How to install a FTP server in Windows 7?

Having an FTP server along with your webserver has benefits of it's own. You can transfer files very easily to and from your server. Also, editing files on your webserver is a breeze if you enable FTP. We have already shown you how to install the IIS Webserver in Windows 7.

Now, we will tell you how you can install a FTP Web server along with your IIS webserver in Windows 7. Please note that installation of FTP and the IIS Web server are not inter-dependent, which means you need not compulsorily install a webserver in order to install an FTP server and vice-versa.

1. Go to Control Panel > Programs. Then click on "Turn Windows features On or Off". You can check this detailed guide on how to add or remove Windows features in Windows 7.

2. Now from the list that opens, locate the option for Internet Information Services and select FTP Server. Click on OK. Installation will take some time.

3. After your FTP server is installed, you can check the installation using an ftp client by entering localhost as the hostname and 21 as the port number. You should also read the article on how to manage the settings for your FTP server in windows 7.

Some additional steps for configuring the FTP sites and servers to work: (Thanks to Wildfire in the comments)

1. Open the IIS Manager
2. In the tree view (on the far right), right-click “Server (ServerUser)” and select “Add FTP Site…”
3. Follow the wizard to configure the FTP server.
Once you've done this, IIS will have your FTP server listed under Web Sites so you can configure it.

Create a New Partition on a Windows 7 Hard Disk

The Windows 7 Disk Management tool provides a simple interface for managing partitions and volumes.

Here’s an easy way to create a new partition on your disk.

1. Open the Disk Management console by typing diskmgmt.msc at an elevated command prompt.
   
   
   
2. In Disk Management’s Graphical view, right-click an unallocated or free area, and then click New Simple Volume. This starts the New Simple Volume Wizard. (Note: If you need to create unallocated space, see the Tip Easily Shrink a Volume on a Windows 7 Disk for information on how to do this.)
   
   
   
3. Read the Welcome page and then click Next.
   
4. The Specify Volume Size page specifies the minimum and maximum size for the volume in megabytes and lets you size the volume within these limits. Size the partition in megabytes using the Simple Volume Size field and then click Next.
   
   
   
5. On the Assign Drive Letter Or Path page, specify whether you want to assign a drive letter or path and then click Next. The available options are as follows:
   
   
   
   Assign The Following Drive Letter Select an available drive letter in the selection list provided. By default, Windows 7 selects the lowest available drive letter and excludes reserved drive letters as well as those assigned to local disks or network drives.
   Mount In The Following Empty NTFS Folder Choose this option to mount the partition in an empty NTFS folder. You must then type the path to an existing folder or click Browse to search for or create a folder to use.
   Do Not Assign A Drive Letter Or Drive Path Choose this option if you want to create the partition without assigning a drive letter or path. Later, if you want the partition to be available for storage, you can assign a drive letter or path at that time.
   
6. Use the Format Partition page to determine whether and how the volume should be formatted. If you want to format the volume, choose Format This Volume With The Following Settings, and then configure the following options:
   
   
   
   File System Sets the file system type as FAT, FAT32, or NTFS. NTFS is selected by default in most cases. If you create a file system as FAT or FAT32, you can later convert it to NTFS by using the Convert utility. You can’t, however, convert NTFS partitions to FAT or FAT32.
   Allocation Unit Size Sets the cluster size for the file system. This is the basic unit in which disk space is allocated. The default allocation unit size is based on the size of the volume and, by default, is set dynamically prior to formatting. To override this feature, you can set the allocation unit size to a specific value. If you use many small files, you might want to use a smaller cluster size, such as 512 or 1,024 bytes. With these settings, small files use less disk space.
   Volume Label Sets a text label for the partition. This label is the partition’s volume name and by default is set to New Volume. You can change the volume label at any time by right-clicking the volume in Windows Explorer, choosing Properties, and typing a new value in the Label field provided on the General tab.
   Perform A Quick Format Tells Windows 7 to format without checking the partition for errors. With large partitions, this option can save you a few minutes. However, it’s usually better to check for errors, which enables Disk Management to mark bad sectors on the disk and lock them out.
   Enable File And Folder Compression Turns on compression for the disk. Built-in compression is available only for NTFS. Under NTFS, compression is transparent to users and compressed files can be accessed just like regular files. If you select this option, files and directories on this drive are compressed automatically.
   
7. Click Next, confirm your options, and then click Finish.
   
   

The Windows 7 Disk Management tool will now show the space configured as a new partition.

Understand why AutoRun no Longer Works for Some USB Devices

AutoRun is the mechanism that proposes a default action when you insert an optical disc in the drive. For example, the contents of a file called AutoRun on the inserted CD is responsible for suggesting the action Run index.html.

Because of the rising incidence of malware that uses AutoRun to induce unwary users into running Trojan horses, the designers of Windows 7 decided to disable AutoRun capability on USB devices other than removable optical media.

Because of this security change, some devices that executed programs automatically when plugged into a Windows Vista computer might appear not to work in Windows 7. If your device seems inert when attached to your Windows 7 system, don’t assume it’s broken. Open Computer in Windows Explorer, and then open the entry for your device. You will probably find a file there called AutoRun. Opening that file in Notepad will reveal the name of the program that would run automatically had AutoRun not been disabled for your device. Run that program from Windows Explorer.

Run (and Automate) Windows Defender from the Command Line

Windows Defender includes a command-line utility, MpCmdRun.exe, which can be handy if you want to automate the use of Windows Defender. The utility is located on Windows 7 at %ProgramFiles%\Windows Defender\MpCmdRun.exe.

The basic usage at the command prompt is:
MpCmdRun.exe [command] [-options]



Here’s an overview of available commands:

Command	Description
-?	Displays all available options for the tool
-Trace [-Grouping #] [-Level #]	Starts diagnostic tracing
-RemoveDefinitions [-All]	Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
-RestoreDefaults	Resets the registry values for Windows Defender settings to known good defaults
-SignatureUpdate	Checks for new definition updates
-Scan [-ScanType]	Scans for malicious software
-GetFiles	Collects support information

WLAN

Definition: AWLAN provides wireless network communication over short distances using radio or infrared signals instead of traditional network cabling.

 

A WLAN typically extends an existing wired local area network. WLANs are built by attaching a device called the access point (AP) to the edge of the wired network. Clients communicate with the AP using a wireless networkadapter similar in function to a traditional Ethernet adapter.
Network security remains an important issue for WLANs. Random wireless clients must usually be prohibited from joining the WLAN. Technologies like WEP raise the level of security on wireless networks to rival that of traditional wired networks.

Also Known As: wireless LAN

Examples:

For WLANs that connect to the Internet, Wireless Application Protocol (WAP) technology allows Web content to be more easily downloaded to a WLAN and rendered on wireless clients like cell phones and PDAs

USB Flash Drive and How to Avoid Data Loss

Technology has changed the way we do a lot of things. Sending of mails for example is one good example. Before, it will take days before mail can reach recipients who are thousand of miles away. But things have changed with the advent of the Internet as emails can be send and will be received in just a matter of seconds.
The way we save and share files has changed too. Back in the days when computer was just a new technology, we use floppy disks that can save only kilobytes of files. Now, we can save thousands of Gigabyte of files in media as small as a thumb that can save up to 256 GB of data and more. This device is what we call USB flash drive.


A USB flash drive is one of the most portable devices used today. It became extremely popular due to the following reasons:

• Portability. Since the device is small, it can easily fit in a pocket or bag so these means, your files goes with you wherever you go.
• Large Capacity. USB devices come in many different sizes from 1 GB, 3 GB, 16 GB, and more which gives the users the freedom to select which USB size fits their needs.
• Robust. USB flash drive are durable and it can be use to rewrite data over a million times.
• Speed. USB flash drive has no moving parts, which makes it a very fast media to write data to.
• Easy to Use. Modern operating systems can readily detect flash drives when plugged into the PC and would not even require installation of drivers or a reboot to access data from the flash drive. It does not also require a separate power supply to operate.

But just like any other media, there is still a tendency for USB device to fail. Here are some of the causes that can lead to corruption of your USB drive:

• Improper disconnection of Flash Drive from the computer. When unplugging flash drive from the computer, it is important to always use the “Safely Remove Hardware” feature to make sure that no system is accessing the flash drive before unplugging it. Unsafely removing USB device from the computer can lead to logical damage of disks, which can corrupt the data stored in it.
• Power Outages. Surge in power while the USB device is being accessed can also cause damage to your flash drive.
• Exposure to extreme temperature. High temperature or high humidity can lead to condensation, which can cause short circuit of the boards.
• Physical damage to the disks. Dropping the flash drive, breaking of the USB connectors, etc can render the flash drive unusable.

