Data communication
Chapter One

Device Configuration
1. Configuration Wizard
While the configuration wizard is an easy way to display complex configuration options, it does
rely on the user having a basic understanding of the software component.

Network Devices

Computer networking devices are units that mediate data in a computer network and are also
called network equipment. Units that are the last receiver or generate data are called hosts or data
terminal equipment.

Network Models

The Open Systems Interconnection (OSI) model was developed by the International Organization
for Standardization (ISO) and was first introduced in the late 1970s. It is a model for a computer
protocol architecture and a framework for developing protocol standards. It is an ISO standard that
covers all aspects of network communications.

OSI Model

The OSI Model (Open Systems Interconnection Model) is a conceptual framework used to
describe the functions of a networking system. The OSI model characterizes computing
functions into a universal set of rules and requirements in order to support interoperability
between different products and software. It comprises seven layers.

Advantages:

 Network communication is broken into smaller, more manageable parts.
 Allows different types of network hardware and software to communicate with each
other.
 All layers are independent and changes do not affect other layers.
 Easier to understand network communication.

Why layered communication?

 To reduce the complexity of the communication task by splitting it into several small,
layered tasks
 Assists in protocol design
 Changes in one layer do not affect other layers
 Provides a common language

OSI Model

Layer 1: Physical Layer

The lowest layer of the OSI Model is concerned with electrically or optically transmitting raw
unstructured data bits across the network from the physical layer of the sending device to the
physical layer of the receiving device. It can include specifications such as voltages, pin layout,
cabling, and radio frequencies. At the physical layer, one might find “physical” resources such as
network hubs, cabling, repeaters, network adapters or modems.

 Defines the physical characteristics of the network, e.g. wires, connectors, voltages, data rates,
asynchronous and synchronous transmission.
 Handles bit stream or binary transmission.
 Used to maintain, activate and deactivate the physical link.
 For the receiver, it reassembles bits and sends them to the upper layer as frames.
 For the sender, it converts frames into a bit stream and sends it on the transmission medium.

Layer 2: Data Link

At the data link layer, directly connected nodes are used to perform node-to-node data transfer
where data is packaged into frames. The data link layer also corrects errors that may have
occurred at the physical layer. The data link layer encompasses two sub-layers of its own. The
first, media access control (MAC), provides flow control and multiplexing for device
transmissions over a network. The second, the logical link control (LLC), provides flow and
error control over the physical medium as well as identifies line protocols.

 Packages raw bits from the physical layer into FRAMES.
 Provides reliable transit of data across a physical link by using Media Access Control
(MAC) addresses: the source and destination address (the address of the device that
connects one network to the next).
 Flow Control: prevents overwhelming the receiving node.
 Error Control: through the trailer.
 Access Control: which device has control of the medium.
 Data Link LAN specifications: Fast Ethernet, Token Ring, FDDI.
 Data Link WAN specifications: Frame Relay, PPP, X.25.
 Bridges and switches operate at this layer.

Sub layers of Layer 2

Logical Link Control (LLC)

 Used for communication with upper layers
 Error correction
 Flow control

Media Access Control (MAC)

 Access to the physical medium
 Header and trailer
 Trailer: the trailer typically includes a frame check sequence (FCS), which is used to
perform error detection.

Layer 3: Network

The network layer is responsible for receiving frames from the data link layer and delivering
them to their intended destinations based on the addresses contained inside the frame.
The network layer finds the destination by using logical addresses, such as IP (Internet Protocol)
addresses. At this layer, routers are a crucial component, used to quite literally route information
where it needs to go between networks.

 Defines source-to-destination delivery of packets across networks.
 Defines logical addressing and best path determination.
 Treats each packet independently.
 Defines how routing works and how routes are learned.
 Converts frames to packets.
 Routed protocols (encapsulate data into packets) and routing protocols (create routing
tables) work on this layer.
 Examples of routed protocols are IP, IPX and AppleTalk; routing protocols are OSPF,
IGRP/EIGRP, RIP and BGP.
 Routers operate at Layer 3.
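The "best path determination" a router performs at this layer is a longest-prefix-match lookup in its routing table. The following is an added example for this chapter (not code from the original text): the routing table, next hops and interface names are constructed for the illustration, and the lookup uses only the Python standard library.

```python
"""Longest-prefix-match forwarding lookup, as a Layer 3 router performs it.

Added illustration for this chapter; the routing table below is constructed
for the example and does not describe any real network.
"""
import ipaddress

# Constructed routing table: (destination prefix, next hop, outgoing interface).
# A default route (0.0.0.0/0) catches anything no more specific entry matches.
ROUTING_TABLE = [
    ("0.0.0.0/0",      "203.0.113.1", "Gi0/0"),   # default route towards the ISP
    ("10.0.0.0/8",     "10.255.0.1",  "Gi0/1"),   # corporate summary route
    ("10.20.0.0/16",   "10.20.0.1",   "Gi0/2"),   # one campus inside it
    ("10.20.30.0/24",  None,          "Gi0/3"),   # directly connected subnet
    ("192.168.1.0/24", None,          "Gi0/4"),   # directly connected subnet
]


def build_table(entries):
    """Parse the prefixes once and sort them longest-prefix first, so the first
    entry that contains the destination is the most specific route."""
    parsed = [(ipaddress.ip_network(p), nh, ifc) for p, nh, ifc in entries]
    parsed.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return parsed


def lookup(table, destination):
    """Return (matched prefix, next hop, interface) for a destination address,
    or None when no entry matches (a table without a default route)."""
    addr = ipaddress.ip_address(destination)
    for network, next_hop, interface in table:
        if addr in network:
            return str(network), next_hop, interface
    return None


TABLE = build_table(ROUTING_TABLE)

if __name__ == "__main__":
    for dst in ("10.20.30.7", "10.20.99.1", "10.7.7.7", "8.8.8.8"):
        print(dst, "->", lookup(TABLE, dst))
```

Because the most specific prefix always wins, a router that learns a bogus more-specific route from an untrusted neighbour will send traffic there; this is why routing protocols are run with neighbour authentication and inbound prefix filters.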

Layer 4: Transport

The transport layer manages the delivery and error checking of data packets. It regulates the size,
sequencing, and ultimately the transfer of data between systems and hosts. One of the most
common examples of the transport layer is TCP or the Transmission Control Protocol.

 It regulates information flow to ensure process-to-process connectivity between host
applications reliably and accurately.
 Adds the service point address or port address.
 Segmentation & reassembly: SEGMENTS data from the sending node and reassembles
data on the receiving node.
 Flow control / error control at the source-to-destination level.
 Connection-oriented transport service ensures that data is delivered error free, in
sequence, with no losses or duplications.
 Establishes, maintains and terminates virtual circuits.
 Connection-oriented / connectionless:
   TCP (reliable, provides guaranteed delivery),
   UDP (unreliable, less overhead; reliability can be provided by the application layer).
 Provides multiplexing: the support of different flows of data to different applications on the same
host.

Layer 5: Session

The session layer controls the conversations between different computers. A session or
connection between machines is set up and managed at layer 5. Session layer services also
include authentication and reconnections.

 The session layer defines how to start, control and end conversations (called sessions)
between applications.
 Establishes dialog control between the two computers in a session, regulating which side
transmits, plus when and how long it transmits (full duplex).
 Synchronization: allows processes to add checkpoints, e.g. insert a checkpoint after every
100 pages of a 2000-page file to ensure that each 100-page unit is received and acknowledged.
 Transmits data.

Layer 6: Presentation

The presentation layer formats or translates data for the application layer based on the syntax or
semantics that the application accepts. Because of this, it is at times also called the syntax layer.
This layer can also handle the encryption and decryption required by the application layer.

 Presentation layer is concerned with the syntax and semantics of the information
exchanged between two systems.
 This layer is primarily responsible for the translation, encryption and compression of
data.
 Defines coding and conversion functions
 This layer also manages security issues by providing services such as data encryption and
data compression.
 Examples of these formats and schemes are: MPEG, QuickTime, ASCII, EBCDIC, GIF,
TIFF, JPEG.

Layer 7: Application

At this layer, both the end user and the application layer interact directly with the software
application. This layer sees network services provided to end-user applications such as a web
browser or Office 365. The application layer identifies communication partners, resource
availability, and synchronizes communication.

 The application layer is responsible for providing services to the user
 Closest to the user and provides the user interface
 Establishes the availability of intended communication partners
 Examples of application layer protocols are: Telnet, SMTP, FTP, SNMP

Layer 1 and Layer 2

Layer 1                                         Layer 2
Cannot communicate with upper layers            Does this using the LLC sublayer
Cannot identify a computer                      Uses an addressing process
Can only describe a stream of bits              Uses framing to organize bits

Data Encapsulation

Data Encapsulation is the process of adding a header to wrap/envelop the data that flows down
the OSI model. The 5 Steps of Data Encapsulation are:

1. The Application, Presentation and Session layers create DATA from the user's input.
2. The Transport layer converts the DATA to SEGMENTS.
3. The Network layer converts the SEGMENTS to PACKETS (datagrams).
4. The Data Link layer converts the PACKETS to FRAMES.
5. The Physical layer converts the FRAMES to BITS.
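The five steps above, and the FCS trailer that the data link layer adds (described under the MAC sublayer), can be followed in code. This is an added example for this chapter, not code from the original text: each header is a simplified stand-in of a few fields (ports and a sequence number, 4-byte addresses, 6-byte MAC addresses), not the real TCP, IP or Ethernet layouts, and the sample addresses and payload are constructed. The FCS is a CRC-32, as Ethernet uses.

```python
"""Data encapsulation down the stack and decapsulation back up, with the
Layer 2 frame check sequence (FCS) verified on receipt.

Added illustration for this chapter, not code from the original text. The
header layouts are simplified stand-ins, not the real TCP/IP/Ethernet formats.
"""
import struct
import zlib


def to_segment(data: bytes, src_port: int, dst_port: int, seq: int) -> bytes:
    """Layer 4: prepend a port/sequence header (simplified TCP-like header)."""
    return struct.pack("!HHI", src_port, dst_port, seq) + data


def to_packet(segment: bytes, src_ip: bytes, dst_ip: bytes) -> bytes:
    """Layer 3: prepend the logical (IP) source and destination addresses."""
    return src_ip + dst_ip + segment


def to_frame(packet: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Layer 2: prepend the MAC header and append a CRC-32 FCS over the whole frame."""
    body = dst_mac + src_mac + packet
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    return body + struct.pack("!I", fcs)


def to_bits(frame: bytes) -> str:
    """Layer 1: the frame as a string of bits ready for the medium."""
    return "".join(f"{b:08b}" for b in frame)


def from_bits(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def check_frame(frame: bytes):
    """Receiver's Layer 2: verify the FCS; return the packet, or None if corrupt."""
    body, fcs = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        return None          # error detected: a real NIC silently drops the frame
    return body[12:]         # strip the two 6-byte MAC addresses


def decapsulate(bits: str):
    """Walk back up the stack; return the recovered fields, or None if the FCS failed."""
    packet = check_frame(from_bits(bits))
    if packet is None:
        return None
    src_ip, dst_ip, segment = packet[:4], packet[4:8], packet[8:]
    src_port, dst_port, seq = struct.unpack("!HHI", segment[:8])
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port,
            "dst_port": dst_port, "seq": seq, "data": segment[8:]}


def encapsulate(data: bytes) -> str:
    """Run the five steps; addresses are constructed (documentation IP ranges,
    locally administered MAC addresses)."""
    seg = to_segment(data, 40000, 80, 1)
    pkt = to_packet(seg, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    frm = to_frame(pkt, bytes.fromhex("02005e000001"), bytes.fromhex("02005e000002"))
    return to_bits(frm)


def flip_bit(bits: str, index: int) -> str:
    """Simulate a single-bit error on the medium."""
    return bits[:index] + ("1" if bits[index] == "0" else "0") + bits[index + 1:]


if __name__ == "__main__":
    wire = encapsulate(b"GET / HTTP/1.0")
    print(decapsulate(wire))
    print(decapsulate(flip_bit(wire, 200)))   # FCS mismatch, frame dropped
```

The FCS catches accidental corruption such as a flipped bit, but it is not a security control: anyone who can rewrite a frame can recompute the CRC. Protection against deliberate tampering comes from the encryption and integrity services the upper layers provide.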

Some of application layer protocols and their functions

Simple Mail Transfer Protocol (SMTP)

 Governs the transmission of mail messages and attachments
 SMTP is used in the case of outgoing messages
 More powerful protocols such as POP3 and IMAP4 are needed and available to manage
incoming messages
 POP3 (Post Office Protocol version 3) is the older protocol
 IMAP4 (Internet Mail Access Protocol version 4) is the more advanced protocol

Telnet

 It allows a user on a remote client machine, called the Telnet client, to access the
resources of another machine, the Telnet server, in order to access a command-line
interface.

File Transfer Protocol (FTP)

 File Transfer Protocol (FTP) actually lets us transfer files, and it can accomplish this
between any two machines using it.
 FTP’s functions are limited to listing and manipulating directories, typing file contents,
and copying files between hosts.

Simple Network Management Protocol (SNMP)

 Simple Network Management Protocol (SNMP) collects and manipulates valuable
network information.

Hypertext Transfer Protocol (HTTP)

 It’s used to manage communications between web browsers and web servers and opens
the right resource when you click a link, wherever that resource may actually reside.

Hypertext Transfer Protocol Secure (HTTPS)

 Hypertext Transfer Protocol Secure (HTTPS) is also known as Secure Hypertext Transfer
Protocol. It uses Secure Sockets Layer (SSL).

Domain Name Service (DNS)

 Domain Name Service (DNS) resolves hostnames—specifically, Internet names, such as
www.wcu.edu.et

Dynamic Host Configuration Protocol (DHCP)

 Dynamic Host Configuration Protocol (DHCP) assigns IP addresses to hosts
dynamically.
 It allows for easier administration and works well in small to very large network
environments.

Some of Transport layer protocols and their functions

TCP (Transmission Control Protocol)

 TCP: takes large blocks of information from an application and breaks them into
segments.
 It is connection oriented, meaning that a virtual connection is established (the handshake)
before any user data is transferred.

User Datagram Protocol (UDP)

 UDP does not sequence the segments and does not care about the order in which the
segments arrive at the destination.
 UDP just sends the segments off and forgets about them.

Network device

Hub

Hubs connect computers together in a star topology network. Due to their design, they increase
the chances for collisions. Hubs operate in the physical layer of the OSI model and have no
intelligence. Hubs flood incoming packets to all ports all the time. For this reason, if a network is
connected using hubs, the chances of a collision increases linearly with the number of computers
(assuming equal bandwidth use). Hubs cannot filter data so data packets are sent to all connected
devices/computers and do not have intelligence to find out best path for data packets. This leads
to inefficiencies and wastage.

Bridge

In telecommunication networks, a bridge is a product that connects a local area network (LAN)
to another local area network that uses the same protocol. Having a single incoming and
outgoing port and filtering traffic on the LAN by looking at the MAC address, a bridge is more
complex than a hub. Unlike a hub, a bridge looks at the destination of the packet before forwarding.
It restricts transmission to the other LAN segment if the destination is not found there. A bridge works at the
data-link (physical network) level of a network, copying a data frame from one network to the
next network along the communications path. It is used to connect two subnetworks that use
interchangeable protocols. It combines two LANs to form an extended LAN. The main
difference between a bridge and a repeater is that the bridge has a penetrating efficiency.

 Transparent Bridges: also called learning bridges. The bridge constructs its table of
terminal addresses on its own as it connects two LANs, using the source address of each
frame to build its table. It is self-updating. It is a plug-and-play bridge.
A transparent bridge is invisible to the other devices on the network. It
only performs the function of blocking or forwarding data based on MAC address. A MAC
address may also be referred to as a hardware address or physical address. These addresses
are used to build tables and make decisions regarding whether a frame should be forwarded
and where it should be forwarded.
 Source Routing Bridge: source-route bridges were designed by IBM for use on Token
Ring networks. The SR bridge derives the entire route of the frame from routing information
embedded within the frame. This allows the bridge to make specific decisions about how the
frame should be forwarded through the network. The sending terminal tells the bridges the
path the frames should take. This type of bridge is used to prevent looping problems.
 Translational Bridge: translational bridges are useful to connect segments running at
different speeds or using different protocols, such as Token Ring and Ethernet networks.
Depending on the direction of travel, a translational bridge can add or remove
information and fields from the frame as needed.

Repeater

A repeater is an electronic device that receives a signal and retransmits it at a higher level and/or
higher power, or onto the other side of an obstruction, so that the signal can cover longer
distances without degradation. Because repeaters work with the actual physical signal, and do
not attempt to interpret the data being transmitted, they operate on the physical layer, the first
layer of the OSI model. Repeaters are majorly employed in long distance transmission to reduce
the effect of attenuation. It is important to note that repeaters do not amplify the original signal
but simply regenerate it.

Modem

A modem (from modulator-demodulator) is a device that turns the digital 1s and 0s of a personal
computer into sounds that can be transmitted over the telephone lines.

NIC (Network Interface Card)

A network interface card is a computer hardware component designed to allow computers to
communicate over a computer network. It is both an OSI layer 1 (physical layer) and layer 2
(data link layer) device, as it provides physical access to a networking medium and provides a
low-level addressing system through the use of MAC addresses. It allows users to connect to
each other either by using cables or wirelessly. Most motherboards today come equipped with a
network interface card in the form of a controller, with the hardware built into the board itself,
eliminating the need for a standalone card.

Switch

A switch, when compared to a bridge, has multiple ports. Switches can perform error checking
before forwarding data, which makes them very efficient: they do not forward packets that contain
errors, and they forward good packets selectively to the correct devices only. Switches can support
both layer 2 (based on MAC address) and layer 3 (based on IP address) depending on the type of
switch. Usually large networks use switches instead of hubs to connect computers within the same
subnet.

 A switch operates in the layer 2, i.e. data link layer of the OSI model.
 It is an intelligent network device that can be conceived as a multiport network bridge.
 It uses MAC addresses (addresses of medium access control sublayer) to send data
packets to selected destination ports.
 It uses packet switching technique to receive and forward data packets from the source to
the destination device.
 It supports unicast (one-to-one), multicast (one-to-many) and broadcast (one-to-all)
communications.
 Transmission mode is full duplex, i.e. communication in the channel occurs in both the
directions at the same time. Due to this, collisions do not occur.
 Switches are active devices, equipped with network software and network management
capabilities.
 Switches can perform some error checking before forwarding data to the destined port.
 The number of ports is higher – 24/48.

Types of Switches

There is a variety of switches, which can be broadly categorized into 4 types:

 Unmanaged Switch − These are inexpensive switches commonly used in home networks
and small businesses. They can be set up by simply plugging them into the network, after
which they instantly start operating. When more devices need to be added, more
switches are simply added by this plug-and-play method. They are referred to as
unmanaged since they do not need to be configured or monitored. Unmanaged
switches are generally made as plug-and-play devices and require little to no special
installation beyond an Ethernet cable. The setup of this type of switch relies on
auto-negotiation between Ethernet devices to enable communication between them. The
switch will automatically determine the best data rate to use, switching between
full-duplex mode (where data is received or transmitted in two directions at the same time) and
half-duplex mode (where data is received or transmitted two ways but only one direction
at a time).
 Managed Switch − These are costly switches that are used in organizations with large
and complex networks, since they can be customized to augment the functionalities of a
standard switch. The augmented features may be QoS (Quality of Service) like higher
security levels, better precision control and complete network management. Despite their
cost, they are preferred in growing organizations due to their scalability and flexibility.
Simple Network Management Protocol (SNMP) is used for configuring managed
switches. A managed switch is exactly what it sounds like—a switch that requires some
oversight by a network administrator. This type of switch gives you total control over the
traffic accessing your network while allowing you to custom-configure each Ethernet
port so you get maximum efficiency over data transfers on the network. Managed
switches are also typically the best network switches to support the Gigabit standard of
Ethernet rather than traditional Fast Ethernet.

2. View VLANs by device and port

 VLANs are assigned to individual switch ports.
 Ports can be statically assigned to a single VLAN or dynamically assigned to a single
VLAN.
 All ports are assigned to VLAN 1 by default
 Ports are active only if they are assigned to VLANs that exist on the switch.
 Static port assignments are performed by the administrator and do not change unless
modified by the administrator, whether the VLAN exists on the switch or not.
 Dynamic VLANs are assigned to a port based on the MAC address of the device plugged
into a port.
 Dynamic VLAN configuration requires a VLAN Membership Policy Server (VMPS)
client, server, and database to operate properly.

3. Configuring Static VLANs

On a Cisco switch, ports are assigned to a single VLAN. These ports are referred to as access
ports and provide a connection for end users or node devices, such as a router or server. By
default, all devices are assigned to VLAN 1, known as the default VLAN. After creating a
VLAN, you can manually assign a port to that VLAN and it will be able to communicate only
with or through other devices in the VLAN. Configure the switch port for membership in a given
VLAN as follows:

To change the VLAN for a CISCO device, use the set vlan command, followed by the VLAN
number, and then the port or ports that should be added to that VLAN. VLAN assignments such
as this are considered static because they do not change unless the administrator changes the
VLAN configuration.

For the IOS device, you must first select the port (or port range for integrated IOS) and then use
the switchport access vlan command followed by the VLAN number.

Configuring Dynamic VLANs

Although static VLANs are the most common form of port VLAN assignments, it is possible to
have the switch dynamically choose a VLAN based on the MAC address of the device connected
to a port. To achieve this, you must have a VTP database file, a VTP server, a VTP client switch,
and a dynamic port. After you have properly configured these components, a dynamic port can
choose the VLAN based on whichever device is connected to that port.

Configuring a VLAN based on ports allows PCs in the VLAN to communicate with each other.
Application Environment: A company has multiple departments located in different buildings.
For service security, it is required that employees in one department be able to communicate with
each other, whereas employees in different departments be prohibited from communicating with
each other. The devices are connected as shown in the following figure. Add the ports connecting
devices to PCs of the financial department to VLAN 5 and the ports connecting devices to PCs of
the marketing department to VLAN 9. This configuration prevents employees in the financial and
marketing departments from communicating with each other.

Configure links between CE and PE as trunk links to allow frames from VLAN 5 and VLAN 9
to pass through, allowing employees of the same department but different buildings to
communicate with each other. By configuring port-based VLANs on the PE, CE1, and CE2,
employees in the same department can communicate with each other, whereas employees in
different departments cannot.
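The behaviour that makes this scenario work is a combination of three things described in this chapter: the transparent (learning) bridge, the multiport switch that forwards by MAC address, and port-based VLANs with trunk links. The following is an added example for this chapter, not code from the original text or from any vendor: a VLAN-aware learning switch in miniature, configured as CE1 from the scenario (finance PCs in VLAN 5, marketing PCs in VLAN 9, one trunk towards the PE). Port numbers and MAC addresses are constructed for the illustration.

```python
"""A VLAN-aware learning switch in miniature.

Added illustration for this chapter, not code from the original text or from
any vendor. Port numbers, MAC addresses and the CE1 layout are constructed.
"""
from collections import namedtuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
# tag: the 802.1Q VLAN id on a trunk; None for an untagged frame on an access port
Frame = namedtuple("Frame", "src dst tag")


class Switch:
    def __init__(self, access, trunks):
        self.access = dict(access)                            # port -> VLAN id
        self.trunks = {p: set(v) for p, v in trunks.items()}  # port -> allowed VLAN ids
        self.mac_table = {}                                   # (vlan, mac) -> port

    def classify(self, port, tag):
        """Assign an incoming frame to a VLAN, or None if it must be dropped."""
        if port in self.access:
            return self.access[port]              # access port: the port's own VLAN
        if port in self.trunks and tag in self.trunks[port]:
            return tag                            # trunk: honour the tag if allowed
        return None                               # unknown port, or VLAN not allowed

    def members(self, vlan):
        """Every port that carries the given VLAN (access ports plus trunks)."""
        ports = {p for p, v in self.access.items() if v == vlan}
        ports |= {p for p, allowed in self.trunks.items() if vlan in allowed}
        return ports

    def receive(self, in_port, frame):
        """Process one frame; return the set of ports it is forwarded out of."""
        vlan = self.classify(in_port, frame.tag)
        if vlan is None:
            return set()
        self.mac_table[(vlan, frame.src)] = in_port           # transparent learning
        if frame.dst == BROADCAST:
            return self.members(vlan) - {in_port}             # broadcast stays in its VLAN
        out = self.mac_table.get((vlan, frame.dst))
        if out is None:
            return self.members(vlan) - {in_port}             # unknown unicast: flood
        return set() if out == in_port else {out}             # known: one port only


def build_ce1():
    """CE1 from the scenario: finance PCs on ports 1-2 (VLAN 5), marketing PCs on
    ports 3-4 (VLAN 9); port 24 is the trunk towards the PE carrying both VLANs."""
    return Switch(access={1: 5, 2: 5, 3: 9, 4: 9}, trunks={24: {5, 9}})


def walkthrough():
    """Drive the switch through the scenario; return each forwarding decision."""
    sw = build_ce1()
    fin1, fin2, mkt1 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    steps = {}
    # 1. fin1 -> fin2: fin2 not yet learned, so flood to the other VLAN 5 ports (2 and the trunk)
    steps["unknown_unicast"] = sw.receive(1, Frame(fin1, fin2, None))
    # 2. fin2 replies: fin1 was learned on port 1, so only port 1 receives it
    steps["learned_unicast"] = sw.receive(2, Frame(fin2, fin1, None))
    # 3. a marketing PC broadcasts; its MAC is learned under VLAN 9, flood stays in VLAN 9
    steps["mkt_broadcast"] = sw.receive(3, Frame(mkt1, BROADCAST, None))
    # 4. fin1 -> mkt1: the table is per VLAN, so VLAN 5 traffic never reaches port 3
    steps["cross_vlan"] = sw.receive(1, Frame(fin1, mkt1, None))
    # 5. a frame tagged VLAN 9 arrives from the PE trunk for mkt1: delivered to port 3 only
    steps["from_trunk"] = sw.receive(24, Frame("02:00:00:00:00:09", mkt1, 9))
    # 6. a tag the trunk is not configured to carry is dropped
    steps["disallowed_tag"] = sw.receive(24, Frame("02:00:00:00:00:09", mkt1, 7))
    return steps


if __name__ == "__main__":
    for name, ports in walkthrough().items():
        print(f"{name:16} -> {sorted(ports)}")
```

Two points worth noticing in the model: isolation between VLAN 5 and VLAN 9 comes entirely from the per-VLAN lookup and membership sets, so a port placed in the wrong VLAN silently joins that department; and the table keys on a MAC address, which is an identifier rather than an authenticator, which is why static port assignment is the firmer control and MAC-based dynamic assignment should be treated as a convenience.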

Networking diagram for configuring a VLAN based on ports


Pre-configuration Tasks

Before configuring a VLAN based on ports, complete the following task: Connecting ports and
configuring physical parameters of the ports, ensuring that the ports are physically Up.

Configuration Procedures

Figure 8-6 Procedure of configuring a VLAN based on ports


After a VLAN profile is created, assign it to switches, aggregation devices in a Junos Fusion
fabric, Virtual Chassis Fabric, members of Layer 3 Fabric, or members of custom groups. You
must have one or more existing VLAN profiles, either user-configured or system-created, before
you can assign a VLAN profile to a switch, or member of a custom group or port group.

4. Automatic Discovery and Configuration Manager

Configuration management is a process closely linked to change management, which is also
called configuration control. Any system that needs to be controlled closely and run with good
reliability, maintainability and performance benefits greatly from configuration management,
i.e., the management of system information and system changes. Configuration management can
extend life, reduce cost, reduce risk, and even correct defects. It should be applied over the life
cycle of a system in order to provide visibility and control of its performance as well as its
functional and physical attributes.

In Configuration Manager 2012, the discovery of users, groups and devices has been improved
since Configuration Manager 2007. The discovery feature in Configuration Manager 2012
enables you to identify computer and user resources that can be managed with Configuration
Manager. You are able to configure the discovery of resources on different levels in the
Configuration Manager 2012 hierarchy.

Active Directory Forest Discovery

The Active Directory Forest Discovery is a new discovery method in Configuration Manager
2012 that allows the discovery of Active Directory Forest where the site servers reside and any
trusted forest. With this discovery method, you are able to automatically create the Active
Directory or IP subnet boundaries that are within the discovered Active Directory Forests. Active
Directory Forest Discovery can be configured on Central Administration Sites and Primary Sites.

5. Wireless Mobility configuration menu

A Mobility Domain enables users to roam geographically across the system while maintaining
data sessions and VLAN or subnet membership, including IP address, regardless of connectivity
to the network backbone. As users move from one area of a building or campus to another, client
associations with servers or other resources remain the same. The clustering functionality
ensures mobility across an entire wireless network. With clustering, you can effortlessly create
logical groups of controllers and access points, which share network and user information in a
proactive manner for continuous and uninterrupted support. You can create a mobility domain
using the Create Mobility Domain window from the Network Director user interface.

A Mobility Group is a group of Wireless LAN Controllers (WLCs) in a network with the same
Mobility Group name. These WLCs can dynamically share context and state of client devices,
WLC load information, and can forward data traffic among them, which enables inter-controller
wireless LAN roam and controller redundancy. Before you add controllers to a mobility group,
you must verify that certain requirements are met for all controllers that are to be included in the
group.

A Mobility Group is configured manually. The IP and MAC address of the Wireless LAN
Controllers (WLCs) that belong to the same Mobility Group are configured on each of the WLCs
individually. Mobility Groups can be configured either through the CLI or through the GUI.
Mobility Groups can also be configured with the Prime Infrastructure (PI). This alternative
method comes in handy when a large number of WLCs is deployed. A Wireless LAN
Controller (WLC) can be configured in only one Mobility Group. A Mobility Group can
include up to 24 WLCs of any type. The number of access points supported in a Mobility Group
is bound by the number of WLCs and WLC types in the group. For example, if a controller
supports 6000 access points, a mobility group that consists of 24 such controllers supports up to
144,000 access points (24 * 6000 = 144,000 access points). You can add different mobility
members that are part of a different Mobility Group into the mobility list that is used for mobility
anchors that can anchor within a different Mobility Group. There can be up to 72 members in the
list with up to 24 in the same Mobility Group.

In a mobility list, the following combinations of mobility groups and members are allowed:

 3 mobility groups with 24 members in each group
 12 mobility groups with 6 members in each group
 24 mobility groups with 3 members in each group
 72 mobility groups with 1 member in each group

Configuring Mobility Groups (Cisco Wireless LAN Controllers)

To add an entry to a controller mobility configuration using the GUI, go to CONTROLLER >
Mobility Management > Mobility Groups, and click on New. Here you enter the MAC address
and IP address of the controller management interface you are adding along with the mobility
group name of that controller.

Mobility, or roaming, is a wireless LAN client’s ability to maintain its association seamlessly
from one access point to another securely and with as little latency as possible.

A mobility group is a set of controllers, identified by the same mobility group name, that enables
seamless roaming for wireless clients. By creating a mobility group, we can enable multiple
controllers in a network to dynamically share information and forward data traffic when inter-
controller or inter-subnet roaming occurs. Controllers in the same mobility group can share the
context and state of client devices as well as their list of access points so that they do not
consider each other’s access points as rogue devices.

Wireless access point

A wireless access point (WAP or AP) is a device that allows wireless communication devices to
connect to a wireless network using Wi-Fi, Bluetooth or related standards. The WAP usually
connects to a wired network, and can relay data between the wireless devices (such as computers
or printers) and wired devices on the network.

Basic firewall

A firewall is a part of a computer system or network that is designed to block
unauthorized access while permitting outward communication. It is also a device or set of
devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between
different security domains based upon a set of rules and other criteria.

Routers

 A router, like a switch, forwards packets based on address.
 Usually, routers use the IP address to forward packets, which allows the network to go
across different protocols.
 Routers forward packets based on software while a switch (layer 3 for example)
forwards using hardware called ASICs (Application Specific Integrated Circuits).
 Routers support different WAN technologies but switches do not.
 Besides, wireless routers have an access point built in.
 The most common home use for routers is to share a broadband internet connection.
 As the router has a public IP address which is shared with the network, when data comes
through the router, it is forwarded to the correct computer.

6. Device Schedules

Owing to the increasing need for massive data analysis and model training at the network edge,
as well as the rising concerns about the data privacy, a new distributed training framework called
federated learning (FL) has emerged. In each iteration of FL (called round), the edge devices
update local models based on their own data and contribute to the global training by uploading
the model updates via wireless channels. Due to the limited spectrum resources, only a portion of
the devices can be scheduled in each round.

In order to take a backup of your device configurations, you need to first discover your devices
using Network Configuration Manager. The tool also allows you to add devices in bulk. Once
the devices are discovered, you can proceed to scheduling network backups. Device
configurations need to be backed up often in order to maintain a repository of backups ready to
be restored in case of emergencies. In large enterprises with many devices, backing up device
configurations becomes a huge, mundane task that takes up most of an admin's time. Being able
to schedule configuration backups frees up a network admin's time for productivity-enhancing
tasks.

7. VPN Policy Manager

A virtual private network (VPN) is a private data network connection that makes use of the
public telecommunications infrastructure, maintaining privacy through the use of a tunneling
protocol and security procedures. Using a virtual private network involves maintaining privacy
through authorization, authentication, and encryption controls that encrypt data before it is
sent through the public network and decrypt it at the receiving end. In a site-to-site
configuration, a VPN can be contrasted with a system of owned or leased lines that can only be
used by one company. In a remote user configuration, a VPN can be contrasted with a privately
managed remote access system (e.g. dial-up). The concept of the VPN is to give the agency the
same capabilities at much lower cost by using the shared public infrastructure rather than a
private one. However, VPN links are considered less trusted than dedicated, private
connections; therefore, this policy sets forth the security requirements for VPN connections to
the State's network.

VPNs enable an organization to use public networks such as the Internet to provide secure
connections across the organization's wide area network. Customers can use VPNs to connect an
enterprise intranet to a wide area network composed of partners, customers, resellers and
suppliers. Traditionally, businesses have relied on private 56-Kbps or T-1 leased lines to connect
remote offices together. Leased lines are expensive to install and maintain. For small companies,
the cost is just too high. Using the Internet as a backbone, a VPN can securely and cost
effectively connect all of a company's offices, telecommuters, mobile workers, customers,
partners and suppliers.

Overview of how it Works

- Two connections – one is made to the Internet and the second is made to the VPN.
- Datagrams – contain data, destination and source information.
- Firewalls – VPNs allow authorized users to pass through the firewalls.
- Protocols – protocols create the VPN tunnels.

VPN Gateway and Tunnels

A VPN gateway is a network device that provides encryption and authentication services to a
multitude of hosts that connect to it. From the outside (Internet), all communications addressed to
inside hosts flow through the gateway. There are two types of endpoint VPN tunnels:

Computer to gateway

- For remote access: generally set up for a remote user to connect to a corporate LAN.

Gateway to gateway

- This is a typical enterprise-to-enterprise configuration. The two gateways communicate
with each other.

[Figure: Types of endpoint VPN tunnels]

8. Element Manager

Importance of Managing Network Devices

- Configuration Management
- Performance Management
- Fault Management

Common ways to analyze the configuration, performance and faults on a Cisco device:

- CLI (Command Line Interface)
- SNMP (Simple Network Management Protocol)
- CiscoView

Using SNMP and CiscoView:

- A user can define a VTP domain,
- Configure devices as VTP servers, clients, or transparent devices in the domain,
- Create VLANs within the domain,
- Assign ports to a VLAN, and view the ports assigned to a VLAN.

9. CLI Configuration Manager

Configuration Manager can be run from a command line. You might want to run the Configuration
Manager from the command line rather than the graphical user interface for the following
reasons:

- You want to automate the configuration of the software.
- Your site wants the command-line version run for security reasons.
- You want to create a script to set up your system and then allow a user to run the script.

You begin by generating the configuration XML files that define the application server, the
profile type, and the XML file path. You then edit the files to enter values for your environment.

Understanding Cisco IOS Command Line Modes

The Cisco command-line interface (CLI) is the main interface through which we interact with Cisco
IOS devices. The CLI is accessible directly via a console cable or remotely via methods such as
Telnet/SSH. From here, we can do things such as monitoring device status or changing the
configuration. Cisco has divided its CLI into several different modes. Understanding Cisco IOS
command line modes is essential because each mode has its own set of commands. Cisco has at
least three main command line modes: user EXEC mode, privileged EXEC mode, and global
configuration mode. There are also other, more specific modes such as interface
configuration mode, extended ACL configuration mode, routing/VLAN configuration mode, etc.

User EXEC mode

By default this is where we begin the session with our Cisco IOS devices (unless a specific
privilege level has been granted to our user account). The characteristics of user EXEC mode
are:

- Indicated by a right angle bracket sign (">") next to the device hostname.
- Contains commands that we can use to test the device/network configuration, such as ping
and traceroute.
- A limited set of commands that do not change the device configuration, such as the
show and clear commands, is available.
- We can connect to other devices from user EXEC mode by using telnet or ssh.
- To protect user EXEC mode we can create a username and password combination on the
device.
- Issuing the exit command here will disconnect the session.

The flowchart below shows the position of each mode relative to the other modes.

[Figure: Cisco IOS Command Line Modes]


Privileged EXEC mode

Basically, privileged EXEC mode contains the complete set of commands available in user EXEC
mode. In this mode, we still cannot make any configuration changes. However, the configuration
mode can only be accessed from privileged EXEC mode. Privileged EXEC mode is activated
after we use the command enable in user EXEC mode.

Below are the characteristics of privileged EXEC mode:

- Indicated by a hash sign ("#") next to the device hostname.
- All commands that are available in user EXEC mode are available here too.
- A more complete set of commands under the show and clear commands is available here. For
example, in user EXEC mode there is no show running-config under the show command,
but in privileged EXEC mode it exists.
- Unless the user account that we used has a specific privilege level assigned to it, by default
it will get the highest privilege level, which is level 15.
- Privileged EXEC mode can be protected using an enable password.
- Issuing the disable command here will bring us back to user EXEC mode.
- Issuing the exit command here will disconnect the session.

Global configuration mode

This is where the real configuration is done. We can enter global configuration mode from
privileged EXEC mode by using the command configure terminal. From here we can make changes to
the global device configuration such as hostname, domain-name, creating user accounts, etc., or
we can enter more specific configuration modes within global configuration mode and make changes
such as interface IP addresses, access-lists, DHCP, policy, etc.

Some characteristics of global configuration mode are:

- Indicated by the device hostname prompt, followed by the word "config" inside brackets and
then a hash sign ("#").
- All commands from EXEC mode can be used here by adding the word do before the
command that we want to execute; for example, if we want to use show running-config in
global configuration mode we have to type it as do show running-config.
- Although we can change the configuration within global configuration mode, if we want to
save the configuration we have to do it by exiting back to privileged EXEC mode and
issuing the command write memory or copy running-config startup-config from there
(however, these two commands can also be used from within global configuration mode
by adding the do prefix to the command, as explained in the previous point).
- Global configuration mode can be protected by assigning a custom privilege level to the
user account, then setting the allowed commands and blocking the rest, thus limiting the
configuration capability.
- Issuing exit here will bring us back to privileged EXEC mode.

To change a device configuration, you need to enter global configuration mode. This mode
can be accessed by typing configure terminal (or conf t, the abbreviated version of the command)
from the enable mode (privileged EXEC mode). The prompt for this mode is hostname(config)#.
Global configuration mode commands are used to configure a device. You can set a hostname,
configure authentication, set an IP address for an interface, etc. From this mode, you can also
access submodes, for example interface mode, from where you can configure interface options.
You can get back to privileged EXEC mode by typing the end command. You can also type CTRL
+ C to exit the configuration mode.
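As an added example (not code from the original chapter or from Cisco), the Python below audits a captured CLI session using the prompt indicators described above: it identifies the mode each command was typed in from ">", "#", "(config)#" and "(config-xx)#", honours the do prefix, and flags configuration changes that were never saved with write memory or copy running-config startup-config. The session transcript is constructed; the prompt and save-command patterns are my own assumptions about the prompt format.

```python
import re

# Prompts from the text: ">" user EXEC, "#" privileged EXEC, "(config)#" global, "(config-xx)#" sub-mode.
PROMPT_RE = re.compile(r"^(?P<host>[\w.-]+)(?P<ctx>\([^)]*\))?(?P<sym>[>#])(?P<cmd>.*)$")
# Commands that save the running config, with or without the 'do' prefix.
SAVE_RE = re.compile(r"^(write( memory)?|wr( mem)?|copy\s+run\S*\s+start\S*)$")

def classify_prompt(line):
    """Return host, mode and typed command for a prompt line; None for device output."""
    m = PROMPT_RE.match(line)
    if m is None:
        return None
    ctx, sym = m.group("ctx"), m.group("sym")
    if sym == ">":
        mode = "user EXEC"
    else:
        mode = {None: "privileged EXEC", "(config)": "global configuration"}.get(
            ctx, "configuration sub-mode")
    return {"host": m.group("host"), "ctx": ctx, "mode": mode, "cmd": m.group("cmd").strip()}

def audit_session(lines):
    """Record mode transitions, config-mode commands, and whether changes were saved."""
    report = {"modes": [], "config_commands": [], "saved": False}
    for line in lines:
        p = classify_prompt(line)
        if p is None:
            continue  # device output, not a prompt line
        if report["modes"][-1:] != [p["mode"]]:
            report["modes"].append(p["mode"])
        cmd, in_config = p["cmd"], p["mode"].endswith(("configuration", "sub-mode"))
        if in_config and cmd.startswith("do "):
            cmd = cmd[3:].strip()  # EXEC command run from configuration mode
        elif in_config and cmd and cmd not in ("exit", "end"):
            report["config_commands"].append(cmd)
        if SAVE_RE.match(cmd):
            report["saved"] = True
    report["unsaved_changes"] = bool(report["config_commands"]) and not report["saved"]
    return report

# Constructed session transcript (not a capture from a real device).
SESSION = """Router>enable
Router#configure terminal
Router(config)#hostname Edge1
Edge1(config)#interface GigabitEthernet0/1
Edge1(config-if)#ip address 192.0.2.1 255.255.255.0
Edge1(config-if)#exit
Edge1(config)#do show running-config | include hostname
hostname Edge1
Edge1(config)#end
Edge1#write memory""".splitlines()
```

Run over a session log exported from a terminal server or AAA accounting, the same report shows which commands were entered in a configuration mode and whether the session left unsaved changes behind.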
