<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">
<channel>
<title>Cisco</title>
<link>http://www.computersight.com/tags/Cisco</link>
<description>New posts about Cisco</description>
<item>
<title>Network Operating System</title>
<link>http://www.computersight.com/Operating-Systems/Network-Operating-System.119592</link>
<description>
<![CDATA[<p>Here we begin a look into the world of the Network Operating System (NOS). Along the way, we will discuss various aspects of the Network Operating System (NOS) including requirements, models, topologies, differences and network operating system implementations as well as the pros and cons. I will also provide a number of examples, guidelines and graphics to help you get under way.</p>
 
<h3>What is a Network Operating System (NOS)?</h3>
 
<p>A Network Operating System (NOS) is a special type of computer operating system (software) primarily designed to support workstations, PCs, and, in some instances, older terminals that are connected on a Local Area Network (LAN).</p>
 
<p>Some examples of a Network Operating System (NOS) include:</p>
 
<ul>
<li> Artisoft's LANtastic</li>
 
<li> Banyan VINES</li>
 
<li> Novell's NetWare - Novell Netware and Novell Netware servers can still be found out there but Novell are now firmly behind SUSE Linux for their network operating systems</li>
 
<li> Microsoft's LAN Manager, Windows&reg; NT, Windows&reg; 2000 Server, Windows&reg; Server 2003 and now the new Microsoft server flagships Windows&reg; Server 2008 and Windows&reg; Server 2008 Core Edition, as well as the recently arrived Microsoft Windows&reg; Server Home Edition</li>
 
<li> Sun Microsystems' Solaris Operating Systems - Solaris 10 is now open source and freeware. Big iron computing for those with the hardware to run it is now free. A word of warning though; Solaris takes a considerable time to install and boot but once up and running it will stay that way for like ever.</li>
 
<li> IBM's OS/2 and OS/2 Warp - Both of which are still very capable network operating systems. When released they were definitely head and shoulders above most other network operating systems for small business and the individual. IBM also provided considerable support, which was another big plus in their favor. </li>
 
</ul>
<p>Unfortunately, IBM blew the marketing and advertising campaign to such an extent that OS/2 never saw the market penetration that many say it deserved. I will agree that it certainly left Microsoft's Windows&reg; 95 offering, which it predated, for dead. Along with Novell Netware these were the &ldquo;big three&rdquo; of the day; sorry Apple, and Linux was still a toy (most definitely not a network operating system then).</p>

<p>IBM having some faces on the TV saying &ldquo;WOW&rdquo; did not sell product. Maybe they should have shown a picture of what they were saying &ldquo;WOW&rdquo; about instead. Millions of dollars spent advertising an operating system without showing even one screen shot of it. Big mistake I think.</p>

<p>There are still quite a few systems running OS/2, or OS/2 Warp in particular, today. IBM has only just announced that they intend to cease all support, but they have given no definitive date for when. Compare that to Microsoft's record. Microsoft killed all support for Windows 95, 98, ME along with the early versions of Windows NT (pre-NT4) some time ago.</p>
 
<ul>
<li> Cisco Systems' Internetworking Operating System (IOS) - Cisco have traditionally had a very special internetworking focus and, no surprise, their IOS is for use with their networking devices. Its internetworking capabilities are right up there. </li>
 
</ul>
<p>Most of the larger routers in the world, at least until recently, were the nearly exclusive domain of Cisco Systems and their IOS. The Internet runs on these massive and incredibly powerful routers. The Cisco IOS is proprietary software. Cisco does not license clones.</p>
 
<ul>
<li> BSD - Particularly implementations such as FreeBSD and OpenBSD deserve mention if only due to their reasonable installation base. You will come across this OS more often than you might think.</li>
 
<li> Plan 9 - A distributed OS from Bell Labs</li>
 
<li> Multi-purpose Operating Systems, such as Microsoft Windows&reg; NT &amp; Digital's OpenVMS, come with capabilities that also enable them to be included in this list as a Network Operating System (NOS)</li>
 
<li> Linux - Linux variants that have had massive additional support added by various groups deserve inclusion as well. Unfortunately, there are just too many of them for me to include them all here in this list of Network Operating Systems (NOS). </li>
 
</ul>
<p>However, one that does stand out is Novell's version of SUSE Linux Enterprise 10.1 and above. Novell have incorporated an incredible array of networking capabilities and tools supported straight out of the box. No big surprise really since networking has always been Novell's forte.</p>
 
<p>As already mentioned Novell have had their own network operating system called Novell Netware but with this SUSE Linux offering, I think they have lifted their game considerably. Believe me I am not easily impressed but Novell's efforts with SUSE Linux Enterprise 10.1 I can definitely recommend as being worth a look. This includes support for dual Graphical User Interfaces (GUI).</p>
 
<p>You have the option to install both the Gnome and the KDE desktop environments at the same time. Even more exciting is the fact that you are able to run them simultaneously. Switching from one desktop environment to the other is seamless. So much so that at times I almost forgot, I was running the two.</p>
 
<p>The reason you might do this is simply that each desktop environment has its strengths and weaknesses. They also come with different tools. One tool may be better at a task or even because you just like it better. Well you can now have the best of both worlds. Novell have definitely gone to town on this one.</p>
 
<ul>
<li> UNIX - UNIX is definitely not for the average person and remains nearly exclusively in the realm of the mainframe and some supercomputers. Note that Linux is in many ways very similar to the UNIX OS. UNIX was reportedly firmly in Mr. Torvalds' mind when he wrote the original Linux kernel but that was a long time ago. </li>
 
</ul>
<p>Note: Microsoft Windows&reg; XP Pro has limited network aware capabilities (workgroups, print sharing, Internet, &amp; domain connectivity) but it is not a true fully blown network operating system even though many people do mistakenly think so due to the presence of the network neighborhood &amp; My Network Places icons found on their desktops.</p>

<p>It still depends on and requires a true Network Operating System (NOS) to be fully network capable. Microsoft built their Windows&reg; Server 2003 for this exact reason: to provide the network operating system functionalities that Windows&reg; XP lacks.</p>

<p>Their new server flagship Windows&reg; Server 2008 continues this trend of Microsoft building a general-purpose operating system and then providing a more beefy server network operating system to plug all the holes that businesses complain they want fixed.</p>

<p>&ldquo;Knee-jerk&rdquo; it may be but sure as hell, it is easier than supplying a network operating system with bells and whistles to compensate for failings that nobody would have screamed about in the first place. At least not as loudly as all the other issues they consider more pressing.</p>
 
<h3>What are a Network Operating System's (NOS) Features?</h3>
 
<p>All network operating systems have a number of functionalities and features in common. The manner of their implementation is where the major differences lie. In &ldquo;Network Operating System Features&rdquo;, I have listed many of the most common of them.</p>]]></description>
<pubDate>Sun, 04 May 2008 16:13:21 PST</pubDate></item>
<item>
<title>Making Your Own Indexed Labeling System</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Making-Your-Own-Indexed-Labeling-System.116763</link>
<description>
<![CDATA[
 
<p>Having covered naming conventions in the last issue, we are now ready to tackle the physical labeling of our devices. As usual we will be starting at the center of our universe: the communications and networking core center and associated infrastructure.</p>
 
