Document Text Contents
Page 1
Prepared by: Javed Ahmad Dogar (PUCIT) Page 1
1
Network Management and Administration
Course Goal:
To train network administrators on the techniques to plan, implement,
administer and monitor a scalable network.”
Overview
The convergence of voice, video, and data has not only changed the conceptual
network models but has also affected the way that networks support services and
applications.
This module describes Cisco conceptual models and architectures for converged
networks.
Objectives
Upon completing this module, you will be able to describe the converged
network requirements of various network and networked applications within the Cisco
network architectures.
The PDF files and any printed representation for this material are the property of Cisco
Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed
representations may not be used in commercial training, and may not be distributed for
purposes other than individual self‐study.
Additional References
This topic presents the Cisco icons and symbols used in this course, as well as
information on where to find additional technical references.
Page 2
Prepared by: Javed Ahmad Dogar (PUCIT) Page 2
2
Network Requirements
Overview
The convergence of voice, video, and data has not only changed the conceptual
network models but has also affected the way that networks support services and
applications. This module describes conceptual models and architectures for converged
networks.
Module Objectives
Upon completing this module, you will be able to describe the converged
network requirements of various network and networked applications within the
network architectures.
Cisco Network Models
This topic describes Cisco network models, starting with the Cisco Enterprise
Architectures and their mapping to traditional three‐layer hierarchical network model.
Page 5
Prepared by: Javed Ahmad Dogar (PUCIT) Page 5
5
Distribution layer: This layer aggregates the wiring closets and uses switches to
segment workgroups and isolate network problems in a campus environment.
Similarly, the distribution layer aggregates WAN connection at the edge of the
campus and provides policy‐based connectivity.
Core layer (also referred to as the backbone): This layer is a high‐speed
backbone and is designed to switch packets as fast as possible. Because the core
is critical for connectivity, it must provide a high level of availability and adapt to
changes very quickly.
Hierarchical Campus Model
Hierarchical Network Model WAN
Page 6
Prepared by: Javed Ahmad Dogar (PUCIT) Page 6
6
Cisco SONA and IIN
Intelligent Information Network (IIN) and the Service-Oriented Network Architecture (SONA)
Cisco is helping organizations to address new IT challenges, such as the deployment of
service oriented architectures, web services, and virtualization. Cisco SONA is an
architectural framework that guides the evolution of enterprise networks to an IIN. The
Cisco SONA framework provides several advantages to enterprises:
Outlines the path toward the IIN
Illustrates how to build integrated systems across a fully converged IIN
Improves flexibility and increases efficiency, which results in optimized
applications, processes, and resources
Cisco SONA uses the extensive product line services, proven architectures, and
experience of Cisco and its partners to help enterprises achieve their business goals.
The Cisco SONA framework shows how integrated systems can both allow a dynamic,
flexible architecture and provide for operational efficiency through standardization and
virtualization. It centers on the concept that the network is the common element that
connects and enables all components of the IT infrastructure. Cisco SONA outlines these
three layers of the IIN:
Networked infrastructure layer: This layer is where all of the IT resources are
interconnected across a converged network foundation. The IT resources include
servers, storage, and clients. The network infrastructure layer represents how
these resources exist in different places in the network, including the campus,
branch, data center, WAN and MAN, and teleworker. The objective for customers
in this layer is to have “anywhere and anytime” connectivity.
Page 10
Prepared by: Javed Ahmad Dogar (PUCIT) Page 10
10
Electrical threats: Threats such as voltage spike, insufficient supply voltage
(brownouts), unconditioned power (noise), and total power loss
Maintenance threats: Threats such as poor handling of key electronic
components (electrostatic discharge), lack of critical spare parts, poor cabling,
and poor labeling
Configuring Password Security
The command‐line interface (CLI) is used to configure the password and other
console commands. Examples 2‐4, 2‐5, 2‐6, and 2‐7 show the various passwords
to be configured on a switch.
Example 24 Switch Password Configuration: Console Password Configuration
SwitchX(config)# line console 0
SwitchX(configline)# login
SwitchX(configline)# password cisco
Example 2‐5 Switch Password Configuration: Virtual Terminal (Telnet) Password
Configuration
SwitchX(config)# line vty 0 4
SwitchX(configline)# login
SwitchX(configline)# password pucit
You can secure a switch by using passwords to restrict various levels of access.
Using passwords and assigning privilege levels are simple ways of providing both local
and remote terminal access control in a network. Passwords can be established on
individual lines, such as the console, and to the privileged EXEC (enable) mode.
Passwords are case sensitive.
Each Telnet (VTY) port on the switch is known as a virtual type terminal (vty). By
default there are five VTY ports on the switch, allowing five concurrent Telnet sessions,
noting that other Cisco devices might have more than five logical VTY ports. The five
total VTY ports are numbered from 0 through 4 and are referred to all at once as line vty
0 4 (notice the space between 0 and 4). By syntax, this would include the range from 0
to 4, so it includes all five logical VTY ports, 0–4.
Use the line console 0 commands, followed by the password and login subcommands, to
require login and establish a login password on the console terminal or on a VTY port.
