
1|Page

INDUSTRIAL TRAINING REPORT

Submitted in partial fulfillment of the Requirements for the award of the degree

Of

Bachelor of Technology
In INFORMATION TECHNOLOGY

L.R INSTITUTE OF ENGINEERING & TECHNOLOGY


OACHGHAT, SOLAN, HP (INDIA)

BY:-

SUMIT CHANDEL


Acknowledgement
This project was one of the most productive & knowledgeable experiences in my engineering career. I have learned so many new things during this project like how to work in a group, leadership, how to use different skills and knowledge, group discussion etc. It provided me a golden opportunity to improve my basic skills and practical aspects which is the primary requirement of today's companies and organizations. It gives me an immense pleasure to thank those people who have contributed directly or indirectly during the completion of this project. I would like to express my gratitude to Mr. ASHUTOSH Sir for all time cooperation in guiding this project into final shape. Last but not the least, I wish to thank our College Principal and H.O.D. Sir to encourage me to complete this project.

- SUMIT CHANDEL


CERTIFICATE

This is to certify that the project report entitled 'NETWORK SYSTEM' submitted by SUMIT CHANDEL, in the partial fulfillment of the requirement of the course of NETWORKING AND TECHNOLOGY in INFORMATION TECHNOLOGY, embodies the work done by them under my guidance.

Project In-charge / Guide:

Mr. ASHUTOSH SHARMA (PROJECT ASSISTANT) DIT-SHIMLA


INDEX

Sr. No.  Topic                                                        Page
1        Training Organization detail                                 05 - 05
2        Introduction to Computer Networking                          06 - 18
3        Principle Building Block - The basic component of a network  19 - 21
4        OSI Model                                                    22 - 25
5        TCP/IP                                                       26 - 30
6        Cisco IOS                                                    31 - 32
7        Routing Table                                                33 - 34
8        STP                                                          35 - 36
9        TCP/IP VLAN                                                  37 - 38
10       Access-List                                                  39 - 40
11       Network Address Translation                                  41 - 44
12       Bibliography                                                 45 - 45


CHAPTER - TRAINING ORGANISATION DETAIL

Department of Information Technology is the state level organization that provides all the software needs to the state of Himachal Pradesh. It is a national level government organization that provides training to young individuals in the field of Information Technology and Computer Science. The entire software maintenance and development task is done by this very organization. DIT is a dynamic, growing institution, focused on the development of cutting edge solutions in the following domains:
Health Informatics
Multilingual Technologies
Software Technologies
Cyber Forensics and Security
Multimedia Technologies

The organization inculcates the tangible need of the flexible nature of the software market. It has various plans to implement and to share with trainees. They make trainees work in some of the live projects of the state. So this is overall training to an individual here at DIT. National Informatics Centre is the major player for the spread of IT in the State and Districts. The IT requirements at the District are being fulfilled by the District Informatics Centres of NIC established in each District.


CHAPTER-1
Computer Network
A computer network is an interconnection of various computer systems located at different places. In a computer network two or more computers are linked together with a medium and data communication devices for the purpose of communicating data and sharing resources. The computer that provides resources to other computers on a network is known as a server. In the network the individual computers, which access shared network resources, are known as nodes.

Types of Networks:
There are many different types of networks. However, from an end user's point of view there are two basic types:
Local-Area Networks (LANs): The computers are geographically close together (that is, in the same building).
Wide-Area Networks (WANs): The computers are farther apart and are connected by telephone lines or radio waves.
In addition to these types, the following characteristics are also used to categorize different types of networks.

Other Definitions:

Topology
The geometric arrangement of a computer system is termed its topology. Common topologies include bus, star, and ring.

Protocol
The protocol defines a common set of rules and signals that computers on the network use to communicate. One of the most popular protocols for LANs is called Ethernet. Another popular LAN protocol for PCs is the IBM token-ring network.

Architecture
Networks can be broadly classified as using either peer-to-peer or client/server architecture. Computers on a network are sometimes called nodes. Computers and devices that allocate resources for a network are called servers.

LANs
A LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected to other LANs over any distance via telephone lines and radio waves. A system of LANs connected in this way is called a wide-area network (WAN). Most LANs, as shown in the Figure, connect workstations and personal computers. Each node (individual computer) in a LAN has its own CPU with which it executes programs, but it is also able to access data and devices anywhere on the LAN. This means that many users can share expensive devices, such as laser printers, as well as data. Users can also use the LAN to communicate with each other, by sending e-mail or engaging in chat sessions. There are many different types of LANs, token-ring networks, Ethernets, and ARCnets being the most common for PCs.

[Figure: A Typical LAN]
LANs are capable of transmitting data at very fast rates, much faster than data can be transmitted over a telephone line; but the distances are limited, and there is also a limit on the number of computers that can be attached to a single LAN.


WANs
A WAN is a computer network that spans a relatively large geographical area. Typically, a WAN consists of two or more local-area networks (LANs). Computers connected to a wide-area network are often connected through public networks, such as the telephone system. They can also be connected through leased lines or satellites. The largest WAN in existence is the Internet.

[Figure: WAN Connection (DCE / DTE)]
WANs connect users and LANs spread between various sites, whether in the same city, across the country, or around the world. "Remote access" refers to a simple connection, usually dialled up over telephone lines as needed, between an individual user or very small branch office and a central network. Your campus gains access to the Internet through some type of remote connection. A single user can use a modem to dial up an Internet service provider (ISP). Multiple users within a campus might choose to rely on a router to connect to the ISP, who then connects the campus to the Internet. In general, LAN speeds are much greater than WAN and remote access speeds. For example, a single shared Ethernet connection runs at 10 Mbps (mega means "million"). Today's fastest analogue modem runs at 56 kilobits per second (Kbps) (kilo means "thousand"), less than one percent of the speed of an Ethernet link. Even the more expensive, dedicated WAN services such as T1 lines don't compare (with bandwidth of 1.5 Mbps, a T1 line has only 15 percent of the capacity of a single Ethernet link). For this reason, proper network design aims to keep most traffic local, that is, contained within one site, rather than allowing that traffic.

Network Topologies

As we have seen earlier, topology is the geometric arrangement of the computers in a network. Common topologies include star, ring and bus.

Star Network
The star network as shown in Fig 5.6 is frequently used to connect one or more small computers or peripheral devices to a large host computer or CPU. Many organizations use the star network or a variation of it in a time-sharing system, in which several users are able to share a central processor.

In a time-sharing setup, each terminal receives a fixed amount of the CPU's time, called a time slice. If you are sitting at a terminal and cannot complete your task during the time slice, the computer will come back to you to allow you to do so. Actually, because the CPU operates so much faster than terminals, you will probably not even notice that the CPU is away. By establishing time-sharing, many people in a large organization can use a centralized computing facility. Time-sharing can also be purchased from an outside service, which is an economical way to operate for a small company that cannot afford its own large computer. A star network is frequently used in a LAN to connect several microcomputers to a central unit that works as a communications controller. If the user of one microcomputer wants to send a document or message to a user at another computer, the message is routed through the central communications controller. Another common use of the star network is the feasibility of connecting several microcomputers to a mainframe computer that allows access to an organization's database. Access and control of a star network typically is maintained by a polling system. Polling means that the central computer or communications controller "polls" or asks each device in the network if it has a message to send and then allows each in turn to transmit data.

Ring Network
The ring network is a Local Area Network (LAN) whose topology is a ring - it can be as simple as a circle or point-to-point connections of computers at dispersed locations, with no central host computer or communications controller. That is, all of the nodes are connected in a closed loop. Messages travel around the ring, with each node reading those messages addressed to it. One of the advantages of ring networks is that they can span larger distances than other types of networks, such as bus networks, because each node regenerates messages as they pass through it.

Access and control of ring networks are typically maintained by a "token-passing" system. IBM's Token-Ring network is thought by some observers to be a watershed event comparable to the development of the IBM PC itself, because the Token-Ring network is designed to link all types of computers together, including not only personal computers but also possibly minicomputers and mainframes.

Bus Network
Bus networks are similar to ring networks except that the ends are not connected. All communications are carried on a common cable or bus and are available to each device on the network.

Access and control of bus networks are typically maintained by a method called contention, whereby if a line is unused, a terminal or device can transmit its message at will, but if two or more terminals initiate messages simultaneously, they must stop and transmit again at different intervals.

Network Architecture

The term architecture can refer to either hardware or software, or a combination of hardware and software. The architecture of a system always defines its broad outlines, and may define precise mechanisms as well. An open architecture allows the system to be connected easily to devices and programs made by other manufacturers. Open architectures use off-the-shelf components and conform to approved standards. A system with a closed architecture, on the other hand, is one whose design is proprietary, making it difficult to connect the system to other systems. As we have seen before, network architectures can be broadly classified as using either peer-to-peer or client/server architecture.

Peer-to-peer Architecture
This is a type of network in which each workstation has equivalent capabilities and responsibilities. This differs from client/server architecture, in which some workstations are dedicated to serving the others. Peer-to-peer networks are generally simpler and less expensive, but they usually do not offer the same performance under heavy loads.

Client/Server Architecture
This is a network architecture in which each computer or process on the network is either a client or a server. Servers are powerful computers or processors dedicated to managing disk drives (file servers), printers (print servers), or network traffic (network servers). Clients are less powerful PCs or workstations on which users run applications. Clients rely on servers for resources, such as files, devices, and even processing power.

Network Protocol Overview

The OSI model, and any other network communication model, provides only a conceptual framework for communication between computers, but the model itself does not provide specific methods of communication. Actual communication is defined by various communication protocols. In the context of data communication, a protocol is a formal set of rules, conventions and data structures that governs how computers and other network devices exchange information over a network. In other words, a protocol is a standard procedure and format that two data communication devices must understand, accept and use to be able to talk to each other.

In modern protocol design, protocols are "layered" according to the OSI 7 layer model or a similar layered model. Layering is a design principle which divides the protocol design into a number of smaller parts, each part accomplishing a particular sub-task and interacting with the other parts of the protocol only in a small number of well-defined ways. Layering allows the parts of a protocol to be designed and tested without a combinatorial explosion of cases, keeping each design relatively simple. Layering also permits familiar protocols to be adapted to unusual circumstances. The header and/or trailer at each layer reflect the structure of the protocol. Detailed rules and procedures of a protocol or protocol group are often defined by a lengthy document. For example, IETF uses RFCs (Request for Comments) to define protocols and updates to the protocols.

A wide variety of communication protocols exists. These protocols were defined by many different standard organizations throughout the world and by technology vendors over years of technology evolution and development. One of the most popular protocol suites is TCP/IP, which is the heart of Internetworking communications. The IP, the Internet Protocol, is responsible for exchanging information between routers so that the routers can select the proper path for network traffic, while TCP is responsible for ensuring the data packets are transmitted across the network reliably and error free. LAN and WAN protocols are also critical protocols in network communications. The LAN protocol suite is for the physical and data link layers of communications over various LAN media such as Ethernet wires and wireless radio waves. The WAN protocol suite is for the lowest three layers and defines communication over various wide-area media, such as fiber optic and copper cables.

Network communication has slowly evolved. Today's new technologies are based on the accumulation over years of technologies, which may be either still existing or obsolete. Because of this, the protocols which define the network communication are highly inter-related. Many protocols rely on others for operation. For example, many routing protocols use other network protocols to exchange information between routers. In addition to standards for individual protocols in transmission, there are now also interface standards for different layers to talk to the ones above or below (usually operating system specific).

The protocols for data communication cover all areas as defined in the OSI model. However, the OSI model is only loosely defined. A protocol may perform the functions of one or more of the OSI layers, which introduces complexity to understanding protocols relevant to the OSI 7 layer model. In real-world protocols, there is some argument as to where the distinctions between layers are drawn; there is no one black and white answer. To develop a complete technology that is useful for the industry, very often a group of protocols is required in the same layer or across many different layers. Different protocols often describe different aspects of a single communication; taken together, these form a protocol suite. For example, Voice over IP (VoIP), a group of protocols developed by many vendors and standard organizations, has many protocols across the 4 top layers in the OSI model.

Protocols can be implemented either in hardware or software or a mixture of both. Typically, the lower layers are implemented in hardware, with the higher layers being implemented in software. Protocols could be grouped into suites (or families, or stacks) by their technical functions, or origin of the protocol introduction, or both. A protocol may belong to one or multiple protocol suites, depending on how you categorize it. For example, the Gigabit Ethernet protocol IEEE 802.3z is a LAN (Local Area Network) protocol and it can also be used in MAN (Metropolitan Area Network) communications. Most recent protocols are designed by the IETF for Internetworking communications and by the IEEE for local area networking (LAN) and metropolitan area networking (MAN). The ITU-T contributes mostly to wide area networking (WAN) and telecommunications protocols. ISO has its own suite of protocols for internetworking communications, which is mainly deployed in European countries.

Compare the Network Protocols

Protocol        Cable                          Speed               Topology
Ethernet        Twisted Pair, Coaxial, Fiber   10 Mbps             Linear Bus, Star, Tree
Fast Ethernet   Twisted Pair, Fiber            100 Mbps            Star
LocalTalk       Twisted Pair                   .23 Mbps            Linear Bus or Star
Token Ring      Twisted Pair                   4 Mbps - 16 Mbps    Star-Wired Ring
FDDI            Fiber                          100 Mbps            Dual ring
ATM             Twisted Pair, Fiber            155-2488 Mbps       Linear Bus, Star, Tree

INTERNET BACKBONE
The Internet backbone refers to the principal data routes between large, strategically interconnected networks and core routers in the Internet. These data routes are hosted by commercial, government, academic and other high-capacity network centers, the Internet exchange points and network access points that interchange Internet traffic between the countries, continents and across the oceans of the world. Internet service providers (often Tier 1 networks) participating in the Internet backbone exchange traffic by privately negotiated interconnection agreements, primarily governed by the principle of settlement-free peering.

Infrastructure
The internet backbone is a conglomeration of multiple, redundant networks owned by numerous companies. It is typically a fiber optic trunk line. The trunk line consists of many fiber optic cables bundled together to increase the capacity. The backbone is able to reroute traffic in case of a failure. The data speeds of backbone lines have changed with the times. In 1998, all of the United States backbone networks had utilized the slowest data rate of 45 Mbps. However the changing technologies allowed for 41 percent of backbones to have data rates of 2,488 Mbps or faster by the mid 2000's. The FCC currently defines "high speed" as any connection with data speeds that exceed 200 kilobits per second. An Azerbaijani based telecommunication company, Delta Telecom, has recently developed a very efficient trunk line with possible speeds of up to 1.6 terabits per second. Internet traffic from this line goes through the countries of Iran, Iraq and Georgia. Fiber-optic cables are the medium of choice for internet backbone providers for many reasons. Fiber-optics allow for fast data speeds and large bandwidth; they suffer relatively little attenuation, allowing them to cover long distances with few repeaters; they are also immune to crosstalk and other forms of EM interference which plague electrical transmission.

The Building Blocks: Basic Components of Networks
Every network includes:

• At least two computers
• A network interface on each computer (the device that lets the computer talk to the network, usually called a network interface card [NIC] or adapter)
• A connection medium, usually a wire or cable, but wireless communication between networked computers and peripherals is also possible
• Network operating system software, such as Microsoft Windows 95 or Windows NT, Novell NetWare, AppleShare etc.

Most networks, even those with just two computers, have a hub or a switch to act as a connection point between

When their computers are joined in a network, people can share files and peripherals such as modems, printers, tape backup drives, and CD-ROM drives. When networks at multiple locations are connected using services available from phone companies, people can send e-mail, share links to the global Internet, or conduct videoconferences in real time with other remote users on the network.

Twisted-pair

This wire comes in several "standards." Unshielded twisted pair (UTP) Category 3 wire (also called 10BaseT) is often used for your phone lines, and UTP Category 5 (also called 10Base2) wire is the current networking standard. Coaxial resembles round cable TV wiring.

Fiber-optic
Usually reserved for connections between "backbone" devices in larger networks, though in some very demanding environments, highly fault resistant cable is used to connect desktop workstations to the network and to link adjacent buildings. Fiber-optic cable is the most reliable wiring but also the most expensive. For instance, Ethernet can use UTP Category 3 wiring. However, Fast Ethernet requires at least the higher-grade UTP Category 5 wiring. As a result, all new wiring installations should be Category 5.

Network interface cards

Network interface cards (NICs), or adapters, are usually installed inside a computer's case. With portable and notebook computers, the NIC is usually in the credit card sized PC card (PCMCIA) format, which is installed in a slot. Ethernet NICs support only Ethernet connections, while 10/100 NICs cost about the same and can work with either Ethernet or higher-performance Fast Ethernet connections. In addition, you need to ensure that your NICs will support the type of cabling you will use: twisted-pair (also called 10BaseT), coaxial (also called 10Base2), or a mixture of both.

Hubs

Hubs, or repeaters, are simple devices that interconnect groups of users. Hubs forward any data packets they receive over one port from one workstation (including e-mail, word processing documents, spreadsheets, graphics, or print requests) to all of their remaining ports. All users connected to a single hub or stack of connected hubs are in the same segment, sharing the hub's bandwidth or data-carrying capacity. As more users are added to a segment, they compete for a finite amount of bandwidth devoted to that segment.

Switches
Switches are smarter than hubs and offer more bandwidth. A switch forwards data packets only to the appropriate port for the intended recipient, based on information in each packet's header. To insulate the transmission from the other ports, the switch establishes a temporary connection between the source and destination, then terminates the connection when the conversation is done. As such, a switch can support multiple "conversations" and move much more traffic through the network than a hub. A single eight-port Ethernet hub provides a total of 10 megabits per second (Mbps) of data-carrying capacity shared among all users on the hub. A "full-duplex," eight-port Ethernet switch can support eight 10-Mbps conversations at once, for a total data-carrying capacity of 160 Mbps. "Full-duplex" refers to simultaneous two-way communications, such as telephone communication. With half-duplex communications, data can move across the cable or transmission medium in just one direction at a time.

Routers
Compared to switches and bridges, routers are smarter still. Routers use a more complete packet "address" to determine which router or workstation should receive each packet. Based on a network roadmap called a "routing table," routers can help ensure that packets are travelling the most efficient paths to their destinations. If a link between two routers goes down, the sending router can determine an alternate route to keep traffic moving. Routers also provide links between networks that speak different languages, or, in computer speak, networks that use different "protocols." Examples include IP (Internet Protocol), IPX (Internet Packet Exchange Protocol), and AppleTalk. Routers not only connect networks in a single location or set of buildings, but they provide interfaces, or "sockets," for connecting to wide-area network (WAN) services. These WAN services are offered by telecommunications companies to connect geographically dispersed networks.
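The routing-table lookup and the alternate-route behaviour described above, as an added example that is not part of the original report. The prefixes, next hops, link names and metrics are constructed; the lookup rule (longest prefix, then lowest metric, skipping down links) is the standard one, and it is also why an unexpected more-specific prefix appearing in a table is something route monitoring should flag.

```python
"""Longest-prefix-match routing with failover to an alternate link.

Added illustration, not from the report. The prefixes, next hops, link
names and metrics are constructed for the demo.
"""
import ipaddress
from typing import Optional


class Route:
    def __init__(self, prefix: str, next_hop: str, link: str, metric: int):
        self.net = ipaddress.ip_network(prefix, strict=False)
        self.next_hop = next_hop
        self.link = link
        self.metric = metric


class RoutingTable:
    """The 'network roadmap': several candidate routes may cover a
    destination. The most specific prefix wins; among equal prefixes the
    lowest metric wins; routes over a link that is down are ignored."""

    def __init__(self) -> None:
        self.routes = []      # list of Route
        self.link_up = {}     # link name -> bool

    def add(self, prefix: str, next_hop: str, link: str, metric: int = 1) -> None:
        self.routes.append(Route(prefix, next_hop, link, metric))
        self.link_up.setdefault(link, True)

    def set_link(self, link: str, up: bool) -> None:
        """Link state change, e.g. the WAN circuit between two routers fails."""
        self.link_up[link] = up

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if not self.link_up.get(r.link, False) or addr not in r.net:
                continue
            # Longer prefix first, then lower metric (hence the negation).
            if best is None or (r.net.prefixlen, -r.metric) > (best.net.prefixlen, -best.metric):
                best = r
        return best


def next_hop_for(rt: RoutingTable, dst: str) -> Optional[str]:
    r = rt.lookup(dst)
    return None if r is None else f"{r.next_hop} via {r.link}"


def build_demo_table() -> RoutingTable:
    rt = RoutingTable()
    rt.add("10.1.0.0/16", "10.0.0.2", "wan-primary", metric=10)   # preferred WAN path
    rt.add("10.1.0.0/16", "10.0.0.6", "wan-backup", metric=20)    # alternate path
    rt.add("10.1.5.0/24", "10.0.0.10", "lan-branch", metric=1)    # more specific: wins
    rt.add("0.0.0.0/0", "192.0.2.1", "isp", metric=100)           # default route
    return rt


def failover_demo() -> dict:
    """Look up three destinations, then fail the primary WAN link and repeat."""
    rt = build_demo_table()
    targets = ("10.1.5.7", "10.1.9.1", "8.8.8.8")
    before = {d: next_hop_for(rt, d) for d in targets}
    rt.set_link("wan-primary", False)
    after = {d: next_hop_for(rt, d) for d in targets}
    rt.set_link("isp", False)
    return {"before": before, "after": after, "no_default": next_hop_for(rt, "8.8.8.8")}


if __name__ == "__main__":
    for k, v in failover_demo().items():
        print(k, v)
```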


Ethernet and Fast Ethernet

Ethernet has been around since the late 1970s and remains the leading network technology for local-area networks (LANs). Ethernet is based on carrier sense multiple access with collision detection (CSMA/CD). Simply put, an Ethernet workstation can send data packets only when no other packets are travelling on the network, that is, when the network is "quiet." Otherwise, it waits to transmit, just as a person might wait for another to speak during conversation. If multiple stations sense an opening and start sending at the same time, a "collision" occurs. Then, each station waits a random amount of time and tries to send its packet again. After 16 consecutive failed attempts, the original application that sent the packet has to start again. As more people try to use the network, the number of collisions, errors, and subsequent retransmits grows quickly, causing a snowball effect. Collisions are normal occurrences, but too many can start to cause the network to slow down. When more than 50 percent of the network's total bandwidth is used, collision rates begin to cause congestion. Files take longer to print, applications take longer to open, and users are forced to wait. At 60 percent or higher bandwidth usage, the network can slow dramatically or even grind to a halt.

Ethernet's bandwidth or data-carrying capacity (also called throughput) is 10 Mbps. Fast Ethernet (or 100BaseT) works the same way, through collision detection, but it provides 10 times the bandwidth, or 100 Mbps. Shared Ethernet is like a single-lane highway with a 10-Mbps speed limit (see diagrams below). Shared Fast Ethernet is like a much wider highway with a 100-Mbps speed limit; there is more room for cars, and they can travel at higher speeds. What would Switched Ethernet look like? A multilane highway with a speed limit of 10 Mbps in each lane. Switched Fast Ethernet also would be a multilane highway, but with a speed limit of 100 Mbps in each lane.
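The "random amount of time" and the 16-attempt limit described above can be simulated. This is an added example, not from the report: the report states the 16-attempt limit, while the doubling backoff window and its cap at 2^10 slot times are the IEEE 802.3 values; the slotted channel model and station counts are a constructed simplification.

```python
"""CSMA/CD collision handling with truncated binary exponential backoff.

Added illustration, not taken from the report. The report gives the
16-attempt limit; the doubling window and its cap at 2**10 slots are the
IEEE 802.3 parameters (attemptLimit = 16, backoffLimit = 10). The slotted
channel model and the station counts are a constructed simplification.
"""
import random

ATTEMPT_LIMIT = 16   # frame is abandoned after this many consecutive collisions
BACKOFF_LIMIT = 10   # the backoff window stops doubling at 2**10 slot times


def window_slots(collisions: int) -> int:
    """Size of the backoff window after the n-th consecutive collision."""
    return 2 ** min(collisions, BACKOFF_LIMIT)


def backoff_slots(collisions: int, rng=None) -> int:
    """Pick a random wait, in slot times, from the current window."""
    rng = rng if rng is not None else random
    return rng.randrange(0, window_slots(collisions))


def simulate(n_stations: int, frames_per_station: int, seed: int = 1) -> dict:
    """Slotted model: a station with a pending frame transmits when its
    backoff timer reaches zero. Exactly one transmitter in a slot is a
    success; more than one is a collision and each colliding station
    reschedules with a fresh backoff."""
    rng = random.Random(seed)
    pending = [frames_per_station] * n_stations   # frames still to send
    collisions = [0] * n_stations                 # consecutive collisions per station
    wait = [0] * n_stations                       # slots until the next attempt
    stats = {"slots": 0, "collisions": 0, "delivered": 0, "dropped": 0}
    while any(pending):
        stats["slots"] += 1
        ready = [s for s in range(n_stations) if pending[s] and wait[s] == 0]
        for s in range(n_stations):
            if pending[s] and wait[s] > 0:
                wait[s] -= 1
        if len(ready) == 1:
            s = ready[0]
            pending[s] -= 1
            collisions[s] = 0
            stats["delivered"] += 1
        elif len(ready) > 1:
            stats["collisions"] += 1
            for s in ready:
                collisions[s] += 1
                if collisions[s] >= ATTEMPT_LIMIT:
                    # Give up on this frame: the sending application must start again.
                    pending[s] -= 1
                    collisions[s] = 0
                    stats["dropped"] += 1
                else:
                    wait[s] = backoff_slots(collisions[s], rng)
    return stats


def collision_rate(n_stations: int, frames_per_station: int, seed: int = 1) -> float:
    """Collisions per slot: rises as more stations contend for the segment."""
    stats = simulate(n_stations, frames_per_station, seed)
    return stats["collisions"] / stats["slots"]


if __name__ == "__main__":
    for n in (2, 8, 32):
        print(f"{n:2d} stations: {collision_rate(n, 20):.2f} collisions per slot")
```

Running the loop at the bottom shows the snowball effect the text describes: the share of slots lost to collisions grows with the number of contending stations.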

Ethernet Cabling

Although Ethernet networks originally used thick or thin coaxial cable, most installations currently use unshielded twisted pair (UTP) cabling. The UTP cable contains eight conductors, arranged in four twisted pairs, and is terminated with an RJ45 type connector. A normal straight-through UTP Ethernet cable follows the EIA568B standard wiring as described below.

Category 5 Cable Quality
Category 5 distributed cable that meets ANSI/EIA/TIA-568-A building wiring standards can be a maximum of 328 feet (ft.) or 100 meters (m) in length, divided as follows:
20 ft. (6 m) between the hub and the patch panel (if used)
295 ft. (90 m) from the wiring closet to the wall outlet
10 ft. (3 m) from the wall outlet to the desktop device
The patch panel and other connecting hardware must meet the requirements for 100-Mbps operation (Category 5). Only 0.5 inch (1.5 cm) of untwist in the wire pair is allowed at any termination point. A twisted pair Ethernet network operating at 10 Mbits/second (10BASE-T) will often tolerate low-quality cables, but at 100 Mbits/second (100BASE-TX) the cable must be rated as Category 5, or Cat 5, by the Electronic Industry Association (EIA). This rating will be printed on the cable jacket. A Category 5 cable will meet specified requirements regarding loss and crosstalk. In addition, there are restrictions on maximum cable length for both 10- and 100-Mbits/second networks.

CHAPTER 2

OSI MODEL

The Open Systems Interconnection model (OSI model) was a product of the Open Systems Interconnection effort at the International Organization for Standardization. It is a way of sub-dividing a communications system into smaller parts called layers. Similar communication functions are grouped into logical layers. A layer provides services to its upper layer while receiving services from the layer below. On each layer, an instance provides service to the instances at the layer above and requests service from the layer below.

Layer 1: Physical Layer

The Physical Layer defines electrical and physical specifications for devices. In particular, it defines the relationship between a device and a transmission medium, such as a copper or optical cable. This includes the layout of pins, voltages, cable specifications, hubs, repeaters, network adapters, host bus adapters (HBA, used in storage area networks) and more. The major functions and services performed by the Physical Layer are:
Establishment and termination of a connection to a communications medium.
Participation in the process whereby the communication resources are effectively shared among multiple users. For example, contention resolution and flow control.
Modulation or conversion between the representation of digital data in user equipment and the corresponding signals transmitted over a communications channel. These are signals operating over the physical cabling (such as copper and optical fiber) or over a radio link.

Layer 2: Data Link Layer

The Data Link Layer provides the functional and procedural means to transfer data between network entities and to detect and possibly correct errors that may occur in the Physical Layer. Originally, this layer was intended for point-to-point and point-to-multipoint media, characteristic of wide area media in the telephone system. Local area network architecture, which included broadcast-capable multi-access media, was developed independently of the ISO work in IEEE Project 802. IEEE work assumed sublayering and management functions not required for WAN use. In modern practice, only error detection, not flow control using sliding window, is present in data link protocols such as Point-to-Point Protocol (PPP), and, on local area networks, the IEEE 802.2 LLC layer is not used for most protocols on the Ethernet, and on other local area networks, its flow control and acknowledgment mechanisms are rarely used.

Layer 3: Network Layer

The Network Layer provides the functional and procedural means of transferring variable length data sequences from a source host on one network to a destination host on a different network, while maintaining the quality of service requested by the Transport Layer (in contrast to the data link layer which connects hosts within the same network). The Network Layer performs network routing functions, and might also perform fragmentation and reassembly, and report delivery errors. Routers operate at this layer, sending data throughout the extended network and making the Internet possible. This is a logical addressing scheme; values are chosen by the network engineer. The addressing scheme is not hierarchical. Careful analysis of the Network Layer indicated that the Network Layer could have at least three sublayers:
Subnetwork Access, which considers protocols that deal with the interface to networks, such as X.25;
Subnetwork Dependent Convergence, used when it is necessary to bring the level of a transit network up to the level of networks on either side;
Subnetwork Independent Convergence, which handles transfer across multiple networks.

Layer 4: Transport Layer

The Transport Layer provides transparent transfer of data between end users, providing reliable data transfer services to the upper layers. The Transport Layer controls the reliability of a given link through flow control, segmentation/desegmentation, and error control. Some protocols are state- and connection-oriented. This means that the Transport Layer can keep track of the segments and retransmit those that fail. The Transport Layer also provides the acknowledgement of the successful data transmission and sends the next data if no errors occurred. Although not developed under the OSI Reference Model and not strictly conforming to the OSI definition of the Transport Layer, typical examples of Layer 4 are the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
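Three mechanisms from the Data Link, Network and Transport Layer descriptions above (an error-detecting trailer, logical addressing, and segmentation/desegmentation) can be seen working together in a toy stack. This is an added example, not from the report or any real stack: header layouts, the tiny segment size, the CRC-32 trailer standing in for a frame check sequence, and the addresses are all constructed for the demo.

```python
"""Encapsulation through a toy three-layer stack (OSI Layers 2 to 4).

Added illustration, not from the report. The Transport Layer segments and
reassembles, the Network Layer adds source/destination addresses, and the
Data Link Layer appends a CRC-32 frame check sequence so that a frame
corrupted in transit is detected and discarded rather than delivered.
Header layouts, sizes and addresses are constructed for the demo.
"""
import ipaddress
import struct
import zlib

SEGMENT_SIZE = 8   # deliberately tiny so a short message is segmented
FCS_LEN = 4


def transport_segment(data: bytes) -> list:
    """Layer 4: split data into numbered segments; header = (seq, total)."""
    chunks = [data[i:i + SEGMENT_SIZE] for i in range(0, len(data), SEGMENT_SIZE)]
    if not chunks:
        chunks = [b""]
    return [struct.pack("!HH", seq, len(chunks)) + chunk for seq, chunk in enumerate(chunks)]


def transport_reassemble(segments: list) -> bytes:
    """Layer 4: put segments back in order; refuse to deliver if any is missing."""
    if not segments:
        raise ValueError("no segments received")
    parsed, total = {}, 0
    for seg in segments:
        seq, total = struct.unpack("!HH", seg[:4])
        parsed[seq] = seg[4:]
    if len(parsed) != total:
        raise ValueError("missing segments")
    return b"".join(parsed[i] for i in range(total))


def network_encap(src: str, dst: str, payload: bytes) -> bytes:
    """Layer 3: prepend logical (IPv4-style) source and destination addresses."""
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload


def network_decap(packet: bytes) -> tuple:
    src = str(ipaddress.ip_address(packet[:4]))
    dst = str(ipaddress.ip_address(packet[4:8]))
    return src, dst, packet[8:]


def link_frame(payload: bytes) -> bytes:
    """Layer 2: append a CRC-32 frame check sequence as the trailer."""
    return payload + struct.pack("!I", zlib.crc32(payload) & 0xFFFFFFFF)


def link_unframe(frame: bytes):
    """Layer 2: verify the trailer; a mismatch means the frame is discarded."""
    payload, fcs = frame[:-FCS_LEN], struct.unpack("!I", frame[-FCS_LEN:])[0]
    if zlib.crc32(payload) & 0xFFFFFFFF != fcs:
        return None
    return payload


def send(src: str, dst: str, data: bytes) -> list:
    """Walk down the stack: segment, address, frame."""
    return [link_frame(network_encap(src, dst, seg)) for seg in transport_segment(data)]


def receive(frames: list, my_addr: str) -> tuple:
    """Walk up the stack; returns (data or None, frames discarded at Layer 2)."""
    segments, discarded = [], 0
    for frame in frames:
        packet = link_unframe(frame)
        if packet is None:
            discarded += 1
            continue
        _src, dst, seg = network_decap(packet)
        if dst == my_addr:
            segments.append(seg)
    try:
        return transport_reassemble(segments), discarded
    except ValueError:
        return None, discarded


def flip_bit(frame: bytes, bit: int) -> bytes:
    """Simulate a Physical Layer error: flip one bit of the frame."""
    b = bytearray(frame)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def demo() -> dict:
    msg = b"The quick brown fox jumps"   # constructed 25-byte message
    frames = send("10.0.0.1", "10.0.0.2", msg)
    damaged = frames[:1] + [flip_bit(frames[1], 40)] + frames[2:]
    return {"frames": len(frames),
            "clean": receive(frames, "10.0.0.2"),
            "corrupted": receive(damaged, "10.0.0.2"),
            "wrong_host": receive(frames, "10.0.0.3")}


if __name__ == "__main__":
    print(demo())
```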


Layer 5: Session Layer


The Session Layer controls the dialogues (connections) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for full-duplex, half-duplex, or simplex operation, and establishes checkpointing, adjournment, termination, and restart procedures. The OSI model made this layer responsible for graceful close of sessions, which is a property of the Transmission Control Protocol, and also for session checkpointing and recovery, which is not usually used in the Internet Protocol Suite. The Session Layer is commonly implemented explicitly in application environments that use remote procedure calls.

Layer 6: Presentation Layer


The Presentation Layer establishes context between Application Layer entities, in which the higher-layer entities may use different syntax and semantics if the presentation service provides a mapping between them. If a mapping is available, presentation service data units are encapsulated into session protocol data units, and passed down the stack. This layer provides independence from data representation (e.g., encryption) by translating between application and network formats. The presentation layer transforms data into the form that the application accepts. This layer formats and encrypts data to be sent across a network. It is sometimes called the syntax layer.

Layer 7: Application Layer


The Application Layer is the OSI layer closest to the end user, which means that both the OSI application layer and the user interact directly with the software application. This layer interacts with software applications that implement a communicating component. Such application programs fall outside the scope of the OSI model. When determining resource availability, the application layer must decide whether sufficient network or the requested communication exists. In synchronizing communication, all communication between applications requires cooperation that is managed by the application layer. Some examples of application layer implementations on the OSI stack include:
FTAM - File Transfer and Access Management Protocol
X.400 - Mail
Common Management Information Protocol (CMIP)

CHAPTER 5
TCP/IP

In the TCP/IP model of the Internet, protocols are deliberately not as rigidly designed into strict layers as the OSI model. However, TCP/IP does recognize four broad layers of functionality which are derived from the operating scope of their contained protocols, namely the scope of the software application, the end-to-end transport connection, the internetworking range, and lastly the scope of the direct links to other nodes on the local network. Even though the concept is different from the OSI model, these layers are nevertheless often compared with the OSI layering scheme in the following way: The Internet Application Layer includes the OSI Application Layer, Presentation Layer, and most of the Session Layer. Its end-to-end Transport Layer includes the graceful close function of the OSI Session Layer as well as the OSI Transport Layer. The internetworking layer (Internet Layer) is a subset of the OSI Network Layer (see above), while the Link Layer includes the OSI Data Link and Physical Layers, as well as parts of OSI's Network Layer. These comparisons are based on the original seven-layer protocol model as defined in ISO 7498, rather than refinements in such things as the internal organization of the Network Layer document. The presumably strict peer layering of the OSI model as it is usually described does not present contradictions in TCP/IP, as it is permissible that protocol usage does not follow the hierarchy implied in a layered model. Such examples exist in some routing protocols (e.g., OSPF), or in the description of tunneling protocols, which provide a Link Layer for an application, although the tunnel host protocol may well be a Transport or even an Application Layer protocol in its own right.

Internet Protocol (IP) Addresses


Because TCP/IP networks are interconnected across the world, each computer on the Internet must have a unique address (called an IP address) to make sure that transmitted data reaches the correct destination. Blocks of addresses are assigned to organizations by the Internet Assigned Numbers Authority (IANA). Individual users and small organizations may obtain their addresses either from the IANA or from an Internet service provider (ISP). The Internet Protocol (IP) uses a 32-bit address structure. The address is usually written in dot notation (also called dotted-decimal notation), in which each group of eight bits is written in decimal form, separated by decimal points. For example, the following binary address:
    11000011 00100010 00001100 00000111
is normally written as:
    195.34.12.7
The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network. The dividing point may vary depending on the address range and the application. There are five standard classes of IP addresses. These address classes have different ways of determining the network and host sections of the address, allowing for different numbers of hosts on a network. Each address type begins with a unique bit pattern, which is used by the TCP/IP software to identify the address class. After the address class has been determined, the software can correctly identify the host section of the address. The figure below shows the three main address classes, including network and host sections of the address for each address type.


The five address classes are:
• Class A: Class A addresses can have up to 16,777,214 hosts on a single network. They use an 8-bit network number and a 24-bit node number. Class A addresses are in this range: 1.x.x.x to 126.x.x.x.
• Class B: Class B addresses can have up to 65,354 hosts on a network. A Class B address uses a 16-bit network number and a 16-bit node number. Class B addresses are in this range: 128.1.x.x to 191.254.x.x.
• Class C: Class C addresses can have up to 254 hosts on a network. A Class C address uses a 24-bit network number and an 8-bit node number. Class C addresses are in this range: 192.0.1.x to 223.255.254.x.
• Class D: Class D addresses are used for multicasts (messages sent to many hosts). Class D addresses are in this range: 224.0.0.0 to 239.255.255.255.
• Class E: Class E addresses are for experimental use.

Net Mask
In each of the address classes previously described, the size of the two parts (network address and host address) is implied by the class. This partitioning scheme can also be expressed by a netmask associated with the IP address. A netmask is a 32-bit quantity that, when logically combined (using an AND operator) with an IP address, yields the network address. For instance, the netmasks for Class A, B, and C addresses are 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively. For example, the address 192.168.170.237 is a Class C IP address whose network portion is the upper 24 bits. When combined (using an AND operator) with the Class C netmask, as shown here, only the network portion of the address remains:
    11000000 10101000 10101010 11101101  (192.168.170.237)
combined with:
    11111111 11111111 11111111 00000000  (255.255.255.0)
equals:
    11000000 10101000 10101010 00000000  (192.168.170.0)
As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a slash (/), as "/n". In the example, the address could be written as 192.168.170.237/24, indicating that the netmask is 24 ones followed by 8 zeros.


Media Access Control (MAC) Addresses and Address Resolution Protocol


An IP address alone cannot be used to deliver data from one LAN device to another. To send data between LAN devices, you must convert the IP address of the destination device to its MAC address. Each device on an Ethernet network has a unique MAC address, which is a 48-bit number assigned to each device by the manufacturer. The technique that associates the IP address with a MAC address is known as address resolution. Internet Protocol uses the Address Resolution Protocol (ARP) to resolve MAC addresses. If a device sends data to another station on the network and the destination MAC address is not yet recorded, ARP is used. An ARP request is broadcast onto the network. All stations (computers, for example) on the network receive and read the request. The destination IP address for the chosen station is included as part of the message so that only the station with this IP address responds to the ARP request. All other stations discard the request.
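The request/response exchange just described, as an added Python example that is not code from the report: it builds an ARP request with the RFC 826 field layout, hands it to every station on a constructed LAN the way a broadcast would, and shows that only the station owning the target IP answers while the others discard it. The station MACs and IPs are constructed sample values.

```python
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{octet:02x}" for octet in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(octet) for octet in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header + ARP packet. A request goes to the broadcast MAC; a reply is unicast."""
    dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    ether = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode, then the four addresses
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
           + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))
    return ether + arp


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if this is not a well-formed Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "dst": bytes_to_mac(frame[0:6]),
        "opcode": opcode,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": bytes_to_ip(body[16:20]),
    }


class Station:
    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.arp_table = {}  # IP -> MAC, filled from replies (and from requests aimed at us)

    def receive(self, frame):
        """Every station reads a broadcast; only the owner of target_ip answers a request."""
        pkt = parse_arp(frame)
        if pkt is None or pkt["dst"] not in (BROADCAST_MAC, self.mac):
            return None
        if pkt["target_ip"] != self.ip:
            return None  # not for us: discard, as the text describes
        self.arp_table[pkt["sender_ip"]] = pkt["sender_mac"]
        if pkt["opcode"] == ARP_REQUEST:
            return build_arp(ARP_REPLY, self.mac, self.ip, pkt["sender_mac"], pkt["sender_ip"])
        return None


def resolve(requester, lan, target_ip):
    """Broadcast one ARP request on the constructed LAN; return the MAC learned, or None."""
    request = build_arp(ARP_REQUEST, requester.mac, requester.ip,
                        "00:00:00:00:00:00", target_ip)
    for station in lan:
        if station is not requester:
            reply = station.receive(request)
            if reply is not None:
                requester.receive(reply)
    return requester.arp_table.get(target_ip)
```

Because the requester records whatever sender address arrives in a reply addressed to it, the table is only as trustworthy as the segment it was learned on; that is why the text later treats MAC tables and ARP tables as per-LAN state.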

Domain Name System (DNS) Server


Many of the resources on the Internet can be addressed by simple descriptive names such as http://www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive name must be translated to an IP address in order for a user to actually contact the resource. Just as a telephone directory maps names to phone numbers, or as an ARP table maps IP addresses to MAC addresses, a DNS server maps descriptive names of network resources to IP addresses. When a computer accesses a resource by its descriptive name, it first contacts a DNS server to obtain the IP address of the resource. The computer sends the desired message using the IP address. Many large organizations, such as ISPs, maintain their own DNS servers and allow their customers to use the servers to look up addresses.

Private IP Addresses
If your local network is isolated from the Internet (for example, when using Network Address Translation, NAT, which is described below), you can assign any IP addresses to the hosts without problems. However, the IANA has reserved the following three blocks of IP addresses specifically for private networks:
    10.0.0.0 - 10.255.255.255
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255
Choose your private network number from this range.
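The addressing rules of the last four subsections (class from the leading bits, the class default netmask, the AND that yields the network address, the /n form, and the three private blocks) as one added Python example; it is not code from the report. It works on 32-bit integers rather than the ipaddress module so that the bit operations the text describes stay visible, and it rejects a netmask whose ones are not contiguous. The addresses in the comments are the report's own examples.

```python
def parse_ipv4(text):
    """Dotted-decimal string -> 32-bit integer, rejecting malformed input."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"not dotted-decimal: {text!r}")
    octets = [int(part) for part in parts]
    if any(octet < 0 or octet > 255 for octet in octets):
        raise ValueError(f"octet out of range: {text!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value):
    """Four 8-bit groups, the notation the text uses for 195.34.12.7."""
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def address_class(value):
    """The leading bits decide the class: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, otherwise E."""
    first_octet = value >> 24
    if first_octet >> 7 == 0b0:
        return "A"
    if first_octet >> 6 == 0b10:
        return "B"
    if first_octet >> 5 == 0b110:
        return "C"
    if first_octet >> 4 == 0b1110:
        return "D"
    return "E"


DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}

# The three IANA private blocks listed in the text, as (network, prefix length)
PRIVATE_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def prefix_to_mask(prefix):
    """/n -> 32-bit mask of n ones followed by zeros."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF if prefix else 0


def mask_to_prefix(mask):
    """Count the ones; reject a mask whose ones are not contiguous from the left."""
    prefix = bin(mask).count("1")
    if prefix_to_mask(prefix) != mask:
        raise ValueError(f"non-contiguous netmask: {to_dotted(mask)}")
    return prefix


def is_private(value):
    return any(value & prefix_to_mask(length) == parse_ipv4(network)
               for network, length in PRIVATE_BLOCKS)


def describe(text, mask_text=None):
    """Class, net mask (the class default unless one is given), network = address AND mask,
    the /n form, usable host count and whether the address falls in a private block."""
    address = parse_ipv4(text)
    cls = address_class(address)
    info = {"class": cls, "binary": to_binary(address), "private": is_private(address)}
    if mask_text is None:
        mask_text = DEFAULT_MASKS.get(cls)
    if mask_text is None:
        return info  # class D (multicast) and E (experimental) have no network/host split
    mask = parse_ipv4(mask_text)
    prefix = mask_to_prefix(mask)
    info.update({
        "netmask": to_dotted(mask),
        "network": to_dotted(address & mask),
        "cidr": f"{text}/{prefix}",
        "hosts": (1 << (32 - prefix)) - 2,  # all-zeros and all-ones host parts are reserved
    })
    return info
```

Calling describe("192.168.170.237") reproduces the worked example in the Net Mask section (class C, network 192.168.170.0, written 192.168.170.237/24) and flags the address as private; passing an explicit mask such as 255.255.255.128 shows how the same address lands in a smaller subnet.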

CHAPTER 6
Cisco Internetwork Operating System


Cisco IOS Modes of Operation
The Cisco IOS software provides access to several different command modes. Each command mode provides a different group of related commands. For security purposes, the Cisco IOS software provides two levels of access to commands: user and privileged. The unprivileged user mode is called user EXEC mode. The privileged mode is called privileged EXEC mode and requires a password. The commands available in user EXEC mode are a subset of the commands available in privileged EXEC mode. The following table describes some of the most commonly used modes, how to enter the modes, and the resulting prompts. The prompt helps you identify which mode you are in and, therefore, which commands are available to you.

User EXEC Mode: When you are connected to the router, you are started in user EXEC mode. The user EXEC commands are a subset of the privileged EXEC commands.
Privileged EXEC Mode: Privileged commands include the following:
• Configure - Changes the software configuration.
• Debug - Display process and hardware event messages.
• Setup - Enter configuration information at the prompts.
Enter the command disable to exit from the privileged EXEC mode and return to user EXEC mode.

Configuration Mode

Configuration mode has a set of submodes that you use for modifying interface settings, routing protocol settings, line settings, and so forth. Use caution with configuration mode because all changes you enter take effect immediately. To enter configuration mode, enter the command configure terminal and exit by pressing Ctrl-Z. Note: Almost every configuration command also has a no form. In general, use the no form to disable a feature or function. Use the command without the keyword no to re-enable a disabled feature or to enable a feature that is disabled by default. For example, IP routing is enabled by default. To disable IP routing, enter the no ip routing command and enter ip routing to re-enable it.

Getting Help
In any command mode, you can get a list of available commands by entering a question mark (?).
    Router> ?
To obtain a list of commands that begin with a particular character sequence, type in those characters followed immediately by the question mark (?).
    Router# co?
    configure connect copy
To list keywords or arguments, enter a question mark in place of a keyword or argument. Include a space before the question mark.
    Router# configure ?
    memory      Configure from NV memory
    network     Configure from a TFTP network host
    terminal    Configure from the terminal
You can also abbreviate commands and keywords by entering just enough characters to make the command unique from other commands. For example, you can abbreviate the show command to sh.

Configuration Files
Any time you make changes to the router configuration, you must save the changes to memory because if you do not they will be lost if there is a system reload or power outage. There are two types of configuration files: the running (current operating) configuration and the startup configuration. Use the following privileged mode commands to work with configuration files.
• configure terminal - modify the running configuration manually from the terminal.
• show running-config - display the running configuration.
• show startup-config - display the startup configuration.
• copy running-config startup-config - copy the running configuration to the startup configuration.
• copy startup-config running-config - copy the startup configuration to the running configuration.
• erase startup-config - erase the startup configuration in NVRAM.
• copy tftp running-config - load a configuration file stored on a Trivial File Transfer Protocol (TFTP) server into the running configuration.
• copy running-config tftp - store the running configuration on a TFTP server.

IP Address Configuration
Take the following steps to configure the IP address of an interface.
Step 1: Enter privileged EXEC mode (the enable password is requested):
    Router> enable
Step 2: Enter the configure terminal command to enter global configuration mode.
    Router# config terminal
Step 3: Enter interface type slot/port (for Cisco 7000 series) or interface type port (for Cisco 2500 series) to enter the interface configuration mode. Example:
    Router(config)# interface ethernet 0/1
Step 4: Enter the IP address and subnet mask of the interface using the ip address ipaddress subnetmask command. Example:
    Router(config-if)# ip address 192.168.10.1 255.255.255.0
Step 5: Exit the configuration mode by pressing Ctrl-Z.
    Router(config-if)# <Ctrl-Z>

Routing Protocol Configuration

Routing Information Protocol (RIP)
Step 1: Enter privileged EXEC mode (the enable password is requested):
    Router> enable
Step 2: Enter the configure terminal command to enter global configuration mode.
    Router# config terminal
Step 3: Enter the router rip command.
    Router(config)# router rip
Step 4: Add the network number to use RIP, and repeat this step for all the numbers.
    Router(config-router)# network network-number
Example:
    Router(config-router)# network 192.168.10.0
Note: To turn off RIP, use the no router rip command.
    Router(config)# no router rip

Other useful commands
• Specify a RIP Version

By default, the software receives RIP version 1 and version 2 packets, but sends only version 1 packets. To control which RIP version an interface sends, use one of the following commands in interface configuration mode:

To control how packets received from an interface are processed, use one of the following commands:

Open Shortest Path First (OSPF)
Step 1: Enter privileged EXEC mode (the enable password is requested):
    Router> enable
Step 2: Enter the configure terminal command to enter global configuration mode.
    Router# config terminal
Step 3: Enter the router ospf command followed by the process-id.
    Router(config)# router ospf process-id
Pick a process-id which is not being used. To determine which ids are being used, issue the show process command.
    Router(config)# show process
Step 4: Add the network number, mask and area-id.
    Router(config-router)# network network-number mask area area-id
The network-number identifies the network using OSPF. The mask tells which bits to use from the network-number, and the area-id is used for determining areas in an OSPF configuration. Example:
    Router(config-router)# network 192.168.10.0 255.255.255.0 area 0.0.0.0
Repeat this step for all the network numbers. To turn off OSPF, use the following command.
    Router(config)# no router ospf process-id

Other useful commands

Configure OSPF Interface Parameters

You are not required to alter any of these parameters, but some interface parameters must be consistent across all routers in an attached network.

Command                                Purpose
ip ospf cost cost                      Explicitly specify the cost of sending a packet on an OSPF interface.
ip ospf retransmit-interval seconds    Specify the number of seconds between link state advertisement retransmissions for adjacencies belonging to an OSPF interface.
ip ospf transmit-delay seconds         Set the estimated number of seconds it takes to transmit a link state update packet on an OSPF interface.
ip ospf priority number                Set router priority to help determine the OSPF designated router for a network.
ip ospf hello-interval seconds         Specify the length of time, in seconds, between the hello packets that a router sends on an OSPF interface.
ip ospf dead-interval seconds          Set the number of seconds that a router's hello packets must not have been seen before its neighbors declare the OSPF router down.

How to read router-link status

Status of router and links can be easily determined by the power LED of the router and the link LED of each interface (if any). However, you may find a transceiver connected to an AUI port looks like the following:

CHAPTER 7
ROUTING TABLE
In computer networking a routing table, or Routing Information Base (RIB), is a data structure in the form of a table-like object stored in a router or a networked computer that lists the routes to particular network destinations, and in some cases, metrics associated with those routes. The routing table contains information about the topology of the network immediately around it. The construction of routing tables is the primary goal of routing protocols. Static routes are entries made in a routing table by non-automatic means and which are fixed rather than being the result of some network topology 'discovery' procedure. Routing tables are generally not used directly for packet forwarding in modern router architectures; instead, they are used to generate the information for a smaller forwarding table which contains only the routes which are chosen by the routing algorithm as preferred routes for packet forwarding, often in a compressed or pre-compiled format that is optimized for hardware storage and lookup. The remainder of this chapter will ignore this implementation detail, and refer to the entire routing/forwarding information subsystem as the "routing table".

Basics
A routing table utilizes the same idea that one does when using a map in package delivery. Whenever a node needs to send data to another node on a network, it must know where to send it, first. If the node cannot directly connect to the destination node, it has to send it via other nodes along a proper route to the destination node. Most nodes do not try to figure out which route(s) might work; instead, a node will send an IP packet to a gateway in the LAN, which then decides how to route the "package" of data to the correct destination. Each gateway will need to keep track of which way to deliver various packages of data, and for this it uses a Routing Table. A routing table is a database which keeps track of paths, like a map, and allows the gateway to provide this information to the node requesting the information. With hop-by-hop routing, each routing table lists, for all reachable destinations, the address of the next device along the path to that destination: the next hop. Assuming that the routing tables are consistent, the simple algorithm of relaying packets to their destination's next hop thus suffices to deliver data anywhere in a network. Hop-by-hop is the fundamental characteristic of the IP Internetwork layer and the OSI Network Layer, in contrast to the functions of the IP End-to-End and OSI Transport Layers. Current router architecture separates the Control Plane function of the routing table from the Forwarding Plane function of the forwarding table.

Difficulties with routing tables


The need to record routes to large numbers of devices using limited storage space represents a major challenge in routing table construction. In the Internet, the currently dominant address aggregation technology is a bitwise prefix matching scheme called Classless Inter-Domain Routing (CIDR).

Since in a network each node presumably possesses a valid routing table, routing tables must be consistent among the various nodes or routing loops can develop. This is particularly problematic in the hop-by-hop routing model in which the net effect of inconsistent tables in several different routers could be to forward packets in an endless loop. Routing loops have historically plagued routing, and their avoidance is a major design goal of routing protocols.

Contents of routing tables


The routing table consists of at least three information fields:
Network id: the destination network id
Cost: the cost or metric of the path through which the packet is to be sent
Next hop: the next hop, or gateway, is the address of the next station to which the packet is to be sent on the way to its final destination
Depending on the application and implementation, it can also contain additional values that refine path selection:
Quality of service associated with the route. For example, the U flag indicates that an IP route is up.
Links to filtering criteria/access lists associated with the route.
Interface: such as eth0 for the first Ethernet card, eth1 for the second Ethernet card, etc.
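The three fields above plus the interface, together with the CIDR longest-prefix rule and the hop-by-hop relay (and the loop that inconsistent tables produce), as an added Python example; this is not code from the report. The three routers and their tables are constructed, and the next hop is written as the neighbouring router's name instead of its IP address to keep the relay readable; R1 and R2 deliberately point their default routes at each other.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    destination: ipaddress.IPv4Network   # network id
    metric: int                          # cost
    next_hop: Optional[str]              # neighbour router name; None = directly connected
    interface: str                       # e.g. eth0


class RoutingTable:
    def __init__(self, entries):
        self.routes = [Route(ipaddress.ip_network(dest), metric, next_hop, iface)
                       for dest, metric, next_hop, iface in entries]

    def lookup(self, dst_ip):
        """CIDR rule: the most specific (longest) matching prefix wins; lowest metric breaks ties."""
        address = ipaddress.ip_address(dst_ip)
        matches = [route for route in self.routes if address in route.destination]
        if not matches:
            return None
        return max(matches, key=lambda route: (route.destination.prefixlen, -route.metric))


def forward(tables, start, dst_ip, max_hops=16):
    """Hop-by-hop relay: each router consults only its own table.
    Returns (path, outcome); a router seen twice means the tables are inconsistent (a loop)."""
    path, current = [start], start
    for _ in range(max_hops):
        route = tables[current].lookup(dst_ip)
        if route is None:
            return path, "unreachable"
        if route.next_hop is None:
            return path, f"delivered via {route.interface}"
        if route.next_hop in path:
            return path + [route.next_hop], "routing loop"
        path.append(route.next_hop)
        current = route.next_hop
    return path, "hop limit exceeded"


# Constructed tables for three routers (not from the report); entries are
# (destination, cost, next hop, interface).
TABLES = {
    "R1": RoutingTable([("10.0.0.0/8", 10, "R2", "eth0"),
                        ("10.1.0.0/16", 5, "R3", "eth1"),
                        ("192.168.1.0/24", 0, None, "eth2"),
                        ("0.0.0.0/0", 1, "R2", "eth0")]),
    "R2": RoutingTable([("10.0.0.0/8", 0, None, "eth0"),
                        ("192.168.1.0/24", 10, "R1", "eth1"),
                        ("0.0.0.0/0", 1, "R1", "eth1")]),   # default back to R1: inconsistent
    "R3": RoutingTable([("10.1.0.0/16", 0, None, "eth1"),
                        ("192.168.1.0/24", 5, "R1", "eth0")]),
}
```

A destination in 10.1.0.0/16 leaves R1 toward R3 even though 10.0.0.0/8 via R2 also matches, which is the prefix-matching behaviour CIDR relies on; a destination that only the default routes cover bounces between R1 and R2 until the relay notices the repeat, the endless loop the text warns about (real routers rely on the IP TTL for the same purpose).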

CHAPTER 8
SWITCHES

Function
The network switch plays an integral part in most modern Ethernet local area networks (LANs). Mid-to-large sized LANs contain a number of linked managed switches. Small office/home office (SOHO) applications typically use a single switch, or an all-purpose converged device such as a gateway to access small office/home broadband services such as DSL or cable internet. In most of these cases, the end-user device contains a router and components that interface to the particular physical broadband technology. User devices may also include a telephone interface for VoIP. An Ethernet switch operates at the data link layer of the OSI model to create a separate collision domain for each switch port. With 4 computers (e.g., A, B, C, and D) on 4 switch ports, A and B can transfer data back and forth, while C and D also do so simultaneously, and the two conversations will not interfere with one another. In the case of a hub, they would all share the bandwidth and run in half duplex, resulting in collisions, which would then necessitate retransmissions. Using a switch is called microsegmentation. This allows computers to have dedicated bandwidth on a point-to-point connection to the network and to therefore run in full duplex without collisions.

"ole of 34.+che3 .n ne+4or53


Switches may operate at one or more layers of the OSI model, including data link, network, or transport (i.e., end-to-end). A device that operates simultaneously at more than one of these layers is known as a multilayer switch. In switches intended for commercial use, built-in or modular interfaces make it possible to connect different types of networks, including Ethernet, Fibre Channel, ATM, ITU-T G.hn and 802.11. This connectivity can be at any of the layers mentioned. While Layer 2 functionality is adequate for bandwidth-shifting within one technology, interconnecting technologies such as Ethernet and token ring are easier at Layer 3. Interconnection of different Layer 3 networks is done by routers. If there are any features that characterize "Layer-3 switches" as opposed to general-purpose routers, it tends to be that they are optimized, in larger switches, for high-density Ethernet connectivity. In some service provider and other environments where there is a need for a great deal of analysis of network performance and security, switches may be connected between WAN routers as places for analytic modules. Some vendors provide firewall, network intrusion detection, and performance analysis modules that can plug into switch ports. Some of these functions may be on combined modules. In other cases, the switch is used to create a mirror image of data that can go to an external device. Since most switch port mirroring provides only one mirrored stream, network hubs can be useful for fanning out data to several read-only analyzers, such as intrusion detection systems and packet sniffers.

Switch

A Switched Network

Basic functions performed:
Address learning
Forwarding based on the learned addresses

CHAPTER 9
STP
STP is a bridge-to-bridge protocol used to maintain a loop-free network.

To maintain a loop-free network topology, STP establishes a root bridge, a root port, and designated ports.

With STP, the root bridge has the lowest BID, which is made up of the bridge priority and the MAC address. When STP is enabled, every bridge in the network goes through the blocking state and the transitory states of listening and learning at power up. If properly configured, the ports then stabilize to the forwarding or blocking state. If the network topology changes, STP maintains connectivity by transitioning some blocked ports to the forwarding state. RSTP significantly speeds the recalculation of the spanning tree when the network topology changes.

STP provides a loop-free redundant network topology by placing certain ports in the blocking state:
One root bridge per broadcast domain
One root port per non-root bridge
One designated port per segment
Nondesignated ports are unused

Spanning Tree Protocol Root Bridge Selection

BPDU (default = sent every two seconds)
Root bridge = bridge with the lowest bridge ID
Spanning tree transits each port through several different states:

Spanning Tree Convergence


Convergence occurs when all the switch and bridge ports have transitioned to either the forwarding or the blocking state. When the network topology changes, switches and bridges must recompute STP, which disrupts user traffic.
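Root bridge election by lowest BID (priority, then MAC) and the port roles that follow from it (one root port per non-root bridge, one designated port per segment, everything else blocking), as an added Python example that is not code from the report. The three switches and their links are constructed; the example assumes a connected topology with at most one link per pair of bridges and the same cost on every link, so the root path cost is simply the hop count, with ties broken by the lower neighbour BID as STP does.

```python
from collections import deque


def bridge_id(priority, mac):
    """BID = bridge priority in the high bits, the 48-bit MAC below it; the lowest value wins."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def elect_root(bridges):
    """bridges: name -> (priority, mac). Returns the name of the bridge with the lowest BID."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def spanning_tree(bridges, links):
    """links: list of (bridge_a, bridge_b) segments. Returns the root, each non-root bridge's
    root port (named by the neighbour it faces), the designated bridge per segment, and the
    (bridge, segment) ports left in the blocking state."""
    root = elect_root(bridges)
    bid = {name: bridge_id(*bridges[name]) for name in bridges}
    adjacent = {name: [] for name in bridges}
    for a, b in links:
        adjacent[a].append(b)
        adjacent[b].append(a)

    # Root path cost = hop count from the root (BFS), since every link costs the same here
    cost = {root: 0}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for neighbour in adjacent[current]:
            if neighbour not in cost:
                cost[neighbour] = cost[current] + 1
                queue.append(neighbour)

    # One root port per non-root bridge: cheapest path to the root, then lowest neighbour BID
    root_port = {name: min(adjacent[name], key=lambda nb: (cost[nb] + 1, bid[nb]))
                 for name in bridges if name != root}

    # One designated bridge per segment: the end closer to the root, then the lower BID
    designated = {(a, b): min((a, b), key=lambda end: (cost[end], bid[end])) for a, b in links}

    # A port that is neither the bridge's root port nor the segment's designated port blocks
    blocked = []
    for (a, b), owner in designated.items():
        for end, other in ((a, b), (b, a)):
            if end != owner and root_port.get(end) != other:
                blocked.append((end, (a, b)))
    return {"root": root, "root_ports": root_port, "designated": designated, "blocked": blocked}


# Constructed triangle of three switches with the default priority; the MAC breaks the tie
BRIDGES = {"SW1": (32768, "00:00:00:00:00:10"),
           "SW2": (32768, "00:00:00:00:00:20"),
           "SW3": (32768, "00:00:00:00:00:30")}
LINKS = [("SW1", "SW2"), ("SW2", "SW3"), ("SW1", "SW3")]
```

With equal priorities the lowest MAC makes SW1 the root and exactly one of the three links is blocked, leaving a tree; lowering SW3's priority to 4096 moves the root (and the blocked port) without any change to the cabling, which is why the priority is the value an administrator sets deliberately rather than leaving the election to whichever MAC happens to be lowest.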

CHAPTER 10
VLAN
A virtual local area network, virtual LAN or VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical local area network (LAN), but it allows for end stations to be grouped together even if they are not located on the same network switch. VLAN membership can be configured through software instead of physically relocating devices or connections. To physically replicate the functions of a VLAN, it would be necessary to install a separate, parallel collection of network cables and equipment which are kept separate from the primary network. However, unlike a physically separate network, VLANs must share bandwidth; two separate one-gigabit VLANs using a single one-gigabit interconnection can suffer both reduced throughput and congestion. A VLAN-capable switch virtualizes the VLAN behaviours: configuring switch ports, tagging frames when they enter the VLAN, looking up the MAC table to switch or flood frames to trunk links, and untagging frames when they exit the VLAN.
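The two basic switch functions listed in the previous chapter (address learning, forwarding based on learned addresses) together with the VLAN behaviours just described (tagging on trunk links, untagging toward access ports, a separate broadcast domain per VLAN) as one added Python example; it is not code from the report. Port assignments, MAC addresses and frames are constructed; the 802.1Q tag layout (TPID 0x8100 followed by a 16-bit TCI holding PCP, DEI and the 12-bit VID) is the standard one, and frames of the native VLAN leave a trunk untagged.

```python
import struct

TPID_8021Q = 0x8100
BROADCAST = b"\xff" * 6


def make_frame(dst_mac, src_mac, ethertype=0x0800, payload=b""):
    """Minimal untagged Ethernet frame: dst, src, EtherType, payload (constructed; no FCS)."""
    to_bytes = lambda mac: bytes(int(x, 16) for x in mac.split(":"))
    return to_bytes(dst_mac) + to_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vlan_id, pcp=0, dei=0):
    """Insert an 802.1Q tag between the source MAC and the original EtherType."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Return (vlan_id, pcp, untagged_frame), or (None, None, frame) if there was no tag."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


class VlanSwitch:
    """Access ports carry untagged frames of one VLAN; trunk ports carry tagged frames.
    Each VLAN is its own broadcast domain: its own MAC table and its own flooding set."""

    def __init__(self, access_ports, trunk_ports, native_vlan=1):
        self.access = dict(access_ports)   # port -> VLAN
        self.trunks = set(trunk_ports)
        self.native = native_vlan          # untagged frames on a trunk belong here
        self.tables = {}                   # VLAN -> {MAC: port}

    def receive(self, in_port, frame):
        """Learn the source, then forward. Returns {out_port: frame as sent on that port}."""
        if in_port in self.trunks:
            vid, _, frame = untag_frame(frame)
            if vid is None:
                vid = self.native
        else:
            vid = self.access[in_port]
        table = self.tables.setdefault(vid, {})
        dst, src = frame[0:6], frame[6:12]
        table[src] = in_port                        # address learning
        if dst != BROADCAST and dst in table:       # known unicast: one port only
            out_ports = {table[dst]} - {in_port}
        else:                                       # unknown or broadcast: flood, but only inside the VLAN
            members = {p for p, v in self.access.items() if v == vid} | self.trunks
            out_ports = members - {in_port}
        return {p: tag_frame(frame, vid) if p in self.trunks and vid != self.native else frame
                for p in out_ports}
```

A frame from a VLAN 20 host addressed to a VLAN 10 host is flooded only to VLAN 20 members and the trunk (tagged 20); it never reaches the VLAN 10 access ports, which is the broadcast-domain separation the text relies on for segmentation.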

Uses
VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address issues such as scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management. By definition, switches may not bridge IP traffic between VLANs as it would violate the integrity of the VLAN broadcast domain. This is also useful if someone wants to create multiple layer 3 networks on the same layer 2 switch. For example, if a DHCP server is plugged into a switch it will serve any host on that switch that is configured to get its IP from a DHCP server. By using VLANs you can easily split the network up so some hosts won't use that DHCP server and will obtain link-local addresses, or obtain an address from a different DHCP server. VLANs are layer 2 constructs, compared with IP subnets which are layer 3 constructs. In an environment employing VLANs, a one-to-one relationship often exists between VLANs and IP subnets, although it is possible to have multiple subnets on one VLAN. VLANs and IP subnets provide independent Layer 2 and Layer 3 constructs that map to one another and this correspondence is useful during the network design process. By using VLANs, one can control traffic patterns and react quickly to relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration.

Establishing VLAN memberships

The two common approaches to assigning VLAN membership are as follows:
Static VLANs
Dynamic VLANs
Static VLANs are also referred to as port-based VLANs. Static VLAN assignments are created by assigning ports to a VLAN. As a device enters the network, the device automatically assumes the VLAN of the port. If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to-VLAN assignment for the new connection.

Dynamic VLANs are created through the use of software. With a VLAN Management Policy Server (VMPS), an administrator can assign switch ports to VLANs dynamically based on information such as the source MAC address of the device connected to the port or the username used to log onto that device. As a device enters the network, the device queries a database for VLAN membership.

Cisco VLAN Trunking Protocol (VTP)


On Cisco devices, VTP (VLAN Trunking Protocol) maintains VLAN configuration consistency across the entire network. VTP uses Layer 2 trunk frames to manage the addition, deletion, and renaming of VLANs on a network-wide basis from a centralized switch in the VTP server mode. VTP is responsible for synchronizing VLAN information within a VTP domain and reduces the need to configure the same VLAN information on each switch. VTP minimizes the possible configuration inconsistencies that arise when changes are made. These inconsistencies can result in security violations, because VLANs can cross connect when duplicate names are used. They also could become internally disconnected when they are mapped from one LAN type to another, for example, Ethernet to ATM LANE ELANs or FDDI 802.10 VLANs. VTP provides a mapping scheme that enables seamless trunking within a network employing mixed-media technologies. VTP provides the following benefits:
VLAN configuration consistency across the network
Mapping scheme that allows a VLAN to be trunked over mixed media
Accurate tracking and monitoring of VLANs
Dynamic reporting of added VLANs across the network
Plug-and-play configuration when adding new VLANs
As beneficial as VTP can be, it does have disadvantages that are normally related to the spanning tree protocol (STP), as a bridging loop propagating throughout the network can occur. Cisco switches run an instance of STP for each VLAN, and since VTP propagates VLANs across the campus LAN, VTP effectively creates more opportunities for a bridging loop to occur. Before creating VLANs on the switch that will be propagated via VTP, a VTP domain must first be set up. A VTP domain for a network is a set of all contiguously trunked switches with the same VTP domain name. All switches in the same management domain share their VLAN information with each other, and a switch can participate in only one VTP management domain. Switches in different domains do not share VTP information. Using VTP, each Catalyst Family Switch advertises the following on its trunk ports:

CHAPTER
ACCESS-LISTS

Standard Access Control Lists (ACLs) are Cisco IOS commands used to filter packets on Cisco routers based on the source IP address of the packet. Extended Access Control Lists can additionally filter on the destination IP address, and on the protocol and port numbers.

Numbered Standard Access Control Lists


Numbers between 1 and 99 or 1300 and 1999, or a name given explicitly with "ip access-list standard name", identify a Standard ACL. The number chosen within this range does not affect how the ACL is processed or which ACL is more important to the router. A standard ACL is concerned with only one factor, the source IP address of the packet; the destination is not considered. The number takes the place of a name you might give to a specific rule, and in no way corresponds to a list of pre-defined ACLs.

Named Standard Access Control Lists


The difference between Named and Numbered ACLs is that a name, not a number, is associated with a named ACL. Names are easier to remember than numbers. Either way, the ACL is referred to by that number or name when it is applied to an interface.

Access List Rules


Regardless of the type of access list you create, standard or extended, you must follow certain rules. For instance, you must create and apply access lists sequentially and must remember that they end with an implicit deny.

RouterA(config)# access-list 1 deny 172.16.5.2 0.0.0.0
RouterA(config)# access-list 1 deny 172.16.5.3 0.0.0.0
RouterA(config)# access-list 1 permit any

The previous example is a standard IP access list that denies the hosts 172.16.5.2 and 172.16.5.3 (the wildcard mask 0.0.0.0 means every bit of the address must match) while allowing all other traffic. The list is applied sequentially from the top down as the router checks the packets arriving at the interface where this access list is applied, to see whether each packet matches the permit and deny statements. In the process of applying the access list, the router first checks an arriving packet to determine if it matches the deny 172.16.5.2 0.0.0.0 statement. If it does, the router discards the packet. If it does not, the router applies the second statement, deny 172.16.5.3 0.0.0.0. If the packet matches the second statement, the router discards the packet. If the packet does not match the first two lines, the router applies the final permit any statement, and the packet is forwarded through the interface. Without that final permit, the implicit deny would discard every packet the list did not explicitly permit. If you wish to remove an access list, you use the no access-list (list #) command. For example, to remove the above list, you enter global configuration mode and type the no access-list command. The information below shows the correct procedure for typing this command.

Creating Numbered Standard Access Control Lists


From Global Configuration mode, type in:

access-list <access-list-number> <deny|permit> <source-ip-address> [wildcard-mask]
interface <interface-type/number>
ip access-group <number of list> in|out

Example:

access-list 5 permit 11.0.3.0 0.0.0.255
access-list 5 permit 10.0.5.0 0.0.0.255
int fa0/0
ip access-group 5 in

The above example permits traffic from two specific networks; the wildcard mask 0.0.0.255 ignores the last octet, so any host in 11.0.3.0/24 or 10.0.5.0/24 matches. Note that the access list must be defined and then assigned to an interface. An access list by itself (not assigned to an interface) does nothing at all. "in" or "out" refer to traffic into, or out of, the router that is being configured. Because of the implicit deny at the end, every other source arriving on fa0/0 is discarded, including any management session that enters through that interface.

Creating Named Standard Access Control Lists


From Global configuration mode type:

ip access-list standard <name>
deny <source ip or keyword any> <wildcard mask or keyword any>
OR
permit <source ip or keyword any> <wildcard mask or keyword any>

Problems with Access Lists


I. One of the most common problems associated with access lists is a lack of planning. Before you even begin the process of creating access lists on your router, you must plan exactly what needs to be filtered and where it needs to be filtered.

II. Another troublesome area is the sequential nature in which you must enter the lists into the router. In a classic numbered ACL you cannot remove individual statements once they are entered; the "no" form of a single entry removes the whole list. When making changes, you must remove the list, using the no access-list command, and then retype the commands. Named ACLs avoid this, because each entry carries a sequence number and can be deleted or inserted individually.

III. Finally, many new network administrators find themselves in trouble when they Telnet into a router and begin applying an access list. An access list begins to work the second it is applied to an interface. It is very possible that new administrators will find themselves inadvertently locked out of the same router on which they are applying the access list. A practical safeguard is to place an explicit permit for the management host or subnet ahead of any deny statement and to check that entry before applying the list.
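The first-match evaluation described under Access List Rules, the wildcard masks used in the numbered and named examples above, and the lockout problem in point III can all be exercised with the following added example. It is illustration code written for this section, not code from the report or from Cisco IOS: it parses IOS-style standard access-list lines into Python structures and evaluates source addresses against them. The configuration text, the ACL name MGMT, and the addresses 192.0.2.1 and 10.0.5.x are constructed for the example.

```python
import ipaddress

# Added example (not from the report): a small evaluator for Cisco-style standard
# ACLs. It models the behaviour the text describes: entries are tested top-down,
# the first match wins, only the source address is examined, and a packet that
# matches nothing hits the implicit "deny any" at the end of every list.
# The configuration below is constructed for this example, not taken from a router.


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_standard_acls(config: str) -> dict:
    """Parse numbered ('access-list N permit|deny ...') and named
    ('ip access-list standard NAME' followed by optionally sequence-numbered
    entries) standard ACLs into {name: [(action, network, wildcard), ...]}."""
    acls, current = {}, None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "standard"]:
            current = tokens[3]
            acls.setdefault(current, [])
            continue
        if tokens[0] == "access-list":
            current = tokens[1]
            acls.setdefault(current, [])
            tokens = tokens[2:]
        elif tokens[0].isdigit():            # sequence number inside a named ACL
            tokens = tokens[1:]
        if current is None or tokens[0] not in ("permit", "deny"):
            raise ValueError(f"unparsable ACL line: {raw!r}")
        action = tokens[0]
        if tokens[1] == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        elif tokens[1] == "host":
            network, wildcard = tokens[2], "0.0.0.0"
        else:
            network = tokens[1]
            wildcard = tokens[2] if len(tokens) > 2 else "0.0.0.0"  # IOS default
        acls[current].append((action, network, wildcard))
    return acls


def evaluate(acl: list, src_ip: str) -> tuple:
    """Return (action, matching entry); entry None means the implicit deny fired."""
    for entry in acl:
        action, network, wildcard = entry
        if wildcard_match(src_ip, network, wildcard):
            return action, entry
    return "deny", None


def would_lock_out(acl: list, admin_ip: str) -> bool:
    """Problem III from the text: before applying an ACL inbound on the interface
    (or vty lines) the administrator's own session arrives on, check whether that
    session's source address would be denied."""
    return evaluate(acl, admin_ip)[0] == "deny"


# Constructed configuration mirroring the two examples in the text plus a named list.
SAMPLE_CONFIG = """
access-list 1 deny 172.16.5.2 0.0.0.0
access-list 1 deny 172.16.5.3 0.0.0.0
access-list 1 permit any
access-list 5 permit 11.0.3.0 0.0.0.255
access-list 5 permit 10.0.5.0 0.0.0.255
ip access-list standard MGMT
 10 permit host 10.0.5.7
 20 deny any
"""

ACLS = parse_standard_acls(SAMPLE_CONFIG)

if __name__ == "__main__":
    for name, src in [("1", "172.16.5.2"), ("1", "172.16.5.9"),
                      ("5", "10.0.5.77"), ("5", "192.0.2.1"), ("MGMT", "10.0.5.7")]:
        print(f"ACL {name:4} src {src:12} -> {evaluate(ACLS[name], src)}")
    # The administrator is Telnetted in from 192.0.2.1 and about to apply ACL 5 inbound.
    print("applying ACL 5 would lock out 192.0.2.1:", would_lock_out(ACLS["5"], "192.0.2.1"))
```

Running the script shows ACL 5 permitting 10.0.5.77 through the 0.0.0.255 wildcard while 192.0.2.1 falls through to the implicit deny, which is exactly the case that locks an administrator out when the list is applied to the interface their session arrived on.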

CHAPTER
Network address translation
In computer networking, network address translation (NAT) is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device.

The simplest type of NAT provides a one-to-one translation of IP addresses. RFC 2663 refers to this type of NAT as Basic NAT; it is often also referred to as one-to-one NAT. In this type of NAT only the IP addresses, the IP header checksum and any higher-level checksums that include the IP address need to be changed. The rest of the packet can be left untouched (at least for basic TCP/UDP functionality; some higher-level protocols may need further translation). Basic NAT can be used when there is a requirement to interconnect two IP networks with incompatible addressing.

However, it is common to hide an entire IP address space, usually consisting of private IP addresses, behind a single IP address (or in some cases a small group of IP addresses) in another (usually public) address space. To avoid ambiguity in the handling of returned packets, a one-to-many NAT must alter higher-level information such as TCP/UDP ports in outgoing communications and must maintain a translation table so that return packets can be correctly translated back. Other names include PAT (port address translation), IP masquerading, NAT overload and many-to-one NAT. Since this is the most common type of NAT, it is often referred to simply as NAT.

As described, the method enables communication through the router only when the conversation originates in the masqueraded network, since this is what creates the translation table entries. For example, a web browser in the masqueraded network can browse a web site outside, but a web browser outside cannot browse a web site in the masqueraded network. However, most NAT devices today allow the network administrator to configure translation table entries for permanent use. This feature is often referred to as "static NAT" or port forwarding and allows traffic originating in the "outside" network to reach designated hosts in the masqueraded network.

In the mid-1990s NAT became a popular tool for alleviating the consequences of IPv4 address exhaustion. It has become a standard, indispensable feature in routers for home and small-office Internet connections. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address. Network address translation has serious drawbacks on the quality of Internet connectivity and requires careful attention to the details of its implementation. In particular, all types of NAT break the originally envisioned model of IP end-to-end connectivity across the Internet, and NAPT makes it difficult for systems behind a NAT to accept incoming communications. As a result, NAT traversal methods have been devised to alleviate the issues encountered.

Visibility of Operation
NAT operation is typically transparent to both the internal and external hosts. The internal host is aware of the true IP address and TCP or UDP port of the external host, and the NAT device commonly functions as the default gateway for the internal host. The external host, however, sees only the public IP address of the NAT device and the particular port being used on behalf of a specific internal host. This hiding of inside addresses is a side effect of translation, not an access-control mechanism: static entries and the outside interface itself still need an access list if inbound traffic is to be restricted.

NAT and TCP/UDP


A "pure NAT", operating on IP alone, may or may not correctly parse protocols that are concerned only with IP information, such as ICMP, depending on whether the payload is interpreted by a host on the "inside" or the "outside" of the translation. As soon as the protocol stack is traversed, even with such basic protocols as TCP and UDP, the protocols will break unless the NAT takes action beyond the network layer.

IP packets have a checksum in each packet header, which provides error detection only for the header. IP datagrams may become fragmented, and only the first fragment carries the transport-layer header, so a NAT has to reassemble (or at least track) these fragments in order to recalculate higher-level checksums correctly and to tell which fragments belong to which connection.

The major transport layer protocols, TCP and UDP, have a checksum that covers all the data they carry, as well as the TCP/UDP header, plus a "pseudo-header" that contains the source and destination IP addresses of the packet carrying the TCP/UDP header. For an originating NAT to pass TCP or UDP successfully, it must recompute the TCP/UDP header checksum based on the translated IP addresses, not the original ones, and put that checksum into the TCP/UDP header of the first packet of the fragmented set of packets. The receiving NAT must recompute the IP checksum on every packet it passes to the destination host, and also recognize and recompute the TCP/UDP checksum using the retranslated addresses and pseudo-header. This is not a completely solved problem. One solution is for the receiving NAT to reassemble the entire segment and then recompute a checksum calculated across all packets.

The originating host may perform Maximum Transmission Unit (MTU) path discovery to determine the packet size that can be transmitted without fragmentation, and then set the Don't Fragment (DF) bit in the IP header so that the packets are never fragmented in transit.

Configuring Static Translation


Router(config)# ip nat inside source static local-ip global-ip
    Establishes a static translation between an inside local address and an inside global address.

Router(config-if)# ip nat inside
    Marks the interface as connected to the inside.

Router(config-if)# ip nat outside
    Marks the interface as connected to the outside.
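To make the translation-table and checksum behaviour described above concrete, here is an added example, written for this section and not part of the report or of Cisco IOS: a toy PAT translator for IPv4/TCP in Python. It creates a table entry for each new outbound flow, drops inbound packets that match no entry, honours a static (port-forwarding) entry of the kind the ip nat inside source static command configures, and recomputes both the IP header checksum and the TCP checksum with its pseudo-header after every rewrite. All addresses (10.0.5.0/24 inside, 198.51.100.1 as the inside global address, 203.0.113.10 outside) and all packets are constructed for the example; fragmentation is not modelled, so every packet carries a complete TCP header.

```python
import struct
import ipaddress

# Added example (not from the report): a toy PAT (NAT overload) for IPv4/TCP.
# It keeps a translation table so replies can be mapped back, and recomputes the
# IP header checksum and the TCP checksum (whose pseudo-header includes the
# translated addresses). Addresses and packets below are constructed.


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum of 16-bit words; odd lengths are zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _fix_checksums(ip_hdr: bytearray, tcp: bytearray) -> bytes:
    """Zero both checksum fields, recompute them over the current headers, return the packet."""
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", checksum(bytes(ip_hdr)))
    tcp[16:18] = b"\x00\x00"
    pseudo = bytes(ip_hdr[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))  # src, dst, 0, proto, len
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))
    return bytes(ip_hdr + tcp)


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """IPv4 header (no options) + TCP SYN header (no options) + payload, checksums filled in."""
    ip_hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000,
                                   64, 6, 0, ipaddress.IPv4Address(src).packed,
                                   ipaddress.IPv4Address(dst).packed))
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0))
    return _fix_checksums(ip_hdr, tcp + payload)


def parse(packet: bytes) -> tuple:
    """(src, dst, sport, dport) of an IPv4/TCP packet with a 20-byte IP header."""
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    sport, dport = struct.unpack("!HH", packet[20:24])
    return src, dst, sport, dport


def checksums_ok(packet: bytes) -> bool:
    """A valid ones-complement checksum makes the sum over the covered bytes come out as zero."""
    ip_hdr, tcp = packet[:20], packet[20:]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip_hdr) == 0 and checksum(pseudo + tcp) == 0


class PAT:
    """Many-to-one NAT: inside hosts share one inside global address, told apart by port."""

    def __init__(self, inside_global: str, first_port: int = 1024):
        self.inside_global, self.next_port = inside_global, first_port
        self.outbound = {}   # (inside local ip, local port) -> translated port
        self.inbound = {}    # translated port -> (inside local ip, local port)

    def add_static(self, global_port: int, local_ip: str, local_port: int) -> None:
        """Static entry (port forwarding): outside-initiated traffic may reach an inside host."""
        self.inbound[global_port] = (local_ip, local_port)
        self.outbound[(local_ip, local_port)] = global_port

    def translate_outbound(self, packet: bytes) -> bytes:
        src, _, sport, _ = parse(packet)
        key = (src, sport)
        if key not in self.outbound:               # first packet of a flow creates state
            while self.next_port in self.inbound:
                self.next_port += 1
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        ip_hdr, tcp = bytearray(packet[:20]), bytearray(packet[20:])
        ip_hdr[12:16] = ipaddress.IPv4Address(self.inside_global).packed
        tcp[0:2] = struct.pack("!H", self.outbound[key])
        return _fix_checksums(ip_hdr, tcp)

    def translate_inbound(self, packet: bytes):
        """Rewrite to the inside host, or return None (dropped) when no table entry exists."""
        _, _, _, dport = parse(packet)
        entry = self.inbound.get(dport)
        if entry is None:
            return None
        ip_hdr, tcp = bytearray(packet[:20]), bytearray(packet[20:])
        ip_hdr[16:20] = ipaddress.IPv4Address(entry[0]).packed
        tcp[2:4] = struct.pack("!H", entry[1])
        return _fix_checksums(ip_hdr, tcp)


def demo() -> dict:
    nat = PAT("198.51.100.1")
    nat.add_static(8080, "10.0.5.8", 80)          # inside web server reachable from outside
    out = nat.translate_outbound(build_packet("10.0.5.7", "203.0.113.10", 40000, 80, b"GET / HTTP/1.0\r\n\r\n"))
    reply = build_packet("203.0.113.10", "198.51.100.1", 80, parse(out)[2])
    back = nat.translate_inbound(reply)
    stray = nat.translate_inbound(build_packet("203.0.113.10", "198.51.100.1", 4444, 2000))
    forwarded = nat.translate_inbound(build_packet("203.0.113.10", "198.51.100.1", 4444, 8080))
    return {"out": parse(out), "out_ok": checksums_ok(out),
            "back": parse(back), "back_ok": checksums_ok(back),
            "stray": stray, "forwarded": parse(forwarded)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10} {value}")
```

The checksums_ok check is the point of the section: a translator that rewrote only the addresses would leave a TCP checksum computed over the old pseudo-header, and the receiving host would silently discard the segment. The stray inbound packet to port 2000 returning None is the "outside cannot initiate" behaviour, and the 8080 entry shows how a static mapping punches through it.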

Enabling Static NAT: Address Mapping Example


Configuring Dynamic Translation

EXAMPLE:



BIBLIOGRAPHY

Books:
CCNA, 6th Edition (Todd Lammle)
Network Security Fundamentals

Sites:
www.google.com
