Basic IT Network-System

Uploaded by naraphong.lum

AGENDA 1 (Lecture) 1 Day

1) OSI Model
2) Transmission Media: Wired
3) Transmission Media: Wireless
4) LAN and WAN Overview
5) TCP/IP and Port Numbers

AGENDA 2 (Lecture) 1 Day

6) IP Address and Subnet Planning
7) Network Security Overview
8) Storage System Overview
9) Operating System Overview
10) Basic Networking Design
OSI model
OSI Model (Open Systems Interconnection)
7 Application (Upper Layer): interface between the application and the communication software. Examples: WWW, Email, Telnet, FTP, SNMP
6 Presentation: how data is formatted; encryption processing. Examples: ASCII, JPEG, MP3, Zip
5 Session: end-to-end control and channel processing. Examples: Windows socket, SQL, NetBIOS
4 Transport (Data Flow): adjusts and summarizes data; reliability and error recovery; segment format. Examples: TCP, UDP, SPX
3 Network (Lower Layer): best-effort or best-path delivery using a logical address; packet format. Examples: IP, IPX, AppleTalk; device: Router
2 Data Link: flow control using the MAC address; frame format. Examples: IEEE 802.3, HDLC, Token Ring, FR, ATM; device: Switch
1 Physical: specifies electrical signalling, cables, connectors; bit format. Examples: V.35, RS-232, RJ-45, NIC, twisted pair, fiber optic
Mnemonic: All People Seem To Need Data Processing


Communicating Between Layers

Transport: Transmission Control Protocol (TCP)
Network: Internet Protocol (IP)
Data Link: Logical Link Control (LLC) and Media Access Control (MAC) sublayers

PDU (Protocol Data Unit) = control information and user data
FCS (Frame Check Sequence) = checksum for error detection and correction
Example: Frame formats of Ethernet/IEEE 802.3 (L1-L2)

Preamble: tells receiving stations that a frame is coming
SOF (Start of Frame): in IEEE 802.3, this byte is included in the preamble
Destination Address: network/node address of the destination device
Source Address: network/node address of the sending device
Type: specifies the upper-layer protocol that receives the data after Ethernet processing is completed
Length: indicates the number of bytes of data that follow this field
Data: packet of information from Layer 1 to Layer 2
FCS (Frame Check Sequence): cyclic redundancy check (CRC) used to check the validity of the frame
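The frame layout above, as an added example that is not part of the original slides: it assembles a frame from the listed fields, pads short data to the 46-byte minimum, computes the FCS as a CRC-32 the way a sending NIC does, and shows how a receiver distinguishes an 802.3 Length field from an Ethernet II Type field and rejects a frame whose FCS no longer matches. The addresses and payloads are constructed sample values.

```python
# Added example (not from the original slides): build and parse an
# Ethernet/IEEE 802.3 frame as it appears on the wire after the preamble
# and SOF, and verify the FCS (CRC-32) the way a receiving NIC does.
# Field layout follows the slide; addresses and payloads are constructed.
import struct
import zlib

MIN_PAYLOAD = 46        # minimum data size so the frame reaches 64 bytes
MAX_PAYLOAD = 1500      # Type/Length values <= 1500 are an 802.3 length
ETHERTYPE_MIN = 0x0600  # values >= 0x0600 are an Ethernet II type


def mac_str(raw: bytes) -> str:
    """Render a 6-byte address as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)


def fcs_of(body: bytes) -> bytes:
    """FCS = CRC-32 over Destination..Data, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, type_or_len: int, payload: bytes) -> bytes:
    """Assemble Destination | Source | Type/Length | Data (padded) | FCS."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("addresses must be 6 bytes")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long")
    # Pad short data to the minimum so the frame is long enough on the wire.
    padded = payload + b"\x00" * max(0, MIN_PAYLOAD - len(payload))
    body = dst + src + struct.pack("!H", type_or_len) + padded
    return body + fcs_of(body)


def parse_frame(frame: bytes) -> dict:
    """Split a received frame into its fields and check the FCS."""
    if len(frame) < 6 + 6 + 2 + MIN_PAYLOAD + 4:
        raise ValueError("runt frame")
    body, fcs = frame[:-4], frame[-4:]
    dst, src = body[:6], body[6:12]
    type_or_len = struct.unpack("!H", body[12:14])[0]
    data = body[14:]
    if type_or_len <= MAX_PAYLOAD:
        # IEEE 802.3: the field is a length; anything beyond it is padding.
        if type_or_len > len(data):
            raise ValueError("length field exceeds frame data")
        kind, data = "length", data[:type_or_len]
    elif type_or_len >= ETHERTYPE_MIN:
        kind = "type"  # Ethernet II: upper-layer protocol, e.g. 0x0800 = IPv4
    else:
        raise ValueError("invalid Type/Length value")
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "kind": kind,
        "type_or_len": type_or_len,
        "data": data,
        # A receiver discards the frame when the recomputed CRC does not match.
        "fcs_ok": fcs == fcs_of(body),
        "is_broadcast": dst == b"\xff" * 6,
        "is_multicast": bool(dst[0] & 0x01),
    }


if __name__ == "__main__":
    # Constructed sample: a short 802.3-length frame from one station to another.
    DST = bytes.fromhex("001122334455")
    SRC = bytes.fromhex("66778899aabb")
    good = build_frame(DST, SRC, 5, b"hello")
    print(parse_frame(good))
    # Flip one bit in transit: the FCS check now fails and the frame is dropped.
    damaged = good[:20] + bytes([good[20] ^ 0x01]) + good[21:]
    print(parse_frame(damaged)["fcs_ok"])
```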
Communicating Between Users
TX RX

Header + Payload (Data) Header + Payload (Data)


Transmission Media: Wired
Cabling Standard
Wired Media
Copper cable
Coaxial Cable Twisted Pair Phone Cable Power Line

Fiber Optic cable


Main Characteristic of Wired Cable
 Attenuation
 Frequency
Structure and Component of Coaxial Cable
[Figure: coaxial cable structure]
Example equipment relation with Coaxial cable
Connectors: LAN-BNC, N-Type, TNC, SMA, MCX
Category of Coaxial
Scenarios of Coaxial Cable
 RF, Cable TV, Satellite
 LAN: Bus topology (T-connector on each station, terminating resistor at each end)
 WLAN, WiMax, Cellular
Ethernet/IEEE 802.3 Standard of Coaxial Cable
RG-58, RG-8
IEEE 802.3 or 10BASE-T


 10BASE2 = ThinNet, RG-58, 10 Mbps, <200 meters, Bus topology
 10BASE5 = ThickNet, RG-8, 10 Mbps, <500 meters, Bus topology
Evolution of Copper Pair to Twisted Pair
 Parallel wires  Phone Cable, Power Line
 Twisted wires/Twisted pairs  UTP/STP Cable

Noise source on Parallel wires vs. Twisted Pair
[Figure: noise coupling onto parallel wires compared with twisted pair]
Structure and Component of Twisted Pair
Twisted Pair = 4 separately insulated pairs (8 wires)
= twisted to reduce the effect of electromagnetic interference

UTP (Unshielded Twisted Pair)
STP (Shielded Twisted Pair)


Categories Standard of Twisted Pair
Category | Standard | Freq. (MHz) | Data Rate | Applications
CAT1 | TIA/EIA | 1 | 1 Mbps | UTP = POTS, ISDN, Analog voice
CAT2 | TIA/EIA | 4 | 4 Mbps | UTP = LAN-Token Ring
CAT3 | TIA/EIA-568B | 10 | 10 Mbps | UTP = LAN-Ethernet
CAT4 | TIA/EIA | 20 | 16 Mbps | UTP = LAN-Token Ring
CAT5 | TIA/EIA | 100 | 10/100 Mbps | UTP/STP = LAN-Fast Ethernet, ATM
CAT5e | TIA/EIA-568B | >100 | 10/100 Mbps to 1 Gbps | UTP/STP = LAN-Fast/Gigabit Ethernet; far end crosstalk (FEXT)
CAT6 | TIA/EIA-568B | >250 | 10/100 Mbps to 1 Gbps | UTP/STP = LAN-Fast/Gigabit Ethernet; attenuation, NEXT, PSNEXT
CAT6a | ANSI/TIA/EIA-568B.2-10 | >500 | 10/100 Mbps to 1/10 Gbps | UTP/STP = LAN-Fast/Gigabit Ethernet
CAT7 | ISO/IEC 11801 class F | >600 | 10/100 Mbps to 1/10/100 Gbps | More than LAN 10 Gbps, future!!
Modular Plug (RJ: Registered Jack) for Parallel/Twisted Pair

RJ11/RJ14 and RJ25: 4P2C/4P4C and 6P2C/6P4C/6P6C (2 to 6 pins or wires); Telecom: POTS, ISDN BRI, ADSL
RJ45: 8P8C (8 pins or wires); Datacom: LAN, PC
RJ45 Plug for Twisted Pair (Fast Ethernet)
Wiring RJ45 Plug for Twisted Pair
Straight-through or Direct cable
 Same pin order on both plugs: white-orange, orange, white-green, blue, white-blue, green, white-brown, brown
 PC/Server  Hub/Switch
 Router  Hub/Switch

Crossover or Xross cable
 One plug straight, the other plug with pins 1-3 and 2-6 swapped
 Back-to-Back
 PC  PC, Hub  Hub
 Switch  Switch, Hub  Switch
 Router  Router
RJ45 Jack and Patch panel for Twisted Pair
RJ45 Plug  RJ45 Jack
RJ45 Plug  Hub/Switch
Patch Panel  Hub/Switch
Patch Panel  RJ45 Jack
Example equipment relation with Twisted Pair
Tools, Modular Jack & Patch panel, CAT7
Scenarios of Twisted Pair
LAN: Star Topology or Point-to-Multipoint

Ethernet/IEEE 802.3 Standard of Twisted Pair
IEEE | Ethernet | Description
802.3u | 100BASE-T4 | 4 pairs, CAT3 up, 100 m, Star topology
802.3u | 100BASE-TX | 2 pairs, CAT5 up, 100 m, Star topology
802.3ab | 1000BASE-T | 4 pairs, CAT5e up, 100 m, Star topology
802.3an | 10GBASE-T | 4 pairs, CAT6 up, 55 m, Star topology
Phone Cable technology
Phone Cable  HomePNA standard, uses the existing phone cable
 Uses the FDM technique (separates talk/internet/LAN)
 Uses ADSL technology (talk and internet at the same time)
 Similar to LRE (Long Reach Ethernet) technology

POTS = 20 Hz to 3.4 kHz  Voice
ADSL = 25 kHz to 582 kHz  Internet
HomePNA = 5.5 MHz to 9.5 MHz  LAN
Example equipment relation with Phone Cable

PNA-LAN Card (USB to RJ11)

Phone Jack (RJ11)


PNA-Bridge (Ethernet to RJ11)
Standard of Phone Cable
Standard | ITU | Description
HomePNA 1.0 | NA | 1 Mbps, 1-2 pairs, CAT1 up, <500 m, Bus/Star topology
HomePNA 2.0 | G.9951, G.9952 and G.9953 | 10 Mbps, 1-2 pairs, CAT1 up, <350 m, Bus/Star topology
HomePNA 3.0 (02/05) | G.9954, Feb. 2005 | 128 Mbps, 1-2 pairs, CAT1 up, <600 m, Bus/Star topology
Scenarios of Phone Cable
[Figure: PNA-LAN cards and PNA-bridges connected over the phone line through splitters and patch cords; PSTN and PBX on one side, ISP via router, hub/switch, billing server and UTP on the other]
Power Line technology
Power line  HomePlug standard, uses the existing power line
 Uses the OFDM and FDM techniques to extend bandwidth

[Figure: OFDM splits the available bandwidth into multiple carriers (tones); axes amplitude vs. frequency]
Example equipment relation with Power line

USB

Power line-LAN Card (USB to AC. Power Plug)

Ethernet

Power line-Bridge (Ethernet to AC. Power Plug)


Standard of Power Line
Standard | IEEE/TIA | Description
HomePlug 1.0 | TIA-1113 | 14 Mbps, AC power plug, no fixed area, Bus/Star topology
HomePlug 1.0 (Turbo) | NA | 85 Mbps, AC power plug, no fixed area, Bus/Star topology
HomePlug AV | NA | 200 Mbps, AC power plug, no fixed area, Bus/Star topology
HomePlug BPL | IEEE P1901 | Pending!
HomePlug Command & Control (HPCC) | Pending | Pending!
Scenarios of Power Line
[Figure: power line LAN cards and power line bridges on the 220 V/50 Hz mains from the transformer and main breaker; ISP via router, hub/switch, billing server and UTP]
Structure and Component of Fiber Optic
Fiber Optic = light pulses, impervious to EMI/RFI/crosstalk
= keeps signal strength over long distances, greater bandwidth
= 1 pair of fiber equals 1,400 pairs of copper

Note 1: 62.5/125 um = core/cladding diameter
Note 2: a 9 um core reaches a longer distance than a 62.5 um core
Note 3: a 1,550 nm wavelength reaches a longer distance than an 850 nm wavelength
Type of Fiber Optic: Transmission Mode
SMF (Single Mode Fiber)
 Transmits from an LD (laser diode) straight through the middle of the core
 Long distance and higher bandwidth, best suited for outdoor areas

MMF (Multi Mode Fiber)
 Transmits from an LED (light emitting diode), bouncing off the surface of the core
 Short distance and low bandwidth, best suited for indoor areas
Type of Fiber Optic: Index of Refraction
[Figure: two MMF index profiles and one SMF profile]
Modular Plug for Fiber Optic
ST, SC, FC, LC, MTRJ
Modular Jack for Fiber Optic
GBIC module for Hub/Switch, SFP module for Hub/Switch
Fiber Optic patch panel for Hub/Switch
Hub/Switch  Hub/Switch
Hub/Switch  Patch panel
Patch panel  Patch panel
Example category of Fiber Optic
 Indoor area
 Outdoor area
Scenarios of Fiber Optic
LAN: Ring Topology  Token/FDDI
LAN: Star Topology  Cascade/Daisy chain
Ethernet/IEEE 802.3 Standard of Fiber Optic (Ring)
Ethernet/IEEE 802.3 Standard of Fiber Optic (Star)
IEEE | Ethernet | Description
802.3u | 100BASE-FX | MMF, wavelength 1310 nm, <2 km, Star topology
 | 100BASE-LX | SMF, wavelength 1310 nm, <10 km, Star topology
 | 100BASE-ZX | SMF, wavelength 1550 nm, <80 km, Star topology
802.3z | 1000BASE-SX | MMF, wavelength 850 nm, <500 m, Star topology
 | 1000BASE-LX | SMF, wavelength 1310 nm, <5 km, Star topology
 | 1000BASE-ZX | SMF, wavelength 1550 nm, <70 km, Star topology
802.3ae | 10GBASE-SR | MMF, wavelength 850 nm, <300 m, Star topology
 | 10GBASE-LR | SMF, wavelength 1310 nm, <10 km, Star topology
 | 10GBASE-ER | SMF, wavelength 1550 nm, <40 km, Star topology
Standards for Fiber Optic Transmission System (FOTS)
SONET | SDH | Speed (Mbps)
STS-1/OC-1 | STM-0 | 51.84
STS-3/OC-3 | STM-1 | 155.52
STS-12/OC-12 | STM-4 | 622.08
STS-24/OC-24 | STM-8 | 1,244.16
STS-48/OC-48 | STM-16 | 2,488.32
STS-192/OC-192 | STM-64 | 9,953.28
Transmission Media: Wireless
Wireless Standard

[Figure: wireless standards by coverage area]
 Wireless Personal Area Network: Bluetooth, IrDA, UWB, RFID
 Wireless Local Area Network: WiFi or WLAN
 Wireless Broadband Area Network: WiMAX, Cellular, Satellite
Comparison Wireless media technology
802.11 WLAN: OSI model

Application
Presentation
Session
Transport
Network
Data Link Layer: Logical Link Control (LLC) and Medium Access Control (MAC)
Physical Layer: 802.11 Physical (PHY)
FHSS, DSSS, HR-DSSS, IR, OFDM, PBCC, CCK

Supports 7 different types of RF modulation schemes


802.11 WLAN: Radio Frequency Band
[Figure: electromagnetic spectrum from extremely low frequency through audio, AM/FM broadcast, short wave radio, television, cellular (840 MHz), NPCS (1.9 GHz), wireless LAN and infrared up to visible light, ultraviolet and X-rays]

902-928 MHz (26 MHz): ISM band, older WLAN
2.4-2.4835 GHz (83.5 MHz): ISM band, IEEE 802.11b/g/n draft
5 GHz (325 MHz): U-NII band, IEEE 802.11a/n draft
5 or 17 GHz: ETSI Hiperlan1,2
802.11 WLAN: Frequency Channel Plan @2.4GHz
802.11 WLAN: Frequency Channel Allocation @2.4GHz
1) Non-overlapping channels on 2.4 GHz
2) Co-channel interference

Horizontal frequency design: 1,6,11 and 1,4,8,11
Vertical frequency design: 1,6,11 and 1,8,11,4
802.11 WLAN: Radio Frequency Barrier
IEEE 802.11 WLAN: Modulation technique
FHSS, DSSS, OFDM
[Figure: OFDM multiple carriers (tones) across the available bandwidth; axes amplitude vs. frequency]
802.11 WLAN: Data Rate (Bandwidth)

GI (Guard Interval) = period within an OFDM symbol that allows the next signal to be transmitted across the next symbol.
IEEE 802.11 WLAN: Standard Comparison
IEEE 802.11 WLAN: Topology
1) Ad-Hoc (Peer-to-Peer)
 No AP (Wireless Access Point) used
 Same SSID (Service Set Identification) or Workgroup/Domain name
 Same frequency channel
 Same subnet or network
 Broadcast data
 Called “BSS (Basic Service Set)”
2) Infrastructure Mode (Client-to-Server)
 Must use a Wireless Access Point!
 Same SSID (Service Set Identification) or Workgroup/Domain name
 No need to set the frequency channel at the wireless client
 Same subnet or network
 Broadcast data
 Called “ESS (Extended Service Set)”
IEEE 802.11 WLAN: Main Characteristic
1) CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) plus acknowledgement protocol
(compare CSMA/CD on wired Ethernet)

RTS (Request to Send) = every node must send a request packet to all members
before sending to the destination.
CTS (Clear to Send) = every node must clear its own packet to all members
to avoid data collisions.
2) Roaming system
AP <---> Wireless Client
3) Automatic rate selection
[Figure: high bandwidth within about 30 m of the AP, low bandwidth out to about 100 m]
 802.11a = High BW 54 Mbps, Low BW 6 Mbps
 802.11b = High BW 11 Mbps, Low BW 1 Mbps
 802.11g = High BW 54 Mbps, Low BW 6 Mbps
 802.11n draft = High BW 100-300 Mbps, Low BW 6 Mbps
AP <---> AP
Line of sight < 300 m @ 2.12 dBi antenna
 Gain of antenna = RF propagation (distance/area)  use a high-gain antenna
 Transmitting power = controls data speed (bandwidth)  use a booster
External Antenna for WLAN
 Omnidirectional: Point-to-Multipoint
 Directional: Point-to-Point
IEEE 802.11 WLAN: Solution design
[Figure: channel assignment per scenario]
 Wireless Roaming: adjacent APs on CH.1, CH.6 and CH.11
 Wireless Bridging (Point-to-Point): both ends on CH.1
 Wireless Repeater (Point-to-Point): every hop on CH.1
 Wireless Point-to-Multipoint: every link on CH.1
 Wireless Mesh (Outdoor Solution): every node on CH.1
IEEE 802.11 WLAN: Security
Because a WLAN uses radio frequency to transfer data through the air,
the data must be handled carefully for both correctness (Correct-Data) and protection (Protect-Data):
 SSID
 MAC Filtering
 WEP
 WPA & WPA2
 RADIUS & IEEE 802.1X/EAP
 VLAN & Firewall
 Remote VPN & Personal Firewall
SSID (Service Set Identifier)
The SSID provides a mechanism to “segment” a wireless network into multiple networks serviced
by one or more APs, so client computers must be configured with the correct SSID.
[Flowchart: START -> fix the SSID name for the AP -> fix the SSID name for the client -> does the client's name match the AP's? No: not connected. Yes: END (connected to network)]
 Broadcast SSID  monitor the cell site
 Hidden SSID  stop broadcasting for security
 Careful  hack-scan of the SSID
MAC (Media Access Control) Filtering
The Media Access Control (MAC) address is a unique number assigned by the manufacturer to
any Ethernet networking device. Each AP has an access control table that can filter wireless clients.
[Flowchart: START -> enable the MAC Address Filtering feature at the AP -> select Allow for clients -> put the MAC of every client that may access the network into the table -> has the client's wireless card been entered into the AP? No: END (no connection). Yes: END (connected to network)]
 Easy  fixed MACs of members
 Strong  not over 50 MACs
 Careful  hack by MAC spoofing
WEP (Wired Equivalent Privacy)
WEP is an encryption method, a data privacy mechanism based on 64 to 128-bit keys (standard)
or up to 152 bits (proprietary), using the shared-key RC4 algorithm

IV (initialization vector): used in WEP to enhance the shared secret key
PRNG (pseudo-random number generator): produces a keystream
CRC (32-bit Cyclic Redundancy Check): an error checking/integrity technique
ICV (Integrity Check Value): prevents a hacker from modifying or changing the
contents of the packet during transmission
[Flowchart: START -> enable the WEP feature at the AP; select the number of bits for the secret key; put the passphrase as plaintext; select the key for encryption -> enable the WEP feature at the client; select the number of bits for the secret key; put the passphrase as plaintext; select the key or auto key for encryption -> do the client's WEP parameters match the AP's? No: not connected. Yes: END (connected to network)]
 Easy  dynamic membership
 Strong  over 200 users (class C)
 Careful  hack of WEP
WPA (Wi-Fi Protected Access) and WPA2
Standard | Authentication Method | Encryption Method
Default 802.11 (Open system/Shared Key) | No need | WEP/RC4
WPA Personal (802.11) | WPA Passphrase (WPA-PSK) | TKIP/RC4
WPA Enterprise (802.11) | 802.1X/EAP (RADIUS) | WEP/RC4, Dynamic TKIP/RC4
WPA2 Personal (802.11i) | WPA2 Passphrase (WPA2-PSK) | TKIP/AES, CCMP/AES
WPA2 Enterprise (802.11i) | 802.1X/EAP (RADIUS) | TKIP/AES, CCMP/AES
RADIUS and IEEE 802.1X/EAP
IEEE 802.1X = Port based network access control standard
EAP (Extensible Authentication Protocol) = Standard security protocol for access control 802.1X
VLAN and Firewall
Remote VPN and Personal Firewall
Security considerations for WLAN
 Home and Small SMB
 SSID + MAC + WEP
 SSID + MAC + WPA/WPA2
 Medium SMB and Enterprise
 SSID + RADIUS/WEP
 SSID + RADIUS/WPA
 SSID + VPN + Firewall
 SSID + VLAN + Firewall

NOTE:
- Static IP, DHCP scope, Proxy, IP filtering, Domain, IPS, IDS, NAC
- Existing/old equipment, backward compatibility, interoperation, cost
Operation Type of WLAN

Autonomous Access Point
 Similar to client-to-server
 Distributed configuration at each AP only, via USB/WEB/SSH/NMS etc.
 Best suited for Home/Small SMB users

Lightweight Access Point (LWAPP)
 Looks like a cellular system (BTS + antenna)
 Centralized configuration at the WLAN Controller only (no need to configure at the AP)
 Best suited for Medium SMB/Enterprise users
Example WiFi-Certificate @www.wi-fi.org
LAN and WAN Overview
LAN (Local Area Network) Topology
Stand Alone PC  No any sharing

Floppy Disk, CD-ROM, Flash Drive

Back-to-Back or Peer-to-Peer  Need sharing

RS-232/DB9, Parallel, UTP


Basic network equipment for LAN
LAN Card: Interface for transfer data between one to another

Repeater: Boosting weak signal, Regenerate propagate signal

Hub: Multi-port of Repeater, Broadcast data (point to multipoint)

Bridge: Intelligent Repeater, Determine destination

Switch: Multi-port of Bridge, Dedicate data (point to point)


Basic LAN topology: Bus
[Figure: bus segment with a T-connector at each station and a terminating resistor at each end]

 Single cable to connect each PC (daisy chain) and low cost
 Long distance up to 500 meters (Thicknet cable)
 Easy initial setup but difficult cabling when adding more PCs
 Broadcast data (frame only)
Basic LAN topology: Ring
Token Ring/IEEE 802.5, FDDI/CDDI
 Less cable to connect each PC (loop) but high cost for fiber optic
 Short distance and difficult cabling when adding more PCs
 Unicast data (frame only)
Basic LAN topology: Star
 Many cables to connect PCs from a HUB/Switch (point-to-multipoint)
 Supports UTP/FO cabling, flexible for more PCs and distance
 Low impact when a cable is damaged
 Supports unicast/multicast/broadcast data
Basic LAN topology: Mesh
 Connects HUBs/Switches (each node must connect to every other node)
 For highly critical applications, redundant service
 Must be robust; difficult configuration
 Supports unicast/multicast/broadcast data
Basic operation for Ethernet/IEEE 802.3
1) Transmission: Unicast, Multicast, Broadcast
2) Media Access
 Any station on a LAN can access the network at any time.
 Before sending data, stations listen for traffic on the network.
A station waits until it detects no traffic before it transmits data.
3) Collision handling
CSMA/CD (Carrier Sense Multiple Access with Collision Detection)
 CSMA/CD  first come, first served
 “Roll the dice” algorithm  randomly chosen hold time before retransmitting
 Check “ACK” to release the data
Basic network equipment for WAN @Customer
Router: routes along the best path and filters information between different networks
Modem or DSU/CSU (Data Service Unit/Channel Service Unit): modulation/demodulation to convert digital<-->analog signals via PSTN or Co.
CPE (Customer Premises Equipment) or RG (Residential Gateway): Router + Modem or an all-in-one box
Basic network equipment for WAN @Provider
WAN Switch: carrier switch that connects the customer interfaces and transfers or routes data to any other WAN switch, such as ATM, X.25, Frame Relay, ISDN, MSAN, MPLS, DSLAM
MUX (Multiplexer): combines multiple signals such as voice, video and data for transmission over one circuit
Terminal Server: same as a RAS (remote access server); supports dial-in/dial-out from a remote location and then attaches to the LAN
Media Gateway: supports analog/digital interfaces for connecting to a VoIP or NGN network
Basic network equipment for connecting
DTE (Data Terminal Equipment):
 Interface to connect an end-device or user side such as PC/Server, Router
 Receives the clock signal from the DCE
DCE (Data Circuit Equipment):
 Interface to connect a circuit-device or network side such as Modem, DSU/CSU, NTU (Network Terminal Unit)
 Supplies the clock signal to the DTE
V.35 Serial Cable
[Figure: DTE @ end-device such as a Router <-> DCE @ circuit-device such as a Modem, with DCE-DCE across the circuit and DTE at each end; serial interface standards EIA/TIA-232, EIA/TIA-449, V.35, X.21, EIA-530]
WAN (Wide Area Network) Overview
LAN = Intranet
MAN = Extranet
WAN = Internet
Comparison LAN/MAN/WAN
Network | Description | Equipment
LAN | Internal area and private users; long distance for internal area (<100 m); highest bandwidth for internal area | Hub/Switch
MAN | Internetwork link between private and private; extended distance for internetwork link (>1 km); low bandwidth for internetwork link | Hub/Switch, Router, Modem
WAN | Internetwork link between private and public; short distance for internetwork link (<10 m); lowest bandwidth for internetwork link | Hub/Switch, Router, Modem
Transmission Facility of WAN
Circuit-Switched: Dial up, Leased Line, IxDSL, Cable, Satellite, Metro LAN
Packet-Switched: X.25, Frame Relay, ATM, MPLS
Circuit-Switched
Fixed bandwidth, permanent circuit, single data stream, frame format
Packet-Switched (Frame)
Dynamic bandwidth, virtual circuit, split data, frame format
Packet-Switched (Cell)
Integrated data, cell format

Transmission Technology
Transmission = node-to-node technology
 Analog FDM (Frequency Division Multiplexing)
 Digital TDM (Time Division Multiplexing) such as PDH, SONET/SDH
 Lightwave WDM (Wavelength Division Multiplexing)
Transmission: Analog (FDM)
Sends data on multiple frequencies at the same time
Transmission: Digital (TDM)
Sends data in multiple time slots on the same frequency
Transmission: Lightwave (WDM)
Technology of WAN
Synchronous Leased Line or Dedicated circuit

Parameter:
 username, password
 encapsulation (PPP, HDLC)
 authentication (PAP, CHAP)
Frame Relay

Parameter:
 encapsulation Frame relay
 bandwidth
 LMI
 DLCI
Leased Line: benefits
 High-speed digital communication service from 64 Kbps up to 2.048 Mbps and above
 Point-to-point data connection between branches,
linking the signal from one origin point to one destination point
 Suitable for large volumes of data communicated continuously at all times
 High circuit rental cost
 Uses Layer 2 encapsulation = HDLC, PPP, SLIP

Frame Relay: benefits
 High-speed digital communication service from 64 Kbps up to 2.048 Mbps and above
 Point-to-multipoint data connection between the head office and its branches,
linking the signal from one origin point to many destination points
 Suitable for organizations with many branches that need to communicate data from one origin
to many destination points
 Circuit rental cost lower than a Leased Line
 Uses Layer 2 encapsulation = X.25, Frame Relay, ATM
xDSL (Digital Subscriber Line) technology
DSL  uses the PSTN line as the medium to transfer digital data with the FDM technique
or the ECH technique. Applications such as video, interactive 2-way, games, Internet
DSL Family
Symmetric data (downstream = upstream): HDSL, HDSL2 (G.SHDSL), SDSL, IDSL (ISDN: BRI)
Asymmetric data (downstream and upstream differ): ADSL, G.lite, RADSL, VDSL
Comparison xDSL technology
xDSL | Downstream | Upstream | Distance | Voice + Data at the same time
HDSL | 2 Mbps | Equal to downstream | < 3 km | No
HDSL2 (G.SHDSL) | 2 Mbps | Equal to downstream | < 8 km | No
SDSL | 768 Kbps to 2 Mbps | Equal to downstream | < 6 km | No
IDSL (ISDN) | 144 Kbps (ISDN: BRI) | Equal to downstream | < 5 km | Yes
ADSL | 128 Kbps to 8 Mbps | 64 to 640 Kbps | < 5 km | Yes
G.lite | 1.5 Mbps | 640 Kbps | < 5 km | Yes
RADSL | 128 Kbps to 8 Mbps | 64 to 640 Kbps | < 5 km | Yes
VDSL | 13 to 52 Mbps | 1.5 to 6 Mbps | < 1 km | Yes
G.SHDSL (G Single-pair High-bit rate DSL)

LAN Extender solution

Internet access solution


ISDN (Integrated Services Digital Network)
BRI (Basic Rate Interface)
 Copper media
 2B+1D = 128 Kbps
PRI (Primary Rate Interface)
 Fiber optic media
 30B+1D = E1 2.048 Mbps
BRI (Basic Rate Interface)
 R = Rate reference point
 S = System reference point
 T = Terminal reference point
 U = User reference point

Parameter:
 username, password
 isdn switch-type or isdn spid
 encapsulation
 authentication
 dialer
 routing
PRI (Primary Rate Interface)
Parameter:
 username, password
 isdn switch-type
 controller (linecode, clock source, framing)
 pri-group
 dialer
 routing
ADSL (Asymmetric DSL)
LAN Extender solution
Internet access solution

 DSLAM (Digital Subscriber Line Access Multiplexer)  multiplexer at the
operator's telephone switching office, connecting to the ISP
 DSL Modem  DCE or CPE (Customer Premises Equipment) modulator/demodulator for xDSL;
interface internal (PCI) or external (USB/RJ-45)
 Splitter  separates the voice signal (PSTN) from the data signal (Internet)
 Micro filter  filters noise so that it does not cross over to voice (telephone)
 Parameters  VPI, VCI, encapsulation, username, password
VDSL (Very High-data rate DSL)

LAN Extender solution


Dial up (Analog Modem)
Dial up: benefits
 Internet access
 RAS to Terminal Server
 Client or remote VPN
 ATM for banks
 POS for shops
 VNC/Remote desktop
 pcAnywhere
 WinFax
 NetMeeting
Standard of Dial up-Analog modem
Satellite/VSAT
VSAT (Very Small Aperture Terminal)  uses radio (GHz) as the medium to transfer
digital data (<4/2 Mbps) with the TDM technique on the Ku band, not limited to a service area
 Internet access service
 VoIP service
 VPN service
Consideration for WAN service
 Service area
- Out of PSTN area  Satellite and any wireless medium
 Communication
- P2P  Leased Line, xDSL, Metro LAN
- P2M  Frame Relay
 Application
- Security  MPLS
- High bandwidth  Leased Line, Metro LAN
- SLA  Frame Relay
 Cost
- Low cost  xDSL, Dial up
TCP/IP and Port Numbers
OSI model Vs. TCP/IP
Application/Process
Transport/Host-to-Host
Network/Internetwork
Network Interface/Link
TCP/IP
TCP (Transmission Control Protocol)
 Transport layer, TCP segment, connection-oriented via 3-way handshake
 Puts a SEQ (sequence number) and checks the ACK (acknowledgement) from the RX side
 Retransmission by error recovery for reliability
 Checks the window size by sliding window
 Controls the process, manages buffers, combines with IP toward the upper layer

IP (Internet Protocol)
 Network layer, connectionless (logical link), unreliable
 Addressing to set up the logical address
 Packaging to prepare the IP header for the TCP/UDP segment (datagram)
 Routing to search for the best-effort path
TCP/IP Layer suite
Application / Transport / Network / Link / Media
 TCP (Transmission Control Protocol)
Manages and controls data transfer with reliability and guarantee
 UDP (User Datagram Protocol)
Manages and controls data transfer without reliability or guarantee
 IP (Internet Protocol)
Routes with best effort to transfer data
 ICMP (Internet Control Message Protocol)
Supports IP and reports error messages to IP
 IGMP (Internet Group Management Protocol)
Sends UDP datagrams with multicast or broadcast to clients
 ARP (Address Resolution Protocol)
Converts IP address  MAC address
 RARP (Reverse ARP)
Converts MAC address  IP address
TCP Vs. UDP segment

TCP segment UDP segment


TCP with 3Ways Handshake and Window size

3Ways Handshake

Windows Size
IP Datagram and Internet Address (IP Address)
IP Datagram
Range of IP Address | Class of Network
0.0.0.0 to 127.255.255.255 | A
128.0.0.0 to 191.255.255.255 | B
192.0.0.0 to 223.255.255.255 | C
224.0.0.0 to 239.255.255.255 | D
240.0.0.0 to 255.255.255.255 | E
ICMP (Internet Control Message Protocol)
Type | Code | Description | Query/Error
0 | 0 | Echo Reply | Query
3 | - | Destination Unreachable | Error
3 | 0 | Network Unreachable | Error
3 | 1 | Host Unreachable | Error
5 | - | Redirect | Error
8 | 0 | Echo Request | Query
IGMP (Internet Group Management Protocol)

Multicast

Broadcast
ARP (Address Resolution Protocol) and RARP (Reverse ARP)
ARP: converts IP address  MAC address
RARP: converts MAC address  IP address


TCP/IP with Encapsulation and Demultiplexing
Port Numbers
 Physical port  serial port/parallel port/Ethernet port on equipment
 Logical port  port numbers (used together with a protocol)
 PC client  131,068 ports available (TCP = 65,534 ports, UDP = 65,534 ports)
 Server  fixed port number to serve clients
 TCP/IP  uses protocol numbers and port numbers to pass
data/applications to the upper layer (application layer)
TCP/IP with Port Numbers
by Internet Assigned Numbers Authority (IANA)

1) Well-Known Ports
Below port number 1024, used as the standard port for an application

2) Assigned/Registered Ports
Above port number 1024, used as special ports such as servers, Trojans,
vendor-proprietary etc.

3) Reserved Ports
Port number range 1-1023, used by some OSs such as Unix, Win NT
TCP/IP with Protocol Numbers
Protocol Name | Assigned Number | Description
IP | 0 | Internet Protocol
ICMP | 1 | Internet Control Message Protocol
TCP | 6 | Transmission Control Protocol
UDP | 17 | User Datagram Protocol
TCP/IP with Well-Known ports*
Service Name | Port Number/Protocol | Description
FTP-data | 20/TCP | File Transfer Protocol (data)
FTP | 21/TCP | File Transfer Protocol (control)
Telnet | 23/TCP | Remote tool
SMTP | 25/TCP | Simple Mail Transfer Protocol (send Email)
Domain | 53/UDP-TCP | Domain Name Server
TFTP | 69/UDP | Trivial File Transfer
WWW-http | 80/TCP | World Wide Web HTTP
POP3 | 110/TCP | Post Office Protocol-Version 3 (receive Email to client as retrieve)
NTP | 123/UDP | Network Time Protocol
IMAP4 | 143/TCP | Internet Message Access Protocol (receive mail to client as copy)
SNMP | 161/UDP | Simple Network Management Protocol
SNMP-Trap | 162/UDP | SNMP Trap (spy agent)
IPX | 213/UDP | IPX over IP
LDAP | 389/TCP | Lightweight Directory Access Protocol (database for AAA)
https | 443/UDP-TCP | World Wide Web HTTP Security
isakmp | 500/UDP | Internet Key Exchange (encryption such as VPN)
Login | 513/TCP | Remote login
CMD | 514/TCP | Command Prompt Shell
Syslog | 514/UDP | Syslog
Ms-sql-s | 1433/UDP-TCP | Microsoft SQL Server
Ms-sql-m | 1434/UDP-TCP | Microsoft SQL Monitor
WINS | 1512/UDP-TCP | MS Windows Internet Name Service
L2TP | 1701/UDP | Layer Two Tunneling Protocol
PPTP | 1723/TCP | Point to Point Tunneling Protocol
Radius | 1812/UDP | RADIUS authentication protocol
Radacct | 1813/UDP | RADIUS accounting protocol
NFSD | 2049/UDP | NFS server (File server)
* Postel, J. and Reynolds, J. RFC1700. “Assigned numbers.” October 1994.
IP Address and Subnet Planning
IP Address and Subnet
 IP Address  the host's address, used as the reference for transfer between TX and RX
 IPv4 uses 32 bits (4 octets * 8) in the frame format for TCP/IP

Valid IP Address
 | Class A | Class B | Class C
Range of Network Numbers | 1.0.0.0 to 126.0.0.0 | 128.1.0.0 to 191.254.0.0 | 192.0.1.0 to 223.255.254.0
Network Addresses per Class | 2^7 - 2 (8-1 = 7) | 2^14 - 2 (16-2 = 14) | 2^21 - 2 (24-3 = 21)
Host Addresses per Network | 2^24 - 2 | 2^16 - 2 | 2^8 - 2
 Subnet Mask  shows the class (A/B/C/D/E) of the IP address
 Uses 32 bits (4 octets * 8) in the frame format for TCP/IP
 Calculated with the AND-gate: only ‘1 AND 1 = 1’
 Wildcard Mask is the inverse of the subnet mask, used to match the IP address

 | Class A | Class B | Class C
Size of Network Address | 8 bits | 16 bits | 24 bits
Subnet Mask | 255.0.0.0 | 255.255.0.0 | 255.255.255.0
Size of Host Address | 24 bits | 16 bits | 8 bits
Wildcard Mask | 0.255.255.255 | 0.0.255.255 | 0.0.0.255

Example Class B:
Subnet Mask 255.255.0.0 = 11111111.11111111.00000000.00000000
Wildcard Mask 0.0.255.255 = 00000000.00000000.11111111.11111111

Note: 11111111 = 128+64+32+16+8+4+2+1

Network Address = (IP Address) AND-gate (Subnet Mask)
Host Address = (IP Address) AND-gate (Wildcard Mask)
Network Address + Subnet Address = (IP Address) AND-gate (Subnet Mask)
Example Class C:
IP Address = 192.168.15.20, Subnet Mask = 255.255.255.0, Wildcard Mask = 0.0.0.255
Solve: Network Address = 11000000.10101000.00001111.00010100 AND-gate
11111111.11111111.11111111.00000000
= 11000000.10101000.00001111.00000000 or 192.168.15.0

Host Address = 11000000.10101000.00001111.00010100 AND-gate
00000000.00000000.00000000.11111111
= 00000000.00000000.00000000.00010100 or 0.0.0.20

Note: 11111111 = 128+64+32+16+8+4+2+1

 Subnet Address  increases the network address part, decreases the host address part
 Separates host address bits into the subnet address
 Subnet Zero = not used, conflicts with the Network Address!
 Subnet All-Ones = not used, conflicts with the Broadcast Address!

Valid IP Address With Subnet Address

Example: assume Host = 12 bits @ Class B
Network Addresses per Class | 2^18 - 2 ; (16-2)+(16-12) = 18
Host Addresses per Network | 2^12 - 2
Subnet Mask | 255.255.240.0 ; 16+(16-12) = 20 bits
; (11111111.11111111.11110000.00000000)
; (11111111 = 128+64+32+16+8+4+2+1)
 Broadcast Address  scope of the host network
 Matches the class network + inverse of the subnet mask

Example Class C:
Host Address = 192.168.10.1, Subnet Mask = 255.255.255.192
Solve: Host Address = 11000000.10101000.00001010.00000001 AND-gate
Subnet Mask = 11111111.11111111.11111111.11000000

Subnet Address = 11000000.10101000.00001010.00000000 or 192.168.10.0

Broadcast Address = 11000000.10101000.00001010.00111111 or 192.168.10.63

Current Host Address Range = 192.168.10.1 to 192.168.10.62

Note: 11111111 = 128+64+32+16+8+4+2+1


Private IP Address
Range of IP Address               Subnet Mask            Class of Network
10.0.0.0 to 10.255.255.255        255.0.0.0 or /8        A
172.16.0.0 to 172.31.255.255      255.255.0.0 or /16     B
192.168.0.0 to 192.168.255.255    255.255.255.0 or /24   C

Public IP Address
Range of IP Address               Class of Network
1.0.0.0 to 126.0.0.0              A
128.1.0.0 to 191.254.0.0          B
192.0.1.0 to 223.255.254.0        C

*Assigned by The Internet Assigned Numbers Authority (IANA)

*Reserved IP Addresses = 0.0.0.0, 127.0.0.0, 128.0.0.0, 191.255.0.0, 192.0.0.0, 223.255.255.0
Subnet Mask based on Class B
Subnet Mask        Mask bits   Maximum of Host Addresses
255.255.0.0        /16         65,534
255.255.128.0      /17         32,766
255.255.192.0      /18         16,382
255.255.224.0      /19         8,190
255.255.240.0      /20         4,094
255.255.248.0      /21         2,046
255.255.252.0      /22         1,022
255.255.254.0      /23         510
Subnet Mask based on Class C
Subnet Mask        Mask bits   Maximum of Host Addresses
255.255.255.255    /32         1
255.255.255.252    /30         2
255.255.255.248    /29         6
255.255.255.240    /28         14
255.255.255.224    /27         30
255.255.255.192    /26         62
255.255.255.128    /25         126
255.255.255.0      /24         254
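The AND-gate arithmetic from the subnet examples above, carried out in code as an added example (this is not code from the original slides). It works on raw 32-bit integers rather than the ipaddress module so that every step the slides describe (subnet mask, wildcard mask, network address, host part, broadcast address, usable host count) is visible, and it regenerates the "Mask bits -> Maximum of Host Addresses" tables. The /31 and /32 edge handling is an assumption added here to match the "1 host for /32" row of the Class C table.

```python
# Added example (not from the original slides): IPv4 subnet arithmetic done
# with the AND-gate rule from the slides, on plain 32-bit integers.

def ip_to_int(ip: str) -> int:
    """Pack dotted-quad text into a 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/20 -> 0xFFFFF000: 'prefix' leading 1-bits followed by 0-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def mask_to_prefix(mask: str) -> int:
    """255.255.240.0 -> 20. Rejects non-contiguous masks such as 255.0.255.0."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != prefix_to_mask(prefix):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix

def subnet_info(ip: str, mask: str) -> dict:
    """Network, wildcard, host part, broadcast, usable host range and count."""
    addr = ip_to_int(ip)
    m = ip_to_int(mask)
    prefix = mask_to_prefix(mask)
    wildcard = m ^ 0xFFFFFFFF          # inverse of the subnet mask
    network = addr & m                 # IP AND-gate subnet mask
    host_part = addr & wildcard        # IP AND-gate wildcard mask
    broadcast = network | wildcard     # network + all-ones host bits
    host_bits = 32 - prefix
    # Assumption for the edge cases: /31 and /32 have no separate network and
    # broadcast addresses to subtract (the slide table lists 1 host for /32).
    if host_bits >= 2:
        usable = (1 << host_bits) - 2
        first, last = network + 1, broadcast - 1
    else:
        usable = 1 << host_bits
        first, last = network, broadcast
    return {
        "prefix": prefix,
        "network": int_to_ip(network),
        "wildcard": int_to_ip(wildcard),
        "host_part": int_to_ip(host_part),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
        "usable_hosts": usable,
    }

def max_hosts_table(prefixes) -> list:
    """Regenerate the 'Mask bits -> Maximum of Host Addresses' rows."""
    rows = []
    for p in prefixes:
        info = subnet_info("0.0.0.0", int_to_ip(prefix_to_mask(p)))
        rows.append((f"/{p}", info["usable_hosts"]))
    return rows

if __name__ == "__main__":
    print(subnet_info("192.168.10.1", "255.255.255.192"))
    for row in max_hosts_table(range(16, 33)):
        print(*row)
```

Running it on the slide's own example (192.168.10.1 with 255.255.255.192) yields network 192.168.10.0, broadcast 192.168.10.63 and the host range .1 to .62; the non-contiguous mask check is the kind of input validation an access-list or firewall object editor should perform before a mask is ever applied.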
Network Security Overview
Scenarios of Network Security (building analogy):
  Door: Firewall, QoS
  CCTV: IDS/IPS
  Control Room: NMS
  Scanner/Guard: AAA/NAC
  Secure Transport: VPN


Basic security: Firewall
Firewall = "smart router acting as the gateway of the network"
Main Function:
• Deny all protocols & all ports, inbound (incoming) and outbound (outgoing)
• Detect & protect against any attack or dangerous behaviour by Access Rule!!

Type of Firewall:
1) Packet Filtering      Allows and denies packets only!
                         Access List (ACL) function of a Router/Layer 3 device:
                           router(config)#access-list 11 deny 161.246.20.0 0.0.0.255
                           router(config)#access-list 11 permit any
                           router(config)#interface fastethernet1
                           router(config-if)#ip access-group 11 in
2) Stateful Inspection   Tracks a state table of data flows
                         in formats such as TCP, UDP, ICMP
                         Reassembles fragmented data
                         High-speed firewall
3) Application Proxy     Uses Address Translation (NAT, PAT)
                         Works at Application Layer 7
                         Targets well-known ports/protocols
                         High security

Hybrid/Adaptive Firewall   Integrates Stateful Inspection + Application Proxy
                           Auto-selects the layer to work at
Firewall: Design = Design, Deploy, Manage, Assess and Optimization
2 Zones
• Non-Trust = WAN/Internet
= Public user/Guest
• Trust = LAN and Private user

3 Zones
• Non-Trust = WAN/Internet
= Public user/Guest
• Trust = LAN and Private user
• DMZ = Public Server
Firewall: Characteristic
• Software Firewall
  - Software + Server machine
  - Software + PC machine (Personal Firewall)
• Hardware Firewall (Appliance Box)
  - Normal Firewall = FW + VPN
  - UTM (Unified Threat Management) = FW + VPN + IPS + AV

Major Features:
• Mode of operation
  - Layer 2 Transparent mode
  - Layer 3 Route mode (NAT, PAT)
• VPN
  - Site-to-Site
  - Remote-to-Site
Firewall: Access Rules

NO. = Sequence of rules; the first sequence number has the highest priority
Source = Host Address, Group of Host Addresses, Network Address, Any
Destination = Host Address, Group of Host Addresses, Network Address, Any
Service = Port Number, Protocol
Action = Allow/Accept/Permit, Deny/Reject/Drop, Alert/Alarm/Notification
Track = Logging of Date Time/Source/Destination/Service/Action
Time = Time/Date details for which the rule applies to traffic
Firewall: Technique for setting up Access Rules
1) Sequence by queuing (FIFO): the first sequence number has the highest priority
2) Avoid overlapping or conflicting conditions
3) Place the general catch-all rule at the lowest priority (last in the sequence)
4) Allow only the conditions you intend
5) Allow the firewall admin's own access
6) Arrange the rule order accordingly
Firewall: Access Rules basic example
Objective:
- Private1 allows IT/Manager only
- DMZ allows any
- Deny Non-trust to Private area

No.  Source            Destination       Service  Action  Track  Time
1    192.168.1.50-60   192.168.1.10-20   Any      Allow   Log    Any
2    Any               Public Server     Any      Allow   Log    Any
3    Any               Private area      Any      Deny    None   Any
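The first-match evaluation and the "avoid overlap" technique from the rule-setup list, shown as an added example (this is not code from the original slides). The rule table mirrors the three-rule example above; the ranges are written out in full (192.168.1.50-192.168.1.60) and the "Public Server" and "Private area" objects are assumed here to be 203.0.113.0/24 and 192.168.0.0/16, which are constructed sample values. The shadow check reports a later rule that an earlier, broader rule makes unreachable, which is what a misordered catch-all rule looks like in practice.

```python
# Added example (not from the original slides): first-match access-rule
# evaluation plus a shadowed-rule check. All addresses are constructed.
from ipaddress import ip_address, ip_network

def scope_bounds(scope: str):
    """A rule scope is 'Any', a CIDR network, or an inclusive 'a.b.c.d-e.f.g.h'
    range. Return it as an integer (low, high) pair."""
    if scope == "Any":
        return 0, 0xFFFFFFFF
    if "-" in scope:
        lo, hi = (ip_address(s.strip()) for s in scope.split("-"))
        return int(lo), int(hi)
    net = ip_network(scope, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def in_scope(value: str, scope: str) -> bool:
    lo, hi = scope_bounds(scope)
    return lo <= int(ip_address(value)) <= hi

def service_matches(pkt: dict, service: str) -> bool:
    """service is 'Any' or 'proto/port' such as 'tcp/443' (port optional)."""
    if service == "Any":
        return True
    proto, _, port = service.partition("/")
    return pkt["proto"] == proto and (port == "" or int(port) == pkt["port"])

# Assumed object definitions: IT/Manager = 192.168.1.50-60, Private1 =
# 192.168.1.10-20, Public Server = 203.0.113.0/24, Private area = 192.168.0.0/16.
RULES = [
    {"no": 1, "src": "192.168.1.50-192.168.1.60", "dst": "192.168.1.10-192.168.1.20",
     "service": "Any", "action": "Allow", "track": "Log"},
    {"no": 2, "src": "Any", "dst": "203.0.113.0/24",
     "service": "Any", "action": "Allow", "track": "Log"},
    {"no": 3, "src": "Any", "dst": "192.168.0.0/16",
     "service": "Any", "action": "Deny", "track": "None"},
]

def evaluate(pkt: dict, rules=RULES):
    """Top-down, first match wins. Returns (rule_no, action, logged).
    No match -> implicit deny, and we log it so misses are visible."""
    for r in rules:
        if (in_scope(pkt["src"], r["src"]) and in_scope(pkt["dst"], r["dst"])
                and service_matches(pkt, r["service"])):
            return r["no"], r["action"], r["track"] == "Log"
    return None, "Deny", True

def covers(outer: str, inner: str) -> bool:
    olo, ohi = scope_bounds(outer)
    ilo, ihi = scope_bounds(inner)
    return olo <= ilo and ihi <= ohi

def service_covers(outer: str, inner: str) -> bool:
    return outer == "Any" or outer == inner

def shadowed_rules(rules):
    """Pairs (later_no, earlier_no) where the earlier rule's source,
    destination and service all contain the later rule's, so the later rule
    can never match: the overlap the slide says to avoid."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (covers(earlier["src"], later["src"]) and covers(earlier["dst"], later["dst"])
                    and service_covers(earlier["service"], later["service"])):
                found.append((later["no"], earlier["no"]))
    return found

if __name__ == "__main__":
    print(evaluate({"src": "192.168.1.55", "dst": "192.168.1.15", "proto": "tcp", "port": 22}))
    print(evaluate({"src": "198.51.100.7", "dst": "192.168.1.15", "proto": "tcp", "port": 22}))
    print(shadowed_rules(RULES))                            # [] - order is sound
    print(shadowed_rules([RULES[2], RULES[0], RULES[1]]))   # deny-all placed first shadows rule 1
```

With the deny rule moved to the top, `shadowed_rules` reports that rule 1 is unreachable; that is exactly the misordering the "catch-all rule at lowest priority" technique prevents.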
Basic security: Address Translation
Address Translation or NAT (Network Address Translation)
- Changes the Network Address between Private Addressing <-> Public Addressing
  by a fixed source Network Address

Private Addressing
- Personal IP address for use within the LAN/Intranet only
- Cannot be routed via the WAN/Internet

Public Addressing
- Public IP address (real IP address) used to communicate between
  WAN/Internet areas
- Can be routed across Network Addresses
Types of NAT Operation:
1) Static NAT (static assignment, basic NAT)
   - Maps Private IP and Public IP as a one-to-one address mapping
   - Separates services by fixed IP address
   - Consumes Public IPs!!
2) Dynamic NAT (dynamic assignment, basic NAT)
   - Dynamic/random mapping of Private IP to Public IP as many-to-many addresses
   - Protects against connections initiated from the outside
   - Limits concurrent sessions to the outbound or outside
3) Overloading NAT (NAPT: Network Address Port Translation)
   - Dynamic/random or fixed mapping of Private IP and Public IP for communication
   - Uses well-known ports (TCP/UDP/ICMP) for application services (WEB/FTP)
   - Saves public IPs; sessions are referenced by service port
   - Overloading NAT is well known as PAT or NAT/PAT
4) Overlapping NAT (Twice NAT)
   - Client & server at different locations using the same Private IP range (same broadcast ID)
   - Double NAT: a 1st NAT from Private IP to Private IP, then a 2nd NAT from
     Private IP to Public IP
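How Overloading NAT (PAT) lets many inside hosts share one public address, as an added example (not code from the original slides). The translation table keys inside sockets by (private IP, private port, protocol) and hands each one a distinct public port; return traffic is forwarded only if a mapping already exists, which is the "protects against outside-initiated connections" property listed under Dynamic NAT. The LAN 192.168.1.0/24, the public address 203.0.113.5 and the port pool are constructed sample values.

```python
# Added example (not from the original slides): a minimal NAPT/PAT table.
# 192.168.1.0/24 is the assumed private LAN, 203.0.113.5 the single public
# address; both are constructed sample values.
PUBLIC_IP = "203.0.113.5"

class PatTable:
    def __init__(self, public_ip=PUBLIC_IP, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port          # simple sequential allocator
        self.last_port = last_port
        self.out = {}    # (priv_ip, priv_port, proto) -> public_port
        self.back = {}   # (public_port, proto) -> (priv_ip, priv_port)

    def translate_outbound(self, src_ip: str, src_port: int, proto: str):
        """Inside -> outside: rewrite the source to (public_ip, allocated port).
        The same inside socket always reuses its existing mapping."""
        key = (src_ip, src_port, proto)
        if key not in self.out:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, proto)] = (src_ip, src_port)
        return self.public_ip, self.out[key]

    def translate_inbound(self, dst_port: int, proto: str):
        """Outside -> inside: forward only to an existing mapping; anything
        else has nowhere to go and is dropped (returns None)."""
        return self.back.get((dst_port, proto))

    def active_sessions(self) -> int:
        return len(self.out)

if __name__ == "__main__":
    t = PatTable()
    # Two inside hosts happen to pick the same source port; PAT keeps them apart.
    print(t.translate_outbound("192.168.1.10", 51000, "tcp"))   # ('203.0.113.5', 1024)
    print(t.translate_outbound("192.168.1.11", 51000, "tcp"))   # ('203.0.113.5', 1025)
    print(t.translate_inbound(1025, "tcp"))                     # ('192.168.1.11', 51000)
    print(t.translate_inbound(9999, "tcp"))                     # None: unsolicited, dropped
```

Real implementations also age mappings out (a session timeout) and randomise the allocated port; the sequential allocator here is only to keep the mapping visible.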
Basic security: QoS (Quality of Service)
QoS = Service for Voice/Video/Data applications
    = Management of Bandwidth / Delay & Jitter / Packet Loss
    = SLA (Service Level Agreement) as guaranteed BW.
Levels of QoS:
• Integrated Service -> Bandwidth first (end-to-end guarantee)
  such as Voice, Video, Data (all important)
• Differentiated Service -> Priority (Delay & Jitter) first (ingress guarantee)
  such as first-serve Voice, last-serve Internet
• Best-Effort Service -> Packet Loss first (no guarantee)
  such as WWW, FTP, E-mail
QoS Characteristic: Bandwidth
QoS Tool                    Effect
Compression                 Compress (TX) and uncompress (RX) data:
                            Header, Payload, or Header and Payload
CAC                         Protects concurrent Voice & Video calls
(Call Admission Control)
Queuing                     Reserves minimum bandwidth by type of packet

Bandwidth = Link speed in data communication
          = High bandwidth (>20 percent) is good
          = LAN -> Ethernet speed
          = WAN -> WAN speed
QoS Characteristic: Priority (Delay & Jitter)
QoS Tool              Effect
Queuing               Orders packets for delay-sensitive traffic
Link Fragmentation    Breaks large packets into small packets before sending
Compression           Compress (TX) and uncompress (RX) data:
                      Header, Payload, or Header and Payload
Traffic shaping       Artificially increases delay to reduce drops inside
                      a Frame Relay or ATM network
Delay  = Hold time to run some process
Jitter = Variation in delay, such as for RTP voice
       = Small Delay (<150ms) & Jitter (<30ms) is good
       = Fixed Delay & Jitter -> physical interface, link length / link speed
       = Variable Delay & Jitter -> queuing, forwarding, send-drop, ISP
QoS Characteristic: Packet Loss
QoS Tool     Effect
Queuing      Long queuing increases delay to avoid loss
RED          Drops some packets to slow down TCP connections
(Random Early Detection)
Packet Loss = Data frame with Header + Payload
            = Low packet loss (<1 percent) is good
            = Loss -> Header, Payload, Trailer
Traffic Characteristic: Voice
Voice format / Voice Codec

Voice Codec   Bit rate         Approx. BW. Ethernet (Header + Payload)
G.711         64 Kbps          87.2 Kbps
G.726         24/32 Kbps       47.2/55.2 Kbps
G.728         16 Kbps          31.5 Kbps
G.729         8 Kbps           31.2 Kbps
G.723.1       5.3/6.3 Kbps     20.8/21.9 Kbps

Voice Delay (1-way only)   Description
0-150 msec                 Acceptable
150-400 msec               Degraded
400 msec +                 Unacceptable
Traffic Characteristic: Video
Video = Voice + Video
      = Interactive two-way, such as video call (P2P), video conference (P2M)
      = Streaming one-way, such as IP-TV, video on demand

Video Codec        Bit rate               Resolution (pixels)
H.261              40 Kbps and 2 Mbps     176x144 and 352x288
MPEG-1             1.5 Mbps               352x240
MPEG-2/H.262       4 Mbps to 80 Mbps      352x288 to 1,920x1,152
H.263 V.2-V.3      20 Kbps to 12 Mbps     128x96 to 704x576
MPEG-4/H.264       256 Kbps to 960 Mbps   1,485x99 to 983,040x36,864

Voice + Video codec          Bit rate               Approx. BW. Ethernet (Header + Payload)
G.711 + H.263 @ Min. 128K    (87.2K)+(128K+20%)     >241 Kbps per one concurrent call
G.711 + H.264 @ Min. 256K    (87.2K)+(256K+20%)     >395 Kbps per one concurrent call
G.729 + H.263 @ Min. 128K    (31.2K)+(128K+20%)     >185 Kbps per one concurrent call
G.729 + H.264 @ Min. 256K    (31.2K)+(256K+20%)     >339 Kbps per one concurrent call
Traffic Characteristic: Data
Main Feature                      TCP    UDP
Uses port numbers                 Yes    Yes
Uses a window for flow control    Yes    No
Uses error recovery               Yes    No
Classification & Marking Packets (Priority Marking)
Marking = Original basic QoS
        = Class-based, with Queuing/Policy/Shaping methods
Marker              Preservation                  Range Value
IEEE 802.1P/Q CoS   Through LAN switch (L2)       4 values (0-3)
ISL Priority        Through LAN switch (L2)       8 values (0-7)
IP precedence       Through network (L3)          8 values (0-7)
DSCP                Through network (L3)          64 values (0-63)
Frame Relay DE      Through FR network            2 values (0-1)
ATM CLP             Through ATM network           2 values (0-1)
MPLS experimental   Through MPLS network          8 values
QoS group           Local to router               100 values (0-99)
Integrated Services (IntServ)
IntServ = Multiple services, but a specific type of service is reserved in the LAN before sending
        = Uses queuing, end-to-end, RSVP
Differentiated Services (DiffServ)
DiffServ = Multiple services for all types of service in the LAN before sending
         = Implemented with the 6-bit DSCP field (in the ToS byte of the IP header)
Layer 2 Marking: 802.1p, CoS
• 802.1p uses the priority from CoS
• Assigns a CoS value to each different traffic class
Layer 3 Marking: IP Precedence, DSCP
• IPv4 = 3 bits of ToS are IP Precedence
       = the other bits are unused
• DiffServ = 6 bits of ToS are the DSCP (DiffServ Code Point)
           = DSCP is backward compatible with IP Precedence (its top 3 bits)
           = the remaining 2 bits are used for flow control (ECN)
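The layout of the ToS/DS byte just described, packed and unpacked in code as an added example (not code from the original slides): DSCP occupies the top 6 bits, the legacy IP Precedence is simply the top 3 of those, and the low 2 bits are ECN. The `trust_boundary` function is an assumption added here to show the defensive use of marking: an edge port re-marks anything it is not allowed to carry back to best effort, so an end host cannot promote itself into the voice or control-plane class. The DSCP code point values are the standard AF/EF/CS ones; the 20-byte sample header is constructed.

```python
# Added example (not from the original slides): the IPv4 ToS/DS byte.
# DSCP names/values are the standard per-hop-behaviour code points; the
# sample header and the trust-boundary allow-list are constructed.

DSCP = {"BE": 0, "CS1": 8, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34,
        "CS5": 40, "EF": 46, "CS6": 48, "CS7": 56}

def tos_byte(dscp: int, ecn: int = 0) -> int:
    """DS byte = DSCP (6 bits) << 2 | ECN (2 bits)."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn

def split_tos(tos: int) -> dict:
    """Recover DSCP, the legacy IP Precedence view, ECN, and for Assured
    Forwarding code points the class and drop precedence."""
    dscp = tos >> 2
    cls, dp = dscp >> 3, (dscp >> 1) & 0b11     # top 3 bits == old Precedence
    is_af = 1 <= cls <= 4 and 1 <= dp <= 3 and dscp % 2 == 0
    return {"dscp": dscp, "ip_precedence": cls, "ecn": tos & 0b11,
            "af_class": cls if is_af else None,
            "drop_precedence": dp if is_af else None}

def mark_packet(pkt: bytearray, dscp: int) -> bytearray:
    """Rewrite the DS byte (IPv4 header byte 1) but preserve the existing
    ECN bits, as a router re-marking traffic into a class would."""
    ecn = pkt[1] & 0b11
    pkt[1] = tos_byte(dscp, ecn)
    return pkt

def trust_boundary(pkt: bytearray, allowed=("BE", "AF11", "AF21")) -> bytearray:
    """Assumed policy for an untrusted access port: a marking not on the
    allow-list (EF, CS6, ...) is reset to best effort before it enters the
    network, so an end host cannot claim voice or control-plane priority."""
    if split_tos(pkt[1])["dscp"] not in {DSCP[n] for n in allowed}:
        mark_packet(pkt, DSCP["BE"])
    return pkt

# Constructed minimal IPv4 header: version 4, IHL 5, DS byte 0, total length 20.
SAMPLE_HEADER = bytearray([0x45, 0x00, 0x00, 0x14] + [0] * 16)

if __name__ == "__main__":
    print(split_tos(tos_byte(DSCP["EF"])))            # EF shows as precedence 5
    print(split_tos(tos_byte(DSCP["AF31"], ecn=1)))   # class 3, drop precedence 1
    forged = mark_packet(bytearray(SAMPLE_HEADER), DSCP["EF"])
    print(trust_boundary(forged)[1])                  # 0: reset to best effort
```

Because the precedence bits are the top three bits of the DSCP, a router that only understands IP Precedence still sees EF (46) as precedence 5 and AF31 (26) as precedence 3, which is the backward compatibility the slide refers to.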
QoS tools by characteristic

Bandwidth:
  Compression: Payload compress, cRTP, cTCP
  CAC: Call Admission Control
  Queuing (Congestion Management): FIFO, PQ, CQ, WFQ, CBWFQ, LLQ, MDRR, CBQ, RTPQ, PVC PQ
  Traffic Policy & Shaping: CB policing, CB shaping, FRTS, GTS, CAR, CIR, CBS, EBS, LR

Priority (Delay & Jitter):
  Queuing (Congestion Management): FIFO, PQ, CQ, WFQ, CBWFQ, LLQ, MDRR, CBQ, RTPQ, PVC PQ
  Link Fragmentation: MLPPP LFI, FRF*, LFI & Interleave for FR/ATM
  Compression: Payload compress, cRTP, cTCP

Packet Loss:
  Queuing (Congestion Management): FIFO, PQ, CQ, WFQ, CBWFQ, LLQ, MDRR, CBQ, RTPQ, PVC PQ
  RED (Congestion Avoidance): RED, WRED, ECN, DAR

Compression method:
  cRTP (compressed RTP)
Queuing (Congestion Management) method:
  PQ (Priority Queuing)
Link Fragmentation method:
  LFI (Link Fragmentation and Interleaving)
Traffic Shaping method:
  FRTS (Frame Relay Traffic Shaping)
RED (Congestion Avoidance) method:
  WRED (Weighted Random Early Detection)
Basic security: IDS/IPS
IDS (Intrusion Detection System)
= Detects after traffic has entered the LAN network; passive system
= IDS cannot analyse encrypted packets

IPS (Intrusion Prevention System)
= Prevents before traffic enters the LAN network; reactive system
= Inline with the traffic flow (Network-based IPS)
= Prevents attacks in real time
= IPS can decode encrypted packets (Network-based IPS)
IDS/IPS: IDPS (Intrusion Detection and Prevention System)
IDPS = Uses intrusion detection to monitor events as they occur and analyse
       them for signs of possible incidents.
     = Uses intrusion prevention to perform intrusion detection and
       attempt to stop detected possible incidents.

Type of IDPS technology:
1) Network-Based IDPS
   • monitors network traffic for particular segments & analyses network
     activity to identify suspicious activity
2) Wireless IDPS
   • monitors wireless network traffic and analyses it to identify suspicious
     activity
3) Network Behavior Analysis (NBA) IDPS
   • examines network traffic to identify threats such as DDoS, malware
4) Host-Based IDPS
   • monitors the characteristics of a single host and its events for suspicious activity
Detection Method:
1) Signature-based
   • compares known threat signatures to observed events to identify incidents
   • cannot track or understand state or multiple related events
2) Anomaly-based detection
   • compares definitions of activity considered normal against observed
     events to identify significant deviations
3) Stateful protocol analysis
   • compares predetermined profiles of generally accepted definitions of benign
     protocol activity for each protocol state to identify deviations; cannot
     detect attacks that have no protocol characteristic
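The three detection methods run side by side over a handful of constructed events, as an added example (not code from the original slides). Each method catches something the others miss: the signature finds a known pattern in a decoded request, the anomaly check flags one source touching many ports inside a second (the baseline of "at most 2 ports per second" is an illustrative threshold, not a real tuning value), and the protocol check rejects a request line that is not valid HTTP even though no signature exists for it. The log lines, addresses and the single signature are all constructed sample data.

```python
# Added example (not from the original slides): signature-based, anomaly-based
# and stateful-protocol detection over constructed sample events.
import re
from urllib.parse import unquote

# Constructed events: (timestamp, src_ip, dst_port, proto, payload_excerpt)
EVENTS = [
    ("10:00:01", "198.51.100.7", 80,  "tcp", "GET /index.html HTTP/1.1"),
    ("10:00:02", "198.51.100.7", 80,  "tcp", "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1"),
    ("10:00:03", "203.0.113.9",  22,  "tcp", "SSH-2.0-OpenSSH_8.9"),
    ("10:00:03", "203.0.113.9",  23,  "tcp", ""),
    ("10:00:03", "203.0.113.9",  25,  "tcp", ""),
    ("10:00:03", "203.0.113.9",  53,  "tcp", ""),
    ("10:00:03", "203.0.113.9",  110, "tcp", ""),
    ("10:00:04", "198.51.100.7", 80,  "tcp", "GET /favicon.ico HTTP/1.0"),
    ("10:00:05", "192.0.2.44",   80,  "tcp", "FOO / HTTP/1.1"),
]

# 1) Signature-based: a known pattern, matched after URL-decoding so that
#    percent-encoding does not hide it from the rule.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
}

def signature_alerts(events):
    return [(ts, src, name) for ts, src, _, _, payload in events
            for name, rx in SIGNATURES.items() if rx.search(unquote(payload))]

# 2) Anomaly-based: compare against a baseline of normal behaviour. Assumed
#    baseline: one source touches at most `max_ports_per_second` distinct ports
#    within the same second (illustrative threshold).
def anomaly_alerts(events, max_ports_per_second=2):
    per_src_sec = {}
    for ts, src, port, _, _ in events:
        per_src_sec.setdefault((src, ts), set()).add(port)
    return [(ts, src, f"port-scan: {len(ports)} ports in 1s")
            for (src, ts), ports in per_src_sec.items()
            if len(ports) > max_ports_per_second]

# 3) Stateful protocol analysis: does the event fit the protocol's grammar?
#    No signature needed; an unknown method on port 80 is a violation.
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "CONNECT"}
HTTP_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.0|1\.1)$")

def protocol_alerts(events):
    out = []
    for ts, src, port, _, payload in events:
        if port != 80 or not payload:
            continue
        m = HTTP_LINE.match(payload)
        if not m or m.group(1) not in HTTP_METHODS:
            out.append((ts, src, f"http-protocol-violation: {payload[:20]!r}"))
    return out

def run_all(events):
    return {"signature": signature_alerts(events),
            "anomaly": anomaly_alerts(events),
            "protocol": protocol_alerts(events)}

if __name__ == "__main__":
    for method, alerts in run_all(EVENTS).items():
        print(method, alerts)
```

Note what each method cannot see: the signature engine is blind to the port sweep (no single event matches a pattern), the anomaly engine is blind to a single malicious request that fits the volume baseline, and the protocol engine accepts the injection attempt because it is syntactically valid HTTP. That is why the IDPS components below are normally deployed together.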
Major components of an IDPS:
1) Sensor or Agent
   • monitors and analyses
   • a sensor is used with the network, an agent is used with a host
2) Management Server
   • centralized device that receives information from sensors/agents, then analyses
     events, e.g. finding events triggered by the same IP address (correlation)
3) Database Server
   • repository for event information recorded by sensors/agents and the management server
4) Console
   • interface program for administrators and users
IDS/IPS Design: Inline Network-Based IDPS
IDS/IPS Design: Wireless IDPS
IDS/IPS Design: Network Behavior Analysis (NBA) IDPS
IDS/IPS Design: Host-Based IDPS
Basic security: VPN (Virtual Private Network)
VPN = An encrypted or encapsulated communication process that transfers data
      from one point to another through the Internet/WAN

VPN types:
  Remote Access
    - Access VPN
  Site to Site
    - Intranet VPN
    - Extranet VPN

VPN by initiator / layer:
  Client Initiated:  PPTP, L2TP, IPSec, PPP, SSL
  ISP Initiated:     PPTP, L2TP, IPSec, L2F, SSL
  Layer 2 VPN:       PPTP, L2F, L2TP
  Layer 3 VPN:       IPSec, GRE
VPN: Characteristic
• Firewall-based VPNs (software or hardware)
• Hardware-based VPNs (hardware)
• Standalone VPN application (software)

VPN: Advantages
• Working via the Internet to the LAN/office
• Remote admin to public servers
• Using legacy systems that send plain text, such as banks, hospitals, insurance etc.
• Protects against sniffing within the LAN/office (encrypted data)
• Specific to the TCP/IP protocol between IP networks (NetBIOS/IPX/SNA are limited)
VPN: Authentication
• Password-based authentication
• Certificate-based authentication (exchange of certificates)

VPN: Client Authentication Protocols
• PAP (Password Authentication Protocol)
• CHAP (Challenge Handshake Authentication Protocol)
• MS-CHAP version 1, 2
VPN: User Authentication Server
• Internal authentication -> VPN concentrator
• External authentication -> RADIUS, SecurID, LDAP

VPN: Encryption Client to Site
• PPTP -> MS Point-to-Point Encryption
• L2TP -> IPSec
• IPSec -> ESP, AH
Type of VPN Tunnel: Remote-to-Site (Access VPN)
Remote to Host = restricted to the host only
Remote to LAN = unrestricted to any
Type of VPN Tunnel: Site-to-Site
Basic security: AAA/NAC
AAA = Authentication -> identity and credential
      such as password, digital certificate, phone number.
    = Authorization -> allow or deny privileged services
      such as IP address, QoS, tunneling, encryption.
    = Accounting -> track consumption of network resources by user
      such as information, service, start, end, billing.
Type of AAA Protocol:
RADIUS = Remote Authentication Dial In User Service
Diameter = upgrade from RADIUS, for Mobile IP
TACACS = Terminal Access Controller Access-Control System

Authentication Method:
PAP = Password Authentication Protocol
CHAP = Challenge-Handshake Authentication Protocol
EAP = Extensible Authentication Protocol
PEAP = Protected Extensible Authentication Protocol
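CHAP, listed here under the AAA authentication methods and earlier under the VPN client authentication protocols, shown as a complete challenge/response exchange with both sides in one script (an added example, not code from the original slides). It follows the MD5 variant of RFC 1994: the authenticator sends a random challenge, the peer answers with MD5(identifier || secret || challenge), and the secret itself never crosses the link, which is the property that distinguishes CHAP from PAP. The user name, secret and database are constructed sample values; the constant-time comparison and the one-use challenge are the two details a practitioner should not leave out.

```python
# Added example (not from the original slides): the CHAP exchange (RFC 1994,
# MD5 variant) with authenticator and peer in one script. The user database
# and secret are constructed sample values.
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response = MD5(Identifier || secret || challenge). Only this digest is
    sent over the link; the secret stays on both ends."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Server side: issues a fresh random challenge, then verifies the reply."""
    def __init__(self, user_db: dict):
        self.user_db = user_db     # username -> shared secret (bytes)
        self.pending = {}          # identifier -> outstanding challenge

    def challenge(self, identifier: int, length: int = 16) -> bytes:
        chal = os.urandom(length)  # unpredictable, so a captured reply is useless later
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # one challenge, one answer
        secret = self.user_db.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare

class Peer:
    """Client side: knows only its own secret."""
    def __init__(self, username: str, secret: bytes):
        self.username, self.secret = username, secret

    def answer(self, identifier: int, challenge: bytes):
        return self.username, chap_response(identifier, self.secret, challenge)

def run_exchange(server: Authenticator, peer: Peer, identifier: int = 1) -> bool:
    """Challenge -> Response -> Success/Failure, as on a PPP or VPN link."""
    chal = server.challenge(identifier)
    name, resp = peer.answer(identifier, chal)
    return server.verify(identifier, name, resp)

if __name__ == "__main__":
    srv = Authenticator({"alice": b"constructed-secret"})
    print(run_exchange(srv, Peer("alice", b"constructed-secret")))  # True
    print(run_exchange(srv, Peer("alice", b"wrong-secret")))        # False
```

Because the challenge is consumed on first use, replaying a captured response fails; and because the response is a one-way hash, the authenticator must store the cleartext secret, which is the usual argument for moving from CHAP to certificate-based methods such as EAP-TLS.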
Authorization Method:
1) User/ACL
2) Account Group/ACL
3) Account Group/Resource Group
4) Role-based

Accounting Method:
1) none
2) start-stop
3) stop-only
4) wait-start
RADIUS Server Return Messages
• Access-Reject
• Access-Challenge
• Access-Accept

RADIUS Server
• Uses port 1812 for authentication
• Uses port 1813 for accounting
• Stores accounting information in a file or database

Authentication: EAP Methods
EAP-MD5, LEAP, EAP-TLS, EAP-TTLS
IEEE 802.1X port-based authentication system layering
Message flows between Supplicant <--> Authenticator
and Authenticator <--> Authentication Server
Example RADIUS for WLAN (diagram: Supplicant, Authenticator, Authentication Server with numbered message steps)
NAC = Network Access Control or Network Admission Control
• Detect       : Detect & identify new devices connecting to the network;
                 check AntiVirus, Spyware, Personal FW, OS patches;
                 put into the Quarantine area (clean and update everything)
• Authenticate : Authenticate users and devices
• Assess       : Assess end-system compliance & vulnerability
• Authorize    : Authorize network use based on authentication & assessment;
                 move to the Production area (separated by policy)
• Monitor      : Monitor users & devices once connected to the network
• Contain      : Quarantine problem end systems & users
• Remediate    : Remediate problems with end systems & users
Technique methods for authenticating end systems and/or users:
1) 802.1X port-based authentication (via RADIUS)
2) MAC-based authentication (via RADIUS)
3) Web-based authentication
4) Static port/MAC configuration
5) Dynamic port/MAC configuration (SNMP)
6) Kerberos snooping
Example NAC in Scenario: Wired LAN (VLAN=Quarantine, VLAN=Production)
Example NAC in Scenario: Wireless LAN (VLAN=Quarantine, VLAN=Production)
Example NAC in Scenario: Remote VPN client
Basic security: NMS (Network Management System)
NMS -> for Wired (Switch/Router), WLAN, FW, NAC-IPS, DHCP, Log,
Storage...
1) Centralized management (console for all devices)
2) Monitoring management (Status/Alive/Physical Layer)
3) Configuration management (Setup/Deploy/Backup/Restore)
4) Provisioning management (TFTP server by policy/configuration)
5) Fault management (Alert/Notification of any Alarm)
6) Log management (keep/show details of any events)
7) Utilization management (summary of traffic/performance/billing)
8) Reporting management (summary graph/text over many time ranges)
Vendor Example:
HP-OpenView, Cisco-Works, 3COM-Transcend, Nortel-Optivity
Enterasys-NetSight, SUN-Net Manager, H3C-iMC
Example NMS in Scenario: management for Switch-Router
Storage System Overview
Storage System
Storage System = Keeps & maintains data
               = Hardware for backup & redundant data
               = Software for backup & restore of data

Typical storage methods:
Internal Storage : Hard Disk Drive (installed within the PC/Server)
External Storage : DAS, NAS, SAN (installed outside the PC/Server)
Accessories      : Floppy Disk Drive, CD-ROM, DVD-ROM, Flash Drive
Internal Storage
HDD = Hard Disk Drive
• Dimension size, capacity, RPM, buffer, warranty, cost

HDD Technology
  Parallel: PATA/IDE/ATA, SCSI
  Serial:   SATA, SAS, FC
IDE (Integrated Drive Electronics)
ATA (Advanced Technology Attachment)
PATA (Parallel ATA)

Technology of Interface      Data Transfer
ATA4, ATA/33, UDMA/33        33 MB/s (264 Mbps)
ATA5, ATA/66, UDMA/66        66 MB/s (528 Mbps)
ATA6, ATA/100, UDMA/100      100 MB/s (800 Mbps)
ATA7, ATA/133, UDMA/133      133 MB/s (1,064 Mbps)
ATA cable: 40, 80 pin
SCSI (Small Computer System Interface)
Technology of Interface      Data Transfer
Ultra160 SCSI                160 MB/s (1,280 Mbps)
Ultra320 SCSI                320 MB/s (2,560 Mbps)
Ultra640 SCSI                640 MB/s (5,120 Mbps)
SATA (Serial ATA)
SAS (Serial Attached SCSI)
Technology of Interface      Data Transfer
SATA 1.5Gbps                 187.5 MB/s (1,500 Mbps)
SATA 3Gbps                   375 MB/s (3,000 Mbps)
SATA 6Gbps                   600 MB/s (4,800 Mbps)
SAS                          375 MB/s (3,000 Mbps)
SAS2                         750 MB/s (6,000 Mbps)
FC (Fibre Channel)
FC Technology                Data Transfer
1GFC                         106.25 MB/s (850 Mbps)
2GFC                         212.5 MB/s (1,700 Mbps)
4GFC                         425 MB/s (3,400 Mbps)
8GFC                         850 MB/s (6,800 Mbps)
10GFC                        1,000 MB/s (8,000 Mbps)
(Connector comparison diagram: FC, SAS, SCSI)
RAID = Redundant Array of Independent Disks
RAID Technology   Advantage                                                Minimum HDD
RAID 0            Striped Disk Array without Fault Tolerance               2
RAID 1            Mirroring & Duplexing                                    2
RAID 0+1          High Data Transfer Performance                           4
RAID 3            Parallel Transfer with Parity                            3
RAID 5            Independent Data Disks with Distributed Parity Blocks    3
RAID 0
Advantages    : High Read, High Write
Disadvantages : No real RAID, no security, not suited to critical applications

RAID 1
Advantages    : High Security as A/A or A/S
Disadvantages : Low Read, Low Write

RAID 0+1
Advantages    : High Read, High Write, High Security as A/A or A/S
Disadvantages : High cost

RAID 3
Advantages    : High Read, High Write, High Security by single Parity
Disadvantages : High cost

RAID 5
Advantages    : High Read, Medium Write, High Security by distributed Parity
Disadvantages : High cost
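What "distributed parity" in the RAID 5 row actually means, as an added example (not code from the original slides): each stripe holds n-1 data blocks and one XOR parity block, the parity block's disk rotates with every stripe, and when one disk fails every missing block (data or parity) is recovered as the XOR of the other n-1 blocks in its stripe. The payload, stripe geometry (4 disks, 4-byte blocks) and the assumed parity rotation are constructed for illustration; real controllers use much larger blocks and the same arithmetic.

```python
# Added example (not from the original slides): RAID 5 striping with
# rotating XOR parity and rebuild of one failed disk. Data and geometry
# are constructed sample values.

def xor_blocks(blocks):
    """Bytewise XOR of equal-length blocks: the parity of a stripe."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)

def parity_disk_for(stripe: int, n_disks: int) -> int:
    """Assumed rotation: parity moves one disk to the left per stripe
    (left-asymmetric layout), so no single disk holds all the parity."""
    return (n_disks - 1 - stripe) % n_disks

def raid5_write(data: bytes, n_disks: int, block_size: int):
    """Split data into stripes of (n_disks - 1) data blocks + 1 parity block.
    Returns disks[d][s] = the block of stripe s stored on disk d."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least 3 disks")
    data_per_stripe = (n_disks - 1) * block_size
    data += b"\x00" * ((-len(data)) % data_per_stripe)   # pad the last stripe
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // data_per_stripe):
        chunk = data[s * data_per_stripe:(s + 1) * data_per_stripe]
        blocks = [chunk[i:i + block_size] for i in range(0, data_per_stripe, block_size)]
        parity = xor_blocks(blocks)
        pd = parity_disk_for(s, n_disks)
        it = iter(blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == pd else next(it))
    return disks

def raid5_rebuild(disks, failed: int):
    """Reconstruct the failed disk from the survivors: every block in a
    stripe equals the XOR of the other n-1 blocks, parity included."""
    n_stripes = len(disks[(failed + 1) % len(disks)])
    return [xor_blocks([disks[d][s] for d in range(len(disks)) if d != failed])
            for s in range(n_stripes)]

def raid5_read(disks, block_size: int, length: int) -> bytes:
    """Read data back in logical order, skipping each stripe's parity block."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        pd = parity_disk_for(s, n_disks)
        for d in range(n_disks):
            if d != pd:
                out += disks[d][s]
    return bytes(out[:length])

if __name__ == "__main__":
    payload = b"RAID5 distributes parity across all disks."   # constructed
    disks = raid5_write(payload, n_disks=4, block_size=4)
    disks[2] = None                              # disk 2 fails
    disks[2] = raid5_rebuild(disks, failed=2)    # rebuild from the other three
    print(raid5_read(disks, 4, len(payload)))
```

The rebuild reads every surviving disk in full, which is why a second failure during a long rebuild of large drives loses the array; that window is the argument for RAID 6 or for keeping the backup-and-restore software described below.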


External Storage
Connecting method:
  DAS  Direct attach to Server
  NAS  Connect via Hub/Switch (LAN)
  SAN  Connect via SAN switch (Fibre switch)
DAS (Direct Attached Storage)
Attached Cable
• Parallel, Serial, USB, IEEE1394 (FireWire), eSATA, Fiber Optic
Bus Controller
• ISA, PCI, RAID controller, Host Bus Adapter
NAS (Network Attached Storage)
LAN Cable
• Twisted Pair, Fiber Optic
Bus Controller
• LAN Card, NIC Card
SAN (Storage Area Network)
• SAN via Fiber Optic
• SAN via Copper (iSCSI)
• Protocol Support: FCP, NFS, CIFS, iSCSI
Storage Media
Vendor Example: NetApp, Quantum, HP, IBM, SUN

• Tape Backup
  Tape Backup (Manual), Auto Loaders (Semi Robot), Tape Library (Robot Slot)
  DLT/LTO = critical business, high capacities up to 1,600GB (compressed)
  DDS/DAT/Travan = SME business, capacities up to 40-160GB (compressed)
• Disk Backup
  Disk-Based backup
  - RAID
  - Redundant & HotSwap
  - Max. disks up to 504 drives (mixed SATA/FC)
  - Max. capacity up to 504TB
Software for Backup & Restore
Vendor Example:
Symantec-Backup Exec, CA-ARCserve, IBM-Tivoli, EMC-AlphaStor

Main Features of Software for Backup & Restore:
• Data compression & encryption for backup
• Scheduled backup by time & date
• Backup methods: Full/Incremental/Differential
• Backup of open files & closed files
• Local & remote backup
• Backup site or DR (Disaster Recovery) site for recovery of the centre site
Accessories
USB
IEEE 1394 (FireWire/i-Link/Lynx)
eSATA
Interface      Data Transfer
USB 1.1        12 Mbps
USB 2.0        480 Mbps
USB 3.0        4,800 Mbps
IEEE 1394a     98/196/393 Mbps
IEEE 1394b     786/1,573 Mbps
eSATA          2,400 Mbps
Operating System Overview
Operating System
OS : Manages resources for each application running on the computer
Basic OS Features
- User interface
- Control of devices
- Resource management
NOS : Manages communication with the network and network resources

Basic NOS Features
- File and printer services
- Management services
- Security services
- Internet/intranet services
- Multiprocessing and clustering services
Example of NOS
• Microsoft Windows Server
  - Microsoft Windows Server 2003
• Novell Netware
  - Netware 6.5
• Unix
  - Sun Solaris
  - IBM AIX
  - HP-UX
• Linux
  - Redhat Enterprise Linux
  - Debian Linux
  - Fedora Linux
  - Suse Linux
• Mac OS X Server
  - Mac OS X Leopard Server

Microsoft Windows Server (NT Family)
Technical Information

Creator : Microsoft
Processor supported : Intel, AMD
Computer architecture supported : x86, x86-64, IA-64
File system supported : NTFS, FAT
Kernel type : Hybrid
Package management : MSI, custom installers
Update management : Windows Update
Native API : Win32, NT API
Resource access control : ACLs, Privileges, RBAC
Integrated firewall : Windows Firewall, IPsec, TCP/IP Filtering
Encrypted file system : Yes
Versions : Windows NT, Windows 2000 Server, Windows 2003 Server, Windows 2008 Server
(Latest version)
Directory Service : Active Directory Service
Multiprocessing : 8 CPU
Cluster Nodes : 16 Nodes
Maximum Memory : 64 GB
Max file system size : 2 TB
Sun Solaris
Technical Information
Creator : Sun
Processor supported : Sparc, Intel, AMD
Computer architecture supported : x86, x86-64, Sparc
File system supported : NFS, ZFS
Kernel type : Monolithic with modules
Package management : SysV package (pkg)
Update management : Sun connection
Native API : SysV, POSIX, GTK
Resource access control : Unix, RBAC, ACLs, Privileges, Trusted Extension
Integrated firewall : IP filter, JASS
Encrypted file system : Yes
Versions : Solaris 8, Solaris 9, Solaris 10 (Latest version)
Directory Service : Sun Directory Service
Multiprocessing : 64 CPU
Cluster Nodes : 4 Nodes
Maximum Memory : 64 GB
Max file system size : 4 TB
Redhat Enterprise Linux
Technical Information
Creator : Linus Torvalds, Redhat
Processor supported : Sparc, Intel, AMD, Alpha, PowerPC
Computer architecture supported : x86, x86-64, Sparc, Alpha, PPC
File system supported : ext2, ext3, ReiserFS
Kernel type : Monolithic with modules
Package management : rpm
Update management : yum, apt-get
Native API : POSIX, LSB, GTK
Resource access control : Unix, ACLs, MAC
Integrated firewall : Net Filter, IPtables
Encrypted file system : Yes
Versions : Redhat Enterprise AS, Redhat Enterprise ES
Directory Service : Open LDAP
Multiprocessing : 8 CPU
Cluster Nodes : 16 Nodes
Maximum Memory : 4 GB
Max file system size : 4 TB
Server System in scenario (diagram: NOS at the centre with DNS, FTP, WEB, E-Mail and DHCP servers)
Domain Name System (DNS)
Hierarchical naming for computers, services, or any resource participating in the Internet.
DNS serves as the "phone book" for the Internet by translating human-friendly hostnames into
IP addresses.
Parts of the Domain Name System
• Name Resolvers/DNS Resolvers
• Domain Name Space
• Name Server/DNS Server
DNS Structure
• Root Domain
• Top-Level Domain
• Second-Level Domain
Types of DNS Server
• Primary Name Server
• Secondary Name Server (for redundancy, distribution and load balancing)
• Master Name Server
• Forwarders and Slaves
• Caching-Only Name Server

Address resolution mechanism
1) The local system is pre-configured with the known addresses of the root servers in a file of root hints,
   which need to be updated periodically by the local administrator from a reliable source to be kept up to
   date with the changes which occur over time.
2) Query one of the root servers to find the server authoritative for the next level down (so in the case
   of our simple hostname, a root server would be asked for the address of a server with detailed
   knowledge of the example top-level domain).
3) Query this second server for the address of a DNS server with detailed knowledge of the
   second-level domain.
4) Repeat the previous step to progress down the name, until the final step which would, rather than
   generating the address of the next DNS server, return the final address sought.
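The four-step walk above, simulated end to end as an added example (not code from the original slides). A constructed in-memory name tree stands in for the root, TLD and authoritative servers (server names and the 192.0.2.x / 198.51.100.x addresses are documentation-range sample values, not real infrastructure); the resolver starts from its root hints and follows referrals one level at a time until a server returns an answer or says the name does not exist. The hop limit is an assumption added so that a broken or malicious delegation loop cannot keep the resolver busy forever.

```python
# Added example (not from the original slides): iterative resolution from
# root hints over a constructed name tree. All servers/addresses are sample values.

ROOT_HINTS = {"a.root.example.": "192.0.2.1"}   # the resolver's pre-configured list (step 1)

# Each server knows either delegations (child zone -> child server address)
# or final A records. Constructed data.
ZONES = {
    "192.0.2.1": {"delegations": {"example.": "192.0.2.2"}},           # root server
    "192.0.2.2": {"delegations": {"corp.example.": "192.0.2.3"}},      # TLD-level server
    "192.0.2.3": {"records": {"www.corp.example.": "198.51.100.10",    # authoritative
                              "mail.corp.example.": "198.51.100.25"}},
}

def query(server_ip: str, name: str):
    """Ask one server about 'name'. Returns ('answer', ip), ('referral', ip)
    or ('nxdomain', None): the three outcomes of an iterative query."""
    zone = ZONES[server_ip]
    if name in zone.get("records", {}):
        return "answer", zone["records"][name]
    best = None                       # longest matching delegation wins
    for suffix, child_ip in zone.get("delegations", {}).items():
        if name == suffix or name.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, child_ip)
    if best:
        return "referral", best[1]
    return "nxdomain", None

def resolve(name: str, max_hops: int = 8):
    """Steps 1-4: start at a root server, follow referrals down the tree,
    stop when a server returns the final address. Returns (ip, trail)."""
    if not name.endswith("."):
        name += "."
    server = next(iter(ROOT_HINTS.values()))
    trail = [server]
    for _ in range(max_hops):        # bound the walk: no endless referral loops
        kind, value = query(server, name)
        if kind == "answer":
            return value, trail
        if kind == "nxdomain":
            return None, trail
        server = value               # step 4: repeat one level further down
        trail.append(server)
    raise RuntimeError("referral loop or too many hops")

if __name__ == "__main__":
    print(resolve("www.corp.example"))        # ('198.51.100.10', [root, tld, auth])
    print(resolve("nothere.corp.example"))    # (None, [...]): authoritative server says no
```

A real recursive resolver would also cache each referral and answer for its TTL, which is why a poisoned or stale cache entry affects every later query for that zone.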
DNS Query Type
• Recursive
• Iterative
• Inverse
Zone
• Forward Lookup zone
• Reverse Lookup zone
Types of zone record
• SOA
• NS
• A
• PTR
• CNAME
• MX
Dynamic Host Configuration Protocol (DHCP)
Provides comprehensive TCP/IP configuration data, allows hosts to obtain TCP/IP data
from a server and adds dynamic address assignment.

DHCP supported IP address allocation types
• Permanent fixed
  - Allows use of a static IP address
  - Useful for server hosts whose IP address should not change
• Manual allocation
  - IP allocation based on the Ethernet/Token Ring physical address
  - Useful for clients that must use BOOTP
• Automatic allocation
  - Long-term, permanent IP address allocation
• Dynamic allocation
  - Short-term allocation: a lease
  - Most commonly used form of allocation

DHCP Dynamic Allocation vs. DNS
• Dynamic IP address allocation creates problems for DNS
  - Hostname, A records, PTR records
• Updates to DNS attempt to solve the problem
  - Dynamic DNS (DDNS)
  - DHCP server notifies the DDNS system of new information
DHCP Client/Server Conversation Messages
• DHCPDISCOVER
• DHCPOFFER
• DHCPREQUEST
 DHCPACK/DHCPNAK
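The four-message conversation listed above (DISCOVER, OFFER, REQUEST, ACK or NAK), run against a tiny dynamic-allocation pool as an added example (not code from the original slides). It shows the lease as a short-term allocation that expires and returns to the pool, and the NAK path when a client requests an address it was never offered. MAC addresses, the pool and the lease time are constructed sample values; the injectable clock exists only so expiry can be demonstrated without waiting.

```python
# Added example (not from the original slides): DHCP DORA exchange with a
# small dynamic lease pool. MACs, addresses and times are constructed.
import time

class DhcpServer:
    def __init__(self, pool, lease_seconds=3600, clock=time.time):
        self.free = list(pool)          # dynamic allocation pool
        self.leases = {}                # mac -> (ip, expiry)
        self.offers = {}                # mac -> ip offered but not yet confirmed
        self.lease_seconds = lease_seconds
        self.clock = clock

    def _expire(self):
        """Short-term leases that ran out go back to the pool."""
        now = self.clock()
        for mac, (ip, exp) in list(self.leases.items()):
            if exp <= now:
                del self.leases[mac]
                self.free.append(ip)

    def handle(self, msg: dict) -> dict:
        """msg = {'type': ..., 'mac': ..., 'requested_ip': optional}"""
        self._expire()
        mac, kind = msg["mac"], msg["type"]
        if kind == "DHCPDISCOVER":
            if mac in self.leases:              # renewing client keeps its address
                ip = self.leases[mac][0]
            elif mac in self.offers:            # repeated DISCOVER: same offer
                ip = self.offers[mac]
            elif self.free:
                ip = self.free.pop(0)
                self.offers[mac] = ip           # reserved until REQUEST or cleanup
            else:
                return {"type": "NONE", "reason": "pool exhausted"}
            return {"type": "DHCPOFFER", "mac": mac, "ip": ip, "lease": self.lease_seconds}
        if kind == "DHCPREQUEST":
            want = msg.get("requested_ip")
            ok = (self.offers.get(mac) == want
                  or (mac in self.leases and self.leases[mac][0] == want))
            if not ok:                          # never offered to this client
                return {"type": "DHCPNAK", "mac": mac}
            self.offers.pop(mac, None)
            self.leases[mac] = (want, self.clock() + self.lease_seconds)
            return {"type": "DHCPACK", "mac": mac, "ip": want, "lease": self.lease_seconds}
        return {"type": "NONE", "reason": "unsupported message"}

def run_dora(server: DhcpServer, mac: str):
    """Client side of the exchange; returns the ACKed address or None."""
    offer = server.handle({"type": "DHCPDISCOVER", "mac": mac})
    if offer["type"] != "DHCPOFFER":
        return None
    ack = server.handle({"type": "DHCPREQUEST", "mac": mac, "requested_ip": offer["ip"]})
    return ack["ip"] if ack["type"] == "DHCPACK" else None

if __name__ == "__main__":
    srv = DhcpServer(["192.168.1.100", "192.168.1.101"])
    print(run_dora(srv, "02:00:00:00:00:01"))   # 192.168.1.100
    print(run_dora(srv, "02:00:00:00:00:02"))   # 192.168.1.101
    print(run_dora(srv, "02:00:00:00:00:03"))   # None: pool exhausted
```

Note that nothing in the exchange authenticates the server: any host on the segment can answer a DISCOVER, which is why switches offer DHCP snooping to restrict OFFER/ACK messages to trusted ports.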
Web Server
A computer program that is responsible for accepting HTTP requests from web clients,
which are known as web browsers, and serving them HTTP responses along with optional
data content, which usually is web pages such as HTML documents and linked objects
(images, etc).

Common features
• HTTP
• Logging
• Authentication
• HTTPS (supported by SSL or TLS)
• Content compression
• Virtual hosting
• Large file support
• Bandwidth throttling

HTTP Request message
• Request line, such as GET /images/logo.gif HTTP/1.1
• Headers
• An optional message body

HTTP Request Methods
• HEAD
• GET
• POST
• PUT
• DELETE
• TRACE
• OPTIONS
• CONNECT

Market structure of Web Server Applications
Vendor      Product    Web sites hosted   Percent
Apache      Apache     91,068,713         50.24%
Microsoft   IIS        62,364,634         34.4%
Google      GWS        10,072,687         5.56%
Lighttpd    Lighttpd   3,095,928          1.71%
Nginx       nginx      1,938,953          1.41%

Electronic Mail (E-Mail)
• Uses SMTP (Simple Mail Transfer Protocol) to send and receive mail messages; mail client
  applications typically only use SMTP for sending messages to a mail server.
• Uses POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) for mail clients to access
  their mailbox account on a mail server.
File Transfer Protocol (FTP)
Network protocol over TCP used to transfer data from one computer to another through
a network such as a LAN or the Internet.

Types of FTP Connection Method
• Active mode
  The client opens a dynamic port and sends that port to the FTP server with the PORT command; the
  FTP server then initiates the data connection from its port 20 to the client's port.
• Passive mode
  The FTP server opens a dynamic port and sends its IP address and port to the client, which connects
  to it; in this mode the client sends the PASV command to the FTP server.
Basic Networking Design
Hierarchical Design
Core/Backbone switch layer
  Highest speed, full redundancy, full hot-swap, 24x7
Distribution/Edge/Aggregation switch layer
  High speed, full feature set, routing, high scalability of physical ports
Access switch layer
  Normal speed (10/100Mbps), basic equipment, 8x5, lowest cost
Main Design for Data Communication Network:
1) Fault Tolerance & Availability
   • Percentage of UP time (lowest DOWN time)
   • HA (High Availability) such as A/A, A/P, A/S
   • Redundancy such as Spanning Tree, link backup
   • Apply to PCs, servers, network equipment

2) Scalability & Adaptability
   • Support more physical ports (network connections)
     such as copper, fiber optic for PC/Server, WAN (Internet/Extranet);
     needs a modular chassis to add LAN modules, WAN modules etc.
   • Support future features (new functions or value-added features)
     such as IPv6, QoS, VPN, Firewall, VoIP, WLAN, PoE etc.;
     needs only an OS/Firmware/Patch/Memory upgrade (no equipment replacement!!)
3) Performance & QoS
   • Network performance such as Bandwidth/Speed, Utilization,
     Throughput/Efficiency, Delay/Latency, Response time
   • SLA (Service Level Agreement) such as QoS, bandwidth management:
     Platinum/Gold/Bronze bandwidth guarantee levels

4) Security & Customized Policy
   • Support security on inbound (incoming) and outbound (outgoing) traffic;
     must detect & protect everything, with e.g. Firewall, IDS, IPS, NAC, VPN etc.
   • Support customized policy (any change or anything)
     Internet security such as AntiVirus, AntiSpyware, Personal FW etc.
     Server farm such as Mail/File/DNS/FTP/WEB/Public/Database etc.
     Value-added features such as WLAN, VoIP, PoE etc.
Example Network Design: Fault Tolerance & Availability
Example Network Design: Scalability & Adaptability
Example Network Design: Performance & QoS
Example Network Design: Security & Customize Policy