Since majority of USB drives now come in large capacities, it can hold thousands of different data from documents, pictures, movies, eBooks and more. Losing this important data can be a big headache, that is why it is important that we take measures so we will be prepared in case of data corruption of our USB flash drive.
Here are a few tips to prevent data loss:

1. Backup your files. Don’t just rely on your USB drive to save your data. Make sure that you backup critical files either to a DVD or a second flash drive. DVDs, external hard disks and USB drives are so affordable now so there is no reason not to get a second one for backup.
2. Keep your computer up to date. Make sure that your computer has the latest antivirus program, patches and software like hp drivers, OS updates and more to make sure that it is protected from any virus, malware, spyware, etc that can corrupt and even erase data stored on your USB drive.
3. Keep your USB device in a safe place. Because of its size, it is very easy to carry a USB device with you wherever you go. Although it is built to be mobile, it is still important that you put it in a safe place like inside a pocket in a bag.
4. Use UPS or power protectors. One of the primary causes of data corruption is power outage so it will help to install UPS and surge protectors to protect your PC and your flash drive from sudden change in electric current.
5. Always disconnect your USB flash drive safely. Never just unplug a USB device after using it. Always disconnect it by following the proper steps on how to safely remove hardware.

USB flash drives is the most preferred media for storage and sharing of data because of its speed, capacity and portability. But make sure that you take good care of your flash drive by following the tips mentioned above to avoid losing your valuable data.

A Server is a Computer That You Can Create at Home

If you happen to have an old computer at home, then you can create a home storage server since a server is a computer.
Most people tend to already have a network installed at home since many use broadband Internet with a router, so it may make sense to make use of an old computer to create a centrally located storage server.
While the old desktop may not become a high performance file server, it can easily be converted to storing your file to help you backup your data.
On top of that, you can also share the data stored on your home file storage server with any computer connected to the network.
Create one or more backup file servers is easy to do, and I’ll touch on how you can go about doing it in this post.

A Server is a Computer Than Can Store Data

As mentioned earlier, the old desktop that you have lying around probably won’t be a high performance file server, but it can easily be more than what you need it to be for simply storing your files.
If you have more than one desktop, then you can also create multiple backup file servers, however; there is a cost to running multiple desktops as servers.
Before you setup an old desktop as a home storage server, there are a few things that you will need. The items are outlined below.

A Server is a Computer That Requires Some Setup

While most desktops will already contain the following items, you may want to go over the list to ensure you have everything.

• Large enough hard drive(s) to store your data. While a server is a computer, it is also a computer that has multiple hard drives running with RAID. In the case of your old desktop, you may want to ensure that you have at least one hard drive installed that is large enough to store your data files. A faster hard drive may help provide a more high performance file server than a slower hard drive.
• Network adapter card. All computers sold today have network adapters installed, so unless you are using a computer that is more than 10-15 years old, there should already be a network adapter card installed. You may also want to upgrade to a gigabit ethernet card if your network supports it for faster transfer rates.
• An Operating System. I had to throw this one in here, even though you probably already have an OS installed. You will need to determine what operating system you will be running and ensure it is installed. If you are familiar with Linux, then install that OS, likewise with Windows and Mac.

The above list provides the basics that you will need installed to create your backup file server. The items below will outline the principals that are needed to setup a computer to act as a server.

A Sever is a Computer that Needs User Permissions

The server will need to be connected to the network in order to be used as a backup file server. This will require some knowledge of both network security and operating systems.
If you are familiar with both, then you can ensure that the following is performed:

• Connect the server to the network. Plugging the server into a router or switch that is connected to your home network will connect the server to your home network. You may even want to assign a static IP address to ensure the IP of the server will always be the same.
• Create the file shares. In order to share data, you should create shares on the server to limit access to specific directories on the server. You can create many shares, with different access levels so you can create different configurations.
• Set up user access levels. Once the shares are setup on the server, the next step is to assign specific user permissions to the shares. You can create users on the server, and then assign those users to groups to help control the access. When someone connects to a share, they can then provide the user ID and password to connect to the share.
• Allow connection to the server. Firewalls and security software may block access to and from the server, so you must ensure that your security software has been opened to allow connections. This part may be complex, especially if you have several, different security software and hardware installed on the network.

By look using the above ideas to create your home backup server, you can help to keep your data safe and be able to share it among other computers that are connected to your network.
A server is a computer that you may have lying around, and while it may not be a high performance file server, it can be created easily and cheaply.

Functions and Resources of Memory Card Data Recovery Software

Without a dependable, preexisting data backup system, recovery from memory card failures, and the resultant data loss can be expensive and near to impossible. At times, even the best data recovery technicians encounter insurmountable complications. But do not despair. Sometimes the process of memory card data recovery can be as simple as rightly applying the correct memory card data recovery software.
Data recovery solutions come in three formats: 1) Hire a data recovery specialist, 2) Purchase professional data recovery software, or 3) Download a free data recovery software package. This article addresses the second two methods of memory card data recovery.

Concept of Data Recovery

Flash memory has a limited number of write cycles. Writing zeros to the location of a deleted file would senselessly reduce the life of the memory card. Thus when files are erased, the system merely modifies the file directory so that the file seems no longer to exist.
In seeking to squeeze the most possible write cycles out of a flash card, the system applies equal usage to ever area of the card. Before deleted file space is reused, the remainder of the flash chip must be filled up.
This overwrite process is very useful for flash memory card data recovery. In fact, this is a best-case scenario for file recovery. Unless the memory card is physically unreadable, the right software, correctly applied, can help you recover lost data.
Most every data recovery software package addresses the same issues with similar methods. They go after the underlying data by ignoring the conventional Windows file system. They typically work out of RAM memory so as to avoid any risk of writing data to the target drive or flash memory card. Use them to:

• Fix partition tables
• Recover deleted partitions
• Recover boot sectors
• Fix FAT tables
• Rebuild NTFS boot sectors
• Undelete files
• Copy deleted files to new sources
• Repair MFT using MFT mirror
• More.

Memory Card Data Recovery Software

I make the following software lists for reference rather than for detailed application processes. All are considered effective data recovery packages.

• PhotoRec – Free, open source software.
• IsoBuster – Free with limited function. Pro version $29.
• Adroit Photo Recovery – Priced at $40.00.
• Photo Rescue – Priced from $29 to $99.
• Digital Photo Recovery – Priced at $29.

SAN & NAN Introduction.

Definition: A storage area network (SAN) is a type of local area network (LAN) designed to handle large data transfers. A SAN typically supports data storage, retrieval and replication on business networks using high-end servers, multiple disk arrays and Fibre Channel interconnection technology.SAN technology is similar but distinct from network attached storage (NAS) technology. While SANs traditionally employ low-level network protocols for transfering disk blocks, a NAS device typically works over TCP/IP and can be integrated fairly easily into home computer networks.
The term SAN can sometimes refer to system area networks instead of a storage area network. System area networks are clusters of high performance computers used for distributed processing applications requiring fast local network performance. Storage area networks, on the other, are designed specifically for data management.

Also Known As: Storage Area Network, System Area Network

 

 

 

 

Definition:NAS allows files to be stored and retrieved across a computer network. A NAS includes a dedicated hardware device often called the head that connects to a local area network (usually via Ethernet). This NAS "server" authenticates clients and manages file operations in much the same manner as traditional file servers, through well-established network protocols like NFS and CIFS/SMB.

NAS systems attempt to reduce the cost associated with traditional file servers. Rather than utilize general-purpose computer hardware and a full-featured network operating system (NOS) like NetWare, NAS devices generally run an embedded operating system on simplified hardware. NAS boxes support hard drives, and sometimes tape drives, but lack peripherals like a monitor or keyboard. Designed specifically for network storage, a NAS tends to be easier to manage than a file server.The term "NAS" is often confused with the related term "SAN" (Storage Area Network). In a nutshell, NAS devices are just one type of entity that can exist on a SAN.
Also Known As: Network Attached Storage

How to Design your own Visual Resume

Why create a job resume that resembles a standard black-and-white Word document written in Times New Roman when you can easily use pictures, maps and other visual elements to make your otherwise boring resume stand out from the rest.

In the above slides, Jesse offers some good and compelling advice on why you need to make a visual resume and how you can go about creating one using presentation software that you probably already have on your computer.
A visual resume is obviously not any replacement for traditional resumes yet but it can certainly help you accentuate your achievements and education better.

Do Not Lose Your Data – Learn How to Recover Hard Drive Files

Sooner or later, each one of us will accidentally delete a file. Sometimes the recovery process is simple. Other times the process used to recover hard drive files can be extremely technical. In these few words, I am going to take you from the simple to the complex.