<h3>Labeling</h3>
 
<p>There are a number of important considerations that need to be taken into account when designing and implementing a physical labeling structure. We have already looked at the first one which was a naming convention. We will now look at the actual physical labels in more detail.</p>
 
<h3>Clarity</h3>
 
<p>Always clearly label devices and take care that the label itself is clearly visible. You do not want to have to adjust the device so that you can read its label.</p>
 
<h3>Legibility</h3>
 
<p>Always ensure that whatever is on your labels, be it alphanumeric characters or symbols, is clearly and unmistakably legible. I tend to stick with true-type fonts and in most instances use upper case characters. Devices such as the portable labeler shown in the picture do an admirable job.</p>
 
<h3>Hand-Written Labels</h3>
 
<p>Whenever writing labels by hand, such as on the self-adhesive varieties, there are a couple of rules that need to be followed.</p>
 
<h3>Bar Codes</h3>
 
<p>While bar codes are an asset at stock-take and audit time they are useless when it comes to physical connectivity and troubleshooting. This is even more reason to use multiple label types for your labeling systems.</p>
 
<p>The bar code labels are great for speed reading by machines, especially at audit time. The labels with the alphanumeric characters are much more &ldquo;human friendly&rdquo; for us humans to use on a day-to-day functional basis.</p>
 
<h3>Color</h3>
 
<p>Color-coding your labels is also very handy as it adds another dimension that can be invaluable in the speedy recognition of what is out of place. We humans are very visual creatures and color is an important element of this. So it only makes sense to make use of that which comes &ldquo;naturally&rdquo;.</p>
 
<p>For example: if the colors of two paired and matching labels don't match then you can see at a glance that something is wrong and needs closer inspection. The possibilities are endless so I will leave the rest up to you.</p>
 
<p>Just remember that whenever you use color-coded labels, the extra redundancy that this imparts to your physical naming and labeling structures will pay dividends in many ways. From the troubleshooting perspective, color-coded labels can be a great assistance in getting to the root cause of a physical connectivity issue.</p>
 
<p>An example of this would be in the use of labels for dedicated devices such as a switch that is the distribution point for a number of workgroup access switches.</p>
 
<p>All of the workgroup level switches that connect to a specific centrally located distribution switch may have a red star, a red <strong>1</strong> or even a label with a red background as seen in <strong>Fig.1</strong>.</p>
 
<p>Every little bit counts and visual clues are essential for speed and proficiency.</p>
 
<h3>Symbols</h3>
 
<p>Whenever you use symbols or contracted labeling (abbreviated) always remember to keep a master index and register detailing the full expanded version of the contraction along with the symbols.</p>
 
<p>Where symbols are concerned it is usually a good idea to keep your symbolic structures fairly simple and not overly lengthy. In most situations you will find that six to twelve or so different symbols will be more than sufficient.</p>
 
<p>In Fig.1 the red star could indicate that this device belonged to a particular VLAN or as already mentioned that all devices with the red star might all be connected to the same central distribution switch.</p>
 
<p>Remember the naming convention structures that we discussed last time. Don't worry I have included the naming convention hierarchy structure table that we created last time.</p>
 
<p>To refresh your memory and for the benefit of those who have as yet not read the last issue here is the naming convention code that we developed last time:</p>
 
<p><strong>F</strong>acility number <strong>1</strong>, <strong>R</strong>ack number <strong>4</strong>, <strong>S</strong>helf number <strong>2</strong>, <strong>S</strong>lot number <strong>3</strong> becomes: <strong>F1R4S2S3</strong>.</p>
 
<p>In addition we also know that the addition of the red star means that this distribution switch is related in some way to all of our workgroup access switches. In the example that we have been using this means that all of the access switches are connected (cabled) to this particular central distribution switch. The access switches will have a similar label and star affixed to them.</p>
 
<h3>Carried Consistency</h3>
 
<p>This is known as &ldquo;carried consistency&rdquo;, which means that the conventions in one area are carried on through and applied to all other areas. In any hierarchical structure the attribute of consistency is highly desired and prized.</p>

<p>I will be discussing the value of carried consistency a little later. I will also be presenting examples to illustrate carried consistency in practice, one of which I have presented in the next section where I cite the case of telephone cabling and wire tapping.</p>
 
<h3>Self-Adhesive Labels</h3>
 
<p>Another possible medium that you might consider is paper-based self-adhesive labels. As a labeling system, paper-based self-adhesive labels have been around for a considerable time now. While they do have their drawbacks, many are outweighed by the benefits. The biggest benefit to using self-adhesive labels is purely a simple matter of economics. They are comparatively cheap.</p>
 
<h3>Magnetic Strips</h3>
 
<p>Using magnetic strips, such as the fridge magnet variety, is not something you should be wasting your time considering. They are far too easily removed both deliberately and accidentally.</p>
 
<p>Magnetic materials with embedded magnetic information might be essential to credit cards, smart cards and the like but they do not belong with your network and communications infrastructure and devices. Areas where magnetic fields are generated such as a rack of routers and switches can destroy this magnetically stored data leaving you back at square one.</p>
 
<h3>Engraving</h3>
 
<p>Using an engraver to permanently tag a device with a code of some sort is all about recovery rather than creating an easily identified label. An engraved version of your label can be of assistance in identifying devices that have lost their primary &ldquo;human-friendly&rdquo; main label.</p>

<p>A word of warning: do not engrave those sections of your devices that have protective coatings applied as this may well render the protective coating layer null and void.</p>
 
<h3>Other Labeling Media</h3>
 
<p>Marking pens, computer printed labels and tags, tie-on tags, super glue and label plate combinations as well as embossed media are also labeling systems that you may need to consider. Which way you go will depend on your current situation and the objectives that your naming convention and labeling system are meant to deliver.</p>
 
<h3>Network Wall Adapters, Power Face Plates and Power Cords</h3>
 
<p>Often overlooked in the &ldquo;bigger picture&rdquo;, wall adapters, power faceplates and power cords must also be labeled in an appropriate manner that is consistent with your other naming and labeling systems.</p>
 
<p>The purpose of doing this is to expedite the identification of the appropriate connectors for devices and infrastructure alike. It is handy to be able to identify the power cord of any device in the shortest possible time. This strategy will pay dividends when it comes time to perform many routine network administrative tasks and troubleshooting.</p>
 
<p>You will now be able to follow the physical connectivity aspects of your network/system from one end to the other using your naming and labeling conventions since you implemented a carried consistency throughout the network including the network's core, distribution, access devices and infrastructure.</p>
 
<h3>Glossary of Label Acronyms and Symbols</h3>
 
<p>Building your master list index structure is a must. Once done it should be regularly checked, maintained and updated as necessary. The exact procedures and timings by which this is to be done will be defined in your naming conventions and labeling policy. Make sure all who may take part in these processes are aware of the requirements of your Policy and abide by the directions contained therein.</p>
 
<p>As for the cabling, we could tag the cables with labels along similar lines. This in conjunction with the master &ldquo;key list&rdquo; is in fact the same type of keyed color/alphanumeric coding system used by the phone company's technicians when they need to sort out physical connectivity issues at major junction boxes that contain cables with literally thousands of twisted pair wires.</p>

<p>So you see it is a practical system that has over the years been shown time and time again to work and work well at that! Tapping a phone line is, as we all know, possible. But in practice, without the assistance of the cable/label key index, it is impractical unless the tap is done very close to the destination, i.e. the wire going from the street to your house.</p>

