Chapter 20
Management, Monitoring, and Optimization

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 1.3 Explain the concepts and characteristics of routing and switching.

  • QoS
  • Diffserv
  • CoS
  • Software-defined networking

✓ 1.4 Given a scenario, configure the appropriate IP addressing components

  • Virtual IP

✓ 1.7 Summarize cloud concepts and their purposes

  • Types of services
    • SaaS
    • PaaS
    • IaaS
  • Cloud delivery models
    • Private
    • Public
    • Hybrid
  • Connectivity methods
  • Security implications/considerations
  • Relationship between local and cloud resources

✓ 2.4 Explain the purposes of virtualization and network storage technologies

  • Virtual networking components
    • Virtual switch
    • Virtual firewall
    • Virtual NIC
    • Virtual router
    • Hypervisor
  • Jumbo Frame
  • Network storage types
    • NAS
    • SAN
  • Connection type
    • FCoE
    • Fibre Channel
    • iSCSI
    • InfiniBand

✓ 3.1 Given a scenario, use appropriate documentation and diagrams to manage the network.

  • Diagram symbols
  • Standard operating procedures/work instructions
  • Logical vs. physical diagrams
  • Rack diagrams
  • Change management documentation
  • Wiring and port locations
  • IDF/MDF documentation
  • Labeling
  • Network configuration and performance baselines
  • Inventory management

✓ 3.2 Compare and contrast business continuity and disaster recovery concepts.

  • Availability concepts
    • Fault tolerance
    • High availability
    • Load balancing
    • Clustering
  • Backups
    • Full
    • Differential
    • Incremental

✓ 3.3 Explain common scanning, monitoring and patching processes and summarize their expected outputs

  • Processes
    • Log reviewing
    • Patch management
      • Rollback
  • Reviewing baselines

✓ 3.5 Identify policies and best practices

  • Privileged user agreement
  • Password policy
  • On-boarding/off-boarding procedures
  • Licensing restrictions
  • International export controls
  • Data loss prevention
  • Remote access policies
  • Incident response policies
  • BYOD
  • AUP
  • NDA
  • System life cycle
    • Asset disposal
  • Safety procedures and policies

✓ 4.6 Explain common mitigation techniques and their purposes

  • Honeypot/honeynet

If you didn’t just skip to the end of this book, you’ve trekked through enough material to know that without a doubt, the task of designing, implementing, and maintaining a state-of-the-art network doesn’t happen magically. Ending up with a great network requires some really solid planning before you buy even one device for it. And planning includes thoroughly analyzing your design for potential flaws and optimizing configurations everywhere you can to maximize the network’s future throughput and performance. If you blow it in this phase, trust me—you’ll pay dearly later in bottom-line costs and countless hours consumed troubleshooting and putting out the fires of faulty design.

Start planning by creating an outline that precisely delimits all goals and business requirements for the network, and refer back to it often to ensure that you don’t deliver a network that falls short of your client’s present needs or fails to offer the scalability to grow with those needs. Drawing out your design and jotting down all the relevant information really helps in spotting weaknesses and faults. If you have a team, make sure everyone on it gets to examine the design and evaluate it, and keep that network plan up throughout the installation phase. Hang on to it after implementation has been completed as well because having it is like having the keys to the kingdom—it will enable you to efficiently troubleshoot any issues that could arise after everything is in place and up and running.

High-quality documentation should include a baseline for network performance because you and your client need to know what “normal” looks like in order to detect problems before they develop into disasters. Don’t forget to verify that the network conforms to all internal and external regulations and that you’ve developed and itemized solid management procedures and security policies for future network administrators to refer to and follow.

I’ll begin this chapter by going over the fundamentals of things like plans, diagrams, baselines, rules, and regulations, and then move on to cover critical hardware and software utilities you should have in your problem resolution arsenal, like packet sniffers, throughput testers, connectivity packages, and even different types of event logs on your servers. And because even the best designs usually need a little boost after they’ve been up and running for a while, I’ll wrap things up by telling you about some cool ways you can tweak things to really jack up a network’s performance, optimize its data throughput, and, well, keep it all humming along as efficiently and smoothly as possible.

To find Todd Lammle CompTIA videos and practice questions, please see www.lammle.com/network+.

Managing Network Documentation

I’ll admit it—creating network documentation is one of my least favorite tasks in network administration. It just isn’t as exciting to me as learning about the coolest new technology or tackling and solving a challenging problem. Part of it may be that I figure I know my networks well enough—after all, I installed and configured them, so if something comes up, it should be easy to figure it out and fix it, right? And most of the time I can do that, but as networks get bigger and more complex, it gets harder and harder to remember it all. Plus, it’s an integral part of the service I provide for my clients to have seriously solid documentation in hand to refer to after I’ve left the scene and turned their network over to them. So while I’ll admit that creating documentation isn’t something I get excited about, I know from experience that having it around is critical when problems come up—for myself and for my clients’ technicians and administrators, who may not have been part of the installation process and simply aren’t familiar with the system.

Using SNMP

In Chapter 6, “Introduction to the Internet Protocol,” I introduced you to Simple Network Management Protocol (SNMP), which is used to gather information from and send settings to devices that are SNMP compatible. Make sure to thoroughly review the differences between versions 1, 2, and 3 that we discussed there! Remember, I told you SNMP gathers data by polling the devices on the network from a management station at fixed or random intervals, requiring them to disclose certain information. This is a big factor that really helps to simplify the process of gathering information about your entire internetwork.

SNMP uses UDP to transfer messages back and forth between the management system and the agents running on the managed devices: agents listen on UDP port 161, and the management station listens on UDP port 162 for notifications. Inside the UDP packets (called datagrams) are commands from the management system to the agent. These commands can be used either to get information from the device about its state (SNMP GetRequest) or to make a change in the device’s configuration (SetRequest). If a GetRequest command has been sent, the device will respond with an SNMP response. If there’s a piece of information that’s particularly interesting to an administrator about the device, the administrator can configure something called a trap on the device, which makes the agent send an unsolicited notification to the management station when that event occurs instead of waiting to be polled. One point from Chapter 6 bears repeating here because it matters for monitoring: in SNMPv1 and SNMPv2c, the community string that authorizes a GetRequest or SetRequest travels in cleartext inside every datagram, so anyone who can capture the traffic can reuse it. Prefer SNMPv3 with authentication and privacy enabled, and don’t leave a read-write community on any device that only needs to be polled.
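
To make the datagram structure concrete, here is a small Python example that hand-encodes an SNMPv2c GetRequest for sysDescr.0 with ASN.1 BER and then reads the community string straight back out of the raw bytes, the way a sniffer on the path would. It is an added illustration, not code from the chapter or from any SNMP product; the OID is the standard MIB-II sysDescr.0, while the community string "public" and the request-id are constructed values.

```python
"""Added example: hand-encode an SNMPv2c GetRequest with ASN.1 BER and show
what an on-path observer can read back out of the datagram.
Illustrative code, not from the chapter. The community string and
request-id are constructed values; the OID is MIB-II sysDescr.0."""
from __future__ import annotations

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"   # sysDescr.0 from MIB-II (RFC 1213)
SNMP_AGENT_PORT = 161                 # requests go here; traps go to UDP 162


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Wrap content as a tag-length-value triple."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    size = 1
    while True:
        try:
            return tlv(0x02, value.to_bytes(size, "big", signed=True))
        except OverflowError:
            size += 1


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed into one octet,
    remaining arcs base-128 with the high bit set on all but the last octet."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv2c Message ::= SEQUENCE { version INTEGER(1), community OCTET STRING,
    GetRequest-PDU [0] { request-id, error-status, error-index, VarBindList } }."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))        # OID + NULL placeholder
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0)
              + tlv(0x30, varbind))                           # context tag 0 = GetRequest
    return tlv(0x30, ber_integer(1) + tlv(0x04, community.encode("ascii")) + pdu)


def read_tlv(data: bytes, offset: int = 0) -> tuple[int, bytes, int]:
    """Decode one TLV at offset; return (tag, content, offset of next element)."""
    tag = data[offset]
    first = data[offset + 1]
    pos = offset + 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, data[pos:pos + length], pos + length


def sniff_community(datagram: bytes) -> tuple[int, str]:
    """What a passive observer learns from one v1/v2c datagram: the version and
    the cleartext community string. SNMPv3 (version 3) carries no community
    string and can authenticate and encrypt the PDU instead."""
    tag, message, _ = read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, version_bytes, nxt = read_tlv(message)
    version = int.from_bytes(version_bytes, "big", signed=True)
    tag, community, _ = read_tlv(message, nxt)
    if tag != 0x04:
        raise ValueError("expected community OCTET STRING")
    return version, community.decode("latin-1")


if __name__ == "__main__":
    datagram = build_get_request("public", SYS_DESCR_OID, request_id=1)
    print(datagram.hex(" "))
    print(sniff_community(datagram))   # the community string is right there in the bytes
```

Sending the 40-byte datagram to UDP port 161 on a real agent is a one-liner with the socket module; the point of the example is what sits in those bytes. The community string is a plain OCTET STRING, so a v1/v2c read-write community captured once is as good as a password, which is why the chapter steers you toward SNMPv3.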

So, no whining! Like it or not, we’re going to create some solid documentation. But because I’m guessing that you really don’t want to redo it, it’s a very good idea to keep it safe in at least three forms:

  • An electronic copy that you can easily modify after configuration changes
  • A hard copy in a binder of some sort, stored in an easily accessible location
  • A copy on an external drive to keep in a really safe place (even off site) in case something happens to the other two or the building or part of it burns to the ground

So why the hard copy? Well, what if the computer storing the electronic copy totally crashes and burns at exactly the same time a major crisis develops? Good thing you have that paper documentation on hand for reference! Plus, sometimes you’ll be troubleshooting on the run—maybe literally, as in running down the hall to the disaster’s origin. Having that binder containing key configuration information on board could save you a lot of time and trouble, and it’s also handy for making notes to yourself as you troubleshoot. Also, depending on the size of the intranet and the number of people staffing the IT department, it might be smart to have several hard copies. Just always make sure they’re only checked out by staff who are cleared to have them and that they’re all returned to a secure location at the end of each shift. You definitely don’t want that information in the wrong hands!

Now that I’ve hopefully convinced you that you absolutely must have tight documentation, let’s take a look into the different types you need on hand so you can learn how to assemble them.

I’ll cover schematics and diagrams next, and discuss baselines and policies, procedures, and regulations later when I cover network monitoring.

Schematics and Diagrams

Now reading network documentation doesn’t exactly compete with racing your friends on jet skis, but it’s really not that bad. It’s better than eating canned spinach, and sometimes it’s actually interesting to check out schematics and diagrams—especially when they describe innovative, elegant designs or when you’re hunting down clues needed to solve an intricate problem with an elusive solution. I can’t tell you how many times, if something isn’t working between point A and point B, a solid diagram of the network that precisely describes exactly what exists between point A and point B has totally saved the day. These tools also come in handy when you need to extend your network and you want a clear picture of how the expanded version will look and work. Will the new addition cause one part of the network to become bogged down while another remains underutilized? You get the idea.

Diagrams can be simple sketches created while brainstorming or troubleshooting on the fly. They can also be highly detailed, refined illustrations created with some of the snappy software packages around today, like Microsoft Visio, SmartDraw, and a host of computer-aided design (CAD) programs. Some of the more complex varieties, especially CAD programs, are super pricey. But whatever tool you use to draw pictures about your networks, they basically fall into these groups:

  • Wiring diagrams/schematics
  • Physical network diagrams
  • Logical network diagrams
  • Asset management
  • IP address utilization
  • Vendor documentation

Wiring Schematics

Wireless is definitely the wave of the future, but for now even the most extensive wireless networks have a wired backbone they rely on to connect them to the rest of humanity.

That skeleton is made up of cabled physical media like coax, fiber, and twisted pair. Surprisingly, it is the latter—specifically, unshielded twisted pair (UTP)—that screams to be pictured in a diagram. You’ll see why in a minute. To help you follow me, let’s review what we learned in Chapter 3, “Networking Topologies, Connectors, and Wiring Standards.” We’ll start by checking out Figure 20.1 (a diagram!) that pictures the fact that UTP cables use an RJ-45 connector (RJ stands for registered jack).

Figure 20.1 RJ-45 connector

The image shows an RJ-45 connector in front and top view. It has eight pins, with pin 1 on the left and pin 8 on the right, each attached to a wire of a different color. The color assigned to each pin is set by the wiring standard.

What we see here is that pin 1 is on the left and pin 8 is on the right, so clearly, within your UTP cable, you need to make sure the right wires get to the right pins. No worries if you got your cables premade from the store, but making them yourself not only saves you a bunch of money, it allows you to customize cable lengths, which is really important! Table 20.1 matches the colors for the wire associated with each pin, based on the Electronic Industries Alliance/Telecommunications Industry Association (EIA/TIA) 568B wiring standard.

Table 20.1 Standard EIA/TIA 568B wiring

Pin Color
1 White/Orange
2 Orange
3 White/Green
4 Blue
5 White/Blue
6 Green
7 White/Brown
8 Brown

Standard drop cables, or patch cables, have the pins in the same order on both connectors. If you’re connecting a computer to another computer directly, you should already know that you need a crossover cable that has one connector with flipped wires. Specifically, pins 1 and 3 and pins 2 and 6 get switched to ensure that the transmit pair from one computer’s Network Interface Card (NIC) gets attached to the receive pair on the other computer’s NIC. Crossover cables were also used to connect like devices, such as older switches and hubs to each other, when a dedicated uplink port wasn’t available to do the crossover for you. Figure 20.2 shows you what this looks like.

Figure 20.2 Two ends of a crossover cable

The image shows the two ends of a crossover cable. The white/orange wire on pin 1 at one end is the white/green wire on pin 1 at the other end, and so on: the wire that leaves pin 1 at one end arrives on pin 3 at the other.

The crossover cable shown in Figure 20.2 is for connections up to 100BaseTX, which uses only two of the four pairs. If you are building a crossover for 1000BaseT, which uses all four pairs, all four pairs get crossed at the opposite end, meaning pins 4 and 7 and pins 5 and 8 get crossed as well. Automatic MDI/MDI-X configuration (auto-MDIX), an optional feature of the 1000BaseT standard, lets an interface detect which pairs its neighbor transmits on and swap them itself, which makes the need for crossover cables between gigabit-capable interfaces a thing of the past.

This is where having a diagram is golden. Let’s say you’re troubleshooting a network and discover connectivity problems between two hosts. Because you’ve got the map, you know the cable running between them is brand new and custom made. This should tell you to go directly to that new cable because it’s likely it was poorly made and is therefore causing the snag.

Another reason it’s so important to diagram all things wiring is that all wires have to plug into something somewhere, and it’s really good to know what and where that is. Whether it’s into a hub, a switch, a router, a workstation, or the wall, you positively need to know the who, what, where, when, and how of the way the wiring is attached.

After adding a new cable segment on your network, you need to update the wiring schematics.

For medium to large networks, devices like switches and routers are rack-mounted and would look something like the switch in Figure 20.3.

Knowing someone’s or something’s name is important because it helps us differentiate between people and things—especially when communicating with each other. If you want to be specific, you can’t just say, “You know that router in the rack?” This is why coming up with a good naming system for all the devices living in your racks will be invaluable for ensuring that your wires don’t get crossed.

Figure 20.3 Rack-mounted switches

The image shows switches mounted in a rack, as is typical for devices like switches and routers in medium to large networks.

Okay, I know it probably seems like we’re edging over into OCD territory, but stay with me here; in addition to labeling, well, everything so far, you should actually label both ends of your cables, too. If something happens (earthquake, tsunami, temper tantrum, even repairs) and more than one cable gets unplugged at the same time, it can get really messy scrambling to reconnect them from memory—fast!

Physical Network Diagrams

A physical network diagram contains all the physical devices and connectivity paths on your network and should accurately picture how your network physically fits together in glorious detail. Again, I know it seems like overkill, but ideally, your network diagram should list and map everything you would need to completely rebuild your network from scratch if you had to. This is actually what this type of diagram is designed for. But there’s still another physical network diagram variety that includes the firmware revision on all the switches and access points in your network. Remember, besides having your physical network accurately detailed, you must also clearly understand the connections, types of hardware, and their firmware revisions. I'm going to say it again—you will be so happy you have this documentation when troubleshooting! It will prevent much suffering and enable you to fix whatever the problem is so much faster!

Real World Scenario

Avoiding Confusion

Naming your network devices is no big deal, but for some reason, coming up with systems for naming devices and numbering connections can really stress people out.

Let me ease the pain. Let’s say your network has two racks of switches, creatively named Block A and Block B. (I know this sounds like a prison, but it’s just to keep things simple for this example. In the real world, you can come up with whatever naming system works for you.)

Anyway, I’m going to use the letters FETH for Fast Ethernet, and because each rack has six switches, I’m going to number them 1 through 6. Because we read from left to right in the West, it’s intuitive to number the ports on each switch that way, too, but again, do what works best for you.

Having a solid naming system makes things so much more efficient—even if it’s a bit of a hassle to create. For instance, if you were the system administrator in this example and suddenly all the computers connected to FETHB-3 couldn’t access any network resources, you would have a pretty good idea of where to look first, right?

If you can’t diagram everything for some reason, at least make sure all network devices are listed. As I said, physical network diagrams can run from simple, hand-drawn models to insanely complex monsters created by software packages like SmartDraw, Visio, and AutoCAD. Figure 20.4 shows a simple diagram that most of us could draw by hand.

Figure 20.4 Simple network physical diagram

The image shows a simple physical network diagram: several servers connect to the Internet through switch 1 and a router, and to printers and 19 workstations through switch 2.

For the artistically impaired, or if you just want a flashier version, Figure 20.5 exhibits a more complex physical diagram. This is an actual sample of what SmartDraw can do for you, and you can get it at www.smartdraw.com. Microsoft Visio provides many of these same functions, and possibly more.

Figure 20.5 Network diagram with firewalls from SmartDraw

The image shows a network diagram in which the Internet connects to clients and devices through a router, a firewall, servers, switches, and so on.

My last example, also courtesy of SmartDraw, includes diagrams of hardware racks, as revealed in Figure 20.6.

Figure 20.6 Hardware-rack diagram from SmartDraw

The image shows a hardware rack containing an 8U rack-mount monitor on top, a Cisco 2960 XL switch, PC-1 through PC-6, a router, VLAN1 NetWare, VLAN1 Red Hat, and so on.

Don’t throw anything at me, but I need to bring up one last thing: Never forget to mirror any changes you make to your actual network in the network’s diagram. Think of it like an updated snapshot. If you give the authorities your college buddy’s baby picture after he goes missing, will that really help people recognize him as well as one taken just before he disappeared? Because they don’t make age progression software for networks, it’s smart to just keep things up to date.

Logical Network Diagrams

Physical diagrams depict how data physically flows from one area of your network to the next, but a logical network diagram includes things like protocols, configurations, addressing schemes, access lists, firewalls, types of applications, and so on—all things that apply logically to your network. Figure 20.7 shows what a typical logical network diagram looks like.

Figure 20.7 Logical network diagram

The diagram shows a logical network in which the Internet connects to an external router, a firewall, and an internal router that serves the R&D subnet, a web server, the server subnet, and the admin subnet.

Just as you mirror any physical changes you make to the physical network on your physical diagram, like adding devices or even just a cable, you map logical changes, such as creating a new subnet, VLAN, or security zone, on your logical network diagram. And it’s equally vital that you keep this oh-so-important document up to date!

Asset Management

Asset management involves tracking all network assets like computers, routers, switches, and hubs through their entire life cycles. Most organizations find it beneficial to utilize asset identification numbers to facilitate this process. The ISO has established standards regarding asset management. The ISO/IEC 19770 family includes these four major parts:

  • 19770-1 is a process-related standard that outlines best practices for IT asset management in an organization.
  • 19770-2 is a standard for machine encapsulation (in the form of an XML file known as a SWID tag) of inventory data—allowing users to easily identify what software is deployed on a given device.
  • 19770-3 is a standard that provides a schema for machine encapsulation of entitlements and rights associated with software licenses. The records (known as ENTs) describe all entitlements and rights attendant to a piece of software and the method for measuring license/entitlement consumption. It was published as ISO/IEC 19770-3:2016.
  • 19770-4 allows for standardized reporting of resource utilization. This is crucial when considering complex data center license types and for the management of cloud-based software and hardware (software as a service, or SaaS, and infrastructure as a service, or IaaS). It was published as ISO/IEC 19770-4:2017.
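
As an added example, not from the chapter, the following Python reads a few constructed 19770-2 SWID tags the way an inventory agent would, then checks the result against a hypothetical approved-software list so that unexpected software on a device stands out. The namespace URI is the published 19770-2:2015 one; the product names, tagIds and regids are made up (the .invalid domain is reserved for exactly that purpose), and the APPROVED allow-list is an assumption you would replace with your own.

```python
"""Added example: parse ISO/IEC 19770-2 SWID tags into an inventory and
check it against an approved-software list. Illustrative code, not from the
chapter. The tags and the allow-list below are constructed; only the
namespace URI is the real 19770-2:2015 one."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

SWID_NS = {"swid": "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"}

# Constructed tags, as an endpoint agent might collect them from a swidtag
# directory. None of these products, tagIds or regids are real.
SAMPLE_TAGS = [
    """<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
         name="ExampleVPN Client" tagId="example.invalid.vpn-4.2.1" version="4.2.1">
         <Entity name="Example Corp" regid="example.invalid" role="tagCreator softwareCreator"/>
       </SoftwareIdentity>""",
    """<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
         name="ExampleVPN Client" tagId="example.invalid.vpn-4.2.1-patch7" version="4.2.1.7" patch="true">
         <Entity name="Example Corp" regid="example.invalid" role="tagCreator"/>
         <Link rel="patches" href="swid:example.invalid.vpn-4.2.1"/>
       </SoftwareIdentity>""",
    """<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
         name="FreeTorrentTool" tagId="nobody.invalid.ftt-1.0" version="1.0">
         <Entity name="Unknown Publisher" regid="nobody.invalid" role="tagCreator softwareCreator"/>
       </SoftwareIdentity>""",
]

# Hypothetical allow-list keyed by (publisher regid, product name).
APPROVED = {("example.invalid", "ExampleVPN Client")}


@dataclass(frozen=True)
class SwidRecord:
    tag_id: str
    name: str
    version: str
    publisher_regid: str
    is_patch: bool


def parse_swid(xml_text: str) -> SwidRecord:
    """Pull the identifying attributes out of one SoftwareIdentity element.
    Note: xml.etree is not hardened against hostile XML; for tags collected
    from untrusted endpoints, parse with defusedxml instead."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS['swid']}}}SoftwareIdentity":
        raise ValueError("not a 19770-2 SoftwareIdentity element")
    entities = root.findall("swid:Entity", SWID_NS)
    # Prefer the entity that claims softwareCreator; fall back to the tag creator.
    creators = [e.get("regid", "") for e in entities
                if "softwareCreator" in e.get("role", "").split()]
    publisher = creators[0] if creators else (entities[0].get("regid", "") if entities else "")
    return SwidRecord(
        tag_id=root.get("tagId", ""),
        name=root.get("name", ""),
        version=root.get("version", ""),
        publisher_regid=publisher,
        is_patch=root.get("patch", "false").lower() == "true",
    )


def build_inventory(tags: list[str]) -> list[SwidRecord]:
    return [parse_swid(t) for t in tags]


def unapproved(inventory: list[SwidRecord]) -> list[SwidRecord]:
    """Primary (non-patch) tags whose publisher/product pair is not on the allow-list.
    Patch tags are skipped because they describe updates to a product already listed."""
    return [r for r in inventory
            if not r.is_patch and (r.publisher_regid, r.name) not in APPROVED]


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_TAGS)
    for rec in inventory:
        print(f"{rec.publisher_regid:16} {rec.name:20} {rec.version:8} patch={rec.is_patch}")
    print("not approved:", [r.name for r in unapproved(inventory)])
```

Keying the allow-list on the publisher regid as well as the product name is deliberate: a tag is self-asserted by whoever wrote it, so a name alone is easy to forge. A regid that doesn't match the publisher you expect is itself a finding worth a closer look.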

IP Address Utilization

Documenting the current IP addressing scheme can also be highly beneficial, especially when changes are required. Not only is this really helpful to new technicians, it’s very useful when identifying IP addressing issues that can lead to future problems. In many cases IP addresses are configured over a long period of time with no real thought or planning on the macro level.

Current and correct documentation can help administrators identify discontiguous networks (where subnets of a major network are separated by another major network) that can cause routing protocol issues. Proper IP address design can also facilitate summarization, which makes routing tables smaller, speeding the routing process. None of these wise design choices can be made without proper IP address documentation.
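
The checks described above can be automated with nothing but Python’s ipaddress module, which is a good way to keep an IP plan honest as it grows. This is an added example, not from the chapter: SITE_A, SITE_B and SITE_C are constructed allocations, with SITE_C deliberately placed in the gap inside SITE_B’s range to show the discontiguous case, and the overlap check catches duplicate or nested assignments that creep into a plan configured over years.

```python
"""Added example: sanity-check a documented IP plan with the standard library.
Illustrative code, not from the chapter; every prefix below is constructed.
All prefixes passed to one call must be the same address family."""
from __future__ import annotations

import ipaddress
from itertools import combinations

SITE_A = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]  # contiguous block
SITE_B = ["10.1.4.0/24", "10.1.5.0/24", "10.1.7.0/24"]                  # gap at 10.1.6.0/24
SITE_C = ["10.1.6.0/24"]                                                 # lives inside B's gap


def find_overlaps(prefixes: list[str]) -> list[tuple[str, str]]:
    """Pairs of documented allocations that overlap (duplicate or nested assignments).
    ip_network() is strict by default, so an entry with host bits set raises ValueError,
    which is itself a documentation error worth surfacing."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def tightest_summary(prefixes: list[str]):
    """Smallest single prefix that covers every allocation in the list."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()          # widen one bit at a time
    return summary


def summary_report(prefixes: list[str]) -> dict:
    """How well a site's allocations summarize: one route or several, and how
    much of the summary range is not actually allocated."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = tightest_summary(prefixes)
    collapsed = list(ipaddress.collapse_addresses(nets))   # merge adjacent prefixes
    allocated = sum(n.num_addresses for n in collapsed)
    return {
        "summary": str(summary),
        "routes_after_collapse": len(collapsed),
        "allocated_addresses": allocated,
        "unallocated_inside_summary": summary.num_addresses - allocated,
    }


def summary_conflicts(site_prefixes: list[str], other_prefixes: list[str]) -> list[str]:
    """Prefixes belonging to other sites that this site's summary would swallow.
    A non-empty result is the discontiguous-network problem: advertising the
    summary would attract traffic for someone else's subnet."""
    summary = tightest_summary(site_prefixes)
    return [p for p in other_prefixes if ipaddress.ip_network(p).subnet_of(summary)]


if __name__ == "__main__":
    print("A:", summary_report(SITE_A))
    print("B:", summary_report(SITE_B))
    print("B summary would swallow:", summary_conflicts(SITE_B, SITE_C))
    print("overlaps:", find_overlaps(SITE_A + SITE_B + SITE_C))
```

Site A summarizes cleanly to one /22 with nothing wasted. Site B needs two routes, its tightest summary leaves a /24 unallocated, and that hole is exactly where Site C sits, so a single summary route for B would black-hole or misroute C’s traffic. That is the situation the paragraph above warns about, and it is visible in seconds once the plan is written down in a form a script can read.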

Vendor Documentation

Vendor agreements often have beneficial clauses that were negotiated during the purchase process. Many also contain critical details concerning SLAs and deadlines for warranties. These documents need to be organized and stored safely for future reference. Creating a spreadsheet or some other form of tracking documentation that alerts you to upcoming dates of interest can be a huge advantage!

Network Monitoring

Identifying performance issues within the network is only one of the reasons to perform structured monitoring. Security issues also require constant monitoring. In the following sections, we’ll look into both types of monitoring and cover some of the best practices and guidelines for success.

Baselines

In networking, baseline often refers to the standard level of performance of a certain device, or to the normal operating capacity for your whole network. For instance, a specific server’s baseline describes norms for factors like how busy its processors are, how much memory it uses, and how much data usually goes through the NIC at a given time.

A network baseline delimits the amount of bandwidth available and when. For networks and networked devices, baselines include information about four key components:

  • Processor
  • Memory
  • Hard-disk (or other storage) subsystem
  • Network adapter or subsystem

After everything is up and running, it’s a good idea to establish performance baselines on all vital devices and for your network in general. To do this, measure things like network usage at three different strategic times to get an accurate assessment. For instance, peak usage usually happens around 8:00 a.m. Monday through Friday, or whenever most people log in to the network in the morning. After hours or on weekends is often when usage is the lowest. Knowing these values can help you troubleshoot bottlenecks or determine why certain system resources are more limited than they should be. Knowing what your baseline is can even tell you if someone’s complaints about the network running like a slug are really valid—nice!

It’s good to know that you can use network-monitoring software to establish baselines. Even some server operating systems come with software to help with network monitoring, which can help find baselines as well.

In my experience, it’s wise to re-baseline network performance at least once a year. And always pinpoint new performance baselines after any major upgrade to your network’s infrastructure.
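
One way to turn the three-window baseline into something that actually detects problems, as an added example that is not from the chapter: the constructed samples below are NIC throughput readings taken during weekday peak, business hours and off-hours, the period_of() split is an assumption you would tune to your own site, and the k=3 threshold is a common starting point rather than a rule. The same logic works for processor, memory and disk counters; only the sample source changes.

```python
"""Added example: build a per-period performance baseline from throughput
samples and flag readings that fall outside it. Illustrative code, not from
the chapter; all samples are constructed (NIC throughput in Mbit/s)."""
from __future__ import annotations

import statistics
from dataclasses import dataclass
from datetime import datetime

# Constructed samples: (ISO timestamp, Mbit/s on a server NIC).
# 2024-03-11 is a Monday; 2024-03-16 and 2024-03-17 fall on the weekend.
BASELINE_SAMPLES = [
    ("2024-03-11T08:05:00", 80.0), ("2024-03-11T08:35:00", 85.0), ("2024-03-11T09:10:00", 90.0),
    ("2024-03-12T08:20:00", 82.0), ("2024-03-12T09:40:00", 88.0),            # peak
    ("2024-03-11T11:00:00", 40.0), ("2024-03-11T14:00:00", 45.0), ("2024-03-12T12:30:00", 42.0),
    ("2024-03-12T16:00:00", 50.0), ("2024-03-13T10:15:00", 38.0),            # business
    ("2024-03-11T02:00:00", 5.0), ("2024-03-11T22:30:00", 6.0), ("2024-03-12T03:00:00", 4.0),
    ("2024-03-16T13:00:00", 7.0), ("2024-03-17T01:00:00", 5.0),              # off-hours
]

# Constructed readings from a later week to check against the baseline.
NEW_SAMPLES = [
    ("2024-03-18T08:30:00", 87.0),   # ordinary Monday morning peak
    ("2024-03-18T02:10:00", 60.0),   # 60 Mbit/s at 2 a.m.: backup job, or exfiltration?
    ("2024-03-18T13:00:00", 0.0),    # flat zero in business hours: link or service down
]


def period_of(ts: str) -> str:
    """Classify a timestamp into the three strategic windows the chapter names.
    Assumption: weekday 08:00-09:59 is peak, 10:00-17:59 is business, the rest is off-hours."""
    t = datetime.fromisoformat(ts)
    if t.weekday() >= 5:                  # Saturday or Sunday
        return "off-hours"
    if 8 <= t.hour < 10:
        return "peak"
    if 10 <= t.hour < 18:
        return "business"
    return "off-hours"


@dataclass(frozen=True)
class Band:
    mean: float
    stdev: float
    n: int


def build_baseline(samples) -> dict[str, Band]:
    """Mean and sample standard deviation per period."""
    buckets: dict[str, list[float]] = {}
    for ts, value in samples:
        buckets.setdefault(period_of(ts), []).append(value)
    return {
        period: Band(statistics.mean(v), statistics.stdev(v) if len(v) > 1 else 0.0, len(v))
        for period, v in buckets.items()
    }


def check_against_baseline(baseline: dict[str, Band], samples, k: float = 3.0, floor: float = 1.0):
    """Return (timestamp, value, period, z) for readings more than k standard
    deviations from their period's mean. `floor` stops a nearly flat baseline
    (quiet nights) from turning every small wobble into an alert."""
    alerts = []
    for ts, value in samples:
        period = period_of(ts)
        band = baseline[period]
        spread = max(band.stdev, floor)
        z = (value - band.mean) / spread
        if abs(z) > k:
            alerts.append((ts, value, period, round(z, 1)))
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_SAMPLES)
    for period, band in base.items():
        print(f"{period:10} mean={band.mean:6.1f} stdev={band.stdev:5.2f} n={band.n}")
    for alert in check_against_baseline(base, NEW_SAMPLES):
        print("ALERT", alert)
```

The 87 Mbit/s reading at 08:30 is inside the peak band and stays quiet; the two anomalies are a night-time spike against the off-hours band and a dead-flat zero in business hours. Without the per-period split, the 60 Mbit/s reading would sit comfortably inside the all-day average and nobody would look at it, which is the practical reason the chapter insists on measuring at different times.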

Processes

When monitoring baselines, there are a few processes that make the effort pay off. In this section we’ll look at the ones that are particularly helpful.

Log reviewing   While regular log review is always recommended anyway, it has specific benefits when monitoring baselines. In some cases you may be able to identify a noncompliant device by the entries in its own log or in the logs of infrastructure devices, such as the switches, authentication servers, and firewalls it talks to.
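
For instance, the 802.1X and port-security messages an access switch logs point straight at a device that keeps failing authentication or shows up with the wrong MAC address on a port. The following Python is an added example, not from the chapter; the lines in SAMPLE_LOG are constructed in the style of Cisco IOS syslog, and the hostname, MAC addresses, ports and session IDs are invented.

```python
"""Added example: review switch syslog for signs of a non-compliant device.
Illustrative code, not from the chapter. SAMPLE_LOG is constructed in the
style of Cisco IOS port-security and 802.1X messages; every address, port
and hostname in it is made up."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Mar 11 08:02:11 sw-blockb-3 1234: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.0.5)
Mar 11 08:14:52 sw-blockb-3 1235: %DOT1X-5-FAIL: Authentication failed for client (00d0.2b0a.1c2d) on Interface Gi0/12 AuditSessionID 0A0A000A0000001F
Mar 11 08:15:02 sw-blockb-3 1236: %DOT1X-5-FAIL: Authentication failed for client (00d0.2b0a.1c2d) on Interface Gi0/12 AuditSessionID 0A0A000A00000020
Mar 11 08:15:13 sw-blockb-3 1237: %DOT1X-5-FAIL: Authentication failed for client (00d0.2b0a.1c2d) on Interface Gi0/12 AuditSessionID 0A0A000A00000021
Mar 11 08:16:40 sw-blockb-3 1238: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00d0.2b0a.1c2d on port GigabitEthernet0/12.
Mar 11 08:30:01 sw-blockb-3 1239: %DOT1X-5-SUCCESS: Authentication successful for client (3c22.fb01.aa10) on Interface Gi0/7 AuditSessionID 0A0A000A00000022
Mar 11 09:01:17 sw-blockb-3 1240: %DOT1X-5-FAIL: Authentication failed for client (3c22.fb01.aa10) on Interface Gi0/7 AuditSessionID 0A0A000A00000023
Mar 11 09:44:08 sw-blockb-3 1241: %LINK-3-UPDOWN: Interface GigabitEthernet0/12, changed state to down
"""

# Syslog line: timestamp, reporting host, sequence number, %FACILITY-SEVERITY-MNEMONIC, text.
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \d+: "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)
MAC = re.compile(r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)
PORT = re.compile(r"(?:Interface|port) (?P<port>(?:Gi|GigabitEthernet|Fa|FastEthernet)\d+/\d+)", re.I)

# Mnemonics that indicate a device that should not be where it is (assumed set; extend to taste).
SUSPECT = {"DOT1X-5-FAIL", "PORT_SECURITY-2-PSECURE_VIOLATION"}


def normalize_port(name: str) -> str:
    """IOS abbreviates interface names inconsistently across messages; pick one form."""
    return name.replace("GigabitEthernet", "Gi").replace("FastEthernet", "Fa")


def parse_line(line: str) -> dict | None:
    m = SYSLOG.match(line)
    if not m:
        return None
    rec = m.groupdict()
    mac = MAC.search(rec["msg"])
    port = PORT.search(rec["msg"])
    rec["mac"] = mac.group("mac").lower() if mac else None
    rec["port"] = normalize_port(port.group("port")) if port else None
    return rec


def review(log_text: str, threshold: int = 3) -> list[dict]:
    """Group suspect events by (MAC, switch, port) and report the groups with
    at least `threshold` events, busiest first. The (MAC, port) pair is the
    key because that is what you walk to the patch panel with."""
    events: dict[tuple, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["mnemonic"] in SUSPECT and rec["mac"]:
            events[(rec["mac"], rec["host"], rec["port"])][rec["mnemonic"]] += 1
    findings = []
    for (mac, host, port), counts in events.items():
        total = sum(counts.values())
        if total >= threshold:
            findings.append({"mac": mac, "switch": host, "port": port,
                             "events": dict(counts), "total": total})
    return sorted(findings, key=lambda f: -f["total"])


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

With the default threshold the report names one device: the MAC on Gi0/12 of sw-blockb-3 failed 802.1X three times and then tripped port security, which is the pattern of a machine that doesn’t belong on that port. The single failure on Gi0/7 after a successful authentication stays below the threshold, which is the kind of noise that makes thresholds worth tuning per site. Note that everything here keys off the reported MAC address, which a determined attacker can change; treat it as a lead, not as proof of identity.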

Patch management issues   In some cases, applying patches, especially device driver updates, can be problematic. Issues can include the device no longer working, loss of some key functionality, or odd error messages. When this occurs, you may want to make use of the procedure covered next.

Rollback   While rollback is a general term for reversing any operation, for device drivers it means removing the newer driver and going back to using the previous one. This is typically an available option only if the driver you want to roll back to is the one that was installed immediately before the update, because operating systems usually keep just that one prior version. For anything bigger than a driver, such as firmware or an OS patch on an infrastructure device, the rollback path (the saved previous image or configuration, and how to reload it) should be written into the change request before the change is made, not worked out after it fails.

On-Boarding and Off-Boarding of Mobile Devices

Increasingly, users are doing work on their mobile devices that they once performed on laptops and desktop computers. Moreover, they are demanding that they be able to use their personal devices to work on the company network. This presents a huge security issue for the IT department because they have to secure these devices while simultaneously exercising much less control over them.

The security team must have a way to prevent these personal devices from introducing malware and other security issues to the network. Bring Your Own Device (BYOD) initiatives can be successful if implemented correctly. The key is to implement control over these personal devices that leave the safety of your network and return later after potentially being exposed to environments that are out of your control. One of the methods that has been employed successfully to accomplish this goal is network access control (NAC), covered in the next section.

NAC

Today’s network access control goes beyond simply authenticating users and devices before they are allowed into the network. With the challenges presented by today’s mobile workforce, it must go further. These services are called Network Admission Control in the Cisco world and Network Access Protection in the Microsoft world, but the goals of these features are the same: to examine all devices requesting network access for malware, missing security updates, and any other security issues any device could potentially introduce to the network.

In some cases network access control goes beyond simply denying access to systems that fail inspection. NAC can even redirect the failed system to a remediation server, which will then apply patches and updates before allowing the device access to the network. These systems can be especially helpful in supporting a BYOD initiative while still maintaining the security of the network.

Policies, Procedures, and Regulations

It’s up to us, individually and corporately, to nail down exactly what solid guidelines there should be for policies and procedures for network installation and operation. Some organizations are bound by regulations that also affect how they conduct their business, and that kind of thing clearly needs to be involved in their choices. But let me take a minute to make sure you understand the difference between policies and procedures.

Policies govern how the network is configured and operated as well as how people are expected to behave on it. They’re in place to direct things like how users access resources and which employees and groups get various types of network access and/or privileges. Basically, policies give people guidelines as to what they are expected to do. Procedures are precise descriptions of the appropriate steps to follow in a given situation, such as what to do when an employee is terminated or what to do in the event of a natural disaster. They often dictate precisely how to execute policies as well.

Of note, one of the most important aspects of any policy or procedure is that it’s given high-level management support. This is because neither will be very effective if there aren’t any consequences for not following the rules!

Policies

I talked extensively about security policies in Chapter 14, “Network Threats and Mitigation,” so if you’re drawing a blank, you can go back there for details. Here’s a summary list of factors that most policies cover:

Security Policies These are policies applied to users to help maintain security in the network:

  • Clean-desk policies: These policies are designed to prevent users from leaving sensitive documents on unattended desks.
  • Network access (who, what, and how): These policies control which users can access which portions of the network. They should be designed around job responsibilities.
  • Acceptable-use policies (AUP): These policies should be as comprehensive as possible and should outline every action that is allowed in addition to those that are not allowed. They should also specify which devices are allowed, which websites are allowed, and the proper use of company equipment.
  • Consent to monitoring: These policies are designed to constantly remind users that their activities are subject to monitoring as they are using company equipment and as such they should have no expectation of privacy.
  • Privileged user agreement: Whenever a user is given some right normally possessed by the administrator, they thus possess a privileged user account. In this agreement, they agree to use these rights responsibly.
  • Password policy: This policy defines the requirements for all passwords, including length, complexity, and age.
  • Licensing restrictions: These restrictions define the procedures used to ensure that all software license agreements are not violated.
  • International export controls: In accordance with all agreements between countries in which the organization does business, all allowable export destinations and import sources are defined.
  • Data loss prevention: This policy defines all procedures for preventing the egress of sensitive data from the network and may include references to the use of Data Loss Prevention (DLP) software.
  • Remote access policies: These policies define the requirements for all remote access connections to the enterprise. This may cover VPN, dial-up and wireless access methods.
  • Incident response policies: These policies define a scripted and repeatable process for responding to incidents and responsibilities of various roles in the network in this process.
  • Nondisclosure agreement (NDA): All scenarios in which contractors and other third parties must execute a nondisclosure agreement are defined.
  • System life cycle: The steps in the asset life cycle are defined, including acquisition, implementation, maintenance, and decommissioning. It specifies certain due diligence activities to be performed in each phase.
  • Asset disposal: This is usually a subset of the system life cycle and prescribes methods of ensuring that sensitive data is removed from devices before disposal.

Change Management These policies ensure a consistent approach to managing changes to network configurations:

  • Disposal of network equipment
  • Use of recording equipment
  • How passwords are managed (length and complexity required, and how often they need to be changed)
  • Types of security hardware in place
  • How often to do backups and take other fault-tolerant measures
  • What to do with user accounts after an employee leaves the company

Procedures

These are the actions to be taken in specific situations:

  • Disciplinary action to be taken if a policy is broken
  • What to do during an audit
  • How issues are reported to management
  • What to do when someone has locked themselves out of their account
  • How to properly install or remove software on servers
  • What to do if files on the servers suddenly appear to be “missing” or altered
  • How to respond when a network computer has a virus
  • Actions to take if it appears that a hacker has broken into the network
  • Actions to take if there is a physical emergency like a fire or flood

So you get the idea, right? For every policy on your network, there should be a credible related procedure that clearly dictates the steps to take in order to fulfill it. And you know that policies and procedures are as unique as the wide array of companies and organizations that create and employ them. But all this doesn’t mean you can’t borrow good ideas and plans from others and tweak them a bit to meet your requirements.

An example of a network access policy is a time-of-day restriction on logging into the network.

Standard Business Documents

In the course of supporting mergers and acquisitions, and in providing support to departments within the organization, it’s always important to keep the details of agreements in writing to reduce the risk of misunderstandings. In this section, I’ll discuss standard documents that are used in these situations. You should be familiar with the purpose of the following documents:

Statement of Work (SOW) This document spells out all details concerning what work is to be performed, the deliverables, and the timeline a vendor must meet in performing the specified work.

Memorandum of Understanding (MOU) This is an agreement between two or more organizations that details a common line of action. It is often used in cases where parties do not have a legal commitment or in situations where the parties cannot create a legally enforceable agreement. In some cases, it is referred to as a letter of intent.

Master License Agreement (MLA) This is an agreement whereby one party is agreeing to pay another party for the use of a piece of software for a period of time. These agreements, as you would expect, are pretty common in the IT world.

Service-Level Agreement (SLA) This is an agreement that defines the allowable time in which a party must respond to issues on behalf of the other party. Most service contracts are accompanied by an SLA, which often includes security priorities, responsibilities, guarantees, and warranties.

Regulations

In contrast, regulations are rules imposed on your organization by an outside agency, like a certifying board or a government entity, and they’re usually totally rigid and immutable. The list of possible regulations that your company could be subjected to is so exhaustively long, there’s no way I can include them all in this book. Different regulations exist for different types of organizations, depending on whether they’re corporate, nonprofit, scientific, educational, legal, governmental, and so on, and they also vary by where the organization is located.

For instance, US governmental regulations vary by county and state, federal regulations are piled on top of those, and many other countries have multiple regulatory bodies as well. The Sarbanes-Oxley Act of 2002 (SOX) is an example of a regulation system imposed on all publicly traded companies in the United States. Its main goal was to ensure corporate responsibility and sound accounting practices, and although that may not sound like it would have much of an effect on your IT department, it does, because a lot of the provisions in this act target the retention and protection of data. Believe me, something as innocent sounding as deleting old emails could get you in trouble—if any of them could’ve remotely had a material impact on the company’s financial disclosures, deleting them could actually be breaking the law. All good to know, so be aware, and be careful!

I’m not going to give you a laundry list of regulations to memorize here, but I will tell you that IT regulations center around something known as the CIA triad:

  • Confidentiality: Only authorized users have access to the data.
  • Integrity: The data is accurate and complete.
  • Availability: Authorized users have access to the data when access is needed.

One of the most commonly applied regulations is the ISO/IEC 27002 standard for information security, previously known as ISO 17799, renamed in 2007 and updated in 2013. It was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and it is based on British Standard (BS) 7799-1:1999.

The official title of ISO/IEC 27002 is Information technology - Security techniques - Code of practice for information security controls. Although it’s beyond our scope to get into the details of this standard, know that the following items are among the topics it covers:

  • Risk assessment
  • Security policy
  • Organization of information security
  • Asset management
  • Human-resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development, and maintenance
  • Information security incident management
  • Business-continuity management
  • Compliance

So, what do you take with you from this? Your mission is clear. Know the regulations your company is expected to comply with, and make sure your IT policies and procedures are totally in line with any regulations so it’s easy for you to comply with them. No sense getting hauled off to jail because you didn’t archive an email, right?

Safety Practices

In the course of doing business, it’s the responsibility of the company to protect the safety of its workers, customers, vendors, and business partners. In the following sections, some of the issues that affect safety are considered, along with best practices and guidelines for preventing injuries and damage to equipment.

Electrical Safety

IT personnel spend a great deal of time dealing with electrical devices. Therefore, electrical safety should be stressed in all procedures. In this section, we’ll look at key issues involved with electrical safety, relevant to preventing injuries and for preventing damage to computer equipment.

Grounding Grounding is the electrical term for providing a path for an electrical charge to follow to return to earth. To prevent injury to yourself when you are working with equipment, you should ensure that you are grounded. To avoid damaging the equipment with which you are working, it should also be grounded.

You can provide grounding to yourself or the equipment with either a grounding strap or a grounding mat. Either of these should be plugged into the ground of an electrical outlet. The way in which these devices are connected to ground is pictured in Figure 20.8.

Figure 20.8 Grounding methods

Image shows grounding methods wherein building floor consists of ESD-protective floor or mat, ESD-protective table mat, and ESD-protective foam. Personnel wrist strap is grounded.

ESD Electrostatic discharge (ESD) is the technical term for what happens whenever two objects of dissimilar charge come in contact. ESD can be generated easily by walking across a carpeted floor. While the amount of ESD generated doing that may shock you if you touch a doorknob, it’s really not enough to harm you. However, even that small amount is enough to seriously damage sensitive parts of computers.

This is exactly why we ground both ourselves and the equipment—to prevent ESD damage. Always use mats and straps to prevent damage when working with computing equipment.

Static When ESD is created, it’s a form of static energy. Extremely dry conditions in the area where computers are utilized make the problem of static electricity worse. This is why the humidity of the area must be controlled so that it’s not too humid, which causes corrosion of electrical connections, and not too dry, which causes static buildup and potential for damage.

Installation Safety

While protecting yourself from electrical injury is very important, it’s not the only safety issue you’ve got to take into consideration. Other types of injuries can also occur, ranging from a simple pulled muscle to a more serious incident requiring a trip to the hospital. The following issues related to installing equipment should also be taken into consideration.

Lifting Equipment Oftentimes when a piece of equipment is being installed, the time pressures involved and the rush to “get ’er done” can lead to improper lifting. Always keep in mind these safe lifting techniques:

  • Be careful to not twist when lifting. Keep the weight at the center of your body.
  • Keep objects as close to your body as possible and at waist level.
  • Lift with your legs, not your back. When you have to pick up something, bend at the knees, not at the waist. You want to maintain the natural curve of the back and spine when lifting.
  • Whenever possible, push instead of pull.

Rack Installation Even for a small business, it’s bad business to operate computing equipment in a poor environment such as on a shelf. There is a reason so many devices come “rack ready.” Racks not only make for a neat and clean server room or closet, but when combined with proper cable management and environmental control, they provide an environment that allows the devices to breathe and stay cool.

When installing racks, always follow the manufacturer’s directions and always use the correct tools! Countless screws have been ruined using the wrong tool.

Server racks are measured in terms of rack units, usually written as RU or simply U. One rack unit equals 1.75 inches (44.45 mm) in height, with compliant equipment measured in multiples of U. Network switches are generally 1U to 2U, servers can range from 1U to 4U, and blade servers can be anywhere from 5U to 10U or more.

I’ll cover the types of racks you’re likely to encounter in more detail later in this chapter.

Placement The most important issue when placing devices is to ensure proper cooling and protection from moisture. It’s a good idea to align the racks and install your equipment in hot and cold aisles. The goal of a hot aisle/cold aisle configuration is to conserve energy and lower cooling costs by managing air flow.

Hot aisle/cold aisle design involves lining up racks in alternating rows with cold air intakes facing one way and hot air exhausts facing the other. The rows composed of rack fronts are called cold aisles. Typically, cold aisles face air conditioner output ducts. The rows the heated exhausts pour into are called hot aisles and face air conditioner return ducts. Moreover, all of the racks and the equipment they hold should never be on the floor. There should be a raised floor to provide protection against water.

Figure 20.9 pictures a solid arrangement:

Figure 20.9 Hot and cold aisles

Image shows hot and cold aisles containing precision air conditioning unit, cable management, and perforated tiles.

Tool safety It’s worth mentioning again that the first step on safely using tools is to make sure you’re properly grounded. Besides practicing tool safety for your own welfare, you should do so to protect the equipment. Here are some specific guidelines to follow:

  • Avoid using pencils inside a computer. They can become a conductor and cause damage.
  • Be sure that the tools you are using have not been magnetized. Magnetic fields can be harmful to data stored on magnetic media.
  • When using compressed air to clean inside the computer, blow the air around the components with a minimum distance of 4 inches (10 centimeters) from the nozzle.
  • Clean the contacts on components with isopropyl alcohol. Do not use rubbing alcohol.
  • Never use a standard vacuum cleaner inside a computer case. The plastic parts of the vacuum cleaner can build up static electricity and discharge to the components. Use only vacuums that are approved for electronic components.

MSDS In the course of installing, servicing, and repairing equipment, you’ll come in contact with many different types of materials. Some are safer than others. You can get all the information you need regarding the safe handling of materials by reviewing the Material Safety Data Sheet (MSDS).

Any type of chemical, equipment, or supply that has the potential to harm the environment or people has to have an MSDS associated with it. These are traditionally created by the manufacturer and describe the boiling point, melting point, flash point, and potential health risks. You can obtain them from the manufacturer or from the Environmental Protection Agency.

Emergency Procedures

Every organization should be prepared for emergencies of all types. If possible, this planning should start with the design of the facility and its layout. In this section, I’ll go over some of the components of a well-planned emergency system along with some guidelines for maintaining safety on a day-to-day basis.

Building Layout Planning for emergencies can start with the layout of the facility. Here are some key considerations:

  • All walls should have a two-hour minimum fire rating.
  • Doors must resist forcible entry.
  • The location and type of fire suppression systems should be known.
  • Flooring in server rooms and wiring closets should be raised to help mitigate flooding damage.
  • Separate AC units must be dedicated to the information processing facilities.
  • Backup and alternate power sources should exist.

Fire Escape Plan You should develop a plan that identifies the escape route in the event of a fire. You should create a facility map showing the escape route for each section of the building, keeping in mind that it’s better to use multiple exits to move people out quickly. These diagrams should be placed in all areas.

Safety/Emergency Exits All escape routes on the map should have the following characteristics:

  • Clearly marked and well lit
  • Wide enough to accommodate the expected number of people
  • Clear of obstructions

Fail Open/Fail Close Door systems that have electronic locks may lose power during a fire. When they do, they may lock automatically (fail close) or unlock automatically (fail open). While a fail close setting may enhance security during an electrical outage, you should consider the effect it will have during an evacuation and take steps to ensure that everyone can get out of the building when the time comes.

Emergency Alert System All facilities should be equipped with a system to alert all employees when a fire or any other type of emergency occurs. It might be advisable to connect the facility to the Emergency Alert System (EAS), which is a national warning system in the United States. One of the functions of this system is to alert the public of local weather emergencies such as tornadoes and flash floods. EAS messages are transmitted via AM and FM radio, broadcast television, cable television, and the Land Mobile Radio Service as well as VHF, UHF, and FiOS (wireline video providers).

Fire-Suppression Systems While fire extinguishers are important and should be placed throughout a facility, when large numbers of computing devices are present, it is worth the money to protect them with a fire-suppression system. The following types of systems exist:

  • Wet pipe systems use water contained in pipes to extinguish the fire.
  • Dry pipe systems hold the water in a holding tank instead of in the pipes.
  • Preaction systems operate like a dry pipe system except that the sprinkler head holds a thermal-fusible link that must melt before the water is released.
  • Deluge systems allow large amounts of water to be released into the room, which obviously makes this not a good choice where computing equipment will be located.
  • Today, most companies use a fire-suppressant like Halon, which is known as a “Clean Agent, an electrically non-conducting, volatile, or gaseous fire extinguisher that does not leave a residue upon evaporation.” Because it leaves no residue, it does not render expensive networking equipment inoperative the way water released in a data center can. It’s remarkably safe for human exposure, meaning that it won’t poison living things, and it will allow you to leave the area safely, returning only after the fire department gives the all-clear.

HVAC

The heating and air-conditioning systems must support the massive amounts of computing equipment deployed by most enterprises. Computing equipment and infrastructure devices like routers and switches do not like the following conditions:

  • Heat. Excessive heat causes reboots and crashes.
  • High humidity. It causes corrosion problems with connections.
  • Low humidity. Dry conditions encourage static electricity, which can damage equipment.

Here are some important facts to know about temperature:

  • At 100 degrees Fahrenheit, damage starts occurring to magnetic media. In fact, floppy disks are the most susceptible.
  • At 175 degrees Fahrenheit, damage starts occurring to computers and peripherals.
  • At 350 degrees Fahrenheit, damage starts occurring to paper products.

Implementing Network Segmentation

Maintaining security in the network can be made easier by segmenting the network and controlling access from one segment to another. Segmentation can be done at several layers of the OSI model. The most extreme segmentation would be at Layer 1 if the networks are actually physically separated from one another. In other cases, it may be sufficient to segment a network at Layer 2 or Layer 3. Coming up next, we’ll look at some systems that require segmentation from other networks at one layer or another.

SCADA Systems/Industrial Control Systems

Industrial control system (ICS) is a general term that encompasses several types of control systems used in industrial production. The most widespread is Supervisory Control and Data Acquisition (SCADA). SCADA is a system operating with coded signals over communication channels to provide control of remote equipment. It includes the following components:

  • Sensors, which typically have digital or analog I/O; these raw signals are not in a form that can easily be communicated over long distances
  • Remote terminal units (RTUs), which connect to the sensors and convert sensor data to digital data (includes telemetry hardware)
  • Programmable logic controllers (PLCs), which connect to the sensors and convert sensor data to digital data (does not include telemetry hardware)
  • Telemetry systems, which connect RTUs and PLCs to control centers and the enterprise
  • Human interface, which presents data to the operator
  • ICS server, also called a data acquisition server, which uses coded signals over communication channels to acquire information about the status of the remote equipment for display or for recording functions

The distributed control system (DCS) network should be a closed network, meaning it should be securely segregated from other networks. The Stuxnet virus hit SCADA systems used for the control and monitoring of industrial processes.

Medianets

Medianets are networks primarily devoted to VoIP and video data that often require segmentation from the rest of the network at some layer. We implement segmentation for two reasons: first, to ensure the security of the data, and second, to ensure that the network delivers the high performance and low latency required by these applications. One such high-demand application is video teleconferencing (VTC), which I’ll cover next.

Video Teleconferencing (VTC)

IP video has ushered in a new age of remote collaboration. This has saved a great deal of money on travel expenses and enabled more efficient use of time. When you’re implementing IP video systems, consider and plan for the following issues:

  • Expect a large increase in the need for bandwidth.
  • QoS will need to be configured to ensure performance.
  • Storage will need to be provisioned for the camera recordings.
  • Initial cost may be high.

There are two types of VTC systems. Let’s look at both:

ISDN The first VTC systems were ISDN based. These systems were based on a standard called H.320. While the bandwidth in each ISDN line is quite low by today’s standard (128 Kbps per line), multiple lines could be combined or bonded.

IP/SIP VTC systems based on IP use a standard called H.323. Since these work on a packet-switched network, you don’t need a direct ISDN link between the sites. Session Initiation Protocol can also be used, and it operates over IP but lacks many of the structured call control functions that H.323 provides.

Legacy Systems

Legacy systems are those that are older and incompatible with more modern systems and equipment. They may also be less secure and no longer supported by the vendor. In some cases, these legacy systems, especially industrial control systems, use proprietary protocols that prevent them from communicating on the IP-based network. It’s a good idea to segment these systems to protect them from security issues they aren’t equipped to handle, or even just to allow them to function correctly.

Separate Private/Public Networks

Public IP addressing isn’t typically used inside a modern network. Instead, private IP addresses are used, and Network Address Translation services are employed to convert traffic to a public IP address when the traffic enters the Internet. While this is one of the strategies used to conserve the public IP address space, it also serves to segment the private network from the public network (Internet). Hiding the actual (private) IP address of the hosts inside the network makes it very difficult to make an unsolicited connection from the outside to a system on the inside of the network.

Honeypot/Honeynet

Another segmentation tactic is to create honeypots and honeynets. Honeypots are systems strategically configured to be attractive to hackers and to lure them into spending enough time attacking them while information is gathered about the attack. In some cases, entire networks called honeynets are attractively configured for this purpose.

You need to make sure that neither of these types of systems provides a direct connection to any important systems. Their ultimate purpose is to divert attention from valuable resources and to gather as much information about an attack as possible. A tarpit is a type of honeypot designed to provide a very slow connection to the hacker so that the attack takes enough time to be properly analyzed.

Testing Lab

Testing labs are used for many purposes. Sometimes they’re created as an environment for developers to test applications. They may also be used to test operating system patches and antivirus updates. These environments may even be virtual environments. Virtualization works well for testing labs because it makes it easier to ensure that the virtual networks have no physical connection to the rest of the network, providing necessary segmentation.

Security

One of the biggest reasons for implementing segmentation is for security purposes. At Layer 1, this means complete physical separation. However, if you don’t want to go with complete segmentation, you can also segment at Layer 2 on switches by implementing VLANs and port security. This can prevent connections between systems that are connected to the same switch. They can also be used to organize users into common networks regardless of their physical location.

If segmentation at Layer 3 is required, it’s achieved using access control lists on routers to control access from one subnet to another or from one VLAN to another. Firewalls can implement these types of access lists as well.
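As an added illustration of the Layer 3 approach described above (this is example code written for this section, not a configuration from the book or from any router vendor), the following Python models a router access list as an ordered, first-match rule set that ends in the implicit deny real router ACLs have. Everything in it is constructed: 10.20.0.0/24 stands in for a segmented cardholder-data VLAN, 10.10.0.0/24 for the office VLAN, 10.10.0.5 for an administrative jump host, and 10.10.0.50 for a syslog collector. It shows the weak setting (a flat permit-everything list) beside the corrected one, and why rule order matters.

```python
"""Model of first-match router ACLs used to segment one subnet from another.

Example code for this section; the addresses, hosts and rules below are
constructed for illustration and do not come from any real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


def in_prefix(ip: str, prefix: str) -> bool:
    """True if ip falls inside prefix; the keyword 'any' matches every address."""
    if prefix == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: str                       # source prefix in CIDR form, or "any"
    dst: str                       # destination prefix in CIDR form, or "any"
    proto: str = "any"             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None    # destination port; None matches every port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: Optional[int]) -> bool:
        return (in_prefix(src_ip, self.src)
                and in_prefix(dst_ip, self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def evaluate(acl: Iterable[Rule], src_ip: str, dst_ip: str,
             proto: str, dport: Optional[int] = None) -> str:
    """Walk the list top-down and return the first matching action.

    Like a router ACL, a packet that matches no rule is dropped: the implicit
    deny at the end is what turns the list into a segmentation control.
    """
    for rule in acl:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


# Constructed addressing (hypothetical): 10.20.0.0/24 is the segmented card-data
# VLAN, 10.10.0.0/24 the office VLAN, 10.10.0.5 a jump host, 10.10.0.50 a syslog collector.
CARD_NET = "10.20.0.0/24"
OFFICE_NET = "10.10.0.0/24"
JUMP_HOST = "10.10.0.5/32"
SYSLOG_COLLECTOR = "10.10.0.50/32"

# Weak setting: a flat list that permits everything provides no segmentation at all.
FLAT_ACL = [Rule("permit", "any", "any")]

# Corrected setting, applied inbound on the office VLAN interface: only the jump
# host may open SSH into the card segment; the office keeps access to everything
# else. The deny must sit above the broad permit, or it never takes effect.
OFFICE_TO_CARD_ACL = [
    Rule("permit", JUMP_HOST, CARD_NET, "tcp", 22),
    Rule("deny", "any", CARD_NET),
    Rule("permit", OFFICE_NET, "any"),
]

# Applied inbound on the card VLAN interface: the card segment may only send
# syslog to the collector; the implicit deny blocks every other connection it starts.
CARD_TO_OFFICE_ACL = [
    Rule("permit", CARD_NET, SYSLOG_COLLECTOR, "udp", 514),
]


if __name__ == "__main__":
    checks = [
        (OFFICE_TO_CARD_ACL, "10.10.0.5", "10.20.0.10", "tcp", 22),
        (OFFICE_TO_CARD_ACL, "10.10.0.77", "10.20.0.10", "tcp", 22),
        (OFFICE_TO_CARD_ACL, "10.10.0.77", "10.30.0.9", "tcp", 443),
        (CARD_TO_OFFICE_ACL, "10.20.0.10", "10.10.0.77", "tcp", 445),
        (FLAT_ACL, "10.10.0.77", "10.20.0.10", "tcp", 445),
    ]
    for acl, src, dst, proto, port in checks:
        print(f"{src} -> {dst} {proto}/{port}: {evaluate(acl, src, dst, proto, port)}")
```

The same model applies to a firewall rule base: the lesson is that a segmentation ACL is read top-down, so a narrow permit followed by a deny for the whole segment must come before any broad permit, and anything not explicitly permitted falls through to the implicit deny.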

Compliance

Finally, network segmentation may be required to comply with an industry regulation. For example, while it’s not strictly required, the Payment Card Industry Data Security Standard (PCI DSS) strongly recommends that the credit card network should be segmented from the regular network. If you choose not to do this, your entire network must be compliant with all sections of the standard.

Network Optimization

Regardless of how well a network is functioning, you should never stop trying to optimize its performance. This is especially true when latency-sensitive applications such as VoIP, streaming video, and web conferencing are implemented. In the next several sections, I’ll discuss some techniques you can use to ensure that these applications and services deliver on their promise of increased functionality.

Reasons to Optimize Your Network’s Performance

So why do we have networks, anyway? I don’t mean this in a historical sense; I mean pragmatically. The reason they’ve become such precious resources is that as our world has become smaller and more connected, we need a way to keep in touch like never before. Networks make accessing resources easy for people who can’t be in the same location as the resources they need—including other people.

In essence, networks of all types are really complex tools we use to facilitate communication from afar and to allow lots of us to access the resources we need to keep up with the demands imposed on us in today’s lightning-paced world. And use them we do—a lot! And when we have many, many people trying to access one resource like a valuable file server or a shared database, our systems can get as bogged down and clogged as a freeway at rush hour. Just as road rage can result from driving on one of those not-so-expressways, frustrated people can direct some serious hostility at you if the same thing happens when they’re trying to get somewhere using a network that’s crawling along at snail speed.

This is why optimizing performance is in everyone’s best interest—it keeps you and your network’s users happily humming along. Optimization includes things like splitting up network segments, stopping unnecessary services on servers, offloading one server’s work onto another, and upgrading outmoded hardware devices to newer, faster models. I’ll get to exactly how to make all this happen coming up soon, but first, I’m going to talk about the theories behind performance optimization and even more about the reasons for making sure performance is at its best.

In a perfect world, there would be unlimited bandwidth, but in reality, you’re more likely to find Bigfoot. So, it’s helpful to have some great strategies up your sleeve.

If you look at what computers are used for today, there’s a huge difference between the files we transfer now versus those transferred even three to five years ago. Now we do things like watch movies online without them stalling, and we can send huge email attachments. Video teleconferencing is almost more common than Starbucks locations. The point is that the files we transfer today are really large compared to what we sent back and forth just a few years ago. And although bandwidth has increased to allow us to do what we do, there are still limitations that cause network performance to suffer miserably. Let’s start with a few reasons why you need to carefully manage whatever amount of precious bandwidth you’ve got.

Latency Sensitivity

Most of us have clicked to open an application or clicked a web link only to have the computer just sit there staring back at us, helplessly hanging. That sort of lag comes when the resources needed to open the program or take us to the next page are not fully available. That kind of lag on a network is called latency—the time between when data is requested and the moment it actually gets delivered. The more latency, the longer the delay and the longer you have to stare blankly back at your computer screen, hoping something happens soon.

Latency affects some programs more than others. If you are sending an email, it may be annoying to have to wait a few seconds for the email server to respond, but that type of delay isn’t likely to cause physical harm to you or a loved one. Applications that are adversely affected by latency are said to have high latency sensitivity. A common example of this is online gaming. Although it may not mean actual life or death, playing certain online games with significant delays can mean the untimely demise of your character—and you won’t even know it. Worse, it can affect the entire experience for those playing with you, which can get you booted from some game servers. On a much more serious level, applications like remote surgery also have high latency sensitivity.

High-Bandwidth Applications

Many of the applications we now use over the network would have been totally unserviceable in the past because of the high amount of bandwidth they consume. And even though technology is constantly improving to give us more bandwidth, developers are in hot pursuit, developing new applications that gobble up that bandwidth as soon as it becomes—even in advance of it becoming—available. A couple of good examples of high-bandwidth applications are VoIP and video streaming:

VoIP Voice over Internet Protocol (VoIP) describes several technologies that work to deliver voice communications over the Internet or other data networks. In many cases, VoIP includes not only voice but video transmissions as well. VoIP allows us to send voice, video, and data all over the same connection to another location. Its most common application is video teleconferencing.

Many companies are investing in VoIP systems to reduce travel costs. Ponying up for pricey plane tickets, lodging, and rental cars adds up fast, so investing in a good VoIP system that allows the company to have virtual conferences with people in another state or country pays for itself in no time.

But sadly, VoIP installations can be stressed heavily by things like really low bandwidth, latency issues, packet loss, jitter, security flaws, and reliability concerns. And in some cases, routing VoIP through firewalls and routers using address translation can prove pretty problematic as well.

Video Applications Watching real-time video on the Internet today is great if you have a decent high-speed connection. You can watch the news, sports, movies, and pretty much anything else that you watch on television. Although viewing digital media online is so common that anyone born after the year 2000 won’t be able to remember a time when we had to watch videos on anything other than a computer, again, this requires lots of bandwidth. And excessive use can cause traffic problems even on the most robust networks!

Other Real-Time Services

While VoIP and video traffic certainly require the most attention with respect to performance and latency, other real-time services are probably in use in your network. We’re going to briefly look at presence, another example of real-time services you may not give a lot of thought to, and then I’ll compare the use of unicast and multicast in real-time services.

Presence Presence is a function provided by many collaboration solutions that indicates the availability of a user. It signals to other users whether a user is online, busy, in a meeting, and so forth. If enabled across multiple communication tools, such as IM, phone, email, and videoconferencing, it also can help determine the communication channel on which the user is currently active and therefore which channel provides the best possibility of an immediate response.

Multicast vs. Unicast Unicast transmissions represent a one-to-one conversation, that is, data sent from a single device to another single device. On the other hand, multicast is a technology that sends information from a single source to multiple recipients and is far superior to using unicast transmission when it comes to video streaming and conferencing.

While unicast transmission creates a data connection and stream for each recipient, multicast uses the same stream for all recipients. This single stream is replicated as needed by multicast routers and switches in the network. The stream is limited to branches of the network topology that actually have subscribers to the stream. This greatly reduces the use of bandwidth in the network.

Uptime

Uptime is the amount of time the system is up and accessible to your end users, so the more uptime you have the better. And depending on how critical the nature of your business is, you may need to provide four-nine or five-nine uptime on your network—that’s a lot. Why is this a lot? Because four-nine is written out as 99.99 percent, and five-nine, better still, as 99.999 percent! Now that is some serious uptime!

How to Optimize Performance

You now know that bandwidth is to networking as water is to life, and you’re one of the lucky few if your network actually has an excess of it. Cursed is the downtrodden administrator who can’t seem to find enough, and more fall into this category than the former. At times, your very sanity may hinge upon ensuring that your users have enough available bandwidth to get their jobs done on your network, and even if you’ve got a 1 Gbps connection, it doesn’t mean all your users have that much bandwidth at their fingertips. What it really means is that they get a piece of it, and they share the rest with other users and network processes. Because it’s your job to make sure as much of that 1 Gbps as possible is there to use when needed, I’m going to discuss some really cool ways to make that happen for you.

Quality of Service

Quality of Service (QoS) refers to the way the resources are controlled so that the quality of services is maintained. It’s basically the ability to provide a different priority to one or more types of traffic over other levels for different applications, data flows, or users so that they can be guaranteed a certain performance level.

QoS methods focus on one of five problems that can affect data as it traverses network cable:

Delay Data can run into congested lines or take a less-than-ideal route to the destination, and delays like these can make some applications, such as VoIP, fail. This is the best reason to implement QoS when real-time applications are in use in the network—to prioritize delay-sensitive traffic.

Dropped Packets Some routers will drop packets if they receive them while their buffers are full. If the receiving application is waiting for the packets but doesn’t get them, it will usually request that the packets be retransmitted—another common cause of a service(s) delay.

Error Packets can be corrupted in transit and arrive at the destination in an unacceptable format, again requiring retransmission and resulting in delays.

Jitter Not every packet takes the same route to the destination, so some will be more delayed than others if they travel through a slower or busier network connection. The variation in packet delay is called jitter, and this can have a nastily negative impact on programs that communicate in real time.

Out-of-Order Delivery Out-of-order delivery is also a result of packets taking different paths through the network to their destinations. The application at the receiving end needs to put them back together in the right order for the message to be completed, so if there are significant delays or the packets are reassembled out of order, users will probably notice degradation of an application’s quality.

QoS can ensure that applications with a required bit rate receive the necessary bandwidth to work properly. Clearly, on networks with excess bandwidth, this is not a factor, but the more limited your bandwidth is, the more important a concept like this becomes.

DSCP

One of the methods that can be used for classifying and managing network traffic and providing Quality of Service (QoS) on modern IP networks is Differentiated Services Code Point (DSCP), or DiffServ. DiffServ uses a 6-bit differentiated services code point (DSCP) in the 8-bit Differentiated Services field (DS field) in the IP header for packet classification. This allows for the creation of traffic classes that can be used to assign priorities to various traffic classes.

In theory, a network could have up to 64 different traffic classes using different DSCPs, but most networks use the following traffic classifications:

  • Default, which is typically best-effort traffic
  • Expedited Forwarding (EF), which is dedicated to low-loss, low-latency traffic
  • Assured Forwarding (AF), which gives assurance of delivery under prescribed conditions
  • Class Selector, which maintains backward compatibility with the IP Precedence field (a field formerly used by the Type of Service, or TOS, function)

Class of Service (COS)

The second method of providing traffic classification, and thus the ability to treat the classes differently, is a 3-bit field called the Priority Code Point (PCP) within the Ethernet frame header when VLAN-tagged frames, as defined by IEEE 802.1Q, are used.

This method is defined in the IEEE 802.1p standard. It describes eight different classes of service as expressed through the 3-bit PCP field in an IEEE 802.1Q header added to the frame. These classes are shown in Table 20.2.

Table 20.2 Eight levels of QoS

Level Description
0 Best effort
1 Background
2 Standard (spare)
3 Excellent load (business-critical applications)
4 Controlled load (streaming media)
5 Voice and video (interactive voice and video, less than 100 ms latency and jitter)
6 Layer 3 Network Control Reserved Traffic (less than 10 ms latency and jitter)
7 Layer 2 Network Control Reserved Traffic (lowest latency and jitter)

QoS levels are established per call, per session, or in advance of the session by an agreement known as a service-level agreement (SLA).
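The two markings described in the DSCP and Class of Service sections above, decoded from raw packet bytes. This is an added example and not code from the book; the sample frames are constructed, and the DSCP-to-class mapping (EF = 46, AF and CS bit layouts) follows the DiffServ RFCs rather than anything stated on this page.

```python
"""Decode the two QoS markings discussed above: the 6-bit DSCP in the IPv4 DS
field and the 3-bit PCP in an IEEE 802.1Q VLAN tag. Added example, not code
from the book; the sample frames are constructed."""
import struct
from typing import Dict, Optional

# Table 20.2: IEEE 802.1p PCP value -> class of service (short names)
PCP_CLASSES = {
    0: "Best effort",
    1: "Background",
    2: "Standard (spare)",
    3: "Excellent load",
    4: "Controlled load",
    5: "Voice and video",
    6: "Layer 3 network control",
    7: "Layer 2 network control",
}

def dscp_class(dscp: int) -> str:
    """Name the DiffServ class a 6-bit DSCP belongs to (Default, EF, AFxy, CSx)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must fit in 6 bits")
    if dscp == 0:
        return "Default (best effort)"
    if dscp == 46:                        # EF is 101110b = 46
        return "EF"
    hi, lo = dscp >> 3, dscp & 0b111      # upper 3 bits / lower 3 bits
    if lo == 0:                           # Class Selector: lower 3 bits all zero,
        return f"CS{hi}"                  # so it lines up with IP Precedence
    if 1 <= hi <= 4 and lo in (2, 4, 6):  # AF classes 1-4, drop precedence 1-3
        return f"AF{hi}{lo // 2}"
    return f"unassigned ({dscp})"

def parse_ds_field(ipv4_header: bytes) -> Dict[str, int]:
    """Split the DS byte (second byte of the IPv4 header) into DSCP and ECN."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ds = ipv4_header[1]
    return {"dscp": ds >> 2, "ecn": ds & 0b11}

def parse_vlan_tag(frame: bytes) -> Optional[Dict[str, int]]:
    """Return PCP/DEI/VID from an 802.1Q tag, or None if the frame is untagged."""
    if frame[12:14] != b"\x81\x00":       # TPID 0x8100 announces an 802.1Q tag
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}

def classify(frame: bytes) -> Dict[str, object]:
    """Report the Layer 2 (CoS) and Layer 3 (DSCP) markings carried by a frame."""
    tag = parse_vlan_tag(frame)
    ip_offset = 18 if tag is not None else 14   # the tag pushes the EtherType by 4 bytes
    if frame[ip_offset - 2:ip_offset] != b"\x08\x00":
        raise ValueError("only IPv4 payloads are decoded here")
    ds = parse_ds_field(frame[ip_offset:ip_offset + 20])
    return {
        "pcp": tag["pcp"] if tag is not None else None,
        "cos": PCP_CLASSES[tag["pcp"]] if tag is not None else None,
        "dscp": ds["dscp"],
        "dscp_class": dscp_class(ds["dscp"]),
    }

def build_frame(dscp: int, pcp: Optional[int] = None, vid: int = 100) -> bytes:
    """Constructed Ethernet/IPv4 frame carrying the given markings (sample data only)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst, src MAC
    if pcp is not None:
        eth += b"\x81\x00" + struct.pack("!H", (pcp << 13) | vid)      # 802.1Q tag
    ipv4 = bytes([0x45, dscp << 2]) + bytes(18)   # version/IHL, DS byte, rest zeroed
    return eth + b"\x08\x00" + ipv4

if __name__ == "__main__":
    print(classify(build_frame(dscp=46, pcp=5)))  # voice: EF at Layer 3, CoS 5 at Layer 2
    print(classify(build_frame(dscp=0)))          # untagged best-effort data
```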

Unified Communications

Increasingly, workers and the organizations for which they work are relying on new methods of communicating and working together. Unified communications (UC) is the integration of real-time communication services such as instant messaging with non-real-time communication services such as unified messaging (integrated voicemail, email, SMS, and fax). UC allows an individual to send a message on one medium and receive the same communication on another medium.

UC systems are made of several components that make sending a message on one medium and receiving the same communication on another medium possible. The following may be part of a UC system:

UC Servers The UC server is the heart of the system. It provides call control mobility services and administrative functions. It may be a stand-alone device or in some cases a module that is added to a router.

UC Devices UC devices are the endpoints that may participate in unified communications. This includes computers, laptops, tablets, and smartphones.

UC Gateways UC gateways are used to tie together geographically dispersed locations that may want to make use of UC facilities. They are used to connect the IP-based network with the Public Switched Telephone Network (PSTN).

Traffic Shaping

Traffic shaping, or packet shaping, is another form of bandwidth optimization. It works by delaying packets that meet a certain criteria to guarantee usable bandwidth for other applications. Traffic shaping is basically traffic triage—you’re really just delaying attention to some traffic so other traffic gets A-listed through. Traffic shaping uses bandwidth throttling to ensure that certain data streams don’t send too much data in a specified period of time as well as rate limiting to control the rate at which traffic is sent.

Most often, traffic shaping is applied to devices at the edge of the network to control the traffic entering the network, but it can also be deployed on devices within an internal network. The devices that control it have what’s called a traffic contract that determines which packets are allowed on the network and when. You can think of this kind of like the stoplights on busy freeway on-ramps, where only so much traffic is allowed onto the road at one time, based on predefined rules. Even so, some traffic (like carpools and emergency vehicles) is allowed on the road immediately. Delayed packets are stored in the managing device’s first-in, first-out (FIFO) buffer until they’re allowed to proceed per the conditions in the contract. If you’re the first car at the light, this could happen immediately. If not, you get to go after waiting briefly until the traffic in front of you is released.
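A simulation of the traffic contract just described, added here as an example and not taken from the book: a token bucket (rate plus allowed burst) with a FIFO buffer, showing which packets are sent at once, which are held and for how long, and which are dropped when the buffer is full. The rate, burst size and packet sizes are constructed values.

```python
"""Simulate a traffic shaper: a traffic contract (rate and burst) enforced by a
token bucket, with non-conforming packets held in a FIFO buffer until enough
tokens accumulate. Added example; all numbers below are constructed."""
from collections import deque
from typing import List, Optional, Tuple

Packet = Tuple[float, int]          # (arrival time in seconds, size in bytes)
Result = Optional[Tuple[float, float]]   # (send time, delay) or None if dropped

def shape(packets: List[Packet], rate_bps: float, burst_bytes: int,
          buffer_bytes: int) -> List[Result]:
    """Apply the contract to a time-ordered list of packets.

    Tokens (bytes) refill at rate_bps/8 per second up to burst_bytes. A packet
    that finds enough tokens is sent immediately; otherwise it waits in FIFO
    order and is released the moment the bucket has refilled enough. A packet
    that would overflow buffer_bytes (or could never fit the burst) is dropped.
    """
    rate = rate_bps / 8.0
    tokens = float(burst_bytes)
    clock = 0.0                     # time the bucket state refers to
    backlog = deque()               # (send_time, size) of packets still waiting
    results: List[Result] = []
    for arrival, size in packets:
        if arrival > clock:         # bucket refills while the shaper was idle
            tokens = min(burst_bytes, tokens + (arrival - clock) * rate)
            clock = arrival
        while backlog and backlog[0][0] <= arrival:   # already released by now
            backlog.popleft()
        queued = sum(s for _, s in backlog)
        if size > burst_bytes or queued + size > buffer_bytes:
            results.append(None)    # never conforms, or buffer full: drop
            continue
        if tokens >= size:
            send = clock            # conforming: goes straight through
        else:                       # wait until enough tokens have accumulated
            send = clock + (size - tokens) / rate
            tokens = float(size)
            clock = send            # FIFO: nothing behind it can leave earlier
        tokens -= size
        backlog.append((send, size))
        results.append((send, send - arrival))
    return results

# Constructed burst: five 1000-byte packets at t=0 and one 500-byte packet at t=5,
# shaped to 8 kbps (1000 bytes/s) with a 1500-byte burst and a 3000-byte buffer.
SAMPLE_PACKETS: List[Packet] = [(0.0, 1000)] * 5 + [(5.0, 500)]

def sample_run() -> List[Result]:
    return shape(SAMPLE_PACKETS, rate_bps=8000, burst_bytes=1500, buffer_bytes=3000)

if __name__ == "__main__":
    for pkt, res in zip(SAMPLE_PACKETS, sample_run()):
        print(pkt, "->", "dropped" if res is None else f"sent at {res[0]}s after {res[1]}s")
```

In the constructed run the first packet fits the burst and leaves at once, the next three are spaced one second apart by the 1000 bytes/s contract, the fifth finds the buffer full and is dropped, and the late packet finds a refilled bucket and is not delayed at all.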

Load Balancing

Load balancing refers to a technique used to spread work out to multiple computers, network links, or other devices.

Using load balancing, you can provide an active/passive server cluster in which only one server is active and handling requests. For example, your favorite Internet site might actually consist of 20 servers that all appear to be the same exact site because that site’s owner wants to ensure that its users always experience quick access. You can accomplish this on a network by installing multiple, redundant links to ensure that network traffic is spread across several paths and to maximize the bandwidth on each link.

Think of this as like having two or more different freeways that will both get you to your destination equally well—if one is really busy, just take the other one.

High Availability

High availability is a system-design protocol that guarantees a certain amount of operational uptime during a given period. The design attempts to minimize unplanned downtime—the time users are unable to access resources. In almost all cases, high availability is provided through the implementation of duplicate equipment (multiple servers, multiple NICs, etc.). Organizations that serve critical functions obviously need this; after all, you really don’t want to blaze your way to a hospital ER only to find that they can’t treat you because their network is down!

There’s a difference between planned downtime and unplanned downtime. Planned downtime is good—it’s occasionally scheduled for system maintenance and routine upgrades. Unplanned downtime is bad: It’s a lack of access due to system failure, which is exactly the issue high availability resolves.

One of the highest standards in uptime is the ability to provide the five-nine availability I mentioned earlier. This actually means the network is accessible 99.999 percent of the time—way impressive! Think about this. In one non-leap year, there are 31,536,000 seconds. If you are available 99.999 percent of the time, it means you can be down only 0.001 percent of the time, or a total of 315.36 seconds, or 5 minutes and 15.36 seconds per year—wow!

There’s a difference between uptime and availability. Your servers may be up but not accessible if a cable gets cut or something, and that outage would definitely count against your availability time.

Caching Engines

A cache is a collection of data that duplicates key pieces of original data. Computers use caches all the time to temporarily store information for faster access, and processors have both internal and external caches available to them, which speeds up their response times.

A caching engine is basically a database on a server that stores information people need to access fast. The most popular implementation of this is with web servers and proxy servers, but caching engines are also used on internal networks to speed up access to things like database services.

Fault Tolerance

Fault tolerance means that even if one component fails, you won’t lose access to the resource it provides. To implement fault tolerance, you need to employ multiple devices or connections that all provide a way to access the same resource(s).

A familiar form of fault tolerance is configuring an additional hard drive to be a mirror image of another so that if either one fails, there’s still a copy of the data available to you. In networking, fault tolerance means that you have multiple paths from one point to another. What’s really cool is that fault-tolerant connections can be configured to be available either on a standby basis only or all the time if you intend to use them as part of a load-balancing system.

Archives/Backups

While providing redundancy to hardware components is important, the data that resides on the components must also be archived in case a device where the data is stored has to be replaced. It could be a matter of replacing a hard drive on which the data cannot be saved and restoring the data from tape backup. Or suppose RAID has been enabled in a system; in that case, the loss of a single hard drive will not present an immediate loss of access to the data (although a replacement of the bad drive will be required to recover from another drive failure). RAID systems are covered in more detail in Chapter 15, “Physical Security and Risk.”

With regard to the data backups, they must be created on a schedule and tested regularly to ensure that a data restoration is successful. The three main data backup types are full backups, differential backups, and incremental backups. But to understand them, you must grasp the concept of archive bits. When a file is created or updated, the archive bit for the file is enabled. If the archive bit is cleared, the file will not be archived during the next backup. If the archive bit is enabled, the file will be archived during the next backup.

The end result is that each type of backup differs in the amount of time taken, the amount of data backed up, whether unchanged data is backed up repeatedly, and the number of tapes required to restore the data. Keep these key facts in mind:

  • If you use a full backup once a week and differential backups the other days of the week, to restore you will only need the last full backup tape and the last differential tape. This is the fastest restore.
  • If you use a full backup once a week and incremental backups the other days of the week, to restore you will need the last full backup tape and all of the incremental tapes. This is the slowest restore.

A comparison of the three main backup types is shown in Figure 20.10.

Figure 20.10 Backup types

The figure is a table comparing full, incremental, and differential backups by data backed up, backup time, restore time, and storage space.
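The archive-bit behaviour and the restore rules from the preceding paragraphs, worked through in code. This is an added example and not from the book; the file names and the Sunday-to-Wednesday schedule are constructed.

```python
"""Model the archive bit and the three backup types described above, then work
out which tapes a restore needs. Added example, not code from the book; the
file names and the one-week schedule are constructed."""
from typing import Dict, List, Set, Tuple

Tape = Dict[str, object]   # {"kind": "full"|"differential"|"incremental", "files": {name: version}}

class FileSystem:
    """A toy volume: each file has a version number and an archive bit."""
    def __init__(self) -> None:
        self.files: Dict[str, int] = {}
        self.archive: Set[str] = set()      # names whose archive bit is set

    def write(self, name: str) -> None:
        """Creating or updating a file sets its archive bit."""
        self.files[name] = self.files.get(name, 0) + 1
        self.archive.add(name)

def backup(fs: FileSystem, kind: str, tapes: List[Tape]) -> int:
    """Run one backup and append the resulting tape; returns files copied.

    full:         copies every file and clears all archive bits
    differential: copies files with the bit set and leaves the bits alone
    incremental:  copies files with the bit set and clears them
    """
    if kind == "full":
        copied = set(fs.files)
    elif kind in ("differential", "incremental"):
        copied = set(fs.archive)
    else:
        raise ValueError(f"unknown backup type {kind!r}")
    if kind != "differential":
        fs.archive.clear()
    tapes.append({"kind": kind, "files": {n: fs.files[n] for n in copied}})
    return len(copied)

def tapes_needed(tapes: List[Tape]) -> List[int]:
    """Indices of the tapes a restore needs: the last full backup, every
    incremental after it, and only the last differential after it (each
    differential already holds everything since the last bit-clearing backup)."""
    last_full = max(i for i, t in enumerate(tapes) if t["kind"] == "full")
    later = range(last_full + 1, len(tapes))
    needed = [last_full] + [i for i in later if tapes[i]["kind"] == "incremental"]
    diffs = [i for i in later if tapes[i]["kind"] == "differential"]
    if diffs:
        needed.append(diffs[-1])
    return sorted(needed)

def restore(tapes: List[Tape]) -> Dict[str, int]:
    """Rebuild the latest file versions by applying the needed tapes in order."""
    state: Dict[str, int] = {}
    for i in tapes_needed(tapes):
        state.update(tapes[i]["files"])   # later tapes overwrite older versions
    return state

def run_week(kind: str) -> Tuple[FileSystem, List[Tape], List[int]]:
    """Constructed schedule: Sunday full backup, then `kind` backups Mon-Wed."""
    fs, tapes = FileSystem(), []
    for name in ("payroll.db", "policy.doc", "notes.txt", "logo.png"):
        fs.write(name)
    sizes = [backup(fs, "full", tapes)]
    # constructed daily change sets for Monday, Tuesday and Wednesday
    for changed in (["payroll.db", "policy.doc"], ["notes.txt"], ["payroll.db"]):
        for name in changed:
            fs.write(name)
        sizes.append(backup(fs, kind, tapes))
    return fs, tapes, sizes

if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        fs, tapes, sizes = run_week(kind)
        print(kind, "files per tape:", sizes, "restore needs tapes:", tapes_needed(tapes))
        assert restore(tapes) == fs.files
```

Running it shows the trade-off the text describes: the differential tapes grow each day but only two tapes are needed to restore, while the incremental tapes stay small but all four are needed.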

Common Address Redundancy Protocol

Common Address Redundancy Protocol (CARP) provides IP-based redundancy, allowing a group of hosts on the same network segment (referred to as a redundancy group) to share an IP address. One host is designated the master and the rest are backups. The master host responds to any traffic or ARP requests directed toward it. Each host may belong to more than one redundancy group at a time.

One of its most common uses is to provide redundancy for devices such as firewalls or routers. The virtual IP address (this is another name for the shared group IP address) will be shared by a group of routers or firewalls.

The client machines use the virtual IP address as their default gateway. In the event that the master router suffers a failure or is taken offline, the IP will move to one of the backup routers and service will continue. Other protocols that use similar principles are Virtual Router Redundancy Protocol and the Hot Standby Router Protocol.
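A model of the redundancy groups just described, added here as an example and not from the book: hosts share a virtual IP, the most-preferred live host answers as master, and a client keeps the same default gateway across a failover. The addresses and the per-host preference values (CARP calls this the advertisement skew, lower wins) are constructed, and the model assumes preemption, that is, the best live host always takes over.

```python
"""Model CARP-style redundancy groups: several hosts share a virtual IP, the
live host with the lowest advertisement skew acts as master, and a host may
be a member of more than one group. Added example; addresses and skew values
are constructed, and preemption is assumed."""
from typing import Dict, Optional, Set

class RedundancyGroup:
    def __init__(self, vip: str, advskew: Dict[str, int]) -> None:
        """advskew maps each member host to its preference (lower wins)."""
        self.vip = vip
        self.advskew = dict(advskew)
        self.alive: Set[str] = set(advskew)

    def master(self) -> Optional[str]:
        """The live member with the lowest skew; ties broken by host name."""
        live = [h for h in self.advskew if h in self.alive]
        return min(live, key=lambda h: (self.advskew[h], h)) if live else None

class Segment:
    """One network segment: the redundancy groups configured on it."""
    def __init__(self) -> None:
        self.groups: Dict[str, RedundancyGroup] = {}   # vip -> group

    def add_group(self, vip: str, advskew: Dict[str, int]) -> None:
        self.groups[vip] = RedundancyGroup(vip, advskew)

    def fail(self, host: str) -> None:
        """Host goes offline: it stops advertising in every group it belongs to."""
        for g in self.groups.values():
            g.alive.discard(host)

    def recover(self, host: str) -> None:
        """Host comes back and, with preemption, reclaims any group it is best in."""
        for g in self.groups.values():
            if host in g.advskew:
                g.alive.add(host)

    def arp_reply(self, target_ip: str) -> Optional[str]:
        """Which physical host answers an ARP request for target_ip? (None: no master)"""
        group = self.groups.get(target_ip)
        return group.master() if group else None

def build_segment() -> Segment:
    """Constructed setup: two firewalls, two VIPs, each firewall preferred for one
    VIP so that both carry traffic until one of them fails."""
    seg = Segment()
    seg.add_group("192.0.2.1", {"fw-a": 0, "fw-b": 100})
    seg.add_group("192.0.2.2", {"fw-a": 100, "fw-b": 0})
    return seg

if __name__ == "__main__":
    seg = build_segment()
    client_gateway = "192.0.2.1"           # the client only ever knows the VIP
    print("gateway answered by", seg.arp_reply(client_gateway))
    seg.fail("fw-a")
    print("after fw-a fails, answered by", seg.arp_reply(client_gateway))
```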

Virtual Networking

Over the last few years, one of the most significant developments helping to increase the efficient use of computing resources—leading to an increase in network performance without an increase in spending on hardware—has been the widespread adoption of virtualization technology. You can’t read an industry publication without coming across the term cloud computing within 45 seconds!

The concept of virtualization is quite simple. Instead of dedicating a physical piece of hardware to every server, run multiple instances of the server operating system, each in its own “virtual environment” on the same physical piece of equipment. This saves power, maximizes the use of memory and CPU resources, and can even help to “hide” the physical location of each virtual server.

Virtual computing solutions come from a number of vendors. The following are some of the more popular currently:

  • VMware vSphere
  • Microsoft Hyper-V
  • Citrix XenServer

All of these solutions work on the same basic concept but each has its own unique features, and of course all claim to be the best solution. In the following sections, I will discuss the building blocks of virtualization rather than the specific implementation from any single vendor.

On Site vs. Off Site

Often you hear the terms public cloud and private cloud. Clouds can be thought of as virtual computing environments where virtual servers and desktops live and can be accessed by users. A public cloud is one in which this environment is provided to the enterprise by a third party for a fee. This is a good solution for a company that has neither the expertise nor the resources to manage its own cloud yet would like to take advantage of the benefits that cloud computing offers:

  • Increased performance
  • Increased fault tolerance
  • Constant availability
  • Access from anywhere

These types of clouds might be considered off site or public. On the other hand, for the organization that has the expertise and resources, a private or onsite solution might be better and might be more secure. This approach will enjoy the same benefits as a public cloud and may offer more precise control and more options to the organization.

Virtual Networking Components

The foundation of virtualization is the host device, which may be a workstation or a server. This device is the physical machine that contains the software that makes virtualization possible and the containers or virtual machines for the guest operating systems. The host provides the underlying hardware and computing resources, such as processing power, memory, and disk and network I/O to the VMs. Each guest is a separate and independent instance of an operating system and application software. From a high level, the relationship is shown in Figure 20.11.

Figure 20.11 Guests and hosts

The figure shows hosts and guests: physical servers, each running virtual machines, with every virtual machine holding its own OS and application.

Virtualization can be deployed in several different ways to deliver cost-effective solutions to different problems. Each of the following components can have its place in the solution:

Hypervisor The host is responsible for allocating compute resources to each of the VMs as specified by the configuration. The software that manages all of this is called the hypervisor. Based on parameters set by the administrator, the hypervisor may take various actions to maintain the performance of each guest as specified by the administrator. This may include the following actions:

  • Turning off a VM not in use
  • Taking CPU resources away from one VM and allocating them to another
  • Turning on additional VMs when required to provide fault tolerance

The exact nature of the relationship between the hypervisor, the host operating system, and the guest operating systems depends on the type of hypervisor in use. There are two types of hypervisors in use today. Let’s review both of these.

Type I A Type I hypervisor (or native, bare metal) runs directly on the host’s hardware to control the hardware and to manage guest operating systems. A guest operating system runs on another level above the hypervisor. Examples of these are VMware vSphere and Microsoft Hyper-V.

Type II A Type II hypervisor runs within a conventional operating system environment. With the hypervisor layer as a distinct second software level, guest operating systems run at the third level above the hardware. VMware Workstation and VirtualBox exemplify Type II hypervisors. A comparison of the two approaches is shown in Figure 20.12.

Figure 20.12 Hypervisors

The figure contrasts a Type I (native) hypervisor with a Type II (hosted) one, showing the hardware, host OS, hypervisor, and guest layers; the host OS layer is present only in Type II.

Virtual Servers Virtual servers can perform all the same functions as physical servers but can enjoy some significant advantages. By clustering a virtual server with other virtual servers located on different hosts, you can achieve fault tolerance in the case of a host failure. Increased performance can also be derived from this approach.

The virtualization software can allow you to allocate CPU and memory resources to the virtual machines (VMs) dynamically as needed to ensure that the maximum amount of computing power is available to any single VM at any moment while not wasting any of that power on an idle VM. In fact, in situations where VMs have been clustered, they may even be suspended or powered down in times of low demand in the cluster.

Virtual Switches Virtual switches are software versions of a Layer 2 switch that can be used to create virtual networks. They can be used for the same purposes as physical switches. VLANs can be created, virtual servers can be connected to the switches, and the virtual network can be managed, all while residing on the same physical box. These switches can also span multiple hosts (the physical machines that house multiple virtual servers, desktops, and switches are called hosts).

Distributed virtual switches are those switches that span multiple hosts, and they are what link together the VMs that are located on different hosts yet are members of the same cluster.

Virtual vs. Physical NICs Figure 20.13 shows the relationship between a physical server and the virtual servers and virtual switches that it hosts. The virtual servers, called virtual machines (VMs), have virtual network cards (vNICs) that connect to the virtual switch. Keep in mind that all three of these components are software running on the same physical server. Then the virtual switch makes a software connection to the physical NIC on the physical host, which makes a physical connection to the physical switch in the network.

Figure 20.13 Virtualization

The figure shows the physical switch connected to the host’s physical network interface card (NIC), which in turn connects to the virtual switch; the virtual switch, in the software environment, connects through the virtual network to the vNIC of the virtual machine.

It is interesting to note and important to be aware of the fact that the physical NIC in Figure 20.13 will actually be transmitting packets sourced from multiple MAC addresses, since each of the virtual servers has its own unique virtual MAC address.

Virtual Routers In virtualized environments, virtual routers are typically implemented as specialized software. They consist of individual routing and forwarding tables, each of which could be considered a virtual router.

Virtual Firewall Virtual firewalls are also implemented as software in the virtualized environment. Like their physical counterparts, they can be used to restrict traffic between virtual subnets created by virtual routers.

Software-Defined Networking Software-defined networking (SDN) is an approach to computer networking that allows network administrators to manage network services through abstraction of lower-level functionality. SDN architectures decouple network control and forwarding functions, enabling network control to become directly programmable and the underlying infrastructure to be abstracted from applications and network services.

Virtual Desktops Using operating system images for desktop computers is not a new concept. Delivering these desktop images to users from a virtual environment when they start their computer is. This allows for the user desktop to require less computing power, especially if the applications are also delivered virtually and those applications are running in a VM in the cloud rather than in the local desktop eating up local resources. Another benefit of using virtual desktops is the ability to maintain a consistent user environment (same desktop, applications, etc.), which can enhance user support.

Thin computing takes this a step further. In this case, all of the computing is taking place on the server. A thin client is simply displaying the output from the operating system running in the cloud, and the keyboard is used to interact with that operating system in the cloud. Does this sound like dumb terminals with a GUI to anyone yet? Back to the future indeed! The thin client needs very little processing power for this job.

Virtual PBX Virtual PBX is an example of what is called software as a service (SaaS). A hosting company manages the entire phone system for the company, freeing the organization from the need to purchase and manage the physical equipment that would be required otherwise to provide the same level of service. To the outside world, the company appears to have a professional phone system while everything is actually being routed through the hosting company’s system.

Network as a Service (NaaS) Now that you know what SaaS is you can probably guess what NaaS is. You guessed it: a network hosted and managed by a third party on behalf of the company. For many enterprises, it makes more sense to outsource the management of the network to a third party when it is not cost effective to maintain a networking staff.

An example of this is the Cisco OpenStack cloud operating system, which is an open-source platform that provides compute and storage.

Storage Area Network

Storage area networks (SANs) comprise high-capacity storage devices that are connected by a high-speed private network (separate from the LAN) using a storage-specific switch. This storage information architecture addresses the collection of data, management of data, and use of data. In this section, we’ll take a look at the protocols that can be used to access the data and the client systems that can use those various protocols. We’ll also look at an alternative to a SAN, network-attached storage (NAS).

iSCSI Internet Small Computer System Interface (iSCSI) is an IP-based storage networking standard that encapsulates SCSI commands (which are used with storage area networks) within IP packets. This allows the same network to be used for storage as for the rest of the network traffic. A comparison of a regular SAN that uses the Fibre Channel protocol and one using iSCSI is shown in Figure 20.14. I’ll talk more about Fiber Channel in a bit.

Figure 20.14 Classic SAN vs. iSCSI

The figures contrast a classic SAN, with a data IP network and a separate storage Fibre Channel network, against an iSCSI SAN, where data and storage share one IP network; in both, the network connects clients, database and HTTP servers, and storage devices.

InfiniBand InfiniBand is a communications standard that provides high performance and low latency. It is utilized as a direct, or switched, interconnect between servers and storage systems as well as an interconnect between storage systems. It uses a switched fabric topology. The adaptors can exchange information on QoS.

Fiber Channel Fiber Channel, or FC, is a high-speed network technology (commonly running at 2, 4, 8, and 16 gigabit per second rates) primarily used to connect computer data storage. It operates on an optical network that is not compatible with the regular IP-based data network. As you can see in Figure 20.14, this protocol runs on a private network that connects the servers to the storage network.

Fibre Channel over Ethernet (FCoE), on the other hand, encapsulates Fiber Channel traffic within Ethernet frames, much like iSCSI encapsulates SCSI commands in IP packets. However, unlike iSCSI, it does not use IP at all. It does, however, allow storage traffic to share the same Ethernet network that carries the IP data traffic.

Jumbo Frames Jumbo frames are Ethernet frames with more than 1,500 bytes of payload. Jumbo frames with more than 9,000-byte payloads have the potential to reduce overhead and CPU cycles. In high-speed networks such as those typically used in a SAN, it may be advisable to enable jumbo frames to improve performance.

Network-Attached Storage Network-attached storage (NAS) serves the same function as a SAN, but clients access the storage in a different way. In a NAS configuration, almost any machine that can connect to the LAN (or is interconnected to the LAN through a WAN) can use protocols such as NFS, CIFS, and HTTP to connect to the NAS and share files. In a SAN configuration, only devices that can use the Fiber Channel SCSI network can access the data, so it’s typically done through a server with this capability. A comparison of the two systems is shown in Figure 20.15.

Figure 20.15 NAS and SAN

The figures show NAS and SAN, each with application networks, application and database servers, and a RAID disk array. In the NAS, an IP-based Ethernet LAN and a file server sit in front of the RAID disk array; in the SAN, these are replaced by a Fibre Channel SAN.

Cloud Concepts

Cloud storage locates the data on a central server, but unlike with an internal data center in the LAN, the data is accessible from anywhere and in many cases from a variety of device types. Moreover, cloud solutions typically provide fault tolerance and dynamic computer resource (CPU, memory, network) provisioning.

Cloud deployments can differ in two ways:

  • The entity that manages the solution
  • The percentage of the total solution provided by the vendor

First, let’s look at the options relative to the entity that manages the solution:

  • Private cloud: This is a solution owned and managed by one company solely for that company’s use.
  • Public cloud: This is a solution provided by a third party. It offloads the details to the third party but gives up some control and can introduce security issues.
  • Hybrid cloud: This is some combination of private and public. For example, perhaps you only use the facilities of the provider but still manage the data yourself.
  • Community cloud: This is a solution owned and managed by a group of organizations that create the cloud for a common purpose.

There are several levels of service that can be made available through a cloud deployment:

  • Infrastructure as a service (IaaS). The vendor provides the hardware platform or data center, and the company installs and manages its own operating systems and application systems.
  • Platform as a service (PaaS). The vendor provides the hardware platform or data center and the software running on the platform.
  • Software as a service (SaaS). The vendor provides the entire solution. This includes the operating system, infrastructure software, and the application.

Connectivity Methods

When connecting to a virtual server that is in a cloud environment, there are several ways to make this connection:

  • Virtual Private Network (VPN) connections: This is the most direct way to connect. An example is the Amazon Web Services (AWS) Virtual Private Cloud (VPC) that will set up a VPN connection between your entire enterprise network and its cloud.
  • Remote Desktop: While the VPN connection connects you to the virtual network, an RDP connection can be directly to a server. If the server is Windows, then you will use the Remote Desktop client. If the server is Linux, then the connection will most likely be an SSH connection to the command line.
  • File Transfer Protocol (FTP): The FTP server will need to be enabled on the server and then you can use the FTP client or work at the command line. This is best when performing bulk data downloads.
  • VMware remote console: This allows you to mount a local DVD drive to the virtual server. This is handy for uploading ISO or installation disks to the cloud server.

Security Implications/Considerations

While an entire book could be written on the security implications of the cloud, there are some concerns that stand above the others. Among them are these:

  • While clouds increasingly contain valuable data, they are just as susceptible to attacks as on-premises environments. Cases such as the Salesforce.com incident in which a technician fell for a phishing attack that compromised customer passwords remind us of this.
  • Customers are failing to ensure that the provider keeps their data safe in multitenant environments. They are failing to ensure that passwords are assigned, protected, and changed with the same attention to detail the customer might desire.
  • No specific standard has been developed to guide providers with respect to data privacy.
  • Data security varies greatly from country to country and customers have no idea where their data is located at any point in time.

Relationship Between Local and Cloud Resources

When comparing the advantages of local and cloud environments and the resources that reside in each, several things stand out:

  • A cloud environment requires very little infrastructure investment on the part of the customer, while a local environment requires an investment in both the equipment and the personnel to set it up and manage it.
  • A cloud environment can be extremely scalable and at a moment’s notice, while scaling a local environment either up or out requires an investment in both equipment and personnel.
  • Investments in cloud environments involve monthly fees rather than the capital expenditures that would be required in a local environment.
  • While a local environment provides total control for the organization, a cloud takes some of that control away.
  • While you always know where your data is in a local environment, that may not be the case in a cloud, and the location may change rapidly.

Locating and Installing Equipment

When infrastructure equipment is purchased and deployed, the ultimate success of the deployment can depend on selecting the proper equipment, determining its proper location in the facility, and installing it correctly. Let’s look at some common data center or server room equipment and a few best practices for managing these facilities.

Main Distribution Frame

The main distribution frame connects equipment (inside plant) to cables and subscriber carrier equipment (outside plant). It also terminates cables that run to intermediate distribution frames distributed throughout the facility.

Intermediate Distribution Frame

An intermediate distribution frame (IDF) serves as a distribution point for cables from the main distribution frame (MDF) to individual cables connected to equipment in areas remote from these frames. The relationship between the IDFs and the MDF is shown in Figure 20.16.

Figure 20.16 MDF and IDFs

The image shows the main distribution frame connected to the intermediate distribution frames through fiber optic cable; each IDF connects to end devices through Cat 5 UTP.

Cable Management

While some parts of our network may be wireless, the lion’s share of the network will be connected with cables. The cables come together in large numbers at distribution points where managing them becomes important both to protect the integrity of the cables and to prevent overheating of the infrastructure devices caused by masses of unruly cabling. The points of congestion typically occur at the patch panels.

Patch panels terminate cables from wall or data outlets. These masses of wires that emerge from the wall in a room will probably feed to the patch panel in a cable tray, which I’ll talk more about soon. The critical maintenance issues at the patch panel are to ensure that cabling from the patch panel to the switch is neat, that the patch cables are as short as possible without causing stress on the cables, and that the positioning of the cabling does not impede air flow to the devices, which can cause overheating.

Power Management

Computing equipment of all types needs clean and constant power. Power fluctuations of any sort, especially complete outages and powerful surges, are a serious matter. In this section, we’ll look at power issues and devices that can be implemented to avoid or mitigate them.

Power Converters Power conversion is the process of converting electric energy from one form to another. This conversion could take several forms:

  • AC to DC
  • From one voltage level to another
  • From one frequency to another

Power converters are devices that make these conversions, and they typically are placed inline, where the energy flowing into one end is converted to another form when it exits the converter.

Circuits In situations where high availability is required, it may be advisable to provision multiple power circuits to the facility. This is sometimes called A+B or A/B power. To provision for A+B power, you should utilize a pair of identically sized circuits (e.g., 2 × 20 amperes). In the final analysis, even these systems can fail you in some natural disasters, so you should always also have power generators as a final backup.

UPS All infrastructure systems and servers should be connected to an uninterruptible power supply (UPS). As described in Chapter 15, a UPS can immediately supply power from a battery backup when a loss of power is detected. They provide power long enough for you to either shut the system down gracefully or turn on a power generator.

Inverters A power inverter is a type of power converter that specifically converts DC to AC. It produces no power and must be connected to a DC source.

Power Redundancy While the facility itself needs redundant power circuits and backup generators, a system can still fail if the power supply in the device fails. Mission-critical devices should be equipped with redundant power supplies, which can mitigate this issue.

Device Placement

When locating equipment in a data center, server room, or wiring closet, the placement of the equipment should take several issues into consideration.

Air Flow Air flow around the equipment is crucially important to keep devices running. When hot air is not removed from the area and replaced with cooler air, the devices overheat and start doing things like rebooting unexpectedly. Even if the situation doesn’t reach that point, the high heat will shorten the life of costly equipment.

One of the approaches that has been really successful is called hot/cold aisles. As explained earlier in this chapter, hot aisle/cold aisle design involves lining up racks in alternating rows with cold air intakes facing one way and hot air exhausts facing the other. The rows composed of rack fronts are called cold aisles. Typically, cold aisles face air conditioner output ducts. The rows the heated exhausts pour into are called hot aisles. They face air conditioner return ducts. Moreover, all of the racks and the equipment they hold should never be on the floor. There should be a raised floor to provide some protection against water.

Cable Trays Masses of unruly cables can block air flow and act as a heat blanket on the equipment if the situation is bad enough. Cable trays are metal trays used to organize the cabling neatly and keep it away from the areas where it can cause heat buildup. In Figure 20.17, some examples of cable tray components are shown. These are used to organize the cables and route them as needed.

Figure 20.17 Cable trays

The image shows cable tray components: a cable tray drop, straight sections, and a reducer.

Rack Systems Rack systems are used to hold and arrange the servers, routers, switches, firewalls, and other rack-ready equipment. Rack devices are advertised in terms of Us. U is the standard unit of measure for designating the vertical usable space, or the height of racks. 1U is equal to 1.75 inches. For example, a rack designated as 20U has 20 rack spaces for equipment and has 35 (20 × 1.75) inches of vertical usable space. You should be familiar with the following types of rack systems and components:

Server Rail Racks Server rail racks are used to hold servers in one of the types of racks described next. They are designed to hold the server while allowing the server to be slid out from the rack for maintenance.

Two-Post Racks A two-post rack is one in which only two posts run from the floor. These posts may reach to the ceiling or they may not (freestanding). Several sizes of two-post racks are shown in Figure 20.18.

Figure 20.18 Two-post racks

The image shows two-post racks, in which only two posts run from the floor; they may reach the ceiling or be freestanding.

Four-Post Racks As you would expect, these racks have four rails and can be either floor to ceiling or freestanding. One is shown in Figure 20.19.

Figure 20.19 Four-post rack

The image shows a four-post rack, which has four rails and can be either floor to ceiling or freestanding.

Freestanding racks A freestanding rack is one that does not reach the ceiling and stands on its own. A four-post freestanding rack is shown in Figure 20.20.

Figure 20.20 Freestanding rack

The image shows a four-post freestanding rack that does not reach the ceiling and stands on its own.

Real World Scenario

Applying Your Knowledge

You have been assigned the job of positioning the following pieces of equipment in the network for maximum performance and security:

  • Firewall
  • Patch server
  • Main distribution frame (MDF)
  • Intermediate distribution frame (IDF)
  • Public web server

Using the following table, match the five pieces of equipment in the left column with the correct position in the right column. The answer follows.

Device               Position
Firewall             In the DMZ
Patch server         Just after the Internet router
MDF                  In the server room or closet on each floor
IDF                  Inside the LAN
Public web server    In the server room or closet that is connected to the service provider

Answer:

Device               Position
Firewall             Just after the Internet router
Patch server         Inside the LAN
MDF                  In the server room or closet that is connected to the service provider
IDF                  In the server room or closet on each floor
Public web server    In the DMZ

Labeling

In a data center, server room, or wiring closet, correct and updated labeling of ports, systems, circuits, and patch panels can prevent a lot of confusion and mistakes when configuration changes are made. Working with incorrect or incomplete (in some cases nonexistent) labeling is somewhat like trying to locate a place with an incorrect or incomplete map. In this section, we’ll touch on some of the items that should be correctly labeled.

Port Labeling Ports on switches, patch panels, and other systems should be properly labeled, and the wall outlets to which they lead should match! You should arrive at an agreement as to the naming convention to use so that all technicians are operating from the same point of reference. They also should be updated in any case where changes are made that dictate an update.

System Labeling Other systems that are installed in racks, such as servers, firewall appliances, and redundant power supplies, should also be labeled with IP addresses and DNS names that the devices possess.

Circuit Labeling Circuits entering the facility should also be labeled. Label electrical receptacles, circuit breaker panels, and power distribution units. Include circuit information, voltage and amperage, the type of electrical receptacle, and where in the data center the conduit terminates.

Naming Conventions A naming system or convention guides and organizes labeling and ensures consistency. No matter what name or numbering system you use, be consistent.

Patch Panel Labeling The key issue when labeling patch panels is to ensure that they’re correct. Also, you need to make sure that the wall outlet they’re connected to is the same. The American National Standards Institute/Telecommunications Industry Association (ANSI/TIA) 606-B.1 Administration Standard for Telecommunications Infrastructure for identification and labeling approved in April 2012 provides clear specifications for labeling and administration best practices across all electrical and network systems premise classes, including large data centers.

Rack Monitoring

Racks should contain monitoring devices that can be operated remotely. These devices can be used to monitor the following issues:

  • Temperature
  • Humidity
  • Physical security (open doors)
  • Smoke
  • Water leaks
  • Vibration

Rack Security

Rack devices should be secured from theft. There are several locking systems that can be used to facilitate this. These locks are typically implemented in the doors on the front of a rack cabinet:

  • Swing handle/wing knob locks with common key
  • Swing handle/wing knob locks with unique key
  • Swing handle with number and key lock
  • Electronic locks
  • Radio-frequency identification (RFID) card locks

Change Management Procedures

Throughout this chapter I’ve stressed that network operations need to occur in a controlled and managed fashion. For this to occur, an organization must have a formal change management process in place. The purpose of this process is to ensure that all changes are approved by the proper personnel and are implemented in a safe and logical manner. Let’s look at some of the key items that should be included in these procedures.

Document Reason for a Change

Clearly, every change should be made for a reason, and before the change is even discussed, that reason should be documented. During all stages of the approval process (discussed later), this information should be clearly communicated and attached to the change under consideration.

Change Request

A change should start its life as a change request. This request will move through various stages of the approval process and should include certain pieces of information that will guide those tasked with approving or denying it.

Configuration Procedures

The exact steps required to implement the change and the exact devices involved should be clearly detailed. Complete documentation should be produced and submitted with a formal report to the change management board.

Rollback Process

Changes always carry a risk. Before any changes are implemented, plans for reversing the changes and recovering from any adverse effects from the change should be identified. Those making the changes should be completely briefed in these rollback procedures, and they should exhibit a clear understanding of them prior to implementing the changes.

Potential Impact

While unexpected adverse effects of a change can’t always be anticipated, a good-faith effort should be made to identify all possible systems that could be impacted by the change. One of the benefits of performing this exercise is that it can identify systems that may need to be more closely monitored for their reaction to the change as the change is being implemented.

Notification

When all systems and departments that may be impacted by the change are identified, system owners and department heads should be notified of all changes that could potentially affect them. One of the associated benefits of this is that it creates additional monitors for problems during the change process.

Approval Process

Requests for changes should be fully vetted by a cross section of users, IT personnel, management, and security experts. In many cases, it’s wise to form a change control board to complete the following tasks:

  • Assure that changes made are approved, tested, documented, and implemented correctly.
  • Meet periodically to discuss change status accounting reports.
  • Maintain responsibility for assuring that changes made do not jeopardize the soundness of the verification system.

Maintenance Window

A maintenance window is an amount of time a system will be down or unavailable during the implementation of changes. Before this window of time is specified, all affected systems should be examined with respect to their criticality in supporting mission-critical operations. It may be that the time required to make the change may exceed the allowable downtime a system can suffer during normal business hours, and the change may need to be implemented during a weekend or in the evening.

Authorized Downtime

Once the time required to make the change has been compared to the maximum allowable downtime a system can suffer and the optimum time for the change is identified, the authorized downtime can be specified. This amounts to a final decision on when the change will be made.

Notification of Change

When the change has been successfully completed and a sufficient amount of time has elapsed for issues to manifest themselves, all stakeholders should be notified that the change is complete. At that time, these stakeholders (those possibly affected by the change) can continue to monitor the situation for any residual problems.

Documentation

The job isn’t complete until the paperwork is complete. In this case, the following should be updated to reflect the changed state of the network:

  • Network configurations
  • Additions to network
  • Physical location changes
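As an added example that is not from the book, the following Python models the change management procedure just described as a set of approval gates: a request is sent back unless the reason, configuration procedures, rollback process, impact assessment, stakeholder notifications, and approvals from the cross section of reviewers are all present, and the authorized downtime is moved to an evening maintenance window when the time required exceeds what an affected system can tolerate during business hours. The field names, the approver groups, the assumed business hours (Monday to Friday, 09:00 to 17:00), and the sample request are all assumptions constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Cross section of reviewers the text says should vet a request (assumed groups)
REQUIRED_APPROVERS = {"users", "it", "management", "security"}


@dataclass
class AffectedSystem:
    name: str
    owner: str                               # system owner who must be notified
    max_business_hours_downtime: timedelta   # outage tolerated during the day


@dataclass
class ChangeRequest:
    title: str
    reason: str = ""
    configuration_steps: list[str] = field(default_factory=list)
    rollback_steps: list[str] = field(default_factory=list)
    impacted: list[AffectedSystem] = field(default_factory=list)
    notified: set[str] = field(default_factory=set)   # owners already told
    estimated_duration: timedelta = timedelta(0)
    approvals: set[str] = field(default_factory=set)
    status: str = "requested"


def missing_items(cr: ChangeRequest) -> list[str]:
    """Everything the change control board would send the request back for."""
    problems: list[str] = []
    if not cr.reason.strip():
        problems.append("reason for the change is not documented")
    if not cr.configuration_steps:
        problems.append("configuration procedures are not detailed")
    if not cr.rollback_steps:
        problems.append("no rollback process identified")
    if not cr.impacted:
        problems.append("potential impact not assessed")
    unnotified = sorted({s.owner for s in cr.impacted} - cr.notified)
    if unnotified:
        problems.append("owners not notified: " + ", ".join(unnotified))
    missing = sorted(REQUIRED_APPROVERS - cr.approvals)
    if missing:
        problems.append("approvals missing from: " + ", ".join(missing))
    return problems


def authorized_downtime(cr: ChangeRequest, proposed: datetime) -> datetime:
    """Compare the time needed with the tightest allowable daytime outage.

    If the change would exceed what any affected system can tolerate during
    business hours (assumed Mon-Fri 09:00-17:00), move it to 18:00 that day.
    """
    tightest = min((s.max_business_hours_downtime for s in cr.impacted), default=None)
    daytime = proposed.weekday() < 5 and 9 <= proposed.hour < 17
    if daytime and tightest is not None and cr.estimated_duration > tightest:
        return proposed.replace(hour=18, minute=0, second=0, microsecond=0)
    return proposed


def approve(cr: ChangeRequest, proposed: datetime) -> tuple[bool, list[str], datetime | None]:
    """Run the approval gate; returns (approved, problems, authorized start)."""
    problems = missing_items(cr)
    if problems:
        cr.status = "returned"
        return False, problems, None
    cr.status = "approved"
    return True, [], authorized_downtime(cr, proposed)


def sample_request() -> ChangeRequest:
    """Constructed sample (not real data): a switch firmware upgrade."""
    return ChangeRequest(
        title="Upgrade core switch firmware",
        reason="Vendor fix for a memory leak causing unexpected reboots",
        configuration_steps=["save running config", "copy new image", "reload"],
        rollback_steps=[],                       # forgotten: the gate catches it
        impacted=[AffectedSystem("core-switch-1", "network-team", timedelta(minutes=30)),
                  AffectedSystem("erp-app-server", "finance-it", timedelta(hours=4))],
        notified={"network-team"},
        estimated_duration=timedelta(hours=2),
        approvals={"it", "security"},
    )
```

Calling approve(sample_request(), some_daytime_datetime) returns the request with status "returned" and lists the missing rollback plan, the un-notified owner, and the missing approvers; once those are supplied, the two-hour change is scheduled for 18:00 because the core switch only tolerates 30 minutes of daytime downtime.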

Summary

In this chapter, I talked a lot about the documentation aspects of network administration. I started off discussing physical diagrams and schematics and moved on to the logical form as well as configuration-management documentation. You learned about the importance of these diagrams as well as the simple to complex forms they can take and the tools used to create them—from pencil and paper to high-tech AutoCAD schematics. You also found out a great deal about creating performance baselines. After that, I delved deep into a discussion of network policies and procedures and how regulations can affect how you manage your network.

Next, you learned about network monitoring and optimization and how monitoring your network can help you find issues before they develop into major problems. You learned that server operating systems and intelligent network devices have built-in graphical monitoring tools to help you troubleshoot your network.

We got into performance optimization and the many theories and strategies you can apply to optimize performance on your network. All of them deal with controlling the traffic in some way and include methods like QoS, traffic shaping, load balancing, high availability, and the use of caching servers. We discussed how Common Address Redundancy Protocol (CARP) can be used to increase availability of gateways and firewalls. You also learned how important it is to ensure that you have plenty of bandwidth available for any applications that vitally need it, like critical service operations, VoIP, and real-time multimedia streaming.

Finally, we discussed cloud computing, or virtualization. We looked at its benefits, including increased performance and fault tolerance, increased availability, and the ability to access cloud services from anywhere. You also learned about some of its major components, such as virtual servers, virtual switches, virtual desktops, and an example of software as a service (SaaS), virtual PBX.

Exam Essentials

Understand the difference between a physical network diagram and a logical network diagram. A physical diagram shows all of the physical connections and devices, and in many cases the cables or connections between the devices. It’s a very detail-oriented view of the hardware on your network. A logical network diagram takes a higher-level view, such as your subnets and which protocols those subnets use to communicate with each other.

Identify the elements of unified communications technology. This includes the proper treatment of traffic types such as VoIP and video. You should also understand what UC servers, devices, and gateways are. Finally, describe the methods used to provide QoS to latency-sensitive traffic.

Understand the difference between policies, procedures, and regulations. A policy is created to give users guidance as to what is acceptable behavior on the network. Policies also help resolve problems before they begin by specifying who has access to what resources and how configurations should be managed. Procedures are steps to be taken when an event occurs on the network, such as what to do when a user is fired or how to respond to a natural disaster. Regulations are imposed on your organization; you are required to follow them, and if you don’t, you may be subject to punitive actions.

Know how your servers and network devices can help you monitor your network. Most servers and network devices have monitoring tools built in that are capable of tracking data and events on your network. These include graphical tools as well as log files.

Compare and contrast cloud technologies. Understand the differences between public IaaS, SaaS, PaaS; private IaaS, SaaS, PaaS; hybrid IaaS, SaaS, PaaS; and community IaaS, SaaS, PaaS. Also know the difference between a NAS and a SAN.

Understand several theories of performance optimization. There are several ways to manage traffic on your network to speed up access and in some cases guarantee available bandwidth to applications. These include QoS, traffic shaping, load balancing, high availability, and using caching servers.

Know some examples of bandwidth-intensive applications. Two examples of high-bandwidth applications are Voice over IP (VoIP) and real-time video streaming.

Describe the major building blocks of virtualization. Understand how virtual servers, virtual switches, and virtual desktops are used to supply the infrastructure to deliver cloud services. Differentiate onsite or private clouds from offsite or public cloud services. Identify services that can be provided, such as network as a service (NaaS) and software as a service (SaaS).

Summarize safety and environmental issues in the data center. Understand electrical safety as it relates to both devices and humans. Understand the use of fire suppression systems. Describe proper emergency procedures.

Written Lab

You can find the answers to the written labs in Appendix A. In this section, write the answers to the following management questions:

  1. __________ are systems that are configured to be attractive to hackers and to lure them into spending time attacking them while information is gathered about the attack.

  2. Which network-performance optimization technique uses a contract to determine which data can get on to the network?

  3. The lowest level of QoS is called __________.

  4. __________ is a type of power converter that specifically converts DC to AC.

  5. Spreading network traffic across multiple connections is called __________.

  6. A standard of normal network performance is called __________.

  7. If you need to connect two PCs directly together using their network adapters, what type of cable do you need?

  8. What is another name for using virtualization to provide services?

  9. List at least three major components of virtualization.

  10. The steps you should take when, for example, a network user is fired are called __________.


Review Questions

You can find the answers to the review questions in Appendix B.

  1. UTP cables use which type of connector?

    1. RJ-11
    2. RJ-25
    3. RJ-45
    4. BNC
  2. Which type of cable will have the pins in the same order on both connectors?

    1. Crossover cable
    2. Straight-through cable
    3. Console cable
    4. Telephone cable
  3. Which pins are switched in a crossover cable?

    1. 1 and 2, 3 and 4
    2. 1 and 3, 2 and 6
    3. 2 and 4, 5 and 7
    4. 1 and 4, 5 and 8
  4. UTP cable has specific colors for the wire associated with each pin. Based on the TIA/EIA 568B wiring standard, what is the correct color order, starting with pin 1?

    1. White/Orange, Orange, Blue, White/Green, White/Blue, Green, White/Brown, Brown
    2. Orange, White/Orange, White/Green, Blue, White/Blue, White/Brown, Brown, Green
    3. White/Orange, Orange, White/Green, Blue, White/Blue, Green, White/Brown, Brown
    4. White/Green, Green, White/Orange, Blue, White/Blue, Orange, White/Brown, Brown
  5. What is the technical term for what happens when two objects of dissimilar charge come in contact?

    1. RFI
    2. EMI
    3. ESD
    4. Crosstalk
  6. Which of the following govern how the network is configured and operated as well as how people are expected to behave on the network?

    1. Baselines
    2. Laws
    3. Policies
    4. Procedures
  7. You have upgraded the firmware on your switches and access points. What documentation do you need to update?

    1. Baselines and configuration documentation
    2. Physical network diagram
    3. Logical network diagram
    4. Wiring schematics
  8. In an ICS, which of the following uses coded signals over communication channels to acquire information about the status of the remote equipment?

    1. ICS server
    2. Telemetry system
    3. Human interface
    4. PLC
  9. Load testing, connectivity testing, and throughput testing are all examples of what?

    1. Load balancing
    2. Network monitoring
    3. Packet sniffing
    4. Traffic shaping
  10. What can provide different priority levels to different applications, data flows, or users to help guarantee performance levels?

    1. 1 Gbps connection
    2. Bandwidth
    3. Uptime
    4. Quality of Service
  11. Which of the following identifies steps to recover from adverse effects caused by a change?

    1. Rollback process
    2. Approval process
    3. Notification process
    4. Impact assessment
  12. After a change has been made, which of the following is not a document that needs to be updated?

    1. Network configurations
    2. Additions to the network
    3. Physical location changes
    4. All of the above
  13. Which of the following provides increased availability to firewalls and gateways?

    1. DHCP
    2. CARP
    3. SaaS
    4. NaaS
  14. You have added a new cable segment to your network. You need to make sure you document this for troubleshooting purposes. What should you update?

    1. The disaster recovery plan
    2. The wiring schematics
    3. The router connections document
    4. The baseline document
  15. What is the basic purpose of QoS? (Choose two.)

    1. Block access to certain websites
    2. Make your entire network run faster
    3. Provide priority to one or more types of traffic over others
    4. Block access to web resources for just certain users or groups
    5. Prioritize delay-sensitive traffic
  16. Which network-performance optimization technique can delay packets that meet certain criteria to guarantee usable bandwidth for other applications?

    1. Traffic shaping
    2. Jitter
    3. Logical
    4. Load balancing
  17. Which of the following is neither a virtualization component nor a service made available through virtualization?

    1. Virtual servers
    2. SaaS
    3. CARP
    4. Virtual switches
  18. Which of the following are reasons to optimize network performance? (Choose all that apply.)

    1. Maximizing uptime
    2. Minimizing latency
    3. Using VoIP
    4. Using video applications
    5. None of the above
  19. What term describes technologies that can deliver voice communications over the Internet?

    1. Jitter
    2. Uptime
    3. Voice over Internet Protocol
    4. None of the above
  20. To optimize performance on your network, which of the following control traffic in some way? (Choose all that apply.)

    1. QoS
    2. Traffic shaping
    3. Load balancing
    4. Caching services
    5. None of the above