Simple Solution

Some deleted files can be recovered from the Windows trash bin. The process here is simple. Double left click on the Windows Recycle Bin. This opens a window into the recycle folder. The displayed content includes every deleted file that has not been permanently deleted by an empting of the trash bin. If the deleted file is displayed in the list, merely right click on the filename. This displays a list of options. Select Restore. When the confirmation dialog box is displayed, select the option to continue. The deleted file will be restored to its original location on your hard drive.

Using Software to Recover Hard Drive Files

Unfortunately, the simple solution often fails. Once the Recycle Bin has been emptied, it cannot be used to recover a deleted file. We must turn to special software.

Pay Attention: Cease using the hard drive that contains the deleted or damaged file. Every call to the hard drive increases the risk that the file will be permanently lost. Programs designed to recover hard drive files can only succeed if the space occupied by the deleted file has not been overwritten by new data.
Unless you are using a file-shredder software package, Windows never actually deletes the contents of a file. It merely reassigns the space by informing the system that the file is no longer active. With the right software, you can reset the file name and restore the file space to active use by the original file.
Now it would be senseless to waste what little space remains in trying to explain how you use any particular file recovery software. Thus I will finish this out by pointing to one particular free file retrieval tool.
Recuva by Piriform: http://www.piriform.com/recuva/builds. This free file recovery program is easy to use and easy to install. The download is small. Remembering that any use of the hard drive increases the risk of failure, it is critical that you download and utilize the portable version of Recuva (rcsetup139.zip). The software is wizard driven, meaning that the menu makes operation simple.
File retrieval software is not limited to the recovery of deleted files. In many cases it can recover data from virus infections, system crashes, and even what appears to be a fatal hard drive failure.

Configuring Routing Protocols

Routing protocols serve one function: To let nearby routers know how to get to them and the networks they serve. There are two basic types of routing protocols: distance vector protocols and link state protocols. The simplest protocols are perhaps those that classify as Distance Vector protocols. They base their routing decisions on the number of intermediate routers along a given path. This has the advantage of taking very few resources but has the disadvantages of not considering bandwidth or the load of the available link. They also suffer limitations when long distances are present. The path may be valid but because of the high metric, the routers decide that the remote host or network is unreachable. In addition, these types of protocols usually broadcast their entire routing tables at preset intervals. This can take quite a bit of time and consume considerable bandwidth. Protocols that fall under this classification are RIP, IGRP, and BGP. Link State protocols function by maintaining a database of advertisements they have received from other routers called the link state database. This means that each router is wholly responsible for determining the best path to a given location from its point of view and already has an idea of an alternate path, if any, should the first path become unavailable.

• I. Configuring RIP

• The Routing Information Protocol (RIP) is perhaps the simplest of routing protocols. It functions by broadcasting its entire routing table to all participating networks once every 60 seconds for IP or once every 90 seconds for IPX. When a route is heard from a remote router, the metric is increased by one. This number cannot exceed 15. A metric of 16 describes an unreachable network. The simplicity of this protocol means that there is very little that the router must do each update. This allows the processor to perform other tasks. At the same time, there is no database being maintained. Its all contained in the routing tables. This simplicity, however, requires increased bandwidth as the entire routing table must be sent across the network. In a large network, this can take considerable time. In addition, It is not uncommon for networks to be more than 15 hops apart. This means that end nodes will not be able to contact each other because the metrics surpass the "unreachable" point. Configuration is a 3 step procedure. First, create a RIP process and determine if any other routing process (such as IGRP or OSPF) is to redistribute its routes into this one. Second, specify which networks will receive RIP broadcasts. Third, configure any non-broadcast neighbors. A sample configuration might look like

  router rip
    redistribute igrp 1000
    network 2.3.4.0
    network 4.5.3.0
    neighbor 4.5.5.2
    neighbor 4.5.5.3
  

  
  

• II. Configuring IGRP

• The Interior Gateway Routing Protocol (IGRP) is a dynamic distance-vector routing protocol designed by Cisco Systems in the mid-1980s. The advantages of IGRP over RIP include the maximum diameter of the network. Networks over 15 hops are unreachable in a RIP controlled network. IGRP allows up to 100 hops by default and can be set to accept paths as far away as 255 hops. IGRP uses a combination of user-configurable metrics including internetwork delay, bandwidth, reliability, and load. Unlike RIP, IGRP routes are shared in proportion to their cost to provide equal or unequal cost load balancing with up to 4 paths to a given destination. Equal or unequal cost can be specified with a variance factor. The variance determines how unequal paths can be when performing load balancing. A variance of 1 (the default) specifies load balancing only when all paths are of an equal cost. This behavior can be overridden with the "traffic-share" command. To permit only the path with the lowest cost to be used, specify "traffic-share min". "traffic-share balanced" is the default. Basic IGRP configuration is very similar to that of RIP. An IGRP routing process must be created on the router and given a list of participating networks. IGRP also accepts an optional Autonomous System number. When running IGRP over a non-broadcast network, systems which will accept updates can be entered individually with the "neighbor" command, as in RIP. Interfaces included in the range of addresses specified with a network statement that should not participate in IGRP (an example would be if that interface is managed through some other protocol such as OSPF), it can be designated passive with the "passive-interface" statement. Example configuration:

  router igrp 1000
   variance 3
   network 203.4.22.0
   network 204.103.24.0
   neighbor 204.103.24.5
   neighbor 204.103.24.6
   neighbor 204.103.24.7
   passive-interface Ethernet4/1
   passive-interface Fddi3/0
  

  
  

• III. Configuring Enhanced IGRP

• Enhanced IGRP is a redesign by Cisco of IGRP. It is intended to overcome some of the limitations that became apparent when IGRP was put into heavy use. Principally, improvements concentrated on the convergance time. Towards that end, a new convergence algorithm, DUAL (Diffusing Update Algorithm) was introduced. Among the benefits gained by the new algorithm is a guarantee of loop-free routing tables where EIGRP is the controlling protocol. EIGRP also introduces partial updates. This allows fewer routing messages to be exchanged between routers which, in turn, consume less bandwidth, leaving the data path free for user data. Partial updates also allow the receiving router to spend less time recalculating routing tables since routes not included in the update do not have to be recalculated. Two key features of EIGRP are support for variable-length subnet masks and arbitrary route summarization. This allows for the removal of "classfull" routes in favor of CIDR routes, reducing the size of the routing table as a whole and allowing for easier maintenance of routing tables. EIGRP is also capable of automatically summarizing routes into common routes when possible. This feature can be disabled by specifying "no auto-summary" in the EIGRP configuration. Additional summarization can be performed within the router configuration on a per interface basis by placing "ip summary-address eigrp" statements in the interface configuration commands to advertise a specific aggregate as belonging to a given autonomous system as shown below.

     interface Ethernet0
      ip summary-address eigrp 1234 201.200.8.0 255.255.224.0
  

  The result of this command is that advertisements of networks within the 201.200.8.0 block are reduced to a single advertisement of the aggregate block. So rather than sending routes for 32 class C networks, as RIP would do, a single advertisement encompassing all 32 networks can be made instead. Another addition to EIGRP is support for the exchange of hello messages. When an EIGRP process is started, the router will send out hello packets on all participating interfaces using multicast packets when appropriate. Once the router determines which other routers are participating in EIGRP, the process of exchanging updates can begin. This allows for routers to quickly determine when new routers are added to the network or when existing routers become unreachable. Basic configuration of EIGRP does not differ significantly from that of IGRP except that the router configuration command requires an EIGRP process ID instead of the optional autonomous system number. Like IGRP, EIGRP supports unequal cost load balancing. But because of EIGRP's rapid convergence, enabling this feature is not only desirable from a traffic standpoint, when enabled, the other paths are already in use so fall over time in the event of a failure is minimal. To ease the transition from IGRP to EIGRP, routes are automatically redistributed between the two protocols.
  

