Exploration 4-chapter 6

August 15, 2010

Teleworker Benefits:
Organizational benefits:
• Continuity of operations
• Increased responsiveness
• Secure, reliable, and manageable access to information
• Cost-effective integration of data, voice, video, and applications
• Increased employee productivity, satisfaction, and retention
Social benefits:
• Increased employment opportunities for marginalized groups
• Less travel and commuter-related stress
Environmental benefits:
• Reduced carbon footprints, both for individual workers and organizations

• Traditional private WAN Layer 2 technologies, including Frame Relay, ATM, and leased lines, provide many remote connection solutions. The security of these connections depends on the service provider.
• IPsec Virtual Private Networks (VPNs) offer flexible and scalable connectivity. Site-to-site connections can provide a secure, fast, and reliable remote connection to teleworkers. This is the most common option for teleworkers, combined with remote access over broadband, to establish a secure VPN over the public Internet. (A less reliable means of connectivity using the Internet is a dialup connection.)
• The term broadband refers to advanced communications systems capable of providing high-speed transmission of services, such as data, voice, and video, over the Internet and other networks. Transmission is provided by a wide range of technologies, including digital subscriber line (DSL) and fiber-optic cable, coaxial cable, wireless technology, and satellite. The broadband service data transmission speeds typically exceed 200 kilobits per second (kb/s), or 200,000 bits per second, in at least one direction: downstream (from the Internet to the user’s computer) or upstream (from the user’s computer to the Internet).
To connect effectively to their organization’s networks, teleworkers need two key sets of components: home office components and corporate components. The option of adding IP telephony components is becoming more common as providers extend broadband service to more areas.

• Home Office Components – The required home office components are a laptop or desktop computer, broadband access (cable or DSL), and a VPN router or VPN client software installed on the computer. Additional components might include a wireless access point. When traveling, teleworkers need an Internet connection and a VPN client to connect to the corporate network over any available dialup, network, or broadband connection.
• Corporate Components – Corporate components are VPN-capable routers, VPN concentrators, multifunction security appliances, authentication, and central management devices for resilient aggregation and termination of the VPN connections.
• Dialup access – An inexpensive option that uses any phone line and a modem. To connect to the ISP, a user calls the ISP access phone number. Dialup is the slowest connection option, and is typically used by mobile workers in areas where higher speed connection options are not available.
• DSL – Typically more expensive than dialup, but provides a faster connection. DSL also uses telephone lines, but unlike dialup access, DSL provides a continuous connection to the Internet. DSL uses a special high-speed modem that separates the DSL signal from the telephone signal and provides an Ethernet connection to a host computer or LAN.
• Cable modem – Offered by cable television service providers. The Internet signal is carried on the same coaxial cable that delivers cable television. A special cable modem separates the Internet signal from the other signals carried on the cable and provides an Ethernet connection to a host computer or LAN.
• Satellite – Offered by satellite service providers. The computer connects through Ethernet to a satellite modem that transmits radio signals to the nearest point of presence (POP) within the satellite network.
Accessing the Internet through a cable network is a popular option used by teleworkers to access their enterprise network.
A cable network is capable of transmitting signals on the cable in either direction at the same time. The following frequency scope is used:

• Downstream – The direction of an RF signal transmission (TV channels and data) from the source (headend) to the destination (subscribers). Transmission from source to destination is called the forward path. Downstream frequencies are in the range of 50 to 860 megahertz (MHz).
• Upstream – The direction of the RF signal transmission from subscribers to the headend, or the return or reverse path. Upstream frequencies are in the range of 5 to 42 MHz.
The Data-over-Cable Service Interface Specification (DOCSIS) is an international standard developed by CableLabs, a non-profit research and development consortium for cable-related technologies.
DOCSIS defines the communications and operation support interface requirements for a data-over-cable system, and permits the addition of high-speed data transfer to an existing CATV system.
DOCSIS specifies the OSI Layer 1 and Layer 2 requirements:

• Physical layer – For data signals that the cable operator can use, DOCSIS specifies the channel widths (bandwidths of each channel) as 200 kHz, 400 kHz, 800 kHz, 1.6 MHz, 3.2 MHz, and 6.4 MHz. DOCSIS also specifies modulation techniques (the way to use the RF signal to convey digital data).
• MAC layer – Defines a deterministic access method: time-division multiple access (TDMA) or synchronous code division multiple access (S-CDMA).
Frequency-division multiple access (FDMA) divides access by frequency.
Code division multiple access (CDMA) employs spread-spectrum technology and a special coding scheme in which each transmitter is assigned a specific code.
Two types of equipment are required to send digital modem signals upstream and downstream on a cable system:
• Cable modem termination system (CMTS) at the headend of the cable operator
• Cable modem (CM) on the subscriber end
DSL is a means of providing high-speed connections over installed copper wires.
• Uses high transmission frequencies (up to 1 MHz)
• Technology for delivering high bandwidth over regular copper lines
• Connection between subscriber and CO
ADSL provides higher downstream bandwidth to the user than upload bandwidth. SDSL provides the same capacity in both directions.
The connection is set up between a pair of modems on either end of a copper wire that extends between the customer premises equipment (CPE) and the DSL access multiplexer (DSLAM). A DSLAM is the device located at the central office (CO) of the provider and concentrates connections from multiple DSL subscribers.
• Transceiver – Connects the computer of the teleworker to the DSL. Usually the transceiver is a DSL modem connected to the computer using a USB or Ethernet cable. Newer DSL transceivers can be built into small routers with multiple 10/100 switch ports suitable for home office use.
• DSLAM – Located at the CO of the carrier, the DSLAM combines individual DSL connections from users into one high-capacity link to an ISP, and thereby, to the Internet.
• A key feature of ADSL is coexistence with POTS.
• Transmission of voice and data signals is performed on the same wire pair.
• Data circuits are offloaded from the voice switch.
There are two ways to separate ADSL from voice at the customer premises: using a microfilter or using a splitter.

A microfilter is a passive low-pass filter with two ends. One end connects to the telephone, and the other end connects to the telephone wall jack.
POTS splitters separate the DSL traffic from the POTS traffic. The POTS splitter is a passive device. In the event of a power failure, the voice traffic still travels to the voice switch in the CO of the carrier. Splitters are located at the CO and, in some deployments, at the customer premises.
A hotspot is the area covered by one or more interconnected access points. Public gathering places, like coffee shops, parks, and libraries, have created Wi-Fi hotspots, hoping to increase business. By overlapping access points, hotspots can cover many square miles.
WiMAX (Worldwide Interoperability for Microwave Access) is telecommunications technology aimed at providing wireless data over long distances in a variety of ways, from point-to-point links to full mobile cellular type access. WiMAX operates at higher speeds, over greater distances, and for a greater number of users than Wi-Fi. Because of its higher speed (bandwidth) and falling component prices, it is predicted that WiMAX will soon supplant municipal mesh networks for wireless deployments.
A WiMAX network consists of two main components:
• A tower that is similar in concept to a cellular telephone tower. A single WiMAX tower can provide coverage to an area as large as 3,000 square miles, or almost 7,500 square kilometers.
• A WiMAX receiver that is similar in size and shape to a PCMCIA card, or built into a laptop or other wireless device.
There are three ways to connect to the Internet using satellites: one-way multicast, one-way terrestrial return, and two-way.

• One-way multicast satellite Internet systems are used for IP multicast-based data, audio, and video distribution. Even though most IP protocols require two-way communication, Internet content such as web pages can be “pushed” by a one-way satellite-based Internet service to local storage at end-user sites. Full interactivity is not possible.
• One-way terrestrial return satellite Internet systems use traditional dialup access to send outbound data through a modem and receive downloads from the satellite.
• Two-way satellite Internet sends data from remote sites via satellite to a hub, which then sends the data to the Internet. The satellite dish at each location needs precise positioning to avoid interference with other satellites.
Organizations use VPNs to provide a virtual WAN infrastructure that connects branch offices, home offices, business partner sites, and remote telecommuters to all or portions of their corporate network.
Virtual: information within a private network is transported over a public network.
Private: The traffic is encrypted to keep the data confidential.
Organizations using VPNs benefit from increased flexibility and productivity. Remote sites and teleworkers can connect securely to the corporate network from almost any place. Data on a VPN is encrypted and undecipherable to anyone not entitled to have it.
Consider these benefits when using VPNs:

• Cost savings – Organizations can use cost-effective, third-party Internet transport to connect remote offices and users to the main corporate site. This eliminates expensive dedicated WAN links and modem banks. By using broadband, VPNs reduce connectivity costs while increasing remote connection bandwidth.
• Security – Advanced encryption and authentication protocols protect data from unauthorized access.
• Scalability – VPNs use the Internet infrastructure within ISPs and carriers, making it easy for organizations to add new users. Organizations, big and small, are able to add large amounts of capacity without adding significant infrastructure.
The key to VPN effectiveness is security. VPNs secure data by encapsulating or encrypting the data. Most VPNs can do both.

• Encapsulation is also referred to as tunneling, because encapsulation transmits data transparently from network to network through a shared network infrastructure.
• Encryption codes data into a different format using a secret key. Decryption decodes encrypted data into the original unencrypted format.
VPNs use advanced encryption techniques and tunneling to permit organizations to establish secure, end-to-end, private network connections over the Internet.

• Data confidentiality – A common security concern is protecting data from eavesdroppers. As a design feature, data confidentiality aims at protecting the contents of messages from interception by unauthenticated or unauthorized sources. VPNs achieve confidentiality using mechanisms of encapsulation and encryption.
• Data integrity – Receivers have no control over the path the data has traveled and therefore do not know if the data has been seen or handled while it journeyed across the Internet. There is always the possibility that the data has been modified. Data integrity guarantees that no tampering or alterations occur to data while it travels between the source and destination. VPNs typically use hashes to ensure data integrity. A hash is like a checksum or a seal that guarantees that no one has read the content, but it is more robust. Hashes are explained in the next topic.
• Authentication – Authentication ensures that a message comes from an authentic source and goes to an authentic destination. User identification gives a user confidence that the party with whom the user establishes communications is who the user thinks the party is. VPNs can use passwords, digital certificates, smart cards, and biometrics to establish the identity of parties at the other end of a network.
Some of the more common encryption algorithms and the length of keys they use are as follows:

• Data Encryption Standard (DES) algorithm – Developed by IBM, DES uses a 56-bit key, ensuring high-performance encryption. DES is a symmetric key cryptosystem. Symmetric and asymmetric keys are explained below.
• Triple DES (3DES) algorithm – A newer variant of DES that encrypts with one key, decrypts with another different key, and then encrypts one final time with another key. 3DES provides significantly more strength to the encryption process.
• Advanced Encryption Standard (AES) – The National Institute of Standards and Technology (NIST) adopted AES to replace the existing DES encryption in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key lengths: 128, 192, and 256-bit keys.
• Rivest, Shamir, and Adleman (RSA) – An asymmetrical key cryptosystem. The keys use a bit length of 512, 768, 1024, or larger.

Symmetric Encryption

Encryption algorithms such as DES and 3DES require a shared secret key to perform encryption and decryption. Each of the two computers must know the key to decode the information. With symmetric key encryption, also called secret key encryption, each computer encrypts the information before sending it over the network to the other computer.

Asymmetric Encryption

Asymmetric encryption uses different keys for encryption and decryption. Knowing one of the keys does not allow a hacker to deduce the second key and decode the information. One key encrypts the message, while a second key decrypts the message. It is not possible to encrypt and decrypt with the same key.
IPsec is a protocol suite for securing IP communications that provides encryption, integrity, and authentication. IPsec spells out the messaging necessary to secure VPN communications, but relies on existing algorithms.
There are two main IPsec framework protocols.

• Authentication Header (AH) – Use when confidentiality is not required or permitted. AH provides data authentication and integrity for IP packets passed between two systems. It verifies that any message passed from R1 to R2 has not been modified during transit. It also verifies that the origin of the data was either R1 or R2. AH does not provide data confidentiality (encryption) of packets. Used alone, the AH protocol provides weak protection. Consequently, it is used with the ESP protocol to provide data encryption and tamper-aware security features.
• Encapsulating Security Payload (ESP) – Provides confidentiality and authentication by encrypting the IP packet. IP packet encryption conceals the data and the identities of the source and destination. ESP authenticates the inner IP packet and ESP header. Authentication provides data origin authentication and data integrity. Although both encryption and authentication are optional in ESP, at a minimum, one of them must be selected.
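The integrity and origin checks that AH and ESP authentication provide can be modelled with a keyed hash. The following is an added example, not part of the course notes or of any IPsec implementation: the packet layout, field offsets, and shared key are constructed for the illustration, and the check mirrors what a receiver does (recompute the tag over the protected fields and compare) without reproducing the real AH or ESP wire format.

```python
"""Added example: how an IPsec-style integrity check (AH, or ESP with
authentication) detects modification in transit.

Layout, offsets and key are constructed for this illustration; they are
not the real AH/ESP formats.
"""
import hmac
import hashlib
import struct

# Constructed shared secret; in IPsec it would be negotiated for the SA (e.g. by IKE).
SHARED_KEY = b"example-shared-secret-for-the-sa"
TAG_LEN = 12  # 96-bit tag, as IPsec truncates its MACs (e.g. HMAC-SHA1-96)
HEADER_LEN = 10  # 4-byte src + 4-byte dst + 2-byte length


def build_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Serialise a simplified packet: src address, dst address, payload length, payload."""
    def ip4(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    return ip4(src) + ip4(dst) + struct.pack("!H", len(payload)) + payload


def authenticate(packet: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Append a keyed hash covering the addresses, the length and the payload."""
    tag = hmac.new(key, packet, hashlib.sha256).digest()[:TAG_LEN]
    return packet + tag


def verify(authenticated: bytes, key: bytes = SHARED_KEY):
    """Recompute the tag over everything but the trailing tag and compare in
    constant time. Returns (is_valid, packet_without_tag)."""
    if len(authenticated) < HEADER_LEN + TAG_LEN:
        return False, b""
    packet, tag = authenticated[:-TAG_LEN], authenticated[-TAG_LEN:]
    expected = hmac.new(key, packet, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected), packet


def corrupt_byte(data: bytes, offset: int, new_value: int) -> bytes:
    """Change one byte so the receiver-side check can be exercised."""
    b = bytearray(data)
    b[offset] = new_value
    return bytes(b)


def demo() -> dict:
    original = build_packet("192.0.2.10", "198.51.100.20", b"GET /payroll HTTP/1.1")
    sent = authenticate(original)

    ok_untouched, _ = verify(sent)
    # Destination address occupies bytes 4..7: a changed address must be rejected.
    ok_dst_changed, _ = verify(corrupt_byte(sent, 4, 99))
    # First payload byte is at offset HEADER_LEN: a changed payload must be rejected.
    ok_payload_changed, _ = verify(corrupt_byte(sent, HEADER_LEN, ord("P")))
    # A sender without the shared key cannot produce a tag that verifies.
    ok_wrong_key, _ = verify(authenticate(original, b"some-other-key"))
    # Integrity only (AH-like): the payload still travels readable, as the notes state.
    payload_readable = original[HEADER_LEN:] in sent

    return {
        "untouched": ok_untouched,
        "dst_changed": ok_dst_changed,
        "payload_changed": ok_payload_changed,
        "wrong_key": ok_wrong_key,
        "payload_readable": payload_readable,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result}")
```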

Exploration 4-chapter 5

August 15, 2010

The ACL can extract the following information from the packet header, test it against its rules, and make “allow” or “deny” decisions based on:

• Source IP address
• Destination IP address
• ICMP message type

The ACL can also extract upper layer information and test it against its rules. Upper layer information includes:

• TCP/UDP source port
• TCP/UDP destination port
An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header.
Here are some guidelines for using ACLs:

• Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
• Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
• Configure ACLs on border routers, that is, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
• Configure ACLs for each network protocol configured on the border router interfaces. You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.
ACLs perform the following tasks:

• Limit network traffic to increase network performance. For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied. This would greatly reduce the network load and increase network performance.
• Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
• Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to select users.
• Decide which types of traffic to forward or block at the router interfaces. For example, an ACL can permit e-mail traffic, but block all Telnet traffic.
• Control which areas a client can access on a network.
• Screen hosts to permit or deny access to network services. ACLs can permit or deny a user to access file types, such as FTP or HTTP.
How ACLs Work
ACLs are configured either to apply to inbound traffic or to apply to outbound traffic.

• Inbound ACLs-Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.
• Outbound ACLs-Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.
There are two types of Cisco ACLs, standard and extended.
Standard ACLs
Standard ACLs allow you to permit or deny traffic from source IP addresses. The destination of the packet and the ports involved do not matter.
Extended ACLs
Extended ACLs filter IP packets based on several attributes, for example, protocol type, source and destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information for finer granularity of control.
Wildcard Masking
ACL statements include masks, also called wildcard masks. A wildcard mask is a string of binary digits telling the router which parts of the subnet number to look at. Although wildcard masks have no functional relationship with subnet masks, they do provide a similar function.
• Wildcard mask bit 0 – Match the corresponding bit value in the address
• Wildcard mask bit 1 – Ignore the corresponding bit value in the address
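To make the standard/extended ACL behaviour and the wildcard-mask rules concrete, here is an added example (not from the course notes and not Cisco IOS code): a small evaluator that applies wildcard bits (0 = must match, 1 = ignore), processes entries top-down with first match winning, and ends with the implicit deny. The ACL entries, addresses and packets are constructed sample data.

```python
"""Added example: evaluating an extended ACL with wildcard masks.

Entries, addresses and packets are constructed; this is a teaching model of
the semantics described in the notes, not IOS code.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = "0.0.0.0"
ANY_WC = "255.255.255.255"   # "any": every bit ignored


def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits whose wildcard-mask bit is 0."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def subnet_to_wildcard(prefix_len: int) -> str:
    """Wildcard for a /n network is the inverse of its subnet mask (e.g. /24 -> 0.0.0.255)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    inv = ~mask & 0xFFFFFFFF
    return ".".join(str((inv >> s) & 0xFF) for s in (24, 16, 8, 0))


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str
    src_wc: str
    dst: str = ANY
    dst_wc: str = ANY_WC
    dport: Optional[int] = None  # None == any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        return self.dport is None or self.dport == p.dport


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Top-down, first match wins; a packet matching no entry hits the implicit deny."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"


# Constructed extended ACL: only the HR subnet 10.1.1.0/24 may reach the HR
# server's web port, nobody else reaches the HR server, Telnet is blocked
# everywhere, and all other IP traffic is permitted.
HR_SERVER = "172.16.5.10"
ACL_101 = [
    Entry("permit", "tcp", "10.1.1.0", subnet_to_wildcard(24), HR_SERVER, "0.0.0.0", 80),
    Entry("deny",   "ip",  ANY, ANY_WC, HR_SERVER, "0.0.0.0"),
    Entry("deny",   "tcp", ANY, ANY_WC, ANY, ANY_WC, 23),
    Entry("permit", "ip",  ANY, ANY_WC),
]


def demo() -> dict:
    return {
        "hr_to_hr_web":     evaluate(ACL_101, Packet("tcp", "10.1.1.25", HR_SERVER, 80)),
        "hr_to_hr_telnet":  evaluate(ACL_101, Packet("tcp", "10.1.1.25", HR_SERVER, 23)),
        "other_to_hr_web":  evaluate(ACL_101, Packet("tcp", "10.1.2.25", HR_SERVER, 80)),
        "ping_hr":          evaluate(ACL_101, Packet("icmp", "10.1.2.25", HR_SERVER)),
        "telnet_elsewhere": evaluate(ACL_101, Packet("tcp", "10.1.2.25", "192.168.9.9", 23)),
        "smtp_elsewhere":   evaluate(ACL_101, Packet("tcp", "10.1.2.25", "192.168.9.9", 25)),
        "empty_acl":        evaluate([], Packet("tcp", "10.1.2.25", "192.168.9.9", 25)),
        # Non-contiguous wildcard 0.0.254.255 with base 10.1.1.0 matches odd third octets.
        "odd_third_octet":  wildcard_match("10.1.3.7", "10.1.1.0", "0.0.254.255"),
        "even_third_octet": wildcard_match("10.1.2.7", "10.1.1.0", "0.0.254.255"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result}")
```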
What are Dynamic ACLs?

Lock-and-key is a traffic filtering security feature that uses dynamic ACLs, which are sometimes referred to as lock-and-key ACLs. Lock-and-key is available for IP traffic only. Dynamic ACLs are dependent on Telnet connectivity, authentication (local or remote), and extended ACLs.
Some common reasons to use dynamic ACLs are as follows:

• When you want a specific remote user or group of remote users to access a host within your network, connecting from their remote hosts via the Internet. Lock-and-key authenticates the user and then permits limited access through your firewall router for a host or subnet for a finite period.
• When you want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall. With lock-and-key, you can enable access to the remote host only for the desired set of local hosts. Lock-and-key requires the users to authenticate through an AAA server (such as a TACACS+ server) or other security server before it allows their hosts to access the remote hosts.
Benefits of Dynamic ACLs

Dynamic ACLs have the following security benefits over standard and static extended ACLs:

• Use of a challenge mechanism to authenticate individual users.
• Simplified management in large internetworks.
• In many cases, reduction of the amount of router processing that is required for ACLs.
• Reduction of the opportunity for network break-ins by network hackers.
• Creation of dynamic user access through a firewall, without compromising other configured security restrictions.

What are Reflexive ACLs?

Reflexive ACLs force the reply traffic from the destination of a known recent outbound packet to go to the source of that outbound packet. This adds greater control to what traffic you allow into your network and increases the capabilities of extended access lists.
Reflexive ACLs can be defined only with extended named IP ACLs. They cannot be defined with numbered or standard named ACLs or with other protocol ACLs. Reflexive ACLs can be used with other standard and static extended ACLs.
Benefits of Reflexive ACLs

Reflexive ACLs have the following benefits:

• Help secure your network against network hackers and can be included in a firewall defense.
• Provide a level of security against spoofing and certain DoS attacks. Reflexive ACLs are much harder to spoof because more filter criteria must match before a packet is permitted through. For example, source and destination addresses and port numbers, not just ACK and RST bits, are checked.
• Simple to use and, compared to basic ACLs, provide greater control over which packets enter your network.
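The reflexive behaviour described above (a recent outbound packet creates a temporary entry, and only the matching reply is let back in) can be modelled in a few dozen lines. This is an added example, not from the course notes and not IOS code; the entry format, the 300-second timeout and the sample traffic are constructed for the illustration.

```python
"""Added example: a model of a reflexive ACL.

An outbound packet reflects an entry with source and destination (address
and port) swapped; an inbound packet is permitted only if it matches a live
entry on all five fields. Timeout and traffic are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

Key = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveACL:
    def __init__(self, timeout_s: int = 300) -> None:
        self.timeout_s = timeout_s
        self.entries: Dict[Key, float] = {}   # reflected 5-tuple -> expiry time

    def outbound(self, p: Packet, now: float) -> str:
        """Outbound traffic is permitted and reflects an entry for its reply."""
        reply = (p.proto, p.dst, p.dport, p.src, p.sport)
        self.entries[reply] = now + self.timeout_s
        return "permit"

    def inbound(self, p: Packet, now: float) -> str:
        """Inbound traffic must match a live reflected entry; anything else is denied."""
        self._expire(now)
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.entries:
            self.entries[key] = now + self.timeout_s   # activity refreshes the entry
            return "permit"
        return "deny"

    def _expire(self, now: float) -> None:
        self.entries = {k: t for k, t in self.entries.items() if t > now}


def demo() -> dict:
    acl = ReflexiveACL(timeout_s=300)
    inside, outside = "10.1.1.25", "203.0.113.80"

    # An inside host opens a web connection to an outside server at t=0.
    acl.outbound(Packet("tcp", inside, 50123, outside, 80), now=0)
    return {
        # The genuine reply: same addresses and ports, reversed.
        "reply": acl.inbound(Packet("tcp", outside, 80, inside, 50123), now=1),
        # Same server, but aimed at a port the inside host never opened.
        "wrong_port": acl.inbound(Packet("tcp", outside, 80, inside, 50124), now=1),
        # A different outside host claiming the same inside port.
        "other_host": acl.inbound(Packet("tcp", "198.51.100.9", 80, inside, 50123), now=1),
        # Unsolicited inbound traffic with no outbound history at all.
        "unsolicited": acl.inbound(Packet("tcp", outside, 4444, inside, 23), now=1),
        # The legitimate reply after the refreshed entry has timed out (1 + 300 < 302).
        "late_reply": acl.inbound(Packet("tcp", outside, 80, inside, 50123), now=302),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result}")
```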
What are Time-based ACLs?

Time-based ACLs are similar to extended ACLs in function, but they allow for access control based on time. To implement time-based ACLs, you create a time range that defines specific times of the day and week. You identify the time range with a name and then refer to it by a function. The time restrictions are imposed on the function itself.

Time-based ACLs have many benefits, such as:

• Offers the network administrator more control over permitting or denying access to resources.
• Allows network administrators to control logging messages. ACL entries can log traffic at certain times of the day, but not constantly. Therefore, administrators can simply deny access without analyzing the many logs that are generated during peak hours.

Exploration 4-chapter 4

August 15, 2010

Some of the most common terms are as follows:

• White hat-An individual who looks for vulnerabilities in systems or networks and then reports these vulnerabilities to the owners of the system so that they can be fixed. They are ethically opposed to the abuse of computer systems. A white hat generally focuses on securing IT systems, whereas a black hat (the opposite) would like to break into them.
• Hacker-A general term that has historically been used to describe a computer programming expert. More recently, this term is often used in a negative way to describe an individual that attempts to gain unauthorized access to network resources with malicious intent.
• Black hat-Another term for individuals who use their knowledge of computer systems to break into systems or networks that they are not authorized to use, usually for personal or financial gain. A cracker is an example of a black hat.
• Cracker-A more accurate term to describe someone who tries to gain unauthorized access to network resources with malicious intent.
• Phreaker-An individual who manipulates the phone network to cause it to perform a function that is not allowed. A common goal of phreaking is breaking into the phone network, usually through a payphone, to make free long distance calls.
• Spammer-An individual who sends large quantities of unsolicited e-mail messages. Spammers often use viruses to take control of home computers and use them to send out their bulk messages.
• Phisher-Uses e-mail or other means to trick others into providing sensitive information, such as credit card numbers or passwords. A phisher masquerades as a trusted party that would have a legitimate need for the sensitive information.
A closed network does not allow a connection to public networks. Because there is no outside connectivity, networks designed in this way are considered safe from outside attacks. However, internal threats still exist. A closed network does little to prevent attacks from within the enterprise.
The four classes of physical threats are:

• Hardware threats-Physical damage to servers, routers, switches, cabling plant, and workstations
• Environmental threats-Temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
• Electrical threats-Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
• Maintenance threats-Poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling

Structured Threats
Structured threats come from individuals or groups that are more highly motivated and technically competent. These people know system vulnerabilities and use sophisticated hacking techniques to penetrate unsuspecting businesses.
Social Engineering

The easiest hack involves no computer skill at all. If an intruder can trick a member of an organization into giving over valuable information, such as the location of files or passwords, the process of hacking is made much easier. This type of attack is called social engineering, and it preys on personal vulnerabilities that can be discovered by talented attackers.
Phishing is a type of social engineering attack that involves using e-mail or other types of messages in an attempt to trick others into providing sensitive information, such as credit card numbers or passwords. The phisher masquerades as a trusted party that has a seemingly legitimate need for the sensitive information.
Port Redirection
A port redirection attack is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise be blocked. It is mitigated primarily through the use of proper trust models. Antivirus software and host-based IDS can help detect and prevent an attacker installing port redirecting utilities on the host.
Man-in-the-Middle Attack

A man-in-the-middle (MITM) attack is carried out by attackers that manage to position themselves between two legitimate hosts. The attacker may allow the normal transactions between hosts to occur, and only periodically manipulate the conversation between the two.
In a transparent proxy attack, an attacker may catch a victim with a phishing e-mail or by defacing a website. Then the URL of a legitimate website has the attacker's URL added to the front of it (prepended).
The Smurf attack uses spoofed broadcast ping messages to flood a target system. It starts with an attacker sending a large number of ICMP echo requests to the network broadcast address from valid spoofed source IP addresses. If a router performs the Layer 3 broadcast-to-Layer 2 broadcast function, most hosts will each respond with an ICMP echo reply, multiplying the traffic by the number of hosts responding.
Host and Server Based Security
Device Hardening

When a new operating system is installed on a computer, the security settings are set to the default values. In most cases, this level of security is inadequate. There are some simple steps that should be taken that apply to most operating systems:

• Default usernames and passwords should be changed immediately.
• Access to system resources should be restricted to only the individuals that are authorized to use those resources.
• Any unnecessary services and applications should be turned off and uninstalled, when possible.

Antivirus software detects viruses in two ways:

• It scans files, comparing their contents to known viruses in a virus dictionary. Matches are flagged in a manner defined by the end user.
• It monitors suspicious processes running on a host that might indicate infection. This monitoring may include data captures, port monitoring, and other methods.
Operating System Patches

The most effective way to mitigate a worm and its variants is to download security updates from the operating system vendor and patch all vulnerable systems. This is difficult with uncontrolled user systems in the local network, and even more troublesome if these systems are remotely connected to the network via a virtual private network (VPN) or remote access server (RAS).
Intrusion Detection and Prevention

Intrusion detection systems (IDS) detect attacks against a network and send logs to a management console. Intrusion prevention systems (IPS) prevent attacks against the network and should provide the following active defense mechanisms in addition to detection:
• Prevention-Stops the detected attack from executing.
• Reaction-Immunizes the system from future attacks from a malicious source.
Host-based Intrusion Detection Systems

Host-based intrusion detection is typically implemented as inline or passive technology, depending on the vendor.
The security policy is the hub upon which the four steps of the Security Wheel are based. The steps are secure, monitor, test, and improve.

Step 1. Secure

Secure the network by applying the security policy and implementing the following security solutions:

Threat defense

• Stateful inspection and packet filtering-Filter network traffic to allow only valid traffic and services.
• Intrusion prevention systems-Deploy at the network and host level to actively stop malicious traffic.
• Vulnerability patching-Apply fixes or measures to stop the exploitation of known vulnerabilities.
• Disable unnecessary services-The fewer services that are enabled, the harder it is for attackers to gain access.
Secure connectivity

• VPNs-Encrypt network traffic to prevent unwanted disclosure to unauthorized or malicious individuals.
• Trust and identity-Implement tight constraints on trust levels within a network. For example, systems on the outside of a firewall should never be absolutely trusted by systems on the inside of a firewall.
• Authentication-Give access to authorized users only. One example of this is using one-time passwords.
• Policy enforcement-Ensure that users and end devices are in compliance with the corporate policy.

Step 2. Monitor

Monitoring security involves both active and passive methods of detecting security violations. The most commonly used active method is to audit host-level log files.
Step 3. Test

In the testing phase of the Security Wheel, the security measures are proactively tested. Specifically, the functionality of the security solutions implemented in step 1 and the system auditing and intrusion detection methods implemented in step 2 are verified.
Step 4. Improve

The improvement phase of the Security Wheel involves analyzing the data collected during the monitoring and testing phases. This analysis contributes to developing and implementing improvement mechanisms that augment the security policy and results in adding items to step 1.
Functions of a Security Policy

A comprehensive security policy fulfills these essential functions:

• Protects people and information
• Sets the rules for expected behavior by users, system administrators, management, and security personnel
• Authorizes security personnel to monitor, probe, and investigate
• Defines and authorizes the consequences of violations

Exploration 4-chapter 3

July 6, 2010

Frame Relay reduces network costs by using less equipment, less complexity, and an easier implementation. Moreover, Frame Relay provides greater bandwidth, reliability, and resiliency than private or leased lines. With increasing globalization and the growth of one-to-many branch office topologies, Frame Relay offers simpler network architecture and lower cost of ownership.
Frame Relay is widely deployed primarily because it is inexpensive compared to dedicated lines. In addition, configuring user equipment in a Frame Relay network is very simple. Frame Relay connections are created by configuring CPE routers or other devices to communicate with a service provider Frame Relay switch.
Virtual Circuits
The connection through a Frame Relay network between two DTEs is called a virtual circuit (VC). The circuits are virtual because there is no direct electrical connection from end to end. The connection is logical, and data moves from end to end, without a direct electrical circuit.
There are two ways to establish VCs:
• SVCs, switched virtual circuits, are established dynamically by sending signaling messages to the network (CALL SETUP, DATA TRANSFER, IDLE, CALL TERMINATION).
• PVCs, permanent virtual circuits, are preconfigured by the carrier, and after they are set up, only operate in DATA TRANSFER and IDLE modes. Note that some publications refer to PVCs as private VCs.
Multiple VCs

Frame Relay is statistically multiplexed, meaning that it transmits only one frame at a time, but that many logical connections can co-exist on a single physical line. The Frame Relay Access Device (FRAD) or router connected to the Frame Relay network may have multiple VCs connecting it to various endpoints. Multiple VCs on a single physical line are distinguished because each VC has its own DLCI.
Star topology
In a star topology, the location of the hub is usually chosen by the lowest leased-line cost.
FR Star
The lines going out from the cloud represent the connections from the Frame Relay service provider and terminate at the customer premises.
Full Mesh Topology
Full mesh topology using dedicated lines. A full mesh topology suits a situation in which the services to be accessed are geographically dispersed and highly reliable access to them is required. A full mesh topology connects every site to every other site. Using leased-line interconnections, additional serial interfaces and lines add costs.
FR Full Mesh
Using Frame Relay, a network designer can build multiple connections simply by configuring additional VCs on each existing link. This software upgrade grows the star topology to a full mesh topology without the expense of additional hardware or dedicated lines. Multiple VCs on an access link generally make better use of Frame Relay than single VCs.
Inverse ARP
The Inverse Address Resolution Protocol, also called Inverse ARP, obtains Layer 3 addresses of other stations from Layer 2 addresses, such as the DLCI in Frame Relay networks. It is primarily used in Frame Relay and ATM networks, where Layer 2 addresses of VCs are sometimes obtained from Layer 2 signaling, and the corresponding Layer 3 addresses must be available before these VCs can be used.
Dynamic Mapping
Dynamic address mapping relies on Inverse ARP to resolve a next hop network protocol address to a local DLCI value. The Frame Relay router sends out Inverse ARP requests on its PVC to discover the protocol address of the remote device connected to the Frame Relay network.
Inverse ARP is enabled by default for all protocols enabled on the physical interface. Inverse ARP packets are not sent out for protocols that are not enabled on the interface.
Dynamic Inverse ARP relies on the presence of a direct point-to-point connection between two ends.
Static Mapping
The user can choose to override dynamic Inverse ARP mapping by supplying a manual static mapping for the next hop protocol address to a local DLCI. A static map works similarly to dynamic Inverse ARP by associating a specified next hop protocol address to a local Frame Relay DLCI.
Local Management Interface (LMI)
The LMI is a keepalive mechanism that provides status information about Frame Relay connections between the router (DTE) and the Frame Relay switch (DCE). Every 10 seconds or so, the end device polls the network, either requesting a dumb sequenced response or channel status information. If the network does not respond with the requested information, the user device may consider the connection to be down.
Three types of LMIs are supported by Cisco routers:

• cisco – The original Cisco LMI extension
• ansi – Corresponding to the ANSI standard T1.617 Annex D
• q933a – Corresponding to the ITU-T standard Q.933 Annex A
Using the Broadcast Keyword
Frame Relay, ATM, and X.25 are nonbroadcast multiaccess (NBMA) networks. NBMA networks allow only data transfer from one computer to another over a VC or across a switching device. NBMA networks do not support multicast or broadcast traffic, so a single packet cannot reach all destinations.
Because NBMA does not support broadcast traffic, using the broadcast keyword is a simplified way to forward routing updates. The broadcast keyword allows broadcasts and multicasts over the PVC and, in effect, turns the broadcast into a unicast so that the other node gets the routing updates.
Split Horizon

By default, a Frame Relay network provides NBMA connectivity between remote sites. NBMA clouds usually use a hub-and-spoke topology.
Split horizon is a technique used to prevent routing loops in networks using distance vector routing protocols. Split horizon reduces routing loops by preventing a routing update received on one interface from being forwarded out the same interface.
Problem: Broadcast traffic must be replicated for each active connection.
Frame Relay Subinterfaces

Frame Relay can partition a physical interface into multiple virtual interfaces called subinterfaces. A subinterface is simply a logical interface that is directly associated with a physical interface.
A partially meshed network can be divided into a number of smaller, fully meshed, point-to-point networks.
Frame Relay subinterfaces can be configured in either point-to-point or multipoint mode:

• Point-to-point – A single point-to-point subinterface establishes one PVC connection to another physical interface or subinterface on a remote router. In this case, each pair of the point-to-point routers is on its own subnet, and each point-to-point subinterface has a single DLCI. In a point-to-point environment, each subinterface is acting like a point-to-point interface. Typically, there is a separate subnet for each point-to-point VC. Therefore, routing update traffic is not subject to the split horizon rule.
• Multipoint – A single multipoint subinterface establishes multiple PVC connections to multiple physical interfaces or subinterfaces on remote routers. All the participating interfaces are in the same subnet. The subinterface acts like an NBMA Frame Relay interface, so routing update traffic is subject to the split horizon rule. Typically, all multipoint VCs belong to the same subnet.
In a subinterface configuration, each VC can be configured as a point-to-point connection. This allows each subinterface to act similarly to a leased line.
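To see why the point-to-point form matters for the split horizon problem above, here is a small distance-vector model of a hub with two spokes. It is an added example written for these notes, not Cisco code or course material: the router names, interface names and prefixes are made up, and only the split-horizon rule itself (a route is never advertised back out the interface it was learned on, connected networks included) is modelled. It runs the same hub-and-spoke scenario first over one multipoint interface and then over point-to-point subinterfaces, and reports what the second spoke ends up knowing.

```python
"""Split horizon on a Frame Relay hub-and-spoke: one multipoint interface
versus point-to-point subinterfaces.

Added example, not from the course notes. It models only the distance-vector
split-horizon rule (a route is never advertised back out the interface it was
learned on, connected networks included). Router names, interface names and
prefixes are made up for the illustration.
"""
from collections import defaultdict


class DvRouter:
    def __init__(self, name: str, connected: dict[str, str]):
        self.name = name
        # prefix -> (metric, interface it was learned on); connected = metric 0
        self.routes: dict[str, tuple[int, str]] = {
            net: (0, ifc) for ifc, net in connected.items()}
        # interface -> [(neighbor router, neighbor's interface)]
        self.links: dict[str, list[tuple["DvRouter", str]]] = defaultdict(list)

    def advertisement(self, out_ifc: str, split_horizon: bool = True) -> dict[str, int]:
        """Routes this router sends out out_ifc."""
        return {net: metric for net, (metric, learned_on) in self.routes.items()
                if not (split_horizon and learned_on == out_ifc)}

    def receive(self, in_ifc: str, update: dict[str, int]) -> bool:
        """Install better routes from a neighbor's update; report any change."""
        changed = False
        for net, metric in update.items():
            candidate = metric + 1
            if net not in self.routes or candidate < self.routes[net][0]:
                self.routes[net] = (candidate, in_ifc)
                changed = True
        return changed


def connect(a: DvRouter, a_ifc: str, b: DvRouter, b_ifc: str) -> None:
    """One PVC between a's and b's interfaces: the only adjacencies an NBMA cloud gives us."""
    a.links[a_ifc].append((b, b_ifc))
    b.links[b_ifc].append((a, a_ifc))


def converge(routers: list[DvRouter], split_horizon: bool = True, rounds: int = 16) -> None:
    """Exchange periodic updates until nothing changes (or the round limit is hit)."""
    for _ in range(rounds):
        changed = False
        for r in routers:
            for ifc, neighbors in r.links.items():
                update = r.advertisement(ifc, split_horizon)
                for nbr, nbr_ifc in neighbors:
                    changed |= nbr.receive(nbr_ifc, update)
        if not changed:
            return


def spoke_b_routes(point_to_point: bool, split_horizon: bool = True) -> dict[str, int]:
    """Build hub + two spokes and return spoke B's table as prefix -> metric."""
    if point_to_point:
        # hub uses one point-to-point subinterface (its own /30) per PVC
        hub = DvRouter("Hub", {"S0/0/0.1": "10.0.1.0/30", "S0/0/0.2": "10.0.2.0/30"})
        spoke_a = DvRouter("SpokeA", {"S0/0/0": "10.0.1.0/30", "Fa0/0": "192.168.1.0/24"})
        spoke_b = DvRouter("SpokeB", {"S0/0/0": "10.0.2.0/30", "Fa0/0": "192.168.2.0/24"})
        connect(hub, "S0/0/0.1", spoke_a, "S0/0/0")
        connect(hub, "S0/0/0.2", spoke_b, "S0/0/0")
    else:
        # hub terminates both PVCs on one multipoint interface in one subnet
        hub = DvRouter("Hub", {"S0/0/0": "10.0.0.0/24"})
        spoke_a = DvRouter("SpokeA", {"S0/0/0": "10.0.0.0/24", "Fa0/0": "192.168.1.0/24"})
        spoke_b = DvRouter("SpokeB", {"S0/0/0": "10.0.0.0/24", "Fa0/0": "192.168.2.0/24"})
        connect(hub, "S0/0/0", spoke_a, "S0/0/0")
        connect(hub, "S0/0/0", spoke_b, "S0/0/0")
    converge([hub, spoke_a, spoke_b], split_horizon)
    return {net: metric for net, (metric, _) in spoke_b.routes.items()}


if __name__ == "__main__":
    for p2p in (False, True):
        label = "point-to-point subinterfaces" if p2p else "multipoint interface"
        print(label, spoke_b_routes(p2p))
```

With the single multipoint interface the hub learns SpokeA's LAN on S0/0/0, and split horizon stops it advertising that prefix back out S0/0/0, so SpokeB never learns 192.168.1.0/24. With a subinterface per PVC the route arrives on S0/0/0.1 and leaves on S0/0/0.2, and no rule is violated. Disabling split horizon on the multipoint interface also makes the route appear, at the cost of the loop protection the rule exists to provide.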
Bursting

A great advantage of Frame Relay is that any network capacity that is being unused is made available or shared with all customers, usually at no extra charge.
Bursting allows devices that temporarily need additional bandwidth to borrow it at no extra cost from other devices not using it.
Various terms are used to describe burst rates including the Committed Burst Information Rate (CBIR) and Excess Burst (BE) size.
The CBIR is a negotiated rate above the CIR which the customer can use to transmit for short bursts. It allows traffic to burst to higher speeds, as available network bandwidth permits.
The BE is the term used to describe the bandwidth available above the CBIR up to the access rate of the link. Unlike the CBIR, it is not negotiated. Frames may be transmitted at this level but will most likely be dropped.
Frame Relay reduces network overhead by implementing simple congestion-notification mechanisms rather than explicit, per-VC flow control. These congestion-notification mechanisms are the Forward Explicit Congestion Notification (FECN) and the Backward Explicit Congestion Notification (BECN).
FECN and BECN are each controlled by a single bit contained in the frame header. They let the router know that there is congestion and that the router should stop transmission until the condition is reversed.
BECN is a direct notification. FECN is an indirect one.
The frame header also contains a Discard Eligibility (DE) bit, which identifies less important traffic that can be dropped during periods of congestion.
In periods of congestion, the provider’s Frame Relay switch applies the following logic rules to each incoming frame based on whether the CIR is exceeded:

• If the incoming frame does not exceed the CIR, the frame is passed.
• If an incoming frame exceeds the CIR, it is marked DE.
• If an incoming frame exceeds the CIR plus the BE, it is discarded.
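The congestion bits and the three policing rules above can be made concrete with a parser for the two-octet Frame Relay address field and a policer that applies the rules to one interval of frames. This is an added example written for these notes, not part of the course material: the DLCI values, byte budgets and frame sizes are made up, and the per-interval byte budget is a simplification of a real switch's token bucket (the committed and excess burst sizes are defined over a measurement interval).

```python
"""Frame Relay address field (ITU-T Q.922) and a simplified CIR/DE policer.

Added example, not from the course notes. The two-octet address layout
(DLCI, C/R, EA, FECN, BECN, DE) is the standard one; the policer applies the
three rules listed above over one measurement interval using a byte budget,
a simplification of a real switch's token-bucket logic. DLCI values, byte
budgets and frame sizes below are made up.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FrAddress:
    dlci: int           # 10-bit DLCI, locally significant
    cr: bool = False    # command/response bit, passed through untouched
    fecn: bool = False  # forward explicit congestion notification
    becn: bool = False  # backward explicit congestion notification
    de: bool = False    # discard eligibility

    def pack(self) -> bytes:
        """Octet 1: DLCI high 6 bits, C/R, EA=0.  Octet 2: DLCI low 4 bits, FECN, BECN, DE, EA=1."""
        if not 0 <= self.dlci <= 0x3FF:
            raise ValueError("DLCI must fit in 10 bits")
        octet1 = (((self.dlci >> 4) & 0x3F) << 2) | (int(self.cr) << 1)
        octet2 = (((self.dlci & 0x0F) << 4) | (int(self.fecn) << 3)
                  | (int(self.becn) << 2) | (int(self.de) << 1) | 0x01)
        return bytes([octet1, octet2])

    @classmethod
    def unpack(cls, hdr: bytes) -> "FrAddress":
        """Parse a two-octet address field; the EA bits reject 3- and 4-octet forms."""
        if len(hdr) < 2 or (hdr[0] & 0x01) or not (hdr[1] & 0x01):
            raise ValueError("expected a two-octet Q.922 address field")
        dlci = (((hdr[0] >> 2) & 0x3F) << 4) | ((hdr[1] >> 4) & 0x0F)
        return cls(dlci=dlci, cr=bool(hdr[0] & 0x02), fecn=bool(hdr[1] & 0x08),
                   becn=bool(hdr[1] & 0x04), de=bool(hdr[1] & 0x02))


@dataclass
class PvcPolicer:
    """Ingress policer for one PVC over one interval: bytes within CIR pass,
    bytes within the excess burst are carried only as discard eligible,
    anything beyond that is dropped at the ingress switch."""
    cir_bytes: int   # CIR multiplied by the measurement interval
    be_bytes: int    # excess burst allowed in the same interval
    used: int = 0    # bytes accepted so far this interval

    def new_interval(self) -> None:
        self.used = 0

    def police(self, hdr: FrAddress, length: int) -> tuple[str, FrAddress]:
        """Apply the three rules to one frame; return the verdict and the header to forward."""
        self.used += length
        if self.used <= self.cir_bytes:
            return "pass", hdr
        if self.used <= self.cir_bytes + self.be_bytes:
            return "mark-de", replace(hdr, de=True)
        return "discard", hdr


def switch_interval(policer: PvcPolicer, frames: list[tuple[bytes, int]],
                    congested: bool = False) -> tuple[dict[str, int], list[FrAddress]]:
    """Police one interval of (raw address field, frame length) pairs arriving on a PVC.
    Returns the verdict counts and the headers actually forwarded. When the outbound
    queue is congested, forwarded frames get FECN set so the receiver learns of it;
    BECN would be set on frames travelling back toward this sender."""
    counts = {"pass": 0, "mark-de": 0, "discard": 0}
    forwarded: list[FrAddress] = []
    for raw, length in frames:
        verdict, hdr = policer.police(FrAddress.unpack(raw), length)
        counts[verdict] += 1
        if verdict != "discard":
            forwarded.append(replace(hdr, fecn=True) if congested else hdr)
    return counts, forwarded


if __name__ == "__main__":
    # Constructed input: five 600-byte frames on DLCI 102 against a 1500-byte CIR
    # budget and a 1000-byte excess burst, with congestion downstream.
    hdr = FrAddress(dlci=102).pack()
    counts, out = switch_interval(PvcPolicer(cir_bytes=1500, be_bytes=1000),
                                  [(hdr, 600)] * 5, congested=True)
    print(counts)                                  # {'pass': 2, 'mark-de': 2, 'discard': 1}
    print([(h.dlci, h.fecn, h.de) for h in out])
```

The DE bit is the only thing the policer writes; FECN and BECN are set by whichever switch actually sees the congestion, which is why a router reading them (show frame-relay pvc counts them) learns about a queue somewhere in the provider's cloud, not at its own port.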
Use the show frame-relay lmi command to view LMI statistics. In the output, look for any non-zero “Invalid” items. This helps isolate the problem to a Frame Relay communications issue between the carrier’s switch and your router.
Use the show frame-relay pvc [interface interface] [dlci] command to view PVC and traffic statistics. This command is also useful for viewing the number of BECN and FECN packets received by the router.
The show frame-relay pvc command displays the status of all the PVCs configured on the router. You can also specify a particular PVC.
Use the debug frame-relay lmi command to determine whether the router and the Frame Relay switch are sending and receiving LMI packets properly.
A PVC reported by these commands is in one of three states: active, inactive, or deleted.

• ACTIVE state indicates a successful end-to-end (DTE to DTE) circuit.
• INACTIVE state indicates a successful connection to the switch (DTE to DCE) without a DTE detected on the other end of the PVC. This can occur due to residual or incorrect configuration on the switch.
• DELETED state indicates that the DTE is configured for a DLCI the switch does not recognize as valid for that interface.

Short definitions

• DLCI – Data Link Connection Identifier. VCs are identified by DLCIs, and the DLCI values are assigned by the Frame Relay service provider. Frame Relay DLCIs have local significance and no significance beyond the single link: a DLCI identifies a VC to the equipment at an endpoint.
• LMI – Local Management Interface. LMI is a keepalive mechanism that provides status information about Frame Relay connections between the router (DTE) and the Frame Relay switch (DCE). Three types of LMIs are supported by Cisco routers: cisco, ansi, and q933a.
• Inverse ARP – Inverse Address Resolution Protocol obtains Layer 3 addresses of other stations from Layer 2 addresses, such as the DLCI in Frame Relay networks (the reverse of what ARP does). It is primarily used in Frame Relay and ATM networks, where Layer 2 addresses of VCs are sometimes obtained from Layer 2 signaling, and the corresponding Layer 3 addresses must be available before these VCs can be used.
• Access rate (or port speed) – The capacity of the local loop. The line is charged based on the port speed between the DTE and the DCE (customer to service provider).
• CIR – Committed Information Rate. The capacity through the local loop guaranteed by the provider. Customers normally choose a CIR lower than the access rate so they can take advantage of bursts.
• CBIR – Committed Burst Information Rate. The negotiated maximum to which a frame is allowed to burst above the CIR; frames in this range are marked discard eligible (DE). It cannot exceed the access rate of the link.
• BE – Excess Burst. The amount of data above the CBIR, up to the access rate, that frames may use to burst with no guarantee. These frames are also marked DE and cannot exceed the access rate of the link.

Exploration 4-chapter 2

July 6, 2010

• With a serial connection, information is sent across one wire, one data bit at a time. The 9-pin serial connector on most PCs uses two loops of wire, one in each direction, for data communication, plus additional wires to control the flow of information. In any given direction, data is still flowing over a single wire.
• A parallel connection sends the bits over more wires simultaneously. In the case of the 25-pin parallel port on your PC, there are eight data-carrying wires to carry 8 bits simultaneously. Because there are eight wires to carry the data, the parallel link theoretically transfers data eight times faster than a serial connection. So based on this theory, a parallel connection sends a byte in the time a serial connection sends a bit.
In a parallel connection, it is wrong to assume that the 8 bits leaving the sender at the same time arrive at the receiver at the same time. Rather, some of the bits get there later than others. This is known as clock skew.
At higher frequencies, crosstalk causes bytes to be dropped. Parallel wires are physically bundled in a parallel cable, and signals can imprint themselves on each other. The possibility of crosstalk across the wires requires more processing, especially at higher frequencies.
There are three key serial communication standards affecting LAN-to-WAN connections:

RS-232 – Most serial ports on personal computers conform to the RS-232C or newer RS-422 and RS-423 standards. Both 9-pin and 25-pin connectors are used. A serial port is a general-purpose interface that can be used for almost any type of device, including modems, mice, and printers. Many network devices use RJ-45 connectors that also conform to the RS-232 standard. The figure shows an example of an RS-232 connector.
V.35 – Typically used for modem-to-multiplexer communication, this ITU standard for high-speed, synchronous data exchange combines the bandwidth of several telephone circuits. In the U.S., V.35 is the interface standard used by most routers and DSUs that connect to T1 carriers. V.35 cables are high-speed serial assemblies designed to support higher data rates and connectivity between DTEs and DCEs over digital lines. There is more on DTEs and DCEs later in this section.
HSSI – A High-Speed Serial Interface (HSSI) supports transmission rates up to 52 Mb/s. Engineers use HSSI to connect routers on LANs with WANs over high-speed lines such as T3 lines. Engineers also use HSSI to provide high-speed connectivity between LANs, using Token Ring or Ethernet. HSSI is a DTE/DCE interface developed by Cisco Systems and T3plus Networking to address the need for high-speed communication over WAN links.
Time Division Multiplexing

Bell Laboratories invented time-division multiplexing (TDM) to maximize the amount of voice traffic carried over a medium. Before multiplexing, each telephone call required its own physical link. This was an expensive and unscalable solution.
Statistical Time-Division Multiplexing (STDM)
Statistical time-division multiplexing (STDM) was developed to overcome the inefficiency of fixed TDM, which reserves a time slot for each channel whether or not that channel has data to send. STDM uses a variable time slot length, allowing channels to compete for any free slot space. It employs a buffer memory that temporarily stores the data during periods of peak traffic. With this scheme, STDM does not waste high-speed line time on inactive channels.
TDM Examples – ISDN and SONET
On a larger scale, the telecommunications industry uses the SONET or SDH standard for optical transport of TDM data.
Demarcation Point
The demarcation point marks the point where your network interfaces with the network owned by another organization. In telephone terminology, this is the interface between customer-premises equipment (CPE) and network service provider equipment. The demarcation point is the point in the network where the responsibility of the service provider ends.
DTE-DCE
A serial connection has a DTE device at one end of the connection and a DCE device at the other end. The connection between the two DCE devices is the WAN service provider transmission network. In this case:
• The CPE, which is generally a router, is the DTE. The DTE could also be a terminal, computer, printer, or fax machine if they connect directly to the service provider network.
• The DCE, commonly a modem or CSU/DSU, is the device used to convert the user data from the DTE into a form acceptable to the WAN service provider transmission link. This signal is received at the remote DCE, which decodes the signal back into a sequence of bits. The remote DCE then signals this sequence to the remote DTE.
The more common WAN protocols and where they are used are shown in the figure; short descriptions follow:

• HDLC – The default encapsulation type on point-to-point connections, dedicated links, and circuit-switched connections when the link uses two Cisco devices. HDLC is now the basis for synchronous PPP used by many servers to connect to a WAN, most commonly the Internet.
• PPP – Provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. PPP works with several Network layer protocols, such as IP and IPX. PPP also has built-in security mechanisms such as PAP and CHAP. Most of this chapter deals with PPP.
• Serial Line Internet Protocol (SLIP) – A standard protocol for point-to-point serial connections using TCP/IP. SLIP has been largely displaced by PPP.
• X.25/Link Access Procedure, Balanced (LAPB) – ITU-T standard that defines how connections between a DTE and DCE are maintained for remote terminal access and computer communications in public data networks. X.25 specifies LAPB, a Data Link layer protocol. X.25 is a predecessor to Frame Relay.
• Frame Relay – Industry standard, switched, Data Link layer protocol that handles multiple virtual circuits. Frame Relay is a next generation protocol after X.25. Frame Relay eliminates some of the time-consuming processes (such as error correction and flow control) employed in X.25. The next chapter is devoted to Frame Relay.
• ATM – The international standard for cell relay in which devices send multiple service types (such as voice, video, or data) in fixed-length (53-byte) cells. Fixed-length cells allow processing to occur in hardware, thereby reducing transit delays. ATM takes advantages of high-speed transmission media such as E3, SONET, and T3.
HDLC Frame Types
• Flag – The flag field marks the beginning and end of each frame, and so bounds the span covered by error checking. The frame always starts and ends with an 8-bit flag field (01111110).
What is PPP?
Cisco HDLC can only work with other Cisco devices. However, when you need to connect to a non-Cisco router, you should use PPP encapsulation.

PPP encapsulation has been carefully designed to retain compatibility with most commonly used supporting hardware. PPP encapsulates data frames for transmission over Layer 2 physical links.
• The link quality management feature monitors the quality of the link. If too many errors are detected, PPP takes the link down.
• PPP supports PAP and CHAP authentication. This feature is explained and practiced in a later section.
PPP contains three main components:

• HDLC protocol for encapsulating datagrams over point-to-point links.
• Extensible Link Control Protocol (LCP) to establish, configure, and test the data link connection.
• Family of Network Control Protocols (NCPs) for establishing and configuring different Network layer protocols. PPP allows the simultaneous use of multiple Network layer protocols. Some of the more common NCPs are Internet Protocol Control Protocol, Appletalk Control Protocol, Novell IPX Control Protocol, Cisco Systems Control Protocol, SNA Control Protocol, and Compression Control Protocol.
The LCP sets up the PPP connection and its parameters, the NCPs handle higher layer protocol configurations, and the LCP terminates the PPP connection.
The LCP provides automatic configuration of the interfaces at each end, including:

• Handling varying limits on packet size
• Detecting common misconfiguration errors
• Terminating the link
• Determining when a link is functioning properly or when it is failing

PPP also uses the LCP to agree automatically on encapsulation formats (authentication, compression, error detection) as soon as the link is established.
NCPs include functional fields containing standardized codes (PPP protocol field numbers shown in the figure) to indicate the Network layer protocol that PPP encapsulates. Each NCP manages the specific needs required by its respective Network layer protocols. The various NCP components encapsulate and negotiate options for multiple Network layer protocols.
IPCP negotiates two options:

• Compression – Allows devices to negotiate an algorithm to compress TCP and IP headers and save bandwidth. Van Jacobson TCP/IP header compression reduces the size of the TCP/IP headers to as few as 3 bytes. This can be a significant improvement on slow serial lines, particularly for interactive traffic.
• IP-Address – Allows the initiating device to specify an IP address to use for routing IP over the PPP link, or to request an IP address for the responder. Dialup network links commonly use the IP address option.
PPP may include the following LCP options:

• Authentication – Peer routers exchange authentication messages. Two authentication choices are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Authentication is explained in the next section.
• Compression – Increases the effective throughput on PPP connections by reducing the amount of data in the frame that must travel across the link. The protocol decompresses the frame at its destination. Two compression protocols available in Cisco routers are Stacker and Predictor.
• Error detection – Identifies fault conditions. The Quality and Magic Number options help ensure a reliable, loop-free data link. The Magic Number field helps in detecting links that are in a looped-back condition. Until the Magic-Number Configuration Option has been successfully negotiated, the Magic-Number must be transmitted as zero. Magic numbers are generated randomly at each end of the connection.
• Multilink – Cisco IOS Release 11.1 and later supports multilink PPP. This alternative provides load balancing over the router interfaces that PPP uses. Multilink PPP (also referred to as MP, MPPP, MLP, or Multilink) provides a method for spreading traffic across multiple physical WAN links while providing packet fragmentation and reassembly, proper sequencing, multivendor interoperability, and load balancing on inbound and outbound traffic. Multilink is not covered in this course.
• PPP Callback – To enhance security, Cisco IOS Release 11.1 and later offers callback over PPP. With this LCP option, a Cisco router can act as a callback client or a callback server. The client makes the initial call, requests that the server call it back, and terminates its initial call. The callback router answers the initial call and makes the return call to the client based on its configuration statements. The command is ppp callback [accept | request].
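The Magic-Number loop check above is easy to get wrong, so here is an added example, written for these notes and not taken from Cisco or the course, that builds and parses LCP Configure-Request, Configure-Ack and Configure-Nak packets carrying the Magic-Number option and detects a looped-back line by seeing its own number come back. Requiring three consecutive sightings before declaring the loop is this example's choice (RFC 1661 only says a repeated match indicates a loop), and the seeded random generators exist solely to make runs repeatable.

```python
"""LCP Magic-Number negotiation and looped-back link detection (RFC 1661, 6.4).

Added example, not from the course notes and not Cisco IOS code. The packet
layout is the LCP one: Code, Identifier, Length, then Type/Length/Data
options, with Magic-Number as option type 5, length 6. Requiring three
consecutive sightings of our own number before declaring a loop is this
example's choice; the seeded RNGs only make runs repeatable.
"""
import random
import struct
from typing import Optional

CONF_REQ, CONF_ACK, CONF_NAK = 1, 2, 3
OPT_MAGIC = 5
LOOP_THRESHOLD = 3


def build_lcp(code: int, ident: int, options: list[tuple[int, bytes]]) -> bytes:
    """Encode an LCP packet: each option is Type(1) Length(1, incl. header) Data."""
    body = b"".join(struct.pack("!BB", t, 2 + len(d)) + d for t, d in options)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_lcp(pkt: bytes) -> tuple[int, int, list[tuple[int, bytes]]]:
    """Decode an LCP packet, refusing lengths that run past the data."""
    if len(pkt) < 4:
        raise ValueError("truncated LCP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad LCP length")
    opts, pos = [], 4
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated option")
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad option length")
        opts.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, opts


class LcpPeer:
    """One end of the link; only the Magic-Number option is negotiated here."""

    def __init__(self, rng: random.Random):
        self.rng = rng
        self.magic = self._fresh_magic()
        self.ident = 0
        self.matches = 0            # consecutive requests carrying our own number
        self.looped_back = False

    def _fresh_magic(self) -> int:
        # Zero means "no magic number", so never pick it.
        m = 0
        while m == 0:
            m = self.rng.getrandbits(32)
        return m

    def configure_request(self) -> bytes:
        self.ident = (self.ident + 1) & 0xFF
        return build_lcp(CONF_REQ, self.ident, [(OPT_MAGIC, struct.pack("!I", self.magic))])

    def handle(self, pkt: bytes) -> Optional[bytes]:
        """Answer the peer's Configure-Request; other codes are ignored in this example."""
        code, ident, opts = parse_lcp(pkt)
        if code != CONF_REQ:
            return None
        magics = [struct.unpack("!I", d)[0] for t, d in opts if t == OPT_MAGIC and len(d) == 4]
        if magics and magics[0] == self.magic:
            # Our own number came back: Nak with a different value, change ours as well,
            # and count the sighting; seeing it repeatedly means the line is looped.
            self.matches += 1
            self.looped_back = self.matches >= LOOP_THRESHOLD
            self.magic = self._fresh_magic()
            return build_lcp(CONF_NAK, ident, [(OPT_MAGIC, struct.pack("!I", self.magic))])
        self.matches = 0
        return build_lcp(CONF_ACK, ident, opts)


def make_peer(seed: int) -> LcpPeer:
    return LcpPeer(random.Random(seed))


def exchange(sender: LcpPeer, responder: LcpPeer, rounds: int = LOOP_THRESHOLD) -> list[int]:
    """sender issues a Configure-Request each round and responder answers it.
    Passing the same object for both models a looped-back line, where every
    frame sent is received again unchanged. Returns the reply codes seen."""
    codes = []
    for _ in range(rounds):
        reply = responder.handle(sender.configure_request())
        codes.append(parse_lcp(reply)[0])
    return codes


if __name__ == "__main__":
    a, b = make_peer(1), make_peer(2)
    print("normal link:", exchange(a, b), "looped:", a.looped_back)   # [2, 2, 2] False
    c = make_peer(3)
    print("looped line:", exchange(c, c), "looped:", c.looped_back)   # [3, 3, 3] True
```

The check only works because each side's number is random and changes after every Nak; a router that used a fixed or zero magic number would never be able to tell its own request from the peer's.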
You can use the debug ppp error command to display protocol errors and error statistics associated with PPP connection negotiation and operation.
PAP Authentication Protocol
PAP is a very basic two-way process. There is no encryption: the username and password are sent in plain text in an Authenticate-Request, and if the authenticator accepts them, the connection is allowed. CHAP is more secure than PAP. It is a three-way handshake (challenge, response, success or failure) in which the shared secret itself is never sent; the response is a one-way hash of the challenge and the secret.
Challenge Handshake Authentication Protocol (CHAP)
Unlike PAP, which only authenticates once, CHAP conducts periodic challenges to make sure that the remote node still has a valid password value.
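To show the difference on the wire, here is an added example, written for these notes rather than taken from Cisco or the course, that builds a PAP Authenticate-Request next to a CHAP challenge/response exchange between a hypothetical hub router R1 and branch router R2 sharing a made-up secret. The PAP packet carries the password verbatim; the CHAP response carries only the MD5 of identifier, secret and challenge, and the authenticator forgets each challenge after one answer. Calling challenge() again on a live link is the periodic re-authentication described above.

```python
"""PAP Authenticate-Request (RFC 1334) next to a CHAP challenge/response (RFC 1994).

Added example, not from the course notes. Packet layouts follow the RFCs;
the peer names R1/R2 and the secret are made up. The authenticator keeps one
outstanding challenge and discards it after use, so a captured response
cannot be replayed against a later challenge.
"""
import hashlib
import os
import secrets
import struct
from typing import Callable, Optional

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP code 1: Code, Identifier, Length, Peer-ID-Length, Peer-ID, Passwd-Length, Password.
    The password travels in the clear, which is the whole problem with PAP."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


def chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """CHAP Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(pkt: bytes) -> tuple[int, int, bytes, bytes]:
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 5:
        raise ValueError("bad CHAP length")
    vsize = pkt[4]
    if 5 + vsize > length:
        raise ValueError("bad Value-Size")
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:length]


def chap_response_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5 over Identifier || secret || challenge; the secret itself never leaves the host."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """The side that issues challenges (e.g. the hub router) and checks responses."""

    def __init__(self, name: bytes, secrets_by_peer: dict[bytes, bytes],
                 rng: Callable[[int], bytes] = os.urandom):
        self.name = name
        self.secrets_by_peer = secrets_by_peer
        self.rng = rng
        self.ident = 0
        self.outstanding: Optional[tuple[int, bytes]] = None

    def challenge(self) -> bytes:
        """Sent at link-up and again periodically: CHAP re-challenges the peer."""
        self.ident = (self.ident + 1) & 0xFF
        value = self.rng(16)
        self.outstanding = (self.ident, value)
        return chap_packet(CHAP_CHALLENGE, self.ident, value, self.name)

    def verify(self, response: bytes) -> bytes:
        """Return a CHAP Success or Failure packet for the given Response."""
        code, ident, value, name = parse_chap(response)
        ok = False
        if code == CHAP_RESPONSE and self.outstanding and ident == self.outstanding[0]:
            secret = self.secrets_by_peer.get(name)
            if secret is not None:
                expected = chap_response_value(ident, secret, self.outstanding[1])
                ok = secrets.compare_digest(expected, value)
        self.outstanding = None   # one challenge, one answer: an old response cannot be replayed
        return struct.pack("!BBH", CHAP_SUCCESS if ok else CHAP_FAILURE, ident, 4)


def chap_answer(challenge_pkt: bytes, my_name: bytes, secret: bytes) -> bytes:
    """The challenged side (e.g. a branch router) builds its Response."""
    code, ident, value, _peer_name = parse_chap(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP Challenge")
    return chap_packet(CHAP_RESPONSE, ident, chap_response_value(ident, secret, value), my_name)


def chap_outcome(reply: bytes) -> bool:
    return reply[0] == CHAP_SUCCESS


if __name__ == "__main__":
    print("PAP on the wire:", pap_authenticate_request(1, b"R2", b"cisco123"))
    r1 = ChapAuthenticator(b"R1", {b"R2": b"cisco123"})
    ch = r1.challenge()
    resp = chap_answer(ch, b"R2", b"cisco123")
    print("CHAP response on the wire:", resp)
    print("accepted:", chap_outcome(r1.verify(resp)))            # True
```

The secret still has to be stored in recoverable form on both routers, and a captured challenge and response lets an attacker test guesses offline, so CHAP's strength rests on the quality of the secret as much as on the handshake.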

Exploration 4-chapter 1

June 17, 2010

Here are the three major characteristics of WANs:

• WANs generally connect devices that are separated by a broader geographical area than can be served by a LAN.
• WANs use the services of carriers, such as telephone companies, cable companies, satellite systems, and network providers.
• WANs use serial connections of various types to provide access to bandwidth over large geographic areas.
LAN technologies provide both speed and cost-efficiency for the transmission of data in organizations over relatively small geographic areas.
Let us look at an example of a fictitious company called Span Engineering, and watch how its network requirements change as the company grows from a small local business into a global enterprise.
Campus (Multiple LANs)

Five years later, Span Engineering has grown rapidly. As the owners had hoped, the company was contracted to design and implement a full-sized waste conversion facility soon after the successful implementation of their first pilot plant.
Branch (WAN)
Another five years later, Span Engineering has been so successful with its patented process that demand for its services has skyrocketed, and new projects are now being built in other cities. To manage those projects, the company has opened small branch offices closer to the project sites.
Distributed (Global)
Span Engineering has now been in business for 20 years and has grown to thousands of employees distributed in offices worldwide. The cost of the network and its related services is now a significant expense.
Enterprise Architecture
To help prevent network growth from turning into this kind of unplanned expense, Cisco has developed a recommended architecture called the Cisco Enterprise Architecture that has relevance to the different stages of growth of a business.
This architecture is designed to provide network planners with a roadmap for network growth as the business moves through different stages.
Enterprise Campus Architecture

A campus network is a building or group of buildings connected into one enterprise network that consists of many LANs.
Enterprise Edge Architecture

This module offers connectivity to voice, video, and data services outside the enterprise. This module enables the enterprise to use Internet and partner resources, and provide resources for its customers.
The Enterprise WAN and Metropolitan-Area Network (MAN) Architecture, to which the technologies covered later in this course apply, is considered part of this module.
Enterprise Branch Architecture

This module allows businesses to extend the applications and services found at the campus to thousands of remote locations and users or to a small group of branches. Much of this course focuses on the technologies that are often implemented in this module.

Enterprise Data Center Architecture

Data centers are responsible for managing and maintaining the many data systems that are vital to modern business operations. Employees, partners, and customers rely on data and resources in the data center to effectively create, collaborate, and interact.
Enterprise Teleworker Architecture

Many businesses today offer a flexible work environment to their employees, allowing them to telecommute from home offices. To telecommute is to leverage the network resources of the enterprise from home.
WANs and the OSI Model

As described in relation to the OSI reference model, WAN operations focus primarily on Layer 1 and Layer 2. WAN access standards typically describe both Physical layer delivery methods and Data Link layer requirements, including physical addressing, flow control, and encapsulation. WAN access standards are defined and managed by a number of recognized authorities, including the International Organization for Standardization (ISO), the Telecommunication Industry Association (TIA), and the Electronic Industries Alliance (EIA).

The Physical layer (OSI Layer 1) protocols describe how to provide electrical, mechanical, operational, and functional connections to the services of a communications service provider.

The Data Link layer (OSI Layer 2) protocols define how data is encapsulated for transmission toward a remote location and the mechanisms for transferring the resulting frames. A variety of different technologies are used, such as Frame Relay and ATM. Some of these protocols use the same basic framing mechanism, High-Level Data Link Control (HDLC), an ISO standard, or one of its subsets or variants.
Several terms are commonly used to describe physical WAN connections, including:

Customer Premises Equipment (CPE)-The devices and inside wiring located at the premises of the subscriber and connected with a telecommunication channel of a carrier. The subscriber either owns the CPE or leases the CPE from the service provider. A subscriber, in this context, is a company that arranges for WAN services from a service provider or carrier.
Data Communications Equipment (DCE)-Also called data circuit-terminating equipment, the DCE consists of devices that put data on the local loop. The DCE primarily provides an interface to connect subscribers to a communication link on the WAN cloud.
Data Terminal Equipment (DTE)-The customer devices that pass the data from a customer network or host computer for transmission over the WAN. The DTE connects to the local loop through the DCE.
Demarcation Point-A point established in a building or complex to separate customer equipment from service provider equipment. Physically, the demarcation point is the cabling junction box, located on the customer premises, that connects the CPE wiring to the local loop. It is usually placed for easy access by a technician.
Local Loop-The copper or fiber telephone cable that connects the CPE at the subscriber site to the CO of the service provider. The local loop is also sometimes called the “last-mile.”
Central Office (CO)-A local service provider facility or building where local telephone cables link to long-haul, all-digital, fiber-optic communications lines through a system of switches and other equipment.
WAN Devices
Modem-Modulates an analog carrier signal to encode digital information, and also demodulates the carrier signal to decode the transmitted information.
CSU/DSU-Digital lines, such as T1 or T3 carrier lines, require a channel service unit (CSU) and a data service unit (DSU). The two are often combined into a single piece of equipment, called the CSU/DSU. The CSU provides termination for the digital signal and ensures connection integrity through error correction and line monitoring. The DSU converts the T-carrier line frames into frames that the LAN can interpret and vice versa.
Access server-Concentrates dial-in and dial-out user communications. An access server may have a mixture of analog and digital interfaces and support hundreds of simultaneous users.
WAN switch-A multiport internetworking device used in carrier networks. These devices typically switch traffic such as Frame Relay, ATM, or X.25, and operate at the Data Link layer of the OSI reference model. Public switched telephone network (PSTN) switches may also be used within the cloud for circuit-switched connections like Integrated Services Digital Network (ISDN) or analog dialup.
Router-Provides internetworking and WAN access interface ports that are used to connect to the service provider network. These interfaces may be serial connections or other WAN interfaces.
Core router-A router that resides within the middle or backbone of the WAN rather than at its periphery. To fulfill this role, a router must be able to support multiple telecommunications interfaces of the highest speed in use in the WAN core, and it must be able to forward IP packets at full speed on all of those interfaces.
WAN Physical Layer Standards

WAN Physical layer protocols describe how to provide electrical, mechanical, operational, and functional connections for WAN services.
The DTE/DCE interface uses various Physical layer protocols, including:

EIA/TIA-232-This protocol allows signal speeds of up to 64 kb/s on a 25-pin D-connector over short distances. It was formerly known as RS-232. The ITU-T V.24 specification is effectively the same.
EIA/TIA-449/530-This protocol is a faster (up to 2 Mb/s) version of EIA/TIA-232. It uses a 36-pin D-connector and is capable of longer cable runs. There are several versions. This standard is also known as RS-422 and RS-423.
EIA/TIA-612/613-This standard describes the High-Speed Serial Interface (HSSI) protocol, which provides access to services up to 52 Mb/s on a 60-pin D-connector.
V.35-This is the ITU-T standard for synchronous communications between a network access device and a packet network. Originally specified to support data rates of 48 kb/s, it now supports speeds of up to 2.048 Mb/s using a 34-pin rectangular connector.
X.21-This protocol is an ITU-T standard for synchronous digital communications. It uses a 15-pin D-connector.
The most common WAN data-link protocols are:

HDLC
PPP
Frame Relay
ATM
WAN Encapsulation

Data from the Network layer is passed to the Data Link layer for delivery on a physical link, which is normally point-to-point on a WAN connection.
Circuit Switching

A circuit-switched network establishes a dedicated circuit (or channel) between the endpoints before the users can communicate. The internal path taken by the circuit between exchanges is shared by a number of conversations. Time-division multiplexing (TDM) gives each conversation a share of the connection in turn. TDM assures that a fixed capacity connection is made available to the subscriber.
PSTN and ISDN are two types of circuit-switching technology that may be used to implement a WAN in an enterprise setting.
Packet Switching

In contrast to circuit switching, packet switching splits traffic data into packets that are routed over a shared network. Packet-switching networks do not require a circuit to be established, and they allow many pairs of nodes to communicate over the same channel.
There are two approaches to this link determination, connectionless or connection-oriented.

Connectionless systems, such as the Internet, carry full addressing information in each packet. Each switch must evaluate the address to determine where to send the packet.
Connection-oriented systems predetermine the route for a packet, and each packet only has to carry an identifier. In the case of Frame Relay, these are called Data Link Connection Identifiers (DLCIs). The switch determines the onward route by looking up the identifier in tables held in memory.
Virtual Circuits

Packet-switched networks may establish routes through the switches for particular end-to-end connections. These routes are called virtual circuits.
Two types of VCs exist:
• Permanent Virtual Circuit (PVC)-A permanently established virtual circuit that consists of one mode: data transfer. PVCs are used in situations in which data transfer between devices is constant. PVCs decrease the bandwidth use associated with establishing and terminating VCs, but they increase costs because of constant virtual circuit availability.
• Switched Virtual Circuit (SVC)-A VC that is dynamically established on demand and terminated when transmission is complete. Communication over an SVC consists of three phases: circuit establishment, data transfer, and circuit termination. The establishment phase involves creating the VC between the source and destination devices. Data transfer involves transmitting data between the devices over the VC, and the circuit termination phase involves tearing down the VC between the source and destination devices.
Switched communication links can be either circuit switched or packet switched.

Circuit-switched communication links-Circuit switching dynamically establishes a dedicated virtual connection for voice or data between a sender and a receiver. Before communication can start, it is necessary to establish the connection through the network of the service provider. Examples of circuit-switched communication links are analog dialup (PSTN) and ISDN.
Packet-switched communication links-Many WAN users do not make efficient use of the fixed bandwidth that is available with dedicated, switched, or permanent circuits because the data flow fluctuates. Communications providers have data networks available to more appropriately service these users. In packet-switched networks, the data is transmitted in labeled frames, cells, or packets. Packet-switched communication links include Frame Relay, ATM, X.25, and Metro Ethernet.
There are two types of ISDN interfaces:

Basic Rate Interface (BRI)-ISDN is intended for the home and small enterprise and provides two 64 kb/s B channels and a 16 kb/s D channel. The BRI D channel is designed for control and often underused, because it has only two B channels to control. Therefore, some providers allow the D channel to carry data at low bit rates, such as X.25 connections at 9.6 kb/s.
Primary Rate Interface (PRI)-ISDN is also available for larger installations. PRI delivers 23 B channels with 64 kb/s and one D channel with 64 kb/s in North America, for a total bit rate of up to 1.544 Mb/s. This includes some additional overhead for synchronization. In Europe, Australia, and other parts of the world, ISDN PRI provides 30 B channels and one D channel, for a total bit rate of up to 2.048 Mb/s, including synchronization overhead. In North America, PRI corresponds to a T1 connection. The rate of international PRI corresponds to an E1 or J1 connection.
X.25

X.25 is a legacy Network layer protocol that provides subscribers with a network address. Virtual circuits can be established through the network with call request packets to the target address. The resulting SVC is identified by a channel number.
Frame Relay

Although the network layout appears similar to X.25, Frame Relay differs from X.25 in several ways. Most importantly, it is a much simpler protocol that works at the Data Link layer rather than the Network layer. Frame Relay implements no error or flow control. The simplified handling of frames leads to reduced latency, and measures taken to avoid frame build-up at intermediate switches help reduce jitter. Frame Relay offers data rates up to 4 Mb/s, with some providers offering even higher rates.
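The following is an added example (not part of the original notes) that shows what "the switch determines the onward route by looking up the identifier in tables" means for Frame Relay. It decodes the standard two-byte Q.922 address field (10-bit DLCI plus the C/R, FECN, BECN, DE and EA bits) and forwards frames through a constructed PVC table keyed on (ingress port, DLCI), rewriting the DLCI on egress. The switching table and the frames are constructed for illustration; the switch never inspects the payload, which is exactly why Frame Relay adds no error or flow control of its own.

```python
"""Frame Relay address-field parsing and DLCI-based switching.

Added example, not from the original notes. Handles the common 2-byte
Q.922 address (10-bit DLCI); the PVC table and frames are constructed.
"""
from dataclasses import dataclass


@dataclass
class FrAddress:
    dlci: int
    cr: bool = False    # command/response (passed through untouched)
    fecn: bool = False  # forward explicit congestion notification
    becn: bool = False  # backward explicit congestion notification
    de: bool = False    # discard eligibility


def parse_address(frame: bytes) -> FrAddress:
    """Decode the 2-byte address field at the start of a Frame Relay frame."""
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Relay address field")
    b0, b1 = frame[0], frame[1]
    # EA (address extension) bits: 0 in the first byte, 1 in the last byte.
    if (b0 & 0x01) != 0 or (b1 & 0x01) != 1:
        raise ValueError("only 2-byte address fields are handled")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)  # upper 6 bits in b0, lower 4 bits in b1
    return FrAddress(
        dlci=dlci,
        cr=bool(b0 & 0x02),
        fecn=bool(b1 & 0x08),
        becn=bool(b1 & 0x04),
        de=bool(b1 & 0x02),
    )


def build_address(addr: FrAddress) -> bytes:
    """Encode an address field; inverse of parse_address."""
    if not 0 <= addr.dlci < 1024:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((addr.dlci >> 4) << 2) | (0x02 if addr.cr else 0)
    b1 = ((addr.dlci & 0x0F) << 4) | (0x08 if addr.fecn else 0)
    b1 |= (0x04 if addr.becn else 0) | (0x02 if addr.de else 0) | 0x01
    return bytes([b0, b1])


class FrameRelaySwitch:
    """Forwards purely by (ingress port, DLCI) table lookup.

    The DLCI has only local significance on each link, so it is rewritten on
    egress; frames with no matching PVC are discarded.
    """

    def __init__(self, table):
        # table: {(in_port, in_dlci): (out_port, out_dlci)}; constructed PVC table
        self.table = dict(table)

    def forward(self, in_port: int, frame: bytes):
        """Return (out_port, rewritten_frame) or None when no PVC exists."""
        addr = parse_address(frame)
        key = (in_port, addr.dlci)
        if key not in self.table:
            return None
        out_port, out_dlci = self.table[key]
        addr.dlci = out_dlci
        return out_port, build_address(addr) + frame[2:]


if __name__ == "__main__":
    # Constructed demo: PVC from port 1/DLCI 100 to port 2/DLCI 200.
    sw = FrameRelaySwitch({(1, 100): (2, 200)})
    frame = build_address(FrAddress(dlci=100)) + b"payload"
    print(sw.forward(1, frame))
```

A subscriber can only reach the DLCIs the provider has provisioned in this table; unlike a connectionless network, there is no address in the frame an end system could spoof to reach a different destination.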
ATM

Asynchronous Transfer Mode (ATM) technology is capable of transferring voice, video, and data through private and public networks. It is built on a cell-based architecture rather than on a frame-based architecture. ATM cells are always a fixed length of 53 bytes. The ATM cell contains a 5 byte ATM header followed by 48 bytes of ATM payload. Small, fixed-length cells are well suited for carrying voice and video traffic because this traffic is intolerant of delay. Video and voice traffic do not have to wait for a larger data packet to be transmitted.
DSL

DSL technology is an always-on connection technology that uses existing twisted-pair telephone lines to transport high-bandwidth data, and provides IP services to subscribers. A DSL modem converts an Ethernet signal from the user device to a DSL signal, which is transmitted to the central office.
Cable Modem

Coaxial cable is widely used in urban areas to distribute television signals. Network access is available from some cable television networks. This allows for greater bandwidth than the conventional telephone local loop.
Broadband Wireless

Wireless technology uses the unlicensed radio spectrum to send and receive data. The unlicensed spectrum is accessible to anyone who has a wireless router and wireless technology in the device they are using.
Municipal WiFi-Many cities have begun setting up municipal wireless networks. Some of these networks provide high-speed Internet access for free or for substantially less than the price of other broadband services. Others are for city use only, allowing police and fire departments and other city employees to do certain aspects of their jobs remotely.
WiMAX-Worldwide Interoperability for Microwave Access (WiMAX) is a new technology that is just beginning to come into use. It is described in the IEEE standard 802.16. WiMAX provides high-speed broadband service with wireless access and provides broad coverage like a cell phone network rather than through small WiFi hotspots.
Satellite Internet-Typically used by rural users where cable and DSL are not available. A satellite dish provides two-way (upload and download) data communications. The upload speed is about one-tenth of the 500 kb/s download speed. Cable and DSL have higher download speeds, but satellite systems are about 10 times faster than an analog modem.
VPN Technology
A VPN is an encrypted connection between private networks over a public network such as the Internet. Instead of using a dedicated Layer 2 connection such as a leased line, a VPN uses virtual connections called VPN tunnels, which are routed through the Internet from the private network of the company to the remote site or employee host.
There are two types of VPN access:

• Site-to-site VPNs-Site-to-site VPNs connect entire networks to each other, for example, they can connect a branch office network to a company headquarters network, as shown in the figure. Each site is equipped with a VPN gateway, such as a router, firewall, VPN concentrator, or security appliance. In the figure, a remote branch office uses a site-to-site VPN to connect with the corporate head office.
• Remote-access VPNs-Remote-access VPNs enable individual hosts, such as telecommuters, mobile users, and extranet consumers, to access a company network securely over the Internet. Each host typically has VPN client software loaded or uses a web-based client.
Metro Ethernet

Metro Ethernet is a rapidly maturing networking technology that broadens Ethernet to the public networks run by telecommunications companies. IP-aware Ethernet switches enable service providers to offer enterprises converged voice, data, and video services such as IP telephony, video streaming, imaging, and data storage.
Benefits of Metro Ethernet include:

• Reduced expenses and administration-Metro Ethernet provides a switched, high-bandwidth Layer 2 network capable of managing data, voice, and video all on the same infrastructure. This characteristic increases bandwidth and eliminates expensive conversions to ATM and Frame Relay. The technology enables businesses to inexpensively connect numerous sites in a metropolitan area to each other and to the Internet.
• Easy integration with existing networks-Metro Ethernet connects easily to existing Ethernet LANs, reducing installation costs and time.
• Enhanced business productivity-Metro Ethernet enables businesses to take advantage of productivity-enhancing IP applications that are difficult to implement on TDM or Frame Relay networks, such as hosted IP communications, VoIP, and streaming and broadcast video.

Exploration 3-chapter 7

June 17, 2010

Wireless LANs
Portable communications have become an expectation in many countries around the world. You can see portability and mobility in everything from cordless keyboards and headsets, to satellite phones and global positioning systems (GPS). The mix of wireless technologies in different types of networks allows workers to be mobile.
Comparing a WLAN to a LAN
Wireless LANs share a similar origin with Ethernet LANs. The IEEE has adopted the 802 LAN/MAN portfolio of computer network architecture standards. The two dominant 802 working groups are 802.3 Ethernet and 802.11 wireless LAN. However, there are important differences between the two.
Wireless LAN Standards
802.11 wireless LAN is an IEEE standard that defines how radio frequency (RF) in the unlicensed industrial, scientific, and medical (ISM) frequency bands is used for the Physical layer and the MAC sub-layer of wireless links.
Typically, the choice of which WLAN standard to use is based on data rates. For instance, 802.11a and g can support up to 54 Mb/s, while 802.11b supports up to a maximum of 11 Mb/s, making 802.11b the “slow” standard, and 802.11a and g the preferred ones. A fourth WLAN draft, 802.11n, exceeds the currently available data rates. IEEE 802.11n was expected to be ratified by September 2008 (it was finally ratified in 2009). The figure compares the ratified IEEE 802.11a, b, and g standards.
802.11b and 802.11g
There are advantages to using the 2.4 GHz band. Devices in the 2.4 GHz band will have better range than those in the 5GHz band. Also, transmissions in this band are not as easily obstructed as 802.11a.
There is one important disadvantage to using the 2.4 GHz band. Many consumer devices also use the 2.4 GHz band and cause 802.11b and g devices to be prone to interference.
802.11n
The IEEE 802.11n draft standard is intended to improve WLAN data rates and range without requiring additional power or RF band allocation. 802.11n uses multiple radios and antennae at endpoints, each broadcasting on the same frequency to establish multiple streams.
Important: RF bands are allocated by the International Telecommunication Union Radiocommunication Sector (ITU-R). The ITU-R designates the 900 MHz, 2.4 GHz, and 5 GHz frequency bands as unlicensed for ISM communities. Although the ISM bands are globally unlicensed, they are still subject to local regulations.
Standards ensure interoperability between devices made by different manufacturers. Internationally, the three key organizations influencing WLAN standards are:

ITU-R
IEEE
Wi-Fi Alliance
The ITU-R regulates the allocation of the RF spectrum and satellite orbits. These are described as finite natural resources that are in demand from such consumers as fixed wireless networks, mobile wireless networks, and global positioning systems.
Wireless NICs
The wireless NIC, using the modulation technique it is configured to use, encodes a data stream onto an RF signal.
Wireless Access Points

An access point connects wireless clients (or stations) to the wired LAN. Client devices do not typically communicate directly with each other; they communicate with the AP. In essence, an access point converts the TCP/IP data packets from their 802.11 frame encapsulation format in the air to the 802.3 Ethernet frame format on the wired Ethernet network.
An access point is a Layer 2 device that functions like an 802.3 Ethernet hub. RF is a shared medium and access points hear all radio traffic.
CSMA/CA
Access points oversee a distributed coordination function (DCF) called Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). This simply means that devices on a WLAN must sense the medium for energy (RF stimulation above a certain threshold) and wait until the medium is free before sending.
Wireless Routers

Wireless routers perform the role of access point, Ethernet switch, and router. For example, the Linksys WRT300N is really three devices in one box. First, there is the wireless access point, which performs the typical functions of an access point. A built-in four-port, full-duplex, 10/100 switch provides connectivity to wired devices. Finally, the router function provides a gateway for connecting to other network infrastructures.
Configurable Parameters for Wireless Endpoints
You have to configure parameters on the access point, and subsequently on your client device, to enable the negotiation of the WLAN discovery and association processes described below.
A shared service set identifier (SSID)
A shared service set identifier (SSID) is a unique identifier that client devices use to distinguish between multiple wireless networks in the same vicinity. Several access points on a network can share an SSID.
Ad hoc Networks
Wireless networks can operate without access points; this is called an ad hoc topology.
A key part of the 802.11 process is discovering a WLAN and subsequently connecting to it. The primary components of this process are as follows:
• Beacons – Frames used by the WLAN network to advertise its presence.
• Probes – Frames used by WLAN clients to find their networks.
• Authentication – A process which is an artifact from the original 802.11 standard, but still required by the standard.
• Association – The process for establishing the data link between an access point and a WLAN client.
The primary purpose of the beacon is to allow WLAN clients to learn which networks and access points are available in a given area, thereby allowing them to choose which network and access point to use. Access points may broadcast beacons periodically.
802.11 authentication
802.11 was originally developed with two authentication mechanisms. The first one, called open authentication, is fundamentally a NULL authentication where the client says “authenticate me,” and the access point responds with “yes.” This is the mechanism used in almost all 802.11 deployments. Open authentication provides no security by itself; on WPA/WPA2 networks the real access control is enforced after association by the 802.11i mechanisms described under Encryption below.
Rogue Access Points

A rogue access point is an access point placed on a WLAN that is used to interfere with normal network operation. If a rogue access point is configured with the correct security settings, client data could be captured.
Man-in-the-Middle Attacks

One of the more sophisticated attacks an unauthorized user can make is called a man-in-the-middle (MITM) attack. Attackers select a host as a target and position themselves logically between the target and the router or gateway of the target. In a wired LAN environment, the attacker needs to be able to physically access the LAN to insert a device logically into the topology. With a WLAN, the radio waves emitted by access points can provide the connection.
Denial of Service

802.11b and g WLANs use the unlicensed 2.4 GHz ISM band. This is the same band used by most wireless consumer products, including baby monitors, cordless phones, and microwave ovens. With these devices crowding the RF band, attackers can create noise on all the channels in the band with commonly available devices.
Encryption
Two enterprise-level encryption mechanisms specified by 802.11i are certified as WPA and WPA2 by the Wi-Fi Alliance: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES).
TKIP is the encryption method certified as WPA. It provides support for legacy WLAN equipment by addressing the original flaws associated with the 802.11 WEP encryption method. It makes use of the original encryption algorithm used by WEP (RC4), which is why it runs on older hardware but is considered weaker than AES.
TKIP has two primary functions:
• It encrypts the Layer 2 payload
• It carries out a message integrity check (MIC) on the encrypted packet. This allows tampering with the message to be detected.
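The beacon, SSID and encryption points above come together in one frame, so here is an added example (not from the original notes) that decodes an 802.11 beacon: it pulls the BSSID, the Privacy capability bit, the SSID (reporting None when the access point has SSID broadcast disabled and sends an empty or all-NUL name) and the 802.11i RSN element, whose cipher suite selectors are how a client learns whether the AP offers TKIP (WPA) or AES-CCMP (WPA2) and whether the AKM is PSK or 802.1X. The beacons are constructed in the block by build_beacon/build_rsn; the element IDs, suite types and the 00-0F-AC OUI are the standard values. The original WPA certification advertised its suites in a vendor-specific element instead; this example handles only the RSN element, so an AP with the Privacy bit set and no RSN element is reported as "WEP or legacy WPA".

```python
"""Decode an 802.11 beacon: SSID and the 802.11i RSN element.
Added example (not from the original notes); all beacons are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

MGMT_HEADER_LEN = 24    # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
BEACON_FIXED_LEN = 12   # Timestamp(8) Beacon interval(2) Capability(2)
EID_SSID, EID_RSN = 0, 48
OUI_IEEE = b"\x00\x0f\xac"
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-AES", 5: "WEP-104"}
AKM_NAMES = {1: "802.1X", 2: "PSK"}


def build_rsn(group: int, pairwise: List[int], akms: List[int]) -> bytes:
    """Construct an RSN element body: version 1, then suite selectors (OUI + type)."""
    body = struct.pack("<H", 1) + OUI_IEEE + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI_IEEE + bytes([p]) for p in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI_IEEE + bytes([a]) for a in akms)
    return body + struct.pack("<H", 0)  # RSN capabilities


def build_beacon(bssid: bytes, ssid: bytes, rsn: Optional[bytes]) -> bytes:
    """Construct a minimal beacon (management type 0, subtype 8) for the demo."""
    fc = 0x0080  # little-endian frame control: version 0, type mgmt, subtype beacon
    hdr = struct.pack("<HH6s6s6sH", fc, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval (TU), ESS+Privacy+ShortSlot
    ies = bytes([EID_SSID, len(ssid)]) + ssid
    if rsn is not None:
        ies += bytes([EID_RSN, len(rsn)]) + rsn
    return hdr + fixed + ies


def parse_ies(data: bytes) -> List[Tuple[int, bytes]]:
    """Split the tagged-parameter area into (element id, body) pairs; reject truncation."""
    out, i = [], 0
    while i + 2 <= len(data):
        eid, ln = data[i], data[i + 1]
        body = data[i + 2:i + 2 + ln]
        if len(body) != ln:
            raise ValueError("truncated information element")
        out.append((eid, body))
        i += 2 + ln
    return out


def parse_rsn(body: bytes) -> Dict[str, object]:
    """Decode group cipher, pairwise ciphers and AKM suites from an RSN element."""
    version, = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = body[5]                                  # byte after the 3-byte OUI
    n_pair, = struct.unpack_from("<H", body, 6)
    pairwise = [body[8 + 4 * k + 3] for k in range(n_pair)]
    pos = 8 + 4 * n_pair
    n_akm, = struct.unpack_from("<H", body, pos)
    akms = [body[pos + 2 + 4 * k + 3] for k in range(n_akm)]
    return {"group": CIPHER_NAMES.get(group, f"unknown({group})"),
            "pairwise": [CIPHER_NAMES.get(p, f"unknown({p})") for p in pairwise],
            "akm": [AKM_NAMES.get(a, f"unknown({a})") for a in akms]}


def parse_beacon(frame: bytes) -> Dict[str, object]:
    """Return BSSID, privacy bit, SSID (None when hidden) and the RSN summary."""
    if len(frame) < MGMT_HEADER_LEN + BEACON_FIXED_LEN:
        raise ValueError("frame too short for a beacon")
    fc, = struct.unpack_from("<H", frame, 0)
    if fc & 0x00FC != 0x0080:                       # type/subtype bits of byte 0
        raise ValueError("not a beacon frame")
    cap, = struct.unpack_from("<H", frame, MGMT_HEADER_LEN + 10)
    info = {"bssid": ":".join(f"{b:02x}" for b in frame[16:22]),  # Address 3 = BSSID
            "privacy": bool(cap & 0x0010), "ssid": None, "rsn": None}
    for eid, body in parse_ies(frame[MGMT_HEADER_LEN + BEACON_FIXED_LEN:]):
        if eid == EID_SSID:
            # Zero-length or all-NUL SSID: the AP has SSID broadcast disabled.
            info["ssid"] = body.decode("utf-8", "replace") if body.strip(b"\x00") else None
        elif eid == EID_RSN:
            info["rsn"] = parse_rsn(body)
    return info


def weak_ciphers(info: Dict[str, object]) -> List[str]:
    """Ciphers a practitioner would flag: anything other than CCMP-AES."""
    rsn = info["rsn"]
    if rsn is None:
        return ["WEP or legacy WPA"] if info["privacy"] else ["open"]
    return sorted({c for c in [rsn["group"], *rsn["pairwise"]] if c != "CCMP-AES"})


if __name__ == "__main__":
    demo = build_beacon(bytes.fromhex("001122334455"), b"CorpWLAN", build_rsn(2, [4, 2], [2]))
    print(parse_beacon(demo), weak_ciphers(parse_beacon(demo)))
```

Disabling SSID broadcast only blanks the name in the beacon; probe responses and association requests still carry it in the clear, so treat it as a convenience setting, not a security control. The thing worth checking in a survey is the RSN element: a "mixed mode" AP that still advertises TKIP as a group cipher forces every client onto the weaker suite for multicast traffic.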
The access point configuration GUI (the Linksys WRT300N in this course) exposes the following parameters:

• Network Mode – If you have Wireless-N, Wireless-G, and 802.11b devices in your network, keep Mixed, the default setting. If you have Wireless-G and 802.11b devices, select BG-Mixed. If you have only Wireless-N devices, select Wireless-N Only. If you have only Wireless-G devices, select Wireless-G Only. If you have only Wireless-B devices, select Wireless-B Only. If you want to disable wireless networking, select Disable.
• Network Name (SSID) – The SSID is the network name shared among all points in a wireless network. The SSID must be identical for all devices in the wireless network. It is case-sensitive and must not exceed 32 characters (use any of the characters on the keyboard). For added security, you should change the default SSID (linksys) to a unique name.
• SSID Broadcast – When wireless clients survey the local area for wireless networks to associate with, they detect the SSID broadcast by the access point. To broadcast the SSID, keep Enabled, the default setting. If you do not want to broadcast the SSID, select Disabled. When you have finished making changes to this screen, click the Save Settings button, or click the Cancel Changes button to undo your changes. For more information, click Help.
• Radio Band – For best performance in a network using Wireless-N, Wireless-G, and Wireless-B devices, keep the default Auto. For Wireless-N devices only, select Wide – 40MHz Channel. For Wireless-G and Wireless-B networking only, select Standard – 20MHz Channel.
• Wide Channel – If you selected Wide – 40MHz Channel for the Radio Band setting, this setting is available for your primary Wireless-N channel. Select any channel from the drop-down menu.
• Standard Channel – Select the channel for Wireless-N, Wireless-G, and Wireless-B networking. If you selected Wide – 40MHz Channel for the Radio Band setting, the standard channel is a secondary channel for Wireless-N.

Exploration 3-chapter 6

May 19, 2010

Router-based inter-VLAN routing is the process of forwarding network traffic from one VLAN to another VLAN using a router.
“Router-on-a-stick” is a type of router configuration in which a single physical interface routes traffic between multiple VLANs on a network.
Subinterfaces are multiple virtual interfaces, associated with one physical interface. Unlike a typical physical interface, subinterfaces are not enabled with the no shutdown command at the subinterface configuration mode level of the Cisco IOS software.
When the physical interface is enabled with the no shutdown command, all the configured subinterfaces are enabled. Likewise, if the physical interface is disabled, all subinterfaces are disabled.
Physical Interfaces and Subinterfaces
Port Limits
Physical interfaces are configured to have one interface per VLAN on the network. On networks with many VLANs, a single router does not have enough physical interfaces to perform inter-VLAN routing this way.
Subinterfaces allow a router to scale to accommodate more VLANs than the physical interfaces permit.
Performance
Because there is no contention for bandwidth on separate physical interfaces, physical interfaces have better performance when compared to using subinterfaces. Traffic from each connected VLAN has access to the full bandwidth of the physical router interface connected to that VLAN for inter-VLAN routing.
When subinterfaces are used for inter-VLAN routing, the traffic being routed competes for bandwidth on the single physical interface. On a busy network, this could cause a bottleneck for communication.
Access Ports and Trunk Ports
Connecting physical interfaces for inter-VLAN routing requires that the switch ports be configured as access ports. Subinterfaces require the switch port to be configured as a trunk port so that it can accept VLAN tagged traffic on the trunk link.
Using subinterfaces, many VLANs can be routed over a single trunk link rather than a single physical interface for each VLAN.
Cost
It is more cost-effective to use subinterfaces over separate physical interfaces. Routers that have many physical interfaces cost more than routers with a single interface.
Complexity
Using subinterfaces for inter-VLAN routing results in a less complex physical configuration than using separate physical interfaces, because there are fewer physical network cables interconnecting the router to the switch.
The Ping Test
The ping command sends an ICMP echo request to the destination address. When a host receives an ICMP echo request, it responds with an ICMP echo reply to confirm that it received the ICMP echo request. The ping command calculates the elapsed time using the difference between the time the ping was sent and the time the echo reply was received.
PC>ping 172.17.30.23
The Tracert Test
Tracert is a useful utility for confirming the routed path taken between two devices. On UNIX systems, the utility is called traceroute. Tracert also uses ICMP to determine the path taken, but it sends ICMP echo requests with increasing time-to-live (TTL) values in the IP packet header; each router that decrements the TTL to zero returns an ICMP time-exceeded message, which reveals that hop's address.
PC>tracert 172.17.30.23
The show running-config and the show interface interface-id switchport commands are useful for identifying VLAN assignment and port configuration issues.
• Inter-VLAN routing is accomplished using a dedicated router or a multilayer switch. Inter-VLAN routing facilitates communication between devices isolated by VLAN boundaries.
• Traditional inter-VLAN routing requires that a router be configured with multiple physical interfaces, each connected physically to separate VLANs on a switch.
• The router-on-a-stick model provides similar functionality to the traditional inter-VLAN routing at reduced cost but provides lower performance on busy networks.
• Traditional inter-VLAN routing uses the physical interfaces of the router, while router-on-a-stick inter-VLAN routing uses logical subinterfaces of the physical interface.
• Configure switch ports connected to the router for the appropriate VLANs. Configure each router interface with the subnet associated with each VLAN.
• Configure each subinterface on a router-on-a-stick with a unique VLAN ID and corresponding IP address to match the subnet associated with the VLAN.
• To reduce the risk of switch, router, or IP address configuration problems, verify the configuration of each device.
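The summary bullets above describe a procedure (one subinterface per VLAN, dot1Q encapsulation with the VLAN ID, an address in the VLAN's subnet, a trunk on the switch side) whose typical failures are silent: an overlapping subnet, a gateway set to the network address, or a VLAN ID outside the normal range. The following is an added example (not from the original notes) that generates the router-on-a-stick configuration for a constructed VLAN table and refuses tables that would fail on the router. The interface names, VLAN names and addresses are assumptions; the IOS commands emitted (interface, encapsulation dot1Q, ip address, switchport mode trunk) are the ones the text describes. On switches that support ISL as well as dot1Q, the trunk port also needs switchport trunk encapsulation dot1q, which this example does not emit.

```python
"""Generate and validate a router-on-a-stick configuration.

Added example, not from the original notes. The VLAN table, interface
names and addresses are constructed; the IOS commands emitted are the
standard subinterface and trunk commands.
"""
import ipaddress
from typing import Dict, List, Tuple

NORMAL_RANGE = range(1, 1006)  # normal-range VLAN IDs 1..1005


def validate_vlans(vlans: Dict[int, Tuple[str, str]]) -> None:
    """vlans: {vlan_id: (name, gateway/prefix)}; raise on anything the router would reject."""
    seen = []
    for vid, (name, gw) in vlans.items():
        if vid not in NORMAL_RANGE:
            raise ValueError(f"VLAN {vid} ({name}): not a normal-range VLAN ID")
        iface = ipaddress.ip_interface(gw)
        net = iface.network
        # The subinterface address must be a host address inside the VLAN's subnet.
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"VLAN {vid}: {gw} is the network or broadcast address")
        for other_vid, other_net in seen:
            if net.overlaps(other_net):
                raise ValueError(f"VLAN {vid} subnet {net} overlaps VLAN {other_vid} ({other_net})")
        seen.append((vid, net))


def router_on_a_stick(phys: str, vlans: Dict[int, Tuple[str, str]]) -> List[str]:
    """Return IOS config lines: one dot1Q subinterface per VLAN on a single trunked link."""
    validate_vlans(vlans)
    # Subinterfaces are not shut/no shut individually; they follow the physical interface.
    lines = [f"interface {phys}", " no shutdown"]
    for vid in sorted(vlans):
        name, gw = vlans[vid]
        iface = ipaddress.ip_interface(gw)
        lines += [
            f"interface {phys}.{vid}",
            f" description {name}",
            f" encapsulation dot1Q {vid}",
            f" ip address {iface.ip} {iface.network.netmask}",
        ]
    return lines


def switch_trunk(port: str) -> List[str]:
    """The matching switch side: the port facing the router must be a trunk, not an access port."""
    return [f"interface {port}", " switchport mode trunk"]


if __name__ == "__main__":
    # Constructed VLAN table, using the addressing style of the ping/tracert example above.
    table = {10: ("Faculty", "172.17.10.1/24"), 30: ("Guest", "172.17.30.1/24")}
    print("\n".join(router_on_a_stick("FastEthernet0/0", table)))
    print("\n".join(switch_trunk("FastEthernet0/5")))
```

Running the validator before pushing the configuration catches exactly the mistakes the last bullet warns about; the overlap check in particular matters because IOS will accept the second address and simply leave one VLAN unreachable.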

Exploration 3-chapter 5

May 19, 2010

Spanning Tree Protocol (STP)
STP Topology
Redundancy increases the availability of the network topology by protecting the network from a single point of failure, such as a failed network cable or switch.
STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop. A port is considered blocked when network traffic is prevented from entering or leaving that port.
STP Algorithm

STP uses the Spanning Tree Algorithm (STA) to determine which switch ports on a network need to be configured for blocking to prevent loops from occurring.
All switches participating in STP exchange BPDU frames to determine which switch has the lowest bridge ID (BID) on the network. The switch with the lowest BID automatically becomes the root bridge for the STA calculations.
The BPDU is the message frame exchanged by switches for STP. Each BPDU contains a BID that identifies the switch that sent the BPDU. The BID contains a priority value, the MAC address of the sending switch, and an optional extended system ID. The lowest BID value is determined by the combination of these three fields.
Root ports – Switch ports closest to the root bridge. In the example, the root port on switch S2 is F0/1 configured for the trunk link between switch S2 and switch S1. The root port on switch S3 is F0/1, configured for the trunk link between switch S3 and switch S1.
Designated ports – All non-root ports that are still permitted to forward traffic on the network. In the example, switch ports F0/1 and F0/2 on switch S1 are designated ports. Switch S2 also has its port F0/2 configured as a designated port.
Non-designated ports – All ports configured to be in a blocking state to prevent loops. In the example, the STA configured port F0/2 on switch S3 in the non-designated role. Port F0/2 on switch S3 is in the blocking state.
BID
BID is made up of a priority value, an extended system ID, and the MAC address of the switch.
Best Paths to the Root Bridge
Path cost is the sum of all the port costs along the path to the root bridge.
The BPDU Fields
The BPDU frame contains 12 distinct fields that are used to convey path and priority information that STP uses to determine the root bridge and paths to the root bridge.
Root Port
The root port exists on non-root bridges and is the switch port with the best path to the root bridge. Root ports forward traffic toward the root bridge.
Designated Port
The designated port exists on root and non-root bridges. For root bridges, all switch ports are designated ports. For non-root bridges, a designated port is the switch port that receives and forwards frames toward the root bridge as needed. Only one designated port is allowed per segment.
Non-designated Port
The non-designated port is a switch port that is blocked, so it is not forwarding data frames and not populating the MAC address table with source addresses.
Port States
The spanning tree is determined immediately after a switch is finished booting up. If a switch port were to transition directly from the blocking to the forwarding state, the port could temporarily create a data loop if the switch was not aware of all topology information at the time.
Blocking – The port is a non-designated port and does not participate in frame forwarding. The port receives BPDU frames to determine the location and root ID of the root bridge switch and what port roles each switch port should assume in the final active STP topology.
Listening – STP has determined that the port can participate in frame forwarding according to the BPDU frames that the switch has received thus far. At this point, the switch port is not only receiving BPDU frames, it is also transmitting its own BPDU frames and informing adjacent switches that the switch port is preparing to participate in the active topology.
Learning – The port prepares to participate in frame forwarding and begins to populate the MAC address table.
Forwarding – The port is considered part of the active topology and forwards frames and also sends and receives BPDU frames.
Disabled – The Layer 2 port does not participate in spanning tree and does not forward frames. The disabled state is set when the switch port is administratively disabled.
BPDU Timers
• Hello time
• Forward delay
• Maximum age
STP Convergence Steps
Three Steps

Step 1: Elect a Root Bridge
Step 2: Elect the Root Ports
Step 3: Elect the Designated and Non-Designated ports
Step 1. Electing a Root Bridge
The root bridge is the basis for all spanning-tree path cost calculations and ultimately leads to the assignment of the different port roles used to prevent loops from occurring.
A root bridge election is triggered after a switch has finished booting up, or when a path failure has been detected on a network.
Step 2: Elect the Root Ports
The root port is the switch port with the lowest path cost to the root bridge. Normally path cost alone determines which switch port becomes the root port.
Step 3. Electing Designated Ports and Non-Designated Ports
Each segment in a switched network can have only one designated port. When two non-root port switch ports are connected on the same LAN segment, a competition for port roles occurs. The two switches exchange BPDU frames to sort out which switch port is designated and which one is non-designated.
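The three convergence steps above are mechanical enough to run as code, so here is an added example (not from the original notes) that implements them: it builds comparable bridge IDs (priority plus extended system ID, then MAC), elects the root, computes each switch's root path cost as the sum of port costs, picks root ports, and then decides the designated and non-designated port on every segment. The three-switch topology is constructed to reproduce the S1/S2/S3 figure the notes describe: S1 gets a lower priority so it wins the election, S2 gets a lower MAC than S3 so it wins the S2-S3 segment, and all links use the 802.1D FastEthernet cost of 19. The switch names, MACs and port names are assumptions. The last function call in the demo shows the property a security engineer cares about: any device that sends a BPDU with a lower priority than the configured root wins the election, which is why the root bridge priority should be set deliberately rather than left at the default.

```python
"""Spanning Tree Algorithm (STA) walkthrough: root bridge, root ports,
designated and non-designated ports.

Added example, not from the original notes. Topology, MACs and port names
are constructed to match the S1/S2/S3 example in the text.
"""
import heapq
from typing import Dict, List, Tuple

# A link is (switch_a, port_a, switch_b, port_b, cost).
Link = Tuple[str, str, str, str, int]
BID = Tuple[int, str]


def bridge_id(priority: int, mac: str, vlan: int = 0) -> BID:
    """Comparable BID: priority plus extended system ID (the VLAN), then MAC.

    Lower compares as better, exactly like the BPDU comparison: the priority
    field decides, and the MAC address is only the tie-breaker.
    """
    if priority % 4096 != 0 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return (priority + vlan, mac.lower())


def elect_root(bids: Dict[str, BID]) -> str:
    """Step 1: the switch with the lowest BID becomes the root bridge."""
    return min(bids, key=lambda s: bids[s])


def root_path_costs(root: str, links: List[Link]) -> Dict[str, int]:
    """Cheapest path cost from every switch to the root (sum of port costs)."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for a, _, b, _, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, s = heapq.heappop(heap)
        if d > dist.get(s, float("inf")):
            continue
        for n, cost in adj.get(s, []):
            if d + cost < dist.get(n, float("inf")):
                dist[n] = d + cost
                heapq.heappush(heap, (d + cost, n))
    return dist


def assign_port_roles(bids: Dict[str, BID], links: List[Link]) -> Dict[Tuple[str, str], str]:
    """Steps 1-3: returns {(switch, port): 'root' | 'designated' | 'non-designated'}."""
    root = elect_root(bids)
    cost_to_root = root_path_costs(root, links)
    roles: Dict[Tuple[str, str], str] = {}

    # Step 2: on each non-root switch the root port is the port with the lowest
    # path cost to the root; ties go to the neighbour with the lower BID, then port.
    for s in bids:
        if s == root:
            continue
        best = None
        for a, pa, b, pb, cost in links:
            if s not in (a, b):
                continue
            my_port, nb, nb_port = (pa, b, pb) if a == s else (pb, a, pa)
            cand = (cost_to_root[nb] + cost, bids[nb], nb_port, my_port)
            if best is None or cand < best[0]:
                best = (cand, my_port)
        roles[(s, best[1])] = "root"

    # Step 3: on each segment the end with the lowest (path cost, BID, port) is
    # designated; the other end is either that switch's root port or is blocked.
    for a, pa, b, pb, _ in links:
        end_a = (cost_to_root[a], bids[a], pa)
        end_b = (cost_to_root[b], bids[b], pb)
        winner, loser = ((a, pa), (b, pb)) if end_a < end_b else ((b, pb), (a, pa))
        roles[winner] = "designated"
        roles.setdefault(loser, "non-designated")
    return roles


if __name__ == "__main__":
    # Constructed topology matching the S1/S2/S3 example: S1 root, S3 F0/2 blocked.
    switches = {"S1": bridge_id(24576, "00:00:00:00:00:01"),
                "S2": bridge_id(32768, "00:00:00:00:00:02"),
                "S3": bridge_id(32768, "00:00:00:00:00:03")}
    topo = [("S1", "F0/1", "S2", "F0/1", 19),
            ("S1", "F0/2", "S3", "F0/1", 19),
            ("S2", "F0/2", "S3", "F0/2", 19)]
    print(elect_root(switches), assign_port_roles(switches, topo))
    # A BPDU claiming priority 0 from a new device takes over the root role.
    print(elect_root({**switches, "rogue": bridge_id(0, "ff:ff:ff:ff:ff:ff")}))
```

The root port is never the designated port on its own segment: the neighbour it points at always has a strictly lower path cost, so on that segment the neighbour wins. That is why the code can assign root ports first and only fill in "non-designated" where nothing else has been decided.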
Cisco Proprietary
Per-VLAN spanning tree protocol (PVST) – Maintains a spanning-tree instance for each VLAN configured in the network. It uses the Cisco proprietary ISL trunking protocol that allows a VLAN trunk to be forwarding for some VLANs while blocking for other VLANs.
Per-VLAN spanning tree protocol plus (PVST+) – Cisco developed PVST+ to provide support for IEEE 802.1Q trunking. PVST+ provides the same functionality as PVST, including the Cisco proprietary STP extensions. PVST+ is not supported on non-Cisco devices.
Rapid per-VLAN spanning tree protocol (rapid PVST+) – Based on the IEEE 802.1w standard and has a faster convergence than STP (standard 802.1D). Rapid PVST+ includes Cisco-proprietary extensions such as BackboneFast, UplinkFast, and PortFast.
IEEE Standards
Rapid spanning tree protocol (RSTP) – Defined in IEEE 802.1w (2001) as an evolution of STP (the 802.1D standard). It provides faster spanning-tree convergence after a topology change. RSTP brings functionality equivalent to the Cisco-proprietary STP extensions BackboneFast, UplinkFast, and PortFast into the public standard.
Multiple STP (MSTP) – Enables multiple VLANs to be mapped to the same spanning-tree instance, reducing the number of instances needed to support a large number of VLANs. MSTP was inspired by the Cisco-proprietary Multiple Instances STP (MISTP) and is an evolution of STP and RSTP.
What is RSTP?
RSTP (IEEE 802.1w) is an evolution of the 802.1D standard. The 802.1w STP terminology remains primarily the same as the IEEE 802.1D STP terminology. Most parameters have been left unchanged, so users familiar with STP can rapidly configure the new protocol.

Exploration 3-chapter 4

May 19, 2010

What is VTP?
VTP allows a network manager to configure a switch so that it will propagate VLAN configurations to other switches in the network.
VTP only learns about normal-range VLANs (VLAN IDs 1 to 1005). Extended-range VLANs (IDs greater than 1005) are not supported by VTP.
VTP Domain – Consists of one or more interconnected switches. All switches in a domain share VLAN configuration details using VTP advertisements. A router or Layer 3 switch defines the boundary of each domain.
VTP Advertisements – VTP uses a hierarchy of advertisements to distribute and synchronize VLAN configurations across the network.
VTP Modes – A switch can be configured in one of three modes: server, client, or transparent.
VTP Server – VTP servers advertise the VTP domain VLAN information to other VTP-enabled switches in the same VTP domain. VTP servers store the VLAN information for the entire domain in NVRAM. The server is where VLANs can be created, deleted, or renamed for the domain.
VTP Client – VTP clients function the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client. A VTP client only stores the VLAN information for the entire domain while the switch is on. A switch reset deletes the VLAN information. You must configure VTP client mode on a switch.
VTP Transparent – Transparent switches forward VTP advertisements to VTP clients and VTP servers. Transparent switches do not participate in VTP. VLANs that are created, renamed, or deleted on transparent switches are local to that switch only.
VTP Pruning – VTP pruning increases available network bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the destination devices. Without VTP pruning, a switch floods broadcast, multicast, and unknown unicast traffic across all trunk links within a VTP domain even though receiving switches might discard them.
The benefit of VTP is that it automatically distributes and synchronizes domain and VLAN configurations across the network.
VTP Version – Displays the VTP version the switch is capable of running. By default, the switch implements version 1, but can be set to version 2.
Configuration Revision – Current configuration revision number on this switch. You will learn more about revision numbers in this chapter.
Maximum VLANs Supported Locally – Maximum number of VLANs supported locally.
VTP Operating Mode – Can be server, client, or transparent.
VTP Domain Name – Name that identifies the administrative domain for the switch.
VTP Pruning Mode – Displays whether pruning is enabled or disabled.
VTP V2 Mode – Displays whether VTP version 2 mode is enabled. VTP version 2 is disabled by default.
VTP Traps Generation – Displays whether VTP traps are sent to a network management station.
MD5 Digest – A 16-byte checksum of the VTP configuration.
Configuration Last Modified – Date and time of the last configuration modification. Displays the IP address of the switch that caused the configuration change to the database.
VTP Domains
VTP allows you to separate your network into smaller management domains to help reduce VLAN management overhead.
A VTP domain consists of one switch or several interconnected switches sharing the same VTP domain name.
VTP Domain Name Propagation
For a VTP server or client switch to participate in a VTP-enabled network, it must be a part of the same domain. When switches are in different VTP domains, they do not exchange VTP messages.
VTP Frame Structure
VTP advertisements (or messages) distribute VTP domain name and VLAN configuration changes to VTP-enabled switches.
VTP Frame Encapsulation
A VTP frame consists of a header field and a message field. The VTP information is inserted into the data field of an Ethernet frame.
VTP frames contain the following fixed-length global domain information:
• VTP domain name
• Identity of the switch sending the message, and the time it was sent
• MD5 digest of the VLAN configuration, including maximum transmission unit (MTU) size for each VLAN
• Frame format: ISL or 802.1Q
VTP frames contain the following information for each configured VLAN:
• VLAN IDs (IEEE 802.1Q)
• VLAN name
• VLAN type
• VLAN state
• Additional VLAN configuration information specific to the VLAN type
VTP Revision Number
The configuration revision number is a 32-bit number that indicates the level of revision for a VTP frame. The default configuration number for a switch is zero.
The configuration revision number determines whether the configuration information received from another VTP-enabled switch is more recent than the version stored on the switch.
VTP Advertisements
Summary Advertisements
The summary advertisement contains the VTP domain name, the current revision number, and other VTP configuration details.
Request Advertisements
When a request advertisement is sent to a VTP server in the same VTP domain, the VTP server responds by sending a summary advertisement and then a subset advertisement.
Request advertisements are sent if:
• The VTP domain name has been changed
• The switch receives a summary advertisement with a higher configuration revision number than its own
• A subset advertisement message is missed for some reason
• The switch has been reset
Server Mode
In server mode, you can create, modify, and delete VLANs for the entire VTP domain. VTP server mode is the default mode for a Cisco switch. VTP servers advertise their VLAN configurations to other switches in the same VTP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links.
Client Mode
If a switch is in client mode, you cannot create, change, or delete VLANs. In addition, the VLAN configuration information that a VTP client switch receives from a VTP server switch is stored in a VLAN database, not in NVRAM.
Transparent Mode
Switches configured in transparent mode forward VTP advertisements that they receive on trunk ports to other switches in the network.
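The revision-number rule and the three modes above can be checked as a small model. This is an added illustration, not code from the curriculum: the `VtpSwitch` class, the `Advertisement` record and the `vlan_digest` helper are constructed for this example (the digest here is just an MD5 over the VLAN table; real VTP also mixes in the domain password).

```python
import hashlib
from dataclasses import dataclass, field


def vlan_digest(vlans: dict) -> str:
    """Constructed stand-in for the 16-byte MD5 digest carried in a summary
    advertisement: MD5 of the sorted VLAN table (domain password omitted)."""
    body = ";".join(f"{vid}:{name}" for vid, name in sorted(vlans.items()))
    return hashlib.md5(body.encode()).hexdigest()


@dataclass
class Advertisement:
    domain: str      # VTP domain name from the summary advertisement
    revision: int    # 32-bit configuration revision number
    digest: str      # MD5 digest announced in the summary
    vlans: dict      # VLAN table carried by the subset advertisement that follows


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str                                  # "server", "client" or "transparent"
    revision: int = 0                          # default revision is zero
    vlans: dict = field(default_factory=lambda: {1: "default"})
    forwarded: list = field(default_factory=list)

    def configure_vlan(self, vid: int, name: str):
        """Local VLAN change; only a server bumps the revision and advertises it."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLANs cannot be created on a VTP client")
        self.vlans[vid] = name
        if self.mode == "transparent":
            return None                        # change stays local to this switch
        self.revision += 1
        return Advertisement(self.domain, self.revision, vlan_digest(self.vlans), dict(self.vlans))

    def receive(self, adv: Advertisement) -> str:
        """Apply the chapter's rule: same domain, newer revision, matching digest."""
        if self.mode == "transparent":
            self.forwarded.append(adv)         # relayed out other trunks, database untouched
            return "forwarded"
        if adv.domain != self.domain:
            return "ignored: other domain"
        if adv.revision <= self.revision:
            return "ignored: revision not newer"
        if adv.digest != vlan_digest(adv.vlans):
            return "ignored: digest mismatch"
        # Servers and clients alike overwrite their database with a newer revision,
        # so the revision number, not the mode, decides which VLAN table wins.
        self.vlans, self.revision = dict(adv.vlans), adv.revision
        return "synchronized"
```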
VTP pruning
VTP pruning prevents unnecessary flooding of broadcast information from one VLAN across all trunks in a VTP domain. VTP pruning permits switches to negotiate which VLANs are assigned to ports at the other end of a trunk and, hence, prune the VLANs that are not assigned to ports on the remote switch.