1.1 Introduction
Centre for Electronic Governance (CEG) is an autonomous body of the Government of Rajasthan under the Department of Technical Education. The foundation stone of CEG was laid on 8th December 2006 at Khaitan Polytechnic College, Jaipur. Rajasthan is the second state to run this program, after the highly acclaimed and successful Jawahar Knowledge Centre program in Andhra Pradesh. CEG has been established with the sole aim of providing a conducive environment for creating industry-employable IT professionals by arranging seminars, lectures, vocational training and industry-relevant software training. At the same time it provides a ready-made platform for interaction between industry and the trained workforce. Rajasthan is considered one of the most peaceful and law-abiding states, with a high growth rate. The state is developing in all fields in general and in technical higher education in particular. In the last decade alone, more than 50 higher technical education institutes in the field of engineering have started operating.
1.2 Features
* To promote interaction between the Government, Technical Institutes and the Industries.
* To provide a conducive environment for learning by doing in colleges.
* To promote the dissemination of knowledge, fostering the innovative thoughts of the students.
* To empower students living in rural areas so as to bridge the urban-rural gap.
* To organize seminars and lectures by eminent professionals and scientists.
* To produce readily employable graduates by imparting industry-grade skills.
* To produce industry-ready IT professionals.
* To help in updating the curriculum as per the needs of the industries.
* To perform such other functions and to carry out such other duties as the society may deem proper or as may be assigned to it by the State Government from time to time.
* Campus Placement Mission (CPM)
* Campus Placement Related Skills (CPRS)
* Graduate Placement Mission (GPM)
* Training for Students
* Training for Faculty
* CISCO
* Career Net Consulting
* V Combined CAD Technology
* Sun Microsystems India Pvt Ltd
* NIIT
* GENPACT BPO, Jaipur
* QAInfoTech Delhi
* Oracle India Pvt. Ltd
* Red Hat India Pvt. Ltd
* Enhance placement activity.
* Academic support to various and other institutions.
* Establish more KDCs.
* Faculty training program on cutting-edge technologies.
* The number of KDCs after five years will be increased from 17 to 30.
* The number of students placed in companies will be 100%.
* The intake capacity at each KDC will be increased from 50 to 100.
* Establish various Industry Certification Examination Testing Centres.
* The mentors at the KDCs will be trained in new technologies in industries.
* The training of the students can be arranged in various companies and industries, apart from CEG.
* A large number of e-governance projects can be carried out at CEG and the KDCs as well.
technical schools, colleges, universities, and community-based organizations. Interested educational institutions are given the designation of Networking Academy at the level of training that they will be providing in the program. There are currently three possible tiers of training. Industry experts at Cisco Systems train the Instructor Trainers at the Cisco Academy Training Centers (CATCs), the CATC Instructors train Regional Academy Instructors and the Regional Academy Instructors train the Local Academy Instructors who then educate students. Utilizing this three-tier training model helps to provide instructors the training they need in close proximity to where they are located. Educational institutions may play a role at one or more of these training levels. Cisco's partners from business, government and community organizations form an ecosystem to deliver the range of services and support needed to grow tomorrow's global workforce. Initially created to prepare students for the Cisco Certified Network Associate (CCNA) and Cisco Certified Network Professional (CCNP) degrees, the Academy curriculum has expanded with ecosystem-partner sponsored courses. Optional courses include: IT Essentials: PC Hardware and Software and IT Essentials: Network Operating Systems; and Panduit Network Infrastructure Essentials sponsored by Panduit Corporation. The Internet enables anytime, anywhere learning for all students, regardless of location, socio-economic status, gender, or race. With the United Nations Development Program, the United States Agency for International Development, and the International Telecommunication Union, Cisco has made the Academy program available to students in Least Developed Countries to help them build their country's economies. The Networking Academy program continually raises the bar on e-learning and educational processes. 
Through community feedback and electronic assessment, the Academy program adapts curriculum to improve outcomes and student achievement. The Academy infrastructure is designed to deliver a rich, interactive, and personalized curriculum to students around the world. The Internet has the power to change the way people learn, work, and play, and the Cisco Networking Academy Program is in the forefront of this transformation. REGIONAL ACADEMY at CEG is a strong initiative by the Government of Rajasthan and Cisco Networking Academy to bring wide awareness and training of valuable networking technology skills, opportunities, cutting-edge and upcoming trends in the networking domain. Through the following curricula, the above efforts will be met:
* Cisco Certified Network Associate (CCNA) Discovery: foundational networking knowledge and practical experience.
* Cisco Certified Network Associate (CCNA) Exploration: comprehensive overview of networking from fundamentals to advanced applications and services.
* IT Essentials: PC Hardware and Software (Hindi/English)
* CCNP and CCNA Security
2.1 INTRODUCTION
Computer networks have grown in both size and importance in a very short time. If the security of the network is compromised, there could be serious consequences, such as loss of privacy, theft of information, and even legal liability. To make the situation even more challenging, the types of potential threats to network security are always evolving. As e-business and Internet applications continue to grow, finding the balance between being isolated and open is critical. In addition, the rise of mobile commerce and wireless networks demands that security solutions become seamlessly integrated, more transparent, and more flexible.
library should be maintained so that students get the appropriate information about books. Classroom computers should also have e-books to help students.
As security measures have improved over the years, some of the most common types of attacks have diminished in frequency, while new ones have emerged. Conceiving of network security solutions begins with an appreciation of the complete scope of computer crime.
When an enterprise grows to include branch offices, e-commerce services, or global operations, a single LAN network is no longer sufficient to meet its business requirements. Wide area network (WAN) access has become essential for larger businesses today. There are a variety of WAN technologies to meet the different needs of businesses and many ways to scale the network. Adding WAN access introduces other considerations, such as network security and address management. Consequently, designing a WAN and choosing the correct carrier network services is not a simple matter.
Assembling a security policy can be daunting if it is undertaken without guidance. For this reason, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have published a security standard document called ISO/IEC 27002. This document refers specifically to information technology and outlines a code of practice for information security management. ISO/IEC 27002 is intended to be a common basis and practical guideline for developing organizational security standards and effective security management practices. The document consists of 12 sections:
* Risk assessment
* Security policy
* Organization of information security
* Asset management
* Human resources security
* Physical and environmental security
* Communications and operations management
* Access control
* Information systems acquisition, development, and maintenance
* Information security incident management
* Business continuity management
* Compliance
An integrated approach to security, and the necessary devices to make it happen, follows these building blocks:
2.4.2.1 Threat control - Regulates network access, isolates infected systems, prevents intrusions, and protects assets by counteracting malicious traffic, such as worms and viruses. Devices that provide threat control solutions are:
* Cisco ASA 5500 Series Adaptive Security Appliances
* Integrated Services Routers (ISR)
* Network Admission Control
* Cisco Security Agent for Desktops
* Cisco Intrusion Prevention Systems
called the Cisco Adaptive Security Appliance (ASA). The Cisco ASA integrates firewall, voice security, SSL and IPsec VPN, IPS, and content security services in one device.
* Identifies the security objectives of the organization.
* Documents the resources to be protected.
* Identifies the network infrastructure with current maps and inventories.
* Identifies the critical resources that need to be protected, such as research and development, finance, and human resources. This is called a risk analysis.
2.5 OBJECTIVE
The security policy is the hub upon which the four steps of the Security Wheel are based. The steps are secure, monitor, test, and improve.

Step 1: Secure
Secure the network by applying the security policy and implementing the following security solutions:
* Threat defense
* Stateful inspection and packet filtering - Filter network traffic to allow only valid traffic and services.
* Intrusion prevention systems - Deploy at the network and host level to actively stop malicious traffic.
* Vulnerability patching - Apply fixes or measures to stop the exploitation of known vulnerabilities.
* Disable unnecessary services - The fewer services that are enabled, the harder it is for attackers to gain access.

Step 2: Monitor
Monitoring security involves both active and passive methods of detecting security violations. The most commonly used active method is to audit host-level log files. Most operating systems include auditing functionality. System administrators must enable the audit system for every host on the network and take the time to check and interpret the log file entries. Passive methods include using IDS devices to automatically detect intrusion. This method requires less attention from network security administrators than active methods. These systems can detect security violations in real time and can be configured to automatically respond before an intruder does any damage. An added benefit of network monitoring is the verification that the security measures implemented in step 1 of the Security Wheel have been configured and are working properly.

Step 3: Test
In the testing phase of the Security Wheel, the security measures are proactively tested. Specifically, the functionality of the security solutions implemented in step 1 and the system auditing and intrusion detection methods implemented in step 2 are verified. Vulnerability assessment tools such as SATAN, Nessus, or Nmap are useful for periodically testing the network security measures at the network and host level.

Step 4: Improve
The improvement phase of the Security Wheel involves analyzing the data collected during the monitoring and testing phases. This analysis contributes to developing and implementing improvement mechanisms that augment the security policy and results in adding items to step 1. To keep a network as secure as possible, the cycle of the Security Wheel must be continually repeated, because new network vulnerabilities and risks are emerging every day.
With the information collected from the monitoring and testing phases, IDSs can be used to implement improvements to the security. The security policy should be adjusted as new security vulnerabilities and risks are discovered.
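As an added example (not part of the original report), the following Python script shows what the "audit host-level log files" method of the Monitor step looks like in practice for a router: it parses login events in the shape of Cisco IOS %SEC_LOGIN messages, counts repeated failures per source inside a sliding window, and lists sources that eventually logged in after failing. The log lines are constructed for the example; the leading ISO timestamp, the threshold of 3 and the 5-minute window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log. The message bodies follow the shape of Cisco IOS
# %SEC_LOGIN messages; the leading ISO timestamp is an assumption made for
# simple parsing and is not how IOS stamps its syslog output.
SAMPLE_LOG = """\
2009-01-12T10:00:01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
2009-01-12T10:00:20 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
2009-01-12T10:00:45 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
2009-01-12T10:01:30 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
2009-01-12T10:02:05 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.9] [localport: 22]
2009-01-12T10:03:00 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed]
2009-01-12T10:04:00 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 192.0.2.10] [localport: 22]
2009-01-12T10:05:00 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (192.0.2.10)
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) %SEC_LOGIN-\d-(?P<mnemonic>LOGIN_FAILED|LOGIN_SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)


def parse_login_events(text: str) -> List[dict]:
    """Keep only login success/failure messages; other syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "port": int(m["port"]),
            "failed": m["mnemonic"] == "LOGIN_FAILED",
        })
    return events


def repeated_failures(events: List[dict], threshold: int = 3,
                      window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Return {source: highest failure count seen inside any `window`} for the
    sources that reach `threshold` failures within the window."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["failed"]:
            by_src[e["src"]].append(e["ts"])
    flagged: Dict[str, int] = {}
    for src, times in by_src.items():
        times.sort()
        start = 0                       # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def success_after_failures(events: List[dict]) -> List[str]:
    """Sources that logged in successfully after one or more failures: these
    sessions deserve a closer look during review of the audit log."""
    seen_failure = set()
    suspicious: List[str] = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["failed"]:
            seen_failure.add(e["src"])
        elif e["src"] in seen_failure and e["src"] not in suspicious:
            suspicious.append(e["src"])
    return suspicious


if __name__ == "__main__":
    evts = parse_login_events(SAMPLE_LOG)
    print("login events parsed:", len(evts))
    print("repeated failures:", repeated_failures(evts))
    print("success after failures:", success_after_failures(evts))
```

The same two checks carry over to host audit logs: the regular expression is the only part tied to the IOS message format, and the window logic is what turns a pile of log entries into something an administrator can act on.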
We have a few options, typically: dial-up asynchronous connections, leased lines up to 1.544Mbps, Frame Relay, and ISDN, which are the most popular WAN technologies. However, xDSL is the new front-runner to take over as the fastest, most reliable, cheapest WAN technology. We need to consider our usage before buying and implementing a technology. For example, if our users at a remote branch are connected to the office more than three to four hours a day, then we need either Frame Relay or a leased line. If they connect infrequently, then we might get away with ISDN or dial-up connectivity.
A) Hubs
Before we buy any hub, we need to know which users can use a shared 10Mbps or shared 100Mbps network. The lower-end model of hubs Cisco offers supports only 10Mbps, while the middle-of-the-road one offers both 10- and 100Mbps auto-sensing ports. The higher-end hubs offer network-management port and console connections. If we are going to spend enough to buy a high-end hub, we should consider just buying a switch. The different hub products Cisco offers are:
* Cisco 1500 Micro Hub
* Cisco 1528 Micro Hub 10/100
* Cisco FastHub100
* Cisco FastHub200
* Cisco FastHub300
* Cisco FastHub400
Any of these hubs can be stacked together to give us more port density. These are the selection issues we need to know:
* Business requirements for 10- or 100Mbps
* Port density
* Management
* Ease of operation
B) Routers
A key criterion when selecting router products is knowing what feature sets we need to meet our requirements. For example, do we need IP, Frame Relay, and VPN support? How about IPX, AppleTalk, and DECnet? The other features we need to think about when considering different product-selection criteria are port density and interface speeds. As we get into the higher-end models, we see more ports and faster speeds. For example, the new 12000 series model is Cisco's first gigabit switch and has enormous capability and functionality.

Fig 2.1 BOOTING OF ROUTER

* Cisco 700/800 series
* Cisco 1600/1700 series
* Cisco 2500 series
* Cisco 2600 series
* Cisco 3600 series
* Cisco 4000 series
* Cisco 7000 series
* Cisco 12000 GSR series
* AS 5000 series
We can tell how much a product is going to cost by looking at the model number. A stripped-down 12000 series switch with no cards or power supplies starts at about $12,000. The price can end up at well over $100,000 for a loaded system. The Cisco 800 series router has mostly replaced the Cisco 700 series because the 700 series does not run the Cisco IOS. In fact, I hope Cisco will soon stop selling the 700 series routers altogether. They are difficult to configure and maintain. The main selections involved in choosing Cisco routers are listed below:
* Scale of routing features needed
* Port density and variety requirements
* Capacity and performance
* Common user interface
Table 2.1 Comparison between Hub, Bridge, Switch & Router

Feature | Hub | Bridge | Switch | Router
Number of broadcast domains | 1 | 1 | 1 | 1 per router interface
Number of collision domains | 1 | 1 per bridge port | 1 per switch port | 1 per router interface
Forwards LAN broadcasts? | Yes | Yes | Yes | No
Forwards LAN multicasts? | Yes | Yes | Yes; can be optimized for less forwarding | No
OSI layer used when making forwarding decision | N/A | Layer 2 | Layer 2 | Layer 3
Internal processing variants | N/A | Store-and-forward | Store-and-forward, cut-through, FragmentFree | Store-and-forward
Frame/packet fragmentation allowed? | N/A | No | No | Yes
Multiple concurrent equal-cost paths to same destination allowed? | N/A | No | No | Yes
C) Switches
It seems like switch prices are dropping almost daily. About four years ago a 12-port 10/100 switch card for the Catalyst 5000 series switch was about $15,000. Now we can buy a complete Catalyst 5000 with a 10/100 card and supervisor module for about $7500 or so. My point is that with switch prices becoming reasonable, it is now easier to install switches in our network. We must consider whether we need 10/100 or 1000Mbps for each desktop or to connect between switches. ATM (asynchronous transfer mode) is also a consideration; however, with Gigabit Ethernet out and 10Gbps links just around the corner, who needs ATM? The next criterion to consider is port density. The lower-end models start at 12 ports, and the higher-end models can provide hundreds of switched ports per switch.
network together. I'll discuss the different unshielded twisted-pair cabling used today in an Ethernet LAN.
1000BaseLX Single-mode fiber that uses a 9-micron core, 1300-nanometer laser and can go from 3 km up to 10 km. 100VG-AnyLAN is a twisted-pair technology that was the first 100Mbps LAN.
However, since it was incompatible with Ethernet signaling techniques (it used a polling media access method), it was not typically used and is essentially dead.
3.3.4 Straight-Through
In a UTP implementation of a straight-through cable, the wires on both cable ends are in the same order. We can determine that the wiring is a straight-through cable by holding both ends of the UTP cable side by side and seeing that the order of the wires on both ends is identical.
We can use a straight-through cable for the following tasks:
* Connecting a router to a hub or switch
* Connecting a server to a hub or switch
* Connecting workstations to a hub or switch
3.3.5 Crossover
In the implementation of a crossover, the wires on each end of the cable are crossed: Transmit to Receive and Receive to Transmit on each side, for both tip and ring. Pin 1 on one side connects to pin 3 on the other side, and pin 2 connects to pin 6 on the opposite end. We can use a crossover cable for the following tasks:
* Connecting uplinks between switches
* Connecting hubs to switches
* Connecting a hub to another hub
* Connecting a router interface to another router interface
* Connecting two PCs together without a hub or switch
When trying to determine the type of cable needed for a port, look at the port and see if it is marked with an X. Use a straight-through cable when only one port is designated with an X. Use a crossover when both ports are designated with an X or when neither port has an X.
Point-to-Point Protocol (PPP), Integrated Services Digital Network (ISDN), and Frame Relay. Typical speeds are anywhere from 2400bps to 1.544Mbps (T1). HDLC, PPP, and Frame Relay can use the same Physical layer specifications, but ISDN has different pinouts and specifications at the Physical layer.
fine up to the demarc and that the problem must be the CPE, or Customer Premise Equipment, which is our responsibility. The idea behind a WAN is to be able to connect two DTE networks together through a DCE network. The DCE network includes the CSU/DSU, through the provider's wiring and switches, all the way to the CSU/DSU at the other end. The network's DCE device provides clocking to the DTE-connected interface (the router's serial interface).
Primary Rate Interface (PRI) provides T1 speeds (1.544Mbps) in the U.S. and E1 speeds (2.048Mbps) in Europe. The ISDN BRI interface uses an RJ-45, category 5, straight-through cable. It is important to avoid plugging a console cable or other LAN cable into a BRI interface on a router, because it will probably ruin the interface.
3.4.1 Console Connections
All Cisco devices are shipped with console cables and connectors, which allow us to connect to a device and configure, verify, and monitor it. The cable used to connect between a PC and the device is a rollover cable with RJ-45 connectors. The pinouts for a rollover cable are as follows:
* pin 1 to pin 8
* pin 2 to pin 7
* pin 3 to pin 6
* pin 4 to pin 5
* pin 5 to pin 4
* pin 6 to pin 3
* pin 7 to pin 2
* pin 8 to pin 1
We can see that we just take a straight-through RJ-45 cable, cut the end off, flip it over, and reattach a new connector.
Typically, we will use the DB9 connector to attach to our PC and use a COM port to communicate via HyperTerminal. Most Cisco devices now support RJ-45 console connections. However, the Catalyst 5000 series switch still uses a DB25 connector. Set up the terminal emulation program to run 9600bps, 8 data bits, no parity, 1 stop bit, and no flow control. On some routers, we need to verify that the terminal emulation program is emulating a VT100 dumb-terminal mode, not an auto-sense mode, or it won't work. Most routers also have an aux port, which is an auxiliary port used to connect a modem. We can then dial this modem and connect to the router through the aux port. This will give us console access to a remote router that might be down and that we cannot telnet into.
messages are delivered to the correct recipient. The elements of networks are connected by rules to deliver a message.
wireless networking is available in public hotspots, such as coffee shops, businesses, hotel rooms, and airports. Ethernet is the most common wired networking technology. The wires, called cables, connect the computers and other devices that make up the networks. Wired networks are best for moving large amounts of data at high speeds, such as are required to support professional-quality multimedia.
4.2 The OSI Model
Initially the OSI model was designed by the International Organization for Standardization (ISO) to provide a framework on which to build a suite of open systems protocols. The vision was that this set of protocols would be used to develop an international network that would not be dependent on proprietary systems. Unfortunately, the speed at which the TCP/IP based Internet was adopted, and the rate at which it expanded, caused the OSI Protocol Suite development and acceptance to lag behind. Although few of the protocols developed using the OSI specifications are in widespread use today, the seven-layer OSI model has made major contributions to the development of other protocols and products for all types of new networks. As a reference model, the OSI model provides an extensive list of functions and services that can occur at each layer. It also describes the interaction of each layer with the layers directly above and below it. The protocols that make up the TCP/IP protocol suite can be described in terms of the OSI reference model. In the OSI model, the Network Access layer and the Application layer of the TCP/IP model are further divided to describe discrete functions that need to occur at these layers. At the Network Access Layer, the TCP/IP protocol suite does not specify which protocols to use when transmitting over a physical medium; it only describes the handoff from the Internet Layer to the physical network protocols. The OSI Layers 1 and 2 discuss the necessary procedures to access the media and the physical means to send data over a network.
The key parallels between the two network models occur at the OSI model Layers 3 and 4. OSI Model Layer 3, the Network layer, almost universally is used to discuss and document the range of processes that occur in all data networks to address and route messages through an internetwork. The Internet Protocol (IP) is the TCP/IP suite protocol that includes the functionality described at Layer 3. Layer 4, the Transport layer of the OSI model, is often used to describe general services or functions that manage individual conversations between source and destination hosts. These functions include acknowledgement, error recovery, and sequencing. At this layer, the TCP/IP protocols Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) provide the necessary functionality.
The TCP/IP Application layer includes a number of protocols that provide specific functionality to a variety of end user applications. The OSI model Layers 5, 6 and 7 are used as references for application software developers and vendors to produce products that need to access networks for communications.
In recent years, the network number field has been referred to as the network prefix because the leading portion of each IP address identifies the network number. All hosts on a given network share the same network prefix but must have a unique host number. Similarly, any two hosts on different networks must have different network prefixes but may have the same host number.
Class B is used for medium-sized networks. A good example is a large college campus. IP addresses with a first octet from 128 to 191 are part of this class. Class B addresses also include the second octet as part of the Net identifier. The other two octets are used to identify each host.

Class C Networks (/24 Prefixes)
Each Class C network address has a 24-bit network prefix, with the three highest order bits set to 1-1-0 and a 21-bit network number, followed by an 8-bit host number. Class C networks are now referred to as /24s since they have a 24-bit network prefix. A maximum of 2,097,152 (2^21) /24 networks can be defined with up to 254 (2^8 - 2) hosts per network. Since the entire /24 address block contains 2^29 (536,870,912) addresses, it represents 12.5 percent (or one eighth) of the total IPv4 unicast address space.

Other Classes
In addition to the three most popular classes, there are two additional classes. Class D addresses have their leading four bits set to 1-1-1-0 and are used to support IP Multicasting. Class E addresses have their leading four bits set to 1-1-1-1 and are reserved for experimental use.
4.4 Subnetting
Basically, subnetting is the process of subdividing a network into smaller subnets. Suppose we have 2-3 small networks but can't buy an IP address for each and every network. Here we use the basic concept of SUBNETTING: using one public IP address we will give them IP addresses and make them independent networks. To do this we take some bits of the host address and use them for the network address, so we have different independent networks.

Address format when subnetting is used (class A, B, C respectively):
Class A: 8-bit Network | (24-x)-bit Subnet | x-bit Host
Class B: 16-bit Network | (16-x)-bit Subnet | x-bit Host
Class C: 24-bit Network | (8-x)-bit Subnet | x-bit Host

Due to this the mask changes to a subnet mask, and now the network address also includes the subnet address.

Example: if the subnet mask is 255.255.240.0 and the IP address of a computer is given as 142.16.52.4, then:
* 142.16.0.0 is the network address
* 0.0.48.0 is the subnet address
* 0.0.4.4 is the host address of the computer
10001110.00010000.00110100.00000100 is ANDed with 11111111.11111111.11110000.00000000 and the output is 10001110.00010000.00110000.00000000; here the first two octets represent the network address and the third octet represents the subnet address. It can be compared with a postal address: there is only one ZIP code (network address), different streets (subnet address), and different house numbers (host address). The size of the global Internet routing table does not grow, because the site administrator does not need to obtain additional address space and the routing advertisements for all of the subnets are combined into a single routing table entry.
exactly six subnets. For this example, the network administrator must define a block of 8 (2^3) and have two unused subnets that can be reserved for future growth. Since 8 = 2^3, three bits are required to enumerate the eight subnets in the block. In this example, the organization is subnetting a /24 so it will need three more bits, or a /27, as the extended network prefix. A 27-bit extended network prefix can be expressed in dotted-decimal notation as 255.255.255.224. A 27-bit extended network prefix leaves 5 bits to define host addresses on each subnet. This means that each subnetwork with a 27-bit prefix represents a contiguous block of 2^5 (32) individual IP addresses. However, since the all-0s and all-1s host addresses cannot be allocated, there are 30 (2^5 - 2) assignable host addresses on each subnet.
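The two calculations in this section (splitting 142.16.52.4 with mask 255.255.240.0 into network, subnet and host parts, and carving a /24 into six /27 subnets) are carried out below in Python as an added example; it is not code from the original report. The classful prefix is derived from the leading bits of the first octet as described in section 4.3, and the /24 block 192.0.2.0/24 used for the subnet plan is a constructed value standing in for the unnamed /24 in the text.

```python
import ipaddress
from typing import Dict


def dotted_binary(value: int) -> str:
    """Render a 32-bit value as four dotted 8-bit groups, like the chapter's example."""
    bits = format(value, "032b")
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def classful_prefix(ip: str) -> int:
    """Classful network prefix length derived from the leading bits of the first octet."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:       # leading bit 0     -> Class A, /8
        return 8
    if first < 192:       # leading bits 10   -> Class B, /16
        return 16
    if first < 224:       # leading bits 110  -> Class C, /24
        return 24
    raise ValueError("Class D (multicast) and Class E (experimental) are not subnetted")


def split_address(ip: str, mask: str) -> Dict[str, str]:
    """AND the address with the subnet mask and separate the classful network
    bits, the borrowed subnet bits and the host bits."""
    addr = int(ipaddress.IPv4Address(ip))
    m = int(ipaddress.IPv4Address(mask))
    classful = (0xFFFFFFFF << (32 - classful_prefix(ip))) & 0xFFFFFFFF
    if m & classful != classful:
        raise ValueError("subnet mask must cover the classful network bits")
    return {
        "network": str(ipaddress.IPv4Address(addr & classful)),
        "subnet": str(ipaddress.IPv4Address(addr & m & ~classful & 0xFFFFFFFF)),
        "host": str(ipaddress.IPv4Address(addr & ~m & 0xFFFFFFFF)),
        "anded": str(ipaddress.IPv4Address(addr & m)),
        "binary": f"{dotted_binary(addr)} AND {dotted_binary(m)} = {dotted_binary(addr & m)}",
    }


def plan_subnets(block: str, needed: int) -> Dict[str, object]:
    """Borrow the fewest host bits that still give `needed` subnets of `block`
    and report the extended prefix, mask, subnet count and usable hosts."""
    net = ipaddress.IPv4Network(block)
    bits = 0
    while 2 ** bits < needed:          # smallest power of two >= needed
        bits += 1
    new_prefix = net.prefixlen + bits
    if new_prefix > 30:
        raise ValueError("not enough host bits left for usable subnets")
    subnets = list(net.subnets(new_prefix=new_prefix))
    return {
        "borrowed_bits": bits,
        "prefix": new_prefix,
        "mask": str(subnets[0].netmask),
        "subnet_count": len(subnets),
        "spare_subnets": len(subnets) - needed,
        "hosts_per_subnet": 2 ** (32 - new_prefix) - 2,   # all-0s and all-1s excluded
        "subnets": [str(s) for s in subnets],
    }


if __name__ == "__main__":
    for k, v in split_address("142.16.52.4", "255.255.240.0").items():
        print(f"{k:8} {v}")
    # Constructed /24 block, carved into the six subnets the chapter discusses.
    print(plan_subnets("192.0.2.0/24", 6))
```

The mask check in split_address catches a mask shorter than the classful prefix, which is the usual cause of a "wrong network" answer when doing this by hand.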
Routing is used for taking a packet from one device and sending it through the network to another device on a different network. If our network has no routers, then we are not routing. Routers route traffic to all the networks in our internetwork. To be able to route packets, a router must know, at a minimum, the following:
* Destination address
* Neighbor routers from which it can learn about remote networks
* Possible routes to all remote networks
* The best route to each remote network
* How to maintain and verify routing information
Dynamic routing is the process of routing protocols running on the router communicating with neighbor routers. The routers then update each other about all the networks they know about. If a change occurs in the network, the dynamic routing protocols automatically inform all routers about the change. If static routing is used, the administrator is responsible for updating all changes by hand into all routers.
The following parameters are used:
* network-address - Destination network address of the remote network to be added to the routing table.
* subnet-mask - Subnet mask of the remote network to be added to the routing table. The subnet mask can be modified to summarize a group of networks.
The ip-address parameter is commonly referred to as the "next-hop" router's IP address. The actual next-hop router's IP address is commonly used for this parameter. However, the ip-address parameter could be any IP address, as long as it is resolvable in the routing table. This is beyond the scope of this course, but we've added this point to maintain technical accuracy.

2. Installing a Static Route in the Routing Table

R#debug ip routing
R#config terminal
R(config)#ip route 172.16.1.0 255.255.255.0 172.16.2.2

Let's examine each element in this output:
* ip route - Static route command
* 172.16.1.0 - Network address of remote network
* 255.255.255.0 - Subnet mask of remote network
* 172.16.2.2 - Serial 0/0/0 interface IP address on Router, which is the "next-hop" to this network

3. Verifying the Static Route

The output from debug ip routing shows that this route has been added to the routing table.

00:20:15: RT: add 172.16.1.0/24 via 172.16.2.2, static metric [1/0]

Entering show ip route on R shows the new routing table. Output:
* S - Routing table code for static route
* 172.16.1.0 - Network address for the route
* /24 - Subnet mask for this route; this is displayed in the line above, known as the parent route
* [1/0] - Administrative distance and metric for the static route
* via 172.16.2.2 - IP address of the next-hop router, the IP address of Router's Serial 0/0/0 interface
Any packets with a destination IP address whose 24 left-most bits match 172.16.1.0 will use this route.
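To make the "24 left-most bits matching" rule concrete, here is an added Python example (not part of the original report) of a routing table lookup that does what the router does with the static route above: every route whose prefix bits all match the destination is a candidate, the longest prefix wins, and ties are broken by administrative distance and then metric. It also parses the `debug ip routing` line from the chapter back into a route entry. The routing table is constructed for the example; the connected route for the serial link and the /16 summary static route are hypothetical entries added so the longest-prefix choice has something to choose between.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    code: str               # routing table code: "C" connected, "S" static
    prefix: str             # destination network in CIDR form
    next_hop: Optional[str]
    admin_distance: int     # trustworthiness of the route source (lower wins)
    metric: int


# Constructed routing table: the chapter's static route plus a connected route
# for the serial link and a hypothetical /16 summary static route.
ROUTES: List[Route] = [
    Route("C", "172.16.2.0/24", None, 0, 0),
    Route("S", "172.16.1.0/24", "172.16.2.2", 1, 0),
    Route("S", "172.16.0.0/16", "172.16.2.2", 1, 0),
]

DEBUG_RE = re.compile(
    r"RT: add (?P<prefix>\d+\.\d+\.\d+\.\d+/\d+) via (?P<nh>\d+\.\d+\.\d+\.\d+), "
    r"(?P<source>\w+) metric \[(?P<ad>\d+)/(?P<metric>\d+)\]"
)
SOURCE_CODES = {"static": "S"}   # only the route source that appears in the chapter


def parse_debug_line(line: str) -> Optional[Route]:
    """Turn a `debug ip routing` add-line into a Route, or None if it is not one."""
    m = DEBUG_RE.search(line)
    if not m:
        return None
    return Route(SOURCE_CODES.get(m["source"], "?"), m["prefix"], m["nh"],
                 int(m["ad"]), int(m["metric"]))


def lookup(dest: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match: a packet uses the route whose leftmost prefix bits
    all match its destination; among equal-length prefixes the lowest
    administrative distance, then the lowest metric, wins."""
    d = ipaddress.IPv4Address(dest)
    best: Optional[Route] = None
    best_key = None
    for r in routes:
        net = ipaddress.IPv4Network(r.prefix)
        if d not in net:
            continue
        key = (net.prefixlen, -r.admin_distance, -r.metric)
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best


def matching_bits(dest: str, prefix: str) -> int:
    """How many leftmost bits of `dest` agree with the route's network address."""
    a = int(ipaddress.IPv4Address(dest))
    n = int(ipaddress.IPv4Network(prefix).network_address)
    diff = a ^ n
    return 32 if diff == 0 else 32 - diff.bit_length()


if __name__ == "__main__":
    for dest in ("172.16.1.77", "172.16.5.1", "172.16.2.9", "10.0.0.1"):
        print(dest, "->", lookup(dest))
    print(parse_debug_line("00:20:15: RT: add 172.16.1.0/24 via 172.16.2.2, static metric [1/0]"))
    print(matching_bits("172.16.1.77", "172.16.1.0/24"), "leftmost bits match the /24")
```

A destination such as 172.16.5.1 still has a route here only because of the hypothetical /16 summary; with the chapter's table alone it would fall through to no match, which is the case `lookup` returns `None` for.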
1. show ip route - Static routes with exit interfaces have been added to the routing table and the previous static routes with next-hop addresses have been deleted.
2. ping - The ultimate test is to route packets from source to destination. Using the ping command, we can test that packets from each router are reaching their destination and that the return path is also working properly.
4.6.4.1.2 IGRP Interior Gateway Routing Protocol (IGRP) is a proprietary protocol developed by Cisco. IGRP has the following key design characteristics: Bandwidth, delay, load and reliability are used to create a composite metric. Routing updates are broadcast every 90 seconds, by default. IGRP is the predecessor of EIGRP and is now obsolete.
4.6.4.1.3 EIGRP Enhanced IGRP (EIGRP) is a Cisco proprietary distance vector routing protocol. EIGRP has these key characteristics: It can perform unequal cost load balancing. It uses Diffusing Update Algorithm (DUAL) to calculate the shortest path.
There are no periodic updates as with RIP and IGRP. Routing updates are sent only when there is a change in the topology.
4.6.4.2 Link state routing protocols:4.6.4.2.1 OSPF OSPF was designed by the IETF (Internet Engineering Task Force) OSPF Working Group, which still exists today. The development of OSPF began in 1987 and there are two current versions in use: OSPFv2: OSPF for IPv4 networks (RFC 1247 and RFC 2328) OSPFv3: OSPF for IPv6 networks (RFC 2740) 4.6.4.2.2 IS-IS IS-IS was designed by ISO (International Organization for Standardization) and is described in ISO 10589. The first incarnation of this routing protocol was developed at DEC (Digital Equipment Corporation) and is known as DECnet Phase V. Radia Perlman was the chief designer of the IS-IS routing protocol. IS-IS was originally designed for the OSI protocol suite and not the TCP/IP protocol suite. Later, Integrated IS-IS, or Dual IS-IS, included support for IP networks. Although IS-IS has been known as the routing protocol used mainly by ISPs and carriers, more enterprise networks are beginning to use IS-IS. 4.6.4.2.3 OSPF Open Shortest Path First (OSPF) is a recent entry into the Internet interior routing scene. OSPF is specifically designed to operate with larger networks. It does not impose a hopcount restriction and permits its domain to be subdivided for easier management. OSPF is a classless routing protocol. Therefore, we will configure the mask as part of our OSPF configuration. OSPF's major advantages over RIP are its fast convergence and its scalability to much larger network implementations.
OSPF packet types
Each packet serves a specific purpose in the OSPF routing process:
1. Hello - Hello packets are used to establish and maintain adjacency with other OSPF routers.
2. DBD - The Database Description (DBD) packet contains an abbreviated list of the sending router's link-state database and is used by receiving routers to check against the local link-state database.
3. LSR - Receiving routers can then request more information about any entry in the DBD by sending a Link-State Request (LSR).
4. LSU - Link-State Update (LSU) packets are used to reply to LSRs as well as to announce new information. LSUs contain seven different types of Link-State Advertisements (LSAs).
5. LSAck - When an LSU is received, the router sends a Link-State Acknowledgement (LSAck) to confirm receipt of the LSU.
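The five packet types above, worked through on the wire as an added example (this is not code from the report): the Python block decodes the OSPFv2 common header defined in RFC 2328, labels the packet type, verifies the header checksum and, for Hello packets, extracts the mask and interval fields that two neighbours must agree on before an adjacency forms. The packets it builds are constructed samples, and the function names (build_ospf_packet, parse_ospf, hello_body, hello_mismatch) are this example's own.

```python
"""OSPFv2 packet-type classifier.

Added example (not code from the report): decodes the 24-byte OSPFv2
common header (RFC 2328, Appendix A.3.1), names the packet type as the
text lists them, verifies the header checksum and, for Hello packets,
pulls out the fields that neighbours must agree on.
"""
import ipaddress
import struct

OSPF_TYPES = {1: "Hello", 2: "DBD", 3: "LSR", 4: "LSU", 5: "LSAck"}
# version, type, length, router ID, area ID, checksum, AuType, authentication
HEADER = struct.Struct("!BBH4s4sHH8s")
# network mask, hello interval, options, priority, dead interval, DR, BDR
HELLO = struct.Struct("!4sHBBI4s4s")


def ospf_checksum(packet: bytes) -> int:
    """Ones-complement checksum with the checksum field zeroed and the 8-byte
    authentication field (bytes 16..23) excluded, as RFC 2328 D.4.1 specifies
    for AuType 0 (null) and 1 (simple password)."""
    body = packet[:12] + b"\x00\x00" + packet[14:16] + packet[24:]
    if len(body) % 2:
        body += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(body) // 2), body))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ospf_packet(ptype: int, router_id: str, area_id: str, body: bytes = b"") -> bytes:
    """Constructed sample packet with AuType 0 and a correct checksum."""
    hdr = HEADER.pack(2, ptype, HEADER.size + len(body),
                      ipaddress.IPv4Address(router_id).packed,
                      ipaddress.IPv4Address(area_id).packed, 0, 0, bytes(8))
    pkt = hdr + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def hello_body(mask: str, hello_interval: int, dead_interval: int,
               priority: int = 1, neighbors=()) -> bytes:
    """Constructed Hello body; DR and BDR are 0.0.0.0 (none elected yet)."""
    body = HELLO.pack(ipaddress.IPv4Address(mask).packed, hello_interval, 0x02,
                      priority, dead_interval, bytes(4), bytes(4))
    return body + b"".join(ipaddress.IPv4Address(n).packed for n in neighbors)


def parse_ospf(packet: bytes) -> dict:
    """Decode the common header; raise on anything that is not a sane OSPFv2 packet."""
    if len(packet) < HEADER.size:
        raise ValueError("shorter than the OSPF header")
    version, ptype, length, rid, aid, csum, autype, _auth = HEADER.unpack_from(packet)
    if version != 2:
        raise ValueError(f"not OSPFv2 (version {version})")
    if length != len(packet):
        raise ValueError(f"length field {length} does not match {len(packet)} bytes")
    info = {
        "type": OSPF_TYPES.get(ptype, f"unknown({ptype})"),
        "router_id": str(ipaddress.IPv4Address(rid)),
        "area_id": str(ipaddress.IPv4Address(aid)),
        # With cryptographic authentication (AuType 2) the checksum is not used.
        "checksum_ok": ospf_checksum(packet) == csum if autype in (0, 1) else None,
    }
    if ptype == 1:
        body = packet[HEADER.size:]
        mask, hello, _opts, pri, dead, dr, bdr = HELLO.unpack_from(body)
        info["hello"] = {
            "mask": str(ipaddress.IPv4Address(mask)),
            "hello_interval": hello,
            "dead_interval": dead,
            "priority": pri,
            "dr": str(ipaddress.IPv4Address(dr)),
            "bdr": str(ipaddress.IPv4Address(bdr)),
            # Neighbour list follows the fixed part as 4-byte router IDs.
            "neighbors": [str(ipaddress.IPv4Address(body[i:i + 4]))
                          for i in range(HELLO.size, len(body), 4)],
        }
    return info


def hello_mismatch(a: dict, b: dict) -> bool:
    """True when two parsed Hellos cannot form an adjacency because the mask,
    hello interval or dead interval differ (a classic OSPF neighbour fault)."""
    return any(a["hello"][k] != b["hello"][k]
               for k in ("mask", "hello_interval", "dead_interval"))
```

A defender capturing OSPF on a span port can use a classifier like this to count packet types per router ID; a Hello that keeps arriving with intervals that mismatch the local configuration explains a neighbour that never reaches adjacency, and a failing checksum points at corruption or a malformed sender.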
CHAPTER -5
TESTING OF NETWORK
5.1 INTRODUCTION
To efficiently diagnose and correct network problems, a network engineer needs to know how a network has been designed and what the expected performance for this network should be under normal operating conditions. This information is called the network baseline and is captured in documentation such as configuration tables and topology diagrams. Network configuration documentation provides a logical diagram of the network and detailed information about each component. This information should be kept in a single location, either as hard copy or on the network on a protected website. Network documentation should include these components:
Network configuration table
End-system configuration table
Network topology diagram
When we document our network, we may have to gather information directly from routers and switches. Commands that are useful to the network documentation process include:
The ping command is used to test connectivity with neighboring devices before logging in to them. Pinging other PCs in the network also initiates the MAC address auto-discovery process.
The telnet command is used to log in remotely to a device for accessing configuration information.
The show ip interface brief command is used to display the up or down status and IP address of all interfaces on a device.
The show ip route command is used to display the routing table in a router to learn the directly connected neighbors, more remote devices (through learned routes), and the routing protocols that have been configured.
The show cdp neighbor detail command is used to obtain detailed information about directly connected Cisco neighbor devices.
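A small baseline check built on the show ip interface brief output described above, as an added example that is not part of the report: it parses a constructed sample of that command's output and compares it with a documented network configuration table (here a constructed BASELINE dictionary), reporting interfaces whose address, status or line protocol deviate from the documentation. The function names, the sample output and the baseline table are assumptions of this example.

```python
"""Baseline check over 'show ip interface brief' output.

Added example (not code from the report): parses constructed sample output
of the IOS command and compares it with a documented network configuration
table, so that drift from the baseline is reported instead of eyeballed.
"""
import re

# One data row: interface, address, OK?, method, status (may contain a space), protocol.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>up|down|administratively down|deleted)\s+(?P<protocol>up|down)\s*$"
)

# Constructed sample output (not captured from a real device).
SAMPLE_OUTPUT = """\
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.168.1.1     YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
Serial0/0/0                10.0.0.1        YES NVRAM  up                    down
Serial0/0/1                10.0.1.1        YES NVRAM  up                    up
"""

# Constructed network configuration table: what the documentation says should be true.
BASELINE = {
    "GigabitEthernet0/0": {"ip": "192.168.1.1", "status": "up", "protocol": "up"},
    "GigabitEthernet0/1": {"ip": "unassigned", "status": "administratively down", "protocol": "down"},
    "Serial0/0/0": {"ip": "10.0.0.1", "status": "up", "protocol": "up"},
    "Serial0/0/1": {"ip": "10.0.1.1", "status": "up", "protocol": "up"},
    "Serial0/1/0": {"ip": "10.0.2.1", "status": "up", "protocol": "up"},
}


def parse_interface_brief(text: str) -> dict:
    """Return {interface: {ip, status, protocol}}; the header line does not match."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows[m["iface"]] = {k: m[k] for k in ("ip", "status", "protocol")}
    return rows


def compare_to_baseline(observed: dict, baseline: dict) -> list:
    """List (interface, finding) pairs for every deviation from the baseline."""
    findings = []
    for iface, expected in baseline.items():
        seen = observed.get(iface)
        if seen is None:
            findings.append((iface, "missing from device output"))
            continue
        for field in ("ip", "status", "protocol"):
            if seen[field] != expected[field]:
                findings.append((iface, f"{field} is {seen[field]!r}, baseline says {expected[field]!r}"))
    # Interfaces the documentation does not know about are worth a look too.
    for iface in sorted(observed.keys() - baseline.keys()):
        findings.append((iface, "not in baseline (undocumented interface)"))
    return findings


if __name__ == "__main__":
    for iface, finding in compare_to_baseline(parse_interface_brief(SAMPLE_OUTPUT), BASELINE):
        print(f"{iface}: {finding}")
```

On the constructed sample the check reports Serial0/0/0 with its line protocol down while the baseline expects up, and Serial0/1/0 missing from the device output; both are exactly the symptoms the text says a baseline lets an engineer spot quickly.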
It may also reveal areas in the network that are underutilized and quite often can lead to network redesign efforts based on quality and capacity observations.
Stage 3 Correct the problem - Having isolated and identified the cause of the problem, the network administrator works to correct the problem by implementing, testing, and documenting a solution. If the network administrator determines that the corrective action has created another problem, the attempted solution is documented, the changes are removed, and the network administrator returns to gathering symptoms and isolating the problem.
A troubleshooting policy should be established for each stage. A policy provides a consistent manner in which to perform each stage. Part of the policy should include documenting every important piece of information.
the most likely possibility, and use knowledge and experience to determine if the problem is more likely a hardware or software configuration problem. Step 5. Document symptoms - Sometimes the problem can be solved using the documented symptoms. If not, begin the isolating phase of the general troubleshooting process.
A network analysis module (NAM) can be installed in Cisco Catalyst 6500 series switches and Cisco 7600 series routers to provide a graphical representation of traffic from local and remote switches and routers. The NAM is an embedded, browser-based interface that generates reports on the traffic that consumes critical network resources. In addition, the NAM can capture and decode packets and track response times to pinpoint an application problem to the network or the server.
Cable analyzers are multifunctional handheld devices that are used to test and certify copper and fiber cables for different services and standards. The more sophisticated tools include advanced troubleshooting diagnostics that measure distance to a performance defect (NEXT, RL), identify corrective actions, and graphically display crosstalk and impedance behavior. Cable analyzers also typically include PC-based software. Once field data is collected, the handheld device can upload it and up-to-date, accurate reports can be created.
CHAPTER -6 SECURITY
6.1 Introduction
Computer networks have grown in both size and importance in a very short time. If the security of the network is compromised, there could be serious consequences, such as loss of privacy, theft of information, and even legal liability. To make the situation even more challenging, the types of potential threats to network security are always evolving. As e-business and Internet applications continue to grow, finding the balance between being isolated and open is critical. In addition, the rise of mobile commerce and wireless networks demands that security solutions become seamlessly integrated, more transparent, and more flexible.
Hacker - A general term that has historically been used to describe a computer programming expert. More recently, this term is often used in a negative way to describe an individual that attempts to gain unauthorized access to network resources with malicious intent.
Black hat - Another term for individuals who use their knowledge of computer systems to break into systems or networks that they are not authorized to use, usually for personal or financial gain. A cracker is an example of a black hat.
Cracker - A more accurate term to describe someone who tries to gain unauthorized access to network resources with malicious intent.
Phreaker - An individual who manipulates the phone network to cause it to perform a function that is not allowed. A common goal of phreaking is breaking into the phone network, usually through a payphone, to make free long distance calls.
Spammer - An individual who sends large quantities of unsolicited e-mail messages. Spammers often use viruses to take control of home computers and use them to send out their bulk messages.
Phisher - Uses e-mail or other means to trick others into providing sensitive information, such as credit card numbers or passwords. A phisher masquerades as a trusted party that would have a legitimate need for the sensitive information.
6. Denial of service
7. Unauthorized access to information
8. Bots within the organization
9. Theft of customer or employee data
10. Abuse of wireless network
11. System penetration
12. Financial fraud
13. Password sniffing
14. Key logging
15. Website defacement
16. Misuse of a public web application
17. Theft of proprietary information
18. Exploiting the DNS server of an organization
19. Telecom fraud
20. Sabotage
Note: In certain countries, some of these activities may not be a crime, but are still a problem.
6.4 ACL
An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. ACLs are among the most commonly used objects in Cisco IOS software. ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways. As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet. The ACL enforces one or more corporate security policies by applying a permit or deny rule to determine the fate of the packet. ACLs can be configured to control access to a network or subnet. By default, a router does not have any ACLs configured and therefore does not filter traffic. Traffic that enters the router is routed according to the routing table. If we do not use ACLs on the router, all packets that can be routed through the router pass through the router to the next network segment.
Here are some guidelines for using ACLs:
Use ACLs in firewall routers positioned between our internal network and an external network such as the Internet.
Use ACLs on a router positioned between two parts of our network to control traffic entering or exiting a specific part of our internal network.
Configure ACLs on border routers, that is, routers situated at the edges of our networks. This provides a very basic buffer from the outside network, or between a less controlled area of our own network and a more sensitive area of our network.
Configure ACLs for each network protocol configured on the border router interfaces. We can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.
for IP: AppleTalk and IPX. This router could possibly require 12 separate ACLs-one ACL for each protocol, times two for each direction, times two for the number of ports.
If the outbound interface is not grouped to an outbound ACL, the packet is sent directly to the outbound interface. If the outbound interface is grouped to an outbound ACL, the packet is not sent out on the outbound interface until it is tested by the combination of ACL statements that are associated with that interface. Based on the ACL tests, the packet is permitted or denied.
For outbound lists, "to permit" means to send the packet to the output buffer, and "to deny" means to discard the packet.
not match any of the ACL entries, it is automatically blocked. The implied "deny all traffic" is the default behavior of ACLs and cannot be changed.
6.4.2.2 There are two types of Cisco ACLs, standard and extended.
6.4.2.2.1 Standard ACLs
Standard ACLs allow us to permit or deny traffic from source IP addresses. The destination of the packet and the ports involved do not matter. The example allows all traffic from the 192.168.30.0/24 network. Because of the implied "deny any" at the end, all other traffic is blocked with this ACL. Standard ACLs are created in global configuration mode.
6.4.2.2.2 Extended ACLs
Extended ACLs filter IP packets based on several attributes, for example, protocol type, source IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information for finer granularity of control. For example, ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to any destination host port 80 (HTTP). Extended ACLs are created in global configuration mode.
A standard ACL is a sequential collection of permit and deny conditions that apply to IP addresses. The destination of the packet and the ports involved are not covered. Cisco IOS software tests addresses against the conditions one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the address is rejected.
The two main tasks involved in using ACLs are as follows:
Step 1. Create an access list by specifying an access list number or name and access conditions.
Step 2. Apply the ACL to interfaces or terminal lines.
Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic. However, a number does not tell us the purpose of the ACL. For this reason, starting with Cisco IOS Release 11.2, we can use a name to identify a Cisco ACL. Regarding numbered ACLs, in case we are wondering why numbers 200 to 1299 are skipped, it is because those numbers are used by other protocols. This course focuses only on IP ACLs. For example, numbers 600 to 699 are used by AppleTalk, and numbers 800 to 899 are used by IPX.
The proper placement of an ACL to filter undesirable traffic makes the network operate more efficiently. ACLs can act as firewalls to filter packets and eliminate unwanted traffic. Where we place ACLs can reduce unnecessary traffic. For example, traffic that will be denied at a remote destination should not use network resources along the route to that destination. Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are:
Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure.
Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.
FIG 6.1 DFD SHOWING HOW ACL WORKS
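The first-match evaluation, the implicit "deny any" and the standard versus extended distinction described in 6.4.2.2, together with the two-step procedure above, worked through as an added example. This is not code from the report or from Cisco IOS: it parses the subset of IOS numbered-ACL syntax the text uses (access-list lines with any, host, a network plus wildcard mask, and eq <port> on the destination) and evaluates constructed packets against the two ACLs the text quotes plus a constructed one that shows why entry order matters. The packet dictionaries and the helper names (parse_acl, evaluate, decide) are assumptions of this example.

```python
"""Cisco-style ACL first-match simulator.

Added example (not code from the report or from Cisco IOS): parses the
subset of IOS numbered-ACL syntax used in the text and evaluates
constructed packets exactly as the text describes, top to bottom, first
match decides, and whatever is left hits the implicit "deny any".
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    src: int                 # source network and wildcard mask
    src_wild: int
    dst: int                 # destination network and wildcard mask
    dst_wild: int
    dst_port: Optional[int]  # only "eq <port>" on the destination is supported here


def _address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def parse_acl(text: str):
    """Parse 'access-list <n> permit|deny ...' lines into Entry objects.

    The number decides the type: 1-99 and 1300-1999 are standard (source only),
    100-199 and 2000-2699 are extended; 200-1299 belong to other protocols.
    """
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list" or t[2] == "remark":
            continue
        num, action = int(t[1]), t[2]
        if 1 <= num <= 99 or 1300 <= num <= 1999:
            src, wild, _ = _address(t[3:])
            entries.append(Entry(action, "ip", src, wild, 0, 0xFFFFFFFF, None))
        elif 100 <= num <= 199 or 2000 <= num <= 2699:
            src, sw, rest = _address(t[4:])
            dst, dw, rest = _address(rest)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
            entries.append(Entry(action, t[3], src, sw, dst, dw, port))
        else:
            raise ValueError(f"access-list {num} is not an IP ACL number")
    return entries


def _wildcard_match(addr: int, net: int, wild: int) -> bool:
    # A wildcard bit of 1 means "don't care", so only the 0 bits are compared.
    return (addr ^ net) & (~wild & 0xFFFFFFFF) == 0


def evaluate(entries, packet: dict):
    """Return (action, index of the matching entry); index is None for the implicit deny."""
    src, dst = _ip(packet["src"]), _ip(packet["dst"])
    for i, e in enumerate(entries):
        if e.proto not in ("ip", packet["proto"]):
            continue
        if not _wildcard_match(src, e.src, e.src_wild):
            continue
        if not _wildcard_match(dst, e.dst, e.dst_wild):
            continue
        if e.dst_port is not None and packet.get("dport") != e.dst_port:
            continue
        return e.action, i      # first match wins; later entries are never consulted
    return "deny", None         # implicit "deny any" at the end of every ACL


def decide(acl_text: str, packet: dict) -> str:
    """Convenience wrapper: parse and evaluate in one call."""
    return evaluate(parse_acl(acl_text), packet)[0]


# Constructed ACL text matching the two examples in the section.
STANDARD_ACL = "access-list 1 permit 192.168.30.0 0.0.0.255"
EXTENDED_ACL = "access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80"

# Constructed ACL showing why order matters: swap the two lines and the host deny is shadowed.
ORDERED_ACL = """
access-list 10 deny host 192.168.30.99
access-list 10 permit 192.168.30.0 0.0.0.255
"""

if __name__ == "__main__":
    web = {"src": "192.168.30.17", "dst": "203.0.113.10", "proto": "tcp", "dport": 80}
    print(decide(STANDARD_ACL, web))                    # permit
    print(decide(EXTENDED_ACL, dict(web, dport=443)))  # deny (implicit deny any)
```

Running the block prints permit for the HTTP packet against ACL 1 and deny for port 443 against ACL 103, the latter only because of the implicit deny. Reversing the two lines of ORDERED_ACL makes the host-specific deny unreachable, which is the ordering trap the section warns about and a useful thing to check for when reviewing an ACL before it is applied.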
Chapter -7 CONCLUSION
The network designed using simulators fully meets the objectives of the system. The system has reached a steady state where all the bugs have been eliminated. The system is operating at a high level of efficiency and all the packets are reaching their correct destination. The network traffic is also monitored through analyzers. The project developed is within the state of the art and the defects can easily be reduced to a level matching the application's needs. The network has been designed with user friendliness as the top priority, i.e. the system is very easy to operate and work with, and it solves the problem it was intended to solve as set out in the requirement specification phase. Thus, in the end we would like to conclude that a network design has become a need for every organization and sooner or later everyone will be compelled to apply it due to its numerous advantages.
Key Learning
In today's job market, the established competitive state of affairs makes it tricky for every individual to acquire a job easily. In such situations, it becomes crucial to be well educated and to have professional qualifications in order to make a successful career. Therefore, if you are preparing for a career in networking, which is considered one of the most sought-after fields all over the world, it is important for you to clear the CCNA certification. To acquire the CCNA certification, it is suggested that you register for Cisco CCNA training, which is offered by several institutions around the UK. After this, you may need to prepare for and clear the CCNA examinations to become CCNA certified. Cisco Certified Network Associate (CCNA) is the basic level of Cisco certification. By registering for the CCNA examination, you will learn the networking basics such as installation, design, troubleshooting, configuration, management and maintenance of IP and non-IP networks. Furthermore, as the CCNA course is the basis of the three levels of Cisco certified network associate, there are no prerequisites for taking the CCNA examinations. The CCNA level is appropriate for assisting field technicians and desk engineer
Advantages:
1. Understand the basic functioning of Cisco routers, switches and hubs.
2. Have a professional approach towards networking.
3. Potential to configure any network.
4. Industry-Oriented
REFERENCES
www.sybex.com
http://compnetworking.about.com
Study Guide
Data Communications and Networking, Behrouz A. Forouzan, Tata McGraw Hill.