Document: Building a Cisco Network for Windows 2000 P2 doc

Chapter 1 • Developing a Windows 2000 and Cisco Internetwork

The DEN Solution

DEN is a solution to several challenges from which both enterprise administrators and software vendors suffer. Administrators and vendors are faced with the following issues:
■ How to integrate new e-business systems
■ How to incorporate service level agreements for specific users
■ How to apply and manage policies
■ How to integrate management “islands” (i.e., separate network administration units and separate network management systems)
■ How to get interoperability from systems right out of the box
■ How to achieve advanced services that are applicable network-wide

DEN solves these issues with the definition of a directory service, shown in Figure 1.2, which can manage:
■ Integration of e-business systems, media, devices, and protocols
■ Incorporation of service levels into the management of users and applications
■ Application and management of policies
■ Integration of extensible management applications into the directory to centralize the network management
■ Utilization of common protocols, common application programming interfaces (APIs), and a common repository for information to ensure interoperability
■ Advanced services from configuration, access control, security, and provisioning of Quality of Service (QoS)

As a result, DEN harnesses the power of a database to centralize and manage network systems and services. DEN defines a common schema for network units and services, and enables interoperability between them. DEN specifies an object-oriented information model, called a directory, for networked units. A networked unit is defined within the directory as a class. The network units, or classes, are not limited to devices or user accounts, but encompass every possible application or system that can participate on the network. Classes are composed of objects that share the same basis of attributes. Any single network element (a user account, server, policy, etc.)
represents some individual entity (Joe User, Server1, or SecurityPolicyA, and so on) on the network. Each object contains a set of attributes that describe its properties. For example, an attribute for a user account may be the user’s telephone number.

www.syngress.com 71_BCNW2K_01 9/10/00 12:27 PM Page 4

DEN does not define a management protocol like Simple Network Management Protocol (SNMP), even though it enables network management at a new level. It does not define a network protocol like Lightweight Directory Access Protocol (LDAP), although new directory services will likely integrate LDAP. It does not define a new type of schema for a database. DEN is not a product in and by itself. DEN is a definition of the foundational elements required for building a directory enabled network service or application. It defines a standard hierarchy for a directory service, but opposes limitations by defining extensibility. When DEN is used, multiple vendors will not experience conflicts between their schemas, and network device configuration and management can be performed through the use of the directory service.

In the DEN policy server model, network devices will use standard protocols to access the network, such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP). The network devices will access servers or hosts to attempt a network transaction, which will check the directory service (whether it is stored locally, or on other servers) for any policies that may apply. If a policy does apply to the network transaction, the policy is applied and the transaction is permitted with whatever alterations the policy requires, or denied based on the policy, as shown in Figure 1.3.

Figure 1.2 Directory-enabled networking architecture. (Figure labels: Directory service; Distributed storage; Application A, Application B, Application C, Application D; Directory; Report; users can access the directory for use of applications; a report can be generated from the directory with integrated information.)

Figure 1.3 Policy server model. (Figure labels: Network Traffic Flow; Policy Enforcement; Policy Decision? Yes / No; Policy Server; Directory Service; Stored Policy; Policy management application; Policy Management.)

QoS is a way of establishing a priority (or lack of priority) for a specific type of traffic depending on when it is sent, what type of traffic it is, where it is going, or from where it is coming. Consider an example in which a corporate executive videoconferences with direct reports over the internetwork on a monthly basis. This executive travels from one location to another and can be anywhere when he or she holds the videoconference. As a result, the executive is never using the same computer or the same Internet Protocol (IP) address when videoconferencing. Many QoS products will mark a type of traffic with priority based on its physical or Media Access Control (MAC) address, which is determined from either the IP address or host name of the computer using Address Resolution Protocol (ARP). If the executive wants the videoconference to be granted priority over other network services, then the network administrator will need to know what IP address or host name the executive is using at the time the videoconference is held. Not only that, but the administrator will need to find out that same information each and every time the executive holds a videoconference. Without a network administrator manually configuring the videoconference to have priority through QoS, the videoconference will suffer, and as a result, this type of QoS usage will result in an excessive amount of administrative overhead. If the executive holds a spontaneous videoconference without notifying the administrator, then he or she will not receive the expected performance and will be disappointed that the business objective was not met by the QoS product. All of this is a recipe for failure.

The type of network environment in which a QoS product using IP addresses for policy definition will work well is a static environment in which the IP addresses, host names, and traffic types rarely change. With the rate of change of technology today, this type of network is rare.

A DEN-based QoS product can resolve this issue. A DEN-based QoS product potentially can attach a user’s account dynamically to his or her computer’s IP address at logon, and statically attach the QoS policy to the user’s account. Going back to our videoconferencing executive, he or she would log on to the network and would already have a VideoConference QoS policy attached to his or her user account (the policy having been created by the administrator and assigned to the user account). At logon, this policy would dynamically be assigned to the IP address the executive had at that moment. The administrator never needs to be involved except for the initial definition of the QoS policy, and the executive always receives the QoS needed for his or her videoconferences, regardless of where he or she logs on to the network.
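As an added illustration of the policy server model and the videoconferencing scenario just described (example code, not part of the book), the following Python sketch attaches the QoS policy to the account in the directory and binds the IP address to the account only at logon; the policy names, the "exec" account and the addresses are constructed for the example:

```python
# Added example (not from the book): toy DEN-style policy server modelling
# Figure 1.3 and the travelling-executive QoS scenario.  All names (the
# VideoConference policy, the "exec" account, the addresses) are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    name: str
    traffic_type: str   # kind of transaction the policy applies to
    action: str         # "permit" or "deny"
    priority: int = 0   # QoS priority to mark; 0 means best effort


@dataclass
class Directory:
    """Directory service: stored policies plus the current logon bindings."""
    user_policies: dict = field(default_factory=dict)   # account -> [Policy]
    logon_bindings: dict = field(default_factory=dict)  # ip -> account

    def attach_policy(self, account, policy):
        # Static part: attached once by the administrator.
        self.user_policies.setdefault(account, []).append(policy)

    def logon(self, account, ip):
        # Dynamic part: bind whatever address the user has right now.
        self.logon_bindings[ip] = account

    def logoff(self, ip):
        self.logon_bindings.pop(ip, None)


@dataclass
class Decision:
    permitted: bool
    priority: int
    policy: Optional[str]   # name of the matching policy, if any


def decide(directory, src_ip, traffic_type):
    """Policy decision point: resolve the source address to an account via
    the logon binding, then apply its first stored policy for this traffic
    type.  Unmatched traffic is permitted at best-effort priority."""
    account = directory.logon_bindings.get(src_ip)
    for policy in directory.user_policies.get(account, []):
        if policy.traffic_type == traffic_type:
            return Decision(policy.action == "permit", policy.priority, policy.name)
    return Decision(True, 0, None)


def videoconference_scenario():
    """Same policy follows the executive to a different address each month."""
    d = Directory()
    d.attach_policy("exec", Policy("VideoConference", "videoconference", "permit", 5))
    d.attach_policy("exec", Policy("NoFileSharing", "filesharing", "deny"))
    d.logon("exec", "10.1.1.50")                        # month 1, head office
    first = decide(d, "10.1.1.50", "videoconference")
    d.logoff("10.1.1.50")
    d.logon("exec", "10.9.7.23")                        # month 2, branch office
    second = decide(d, "10.9.7.23", "videoconference")
    denied = decide(d, "10.9.7.23", "filesharing")
    stale = decide(d, "10.1.1.50", "videoconference")   # no one bound here now
    return first, second, denied, stale
```

The stale lookup shows why a purely IP-keyed QoS product fails once the executive moves: the old address no longer maps to any account, so traffic from it gets only best-effort treatment.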
TIP
Whitepapers and other information about QoS and policy-based networking can be found on the Internet at the following addresses:
www.qosforum.com/tech_resources.htm
www.xedia.com/products/demystify/htm
www.packeteer.com/technology/tcp.htm
www.netreference.com/PublishedArchive/WhitePapers/WPIndex.html
www.lsiinc.com/warp/public/732/net_enabled/qos_management.html
www.stardust.com/iband3/whitepaper
www.whatis.com/qos.htm
www.internet2.edu/qos/wg/calendar/Feb98ChicagoWGMtg/qos3/tsld001.htm

About Microsoft’s Windows 2000 and Cisco’s IOS

Microsoft’s Windows 2000 and Cisco’s Internetwork Operating System (IOS) combine to provide the power of a DEN model. These operating systems are described briefly in the following section, and in much more detail in Chapter 2, “A Tour of Windows 2000,” and Chapter 3, “Cisco Hardware and IOS Basics.”

Cisco’s IOS and Software Products

Cisco develops many software products to work with their hardware products. The Cisco IOS is a platform that provides network services to an internetwork. It supports both local area network (LAN) and wide area network (WAN) environments, although actual configuration for an environment must also be supported by the Cisco hardware. The IOS can scale to multiple interfaces on a single piece of hardware, and with multiple routers in an internetwork, the IOS proves to be versatile in addition to being scalable from small offices to large enterprise internetworks.
IOS supports standard network protocol stacks and media types, including (but not nearly limited to):
■ Transmission Control Protocol/Internet Protocol (TCP/IP)
■ Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)
■ AppleTalk
■ Ethernet
■ Token Ring
■ Frame Relay
■ Integrated Services Digital Network (ISDN)
■ Asynchronous Transfer Mode (ATM)

Cisco’s IOS is the operating system that Cisco routers, switches, and access servers use to boot up. To enhance access services, routing, and bridging, the IOS supports a full set of security features: encryption, authentication, access control, packet filtering, and firewall services. The IOS is upgradeable as Cisco releases new versions. Each version includes new capabilities and network services. These new services meet enterprises’ business requirements for new technology. The IOS can support and grow with an organization’s needs.

In the grand tradition of UNIX enthusiasts, the IOS is command-line friendly. Although Cisco routers do not come equipped with monitors, they can be accessed over the network, or through a terminal connection. The Command Line Interface (CLI) appears as a simple text-based screen with a prompt, somewhat similar to a DOS prompt. Newer versions of the IOS can be configured using HTML pages and a Web browser.

Cisco ConfigMaker

Designing an internetwork is not an easy job. It takes knowledge of protocols, hardware, software capabilities, and how to place and configure them to achieve the optimal:
■ Performance
■ Reliability
■ Availability
■ Security
■ Scalability
■ Manageability

These must meet the client’s business requirements, and some are in conflict with others. For example, a highly secure internetwork placed in an environment where usability of the network is the highest priority for a business requirement may not be easily achieved.
To the organization, usability may mean granting users short passwords that are identical from system to system and that never change, whereas a highly secure network would absolutely require lengthy passwords that change on a frequent basis. A designer must be aware of these types of issues and be prepared to make decisions based on business requirements. The network designer should make recommendations that are sensible for the environment, even if the organization might want something a little different. In the security versus usability requirements, for example, the network designer could recommend using DEN-compliant systems where all user account information was held in a single database for the entire internetwork, thus requiring users to need only a single password. Then again, the designer could recommend that the users are trained on having longer passwords using numbers and characters (rather than alphabet-only), and suggest that a policy be put in place to force the users to change the passwords on a 60- or 90-day basis. This may not be the most usable system, but it is a fair compromise!

Cisco provides a free tool (yes, FREE!) called Cisco ConfigMaker that a network designer can use when designing an internetwork. Cisco ConfigMaker is an application that runs on Windows 95, Windows 98, Windows NT, or Windows 2000 (on Windows 2000, you should install the Windows NT version). ConfigMaker is downloadable from www.cisco.com/go/configmaker, and is shown in Figure 1.4. ConfigMaker is straightforward, allowing the network designer to configure a small- to medium-size network, or begin the basic design for an enterprise wide area network, or a section of a large network that does not use the enterprise 7x00 series routers, which are not listed within the ConfigMaker tool.
Each new version adds new equipment and features, but the latest version 2.4 supports Cisco routers from the 800 through the 4000 series, switches, hubs, voice equipment, modems, ISDN, and other network devices.

Figure 1.4 Cisco ConfigMaker.

Even though the ConfigMaker tool looks similar to other design applications in which you simply drag a network component to the design window and create the connections, it has a couple of additional features. ConfigMaker forces the designer to make critical design decisions while building the design. It will not allow a connection to be created between two routers if either does not have a port available for that connection. It requires you to state the IP addresses of the interfaces, and warns you if you have selected an IP address that is assigned to another network segment. It forces you to apply passwords to the routing equipment. A typical router configuration dialog, illustrated in Figure 1.5, shows how ConfigMaker includes the interfaces available for the slots in a router (in drop-down boxes) so that you can select each interface as you build the router, and do not accidentally select an interface that is not available for that particular device. ConfigMaker can also collect information about a Cisco device on your network, read which interfaces are installed within it, and then put that information into your network design. In addition, ConfigMaker can write configuration files to routers. It can greatly reduce the time and effort it takes to diagram an existing internetwork. The AutoDetect Device Wizard is shown in Figure 1.6.

Cisco FastStep

Cisco provides another tool, also for use on Windows 95, 98, and NT (or 2000), for configuration of Cisco series 700, 800, 1600 routers and dialup 2500 series access servers. It is called FastStep.
This tool is available as a free download at www.cisco.com/go/faststep.

Figure 1.5 ConfigMaker router slot configuration.

Figure 1.6 AutoDetect Device Wizard can assist in diagramming a network.

Figure 1.7 Fast Step for 800 series routers.

The FastStep application guides an administrator using a “wizard-like” sequence of dialog boxes, such as those shown in Figure 1.7. Each dialog box adds new information towards building a configuration and then applying it to a router. FastStep allows the administrator to select the specific router model and the types of options that the IOS should support on the router. The dialog that illustrates this selection is shown in Figure 1.8. When you complete a router configuration with FastStep, the application will save your options in a file. This file will be the name you give your router concatenated with the suffix .cfg. So, if you run the FastStep application and name your router MyRouter, the file will be called MyRouter.cfg. A sample of this file is available in Appendix A.

Figure 1.8 Router and option selection in Fast Step.

CiscoWorks 2000

Once a router or switch is up and running, the administrator’s next task is to manage it. A network consisting of only one or two routers or switches that is used only during standard business hours (Monday through Friday, 8:00 AM to 5:00 PM) is a simple system and fairly easy to manage on a manual basis. However, if you have a complex internetwork, or one that
must be online and available 24 hours a day, seven days a week, then you need to look at the manageability features and management applications. CiscoWorks is one such application for network management. Cisco recommends that CiscoWorks be used in small to medium networks. CiscoWorks is available for use on UNIX, and there is a version...

...configured and working.

StackMaker An application that an administrator can use to create a virtual stack of devices for easier visual management.

Threshold Manager A remote monitoring (RMON) application that can set thresholds on Cisco routers and switches in order to alert an administrator when the device is not working at optimal levels.

WhatsUp Gold An application licensed from Ipswitch, Inc. that delivers...

...between a vendor and the organization for the streamlining of accounting information, the network administrator would probably want the data to be encrypted while it crosses the Internet. And for servers that store development data for a small group of internal developers, the network administrator may not wish that server to be available on the Internet at all. Another challenge that businesses face is...

...storage
■ High-bandwidth utilization on network media, usually only on a portion of the internetwork
■ Loss of network integrity

You can resolve many bottlenecks by following these best practices:
■ Balance network traffic to a server by using multiple network adapters and network load balancing
■ Use media and protocols that enable the highest bandwidth available. If you have Category 5 cabling and are...

There are very few reasons why a Windows 2000 machine requires rebooting. The BSOD is much more rare than it was in Windows NT. Installation is uncomplicated, since Windows 2000 will detect hardware and install Plug and Play standard hardware. The user interface (UI) is simplified and the operating system supports power management standards.

Active Directory

The Windows 2000 Active Directory is a tremendous...

Table 1.1 Active Directory Features
Feature: Description
Active Directory Services Interface (ADSI): The Active Directory Services Interface (ADSI) is an API for programming and scripting Active Directory applications.
Domain Name System (DNS) integration
Extensible schema
Group Policy
Hierarchical architecture
Hierarchical namespace...

...version available for Windows. There are several components within the CiscoWorks application:

CiscoView A graphical view of back and front panels of the Cisco devices, provided remotely in order to simplify monitoring and configuring devices.

Show Commands A translator of the IOS command-line language to displayed router system and protocol data, facilitating a novice administrator’s ability to understand...

...tremendous enhancement to Windows 2000. This is a feature that can be installed only as part of the Windows 2000 Server line. There are four products:

Windows 2000 Professional Meant to be installed on workstations and PCs for end-user usage, and is considered the upgrade for Windows NT Workstation v4.0.

Windows 2000 Server Intended for small or workgroup servers, and is considered the upgrade version of Windows...

...is applied to HPPrinter, but no access required for Server. (Figure labels: HPPrinter; Server; User Joe; Active Directory Domain.)

Three products, Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 DataCenter Server, can become Active Directory domain controllers (DC). A DC is a server that stores a replica of an Active Directory partition on its storage system. The Active Directory itself is a database, using a...

...have far more insight into how that technology must be able to support their existing business processes. The third phase is to create a vision of the future network. This is the goal of your project. In many cases, it is a good idea to go ahead and put the impossible down as a goal when a team member suggests a technology need. Sometimes that so-called “impossible” feat is actually available as a feature...

Posted: 23/12/2013, 01:16
