Cisco
Internetwork Design 3.0
Protocols
Desktop Protocols
Microsoft Protocols were
designed for flat networks where all the clients and servers are sharing
the same media. There are different remedies and methods of encapsulations
for handling these problems. Most noteworthy is NetBEUI, which must be
bridged and cannot be routed unless encapsulated in another protocol such
as NWLINK (NetBIOS over IPX) or NBT (NetBIOS over TCP/IP).
NetBIOS
- broadcast-based; it does not have logical addressing functionality and operates primarily at the Session Layer.
NetBEUI
- broadcast-based; it does not have logical addressing functionality and operates at the Transport and Network Layers of the OSI Model.
AppleTalk
versions include Phase 1 (antiquated; does not scale well) and Phase 2 (current version). Phase 2 allows a greater number of hosts per segment (253) and supports Token Ring, Ethernet and FDDI.
IPX (Internetwork Packet eXchange)
is a routable protocol and has different encapsulations.
Encapsulations must match to see other machines on the network, or,
although it is not recommended, you can run two different encapsulation
methods on the same router interface. Use the ipx route-cache same
interface command. You can also run different encapsulations using
subinterfaces but the two networks cannot see each other. The default for
Novell 3.X protocol support is Raw Ethernet or ETHERNET_802.3
(Novell-Ether). For Novell 4.X protocol support is ETHERNET_802.2
(SAP).
Raw Ethernet
(ETHERNET_802.3) is similar to the IEEE 802.3 frame with no Logical Link
Control and FFFF in the DSAP (Destination Service Access Point) and SSAP
(Source Service Access Point).
TCP/IP (Transmission
Control Protocol/Internet Protocol)
is a widely used routable
protocol, and its biggest challenge is proper management with addressing,
security and broadcast management.
Private Addressing
the usual address prefixes are 10, 172 and 192. Used for private networks
not openly exposed to the Internet (inside a firewall).
Public Addressing
assigned by an ISP and not recommended for private networks. Private to
public network communication can be accomplished by NAT through a PIX or
other firewall. Options also include VPN (Virtual Private Networks) or
extranets secured through PPTP (Point-to-Point Tunneling Protocol) and or
L2TP (Layer 2 Tunneling Protocol).
Hierarchical
Addressing
using address schemes where the different network numbers
determine whether a destination is local or remote. Longer subnets masks
are used at the access layers. The network prefix gets smaller as you move
up the network hierarchy.
Prefix Routing
this
is how a router forwards packets. The router uses the network number for
routing determination.
Classful Addressing
the addressing scheme commonly used where the subnet mask reflects the number of bits used to calculate the default gateway. (ex. Class A 10.0.0.0 Mask 255.X.0.0, Class B 172.0.0.0 255.255.0.0, Class C 192.0.0.0 255.255.255.0)
VLSM (Variable Length Subnet Mask)
- classless addressing allows using, for example, a Class B address with a Class C subnet mask. Usually summarized in this fashion: 172.98.98.24/30, where /30 (or 255.255.255.252) specifies the number of bits used to calculate the network portion. This allows effective use of your IP addresses and should only be used with routing protocols that support VLSM, like EIGRP and OSPF.
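As an added illustration of the hierarchical addressing, prefix routing, classful and VLSM entries above (example code written for this page, not part of the original study notes or of any Cisco software), the following Python uses the standard ipaddress module to describe the page's 172.98.98.24/30 prefix next to its classful default mask, and to run a longest-prefix lookup over a constructed hierarchical routing table. The table entries, interface names and the /29 summary are assumptions made for the example.

```python
import ipaddress

def classful_default_mask(addr):
    """Default mask under classful addressing, decided by the first octet alone."""
    first = int(addr.split(".")[0])
    if 1 <= first <= 126:
        return "255.0.0.0"        # Class A
    if 128 <= first <= 191:
        return "255.255.0.0"      # Class B
    if 192 <= first <= 223:
        return "255.255.255.0"    # Class C
    raise ValueError(f"{addr} is not a class A, B or C unicast address")

def describe_prefix(cidr):
    """Classless (VLSM) view of a prefix, side by side with its classful default mask."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "mask": str(net.netmask),
        "usable_hosts": max(net.num_addresses - 2, 0),
        "classful_mask": classful_default_mask(str(net.network_address)),
    }

def build_table(routes):
    """Routing table as (network, next hop) pairs, longest prefix first."""
    entries = [(ipaddress.ip_network(cidr), nh) for cidr, nh in routes]
    return sorted(entries, key=lambda e: e[0].prefixlen, reverse=True)

def lookup(table, dst):
    """Prefix routing: the first (longest) entry containing dst decides the next hop."""
    ip = ipaddress.ip_address(dst)
    for net, nh in table:
        if ip in net:
            return str(net), nh
    return None

def summarize(cidrs):
    """Collapse contiguous prefixes the way a distribution router advertises them upward."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

# Constructed hierarchical table (assumption): /30 WAN link at the access layer,
# /24 LAN, /16 summary toward the core, and a default route toward the ISP.
TABLE = build_table([
    ("172.98.98.24/30", "Serial0"),
    ("172.98.98.0/24", "Ethernet0"),
    ("172.98.0.0/16", "core-router"),
    ("0.0.0.0/0", "isp"),
])

if __name__ == "__main__":
    print(describe_prefix("172.98.98.24/30"))
    for dst in ("172.98.98.26", "172.98.98.200", "172.98.5.1", "8.8.8.8"):
        print(dst, "->", lookup(TABLE, dst))
    print(summarize(["172.98.98.24/30", "172.98.98.28/30"]))
```

The lookup shows why the prefix gets shorter as you move up the hierarchy: the access router only needs the /30 and /24 it is directly attached to, while everything else in 172.98.0.0/16 is reached through the single summary toward the core.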
Secondary Addressing
Is assigning a second IP gateway address for the same interface on a
router. This is not recommended and should be used only when you have
to.
Encapsulation Protocols
PPP (Point-to-Point Protocol)
- is an encapsulation standard used over Async Serial, Sync Serial and ISDN.
SLIP (Serial Line Internet Protocol)
- only supports TCP/IP, and information is passed in plain text.
NCP (Network Control Protocol)
- is a layer protocol of PPP and encapsulates multiple protocols. It has built-in security features.
LCP (Link Control Protocol)
- another component of PPP and is responsible for authentication, multilink, callback and compression.
Authentication
- CHAP or PAP: CHAP is encrypted; with PAP, login and password information are sent in plain text.
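To make the CHAP-versus-PAP distinction concrete, here is an added Python example (written for this page, not code from the original notes or from Cisco) that builds a PAP request, which carries the password in the clear, next to a CHAP exchange following RFC 1994, where the peer returns MD5(Identifier || secret || Challenge) and the secret itself never crosses the link. The shared secret, peer name and the small ChapAuthenticator class are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed shared secret and peer name for the example (not from the page).
SECRET = b"example-link-secret"
USER = "branch-router"

def pap_request(peer_id, password):
    """PAP Authenticate-Request body: both fields travel in clear text."""
    pid = peer_id.encode()
    return bytes([len(pid)]) + pid + bytes([len(password)]) + password

def chap_response(identifier, secret, challenge):
    """CHAP (RFC 1994) MD5 response: MD5(Identifier || secret || Challenge).
    Only this digest goes on the wire, never the secret."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Router side of CHAP: issues one-time challenges and checks responses."""

    def __init__(self, secrets):
        self.secrets = secrets      # peer name -> shared secret
        self.outstanding = {}       # identifier -> challenge awaiting a response

    def challenge(self, identifier):
        value = os.urandom(16)      # fresh random challenge per attempt
        self.outstanding[identifier] = value
        return value

    def verify(self, identifier, name, response):
        # A challenge can be answered only once, so a captured response is useless later.
        challenge = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

def run_chap(authenticator, name, peer_secret, identifier):
    """Full three-way CHAP exchange: Challenge -> Response -> Success/Failure."""
    challenge = authenticator.challenge(identifier)
    response = chap_response(identifier, peer_secret, challenge)
    return authenticator.verify(identifier, name, response)

if __name__ == "__main__":
    auth = ChapAuthenticator({USER: SECRET})
    print("PAP packet contains the password:", SECRET in pap_request(USER, SECRET))
    print("CHAP with correct secret:", run_chap(auth, USER, SECRET, 1))
    print("CHAP with wrong secret:", run_chap(auth, USER, b"guess", 2))
```

The per-attempt random challenge is what gives CHAP its value over PAP: the same secret produces a different response every time, so a response recorded from one session does not authenticate a later one.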
Multilink PPP
also
referred to as MP; allows additional calls or channels to connect to a
host for additional bandwidth. In order to use Multilink with Brand X
routers the routers must comply with RFC1990. Multilink is configured on
the interface.
LCP controls Multilink:
- Works on Cisco 700 series routers.
- Works on routers running Cisco IOS.
- RFC 1990 allows for vendor compatibility.
- Allows packet fragmentation across channels.
- Sequences packets and performs load calculation on lines or channels.
- 4-byte field in header allows for proper sequencing.
Multilink Multichassis PPP
- dial-in ISDN channels can be split across different access servers (a.k.a. a stackgroup) or routers. The access servers (stackgroup) or routers take in the data packets and forward them to a high-end MMP process server. A process server uses SGBP (Stackgroup Bidding Protocol) to do all the packet reassembly. The advantages are that the stackgroup is very scalable and less overhead is required from the access servers.
HDLC
is used for
serial lines and this version is proprietary for Cisco. Do not use if
connecting to a non-Cisco router or with the AutoInstall feature. This is
a connectionless datagram protocol.
SDLC
used often in SNA environments; it supports full and half duplex and can be used in packet- or circuit-switched environments.
LAPB
used over unreliable links and X.25. Connection-oriented with ordering and error checking.
RSRB
used to tunnel SNA over WAN links. ACKs and LLC2 frames are sent over the WAN.
STUN (Serial Tunneling)
- used to tunnel SNA over WAN links. It supports local ACK, used with SDLC on congested WAN links.
PPTP(Point-to-Point
Tunneling Protocol)
used to tunnel IP packets securely over the
Internet.
GRE (Generic
Routing Encapsulation)
used primarily in the backbone. Can be used
to tunnel IPX or AppleTalk. Fast switching supported.
NWLINK
used to encapsulate NetBIOS over IPX. Requires type 20 packets to operate properly. Use the ipx type-20-propagation command on the interface.
NBT
used to encapsulate NetBIOS over TCP/IP.
AURP (AppleTalk Update
Routing Protocol)
encapsulated in TCP/IP over WAN links. Sends
updates only, like EIGRP.
IPXWAN
client- and
server-side software used with PPP to connect servers or clients over a
dial-up connection. It is responsible for establishing a routing metric
once the connection is made. It is dynamic and no configuration is
required.
Remote Access
Design principles are shaped around the type and number of connections that need to be made. The applications and requirements will depend on the type of users that will be connecting to the network. Users usually fit into these categories:
- Mobile Users/Telecommuters - not connected all the time. Short connections and low bandwidth requirements, usually analog.
- Full Time Telecommuters - usually require faster connections. Longer connect times with higher bandwidth requirements. Use ISDN to run other devices or connections.
- Home or Small Office - requires fast and long connection times. A multi-interface router is needed to support LAN and multiple WAN connections.
Access Methods
Remote Gateway
-
limited access and limited functionality. It can be used only to get email
or access an application.
Remote Node
- most
common access method. It is like dialing into a security server, RAS
server, modem bank or access server stackgroup. This is the preferred
method since it is very flexible and scales well in the Enterprise. Less
overhead and PC appears as if directly connected to the LAN.
Remote Control
- is
when a PC dialing in and taking control of another PC on the LAN. User has
full function of network services. This requires the most overhead due to
the fact that an extra PC, analog line and modem are required. A good
example of this is PCAnywhere.
Remote Access Support Equipment
small - <20, 3600 to 4000
Routers
larger - >20, higher
density, use a PRI on 7500 to 7200 Router
AS5300 Access servers are
recommended because they can combine analog and ISDN and can support
higher densities. External modems are no longer recommended since they do
not scale well.
Enterprise (AS5X00
Servers)
- can be configured from medium to heavy port density and can
support analog and ISDN lines. It is very scalable and servers can use MPP
in stackgroups.
Security for Remote Access
- CHAP/PAP
- TACACS+ on Unix or NT
- RADIUS
- CiscoSecure
- PIX Firewalls
- VPN
Routing Protocols
It is important to
distinguish between routed and routing protocols. Routing protocols use
metrics, hop counts, ticks, etc. to make a routing decision. Since routers
do not forward broadcasts, routers separate networks into different
broadcast domains. Switches and bridges separate media into separate
collision domains. Routers are responsible for:
Routing protocol comparison (table; extraction lost the protocol-name and type columns, and only the metric and description cells survive, in the table's row order):
- Metric: bandwidth, delay, MTU, load. Must use IP and classful IP addresses. Can load balance. (This row matches IGRP as described under IGRP below.)
- Metric: bandwidth, delay, MTU, load. Supports multiple protocols; sends updates only on the WAN. Scales well. Converges quickly. (Matches EIGRP as described below.)
- More robust than RIP; sends subnet information so it can support VLSM.
- Max hop count is 15; is chatty and does not scale well. (RIP)
- Uses LSAs to check on links. Backbone is area 0. Supports VLSM and discontiguous subnets. (Matches OSPF as described below.)
- Used to connect autonomous areas.
- Link state, interior and exterior. Used to connect autonomous areas; can be used as an interior protocol.
- Very chatty; not recommended for WAN traffic or slow links.
- Link state for IPX. Robust and scales well. Used in large IPX networks, <400 per area. (Matches NLSP as described below.)
- Tunnelled by IP over WAN links. Sends updates over the WAN and full updates on the LAN. (Matches AURP as described below.)
IPX on the WAN
Use NLSP (NetWare Link State
Protocol) for faster convergence over IPX/RIP and reducing of routing
traffic. It uses cost as calculation metric and is more CPU intensive.
NLSP redistributes RIP, but retains a 15-hop limit. NLSP supports up to
1023 hops and areas of <400 routers.
EIGRP for IPX
Saves WAN bandwidth by only sending updates over the WAN and full updates over the LAN. When a route goes from IPX/RIP to EIGRP it increases the hop count by two. From EIGRP to IPX/RIP, the route tick count is unchanged.
OSPF
LSA1 Router Links LSA
Sends information about the routers links.
LSA2 Network Link LSA
Sent by the DR to all routers in the AS. A list of routers in the
segment.
LSA3 Summary Link LSA
Sent by ABRs list of networks available outside the area.
LSA4 Summary Link LSA
Sent by ASBRs list of networks available outside the area.
LSA5 External Link LSA
Sent by ASBRs list of external network routes.
OSPF recalculates a new
table when a route goes down, so if you have a link flapping you may want
to increase the amount of time to wait; use spf holdtime
command, if not, it could overload the CPU and cause performance
issues.
OSPF Backbone
try
to stay away from meshing the backbone. Use LAN backbone design and keep
everything to one hop. Use as few routers as possible to keep the diameter
small.
IGRP
used only for IP. The entire routing table is sent every 90 seconds, and updates are triggered on link failures. Flapping links can be detected with a protocol analyzer, as updates are sent when the link state changes. It does not support VLSM or summarization. Primary metric is bandwidth and delay. The complete-update interval can be changed from 90 seconds. Stay with the defaults unless a fast network requires faster convergence.
AppleTalk
RTMP
AppleTalk's version of a routing protocol. It is very similar to RIP; broadcasts the entire table every 10 seconds. Max hop count is still 15; uses split horizon.
Design Rule
Use EIGRP for routing AppleTalk.
EIGRP
Saves bandwidth because only updates are sent. Fast convergence.
AURP (AppleTalk Update Routing Protocol)
Apple's attempt to create a more WAN-friendly routing protocol than RTMP. RTMP is encapsulated in IP over an AURP tunnel on WAN links. Reduces WAN traffic because only updates are sent over the wire. Use in an IP-only WAN environment.
Network Services and Gateways
Windows computers use LMHOST
files, broadcasts, WINS, DNS and HOSTS files to locate services. By
default they elect a default browser.
DHCP (Dynamic Host
Configuration Protocol)
a BOOTP server used to assign IP addresses
to requesting clients. Can be configured to specify node type, WINS, DNS
and other information such as subnet mask and default gateway.
There are several options
for DHCP configuration. Cisco offers IOS features to forward DHCP packets.
The ip helper-address command forwards broadcasts to DHCP
servers like an NT server.
CNR (Cisco Network
Registrar)
a Cisco solution that automates network services and
provides a fully scalable solution for DHCP and DNS. Noted for being able
to integrate network infrastructure software and applications.
Cisco DNS/DHCP Manager
similar to CNR, not as robust and will be cancelled soon.
WINS (Windows
Internet Name Service)
is a static-addressed server that performs
NetBIOS name to IP address resolution, which takes away the need to ARP
(broadcast) to resolve network names. Acts as a register for Windows
machines. After booting and obtaining a DHCP IP address, the client sends
a unicast packet to the WINS server requesting it to register its NetBIOS
name. DNS servers and WINS servers (sometimes on the same server) work
together to resolve name lookup.
DNS (Domain Name
Services)
- Application server that provides Internet-name to
IP-address conversion. A Windows DNS server can be directed to query a
WINS server for NetBIOS names.
RAS (Remote Access Server)
uses PPP and CHAP or PAP to encapsulate the client's dial-in; multi-protocol support, usually an NT Server. For a larger, scalable solution an AS5X00 is recommended.
IPeXchange Gateway
A client and server solution for accessing the Internet in an IPX network.
Primarily used by IPX clients to access the Internet. The gateway server
must run both IPX and TCP/IP. Clients run the client software and servers
are usually dual homed to act as a gateway. The server only needs one IP
address to serve several IPX clients.
Workstations sharing
resources are defined as Workgroups. The presence of an NT server
classifies it as a domain. Domains make the administration of resources
easier.
Single Domain Model
services controlled by one PDC for clients.
Master Domain Model
is a collection of domains trusting a single master PDC for centralized
administration. Simplifies management of resources.
Multiple Master Domain
Model
resource domains trusting multiple master domain PDCs.
Complete Trust Domain
Model
(a.k.a. Cluster Trust) all domains trust all other domains and
resources can be administered and shared across these domains.
Multicast Issues
one-to-many services. A Class D multicast address is needed. The router must be configured correctly for multicast, or it will forward out all of its ports. IGMP, CGMP and PIM are often used (PIM scales well in the Enterprise).
Firewalls
PIX is
the preferred Cisco solution. It is advisable to turn off all ports, and
then enable ports for only certain services to specific hosts. Protect
yourself from IP from the Internet and configure your outside router to
deny packets shown to have an inside IP address. Do not configure your
routers for rsh or rlogin.
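The two firewall rules above (default-deny with explicit service exceptions, and dropping Internet-side packets that claim an inside source address) are easy to reason about as a small stateless policy. The following Python is an added example written for this page, not code from the original notes or from any Cisco product: it applies both rules to constructed sample packets on the outside interface and tallies the verdicts the way a log review would. The address blocks (RFC 1918 ranges plus the documentation prefix 203.0.113.0/24 standing in for the site's own public block), the allowed services and the Packet record are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Address blocks that must never appear as a *source* on the outside interface:
# the RFC 1918 private ranges plus the site's own public block (203.0.113.0/24
# is a documentation range, constructed for this example).
INSIDE_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]

# Default-deny: only these (host, protocol, port) services are reachable from outside.
ALLOWED_SERVICES = {
    ("203.0.113.10", "tcp", 25),   # mail relay (constructed)
    ("203.0.113.10", "tcp", 80),   # web server (constructed)
}

@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int

def verdict(pkt):
    """Evaluate one packet arriving on the outside router, rules in order."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "outside" and any(src in net for net in INSIDE_PREFIXES):
        return "deny-spoofed-source"     # inside address arriving from the Internet
    if (pkt.dst, pkt.proto, pkt.dport) in ALLOWED_SERVICES:
        return "permit"
    return "deny-default"                # everything not explicitly enabled

def audit(packets):
    """Apply the policy to a batch and count outcomes, as a log review would."""
    results, counts = [], {}
    for pkt in packets:
        v = verdict(pkt)
        results.append((pkt, v))
        counts[v] = counts.get(v, 0) + 1
    return results, counts

# Constructed sample traffic seen on the outside interface.
SAMPLE = [
    Packet("outside", "198.51.100.7", "203.0.113.10", "tcp", 80),   # legitimate web hit
    Packet("outside", "10.1.2.3", "203.0.113.10", "tcp", 80),       # claims a private inside source
    Packet("outside", "203.0.113.50", "203.0.113.10", "tcp", 25),   # claims our own public block
    Packet("outside", "198.51.100.7", "203.0.113.10", "tcp", 514),  # rsh is not enabled: dropped
    Packet("outside", "198.51.100.9", "203.0.113.11", "tcp", 80),   # host not in the allow list
]

if __name__ == "__main__":
    results, counts = audit(SAMPLE)
    for pkt, v in results:
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport:<4} {v}")
    print(counts)
```

Note that the spoof check runs before the service allow list: a packet aimed at a permitted service is still dropped when its source address could only have originated inside.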
Campus Design
Common campus issues are
Media, Protocols and Transport. Media issues are caused by high network
loads and media contention. Use LAN switching to solve this problem.
Another protocol problem is that some do not scale well and are prone to
excessive broadcasts. To solve this problem, use routers to segment your
network. Transport problems occur when there is not enough bandwidth to
support high-bandwidth applications. Use ATM, Gigabit Ethernet and/or QoS IOS features to solve these problems.
Cut-through Switching
a packet is forwarded once the destination is read. No CRC check.
Store and Forward
Switching
the entire packet is processed, the CRC checked and then
forwarded out the appropriate interface.
VLANs
802.1Q is a VLAN standard. VLANs help separate broadcast domains, since a router is required for communication between VLANs. Switching separates collision domains.
Distributed Backbone
Each floor or building would be isolated by its own router and switch.
This setup is more expensive and often requires costly upgrades to
scale.
Collapsed Backbone
all floors are wired into a single switch and router. More cost effective,
but creates a single point of failure.
Hierarchical Networks
- are designed for scalability, and this model is easier to troubleshoot.
ATM
ATM (Asynchronous
Transfer Mode)
like Frame Relay and X.25, it uses PVCs and SVCs to
establish connectivity. Used for high-speed data, video and voice. It uses
cells to transport information in 53 byte cells. ATM Features:
- 5 bytes for header, 48 for data
- QoS is effective for managing ATM
- Flexible multiplexing and switching technology
- Low latency due to small cells and high-speed media
- Supports high-performance applications
- Uses SNAP encapsulation to multiplex several protocols
- SVCs are disconnected once transmission is complete
- Operates primarily at the Data Link Layer of the OSI model
AAL (ATM Adaptation
Layer)
operates at the Data Link Layer, and its primary function is
to hide what it is doing to the frames from the higher OSI Layers.
Abstraction is right.
ATM Layer
establishes connections and passes cells through the ATM network.
ATM Physical
manages the physical transmission of the cells. Does the bit to cell
conversion.
AAL types (table):
- AAL1: used for voice/video applications. Connection-oriented; needs time sequencing from source to destination and vice versa.
- AAL3/4: used for SMDS applications; message, sequence and CRC added. Connectionless-oriented; used to transfer SMDS. It loses some payload capacity due to the added CRC, MIDs (Message Identifier) and the sequence number. There is a slightly increased delay attributed to SAR (Segmentation and Reassembly). Requires the use of an SDSU for SAR.
- AAL5: used for data, non-SMDS data. Connection- and connectionless-oriented. Used for data transport. Uses SEAL for SAR.
ATM uses prefix routing
in private networks.
PNNI (Private Network-to-Network Interface)
hierarchical routing protocol used for ATM routing. It is dynamic and requires little configuration. Scalable, but complex.
IISP (Interim
Inter-Switch Signaling Protocol)
is a static routing on ATM network.
Uses SVCs when routes go down.
LANE (LAN Emulation)
emulation of a LAN over an ATM network.
LEC (LAN Emulation
Client)
sends its MAC address to the LECS server. It can be a
workstation or a router. It is responsible for endpoint functions, address
resolution and data forwarding.
LES (LAN Emulation
Server)
pseudo-WINS server for ATM. Acts as a register to store the
multicast or unicast MAC address information of the LE clients. It accepts
LE-ARP requests for destination MAC addresses.
LECS (LAN Emulation Configuration Server)
serves multiple ELANs and maintains a database of all the LECs' MAC addresses. The LECS responds to LEC requests by sending the appropriate ELAN information (identifier). Used like DHCP to assign LECs to certain ELANs. There is one per ATM switch.
BUS (Broadcast and Unknown Server)
- multicast and broadcast server. Sends traffic to clients of the ELAN it is responsible for.
X.25
X.25 is a packet-switched
Layer 2 protocol that operates at the Data Link Layer of the OSI model.
This protocol works by encapsulating the layer 3 protocols. X.25 was
engineered for strong error checking and flow control at layers 2 and 3.
X.25 uses LAPB and it is very reliable. It also uses sliding windows (much
like TCP/IP) for flow control. Suffers from lower throughput and higher
latency than Frame Relay. X.25 uses SVCs (Switched Virtual Circuits) and
PVCs (Permanent Virtual Circuits). PVCs are always connected. X.25 treats
connection as a reliable data link; Frame Relay does not.
Subinterfaces solve the
problem of split horizon and forwarding updates on NBMA.
Datagram encapsulation
Network Function - X.25 is highly available and used worldwide.
PAD (Packet
Assembler Disassembler)
- can also be a router. It collects the data
transmissions from the terminals and gathers them into a X.25 data stream
and vice versa. PAD acts like a multiplexer for the terminals. During
configuration of the X.25 you specify whether the interface will act as a
DCE or DTE. When configured as a DCE the router behaves as an X.25
switch.
X.121
- is the
addressing standard. Static mappings must be made manually. X.25 does not
support ARP. The addressing standard is a 4-digit country code. The
following 8 to 11 digits are assigned by the X.25 service provider.
X.121 addressing table (only one cell survived extraction): DCE (switch or concentrator)
Options for X.25
-
windows and packet sizes must match on both sides on the connection. Use
the x25 ips command for incoming packet size and x25
ops for outgoing packet size. Window size uses a counter for when
to send an acknowledgement. x25 win and x25
wout commands are used. The modulo controls the size of the window
8 or 128 are used to specify the number of packets.
Satellites use X.25 as well.
To increase performance, they use modulo 128 which sets the window size
higher.
Window parameters, in number of packets (table):
Window sends ack after 7 packets inbound or out: (config-if)# x25 modulo 8
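To show why the modulo bounds the window (a window of 7 packets with modulo 8, or up to 127 with modulo 128, as the text above describes), here is an added Python model of the sender side of the X.25 packet-layer window. It is example code written for this page, not code from the original notes or from Cisco IOS; the X25SendWindow class, its method names and the idea of simulating RR acknowledgements with a P(R) value are assumptions made for the example.

```python
class X25SendWindow:
    """Sender-side packet-layer window. P(S) counts modulo 8 or modulo 128;
    at most `window` packets may be outstanding, and the window can be at
    most modulo - 1 so that a P(R) value is never ambiguous."""

    def __init__(self, modulo=8, window=7):
        if modulo not in (8, 128):
            raise ValueError("X.25 modulo must be 8 or 128")
        if not 1 <= window <= modulo - 1:
            raise ValueError(f"window must be between 1 and {modulo - 1} for modulo {modulo}")
        self.modulo = modulo
        self.window = window
        self.next_seq = 0      # P(S) of the next data packet
        self.unacked = []      # P(S) values sent but not yet acknowledged, oldest first

    def send(self):
        """Return the P(S) of the packet sent, or None if the window is closed."""
        if len(self.unacked) >= self.window:
            return None        # must wait for an RR before sending more
        seq = self.next_seq
        self.unacked.append(seq)
        self.next_seq = (seq + 1) % self.modulo
        return seq

    def receive_ack(self, pr):
        """An RR carrying P(R)=pr acknowledges every outstanding packet sent before pr."""
        if pr != self.next_seq and pr not in self.unacked:
            raise ValueError(f"P(R)={pr} acknowledges nothing outstanding")
        while self.unacked and self.unacked[0] != pr:
            self.unacked.pop(0)

def fill_window(modulo, window):
    """Send until the window closes; returns the sequence numbers used."""
    w = X25SendWindow(modulo, window)
    sent = []
    while True:
        seq = w.send()
        if seq is None:
            return sent
        sent.append(seq)

if __name__ == "__main__":
    print("modulo 8, window 7:", fill_window(8, 7))          # 0..6, then the window closes
    print("modulo 128, window 127:", len(fill_window(128, 127)), "packets before waiting")
    w = X25SendWindow(8, 7)
    for _ in range(5):
        w.send()
    w.receive_ack(3)                                        # packets 0, 1, 2 acknowledged
    print("still outstanding after RR P(R)=3:", w.unacked)
```

With modulo 8 the sender stalls after 7 packets until the receiver's RR arrives, which is the round-trip penalty the text says satellite links avoid by moving to modulo 128; the constructor also rejects a window equal to the modulo, because then an RR with P(R) equal to the next sequence number could mean either "nothing acknowledged" or "everything acknowledged".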
Frame
Relay
Frame Relay
Interfaces - Frame Relay requires the use of a CSU/DSU. Like X.25,
Frame Relay uses SVCs and PVCs. PVCs are used for frequent and long
connection times. SVCs are for sporadic, infrequent traffic.
Frame Relay Bandwidth
- maximum throughput is up to T3 speed. Frame Relay is a layer 2 protocol.
It uses the upper layer for error correction and is faster than x.25.
LMI (Local Management Interface)
- is the standard for signaling. There are 3 types; Cisco is the default. The service provider will specify the LMI in use.
- LMIs control data keep-alives and verify the dataflow.
- Use a multicast mechanism to provide the network server the DLCI.
- Use multicast addressing so the DLCI has global significance.
- Verifies the DLCIs in use and their status to the local Frame Relay switch.
LMI Autoconfigure
- a
router with IOS 11.2 and newer does not need to be configured for the LMI.
The newer routers will send a signal to the FR switch to determine the LMI
in use.
DLCI (Data Link
Connection Identifier)
- verifies the logical circuits in use and the
status from the CPE to the Frame Relay switch.
Encapsulation Types
-
are Cisco and IETF. Cisco is the default. If the router is a non-Cisco
router, use IETF. This designation can be made per DLCI. Even if all the
routers are Cisco, you can communicate with a location with a non-Cisco
router. Specify the IETF encapsulation and DLCI. You can use this with the
map command. In short, encapsulation can be set to per interface or per
destination.
Split Horizon and Routing
Updates
- since routing updates should not be sent out from the same
interface you receive the update from (as this causes routing loops), the
solution to fixing this problem is creating subinterfaces with different
DLCIs.
Each subinterface has its
own DLCI-enabled multipoint connection. Routing updates will now work
properly.
Frame Relay Map
command is used to configure the next hop address on an interface.
Inverse ARP
takes
care of all the mappings for you. It builds a Frame-Relay map by querying
the Frame-Relay switch during the LMI exchange. It sends an Inverse ARP
request for the protocols that are specified on the interface. The
downside for the automatic set up is troubleshooting can be a pain.
Frame Relay
Topologies
NBMA Model (Non-Broadcast
Multi-Access Model)
mesh between peer routers. Routers are
configured as a simulated LAN and are configured as one logical subnet.
The downside is processor overhead: each broadcast packet must be
processed.
Broadcasts are sent out each
virtual circuit.
Performance degradation on
the link.
To control the amount of
bandwidth used on an interface use the frame-relay
broadcast-queue command.
Virtual Circuit
Routing
Uses subinterfaces to conquer the split horizon issues. This
simulates several point-to-point links.
Figures (icons not reproduced): NBMA Full Mesh, Subinterfaces with Full Mesh, Hub and Spoke. X.25 and Frame Relay interfaces can be backed up with an option called a floating static map using an analog or ISDN line.
NAT
Network Address
Translation
- can be used to merge two large networks without having
to re-address the whole network. Another function of NAT is overloading
inside global addresses. This process contains several inside addresses
using a single IP address. NAT can also use a pool of addresses or
multiple interfaces. NAT is supported by IOS 11.2 and higher. (Easily
remembered by meet me at 11 toNAT instead of tonight. 11.2 toNAT, it is
corny but effective!)
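The overloading form of NAT described above is easiest to understand as a translation table keyed by port. The following Python is an added example written for this page (not code from the original notes or from Cisco IOS): a NatOverload class that maps many inside local addresses onto one inside global address by allocating a distinct translated source port per flow, and that only forwards inbound packets matching an existing entry. The addresses (10.0.0.0/8 inside, 203.0.113.1 as the inside global address), the starting port and the method names are assumptions made for the example.

```python
import ipaddress
from itertools import count

class NatOverload:
    """NAT overload (PAT): many inside local addresses share one inside global
    address, distinguished by the translated source port."""

    def __init__(self, inside_global, inside_prefix, first_port=1024):
        self.inside_global = inside_global
        self.inside_net = ipaddress.ip_network(inside_prefix)
        self._ports = count(first_port)     # next unused global port (simplified allocator)
        self.outbound_table = {}   # (inside_local, local_port, proto) -> global_port
        self.inbound_table = {}    # (global_port, proto) -> (inside_local, local_port)

    def translate_out(self, src, sport, proto="tcp"):
        """Inside -> outside: rewrite the source; reuse the entry for a known flow."""
        if ipaddress.ip_address(src) not in self.inside_net:
            raise ValueError(f"{src} is not an inside local address")
        key = (src, sport, proto)
        gport = self.outbound_table.get(key)
        if gport is None:
            gport = next(self._ports)
            self.outbound_table[key] = gport
            self.inbound_table[(gport, proto)] = (src, sport)
        return self.inside_global, gport

    def translate_in(self, dst, dport, proto="tcp"):
        """Outside -> inside: only packets matching an existing entry are forwarded;
        anything else has no translation and is dropped (returns None)."""
        if dst != self.inside_global:
            return None
        return self.inbound_table.get((dport, proto))

    def active_translations(self):
        return len(self.outbound_table)

if __name__ == "__main__":
    nat = NatOverload("203.0.113.1", "10.0.0.0/8")   # constructed addresses
    print(nat.translate_out("10.1.1.5", 40000))        # ('203.0.113.1', 1024)
    print(nat.translate_out("10.1.1.6", 40000))        # same local port, different global port
    print(nat.translate_in("203.0.113.1", 1025))       # reply reaches ('10.1.1.6', 40000)
    print(nat.translate_in("203.0.113.1", 9999))       # unsolicited: None, dropped
```

Two inside hosts using the same local port get different global ports, which is the whole trick of overloading; the side effect worth noting for a design is that unsolicited inbound traffic has no table entry and is discarded, so any service that must be reachable from outside needs an explicit static mapping.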
Description and Interfaces
TE1- has an ISDN
Interface. DS0=64Kbps=Digital Signal Level 0
TE2
- does not have
an ISDN interface; requires a TA (Terminal Adapter). The TA is typically
an ISDN Modem. The TA converts the signal to ISDN standards.
DS0=64Kbps
ISDN PRI US T1
-
requires different connectors. Uses DB15 and RJ48 connections.
DS1=1.54Mbps contains 24 DS0s considered in band.
ISDN PRI EUROPE E1
-
requires four connections DB15 before the CSU/DSU, and four RJ45 and/or
DB15 connections to the switch. 30 X DS0 is considered out of band.
In Europe, the ISDN service
provider provides the NT1. In the US, the customer supplies the NT1. In
the USA, T1s D channel is in band. In Europe, it is considered
out-of-band signaling.
Logical Interfaces
RSTUV-Logical Reference Points
Rate Reference Point-
located between the Non-ISDN router interface and the Terminal Adapter
(TA).
System Reference Point
- is the reference point between the router with an ISDN Interface and
the NT2 or TA and NT2. Non-U.S. demarcation.
Terminal Reference
Point
- the reference point between the TE1 and NT1 and/or TA. If
there is an NT2 (Customer Switching Equipment), the reference point is
included to the NT1 as well. This point is Non-U.S. demarcation.
User Reference Point-
This reference point is a U.S. demarcation. It references the point
between the NT1 and the LT.
V Reference Point -
Located between the LT and the ET. Also referred to as the Local
Exchange.
SNA
SNA is a hierarchical network structure. There are several components and possible configurations for configuring an SNA network.
NAUs Network
Addressable Units
all devices that can communicate in an SNA
network.
LU Logical Unit
the software end unit. Software that provides the interaction for the
users.
PU Physical Unit
controls resources on the node. Loads software and provides the
communication with the SSCP.
SSCP System Services
Control Point
software for the mainframe that is responsible for
establishing the lines of communication and controlling resources.
SNA Gateways
handling direct communication with the mainframe for a dumb terminal or PC
would be quite rough without a gateway.
LU Gateway
SDLC uses polling to communicate. Sending polling traffic over the LAN may convince you to establish a gateway. LU gateways are good because the mainframe has an SSCP-to-PU session to the LU gateway. The clients only connect to the LU gateway through NetBIOS, so the mainframe maintains fewer connections.
PU Gateways
have a
larger amount of overhead and administrative burden. The PCs attached to
the PU have to be manually configured on the VTAM.
DSPU (Downstream PU)
a Cisco router acting as a PU 2.0 device. To PCs it looks like the mainframe and is very robust.
Connecting and Routing with SNA
DLSW Data Link
Switching
recommended as a scalable solution for traffic over a WAN
link. It is compatible with other vendors. Responsible for multiplexing
LLC connections over the WAN link. They are encapsulated in TCP/IP.
RSRB (Remote Source Route Bridging)
older method of SNA tunneling. Prone to timeouts over slow WAN links. Tends to be chatty. Local ACK is used to solve this problem. It is much like IPX spoofing and prevents timeouts.
STUN (Serial Tunneling)
- older method of SNA tunneling. Prone to timeouts over slow WAN links. It performs very well over serial lines and supports direct serial connections. Has fewer options than RSRB but is more robust. Supports local ACK and is routable.
VPN Design Fundamentals
VPN stands for Virtual
Private Network.
VPN is any network built
upon a public network and partitioned for use by individual customers.
A VPN will allow you or your
company to use a public media such as the Internet to provide end-to-end
connection. This allows you to design a cost effective solution for your
clients but you must be aware of all the major design considerations that
follow. Your main issue of course will be Security and Encryption. VPNs
use encryption and tunneling to establish secure connections.
There are three different corporate or business uses of VPNs:
- Remote Access
- Intranet
- Extranet
Basic VPN Design
Remote Access VPN Design
Remote Access VPNs provide
remote access to mobile or remote site users.
A Remote Access VPN solution
will allow a connection to a corporate Intranet or extranet over a public
infrastructure.
Access VPNs enable mobile or
remote users to access resources at company headquarters locations.
Access VPNs encompass many
technologies including:
Intranet VPN Design
Intranet VPNs provide a link
over a shared infrastructure using mostly dedicated connections.
They connect:
- Corporate headquarters
- Remote offices
- Branch offices
An Intranet will connect
entities together and most of them are trusted entities. When you let your
doors open to un-trusted or less trusted entities, you begin to create a
Extranet based VPN.
Extranet VPN Design
Extranet VPNs provide a link
to a corporate Intranet over a shared infrastructure using mostly
dedicated connections.
They connect
Now external customers can
take part in your Intranet solution. This would be a typical design if you
wanted to have an external business partner take part in some of your web
server transactions or access a database. This of course puts a new twist
into your design where you need to start thinking about intrusion
detection systems or ways to monitor access.
Notice that in the above
scenario you are allowing access to your Intranet over the VPN
Solution
For more Documentation on
VPN Strategies from Cisco, visit these links
Read VPN: Your Guide to the New World Opportunity
Read VPN Overview By Cisco (Design Examples)
Factors to Consider When Designing Your VPN Solution
What are the advantages of having a VPN strategy as part of your network design?
Cost Savings
- When designing and implementing a VPN you can sell the fact that organizations no longer have to use expensive leased or frame relay lines to provide end-to-end connectivity in every situation. Now, remote users can connect to their corporate networks via a local ISP.
- Calculate your savings with Cisco's Remote Access VPN Savings Calculator.
Security
- VPNs can provide a high level of security using advanced encryption techniques and authentication protocols.
- Some of these protocols are PPTP and L2TP, which are tunneling protocols that provide encryption.
Scalability
- VPNs give flexibility to companies to have a remote access infrastructure (some cannot afford expensive lines).
- Corporations are able to add a virtually unlimited amount of capacity without adding significant infrastructure. You must remember that the following should be taken into your design: although it will scale, you will not get a dedicated rate of bandwidth nor will you be able to fully rely on its dependability.
Compatibility with Broadband Technology
- VPNs allow mobile workers, telecommuters and day extenders to take advantage of high-speed broadband connectivity, such as DSL and Cable, when gaining access to their corporate networks. This provides workers with significant flexibility and efficiency.
- Note that this is also a security problem. Design your VPNs with security taking a high priority.
Remember:
You get
what you pay for. If you are designing a network for a client, you will
need to take into account that although you are saving money, you may not
be able to provide the most redundancy or offer a guarantee of bandwidth.
A VPN solution should be implemented into an infrastructure with much
thought and planning.
Security and Encryption
Three Phases of Securing a Network
- Setting up a security policy that will define the security goals of an enterprise.
- Using a Defense in Depth approach in your design. This entails implementing network security with a multi-layered design so that the enterprise does not fully depend or rely on one type of technology or one layer of defense to solve all security-related issues.
- Consistent auditing of the network to make sure that the security policy is being enforced. You can use the results of the audits to modify the security policy and the technology implementation as you develop your design. The CiscoSecure ACS (TACACS+) does a fantastic job of performing router login auditing amongst other things. This would be a product that you could incorporate into your design as a layer one defense.
Cisco Network Security Solutions
Note: Know how to leverage
these products in your network design.
Cisco security products (table; the product-name column was lost in extraction and only the descriptions survive, in row order):
- Determines whether network traffic crossing in either direction is authorized.
- An add-on module to Cisco IOS software; provides advanced firewall capabilities and security technology such as intrusion detection and authentication.
- Detects unauthorized activity on the network, responds to it, and sends alarms back to the management console.
- Software that scans networks to find security vulnerabilities and provides recommendations to correct them (Cisco's port/vulnerability scanner).
- Enables deployment of network policies on the network and centrally manages policies on PIX firewalls, VPNs, and Cisco Secure IDS systems.
- Offers comprehensive security posture assessments by highly experienced teams of Cisco network security engineers.
- Developed as a central warehouse of security knowledge to provide Cisco security professionals with an interactive database of security vulnerability information.
- Delivers easy-to-use authentication, authorization, and accounting services for both small and large access environments.
- A program designed to deliver comprehensive, interoperable security solutions for Cisco networks to its customers and its associates' customers.
Five Key Elements of Network Security
Five Key Elements
- Identity
- Perimeter Security
- Data Privacy
- Security Monitoring
- Policy Management
Identity
- Defined as the accurate and positive identification of network users, hosts, applications, services, and resources.
- Technologies used to perform solid identification are:
  - Authentication protocols such as RADIUS and TACACS+
  - Kerberos (and a TGS, Ticket Granting Server)
  - One-time password tools
- New technologies are beginning to emerge which perform increasingly important roles in identification solutions:
  - Digital certificates
  - Smart cards
  - Directory services
Perimeter Security
- Perimeter security provides a means to control access to critical resources such as network applications, data, and services.
- The goal is to control access so only legitimate users and information can traverse your network.
- Routers and switches with ACLs (access control lists) provide this control by filtering by IP / port.