<p>In short your master &ldquo;<strong>key</strong>&rdquo; index works pretty much like a list of acronyms or a glossary. It is the combination of multiple visual clues that makes for speedy recognition as well as adding another layer of built-in physical security. This is most important when it comes to some of the high end switches that have massive port densities.</p>
 
<h3>Label Placement</h3>
 
<p>One of the most important of all aspects of building your own physical labeling system is consistency. Always place the labels in the same relative position. For example: in the center, the left or right, top or bottom.</p>
 
<p>The easiest way to find out the best way is by a short trial and test run. Make some temporary, non-permanent, removable labels and put them on the devices (blue tack is handy here). Leave the room for a while and then come back and check out how easy the labels are to see. You may also get a colleague to do this.</p>
 
<p>One important thing here is to pay attention to where your eye immediately focuses when you first look for the label. If your labels aren't here you will know it because you will need to scan the device to find it. Try placing the label where your eye went first. This will help to give your labels the &ldquo;at-a-glance&rdquo; feature that will save you much time in the future.</p>
 
<h3>Ventilation</h3>
 
<p>Do not place or affix your labels in such a way that they cover or obstruct any of the ventilation inlet/outlet ducts (air holes) of your devices. Modern computing equipment including networking devices such as switches and routers generate considerable heat and must be well ventilated.</p>
 
<p>This becomes even more important when it comes to central facilities where there are numbers of heat producing devices all in the one room. In fact the generation of excess heat has been a major concern in data centers for quite some time now. The result that we have seen has been large and expensive cooling systems.</p>
 
<h3>The &ldquo;Green&rdquo; Factor</h3>

<p>Today, however, the &ldquo;<strong>green factor</strong>&rdquo; is becoming ever more important and not just because of reducing the amount of energy your facility consumes. As a result we are seeing a need for compliance and manufacturers are trying to do their bit by producing newer devices that perform better, use less energy, produce less excess heat, occupy less space and cost less all round.</p>

<p>The rest, well, it's up to us, and the accounts department will be happy if you can reduce your overheads; the consumption of utilities is at the top of their hit list. You can also use this argument as a very good and valid reason for the purchase of new equipment. &ldquo;It is going to save us more money than it costs&rdquo;. This has been and still is a very strong argument that management understands.</p>
 
<h3>Label Placement Conventions</h3>
 
<p>Now with the ideal location for your device labels decided make it a convention. This is how and where all labels are to be attached to devices and containers etc. Document this as it will be part of your Labeling Policy. Staff will need to understand that this is <strong>mandatory</strong> and not optional.</p>
 
<h3>Label Placement Strategies</h3>
 
<p>Because manufacturers of high-end devices with massive port densities, like Cisco&reg;, Juniper&reg;, Netgear&reg; etc., badge the ports on these devices, you can take advantage of this and incorporate it into your labeling structure. In this case the actual labeling of ports will not be required in the majority of instances.</p>

<p>Generally speaking the manufacturers of devices with massive port densities, as seen in this photograph of a Cisco&reg; Catalyst&reg; 3560-E series switch, will use their own custom naming and labeling conventions. All externally accessible I/O interfaces and ports will be numbered accordingly so we might as well take advantage of the fact.</p>
 
<p>The next article in the Physical Security Guide (7) will discuss manufacturer naming conventions and how to use them to suit your own needs. We will also take a look at the physical security requirements of our labeling system after which checklists and cross-check solutions will be explored. So until then Enjoy!</p>]]></description>
<pubDate>Tue, 29 Apr 2008 21:54:13 PST</pubDate></item>
<item>
<title>Building Your Own Naming Convention</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Building-Your-Own-Naming-Convention.114805</link>
<description>
<![CDATA[<p>Here in Part 5 of the Physical Security Guide we continue our exploration of physical security by learning how to build our own naming convention structures, the implications of doing so and what not to do.</p>
 
<h3>Introduction</h3>
 
<p>Having already covered physical presence intrusion, detection, monitoring, surveillance, logging and privacy issues, and the reason why we sometimes need to take a step back and view the situation from another perspective, it is time to continue our through-the-eyes-of-a-machine view of physical security.</p>
 
<h3>Naming Conventions</h3>
 
<p>The planning of your naming conventions for infrastructure and other network devices and assets in a logical and meaningful way is an aspect of network infrastructure that is too often not given due care and attention. One of the most important reasons why you should do this is simply &ldquo;so things don't get out of hand&rdquo;.</p>

<p>&ldquo;Stay on top of your devices; don't let them get on top of you&rdquo;, is a theme that you will come across many times in the world of security, communications and networking. And it all starts with names.</p>

<p>The question that I am going to challenge you with here is: what does the following string mean, &ldquo;F1R4S2S3CCS29501425P11F&rdquo;? Read on and all will become clear.</p>
 
<h3>Why Names?</h3>
 
<p>Because we are humans and humans like to give things names in order to make some sort of meaning out of the world around us. Take the Internet for example: we get from place to place on the Internet by using a naming convention known as the Domain Name System or DNS for short.</p>
 
<h3>Domain Name System (DNS)</h3>
 
<p>Think of it as a telephone book that lists a whole pile of &ldquo;human friendly&rdquo; names and matches them to corresponding Internet addresses, or IP addresses, pretty much in the same way as the white pages telephone directory that we all have come to know over the years. We humans find it easier to think of names rather than numbers. It's just the way we are.</p>
 
<p>There is no doubt about it; computersight.com is definitely more manageable than 200.184.219.176 for example. No!! This is not the IP Address for computersight.com; I just made it up, so to whoever actually owns it I apologize if a whole bunch of people get a wrong number. I will be covering DNS in another article.</p>
 
<h3>Building Your Own Naming Convention</h3>
 
<p>When it comes to naming conventions the question I get asked most is &ldquo;How do you do it?&rdquo; By &ldquo;it&rdquo; the enquirer wants to know how I go about creating a naming convention. It's not really that hard and I will show you now one way in which you can begin to build your own structured secure naming conventions.</p>

<p>Breaking the problem down I have found that most people really only want to know one basic thing and then they are quite fine to finish the job on their own. It's the big question of &ldquo;Where do I start?&rdquo; The best way to answer this is by using an example; so here we go:</p>
 
<h3>Defining the Situation</h3>
 
<p>Suppose you have 4 domain controllers, 10 web servers, 6 routers, 20 high-end switches, 100 workgroup switches that use transparent bridging, 3 mail servers, 5 file servers, 2 database servers and untold numbers of workstations and peripherals.</p>
 
<p>The first question that pops into the minds of most people, including network administrators, especially those without experience of this type of situation, is: &ldquo;Naming and naming conventions, where do I start?&rdquo;</p>
 
<h3>Defining the Beginning</h3>
 
<p>Well as stupid as it may at first sound, the answer is of course at the beginning.</p>
 
<p>Which brings us to &ldquo;How do I find and define the beginning?&rdquo;</p>
 
<p>In this case the beginning is a physical thing. This means that we will be able to construct our new naming convention based on physical properties. The reasons for doing this are partly for ease of reference and partly for solidarity.</p>
 