• IV. Configuring OSPF

• The Open Shortest Path First (OSPF) Protocol was designed by the IETF as an IGP expressly for use with TCP/IP networks belonging to a single Autonomous System. It is designed as a link state protocol and is scalable to all but the most complex networks. OSPF operates by forming adjacencies between routers and creating a topological database containing information about the state of all the links in the OSPF network. This information includes weights placed on various interfaces based on the bandwidth of the link and the type of interface or placed there manually by the network administrator. The cost of an internal path is determined by calculating the sum of the cost of traversing each link in the database. The path with the lowest cost (shortest path) is chosen as the best route. If there are multiple paths with equal cost, OSPF will load balance across up to 4 of these paths. This database is updated whenever an adjacency is formed or dropped. Because a complete picture of the network is maintained by every router, when an adjacency drops and the corrosponding link is no longer availible, a new path can quickly be chosen from information the router already has. However, because it must hold a complete copy of the topological database, the memory requirements are quite substantial. On large networks, the number of links in the database can grow to immense proportions. In these cases, a single link change can have a significant impact on every router in the system. A link that is intermittantly availible and unavailible can lead to high processor use for all routers, diminishing the performance of the network. OSPF provides a method of segmenting the network into several areas. These areas act as described above and are connected to a "backbone" area (area 0). The area boundry routers, rather than propegating every link state advertizement (LSA) into the backbone, only propegate "summary" advertizements describing the area they are linked to. This summary advertizement describes the entire area database in a single message, thus reducing the computational overhead and memory usage. Dividing the network into areas also reduces the impact of a single router or interface changing states on the rest of the network. only the attached area must recalculate the paths through that router or interface. Use of stub areas and route summarization between areas can also help to reduce the number of entries in the topological database and reduce the memory requirements and CPU requirements for recalculating paths when changes occur in the network even further. Stub areas do not receive external LSAs (those injected into OSPF via redistribution from another protocol, such as RIP) and do not have to maintain any link state records except those within the stub area. Routers configured with OSPF discover other OSPF routers by multicasting or unicasting hello packets to all SPF routers (multicast address 224.0.0.5). These hello packets are used to form and maintain adjacencies between routers. Adjacencies are formed automatically across point to point links. On multiaccess networks such as ethernet, a "Designated Router" (DR) is elected. This router forms adjacencies with all other routers on the multi-access network and is responsible for synchronizing the topological database. In addition, a backup designated router (BDR) is also selected. In the event of a failure which disconnects the DR from the network, the BDR takes over and a new BDR is elected. This reduces traffic across the network since each router does not have to form an adjacency with every other router. This also reduces the CPU usage on all other routers connected to this network when a router becomes unavailable. Which routers are DR and BDR can be determined with either "show ip ospf neighbors" or "show ip ospf interface <interface>". OSPF is enabled by creating an OSPF routing process and specifying a process ID. Which networks OSPF operates over is controlled by "network" statements (as in RIP or IGRP). At the same time, these networks are assigned an area number. Neighbors can be hinted at by using the "neighbor" statement. Note that a neighbor does not necessarily form an adjacency. The exec command "show ip ospf neighbor" can be used to determine which routers are viewed as neighbors and the state of the link (whether they are simple neighbors, adjacent neighbors, BDR, or DR.) A simple OSPF configuration is shown below.

   Interface Ethernet0/0
    ip address 1.1.1.1 255.255.255.0
   Interface Serial1/2
    ip address 1.1.2.1 255.255.255.0
   Interface Fddi2/0
    ip address 1.1.3.1 255.255.255.0
  
   router ospf 1234
    network 1.1.1.0 0.0.0.255 area 1
    network 1.1.2.0 0.0.0.255 area 2
    network 1.1.3.0 0.0.0.255 area 0
  

  This sequence of commands configures OSPF on the three interfaces listed assigning Ethernet0/0 to area 1, Serial1/2 to area 2, and Fddi2/0 to the backbone area (area 0). Note that the network statements require a wildcard mask and not a network mask. OSPF also supports variable length subnetting and route sumarization though it must be configured manualy. Sumarization takes place between areas and into the OSPF backbone area. Configuration of summary networks is done at area border routers with the "area <area ID> range <network> <network mask>" command. Using route sumarization can greatly decrease the size of the topological database and reduce the amount of recalculation that needs to be done when a route becomes inaccessible or other topological changes occur. The backbone area should not be sumarized. If all other areas are summarized properly, all the backbone area will contain is summary routes. Similarly, sumarization can be done when another protocol is redistributed into OSPF with a "summary-address <network> <network mask>"
  

• V. Configuring BGP

• The Border Gateway Protocol (BGP) is another in the family of distance vector protocols. However, unlike most routing protocols, BGP views its paths in terms of Autonomous Systems (ASs). An AS is loosely defined as a collection of routers under common administration. For example, Primenet is one AS, MCI is another, AT&T a third, and so on. Each of these ASs has their own AS number, which is used in the BGP exchange. Primenet's AS number (ASN) is 3549, MCI is 3561, and so forth. BGP functions by setting up peering sessions with neighboring routers. An important advantage of BGP over other protocols is the use of TCP to transmit update messages and maintain peering sessions. Because of this, these sessions are not intended directly to be a measure of the link integrity, but more to provide an idea of the health of the neighboring router. If the router becomes unreachable or stops responding, the peering session will drop and the routes received over that link will be deleted from the BGP tables and other routers subsequently informed. This loss of conectivity can be caused by the router going down due to a failure or loss of power, a problem with the link the session is transmitting over, or simply congestion which causes BGP information packets to be dropped. With the explosion of the internet over the last several years, routers which experience repeated BGP or EGP neighbor state changes have become more problematic. This is usually caused by the router rebooting multiple times or by an intermittant link. Most recently, a cause of such problems has been routers simply being overwhelemd by update messages and being unable to maintain peering sessions as a result. The term coined to describe this repeated advertizement and deletion of routes is "route flap" or a router "flapping". The result is that neighboring routers (and quite probably routers two or three links downstream) being overwhelemd with these messages and spending all their time recalculating paths. The effect of this is that those routers' services are degraded until stability returns. It can even cause those routers to begin to "flap" as well as the number of updates goes beyond what that router is capable of processing, creating a cascade failure. A great deal of research and development is being done by many companies at a feverish rate to produce routers capable of handling these updates and many service providers have instituted policies designed to reduce the size of the routing tables to reduce flap or to protect themselves from flap by "dampening" routes that flap repeatedly in a given interval. A BGP route contains only a few pieces of information. The first is the network that the route describes. Second, the AS path necessary to get to that destination. Third, the origin of the route (External BGP or EBGP, Internal BGP or IBGP, another Interior Gateway Protocol or IGP, or incomplete.) Fourth, the router ID of the advertizing router, and finally, the BGP next hop address. BGP provides a simple, yet effective loop detection method. Simply, the AS path of the learned route is checked against the router's own AS number. If this number apears anywhere in the path, the route is unusable and is discarded. There are also a few weights and metrics associated with a BGP route which are used to aid in the path selection process. The first is litterally known as a "weight" and is used only by the router which sets it. This weight is not propegated to other routers. The second is a "local prefference" value. This is propegated to all routers belonging to a single AS. The last value availible is a "metric" or "Multi Exit Descriminator" (MED). MEDs are advertized to EBGP neighbors and is used to hint at the best path into an AS. The MED is reset when the route is readvertized to a third AS. The BGP path selection process is straight forward.
  • If the next hop is inaccessible, do not consider it.
  • Consider larger BGP administrative weights first.
  • If the routers have the same weight, consider the route with higher local preference.
  • If the routes have the same local preference, prefer the route that the local router originated.
  • If no route was originated, prefer the shorter autonomous system path.
  • If all paths are of the same autonomous system path length, prefer the lowest origin code (IGP < EGP < INCOMPLETE).
  • If origin codes are the same and all the paths are from the same autonomous system, prefer the path with the lowest Multi Exit Discriminator (MED) metric. A missing metric is treated as zero.
  • If the MEDs are the same, prefer external paths over internal paths.
  • If IGP synchronization is disabled and only internal paths remain, prefer the path through the closest neighbor.
  • Prefer the route with the lowest IP address value for the BGP router ID.
  BGP configuration begins by creating a BGP process and listing the router's local ASN. Next, neighbors are listed with their ASNs. A router with the same ASN is identified as an iBGP peer and those with differing ASNs are eBGP peers. The following configuration establishes a BGP process with ASN 3549 and creates an iBGP session with router 1.2.3.4 and an eBGP session to router 2.3.4.5 with AS number 380.

    router bgp 3549
     neighbor 1.2.3.4 remote-as 3549
     neighbor 2.3.4.5 remote-as 380
  

  Advertizements of reachable networks can be controlled by redistributing another protocol into BGP or by manualy configuring these networks as in the following example.

    network 1.0.0.0
  

  The class A network 1.0.0.0 is placed in the iBGP routing tables and becomes eligible for advertizement to eBGP peers with an origin code of "IGP". In general, this is the prefered method of advertizing BGP networks as redistribution of other protocols into BGP results in the loss of information about those networks learned by the IGP and mutual redistribution can lead to routing loops. In the normal case, BGP must synchronize with an IGP. This means that a route learned by an eBGP peer will not be readvertized to another eBGP peer until the IGP has propegated this route to all routers in the local autonomous system. This has the effect of making certain that the route is not used before all routers know about it, resulting in data loss and serving to stabalize the network somewhat. However, this can slow convergance when routes change and increase the size of the IGP tables. To disable synchronization, use the BGP "no synchronization" command. If redistribution is not used, synchronization must be disabled for BGP to function. Beginning with BGP version 4, BGP supports CIDR and route summarization. Summarization is enabled by default and can be disabled using the "no summarization" command. Routes are summarized by creating aggregate addresses. This has the effect of advertizing a single supernet for multiple related routes when possible in addition to the individual routes. Using the "summary-only" option, these more specific routes can be surpressed. router A:

    router bgp 3549
     neighbor 1.2.3.5 remote-as 3549
     network 1.2.0.0 mask 255.255.0.0
     network 1.3.0.0 mask 255.255.0.0
     network 1.1.8.0 mask 255.255.248.0
  

  router B:

    router bgp 3549
     aggregate address 1.0.0.0 255.0.0.0 summary-only
     neighbor 1.2.3.4 remote-as 3549
     neighbor 2.3.4.5 remote-as 1111
  