By default, login is not enabled on the console or on VTY ports.
Note that you cannot establish a Telnet connection unless you first set all the vty
passwords.
If there are no vty passwords set, when you try to telnet in, you get a “password
required
. . . but none set . . .” error message, and your attempt to telnet is rejected.
The line vty 0 4 command, followed by the password and login subcommands,
requires login and establishes a login password on incoming Telnet sessions.
Again, for Telnet VTY ports to accept a Telnet EXEC session, you must set the vty
passwords.
The login local command can be used to enable password checking on a per‐user basis
using the username and password specified with the username global configuration
command. The username command establishes username authentication with
encrypted passwords.
Example 2‐6 Switch Password Configuration: Enable Password Configuration
SwitchX(config)# enable password cisco
Example 2‐7 Switch Password Configuration: Secret Password Configuration
SwitchX(config)# enable secret pucit
CAUTION The passwords used in this text are for instructional purposes only.
Passwords used in an actual implementation should meet the requirements of a
“strong” and “complex” password.
Page 11
Prepared by: Javed Ahmad Dogar (PUCIT) Page 11
11
The enable password global command restricts access to the privileged EXEC (enable)
mode. You can assign an encrypted form of the enable password, called the enable
secret password, by entering the enable secret command with the desired password at
the global configuration mode prompt. If the enable secret password is configured, it is
used (and required) instead of the enable password, not in addition to it. To set
password encryption, enter the service passwordencryption command in global
configuration mode.
Passwords that are displayed or set after you configure the service password
encryption command will be encrypted in the output. This includes the encrypting of
the passwords that might otherwise be displayed in plain text on the screen in the
terminal output of a show command, such as show run.
To disable a command, enter no before the command. For example, use the no service
passwordencryption command to disable the servicepassword encryption
command:
SwitchX(config)# service passwordencryption
SwitchX(config)# no service passwordencryption
Configuring the Login Banner
The CLI is used to configure the “message of the day” and other console commands. This
banner can be used to warn others that they have accessed a secure device and that
they might be monitored.
You can define a customized banner to be displayed before the username and password
login prompts by using the banner command in global configuration mode. To disable
the login banner, use the no form of this command.
When the banner command is entered, follow the command
Example: Switch(config)#banner motd "Authorized User Can Access it"
Summary of Understanding Switch Security
The key points that were discussed in the previous sections are as follows:
User and Privileged Passwords can be used to restrict access levels to users that
have different access needs for the device. The first level of security is physical.
The login banner can be used to display a message before the user is prompted
for a username.
Port security can be used to limit a MAC address to a port. Unused ports should
be shut down.
Prepared by: Javed Ahmad Dogar (PUCIT) Page 1
1
Network Management and Administration
Course Goal:
To train network administrators on the techniques to plan, implement,
administer and monitor a scalable network.”
Overview
The convergence of voice, video, and data has not only changed the conceptual
network models but has also affected the way that networks support services and
applications.
This module describes Cisco conceptual models and architectures for converged
networks.
Objectives
Upon completing this module, you will be able to describe the converged
network requirements of various network and networked applications within the Cisco
network architectures.
The PDF files and any printed representation for this material are the property of Cisco
Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed
representations may not be used in commercial training, and may not be distributed for
purposes other than individual self‐study.
Additional References
This topic presents the Cisco icons and symbols used in this course, as well as
information on where to find additional technical references.
Page 2
Prepared by: Javed Ahmad Dogar (PUCIT) Page 2
2
Network Requirements
Overview
The convergence of voice, video, and data has not only changed the conceptual
network models but has also affected the way that networks support services and
applications. This module describes conceptual models and architectures for converged
networks.
Module Objectives
Upon completing this module, you will be able to describe the converged
network requirements of various network and networked applications within the
network architectures.
Cisco Network Models
This topic describes Cisco network models, starting with the Cisco Enterprise
Architectures and their mapping to traditional three‐layer hierarchical network model.
Page 5
Prepared by: Javed Ahmad Dogar (PUCIT) Page 5
5
Distribution layer: This layer aggregates the wiring closets and uses switches to
segment workgroups and isolate network problems in a campus environment.
Similarly, the distribution layer aggregates WAN connection at the edge of the
campus and provides policy‐based connectivity.
Core layer (also referred to as the backbone): This layer is a high‐speed
backbone and is designed to switch packets as fast as possible. Because the core
is critical for connectivity, it must provide a high level of availability and adapt to
changes very quickly.
Hierarchical Campus Model
Hierarchical Network Model WAN
Page 6
Prepared by: Javed Ahmad Dogar (PUCIT) Page 6
6
Cisco SONA and IIN
Intelligent Information Network (IIN) and the Service-Oriented Network Architecture (SONA)
Cisco is helping organizations to address new IT challenges, such as the deployment of
service oriented architectures, web services, and virtualization. Cisco SONA is an
architectural framework that guides the evolution of enterprise networks to an IIN. The
Cisco SONA framework provides several advantages to enterprises:
Outlines the path toward the IIN
Illustrates how to build integrated systems across a fully converged IIN
Improves flexibility and increases efficiency, which results in optimized
applications, processes, and resources
Cisco SONA uses the extensive product line services, proven architectures, and
experience of Cisco and its partners to help enterprises achieve their business goals.