<p>Physical infrastructure and devices have a tendency to be relatively stable in terms of their outward physical characteristics and location. Routers and servers do not go on walk-about all of their own volition. Rack-mounted devices are even more unlikely to wander. The rack itself, if bolted to the floor and/or wall or ceiling, also makes it hard for physical infrastructure and devices to wander.</p>
 
<p>So what are the types of physical characteristics that we can take advantage of to make our naming systems and conventions easier to create and administer?</p>
 
<h3>Defining the Physical Basics</h3>
 
<p>The first thing to do is, as mentioned above, bolt and lock all physical infrastructure and devices down securely. Once this has been done you can be confident that they will remain where they are. You now have your starting-point; that is, you have now created a &ldquo;center-of-the-universe&rdquo; reference base at least for this network.</p>

<p>The next thing to do is to find aspects and physical attributes of our devices that would be suitable to use in our new naming convention. The question that we need to ask ourselves at this point is &ldquo;What attributes should I use and where do they fit into the big picture?&rdquo;</p>
 
<h3>Defining a Hierarchy</h3>
 
<p>In the example that we are working with here we have a number of different classes and types of devices as well as a whole bunch of physical infrastructure components such as cabling, racks, shelves etc. We also have communications and networking devices including routers and switches. In addition there are a number of servers. So let's put them into some form of structured order.</p>

<p>Humans find it easiest to address and manage large numbers of individual items when they are given some sort of structured order and when that structured order inherently defines the relationships between the individual units, groups of units and the entire system of units as a collective entity.</p>

<p>So let us build our naming convention on a device and physical location hierarchical structure. At the top of this hierarchy are the core and infrastructure components of our network. The next layer down will be the distribution devices and infrastructure and then come the local and peripheral devices and infrastructure components.</p>
 
<p>The biggest distinguishing feature between all of these assets is the type of service(s) that they deliver. Never forget networking and communications are all about the delivery of services when requested.</p>
 
<h3>Top Level Entities</h3>
 
<p>The devices that will be placed at the top level of a physical naming convention are those components that house other components. In our scenario this means the racks, their shelves and slots. At this point our most pressing concern is with the identification of specific physical locations.</p>
 
<p>Creating a naming convention that has the built-in capabilities of locating a device without even knowing the type of device that is physically located at this site will deliver your first layer of physical level naming convention security and redundancy. We will add the more device specific attributes shortly.</p>
 
<p>So Rack number 4, Shelf number 2, Slot number 3 definitely and unambiguously defines a specific physical location within our network but, let's face it, this is a clumsy, cumbersome name, though its meaning is clear. Our next task is to make this clear and precise name less unwieldy. We shall do this by using the age old technique of contraction.</p>

<p>Facility number 1, Rack number 4, Shelf number 2, Slot number 3 becomes: F1R4S2S3. Definitely a lot easier to use at a glance and for those in the &ldquo;know&rdquo; a very precise physical location has been defined. Yet those not in the &ldquo;know&rdquo; are going to start having difficulties figuring this out. Given time they just might.</p>

<p>So we are going to make their job of cracking our simple naming convention system a lot harder by adding some extra detail that will assist us in knowing that the device that is currently at any given physical location is in fact the device that is meant to be there.</p>

<p>In this example physical naming convention the label, or tag if you prefer, of F1R4S2S3 would most definitely allow us to identify and locate in a very short period of time any specific device that is housed in this facility without prior knowledge of the device or even what type of device it is.</p>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/04/27/151682_0.jpg" alt="" /></p>
 
<p>You will also note; that in Table 1 Naming Convention Hierarchy (above), I have not used building or room numbers that may be displayed publically. Instead I used &amp;ldquo;F1&amp;rdquo; to mean facility one which could be located anywhere within your organisation's complex. The communications, networking and security staff will all know that the &amp;ldquo;F1&amp;rdquo; refers to major central facility one.</p>
 
<p>You could of course have called it &ldquo;N1&rdquo; indicating that it is networking center one. The reason that I have not done so in this example is because we are looking to the future and I do mean the very near future.</p>
 
<h3>Unified Communications and Network Convergence</h3>
 
<p>Unified communications and networking convergence mean that it won't be too long before there will be no really clear demarcation point between networking and communications devices and infrastructure. Devices will be capable of and actually performing both functions.</p>
 
<p>IP telephony (VoIP) enabled LAN technologies and rollouts also add more weight to this being the norm rather than the exception in the years to come. So we might as well start thinking about this now and design our naming conventions to suit. Anyway I think you will be able to come up with your own system now that you have the knowledge of how and where.</p>
 
<h3>Adding the Detail</h3>
 
<p>In our example naming convention we have started with the entity that contained the most other entities: The Facility. Then we used the next sub-entity which also contained many other entities but with fewer sub-entities than the parent: The Rack. Then came: The Shelf, followed by: The Slot. Table 1 above shows this and how a Top-Down hierarchical system such as this works in the practical sense.</p>
 
<p>It is important to note that at the moment it makes absolutely no difference what is actually located at the physical location of F1R4S2S3. Simply going here will get you to the device currently located here. But is it the &ldquo;right&rdquo; device?</p>
 
<p>This is where the next part of our naming convention comes into play. From a physical security stand-point it would be nice if we could not only get to the correct location but identify the device that should be there and compare this with the device that is actually there. In other words; what we need is a naming convention with a built-in cross-check, cross-referencing system. Here is how this can be done.</p>
 
<h3>Built-In Device Confirmation</h3>
 
<p>We are going to take advantage of the physical naming and labeling systems used by the manufacturer of the device and work them into our naming convention. In this way we will be able to distinguish any specific device from among the hordes that we are administering. In this aspect &ldquo;human friendly&rdquo; is a must.</p>
 
<p>Don't get me wrong. I do not mean friendly to every human, just those &ldquo;in-the-know&rdquo;. We really don't care how much confusion we create for those not &ldquo;in-the-know&rdquo; because we don't want them to know. This is where the art and experience of creating naming conventions lies.</p>
 
<h3>Mixing Alpha-Numeric Characters</h3>
 
<p>You have already seen part of the way that I use most often to do this by creating a naming convention that uses a mix of alpha-numeric characters. Pretty much like they say you should do when creating authentication passwords.</p>
 
<p>Here is where we get to the device specific element of our name. We could identify a Cisco&reg; Catalyst 2950 switch for example by using CCS29501. Here the CCS = Cisco&reg; Catalyst Switch, the 2950 tells us that it is a 2950 series model and the last 1 tells us that it is switch 1. Remember we may have a number of the same series devices so it is handy to be able to tell them apart. I usually just use the last three or four digits from the device's serial number.</p>
 
<p>If you wanted to identify a specific port then I would use the same port identification convention as the manufacturer. Once again most manufacturers including Cisco&reg; print this information on the device either above, below or next to the actual port.</p>
 
<p>So our new device name using our new naming convention would be F1R4S2S3CCS29501425P11F. I will write this out in full and then I think you will have the basic idea of what we have just done.</p>
 
<p>F1 = Facility 1, R4 = Rack 4, S2 = Shelf 2, S3 = Slot 3, CCS29501425 = Cisco Catalyst Switch 2950 series unit 1425 and P11F = Port 11 of the Front module.</p>
 
<p>Depending on your specific situation you can change this to suit yourself and your situation as desired. Now that you know the meaning behind the naming convention F1R4S2S3CCS29501425P11F seems as plain as day.</p>
 