  In the preceding example, router A is configured with one iBGP peer and begins advertizing 3 subnets of the 1.0.0.0 class A. Router B configures one iBGP neighbor and one eBGP neighbor and summarizes routes learned from router A into a single advertizement which is sent to the eBGP peer. Often, the closest path to a site may not be the best path, either because of bandwidth limitations or performance problems. The most direct way to prefer one neighbor's routes over another is to simply filter the advertizements to remove the unwanted routes. This can be done based on network prefix or AS path.

   router bgp 3549
    neighbor 1.2.3.4 remote-as 1111
    neighbor 1.2.3.4 distribute-list 1 in
    neighbor 2.3.4.5 remote-as 2222
    neighbor 2.3.4.5 filter-list 7 in
  
   access-list 1 deny 10.0.0.0 0.255.255.255
   access-list 1 permit any
  
   ip as-path access-list 7 deny _5555$
   ip as-path access-list 7 permit .*
  

  The preceding example prevents neighbor 1.2.3.4 for advertizing that it can reach the network 10.0.0.0/8 and prevents neighbor 2.3.4.5 from advertizing that it can reach any path where ASN 5555 is the last ASN in the path. The as-path regular expressions are documented in the cisco documentation set and follow general regular expression rules. Note that access lists and route maps (as illustrated below) can be applied to either inbound or outbound advertizements. Filtering advertizements is an easy way to determine how you want your network to route but it has one big drawback: if the primary route is down, the destination simply becomes unreachable. The filter prevents the secondary route from ever appearing in the first place. BGP provides two alternative ways of influencing the path selection process: weights and local prefference values.

   router bgp 3549
    neighbor 1.2.3.4 remote-as 1111
    neighbor 1.2.3.4 weight 300
    neighbor 2.3.4.5 remote-as 2222
  

  Configuring weights for all of a neighbor's routes requires no more than an additional statement in the BGP configuration, specifying the weight that should be assigned to these routes. If two neighbors advertize that they can reach the same network, the path with more weight will be selected. It should be noted that the configured weight is only used by the router that sets it. If you want every router in your AS to prefer the same path, you can use a "route map" to set a local preference value. This value will be propegated to every iBGP peer that receives this route. Routes with no local preference set receive a local preference of 100. Higher local preferences are selected first.

   router bgp 3549
    neighbor 1.2.3.4 remote-as 1111
    neighbor 1.2.3.4 route-map set-weight in
  
   route-map set-weight permit 10
    set local-preference 200
  

  Route maps allow complex filtering to be performed based on multiple conditions. There can be multiple statements underneath a route-map to alter a variety of attributes. The routes altered can also be limited by further filtering the advertizements by using an access-list (prefix or AS path) to "match" a subset of the routes being processed. It is also possible to apply multiple policies to the same neighbor. These policies are ordered sequentially according to the number listed after the "permit" or "deny" statement. The following example illustrates some of these capabilities.

   router bgp 3549
    neighbor 1.2.3.4 remote-as 1111
    neighbor 1.2.3.4 route-map local-policy in
    neighbor 1.2.3.4 distribute-list 25 in
  
   route-map local-policy permit 10
    match as-path 1
    set weight 300
  
   route-map local-policy permit 20
    match ip address 20
    set local-preference 125
    
   route-map local-policy permit 30
    set as-path prepend 1111
  
   ip as-path access-list 1 deny _350_
   ip as-path access-list 1 permit .*
  
   access-list 20 permit 120.10.0.0 0.0.255.255
   access-list 20 deny any
  

  This example also demonstrates that it is possible to alter the AS path of a given route. By prepending the appropriate AS number, it is possible to increase the path length of a BGP route, making it further away. One problem with running iBGP is the requirement of BGP for a "full mesh" within the AS (every router must establish a peering session with every other router). Clearly, this is not possible in all settings and can create problems when a great meny peering sessions must be maintained on a single router. There are ways to reduce the mesh needed to propegate iBGP routes and simplify the structure of the autonomous system. The first of these is router reflectors. Normaly, when a route is received from one iBGP speaker, it is not readvertized to another. Route reflectors provide a way to permit this occurence. Each client's routes are reflected to every other iBGP router that the server peers with. The clients are configured as normal iBGP speakers. The server simply designates clients as such.

   router bgp 3549
    neighbor 1.2.3.4 remote-as 3549
    neighbor 1.2.3.4 route-reflector-client
    neighbor 1.2.3.5 remote-as 3549
    neighbor 1.2.3.5 route-reflector-client
  

  With such a configuration, peering between 1.2.3.4 and 1.2.3.5 is not necessary since the route server reflects the routes received by each neighbor to the other neighbor. Another method of reducing the iBGP mesh is to create a confederation, effectively splitting the single AS into several smaller autonomous systems. These "mini-ASs" must be fully meshed but only require one connection between themselves and other mini-ASs. Confederations allow the smaller ASs to exchange routes between themselves as if they were using iBGP (local preference values, MEDs, etc are all preserved). To the rest of the world, the confederation appears as a single AS.

   router bgp 65501
    bgp confederation identifier 3549
    bgp confederation peers 65502 65503
    neighbor 1.2.3.4 remote-as 65501
    neighbor 1.2.3.5 remote-as 65501
    neighbor 2.3.4.5 remote-as 65502
    neighbor 2.3.4.6 remote-as 65503
    neighbor 2.3.4.6 weight 300
    neighbor 5.5.5.5 remote-as 1050
    neighbor 5.5.5.5 route-map set-preference in
  

  The local router is identified to the confederation as 65501. It is identified to non-confederation peers as ASN 3549. AS 65502 and 65503 are also members of this confederation. iBGP connections are configured between this router and the routers listed as 1.2.3.4 and 1.2.3.5. Peering sessions are established between this router and the confederation members 65502 and 65503. There is also an eBGP session established with router 5.5.5.5 with the remote ASN of 1050. This router will view the peer as AS 3549 and not be aware of 65501, 65502, or 65503. This router sets the local preference for AS 1050 and passes it to every iBGP peer and the rest of the confederation.
  

• VI. Exchanging Routes Between Protocols

• It is entirely possible (and often necessary) to exchange routes learned by one protocol into another. An example of such a case would be where a network cannot be managed by a single protocol due to software or hardware limitations. Such limitations might be due to a lack of adequate memory in the router or a router that does not support the desired protocol. It might also be the case that functionality provided by one protocol is not sufficient in a particular area of the network and another protocl must be left to manage that section. In order for the rest of the network to know the routes to those other sections and vice versa, the protocols must exchange routing information. Assume that a collection of routers only speak RIP but that these routes need to make their way into EIGRP and the EIGRP routes neet to be injected into RIP. Redistribution would occur at the boundry router and would look similar to the example that follows.

   router eigrp 10
    redistribute rip
  
   router rip
    redistribute eigrp 10
  

  The routes that one protocol learns are now visible to the other. But assume for a momment that the network running RIP only needs to default out to the network running EIGRP. In this case, the RIp network does not need to see the eigrp routes and the redistribution is only necessary into EIGRP. This saves memory on the RIP routers, network bandwidth, calculation time, etc and generaly makes things run cleaner. It also eliminates one problem with the configuration shown above. Once the routes from the RIP process are distributed into the EIGRP process, they become EIGRP routes and are eligigle to be distibuted BACK into the RIP process. This can create routing loops and destroy the connectivity of the network. When using such mutual redistribution, careful filtering is required to avoid such pitfalls. This filtering is set by using a route-map along with the redistribution statement. In this example, the RIP network needs to learn the EIGRP routes and send its routes back. The RIP network manages routes for 10.2.3.0/24 and 10.2.4.0/24. The EIGRP network routes the rest of the 10.0.0.0/8 network.

   router eigrp 10
    redistribute rip route-map rip-in
  
   router rip
    redistribute eigrp 10 route-map eigrp-in
  
   route-map rip-in permit 10
    match ip address 20
  
   route-map eigrp-in permit 10
    match ip address 21
  
   access-list 20 permit 10.2.3.0 0.0.0.255
   access-list 20 permit 10.2.4.0 0.0.0.255
  
   access-list 21 deny 10.2.3.0 0.0.0.255
   access-list 21 deny 10.2.4.0 0.0.0.255
  

  This effectively limits the routes seen by the two processes. This is not the only method of filtering, however. Assuming the same access lists, the following two configurations would also work.

   router rip
    redistribute eigrp 10 metric 2
    distribute-list 21 in
  
   router eigrp 10
    redistribute rip
    default-metric 1000 100 250 100 200
  

  Or

   router rip
    redistribute eigrp 10
    distribute-list 20 out
  
   router eigrp 10
    redistribute rip
    distribute-list 21 out
  

  These two examples accomplish the same end result as the route-map example above. In addition, two other features are demonstrated. The first is the setting of a metric on the inbound routes. The second is a default metric used when the metric cannot properly be calculated or when information is missing (as in the redistribution). This information is specific to the protocol and the command refference guide should be used to determine which values to use.