The Cisco SONA framework shows how integrated systems can both allow a dynamic,
flexible architecture and provide for operational efficiency through standardization and
virtualization. It centers on the concept that the network is the common element that
connects and enables all components of the IT infrastructure. Cisco SONA outlines these
three layers of the IIN:
Networked infrastructure layer: This layer is where all of the IT resources are
interconnected across a converged network foundation. The IT resources include
servers, storage, and clients. The network infrastructure layer represents how
these resources exist in different places in the network, including the campus,
branch, data center, WAN and MAN, and teleworker. The objective for customers
in this layer is to have “anywhere and anytime” connectivity.
Page 10
Prepared by: Javed Ahmad Dogar (PUCIT) Page 10
10
Electrical threats: Threats such as voltage spike, insufficient supply voltage
(brownouts), unconditioned power (noise), and total power loss
Maintenance threats: Threats such as poor handling of key electronic
components (electrostatic discharge), lack of critical spare parts, poor cabling,
and poor labeling
Configuring Password Security
The command‐line interface (CLI) is used to configure the password and other
console commands. Examples 2‐4, 2‐5, 2‐6, and 2‐7 show the various passwords
to be configured on a switch.
Example 24 Switch Password Configuration: Console Password Configuration
SwitchX(config)# line console 0
SwitchX(configline)# login
SwitchX(configline)# password cisco
Example 2‐5 Switch Password Configuration: Virtual Terminal (Telnet) Password
Configuration
SwitchX(config)# line vty 0 4
SwitchX(configline)# login
SwitchX(configline)# password pucit
You can secure a switch by using passwords to restrict various levels of access.
Using passwords and assigning privilege levels are simple ways of providing both local
and remote terminal access control in a network. Passwords can be established on
individual lines, such as the console, and to the privileged EXEC (enable) mode.
Passwords are case sensitive.
Each Telnet (VTY) port on the switch is known as a virtual type terminal (vty). By
default there are five VTY ports on the switch, allowing five concurrent Telnet sessions,
noting that other Cisco devices might have more than five logical VTY ports. The five
total VTY ports are numbered from 0 through 4 and are referred to all at once as line vty
0 4 (notice the space between 0 and 4). By syntax, this would include the range from 0
to 4, so it includes all five logical VTY ports, 0–4.
Use the line console 0 commands, followed by the password and login subcommands, to
require login and establish a login password on the console terminal or on a VTY port.
By default, login is not enabled on the console or on VTY ports.
Note that you cannot establish a Telnet connection unless you first set all the vty
passwords.
If there are no vty passwords set, when you try to telnet in, you get a “password
required
. . . but none set . . .” error message, and your attempt to telnet is rejected.
The line vty 0 4 command, followed by the password and login subcommands,
requires login and establishes a login password on incoming Telnet sessions.
Again, for Telnet VTY ports to accept a Telnet EXEC session, you must set the vty
passwords.
The login local command can be used to enable password checking on a per‐user basis
using the username and password specified with the username global configuration
command. The username command establishes username authentication with
encrypted passwords.
Example 2‐6 Switch Password Configuration: Enable Password Configuration
SwitchX(config)# enable password cisco
Example 2‐7 Switch Password Configuration: Secret Password Configuration
SwitchX(config)# enable secret pucit
CAUTION The passwords used in this text are for instructional purposes only.
Passwords used in an actual implementation should meet the requirements of a
“strong” and “complex” password.
Page 11
Prepared by: Javed Ahmad Dogar (PUCIT) Page 11
11
The enable password global command restricts access to the privileged EXEC (enable)
mode. You can assign an encrypted form of the enable password, called the enable
secret password, by entering the enable secret command with the desired password at
the global configuration mode prompt. If the enable secret password is configured, it is
used (and required) instead of the enable password, not in addition to it. To set
password encryption, enter the service passwordencryption command in global
configuration mode.
Passwords that are displayed or set after you configure the service password
encryption command will be encrypted in the output. This includes the encrypting of
the passwords that might otherwise be displayed in plain text on the screen in the
terminal output of a show command, such as show run.
To disable a command, enter no before the command. For example, use the no service
passwordencryption command to disable the servicepassword encryption
command:
SwitchX(config)# service passwordencryption
SwitchX(config)# no service passwordencryption
Configuring the Login Banner
The CLI is used to configure the “message of the day” and other console commands. This
banner can be used to warn others that they have accessed a secure device and that
they might be monitored.
You can define a customized banner to be displayed before the username and password
login prompts by using the banner command in global configuration mode. To disable
the login banner, use the no form of this command.
When the banner command is entered, follow the command
Example: Switch(config)#banner motd "Authorized User Can Access it"
Summary of Understanding Switch Security
The key points that were discussed in the previous sections are as follows:
User and Privileged Passwords can be used to restrict access levels to users that
have different access needs for the device. The first level of security is physical.
The login banner can be used to display a message before the user is prompted
for a username.
Port security can be used to limit a MAC address to a port. Unused ports should
be shut down.