<p>To someone not in the know, this jumble of alpha-numeric characters is really quite formidable. Most of the time, those with malicious intent would simply give up and not even try to decipher the meaning of this string of characters.</p>
 
<p>It is in this way that we can quickly locate specific resources and components of resources. If you know the device name you can quickly go to it and check to make sure that the correct peripheral in another building is plugged into the correct port.</p>
 
<h3>Network Convergence Implications</h3>
 
<p>This is becoming even more important considering the convergence of networking and communications technologies that we are seeing today. Now the network administrator is performing a lot of tasks that were once the province of the telephone guy. Not so anymore.</p>
 
<h3>Develop and Maintain a Naming Convention Policy</h3>
 
<p>The final task will as always be to create thorough documentation as you go. On the other hand the development and implementation of an appropriate Physical Naming Convention Policy would be the first thing that you would do.</p>
 
<h3>Coming up in the Physical Security Guide series are the following topics and concepts:</h3>
 
<ul>
<li> Labeling, Checklists and Label and Checklist System(s) Security</li>
 
<li> Drilling, Rehearsal, Role Playing Scenarios and Proof-of-Concept Implementations</li>
 
<li> Surviving an Audit and Surviving Users</li>
 
<li> The Physically Static Nature of Core Network Infrastructure Components</li>
 
<li> Physical Location and Placement of Wiring Closets, Infrastructure Cabling and Cabling in General</li>
 
<li> Mission Critical Systems, Rack Mounted Systems and Servers </li>
 
</ul>
<p>So until next time enjoy!!</p>]]></description>
<pubDate>Sun, 27 Apr 2008 07:03:41 PST</pubDate></item>
<item>
<title>Benefits of Transparent Bridging</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Benefits-of-Transparent-Bridging.113477</link>
<description>
<![CDATA[<p>The CCNA Summary Series continues with a look into the value and benefits that using transparent bridging brings to the party. Get the benefits of LAN segmentation the easy way through using transparent bridges; the network administrator's greatest plug "n" play friend.</p>
 
<h3>LAN Segmentation Using Transparent Bridges</h3>
 
<h4>Architecture Matters</h4>
 
<p>Transparent bridges can be used with Ethernet networks. Other architectures require different types of bridges. For example Token Ring networks use a type of bridging technology called source-route bridging.</p>
 
<h3>Reduced Outlay and Greater Return On Investment (ROI)</h3>
 
<p>It's all about more bangs for the buck! Today a compact workgroup switch that supports transparent bridging such as those from D-Link, 3Com, Netgear and others can be obtained for well under $100.</p>
 
<h4>Unmanaged Vs Managed <br /></h4>
 
<p>Switches that support transparent bridging can be of the managed or unmanaged varieties. The big difference; apart from the cost that is, is that unmanaged switches are a lot more user friendly than the managed variety.</p>
 
<h3>Improved Network Performance</h3>
 
<p>LAN segmentation using transparent bridges reduces the size of the network's collision domain(s) because it turns large collision domain(s) into a number of smaller collision domains with fewer machines per collision domain (LAN segment).</p>
 
<h4>Fewer Collisions <br /></h4>
 
<p>Reducing the number and frequency of collisions improves the network's data transfer speed and efficiency</p>
 
<h4>Reduced Competition</h4>
 
<p>Improved data transfer rates and shorter wait states because fewer machines per segment means less competition for the finite available transmission bandwidth</p>
 
<h3>More Effective Bandwidth Allocation</h3>
 
<h4>Improved Effective Available Network Bandwidth</h4>
 
<p>Fewer nodes per segment means each node effectively gets a greater &ldquo;share&rdquo; of the available bandwidth.</p>
 
<h4>Maximizing Returns <br /></h4>
 
<p>Since the available network bandwidth is a finite resource, any measures that improve this aspect will have the greatest noticeable effect on the largest number of devices both individually and as a &ldquo;collective&rdquo;.</p>
 
<h3>More Responsive Network from the Users Perspective</h3>
 
<h4>Improved Network Responsiveness <br /></h4>
 
<p>Segmentation of large collision domains into a number of smaller collision domains will result in users noticing an increase in the responsiveness of the network in terms of a reduction in the amount of time that their computer takes to gain access to the transmission media in order to transmit the job that the user has requested.</p>
 
<h4>Faster Transmissions <br /></h4>
 
<p>Users will also see an overall improvement in the time taken to complete a data transmission or data reception task.</p>
 
<h4>Shared Internet Services Improved <br /></h4>
 
<p>Internet searches; for instance, will be done in shorter periods of time than was the case prior to the segmentation.</p>
 
<h3>Reduced Network Congestion</h3>
 
<p>Transparent bridging can greatly reduce network congestion &amp; bottlenecks. Only traffic that belongs on a segment will be placed onto that segment by a device implementing transparent bridging. How transparent bridging works its magic is a topic that will be discussed in a future article of the CCNA Summary Series.</p>
 
<h3>Greatly Reduced Administrative Overheads</h3>
 
<h4>Reduced Installation Time <br /></h4>
 
<p>Because of the plug "n" play nature of transparent bridges administrators will spend far less time in installing this type of bridge or a switch.</p>
 
<h4>Switches and Transparent Bridging <br /></h4>
 
<p>Most switches today support transparent bridging. The main difference between these switches and the traditional transparent bridge is in port density. Switches have massively higher port densities than traditional transparent bridges. It's all a matter of evolution.</p>
 
<h4>Smaller Footprint</h4>
 
<p>With higher port densities a modern switch that supports transparent bridging will occupy less physical space and so is ideal for use in workgroup out-of-the-closet scenarios.</p>]]></description>
<pubDate>Wed, 23 Apr 2008 17:13:49 PST</pubDate></item>
<item>
<title>Internal Switching Methods</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Internal-Switching-Methods.113123</link>
<description>
<![CDATA[<p>This is the second in a series of articles that I am writing concerning networking, protocols and CCNA exam content topics. Today we are going to be investigating switches and switching methods. To be more precise the internal Layer 2 switching methods that Layer 2 and above switches use to produce their magic.</p>
 
<h3>Guess what?</h3>
 
<p>Today's topic: internal switching methods, is one that you <strong>must</strong> know. This is not optional; rather it is mandatory, and you can bet your bottom dollar that there will be questions on the CCNA exam that are directly related to and based upon your knowledge and understanding of these internal switching methods and concepts.</p>
 
<h3>Network Foundations</h3>
 
<p>Internal switching methods are the foundation upon which modern networks are based. This includes: businesses, large and small, home networks, government and educational institutions to name but a few. What's more they apply equally to both the managed (Cisco&reg;, Netgear&reg; etc.) and the unmanaged (D-Link&reg;, 3Com&reg; etc.) varieties of modern switches.</p>
 
<h3>New Class of Networking Devices and Technologies</h3>
 
<p>If you head on over to Cisco's&reg; website and check out Cisco's switching and routing products roadmaps you will see that a new type (class/category) of network, networking and internetworking device is now in full production and has already been implemented into production environment networks.</p>
 
<p>These new types of networking devices are based on what Cisco&reg; likes to call a &ldquo;switch/switching fabric&rdquo;. There is little doubt that in the not too distant future we will be seeing the Cisco&reg; switching fabric being incorporated into nearly all, if not all, members of Cisco's hardware products range. It has already been integrated into their new Catalyst&trade; and Catalyst Express&trade; series of switches.</p>
 