Configuring Access Lists and Network Security

Once the router's interfaces are configured, a momment should be taken to determine if any of these interfaces connect to "secure" networks. These networks can be those that connect corporate workstations with the rest of your network or perhaps the rest of the internet. They could also be networks which house servers that provide specific services to the internet community but which you would like to protect as much as possible. A good example of such a server is a WWW server of SMTP gateway. The general public needs to be able to view your web page and send you mail but they do not need to be able to connect interractively to those servers. Other uses for access control could be in protecting parts of your corporate intra-net from other parts of your company. For example, if you have a Research and Development department, it is unlike that you'll be giving your sales staff access details on top secret projects. Likewise, you don't want your Research and Development department making some clever modifications to your accounting servers. The traditional way of protecting such servers is with access lists. Access lists filter Internet traffic and determine if a packet is permitted to pass into or out of the network. Ideas about how access lists should be designed, where they should be placed, and how physical networks should be structured to allow propper filtering without overloading network links and the routers they connect varry considerably. Some corporations choose to invest in commercial "fire wall" products while others will implement minimal access controls at all. Still others will invest in the hardware necessary to service access lists at two levels (one router that blocks access to itself and the interrior router and a second, the interrior router, that blocks access to itself, is only accessible from inside or even only from its console, and provides primary access list control. This router generally does nothing else besides filtering packets and sending them to its default router or a local host.) Which method you choose depends on your needed level of security, your budget, and the particular application for which the protection is needed. The decisions that lead to the various scenarios are beyond the scope of this document, however. This section intends to focus solely on access list design and implementation for the general case. Cisco has created two different classes of access lists within its routers. The first, the standard access list, filters only on source address. If numbered access lists are being used (IOS 11.1 and earlier did not support named access lists), than these lists would be numbered from 1 to 99. The second type of access list, the extended access list, is numberes from 100 to 199 and is capable of filtering based on source address, destination address, protocol, protocol port number, and a myriad of other features not necessarily applicable to general IP traffic. Once an access list is created, it must be tied to an interface in order to be used. The interface configuration considers a filter list to be an "access group". The access group can be applied either inbound or outbound with respect to the interface. For example:

 Interface Serial0
  ip access-group 101 in
  ip access-group 6 out

This group of commands specifies that traffic coming into Serial0 must be processed through extended access list number 101 and that outbound traffic must pass through standard access list 10 before leaving the interface. Standard access lists are configured by specifying a list number, wether a match on this entry will result in traffic being permitted or denied, and the host or network which is being filtered and the mask associated with it (if it is a network or subnet).

 access-list 10 permit 234.5.6.12
 access-list 10 deny 5.10.10.32 0.0.0.31
 access-list 10 permit 5.10.0.0 0.0.255.255
 access-list 10 permit 123.234.0.0 0.0.0.255

The above example creates access list 10 and configured 4 entries. The first line permit all traffic with a source IP address of 234.5.6.12. Note that when a host IP address is listed, no mask needs to be associated with it. The second line denies all traffic from the subnet 5.10.10.32/27. One thing to observe about access lists is that instead of netmasks, they use what Cisco calls "wildcard masks." These masks function very similarly to netmasks with one important difference. Network masks operate from left to right. Wildcard masks operate from right to left. Therefore, when looking at the above configuration line, what the wildcard mask is matching is the 32 addresses that begin at 5.10.10.32. (Since zero is a valid mask, it counts as one address. Hence 31 is used in the mask instead of 32.) The remaining two lines permit traffic from 5.10.10.0.0/16 and 123.234.0.0/24 respectively. On first glance, a newcommer to access lists might think that the only thing getting denied to this network is the second line and that the permit lines are unnecessary. Access lists, though, are designed to be selectively permissive, not to selectively deny traffic. As a result, an implicit deny exists at the end of this access list. (More propperly, anything that does not explicitly match an entry in the access list is dropped.) There are a couple of other important things to consider when creating access lists. First, order is extremely important. Since access lists function through "short circuit" processing (bail out when a match is found), those entries that are most likely to match traffic should be listed first. IP access list processing is very processor intensive. By listing frequent matches first, processor utilization is kept to a minimum. Note also lines 2 and 3 of the above example. They state, collectively, that all traffic from 5.10.0.0/16 is to be permitted EXCEPT for those hosts in 5.10.10.32/27. If line 2 (the deny statement) were listed AFTER line 3, than the denial would have no effect. The traffic would be permitted as a result of line 3 and those hosts you intended to block would be allowed access. When you create access lists, you should review them very carefully to be certain that no mis-ordering has occured. The second thing to watch for when creating access lists is the fact that changes to a cisco router take effect immediately upon entry. It is a fact that most access lists are not the stagnant, unchanging creatures we would like them to be. From time to time, they will require modification. Modifying an access list means deleting the existing list and recreating it with the appropriate changes. When an interface is configured to refference an access list that does not exist, the traffic will, by default, be permitted through. However, when you create that access list, the implicit denial at the end can result in your configuration session being filtered out. As a matter of policy, it is good practice to remove the refference to the access list from the interface before modifying the access list. (via "no ip access-group 123" or whatever access list you intend to refference.) Building extended access lists is somewhat more complicated and requires a few more steps. Since extended access lists filter based on both the source and destination IP address, two parts to each entry are needed. The following is a brief example of an extended access list for IP.

 access-list 101 permit tcp any any established
 access-list 101 permit tcp any 204.34.5.25 host eq 80
 access-list 101 permit ip 203.45.34.0 0.0.0.255 204.34.5.0 0.0.0.255
 access-list 101 permit tcp 203.44.32.0 0.0.0.31 204.34.5.0 0.0.0.255 eq telnet
 access-list 101 permit tcp any 204.34.5.10 eq smtp

This access list allows all TCP connections with the established flag, allows any user to get to the host 204.34.5.25, tcp port 80 (which is the http port), all IP protocols from 203.45.34.0/24 to reach any host within the 204.34.5.0 class C, all hosts within 203.44.32.0/27 can telnet into any host on the 204.34.5.0, and allows all hosts to connect to the smtp port on host 204.34.5.10. A few notes about this access list. The first line is important. It allows all packets which have had the TCP established flag set. This means two things. First, all outbound connections will be able to have the return traffic pass back through the access list. This is important. Since outbound tcp connections come from random ports above 1024, it is not possible to filter explicitly for outbound connections. The established field takes care of that. Second, an inbound TCP connection only needs to have the first packet pass beyond this point in the access list. Once the connection has been opened, the remaining traffic will have the established flag set and will not have to again pass through the entire access list. The second line also demonstrates that when a source or destination is used, the wildcard mask can be replaced with the word "host" to indicate this. It also gives an example of filtering based on a destination port. The third line matches all IP protocols (TCP, UDP, ICMP, etc. Everything that gets encapsulated in an IP packet.) The source and destination network number and wildcard mask pairs function the same as in standard access lists. The fourth line shows that, on well known services, the port number can be replaced with the name of the service. There is one last important thing to consider when creating access lists however. Many services depend on other services in order to function. For example, you can't just permit telnet connections without permitting DNS packets to get through as well. You often won't be able to telnet out unless telnet ident requests can come back into your network. If you wish to synchronize the clocks on your computer systems to other systems, you likely need to permit NTP packets (both TCP and UDP) to pass through. For this reason, carefull consideration is needed when creating access lists. It is all too easy to overlook one or two key services when creating lists. As network administrators gain experience with access controls, these omissions become more rare, but they still occur with annoying frequency. Access lists should be tested throroughly once they are in place. Both to be certain that necessary traffic is permitted through the list as well as to be certain that unwanted traffic does not.

