Building a Cisco Network for Windows 2000 (Part 2)


4 Chapter 1 • Developing a Windows 2000 and Cisco Internetwork
The DEN Solution
DEN is a solution to several challenges from which both enterprise admin-
istrators and software vendors suffer. Administrators and vendors are
faced with the following issues:

How to integrate new e-business systems

How to incorporate service level agreements for specific users

How to apply and manage policies

How to integrate management “islands” (i.e., separate network
administration units and separate network management systems)

How to get interoperability from systems right out of the box

How to achieve advanced services that are applicable network-wide
DEN solves these issues with the definition of a directory service,
shown in Figure 1.2, which can manage:

Integration of e-business systems, media, devices, and protocols

Incorporation of service levels into the management of users and
applications

Application and management of policies

Integration of extensible management applications into the directory
to centralize the network management

Utilization of common protocols, common application programming
interfaces (APIs), and a common repository for information to
ensure interoperability

Advanced services, from configuration, access control, and security to
the provisioning of Quality of Service (QoS)
As a result, DEN harnesses the power of a database to centralize and
manage network systems and services. DEN defines a common schema for
network units and services, and enables interoperability between them.
DEN specifies an object-oriented information model, called a directory, for
networked units. A networked unit is defined within the directory as a
class. The network units, or classes, are not limited to devices or user
accounts, but encompass every possible application or system that can
participate on the network. Classes are composed of objects that share the
same set of attributes. Any single network element (a user account,
server, policy, etc.) represents some individual entity (Joe User, Server1,
SecurityPolicyA, and so on) on the network. Each object contains a set of
attributes that describe its properties. For example, an attribute for a user
account may be the user’s telephone number.
www.syngress.com
71_BCNW2K_01 9/10/00 12:27 PM Page 4
DEN does not define a management protocol like Simple Network
Management Protocol (SNMP), even though it enables network manage-
ment at a new level. It does not define a network protocol like Lightweight
Directory Access Protocol (LDAP), although new directory services will
likely integrate LDAP. It does not define a new type of schema for a
database. DEN is not a product in and of itself.
DEN is a definition of the foundational elements required for building a
directory-enabled network service or application. It defines a standard
hierarchy for a directory service, but avoids imposing limits by defining
extensibility. When DEN is used, multiple vendors will not experience
conflicts between their schemas, and network device configuration and
management can be performed through the use of the directory service.
In the DEN policy server model, network devices will use standard pro-
tocols to access the network, such as Domain Name System (DNS) and
Dynamic Host Configuration Protocol (DHCP). The network devices will
access servers or hosts to attempt a network transaction, which will check
the directory service (whether it is stored locally, or on other servers) for
any policies that may apply.
If a policy does apply to the network transaction, the policy is applied
and the transaction is permitted with whatever alterations the policy
requires, or denied based on the policy, as shown in Figure 1.3.
Figure 1.2 Directory-enabled networking architecture. (Diagram: a directory service with distributed storage serves Applications A through D; users access the directory to use the applications, and a report with integrated information can be generated from the directory.)

Figure 1.3 Policy server model.
QoS is a way of establishing a priority (or lack of priority) for a specific
type of traffic depending on when it is sent, what type of traffic it is, where
it is going, or from where it is coming.
Look at an example where it is assumed that a corporate executive
videoconferences with direct reports over the internetwork on a monthly
basis. This executive travels from one location to another and can be any-
where when he or she holds the videoconference. As a result, the executive
is never using the same computer or the same Internet Protocol (IP)
address when videoconferencing. Many QoS products will mark a type of
traffic with priority based on its physical or Media Access Control (MAC)
address, which is determined from either the IP address or host name of
the computer using Address Resolution Protocol (ARP). If the executive
wants the videoconference to be granted priority over other network ser-
vices, then the network administrator will need to know what IP address or
host name the executive is using at the time the videoconference is held.
Not only that, but the administrator will need to find out that same infor-
mation each and every time the executive holds a videoconference. Without
a network administrator manually configuring the videoconference to have
priority through QoS, the videoconference will suffer, and as a result, this
type of QoS usage will result in an excessive amount of administrative
overhead. If the executive holds a spontaneous videoconference without
notifying the administrator, then he or she will not receive the expected
performance and will be disappointed that the business objective was not
met by the QoS product. All of this is a recipe for failure.
(Figure 1.3 diagram: the network traffic flow reaches a policy enforcement point, which asks the policy server for a policy decision (yes or no); the policy server reads the stored policy from the directory service, which a policy management application maintains.)
The type of network environment in which a QoS product using IP
addresses for policy definition will work well is a static environment in
which the IP addresses, host names, and traffic types rarely change. With
the rate of change of technology today, this type of network is rare.
A DEN-based QoS product can resolve this issue. A DEN-based QoS
product potentially can attach a user’s account dynamically to his or her
computer’s IP address at logon, and statically attach the QoS policy to the
user’s account. Going back to our videoconferencing executive, he or she
would log on to the network and would already have a VideoConference
QoS policy attached to his or her user account (the policy having been cre-
ated by the administrator and assigned to the user account). At logon, this
policy would dynamically be assigned to the IP address the executive had
at that moment. The administrator never needs to be involved except for
the initial definition of the QoS policy, and the executive always receives
the QoS needed for his or her videoconferences, regardless of where he or
she logs on to the network.
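The policy server model and the roaming executive's VideoConference policy, as an added Python example (not code from the book or from any DEN product); the class names, the port 3230 used to identify videoconference traffic, the DSCP value and the IP addresses are constructed for illustration:

```python
"""Added example (not the book's code): a toy DEN-style policy server.
A directory holds user objects with QoS policies attached to the account,
logon binds the user's current IP to the account, and each flow is checked
against the directory. Names, ports and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class QoSPolicy:
    name: str
    dst_port: int   # traffic type the policy matches (destination port)
    action: str     # "mark" grants priority, "deny" blocks the flow
    dscp: int = 0   # DiffServ code point applied when action is "mark"

@dataclass
class UserAccount:
    name: str
    policies: List[QoSPolicy] = field(default_factory=list)

class Directory:
    """Directory service: user objects plus the dynamic IP-to-user binding."""
    def __init__(self) -> None:
        self.users: Dict[str, UserAccount] = {}
        self.ip_bindings: Dict[str, str] = {}  # ip -> user name

    def logon(self, name: str, ip: str) -> None:
        # Drop the user's stale binding (previous site), then bind the new IP.
        self.ip_bindings = {a: u for a, u in self.ip_bindings.items() if u != name}
        self.ip_bindings[ip] = name

def policy_decision(d: Directory, src_ip: str, dst_port: int) -> Tuple[bool, int]:
    """Policy decision point: returns (permitted, dscp) for one flow.
    Flows with no applicable policy are permitted as best effort (DSCP 0)."""
    user = d.users.get(d.ip_bindings.get(src_ip, ""))
    for p in (user.policies if user else []):
        if p.dst_port == dst_port:
            return (False, 0) if p.action == "deny" else (True, p.dscp)
    return True, 0

def demo() -> Tuple[Tuple[bool, int], ...]:
    d = Directory()
    video = QoSPolicy("VideoConference", dst_port=3230, action="mark", dscp=46)
    d.users["executive"] = UserAccount("executive", [video])
    d.logon("executive", "10.1.1.5")            # logon at the first site
    r1 = policy_decision(d, "10.1.1.5", 3230)   # (True, 46): priority granted
    d.logon("executive", "10.2.7.9")            # travels, logs on elsewhere
    r2 = policy_decision(d, "10.2.7.9", 3230)   # (True, 46): policy followed
    r3 = policy_decision(d, "10.1.1.5", 3230)   # (True, 0): old address unbound
    r4 = policy_decision(d, "10.2.7.9", 80)     # (True, 0): other traffic
    return r1, r2, r3, r4
```

The administrator defines the policy once on the account; the IP address the policy applies to is whatever the user logged on from, exactly the behaviour the chapter contrasts with address-based QoS products.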
TIP
Whitepapers and other information about QoS and policy-based net-
working can be found on the Internet at the following addresses:
www.qosforum.com/tech_resources.htm
www.xedia.com/products/demystify/htm
www.packeteer.com/technology/tcp.htm
www.netreference.com/PublishedArchive/WhitePapers/WPIndex.html
www.lsiinc.com/warp/public/732/net_enabled/qos_management.html
www.stardust.com/iband3/whitepaper
www.whatis.com/qos.htm
www.internet2.edu/qos/wg/calendar/Feb98ChicagoWGMtg/qos3/tsld001.htm
About Microsoft’s Windows 2000 and Cisco’s IOS
Microsoft’s Windows 2000 and Cisco’s Internetwork Operating System
(IOS) combine to provide the power of a DEN model. These operating sys-
tems are described briefly in the following section, and in much more
detail in Chapter 2, “A Tour of Windows 2000,” and Chapter 3, “Cisco
Hardware and IOS Basics.”
Cisco’s IOS and Software Products
Cisco develops a great deal of software products to work with their hard-
ware products. The Cisco IOS is a platform that provides network services
to an internetwork. It supports both local area network (LAN) and wide
area network (WAN) environments, although actual configuration for an
environment must also be supported by the Cisco hardware. The IOS can
scale to multiple interfaces on a single piece of hardware, and with multiple
routers in an internetwork, the IOS proves to be versatile in addition
to being scalable from small offices to large enterprise internetworks. IOS
supports standard network protocol stacks and media types, including (but
by no means limited to):

Transmission Control Protocol/Internet Protocol (TCP/IP)

Internetwork Packet Exchange/Sequenced Packet Exchange
(IPX/SPX)

AppleTalk

Ethernet

Token Ring

Frame Relay

Integrated Services Digital Network (ISDN)

Asynchronous Transfer Mode (ATM)
Cisco’s IOS is the operating system that Cisco routers, switches, and
access servers use to boot up. To enhance access services, routing, and
bridging, the IOS supports a full set of security features—encryption,
authentication, access control, packet filtering, and firewall services. The
IOS is upgradeable as Cisco releases new versions. Each version includes
new capabilities and network services. These new services meet enter-
prises’ business requirements for new technology. The IOS can support
and grow with an organization’s needs.
In the grand tradition of UNIX enthusiasts, the IOS is command-line
friendly. Although Cisco routers do not come equipped with monitors, they
can be accessed over the network, or through a terminal connection. The
Command Line Interface (CLI) appears as a simple text-based screen with
a prompt, somewhat similar to a DOS prompt. Newer versions of the IOS
can be configured using HTML pages and a Web browser.
Cisco ConfigMaker
Designing an internetwork is not an easy job. It takes knowledge of proto-
cols, hardware, software capabilities, and how to place and configure them
to achieve the optimal

Performance

Reliability

Availability

Security

Scalability

Manageability
These must meet the client’s business requirements, and some are in
conflict with others. For example, a highly secure internetwork placed in
an environment where usability of the network is the highest priority for a
business requirement may not be easily achieved. To the organization,
usability may mean granting users short passwords that are identical from
system to system and that never change, whereas a highly secure network
would absolutely require lengthy passwords that change on a frequent
basis. A designer must be aware of these types of issues and be prepared
to make decisions based on business requirements. The network designer
should make recommendations that are sensible for the environment, even
if the organization might want something a little different. In the security
versus usability requirements, for example, the network designer could
recommend using DEN-compliant systems where all user account informa-
tion was held in a single database for the entire internetwork, thus
requiring users to need only a single password. Then again, the designer
could recommend that the users are trained on having longer passwords
using numbers and characters (rather than alphabet-only), and suggest
that a policy be put in place to force the users to change the passwords on
a 60- or 90-day basis. This may not be the most usable system, but it is a
fair compromise!
Cisco provides a free tool (yes, FREE!) called Cisco ConfigMaker that a
network designer can use when designing an internetwork. Cisco
ConfigMaker is an application that runs on Windows 95, Windows 98,
Windows NT, or Windows 2000 (on Windows 2000, you should install the
Windows NT version). ConfigMaker is downloadable from
www.cisco.com/go/configmaker, and is shown in Figure 1.4.
ConfigMaker is straightforward, allowing the network designer to con-
figure a small- to medium-size network, begin the basic design for an
enterprise wide area network, or design a section of a large network that
does not use the enterprise 7x00 series routers (which are not listed
within the ConfigMaker tool). Each new version adds new equipment and
features; the latest version, 2.4, supports Cisco routers from the 800
through the 4000 series, switches, hubs, voice equipment, modems, ISDN,
and other network devices.
Figure 1.4 Cisco ConfigMaker.
Even though the ConfigMaker tool looks similar to other design applica-
tions in which you simply drag a network component to the design window
and create the connections, it has a couple of additional features.
ConfigMaker forces the designer to make critical design decisions while
building the design. It will not allow a connection to be created between
two routers if either does not have a port available for that connection. It
requires you to state the IP addresses of the interfaces, and warns you if
you have selected an IP address that is assigned to another network seg-
ment. It forces you to apply passwords to the routing equipment. A typical
router configuration dialog, illustrated in Figure 1.5, shows how
ConfigMaker includes the interfaces available for the slots in a router (in
drop-down boxes) so that you can select each interface as you build the
router, and do not accidentally select an interface that is not available for
that particular device.
ConfigMaker can also collect information about a Cisco device on your
network, read which interfaces are installed within it, and then put that
information into your network design. In addition, ConfigMaker can write
configuration files to routers. It can greatly reduce the time and effort it
takes to diagram an existing internetwork. The AutoDetect Device Wizard
is shown in Figure 1.6.
Cisco FastStep
Cisco provides another tool, also for use on Windows 95, 98, and NT (or
2000), for configuration of Cisco series 700, 800, 1600 routers and dialup
2500 series access servers. It is called FastStep. This tool is available as a
free download at www.cisco.com/go/faststep.
Figure 1.5 ConfigMaker router slot configuration.