<h3>Internal Switching Methods</h3>
 
<p>The three main methods of internal switching used in production environment switches today are; in order of increasing latency:</p>
 <ol> 
<li> <strong>Cut-Through  (Fast Forward)</strong> 
<ul>
<li> When in Cut-Through mode the switch waits for the destination Media Access Control (MAC) Address (also referred to as the hardware address) to be received</li>
 
<li> It then looks up the destination MAC Address in its MAC filter table</li>
 
<li> Once the switch knows which port to forward the frame through it does so (even before the entire frame has arrived)</li>
 
<li> Cisco&reg; sometimes calls this the Fast Forward method </li>
 
</ul>
</li>
 
<li> <strong>Fragment Free (Modified Cut-Through)</strong> 
<ul>
<li> Fragment Free is the default mode used by Cisco&reg; Catalyst&reg; 1900 series switches</li>
 
<li> It is also referred to as <strong>modified cut-through</strong></li>
 
<li> When in Fragment Free mode the switch will check the first 64 bytes of a frame for fragmentation. The vast bulk of errors occur within the first 64 bytes.</li>
 
<li> Frame fragments known as runts are created as a result of collisions</li>
 
<li> If a runt is detected the switch will drop the frame</li>
 
<li> If all is well and there is no fragmentation the switch will then look up the destination MAC Address in its MAC filter table</li>
 
<li> Once the switch knows which port it should forward the frame through it does so </li>
 
</ul>
</li>
 
<li> <strong>Store-and-Forward</strong> 
<ul>
<li> When in Store-and-Forward mode the switch will store the incoming data frame in its internal buffer</li>
 
<li> Once the complete frame has been received and stored to buffer the switch will run a Cyclic Redundancy Check (CRC) against the frame</li>
 
<li> If the CRC passes the switch will then look up the destination MAC Address in its MAC filter table</li>
 
<li> Once the switch knows which port to forward the frame through it does so </li>
 
</ul>
</li>
 </ol> 
<h3>Runts and Other Frame Corruption</h3>
 
<p>Runts are the by-products of collisions. Simply checking the frame for fragmentation before forwarding it greatly reduces the number of runts being propagated throughout the network.</p>
 
<p>Remember that the vast majority of errors occur in the first 64 bytes of the frame. Checking this part of a frame (the first 64 bytes) allows the switch to detect and drop the majority of corrupted frames while doing as little work as possible. This is known as working &ldquo;smarter&rdquo;.</p>
 
<p>Reducing the number of runts and frames with other errors that are placed on the network's transmission media can improve network performance considerably. This is simply because we are not transporting runts or other corrupted frames that will be automatically rejected immediately the corruption is detected by the intended recipient.</p>
 
<p>The recipient bases this decision to drop the frame on the grounds that errors have occurred and/or these frames (the runts) are incomplete and so untrustworthy. Thus the intended recipient will automatically drop these frames.</p>
 
<p>So, if only for reasons of efficiency and improved network bandwidth, we may as well just drop them at the switch level because their eventual dropping is inevitable. In some instances this is the end of the line.</p>
 
<p>Once the device that requested the information in the first place becomes aware that the frame never got through, it will issue a request for the remote device to retransmit that frame.</p>
 
<p>On the other hand if the remote device does not receive an acknowledgement from the requesting machine informing the remote machine that all parts of the conversation were satisfactorily received the remote machine will assume that something happened to the frame in transit.</p>
 
<p>And so it will then automatically retransmit any frames for which it has not received an acknowledgement of receipt. These transmissions, retransmission requests and transmission control are the realm of the Transmission Control Protocol (TCP) if we are using the TCP/IP protocol stack.</p>
 
<p>I will be covering TCP/IP in another article. So until we meet again in a future edition of The CCNA Summary Series enjoy!!!</p>]]></description>
<pubDate>Wed, 23 Apr 2008 03:54:29 PST</pubDate></item>
<item>
<title>Physical Security 4</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Physical-Security-4.111842</link>
<description>
<![CDATA[<p>So far we have covered physical presence intrusion, detection, monitoring, surveillance, logging and privacy issues all of which are primarily concerned with physical human presence criteria and were looked at from the human perspective. By this I mean security from the point-of-view of humans being the object of our attention.</p>
 
<h3>Changing Focal Perspective</h3>
 
<p>Today we are going to change track and begin discussing physical security matters that are primarily concerned with assets, devices and infrastructure presence, location and placement. We will identify how to plan and implement strategies that will reduce our exposure to potential threats.</p>
 
<p>Factors such as the &ldquo;best&rdquo; location and placement of assets, devices and infrastructure will therefore be uppermost in our minds. Selecting the ideal location in which to place assets is crucial in ensuring that we get the most out of our asset dollars in terms of:</p>
 
<h4>Services <br /></h4>
 
<p>The performance, availability, range, responsiveness and reliability of available services delivered</p>
 
<h4>Quality</h4>
 
<p>The quality of both the service delivered and the user experience</p>
 
<h4>Efficiency <br /></h4>
 
<p>Increasing efficiency through selective optimisation targeted towards reducing the amount of administrative time required to administer and maintain our systems in order for them to be able to deliver the services and functionalities for which they were designed and implemented into the production environment to deliver.</p>
 
<h4>Economy</h4>
 
<p>Reducing downtime and maximising the practical working functional life of our assets is also a premium consideration here.</p>
 
<h4>Health</h4>
 
<p>It is up to you to do all of the thinking when it comes to the health of your organisation's hardware. Placing devices in tight, cramped, poorly ventilated hallway closets may be a space saving wonder but it will cost you dearly in the end.</p>
 
<h4>Planning Asset Security <br /></h4>
 
<p>When it comes to the physical security of assets (I am referring to hardware and software as opposed to humans) many of the elements that need to be taken into consideration need to be analysed and planned long before the actual implementation takes place.</p>
 
<h4>Doing the Thinking <br /></h4>
 
<p>With assets one of the highest priority factors that we must always bear in mind is that; unlike the case with human-related physical security thinking, asset-related physical security thinking requires us to do all of the thinking.</p>
 
<p>Your router does not usually say things like &ldquo;I think it would be best if you installed me in the server room rather than this unmonitored publicly accessible hallway bookcase&rdquo;. Well not to me at least.</p>
 
<p>In the case of our assets we can be comfortable in the knowledge that they don't think or behave for themselves or on behalf of themselves, which is very much the opposite with humans. Although some of the programs that many network devices run these days do make it look a lot like the machine is thinking, in reality the thinking was done in advance by the software design, production and programming teams.</p>
 
<h4>Predictability</h4>
 
<p>On the one hand this is good as it allows us to make predictive assessments with a high degree of accuracy. The Cisco&reg; router and Cisco&reg; Catalyst&trade; switch that you just bolted into rack 15, slots 8 and 11 will remain in rack 15, slots 8 and 11, until someone does something to change this state of affairs.</p>
 
<p>Hypothetical Scenario Case Study One - Let us consider the following scenario: somebody changes the labels on the racks for whatever reason; perhaps they accidentally dislodged some of the rack labels while poking around looking for their security clearance smart card which had snagged on the corners of one of the racks. This is a topic we will be discussing, along with what to do about it, when we get to labeling and physical label issues shortly.</p>
 