Configuring the Router

The Cisco Internetwork Operating System (IOS) is extremely flexible and powerful. Hence, there are many subtleties to configuring certain services and many things that the router can do that you will never use. For the full description of the options that can be used with each of these commands, refer to the router configuration guide and command reference. These documents are available in printed form and via the World Wide Web as http://www.cisco.com/univercd/data/doc/software.htm. (hint: This is a good bookmark to place in Netscape.) From there, you may select the appropriate version of IOS to find the section you are looking for. Cisco interfaces are named according to interface type and interface number. The 7000, 7200, and 7500 series routers also add a slot number. All interfaces and slots are indexed at zero. The first ethernet port on a model 2501 router would be identified as Ethernet0. The fourth serial port on a 7000 with a serial card in slot 2 would be Serial2/3. * For the remainder of this section, it is assumed that the reader has entered the terminal configuration mode within the router via "configure terminal" from the privileged EXEC prompt.

• I. Set a Hostname

• The first order of business in configuring a router is to choose a hostname for the router. This name is not used by the router itself and is entirely for human consumption. The hostname you set replaces "Router" in the prompt and can be useful in distinguishing which router you are connected to when telnetting among several routers. This line also appears within the first 20 lines of the configuration file and can be used to distinguish saved configurations of one router from another. The form of this command is

    hostname <name>
  

  
  

• II. Establishing Enable Password Protection

• Before connecting the router to your network it is also a good idea to set the enable password. This password is used to gain privileged access to the router so it should not be an obvious password. The format of this command is as follows:

    enable password <password>
  

  This password may contain any alphanumeric characters up to 80 including spaces but MUST NOT START with a number or a space. The password is stored in an unencrypted (plain text) format in the configuration file. Obviously, it is desirable to have the password encrypted before it is saved. To do this, use:

    service password-encryption
  

  This will cause all passwords in the system to be encrypted before being stored in a saved configuration using Cisco's proprietary encryption algorithm. NOTE: There is no way to recover a lost encrypted password.
  

• III. Optionally Enable UDP and TCP network services

• Cisco routers support standard network services for TCP and UDP such as echo, discard, daytime, and so forth. These services are enabled with the commands

    service tcp-small-servers
    service udp-small-servers
  

  It should be noted that these package all standard network services in one bundle. Without creating access lists, it is not possible to disallow any of the services these create. Cisco also supports a finger daemon to give information about who is connected to a given router. This service is enabled by default. Finger may be disabled as follows

     no service finger
  

  
  

• IV. Configure Console and Network Access

• Initialy, the only device setup for access is the console. When placed in the field, it is more convenient to program and maintain the routers through a telnet connection than it is to dial up into each router to configure or monitor the system. In order to do this, virtual ttys (vtys) must be configured. Generally, 5 vtys should be configured however, the router will support up to 100. Each should be given a timeout to avoid all vtys being in use. If all vtys are in use, further connection attempts will result in a "connection refused". It is probably a good idea to force the user to enter a password before he can login to the router through a vty as well. An example of this configuration is shown below.

    line vty 0 4
    exec-timeout 30 0
    login
    password steamboat
  

  This creates 5 vtys numbered 0 through 4. Each vty has a timeout of 30 minutes and 0 seconds. These vtys require a password for login. This password is "steamboat". Note: If password-encryption is enabled, this password is encrypted before being stored in the router's configuration. The minimum number of vtys that may be enabled is 5. Usually you do not want to require a password for console access but you would like to specify a timeout.

    line con 0
    exec-timeout 15 0
  

  For a full description of how each vty may be configured, refer to chapter 4 of the router configuration guide.
  

• V. Configure Serial and Ethernet Interfaces

• By far, the easiest interfaces to configure are ethernet interfaces. To bring up an ethernet interface, all that is necessary is to assign it an IP address, associate a netmask with that address, and turn up the interface. For example, to bring online the ethernet interface on a 2501 and assign it the IP address 150.151.152.1 with a class C netmask (255.255.255.0), the following commands would be used:

    interface Ethernet0
    ip address 150.151.152.1 255.255.255.0
    no shutdown
  

  and thats it. It should be noted that this has the side effect of placing a route for 150.151.152.0 in the 2501's routing tables since this is a network that is directly "Connected" via ethernet0. As a result, you can immediately connect to any system on that network from the router. Routing and types of routes will be discussed later in this document. Configuring serial interfaces for point to point connections is not too different.

    interface serial0/3
    ip address 203.142.253.33 255.255.255.252
    encapsulation ppp
    mtu 1500
    no shutdown
  

  This gives serial0/3 the address 203.142.253.33 and makes it part of a subnet of 2 ip addresses (plus broadcast/network number) of 203.142.253.32-35. Again, a connected route is placed in the routing tables. These routes can be useful when configuring BGP or OSPF or some other routing protocol as discussed later. IP subnetting, as used in the above example, is not covered within the scope of this document. The preceeding example also assigned a link encapsulation of PPP to the interface and gives it an MTU of 1500 bytes, which is the default if no MTU is specified. This is correct for most instances, but when connecting to another cisco, it will be slightly more efficient to make use of Cisco's HDLC protocol. This is the default encapsulation for all serial interfaces. To make use of this, either omit the encapsulation or specify "no encapsulation" to remove a previous setting. There is a third encapsulation for serial interfaces, frame relay, which will be discussed in its own section later on.
  

• VI. Configuring the CIP card and the virtual interfaces

• The CIP card appears to the router as a controller instead of a standard interface. T1 channels may be defined, modified, or deleted without any external configuration to the card. CSU loops may be initiated and released from within software and testing patterns run to these loops from the router. The advantages of full management is well known to anyone who has spent any time at all performing work as a network operations technician. The ability to quickly determine CSU states, attempt quick fixes, and obtain a full diagnostic of the problem is invaluable when reporting an outage to a carrier. The more information that can be provided to them during the initial problem report can often greatly speed the diagnostic and repair processes. The T3 controller, since it is built on VIP2 technology introduces a third level to the card designation. Instead of simply slot/port, it not introduces a port adaptor number. Since there is only one CT3IP per card, the port and port adaptor numbers will always be zero. An interface in slot 2 will be identified as 2/0/0. T1 channels are designated by a colon and a channel number after the interface identifier (numbering 1 through 28 to coincide with belcore designations). In the previous example, the 17th T1 channel would be 2/0/0:17. The first step in configuring this interface is the configuration of the T3. Settings required are T3 framing, clock source, and cable distance (which is used in determining the LBO to use). The default cable length is 224 feet. This should be acceptable for most applications. The framing types availible are cbit and m23. It is possible to configure the router to auto-detect framing but in many instances, auto detection can lead to future problems so it is best to use this only when you are uncertain of the framing being used. Once the framing has been identified, it can then be set staticly in the router's configuration. For most muxed T3s, the framing type will be m23. cbit is used, for example, in a clear channel T3 into an ATM network.

   controller t3 0/0/0
    framing m23
    clock source line
    cablelength 224
  

  Once the T3 has been configured, T1 channels may be assigned. The T1 channels need to be configured for the number of slots on the T1 in use, the framing and encoding being used, the speed of the underlying DS0s (56K or 64K), and the clock source for the T1.

   controller t3 0/0/0
    t1 1 timeslots 1-24 speed 64
    t1 1 clock source line
    t1 1 framing esf
    t1 1 linecone b8zs
  

  T1 default parameters are clock source line, esf, b8zs, and 64K DS0s. If this is the desired configuration, the only command necessary is "t1 1 timeslots 1-24". The first three channels on the T3 may also be output to the connectors on the outside of the card. This is accomplished by configuring that T1 as external.

   controller t3 0/0/0
    t1 external 1
  

  After the T1 is configured, the router creates a virtual serial interface. This interface does not appear until the T1 has been created and is identified in the same manner described above. For example, to refference the serial interface for the first t1, it would be identified as Serial0/0/0:1. This interface may beconfigured as any other serial interface. Loopbacks and tests are initiated from the interface level. The T3 may also be looped back from the controller configuration. It is important to note that the T1s may NOT be looped from the controller configuration.

   interface Serial0/0/0:1
    loopback network
  

  The loop is removed by specifying "no loopback network" in the interface configuration.
  

• VII. Add IP Routes and Set a Default Route

• Obviously, the internet is not centered around one router. Usually, to get to another system requires passing through at least one other router (probably several). It is also possible that more than one network will end up on a single interface. The general form of Cisco's route command is

    ip route <network> <mask> <interface/next-hop> [metric]
  

  The metric is used by certain routing protocols such as RIP as a hint to other routers of the "distance" to network when advertising this route to other routers. In general, you can omit the metric and let the routing protocols assign default values to these. Examples: Add a route for 202.123.100.0 (class C) through 204.203.12.1.

    ip route 202.123.100.0 255.255.255.0 204.203.12.1
  

  Add 122.250.0.0 (class B) to ethernet0

    ip route 122.250.0.0 255.255.0.0 Ethernet0
  

  Classless Inter-Domain Routing.

