forwarding is handled by specialized hardware, usually ASICs.
A Layer 3 switch can make switching and filtering decisions on both Layer 2 and Layer 3 addresses and can dynamically decide whether to route or switch incoming traffic. Multilayer switching combines the ease of use of Layer 2 switching with the stability and security of Layer 3 routing.
To make Layer 3 switching decisions, routing table information must be assembled and exchanged between routing entities. Route calculation is performed by one or more route processors that reside in routers or other devices. These route processors periodically distribute their routing tables to multilayer LAN switches to allow them to make very fast switching decisions.
Layer 3 switching is the favorite for highly scalable, resilient networking.
A Layer 3 Switch Has Two Distinct Components
ASICs:
- High-performance, hardware-based Layer 3 switching and services with consistent low latency
Routing software:
- Routing protocols to provide scalability
- Backbone redundancy
- Dynamic load balancing and fast convergence in the backbone
- Reachability information
- Multiprotocol support for the campus
What Is the Difference Between Layer 3 Switching and Routing?
Layer 3 switches tend to have packet switching throughputs in the millions of packets per second (pps), while traditional general-purpose routers have evolved from the 100,000 pps range to over a million pps. Aggregate performance is one of the key differences between Layer 3 switches and traditional routers.
Traditional routers still offer key features used typically in WAN environments. However, many of those features, such as multicast routing, multiprotocol routing, IBM feature sets, and routing protocol stability, are still key for Layer 3 switches/campus routers.
A Layer 3 or a Layer 2 Switch?— Scalability Advantages
Let's look more closely at when a customer might choose a Layer 3 switch over a traditional Layer 2 switch. Layer 3 switches offer considerable advantages depending on the customer's requirements.
Scalability— For customers with large networks that need increased performance to handle the changing traffic patterns of today's new applications, Layer 3 switches offer increased scalability. Clearly a network of hubs does not scale. While bridges helped, they were not sufficient to handle networks of many thousands of users and devices. Routers were the solution, as they kept broadcasts local to a segment. Layer 3 switches avoid the problems associated with flat bridged or switched designs by using traditional routing mechanisms, allowing customers to scale their network infrastructure. Layer 3 switches also utilize routing protocols, thus avoiding the slow convergence problem of Spanning Tree Protocol and its lack of load balancing across multiple paths.
Advanced services— Layer 3 switches also offer the benefit of broader intelligent network services. These services permit applications to run on the network as well as enable the creation of a cost-effective operational environment to support day-to-day operations and management of the enterprise intranet.
Other Advantages
Other advantages include:
Security—Layer 3 switches provide enhanced security functions to protect corporate information while allowing appropriate access. Access control lists are supported by Layer 3 switches with no performance degradation. Layer 3 switching is able to enforce the multiple levels of security traditionally found only on routers, on every packet of the flow, at wire speed.
Management—Networks that use a multilayer model are by nature hierarchical. This type of infrastructure is easier to manage, as problems are more easily isolated.
Redundancy/resiliency—Some Layer 3 switches offer significant redundancy and resiliency options not available with Layer 2 switches. Default gateway redundancy is provided by HSRP, which enables Cisco switches to transparently switch over to the hot standby backup router instantly when the primary router goes offline, eliminating a single point of failure in the network. UplinkFast provides alternative paths when a primary link fails. Load balancing is achieved by intelligent Layer 3 routing protocols.
While there are obvious advantages to a Layer 3 switch over a Layer 2 switch, other factors need to be considered as well. Layer 3 switches are more expensive than Layer 2 switches and are more complex. Depending on the size of a customer's network, the cost and complexity may not justify a Layer 3 switch. However, for customers with larger networks in need of enhanced scalability, Layer 3 switches will actually simplify the network infrastructure.
Not All Layer 3 Switches Are Created Equal
At its most basic, Layer 3 packet switching or forwarding is common across all vendors' platforms, with perhaps exceptions in their multicast or DHCP services behavior.
The more scalable, flexible, and adaptable Layer 3 switches also offer a variety of routing protocols and services for topology discovery, load balancing, and resiliency. Buying a Layer 3 switch without the richness and depth of routing protocols is somewhat akin to a driverless car. The car can certainly travel very fast in the direction that it is pointed, but the intelligence lies in the driver, who needs to make all the decisions about where it should go and when to stop and turn. The more flexible and resilient these capabilities, the better the reliability and adaptability the switch offers.
Finally, there are services. All the queuing, filtering, classification, multiprotocol, route summarization, and redistribution functions, plus additional debugging, statistics gathering, and event logging services, are what let network managers deploy solutions that rise to the future challenges of mobility, multiservice, multimedia, and service level agreements for business-critical applications.
- Summary -
- Layer 3 switching is ASIC-based routing
- Traditional routers are better for WAN aggregation
- Layer 3 switches are more appropriate for scaling Layer 3 performance
- Layer 2 switches are more appropriate when the additional cost and complexity are not warranted
Lesson 9: Understanding Virtual LANs
This lesson covers virtual LANs or VLANs. We'll start by defining what a VLAN is and then explaining how it works. We'll conclude the lesson by talking about some key VLAN technologies such as ISL and VTP.
The Agenda
- What Is a VLAN?
- VLAN Technologies
What Is a VLAN?
Well, the reality of the work environment today is that personnel are always changing. Employees move departments; they switch projects. Keeping up with these changes can consume significant network administration time. VLANs address the end-to-end mobility needs that businesses require.
Traditionally, routers have been used to limit the broadcast domains of workgroups. While routers provide well-defined boundaries between LAN segments, they introduce the following problems:
- Lack of scalability (e.g., restrictive addressing on subnets)
- Lack of security (e.g., within shared segments)
- Insufficient bandwidth use (e.g., extra traffic results when segmentation of the network is based on physical location rather than on workgroups or interest groups)
- Lack of flexibility (e.g., costly reconfigurations are required when users are moved)
Virtual LAN, or VLAN, technology solves these problems because it enables switches and routers to configure logical topologies on top of the physical network infrastructure. Logical topologies allow any arbitrary collection of LAN segments within a network to be combined into an autonomous user group, appearing as a single LAN.
Virtual LANs
A VLAN can be defined as a logical LAN segment that spans different physical LANs. VLANs provide traffic separation and logical network partitioning.
VLANs logically segment the physical LAN infrastructure into different subnets (broadcast domains for Ethernet) so that broadcast frames are switched only between ports within the same VLAN. A VLAN is a logical grouping of network devices (users) connected to the port(s) on a LAN switch. A VLAN creates a single broadcast domain and is treated like a subnet.
Unlike a traditional segment or workgroup, you can create a VLAN to group users by their work functions, departments, the applications used, or the protocols shared, irrespective of the users' work location (for example, an AppleTalk network that you want to separate from the rest of the switched network). VLAN implementation is most often done in the switch software.
Remove the Physical Boundaries
Conceptually, VLANs provide greater segmentation and organizational flexibility. VLAN technology allows you to group switch ports and the users connected to them into logically defined communities of interest. These groupings can be coworkers within the same department, a cross-functional product team, or diverse users sharing the same network application or software (such as Lotus Notes users). Grouping these ports and users into communities of interest—referred to as VLAN organizations—can be accomplished within a single switch, or more powerfully, between connected switches within the enterprise. By grouping ports and users together across multiple switches, VLANs can span single building infrastructures or interconnected buildings. As shown here, VLANs completely remove the physical constraints of workgroup communications across the enterprise.
Additionally, the role of the router evolves beyond the more traditional role of firewalls and broadcast suppression to policy-based control, broadcast management, and route processing and distribution. Equally important, routers remain vital for switched architectures configured as VLANs because they provide the communication between logically defined workgroups (VLANs). Routers also provide VLAN access to shared resources such as servers and hosts, and connect to other parts of the network that are either logically segmented with the more traditional subnet approach or require access to remote sites across wide-area links. Layer 3 communication, either embedded in the switch or provided externally, is an integral part of any high-performance switching architecture.
VLAN Benefits
VLANs provide many internetworking benefits that are compelling.
Reduced administrative costs—Members of a VLAN group can be geographically dispersed. Members might be related because of their job functions or the type of data they use rather than the physical location of their workspace. The power of VLANs comes from the fact that adds, moves, and changes can be achieved simply by configuring a port into the appropriate VLAN. Expensive, time-consuming recabling to extend connectivity in a switched LAN environment, or host reconfiguration and re-addressing, is no longer necessary, because network management can be used to logically "drag and drop" a user from one VLAN group to another.
Better management and control of broadcast activity—A VLAN solves the scalability problems often found in a large flat network by breaking a single broadcast domain into several smaller broadcast domains or VLAN groups. All broadcast and multicast traffic is contained within each smaller domain.
Tighter network security with the establishment of secure user groups:
- High-security users can be placed in a separate VLAN group so that non-group members do not receive their broadcasts and cannot communicate with them.
- If inter-VLAN communication is necessary, a router can be added, and the traditional security and filtering functions of a router can be used.
- Workgroup servers can be relocated into secured, centralized locations.
Scalability and performance—VLAN groups can be defined based on any criteria; therefore, you can determine a network's traffic patterns and associate users and resources logically. For example, an engineer making intensive use of a networked CAD/CAM server can be put into a separate VLAN group containing just the engineer and the server. The engineer does not affect the rest of the workgroup. The engineer's dedicated LAN increases throughput to the CAD/CAM server and helps performance for the rest of the group by not affecting its work.
VLAN Components
There are five key components within VLANs:
Switches — For determining VLAN membership. This is where users/systems attach to the network.
Trunking — For exchanging VLAN information throughout the network. This is essential for larger environments that comprise several switches, routers, and servers.
Multiprotocol routing — For supporting inter-VLAN communications. Remember that while all members within the same VLAN can communicate directly with one another, routers are required for exchanging information between different VLANs.
Servers — Servers are not specifically required within VLAN environments; however, they are a staple within any network. Within a VLAN environment, users can utilize servers in several different ways, and we'll discuss them momentarily. Because VLANs are used throughout the network, users from multiple VLANs will most likely need their services.
Management — For security, control, and administration within the network. Effective management and administration is essential within any network environment, and it becomes even more imperative for networks using VLANs. The network management system must appropriately recognize and administer logical segments within the switched network.
Let's look at some of these components in more detail.
Establishing VLAN Membership
Switches provide the means for users to access a network and join a VLAN. Various approaches exist for establishing VLAN membership, and each of these methods has its positive and negative points.
Membership by Port
Let‘s look at the first method for determining or assigning VLAN membership:
Port-based — In this case, the port is assigned to a specific VLAN independent of the user or system attached to the port. This VLAN assignment is typically done by the network administrator and is not dynamic. In other words, the port cannot be automatically changed to another VLAN without the personal supervision and processing of the network administrator.
This approach is quite simple and fast, in that no complex lookup tables are required to achieve this VLAN segregation. If this port-to-VLAN association is done via ASICs, the performance is very good.
This approach is also very easy to manage, and a graphical user interface, or GUI, illustrating the VLAN-to-port association is normally intuitive for most users. As in other VLAN approaches, the packets within this port-based method do not leak into other VLAN domains on the network. The port is assigned to one and only one VLAN at any time, and no packets from other VLANs will "bleed" into or out of this port.
Membership by MAC Addresses
The other methods for determining VLAN membership provide more flexibility and are more "user-centric" than the port-based model. However, these methods are conducted with software in the switch and require more processing power and resources within the switches and the network. These solutions require a packet-by-packet lookup that decreases the overall performance of the switch. (Software solutions do not run as fast as hardware/ASIC-based solutions.)
In the MAC-based model, the VLAN assignment is linked to the physical media address, or MAC address, of the system accessing the network. This approach provides enhanced security benefits over the more "open" port-based approach, because all MAC addresses are unique. From an administrative aspect, the MAC-based approach requires slightly more work, because a VLAN membership table must be created for all of the users within each VLAN on the network. As a user attaches to a switch, the switch must verify and confirm the MAC address against a central/main table and place it into the proper VLAN.
The network address and user ID approaches are also more flexible than the port-based approach, but they also require even more overhead than the MAC-based method, because tables must exist throughout the network for all the relevant network protocols, subnets, and user addresses. With the user ID method, another large configuration/policy table must exist containing all authorized user login IDs. With both of these methods, the switches typically do not have enough resources (CPU, memory) to accommodate such large tables. Therefore, these tables must exist within servers located elsewhere in the network. Additionally, the latencies resulting from the lookup process are more significant in these approaches.
From an administrative aspect, the network and user ID-based approaches require more resources (memory and bandwidth) to use distributed tables on several switches or servers throughout the network. These two approaches also require slightly more bandwidth to share this information between switches and servers.
Multiple VLANs per Port
When addressing these various methods for implementing VLANs, customers always question the use of multiple VLANs per switch port. Can this be done? Does this make sense?
The means for implementing this type of design is based on using shared hubs off of switch ports. Members using the hub belong to different VLANs, and thus the switch port must also support multiple VLANs.
While this method does offer the flexibility of having VLANs completely port independent, it also violates one of the general principles of implementing VLANs: broadcast containment. An incoming broadcast on any VLAN would be sent to all hub ports, even though they may belong to a different VLAN. The switch, hub, and all end stations will have to process this broadcast even if it belongs to a different VLAN. This "bleeding" of VLAN information does not provide true segmentation, nor does it use resources effectively.
Communicating Between VLANs
Another key component of VLANs is the router. Routers provide inter-VLAN communications and are essential for sharing VLAN information in large
environments. The Layer 3 routing capabilities provide additional security between networks (access lists, protocol filtering, and so on).
In general, there are two approaches to using routers as communication points for VLANs:
- Logical connection method: Using ISL within the router, a trunk can be established between the switch and the router. One high-speed port is used, and information for multiple VLANs runs across this trunk link. (We'll explain ISL in just a minute.)
- Physical connection method: Multiple independent links are used between the router and the switch. Each link carries its own VLAN. This scenario does not require ISL to be implemented on the router and also allows lower-speed links to be used.
The proper method to implement depends on the customer's needs and requirements. (Does the customer need to conserve router and switch ports? Does the customer need a high-speed ISL port?) In both instances, the router still supports inter-VLAN communication.
Server Connectivity
The network server is another key component of VLANs. Servers provide file, print, and storage services to users throughout the network regardless of VLANs. To optimize their network environments, many customers deploy centralized server farms in their networks.
This eases administration of the servers and the Network Operating System, or NOS, significantly. These server farms contain servers that support the entire network, but each server supports a specific VLAN or number of VLANs.
As in the use of routers within VLANs, there are two approaches to using servers as common access within a VLAN environment:
- Logical connection method: Using a server adapter (NIC) running ISL, a trunk can be established between the switch and the server. One high-speed port is used, and information for multiple VLANs runs across this trunk link. This method offers greater flexibility as well as a high-performance solution that is easy to administer (that is, one NIC to set up and monitor). Note: ISL is now supported in several vendors' server NIC cards: Intel, CrossPoint. These adapters support up to 64 VLANs per port and cost approximately US$500.
- Physical connection method: Multiple independent links are used between the server and the switch. Each link carries its own VLAN. This method does not require ISL to be implemented on the server and also allows lower-speed links to be used.
The proper method to implement depends on the customer's needs and requirements. (Does the customer need to conserve switch ports? Does the customer need a high-speed ISL port? Does the customer want to use ISL server adapters?) In both methods, the server still supports multiple VLANs.
VLAN Technologies
Let's take a look at some technologies that are essential for VLAN implementations.
Inter-Switch Link
Cisco developed the Inter-Switch Link, or ISL, mechanism to support high-speed trunking between switches and other switches, routers, or servers in Fast Ethernet environments.
Cisco's Inter-Switch Link protocol (ISL) enables VLAN traffic to cross LAN segments. ISL is used for interconnecting multiple switches and maintaining VLAN information as traffic goes between switches. ISL uses "packet tagging" to send VLAN packets between devices on the network without impacting switching performance or requiring the use and exchange of complex filtering tables. Each packet is tagged according to the VLAN to which it belongs.
The benefits of packet tagging include manageable broadcast domains that span the campus; bandwidth management functions such as load distribution across redundant backbone links and control over spanning tree domains; and a substantial cost reduction in the number of physical switch and router ports required to configure multiple VLANs.
The ISL protocol enables in excess of 1000 VLANs concurrently without requiring any fragmentation or reassembly of the packets. Additionally, ISL wraps a 48-byte "envelope" around the packet that handles processing, priority, and quality-of-service, or QoS, features. ISL is not limited to Fast Ethernet/Ethernet packet sizes (1518 bytes) and can even accommodate large packet sizes up to 16000 bytes, which is appropriate for Token Ring. It is important to understand that ISL (and 802.1Q, a format used by some other vendors, for that matter) are both just packet-tagging formats. Neither sets up a standard for administration.
VLAN Standardization
While Cisco was first to market with its revolutionary packet tagging schemes for
Fast Ethernet and FDDI, they are proprietary solutions. Other vendors implemented their own unique methods for sharing VLAN information across the network. As a
result, a standards body was created within the IEEE to provide one common VLAN communication standard. This ultimately benefits customers using switches from various vendors in the marketplace.
Within the 802.1Q standard, packet tagging is the exchange vehicle for VLAN information.
Because ISL is so widely deployed in our installed customer base, Cisco will continue to support both ISL and 802.1Q. It is important to note that Cisco's dual-mode support of both methods will be implemented via hardware ASICs, which will provide tremendous performance.
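To make the membership models and the tagging format concrete, here is an added example (written for these notes, not Cisco code or any switch vendor's implementation) that parses the 802.1Q tag of an Ethernet frame and applies port-based and MAC-based membership plus broadcast containment on a single switch. The port names, MAC addresses, and VLAN numbers are constructed sample values; the tag layout (TPID 0x8100, then a 16-bit TCI holding a 3-bit priority and a 12-bit VLAN ID) is the IEEE 802.1Q one.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an IEEE 802.1Q tag

# Constructed membership tables for one switch (sample values, not from the notes).
PORT_VLAN = {"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 20}            # port-based membership
MAC_VLAN = {"00:11:22:33:44:55": 10, "00:11:22:33:44:66": 20}   # MAC-based membership
TRUNK_PORTS = {"Gi0/1"}                                        # 802.1Q trunk to the router


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan_id is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        tci = ((priority & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id, priority, ethertype, payload).
    vlan_id and priority are None when no 802.1Q tag is present."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = priority = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13        # 3-bit priority code point
        vlan_id = tci & 0x0FFF      # 12-bit VLAN identifier
        offset = 18
    return dst, src, vlan_id, priority, ethertype, frame[offset:]


def ingress_vlan(port, frame, mode="port"):
    """Assign an incoming frame to a VLAN the way the notes describe:
    - trunk port: the VLAN comes from the 802.1Q tag (untagged frames are refused);
    - access port, mode="port": the VLAN is fixed by the port;
    - access port, mode="mac": the VLAN is looked up from the source MAC in the
      central membership table (the packet-by-packet lookup the notes mention)."""
    _, src, vlan_id, _, _, _ = parse_frame(frame)
    if port in TRUNK_PORTS:
        if vlan_id is None:
            raise PermissionError("untagged frame on trunk port refused")
        return vlan_id
    if vlan_id is not None:
        # An access port must not honour a tag supplied by the end station;
        # otherwise the station, not the administrator, would pick its VLAN.
        raise PermissionError(f"tagged frame refused on access port {port}")
    if mode == "port":
        return PORT_VLAN[port]
    if mode == "mac":
        if src not in MAC_VLAN:
            raise PermissionError(f"MAC {src} has no VLAN membership")
        return MAC_VLAN[src]
    raise ValueError(f"unknown membership mode {mode!r}")


def may_forward(vlan_id, egress_port):
    """Broadcast containment: a frame leaves only via ports in its own VLAN,
    or via a trunk where the tag is carried along."""
    if egress_port in TRUNK_PORTS:
        return True
    return PORT_VLAN.get(egress_port) == vlan_id


def egress_frame(frame, vlan_id, egress_port):
    """Tag the frame for a trunk, strip the tag for an access port."""
    dst, src, _, priority, ethertype, payload = parse_frame(frame)
    if egress_port in TRUNK_PORTS:
        return build_frame(dst, src, ethertype, payload, vlan_id, priority or 0)
    return build_frame(dst, src, ethertype, payload)
```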
VLAN Standard Implementation
This diagram illustrates a typical customer implementation of the 802.1Q VLAN standard. This scenario is based upon a customer network composed of two separate campuses based on different vendors' technology (Cisco and vendor X).
If the customer already has Cisco switches deployed, it can maintain its use of ISL. Also, it can maintain its use of the VLAN trunking scheme used by vendor X. However, the newly joined network must use the 802.1Q standard to share VLAN information between switches within the campus.
Virtual Trunk Protocol (VTP)
In addition to the ISL packet tagging method, Cisco also created the Virtual Trunking Protocol, or VTP, for dynamically configuring VLAN information across the network
regardless of media type (for example Fast Ethernet, ATM, FDDI, and so on). This VTP protocol is the software that makes ISL usable.
VTP enables VLAN communication from a centralized network management platform, thus minimizing the amount of administration that is required when adding or changing VLANs anywhere within the network. VTP completely eliminates the need to administer VLANs on a per-switch basis, an essential characteristic as the number of a network's switches and VLANs grows and reaches a point where changes can no longer be reliably administered on individual components. VTP allows for greater scalability because it eliminates complex VLAN administration tasks across every switch.
Conceptually, VTP works like this: When you add a new VLAN to the network, let's say VLAN 1, VTP automatically goes out and configures the trunk interfaces across the backbone for that VLAN. This includes the mapping of ISL to LANE or to 802.1Q. Adding a second VLAN is just as easy. VTP sends out new advertisements and maps the VLAN across the appropriate interfaces. The important thing to remember about this second VLAN is that VTP keeps track of the VLANs that already exist and eliminates the cross-configuration between the two that could occur if this configuration were done manually.
- Summary -
- VLANs enable logical (instead of physical) groups of users on a switch
- VLANs address the needs for mobility and flexibility
- VLANs reduce administrative overhead, improve security, and provide more efficient bandwidth utilization
Lesson 10: Understanding Quality of Service
QoS is important to many network applications. Voice/data integration is not possible without it. Nor is effective multimedia, or even VPNs. In this module, we'll discuss what QoS is and some of its building blocks. We'll also look at some specific examples of how QoS can be used.
The Agenda
- What Is QoS?
- QoS Building Blocks
- QoS in Action
What Is Quality of Service (QoS)?
Basically, QoS comprises the mechanisms that give network managers the ability to
control the mix of bandwidth, delay, variances in delay (jitter), and packet loss in the network in order to deliver a network service such as voice over IP; define different service-level agreements (SLAs) for divisions, applications, or organizations; or simply
prioritize traffic across a WAN.
QoS provides the ability to prioritize traffic and allocate resources across the network to ensure the delivery of mission-critical applications, especially in heavily loaded environments. Traffic is usually prioritized according to protocol.
So what does this really mean...
An analogy is the carpool lane on the highway. For business applications, we want to give high priority to mission-critical applications. All other traffic can receive equal
treatment.
Mission-critical applications are given the right of way at all times. Multimedia applications take a lower priority. Bandwidth-consuming applications, such as file
transfers, can receive an even lower priority.
What Is Driving the Need for QoS?
There are two broad application areas that are driving the need for QoS in the network:
- Mission-critical applications need QoS to ensure delivery and that their traffic is not impacted by misbehaving applications using the network.
- Real-time applications such as multimedia and voice need QoS to guarantee
bandwidth and minimize jitter. This ensures the stability and reliability of existing applications when new applications are added.
Voice and data convergence is the first compelling application requiring delay-sensitive traffic handling on the data network. The move to save costs and add new features by converging the voice and data networks--using voice over IP, VoFR, or
VoATM--has a number of implications for network management:
- Users will expect the combined voice and data network to be as reliable as the voice network: 99.999% availability
- To even approach such a level of reliability requires a sophisticated management capability; policies come into play again
So what are mission-critical applications?
Enterprise Resource Planning (ERP) applications:
- Order entry
- Finance
- Manufacturing
- Human resources
- Supply-chain management
- Sales-force automation
What else is mission critical?
- SNA applications
- Selected physical ports
- Selected hosts/clients
QoS Benefits
QoS provides tremendous benefits. It allows network managers to understand and control which resources are being used by applications, users, and departments.
It ensures the WAN is being used efficiently by the mission-critical applications and that other applications get "fair" service, but take a back seat to mission-critical traffic.
It also provides an infrastructure that delivers the service levels needed by new mission-critical applications, and lays the foundation for the "rich media" applications of today and tomorrow.
Where Is QoS Important?
QoS is required wherever there is congestion. QoS has been a critical requirement for the WAN for years. Bandwidth, delay, and delay variation requirements are at a premium in the wide area.
LAN QoS requirements are emerging with the increased reliance on mission critical applications and the growing popularity of voice over LAN and WAN.
The importance of end-to-end QoS is increasing due to the rapid growth of intranets and extranet applications that have placed increased demands on the entire network.
QoS Example
Hopefully this image provides a little context. It demonstrates a real example of how QoS could be used to manage network applications.
QoS Building Blocks
Let's now take a look at some of the building blocks of QoS.
There is a wide range of QoS services. Queuing, traffic shaping, and filtering are essential to traffic prioritization and congestion control, determining how a router or switch handles incoming and outgoing traffic. QoS signaling services determine how network nodes communicate to deliver the specific end-to-end service required by applications, flows, or sets of users. Let's take a look at a few of these.
Classification
- IP Precedence
- Committed Access Rate (CAR)
- Diff-Serv Code Point (DSCP)
- IP-to-ATM Class of Service
- Network-Based Application Recognition (NBAR)
- Resource Reservation Protocol (RSVP)
Policing
- Committed Access Rate (CAR)
- Class-Based Weighted Fair Queuing (CBWFQ)
- Weighted Fair Queuing (WFQ)
Shaping
- Generic Traffic Shaping (GTS)
- Distributed Traffic Shaping (DTS)
- Frame Relay Traffic Shaping (FRTS)
Congestion Avoidance
- Weighted Random Early Detection (WRED)
- Flow-Based WRED (Flow RED)
Congestion Management— Fancy Queuing
Weighted fair queuing is another queuing mechanism that ensures high priority for
sessions that are delay sensitive, while ensuring that other applications also get fair treatment.
For instance, in the Cisco network, Oracle SQLnet traffic, which consumes relatively low bandwidth, jumps straight to the head of the queue, while video and HTTP are
serviced as well. This works out very well because these applications do not require a lot of bandwidth as long as they meet their delay requirements.
A sophisticated algorithm looks at the size and frequency of packets to determine
whether a specific session has a heavy traffic flow or a light traffic flow. It then treats the respective queues of each session accordingly.
Weighted fair queuing is self-configuring and dynamic. It is also turned on by default when routers are shipped.
Other options include:
- Priority queuing assigns different priority levels to traffic according to traffic types or source and destination addresses. Priority queuing does not allow any traffic of a lower priority to pass until all packets of high priority have passed. This works very well in certain situations. For instance, it has been very successfully implemented in Systems Network Architecture (SNA) environments, which are very sensitive to delay.
- Custom queuing provides a guaranteed level of bandwidth to each application, in the same way that a time-division multiplexer (TDM) divides bandwidth among channels. The advantage of custom queuing is that if a specific application is not using all the bandwidth it is allotted, other applications can use it. This assures that mission-critical applications receive the bandwidth they need to run efficiently, while other applications do not time out either.
This has been implemented especially effectively in applications where SNA leased lines have been replaced, to provide guaranteed transmission times for very time-sensitive SNA traffic. What does "no bandwidth wasted" mean? Traffic loads are redirected when and if space becomes available. If there is space and there is traffic, the bandwidth is used.
Random Early Detection (RED)
Random Early Detection (RED) is a congestion avoidance mechanism designed for packet-switched networks that aims to control the average queue size by indicating to the end hosts when they should temporarily stop sending packets. RED takes advantage of TCP's congestion control mechanism. By randomly dropping packets prior to periods of high congestion, RED tells the packet source to decrease its transmission rate.
Assuming the packet source is using TCP, it will decrease its transmission rate until all the packets reach their destination, indicating that the congestion is cleared. You can use RED as a way to cause TCP to back off traffic. TCP not only pauses, but it also restarts quickly and adapts its transmission rate to the rate that the network can support.
RED distributes losses in time and normally maintains a low queue depth while absorbing spikes. When enabled on an interface, RED begins dropping packets when congestion occurs, at a rate you select during configuration.
RED is recommended only for TCP/IP networks. RED is not recommended for protocols, such as AppleTalk or Novell NetWare, that respond to dropped packets by retransmitting the packets at the same rate.
Weighted RED
Cisco's implementation of RED, called Weighted Random Early Detection (WRED), combines the capabilities of the RED algorithm with IP Precedence. This combination provides preferential traffic handling for higher priority packets. It can selectively discard lower priority traffic when the interface begins to get congested, and provide differentiated performance characteristics for different classes of service. WRED differs from other congestion management techniques such as queuing strategies because it attempts to anticipate and avoid congestion rather than controlling congestion once it occurs.
WRED is useful on any output interface where you expect to have congestion. However, WRED is usually used in the core routers of a network, rather than at the network's edge. Edge routers assign IP precedences to packets as they enter the network. WRED uses these precedences to determine how it treats different types of traffic. WRED provides separate thresholds and weights for different IP precedences, allowing you to provide different qualities of service for different traffic. Standard traffic may be dropped more frequently than premium traffic during periods of congestion. Let's take a look at how WRED works.
By randomly dropping packets prior to periods of high congestion, WRED tells the packet source to decrease its transmission rate. Assuming the packet source is using TCP, it will decrease its transmission rate until all the packets reach their destination, indicating that the congestion is cleared. WRED generally drops packets selectively based on IP Precedence. Packets with a higher IP Precedence are less likely to be dropped than packets with a lower precedence. Thus, higher priority traffic is delivered with a higher probability than lower priority traffic. However, you can also configure WRED to ignore IP precedence when making drop decisions, so that non-weighted RED behavior is achieved. WRED is also RSVP-aware, and can provide the integrated services controlled-load QoS service.
WRED reduces the chances of tail drop by selectively dropping packets when the output interface begins to show signs of congestion. By dropping some packets early rather than waiting until the buffer is full, WRED avoids dropping large numbers of packets at once and minimizes the chances of global synchronization. Thus, WRED allows the transmission line to be used fully at all times. In addition, WRED statistically drops more packets from large users than from small ones. Therefore, traffic sources that generate the most traffic are more likely to be slowed down than traffic sources that generate little traffic.
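The RED and WRED behaviour described above, as an added worked example (written for these notes, not Cisco's implementation): an average queue depth is tracked as an exponential moving average, each IP precedence gets its own minimum threshold, maximum threshold and maximum drop probability, and a packet is dropped early with a probability that rises linearly between the two thresholds. The profile values, the averaging weight and the arrival trace are constructed sample values chosen to show the effect, not router defaults.

```python
import random

# Constructed per-precedence WRED profiles (sample values, not Cisco defaults):
# lower precedence starts dropping earlier (lower min_th) and harder (higher max_p).
WRED_PROFILES = {
    0: {"min_th": 5, "max_th": 20, "max_p": 0.30},   # routine traffic
    5: {"min_th": 25, "max_th": 40, "max_p": 0.05},  # premium traffic
}
WEIGHT = 0.2  # weight of the newest sample in the average queue depth (assumption)


def wred_drop_probability(avg_qlen, profile):
    """RED drop curve: 0 below min_th, rising linearly to max_p at max_th,
    and 1 (forced drop) at or above max_th."""
    if avg_qlen < profile["min_th"]:
        return 0.0
    if avg_qlen >= profile["max_th"]:
        return 1.0
    span = profile["max_th"] - profile["min_th"]
    return profile["max_p"] * (avg_qlen - profile["min_th"]) / span


def wred_decide(avg_qlen, precedence, rnd, profiles=WRED_PROFILES):
    """True if the packet should be dropped early. rnd is a uniform [0,1)
    sample; a precedence without its own profile uses the precedence-0 one."""
    profile = profiles.get(precedence, profiles[0])
    return rnd < wred_drop_probability(avg_qlen, profile)


def simulate(arrivals, queue_limit=30, service_per_tick=1, rng=None, weighted=True):
    """Push a constructed arrival trace through a WRED-guarded FIFO queue.
    arrivals: one list per tick holding the IP precedence of each packet arriving
    in that tick. weighted=False ignores precedence (plain RED behaviour).
    Returns ({precedence: counters}, final queue contents)."""
    rng = rng or random.Random(7).random
    queue, avg, stats = [], 0.0, {}
    for tick in arrivals:
        for prec in tick:
            s = stats.setdefault(prec, {"accepted": 0, "dropped_early": 0, "tail_dropped": 0})
            avg = (1 - WEIGHT) * avg + WEIGHT * len(queue)   # exponential moving average
            if len(queue) >= queue_limit:
                s["tail_dropped"] += 1          # buffer full: the case WRED tries to avoid
            elif wred_decide(avg, prec if weighted else 0, rng()):
                s["dropped_early"] += 1         # early drop signals the TCP source to slow down
            else:
                s["accepted"] += 1
                queue.append(prec)
        del queue[:service_per_tick]            # transmit up to N packets this tick
    return stats, queue
```

With the trace used in the test (three arrivals per tick against one departure), the routine-precedence packets start being dropped once the average depth passes the low threshold while the premium packets, whose threshold is never reached, all get through.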
QoS Signaling: Resource Reservation Protocol
RSVP is the first significant industry-standard protocol for dynamically setting up end-to-end QoS across a heterogeneous network. RSVP provides transparent operation through routers that do not support RSVP.
Explained simply, RSVP is the ability for an end station or host to request a certain level of QoS across a network. RSVP carries the request through the network, visiting each node that the network uses to carry the stream. At each node, RSVP attempts to
make a resource reservation for the data stream. RSVP is designed to utilize the robustness of current IP routing algorithms. This protocol does not perform its own
routing; instead, it uses underlying routing protocols to determine where it should carry reservation requests.
Example: No Quality of Service
Here's an example of how RSVP works. Let's first look at what the problem would be without RSVP.
In this example, the video traffic still gets through, but it is impacted by a large file transfer in progress. This has a negative effect on the quality of the video, and the picture comes out all jittery.
What we need is a method to reserve bandwidth from end to end on a per-application basis. RSVP can do this.
This figure explains how RSVP actually works. RSVP reserves bandwidth from end to end on a per-application basis for each user.
This is especially important for delay-sensitive applications, such as video.
As shown here, with RSVP, the client's application requests that bandwidth be reserved at each of the network elements on the path. These elements will reserve the requested bandwidth using priority and queuing mechanisms.
Once the server receives the OK, bandwidth has been reserved across the whole path, and the video stream can start being transmitted. RSVP ensures clear video reception.
The good news is that RSVP is becoming widely accepted by industry leaders, such as Microsoft and Intel, who are implementing RSVP support in their applications. These applications include Intel's ProShare and Microsoft's NetShow. To provide support on a network, Cisco routers also run RSVP.
End-to-End QoS
End-to-end QoS is essential. The following image provides a context for the different QoS features we looked at.
QoS in Action
Example 1: Prioritization of IP Telephony
Example 2: ERP Application
- SUMMARY -
The goal of QoS is to provide better and more predictable network service by providing dedicated bandwidth, controlled jitter and latency, and improved loss characteristics. QoS achieves these goals by providing tools for managing network congestion, shaping network traffic, using expensive wide-area links more efficiently, and setting traffic policies across the network.
- QoS provides guaranteed availability
  - Prioritization of mission-critical versus noncritical applications
  - Interactive and time-sensitive applications
  - Voice, video, and data integration
- Key QoS building blocks
  - classification
  - policing
  - shaping
  - congestion avoidance
Lesson 11: Security Basics
Welcome to Lesson 11. Our goal here is to give you the terminology, the words that your customers are going to want you to know and want you to be able to converse with.
The Agenda
- Why Security?
- Security Technology
- Identity
- Integrity
- Active Audit
All Networks Need Security
Security is very important. The Internet is a wonderful tool. Meteoric growth like that of Cisco, from nowhere to a multi-billion dollar company in a decade, would not be possible without leveraging the tools available with the Internet and intranet.
But without well-defined security, the Internet can be a dangerous place. The good news is that the tools are available to make the Internet a safe place for your business. Some people think that only large sites are hacked. In reality, even small company sites are hacked.
There's a false impression among many small company owners that, "Hey, who would want to break into my company? I'm a nobody. I'm not a big corporation like IBM or the Pentagon or something like that, so why would somebody want to break into my company?" The reality is that even small companies are hacked into very, very often.
Why Security?
Why network security? There are three primary reasons to explore network security.
- One is policy vulnerabilities.
- Another one is configuration vulnerabilities.
- Lastly, there are technology vulnerabilities.
And the bottom line is that there are people who are willing and eager to take advantage of these vulnerabilities.
Security Threats
So these are some of the different things that we need to protect against:
Loss of privacy: Without encryption, every message sent may be read by an unauthorized party. This is probably the largest inhibitor of business-to-business communications today.
Impersonation: You must also be careful to protect your identity on the Internet. Many security systems today rely on IP addresses to uniquely identify users. Unfortunately this system is quite easy to fool and has led to numerous break-ins.
Denial of service: And you must ensure that your systems are available. Over the last several years, attackers have found deficiencies in the TCP/IP protocol suite that allow them to arbitrarily cause computer systems to crash.
Loss of integrity: Even for data that is not confidential, one must still take measures to ensure data integrity. For example, if you were able to securely identify yourself to your bank using digital certificates, you would still want to ensure that the transaction itself is not modified in some way, such as by changing the amount of the deposit.
Security Objective: Balance Business Needs with Risks
Objectives for security need to balance the risks of providing access with the need to protect network resources. Creating a security policy involves evaluating the risks, defining what's valuable, and determining whom you can trust. The security policy plays three roles to help you specify what must be done to secure company assets.
- It specifies what is being protected and why, and the responsibility for that protection.
- It provides grounds for interpreting and resolving conflicts in implementation, without listing specific threats, machines, or individuals. A well-designed policy does not change much over time.
- It addresses scalability issues.
Employees expect access, but an enterprise requires security. It is important to plan with scalability and deployment of layered technologies in mind. Security policies that inhibit productivity may be too restrictive.
Security Technology
Security technology typically falls into one of three categories.
Identity: Links user authentication and authorization on the network infrastructure; verifies the identity of those requesting access and prescribes what users are allowed to do.
Integrity: Provides data confidentiality through firewalls, management control, routing, privacy and encryption, and access control.
Active Audit: Provides data on network activities and assists network administrators to account for network usage, discover unauthorized activities, and scan the network for security vulnerabilities.
Identity
Let's start by looking at some identity technologies. Again, identity is the recognition of each individual user, and the mapping of their identity, location, and the time to policy; the authorization of their network services and what they can do on the network.
Why is identity important? With IP addresses no longer being static (because of exhaustion of address space) and with solutions such as NAT and DHCP, etc., people are no longer tied to addresses. Ideally, we should be able to gain appropriate access based on who we are.
Identity can be determined by a number of technologies (user name and password, token card, digital certificate), and each can be configured for a policy setting that indicates the degree of trust. Administrators can also configure access by time of day; identity authorizations can also include a time metric for future time-based access capability.
The key to centralized identity and security policy management is the "combination" of all key authentication mechanisms, from SecurID and DES Dial cards to MS Login, and their internetworking with one common identity repository.
To truly be centralized and configured once only, the identity mechanism must also be media independent; equally applicable to dial users and campus users, for example.
Let's look at some of these technologies.
Username/Password
For basic security, user IDs and passwords can be used to authenticate remote users.
First, a remote user dials into the network access server. The NAS, or network access server, negotiates data link setup with the user using (most likely) PPP. As part of this negotiation, the user must send a password to the NAS. This is usually handled by either the PAP or CHAP protocols, which we'll cover in more detail in a little bit. Next, the NAS forwards the user's password to a AAA server to verify that it is legitimate. The protocol used between the NAS and AAA server is (most likely) either TACACS+ or RADIUS. I'll be covering these protocols in more detail in a minute.
When the AAA server gets the user ID and password, it checks its database of legitimate users and looks for a match. If a match is found, the AAA server sends the NAS a call accept message. If not, the AAA server sends the NAS a call reject message. If the call is accepted, the user is connected to the campus network.
PAP and CHAP Authentication
Now let's back up for a minute and explain a little more about the process of dial-in connections.
Many of you have probably heard of PPP (Point-to-Point Protocol) before. PPP is used primarily on dial-in connections since it provides a standard mechanism for passing authentication information such as a password from a remote user to the NAS. Two protocols are supported to carry the authentication information: PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). These protocols are well documented in IETF RFCs and widely implemented in vendor products.
PAP provides a simple password protocol. The user ID and password are sent at the beginning of the call, then validated by the access server using a central PAP database. The PAP password database is encrypted, but the password is sent in clear text through the public network. A AAA server may be used to hold the password database.
The problem with PAP is that it is subject to sniffing and replay attacks. A hacker could intercept the communication and use the information to spoof a legitimate user.
CHAP provides an improved authentication protocol. The access server periodically challenges remote access devices such as a router to provide a proper password. The initial CHAP authentication is performed during login; network administration can specify the rate of subsequent authentication. These repeated challenges limit the time of exposure of any single attack. The password is sent encrypted. Both sides can use the challenge/response mechanism supported by CHAP to authenticate the device at the other end.
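The PAP-versus-CHAP difference above, as an added example written for these notes (not code from any access server or AAA product): it builds the PAP Authenticate-Request from RFC 1334, in which the password travels in clear text, and the CHAP exchange from RFC 1994, in which the access server sends a fresh random challenge and the peer answers with MD5 over the identifier, the shared secret and the challenge. The user name and secret are constructed sample values; `AccessServer` and `chap_login` are names chosen here for the NAS role and the peer's side of the exchange.

```python
import hashlib
import hmac
import os
import struct

# Constructed user database for the example (sample values, not a real AAA backend).
USERS = {b"alice": b"s3cret-phrase"}


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request as laid out in RFC 1334 (Code 1, Identifier,
    Length, Peer-ID-Length, Peer-ID, Passwd-Length, Password). The password
    travels in clear text, so anyone sniffing the link can read and replay it."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || Challenge Value).
    The secret itself never crosses the link; only this digest does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response_packet(identifier: int, value: bytes, name: bytes) -> bytes:
    """CHAP Response packet: Code 2, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", 2, identifier, 4 + len(body)) + body


class AccessServer:
    """The NAS side of CHAP: issues challenges and verifies responses.
    Every challenge is fresh and answers once, so a captured response is
    useless against the next challenge (no replay)."""

    def __init__(self, users):
        self.users = users
        self.pending = {}      # name -> (identifier, challenge) awaiting a response
        self.identifier = 0

    def challenge(self, name: bytes):
        self.identifier = (self.identifier + 1) & 0xFF
        value = os.urandom(16)               # unpredictable, never reused
        self.pending[name] = (self.identifier, value)
        return self.identifier, value

    def verify(self, name: bytes, identifier: int, value: bytes) -> bool:
        pend = self.pending.pop(name, None)  # a challenge can be answered only once
        secret = self.users.get(name)
        if pend is None or pend[0] != identifier or secret is None:
            return False
        expected = chap_response_value(identifier, secret, pend[1])
        return hmac.compare_digest(expected, value)   # constant-time comparison


def chap_login(nas: AccessServer, name: bytes, secret: bytes) -> bool:
    """The whole exchange from the peer's point of view: challenge, response, result.
    The same call models the periodic re-challenges the notes mention."""
    identifier, challenge = nas.challenge(name)
    value = chap_response_value(identifier, secret, challenge)
    return nas.verify(name, identifier, value)
```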
One-Time Password
For a more restrictive security policy, a one-time password would be used.
One-time passwords are a unique combination of something a person knows (like a PIN or password) and something a person possesses (like a token card). A one-time password is more secure than a simple password since it changes every time the user tries to log in, and it can only be used once; therefore, it is safe against spoofing and replay attacks. There are three commonly used ways to create one-time passwords:
- Token cards are the most common way. The two most common token cards are the SecurID card by Security Dynamics and the DES Gold card by Enigma Logic. In one, the user enters a PIN into the card and the card displays the one-time password, which the user types in at their terminal. In the other, the user appends a PIN to the random number displayed on the token card, and enters this new password at their terminal.
- Soft tokens are the same as token cards except the user doesn't have to carry around a physical card. Software runs on the user's PC that performs the same function as the token card, and the user need only enter a PIN.
- S/Key is a PC application that presents a dialog box to the user upon login, into which the user must enter the correct combination of six key words.
The process used to send the one-time password to the NAS is virtually the same as that used for the password example described in the previous slide. When the NAS receives the one-time password, it forwards it to the AAA server using either the TACACS+ or RADIUS protocol. When the AAA server receives the one-time password, it forwards it to a token server for authentication. The accept or reject message flows back to the NAS through the AAA server.
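The hash-chain idea behind S/Key, as an added illustration (not code from the lesson): the server stores one value, each password works exactly once, and a captured password cannot be replayed.

```python
"""Hash-chain one-time passwords, the idea behind S/Key (RFC 1760); added illustration.

Simplified and not the page's code: real S/Key folds an MD4 or MD5 output to 64 bits
and shows it as six dictionary words; here SHA-256 digests stand in for the words so
that only the chain logic is visible. The server stores one value and never learns the
passphrase; each password works once, and a captured one cannot be replayed.
"""
import hashlib
from typing import Tuple


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def chain_value(passphrase: str, seed: str, n: int) -> bytes:
    """Link n of the chain: the hash applied n times to (seed || passphrase)."""
    v = (seed + passphrase).encode()
    for _ in range(n):
        v = h(v)
    return v


class OtpServer:
    """Holds the chain tip H^count; a valid password is the previous link H^(count-1)."""

    def __init__(self, seed: str, count: int, tip: bytes):
        self.seed, self.count, self.tip = seed, count, tip

    def challenge(self) -> Tuple[int, str]:
        """Tells the user's token software which link to compute next."""
        return self.count - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        if self.count <= 1 or h(otp) != self.tip:   # must hash forward to the stored tip
            return False
        self.tip, self.count = otp, self.count - 1  # the accepted password becomes the new tip
        return True


def demo():
    passphrase, seed, n = "correct horse battery", "ex12345", 100  # constructed
    server = OtpServer(seed, n, chain_value(passphrase, seed, n))   # initialised once
    logins = []
    for _ in range(3):
        k, s = server.challenge()                    # server: "give me link k"
        logins.append(server.verify(chain_value(passphrase, s, k)))
    # A sniffer replays the last accepted password: it is now the tip, so it fails.
    replay = server.verify(chain_value(passphrase, seed, server.count))
    return logins, replay, server.count
```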
Authentication, Authorization, and Accounting (AAA)
We've mentioned AAA servers. What does this mean? AAA stands for authentication, authorization, and accounting.
Authentication provides exact end-user verification: I need to know exactly who this person is, and how they prove it to me.
Authorization is the second step. Now that I know who you are, what can you do? I need to assign IP addresses, provide routes, and block access to certain resources. All the things I can do to a local user, I should be able to control for a remote user.
Accounting is the last step. I need to create an accurate record of the transactions of this user. How long were they connected? How much data did they FTP? What was the cause of their disconnection? This allows me not only to bill my customers accurately, but to understand my user base.
AAA Services
A AAA server provides a centralized security database that offers per-user access control. It supports services such as TACACS+ and RADIUS, which we'll discuss in a minute, as well as services such as:
- Per-user access lists: load per-user ACLs after authentication
- Per-user static routes
- Lock & Key
- AutoCommand: links the user to a user profile so their preferences take effect; adds efficiency and provides limits to their access/use.
RADIUS
RADIUS is an access server authentication and accounting protocol that has gained wide support.
The RADIUS authentication server maintains user authentication and network access information. RADIUS clients run on access servers and send authentication requests to the RADIUS authentication server.
TACACS+ Authentication
With TACACS authentication, when a user requests to log in to a terminal server or a router, the device will ask for a user login name and password. The device will then send a request for validation to the TACACS server in its configuration. The server will validate the login and password pair against a TACACS password file. If the name and the password are validated, the login is successful.
There are two flavors of TACACS: the original TACACS and extended TACACS, or TACACS+. The primary difference between the two is that TACACS+ provides more information when a user logs in, thus allowing more control than the original TACACS.
Lock-and-Key Security
Lock and Key challenges users to respond to a login and password prompt before loading a unique access list into the local or remote router.
In this example, Lock and Key security allows only authorized users to access services beyond the firewall at the corporate site.
Calling Line Identification
Caller ID is another security mechanism for dial-in access. It allows routers to look at the ISDN number of a calling device and compare it with a list of known callers. If the number is not in the list, the call is rejected and no charges are incurred by the calling party.
User Authentication with Kerberos
Kerberos is another technology. It is one that has historically been broken into; however, it provides a good level of security. With Kerberos you create a ticket that has a specific lifetime allocated to it.
So with Kerberos, once a ticket is issued to me, the knowledge that that ticket was sent, plus my login itself, ensures that I have access to that system. The tickets, or credentials, are issued by a trusted Kerberos server that you log on to with some specific ID that you have.
How Public Key Works
You'll hear a term called a public key. This is how a public key works: a public key works in conjunction with something called a private key.
This is technology that was actually developed back in the '70s. The private key is something that you keep to yourself; it exists perhaps on your PC or perhaps as a piece of code that you have. A public key is something that you publish to the outside world.
What you do is take your document and send it out with your public key, which can be accessed by the user who receives your document, but you encrypt the document using your private key. By using these two things together, another user who receives your document can use your public key to ensure that the document you sent is, in fact, the document you thought it was.
So the two keys together, in essence, create a unique key, something that is uniquely known by the combination of the private and the public key.
Digital Signatures
Now, digital signatures take us a little bit further. With digital signatures, what we do is take the original document and run it along with the private key to create something called the hash. This is another, unique document that is created with a digital signature.
Now, that unique document is sent along, and your public key can be used in conjunction with that new, smaller document. If that public key checks out against that document, then you know the confidentiality of the original document is in place.
So here we've verified both the user sending the document and the document itself as being truthful and, in fact, the document that we thought was sent out. In this way, we know that the document hasn't been altered.
Certificate Authority
You might want to ensure that important documents go out with some kind of encryption or digital signature so you know they are exactly what the sender intended. A certificate authority allows you to do just that. It relies on a third party to issue the kinds of certificates that ensure that you are who you say you are.
Why would you want a third party to do that? Well, there are a number of reasons. One may be cost: maybe it's more cost effective to have a third party do it rather than run a certificate authority yourself. Another reason is if you're involved with third parties. Say I'm a manufacturer and I have a supplier. Well, that same supplier may also supply a competitor of mine.
So I don't want to issue certificates from my corporate database to the supplier, because they could be used maliciously by somebody at my competitor's site. I want a trusted third party, somebody that everybody trusts equally. The certificate authority verifies identity; it knows who all the different players are. It signs the digital certificate containing the device's public key, so this becomes the equivalent of an ID card. Now, there are a number of different partners that we use for this. These include Verisign, Entrust, Netscape, and Baltimore Technologies.
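The signing and certificate steps from the two sections above, as an added illustration (not code from the lesson): a document is hashed and the hash signed with a private key, the matching public key verifies it, and a certificate authority signs the binding between a name and that public key. The RSA here is a textbook toy built from the standard library, so it demonstrates the mechanics only.

```python
"""Hash-then-sign and CA-issued certificates, as an added illustration.

Toy RSA from the standard library only (256-bit primes, the SHA-256 digest
signed as a bare integer, no padding). It shows the mechanics the sections
above describe; it is not usable for real security.
"""
import hashlib
import json
import math
import random

_rng = random.Random(2024)  # fixed seed so the example is reproducible


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_keypair(bits: int = 256):
    """Returns (public, private) as ((n, e), (n, d))."""
    def prime() -> int:
        while True:
            cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(cand):
                return cand
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def digest(data: bytes, n: int) -> int:
    """The document is hashed first; the signature covers the hash, not the text."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    n, d = private
    return pow(digest(data, n), d, n)          # private key "encrypts" the hash


def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == digest(data, n)   # public key recovers it for comparison


def issue_certificate(ca_private, subject: str, subject_pub) -> dict:
    """The CA binds a name to a public key and signs that binding."""
    body = {"subject": subject, "n": subject_pub[0], "e": subject_pub[1]}
    blob = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": sign(ca_private, blob)}


def verify_certificate(ca_public, cert: dict) -> bool:
    blob = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(ca_public, blob, cert["sig"])


def demo():
    """Returns (cert ok, signature ok, tampered document ok, rogue cert ok)."""
    ca_pub, ca_priv = gen_keypair()
    sup_pub, sup_priv = gen_keypair()
    cert = issue_certificate(ca_priv, "supplier.example", sup_pub)  # constructed
    doc = b"Purchase order 4711: 500 units"                          # constructed
    sig = sign(sup_priv, doc)
    cert_ok = verify_certificate(ca_pub, cert)
    key_from_cert = (cert["body"]["n"], cert["body"]["e"])
    doc_ok = verify(key_from_cert, doc, sig)
    tampered_ok = verify(key_from_cert, doc.replace(b"500", b"900"), sig)
    # A certificate somebody makes up for the same name lacks the CA's signature.
    rogue_pub, rogue_priv = gen_keypair()
    rogue_cert = issue_certificate(rogue_priv, "supplier.example", rogue_pub)
    rogue_ok = verify_certificate(ca_pub, rogue_cert)
    return cert_ok, doc_ok, tampered_ok, rogue_ok
```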
Network Address Translation
Let's explore another methodology for making sure that your system is safe. This is different from the other ones we've been touching on. Network Address Translation means security through obscurity: by not advertising my IP address to the outside world, I can ensure that nobody can come in and pretend that they're me, or pretend that they're somebody trusted by me.
The way that works is that your device, which might be a firewall or might be a router, has a pool of IP addresses that you want to use to reach the outside world. So whatever the address is on the inside, it's never seen; it's always changed when it gets to whatever your perimeter device is.
So through Network Address Translation we can provide increased security.
In addition to Network Address Translation, there's another technology you'll hear about called port address translation. With port address translation, the device issuing the IP address to the outside world, be it a router or a firewall, puts all its requests out along one single IP address, the address the outside world sees.
The way it does that is by putting the different requests on different port numbers, keeping track of that information, and changing the port number back when the reply comes in. The reason you might want to implement port address translation is if you have difficulty getting enough IP addresses for all of the users on your network.
There can be some limitations. For example, many multimedia applications require multiple ports on a single IP address, so it may not be appropriate for every installation.
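The port address translation table described above, as an added illustration (not code from the lesson): outbound flows get a fresh outside port, replies are mapped back, and an inbound packet with no mapping is dropped.

```python
"""Port Address Translation table, as an added illustration (not code from the page).

Constructed example: many inside hosts share one outside address. The device rewrites
the source port, remembers the mapping, and reverses it when the reply comes back.
An inbound packet with no matching mapping is dropped, which is the "inside is never
seen" effect the section describes. The inside port is not preserved, which is why
applications that expect their own port numbers on the outside can break.
"""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class PatDevice:
    def __init__(self, outside_ip: str, first_port: int = 20000):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.out_map: Dict[Tuple[Endpoint, Endpoint], int] = {}  # (inside, dest) -> outside port
        self.in_map: Dict[Tuple[int, Endpoint], Endpoint] = {}   # (outside port, dest) -> inside

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite an inside host's packet so it leaves from the single outside address."""
        key = (src, dst)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1               # a fresh outside port per inside flow
            self.out_map[key] = port
            self.in_map[(port, dst)] = src
        return (self.outside_ip, self.out_map[key]), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Translate a reply back to the inside host, or return None to drop it."""
        if dst[0] != self.outside_ip:
            return None
        inside = self.in_map.get((dst[1], src))
        return (src, inside) if inside else None


def demo():
    pat = PatDevice("203.0.113.7")  # documentation addresses (RFC 5737), constructed
    web = ("198.51.100.10", 80)
    a = pat.outbound(("10.0.0.5", 51000), web)
    b = pat.outbound(("10.0.0.6", 51000), web)       # same inside port, different host
    reply_a = pat.inbound(web, a[0])                  # reply follows the table back in
    unsolicited = pat.inbound(("198.51.100.99", 4444), ("203.0.113.7", 22))
    return a, b, reply_a, unsolicited
```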
Integrity
Let's look at some of the different integrity solutions.
Integrity—Network Availability
One of the functions of integrity is making sure the network is up. You need to guarantee that data in fact gets where it's supposed to go. This is job 1! Your network isn't worth a thing if your routers go down. If the network infrastructure isn't reliable, business doesn't happen. Let's look at a few features.
TCP Intercept
TCP Intercept is designed to prevent a SYN flooding denial of service attack by tracking, optionally intercepting, and validating TCP connection requests. A SYN flooding attack involves flooding a server with a barrage of requests for connection. However, since these messages have invalid return addresses, the connections can never be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests.
TCP Intercept is capable of operating in two different modes: intercept mode and monitor mode. When used in intercept mode (the default setting), it checks incoming TCP connection requests and proxy-answers on behalf of the destination server to ensure that the request is valid before connecting to the server. In monitor mode, TCP Intercept passively watches the connection requests flowing through and, if a connection fails to get established within a configurable interval, it intervenes and terminates the connection attempt.
Route Authentication
A common hacking technique is to instruct devices to send traffic along an alternate, less secure route that opens up a doorway for the hacker to get in.
Route authentication enables routers to identify one another and verify each other's legitimacy before accepting route updates. So route authentication ensures that you have trusted devices talking to trusted devices.
Integrity—Perimeter Security
Integrity also means ensuring the safety of the network devices and the flows of information between them, including payload data, configuration and configuration updates.
Everyone is connecting to the Internet, so networks are vulnerable: you need to defend your perimeters. There are several kinds of network perimeter, and you may need some kind of firewall protection at each perimeter access point to reflect your security policy. Perimeter security gives customers the ability to leverage the Internet as a business resource, while protecting internal resources.
The key to network integrity is that it be implemented across all types of devices with full internetworking, so that every device in the network can participate and not be a weak link in the security implementation chain.
Let's look at some of these technologies.
Access Lists
Access control lists are often the first wave of defense. Security is a multi-step thing, and access control lists can play an important part in it. Standard access control lists can filter on addresses.
So you can say, "Hey, I don't want traffic from particular places," maybe people that are known spammers or something like that. It may be anything that's not part of your extranet. You can permit and deny an entire protocol suite; maybe you don't want to see a particular class of service flowing through this particular router. There are also extended access control lists, where we can filter on both source and destination address. So if you have a list of people that you don't want to be making connections, you can tell that to your ACL, as access control lists are called.
You can apply these both inbound and outbound, and filter on port number. For example, maybe you want to create a demilitarized zone, or DMZ, and you only want traffic on the Web port where HTML traffic goes, which is port 80. This would be an example of using a port number to restrict traffic to a particular part of the network. You can permit and deny specific protocols. There are reflexive access control lists, in other words, access control lists that can change based on certain criteria.
And there are also time-based lists. Maybe you have a different set of rules during business hours as opposed to after business hours.
Policy Enforcement Using Access Control Lists
Now we're going to look at policy enforcement using access control lists.
We want the ability to stop and reroute traffic based on packet characteristics, based on the information that's flowing across the network.
We can do this with access control lists on incoming or outgoing interfaces. In other words, depending on whether this is your connection to the outside world or to an intranet, you can define where this control is applied. You can do this together with NetFlow to provide high-speed enforcement at network access points. NetFlow is basically a way of making information travel faster by identifying that a lot of different packets are going to have similar characteristics. You can also do violation logging. You can keep something called a syslog file that will keep track of violations of your security policy.
If you had an access control list that simply dropped packets that were unacceptable, but without a way of logging that and telling you about it, then you may miss alerts today to potentially more malicious behavior in the future. So it's very important to have logs that you review periodically.
Let's take a look at firewalls next.
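An extended access list evaluated the way the two sections above describe, as an added illustration (not code from the lesson): first match wins, an implicit deny ends the list, the DMZ web example from above appears as a port 80 entry, and only entries marked "log" produce a syslog-style line. The ACL text and packets are constructed for the example.

```python
"""Extended access list evaluation with violation logging; an added illustration.

Parses a simplified Cisco-style extended ACL (the constructed sample below is
not from the page): the first matching entry wins and an implicit deny follows
the last entry. Entries marked "log" produce a syslog-style line, which is the
section's point about reviewing logs instead of dropping packets silently.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ACL_TEXT = """
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 192.0.2.20 eq 25
access-list 101 deny tcp any any eq 23 log
access-list 101 deny ip any any log
"""


@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None
    log: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class AclResult:
    permitted: List[Packet] = field(default_factory=list)
    denied: List[Packet] = field(default_factory=list)
    syslog: List[str] = field(default_factory=list)


def _address(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))  # inverse mask, e.g. 0.255.255.255
    return ipaddress.IPv4Network((t, 32 - wildcard.bit_length()), strict=False)


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        _, _number, action, proto = tokens[:4]
        rest = tokens[4:]
        src, dst = _address(rest), _address(rest)   # source first, then destination
        port = None
        if rest[:1] == ["eq"]:
            port, rest = int(rest[1]), rest[2:]
        entries.append(Entry(action, proto, src, dst, port, rest[:1] == ["log"]))
    return entries


def matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and ipaddress.IPv4Address(p.src) in e.src
            and ipaddress.IPv4Address(p.dst) in e.dst
            and (e.port is None or e.port == p.dport))


def evaluate(acl: List[Entry], packets: List[Packet]) -> AclResult:
    out = AclResult()
    for p in packets:
        hit = next((e for e in acl if matches(e, p)), None)
        action = hit.action if hit else "deny"   # implicit deny at the end of every list
        (out.permitted if action == "permit" else out.denied).append(p)
        if hit and hit.log:                      # list number hard-coded for the sample ACL
            out.syslog.append(f"list 101 {action} {p.proto} {p.src} -> {p.dst}({p.dport})")
    return out


def demo():
    """Returns results for the full list and for the same list without its explicit final deny."""
    acl = parse_acl(ACL_TEXT)
    packets = [Packet("tcp", "198.51.100.5", "192.0.2.10", 80),   # web to the DMZ: permit
               Packet("tcp", "10.1.2.3", "192.0.2.20", 25),       # mail from 10/8: permit
               Packet("tcp", "172.16.0.9", "192.0.2.20", 25),     # mail from elsewhere: deny
               Packet("tcp", "198.51.100.5", "192.0.2.10", 23),   # telnet: deny, logged
               Packet("udp", "198.51.100.5", "192.0.2.10", 80)]   # wrong protocol: deny
    return evaluate(acl, packets), evaluate(acl[:-1], packets)
```

Without the explicit final `deny ip any any log`, the same packets are still dropped by the implicit deny, but two of the three denials leave no trace.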
Importance of Firewalls
What is a firewall? Why do I want one?
Firewalls are used to build trusted perimeters around information and services. Your Internet security solution must be able to allow employees to access Internet resources while keeping out unauthorized traffic. The most common way of protecting the internal network is by using a firewall between the intranet and the Internet.
What Is a Firewall?
So what are the basic requirements of an Internet firewall? First, a firewall needs to be able to analyze all the traffic passing between the internal user community and the external network. In this way it can ensure that only authorized traffic, as defined by the security policy, is permitted through. It can also ensure that content which could be potentially harmful to the internal network is filtered out.
A firewall also needs to be designed to resist attacks, since once a hacker gains control of the firewall, the internal network could be compromised. And finally, it should be able to hide the addresses of the internal network from the outside world, making the life of a potential hacker much more difficult.
Importantly, a firewall needs to support all these requirements and have the ability to support the constantly increasing Internet connection speeds and traffic loads, so that it doesn't become a bottleneck.
Packet-Filtering Routers
There are a few different types of firewalls. Here's a little history.
The traditional approach was access routers, using access control lists to control network access. This was a low cost, high performance solution. It didn't need UNIX expertise and was transparent to the user: no requirement for the user to change their behavior or configuration.
The issue, though, was that internal addresses were exposed to the Internet. If you were logging on to servers that were susceptible to attack or snooping, someone could then see the host addresses. This is often the first step to finding holes in the network: once the host address is known, the host itself can be attacked, leaving you vulnerable. It is important to hide the addresses.
In most cases, it was possible to spoof in. Basically, spoofing means someone represents themselves as a trusted host in the network, thus having free access to the network. ACLs are also tough to negotiate if they're complex; thus it's easy to make a mistake. This brought about the development of proxy servers, which brought about statefulness, which we'll discuss in more detail later.
Proxy Service
Proxy servers are also sometimes known as "bastion hosts". As its name suggests, this kind of firewall acts as a "proxy" for internal computers accessing the Internet. To the outside world, it appears as if all sessions terminate at a single host, which is carefully configured for maximum security.
Proxy servers hide IP addresses, so they are not exposed to the outside world. Certain proxy servers can also examine content, so they can limit what can or cannot be done, such as FTP gets, or go higher in the application and determine what you can or cannot do. They can also run other services (e.g. your mail services).
The problem is that you're buying a box dedicated to that, plus software, plus maintaining the operating system. You must follow CERT alerts and make changes quickly; hackers can follow the same alerts and use those techniques to break in before you make changes. This requires a lot of administration and time spent monitoring such advisories, which is difficult to do in today's busy environment.
This was also a very intrusive method for users, since users have to tell applications they're using a firewall and go through 2-3 step logins to gain access; not at all transparent to the user.
Stateful Sessions
Many firewalls talk about being stateful, but what does this mean and why is it important? If you know what traffic to expect on your network, you can ensure that that is the volume of traffic you get. For example, when Mary sends a web request to a homepage (www.e-tutes.com), a stateful firewall will remember this. When a page comes back from e-tutes.com to Mary, the firewall will expect it and let the traffic pass.
Stateful filtering, or stateful network address translation, is a security scheme that provides very high performance with a high degree of security. Stateful means it allows the firewall to maintain session state for connection flows, tracking the source and destination ports plus addresses, TCP sequence numbers, and additional TCP flags.
Each time a TCP connection is established from an inside host accessing the Internet through the firewall, the information about the connection is logged in a stateful session flow table. The table contains the source and destination addresses, port numbers, TCP sequencing information, and additional flags for each TCP connection associated with that particular host.
This information temporarily creates a connection block in the firewall. Inbound packets are compared against session flows in the connection table and are permitted through only if they can be validated. The block is then terminated until the next packet is received.
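The session flow table described above, together with the half-open connection monitoring from the TCP Intercept section earlier, as one added illustration (not code from the lesson). It records Mary's outbound request so the reply is expected, drops unsolicited inbound traffic, and reports inbound connection attempts to a published server that never complete their handshake.

```python
"""A stateful session table with half-open connection monitoring; added illustration.

Constructed example, not the page's code. Outbound SYNs from inside hosts
create flow entries, and inbound packets pass only when they match one (the
"Mary's reply is expected" case). The same table records inbound SYNs to a
published server and reports those still half-open after an interval, which is
the check TCP Intercept's monitor mode makes against a SYN flood.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters: "S", "SA", "A"
    t: float     # arrival time in seconds (constructed)


class StatefulFirewall:
    def __init__(self, inside_prefix: str, published: Dict[str, int], timeout: float = 30.0):
        self.inside = inside_prefix
        self.published = published              # inside server ip -> port reachable from outside
        self.timeout = timeout
        self.flows: Dict[Flow, str] = {}        # session flow table: flow -> state
        self.half_open: Dict[Flow, float] = {}  # inbound SYNs still waiting for the client's ACK

    def handle(self, p: Packet) -> str:
        """Returns 'permit' or 'drop' for one packet and updates the tables."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.src.startswith(self.inside):
            if p.flags == "S":
                self.flows[fwd] = "syn-sent"    # inside host opens a session to the Internet
            return "permit"                     # inside-to-outside is trusted in this example
        if rev in self.flows:                   # reply to a session the inside host opened
            if "A" in p.flags:
                self.flows[rev] = "established"
            return "permit"
        if fwd in self.half_open and p.flags == "A":   # outside client completes the handshake
            del self.half_open[fwd]
            self.flows[fwd] = "established"
            return "permit"
        if p.flags == "S" and self.published.get(p.dst) == p.dport:
            self.half_open[fwd] = p.t           # embryonic connection to a published server
            return "permit"
        return "drop"                           # no matching state: unsolicited inbound traffic

    def expire_half_open(self, now: float) -> List[Flow]:
        """Monitor mode: return and clear attempts not completed within the interval."""
        stale = [f for f, t0 in self.half_open.items() if now - t0 > self.timeout]
        for f in stale:
            del self.half_open[f]
        return stale


def demo():
    fw = StatefulFirewall("10.", published={"10.0.0.80": 80})
    results = [
        fw.handle(Packet("10.0.0.5", 40000, "198.51.100.10", 443, "S", 0.0)),   # Mary's request
        fw.handle(Packet("198.51.100.10", 443, "10.0.0.5", 40000, "SA", 0.1)), # expected reply
        fw.handle(Packet("198.51.100.99", 4444, "10.0.0.5", 22, "S", 0.2)),    # unsolicited
    ]
    # Constructed SYN flood: spoofed sources that will never answer the server's SYN-ACK.
    for i in range(3):
        fw.handle(Packet(f"203.0.113.{i + 1}", 1000 + i, "10.0.0.80", 80, "S", 1.0 + i))
    # A genuine client completes its three-way handshake.
    fw.handle(Packet("192.0.2.50", 50000, "10.0.0.80", 80, "S", 4.0))
    fw.handle(Packet("10.0.0.80", 80, "192.0.2.50", 50000, "SA", 4.1))
    fw.handle(Packet("192.0.2.50", 50000, "10.0.0.80", 80, "A", 4.2))
    stale = fw.expire_half_open(now=40.0)
    return results, stale, fw.flows.get(("192.0.2.50", 50000, "10.0.0.80", 80))
```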
Performance Requirements
High performance in a firewall is critical. This is driven not only by your end user community, but by some of the applications people plan to use. Today's performance is being driven by the new technologies.
For instance, some of the multimedia applications like video or audio over the Internet require a high performance firewall. In the future, as new business applications continue to place increasing demands on networks, performance of your security system will be a critical success factor.
Integrity—Privacy
Next let's look at some of the different privacy requirements people might have. Following are some of the different methodologies that are used to ensure privacy on the network:
- VPNs: IPSec, IKE, encryption (DES, 3DES), digital certificates, CET, CEP
Encryption and Decryption
Encryption is the masking of secret or sensitive information such that only an authorized party may view (or decrypt) it.
Encryption and authentication controls can be implemented at several layers in your computing infrastructure.
Encryption can be performed at the application layer by specific applications at client workstations and serving hosts. This has the advantage of operating on a complete end-to-end basis, but not all applications support encryption and it is usually subject to being invoked by individual users, so it is not reliable from a network administrator's perspective.
Encryption can also be performed at the network layer by general networking devices for specific protocols. This has the advantage of operating transparently between subnet boundaries and being reliably enforceable from a network administrator's perspective.
Finally, encryption can be performed at the link layer by specific encryption devices for a given media or interface type. This has the advantage of being protocol independent, but has to be performed on a link-by-link basis.
Institutions such as the military have been using link-level encryption for years. With this scheme, every communications link is protected with a pair of encrypting devices, one on each end of the link. While this system provides excellent data protection, it is quite difficult to provision and manage. It also requires that each end of every link in the network is secure, because the data is in clear text at these points. Of course, this scheme doesn't work at all in the Internet, where possibly none of the intermediate links are accessible to you or trusted.
What Is IPSec?
IPSec provides network layer encryption. IPSec is a framework of open standards for ensuring secure private communications over the Internet. Based on standards developed by the IETF, IPSec ensures confidentiality, integrity, and authenticity of data communications across a public network. IPSec provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy.
Privacy, integrity and authenticity technologies protect information transfer across links with network encryption, digital certification, and device authentication. Some of the benefits you get from these are privacy, integrity, and authenticity for network commerce, implemented transparently in the network infrastructure. In other words, you can just set it up at the router level, or whatever level makes sense to you, and your users don't necessarily have to know that they're using IPSec.
You can define that all of the transactions between my company and this company, say everything between ordering and manufacturing, go across IPSec and other traffic does not. It's an end-to-end security solution that incorporates routers, firewalls, PCs and servers.
IPSec Everywhere!
IPSec can be in any device with an IP stack, as shown in the picture. This is an important point, as customers can deploy IPSec where they are most comfortable:
- On the gateway/router: much easier to install and manage, as you are only dealing with a limited set of devices. The network infrastructure provides the security.
- On the host/server: best end-to-end security, but the hardest to install and manage. Good for applications that really need this level of control.
IKE—Internet Key Exchange
IPSec assumes that a security association or SA is in place, but does have a mechanism for creating that association. The IETF chose to break the process into
two parts: IPSec provides the packet level processing while IKE negotiates security associations. IKE is the mechanism IPSec uses to set up SAs.
IKE can be used for more than just IPSec. IPSec is its first application. It can also be used with S/Mime, SSL, etc.
IKE does several things: - Negotiates its own policy. IKE has several methods it can use for authentication
and encryption. It is very flexible. Part of this is to positively identify the other side of the connection.
- Once it has negotiated an IKE policy, it will perform an exchange of key-material using authenticated Diffie-Hellman.
- After the IKE SA is established, it will negotiated the IPSec SA. It can derive the
IPSec key material with a new Diffie Hellman or by a permutation of existing key material.
Summarize that IKE does these 3 things:
- Identification - Negotiation of policy - Exchange key material
How IPSec Uses IKE
This is how IPSec and IKE work together.
Sam is trying to securely communicate with Alice. Alice sends her data toward Sam. When Alice's router sees the packet, it checks its security policy and realizes that the packet should be encrypted. The pre-configured security policy also says that Sam's router will be the other endpoint of the IPSec tunnel. Alice's router looks to see if it has an existing IPSec SA with Sam's router. If not, it requests one from IKE. If the two routers already share an IKE SA, then the IPSec SA can be generated quickly and immediately. If they do not share an IKE SA, then one must first be created before negotiation of the IPSec SAs. As part of this, the two routers exchange digital certificates. The certificates must have been signed beforehand by a certificate authority that both Sam's and Alice's routers trust. Once the IKE session is active, the two routers can negotiate the IPSec security association. After the IPSec SA is set up, both routers have agreed on an encryption algorithm (e.g., DES), an authentication algorithm (e.g., MD5), and have a shared session key. Now, Alice's router can encrypt Alice's IP packet, place it into a new IPSec packet and send it to Sam's router. When Sam's router receives the IPSec packet, it looks up the IPSec SA, processes and unpacks the original datagram, and forwards it on to Sam.
While this sounds complicated, it all happens automatically and transparently to both Alice and Sam.
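The authenticated Diffie-Hellman step of the IKE exchange described in the two sections above, as an added illustration (not code from the lesson). Both routers' messages are shown; a pre-shared key stands in for the certificates in the walkthrough, and the group is a toy prime rather than an IKE MODP group.

```python
"""Authenticated Diffie-Hellman, the IKE step described above; added illustration.

Toy parameters, not the page's code and not an IKE MODP group: a 127-bit Mersenne
prime replaces the real group, and a pre-shared key replaces the certificates the
walkthrough mentions. Each router sends its public value and an HMAC over both
public values under the PSK; a party without the PSK cannot produce a valid tag,
so no session key is derived with it.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

P = 2 ** 127 - 1   # prime (M127), toy group for illustration only
G = 3


class Router:
    def __init__(self, name: str, psk: bytes):
        self.name = name
        self.psk = psk
        self.x = secrets.randbelow(P - 3) + 2   # private exponent in [2, P-2]
        self.pub = pow(G, self.x, P)            # public value sent to the peer

    def tag(self, peer_pub: int) -> bytes:
        """Authenticator: HMAC-SHA256 over (my pub || peer pub) keyed with the PSK."""
        msg = self.pub.to_bytes(16, "big") + peer_pub.to_bytes(16, "big")
        return hmac.new(self.psk, msg, hashlib.sha256).digest()

    def establish(self, peer_pub: int, peer_tag: bytes) -> Tuple[bool, bytes]:
        """Check the peer's authenticator, then derive the IPSec session key."""
        msg = peer_pub.to_bytes(16, "big") + self.pub.to_bytes(16, "big")
        expected = hmac.new(self.psk, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, peer_tag):
            return False, b""                   # identification failed: no SA
        shared = pow(peer_pub, self.x, P)       # g^(xy) mod p, identical on both sides
        return True, hashlib.sha256(b"ipsec-sa" + shared.to_bytes(16, "big")).digest()


def exchange(a: Router, b: Router) -> Tuple[bool, bool, bool]:
    """Message 1: a -> b: pub_a. Message 2: b -> a: pub_b, tag_b. Message 3: a -> b: tag_a."""
    ok_a, key_a = a.establish(b.pub, b.tag(a.pub))
    ok_b, key_b = b.establish(a.pub, a.tag(b.pub))
    return ok_a, ok_b, ok_a and ok_b and key_a == key_b


def demo():
    psk = b"routers-shared-secret"  # constructed
    genuine = exchange(Router("alice-router", psk), Router("sam-router", psk))
    imposter = exchange(Router("alice-router", psk), Router("imposter", b"guess"))
    return genuine, imposter
```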
Encryption—DES and 3DES
The encryption we're utilizing here with IPSec, DES and Triple DES, are widely adopted standards.
They encrypt plain text, which then becomes cipher text. DES performs 16 rounds of encryption. Triple DES does a lot more than that: it performs the encryption again and again until you wind up with 168-bit encryption. You can do this on the client, on the server, on the router, or on the firewall.
Now, obviously, when you're doing 168-bit encryption, you're going to introduce some latency. You need to consider the performance implications when using Triple DES.
Breaking DES Keys
How secure is DES? The common way to break it is to do an exhaustive search: you just try different possibilities until you find the way in.
On a general-purpose computer, this could take literally hundreds of years to break into 56-bit DES. Some people speculate, though it hasn't actually been done, that you could build a specialized computer for about a million dollars that could crack DES in probably 35 minutes. So that possibility exists.
Now, there are a lot of smart people out there, and one of the things those smart people did was say, "Hey, well, if it takes one computer a long time, maybe it would take less time for a lot of computers."
So they took a big network that had some CRAYs on it and a whole bunch of PCs, and instead of a screen saver, they put in a little program that tried passwords when the PC was not active. This led to more thinking that the Internet was made up of lots of computers that could work on the problem simultaneously.
In fact, the Electronic Frontier Foundation and distributed.net did just this. They cracked a 56-bit DES challenge in just 22 hours and 15 minutes. So if DES is not currently insecure, it'll soon be insecure. This is why we need to start thinking about Triple DES.
Now, does this mean that for your client who has a local hardware shop and is doing his encryption with 56-bit DES, it isn't safe enough? It probably is safe enough. Again, you need to take into account the particular costs that you have and how motivated someone is going to be to break into your particular stream.
Active Audit
Why Active Audit?
Why is active audit necessary? Many companies rely on their perimeter security. Once the perimeter is breached, most of the network and its systems are virtually unprotected.
First, hackers are quite likely to be employees, or may have breached the security perimeter through a business partner or a modem. Because they are considered 'trusted', they have already breached most network security, such as firewalls, encryption, and authentication. Note: the company network is usually considered the 'trusted' network while the Internet is 'untrusted'. However, with up to 80% of security breaches occurring in the 'trusted' network, companies may want to rethink their strategies for protecting systems and data.
Second, the defense may be ineffective. Aging, mismanaged security is no match for today's hacker, who is constantly improving techniques.
Third, most security breaks down due to human error. People make mistakes in programming firewalls, they allow services to the network and forget to turn them off, they are not efficient at changing passwords, they add modems and forget to turn them off; the list goes on and on.
Fourth, the network is always growing and changing. Every change is a new opportunity for the patient hacker, who may spend months or even years waiting for an opening. Firewalls, authorization, and encryption provide policy enforcement, but do not monitor behavior. And with hacking, it is the behavior that is the problem.
These problems can be alleviated by creating a security process that includes visibility into the network.
Network security is often viewed in terms of point security technologies, such as firewalls, authentication and authorization, and encryption. While very necessary to a network defense, they do not have the capability to analyze and discover two items essential for network security:
1) User behaviors: are your employees, business partners, and anyone else misusing the network?
2) System vulnerabilities: if a 'bad guy' gets into your network, have your systems been secured to lock him out?
This is where a strong firewall gives a false sense of security. You must consider what would happen if your firewall is compromised.
The most effective security strategy for your network defense includes 'defense in depth' or 'layered defense'. This means augmenting your point solutions with dynamic systems that monitor users as they use the network and measure the network resources for changes and vulnerabilities. These technologies should be used to help better secure the network perimeter as well as the intranet.
Often organizations have a tactical approach to network security and do not treat it with the same importance as network operations. However, more companies today are taking a strategic approach to network security and treating it as part of the network operation. This includes development of processes that constantly measure, monitor and improve the security posture.
Active Audit—Network Vulnerability Assessment
Active Audit is the systematic implementation of the security policy: to actively audit, verify, detect intrusions and anomalies, and report findings. For true security policy management enterprise-wide, Active Audit capability must be in place and be applicable for all access ports, devices and media. Proactive network auditing tools provide preventative maintenance by detecting security weak points before they can be exploited by intruders.
Active Audit—Intrusion Detection System
Intrusion detection tools recognize when the security of the network is in jeopardy. Intrusion detection provides the burglar alarms that notify you in real-time when break-in attempts are detected.
For example, you want to be able to see that a series of port scans is hitting your system, and the IP address they originate from: that is somebody who could potentially be doing bad things to your network.
You want to be able to watch suspect behavior. You also want to watch things like: is that person in data entry going back into the data warehouse? Are they going into our accounting system?
An IDS architecture consists of several parts. There is an IDS engine, something analogous to a sniffer that watches the line looking for policy violations. There is a security management system, where you give the instructions about what adheres to your security policy and what doesn't. And there is real-time alarm notification, some way to tell the people within the organization what is going on in the network: something bad is about to happen, or is happening, and it's time to take action.
IDS Attack Detection
Some of the things an Intrusion Detection System (IDS) might detect come from looking at the context of the data, for example attacks on your network such as denial of service.
For example, a Ping of Death has the following signature: it is a ping, but with a very large packet size. So you can watch for that kind of traffic and take appropriate action against it.
Another example is port sweeps. Other than testing your own network, there is no reason to do a port sweep except to look for ways to break into a system. SYN attacks and TCP hijacking fall into the same category: there is no reason to do those other than malicious activity on your network, so you want to be able to watch for them.
For the content itself, you want to be able to look for DNS attacks. Internet Explorer attacks would be an example of a content attack. You also want to run composite scans, and look for telnet attacks and character-mode attacks. These are all the kinds of things that can be looked for on the network.
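The detection logic sketched above, as an added example that is not part of the course notes: a small Python IDS engine that applies two of the signatures named here (an oversized ping and a port sweep) to a constructed feed of traffic summaries. The record format, the sweep threshold and the sample addresses are assumptions made for this example.

```python
"""Added example (not from the course notes): a minimal IDS engine that applies
two of the signatures described above to constructed traffic records.

Records are simplified one-line summaries, as a sniffer might emit them:
    proto=ICMP src=A dst=B len=N        (len = reassembled IP datagram length)
    proto=TCP  src=A dst=B dport=P flags=F
Both rules are detection-only: they raise alarms, nothing more.
"""
from collections import defaultdict

# Largest legal IPv4 datagram; a "ping" whose fragments reassemble beyond
# this is the classic Ping of Death signature.
MAX_IP_DATAGRAM = 65535
# Distinct destination ports one source may probe on one host before we call
# it a port sweep (the threshold is an assumption for this example).
SWEEP_PORT_THRESHOLD = 10


def parse_record(line):
    """Turn 'key=value key=value' into a dict; numeric fields become ints."""
    rec = {}
    for field in line.split():
        key, _, value = field.partition("=")
        rec[key] = int(value) if value.isdigit() else value
    return rec


def detect_ping_of_death(records):
    """Alarm on any ICMP datagram longer than the IPv4 maximum."""
    return [
        ("PING_OF_DEATH", r["src"], r["dst"], r["len"])
        for r in records
        if r.get("proto") == "ICMP" and r.get("len", 0) > MAX_IP_DATAGRAM
    ]


def detect_port_sweeps(records):
    """Alarm when one source touches many distinct TCP ports on one host."""
    ports_seen = defaultdict(set)           # (src, dst) -> {dport, ...}
    for r in records:
        if r.get("proto") == "TCP" and "dport" in r:
            ports_seen[(r["src"], r["dst"])].add(r["dport"])
    return [
        ("PORT_SWEEP", src, dst, len(ports))
        for (src, dst), ports in sorted(ports_seen.items())
        if len(ports) >= SWEEP_PORT_THRESHOLD
    ]


def run_ids(lines):
    """The 'IDS engine': parse the feed and return all alarms, sorted."""
    records = [parse_record(ln) for ln in lines if ln.strip()]
    return sorted(detect_ping_of_death(records) + detect_port_sweeps(records))


# Constructed sample feed (not real captured traffic). RFC 5737 documentation
# addresses are used so nothing here points at a real host.
SAMPLE_FEED = [
    "proto=ICMP src=192.0.2.10 dst=198.51.100.5 len=84",        # normal ping
    "proto=ICMP src=192.0.2.77 dst=198.51.100.5 len=65620",     # oversized
    "proto=TCP src=192.0.2.20 dst=198.51.100.5 dport=443 flags=S",
    "proto=TCP src=192.0.2.20 dst=198.51.100.5 dport=443 flags=S",
] + [
    # one source probing ports 20..35 on a single host: a sweep
    f"proto=TCP src=192.0.2.99 dst=198.51.100.9 dport={p} flags=S"
    for p in range(20, 36)
]

if __name__ == "__main__":
    for alarm in run_ids(SAMPLE_FEED):
        print(*alarm)
```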
Active Audit
Authentication and authorization occur on the front end. Equally important is the "back-end" side of security. Accounting is the systematic and dynamic verification
that the security policy as defined is properly implemented. It provides assurance that the security policy is consistent and operating correctly.
Accounting enables customers to detect intrusion and network anomalies, misuse, and attacks. It also includes reporting the findings of the audit process.
Accounting should be handled by a system that is totally separate from the network security solutions that are installed. Currently, there aren't many tools available for active audit, which explains why many companies hire outside auditors to check
their security implementations.
For true security policy management on a company-wide basis, accounting capabilities must be in place and be applicable for all access ports, devices and media.
- SUMMARY -
- Security is a mission-critical business requirement for all networks
- Security requires a global, corporate-wide policy
- Security requires a multilayered implementation
Lesson 12: Understanding Virtual Private Networks
VPNs are a common topic today. Just about everyone is talking about implementing one. This module explains what a VPN is and covers the basic VPN technology. We'll
also go through some examples of VPNs including a return on investment analysis.
The Agenda
- What Are VPNs?
- VPN Technologies
- Access, Intranet, and Extranet VPNs
- VPN Examples
What Are VPNs?
Simply defined, a VPN is an enterprise network deployed on a shared infrastructure
employing the same security, management, and throughput policies applied in a private network.
A VPN can be built on the Internet or on a service provider's IP, Frame Relay, or ATM infrastructure. Businesses that run their intranets over a VPN service enjoy the same security, QoS, reliability, and scalability as they do in their own private networks. VPNs based on IP can naturally extend the ubiquitous nature of intranets over wide-area links, to remote offices, mobile users, and telecommuters. Further, they can support extranets linking business partners, customers, and suppliers to provide better customer satisfaction and reduced manufacturing costs. Alternatively, VPNs can connect communities of interest, providing a secure forum for common topics of discussion.
Virtual Private Networks
Building a virtual private network means you use the "public" Internet (or a service provider's network) as your "private" wide-area network.
Since it's generally much less expensive to connect to the Internet than to lease your own data circuits, a VPN may allow you to connect remote offices or employees who wouldn't ordinarily justify the cost of a regular WAN connection. VPNs may also be useful for conducting secure transactions, or transferring highly confidential data between offices that have a WAN connection.
Some of the technologies that make VPNs possible are:
- Tunneling
- Encryption
- QoS
- Comprehensive security
Why Build a VPN?
Why should customers consider a VPN?
- Company information is secured
  - VPNs allow vital company information to be secure against unwanted intrusion
- Reduce costs
  - Internet-based VPNs offer low-cost connectivity from anywhere in the world, and can be considered a viable replacement for leased-line or Frame Relay services. Using the Internet as a replacement for expensive WAN services can cut costs by as much as 60 percent, according to Forrester Research
  - Also lower remote costs by connecting a mobile user over the Internet (often referred to as virtual private dial-up networking, or VPDN)
- Wider connectivity options for users
  - A VPN can provide more connectivity options (for example, over cable, DSL, telephone, or Ethernet)
- Increased speed of deployment
  - Extranets can be created more easily (you don't wait for suppliers). This keeps the customer in control of their own destiny.
However, for an Internet-based VPN to be considered as a viable replacement for leased-line or Frame Relay service, it must be able to offer a comparable level of
security, quality of service, and reliability.
What’s Driving VPN Offerings?
The strain on today's corporate networks is greater than ever before. Network managers must continually find ways to connect geographically dispersed work
groups in an efficient, cost-effective manner. Increasing demands from feature-rich applications used by a widely dispersed workforce are causing businesses of all sizes to rethink their networking strategies. As companies expand their networks to link
up with partners, and as the number of telecommuters and remote users continues to grow, building a distributed enterprise becomes ever more challenging. To meet this challenge, VPNs have emerged, enabling organizations to outsource
network resources on a shared infrastructure. Access VPNs in particular appeal to a highly mobile work force, enabling users to connect to the corporate network
whenever, wherever, or however they require.
Networked Applications
The traditional drivers of network deployment are also driving the deployment of VPNs.
New networked applications, such as videoconferencing, distance learning, advanced publishing, and voice applications, offer businesses the promise of improved
productivity and reduced costs. As these networked applications become more prevalent, businesses are increasingly looking for intelligent services that go beyond transport to optimize the security, quality of service, management and
scalability/reliability of applications end to end.
Example of a VPN
This is what a VPN might look like for a company with offices in Munich, New York, Paris, and Milan.
VPN Technologies
Let's take a look at some of the technologies that are integral to virtual private networks.
VPN Technology Building Blocks
Business-ready VPNs rely on both security and QoS technologies. Let's take a look at both of these in more detail.
Security
Deploying WANs on a shared network makes security issues paramount. Enterprises
need to be assured that their VPNs are secure from perpetrators observing or tampering with confidential data passing over the network and from unauthorized users gaining access to network resources and proprietary information. Encryption,
authentication, and access control guard against these security breaches.
Key components of VPN security are as follows:
- Tunnels and encryption
- Packet authentication
- Firewalls and intrusion detection
- User authentication
These mechanisms complement each other, providing security at different points throughout the network. VPN solutions must offer each of these security features to be considered a viable solution for utilizing a public network infrastructure.
Let's start by looking at tunnels and encryption. We're going to look in detail at Layer 2 Tunneling Protocol (L2TP) and Generic Routing Encapsulation (GRE) for tunnel support, as well as the strongest standard encryption technologies available---IPSec, DES and 3DES.
Tunneling: L2F/L2TP
Layer 2 Forwarding (L2F) enables remote clients to gain access to corporate networks through existing public infrastructures, while retaining control of security and
manageability. Cisco has submitted this new technology to the IETF for approval as a standard. It supports scalability and reliability features as discussed in later sections
of this document. L2F achieves private network access through a public system by building a secure
"tunnel" across a public infrastructure to connect directly to a home gateway. The service requires only local dialup capability, reducing user costs and providing the same level of security found in private networks.
Using L2F tunneling, service providers can create a virtual tunnel to link customer remote sites or remote users with corporate home networks. In particular, a network
access server at the POP exchanges PPP messages with the remote users and communicates by L2F requests and responses with the customer's home gateway to
set up tunnels. L2F passes protocol-level packets through the virtual tunnel between endpoints of a point-to-point connection.
Frames from remote users are accepted by the service provider POP, stripped of any linked framing or transparency bytes, encapsulated in L2F, and forwarded over the
appropriate tunnel. The customer's home gateway accepts these L2F frames, strips the L2F encapsulation, and processes incoming frames for the appropriate interface.
Layer 2 Tunneling Protocol (L2TP) is an extension to PPP. It is a draft IETF standard derived from Cisco L2F and Microsoft Point-to-Point Tunneling Protocol (PPTP). L2TP delivers a full range of security control and policy management features, including
end-user security policy control. Business customers have ultimate control over permitting and denying users, services, or applications.
Tunneling: Generic Routing Encapsulation (GRE)
GRE, or Generic Routing Encapsulation, is the standard solution for Service Providers that have an established IP network and want to provide managed IP VPN
services.
One of the most significant advantages of this approach is that Service Providers can offer application-level QoS. This is possible because the routers still have visibility into the additional IP header information needed for fine-grained QoS (this is hidden
in an IPSec packet). Traffic is restricted to a single provider's network, allowing end-to-end QoS control.
This restriction of "on-net only" traffic also allows the GRE tunnels to remain secure without using encryption. Customers who require greater levels of security can still use "on-demand" application-level encryption such as secure connections in a web browser. The entire connection may be encrypted, but at the cost of QoS granularity.
In summary, GRE offers:
- Encryption-optional tunneling.
- Fine-grained QoS service capabilities, including application-level QoS.
- IP-level visibility makes this the platform of choice for building value-added services such as application-level bandwidth management.
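An added example (not from the course notes, and not Cisco code) that makes the visibility difference concrete in Python: the same inner TCP packet is wrapped once in GRE and once in an ESP-style header, and a router-side classifier recovers the inner 5-tuple only from the GRE packet. The packet builders and the dummy XOR "encryption" standing in for ESP's real cipher are assumptions of the example.

```python
"""Added example (not from the course notes): why a router can classify
traffic inside a GRE tunnel but not inside an IPSec ESP tunnel.

A GRE-encapsulated packet is built from real header layouts (IPv4, GRE per
RFC 2784, TCP) and the inner flow is recovered by parsing past the GRE header.
The ESP packet is a stand-in: a real ESP header (SPI, sequence number) followed
by payload bytes the router cannot interpret; the 'encryption' is a dummy XOR
used only so the example runs offline, not a real cipher.
"""
import struct

PROTO_TCP, PROTO_GRE, PROTO_ESP = 6, 47, 50
ETHERTYPE_IPV4 = 0x0800


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options, checksum left zero)."""
    total = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header (SYN, no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def gre_encapsulate(outer_src, outer_dst, inner_packet):
    """Wrap an IPv4 packet in GRE (flags/version 0, protocol type 0x0800)."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(outer_src, outer_dst, PROTO_GRE,
                       len(gre) + len(inner_packet)) + gre + inner_packet


def esp_encapsulate(outer_src, outer_dst, spi, seq, inner_packet, key=0x5A):
    """Stand-in ESP tunnel-mode packet: SPI + seq, then opaque bytes."""
    opaque = bytes(b ^ key for b in inner_packet)   # dummy, NOT real crypto
    esp = struct.pack("!II", spi, seq) + opaque
    return ipv4_header(outer_src, outer_dst, PROTO_ESP, len(esp)) + esp


def classify(packet):
    """What a QoS-aware router can see: the inner 5-tuple for GRE, only the
    SPI for ESP. Returns a dict describing the visible information."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    if proto == PROTO_GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        if flags != 0 or ptype != ETHERTYPE_IPV4:
            return {"visible": "unsupported GRE options"}
        inner = body[4:]
        inner_ihl = (inner[0] & 0x0F) * 4
        src = ".".join(map(str, inner[12:16]))
        dst = ".".join(map(str, inner[16:20]))
        sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
        return {"visible": "inner 5-tuple", "src": src, "dst": dst,
                "proto": inner[9], "sport": sport, "dport": dport}
    if proto == PROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        return {"visible": "SPI only", "spi": spi, "seq": seq}
    return {"visible": "unknown"}


# Constructed sample: a SYN to port 443 between two private site addresses,
# carried between documentation (RFC 5737) tunnel endpoints; no real hosts.
INNER = ipv4_header("10.1.0.5", "10.2.0.9", PROTO_TCP, 20) + tcp_header(40000, 443)
GRE_PACKET = gre_encapsulate("192.0.2.1", "198.51.100.1", INNER)
ESP_PACKET = esp_encapsulate("192.0.2.1", "198.51.100.1", 0x1234, 7, INNER)

if __name__ == "__main__":
    print("GRE:", classify(GRE_PACKET))
    print("ESP:", classify(ESP_PACKET))
```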
What Is IPSec?
IPSec provides IP network-layer encryption.
IPSec is a standards-based technology that governs security management in IP
environments. Originally conceived to solve scalable security issues in the Internet, IPSec establishes a standard that lets hardware and software products from many
vendors interoperate more smoothly to create end-to-end security. IPSec provides a standard way to exchange public cryptography keys, specify an encryption method
(e.g., data encryption standard (DES) or RC4), and specify which parts of packet headers are encrypted.
What is Internet Key Exchange (IKE)?
IPSec assumes that a security association (SA) is in place, but does not itself have a mechanism for creating that association. The IETF chose to break the process into two parts: IPSec provides the packet-level processing, while IKE negotiates security associations. IKE is the mechanism IPSec uses to set up SAs.
IKE can be used for more than just IPSec; IPSec is its first application. It can also be used with S/MIME, SSL, etc.
IKE does several things:
- Negotiates its own policy. IKE has several methods it can use for authentication and encryption; it is very flexible. Part of this is to positively identify the other side of the connection.
- Once it has negotiated an IKE policy, it performs an exchange of key material using authenticated Diffie-Hellman.
- After the IKE SA is established, it negotiates the IPSec SA. It can derive the IPSec key material with a new Diffie-Hellman exchange or by a permutation of existing key material.
In summary, IKE does these three things:
- Identification
- Negotiation of policy
- Exchange of key material
IPSec VPN Client Operation
Now that you understand both IPSec and IKE, let's look at what really happens from the client's perspective.
An IPSec client is a software component that allows a desktop user to create an IPSec tunnel to a remote site. IPSec provides privacy, integrity, and authenticity for VPN
client operations. With IPSec, no one can see what data you are sending and no one can change it.
Data input by a remote user dialing in via the public Internet is encrypted all the way to corporate headquarters, from the IPSec client to a router at the home gateway.
Here's how it works.
First, the remote user dials into the corporate network. The client uses either an X.509 certificate or a one-time password with a AAA server to negotiate an Internet Key Exchange. Only after it's authenticated is a secure tunnel created. Then all data is encrypted.
IPSec is transparent to the network infrastructure and is scalable from very small applications to very large networks. As you can see, this is an ideal way to connect remote users or telecommuters to corporate networks in a safe and secure environment.
L2TP and IPSec Are Complementary
Another thing that people often get confused about is the relationship between L2TP and IPSec. Remember that L2TP is the Layer 2 Tunneling Protocol. Some people think that the two technologies are mutually exclusive. In fact, they are complementary.
So you can use both of these together. IPSec can create remote tunnels. L2TP can provide tunnel and end-to-end authentication. So IPSec maintains the encryption, but often you want to tunnel non-IP traffic in addition to IP traffic. L2TP can be useful for that.
Encryption: DES and 3DES
DES stands for Data Encryption Standard. It is a widely adopted standard created to
protect unclassified computer data and communications. DES has been incorporated into numerous industry and international standards since its approval in the late 1970s.
DES and 3DES are strong forms of encryption that allow sensitive information to be
transmitted over untrusted networks. They enable customers to utilize network layer encryption.
The encryption algorithm specified by DES is a symmetric, secret-key algorithm. Thus it uses one key to encrypt and decrypt messages, on which both the sending and receiving parties must agree before communicating. It uses a 56-bit key, which
means that a user must correctly employ 56 binary numbers, or bits, to produce the key to decode information encrypted with DES.
DES is extremely secure; however, it has been cracked on several occasions by chaining hundreds of computers together at the same time, and even then it took a very long time to break. This led to the development of Triple DES, which uses a 168-bit key.
Firewalls
A critical part of an overall security solution is a network firewall, which monitors traffic crossing network perimeters and imposes restrictions according to security
policy. In a VPN application, firewalls protect enterprise networks from unauthorized access to computing resources and network attacks, such as denial of service.
Furthermore, for authorized traffic, a VPN firewall verifies the source of the traffic and prescribes what access privileges users are permitted.
User Authentication
A key component of VPN security is making sure authorized users gain access to
enterprise computing resources they need, while unauthorized users are shut out of the network entirely. AAA services (that stands for authentication, authorization, and accounting) provide the foundation to authenticate users, determine access levels,
and archive all the necessary audit and accounting data. Such capabilities are paramount in the dial access and extranet applications of VPNs.
VPNs and Quality of Service
So how does QoS play a role in VPNs? Well, the goal of QoS is to control the utilization of bandwidth so that you can support mission-critical applications. Here's how it works. The customer premises equipment or CPE assigns packet priority based on the network policy. Packets are marked and bandwidth is managed so that the VPN WAN links don't choke out the important traffic.
One example of this could be an employee watching television off the Internet on his PC, where the video traffic clogs a small 56K WAN line, making it impossible for mission-critical financial application data to pass.
With QoS, you can take advantage of the service provider's differentiated services to maximize network resources and minimize congestion at peak times. For example, e-mail traffic doesn't care about latency, but video and mission-critical applications do.
Some components of bandwidth management/QoS that apply to VPNs are as follows:
- Packet classification---assigns packet priority based on enterprise network policy
- Committed access rate (CAR)---provides policing and manages bandwidth based on applications and/or users according to enterprise network policy
- Weighted Random Early Detection (WRED)---complements TCP in predicting and managing network congestion on the VPN backbone, ensuring predictable
throughput rates
These QoS features complement each other, working together in different parts of the VPN to create a comprehensive bandwidth management solution. Bandwidth management solutions must be applied at multiple points on the VPN to be effective;
single point solutions cannot ensure predictable performance.
Access, Intranet, and Extranet VPNs
Let's look now at the three types of VPNs.
Three Types of VPNs
As previously stated, VPN is defined as customer connectivity deployed on a shared
infrastructure with the same policies as a private network. The shared infrastructure can leverage a service provider IP, Frame Relay, or ATM backbone, or the Internet. Cisco defines three types of virtual private networks according to how businesses and
organizations use VPNs:
Access VPNs provide remote connectivity to telecommuters and mobile users. They're typically an alternative to dedicated dial or ISDN connections. They offer users a range of connectivity options as well as a much lower cost solution.
Intranet VPNs link corporate headquarters, remote offices, and branch offices over a shared infrastructure using dedicated connections. The VPN typically is an alternative to a leased line. It provides the benefit of extended connectivity and lower cost.
Extranet VPNs link customers, suppliers, partners, or communities of interest to a corporate intranet over a shared infrastructure using dedicated connections. In this example, the VPN is often an alternative to fax, snail mail, or EDI. The extranet VPN facilitates e-commerce.
Access VPNs
Let's look at the Access VPN in more detail.
Remote access VPNs extend the corporate network to telecommuters, mobile workers,
and remote offices with minimal WAN traffic. They enable users to connect to their corporate intranets or extranets whenever, wherever, or however they require. Remote access VPNs provide connectivity to a corporate intranet or extranet over a
shared infrastructure with the same policies as a private network. Access methods are flexible---asynchronous dial, ISDN, DSL, mobile IP, and cable technologies are
supported.
Migrating from privately managed dial networks to remote access VPNs offers several advantages, most notably:
- Reduced capital costs associated with modem and terminal server equipment
- Ability to utilize local dial-in numbers instead of long distance or 800 numbers, thus significantly reducing long distance telecommunications costs
- Greater scalability and ease of deployment for new users added to the network
- Restored focus on core corporate business objectives instead of managing and retaining staff to operate the dial network
Access VPN Operation Overview
In an Access VPN environment, the most important aspect of security revolves around identifying a user as a member of an approved customer company and
establishing a tunnel to its home gateway, which handles per-user authentication, authorization, and accounting (AAA).
User authentication is a critical characteristic of an Access VPN. Through a local point of presence (POP), a client establishes communication with the service provider network (1), and secondarily establishes a connection with the customer network (2).
The Access VPN tunnel end points authenticate each other (3). Next, the user connects to the customer premises equipment (CPE) home gateway
server (local network server) using PPP or SLIP (4) and is authenticated through a username/password handling protocol such as PAP, CHAP, or TACACS+. The home gateway maintains a relationship with an access control server (ACS), also
known as an AAA server, using TACACS+ or RADIUS protocols. At this point, authorization is set up using the policies stored in the ACS and communicated to the home gateway at the customer premises (5).
Often, the customer administrates the ACS server, providing ultimate and centralized control of who can access its network as well as which servers can be accessed. User
profiles define what the user can do on the network. Using authorization profiles, the
network creates a "virtual interface" for each user. Access policies are enforced using Cisco IOS software specific to each interface.
Access VPN Basic Components
An access VPN has two basic components:
L2TP Network Server (LNS): A device such as a Cisco router located in the customer premises. Remote dial users access the home LAN as if they were dialed into the home gateway directly, although their physical dialup is via the ISP network access server. Home gateway is the Cisco term for LNS.
An LNS operates on any platform capable of PPP termination. LNS handles the server side of the L2TP protocol. Because L2TP relies only on the single media over which L2TP tunnels arrive, LNS may have only a single LAN or WAN interface, yet still be able to terminate calls arriving at any LAC's full range of PPP interfaces (async, synchronous ISDN, V.120, and so on). LNS is the initiator of outgoing calls and the receiver of incoming calls. LNS is also known as HGW in L2F terminology.
L2TP Access Concentrator (LAC): A device such as a Cisco access server attached to the switched network fabric (for example, PSTN or ISDN) or colocated with a PPP end system capable of handling the L2TP protocol. A LAC needs only to implement the media over which L2TP is to operate to pass traffic to one or more local network servers (LNSs). It may tunnel any protocol carried within PPP. LAC is the initiator of incoming calls and the receiver of outgoing calls. LAC is also known as NAS in L2F.
Client-Initiated Access VPN
There are two types of Access VPNs: essentially, dedicated or dial.
With a dedicated or client-initiated Access VPN, users establish an encrypted IP tunnel from their clients across a service provider's shared network to their corporate network.
With a client-initiated architecture, businesses manage the client software tasked with initiating the tunnel. Client-initiated VPNs ensure end-to-end security from the client to the host. This is ideal for banking applications and other sensitive business transactions over the Internet.
With client-initiated VPN Access, the end user has IPSec client software installed at the remote site, which can terminate into a firewall for termination into the corporate network. IPSec, IKE, and a certificate authority are used to generate the encryption, authentication, and certificate keys used to ensure a totally secure VPN solution.
Client-Initiated VPNs
An advantage of a client-initiated model is that the "last mile" service provider access network used for dialing to the point of presence (POP) is secured. An additional consideration in the client-initiated model is whether to utilize operating system
embedded security software or a more secure supplemental security software package. While supplemental security software installed on the client offers more
robust security, a drawback to this approach is that it entails installing and maintaining tunneling/encryption software on each client accessing the remote access VPN, potentially making it more difficult to scale.
NAS-Initiated Access VPN
In a NAS-initiated scenario, client software issues are eliminated. A remote user dials into a service provider's POP using a PPP/SLIP connection, is authenticated by the service provider, and, in turn, initiates a secure, encrypted tunnel to the corporate
network from the POP using L2TP or L2F. With a NAS-initiated architecture, all VPN intelligence resides in the service provider network---there is no end-user client software for the corporation to maintain, thus eliminating client management
burdens associated with remote access. The drawback, however, is lack of security on the local access dial network connecting the client to the service provider network.
In a remote access VPN implementation, these security/management trade-offs must be balanced.
NAS-Initiated VPNs
Pros: NAS-initiated Access VPNs require no specialized client software, allowing
greater flexibility for companies to choose the access software that best fits their
requirements. NAS solutions use robust tunneling protocols such as Cisco L2F or L2TP.
IPSec provides encryption only, in contrast with the client-initiated model where IPSec enables both tunneling and encryption. Premium service examples include
reserved modem ports, guarantees of modem availability, and priority data transport. The NAS can simultaneously be used for Internet as well as VPN access.
All traffic to a given destination travels over a single tunnel from a NAS, making
larger deployments more scalable and manageable. Con: NAS-initiated Access VPN connections are restricted to POPs that can support
VPNs.
The Intranet VPN
Intranet VPNs: Link corporate headquarters, remote offices, and branch offices over a shared infrastructure using dedicated connections. Businesses enjoy the same
policies as a private network, including security, quality of service (QoS), manageability, and reliability.
The benefits of an intranet VPN are as follows:
- Reduced WAN bandwidth costs
- Connect new sites easily
- Increased network uptime by enabling WAN link redundancy across service providers
Building an intranet VPN using the Internet is the most cost-effective means of implementing VPN technology. Service levels, however, are generally not guaranteed
on the Internet. When implementing an intranet VPN, corporations need to assess which trade-offs they are willing to make between guaranteed service levels, network
ubiquity, and transport cost. Enterprises requiring guaranteed throughput levels should consider deploying their VPNs over a service provider's end-to-end IP network, or, potentially, Frame Relay or ATM.
The Extranet VPN
Extending connectivity to corporate partners and suppliers is expensive and burdensome in a private network environment. Expensive dedicated connections
must be extended to the partner, management and network access policies must be negotiated and maintained, and often compatible equipment must be installed on the partner's site. When dial access is employed, the situation is equally complicated
because separate dial domains must be established and managed. Due to the complexity, many corporations do not extend connectivity to their partners, resulting in complicated business procedures and reduced effectiveness of their business
relationships.
One of the primary benefits of a VPN WAN architecture is the ease of extranet deployment and management. Extranet connectivity is deployed using the same architecture and protocols utilized in implementing intranet and remote access VPNs.
The primary difference is the access permission extranet users are granted once connected to their partner's network.
Intranet and Extranet VPNs
Intranet and extranet VPN services based on IPSec, GRE, and mobile IP create secure
tunnels across an IP network. These technologies leverage industry standards to establish secure, point-to-point connections in a mesh topology that is overlaid on the service provider's IP network or the Internet. They also offer the option to
prioritize applications. An IPSec architecture, however, includes the IETF proposed standard for IP-based encryption and enables encrypted tunnels from the access
point to and across the intranet or extranet.
An alternative approach to intranet and extranet VPNs is to establish virtual circuits across an ATM or Frame Relay backbone. With this architecture, privacy is accomplished with permanent virtual circuits (PVCs) instead of tunnels. Encryption
is available for additional security as an optional feature, but more commonly, it is applied as needed by individual applications. Virtual circuit architectures provide prioritization through quality of service for ATM and committed information rate for
Frame Relay.
Finally, in addition to IP tunnels and virtual circuits, intranet and extranet VPNs can be deployed with a Tag Switching/MPLS architecture. Tag Switching is a switching mechanism created by Cisco Systems and introduced to the IETF under the name
MPLS. MPLS has been adopted as an industry standard for converging IP and ATM technologies.
A VPN built with Tag Switching/MPLS affords broad scalability and flexibility across any backbone choice whether IP, ATM, or multivendor. With Tag Switching/MPLS,
packets are forwarded based on a VPN-based address that is analogous to mail forwarded with a postal office zip code. This VPN identifier in the packet header isolates traffic to a specific VPN. Tag Switching/MPLS solves peer adjacency
scalability issues that occur with large virtual circuit topologies. It also offers granularity to the application for priority and bandwidth management, and it
facilitates incremental multiservice offerings such as Internet telephony, Internet fax, and videoconferencing.
Comparing the Types
Access VPNs are differentiated from intranet and extranet VPNs primarily by the
connectivity method into the network. While an access VPN refers to dialup (or part-time) connectivity, an intranet or extranet VPN may contain both dialup and dedicated links.
The distinction between intranet and extranet VPNs is essentially in the users that will be connecting to the network and the security restrictions that each will be
subject to.
VPN Examples
Let's look at some real examples of VPNs.
Health Care Company Intranet Deployment
Here we have a health care company that's deploying an intranet.
Well, why would they care so much about security? Your health records are something that you want to be secure. This is information that you don't want non-authorized personnel to have access to.
So you can see in the figure, the company has a number of remote centers.
In this case, these are like doc-in-the-box, those little new medical clinics that are springing up. So those are relayed back to a primary network and back to the
association where the primary hospital that these different medical centers are associated with resides.
So a lot of more sophisticated databases, etc., can be back at the hospital, and they can share the Internet and, with confidence, share medical data that they don't want
to have published to the outside world.
Branch Office or Telecommuters
Another example would be branch offices or perhaps telecommuters.
So the challenge is finding a cost-effective means to connect small offices that can't afford a leased line, or for which a leased line wouldn't be appropriate. With IPSec, you can encrypt the traffic from the remote sites to the enterprise.
It doesn't matter what applications the users are using. This isn't just encrypting mail or just encrypting the database or something like that.
You can encrypt all traffic if you want to. And so that's something that you can set up right into the router in terms of what traffic you want to encrypt right into your client.
So using this, telecommuters can have full access safely to the corporation.
Traditional Dialup Versus Access VPN
To illustrate the savings an Access VPN can provide, compare the cost of
implementing one with that of supporting a dial-up remote access application. Suppose a small manufacturing firm must support 20 mobile users dialing into the corporate network to access the company database and e-mail for approximately 90
minutes per day (per user).
In the traditional dial-up model, the 20 mobile workers use a modem to dial long distance directly into their corporate remote access server. Most of the cost in this scenario comes from the monthly toll charges and the time and effort required to manage modem pools (access servers), which accrue on an ongoing basis over the life of the application.
By using an access VPN, the manufacturing firm's monthly toll charges can be significantly reduced. The mobile users will dial into a service provider's local point of presence (POP) and initiate a tunnel back to the corporate headquarters over the Internet. Instead of paying long distance/800 toll charges, users pay only the cost equivalent to making a local call to the ISP. The initial investment in equipment and installation of an access VPN may be recaptured quickly by the savings in monthly toll charges.
How long will it take the manufacturing firm to realize a payback of the initial capital
investment, then realize recurring monthly savings?
VPN Payback
This chart shows us the return on investment. You can see that the payback is right about three months.
So you can see that VPNs save money in the long run.
Summary
- VPNs reduce costs
- VPNs improve connectivity
- VPNs maintain security
- VPNs offer flexibility
- VPNs are reliable
Lower cost: VPNs save money because they use the Internet, not costly leased lines, to transmit information to and from authorized users. Prior to VPNs, many companies with remote offices communicated through wide area networks (WANs), or by having remote workers make long-distance calls to connect to the main-office server. Both can be expensive propositions. WANs require establishing dedicated and inflexible leased lines between various business locations, which can be costly or impractical for smaller offices.
Improved communications: A VPN provides a robust level of connectivity comparable to a WAN. With increased geographic coverage, remote offices, mobile employees, clients, vendors, telecommuters, and even international business partners can use a VPN to access information on a company's network. This level of interconnectivity allows for a more effective flow of information between a large number of people. The VPN provides access to both extranets and wide-area intranets, which opens the door for improved client service, vendor support, and company communications.
Security: VPNs maintain privacy through the use of tunneling protocols and standard security procedures. A secure VPN encrypts data before it travels through the public network and decrypts it at the receiving end. The encrypted information travels through a secure "tunnel" that connects to a company's gateway. The gateway then identifies the remote user and lets the user access only the information he or she is authorized to receive.
Increased flexibility: With a VPN, customers, suppliers and remote users can be added to the network easily and quickly. Some VPN solutions simplify the process of administering the network by allowing the system's manager to implement changes from any desktop computer. Once the equipment is installed, the company simply signs up with a service provider that activates the network by giving the company a slice of its bandwidth. This is much easier than establishing a WAN, which must be designed, built and managed by the company that creates it. VPNs also easily adapt to a company's growth. These systems can connect 2,000 people as easily as 25.
Reliability: A secure VPN can be used for the authorization of orders from suppliers, the forwarding of revised legal documents, and many other confidential business processes. Recent improvements in VPN technology have also increased the system's reliability. Many service providers will guarantee 99% VPN uptime and will offer credits for unanticipated outages.
Lesson 13: Voice Technology Basics
Welcome to the Voice Technology Basics lesson. Combined voice and data networks are definitely a hot topic these days. In this module, we'll start by discussing the convergence of voice and data. We'll present a bit of history as well so that you understand how this all came about.
We'll then move into discussing actual voice technology. There's a lot to cover here and a lot of vocabulary you'll need to be familiar with. We'll start with understanding the traditional telephony equipment. We'll also discuss voice quality issues as well as enabling technologies such as compression that are making voice/data networks possible.
After we cover the technology, we'll discuss Voice over IP, Voice over Frame Relay, and Voice over ATM. We'll then cover some of the new applications that are possible on combined voice/data networks.
Finally, we'll look at how a company might migrate from traditional telephony to an integrated voice/data network.
The Agenda
- Convergence of Voice and Data
- Voice Technology Basics
- Voice over Data Transports
- Applications
- Sample Migration
Convergence of Voice and Data
Today, voice and data typically exist in two different networks. Data networks use packet-switching technology, which sends packets across a network. All packets
share the available network bandwidth. At the same time, voice networks use circuit switching, which seizes a trunk or line for dedicated use. But this is all changing...
Data/Voice Convergence—Why?
There is a lot of talk today about merging voice and data networks. You may hear this
referred to as multiservice networking or data/voice/video integration or just voice/data integration. They all refer to the same thing. Merging multiple infrastructures into one that carries all data, regardless of type.
In this new world order, voice is just plain data. The trends driving this integration are cost initially--saving money. Significant amounts of money can be saved by doing away with parallel infrastructures. In the long run, though, new business applications are what will drive the integration of data and voice. Applications such as:
- Integrated messaging
- Voice-enabled desktop applications
- Internet telephony
- Desktop video (Intel ProShare, Microsoft NetMeeting, etc.)
So, how does a combined network save money?
Data, Voice, and Video Integration Benefits
The place where you can realize the greatest savings is in the wide-area network (WAN), where the bandwidth and services are very expensive.
The concept here is that at some point, you want voice data "to ride for free." If you look at the overall bandwidth requirements of voice compared to the rest of the network, it is minuscule. If you had to charge per-packet or per-kilobit, voice is basically "free."
Companies should experience several kinds of cost savings. Traditionally, the overall telecom budget includes three basic sections: capital equipment, support overhead
such as wages and salaries, and facilities. The majority of costs are incurred in the facilities. Facilities charges are recurring, such as leased-line charges which occur
every month, as opposed to capital equipment, which can be amortized over a couple of years.
Because facilities are the largest expense, this can also be the place where the most money can be saved. The largest part of the facilities charge is the telecom budget. If
the telecom budget can be reduced, money can be leveraged out of that to pay for network expansion.
People tell Cisco, "We have to leverage our budget to converge data, voice, and video. We have exponential applications that demand growth and we don't know how to finance that." Cisco advises customers to look at their established budgets and see if
there is any way to squeeze money out of them by putting in a more efficient infrastructure with features such as compression, and move all traffic over a single
transport mechanism. On average, users can expect a 30 to 50 percent reduction in their IT budgets with convergence.
New applications that include voice are becoming increasingly important as they drive competitive advantage.
Before we get into the nuts and bolts of voice technology, let's take a look at just a couple of these applications that multiservice networks enable.
Voice Technology Basics
There is a lot of technology and a lot of issues that are important to understand with voice/data integration. There's also a lot of jargon and vocabulary. Pace yourself as we move through this section.
We'll start by looking at TDM versus packet-based networks. Then we'll cover the traditional telephony equipment. Voice quality issues are essential and we'll discuss these, along with the technologies that are making voice/data convergence a possibility.
Traditional Separate Networks
So let's go back and look at where most companies are today.
Many organizations operate multiple separate networks, because when they were created that was the best way to provide various types of communication services
that were both affordable and at a level of quality acceptable to the user community. For example, many organizations currently operate at least three wide-area networks,
one for voice, one for SNA, and another for LAN-to-LAN data communications. This traffic can be very "bursty."
The traditional model for voice transport has been time-division multiplexing (TDM), which employs dedicated circuits.
Dedicated TDM circuits are inefficient for the transport of "bursty" traffic such as LAN-to-LAN data. Let's look at TDM in more detail so that you can understand why.
Traditional TDM Networking
TDM relies on the allocation of bandwidth on an end-to-end basis. For example, a pulse code modulated (PCM) voice channel requires 64 kbps to be allocated from end
to end. TDM wastes bandwidth, because bandwidth is allocated regardless of whether there is an actual phone conversation taking place.
So again, dedicated TDM circuits are inefficient for the transport of "bursty" traffic because:
- LAN traffic can typically be supported by TDM in the WAN only by allocating enough bandwidth to support the peak requirement of each connection or traffic type. The trade-off is between poor application response time and expensive bandwidth.
- Regardless of whether single or multiple networks are involved, bandwidth is wasted. TDM traffic is transmitted across time slots. Varying traffic types, mainly voice and data, take dedicated bandwidth, regardless of whether the time slot is idle or active. Bandwidth is not shared.
After: Integrated Multiservice Networks—Data/Voice/Video
With a multiservice network, all data is run over the same infrastructure. We no longer have three or four separate networks, some TDM, some packet. One packet-based network carries all the data. How does this work? Let's look at packet-based networking.
Packet-Based Networking
As we have just seen, TDM networking allocates time slots through the network.
In contrast, packet-based networking is statistical, in that it relies on the laws of
probability for servicing inbound traffic. A common trait of this type of networking is that the sum of the inbound bandwidth often exceeds the capacity of the trunk.
Data traffic by nature is very bursty. At any instant in time, the average amount of offered traffic may be well below the peak rate. Designing the network to more closely
match the average offered traffic ensures that the trunk is more efficiently utilized.
However, this efficiency is not without its cost. In our effort to increase efficiency, we run the risk of a surge in offered traffic that exceeds our trunk.
In that case, there are two options: we can discard the traffic or buffer it. Buffering helps us reduce the potential of discarded data traffic, but increases the delay of the data. Large amounts of oversubscription and large amounts of buffering can result in
long variable delays.
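The TDM-versus-statistical-multiplexing argument above can be made concrete with a small simulation. This is an added example, not part of the lesson: a set of constructed on/off burst sources share one trunk, TDM reserves every source's peak rate, and the packet trunk is sized below the sum of the peaks with a drop-tail FIFO buffer, so you can watch utilization, discards and queueing delay trade off as the buffer grows.

```python
"""Added example (not from the lesson): TDM versus packet-based multiplexing.

Bursty sources share one trunk.  TDM must reserve each source's peak rate end
to end; a packet network runs the trunk below the sum of the peaks and buffers
surges, trading discarded packets for queueing delay.  All traffic figures are
constructed: each source offers at most one packet per time slot.
"""
import random
from dataclasses import dataclass


@dataclass
class MuxResult:
    offered: int         # packets generated by all sources
    delivered: int       # packets that crossed the trunk
    dropped: int         # packets discarded because the buffer was full
    max_delay: int       # longest wait in the buffer, in time slots
    utilization: float   # fraction of trunk slots that carried a packet


def burst_sources(n_sources, n_slots, p_on=0.3, seed=1):
    """Return, per time slot, how many sources offered a packet.

    Each source is independently 'on' in a slot with probability p_on and then
    sends one packet (its peak rate); otherwise it is idle.  The mean offered
    load is p_on packets/slot per source, well below the peak of 1.
    """
    rng = random.Random(seed)
    return [sum(1 for _ in range(n_sources) if rng.random() < p_on)
            for _ in range(n_slots)]


def tdm_capacity(n_sources, peak_rate=1):
    """TDM allocates every source's peak rate regardless of activity."""
    return n_sources * peak_rate


def statmux(arrivals, trunk_rate, buffer_size):
    """Statistically multiplex 'arrivals' onto a trunk of trunk_rate packets/slot.

    A FIFO buffer of buffer_size packets absorbs surges; arrivals that find the
    trunk and buffer full are discarded (drop-tail).  With buffer_size=0 every
    packet is either sent in its own slot or discarded, so the delay is zero.
    """
    queue = []                      # arrival slot of each waiting packet
    offered = delivered = dropped = max_delay = 0
    for slot, n_arrive in enumerate(arrivals):
        offered += n_arrive
        queue.extend([slot] * n_arrive)
        # Packets beyond what can leave now plus what the buffer holds are lost.
        room = trunk_rate + buffer_size
        if len(queue) > room:
            dropped += len(queue) - room
            del queue[room:]
        sent, queue = queue[:trunk_rate], queue[trunk_rate:]
        delivered += len(sent)
        for arrived in sent:
            max_delay = max(max_delay, slot - arrived)
    # Packets still queued when the run ends are neither delivered nor dropped.
    utilization = delivered / (len(arrivals) * trunk_rate) if arrivals else 0.0
    return MuxResult(offered, delivered, dropped, max_delay, utilization)


def compare(n_sources=20, n_slots=2000, trunk_rate=8, seed=7):
    """Run a TDM-sized trunk and an oversubscribed trunk with growing buffers."""
    arrivals = burst_sources(n_sources, n_slots, seed=seed)
    rows = [("TDM-sized trunk", statmux(arrivals, tdm_capacity(n_sources), 0))]
    for buf in (0, 4, 16, 64):
        rows.append((f"trunk={trunk_rate}, buffer={buf}",
                     statmux(arrivals, trunk_rate, buf)))
    return rows


if __name__ == "__main__":
    for label, r in compare():
        print(f"{label:28s} util={r.utilization:6.1%} dropped={r.dropped:5d} "
              f"max_delay={r.max_delay:3d} slots")
```

The TDM-sized trunk never drops or delays a packet but sits mostly idle; the 8-packet trunk is far better utilized, and each increase in buffer size lowers the discard count while raising the worst-case delay.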
Traditional Telephony
You can't really understand voice/data integration unless you understand telephony. This section covers that.
Voice Systems Rely on Public Switched Telephone Networks
In a typical voice/analog telephone network, users make an outside phone call from the phone on their desk. The call then connects to the company's internal phone system or directly to the Public Switched Telephone Network (PSTN) over a basic telephone service analog trunk or a T1/E1 digital trunk. From the PSTN, the call is routed to the recipient, such as an individual at home.
If a call connects to a company's internal phone system, the call may be routed internally to another phone on the corporate voice network without ever going through a PSTN.
The PSTN may contain a variety of transmission media, including copper cable, fiber-optic cable, microwave communications, and satellite communications.
Traditional Telephony Equipment
A telephone set is simply a telephone.
KTS: Key telephone systems, found commonly in small business environments, enhance the functionality of telephone sets. The telephones have multiple buttons and require the user to select central-office phone and intercom lines.
EKTS: Electronic key telephone systems improve upon KTS systems. EKTSs often provide switching capabilities and impressive functionality, crossing into the PBX world.
PBX: A private branch exchange system allows the sharing of pooled trunks (outside lines) to which the user typically gains access by dialing an access digit such as "9." Software in the PBX manages contention for pooled lines. The PBX system has many features, including simultaneous voice call and data screen, automated dial-outs from computer databases, and transfers to experts based on responses to questions rather than phone numbers.
The historical differences between a PBX and a key system have blurred, and both product lines offer comparable feature sets for station-to-station calling, voice mail, and so on. Either the customer owns the PBX or it can be owned and operated by a third party as a service to the end customer. To blur things further, key systems are beginning to offer selected trunk interfaces.
The major differences between a PBX and a key system are the following:
- A PBX looks to the network like another switch—it connects via trunk (PBX-to-PBX) interfaces to the network.
- A key system looks like a phone set (station) and connects via lines (station to PBX).
- PBXs serve the high end of the market.
- Key systems serve the low end of the market.
CO: The central office is the phone company facility that houses the switches.
Switch: An electromechanical device, a switch performs the central switching function of a traditional telephony network. Today, it can include both analog and
digital hardware and software.
Toll switch: This switch is used to handle long-distance traffic.
Traditional Telephony Signaling, Addressing, and Routing
We will now consider how phone calls are created and sent through the traditional telephone network.
Signaling
- Off-hook signaling - how a phone call gets started
- Signaling paths
- Signaling types
Addressing
- Very different from data network schemes
- These differences must be resolved in order to implement integrated data/voice/video (DVV)
Routing
- Dependent on the resolution of the addressing issue
Signaling in a Voice System Sets Up and Tears Down Calls
In any telephone system, some form of signaling mechanism is required to set up and tear down calls. When a caller from an office desk calls someone across the country at another office desk, many forms of signaling are used, including the following:
- Between the telephone and PBX
- Between the PBX and CO
- Between two COs
All of these signaling forms may be different. Simple examples of signaling include ringing of a telephone, dial tone, ringing, and so on.
There are five basic categories of signals commonly used in a telecommunications network:
Supervisory—Used to indicate the various operating states of circuit combinations. Also used to initiate and terminate charging on a call.
Information—Inform the customer or operator about the progress of a call. These are generally in the form of universally understood audible tones (for example, dial tone, busy, ringing) or recorded announcements (for example, intercept, all circuits busy).
Address—Provides information about the desired destination of the call. This is usually the dialed digits of the called telephone number or access codes. Typical types of address signals are Dial Pulse (DP), DTMF, and MF.
Control—Interface signals that are used to announce, start, stop, or modify a call. Control signals are used in interoffice trunk signaling.
Alert—Ringing signal put on subscriber access lines to indicate an incoming call. Signals such as ringing and receiver off-hook are transmitted over the loop to notify the customer of some activity on the line.
Signaling Between the Telephone and PBX
A telephone can be in one of two states: off-hook or on-hook. A line is seized when
the phone goes off-hook.
Off-hook—A telephone is off-hook when the telephone handset is lifted from its cradle. When you lift the handset, the hook switch is moved by a spring and alerts the PBX that the user wants to receive an incoming call or dial an outgoing call. A dial tone indicates "Give me an order."
On-hook—A telephone is on-hook when its handset is resting in the cradle and the phone is not connected to a line. Only the bell is active, that is, it will ring if a call comes in.
The phone company can provision a Private Line, Automatic Ringdown (PLAR) between two devices. A PLAR is a leased voice circuit that connects two single
instruments. When either handset is lifted, the other instrument automatically rings. Typical PLAR applications include a telephone at a bank ATM, phones at an airport that ring a selected hotel, and emergency phones.
Signaling Between the PBX and CO
A telephone system "starts" (seizes) a trunk, or the CO seizes a trunk by giving it a supervisory signal. There are three ways to seize a trunk:
- Loop start—A signaling method in which a line is seized by bridging through a resistance at the tip and ring (both wires) of a telephone line.
- Ground start—A signaling method in which one side of the two-wire line (typically the "ring" conductor of the tip and ring) is momentarily grounded to get dial tone.
- Wink—A wink signal is sent between two telecommunications devices as part of a handshaking protocol. It is a momentary interruption in the single frequency tone indicating that one device is ready to receive the digits that have just been dialed. With a DID trunk, a wink signal from the CO indicates that additional digits will be sent. After the PBX acknowledges the wink, the DID digits are sent by the CO.
PBXs work best on ground start trunks, though many will work on both loop start and ground start. Normal single-line phones and key systems typically work on loop start trunks.
Signaling Between Switches
Common channel signaling (CCS) is a form of signaling where a group of circuits
share a signaling channel.
Signaling system 7 (SS7) provides three basic functions:
- Supervisory signaling
- Alerting
- Addressing
SS7 is an ITU-T standard adopted in 1987. It is required by telecommunications administrations worldwide for their networks. The major parts of SS7 are the Message Transfer Part (MTP) and the Signaling Connection Control Part (SCCP). SCCP works out-of-band, thereby providing a lower incidence of errors and fraud, and faster call setup and take-down.
SS7 provides two major capabilities:
- Fast call setup via high-speed circuit-switched connections.
- Transaction capabilities that deal with remote data-base interactions.
SS7 information can tell the called party who's calling and, more important, tell the called party's computer.
SS7 is an integral part of ISDN. It enables companies to extend full PBX and Centrex-based services—such as call forwarding, call waiting, call screening, call transfer, and so on—outside the switch to the full international network.
Signaling in a Computer Telephony System
Foreign Exchange (FX) trunk signaling can be provided over analog or T1/E1 links.
Connecting basic telephone service telephones to a computer telephony system via T1 links requires a channel band configured with FX type connections.
To generate a call from the basic telephone service set to a computer telephony system, a foreign exchange office (FXO) connection must be configured. To generate a
call from the computer telephony system to the basic telephone service set, a foreign exchange station (FXS) connection must be configured.
When two PBXs communicate over a tie trunk, they use E&M signaling (stands for
Earth and Magneto or Ear and Mouth). E&M is generally used for two-way (either side may initiate actions) switch-to-switch or switch-to-network connections. It is
also frequently used for the computer telephony system to switch connections.
Dialing Within a Phone System
Calls within a phone system are considered on-net or off-net, as follows:
- On-net calling refers to calls that stay on a customer's private network, traveling by private line from beginning to end.
- A call to an off-premise extension connected by a tie trunk is considered an on-net call. The off-premise telephone is located in a different office or building from the main phone system, but acts as if it is in the same location as the main phone system and can use its full capabilities.
- Off-net calling refers to phone calls that are carried in part on a network but are destined for a phone that is not on the network. That is, some part of the conversation's journey will be over the PSTN or someone else's network.
Voice Network Addressing
Voice addressing is determined by a combination of international and national standards, local telephone company practices and internal customer-specific codes. Voice addressing historically has had a geographical connotation, but the introduction of wireless and portable services will render that impossible to maintain.
International and national numbering plans are described by the ITU's E.164 recommendation. It is expected that the local telephone company adheres to this recommendation.
E.164 is only the public network addressing system. There are also private dialing plans, which are nonstandardized and can be considered highly effective by their users.
This slide depicts a trunk group that bypasses the PSTN. Selection of this trunk has been predefined and mapped to the number 8. The access number could be part of the E.164 addressing scheme or part of a private dialing plan.
Alternate numbering schemes are employed by users and providers of PSTN service for specific reasons. Examples of non-E.164 plans are the carrier identification code (CIC), used for selecting different long-distance carriers, tie lines, trunk groups, and WATS lines, and private numbering plans, such as seven-digit dialing.
For integrating voice and data networks, each of these areas must be considered.
Voice Routing
Routing is closely related to the numbering plan and signaling that we just described.
At its most basic level, routing enables the establishment of a call from the source telephone to the destination telephone. However, most routing is much more
sophisticated and allows subscribers to select specific services. In terms of implementation, routing is a result of establishing a set of tables or rules within each switch. As a call comes in, the path to the desired destination and the
type of features available will be derived from these tables or rules. It is important to know how routing is done in the telephone network, because this function will be required in an integrated data/voice network.
Voice over Data Networks
Now that you understand how today's voice networks work, let's take a look at how real-time voice over a data network works.
Voice over Packet Networks Allow Real-Time Voice on Data Networks
Voice over packet networks provide techniques for sending real-time voice over data networks, including IP, Frame Relay, and Asynchronous Transfer Mode (ATM)
networks.
Analog voice is converted into digital voice packets, sent over the data network as
data packets, and converted to analog voice on the other end.
Converting from Voice to Data
Analog voice is converted to digital data packets with the following steps:
1. A person speaking into the telephone produces an analog voice signal.
2. Coder-decoder (CODEC) software converts the signal from analog to digital data packets suitable for transmission over a TCP/IP network.
3. A digital signal processor (DSP) chip compresses the packets for transmission over the data network.
The data network can be an IP LAN, or a leased-line, ATM, or Frame Relay network.
Converting from Data Back to Voice
Digital data packets are converted back to analog voice with the following steps:
4. The DSP chip uncompresses the packets.
5. CODEC software converts the signal from digital data packets back to analog voice.
6. The recipient listens to the voice on their telephone.
The "Enabling" Technologies
What's made this all possible is that in the last ten years, a lot of things have happened in voice technology:
Access price/performance: Access products and services have increased in price performance.
Processing: Digital signal processors (DSPs) specialize in processing analog waveforms, which voice or video inherently are. Today, DSPs are cheaper and higher powered, enabling more advanced algorithms to compress, synthesize, and process voice and video signals. CPUs within the devices have increased in power as well.
Voice compression: Voice compression is used to save bandwidth. A variety of voice compression schemes provide a variety of levels of bandwidth usage and voice quality. These compression methods often do not interoperate. Modem, fax, and dual tone multifrequency (DTMF) functionality are all impacted by voice-compression methods.
Standards: Advances have been made over the past few years that enable the transmission of voice traffic over traditional public networks, such as Frame Relay (Voice over Frame Relay). Standards, such as G.729 for voice compression, FRF.11 and FRF.12 for voice over Frame Relay, and the long list of ATM standards enable different types of traffic to come together in a nonproprietary network. Additionally, the support of Asynchronous Transfer Mode (ATM) for different traffic types, and the ATM Forum's recent completion of the Voice and Telephony over ATM specification, will speed up the availability of industry-standard solutions for voice over ATM.
Higher-speed infrastructure: In general, the infrastructures to support voice in corporate environments and in the public network environments are much higher-speed now, so they can carry more voice traffic and effectively take on the voice tasks for the corporation.
Voice Technologies Compression
What makes voice compression possible is the power of Digital Signal Processors.
DSPs have continued to increase in performance and decrease in price over time, and as they have, it has made it possible to use new compression schemes that offer
better quality and use less bandwidth. The power of the DSP makes it possible to combine this traffic onto a line that formerly supported perhaps only a LAN connection, but now can support voice, data, and LAN integration.
Looking at this chart, quality and bandwidth tend to trade off. PCM is the standard 64 Kbps scheme for coding voice; it is the standard for toll quality. The other compression schemes - ADPCM at 32 Kbps, 24 Kbps and 16 Kbps - offer less quality but more bandwidth efficiency. The newer compression schemes - LDCELP at 16 Kbps and CS-ACELP at 8 Kbps - offer even higher efficiency while still delivering very high quality, quite acceptable in a business environment.
ADPCM—Adaptive Differential Pulse Code Modulation: consumes only 32 Kbps
compared to the 64 Kbps of a traditional voice call; often used on long-distance connections.
LPC—Linear predictive code: a second group of standards that provide better voice
compression and, at the same time, better quality. In these standards, the voice coding uses a special algorithm, called linear predictive code (LPC), that models the
way human speech actually works. Because LPC can take advantage of an understanding of the speech process, it can be much more efficient without sacrificing voice quality.
CELP—Code-Excited Linear Predictive voice compression: uses additional
knowledge of speech to improve quality.
CS ACELP: Further improvements known as conjugate structure algebraic
compression enable voice to be coded into 8-kbps streams. There are two forms of this standard, both providing speech quality as good as that of 32-kbps ADPCM.
Voice Quality Guidelines
Silence Suppression by Voice Activity Detection
Voice activity detection (VAD) provides for additional savings beyond that achieved by voice compression.
Telephone conversations are half duplex by nature, because we listen and pause between sentences. Sixty percent of a 64-kbps voice channel typically contains silence. VAD enables traffic from other voice channels or data circuits to make use of this silence. The benefits of VAD increase with the addition of more channels, because the statistical probability of silence increases with the number of voice conversations being combined.
QoS Also Plays a Role in Voice Quality
The advantages of reduced cost and bandwidth savings of carrying voice over packet networks are associated with some quality of service issues that are unique to packet
networks. In a circuit-switched or TDM environment, bandwidth is dedicated, making QoS—quality of service—implicit, whereas, in a packet-switched environment, all kinds of
traffic are mixed in a store-and-forward manner. So, in a packet-switched environment, there is the need to devise schemes to prioritize real-time traffic.
So… in an integrated voice data network, QoS is essential to ensure the same high quality as voice transmissions in the traditional circuit-switched environment.
QoS and Voice Quality
Some of the quality of service issues customers face include the following:
Delay—Delay causes two problems: echo and talker overlap. Echo is caused by the signal reflections of the speaker's voice from the far-end telephone equipment back into the speaker's ear. Echo becomes a significant problem when the round-trip delay becomes greater than 50 milliseconds (ms). Talker overlap becomes significant if the one-way delay becomes greater than 250 ms.
Jitter—Jitter relates to variable inter-packet timing caused by the network that a packet traverses. Removing jitter requires collecting packets and holding them long enough to allow the slowest packets to arrive in time to be played in the correct sequence, which causes additional delay.
Lost packets—Depending on the type of packet network, lost packets can be a severe problem. Because IP networks do not guarantee service, they will usually exhibit a much higher incidence of lost voice packets than ATM networks.
Echo—Echo is present even in a conventional circuit-switched telephone network, but is acceptable because the round-trip delays through the network are smaller than 50 ms and the echo is masked by the normal side tone that every telephone generates. Echo is a problem in voice over packet networks because the round-trip delay through the network is almost always greater than 50 ms. For this reason, echo cancellation techniques must be used.
Solutions to Voice Quality Issues
Quality of service issues for voice may be handled by the H.323, VoIP, VoATM, or VoFR standards, or by an internetworking device. Following are some solutions to quality of service issues:
Delay—Minimize the end-to-end delay budget, including the accumulation delay, processing delay, and network delay.
Jitter—Adjust the jitter buffer size to minimize jitter. On an ATM network, the approach is to measure the variation of packet levels over a period of time and incrementally adapt the buffer size to match the calculated jitter. On an IP network, the approach is to count the number of packets successfully processed and adjust the jitter buffer to target a predetermined allowable late packet ratio.
Lost packets—While dropped packets are not a problem for data (due to retransmission), they cause a significant problem for voice applications. To compensate, voice over packet software can interpolate for lost speech packets by replaying the last packet, or can send redundant information at the expense of bandwidth utilization.
Echo—Echo cancellation techniques are used to compare voice data received from the packet network with voice data being transmitted to the packet network. The echo from the telephone network hybrid is removed by a digital filter on the transmit path into the packet network.
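The IP-network jitter-buffer adaptation and the replay-the-last-packet concealment described above, as an added Python simulation that is not part of the original notes; the 20 ms frame interval, the 5 percent allowable late-packet ratio and the packet arrival times are constructed.

```python
"""Adaptive jitter buffer with packet-loss concealment (added simulation).

Models the IP-network approach from the notes: count the packets processed,
count the ones that arrived too late to be played, and adjust the buffer depth
to target an allowable late-packet ratio. Lost or late packets are concealed by
replaying the last good packet. All timings below are constructed.
"""
from dataclasses import dataclass, field

PACKET_MS = 20  # constructed: the sender emits one voice frame every 20 ms


@dataclass
class JitterBuffer:
    target_late_ratio: float = 0.05   # allowable late-packet ratio (constructed)
    playout_delay_ms: int = 40        # initial buffer depth
    min_delay_ms: int = 20
    max_delay_ms: int = 200
    window: int = 20                  # packets processed per adaptation step
    processed: int = 0
    late: int = 0
    last_payload: str = "silence"
    history: list = field(default_factory=list)  # (late ratio, new delay) per window

    def play(self, seq, arrival_ms, payload):
        """Return the payload played at this packet's scheduled playout time.

        The sender timestamp is seq * PACKET_MS; playout happens that many
        milliseconds plus the buffer depth later. A packet that is lost
        (arrival_ms is None) or arrives after its playout time is replaced by
        a replay of the previous packet: no extra delay, but audible."""
        deadline_ms = seq * PACKET_MS + self.playout_delay_ms
        self.processed += 1
        if arrival_ms is None or arrival_ms > deadline_ms:
            self.late += 1
            out = self.last_payload           # conceal: replay last good packet
        else:
            out = payload
            self.last_payload = payload
        if self.processed == self.window:
            self._adapt()
        return out

    def _adapt(self):
        """Grow the buffer when too many packets were late; shrink it when none were."""
        ratio = self.late / self.processed
        if ratio > self.target_late_ratio:
            self.playout_delay_ms = min(self.max_delay_ms,
                                        self.playout_delay_ms + PACKET_MS)
        elif ratio == 0:
            self.playout_delay_ms = max(self.min_delay_ms,
                                        self.playout_delay_ms - PACKET_MS)
        self.history.append((ratio, self.playout_delay_ms))
        self.processed = self.late = 0


def constructed_stream():
    """40 packets: mostly 10 ms of network delay, three delayed by 50 ms, one lost."""
    stream = []
    for seq in range(40):
        if seq == 7:
            arrival = None                              # lost in transit
        elif seq in (3, 11, 25):
            arrival = seq * PACKET_MS + 50              # jitter spike
        else:
            arrival = seq * PACKET_MS + 10
        stream.append((seq, arrival, f"f{seq}"))
    return stream


def simulate(stream=None):
    """Run the stream through the buffer; return (buffer, list of played payloads)."""
    buf = JitterBuffer()
    played = [buf.play(seq, arrival, payload)
              for seq, arrival, payload in (stream or constructed_stream())]
    return buf, played


if __name__ == "__main__":
    buf, played = simulate()
    print("played:", played)
    print("late ratio / delay per window:", buf.history)
```

In the first window three of twenty packets miss the 40 ms buffer, so the buffer grows to 60 ms; the same 50 ms spike in the second window is then absorbed and the buffer shrinks again.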
Effect of QoS on Voice Quality
With all of the "marketing hype" around QoS today, many customers have become skeptical of the claims some vendors are making.
Here's one way to look at the actual effect of Cisco QoS technologies on voice quality.
The blue line represents the total network data load. The green line represents voice
quality without QoS. As you can see, the quality of a voice call rises and falls in response to varying levels of background traffic.
The red line represents voice quality with QoS enabled, showing that high voice quality remains constant as background traffic fluctuates.
Voice over Data Transports
We've covered the building blocks for voice/data integration. Now, let's take a look at the different transports customers can consider. The most widely used is Voice over IP. Voice over Frame Relay and Voice over ATM are also important, so we'll cover these as well.
Standards—VoIP, VoFR, and VoATM
VoIP:
- International Telecommunications Union (ITU)—International standards body for telephony
- ITU-T H.323—International Telecommunications Union recommendation for multimedia (including voice) networking over IP
- International Multimedia Teleconferencing Consortium (IMTC)—International standards body providing recommendations for multimedia networking over IP, including VoIP
- Internet Engineering Task Force (IETF)—Internet standards body
VoFR:
- FRF.11—Implementation agreement, ratified in May 1997 by the Frame Relay Forum, that defines the transport of voice over Frame Relay
- FRF.12—Provides an industry-standard approach to implement small frame sizes (Frame Relay fragmentation) to help reduce delay and delay variation
- Other related FRF standards—FRF.6 Customer Network Management, FRF.7 Multicast, FRF.8 FR/ATM Service Interworking, FRF.9 Data Compression, FRF.10 Frame Relay Network to Network
VoATM:
- ATM Forum:
- Traffic Management Specification Version 4.0—af-tm-0056.000
- Circuit Emulation Service 2.0—af-vtoa-0078.000
- ATM UNI Signaling, Version 4.0—af-sig-0061.0000
- PNNI V1.0—af-pnni-0055.000
Voice over Data Transports
All types of packetized voice implementations lend themselves well to both corporate and service provider use.
The Voice over IP (VoIP) approach provides Internet service providers (ISPs) with a competitive weapon against telecommunications companies, while telecommunications companies prefer a virtual circuit environment using Voice over Frame Relay (VoFR) or Voice over ATM (VoATM).
VoIP, VoFR, and VoATM Quality
In terms of quality, voice over Frame Relay (VoFR), voice over ATM (VoATM), and voice over IP (VoIP) differ. However, they also differ in terms of cost and in terms of general usability.
Frame Relay's variance does have an impact on voice quality, but Frame Relay can maintain a business-quality level of communication at lower cost. Therefore, VoFR is slightly lower cost than VoATM, but VoFR provides some usually undetectable variations in quality.
VoIP can go anywhere from utility quality, if used over the Internet to toll quality, if used over an intranet with QoS mechanisms enabled. Yet it will generally provide the lowest cost for connectivity. Thus, VoIP in intranets is highly viable for the business
user today and provides the most attractive cost option of the three.
VoATM, meaning voice over real-time variable bit rate (RT-VBR) or constant bit rate (RT-CBR), is fully deterministic in terms of QoS. Voice quality never varies. However, VoATM is generally more costly to implement than is, say, VoFR.
All three options offer significantly lower costs than building a private network or using the PSTN, and usually require a fraction of the bandwidth.
Voice over IP Components
The Voice over IP standard incorporates other components, including:
- G. standards, which specify analog-to-digital conversion and compression (as described earlier in this chapter).
- H.323 standard, which specifies call setup and interoperability between devices and applications.
- Realtime Transport Protocol (RTP), which manages end-to-end connections to minimize the effect of packets lost or delayed in transit on the network.
- Internet Protocol or IP, which is responsible for routing packets on the network.
ITU-T H.323 Standard
ITU-T H.323 is a standard approved by the ITU-T that defines how audiovisual
conferencing data is transmitted across networks. H.323 provides a foundation for audio, video, and data communications across IP networks, including the Internet.
H.323-compliant multimedia products and applications can interoperate, allowing users to communicate without concern for compatibility.
H.323 provides important building blocks for a broad new range of collaborative, LAN-based applications for multimedia communications.
H.323 sets multimedia standards for the existing infrastructure (for example, IP-based networks). Designed to compensate for the effect of highly variable LAN latency, H.323 allows customers to use multimedia applications without changing
their network infrastructure.
By providing device-to-device, application-to-application, and vendor-to-vendor interoperability, H.323 allows customers' products to interoperate with other H.323-compliant products. PCs are becoming more powerful multimedia platforms due to faster processors, enhanced instruction sets, and powerful multimedia accelerator chips.
Applications enabled by the H.323 standard include the following:
- Internet phones
- Desktop conferencing
- Multimedia Web sites
- Internet commerce
- And many others
H.323 Infrastructure
The H.323 standard specifies four kinds of components, which when networked
together, provide the point-to-point and point-to-multipoint multimedia communication services: terminals, gateways, gatekeepers, multipoint control units (MCUs).
H.323 terminals are used for real-time bidirectional multimedia communications. An H.323 terminal can be either a PC or a standalone device running H.323 and the multimedia applications. It supports audio communications and can optionally support video or data communications.
An H.323 gateway provides connectivity between an H.323 network and a non-H.323 network. For example, a gateway can connect and provide communication between
an H.323 terminal and the Public Switched Telephone Network (PSTN). This connectivity of dissimilar networks is achieved by translating protocols for call setup
and release, converting media formats between different networks, and transferring information between the networks connected by the gateway. A gateway is not required, however, for communication between two terminals on an H.323 network.
A gatekeeper can be considered the "brain" of the H.323 network. Although they are not required, gatekeepers provide important services such as addressing, authorization, and authentication of terminals and gateways, bandwidth management, accounting, billing, and charging. Gatekeepers may also provide call-routing services.
MCUs provide support for conferences of three or more H.323 terminals. All terminals
participating in the conference establish a connection with the MCU. The MCU manages conference resources, negotiates between terminals for the purpose of
determining the audio or video CODEC to use, and may handle the media stream. The gatekeepers, gateways, and MCUs are logically separate components of the H.323 standard, but can be implemented as a single physical device.
H.323 Gatekeeper Functionality
Gatekeepers provide call control services to network endpoints. A gatekeeper can provide the following services:
Address translation—Performs alias address to transport address translation. Gatekeepers typically use a translation table to perform the address translation.
Admissions control—Authorizes LAN access based on call authorization, bandwidth, or other criteria.
Call control signaling—The gatekeeper may choose to complete call signaling with endpoints or may process the call signaling itself. Alternatively, the gatekeeper may instruct endpoints to connect the call signaling channel directly to one another, so that the gatekeeper does not have to handle the signaling channel.
Call authorization—A gatekeeper may reject calls from a terminal upon authorization failure.
Bandwidth management—Controls the number of terminals that are permitted simultaneous access to a LAN.
Call management—Maintains a list of active calls.
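The gatekeeper services listed above (address translation, admission control, call authorization, bandwidth management and call management), as an added simplified model in Python that is neither Cisco's gatekeeper nor the real H.225 RAS message encoding; the aliases, transport addresses, the 128 kbps zone budget and the "gateway" alias are constructed.

```python
"""Simplified model of H.323 gatekeeper call-control services (added example).

Only the decisions are modelled, not the RAS wire format: endpoints register an
alias with a transport address (RRQ), a call needs an admission decision (ARQ)
that is confirmed (ACF) or rejected (ARJ), and a disengage (DRQ) frees bandwidth.
"""
from dataclasses import dataclass, field


@dataclass
class Gatekeeper:
    zone_bandwidth_kbps: int                           # LAN bandwidth under gatekeeper control
    registry: dict = field(default_factory=dict)       # translation table: alias -> record
    active_calls: dict = field(default_factory=dict)   # call management: call id -> record
    next_call_id: int = 1

    def register(self, alias, transport, offnet_allowed=False):
        """RRQ: a terminal or gateway registers its alias and transport address."""
        self.registry[alias] = {"transport": transport, "offnet": offnet_allowed}

    def translate(self, alias):
        """Address translation: alias -> transport address via the translation table."""
        record = self.registry.get(alias)
        return record["transport"] if record else None

    def bandwidth_in_use(self):
        """Bandwidth management: bandwidth granted to the calls currently active."""
        return sum(call["kbps"] for call in self.active_calls.values())

    def admit(self, caller, callee, kbps):
        """ARQ: return ('ACF', call id, destination transport) or ('ARJ', reason).

        Checks, in order: the caller is registered (a stand-in for terminal
        authentication), call authorization for off-net destinations,
        address translation of the callee, and the bandwidth budget."""
        if caller not in self.registry:
            return ("ARJ", "caller not registered")
        if callee.startswith("pstn:"):          # off-net call: must leave via the gateway
            if not self.registry[caller]["offnet"]:
                return ("ARJ", "caller not authorized for off-net calls")
            destination = self.translate("gateway")
        else:
            destination = self.translate(callee)
        if destination is None:
            return ("ARJ", "callee cannot be resolved")
        if self.bandwidth_in_use() + kbps > self.zone_bandwidth_kbps:
            return ("ARJ", "insufficient bandwidth")
        call_id = self.next_call_id
        self.next_call_id += 1
        self.active_calls[call_id] = {"caller": caller, "callee": callee, "kbps": kbps}
        return ("ACF", call_id, destination)

    def release(self, call_id):
        """DRQ: the call ended; drop it from the active list and free its bandwidth."""
        return self.active_calls.pop(call_id, None) is not None


def demo():
    """Constructed zone: four terminals, one PSTN gateway, 128 kbps voice budget."""
    gk = Gatekeeper(zone_bandwidth_kbps=128)
    gk.register("alice", "10.0.0.11:1720", offnet_allowed=True)
    gk.register("bob", "10.0.0.12:1720")
    gk.register("carol", "10.0.0.13:1720")
    gk.register("dave", "10.0.0.14:1720")
    gk.register("gateway", "10.0.0.254:1720")
    results = [
        gk.admit("alice", "bob", 64),              # ACF, call 1
        gk.admit("carol", "dave", 64),             # ACF, call 2: budget now exhausted
        gk.admit("alice", "eve", 64),              # ARJ: alias not in the translation table
        gk.admit("bob", "pstn:5551234", 64),       # ARJ: bob may not dial off-net
        gk.admit("alice", "pstn:5551234", 64),     # ARJ: no bandwidth left
        gk.release(1),                             # call 1 ends, 64 kbps freed
        gk.admit("alice", "pstn:5551234", 64),     # ACF, call 3, routed to the gateway
    ]
    return gk, results


if __name__ == "__main__":
    gk, results = demo()
    for result in results:
        print(result)
    print("active calls:", gk.active_calls)
```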
H.323 Interoperability
VoIP works with a company's existing telephony architecture, including its private branch exchanges (PBXs) and analog phones.
VoIP and H.323 enable companies to complete office-to-office telephone and fax calls across data networks, significantly reducing tolls. New applications are available, including unified messaging that integrates e-mail with voice mail and fax.
Choosing VoIP
Customers may choose VoIP as their voice transport medium when they need a
solution that is simple to implement, offers voice and fax capabilities, and handles phone-to-computer voice communications. IP networks are proliferating throughout the marketplace. Thus, many customers can use VoIP today.
Integrating Voice and Data on the WAN
The Voice over IP and H.323 standards define how analog voice is converted to data packets and back again. The next step is to use a company's existing wide-area network (WAN) to transport voice traffic with data traffic.
Serial (Leased Line) Services
T1 is a private-line digital service, operating at 1.544 Mbps in a full-duplex, TDM mode. The 1.544-Mbps transmission rate provides the equivalent capacity of 24
channels running at 64 Kbps each.
The full-duplex feature of T1 allows the simultaneous operation of independent transmit and receive paths. Each data path operates at a transmission rate of 1.544 Mbps. Companies that need less bandwidth can deploy fractional T1 trunks, using
any number of channels needed. A fractional service is tariffed on a linear pricing schedule, depending on the number of T1 channels and the distance covered.
The TDM feature allows logical channels to be defined within the T1 serial bit stream. The T1 bit stream may be channelized in many different ways, as follows:
- A single 1.544-Mbps digital channel (non-channelized) between the user's premises and the central office (CO)
- 24 independent channels, each providing 64 Kbps of bandwidth
- Any variation of 64-Kbps channel combinations
Each logical channel may be independently transmitted and switched. A combination of voice, video, and data may be transmitted over a single T1 line.
Ideal Applications for T1 Services
T1 service is ideal for applications that require continuous high-speed transmission capabilities. Some common T1 applications include the following:
- High-volume LAN interconnection
- Integrated voice, data, video, and imaging transmission
- Compressed video transmission
- Bulk data transfer
Frame Relay Services
Frame Relay is a packet-switching WAN technology that has achieved widespread support among vendors, users, and communications carriers. Its development has been spurred by the need to internetwork LANs at high speeds while maintaining the
lower costs associated with packet-switching networks.
Frame Relay offers very high access speeds. In North America, initial Frame Relay access rates start at 56 Kbps and go up to 1.544 Mbps. In Europe, the initial Frame Relay access rates start at 64 Kbps and go up to 2.048 Mbps. Companies can
contract with their service provider for a committed information rate (CIR). The Frame Relay standard today uses permanent virtual circuits (PVCs). All traffic for
a PVC uses the same path through the Frame Relay network. The endpoints of the PVC are defined by a data-link connection identifier (DLCI). The CIR, DLCIs, and
PVCs are defined when the user initially subscribes to a Frame Relay service. Frame Relay allows remote host access for applications such as the following:
- Remote host connectivity
- Credit card authorization
- Online information services
- Remote order entry
Frame Relay supports multiple virtual connections over a single physical interface. This means that Frame Relay is often the ideal solution to provide many users with
simultaneous access to a remote location. In these cases, the Frame Relay connection helps optimize the return on investment of the host system.
Voice over Frame Relay
Voice over Frame Relay (VoFR) technology consolidates voice and voice-band data
(including fax and analog modems) with data services over a Frame Relay network. The VoFR standard is specified in FRF.11 by the Frame Relay Forum.
VoFR allows PBXs to be connected using Frame Relay PVCs. The goal is to replace leased lines and lower costs. With VoFR, customers can easily increase their link
speeds to their Frame Relay service or their CIR to support additional voice, fax, and data traffic.
How VoFR Works
A voice-capable router connects both a PBX and a data network to a public Frame Relay network. A voice-capable router includes a Voice Frame Relay Adapter (VFRAD)
or a voice/fax module that supports voice traffic on the data network.
Choosing VoFR
Frame Relay provides another popular transport for multiservice networks since Frame Relay networks are common in many areas. Frame Relay is a cost-effective service that supports bursty traffic well.
Frame Relay enables customers to prioritize voice frames over data frames to
guarantee quality of service (QoS).
Asynchronous Transfer Mode (ATM) Services
Asynchronous Transfer Mode (ATM) is a technology that can transmit voice, video, data, and graphics across LANs, metropolitan-area networks (MANs), and WANs. ATM is an international standard defined by ANSI and ITU-T that implements a high-
speed, connection-oriented, cell-switching, and multiplexing technology that is designed to provide users with virtually unlimited bandwidth. Many in the
telecommunications industry believe that ATM will revolutionize the way networks are designed and managed.
Today's networks are running out of bandwidth. Network users are constantly demanding more bandwidth than their network can provide. In the mid 1980s,
researchers in the telecommunications industry began to investigate the technologies that would serve as the basis for the next generation of high-speed voice, video, and data networks. The researchers took an approach that would take advantage of the
anticipated advances in technology and enable support for services that might be required in the future. The result of this research was the development of the ATM standard.
How VoATM Works
Using a WAN switch for ATM, customers can connect their PBX network and data network to a public or private ATM network.
One attractive aspect of ATM is its ability to support different QoS, as appropriate for various applications. The QoS spectrum ranges from circuit-style service, where
bandwidth, latency, and other parameters are guaranteed for each connection, to packet-style service, where best-effort delivery allocates bandwidth for each active
connection. The ATM Forum developed a set of terms for describing requirements placed on the
network by particular types of traffic. These five terms (AAL1 through AAL5) are referred to as adaptation layers, and are used as a common language for discussing what kinds of traffic requirements an application will present to the network.
- AAL1—Connection-oriented, constant bit rate, commonly used for emulating traditional circuit connections.
- AAL2—Connection-oriented, variable bit rate, used for packet video and audio services.
- AAL3/4—Connection-oriented, variable bit rate.
- AAL5—Connectionless, variable bit rate, commonly used for IP traffic as it provides packetization similar to that done with IP.
Choosing VoATM
VoATM is an ideal transport for multiservice networks, particularly for customers
who already have an ATM network installed. ATM handles voice, video, and data equally well.
One attractive aspect of ATM is its ability to support different QoS features as appropriate for various applications.
The ATM Forum has defined a number of QoS types, including:
Constant bit rate (CBR)—An ATM service type for nonvarying, continuous streams of bits or cell payloads. Applications, such as voice circuits, generate CBR traffic patterns. The ATM network guarantees to meet the transmitter's bandwidth and other QoS requirements. Many voice and circuit emulation applications can use CBR.
Variable bit rate (VBR)—An ATM service type for information flows with irregular but fully characterized traffic patterns. VBR is divided into real-time VBR and non-real-time VBR, in which the ATM network guarantees to meet the bandwidth and other QoS requirements. Many applications, particularly compressed video, can use VBR service. In real networks it is fairly common that a VBR flow never reaches its ceiling value.
Unspecified bit rate (UBR)—An ATM service type that provides "best effort" delivery of transmitted data. It is similar to the datagram service available from today's internetworks. Many data applications can use UBR service.
Available bit rate (ABR)—An ATM service type that provides "best effort" delivery of transmitted data. ABR differs from other "best effort" service types, such as UBR, because it employs feedback to notify users to reduce their transmission rate to alleviate congestion. Hence, ABR offers a qualitative guarantee to minimize undesirable cell loss. Many data applications can use ABR service.
How Packet Technologies Stack Up for Voice
Because Frame Relay technology was originally designed and optimized as a data solution, you could dedicate a public or private Frame Relay network to data and pay
separate dialup or Virtual Private Network (VPN) rates for intracompany phone calls. Provided you can afford the different types of equipment, services, and staff resources
required to manage both networks, this choice assures you of the highest quality for each type of traffic today. This option is most likely desirable for sites that are very data-heavy.
Another option is to achieve some level of integration by using one piece of circuit-switching equipment, such as a time-division multiplexer (TDM), to connect both the
PBX and LAN server to a wide-area network. Customers gain economies by running all WAN traffic over a single service (rather than receiving multiple WAN bills) and
avoiding paying phone company rates for intra-enterprise phone calls. The costly downside is that within the network, bandwidth is likely to be wasted,
because you are still reserving circuits for certain types of traffic, and those circuits sit idle when nothing travels across them.
Applications
Now let's put it all together. How does it actually work? Let's look at the voice applications on an integrated voice/data network that replace traditional telephony.
Applications for Integrated Voice and Data Networks
Integrated voice and data networks support a variety of applications, all of which are designed to replace leased lines and lower costs. Each of the applications listed below is discussed on the following pages.
- Inter-office calling
- Toll bypass
- On-net to off-net call rerouting
- PLAR replacement
- Tie trunk replacement
On-Net Call, Intra-Office
A voice-capable router can function as a local phone system for intra-office calls. In the example, a user dials a phone extension, which is located in the same office. The voice-capable router routes the call to the appropriate destination.
Toll Bypass—On-Net Call, Inter-Office
A voice-capable router can function as a phone system for inter-office calls to route calls within an enterprise network.
In the example, a user dials a phone extension, which is located in another office location. Notice that the extension number begins with a different leading number
than the on-net, intra-office call. The voice-capable router routes the call to another voice-capable router over an ATM, Frame Relay, or HDLC network. The receiving router then routes the call to the PBX, which routes the call to the appropriate phone
extension.
This solution eliminates the need for tie trunks between office locations, or eliminates long-distance toll charges between locations.
Toll Bypass—On-Net to Off-Net Dialing
A voice-capable router can provide off-net dialing to a location outside the local office,
through the PSTN. In the example, a user dials 9 to indicate an outbound call, then dials the remaining 7-digit number (this is a local phone call). The voice-capable router routes the call to
another voice-capable router over a Frame Relay or HDLC network. The receiving router recognizes that this is an outbound call and routes it to the company's PBX in
New York. Finally, the PBX routes the call to the PSTN and the call is routed to the appropriate destination. This solution places the call on-net as far as possible, allowing a local PBX to place a
local call. This saves significantly on toll charges.
On-Net to Off-Net Call Rerouting
1. Call attempted on-net
2. Remote system rejects call
3. Call rerouted off-net
At times, on-net resources within an enterprise may be busy. However, telephone calls must still be routed. Using a voice-capable router that deploys Ear and Mouth
(E&M) signaling, a router can route calls to a PBX, and ultimately to the PSTN over a Frame Relay or HDLC network.
Keep in mind that a PBX cannot reroute a call after a line is "seized." Therefore, a voice-capable router can seize an off-net trunk and route a call. This solution
guarantees that a phone call is placed, regardless of the load on the network.
PLAR—Automatically Dials Extension
A voice-capable router can replace a Private Line, Automatic Ringdown (PLAR) service from a telephone service provider.
In the example, a user takes the phone off-hook, causing another telephone extension to ring. The voice-capable router recognizes that the phone is off-hook, and
routes the call over an ATM, Frame Relay, or HDLC network to the remote router. The remote router then routes the call to the PBX, which rings the appropriate extension. This solution eliminates the need for dedicated PLAR lines.
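The dial-plan behaviour described in the application pages above (intra-office and inter-office extensions, 9 plus a seven-digit off-net number, rerouting off-net when the remote system rejects the call, and PLAR), as an added Python model that is not a Cisco voice configuration; the digit patterns, site names and peer states are constructed.

```python
"""Dial-plan model for a voice-capable router (added example).

Constructed office: local extensions 2xxx, the other office's extensions 3xxx
reached over the WAN, and 9 + seven digits for an off-net call that stays on-net
as far as possible before the far-end PBX places it on the PSTN. Going off-hook
with no digits is PLAR. When the remote router rejects an on-net call the router
seizes the local PBX's PSTN trunk instead, so the call is always placed.
"""
import re

DIAL_PLAN = [
    # (digit pattern, call type, next hop)
    (r"^2\d{3}$", "intra-office", "pbx-vancouver"),   # local extension
    (r"^3\d{3}$", "inter-office", "router-toronto"),  # remote extension (tie trunk replacement)
    (r"^9\d{7}$", "off-net",      "router-newyork"),  # 9 + local New York number
]
PLAR_EXTENSION = "3001"            # rings automatically when the PLAR phone goes off-hook
LOCAL_PSTN_TRUNK = "pbx-vancouver"  # fallback path when the WAN path is rejected


def classify(digits):
    """Match the dialed digits against the dial plan; None if nothing matches."""
    for pattern, call_type, next_hop in DIAL_PLAN:
        if re.match(pattern, digits):
            return call_type, next_hop
    return None


class VoiceRouter:
    def __init__(self, peer_accepts):
        # constructed: whether each remote router currently accepts an on-net call
        self.peer_accepts = peer_accepts

    def route(self, digits):
        """Return (outcome, path): the hops the call takes, in order."""
        if digits == "":                      # PLAR: off-hook, no digits dialed
            return self.route(PLAR_EXTENSION)
        match = classify(digits)
        if match is None:
            return ("rejected", [])
        call_type, next_hop = match
        if call_type == "intra-office":
            return ("on-net local", [next_hop])
        if not self.peer_accepts.get(next_hop, False):
            # remote system rejects the call: reroute off-net via the local PSTN trunk
            return ("rerouted off-net", [LOCAL_PSTN_TRUNK, "pstn"])
        if call_type == "inter-office":
            return ("on-net toll bypass", [next_hop, "pbx-toronto"])
        # off-net: carried on-net to New York, whose PBX places the local PSTN call
        return ("on-net to off-net", [next_hop, "pbx-newyork", "pstn"])


if __name__ == "__main__":
    router = VoiceRouter({"router-toronto": True, "router-newyork": False})
    for dialed in ["2345", "3412", "95551234", "", "12345"]:
        print(repr(dialed), "->", router.route(dialed))
```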
Tie Trunk Replacement PBX to PBX
Voice-capable routers on a WAN can replace tie trunks between remote locations, thereby saving the cost of tie trunks. In essence, the voice-capable router on either
side of the ATM, Frame Relay, or HDLC WAN connection is configured as a tie trunk. The router then routes incoming and outgoing calls through the PBX.
The next slides graphically illustrate the migration from traditional circuit-switched voice networking to the new packet-switched integrated data/voice/video networking. Here you see two offices… one in Vancouver and one in Toronto. Each has a PBX to
handle the office but all calls inter-office go through the PSTN.
By adding voice-capable routers to the existing data network, connecting them to the existing PBXs, the company can first do toll bypass. This represents bandwidth no
longer needed for voice traffic that is now going through the routers.
The PBX tie line also goes away now that its function has been replaced by a path between the voice-capable routers.
You can see here the end result. A much simplified network and considerable cost
savings.
- Summary -
As we have seen today, companies are interested in data/voice/video integration for very basic business reasons:
Reduce costs: Phone toll charges; cost of multiple management methods and multiple types of expertise required to support multiple types of networks; capital expenditures on multiple networks
Enable the new applications needed for business growth: Multimedia (data/voice/video) applications require technologies based on multimedia standards
Simplify network design: Through strategic convergence of data, voice, and video networks
And decision-makers have come to the conclusion that recent technical advancements have brought the benefits of voice/data integration within reach, such
as: H.323 standards; gateways; voice-compression, silence-suppression, and quality-of-service technologies.
Customers want networks that keep up with new technologies, yet they are still performing ad hoc device management on evolving networks and technologies, and struggling with the transition to proactive, business-oriented service-level management.
Network Management Process
The following figure gives a clear view of how the management process should be carried out.
There are three stages that matter most when conducting network management:
Plan / Design:
- Build history
- Baseline
- Trend analysis
- Capacity planning
- Procurement
- Topology design
Implement / Deploy:
- Installation and configuration
- Address management
- Adds, moves, changes
- Security
- Accounting/billing
- Assets/inventory
- User management
- Data management
Operate / Maintain:
- Define thresholds
- Monitor exceptions
- Notify
- Correlate
- Isolate problems
- Troubleshoot
- Bypass/resolve
- Validate and report
Network Management Basics
Let's take a close look at the basics of network management.
Network Management Architecture
In a network management system, the management system manages the agents with the help of a network management protocol, and stores what it learns from them in a management database, as the figure shows.
Network Management Building Blocks
The following are the management building blocks of a network management system.
Simple Network Management Protocol (SNMP)
SNMP is one of the management building blocks. It is used to provide status messages and problem reports across a network to the management system. SNMP uses the User Datagram Protocol (UDP) as its transport mechanism. It employs different terms from TCP/IP, working with managers and agents instead of clients and servers. An agent usually provides information about a device; the manager communicates across the network with the agents.
Two versions of SNMP are:
SNMP V2
- Addressed performance issues
SNMP V3
- Multilingual implementations (coexistence of versions)
- Enhanced security
SNMP Message Types
SNMP messages are the requests and responses between the manager and the agent. When the agent receives a request from the manager for a MIB variable, the agent returns a response carrying that variable. The agent also sends a trap for unsolicited alarm conditions.
Management Information Base (MIB)
MIB is a database of objects for a specific device within the network agent.
Types of MIBs:
MIB I
- 114 standard objects
- Objects included are considered essential for either fault or configuration management
MIB II
- Extends MIB I
- 185 objects defined
Other standard MIBs
- RMON, host, router, ...
Proprietary MIBs
- Extensions to standard MIBs
Sample MIB Variables
Network Management System (NMS)
The NMS plays the important role in the management system: it polls agents on the network, receives traps, gathers and displays information about the status of the network, and is the platform for integration.
Example: HP OpenView
Campus Agent Technologies
This is a technology that falls under the NMS to manage the agents; it provides customers with industry standards such as:
SNMP: Device gets and sets
RMON, RMON2: Traffic monitoring
ILMI: ATM discovery
together with the related Cisco extensions:
CDP: Adjacent neighbor discovery
ISL: VLAN trunking
DISL: Error-free ISL enablement
VTP: Automated VLAN setup
VQP: Dynamic station ID
Management Traffic Overhead
If an NMS runs into a problem with management traffic overhead, there is a reason for it. To reduce the overhead, the NMS should set the polling intervals for the agents wisely, and bandwidth consumption on lower-speed links should be kept lower than before.
Example:
- 1 manager, multiple managed devices
- 64-Kb access link
- 1 request = 1-KB packet (avg.)
- 1 poll = getreq + getresp = 2 KB
- Assume 1 object polled/managed device
Remote MONitoring (RMON)
RMON, or the Remote MONitoring MIB, was designed to manage the network itself. MIB I/II could be used to check each machine's network performance, but this would lead to large amounts of bandwidth for management traffic. Using RMON you see the wire view of the network and not just a single host's view. RMON has the capability to set performance thresholds and only report if the threshold is breached, again helping to reduce management traffic (effectively distributing the network management smarts!).
RMON agents can reside in routers, switches, and dedicated boxes. The agents will gather up to 19 groups of statistics. The agents then forward this information upon request from a client.
Because RMON agents must look at every frame on the network, performance is a must. Early RMON agents' performance could be classified based on processing power and memory.
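The management traffic overhead example and RMON's threshold-based reporting, worked through in an added Python example that is not part of the original notes; the alarm uses the rising/falling threshold hysteresis of the RMON alarm group (RFC 2819), and the sample values, device count and polling interval are constructed.

```python
"""RMON-style threshold alarms versus periodic polling (added example).

poll_load_percent() works the notes' overhead example (one manager, 64 kb/s
access link, one poll = get-request + get-response = 2 KB). RmonAlarm models
one RMON alarm-table entry: after a rising event, no further rising event is
reported until the value has dropped to the falling threshold, so a noisy
variable hovering around the threshold does not flood the manager.
"""


def poll_load_percent(devices, objects_per_device, interval_s,
                      link_kbps=64, poll_kb=2):
    """Share of the access link consumed by polling (kb/s = kilobits, KB = kilobytes)."""
    kbytes_per_interval = devices * objects_per_device * poll_kb
    kbits_per_second = kbytes_per_interval * 8 / interval_s
    return kbits_per_second / link_kbps * 100


class RmonAlarm:
    """One alarm entry: absolute or delta sampling with rising and falling thresholds."""

    def __init__(self, rising, falling, delta=False):
        self.rising, self.falling, self.delta = rising, falling, delta
        self.last_sample = None
        self.last_event = None   # "rising" or "falling": suppresses repeat events

    def sample(self, value):
        """Feed one sample; return "rising", "falling" or None (nothing to report)."""
        if self.delta:
            if self.last_sample is None:        # a delta needs two samples
                self.last_sample = value
                return None
            observed, self.last_sample = value - self.last_sample, value
        else:
            observed = value
        if observed >= self.rising and self.last_event != "rising":
            self.last_event = "rising"
            return "rising"
        if observed <= self.falling and self.last_event != "falling":
            self.last_event = "falling"
            return "falling"
        return None


def run_alarm(alarm, samples):
    """Return [(sample index, event)] for the events the agent would report."""
    events = []
    for index, value in enumerate(samples):
        event = alarm.sample(value)
        if event:
            events.append((index, event))
    return events


# constructed: link utilisation (percent) of one interface, sampled every 30 s
UTILISATION = [40, 50, 85, 90, 95, 60, 40, 20, 88, 92]
# constructed: an error counter sampled every 30 s, watched with a delta alarm
ERROR_COUNTER = [1000, 1500, 2600, 2700]

if __name__ == "__main__":
    print("polling 50 devices every 30 s uses %.1f%% of a 64 kb/s link"
          % poll_load_percent(50, 1, 30))
    print("utilisation events:",
          run_alarm(RmonAlarm(rising=80, falling=30), UTILISATION))
    print("error-rate events:",
          run_alarm(RmonAlarm(rising=1000, falling=200, delta=True), ERROR_COUNTER))
```

Ten utilisation samples produce three reports instead of ten polls, and the 90 and 95 percent samples that follow the first breach are not reported again.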
Network Monitoring with RMON
Cisco Discovery Protocol (CDP)
CDP provides automatic network discovery. The activities of CDP are as follows:
- CDP agent polls neighbor devices
- Physical interface, IP address, chassis type exchanged
- Each device maintains a "CDP" cache table
- Tables are read by management application
- Applicable across frame networks
- ILMI for ATM networks
Inter-Switch Link (ISL)
ISL maintains switch-to-switch performance. The activities of ISL are as follows:
- Establishes membership through ASICs
- Eliminates lookups and tables
- Labels each packet as received (i.e., "packet tagging")
- Transports multiple VLANs across links
- Maps effectively across mixed backbones
- Protocol, end-station independent
Virtual Trunking Protocol (VTP)
Activities of VTP:
- Assigns virtual interfaces across the backbone
- Maintains and manages a global mapping table
- Based on Layer 2 periodic advertisements
- Reduces setup time and improves reliability
- VTP pruning enhances VLAN efficiency
Management Intranet Basics
Traditional Management Model Can’t Keep Pace
Here are the reasons why the traditional management model cannot keep pace:
- Focused point products
- Hierarchical platforms
- Minimal integration
- Proprietary solutions and APIs
- Product conflicts—What works with what?
New Model of Integration—Management Intranet
Multiple Web-accessible management tools can be hyperlinked, and management information shared easily with the DMTF's Common Information Model (CIM)
standard. Cisco's approach to Web-based enterprise management goes beyond mere browser access to embrace the total rearchitecting and reengineering of its
management products as true network-based applications. It also includes leadership in creation and adoption of standards such as CIM for multivendor management data integration. Cisco is aggressively applying Internet technologies
and standards to create comprehensive enterprise management that easily integrates with leading third-party tools and enterprise system and service management
frameworks through the Cisco Management Connection.
CIM Data Exchange
For the Web model to deliver substantial value for the management software
industry, however, the vendors must agree on content standards for sharing of management information. Such a set of Web-oriented standards for exchanging basic management information is being defined under the Web-Based Enterprise
Management (WBEM) initiative, spearheaded by vendors such as Cisco, HP, Intel, Compaq, BMC, Microsoft, IBM/Tivoli and others. The Desktop Management Task
Force (DMTF) is now leading the effort to standardize the technologies of WBEM. The first of these, CIM, provides an extensible data model of the enterprise computing environment. Recent work by the DMTF makes the CIM model the basis for Web-based integration using XML (see sidebar on Web-Based Enterprise Management Standards for details).
Under the emerging Web-based management architecture, separate tools and
management applications can be integrated via a common browser interface that supports hyperlinking and the exchange of management data via CIM. Leading vendors, including Microsoft, Computer Associates, IBM/Tivoli, and Cisco have
announced or released products that implement the early versions of CIM standards. Already, Cisco and IBM/Tivoli have demonstrated use of CIM for two-way device data exchange between their management software packages. In addition to CIM-based
data exchange, tools can be hyperlinked to provide easy shifting within the browser from tool to tool as an operator executes a task such as isolating and solving a
problem. In this way, the most basic launch-level integration, popular for many years in existing management platforms, becomes available with minimal effort for practically any tool. Cisco is exploiting this technique to link its growing body of
management tools and distributed management data collection infrastructure with third-party ISV packages. It already has available Web-linking to more than 30
leading third-party applications and is making it easy for its customers to create a "management intranet".
Role of Directories
- Single-user identity
- User profiles, applications, and network services
- Integrated policies
- Common information model
Directory Enabled Networks (DEN) Standards
The future of Directory Enabled Networks is to extend the directory throughout the elements of the network. We can then provide a unified view of all the network resources at our disposal. From a user perspective, you will not need to be authenticated on half a dozen different devices just to get your job done.
Policy Management Basics
Need for Policy
Policy management is one of the most important areas of network management.
Aligning Network Resources with Business Objectives
- Application-aware network
- Intelligent network services
- Network-wide service policy
- Control by application and user
What Is a Network Policy?
A network policy is a set of high-level business directives that control the deployment of network services (e.g., security and QoS). Policies are created on the basis of, and expressed in terms of, established business practices.
Example: Allow all members of the Engineering department access to corporate resources using Telnet, FTP, HTTP, and e-mail, 24 x 7.
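Added example, not from the lesson: the directive above written as data and evaluated by a small default-deny policy engine, so that only what a directive explicitly permits gets through. The group names, the service-to-port mapping (with e-mail read as SMTP, POP3 and IMAP), the contrasting contractor policy and the sample requests are constructed for the illustration.

```python
"""The lesson's example network policy evaluated as a default-deny rule set.

Policy: "Allow all members of the Engineering department access to
corporate resources using Telnet, FTP, HTTP, and e-mail, 24 x 7."
The group names, the service-to-port mapping, the second (contrasting)
policy and the sample requests are constructed for this illustration.
"""
from dataclasses import dataclass

# Services named in policies, mapped to the (protocol, port) pairs that
# carry them.  "e-mail" is read as SMTP plus POP3/IMAP retrieval (an
# assumption; the lesson names only "e-mail").  Telnet and FTP send
# credentials in cleartext, one reason to keep their use tied to policy.
SERVICE_PORTS = {
    "telnet": frozenset({("tcp", 23)}),
    "ftp": frozenset({("tcp", 21)}),
    "http": frozenset({("tcp", 80)}),
    "e-mail": frozenset({("tcp", 25), ("tcp", 110), ("tcp", 143)}),
}

ALL_DAYS = frozenset(range(7))  # 0 = Monday ... 6 = Sunday


@dataclass(frozen=True)
class Policy:
    """One high-level directive: who may use which services, and when."""
    name: str
    group: str                   # department or role the directive applies to
    services: frozenset          # keys of SERVICE_PORTS
    hours: tuple = (0, 24)       # allowed window [start, end) in local hours
    days: frozenset = ALL_DAYS   # (0, 24) with ALL_DAYS means 24 x 7

    def permits(self, protocol, port, weekday, hour):
        """True if this directive covers the service at the given time."""
        if weekday not in self.days or not self.hours[0] <= hour < self.hours[1]:
            return False
        return any((protocol, port) in SERVICE_PORTS[s] for s in self.services)


@dataclass(frozen=True)
class Request:
    """A connection attempt as seen by the enforcement point."""
    user: str
    groups: frozenset   # directory groups the user belongs to
    protocol: str
    port: int
    weekday: int
    hour: int


def evaluate(policies, req):
    """Return ("allow", policy_name) or ("deny", reason).

    Only an explicit directive can allow traffic; everything else falls
    through to the default deny.
    """
    for pol in policies:
        if pol.group in req.groups and pol.permits(req.protocol, req.port, req.weekday, req.hour):
            return ("allow", pol.name)
    return ("deny", "no matching policy (default deny)")


# The lesson's directive, plus a constructed tighter one for contrast.
POLICIES = (
    Policy("engineering-corporate-access", "engineering",
           frozenset({"telnet", "ftp", "http", "e-mail"})),            # 24 x 7
    Policy("contractor-web-business-hours", "contractors",
           frozenset({"http"}), hours=(8, 18), days=frozenset(range(5))),
)


def decide(user, groups, protocol, port, weekday, hour, policies=POLICIES):
    """Build a Request from plain values and evaluate it."""
    return evaluate(policies, Request(user, frozenset(groups), protocol, port, weekday, hour))


if __name__ == "__main__":
    # Engineer using Telnet at 03:00 on a Sunday: allowed, the directive is 24 x 7.
    print(decide("alice", ["engineering"], "tcp", 23, 6, 3))
    # Engineer using SSH: not one of the four named services, so denied.
    print(decide("alice", ["engineering"], "tcp", 22, 6, 3))
    # Contractor browsing at 10:00 on a Tuesday: allowed ...
    print(decide("bob", ["contractors"], "tcp", 80, 1, 10))
    # ... but the same request on a Saturday falls outside the window.
    print(decide("bob", ["contractors"], "tcp", 80, 5, 10))
```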
Role of QoS
Quality of service should be used wherever applications share network resources. There are two broad application areas where QoS technologies are needed:
- Mission-critical applications need QoS to ensure delivery and that their traffic is not impacted by misbehaving applications using the network.
- Real-time applications such as multimedia and voice need QoS to guarantee bandwidth and minimize jitter.
This ensures the stability and reliability of existing applications when new applications are added.
Voice and data convergence is the first compelling application requiring delay-sensitive traffic handling on the data network. The move to save costs and add new features by converging the voice and data networks--using voice over IP, VoFR, or VoATM--has a number of implications for network management:
- Users will expect the combined voice and data network to be as reliable as the voice network: 99.999% availability
- To even approach such a level of reliability requires a sophisticated management capability; policies come into play again
Cisco's unique service is the ability to offer products that let network managers prioritize applications in today's evolving networks. Let's take a look at QoS in more detail.
What Is Quality of Service (QoS)?
The ability of the network to provide better or "special" service to users/applications.
Where Is QoS Important?
QoS is needed in both the LAN and the WAN, wherever applications share resources.
QoS Building Blocks
The following are the important building blocks of QoS:
- Classification
- Policing
- Shaping
- Congestion avoidance
QoS and Network/Policy Management
Here we look at QoS in the context of network and policy management.
Role of Security
Enterprises are more aware of security issues than ever before, with business
globalization, growing numbers of remote users, and especially the press buzz about the Internet and VPNs forcing security to their attention. Security needs to be tied to policies, so that it can be applied consistently, without leaving hidden holes subject
to hacker penetration.
Following are the activities:
- Authentication and authorization: employees, partners, customers
- Firewalls: protect corporate resources; enable safe Internet use
- Encryption: ensure data confidentiality; secure virtual private networks
- SUMMARY -
- SNMP, MIBs, RMON, and network management systems are the building blocks of network management tools
- The management intranet promises greater integration and easier-to-use tools
- Policy-based management will allow enterprises to align network resources with business objectives
Lesson 15: The Internet
In this lesson, we're going to discuss the Internet. We'll cover how the Internet has created a new business model that's changing how companies do business today. We'll look at intranets, extranets, and e-commerce. Finally, we'll look at the technology implications of the new Internet applications such as the need for higher bandwidth technologies and security.
The Agenda
- What Is the Internet?
- The New Business Model
- Intranets
- Extranets
- E-Commerce
- Technology Implications of Internet Applications
The Internet: A Network of Networks
What is the Internet? The Internet is the following:
- A flock of independent networks flying in loose formation, owned by no one and connecting an unknown number of users
- A grass-roots cultural phenomenon started 30 years ago by a group of graduate students in tie-dyed shirts and ponytails
- Ma Bell's good old telephone networks dressed up for the 1990s
- A new way to transmit information that is faster and cheaper than a phone call, fax, or the post office
Some Internet facts:
- The number of hosts (or computers) connected to the Internet has grown from a handful in 1989 to hundreds of millions today.
- The MIT Media Lab says that the size of the World Wide Web is doubling every 50 days, and that a new home page is created every 4 seconds.
Internet Hierarchy
The Internet has three components: information, wires, and people.
- The "wires" are arranged in a loose hierarchy, with the fastest wires located in the middle of the cloud on one of the Internet's many "backbones."
- Regional networks connect to the Internet backbone at one of several Network Access Points (NAPs), including MAE-EAST, in Herndon, Virginia; and MAE-WEST, in Palo Alto, California.
- Internet service providers (ISPs) administer or connect to the regional networks, and serve customers from one or more points of presence (POPs).
- Dynamic adaptive routing allows Internet traffic to be automatically rerouted around circuit failures.
- Dataquest estimates that up to 88 percent of all traffic on the Internet touches a Cisco router at some point.
The New Business Model
The Internet Is Changing the Way Everyone Does Business
From simple electronic mail to extensive intranets that include online ordering and extranet services, the Internet is changing the way everyone does business. Small
and medium-sized companies seeking to remain competitive into the next century must leverage the Internet as a business asset.
The Internet is forcing companies to adopt technology faster. You'll discover several themes that are driving the new Internet economy, as follows.
Compression—Everything happens faster: business cycles are shorter, and time and distances are less relevant to your customers.
Time—Some companies have reported a 92 percent reduction in processing time when an item is ordered via an online system.
Distance—Using networked commerce, BankAmerica has widened its customer base so that now 30 percent of customers are outside the traditional geographic reach.
Business cycles—Adaptec, a manufacturing firm in California, used networked commerce to reduce their manufacturing cycle from 12 to 8 weeks, slashing their inventory costs by $10 million a year.
Market turbulence—Customers suddenly have more choices. They can shop farther afield in search of good values. You have to compete even harder to retain customers.
Networked business—Many deem that networked commerce applications will "make or break" companies in the next century. The ability to solicit and sustain business relationships with customers, employees, partners, and suppliers using networked commerce applications is critical to success.
Rapid transformation—Building relationships, business processes, and operating models that can quickly adjust to accommodate shifting market forces is essential. This requires an infrastructure that provides the ability to change rapidly.
Forces Driving Change
Shorter product life cycles are required to stay competitive.
Industry and geographical borders are changing rapidly:
- Companies today must be able to swiftly "go to market" in new and expanded locations.
- Moreover, the rigid border or boundaries of manufacturers are changing: manufacturers are becoming retailers and distributors.
The need to "do more with less" is essential to accommodate narrowing margins, intensifying competition, and industry convergence. The network must raise the
productivity of the workforce.
Traditional Business Model Versus New Business Model
The Internet is transforming the way companies can use information and information systems. Historically, businesses have "protected" company information and allowed limited sharing of systems.
Creating these "silos" of information has meant that each "link" of the "extended" traditional business has lacked access to relevant information to make profit-maximizing decisions. That means your employees, suppliers, customers, and partners were kept from information, not always by intention, but because limited access created barriers to sharing it. The result was:
- Closely held knowledge base
- Limited access to relevant and timely information
- Costly duplication of effort
- Limited transaction hours to conduct business
The Internet and networked applications have changed all that. They allow all companies, no matter the size, to break the information barriers—to "let loose the power of information."
Now we are experiencing a transition to a new business paradigm. In order to compete effectively in this rapidly expanding Internet economy, we must reshape our business practices.
Companies today are now:
- Sharing knowledge with suppliers and partners
- Ensuring that relevant and timely information is available to all employees
- Removing redundancies
- Conducting business 24 hours a day, 7 days a week (24x7)
Accelerating this shift is the explosive growth and rapid adoption of Internet usage.
Today’s Internet Business Solutions
Let's take a look at some of the Internet business solutions that companies are driven to implement in order to improve their productivity and stay competitive. These include:
- Intranets
- Extranets
- E-commerce
Intranets
What Is an Intranet?
An intranet is an internal network based on Internet and World Wide Web technology that delivers immediate, up-to-date information and services to networked employees
anytime, anywhere.
Whether providing capabilities to download the latest sales presentation, arrange travel, or report a defective disk drive to the technical assistance center, an intranet
offers a common, platform-independent interface that is consistent, easy to implement, and easy to use.
Initially, organizations used intranets almost exclusively as publishing platforms for delivering up-to-the-minute information to employees worldwide. Increasingly,
however, organizations are broadening the scope of their intranets to encompass interactive services that streamline business processes and reduce the time employees spend on routine, paper-based tasks.
Intranet applications are platform-independent, so they are less costly to deploy than
traditional client/server applications, and they bear no installation and upgrade costs since employees access them from the network using a standard Web browser. Finally, and perhaps most important, intranets enhance employees' productivity by
equipping them with powerful, consistent tools.
Typical Intranet Applications
Most companies can benefit from an intranet. Here are some sample applications:
Employee self-service—Employee self-service provides your employees with the ability to access information at any time from anywhere they want. It enables employees to independently access vital company information. Employee self-service allows companies to save on labor costs as well as increase employee productivity and communication. We'll look at this in more detail.
Distance learning—Employee training becomes more accessible through distance learning over the data network, which can draw employees from many sites into a single virtual classroom, saving them travel time and keeping them more productive.
Technical support—Companies with limited IS staff can deploy an intranet server to answer frequently asked technical questions, house software that users can download, and provide documentation on a variety of subjects. Users gain instant access to key technical assistance, while IS staff can concentrate on other matters.
Videoconferencing—A proven way to bring team members together without calling for travel, videoconferencing is now possible over a data network, bypassing the need for an expensive parallel network. Intranets can make videoconferences easier to set up and use.
Example: Employee Self-Service
These are some of the employee self-service applications.
Let's take a look at one in detail. By posting HR benefits information on an intranet, employees can look up routine information without taking up the time of a benefits administrator, thus reducing total headcount requirements. By giving employees the ability to look this information up anytime they wish, they are not confined to making their inquiries during regular business hours. And, they don't have to wait on hold
while another employee is being assisted, resulting in saved time. In addition, by posting general benefits information on the internal Web site, HR is
able to spend their time in more productive, strategic ways that ultimately benefit the company, as well as reduce the costs of having an administrator available on the
phone all day. Another example is corporate travel. Many employees travel frequently. New intranet
applications that store an employee's travel preferences can make it easy for employees to request or even book travel arrangements at any time of the day or night, enabling companies to provide this vital service at a lower cost.
As you can see, intranet applications are a win/win for both employees and the company.
Benefits of Intranets
Intranets are rapidly gaining wide acceptance because they make network applications much easier to access and use. Intranets enable self-service.
Intranets allow you to:
- Improve design productivity and compress time-to-market, for example, by providing engineers with immediate access to online parts information and requisitions.
- Increase productivity through greater employee collaboration.
- Share or access vital information at any time, from any location. For example, you can extend intranets around the world, for instance, to sales offices in London and Tokyo. Now sales teams or manufacturing plants in Asia can quickly access information on servers at the central office in the United States—and it's easier to use.
- Minimize downtime and cut maintenance costs by providing work teams with complete electronic work packages.
- Lower administrative costs by automating common tasks, such as forms and benefit paperwork.
Extranets
What Is an Extranet?
An extranet allows you to extend your company intranet to your supply chain.
Extranets are an extension of the company network—a collaborative Internet connection to customers and trading partners designed to provide access to specific company information, and facilitate closer working relationships.
The way you extend your company network to your extranet partners can vary. For instance, you can use a private network for real-time communication. Or you can
leverage virtual private networks (VPNs) over the Internet for cost savings. You can also use a combination of both. However, it's important to realize that each solution has different benefits and security solutions.
A typical extranet solution requires a router at each end, a firewall, authentication software, a server, and a dedicated WAN line or VPN over the Internet.
Typical Extranet Applications
- Supply-chain management
- Customer communications
- Distributor promotions
- Online continuing education/training
- Customer service
- Order status inquiry
- Inventory inquiry
- Account status inquiry
- Warranty registration
- Claims
- Online discussion forums
Extranet applications are as varied as intranet applications. Some examples are listed above. Extranets are advantageous anywhere that day-to-day operations processes that are being done by hand can be automated. Companies can save time
and money in development, production, order processing, and distribution. Improving productivity increases customer satisfaction, which drives business
growth.
Example: Supply Chain Management
The traditional business fulfillment model is linear, with communication flowing from supplier to manufacturers in a step-by-step process. Communication does not flow down the supply chain, resulting in inefficiencies and time-consuming processes.
Effectively managing the supply chain is more critical now than ever. Customers today are looking for a total solution—they want ease of purchase and implementation, they want customized products, and they want them yesterday.
Today, in order to better service and retain customers, companies realize that they
need to improve their business processes in order to deliver products to customers in reduced time. One effective way to do this is to improve the system processes that make up the overall supply chain.
With an extranet, companies can:
- Enable suppliers to see real-time market demand and inventory levels, thus providing them with the necessary information to alter their production mix accordingly.
- Give suppliers access to customer order information, so they can fulfill those orders directly without having to route product through you.
- Using the network, demand forecasts can be updated in real time, and manufacturing line statuses and product fulfillment can be queried by any member of the supply chain.
- Use the network to hold online meetings where product design teams work together with suppliers to discuss prototype development, resulting in reduced cycle times.
Benefits of Extranets
What are the benefits of using extranets? You can decrease inventories and cycle times, while improving on-time delivery.
You can increase customer satisfaction and, at the same time, more effectively manage the supply chain.
You can improve sales channel performance by providing dealers and distributors with product and promotional information online, while it's hot. You can reduce costs by automating everyday processes.
You can improve customer satisfaction by streamlining processes and improving productivity.
E-Commerce
E-Commerce Market Growing Rapidly
When we think of e-commerce, most of us think of business-to-consumer e-commerce, for example, Amazon.com. However, the revenues that business-to-consumer companies are realizing are just the tip of the iceberg. The bulk of business on the Internet is actually business-to-business e-commerce which, as you can see by this chart, is skyrocketing.
In the last two years alone, the amount of business conducted over the Internet has gone from $1 billion to $30 billion, with an 80 to 20 business-to-business and
business-to-consumer mix. The projections for the next two years and beyond are even more dramatic. Internet commerce will likely reach from $350 to $400 billion in 2002. Some estimates are even more aggressive and place the size of Internet
commerce by 2002 at almost a trillion dollars.
And, most of us generally think that only big businesses are conducting e-commerce.
In fact, over 97 percent of businesses conducting electronic commerce are companies with 499 employees or less, and 71 percent of those companies have less than 49
employees. As you can see, e-business has become a critical component of many businesses.
Typical E-Commerce Applications
Now let‘s take a look at what you can do with e-commerce.
A few examples of e-commerce are:
- Online catalog
- Order entry
- Configuration
- Pricing
- Order verification
- Credit authorization
- Invoicing
- Payment and receivables
For example, by allowing customers to do their own online ordering, long-distance
phone and fax service can be reduced. In addition, fewer people are required to take customer orders and do timely order entry. Finally, online electronic order forms eliminate data entry and shipment errors.
Benefits of E-Commerce
E-commerce can expand and improve business. When we think of e-commerce, we
immediately think of selling online. We quickly realize the benefits of increasing revenue by supplying customers and prospects with valuable information at any time
and providing them the opportunity to purchase online. We also recognize how online ordering can cut costs significantly by reducing the
staff needed to man an 800 number or physically write up orders.
Additionally, we understand that the Internet allows companies to extend their reach and sell into new markets without incurring global headcount costs.
What most of us don't realize is that these are only a few of the benefits of e-commerce.
Let's take a look at the following two more compelling benefits:
- You can manage your inventory levels better. For example, an automobile manufacturer has its suppliers linked via the Web for online ordering. A supplier can place an order directly and can see immediately if the part is in stock or will
need to be back ordered.
- By putting valuable information on your Web site, customers can get answers quickly to most of their questions at any time of the day, from any location.
Customer satisfaction soars when customers can get critical information at any time, from any location. It allows them to do business when they want to, not during the traditional 8 to 5 business day.
Technology Implications of Internet Applications
There are real technology implications to these new Internet applications.
First is the need for increased bandwidth. The Internet, intranets, and extranets have totally reversed the 80/20 rule so that now 80% of the traffic is going over the backbone and only 20% is local. Everyone is clamoring for Fast Ethernet and even Gigabit Ethernet connections.
The need for security is obvious once a company is connected to the Internet. You
cannot read the paper without hearing about the latest hacking job. The Internet makes VPNs possible.
And finally, EDI to enable electronic commerce. We‘ll look at each of these briefly.
Applications Need Bandwidth
The type of connection necessary depends on the bandwidth required:
- Individual users connecting to the Internet for e-mail or casual Web browsing can usually get by using a simple modem.
- Power users or small offices should consider ISDN or Frame Relay.
- Larger offices or businesses that expect high levels of Internet traffic should look into Frame Relay or leased lines.
- New technologies like asymmetric digital subscriber line (ADSL) and high-data-rate digital subscriber line (HDSL) will make high-speed Internet access even more affordable in the future.
Internet Security Solutions
One of the most vulnerable points in a customer's network is its connection to the Internet. To secure the communication between a corporate headquarters and the Internet, a customer needs all the security tools at its disposal. These tools include firewalls, Network Address Translation (NAT), encryption, token cards, and others.
Virtual Private Network
Virtual Private Networks (VPNs) can bring the power of the Internet to the local enterprise network. Here is where the distinction between Internet and intranet starts to blur. By building a VPN, an enterprise can use the "public" Internet as its own "private" WAN.
Because it is generally much less expensive to connect to the Internet than it is to lease data circuits, a VPN may allow companies to connect remote offices or employees when they could not ordinarily justify the cost of a regular WAN connection. Some of the technologies that make VPNs possible are:
- Tunneling
- Encryption
- Resource Reservation Protocol (RSVP)
Electronic Data Interchange (EDI)
Electronic commerce can streamline regular business activities in new ways. Have any of you used a fax machine to send purchase orders to vendors?
A fax machine turns your PO into bits, transmits them across a network, and then
turns them back into atoms on the other end. The disadvantage is that the atoms on the other end can only be read by a human being, who probably has to retype the
data into another computer. EDI provides a way for many companies to reduce their operating costs by
eliminating the atoms and keeping the bits. What advantages does EDI provide your customer?
- Ensures accurate data transmission
- Provides fast customer response
- Enables automatic data transfer—no need to re-key
For example, RJR Nabisco reduced PO processing costs from $70 to 93 cents by replacing its paper-based system with EDI.
Public-key/private-key encryption is provided by the PGP program (Pretty Good Privacy). PGP creates a key pair: a public key and a private key. Anyone can encrypt a file with your public key, but only you, holding the private key, can decrypt it. An enterprise can therefore issue its public key to its customers; messages they encrypt with it can be decrypted only by the enterprise, using its private key.
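Added illustration, not the lesson's material and not PGP: textbook RSA over two small fixed primes, to make the public/private property concrete in code. The primes, the exponent and the sample purchase order are this example's own choices, and the scheme is for teaching only, not for protecting data.

```python
"""Public-key encryption as the lesson describes it for PGP: anyone can
encrypt with the recipient's public key; only the holder of the matching
private key can decrypt.

Added illustration, not PGP: textbook RSA with two fixed, far-too-small
primes, written only to make the asymmetry visible.  The primes, exponent
and sample message are this example's choices.  It is not safe for real
data: real systems use ~2048-bit primes, OAEP padding and a hybrid scheme.
"""

E = 65537  # customary public exponent

# Demo primes (well-known 30-bit primes).  Real keys use ~1024-bit primes.
P1, Q1 = 1_000_000_007, 998_244_353   # the enterprise's key pair
P2, Q2 = 1_000_000_009, 999_999_937   # some other party's key pair

# A plaintext block is one marker byte + up to 6 data bytes = 7 bytes, so
# its integer value is below 2**56, which is below n for both demo moduli.
DATA_BYTES = 6
MARKER = b"\x01"


def generate_keypair(p, q, e=E):
    """Return ((e, n), (d, n)): the public and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)     # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)


def encrypt(public_key, plaintext):
    """Encrypt with the recipient's PUBLIC key; anyone may do this."""
    e, n = public_key
    blocks = []
    for i in range(0, len(plaintext), DATA_BYTES):
        m = int.from_bytes(MARKER + plaintext[i:i + DATA_BYTES], "big")
        blocks.append(pow(m, e, n))
    return blocks


def decrypt(private_key, ciphertext):
    """Decrypt with the PRIVATE key; raises ValueError if it does not fit."""
    d, n = private_key
    out = bytearray()
    for c in ciphertext:
        # n < 2**60 for both demo moduli, so every residue fits in 8 bytes.
        block = pow(c, d, n).to_bytes(8, "big").lstrip(b"\x00")
        if not block.startswith(MARKER) or len(block) > 1 + DATA_BYTES:
            raise ValueError("decryption failed: wrong key or corrupted block")
        out += block[len(MARKER):]
    return bytes(out)


def try_decrypt(private_key, ciphertext):
    """Like decrypt(), but returns None instead of raising."""
    try:
        return decrypt(private_key, ciphertext)
    except ValueError:
        return None


def demo():
    """Round trip with the right key; failure with every other key."""
    enterprise_pub, enterprise_priv = generate_keypair(P1, Q1)
    other_pub, other_priv = generate_keypair(P2, Q2)
    message = b"PO 4471: 120 units to dock B"  # constructed sample order
    ciphertext = encrypt(enterprise_pub, message)  # customer needs only the public key
    return {
        "round_trip": decrypt(enterprise_priv, ciphertext) == message,
        "other_private_key": try_decrypt(other_priv, ciphertext),
        "public_key_as_private": try_decrypt(enterprise_pub, ciphertext),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```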
- SUMMARY -
The Internet has created the capability for almost ANY computer system to communicate with any other. With Internet business solutions, companies can redefine how they share relevant information with the key constituents in their
business—not just their internal functional groups, but also customers, partners, and suppliers.
This "ubiquitous connectivity" created by Internet business solutions creates tighter relationships across the company's "extended enterprise," and can be as much of a competitive advantage for the company as its core products and services. For example, by allowing customers and employees access to self-service tools, businesses can cost-effectively scale their customer support operations without having to add huge numbers of support personnel. Collaborating with suppliers on new product design can improve a company's competitive agility, accelerate time-to-market for its products, and lower development costs. And perhaps most importantly, integrating customers so that they have access to on-time, relevant information can increase their levels of satisfaction significantly. Recapping:
- Internet access can take a business into new markets, decrease costs, and increase revenue through e-commerce applications. It can attract retail customers by providing them with company information and the ability to order online.
- Intranets can provide your employees with access to information and help compress business cycles.
- Extranets enable effective management of your supply chain and transform relationships with key partners, suppliers, and customers.
- Voice/data integration can save companies significant amounts of money and, at the same time, enable new applications.
- All of these applications reduce costs and increase revenue.