<p>Anyway, the rack labels have been altered unknown to anyone else, including you: rack 15 is now rack 19 and rack 8 is now rack 15. Time goes by and the whole affair is not thought of any more.</p>
 
<p>Then Bob in the clerical department is given a promotion and is now in charge of the clerical and administrative functionalities of the retail sales division. It is important that Bob is able to relocate quickly and efficiently from the 6th floor to the 2nd floor. For reasons not explained to you Bob and his computers along with his VoIP facilities are to be relocated en masse.</p>
 
<p>You send one of the junior network staff members off to oversee the big move and give him specific instructions to make sure that Bob is fully aware that all is under control. All required equipment will be disconnected and packaged correctly for the move. The junior IT guy has his checklists and follows procedure to the letter as you know he will. Life is really great at this point.</p>
 
<p>You have also checked the new location and the junior will record the necessary information on his checklist as he reinstalls and reconnects the equipment at its new home. These will include the wall socket codes for the LAN connections etc.</p>
 
<p>The good bit is that you have already segmented your network using Virtual Local Area Networks (VLAN) some time ago. This gave you greater network bandwidth usage and efficiency. It was also a good idea when installing the VoIP components since VoIP needs to be on a separate VLAN to the rest of your IT assets if only for reasons of network efficiency.</p>
 
<p>This VLAN scheme now seems even better since all you will need to do in order to connect Bob up to the network at his new location is to make some changes in VLAN membership relating to his particular situation which your junior will be arriving back with shortly and leave everything else as is. The world is a truly wonderful place you think to yourself.</p>
 
<p>This VLAN idea and the greater degree of flexibility it has given you just keeps on getting better by the moment. Implementing a VLAN infrastructure is most definitely one of the better decisions that you have made since taking over the network.</p>
 
<p>Virtual Local Area Networks (VLAN) and Physical Security - Using a carefully crafted VLAN structure and hierarchy can be a great way to fuse both the physical and logical elements of security while serving the higher ideals of improved network performance, service availability and authenticity, and reducing the exposure of our network, and of all those who use it, to the many and varied security risks and threats, with the least amount of required input from the network's general authorised user population.</p>
 
<p>In summary the principles that we are discussing here are:</p>
 
<ul>
<li> The truly complex nature of modern networks from a security stand-point</li>
 
<li> How application of the concept of security-in-depth merges the physical and the logical at multiple points</li>
 
<li> How the basics of physical security when carefully constructed play a major role in preventing many of the accidental and incidental issues that will invariably arise in any network</li>
 
<li> How physical security elements can be useful for troubleshooting</li>
 
<li> How a strong foundation allows you to get to the true cause of an issue in the most efficient and speediest of manners</li>
 
<li> How security systems should avoid any single points of failure that an attacker might exploit </li>
 
</ul>
<p>Part 6 of the IT Security Guide will continue with Part 5 of the Physical Security Guide series and we will be introducing the following topics and concepts also from the asset/machine/infrastructure perspective while not forgetting the human element or the principles of security-in-depth:</p>
 
<ul>
<li> Naming Conventions, Labeling, Checklists and Label and Checklist System(s) Security</li>
 
<li> Drilling, Rehearsal, Role Playing Scenarios and Proof-of-Concept Implementations</li>
 
<li> Surviving an Audit and Surviving Users</li>
 
<li> The Physically Static Nature of Core Network Infrastructure Components</li>
 
<li> Physical Location and Placement of Wiring Closets, Infrastructure Cabling and Cabling in General</li>
 
<li> Mission Critical Systems, Rack Mounted Systems and Servers </li>
 
</ul>
<p>So until next time enjoy!</p>]]></description>
<pubDate>Sun, 20 Apr 2008 19:01:18 PST</pubDate></item>
<item>
<title>Top Five Resources for CCNA Test Takers</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Top-Five-Resources-for-CCNA-Test-Takers.89773</link>
<description>
<![CDATA[<p>The Cisco Certified Network Associate (CCNA) exam can be a challenging exam especially for those new to the field of networking. With the right resources, however, you stand a better chance to pass the first time.</p>
 
<p>In no particular order, the following resources are arguably the most useful in preparation to take the CCNA exam:</p>
 
<h3>CCNA Exam topics list</h3>
 
<p>This list should be the starting point for any serious candidate. It lists all the relevant topics that will possibly be tested on the exam. These guidelines are extremely useful during one's preparation. A few months ago when the new CCNA exam was rolled out (640-802) the list was updated to provide slightly more detail in the objectives - take advantage of that and KNOW all those topic areas without exception.  Neglect that and the probability of passing begins to drop exponentially. The list can be found <a href="http://www.cisco.com/web/learning/le3/current_exams/640-802.html" target="_blank">here</a>, at the Cisco website.</p>
 
<h3>Network Simulator or the Real Deal</h3>
 
<p>The exam has simulation questions. Expect a couple of questions that require you to type in command line interface (CLI) directives to perform a task e.g. configure EIGRP on a set of routers. For practice you need to get a simulator such as Boson's <a href="http://www.boson.com/Product/CIS-NS-640802-01.html" target="_blank">NetSim for CCNA</a> or RouterSim's <a href="http://www.routersim.com/CCNA6_Home.html" target="_blank">CCNA NetVisualizer</a>. Those will probably cost you some change, but are worth it if you get to use them. Of course the Real Deal is having an actual router or switch then the experience gets as real as can be. Some have scored great deals on CCNA racks from EBay or Amazon. There's a free router simulator, <a href="http://www.ipflow.utc.fr/index.php/Cisco_7200_Simulator" target="_blank">Dynamips</a> that supports the Cisco 7200, 3600 series, 3700 series and 2600 series. There is a learning curve to this though but once you get the hang of it, you'll realize how useful and cost-effective (free!) it is.</p>
 
<h3>CCNA Study Guide by Todd Lammle (Sybex)</h3>
 
<p>Many people have found that this book is easier to read than many other tech books because of the casual manner in which it is written. I've read an earlier edition of this book and found this to be so. The content covers the objectives for the exam well. Practice tests are also included, so take advantage of them; the same concept tested may show up in the actual test. Amazon.com is a great place to get this title from.</p>
 
<h3>CCNA Official Exam Certification Library by Wendell Odom (Cisco Press)</h3>
 
<p>Wendell Odom has a great deal of experience in the networking industry and it shows in the level of depth in technical content his books have. This book is no exception. In fact I consider most of his books not just written for the exam but for the workplace too (indeed, I've kept most of mine). Use the simulation tests offered to hone those configuration skills. Again, Amazon.com is a good place to check out for this book.</p>
 
<h3>CCNA Forums</h3>
 
<p>Go register at the <a href="http://forums.cisco.com/eforum/servlet/PrepCenter?page=main" target="_blank">CCNA Prep Center</a>; there's a ton of resources to peruse. Also head over to <a href="/www.groupstudy.com" target="_blank">Group Study</a>; there are plenty of people in the same boat as you, either taking the exam or technically competent to answer your questions. Be certain to read the forum guidelines first before you post, else you may suffer the wrath of other forum members or get banned by the webmaster altogether. There are a lot of other forums out there; find your fit.</p>
 