  With the recent explosion of the internet, Dividing address into class A, B, C, and D networks is no longer adequate. Cisco's IOS support the concept of Classless Inter-Domain Routing, or CIDR entries (often pronounced "cider") to allow a given subset of any class of network to be routed at a given destination. For example, the following example routes 8 class Cs at the specified router.

    ip route 221.243.242.0 255.255.248.0 128.230.3.1
  

  Note that the only change from the above examples is the different mask. This command uses subnet style netmasks to split off 8 class C networks beginning at 221.243.242.0 through 221.243.250.0 and lists 128.230.3.1 as the next-hop router. Normally, 8 routes would be needed to accomplish what this one entry has done. The goal of CIDR routing is to simplify routing tables and reduce the size of the internet routing tables, preventing complete collapse when older backbone routers (such as sprint, ANS, and Alternet) reach a point where they simply do not have enough memory to hold the full internet routing tables and cannot operate. Such outages cause major disruption of internet services worldwide. One practice often used is subnetting a class C network into blocks of 64 or 32 IP addresses for customers who don't require the full 254 addresses in order to save wasting large blocks of numbers. Traditional subnetting allowed you to split a class C into blocks of 4, 8, 16, 32, 64, and 128 but ONLY one size. Cisco's IOS supports variable length subnetting however. This allows a class C to be segmented such that it is possible to have some portions 4 addresses in length, some in 32, etc. This permits more efficient use of addresses by eliminating the need to send 32 addresses at a customer who only intends to use 6. One caveat of subnet routing is that the IOS does not normally permit you to specify a subnet mask with a class C address (ie, you can't route a subnet of 8 addresses 203.102.123.0 since that is the network number for a class C and it wants to treat the route as a class C route). This can cause confusion when looking at routing tables. In order to get around this, Cisco has provided a command to override this behavior:

    ip subnet-zero
  

  Once that has been entered, it will very happily take the subnet route.
  

• VIII. Configure Frame Relay

• Configuring Frame Relay is a little more complicated than configuring point to point networks and therefore involves a few more steps. First is to configure the interface as a frame relay link. At the same time, you need to specify the type of frame relay packets carried by this network. Currently, cisco only supports IETF and Cisco's own frame relay packet types. Since not very many vendors use the cisco format, we always specify IETF. The format of this command as as follows.

     interface Serial0/0
     ip address 1.2.3.4 255.255.255.224
     encapsulation frame-relay IETF
  

  Having the wrong LMI type specified can interfere with the operation of the frame relay circuit. Cisco supports LMI types ANSI (annex D), cisco (default), and q933a (annex A). Most vendors' switches are capable of auto detecting which LMI type you are using but not all. Generally, its safe to leave the default LMI type set. Should you need to change it, the command is

     frame-relay lmi-type ANSI
  

  to specify the ANSI packet format. Using LMI, the router can obtain information from the switch and other routers with PVCs to this circuit to build its own DLCI list or map as its sometimes called. However, it should be noted that cisco has problems talking to some vendors' equipment (most notably Livingston Enterprises.) This can result in the router sensing an active PVC (based on what its getting from the switch) but not being able to tell what the address of the router on the other end is. For the sake of robustness, it is generally better to manually configure the DLCI list. This can make it more difficult to configure the router or make changes in the frame relay network but can save considerable headaches when initially configuring a circuit or coping with service disruptions within the frame relay network. The DLCI number assigned to each PVC is provided by the telco and is entered into the router along with the networking protocol operating over this PVC as well as additional optional information about this PVC. For example, a router transmitting IP into with an address of 10.2.3.4 and connected to DLCI 19 would be entered into the "map" as shown below

     frame-relay map ip 10.2.3.4 19 broadcast IETF
  

  Again, the packet type needs to be specified for this particular PVC and again, we have selected IETF. The "broadcast" keyword instructs the router to forward broadcast packets over this PVC. This can assist with broadcast routing protocols, for example. One line is needed for each DLCI configured. You can check to see the status of the PVC you just setup by entering the command "show frame-relay map" from the EXEC prompt.
  

• IX. Configure Asynchronous Transfer Mode (ATM)

• The structure of ATM draws heavily from X.25 and frame relay but is designed to operate at much higher speeds. Unlike frame relay, however, there is a card for the 7000 and 7500 series router designed specially to interface with the ATM network. It is also possible to configure ATM over a serial interface using a serial interface (either FSIP or HSSI) or (on a 4000) an NMP. For more information on this configuration, refer to chapter 7 of the configuration guide. Configuring the ATM interface begins with assigning the interface an IP address (as demonstrated earlier in this document). Like Frame Relay, ATM requires that each host on the network be a part of the same subnet. The next step is configuring PVCs. There are two parts to doing this. The first is creating the PVC "map" on the interface. The second is mapping a protocol address to each PVC created. PVCs are created by assigning a Virtual Circuit Descriptor (VCD) to a given Virtual Path Identifier (VPI) and a Virtual Circuit Identifier (VCI). The VCI for a given link, as with frame relay DLCIs, is assigned by the carrier. The general form of the command to create a PVC on a given interface is

     atm pvc <vcd> <vpi> <vci> <aal-encapsulation> [[<midlow> <midhigh>]
  	[<peak> <avg> <burst> [oam <seconds>]]
  

  The VCD is specific to the router and is used by the router to match VPI/VCI pairs and can be different than the numbers used to identify the VPI and VCI. It is also necessary to specify an encapsulation for the ATM packets over this VCI. This is the ATM Adaptation Layer (AAL). The peak and average values are used to specify the bandwidth at which this PVC will be permitted to connect. When these values are omitted, the highest possible connection rate is assumed. Next, it is necessary to map a protocol to each PVC created on an interface. This is accomplished by creating a map list. Each entry in this list has the form "<protocol> <address> atm-vc <vcd> [broadcast]" where protocol is either IPX, IP, or AppleTalk for example. The address is the address of the remote router with respect to the protocol being transmitted over the virtual connection. Once the map is created, it need to be associated with a given ATM interface using the interface command "map-group <map name> An example configuration might look as follows

  interface ATM1/0
   ip address 1.2.3.4 255.255.255.224
   ipx network 121
   atm pvc 32 0 3 aal5snap
   atm pvc 33 0 4 aal5snap
   map-group atm-map-1
  
  map-list atm-map-1
   ip 1.2.3.5 atm-vc 3 broadcast
   ipx 121.0000.0c7e.a45.546 atm-vc 4
  

  There are two principle AAL encapsulations appropriate for use with data. The first, as already shown is aal5snap. This encapsulation allows multiple protocols to be routed over a virtual circuit. The second encapsulation is AAL5MUX. This encapsulation dedicates a single protocol to a virtual circuit. It has slightly less overhead than AAL5SNAP and can be useful when the network you are attached to has been configured with a per packet usage charge. The current default for Cisco's IOS is AAL5SNAP. However, earlier versions of the operating software specified AAL5NLPID as the default. NLPID is also a multi protocol encapsulation somewhat similar to SNAP which is often used when running ATM over a serial interface (such HSSI) where an external ATM DSU is necessary. This encapsulation is prevalent at exchange points such as Ameritech's NAP (AADS).

SAN vs NAS - What Is the Difference?

Question: SAN vs NAS - What Is the Difference?

Both Storage Area Networks (SANs) and Network Attached Storage (NAS) provide networked storage solutions.

Answer: A NAS is a single storage device that operate on data files, while a SAN is a local network of multiple devices that operate on disk blocks.

SAN vs NAS Technology

A SAN commonly utilizes Fibre Channel interconnects. A NAS typically makes Ethernet and TCP/IP connections.

SAN vs NAS Usage Model

The administrator of a home or small business network can connect one NAS device to their LAN. The NAS maintains its own IP address comparable to computer and other TCP/IP devices. Using a software program that normally is provided together with the NAS hardware, a network administrator can set up automatic or manual backups and file copies between the NAS and all other connected devices. The NAS holds many gigabytes of data, up to a few terabytes. Administrators add more storage capacity to their network by installing additional NAS devices, although each NAS operates independently.Administrators of larger enterprise networks may require many terabytes of centralized file storage or very high-speed file transfer operations. Where installing an army of many NAS devices is not a practical option, administrators can instead install a single SAN containing a high-performance disk array to provide the needed scalability and performance. Administrators require specialized knowledge and training to configure and maintain SANs.

SAN / NAS Convergence

As Internet technologies like TCP/IP and Ethernet have proliferated worldwide, some SAN products are making the transition from Fibre Channel to the same IP-based approach NAS uses. Also, with the rapid improvements in disk storage technology, today's NAS devices now offer capacities and performance that once were only possible with SAN. These two industry factors have led to a partial convergence of NAS and SAN approaches to network storage.