Showing posts with label Networking. Show all posts

Sunday, March 25, 2012

Why Networks Need Security? Security Basics

All Networks Need Security

Security matters. The Internet is a powerful business tool: meteoric growth like Cisco's, from nowhere to a multi-billion dollar company in a decade, would not have been possible without the Internet and corporate intranets.

But without well-defined security, the Internet can be a dangerous place. The good news is that the tools exist to make it a safe place for your business. Some people think that only large sites get hacked. In reality, small company sites are hacked too.
Many small-company owners assume, "Hey, who would want to break into my company? I'm a nobody. I'm not a big corporation like IBM or the Pentagon, so why would somebody want to break into my company?"
The reality is that small companies are broken into very often; most attackers scan for any reachable, weakly protected system rather than picking a target by name.

Why Security?

Why network security? There are three primary sources of vulnerability to consider:

 - Policy vulnerabilities: there is no written security policy, or the one that exists is not enforced.
 - Configuration vulnerabilities: systems are deployed with default settings, weak passwords, or unnecessary services enabled.
 - Technology vulnerabilities: weaknesses in the protocols, operating systems, and network equipment themselves.

The bottom line is that there are people willing and eager to take advantage of these vulnerabilities.

Security Threats

So these are some of the different things that we need to protect against:

Loss of privacy: Without encryption, every message sent may be read by an unauthorized party who can observe the traffic. This is probably the largest inhibitor of business-to-business communications today.

Impersonation: You must also be careful to protect your identity on the Internet. Many security systems today rely on IP addresses to uniquely identify users. Unfortunately a source IP address is easy to forge, so this form of identification has led to numerous break-ins.

Denial of service: You must also ensure that your systems are available. Over the last several years, attackers have found deficiencies in the TCP/IP protocol suite that allow them to crash computer systems at will.

Loss of integrity: Even for data that is not confidential, you must still take measures to ensure data integrity. For example, even if you could securely identify yourself to your bank using digital certificates, you would still want to ensure that the transaction itself is not modified in transit, such as by changing the amount of a deposit. Authentication alone does not protect the content; each message needs its own integrity check.
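The bank example is worth making concrete. The following Python is an added example, not code from the original post: it shows why an unkeyed checksum does not give integrity against an attacker who can modify traffic, while a keyed message authentication code (here HMAC-SHA256 with a key shared between client and bank) does, and also ties the message to whoever holds the key rather than to a forgeable IP address. The message format, account numbers and key are made up for the example.

```python
"""Added example (not from the original post): integrity needs a keyed check.

A transfer message crosses an untrusted network and a man-in-the-middle edits
the amount.  Two protections are compared:
  * a plain CRC-32 appended to the message (catches line noise only), and
  * an HMAC-SHA256 tag under a shared key (catches deliberate tampering).
Key, account numbers and message layout are assumptions for this example.
"""
import hashlib
import hmac
import zlib

# Hypothetical shared secret; a real system provisions one per client.
SHARED_KEY = b"example-key-do-not-use-in-production"


def build_message(from_acct: str, to_acct: str, amount_cents: int) -> bytes:
    """Serialise a transfer as an unambiguous, fixed-field byte string."""
    return f"transfer|{from_acct}|{to_acct}|{amount_cents}".encode()


def protect_with_crc(msg: bytes) -> bytes:
    """Append a CRC-32: detects accidental corruption, not an adversary."""
    return msg + b"|" + format(zlib.crc32(msg), "08x").encode()


def verify_crc(blob: bytes) -> bool:
    body, _, crc = blob.rpartition(b"|")
    return format(zlib.crc32(body), "08x").encode() == crc


def protect_with_hmac(msg: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Append an HMAC-SHA256 tag computed with the shared key."""
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest().encode()
    return msg + b"|" + tag


def verify_hmac(blob: bytes, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare it in constant time."""
    body, _, tag = blob.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, tag)


def attacker_changes_amount(blob: bytes, new_amount_cents: int,
                            fix_checksum: bool) -> bytes:
    """Man-in-the-middle rewrites the amount field (field 3).

    With a CRC the attacker simply recomputes the checksum; with an HMAC the
    attacker lacks the key and can only leave the old tag in place."""
    body, _, old_check = blob.rpartition(b"|")
    fields = body.split(b"|")
    fields[3] = str(new_amount_cents).encode()
    new_body = b"|".join(fields)
    if fix_checksum:
        return protect_with_crc(new_body)      # attacker recomputes CRC-32
    return new_body + b"|" + old_check         # attacker cannot forge the HMAC


def demo() -> dict:
    """Run both schemes against a $100.00 deposit bumped to $10,000.00."""
    msg = build_message("12345678", "87654321", 10_000)
    crc_blob = protect_with_crc(msg)
    mac_blob = protect_with_hmac(msg)
    return {
        "crc_ok_untampered": verify_crc(crc_blob),
        "crc_ok_after_tamper": verify_crc(
            attacker_changes_amount(crc_blob, 1_000_000, fix_checksum=True)),
        "hmac_ok_untampered": verify_hmac(mac_blob),
        "hmac_ok_after_tamper": verify_hmac(
            attacker_changes_amount(mac_blob, 1_000_000, fix_checksum=False)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The tampered CRC message still verifies, because anyone who can edit the bytes can recompute an unkeyed checksum; the tampered HMAC message fails, because the tag cannot be recomputed without the key. In practice the tag would also cover a sequence number or timestamp so that a valid old message cannot simply be replayed.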

Security Objective: Balance Business Needs with Risks

Objectives for security need to balance the risks of providing access with the need to protect network resources. Creating a security policy involves evaluating the risks, defining what’s valuable, and determining whom you can trust. The security policy plays three roles to help you specify what must be done to secure company assets.

 - It specifies what is being protected and why, and who is responsible for that protection.
 - It provides grounds for interpreting and resolving conflicts in implementation, without listing specific threats, machines, or individuals. A well-designed policy does not change much over time.
 - It addresses scalability issues.

Employees expect access but an enterprise requires security. It is important to plan with scalability and deployment of layered technologies in mind. Security policies that inhibit productivity may be too restrictive.

Snapshot Routing - WAN Basics

Snapshot Routing


By default, distance-vector routing protocols such as RIP broadcast their routing tables every 30 seconds. On a dial-up WAN link, each of those routine updates would place a call, driving up WAN costs for traffic that carries no user data. Snapshot routing limits those calls to the remote site.
A remote router running snapshot routing freezes its routing table during a long quiet period and exchanges updates only during a short active period, normally when the WAN link is already up to carry user application data.
Without snapshot routing, the routing updates alone would dial your ISDN connection every 30 seconds. With it, the remote router still refreshes its routing information, but only when a call is up anyway.

 - IPX Protocol Spoofing

IPX (NetWare) clients and servers exchange watchdog and SPX keepalive packets every few minutes just to confirm that the other side is still there. Protocol spoofing lets the router answer those keepalives locally on behalf of the remote end, so they never cross the WAN and never bring up an on-demand link. This improves performance and makes lower line speeds usable over the WAN.

 - Compression

Compression reduces the space required to store data, thus reducing the bandwidth required to transmit. The benefit of these compression algorithms is that users can utilize lower line speeds if needed to save costs. Compression also provides the ability to move more data over a link than it would normally bear.


 - Three types
     Header
     Link
     Payload

 - Van Jacobson header compression
     RFC 1144
     Reduces the 40-byte TCP/IP header to ~5 bytes (3 bytes in the best case)

 - Dial Backup

Dial backup addresses a customer’s need for reliability and guaranteed uptime. Dial backup capability offers users protection against WAN downtime by allowing them to configure a backup serial line via a circuit-switched connection such as ISDN. When the software detects the loss of a signal from the primary line device or finds that the line protocol is down, it activates the secondary line to establish a new session and continue the job of transmitting traffic over the backup line.

Wide - Area Network Requirements - WAN Basics

Wide - Area Network Requirements

 - Minimize bandwidth costs
 - Maximize efficiency
 - Maximize performance
 - Support new/emerging applications
 - Maximize availability
 - Minimize management and maintenance
 

Manage Bandwidth to Control Cost


Because transmission costs are by far the largest portion of a network’s cost, there are a number of bandwidth optimization features you should be aware of that enable the cost-effective use of WAN links. These include dial-on-demand routing, bandwidth-on-demand, snapshot routing, IPX protocol spoofing, and compression.
Dial-on-demand ensures that you’re only paying for bandwidth when it’s needed for switched services such as ISDN and asynchronous modem (and switched 56Kb in the U.S. and Canada only).
Bandwidth-on-demand gives you the flexibility to add additional WAN bandwidth when it’s needed to accommodate heavy network loads such as file transfers. Snapshot routing prevents unnecessary transmissions. It inhibits your switched network from being dialed solely for the purpose of exchanging routing updates at short intervals (e.g.: 30 seconds). Many of you are familiar with compression, which is also a good method of optimization.

Let's take a closer look at a few features that will keep your WAN costs down.

 - Dial-on-Demand Routing

Dial-on-demand routing allows a router to automatically initiate and close a circuit-switched session.
With dial-on-demand routing, the router dials up the WAN link only when it senses “interesting” traffic. Interesting traffic might be defined as any traffic destined for the remote network, or only traffic related to a specific host address or service.
Equally important, dial-on-demand routing enables the router to take down the connection when it is no longer needed, ensuring that the user will not have unnecessary WAN usage charges.

 - Bandwidth-on-Demand

Bandwidth-on-demand works in a similar way.
When the router senses that the traffic level on the primary link has reached a certain threshold—say, when a user starts a large file transfer—it automatically dials up additional bandwidth through the PSTN to accommodate the increased load.
For example, if you’re using ISDN, you may decide that when the first B channel reaches 75% saturation for more than one minute, your router will automatically dial up a second B channel. When the traffic load on the second B channel falls below 40%, the channel is automatically dropped.
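To see how the two thresholds above interact, here is an added Python model (not code from the original post) of the bandwidth-on-demand rule: a second B channel is dialed when bundle utilisation stays above 75% for more than a minute and dropped when it falls below 40%. The one-second sampling, the 64 Kbps channel size and the traffic traces are assumptions. The second trace shows something the numbers alone do not make obvious: between 75% of one channel and 40% of two channels (48 to 51.2 Kbps of offered load) the link flaps up and down about once a minute.

```python
"""Added example (not from the original post): bandwidth-on-demand hysteresis.

Simplified model of a router deciding when to dial and drop a second ISDN
B channel.  Thresholds (75% add, 40% drop) and the one-minute dwell come from
the text; per-second sampling, 64 Kbps channels and the traces are assumed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class BandwidthOnDemand:
    add_threshold: float = 0.75    # dial another channel when load exceeds this ...
    add_dwell_s: int = 60          # ... for more than this many seconds
    drop_threshold: float = 0.40   # hang up a channel when load falls below this
    max_channels: int = 2          # a BRI has two B channels
    channel_kbps: float = 64.0     # capacity of one B channel
    channels: int = 1
    above_since: Optional[int] = None
    events: List[Tuple[int, str, int]] = field(default_factory=list)

    def utilisation(self, offered_kbps: float) -> float:
        """Offered load as a fraction of the bundle's current capacity."""
        return offered_kbps / (self.channel_kbps * self.channels)

    def sample(self, t: int, offered_kbps: float) -> int:
        """Apply the rule to one sample taken at time t (seconds).
        Returns the number of B channels up afterwards."""
        load = self.utilisation(offered_kbps)
        if self.channels > 1 and load < self.drop_threshold:
            self.channels -= 1                         # bundle lightly used: hang up
            self.above_since = None
            self.events.append((t, "drop", self.channels))
        elif load > self.add_threshold and self.channels < self.max_channels:
            if self.above_since is None:
                self.above_since = t                   # start the one-minute clock
            elif t - self.above_since > self.add_dwell_s:
                self.channels += 1                     # sustained overload: dial
                self.above_since = None
                self.events.append((t, "dial", self.channels))
        else:
            self.above_since = None                    # load dipped: reset the clock
        return self.channels

    def flap_band_kbps(self) -> Tuple[float, float]:
        """Offered-load range (low, high] where one channel is 'too busy' to stay
        single but two channels are 'too idle' to stay up.  Empty if low >= high."""
        low = self.add_threshold * self.channel_kbps
        high = self.drop_threshold * self.channel_kbps * self.max_channels
        return (low, high)


def run(trace: List[Tuple[int, float]], **kwargs) -> BandwidthOnDemand:
    """Feed a (time, offered_kbps) trace through a fresh controller."""
    bod = BandwidthOnDemand(**kwargs)
    for t, kbps in trace:
        bod.sample(t, kbps)
    return bod


# Constructed traces, sampled once per second.
TRANSFER_THEN_IDLE = [(t, 60.0) for t in range(70)] + [(t, 40.0) for t in range(70, 90)]
STEADY_50K = [(t, 50.0) for t in range(200)]   # sits inside the flap band


if __name__ == "__main__":
    print(run(TRANSFER_THEN_IDLE).events)          # dial at t=61, drop at t=70
    flapping = run(STEADY_50K)
    print(flapping.flap_band_kbps(), flapping.events)
```

The flap band disappears when drop_threshold times max_channels is no greater than add_threshold (for example a 35% drop threshold with two channels), or when a hold-down timer is added on the drop side as well as the dial side.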

Analog services - WAN Basics - How to Choose Services?

Analog services

Analog services are the least expensive type of service. ISDN costs somewhat more but improves performance over even the fastest current analog offerings. Leased lines are the costliest of these three options, but offer dedicated, digital service for more demanding situations. Which is right?
You’ll need to answer a few questions:

 - Will employees use the Internet frequently?
 - Will the Internet be used for conducting business (for example, inventory management, online catalog selling, account information, or bidding on new jobs)?
 - Do you anticipate a large volume of traffic between branch offices of the business?
 - Is there a plan to use videoconferencing or video training between locations?
 - Who will use the main office's connection to the Internet: individual employees at the central office, telecommuting workers dialing in from home, mobile workers dialing in from the road?

The more times the answer is “yes”, the more likely that leased line services are required. It is also possible to mix and match services. For example, small branch offices or individual employees dialing in from home might connect to the central office using ISDN, while the main connection from the central office to the Internet can be a T1.
Which service you select also depends on what the Internet Service Provider (ISP) is using. If the ISP's maximum line speed is 128 Kbps, as with ISDN, it wouldn't make sense to connect to that ISP with a T1 service. It is important to understand that as the bandwidth increases, so do the charges, both from the ISP and from the phone company. Keep in mind that rates for different kinds of connections vary from location to location.

Let’s compare our technology options, assuming all services are available in our region. To summarize:

 - A leased-line service provides a dedicated connection with a fixed bandwidth at a flat rate. You pay the same monthly fee regardless of how much or how little you use the connection.

 - A packet-switched service typically provides a permanent connection with specific, guaranteed bandwidth (Frame Relay). Temporary connections (such as X.25) may also be available. The cost of the line is typically a flat rate, plus an additional charge based on actual usage.

 - A circuit-switched service provides a temporary connection with variable bandwidth, with cost primarily based on actual usage.

X.25 Devices - Digital Subscriber Line (xDSL) - WAN Basics

X.25 Devices


X.25 networks implement the internationally accepted ITU-T standard governing the operation of packet-switching networks. Transmission links are used only when needed. X.25 was designed in the 1970s, when network link quality was relatively unstable, so it performs error checking along each hop from source node to destination node. The bandwidth is typically between 9.6 Kbps and 64 Kbps. X.25 is widely available in many parts of the world, including North America, Europe, and Asia, and there is a large installed base of X.25 devices.

Digital Subscriber Line (xDSL)

 - DSL is a pair of "modems" on each end of a copper wire pair
 - DSL converts ordinary phone lines into high-speed data conduits
 - Like dial, cable, wireless, and T1, DSL by itself is a transmission technology, not a complete solution
 - End-users don't "buy" DSL, they "buy" services, such as high-speed Internet access, intranet, leased line, voice, VPN, and video on demand
 - Service is limited to certain geographical areas

Digital subscriber line (DSL) technology is a high-speed service that, like ISDN, operates over the ordinary twisted-pair copper wires that supply phone service to businesses and homes in most areas. DSL is often more expensive than ISDN in markets where it is offered today.
Using special modems and dedicated equipment in the phone company's switching office, DSL offers faster data transmission than either analog modems or ISDN service, plus, in most cases, simultaneous voice communications over the same lines. This means you don't need to add lines to boost your data access speeds. And since DSL devotes a separate channel to voice service, phone calls are unaffected by data transmissions.

DSL Modem Technology

DSL has several flavors. ADSL delivers asymmetrical data rates (for example, data moves faster on the way to your PC than it does on the way out to Internet). Other DSL technologies deliver symmetrical data (same speeds traveling in and out of your PC).
The type of service available to you will depend on the carriers operating in your area. Because DSL works over the existing telephone infrastructure, it should be easy to deploy over a wide area in a relatively short time. As a result, the pursuit of market share and new customers is spawning competition between traditional phone companies and a new breed of firms called competitive local exchange carriers (CLECs).

Asynchronous Transfer Mode (ATM)


ATM is short for Asynchronous Transfer Mode, a technology capable of transferring voice, video and data through private and public networks. It uses VLSI hardware to segment data at high speeds into fixed-length units called cells. In effect it carves up Ethernet or Token Ring packets and creates cells out of them.

Each cell contains 5 bytes of header information and 48 bytes of payload, for 53 bytes total in every cell. The header carries identifiers that specify the data stream (virtual circuit) to which the cell belongs. ATM is capable of T3 speeds (E3 speeds in Europe) as well as fiber speeds such as SONET (Synchronous Optical Network) rates of OC-1 and up. ATM technology is primarily used in enterprise backbones or in WAN links.

Leased Line and Frame Relay - WAN Basics

Leased lines are most cost-effective if a customer’s daily usage exceeds four to six hours. Leased lines offer predictable throughput with bandwidth typically 56 Kbps to 1.544 Mbps. They require one connection per physical interface (namely, a synchronous serial port).
 - One connection per physical interface
 - Bandwidth: 56 kbps–1.544 Mbps
 - T1/E1 and fractional T1/E1
 - Cost effective at 4–6 hours daily usage
 - Dedicated connections with predictable throughput
 - Permanent
 - Cost varies by distance

Frame Relay

Frame Relay provides a standard interface to the wide-area network for bridges, routers, front-end processors (FEPs), and other LAN devices. A Frame Relay interface is designed to act like a wide-area LAN: it relays data frames directly to their destinations at very high speeds. Frame Relay frames travel over predetermined virtual-circuit paths, carry their own circuit identifier, and arrive at their destination in the correct order.
Frame Relay is designed to handle LAN-type bursty traffic efficiently.
The guaranteed bandwidth (known as the committed information rate, or CIR) is typically between 56 Kbps and 1.544 Mbps.
The cost is normally not distance-sensitive.

Connecting Offices with Frame Relay

Companies that require office-to-office communications usually choose between a dedicated leased-line connection and a packet-based service such as Frame Relay or X.25. As a rule, higher connect times make leased-line solutions more cost-effective.
Like ISDN, Frame Relay requires only one physical connection to the Frame Relay network, but it can support many permanent virtual circuits, or PVCs.

Frame Relay service is often less expensive than leased lines, and the cost is based on:

 - The committed information rate (CIR), which can be exceeded up to the port speed when capacity is available on your carrier's network.
 - Port speed.
 - The number of permanent virtual circuits (PVCs) you require; a benefit to users who need reliable, dedicated connections to several resources simultaneously.

Transmission Options or WAN Services - WAN Basics

Transmission Options or WAN Services

There are a number of transmission options available today. They fall either into the analog or digital category. Next let’s take a brief look at each of these transmission types.


POTS Using Modem Dialup

Analog modems using basic telephone service are asynchronous transmission-based, and have the following benefits:

 - Available everywhere
 - Easy to set up
 - Dial anywhere on demand
 - The lowest cost alternative of any wide-area service

Integrated Services Digital Network (ISDN)

 
ISDN is a digital service that can use asynchronous or, more commonly, synchronous transmission. ISDN can transmit data, voice, and video over existing copper phone lines. Instead of leasing a dedicated line for high-speed digital transmission, ISDN offers the option of dialup connectivity, incurring charges only when the line is active.
ISDN provides a high-bandwidth, cost-effective solution for companies requiring light or sporadic high-speed access to either a central or branch office.
Companies needing more permanent connections should evaluate leased-line connections.

 - High bandwidth
 - Up to 128 Kbps per basic rate interface
 - Dial on demand
 - Multiple channels
 - Fast connection time
 - Monthly rate plus cost-effective, usage-based billing
 - Strictly digital
ISDN comes in two flavors, Basic Rate Interface (BRI) and Primary Rate Interface (PRI). BRI provides two “B” or bearer channels of 64 Kbps each and one additional signaling channel called the “D” or delta channel.
While it requires only one physical connection, ISDN provides two channels that remote telecommuters use to connect to the company network.
PRI provides up to 23 bearer channels of 64 Kbps each and one D channel for signaling. That's 23 channels over a single physical connection, which makes it an elegant solution: there's no wiring mess. (PRI service typically provides 30 bearer channels outside the U.S. and Canada.)
You’ll want to use PRI at your central site if you plan to have many ISDN dial-in clients.

Circuit, Packet Switching and WAN Protocols - WAN Basics

Circuit Switching


 - Dedicated physical circuit established, maintained, and terminated through a carrier network for each communication session

 - Datagram and data stream transmissions

 - Operates like a normal telephone call

 - Example: ISDN

Service providers typically offer both circuit-switching and packet-switching services.
Circuit switching is a WAN switching method in which a dedicated physical circuit is established, maintained, and terminated through a carrier network for each communication session. Circuit switching accommodates two types of transmissions: datagram transmissions and data-stream transmissions. Used extensively in telephone company networks, circuit switching operates much like a normal telephone call. Integrated Services Digital Network (ISDN) is an example of a circuit-switched WAN technology.

Packet Switching

Packet switching is a WAN switching method in which network devices share a single point-to-point link to transport packets from a source to a destination across a carrier network. Statistical multiplexing is used to enable devices to share these circuits. Asynchronous Transfer Mode (ATM), Frame Relay, Switched Multimegabit Data Service (SMDS), and X.25 are examples of packet-switched WAN technologies.
 - Network devices share a point-to-point link to transport packets from a source to a destination across a carrier network

 - Statistical multiplexing is used to enable devices to share these circuits

 - Examples: ATM, Frame Relay, SMDS, X.25

WAN Virtual Circuits

 - A logical circuit ensuring reliable communication between two devices

 - Switched virtual circuits (SVCs)

     - Dynamically established on demand
     - Torn down when transmission is complete
     - Used when data transmission is sporadic

 - Permanent virtual circuits (PVCs)

     - Permanently established
     - Save bandwidth for cases where certain virtual circuits must exist all the time

 - Used in Frame Relay, X.25, and ATM

A virtual circuit is a logical circuit created to ensure reliable communication between two network devices. Two types of virtual circuits exist: switched virtual circuits (SVCs) and permanent virtual circuits (PVCs). Virtual circuits are used in Frame Relay and X.25 and ATM.
SVCs are dynamically established on demand and are torn down when transmission is complete. SVCs are used in situations where data transmission is sporadic.
PVCs are permanently established. PVCs save bandwidth associated with circuit establishment and tear down in situations where certain virtual circuits must exist all the time.

WAN Protocols

The OSI model provides a conceptual framework for communication between computers, but the model itself is not a method of communication. Actual communication is made possible by using communication protocols. A protocol implements the functions of one or more of the OSI layers. A wide variety of communication protocols exist, but all tend to fall into one of the following groups:

 - LAN protocols: operate at the physical and data link layers and define communication over the various LAN media

 - WAN protocols: operate at the lowest three layers and define communication over the various wide-area media.

 - Network protocols: are the various upper-layer protocols in a given protocol suite.

 - Routing protocols: network-layer protocols responsible for path determination and traffic switching.
SDLC:-
Synchronous Data Link Control. IBM’s SNA data link layer communications protocol. SDLC is a bit-oriented, full-duplex serial protocol that has spawned numerous similar protocols, including HDLC and LAPB.

HDLC:-
High-Level Data Link Control. Bit-oriented synchronous data link layer protocol developed by ISO. Specifies a data encapsulation method on synchronous serial links using frame characters and checksums.

LAPB:-
Link Access Procedure, Balanced. Data link layer protocol in the X.25 protocol stack. LAPB is a bit-oriented protocol derived from HDLC.

PPP:-
Point-to-Point Protocol. Provides router-to-router and host-to-network connections over synchronous and asynchronous circuits, with built-in security features (link authentication using PAP or CHAP). Works with several network layer protocols, such as IP, IPX, and ARA.

X.25 PLP:-
Packet Level Protocol. Network layer protocol in the X.25 protocol stack. Defines how connections are maintained for remote terminal access and computer communications in public data networks (PDNs). Frame Relay is superseding X.25.

ISDN:-
Integrated Services Digital Network. Communication protocol, offered by telephone companies, that permits telephone networks to carry data, voice, and other source traffic.

Frame Relay:-
Industry-standard, switched data link layer protocol that handles multiple virtual circuits using HDLC encapsulation between connected devices. Frame Relay is more efficient than X.25, and generally replaces it.

What Is a WAN? WAN Basics

What Is a WAN?

So, what is a WAN? A WAN is a data communications network that serves users across a broad geographic area and often uses transmission facilities provided by common carriers such as telephone companies. These providers are companies like MCI, AT&T, UUNET, and Sprint. There are also many small service providers that provide connectivity to one of the larger carriers' networks and may even have email servers to store clients' mail until it is retrieved.

 - Telephone service is commonly referred to as plain old telephone service (POTS).

 - WAN technologies function at the lower three layers of the OSI reference model: the physical layer, the data link layer, and the network layer.

Common WAN network components include WAN switches, access servers, modems, CSU/DSUs, and ISDN terminal adapters.

WAN Devices

A WAN switch is a multiport internetworking device used in carrier networks. These devices typically switch traffic such as Frame Relay, X.25, and SMDS and operate at the data link layer of the OSI reference model. These WAN switches can share bandwidth among allocated service priorities, recover from outages, and provide network design and management systems.

A modem is a device that interprets digital and analog signals, enabling data to be transmitted over voice-grade telephone lines. At the source, digital signals are converted to analog. At the destination, these analog signals are returned to their digital form.

An access server is a concentration point for dial-in and dial-out connections.

A channel service unit/data service unit (CSU/DSU) is a digital interface device that adapts the physical interface on a data terminal equipment (DTE) device (such as a terminal or router) to the interface of a data circuit-terminating equipment (DCE) device (such as a switch) in a switched-carrier network. The CSU/DSU also provides signal timing for communication between these devices.

An ISDN terminal adapter is a device used to connect ISDN Basic Rate Interface (BRI) connections to other interfaces, such as EIA/TIA-232. A terminal adapter is often called an ISDN modem, although ISDN is digital end to end and no modulation actually takes place.

WAN Terminating Equipment

The WAN physical layer describes the interface between the data terminal equipment (DTE) and the data circuit-terminating equipment (DCE). Typically, the DCE is the service provider, and the DTE is the attached device (the customer’s device). In this model, the services offered to the DTE are made available through a modem or channel service unit/data service unit (CSU/DSU).
A CSU/DSU (channel service unit/data service unit) is the device that connects the end-user equipment to the local digital telephone loop or to the service provider's data transmission loop. The DSU adapts the physical interface on a DTE device to a transmission facility such as T1 or E1, and is also responsible for functions such as signal timing for synchronous serial transmissions.
Unless a company literally owns the lines over which it transports data, it must use the services of a service provider to access the wide area network.

LAN Switching Basics - Understanding LAN Switching

LAN Switching Basics


 - Enables dedicated access
 - Eliminates collisions and increases capacity
 - Supports multiple conversations at the same time
First of all, it's important to understand the reason that we use LAN switching. Basically, switches provide what we called earlier micro-segmentation: dedicated bandwidth for each user on the network. That eliminates collisions in our network and effectively increases the capacity available to each station. It also supports multiple simultaneous conversations at any given time, which dramatically improves both the bandwidth that's available and the scalability of our network.

LAN Switch Operation

So let's take a look at the fundamental operation of a LAN switch to see what it can do for us. Suppose we have some data to transmit from Station A to Station B.

As we watch this traffic go through the network, remember that the switch operates at Layer 2. That means the switch can look at the MAC-layer address, the Media Access Control address, on each frame as it passes through.

The switch examines each frame, picks off the source MAC address and stores it in an address table. So, as the traffic goes through, the switch makes an entry in that table recording which station is connected to which switch port.

Now, once that first frame is in the switch, the switch has no choice but to flood it out all ports except the one it arrived on. It floods because it does not yet know where the destination station resides.

Once that address entry is in the table, though, when the response comes back from Station B to Station A, the switch knows where Station A is connected to the network.
So Station B transmits its reply into the switch, but notice the switch doesn't flood the traffic this time; it sends it only out port number 3. That is because the switch learned exactly where Station A is from the original transmission, when it noted which port that MAC address came in on. That allows it to deliver traffic far more efficiently.
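The learning and flooding behaviour just described, as an added Python simulation (not code from the original post). Station A is on port 3 as in the text; the MAC addresses, the 4-port switch and Station B's port are made up for the example, and the "filter" case (source and destination on the same port) is the classic bridging rule rather than something the text spells out.

```python
"""Added example (not from the original post): a transparent learning switch.

The switch records each frame's source MAC against its ingress port.  A frame
for an unknown (or broadcast) destination is flooded out every other port;
once the destination has been learned, frames go out that single port.
MAC addresses and port assignments are constructed for this demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str        # source MAC address
    dst: str        # destination MAC address
    payload: str


@dataclass
class LearningSwitch:
    num_ports: int
    table: Dict[str, int] = field(default_factory=dict)   # MAC -> port

    def _flood(self, in_port: int) -> List[int]:
        """Every port except the one the frame arrived on."""
        return [p for p in range(1, self.num_ports + 1) if p != in_port]

    def forward(self, frame: Frame, in_port: int) -> List[int]:
        """Process one frame arriving on in_port; return the egress port list."""
        # Learn (or refresh) where the source lives from the frame we just saw.
        self.table[frame.src] = in_port

        if frame.dst == BROADCAST:
            return self._flood(in_port)

        out_port = self.table.get(frame.dst)
        if out_port is None:
            # Destination not yet learned: no choice but to flood.
            return self._flood(in_port)
        if out_port == in_port:
            # Source and destination share a segment: filter, do not forward.
            return []
        # Destination known: forward out that single port.
        return [out_port]


# Constructed stations for the demonstration.
MAC_A = "00:00:0c:aa:aa:aa"   # Station A, on port 3 (as in the text)
MAC_B = "00:00:0c:bb:bb:bb"   # Station B, on port 1 (assumed)


def demo() -> List[List[int]]:
    """Replay the exchange from the text; return the egress decision per frame."""
    sw = LearningSwitch(num_ports=4)
    return [
        sw.forward(Frame(MAC_A, MAC_B, "request"), in_port=3),    # B unknown: flood
        sw.forward(Frame(MAC_B, MAC_A, "reply"), in_port=1),      # A learned: port 3
        sw.forward(Frame(MAC_A, MAC_B, "request 2"), in_port=3),  # B learned: port 1
    ]


if __name__ == "__main__":
    for ports in demo():
        print("forwarded out ports:", ports)
```

Note that until the destination has been learned, every station on the switch receives a copy of the frame, exactly as on a shared hub; the dedicated-bandwidth benefit only applies once both ends of a conversation are in the table.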

Today’s LANs - Understanding LAN Switching

Today’s LANs


 - Mostly switched resources; few shared
 - Routers provide scalability
 - Groups of users determined by physical location
When we look at today's LANs, the ones most commonly implemented, we see mostly switched infrastructures. Because of the price point of deploying switches, many companies are bypassing shared hub technologies and moving directly to switches. Even within switched networks, at some point we still need routers to provide scalability. And in terms of the grouping of users, groups are still largely determined by physical location. So that's a quick look at traditional shared LAN technologies. Now that we know those limitations, we want to look at how we can fix some of those issues by deploying LAN switches and taking advantage of some new, improved technologies.

The Need for Speed: Early warning signs for congestion problems - Understanding LAN Switching

Now, how can you tell if you have congestion problems in your network? Some early warning signs to watch for include increased delay on file transfers. If basic file transfers are taking a long, long time, that means we may need more bandwidth. Another sign is print jobs that take a very long time to print: if the time from queuing a job at the workstation until it actually prints keeps growing, that indicates we may have LAN congestion problems. Also, if your organization is looking to take advantage of multimedia applications, you're going to need to move beyond basic shared LAN technologies, because shared LANs don't have the multicast controls that multimedia applications need.

Typical Causes of Network Congestion

If we're seeing those early warning signs, one cause to look for is too many users on a shared LAN segment. Remember that a shared LAN segment has a fixed amount of bandwidth. As we add users, we proportionally degrade the bandwidth available per user, until at some number of users there are too many collisions and too many simultaneous conversations trying to occur at the same time.
That reduces our performance. Another cause is the newer technology in our workstations. With early LAN technologies, workstations were relatively limited in the amount of traffic they could dump on the network. With newer, faster CPUs, faster buses, faster peripherals and so on, it's much easier for a single workstation to fill up a network segment. Because we have much faster PCs, and can do more with the applications on them, we fill up the available bandwidth more quickly.

Network Traffic Impact from Centralization of Servers

Also, the way traffic is distributed on our network can have an impact. A very common thing to do in many networks is to build what's known as a server farm. In a server farm we centralize all the resources that need to be accessed by all the workstations on the network, which concentrates traffic and causes congestion on those centralized, or backbone, segments.
Servers are gradually moving into a central area (data center), rather than being located throughout the company, in order to:

 - Ensure company data integrity
 - Maintain the network and ensure operability
 - Maintain security
 - Perform configuration and administrative functions

More centralized servers increase the bandwidth demands on campus and workgroup backbones.

Bridges And Switches - Layer 2 - Understanding LAN Switching

Bridges

Another way is to add bridges. In order to scale our networks we need to do something known as segmentation. And bridges provide a certain level of segmentation in our network. And bridges do this by adding a certain amount of intelligence into the network. Bridges operate at Layer 2, while hubs operate at Layer 1. So operating at Layer 2 gives us more intelligence in order to make an intelligent forwarding decision.
That's why we say that bridges are more intelligent than a hub, because they can actually listen in, or eavesdrop on the traffic going through the bridge, they can look at source and destination addresses, and they can build a table that allows them to make intelligent forwarding decisions.
They actually collect and pass frames between two network segments and while they're doing this they're making intelligent forwarding decisions. As a result, they can actually provide greater control of the traffic within our network.

Switches - Layer 2

To provide even better control we're going to look to switches, which provide the most control in our network, at least at Layer 2. And as you can see in the diagram, switches have improved the flow of traffic going through our network.
Getting back to our traffic analogy, as you can see looking at the highway here, we've actually subdivided the main highway so that each particular car has its own lane that it can drive on through the network. And fundamentally, this is what we can provide in our data networks as well. So when we look at our network we see that physically each station has its own cable into the network; conceptually, we can think of this as each workstation having its own lane through the highway. This is known as micro-segmentation, which is a fancy way simply to say that each workstation gets its own dedicated segment through the network.

Switches versus Hubs

If we compare that with a hub or with a bridge, we're limited on the number of simultaneous conversations we can have at a time. Remember that if two stations tried to communicate in a hubbed environment, that caused something known as collisions. Well, in a switched environment we're not going to expect collisions because each workstation has its own dedicated path through the network. What that means in terms of bandwidth, and in terms of scalability, is we have dramatically more bandwidth in the network. Each station now will have a dedicated 10 megabits per second worth of bandwidth.
So when we look at our switches versus our hubs, and the top diagram, remember that we're looking at a hub. And this is when all of our traffic was fighting for the same fixed amount of bandwidth. Looking at the bottom diagram you can see that we've improved our traffic flow through the network, because we've provided a dedicated lane for each workstation.

Broadcasts Consume Bandwidth - Understanding LAN Switching

Broadcasts Consume Bandwidth

Now, in terms of broadcasts, it's relatively easy to broadcast in a network, and that's a transmission mechanism that many different protocols use to communicate certain information, such as address resolution, for example. Address resolution is something that all protocols need to do in order to map Layer 2 MAC addresses up to logical layer, or Layer 3, addresses. For example, in an IP network we use ARP, the Address Resolution Protocol, and this allows us to map Layer 3 IP addresses down to Layer 2 MAC-layer addresses. Also, in terms of distributing routing protocol information, we do this by way of broadcasting, and some key network services in our networks rely on broadcast mechanisms as well.
And it doesn't really matter what our protocol is, whether it's AppleTalk or Novell IPX or TCP/IP, for example; all of these different Layer 3 protocols rely on the broadcast mechanism. So, in other words, all of these protocols produce broadcast traffic in a network.

Broadcasts Consume Processor Performance

Now, in addition to consuming bandwidth on the network, another by-product of broadcast traffic in the network is that it consumes CPU cycles as well. Since broadcast traffic is sent out and received by all stations on the network, that means that we must interrupt the CPU of all stations connected to the network. So here in this diagram you see the results of a study that was performed with several different CPUs on a network. And it shows you the relative level of CPU degradation as the number of broadcasts on a network increases.
So you can see, we did this study based on a SPARC2 CPU, a SPARC5 CPU and also a Pentium CPU. And as the number of broadcasts increased, the amount of CPU cycles consumed, simply by processing and listening to that broadcast traffic, increased dramatically. So, the other thing we need to recognize is that a lot of times the broadcast traffic in our network is not needed by the stations that receive it. So what we have then in shared LAN technologies is our broadcast traffic running throughout the network, needlessly consuming bandwidth, and needlessly consuming CPU cycles.

Hub-Based LANs

So hubs are introduced into the network as a better way to scale our thin and thick Ethernet networks. It's important to remember, though, that these are still shared Ethernet networks, even though we're using hubs.
Basically what we have is an individual desktop connection for each individual workstation or server in the network, and this allows us to centralize all of our cabling back to a wiring closet, for example. There are still security issues here, though. It's still relatively easy to tap in and monitor a network by way of a hub. In fact it's even easier to do that, because all of the resources are generally located centrally. If we need to scale this type of network we're going to rely on routers to scale it beyond the workgroup, for example.
It makes adds, moves and changes easier because we can simply go to the wiring closet and move cables around, but we'll see later on with LAN switching that it's even easier there. Also, in terms of our workgroups, in a hub or concentrator based network, the workgroups are determined simply by the physical hub that we plug into. And once again we'll see later on with LAN switching how we can improve this as well.
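As an added example (not code from the original post), the following Python model replays one constructed frame sequence through a hub and through a learning bridge/switch. It shows the MAC-table learning and forwarding decisions described under Bridges, the per-station traffic reduction described under Switches versus Hubs, and why a station that only listens on a hub sees every frame, including other users' logins, while on a switch it sees only broadcasts and flooded unknowns. Station names, MAC addresses and payloads are constructed for the example.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC
    dst: str      # destination MAC (or BROADCAST)
    payload: str


class Hub:
    """Layer 1 repeater: a frame arriving on one port is repeated out every other port."""

    def __init__(self, ports):
        self.delivered = {p: [] for p in ports}

    def receive(self, in_port, frame):
        for p in self.delivered:
            if p != in_port:
                self.delivered[p].append(frame)


class LearningSwitch:
    """Layer 2 bridge/switch: learns source MAC -> port, forwards known unicasts to one port,
    and floods broadcasts and unknown destinations."""

    def __init__(self, ports):
        self.delivered = {p: [] for p in ports}
        self.mac_table = {}   # MAC -> port, built by listening to source addresses
        self.floods = 0

    def receive(self, in_port, frame):
        self.mac_table[frame.src] = in_port          # learning step
        out_port = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or out_port is None:
            self.floods += 1                          # broadcasts/unknowns still reach everyone
            targets = [p for p in self.delivered if p != in_port]
        elif out_port == in_port:
            targets = []                              # same segment: filter, do not forward
        else:
            targets = [out_port]                      # micro-segmentation: one dedicated path
        for p in targets:
            self.delivered[p].append(frame)


def run_scenario(device_cls):
    """Replay a constructed ARP-style broadcast and a few unicasts; return frames seen per port."""
    ports = ["A", "B", "C", "D"]                      # D never transmits, it only listens
    mac = {p: f"00:00:00:00:00:0{i}" for i, p in enumerate(ports, 1)}
    dev = device_cls(ports)
    traffic = [
        ("A", Frame(mac["A"], BROADCAST, "who-has B?")),   # ARP-style broadcast
        ("B", Frame(mac["B"], mac["A"], "arp reply")),
        ("A", Frame(mac["A"], mac["B"], "login request")),
        ("B", Frame(mac["B"], mac["A"], "login reply")),
        ("C", Frame(mac["C"], mac["A"], "file request")),
        ("A", Frame(mac["A"], mac["C"], "file data")),
    ]
    for in_port, frame in traffic:
        dev.receive(in_port, frame)
    return {p: len(frames) for p, frames in dev.delivered.items()}


if __name__ == "__main__":
    print("hub   :", run_scenario(Hub))             # D sees all 6 frames, including logins
    print("switch:", run_scenario(LearningSwitch))  # D sees only the 1 broadcast
```

On the hub, port D receives all six frames; on the switch it receives only the single broadcast, while A, B and C receive just the frames addressed to them plus that broadcast.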

Shared LAN Technology - Understanding LAN Switching

Early Local Area Networks

The earliest Local Area Network technologies that were installed widely were either thick Ethernet or thin Ethernet infrastructures. And it's important to understand some of the limitations of these to see where we're at today with LAN switching. With thick Ethernet installations there were some important limitations, such as distance, for example. Early thick Ethernet networks were limited to only 500 meters before the signal degraded. In order to extend beyond the 500 meter distance, repeaters had to be installed to boost and amplify that signal. There were also limitations on the number of stations and servers we could have on our network, as well as the placement of those workstations on the network.
The cable itself was relatively expensive. It was also large in diameter, which made it difficult, or more challenging, to install throughout the building as we pulled it through the walls and ceilings and so on. As far as adding new users, it was relatively simple. They could use what was known as a non-intrusive tap to plug in a new station anywhere along the cable. And in terms of the capacity that was provided by this thick Ethernet network, it provided 10 megabits per second, but this was shared bandwidth, meaning that that 10 megabits was shared amongst all users on a given segment.
A slight improvement to thick Ethernet was thin Ethernet technology, commonly referred to as Cheapernet. This was less expensive and it required less space in terms of installation than thick Ethernet because it was actually thinner in diameter, which is where the name thin Ethernet came from. It was still relatively challenging to install, though, as it sometimes required what we call home runs, or a direct run from a workstation back to a hub or concentrator. And also adding users required a momentary interruption in the network, because we actually had to cut or make a break in a cable segment in order to add a new server or workstation. So those are some of the limitations of early thin and thick Ethernet networks. An improvement on thin and thick Ethernet technology was adding hubs or concentrators into our network. And this allowed us to use something known as UTP cabling, or Unshielded Twisted Pair cabling.
As you can see indicated in the diagram on the left, Ethernet is fundamentally what we call a shared technology. That is, all users of a given LAN segment are fighting for the same amount of bandwidth. And this is very similar to the cars you see in our diagram here, all trying to get onto the freeway at once. This is really what our frames, or packets, do in our network as we're trying to make transmissions on our Ethernet network. So, this is actually what's occurring on our hub. Even though each device has its own cable segment connecting into the hub, we're still all fighting for the same fixed amount of bandwidth in the network.
Some common terms that we hear associated with the use of hubs: sometimes we call these Ethernet concentrators, or Ethernet repeaters, and they're basically self-contained Ethernet segments within a box. So while physically it looks like everybody has their own segment to their workstation, they're all interconnected inside of this hub, so it's still a shared Ethernet technology. Also, these are passive devices, meaning that they're virtually transparent to the end users; the end users don't even know that those devices exist, they don't have any role in terms of a forwarding decision in the network whatsoever, and they also don't provide any segmentation within the network whatsoever. And this is basically because they work at Layer 1 in the OSI framework.

Collisions: Telltale Signs

A by-product that we have in any Ethernet network is something called collisions. And this is a result of the fundamental characteristic of how any Ethernet network works. Basically, what happens in an Ethernet network is that many stations are sharing the same segment. So what can happen is any one of these stations can transmit at any given time. And if 2 or more stations try to transmit at the same time, it's going to result in what we call a collision. And this is actually one of the early tell-tale signs that your Ethernet network is becoming too congested, or we simply have too many users on the same segment. And when we get to a certain number of collisions in the network, where they become excessive, this is going to cause sluggish network response times, and a good way to measure that is by the increasing number of user complaints that are reported to the network manager.

Other Bandwidth Consumers

It's also important to understand fundamentally how transmissions can occur in the network. There are basically three different ways that we can communicate in the network. The most common way is by way of unicast transmissions. And when we make a unicast transmission, we basically have one transmitter that's trying to reach one receiver, which is by far the most common, or hopefully the most common, form of communication in our network.
Another way to communicate is with a mechanism known as a broadcast. And that is when one transmitter is trying to reach all receivers in the network. So, as you can see in the diagram, in the middle, our server station is sending out one message, and it's being received by everyone on that particular segment.
The last mechanism we have is what is known as a multicast. And a multicast is when one transmitter is trying to reach, not everyone, but a subset or a group of the entire segment. So as you can see in the bottom diagram, we're reaching two stations, but there's one station that doesn't need to participate, so it's not in our multicast group. So those are the three basic ways that we can communicate within our Local Area Network.

FDDI - Fiber Distributed Data Interface - LAN Basics

FDDI - Fiber Distributed Data Interface


FDDI is an American National Standards Institute (ANSI) standard that defines a dual Token Ring LAN operating at 100 Mbps over an optical fiber medium. It is used primarily for corporate and carrier backbones.
Token Ring and FDDI share several characteristics including token passing and a ring architecture which were explored in the previous section on Token Ring. Copper Distributed Data Interface (CDDI) is the implementation of FDDI protocols over STP and UTP cabling. CDDI transmits over relatively short distances (about 100 meters), providing data rates of 100 Mbps using a dual-ring architecture to provide redundancy.
While FDDI is fast, reliable, and handles a lot of data well, its major problem is the use of expensive fiber-optic cable. CDDI addresses this problem by using UTP or STP. However, notice that the maximum segment length drops significantly.
FDDI was developed in the mid-1980s to fill the needs of growing high-speed engineering workstation capacity and network reliability. Today, FDDI is frequently used as a high-speed backbone technology because of its support for high bandwidth and greater distances than copper.

FDDI Network Architecture

FDDI uses a dual-ring architecture. Traffic on each ring flows in opposite directions (called counter-rotating). The dual-rings consist of a primary and a secondary ring. During normal operation, the primary ring is used for data transmissions, and the secondary ring remains idle. The primary purpose of the dual rings is to provide superior reliability and robustness.
One of the unique characteristics of FDDI is that multiple ways exist to connect devices to the ring. FDDI defines three types of devices: single-attachment station (SAS) such as PCs, dual attachment station (DAS) such as routers and servers, and a concentrator.

 - Dual-ring architecture

       - Primary ring for data transmissions
       - Secondary ring for reliability and robustness

 - Components

       - Single attachment station (SAS)—PCs
       - Dual attachment station (DAS)—Servers
       - Concentrator

 - FDDI concentrator

       - Also called a dual-attached concentrator (DAC)
       - Building block of an FDDI network
       - Attaches directly to both rings and ensures that any SAS failure or power-down does not bring down the ring

Example:
An FDDI concentrator (also called a dual-attachment concentrator [DAC]) is the building block of an FDDI network. It attaches directly to both the primary and secondary rings and ensures that the failure or power-down of any single attachment station (SAS) does not bring down the ring. This is particularly useful when PCs, or similar devices that are frequently powered on and off, connect to the ring.

- FDDI Summary -

 - Features

       - 100-Mbps token-passing network
       - Single-mode (100 km), multimode (2 km)
       - CDDI transmits at 100 Mbps over about 100 m
       - Dual-ring architecture for reliability

 - Optical fiber advantages versus copper

       - Security, reliability, and performance are enhanced because it does not emit electrical signals
       - Much higher bandwidth than copper

 - Used for corporate and carrier backbones

Token Ring Operation - LAN Basics

Token Ring Operation


Station access to a Token Ring is deterministic; a station can transmit only when it receives a special frame called a token. One station on a token ring network is designated as the active monitor. The active monitor will prepare a token. A token is usually a few bits with significance to each one of the network interface cards on the network. The active monitor will pass the token into the multistation access unit. The multistation access unit then will pass the token to the first downstream neighbor. Let’s say in this example that station A has something to transmit. Station A will seize the token and append its data to the token. Station A will then send its token back to the multistation access unit. The MAU will then grab the token and push it to the next downstream neighbor. This process is followed until the token reaches the destination for which it is intended.
If a station receiving the token has no information to send, it simply passes the token to the next station. If a station possessing the token has information to transmit, it claims the token by altering one bit of the frame, the T bit. The station then appends the information it wishes to transmit and sends the information frame to the next station on the Token Ring.
The information frame circulates the ring until it reaches the destination station, where the frame is copied by the station and tagged as having been copied. The information frame continues around the ring until it returns to the station that originated it, and is removed.
Because frames proceed serially around the ring, and because a station must claim the token before transmitting, collisions are not expected in a Token Ring network.
Broadcasting is supported in the form of a special mechanism known as explorer packets. These are used to locate a route to a destination through one or more source route bridges.
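As an added example (not code from the original post), this Python model walks through the token-passing operation described above: the active monitor injects a free token, a station with data seizes it by flipping the T bit and appending its data, the destination copies the frame and tags it as copied, and the originating station removes its own frame when it comes back around and releases a fresh token. Station names and the two pending transmissions are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Frame:
    busy: bool                 # the T bit: False = free token, True = token claimed, data appended
    src: Optional[str] = None
    dst: Optional[str] = None
    data: str = ""
    copied: bool = False       # destination sets this to tag the frame as copied


@dataclass
class Station:
    name: str
    outbox: list = field(default_factory=list)    # pending (dst, data) pairs
    received: list = field(default_factory=list)

    def handle(self, frame, log):
        """Process the frame handed to us by the MAU and return what we send downstream."""
        if not frame.busy:                        # a free token
            if not self.outbox:
                return frame                      # nothing to send: pass the token on unchanged
            dst, data = self.outbox.pop(0)
            log.append(f"{self.name} seizes token -> {dst}")
            return Frame(True, self.name, dst, data)   # flip the T bit and append data
        if frame.src == self.name:                # our own frame has come all the way around
            log.append(f"{self.name} removes own frame (copied={frame.copied}) and releases token")
            return Frame(False)
        if frame.dst == self.name:                # addressed to us: copy, tag, keep it moving
            self.received.append((frame.src, frame.data))
            frame.copied = True
            log.append(f"{self.name} copies frame from {frame.src}")
        return frame                              # not for us: repeat it downstream


def run_ring(stations, max_hops=1000):
    """stations[0] acts as active monitor and injects the token; the MAU hands each frame to
    the next downstream neighbour. Runs until a free token completes a full lap with nothing queued."""
    log, frame, hops = [], Frame(False), 0
    while hops < max_hops:
        frame = stations[hops % len(stations)].handle(frame, log)
        hops += 1
        idle = not frame.busy and not any(s.outbox for s in stations)
        if idle and hops % len(stations) == 0:
            break
    return log


def demo():
    """Constructed scenario: A has a job for C and C has an ack for B; one frame at a time on the ring."""
    a, b, c, d = (Station(n) for n in "ABCD")
    a.outbox.append(("C", "print job"))
    c.outbox.append(("B", "ack"))
    log = run_ring([a, b, c, d])
    return {s.name: s.received for s in (a, b, c, d)}, log


if __name__ == "__main__":
    received, log = demo()
    print("\n".join(log))
    print(received)
```

Because a station transmits only while it holds the token, the model never has two frames on the ring at once, which is why collisions are not expected in Token Ring.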

- Token Ring Summary -

 - Reliable transport, minimized collisions

 - Token passing/token seizing

 - 4- or 16-Mbps transport

 - Little performance impact with increased number of users

 - Popular at IBM-oriented sites such as banks and automated factories