<h3>Extra mile:</h3>
 
<p>Still have that nudging question or missing piece in the puzzle that just isn't adequately covered in the study guide? Or your thirst for deeper technical knowledge surpasses what the book has to offer? Well, you're in luck because <a href="http://www.cisco.com/univercd/home/home.htm" target="_blank">Cisco Documentation</a> at the Cisco.com site has all that and more. It's a treasure trove. This is the same (and only allowed) documentation set used when taking the CCIE lab. Initially, navigation through the site may take a little getting used to.</p>
 
<h3>Last Word:</h3>
 
<p>Need motivation to carry you through your studying? Register for the exam! Some of us work better with deadlines set. Register early, weeks in advance. Once you pay, you'll get motivated to study.</p>]]></description>
<pubDate>Wed, 05 Mar 2008 07:22:26 PST</pubDate></item>
<item>
<title>Virtual Routers for CCNA Candidates</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Virtual-Routers-for-CCNA-Candidates.67909</link>
<description>
<![CDATA[<p>An important part of preparing for the CCNA certification is spending time in the Cisco IOS practicing commands. Anyone who is interested in becoming certified will need access to the Cisco IOS.  If you are lucky enough to have access at work you will not want to practice on the production network or your career could end quickly.  So what's a guy to do? Buy several routers?</p>
 
 <p>I received my CCNA certification nearly ten years ago.  When I was studying for it, I did not have a job that allowed me access to Cisco routers and there were no real virtual router applications available, so I bought two routers off of eBay including a token ring router.  Without those routers to practice on, certification would have been a lot more difficult, if not impossible.  My solution was expensive and I was left with two routers I had no use for after the test. Is there a better solution?</p>
 
 <p>Yes. Today's CCNA candidates have many online and offline virtual router labs available for use.  Virtual routers offer students the ability to experiment with the IOS without having to worry about shutting down a network, or spending a fortune.  Let's take a look at some of the products available.</p>
 
 <h3>Sem Sim Router Simulator</h3>
 <p><a target="_blank" href="http://www.SemSim.com">Sem Sim</a> offers an inexpensive simulator designed specifically for exams 640-801, 640-607, 640-811, and 641-821. Sem Sim's virtual router offers a Cisco IOS simulator with support for over 200 IOS commands. Additionally, Sem Sim's router simulator offers users more than 30 tutorials designed to help you pass the certification exams. Sem Sim also offers 6 different practical router simulation scenarios to help gauge your knowledge and proficiency with routing concepts. A test mode is available that provides a skill assessment and a detailed study plan to speed up study times and improve test scores. Additionally, Sem Sim gives you 70 plus flash card based CCNA practice questions that help build your knowledge of the IOS commands.</p>
 
 <h3>V-Lab</h3>
 <p><a target="_blank" href="http://www.vlab-training.com">V-Lab</a> offers a free online router lab simulation tool. The tool is not as full-featured as some others, but it is free. Additionally, you will need to schedule lab time, so access is not always available. V-Lab does, however, offer several great resources for learning, including several very well documented scenarios. V-Lab is certainly worth a try just to get a feel for working in the IOS and learning some basic commands.</p>
 
 <h3>Sybex CCNA Virtual Lab, Titanium Edition</h3>
 
 <p>If you want a more structured lab experience, Sybex's CCNA Virtual Lab, Titanium Edition is your tool. The book and software combination provides users with a tool that can create a simulated lab of up to four switches, three routers, and six hosts. The book contains a very thorough list of exercises to follow, or you can just experiment with the lab. The virtual lab offers access to configuration consoles for network devices, including Cisco 2621 routers and 1900, 2950, and 3550 Cisco switches, and boasts an impressive 470 Cisco commands. There is also a great tool for testing your newly acquired skills called Net Assessment. Net Assessment, a tool for generating and evaluating problem-solving scenarios, can create scenarios for you to troubleshoot.</p>
 
 <h3>NetSim® - Network Simulation Software</h3>
 <p><a target="_blank" href="http://www.Boson.com">Boson</a> offers a router simulator, NetSim. NetSim comes in two different certification-focused versions: NetSim for CCNA 7.0 Preview and NetSim for CCNP 7.0. NetSim for CCNA 7.0 Preview offers users a Network Designer tool that supports 47 different router and switch types and as many as 200 devices per network. NetSim's Virtual Packet Technology provides software-created packets that are routed and switched through the simulated network. With NetSim you can populate the WAN slots in the virtual routers with a broad range of Network Modules. It also allows you to configure your own ISDN and Frame Relay switch mappings and supports IPv6 addressing. You will also find CCNA-specific lab exercises that cover the skill set you will need to prepare for the CCNA exam.</p>
 
 <h3>CertExams.com - Network Simulator with Designer</h3>
 <p>CertExams.com offers free router lab software. The Network Simulator with Designer provides users with a drag and drop feature for inserting devices and connectors into their virtual network.  Simulations for Cisco IOS routers (2501/2503) or switches (1900, 2950) are included in the package.  Additionally the Network Simulator offers support for short form commands so you can type short form commands in the IOS simulator just as you can in the actual router and/or switch. Laboratory exercises are included for many CCNA test functions. </p>
 
 <h3>MIMIC Virtual Lab CCNA</h3>
 <p>The 600 pound gorilla in the Virtual Router market is MIMIC. MIMIC's Virtual Lab software is used by many companies for testing and planning difficult network environments.  It is even said Cisco uses it for development.  MIMIC offers several products and we will look at the product geared towards CCNA certification preparation, MIMIC Virtual Lab CCNA. </p>
 

<p>MIMIC Virtual Lab CCNA comes in two versions: MIMIC Virtual Lab CCNA and MIMIC Virtual Lab CCNA Plus. Both products share the following features:</p>


 
 
<ul><li>Ability to build a network of 7 devices</li><li>
 Simulation of various Cisco Routers (2620, 3640 and 7206)</li><li>
 Simulation of various Cisco Switches (2950, 3550 (2) and 6500)</li><li>
 A robust set of IOS commands</li><li>
 The ability to simulate LAN, WAN, ISDN and serial links</li><li>
 Reconfigure the lab any way you like</li><li>
 Support for the following protocols
<ul> <li>Telnet</li><li> Cisco IOS</li><li> SNMPv1</li><li> SNMPv2</li><li> SNMPv3</li><li> TFTP</li><li> SYSLOG</li></ul>
</li></ul>

 
 <p>There is also a wealth of tutorials included in both versions to help you get certified.</p>
 
 <p>The Plus version is a fully networked virtual lab and also offers the following features:</p>
 
<ul><li>Fully connected to your network</li><li>
 SNMP support</li><li>
 SYSLOG support</li><li>
 You can Telnet into any device from any remote machine.</li><li>
 You can discover and manage the lab devices using Cisco Network Management applications such as CiscoWorks, CiscoWorks 2000, CiscoView and CEMF (CDM, GSR Manager).</li><li>
 All the changes made using IOS are visible via management applications.</li></ul>
 
 <p>Each of these tools can help you get certified. Whether you choose a free tool or the 600 pound gorilla, you will need practice with the IOS to get certified and a virtual lab is much cheaper than buying several routers.  Almost all of these tools have free demos available, so give each one a spin and choose the tool that is right for you. </p>]]></description>
<pubDate>Thu, 20 Dec 2007 09:59:00 PST</pubDate></item>
</channel>
</rss>
