URL Filtering

The internet has become a place to access almost any information needed. But some internet content is not appropriate at work: it is the wrong time and the wrong place. Gambling and adult sites are examples. Other sites fall into a "gray area": sports leagues, auction, and social networking sites can reduce employee productivity. The first step of URL filtering is to write a policy stating which sites are allowed and which are denied. The policy must also decide what to do with the "gray area" sites.




How does URL Filtering work?





URL filtering works from a list of restricted sites. Once the list exists, every HTTP request is checked against it. If the requested URL is on the list, the request is blocked and the employee is typically shown a warning screen saying that the site is restricted. The list can be maintained manually by the network administrator (a black/white list), or the job can be handed to a third-party server: the company subscribes to the service, and the list of restricted sites is maintained in a database on the third-party filtering server.


The advantages of the black/white list are:



  • It provides a basic solution if a few specific URLs need to be exempted.

  • It allows the company to directly manage the URLs it considers to be out of policy.

  • Existing network equipment can be leveraged.


The advantages of using a third-party filtering server are:



  • It provides a comprehensive, scalable solution.

  • Companies that specialize in appropriate web content manage the URL lists and provide updates.

  • Existing network equipment can be leveraged.

  • It covers millions of URLs (for the high-end services).


With Cisco, you can use subscription-based Cisco IOS content filtering. The feature was first integrated in IOS 12.2(15)T and is offered through third-party companies: Websense, SmartFilter (N2H2), and also Trend Micro (since IOS 12.4(15)XZ and 12.4(20)T). To configure Cisco URL filtering, you first have to register with one of those companies. The summary steps for configuring URL filtering with Trend Micro are:



  • Configure Class Maps for Local URL Filtering

  • Configure Class Maps for Trend Micro URL Filtering

  • Configure Parameter Maps for Trend Micro URL Filtering

  • Configure URL Filtering Policies

  • Attach a URL Filtering Policy


See the Cisco documentation for configuration examples.



Read more...

The Control Plane (Basic)

A network is said to have two planes: a control plane and a data plane. The data plane simply refers to the information being transported. Besides the main function of a network, routing and forwarding data, there is another critical function the network must provide for its administrators: a way to provision and maintain the network devices themselves. These functions include monitoring network throughput and performance, updating the network topology, establishing new connections, and enforcing security and service policies. They are performed by the control plane of a network device. The control plane is responsible for giving the administrator a clean way to access the device, issue commands, and receive responses. When a network goes wrong, the control plane is critical. If the control plane is compromised or overwhelmed, the network device can become "locked up": no network changes are possible, no monitoring is available, and there is no visibility into the operational state.




Control Plane Protection


Control plane protection (in Cisco IOS: Control Plane Policing, CoPP, and its finer-grained extension Control Plane Protection, CPPr) should be applied to ensure that CPU time and bandwidth remain available for the control plane and the network administrator. The actions involved are:



  • Preserving CPU “bandwidth” as a high priority for control plane services

  • Safeguards on the data plane to prevent CPU overruns

  • Separate CPU processors for the data plane and control plane


Denial of service (DoS) and distributed denial of service (DDoS) attacks typically try to overwhelm a device with traffic to the point of instability. Control Plane Policing (CoPP) uses QoS traffic policies to restrict the amount of traffic destined for the network device itself. CoPP treats the control plane as an independent entity with its own ingress and egress "port", so a set of rules can be attached to the ingress and/or egress of that port. Input rules are applied to a packet after it has been determined to have the control plane as its destination; output rules are applied to packets leaving the control plane.





The commands for attaching a QoS policy to the control plane are:

Router(config)# control-plane

Router(config-cp)# service-policy {input | output} policy-map-name

The first line enters control-plane configuration mode, and the second attaches the policy map to the ingress or egress of the control plane port.



Read more...

MultiProtocol Label Switching (MPLS) was originally developed by Cisco in the form of tag switching and was later adopted as an Internet standard by the Internet Engineering Task Force (IETF). Service providers are the primary implementers of the technology. With MPLS networks, service providers can offer services similar to traditional WAN technologies at lower cost and provide additional IP-based services that were previously not available.



MPLS provides an encapsulation scheme that serves as an alternative to traditional hop-by-hop IP routing. When a packet enters the service provider edge, a router assigns a label to the packet based on the destination IP network. The label is a kind of shorthand for a traditional IP route. After the label is applied, the router forwards the packet into the MPLS core. The core routers read the label, apply the appropriate services, and forward the packet based on the label alone. When the packet reaches the destination edge of the service provider network, the MPLS label is removed and the IP packet is forwarded onto the IP network. One of the services providers offer over MPLS is virtual private networks. Using MPLS labels, a provider can deliver IP-based services to many customers without the complexity of traditional Frame Relay or ATM circuit management. Customers can use private or public IP addressing without worrying about overlapping another customer's addressing. Another advantage is that MPLS provides any-to-any connectivity between a customer's sites. MPLS is divided into two layers or planes, each with a specific function: the control plane and the data plane. The data plane handles forwarding operations. The control plane is responsible for the exchange of routing information (including labels) between adjacent devices.



Equipment and Stuff



The three primary types of equipment in MPLS are:


  1. CPE: Customer premises equipment, located at the customer site. All traffic leaving the local site is routed through this point. The router in this role is called the customer edge (CE).

  2. PE: Located at the ingress point of the SP network, this is the provider edge equipment that assigns (and removes) labels. The PE can be a router or a high-end switch. It is also referred to as the Edge Label Switch Router (ELSR).

  3. P: Located in the core of the SP network, provider (P) routers forward packets based on their labels. This is also called a Label Switch Router (LSR).



MPLS Labels


MPLS uses a label to decide where and how to send packets through the network. The label is applied at the ingress to the SP network and removed at the egress point. The ingress edge router is the only router that needs to process the entire packet header; the information in the header, together with preconfigured instructions, is used to choose the label. Labels can be based on IP destinations (what traditional routing uses) and on other parameters such as IP sources, QoS, VPN membership, or specific routes for traffic engineering purposes. MPLS is also designed to support forwarding mechanisms from other protocols. Label information is distributed throughout the network using the Label Distribution Protocol (LDP).

The label assigned essentially keeps a packet separated from all other customers' packets or cells. Because there is no place where one customer can see another customer's traffic, the risk of someone outside the SP network snooping on packets is removed. Obviously this would not stop someone determined to illegally access a company's information, but it does remove the possibility of someone claiming that he "accidentally" received it. Note that this is separation, not encryption: anyone with access to the provider's core can read the traffic, so a customer that needs confidentiality against the provider (or against a compromised core) must still run IPsec over the MPLS VPN.


MPLS routers forward packets by label, but each router must know the relationship between a label and a path through the network. This relationship is established and communicated throughout the network using Forwarding Equivalence Classes (FECs). A FEC is a group of packets that are forwarded in the same way over the same path through the LSRs; in the simplest case it corresponds to a destination network in the IP routing table. The LSRs simply look at the label and forward the packet according to the FEC it maps to. This is simpler, faster, and more flexible than traditional IP routing.




Read more...

Campus Network Hierarchical Design

Over time, the hierarchical approach to network design has proven to be the most effective. The goal in designing a campus network is to divide buildings, floors, workgroups, and server farms into different layer 3 groups so that a fault does not affect a large part of the network. The layers in a hierarchical design are:



  • Core: The core is the central thoroughfare for corporate traffic. All other parts of the network eventually feed into the core. You should design the core to switch packets as quickly as possible. This level should not include operations that might slow the switching of the packet: The distribution layer should handle any packet manipulation or filtering that needs to occur.


  • Distribution: The distribution layer should provide policy-based connectivity between the access layers and the core layer. It is at this layer that packets should be filtered or manipulated. Therefore as the packets are routed to the core, the core just simply needs to switch them quickly to the destination distribution location.


  • Access: The access layer provides user access to the network. It is at this point that users are permitted (or denied) access into the corporate network. Typically, each person sitting at a desk has a cable that runs to a wiring closet and connects to a switch; hence, this level is where the user accesses the network.






When correctly designed, a campus network can enhance business efficiency and lower operational cost. Additionally, a properly designed network positions a business for future growth. A modular or hierarchical network is made of building blocks that are easier to replicate, redesign, and grow. Each time a module is added or removed, there should be no need to redesign the whole network. Distinct blocks can be put into and taken out of service without impacting other blocks or the network core. This greatly simplifies troubleshooting, problem isolation, and network management.




Campus Design Best Practices




  • Redundancy: redundancy is the key to a highly available network. However, too much redundancy is actually bad for the network: it makes convergence slow and the network hard to troubleshoot and manage.



  • High availability: this refers to the ability of the network to recover from failures. High availability should be designed in at several layers.

    • Layer 1: Redundant links and hardware provide alternative physical paths through the network.

    • Layers 2 and 3: Protocols such as spanning tree, HSRP, and others provide alternative path awareness and fast convergence.

    • Application availability: The application server and client processes must support failover for maximum availability.





  • Oversubscription: oversubscription occurs when there are more traffic-generating endpoints than the network can accommodate at one time. QoS should be used to ensure that real-time traffic such as voice and video, or critical data such as SAP traffic, is not dropped or delayed.





Read more...

OSPF Packet Types

There are five OSPF packet types. The following figure and list describe them:





  1. Hello - Hello packets are used to establish and maintain adjacency with other OSPF routers. The hello protocol is discussed in detail in the next topic.


  2. DBD - The Database Description (DBD) packet contains an abbreviated list of the sending router's link-state database and is used by receiving routers to check against the local link-state database.


  3. LSR - Receiving routers can then request more information about any entry in the DBD by sending a Link-State Request (LSR).


  4. LSU - Link-State Update (LSU) packets are used to reply to LSRs as well as to announce new information. LSUs carry the Link-State Advertisements (LSAs); the CCNA curriculum covers seven LSA types.


  5. LSAck - When an LSU is received, the router sends a Link-State Acknowledgement (LSAck) to confirm receipt of the LSU.



OSPF packet Type 1 is the OSPF Hello packet. Hello packets are used to:

  • Discover OSPF neighbors and establish neighbor adjacencies.

  • Advertise parameters on which two routers must agree to become neighbors.

  • Elect the Designated Router (DR) and Backup Designated Router (BDR) on multiaccess networks like Ethernet and Frame Relay.



Read more...

Inside a Router

A router is a computer. Like a PC, a router has a CPU, RAM and ROM. The components of a router are:

  • Central Processing Unit (CPU). The CPU executes operating system instructions, such as system initialization, routing functions and switching functions.

  • Random-Access Memory (RAM). RAM is volatile memory: it loses its content when the router is powered down or restarted. RAM stores the instructions and data the CPU executes, including:

    • Operating system: the Cisco IOS is copied into RAM during bootup.

    • Running configuration file: the file that stores the configuration commands the router is currently using. With few exceptions, configuration commands are stored directly in the running configuration, known as running-config.

    • IP routing table: stores information about directly connected and remote networks. It is used to determine the best path for forwarding a packet.

    • ARP cache: similar to the ARP cache on a PC, it contains the IPv4 address to MAC address mappings. It is used on routers that have LAN interfaces such as Ethernet.

    • Packet buffer: packets are temporarily stored in a buffer when received on an interface or before they exit an interface.


  • Read-Only Memory (ROM). ROM does not lose its content when the router is powered down or restarted. Cisco devices use ROM to store the bootstrap instructions, basic diagnostic software and a scaled-down version of IOS. ROM holds firmware, software embedded in the integrated circuit that does not normally need to be modified or upgraded, such as the bootup instructions.

  • Flash memory. Flash is nonvolatile memory that can be electrically written and erased. Flash is used to store the router's operating system, Cisco IOS. The IOS is copied into RAM during the bootup process, where it is executed by the CPU (some older routers run the IOS directly from flash). Flash comes as SIMMs or PCMCIA cards, which can be upgraded to increase the amount of flash memory.

  • Nonvolatile RAM (NVRAM). Unlike most kinds of RAM, NVRAM does not lose its content when power is turned off. Cisco IOS uses this permanent storage for the startup configuration file (startup-config). To keep changes made to the router across a power-down or restart, the running-config must be copied to NVRAM as the startup-config.


Router boot-up process
There are four major phases in the bootup process:

  • Performing the Power-On Self Test (POST). POST is a common process done by almost every computer during bootup. When the router is powered on, software on the ROM chip performs POST to test the router hardware. During this process the router executes diagnostics from ROM on several hardware components, including the CPU, RAM and NVRAM. After POST is done, the router executes the bootstrap program.

  • Loading the bootstrap program. After POST, the router copies the bootstrap program from ROM into RAM. Once in RAM, the CPU executes the instructions in the bootstrap program. The main purpose of the bootstrap program is to locate the Cisco IOS and load it into RAM. (At this point, if you have a console connection to the router, you begin to see output.)

  • Locating and loading Cisco IOS. Usually the IOS is located in flash memory, but it can also be stored remotely, for example on a TFTP server (a TFTP server can be used as central storage for IOS images or as a backup server for IOS). If a full IOS image cannot be located, a scaled-down version of the IOS is copied from ROM into RAM; this version is used to help diagnose problems and can be used to load a complete IOS into RAM. Once the IOS begins to load, you may see a string of pound signs (#) while the image decompresses.

  • Locating and loading the configuration file. After the IOS is loaded, the bootstrap program searches for the startup configuration file (startup-config) in NVRAM. If the file exists, it is copied into RAM as the running configuration file (running-config). If the file does not exist, the router may search for a TFTP server: if it detects an active link to another configured router, it sends a broadcast searching for a configuration file across that link, which causes the router to pause. If no startup configuration can be located, the router prompts the user to enter setup mode, a series of questions asking for basic configuration information (setup mode is not meant for complex configuration and is not commonly used by network administrators). You can terminate the setup process by pressing Ctrl-C at any time. If setup mode is not used, the IOS creates a default running-config, a basic configuration file that contains no interface addresses, routing information, passwords or other specific configuration.



Read more...

PIX

Some PIX models: 501, 506E, 515, 535. The Firewall Services Module (FWSM), a blade for the Catalyst 6500, runs firewall software derived from the PIX. The PIX firewall does not run IOS; it has its own operating system and command set.

Most PIX models come with only two interfaces, but some can be expanded with more. Each interface in a PIX must have a physical name, a logical name and a priority (security level). The security level is a value between 0 and 100. By default, traffic may flow from a higher-security interface to a lower-security interface (subject to a NAT translation), but traffic from a lower-security interface cannot reach a higher-security one unless a static translation and an access list explicitly permit it.

Default physical names:
  E0
  E1
Default logical names:
  E0 -> outside
  E1 -> inside
Default priorities (security levels):
  E0 -> 0
  E1 -> 100


A DMZ (demilitarized zone) is an area/segment of your network that is accessible from your inner network and from the internet (servers that must be reachable from the internet usually live here), but the DMZ cannot access your inner network, because the DMZ's security level is set lower than the inside interface's. The DMZ security level is set higher than the outside interface. To make a server in the DMZ reachable from outside you use a static NAT plus an access list on the outside interface.

Failover: a pair of PIX firewalls can work together to provide redundancy, conceptually much like HSRP. Each PIX in a failover pair must have exactly the same configuration. Changes you make to the active PIX are synchronized to the standby PIX; changes made on the standby PIX are not synchronized to the active one, although you are not prevented from making them. On a hardware PIX there is a dedicated failover port for connecting the device to its failover peer.

PIX also supports logging. When configuring logging you choose the destination of the log (the console/monitor, a syslog server) and the logging level (each level gives a different amount of detail).
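A minimal PIX 6.x configuration that puts the points above together (three interfaces with security levels, translations for the allowed directions, a static NAT for a DMZ web server, and syslog), as an added example that is not from the original page. The addresses 203.0.113.0/24, 10.0.0.0/24 and 172.16.1.0/24, the web server 172.16.1.10, the syslog host 10.0.0.50 and the access-list name are assumptions.

```cisco
! Physical name -> logical name -> security level (0-100).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
!
! inside (100) -> outside (0) and inside -> dmz (50) are allowed by default,
! but still need a translation: PAT inside hosts onto the exit interface.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (dmz) 1 interface
! dmz (50) -> outside (0) is also higher -> lower and needs a translation.
nat (dmz) 1 0.0.0.0 0.0.0.0
!
! outside (0) -> dmz (50) is lower -> higher, so it is denied until BOTH a
! static translation and an access list permit it. Publish the assumed
! web server 172.16.1.10 as 203.0.113.10 and allow only HTTP to it.
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE_IN in interface outside
!
! dmz (50) -> inside (100) is deliberately left without a static or an
! access list, so a compromised DMZ host cannot open connections inward.
!
! Logging: level 6 (informational) and below to the assumed syslog host.
logging on
logging trap informational
logging host inside 10.0.0.50
```

The check worth making after such a change is in both directions: a `static` plus `access-group` opens only the listed port from outside to the DMZ host, and nothing for the DMZ host towards inside, so the inside network stays protected even if the web server is taken over. Keep the syslog host on the inside (highest-security) interface so the firewall's own logs cannot be reached from the DMZ.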

Read more...

EtherChannel

EtherChannel is a way to combine several physical links into one logical link.


Cisco EtherChannel, layer 2 (switch)

EtherChannel does not simply multiply the speed of a link. If a logical link consists of four 100 Mbps links, the maximum speed of a single conversation is not 400 Mbps; it is still 100 Mbps, because each flow is hashed onto one member link. Only the aggregate over many flows approaches 400 Mbps. Cisco uses a hashing algorithm to decide which member link a frame uses; depending on the platform it can be configured to hash on:

  • soure MAC address

  • destination MAC address

  • source and destination MAC address

  • source IP

  • destination IP

  • source and destination IP

  • source port

  • destination port

  • source and destination port


How this is configured usually depends on what the other end of the EtherChannel is and on the traffic mix: hashing on source MAC only, for example, puts everything arriving from a single upstream router onto one member link.


Every link participating in an EtherChannel must have the same configuration (same VLAN/trunk settings, speed, duplex, etc.).


There are two EtherChannel negotiation protocols:

  • Link Aggregation Control Protocol (LACP), defined by the IEEE (802.3ad). Used when connecting to non-Cisco devices.

  • Port Aggregation Protocol (PAgP), Cisco proprietary. Used when connecting to Cisco devices.


Each protocol has two modes: LACP has passive and active, PAgP has auto and desirable. The mode determines how the configured interface negotiates the EtherChannel (think of them like the modes of trunk negotiation): active/desirable initiates the negotiation, passive/auto only answers, so two passive (or two auto) ends never form a channel. A third mode, on, forms the channel without any negotiation and must be used on both ends.



Configuring EtherChannel is different in CatOS and in IOS. To establish an EtherChannel in IOS you first create a virtual EtherChannel interface (interface Port-channel number) and configure it (VLAN/trunk, etc.). Then you configure each physical interface that will be part of the virtual interface ('channel-group number mode desirable|auto', entered at interface configuration level). Remember that all the physical interfaces must have identical configuration.

Configuration in IOS:
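The IOS form of the CatOS configuration below, as an added example that is not from the original page: four FastEthernet ports bundled into Port-channel 1 as an 802.1Q trunk, negotiated with PAgP. The port numbers, channel number, VLAN list and load-balancing method are assumptions; on switches that support only 802.1Q the "switchport trunk encapsulation dot1q" line is rejected and can be dropped.

```cisco
! 1) Create the logical interface and configure it (here: an 802.1Q trunk).
interface Port-channel 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! 2) Put the member ports in the group with the SAME configuration.
!    "desirable" negotiates with PAgP; use "active" for LACP or "on" for
!    no negotiation (then the other end must also be "on").
interface range FastEthernet 0/1 - 4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 channel-group 1 mode desirable
!
! 3) Choose how flows are spread over the members (global, per switch).
port-channel load-balance src-dst-ip
!
! Verification:
! show etherchannel 1 summary      (P = bundled in port-channel, s = suspended)
! show etherchannel load-balance
```

A member whose configuration differs from the others (allowed VLANs, speed, duplex, native VLAN) is not added to the bundle but suspended, which "show etherchannel summary" flags with s; check that before assuming the channel carries the full set of links.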


While in CatOS:

set port name 3/1 Link #1 in Channel
set port name 3/2 Link #2 in Channel
set port name 3/3 Link #3 in Channel
set port name 3/4 Link #4 in Channel

set vlan 20 3/1-4

set port channel 3/1-4 mode desirable


Read more...

VTP

Advantages of VTP:
  • dynamic trunk configuration when VLANs are added to the network

  • VLAN configuration consistency

  • dynamic reporting of added VLANs across the network



VTP only learns about normal-range VLANs (VLAN IDs 1 to 1005). Extended-range VLANs (IDs greater than 1005) are not supported by VTP.

Terminology
VTP domain: switches in the same VTP domain share the same VLAN configuration details using VTP advertisements. A router or layer 3 switch defines the boundary of a domain.

VTP modes: a switch can be configured in one of three modes:
  • Server: VTP servers advertise the VLAN configuration to other VTP-enabled switches in the same domain. VTP SERVERS STORE THE VLAN CONFIGURATION IN NVRAM. The server is where VLANs can be created, deleted or renamed.

  • Client: functions the same way as a server, but a client cannot create, delete or rename VLANs. A client also only keeps the VLAN configuration while the switch is on.

  • Transparent: transparent switches do not participate in VTP. They do not store VLANs advertised by servers; however, they do forward the VTP advertisements they receive. VLANs can be created, renamed or deleted on a transparent switch, but they are local to that switch. In transparent mode, VLAN configurations are saved in NVRAM (but not advertised to other switches), so the configuration is available after a reload. This means that when a VTP transparent mode switch reboots, it does not revert to the default VTP server mode but remains in transparent mode.




VTP pruning: VTP pruning stops traffic for a VLAN from being flooded over a trunk to a switch that has no ports in that VLAN. This saves bandwidth.
VTP revision number: each switch running VTP keeps track of a configuration revision number. The revision number is 32 bits and starts from 0. It determines whether the information received is more recent than the current one. Every time a change occurs (a VLAN is added or removed), the revision number is incremented. (A domain name change does not increment the revision number; it resets it to 0.)
VTP advertisements: VTP uses a hierarchy of advertisements to distribute and synchronize VLAN configurations across the network.


VTP Default Settings

version = 1 (VTP has three versions: 1, 2 and 3; only one version is allowed in a domain)
domain name = null (means no domain)
mode = server
config revision = 0
vlans = 1


When VTP first starts, by default there are five VLANs on a switch (1 and 1002-1005).

When a VTP server switch is given a domain name, it propagates the domain name to all switches that still have a null domain.

You can reset the revision number of a switch by changing its domain name.

The command "show vtp status" shows information about the running VTP on the switch, such as the domain name, version, VTP mode, revision number, VLAN information, etc.

The command "show vtp counters" shows how many of each advertisement type have been sent and received.

VTP ONLY COMMUNICATES OVER TRUNK PORTS

VTP ONLY LEARNS ABOUT NORMAL-RANGE VLANs (VLAN IDs 1 to 1005)

VTP DOMAIN NAMES ARE CASE SENSITIVE

VLANs CREATED BEFORE ENABLING VTP WILL BE REMOVED

A SWITCH CAN BE A MEMBER OF ONLY ONE VTP DOMAIN AT A TIME



************
VTP messages
************

VTP messages are encapsulated in an Ethernet frame, which is in turn encapsulated in the trunking protocol (either 802.1Q or ISL). The VTP message (header and message body) sits in the data portion of the frame. VTP ADVERTISEMENTS ARE SENT PERIODICALLY. VTP sends advertisements to the reserved multicast address 01-00-0C-CC-CC-CC (the same address CDP, DTP and PAgP use; the SNAP protocol type tells them apart).

VTP header: fields and size vary, but it always contains the domain name, domain name length, version, message type and revision number.

VTP message: VTP domain name, MD5 digest, updater identity and the timestamp when the message was sent.
for each vlan, the message contains:

  • VLAN ID

  • VLAN name

  • VLAN type

  • VLAN state

  • additional VLAN configuration information


Type of advertisements
Inside each message there's a field that tells which type the message is.

Summary advertisements:

  • are sent every 5 minutes (300 seconds) by a VTP server or client to inform the other switches in the domain of the current revision number, the domain name and other VTP configuration details.

  • are sent immediately after a change occurs.


There is a "followers" field that indicates whether this summary is followed by subset advertisements. The code for this type is 0x01.

Subset advertisements :
contain vlan information. triggered by:

  • creating / deleting a vlan

  • suspending / activating a vlan

  • changing the name of a vlan

  • changing the MTU of the vlan

It may take several subset advertisements to fully update the VLAN configuration. A seq-number field gives the sequence of the packets, starting at 1. The code for this type is 0x02.

Request advertisements :
A request is sent to a VTP server when:

  • domain name has been changed.

  • the switch received a summary with revision number higher than its own.

  • a subset advertisement is missed for some reasons.

  • the switch has been reset.


When a VTP server receives a request, it responds by sending a summary advertisement followed by subset advertisements. The code for this type is 0x03.



***********
VTP pruning
***********

When VTP pruning is enabled on a switch, it reconfigures the trunk links based on which ports are configured in which VLANs.

Essentially, if you want to enable pruning in your network, configuring VTP pruning on the VTP servers is enough; the setting propagates to the whole domain.

VTP pruning only prunes pruning-eligible VLANs. VLANs 2-1001 are pruning-eligible by default; the set of pruning-eligible VLANs can be changed.

Pruning cannot be applied to pruning-ineligible VLANs: 1 and 1002-1005.


*****************
VTP configuration
*****************

Things to note when configuring VTP servers:

  • confirm that the default settings are present.

  • always reset the configuration revision number.

  • configure at least two VTP servers in the network: only servers can configure VLANs, so if one goes down you still have the other.

  • if you set a VTP password, ensure that all switches are configured with the same password. Switches without the password, or with the wrong one, reject VTP advertisements.
    BY DEFAULT A CISCO SWITCH DOES NOT SET ANY VTP PASSWORD.

  • create VLANs after you have enabled VTP on the server, because VLANs created before VTP is enabled are removed.

  • ensure all switches run the same VTP version.



Things to note when configuring VTP clients:

  • confirm that the default settings are present.

  • verify the VTP status: confirm that the VLANs have been updated and the revision number has changed.

  • configure the access ports: you still need to assign ports to the existing VLANs.



(at global configuration)
Configure VTP domain
vtp domain domain-name


Configure VTP mode
vtp mode {server | client | transparent}


Configure VTP password
vtp password password


Configure VTP version
vtp version {1 | 2 | 3}



********************************
Common errors in configuring VTP
********************************
- protocol version mismatch: different VTP versions are incompatible with each other.
- password mismatch, or the password not set on every switch.
- different domain name. To avoid this, configure the domain name only on the VTP servers; the servers propagate it to the other switches (those whose domain is still null).


REMEMBER: because both VTP servers and clients send summary advertisements, both can have their VLAN configuration overwritten. When a server or client receives a summary advertisement with a higher revision number than its own, it requests the VLAN information (subset advertisements) and replaces its own VLAN configuration, no matter whether the sending switch is a client and the receiving one is a server. A switch with a stale but higher revision number (for example one taken from a lab and reconnected with the same domain name) can therefore delete every VLAN in the domain, and every access port in a deleted VLAN goes down. ALWAYS RESET THE REVISION NUMBER OF A SWITCH BEFORE ADDING IT TO THE NETWORK. A VTP password limits this to switches that know the password; running the switches in transparent mode, or VTP version 3 (where only the primary server may change VLANs), closes the hole.
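The server and client steps above in command form, as an added example that is not from the original page: a server is set up first, and every further switch has its revision number reset before it is trunked into the domain. The domain name CORP, the throw-away name BOGUS, the password, the VLAN numbers and names are assumptions.

```cisco
! --- On the switch that will be the VTP server ---
! Check the defaults first: mode server, revision 0, no domain name.
! show vtp status
vtp domain CORP
vtp mode server
vtp version 2
vtp password S3cretVtp
vtp pruning
! Create VLANs only after VTP is configured; earlier ones are removed.
vlan 10
 name USERS
vlan 20
 name SERVERS
!
! --- On every other switch, BEFORE cabling a trunk to the domain ---
! Changing the domain name resets the revision number to 0. Setting the
! name to a throw-away value and back does this even if the switch already
! carries the real name. (Setting the mode to transparent and back to
! client is the other way.)
vtp domain BOGUS
vtp domain CORP
vtp mode client
vtp version 2
vtp password S3cretVtp
!
! Verify on the client that VLANs 10 and 20 arrived and the revision rose:
! show vtp status
! show vlan brief
```

Run "show vtp status" on the new switch while it is still isolated and read the configuration revision line; only connect the trunk once it shows 0. The password protects against a stray switch that does not know it, not against one that was configured with it months ago and kept counting revisions in a lab.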

Read more...

Teleworker Services

Organizations can benefit from having employees work away from the office. This is now quite possible thanks to advances in broadband and wireless technology: data, video and real-time applications can be transferred and distributed across the network.

Security, cost-effectiveness and reliability are top priorities for an organization. With the growing number of teleworkers, enterprises must choose the right technology for connecting people in home offices (SOHOs), small offices or other remote locations. Three technologies that might be used are:

  • WAN layer 2 technologies, including Frame Relay, ATM and leased lines. The security of these services depends on the service provider.

  • IPsec VPNs, which offer flexible and scalable connectivity.

  • Site-to-site connections. This is the most commonly used technology for connecting teleworkers; combined with a VPN over the public internet, it gives a secure, cost-effective and reliable connection.




To connect teleworkers to the organization's network, components are needed on both sides:
  • Components at the worker's site: a laptop/PC, a VPN router or VPN client software, and a broadband connection (DSL, cable).

  • Components at the corporate site: VPN-capable routers, VPN concentrators, security appliances, and central management devices for resilient aggregation and termination of the VPN connections.


  • Soon VoIP and teleconferencing may become part of teleworker connectivity, but these requirements need technology upgrades such as QoS.

    **********************************
    Services Available for Teleworkers
    **********************************
    Cable
    Offered by cable television service providers. This cable system uses coaxial cable that carries Radio Frequency (RF) signals across the network. The internet signal is carried through the same coaxial cable as the television signals; a special modem is used to separate those signals.

    Radio waves constitute a portion of the electromagnetic wave spectrum between 1 kilohertz (kHz) and 1 terahertz. Each TV station has its own frequency in this spectrum. The same applies to a cable network. The frequencies used in a cable network are:
  • Downstream. Traffic from the provider to subscribers. Downstream frequencies are in the range 50 to 860 megahertz (MHz).

  • Upstream. Traffic from subscribers to the provider. Upstream frequencies are in the range of 5 to 42 MHz.

    Data-over-Cable Service Interface Specification (DOCSIS) is an international standard developed by CableLabs, a non-profit research and development consortium for cable-related technologies. It certifies cable equipment from vendors, such as cable modems and cable modem termination systems; devices from cable vendors must pass the tests conducted by CableLabs. DOCSIS defines the communications and operation support interface requirements for a data-over-cable system. DOCSIS specifies the OSI layer 1 and 2 requirements:
  • Physical layer. DOCSIS specifies the width of the channel (bandwidth) and the modulation techniques used to carry the RF signals. The channel width can be 200 kHz, 400 kHz, 800 kHz, 1.6 MHz, 3.2 MHz or 6.4 MHz.

  • MAC layer. DOCSIS defines the access method, such as time-division multiple access (TDMA), frequency-division multiple access (FDMA) or synchronous code division multiple access (S-CDMA).

    As stated above, downstream and upstream use different frequencies. The devices required to send upstream and downstream in a cable system are also different: the Cable Modem Termination System (CMTS) sends RF over the cable system, while the Cable Modem (CM) is located at the subscribers. The CMTS communicates with the CMs. The architecture of the network can consist of optical fiber mixed with coaxial cable: fiber cables connect the headend with nodes (which convert optical signals to RF signals), forming a web of fiber trunk cables, and coaxial cables then connect the subscribers to the node. All subscribers in a network segment of the cable system share the upstream and downstream bandwidth. The actual bandwidth of a CATV line can be up to 27 Mb/s downstream and 2.5 Mb/s upstream.

    DSL (Data Subscriber Link)
    For years, copper lines were used for voice communication only. The bandwidth actually needed to carry a voice conversation over copper lines is 300 Hz to 3 kHz. DSL technology uses the upper bandwidth, from 3 kHz up to 1 MHz, to transfer high-speed data services over ordinary copper lines. The two basic types of DSL are asymmetric DSL (ADSL) and symmetric DSL (SDSL); each type has many further varieties. ADSL provides higher bandwidth for downstream traffic than for upstream traffic, while SDSL provides the same capacity in both directions. Unlike a cable system, the subscriber must be less than 5.5 kilometers from the loop. The advantage of DSL over a cable system is that DSL is not a shared medium: every subscriber uses a separate direct connection.

    Devices needed for a DSL connection are:
  • Transceiver. Located at the subscriber end; usually this is a DSL modem.

  • DSLAM (DSL Access Multiplexer). Located at the central office of the provider. It combines (multiplexes) the individual DSL connections from users into one high-capacity link to an ISP.

    One advantage of ADSL is the ability to use the POTS voice service and the high-speed data service simultaneously. In order to achieve this, voice and data traffic must be separated. Two ways to separate ADSL signals from voice transmission are using a microfilter or a splitter:
  • Microfilter. A microfilter is a passive low-pass filter with two ends. One end connects to the telephone and the other end connects to the telephone wall jack.

  • POTS splitter. A POTS splitter is a passive device that separates the ADSL signals from voice traffic. The splitter can be located at the provider or at the subscriber end. A splitter has three ends: one connects to the telephone, one to the ADSL modem and the other to the wall jack.

    Wireless / Satellite
    DSL and cable require teleworkers to connect their PCs with a cable, either Ethernet or coaxial. Wireless/Wi-Fi doesn't need it. Another thing that makes Wi-Fi easy to install is that it uses unlicensed radio spectrum, whereas most TV and radio stations use transmissions that require a license. Since the beginning of 2007, wireless adapters have become cheaper and many computer manufacturers have started building wireless adapters into their laptop computers.

    Recently, the main challenge of wireless has been the limited area covered by a wireless router or wireless access point. However, with advances in technology, the covered area can be extended: multiple access points can be used together to form one large coverage area. New developments in broadband wireless technology increase wireless availability, including municipal Wi-Fi, WiMax and satellite internet. WiMax offers greater coverage and higher speed than Wi-Fi.
    A WiMax network consists of two main components:
  • A tower, similar in concept to a cellular telephone tower. A single WiMax tower covers a 3000 square mile area.

  • A WiMax receiver, similar to the Wi-Fi adapter in a laptop or PC.

    Satellite internet services are used where land-based internet service is not available. Satellite internet can be used for vessels at sea, airplanes in flight and vehicles on land. Three ways to connect to the internet using satellites are:
  • One-way multicast satellite internet system, used for IP multicast based data such as data, video or audio distribution. Full interactivity is not possible.

  • One-way terrestrial return satellite internet system, which uses traditional dial-up access to send data through a modem and downloads data from the satellite.

  • Two-way satellite internet, which sends data from remote sites to a hub via satellites; from the hub, data is sent to the internet. Each satellite requires precise positioning to avoid interference with other satellites.




    Drupal installation .htaccess error

    Just a few days ago, I installed Drupal on my computer for the first time. It went OK until I wanted to configure my Drupal site for the first time. I was served a 500 Internal Server Error page when I tried to access the index page. My computer runs Windows XP and I use Apache 2.0.55 as the web server.

    After googling around and asking in the Drupal forum why the problem happened, I found that something wrong in the .htaccess is mostly the cause of the problem. So I tried to use the .htaccess that comes with Drupal, but still, it didn't resolve the problem.

    So if it happens to you too, making the following changes to the httpd.conf of your Apache server might help:




    <Directory "/Applications/xampp/xamppfiles/htdocs">
      #
      # Possible values for the Options directive are "None", "All",
      # or any combination of:
      # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
      #
      # Note that "MultiViews" must be named *explicitly* --- "Options All"
      # doesn't give it to you.
      #
      # The Options directive is both complicated and important. Please see
      # http://httpd.apache.org/docs/2.2/mod/core.html#options
      # for more information.
      #
      Options Indexes FollowSymLinks ExecCGI Includes

      #
      # AllowOverride controls what directives may be placed in .htaccess files.
      # It can be "All", "None", or any combination of the keywords:
      # Options FileInfo AuthConfig Limit
      #
      AllowOverride All

      #
      # Controls who can get stuff from this server.
      #
      Order allow,deny
      Allow from all

    </Directory>



    Remember to make the changes in the <Directory "path/to/your/htdocs"> section. Thanks to hunthunthunt who posted it in the Drupal forum.




    Cisco Brings Web Conferencing To More Smartphones

    BARCELONA--Smartphone users will soon be able to participate in Web conferences using the hosted WebEx tool right from their phones.

    Cisco Systems, which owns the WebEx Web conferencing service, announced Tuesday at the GSMA Mobile World Congress 2009 here that it is making a version of its WebEx client software available to several smartphones including Research In Motion's BlackBerry Bold, BlackBerry Curve 8900, and BlackBerry Storm.


    It will also be available for the Nokia E71, Nokia E75, Nokia N97, and other Nokia E series and N series devices, as well as for the Samsung Blackjack II. The new functionality allows smartphone users to participate in Web and audio conference calls right from their mobile devices. The company already offers the capability on the Apple iPhone 3G.

    The application, which is free for all WebEx users, has been downloaded more than 50,000 times, making it one of Apple's top 10 business apps on its App Store. "Cell phone users will no longer be second class citizens," said Doug Dennerline, senior vice president and general manager of Cisco's collaboration software group.


    Change Blog Favicon

    A favicon is a small graphic associated with a website. Most graphical browsers make use of it. The favicon of the website appears beside the URL and, in a multi-tabbed browser, beside each tab title.



    By default, a blog on Blogger has the standard Blogger favicon, but you can change this to any other image that you want. There are websites that offer ready-to-use ico files; iconj is one of them. You can either go to such a website and choose one of the icons they offer, or create a new one yourself. If you choose to create a new one, you must create a new image file (it could be gif or png) of size 16x16 or 32x32; the larger the file, the longer it takes to load. Then you need to find a place to host the image, so it can be accessed from the internet.

    When you're done, whichever way you chose (an existing icon or a new one), the next thing you need to do is to edit the template code of your blog.

    First go to Layout > Edit HTML. You need to add some code inside the head of the template, after the skin section. To make it simple, just find the line with "]]></b:skin>" and add the following code right after it:




    <!-- custom favicon code -->
    <link href="http://binusmaya.110mb.com/ns.PNG" rel="shortcut icon" type="image/png">
    <link href="http://binusmaya.110mb.com/ns.ico" rel="icon" type="image/x-icon">
    <!-- end of custom favicon code -->




    Remember to change the href="" part to the URL of your ico file location.




    Redirection

    Shell redirection operators are used to direct a program's input and output. These operators can be used to feed a program input from another application, from the command line, or even from another file. Those operators are >, >>, and < (there is another redirection operator, <<, known as the here-document operator; use it to tell the shell where to stop reading input).

    The > operator is known as the standard output redirection operator. When used with a program that displays output, the output can be redirected somewhere other than the standard output. For example, when used with the cat command (cat is short for concatenate and is used to print one or more files to your display), the cat command will copy a file by sending its output to another file:

    cat first.txt > second.txt

    The output of the example above is sent to second.txt in the current directory.

    The < (standard input) redirection operator feeds information to a program as follows:

    cat < file.txt

    In the example above, the cat command reads the contents of file.txt and sends them to the standard output.

    The >> redirection operator is used to append the output of an executed command to a file. The example below redirects the output to file.txt. If file.txt doesn't exist, it is created. If it exists, the output is appended to the end of file.txt.

    cat first.txt >> file.txt

    The standard input and output have assigned file descriptor numbers in the shell. The standard input uses the number 0 and the standard output uses the number 1, while another type of output, standard error, uses the number 2. Most Linux commands report errors to the standard error output. You can redirect the error reports to a file like so (note that there is no space between the 2 and the >>):

    cat first.txt >> file.txt 2>> error.log
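    The file descriptor numbers are easiest to see when stdout and stderr go to different files. The following script is an added example, not part of the original post: it builds its own first.txt with a here-document under a temporary directory (mktemp is assumed to be available) and the names out.log, error.log and combined.log are chosen here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): stdout and stderr of a command
# are sent to different files, repeated runs append, and a here-document
# builds the input file. All paths live under a constructed temporary directory.

WORK="$(mktemp -d)"

# write_sample: create first.txt with a here-document; the << operator reads
# lines until the shell sees the delimiter EOF on a line by itself.
write_sample() {
    cat > "$WORK/first.txt" <<'EOF'
line one
line two
EOF
}

# run_logged: run any command, appending its normal output (fd 1) to out.log
# and its error messages (fd 2) to error.log. There is no space in "2>>":
# "2 >> file" would pass "2" as an argument to the command instead.
# The command's own exit status is returned to the caller.
run_logged() {
    "$@" >> "$WORK/out.log" 2>> "$WORK/error.log"
}

# run_combined: merge stderr into stdout in one file. The order matters:
# "2>&1" must come after "> file", because redirections are applied left to
# right and "2>&1" copies whatever fd 1 points to at that moment.
run_combined() {
    "$@" > "$WORK/combined.log" 2>&1
}

# count_lines: number of lines in a file, with wc's leading spaces removed.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# demo: exercise the functions and print
# "<out.log lines> <error.log lines> <combined.log lines>".
demo() {
    rm -f "$WORK/out.log" "$WORK/error.log" "$WORK/combined.log"
    write_sample
    run_logged cat "$WORK/first.txt"                 # 2 lines into out.log
    run_logged cat "$WORK/does-not-exist.txt" || :   # failure expected; 1 line into error.log
    run_logged cat < "$WORK/first.txt"               # stdin redirection: 2 more lines appended
    run_combined cat "$WORK/first.txt" "$WORK/does-not-exist.txt" || :   # 2 data lines + 1 error line
    echo "$(count_lines "$WORK/out.log") $(count_lines "$WORK/error.log") $(count_lines "$WORK/combined.log")"
}

demo    # prints: 4 1 3
```

    The `|| :` after the deliberately failing calls keeps the script going under `set -e`; run_logged itself still returns the command's exit status, so a caller can react to failures while the messages are preserved in error.log.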



    Finding Files and Directories

    The find and locate commands can be used to search for files on your system. The find command can find files and directories not only based on the name or partial name of a file or directory but also on the age of the file (the time elapsed since its creation), the size of the file, the last accessed time and many others. The locate command is used to quickly locate files or directories on your system. This program works very quickly because it uses a database of filenames instead of searching your hard drives.

    To search for files or directories, specify a search path and search pattern on the command line. For example (the pattern is quoted so the shell does not expand it before find sees it):

    find /usr -name '*emacs' -xdev

    The example above searches the /usr directory for the emacs editor and other files whose names end in emacs; it locates the emacs program and its manual page. The -xdev option tells the command to search only your local machine (if there is any remotely mounted file system, it will be searched as well without the -xdev option, and this will take a long time).

    Another example would be finding files in the /usr/bin directory which were accessed within the last 30 days. To do this, use the -atime option of the find command like so (-30 means less than 30 days ago; +30 would mean more than 30 days ago):

    find /usr/bin -type f -atime -30 -print

    The -type f in the example above specifies that we want to find regular files (as opposed to a directory, symlink, device and so on).

    You can also use the locate command to search for files and directories. For example, to look for any icons of the emacs text editor, use the locate command like this:

    locate '*icon*emacs*'

    The locate command searches a database called locatedb. This database is created with the updatedb command. System managers generally use the cron daemon and an updatedb crontab entry to keep the locate database updated and accurate.
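    Beyond name and access-time tests, the same find options are what an administrator uses to audit a file system for stale, set-user-ID or world-writable files. The script below is an added example that is not from the original post; it builds its own small directory tree under a temporary directory (every file name in it is constructed) and counts the matches so the results can be checked.

```shell
#!/bin/sh
# Added example (not from the original post): find's name, type, time and
# permission tests run over a small directory tree constructed under a
# temporary directory. Counting hits keeps the functions easy to check; on a
# real system you would drop the count and let find print the paths.

TREE="$(mktemp -d)"

# build_tree: create the constructed sample tree.
build_tree() {
    mkdir -p "$TREE/bin" "$TREE/etc" "$TREE/tmp"
    printf '#!/bin/sh\necho emacs\n' > "$TREE/bin/emacs"
    : > "$TREE/bin/xemacs"
    : > "$TREE/etc/config"
    : > "$TREE/tmp/scratch"
    chmod 755 "$TREE/bin/emacs"
    chmod 4755 "$TREE/bin/xemacs"            # set-user-ID bit (constructed for the audit)
    chmod 666 "$TREE/tmp/scratch"            # world-writable file
    touch -t 202001010000 "$TREE/etc/config" # old modification time (POSIX touch -t)
}

# count: number of lines read from stdin, without wc's leading spaces.
count() { wc -l | tr -d ' '; }

# find_by_name: regular files whose names end in "emacs", as in the post's
# /usr example. The pattern is quoted so the shell does not expand it first.
find_by_name() {
    find "$TREE" -xdev -type f -name '*emacs' | count
}

# find_stale: regular files not modified for more than 30 days.
# "+N" means more than N days, "-N" less than N days, "N" exactly N days.
find_stale() {
    find "$TREE" -xdev -type f -mtime +30 | count
}

# find_setuid: regular files with the set-user-ID bit; a standard audit item
# because such programs run with their owner's privileges.
find_setuid() {
    find "$TREE" -xdev -type f -perm -4000 | count
}

# find_world_writable: regular files any user can modify (octal -002 keeps
# the test portable; GNU find also accepts -perm -o+w).
find_world_writable() {
    find "$TREE" -xdev -type f -perm -002 | count
}

build_tree
echo "name=$(find_by_name) stale=$(find_stale) setuid=$(find_setuid) world_writable=$(find_world_writable)"
# prints: name=2 stale=1 setuid=1 world_writable=1
```

    Pointing TREE at / (keeping -xdev so network mounts are skipped) turns the last two functions into the usual periodic check for unexpected set-user-ID and world-writable files.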



    Creating Symbolic Links

    Symbolic links are convenient shortcuts used to link existing files or directories to files or directories with more convenient locations or names. There are times when you want to have more than one path to an existing file or directory. For example, you may want to execute a program without having to type the entire path, then you can create a link to the program from the /usr/local/bin directory.

    There are two kinds of links in Linux, hard and soft links.

    Soft Links


    A soft link is a very small file that you create in a directory. When you execute a soft link file, it behaves as if you were executing the original file. But if you delete the original file, the soft link becomes useless. Think of a soft link as call forwarding to the original file. To create a soft link, use the ln -s command. The following example creates the soft link softlink pointing to originalfile:

    ln -s originalfile softlink

    Soft links work across networked file systems, mounted devices, other file systems and directories.

    Hard Links

    A hard link is different from a soft link in that if you delete the original file a hard link is pointing to, the hard link remains usable. This is because when you create a hard link to a file, you are creating another directory entry pointing to the same inode. The only way to delete a file from the file system is to delete all the hard links to it. If you make changes to the original file, all the links reflect that change (because they all point to the same inode). Use the ln command to create a hard link (without the -s option):

    ln originalfile hardlink

    Hard links only work for a file on the same disk and partition as the original.
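    The inode behaviour described above can be verified directly. The script below is an added example, not from the original post: it creates originalfile, softlink and hardlink in a temporary directory (all three names are constructed), compares inode numbers with ls -i, and shows what each link does once the original is removed.

```shell
#!/bin/sh
# Added example (not from the original post): a soft link and a hard link to
# the same constructed file, showing that the hard link shares the file's
# inode and survives deletion of the original while the soft link dangles.

LINKDIR="$(mktemp -d)"

# make_links: create originalfile plus one link of each kind, as in the post.
make_links() {
    printf 'original content\n' > "$LINKDIR/originalfile"
    ln -s "$LINKDIR/originalfile" "$LINKDIR/softlink"
    ln "$LINKDIR/originalfile" "$LINKDIR/hardlink"
}

# inode_of: inode number of a path; ls -i without -L reports the link itself,
# not its target, so a soft link shows its own (different) inode.
inode_of() {
    ls -di "$1" | awk '{print $1}'
}

# link_count: number of directory entries (hard links) pointing at the inode.
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

# same_inode: succeed when two paths are the same inode.
same_inode() {
    [ "$(inode_of "$1")" = "$(inode_of "$2")" ]
}

# link_state: print "<soft>|<hard>", each "readable" if the path can still be
# opened, "dangling" for a soft link whose target is gone, "missing" otherwise.
link_state() {
    if [ -e "$LINKDIR/softlink" ]; then soft=readable
    elif [ -L "$LINKDIR/softlink" ]; then soft=dangling
    else soft=missing; fi
    if [ -e "$LINKDIR/hardlink" ]; then hard=readable; else hard=missing; fi
    echo "$soft|$hard"
}

# remove_original: delete the original; the hard link keeps the data alive.
remove_original() {
    rm "$LINKDIR/originalfile"
}

make_links
echo "before: $(link_state), hardlink count=$(link_count "$LINKDIR/hardlink")"
# prints: before: readable|readable, hardlink count=2
remove_original
echo "after: $(link_state), hardlink count=$(link_count "$LINKDIR/hardlink")"
# prints: after: dangling|readable, hardlink count=1
```

    Because a hard link is just another name for the inode, the data stays on disk until the last name is removed; when a file must really disappear, check the link count before assuming rm did the job.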



    Getting Help

    Linux distributions include documentation about nearly all the programs, commands and files installed on your hard drive. Each distribution also comes with a number of commands and programs to help you learn about the system. Some of these commands are discussed below.

    Man

    The man command is used to display the manual pages of a command, file or other Linux function (the manual pages are actually displayed using a program called less). To read the manual page of a program or command, just pass the program name as the argument of the man command. The following example shows you the manual page of the cat program:

    man cat

    The manual pages are located in the /usr/man directory.

    Whatis

    Use the whatis command if you're unsure about what a program does. The whatis command gives you a short synopsis of the specified program. For example, if you issue the command whatis cal, it returns the following result:

    cal (1)         - displays a calendar and the date of easter

    The synopsis is extracted from the command's manual page and stored in a database called whatis. The database is located under the /usr/man directory and is built by a crontab script run each week, makewhatis.cron in the /etc/cron.weekly directory (this script runs the makewhatis program found under /usr/sbin).

    apropos

    The apropos command uses the whatis database to display all matches related to the command's name. Use apropos to find related commands or actions for programs installed on your system. For example, issuing the command apropos bell returns the following result (the output may differ on your system, depending on the distribution you use):

    beep, flash (3)     - Curses bell and screen flash routines
    bell (n)            - Rings a display's bell



    Shutting Down from Command Line

    To reboot your system, you can use the shutdown command, which is found under the /sbin directory (to execute the shutdown command you must be root). The shutdown command has several command-line options. Use -r followed by now to reboot your system immediately (you can also reboot by using the Ctrl+Alt+Del key combination).

    shutdown -r now

    You can change the now keyword to a number specifying the time in seconds when you want Linux to reboot. Another option is -h (halt) to shut down your system. As with the -r option, -h is also followed by an argument specifying the time when you want Linux to shut down.

    shutdown -h now

    You can also use the poweroff command to turn off your system immediately. You can execute poweroff without becoming root.



    Manage User Account

    Linux was created with security in mind. That's why after you boot Linux, you'll see login and password prompts. To access Linux for the first time you can enter the root account and password (some distributions give you the option to create a user account during installation). But keep this in mind: running as root can be dangerous, as you can accidentally delete system files or any other important files.

    To create a user you need root privilege (in some distributions you may need to prepend the sudo command every time you want to execute a command that needs root privilege). If you're not root, you can become root with su; you will be prompted to enter the root password.

    If you're root, you can add a user with the command

    useradd mike

    That command creates a new user named mike; the useradd command adds a user entry to the file called passwd in the /etc directory:

    mike:x:1003:1003::/home/mike:/bin/sh

    Some versions of useradd ask you for details about the user, such as the user's full name and password. If yours doesn't, you can change a user's password by using the passwd command. Again, you need root privilege, unless you're changing your own password.

    passwd amy

    It then prompts you for a new password, and then asks you to type it again to verify the change. If you've successfully changed the user's password, it will be reflected in the /etc/passwd entry as an encrypted string.
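    The /etc/passwd entry shown above is what tools and audits read once accounts exist. The script below is an added example that is not from the original post; it works on a constructed passwd sample (every login other than mike and amy is invented for the demonstration) and shows the colon-separated fields, plus two checks an administrator runs on the real file: accounts other than root with UID 0 and accounts with an empty password field. The "x" in the password field means the hash is stored in /etc/shadow rather than in this file.

```shell
#!/bin/sh
# Added example (not from the original post): reading /etc/passwd-style
# records. The sample below is constructed; the "x" in the second field means
# the password hash is kept in /etc/shadow rather than here.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mike:x:1003:1003::/home/mike:/bin/sh
amy:x:1004:1004:Amy Example:/home/amy:/bin/bash
oldsvc::1005:1005:legacy service:/var/lib/oldsvc:/bin/sh
admin2:x:0:0:second uid 0 account:/root:/bin/sh'

# records: emit the sample one record per line (use "cat /etc/passwd" on a real host).
records() { printf '%s\n' "$PASSWD_SAMPLE"; }

# field_of USER N: print field N of USER's record
# (1=login, 2=password, 3=UID, 4=GID, 5=GECOS, 6=home, 7=shell).
field_of() {
    records | awk -F: -v u="$1" -v n="$2" '$1 == u { print $n }'
}

# regular_users: logins with UID >= 1000, the range useradd hands out on most
# distributions, as a space-separated list.
regular_users() {
    records | awk -F: '$3 >= 1000 { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

# extra_uid0: logins other than root whose UID is 0, i.e. full root privilege
# under another name; a normal system has none.
extra_uid0() {
    records | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# empty_password_field: accounts whose password field is empty; where the
# login program honours it, no password is asked for at all.
empty_password_field() {
    records | awk -F: '$2 == "" { print $1 }'
}

echo "home of mike: $(field_of mike 6)"               # /home/mike
echo "regular users: $(regular_users)"               # mike amy oldsvc
echo "extra UID 0 accounts: $(extra_uid0)"           # admin2
echo "empty password field: $(empty_password_field)" # oldsvc
```

    Both audit functions should print nothing on a healthy system; any output is worth explaining before moving on.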

