Symmetric Key Algorithms
DES uses a 56-bit key, and its whole key space can be searched by brute force
in about a day with dedicated hardware, so it is no longer considered secure.
It is a block cipher; it encrypts 64-bit blocks of data at a time.
3DES is also a block cipher, but it encrypts each block, decrypts it, and then
encrypts it again. A separate 56-bit key is used at each stage, giving a nominal
key length of 168 bits (its effective strength against a meet-in-the-middle
attack is about 112 bits). It is more secure than DES but needs roughly three
times the processing power.
AES is a stronger block cipher encryption method than DES or 3DES. It
uses a 128-bit data block and a key length of 128, 192, or 256 bits. AES has
been approved for use with government classified data.

Authentication Methods
Several authentication methods are supported with IPsec virtual private
networks (VPN):
■ Username and password
■ A one-time password
■ Biometric features, such as fingerprint
■ Preshared key values
■ Digital certificates
Preshared keys and digital certificates authenticate the IPsec peers themselves
during IKE negotiation. The first three are user-level credentials; remote-access
VPNs use them in addition to peer authentication so that a stolen device alone
does not grant access. A group preshared key shared by many users should never
be the only thing protecting such a VPN.
Encryption Methods
IPsec encryption uses key values to encrypt and decrypt data. Keys can be
either symmetric or asymmetric. Symmetric keys use the same value to both
encrypt and decrypt the data; DES, 3DES, and AES are symmetric ciphers. Asymmetric
keys use one value to encrypt the data and another one to decrypt it. Diffie-
Hellman and RSA are asymmetric algorithms. In IPsec they are used by IKE, not
for the data itself: Diffie-Hellman lets the two peers agree on the symmetric
session keys without ever sending them across the network, and RSA provides
peer authentication.
Note
RSA is not an acronym; it is the initials of the last names of the algorithm's inventors: Ron
Rivest, Adi Shamir, and Len Adleman.

Encapsulating Security Payload
Encapsulating Security Payload (ESP), IP protocol number 50, encrypts packet
payloads and can also authenticate and integrity-check them, either with its own
optional integrity check value (ICV) appended after the ESP trailer or by
combining it with AH. It adds a header and a trailer to the packet. In either case
the payload is encrypted first and the hash is then computed over the encrypted
data (encrypt-then-authenticate), so a receiver can discard forged or corrupted
packets before it spends any effort decrypting them. Note that ESP's own ICV
covers the ESP header and the encrypted payload but not the outer IP header.
IPsec Modes
IPsec can operate in either Transport mode or Tunnel mode. The headers
differ based on the mode used:
■ Transport mode IPsec keeps the original IP header. The data payload is
encrypted, and the packet is authenticated from the ESP header back;
the original IP header is not covered by the ESP integrity check. Transport
mode is often used with generic routing encapsulation (GRE) tunnels,
because the GRE encapsulation already hides the original IP header inside
the protected payload, so a second tunnel header is not needed.
■ Tunnel mode IPsec replaces the original IP header with a tunnel header.
The ESP header is placed after the new header, before the original one.
The original IP header is encrypted along with the data payload, so the
real source and destination are hidden, and the packet is authenticated
from the ESP header back. Tunnel mode adds a new 20-byte IPv4 header
on top of the ESP overhead.
Figure 4-1 shows the packet headers in the two IPsec modes.

Authentication Header
Authentication Header (AH) is IP protocol number 51. It authenticates the
packet, including the IP header, but does not encrypt the packet payload. AH
works by computing an HMAC (MD5 or SHA-1 in the original standards) over
the IP header, with mutable fields such as Time to Live, DSCP/ECN, flags and
fragment offset, and the header checksum zeroed; over the AH header itself with
its ICV field zeroed; and over the packet payload. It sends this hash in an AH
header after the Layer 3 IP header. Because the source and destination
addresses are covered by the hash, AH cannot pass through NAT. The receiving
host also creates a hash value from the IP header and original payload and compares

IPsec
IP Security, or IPsec, is a set of rules for securing data communications
across a public, untrusted network such as the Internet. It provides the
following:
■ Data confidentiality by encrypting portions of a packet
■ Data integrity by ensuring the packet has not been altered in transit
■ Data source authentication to ensure that the data originated
with a trusted source
■ Anti-replay protection to ensure that captured packets cannot be
resent and accepted a second time
The IPsec standards do not specify exactly how packets should be encrypted or
authenticated; they rely on other algorithms to accomplish those functions. For
encryption, IPsec can use Data Encryption Standard (DES), Triple Data Encryption
Standard (3DES), and Advanced Encryption Standard (AES). For authentication,
it can use Hash-based Message Authentication Codes (HMAC). An HMAC
combines a hash function such as Message Digest 5 (MD5) or Secure Hash
Algorithm 1 (SHA-1) with a shared secret key. MD5 produces a 128-bit hash,
whereas SHA-1 produces a 160-bit hash. In either case IPsec truncates the HMAC
to its first 96 bits (HMAC-MD5-96 and HMAC-SHA-1-96) to form the integrity
check value carried in the packet. DES and MD5 are obsolete today; new
deployments should use AES (preferably AES-GCM, which provides encryption
and integrity together) with SHA-2 based HMACs.
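The following Python example is added here and is not part of the original reference. It shows the two checks this section and the Authentication Header section describe: an HMAC-SHA-1-96 integrity check value computed the way AH computes it (IPv4 header with the mutable fields zeroed, the AH header with its ICV field zeroed, then the payload; the 160-bit digest truncated to 96 bits, as in RFC 2404 and RFC 4302), and a 64-packet anti-replay window. The key, addresses and payload are constructed for the example, and the IPv4 header is built without options.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51          # IP protocol number carried in the outer IPv4 header
ICV_LEN = 12           # HMAC-SHA-1-96: the 160-bit digest is truncated to 96 bits
AH_FIXED_LEN = 12      # Next Header, Payload Len, Reserved, SPI, Sequence Number


def ip_checksum(hdr):
    """Ones'-complement checksum over a 20-byte IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", hdr))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64, ident=0x1234):
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(hdr):
    """RFC 4302: DSCP/ECN, flags/fragment offset, TTL and the header checksum may
    change in transit, so they are zeroed before the ICV is computed or verified."""
    b = bytearray(hdr)
    b[1] = 0                 # DSCP/ECN
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)


def ah_header(next_header, spi, seq, icv):
    """AH header; Payload Len is the AH length in 32-bit words minus 2."""
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_icv(key, ip_hdr, next_header, spi, seq, payload):
    """ICV = HMAC-SHA-1(key, zeroed IP header || AH header with zeroed ICV || payload)[:96 bits]."""
    ah_zero = ah_header(next_header, spi, seq, b"\x00" * ICV_LEN)
    mac = hmac.new(key, zero_mutable_fields(ip_hdr) + ah_zero + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, payload, spi, seq, inner_proto=17, ttl=64):
    """Sender: IPv4 header (protocol 51) + AH header + unencrypted payload."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    hdr = ipv4_header(src, dst, AH_PROTO, total_len, ttl)
    icv = ah_icv(key, hdr, inner_proto, spi, seq, payload)
    return hdr + ah_header(inner_proto, spi, seq, icv) + payload


def verify_ah_packet(key, pkt):
    """Receiver: recompute the ICV and compare in constant time. Returns (valid, spi, seq)."""
    hdr, ah = pkt[:20], pkt[20:]
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", ah[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    icv, payload = ah[AH_FIXED_LEN:ah_len], ah[ah_len:]
    expected = ah_icv(key, hdr, next_header, spi, seq, payload)
    return hmac.compare_digest(icv, expected), spi, seq


class ReplayWindow:
    """Anti-replay sliding window (default 64): a sequence number is accepted once,
    and only if it is not older than the window. Bit 0 of the bitmap is self.top."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:                                   # 0 is never a valid sequence number
            return False
        if seq > self.top:                             # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if self.top - seq >= self.size:                # older than the window: reject
            return False
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:                          # already seen: replay
            return False
        self.bitmap |= bit
        return True


def decrement_ttl(pkt):
    """Simulate one router hop: TTL goes down and the header checksum is recomputed."""
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def demo():
    key = bytes.fromhex("0b" * 20)                          # constructed 160-bit HMAC key
    payload = b"\x04\xd2\x00\x35\x00\x0d\x00\x00hello"      # constructed UDP-like payload
    pkt = build_ah_packet(key, "10.0.0.1", "10.0.0.2", payload, spi=0x1000, seq=1)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])           # flip one payload bit in transit
    return {
        "original": verify_ah_packet(key, pkt)[0],
        "after_ttl_decrement": verify_ah_packet(key, decrement_ttl(pkt))[0],
        "tampered": verify_ah_packet(key, tampered)[0],
    }
```

Running demo() shows why the mutable fields are excluded: a TTL decrement by an intermediate router leaves the ICV valid, while changing one payload bit fails verification. The receiver compares with hmac.compare_digest rather than == so that the check does not leak timing information, and the ReplayWindow is what turns the sequence number into anti-replay protection.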
IPsec Headers
IPsec defines two types of headers: Authentication Header and
Encapsulating Security Payload.

Route Targets
Sometimes, customer sites need to participate in more than one MPLS VPN.
Export and import route targets (RT) are BGP extended-community attributes
attached to VPNv4 routes to indicate which VPNs a route belongs to. This allows
the creation of complex topologies with overlapping VPNs:
■ Export RT—Attached to a route when it is exported from the VRF into
MP-BGP, to identify the VPNs to which the route belongs. The route
is then advertised to other PE routers.
■ Import RT—Used by the PE router receiving the routes to identify
which VRFs should receive them. A VRF whose import list contains any
of the route's RTs will import the route. These networks are then
installed in the VRF table and advertised to the appropriate customer
routers.
A VRF is only as isolated as its import RT list: importing an RT by mistake
merges another customer's routes into the VRF, so RT changes deserve the same
review as firewall rule changes.

Route Distinguishers
To support customers with overlapping IP address space, MPLS providers
use route distinguishers (RD). An RD is a 64-bit value prepended to each
customer network address to make it unique within the provider's MP-BGP.
The resulting 96-bit address is called a VPNv4 address.
RDs are used to propagate routes across provider networks in the following
way:
Step 1. A customer (C) router advertises its normal IPv4 networks to the PE router.
Step 2. The PE router prepends the RD configured for that VRF to the C
networks to create VPNv4 addresses.
Step 3. The PE router advertises the VPNv4 addresses to its MP-BGP
peers.
Step 4. Other PE routers strip the RD from the network address and
advertise the route to C routers in the same VRF.
Note
The RD is used only within the MPLS network and only to create a globally unique address. C
routers never see the RD and are not aware of their VPNv4 address. The RD does not decide
which VRFs receive a route; that is controlled by route targets.
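The following Python example is added here and is not part of the original reference. It walks the four steps above and the route-target matching from the Route Targets section: RD strings are encoded into the 8-byte formats of RFC 4364, prepended to a 32-bit network to form a 96-bit VPNv4 address, tagged with the VRF's export RTs, and then imported on the egress PE by any VRF whose import RT list matches, with the RD stripped again. The VRF names, RDs, RTs and prefixes are constructed for the example; they are not from any real provider configuration.

```python
import ipaddress
import struct


def encode_rd(rd):
    """8-byte route distinguisher (RFC 4364). Type 0: 2-byte ASN:4-byte number;
    type 1: IPv4 address:2-byte number; type 2: 4-byte ASN:2-byte number."""
    admin, number = rd.rsplit(":", 1)
    number = int(number)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, number)
    asn = int(admin)
    if asn <= 0xFFFF:
        return struct.pack("!HHI", 0, asn, number)
    return struct.pack("!HIH", 2, asn, number)


def decode_rd(raw):
    rd_type, = struct.unpack("!H", raw[:2])
    if rd_type == 0:
        asn, number = struct.unpack("!HI", raw[2:])
        return f"{asn}:{number}"
    if rd_type == 1:
        ip, number = struct.unpack("!4sH", raw[2:])
        return f"{ipaddress.IPv4Address(ip)}:{number}"
    if rd_type == 2:
        asn, number = struct.unpack("!IH", raw[2:])
        return f"{asn}:{number}"
    raise ValueError(f"unknown RD type {rd_type}")


def to_vpnv4(rd, prefix):
    """Step 2 (ingress PE): prepend the 64-bit RD to the 32-bit network address.
    Returns the 96-bit VPNv4 address as hex plus the prefix length."""
    net = ipaddress.IPv4Network(prefix)
    return (encode_rd(rd) + net.network_address.packed).hex(), net.prefixlen


def from_vpnv4(vpnv4_hex, prefixlen):
    """Step 4 (egress PE): strip the RD and recover the plain IPv4 network."""
    raw = bytes.fromhex(vpnv4_hex)
    network = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(raw[8:])}/{prefixlen}")
    return decode_rd(raw[:8]), str(network)


# Constructed VRF definitions: two customers with overlapping address space plus a
# shared-services VRF that both of them import (an overlapping VPN topology).
VRFS = {
    "CUST_A": {"rd": "65000:1", "export": {"65000:1"}, "import": {"65000:1", "65000:100"}},
    "CUST_B": {"rd": "65000:2", "export": {"65000:2"}, "import": {"65000:2", "65000:100"}},
    "SHARED": {"rd": "192.0.2.1:100", "export": {"65000:100"}, "import": {"65000:1", "65000:2"}},
}


def pe_export(vrfs, vrf_name, prefix):
    """Ingress PE: turn a customer IPv4 route into a VPNv4 route carrying the VRF's export RTs."""
    vrf = vrfs[vrf_name]
    vpnv4, prefixlen = to_vpnv4(vrf["rd"], prefix)
    return {"vpnv4": vpnv4, "prefixlen": prefixlen, "rt": set(vrf["export"])}


def pe_import(vrfs, routes):
    """Egress PE: a VRF installs a VPNv4 route if any of the route's RTs matches one of
    the VRF's import RTs. The RD is stripped before the route enters the VRF table."""
    tables = {name: set() for name in vrfs}
    for route in routes:
        for name, vrf in vrfs.items():
            if route["rt"] & vrf["import"]:
                _, prefix = from_vpnv4(route["vpnv4"], route["prefixlen"])
                tables[name].add(prefix)
    return tables


def demo():
    routes = [
        pe_export(VRFS, "CUST_A", "10.1.1.0/24"),     # both customers use 10.1.1.0/24
        pe_export(VRFS, "CUST_B", "10.1.1.0/24"),
        pe_export(VRFS, "SHARED", "172.16.0.0/16"),
    ]
    return routes, pe_import(VRFS, routes)
```

The two 10.1.1.0/24 routes are distinct VPNv4 routes because their RDs differ, so MP-BGP carries both. The SHARED VRF, which imports both customers' RTs, ends up with a single 10.1.1.0/24 entry once the RDs are stripped: overlapping addresses are fine between customers, but not inside a VRF that imports routes from both of them.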

Handling Customer Routes
MPLS PE routers use a separate virtual routing instance for each customer,
called a Virtual Routing and Forwarding (VRF) table. Each customer router
advertises its routes to its PE router. C routers can use a standard routing
protocol to advertise their routes. The PE router looks like any other neighbor
to the C router. Because VRFs must be configured on the PE router, the
routing protocol needs to support them. EIGRP, OSPF, RIPv2, BGP, and
static routing support VRFs.
C routes are then advertised via Multiprotocol BGP (MP-BGP) to other PE
routers participating in that VRF. BGP runs only between the edge routers;
internal P routers use an Interior Gateway Protocol (IGP) such as OSPF or
EIGRP to tell them how to reach the PE routers. P routers have no knowledge
of customer routes. Thus, PE routers do the following types of routing:
■ IGP, BGP, or static routing with their customer routers to exchange IPv4
routes
■ MP-BGP with their peer PE routers to exchange VPNv4 routes
■ IGP with their neighboring P routers to exchange core network routes

MPLS VPNs
There are two basic types of VPNs: overlay and peer to peer. In an overlay
VPN, the service provider sets up the connections. Frame Relay permanent
virtual circuits (PVC) are an example of an overlay VPN. The service
provider does not participate in the customer's routing when using an overlay
VPN. In a peer-to-peer VPN, the service provider transports the customer's
routes across its network. Only one circuit per customer site is required, but
the service provider is required to have knowledge of each customer's routes.
Customers may be required to renumber their networks, depending on
whether the provider uses a dedicated or a shared PE router. In addition,
there is no separation of customer routes.
MPLS VPNs provide the advantages of both types and minimize their drawbacks.
They provide the following:
■ The service provider participates in customer routing, thus providing
optimum paths through the provider network.
■ Each customer's routes are kept separate from other customers' routes.
■ Overlapping IP addresses are permitted, so customers do not have to
renumber.
MPLS VPNs use a two-label stack. In a traditional VPN, the IP header is
hidden by a tunnel IP header. In an MPLS VPN, the inner (bottom) label,
assigned by the egress PE to identify the customer VRF or interface, is hidden
by an outer (top) transport label that identifies the PE router connected to
that customer. MPLS switching through the provider network is based on the
top label until it reaches the edge (or egress) router. The top label is popped,
and the egress router reads the second label to learn where to send that
traffic. PHP can be used with MPLS VPNs. If so, the penultimate router removes
the top label, and the egress PE receives the packet with only the VPN label,
uses it to identify the customer VRF, and does a single route lookup in that
VRF. Otherwise, the PE router must do two lookups.

Configuring Frame Mode MPLS
Three steps are required to configure a router to run MPLS:
Step 1. Enable CEF.
Step 2. Enable MPLS on the desired interfaces.
Step 3. Optionally adjust the interface maximum transmission units
(MTU).
The following subsections examine each of these steps more closely.
Enabling CEF
CEF can be enabled either for all interfaces or on individual interfaces only.
If it is not already enabled by default, use the global command ip cef
[distributed] to enable it on all interfaces. The distributed keyword is used
to enable distributed CEF on line cards or processors capable of running it.

To enable CEF on an individual interface, use the ip route-cache cef interface
command. Note that CEF is not supported on logical interfaces, such as
loopbacks.
Verify CEF operation with any of several variants of the show ip cef
command. The show ip cef detail option is good to start with because it
shows a summary of CEF routes and a list of all adjacencies.
Enabling MPLS
MPLS is globally enabled by default on Cisco routers. If it has been
disabled, enable it with the global command mpls ip. It must then be
enabled on each interface that will participate in label switching; enable it
with the interface command mpls ip.
LDP is the default label distribution protocol in Cisco IOS Release 12.4(3)
and later. There is an older Cisco prestandard version called Tag Distribution
Protocol (TDP). You might need to enable it if you are connecting to a Cisco
router that does not support LDP; if you need to specify the protocol, use the
interface command mpls label protocol [tdp | ldp | both]. Both protocols
can run on the same router, and even on the same interface. In some Cisco IOS
versions, MPLS commands show in the running configuration as "tag-switching"
commands.
LDP runs over TCP and, by default, accepts a session from any neighbor that
discovers it. On links where another party could attach, protect the session
with an MD5 password using the global command mpls ldp neighbor ip-address
password password on both routers.
Increasing the MTU Size
Each MPLS Frame mode label adds 4 bytes to every frame. You might need to
increase the interface MTU size to accommodate this, to prevent packets from
being fragmented. The MTU is automatically increased on WAN interfaces,
but must be manually configured on LAN interfaces.
Ethernet uses a default MTU of 1500 bytes. If you are using an MPLS
implementation that uses just one label, increase it to 1504 bytes. MPLS
VPNs and MPLS traffic engineering (TE) use two labels, so you must
increase the MTU size to 1508 bytes if you are using either of these.
Increase the MTU to 1512 bytes when using MPLS VPNs with TE, to
accommodate three labels.
To manually set the MTU size, use the mpls mtu bytes command in interface
configuration mode. You may also need to enable jumbo frame support on
the connecting switch.

Penultimate Hop Popping
The LSR directly connected to a destination network (typically the PE router)
is referred to as the ultimate hop for that network. The router right before it
is the penultimate hop for that network. The directly connected LSR can
advertise a label value of 3 (the reserved implicit-null label) for that
destination network. Label 3 tells the neighbor router to pop the label before
forwarding the packet—referred to as penultimate hop popping (PHP). The
penultimate router records this in its LFIB as a pop action; label 3 itself
never appears in a packet on the wire.
PHP saves time and work for the PE LSR. Without it, the PE router would
have to do an LFIB lookup, remove the top label, and then do a FIB lookup.
With PHP, it only needs to do the FIB lookup, which helps optimize MPLS
performance.
Figure 3-3 puts all these concepts together to show how MPLS routers use
labels and each of the tables to forward traffic.
Figure 3-3 MPLS Packet Forwarding
[Figure: CE-1 connects to provider edge LSR A; LSR A, LSR B, LSR C, and provider edge LSR D form the MPLS network; LSR D connects to CE-2 and network X. The packet leaves CE-1 as IP = X, carries label 18 from A to B, carries label 37 from B to C, and arrives at D as IP = X again. Each LSR is drawn with its FIB, LIB, and LFIB entries for network X: A imposes 18 toward B, B swaps 18 for 37 toward C, C's LFIB entry for 37 is "pop" toward D, and D, which has X directly connected, forwards it untagged.]
In Figure 3-3, router CE-1 forwards a packet destined for network X, which
is directly connected to LSR D. LSR A receives it as an IP packet, does a FIB
lookup, and imposes the label 18. This is the value that LSR B advertised
to it for network X. It forwards the labeled packet to LSR B.
LSR B receives the labeled packet, does an LFIB lookup, and swaps the
labels. It forwards the packet to LSR C with a label of 37, the label value
advertised by C for network X.
LSR C receives the labeled packet and does an LFIB lookup. It sees that it
must pop the label before forwarding the packet to the next hop, router D.
When the label is popped, there are no other labels, so the packet is
forwarded to LSR D as an IP packet.
The packet is addressed to the WAN interface of CE-2, so LSR D forwards
it as an IP packet to CE-2.

Label Distribution and Label Tables
Routers send label information to each other using LDP, but they must first have
a route to a network before creating a label for it. The process has four steps:
Step 1. Routing protocols distribute route information. The routing table
and CEF FIB are built based on this information.
Step 2. The LSR assigns a locally significant label to each destination
network. This is recorded in the LIB table. Label values 0
through 15 are reserved for special use (for example, 0 is the IPv4
explicit-null label and 3 is the implicit-null label).
Step 3. Each LSR sends the local label for each network to its neighbors
via LDP. This is done asynchronously: a router does not wait to
receive a label from its downstream router before advertising its
own label. Labels are advertised to every neighbor, even the one
chosen as the next hop for that network.
Step 4. The LSR records label information received from its neighbors in
its LIB, FIB, and LFIB.
Each forwarding table is used as follows:
■ The LIB lists each IP network, the local label for that network, and
any labels received from neighbors for that network. It is in the
control plane.
■ The FIB is used to forward unlabeled IP packets. It is in the data plane.
■ The LFIB lists each label, what label to swap it for, and the next-hop
neighbor. It is in the data plane.

MPLS Labels
MPLS has two modes: Cell mode and Frame mode. Cell mode is used with
ATM, and the virtual path identifier / virtual circuit identifier (VPI/VCI)
values are used as the MPLS label. Frame mode is used with any Layer 2
protocol that uses frames and inserts a 32-bit label between the Layer 2 and
Layer 3 headers. MPLS routers can do one of three things with a label. They
can impose a label, which means they insert it into the header. They can swap
a label, which means they remove one label and replace it with another. Or
they can pop a label, which means they remove the label. Figure 3-2 shows
the structure of an MPLS label.
Figure 3-2 MPLS Label
Label Number (20 bits) | Exp. (3 bits) | S (1 bit) | TTL (8 bits)
The label's Number field is 20 bits, the 3 Experimental bits carry the class of
service (typically copied from the IP precedence), the 1-bit Bottom of the Stack
field indicates whether this is the last label, and the last 8-bit field indicates
a Time to Live value. Multiple labels can be imposed, such as when using an
MPLS VPN, MPLS traffic engineering, or a combination of the two. Each LSR
only acts based on the top label.
Special Ethertypes are used in an Ethernet header to indicate that an MPLS
label follows, including
■ 0x8847—Indicates a unicast labeled IP packet
■ 0x8848—Indicates a multicast labeled IP packet
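The following Python example is added here and is not part of the original reference. It encodes and decodes the 32-bit label stack entry of Figure 3-2, walks a label stack using the bottom-of-stack bit, performs the impose, swap and pop actions an LSR takes on the top label only, and treats an outgoing label of 3 as the penultimate-hop pop described in the PHP section. It then replays the forwarding path of Figure 3-3 (labels 18 and 37 as in the figure) and shows, for the two-label VPN stack, why the MPLS MTU section asks for 1508 bytes. The LFIB contents and the IP payloads are constructed for the example.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS_UNICAST = 0x8847
ETHERTYPE_MPLS_MULTICAST = 0x8848
IMPLICIT_NULL = 3          # advertised by the ultimate hop; tells the neighbor to pop (PHP)
LABEL_ENTRY_LEN = 4        # every label stack entry is 32 bits


def encode_label(label, exp=0, bos=False, ttl=64):
    """One 32-bit label stack entry: 20-bit label, 3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | ((exp & 0x7) << 9) | (int(bos) << 8) | (ttl & 0xFF))


def decode_label(entry):
    value, = struct.unpack("!I", entry[:LABEL_ENTRY_LEN])
    return {"label": value >> 12, "exp": (value >> 9) & 0x7,
            "bos": bool((value >> 8) & 1), "ttl": value & 0xFF}


def impose(labels, ip_packet, ttl=64):
    """Ingress edge LSR: push a label stack (top label first) in front of an IP packet.
    Only the last entry carries the bottom-of-stack bit."""
    entries = [encode_label(l, bos=(i == len(labels) - 1), ttl=ttl) for i, l in enumerate(labels)]
    return b"".join(entries) + ip_packet


def parse_stack(data):
    """Walk the stack until the S bit is set; return (entries, payload)."""
    entries, offset = [], 0
    while True:
        entry = decode_label(data[offset:offset + LABEL_ENTRY_LEN])
        entries.append(entry)
        offset += LABEL_ENTRY_LEN
        if entry["bos"]:
            return entries, data[offset:]


def rebuild(entries, payload):
    return b"".join(encode_label(e["label"], e["exp"], e["bos"], e["ttl"]) for e in entries) + payload


def switch(ethertype, data, lfib):
    """Data-plane action of an LSR on a received frame payload, acting on the top label only.
    lfib maps incoming label -> outgoing label; an outgoing IMPLICIT_NULL means pop.
    Returns the (ethertype, payload) handed to the next hop."""
    if ethertype != ETHERTYPE_MPLS_UNICAST:
        raise ValueError("not a unicast labeled packet")
    entries, payload = parse_stack(data)
    top, rest = entries[0], entries[1:]
    if top["label"] == IMPLICIT_NULL:
        raise ValueError("implicit null never appears on the wire")
    if top["label"] not in lfib:
        raise KeyError(f"no LFIB entry for label {top['label']}: drop")
    ttl = top["ttl"] - 1
    if ttl <= 0:
        raise ValueError("TTL expired")
    out_label = lfib[top["label"]]
    if out_label == IMPLICIT_NULL:                       # penultimate hop popping
        if not rest:                                     # last label gone: plain IP packet
            return ETHERTYPE_IPV4, payload
        rest[0] = dict(rest[0], ttl=ttl)                 # decremented TTL moves to the new top label
        return ETHERTYPE_MPLS_UNICAST, rebuild(rest, payload)
    return ETHERTYPE_MPLS_UNICAST, rebuild([dict(top, label=out_label, ttl=ttl)] + rest, payload)


def walk_figure_3_3(ip_packet):
    """Replays Figure 3-3: A imposes 18, B swaps 18 for 37, C pops because D advertised label 3."""
    ethertype, data = ETHERTYPE_MPLS_UNICAST, impose([18], ip_packet)        # LSR A
    trace = [decode_label(data)["label"]]
    ethertype, data = switch(ethertype, data, {18: 37})                      # LSR B
    trace.append(decode_label(data)["label"])
    ethertype, data = switch(ethertype, data, {37: IMPLICIT_NULL})           # LSR C (PHP)
    return trace, ethertype, data == ip_packet
```

A labeled packet with no LFIB entry is dropped rather than forwarded, and a packet whose top label is 3 is rejected outright; both are conditions an LSR must treat as errors rather than guess about. With a two-label VPN stack, popping the transport label at the penultimate hop leaves the VPN label on top, which is exactly what lets the egress PE do a single lookup.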

Functions of the Control and Data Planes on an LSR
Figure 3-1 Functions of the Control and Data Planes on an LSR
[Figure: an edge LSR. Control plane: routing protocol, routing table, Label Distribution Protocol, Label Information Base. Data plane: FIB and LFIB.]
Figure 3-1 shows an edge LSR, which does both routing and label switching.
Four forwarding scenarios could occur in this router:
■ An unlabeled IP packet is received and is forwarded unlabeled to a
next hop in the IP network.
■ An unlabeled IP packet is received, a label is imposed, and it is
forwarded to a next hop in the MPLS network.
■ A labeled packet is received, the label is swapped, and it is forwarded
to a next hop in the MPLS network.
■ A labeled packet is received, the label is removed, and it is sent as an
unlabeled, regular IP packet.

MPLS Routers
MPLS defines two roles for routers. A Label Switch Router (LSR) has all its
interfaces within the MPLS network and does its path selection primarily
based on labels. An Edge LSR has some interfaces in the MPLS network and
some in a normal IP network, and so does some routing and some label
switching. An LSR is sometimes referred to as a provider (P) router, and the
edge LSR as a provider edge (PE) router.
LSRs function at two planes, the control plane and the data plane. The
control plane handles routing protocols and a label-exchange protocol called
Label Distribution Protocol (LDP). It contains the routing table and the
Label Information Base (LIB). The data plane contains the CEF FIB and
adjacency table and the MPLS Label FIB (LFIB); it forwards traffic based
on those. Figure 3-1 shows the functions at each plane.

Cisco Express Forwarding
MPLS relies on Cisco Express Forwarding (CEF) to indicate the next hop
for a packet to use. Cisco routers can use three types of packet switching:
■ Process switching—The CPU must be interrupted and a route table
lookup done for every packet. This is the slowest type of switching.
■ Fast switching—A route table lookup is done only for the first packet
in a flow. The next-hop information, including the Layer 2 header, is
cached and used for the remainder of the packets in the flow. It is faster
than process switching.
■ CEF switching—The router builds tables of next-hop and Layer 2
information before any traffic is received. This is the fastest type of
switching.
CEF takes information from the IP routing table and builds its own table, the
Forwarding Information Base (FIB). Because the CEF table is based on the
routing table, any route changes are immediately reflected in it. CEF also builds
an adjacency table, which contains the Layer 2 header for each next-hop
neighbor. When a packet needs to be forwarded through the router, CEF can
do the processing in hardware on platforms that support it, making it extremely
fast. With MPLS, an extra field with label information is added to the FIB.

Troubleshooting ADSL
When troubleshooting ADSL problems, start with checking Layer 1 physical
connectivity. If that checks out okay, progress to checking Layer 2 connectivity.
Finally, check Layer 3.
Troubleshooting ADSL at Layer 1
Try the following procedures when troubleshooting DSL physical layer
problems:
1. Check for the carrier detect light on the router’s ATM interface. If it is
off, use the show interfaces atm interface_number command to check
the interface status. If the interface status is down, try swapping out the
RJ-11 cable connecting to the wall jack. The middle pins are used with
ADSL signaling. If that doesn’t work, contact the provider to make sure
that the DSL service has been started.
2. If the interface status shown in the show interfaces atm command is
“administratively down,” enable the interface with the command no
shutdown.
3. If there is a carrier detect light, check communication with the DSLAM.
The subscriber DSL modem should train to the DSLAM. This allows
them to negotiate settings such as speed. To verify this, use the show
dsl interface atm interface_number command and look for the Modem
Status field. It should say “Showtime.” There should also be a nonzero
value in the Speed field.
4. Check the DSL modulation type. Verify with the provider that your
router’s chipset is supported and find out what operating mode it
should be in to support the correct modulation. Set this on the router
with the command dsl operating-mode {auto | ansi-dmt | itu-dmt |
splitterless}. If the modulation type is unknown, use the auto option.

Configuring PPPoA CPE
Cisco routers support three types of PPPoA connections:
■ Cisco proprietary PPPoA
■ The Internet Engineering Task Force (IETF) Multiplex (MUX)-encapsulated PPPoA
■ The IETF Logical Link Control (LLC)-encapsulated PPPoA
Configuring PPPoA involves almost the same tasks as configuring PPPoE.
You still must set up the internal Ethernet interface, a dialer interface, PAT,
DHCP,and a static default route. The main difference is in the configuration
of the external interface. Because it is ATM, you need to configure virtual
path identifier (VPI) and virtual circuit identifier (VCI) information to match
that of the provider. The type of ATM encapsulation must be specified, PPPoA
enabled, and the PVC linked to the virtual dialer interface by making it a
member of the dialer pool, as shown in Example 2-7.
Example 2-7 Configuring the PPPoA ATM Interface
interface ATM1/0
description DSL interface
no ip address
dsl operating-mode auto
pvc 1/100
encapsulation aal5mux ppp dialer
dialer pool-member 1

Frame Mode MPLS
Multiprotocol Label Switching (MPLS) is a technology that provides any-to-any
connectivity between remote sites, using only a single WAN connection
per site. The "magic" to MPLS is done in the WAN provider's network,
where traffic is switched from hop to hop, rather than routed. MPLS tunnels
each company's traffic through the provider's network, providing an extra
level of separation. That separation is logical, not cryptographic: the
provider's routers see the customer's packets in the clear, so traffic that must
stay confidential should still be protected with IPsec over the MPLS VPN.
Some large companies set up their own private MPLS networks, but most rely
on the provider. Most companies just connect their WAN edge routers to a
provider MPLS edge router and have no MPLS configuration on their own
routers at all.
The destination IP network usually determines the path between sites, but
MPLS allows other considerations to influence the path, such as the following:
■ Virtual private network (VPN) destination
■ Quality of service (QoS) settings
■ Source address
■ Outbound interface
■ Layer 2 circuit
Having path-selection options other than the IP route enables MPLS to support
non-IP protocols. MPLS uses labels, inserted between the Layer 2 and Layer 3
headers, to indicate the selected path. MPLS routers remove the received label
and insert a new label before the packet is forwarded to the next hop.

Troubleshooting ADSL at Layer 2
If the interface status shows that it is up, and the line protocol is up, move to
troubleshooting Layer 2 issues. Try the following to look for PVC or PPP
problems:
1. Use the command ping atm interface atm interface_number vpi vci
seg-loopback to check that your PVC is configured on the next-hop
ATM switch, which is typically the DSLAM. This command sends
management traffic called Operation, Administration, and Maintenance
(OAM) packets to the DSLAM. You should receive a normal ping
response if the PVC is configured.
2. Debug the events occurring on the interface processor with the debug
atm events command. This should show no output when everything is
working well; when there are problems, however, it can show useful
information such as the VPI/VCI number that the DSLAM expects.
The ISCW course recommends beginning a continuous ping over the
Internet (not over the internal network) to the router’s IP address
before giving this command.
3. Verify that the router is receiving data by using the show interfaces
atm interface_number command. Look for packets input and output.
4. If the previous procedures show that everything is working, check
for PPP problems. PPP should go through three phases: Link Control
Protocol (LCP) negotiation, authentication, and Network Control
Protocol (NCP) negotiation. The IP address is assigned by IPCP during
the NCP phase. Use the commands debug ppp negotiation and debug
ppp authentication to see whether there is a failure at any of these
phases.
When debugging PPP, look first for a lack of response from the aggregation
router. If data link parameters cannot be negotiated, LCP will
not open. If the authentication parameters are incorrectly configured,
CHAP authentication will fail. If IPCP fails, the IP parameters are
likely configured incorrectly either on the CPE or on the aggregation
router.

Configuring DSL CPE
When a CPE router is used as the PPP client, it must be configured. The
configuration will differ depending on whether you are using PPPoE or
PPPoA. PPPoE can be used with an Ethernet or an ATM interface on the
router connecting to the DSL network. An Ethernet interface is used if the
router connects to a DSL modem; an ATM interface is used if the router
connects directly to the DSL network. A dialer interface must also be
created and configured with PPP parameters.
Configuring PPPoE CPE
The following tasks must be completed to configure a CPE router for
PPPoE:
1. Configure the internal and external interfaces.
2. Configure a dialer interface.
3. Configure NAT/PAT.
4. Configure the router to act as a DHCP server.
5. Configure a default route.
First, configure the internal Ethernet interface with an IP address. It will be
the default gateway for the users. Also, configure it as the inside interface for
NAT.
Do not put an IP address on the external Ethernet interface. Enable PPPoE
on it, and assign it to a PPPoE client dialer pool. The final configuration on
the two Ethernet interfaces should be similar to that shown in Example 2-1.
Example 2-1 Configuring Ethernet Interfaces for PPPoE
interface FastEthernet0/0
description DSL interface
no ip address
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
description Internal interface
ip address 172.16.1.1 255.255.255.0
ip nat inside
If the external interface is ATM, the configuration changes slightly. You must
configure the ATM permanent virtual circuit (PVC) information and assign
the interface to a PPPoE client dialer pool. Leave the DSL operating mode at
its default to auto-detect the correct modulation, as shown in Example 2-2.
Example 2-2 Configuring an ATM Interface for PPPoE
interface ATM1/0
description DSL interface
no ip address
dsl operating-mode auto
pvc 1/100
pppoe-client dial-pool-number 1
Second, configure a dialer interface and assign it to the same dialer pool as
the Ethernet interface. Give it a PPP encapsulation and configure the PPP
parameters on it. Make it the NAT outside interface. Limit the maximum
transmission unit (MTU) size to 1492 bytes: the 6-byte PPPoE session header
and the 2-byte PPP protocol field must fit inside the 1500-byte Ethernet
payload. Because DSL is an always-on connection, a dialer list is
not required. Your configuration should look similar to Example 2-3. Verify
PPP operation with the show ppp session command. You can also debug
PPP with the commands debug ppp authentication and debug ppp negotiation.
Note that the CHAP secret is stored in the configuration; anyone who can read
the running configuration or a backup of it can reuse the DSL credentials.
Example 2-3 Configuring a Dialer Interface for PPPoE
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication chap
ppp chap password dslpass
Next, configure the router to do NAT or PAT. NAT translates one internal
address to one external one. PAT can translate multiple internal addresses to
one external one. Most residential and SOHO subscribers use PAT. To
configure it, identify the traffic that must be translated using an access list.
Then tell the router to translate those IP addresses to the IP address of the
dialer interface, and to "overload" that external IP address. The overload
keyword causes the router to use PAT. Be sure to designate the inside and
outside interfaces (see Example 2-1 for those commands). PAT configuration
is done in global configuration mode, as shown in Example 2-4.
Verify your NAT/PAT operation with the show ip nat translations
command.
Example 2-4 Configuring NAT/PAT
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
!
ip nat inside source list 100 interface Dialer1 overload
The next task is to configure the router to serve IP addresses to internal
hosts. To set up basic DHCP, create a pool of addresses for assigning to
clients, specify the clients' default gateway, and import the DNS information
obtained from the DSL provider via PPP. Example 2-5 shows what this
might look like. On the router, verify IP address assignment using the
command show ip dhcp binding. On a Windows-based user computer,
verify the IP address at a command prompt with ipconfig /all.
Example 2-5 Configuring a Router as a DHCP Server
ip dhcp pool Users
import all
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
Finally, configure a static default route. It should point to the dialer interface
rather than an IP address, as shown in Example 2-6.
Example 2-6 Configuring a Static Default Route
ip route 0.0.0.0 0.0.0.0 Dialer1

PPPoE
When PPPoE is used, a PPP session is established, similar to when using
dialup. Either Password Authentication Protocol (PAP) or Challenge
Handshake Authentication Protocol (CHAP) authentication can be used. The
provider’s aggregation router and the subscriber’s CPE establish a session
between them. There are three ways to do this:
■ The PPP client on a subscriber router with a DSL interface terminates
both the DSL and the PPP sessions. The router can allow multiple
users over the DSL with just one PPP login, by acting as a DHCP
server and doing Network Address Translation (NAT) or Port Address
Translation (PAT) for the subscriber users. The router obtains its
outside IP address via PPP's IP Control Protocol (IPCP).
■ A DSL modem terminates the DSL session, and the PPP client on a
CPE router terminates the PPP session. The router can act as a DHCP
server and do NAT/PAT, to allow multiple internal users. It obtains its
outside address via IPCP.
■ A DSL modem terminates the DSL session, and a PPP client on the
subscriber PC terminates the PPP session. Traffic is bridged from the
PC to the aggregation router, so the PC is directly exposed to the
provider's network. This allows only a single DSL user. If multiple
users are at the same residence, they must each have their own PPP
login, and they each obtain an IP address via IPCP.
PPP was created to be used over a point-to-point connection, and Ethernet is
inherently multipoint, so PPPoE uses a PPP server discovery process. After
a server has been discovered, a virtual point-to-point link can be established,
and the PPP session process can continue. The PPP server discovery stage
has four steps:
Step 1. The PPP client sends a PPPoE Active Discovery Initiation
(PADI) broadcast.
Step 2. Any PPP servers (aggregation routers) reply with a PPPoE Active
Discovery Offer (PADO), sent as a unicast to the client’s MAC
address.
Step 3. The client replies to the server with a PPPoE Active Discovery
Request (PADR).
Step 4. The server confirms the association with a PPPoE Active
Discovery Session-confirmation (PADS) message.
When these steps have been completed, the normal PPP session negotiations
proceed, and a session is established.
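The following Python example is added here and is not part of the original reference. It implements the four discovery steps above as an exchange between a client and an access concentrator: PPPoE discovery packets (EtherType 0x8863; codes PADI 0x09, PADO 0x07, PADR 0x19, PADS 0x65) with their TLV tags, a Host-Uniq tag so the client recognizes replies meant for it, and the AC-Cookie tag of RFC 2516, which lets the concentrator stay stateless until a PADR carries a cookie it issued, so a flood of spoofed PADIs cannot exhaust its session table. The max_ip_mtu helper shows where the 1492-byte ip mtu of the dialer interface comes from. The AC name, secret and MAC addresses are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ETHERTYPE_PPPOE_DISCOVERY = 0x8863
ETHERTYPE_PPPOE_SESSION = 0x8864
VER_TYPE = 0x11                                  # version 1, type 1
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0101, 0x0102, 0x0103, 0x0104
PPPOE_HEADER_LEN, PPP_PROTOCOL_LEN = 6, 2


def pppoe_packet(code, session_id, tags):
    """PPPoE header (ver/type, code, session id, length) followed by TLV tags."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(body)) + body


def parse_pppoe(data):
    ver_type, code, session_id, length = struct.unpack("!BBHH", data[:6])
    if ver_type != VER_TYPE:
        raise ValueError("unsupported PPPoE version/type")
    tags, offset, end = [], 6, 6 + length
    while offset < end:
        t, l = struct.unpack("!HH", data[offset:offset + 4])
        tags.append((t, data[offset + 4:offset + 4 + l]))
        offset += 4 + l
    return code, session_id, tags


def get_tag(tags, wanted):
    return next((v for t, v in tags if t == wanted), None)


class AccessConcentrator:
    """Aggregation router side. It keeps no state until a PADR arrives with a valid
    AC-Cookie (an HMAC over the client MAC), so spoofed PADIs cannot exhaust it."""

    def __init__(self, name, secret):
        self.name, self.secret, self.next_session, self.sessions = name, secret, 1, {}

    def cookie(self, client_mac):
        return hmac.new(self.secret, client_mac, hashlib.sha256).digest()[:16]

    def handle(self, client_mac, data):
        code, _, tags = parse_pppoe(data)
        host_uniq = get_tag(tags, TAG_HOST_UNIQ)
        echo = [] if host_uniq is None else [(TAG_HOST_UNIQ, host_uniq)]   # always echoed back
        if code == PADI:                          # step 2: offer, unicast back to the client MAC
            return pppoe_packet(PADO, 0, [(TAG_AC_NAME, self.name), (TAG_SERVICE_NAME, b""),
                                           (TAG_AC_COOKIE, self.cookie(client_mac))] + echo)
        if code == PADR:                          # step 4: confirm only if the cookie is ours
            cookie = get_tag(tags, TAG_AC_COOKIE)
            if cookie is None or not hmac.compare_digest(cookie, self.cookie(client_mac)):
                return None
            session_id = self.next_session
            self.next_session += 1
            self.sessions[session_id] = client_mac
            return pppoe_packet(PADS, session_id, [(TAG_SERVICE_NAME, b"")] + echo)
        return None


class PPPoEClient:
    """CPE side. Host-Uniq lets it tell its own replies apart from other clients' on the segment."""

    def __init__(self, mac):
        self.mac, self.host_uniq, self.session_id, self.ac_name = mac, os.urandom(4), None, None

    def padi(self):                               # step 1: broadcast
        return pppoe_packet(PADI, 0, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, self.host_uniq)])

    def on_pado(self, data):                      # step 3: request from the chosen AC
        code, _, tags = parse_pppoe(data)
        if code != PADO or get_tag(tags, TAG_HOST_UNIQ) != self.host_uniq:
            return None
        self.ac_name = get_tag(tags, TAG_AC_NAME)
        out = [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, self.host_uniq)]
        cookie = get_tag(tags, TAG_AC_COOKIE)
        if cookie is not None:
            out.append((TAG_AC_COOKIE, cookie))   # RFC 2516: a received AC-Cookie must be echoed
        return pppoe_packet(PADR, 0, out)

    def on_pads(self, data):
        code, session_id, tags = parse_pppoe(data)
        if code == PADS and get_tag(tags, TAG_HOST_UNIQ) == self.host_uniq and session_id != 0:
            self.session_id = session_id
        return self.session_id


def discover(client, ac):
    """Runs the four discovery steps between one client and one AC; returns the session id."""
    pado = ac.handle(client.mac, client.padi())
    padr = client.on_pado(pado)
    pads = ac.handle(client.mac, padr)
    return client.on_pads(pads)


def max_ip_mtu(ethernet_mtu=1500):
    """Largest IP packet that fits once the PPPoE session header and PPP protocol field are added."""
    return ethernet_mtu - PPPOE_HEADER_LEN - PPP_PROTOCOL_LEN
```

Discovery happens before any PPP authentication, so anything on the Ethernet segment can answer a PADI; the client simply takes an offer. That is why the concentrator, not the client, is the side that needs the cookie, and why a PPPoE link should be treated as untrusted until CHAP has completed.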
PPPoA
PPPoA requires a CPE router; traffic is routed from the subscriber PCs to
the aggregation router—it cannot be bridged as with PPPoE. The PPP
session is established between the CPE router and the aggregation router.
Multiple users are supported if the CPE router is configured to do DHCP
and NAT. Traffic between the CPE router and the aggregation router is
encapsulated as ATM at Layer 2, rather than Ethernet. Therefore, the CPE
router must have an ATM interface.

ADSL
ADSL is a popular residential service because it can carry both voice and
data over one twisted pair of wires. This capability is accomplished by using
either a splitter or a filter. A splitter takes the incoming analog signals and
splits off the frequencies under 4 MHz to a voice line. It sends all other
traffic to the DSL line. Splitters are more typically used at the CO than the
subscriber premises because they require a technician to install them. A
filter, or microfilter, requires no installation. It simply connects to the phone
line on one end and the telephone on the other. It passively filters out any
signals in the DSL range so that only voice reaches the telephone.
Figure 2-2 shows how ADSL components work together in a typical residential
implementation. The telephone company’s CO forwards both plain old
telephone service (POTS) and DSL data traffic over the same line to the
subscriber. The line enters at the network interface device (NIDS) and
branches toward the telephone and the PC. A low-pass filter blocks everything
but voice frequencies from reaching the phone. A DSL modem (or
router with a DSL interface) forwards data to the PC. When the CO receives
traffic from the subscriber, a splitter sends voice frequencies to the PSTN
switch and DSL frequencies to the DSLAM. The DSLAM sends data traffic
to a router for forwarding to the Internet.

Figure 2-2 Components of an ADSL System
[Figure: the central office (splitter, PSTN switch, DSLAM, aggregation router, Internet) sends voice + DSL over the local loop to the residence, where the NIDS branches to a filter and telephone (voice) and to a DSL modem (DSL data); at the CO, voice goes to the PSTN and DSL data to the DSLAM.]
Carrierless Amplitude and Phase Line Coding
Carrierless Amplitude and Phase (CAP) is a DSL line-coding method that
divides the bandwidth into three channels: one for voice, one for downstream
data, and one for upstream data. Each type of traffic is carried within one
frequency band, and so CAP is termed a single-carrier modulation
technique. The bands are fairly wide. Voice uses 0 to 4 kHz, upstream traffic
uses 25 to 160 kHz, and downstream uses 240 kHz to 1.5 MHz. CAP is
simple to understand and implement but does not scale as well as Discrete
Multi-Tone (DMT) modulation.
Discrete Multi-Tone Line Coding
Discrete Multi-Tone (DMT) is the most widely used method of ADSL line
coding. It divides the DSL frequency band into 256 channels of 4 kHz each.
Some channels are duplex and used for both downstream and upstream
traffic. Others are used only for downstream. Channel quality is constantly
monitored, and the channels used can be changed when conditions warrant.
DMT is more complex than CAP but is also more flexible and scalable and
can achieve higher speeds.
A version of DMT, G.Lite ADSL, uses half the number of channels as DMT.
Layer 2 over DSL
Recall that DSL is a Layer 1 (physical layer) technology. There are three
methods of carrying data at Layer 2 over DSL:
■ Bridging. Based on RFCs 1483 and 2684. Ethernet traffic is just
bridged from the subscriber PCs, through the DSL modem and the
DSLAM, to a provider router. Bridging is not as secure or scalable as
other methods.
■ PPP over Ethernet (PPPoE). The most common Layer 2 method of
carrying data over DSL. PPP traffic is encapsulated in Ethernet
frames.
■ PPP over ATM (PPPoA). PPP packets are routed over ATM
between the subscriber equipment and the provider.

Types of DSL

Asymmetrical DSL has higher downstream (from the provider’s central
office [CO] to the subscriber) bandwidth than upstream (from the subscriber
to the CO). Symmetrical DSL has the same bandwidth both downstream
and upstream. You will sometimes see these referred to as “asynchronous”
and “synchronous” DSL.
The various types of DSL include the following:
■ ADSL. Asymmetric DSL supports both voice and data. Downstream
bandwidth goes up to 8 Mbps; upstream goes up to 1 Mbps. Two other
versions, ADSL2 and ADSL2+, provide 24 Mbps downstream and 1.5
Mbps upstream. The maximum distance from the CO is 18,000 feet, or
5.46 km.
■ RADSL. Rate-adaptive DSL changes the rate based on the local loop.
■ VDSL. Very-high-rate DSL can be either symmetric or asymmetric
and can carry voice along with data. Maximum symmetric bandwidth
is 26 Mbps; maximum asymmetric is 52 Mbps downstream and 13
Mbps upstream. The maximum distance from the CO is 4,500 feet, or
1.37 km.
■ IDSL. ISDN DSL carries only digital data (other forms of DSL send
analog signals). It uses both ISDN B channels and the D channel, for a
symmetric bandwidth of 144 kbps. The maximum distance for IDSL is
18,000 feet, or 5.46 km.
■ SDSL. Symmetric DSL carries only data, with a maximum for both
downstream and upstream of 768 kbps. The distance limitation is
22,000 feet, or 6.7 km. It is a proprietary technology that uses only one
twisted pair of wires.
■ HDSL. High-data-rate DSL uses two twisted pairs of wires to achieve
a maximum symmetrical bandwidth of 2.048 Mbps. Its maximum
distance from the CO is 12,000 feet, or 3.7 km. HDSL carries only
data, no voice.
■ G.SHDSL. Symmetric high-speed DSL has a symmetrical data rate
of 2.3 Mbps and the longest maximum distance: 28,000 feet, or 8.52
km. It also carries only data, no voice.

Digital Subscriber Line

Voice does not use all the available bandwidth on a phone line—it uses
frequencies only up to about 3 kHz. DSL was created to use the space between
3 kHz and 1 MHz to send data traffic over a telephone local loop. Thus, both
voice and data can be sent simultaneously over the same connection (some
variants of DSL use the entire spectrum, however, so no voice can be sent).
DSL is a physical layer medium that extends between the subscriber’s DSL
modem and the provider’s DSL access multiplexer (DSLAM).

Provisioning the Cable Modem

Cable modems communicate with their CMTS across whatever physical
networks connect them. The service provider must have the necessary auxiliary
services, such as DHCP, TFTP, and Time of Day (TOD), available at its headend.
When a cable modem boots, it registers with the CMTS and acquires its
configuration using the following steps:
Step 1. The cable modem scans for a downstream channel to use for
communication with the CMTS. Once it finds a channel, the CM
locks it in.
Step 2. The CMTS tells the CM the parameters to use for upstream messages.
Step 3. Communication is established at Layers 1 and 2 (physical and
data link layers).
Step 4. The cable modem broadcasts for a DHCP server. It obtains an IP
address, the address of the TFTP and TOD servers, and the name
of the TFTP file to download.
Step 5. The cable modem downloads the DOCSIS configuration file from
the TFTP server.
Step 6. The cable modem forwards the configuration file to the CMTS
and attempts to register with it. If the configuration is valid, the
modem is registered. The two devices negotiate QoS and security
settings.
Step 7. The user device—either a PC or a router—requests an IP address,
DNS server, and default gateway information from the cable provider.
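Step 4 as an added example (not from the original text): a parser that pulls, from a DHCP OFFER, the fields a cable modem provisions from next: its own address (yiaddr), the TFTP server (the siaddr field), the configuration file name (the BOOTP file field), the Time of Day servers (option 4) and the UTC offset (option 2). The field layout and option numbers are those of RFC 2131/2132; the sample OFFER, its addresses, the transaction ID and the file name "cm-gold-tier.cfg" are constructed for the example.

```python
# Added example, not code from the original text: extract the provisioning
# parameters a cable modem takes from a DHCP OFFER (step 4 above).
import socket
import struct

DHCP_OFFER = 2
OPT_PAD, OPT_TIME_OFFSET, OPT_ROUTER, OPT_TIME_SERVER, OPT_MSG_TYPE, OPT_END = 0, 2, 3, 4, 53, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"      # BOOTP fixed header, 236 bytes


def build_offer(xid, chaddr, yiaddr, tftp_server, config_file, tod_servers, gateway, utc_offset):
    """Constructed DHCP OFFER, as a headend DHCP server might answer a modem."""
    fixed = struct.pack(FIXED_FMT, 2, 1, 6, 0, xid, 0, 0, b"\0" * 4,
                        socket.inet_aton(yiaddr), socket.inet_aton(tftp_server),   # yiaddr, siaddr
                        b"\0" * 4, chaddr, b"", config_file.encode())              # giaddr, chaddr, sname, file
    options = (bytes([OPT_MSG_TYPE, 1, DHCP_OFFER, OPT_ROUTER, 4]) + socket.inet_aton(gateway)
               + bytes([OPT_TIME_OFFSET, 4]) + struct.pack("!i", utc_offset)
               + bytes([OPT_TIME_SERVER, 4 * len(tod_servers)])
               + b"".join(socket.inet_aton(s) for s in tod_servers) + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


def parse_options(raw):
    """TLV options after the magic cookie; pad has no length byte, end stops parsing."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == OPT_PAD:
            i += 1
            continue
        length = raw[i + 1]
        opts[raw[i]] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def provisioning_info(packet, expected_xid):
    """Fields the modem needs next: its IP (yiaddr), the TFTP server (siaddr), the
    configuration file name (file field), TOD servers (option 4), UTC offset (option 2)."""
    fields = struct.unpack(FIXED_FMT, packet[:236])
    op, xid, yiaddr, siaddr, filename = fields[0], fields[4], fields[8], fields[9], fields[13]
    if op != 2 or xid != expected_xid:
        raise ValueError("not a reply to this modem's DISCOVER")
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts = parse_options(packet[240:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCP_OFFER]):
        raise ValueError("not a DHCPOFFER")
    tod = opts.get(OPT_TIME_SERVER, b"")
    return {
        "ip": socket.inet_ntoa(yiaddr),
        "tftp_server": socket.inet_ntoa(siaddr),
        "config_file": filename.rstrip(b"\0").decode(),
        "tod_servers": [socket.inet_ntoa(tod[i:i + 4]) for i in range(0, len(tod), 4)],
        "utc_offset": struct.unpack("!i", opts[OPT_TIME_OFFSET])[0] if OPT_TIME_OFFSET in opts else 0,
        "gateway": socket.inet_ntoa(opts[OPT_ROUTER][:4]) if OPT_ROUTER in opts else None,
    }


SAMPLE_XID = 0x3903F326                                   # constructed transaction ID
SAMPLE_OFFER = build_offer(SAMPLE_XID, bytes.fromhex("020000c0ffee"), "10.20.30.40", "10.0.0.5",
                           "cm-gold-tier.cfg", ["10.0.0.6", "10.0.0.7"], "10.20.30.1", -18000)
```

The transaction ID check is what keeps the modem from acting on a reply meant for a different DISCOVER; everything the modem does in steps 5 and 6 depends on the TFTP server and file name read here.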

Figure 2-1 Components of a Cable System
[Figure: antenna site; headend with receivers, modulators, and scramblers, servers, and the CMTS (downstream and upstream to the Internet); fiber nodes, an amplifier, a tap, and a splitter on the way to the cable modem (CM).]
In Figure 2-1, video signals are received at the antenna site and sent to the
local headend site. Feeds from other headend sites might be used, too. Each TV
channel has receivers, modulators, and scramblers. The signals are transferred
via RF to a fiber transmitter. Data signals from the Internet or various servers
(such as e-mail or content servers) are modulated by the Cable Modem
Termination System (CMTS) router and sent as RF signals to the fiber transmitter.
They are then translated to optical signals and sent downstream, toward
the end users. A fiber node in the distribution network translates them back
to RF signals and sends them over the coaxial cable. Signals are boosted at
intervals by an amplifier. A tap divides the signal for sending to a particular
subscriber’s residence. At the residence, a splitter divides the signals into data
and video. Video is sent to the TV or set-top box, and data is sent to a cable
modem (CM). The cable modem demodulates the signal back to digital.
Cable Standards
Worldwide, three standards control cable TV systems:
■ National Television Standards Committee (NTSC). Analog television
standard used in North America. Specifies a 6-MHz channel width.
■ Phase-Alternating Line (PAL). Color television standard used in
most of the rest of the world. Specifies 6-, 7-, or 8-MHz channel widths.
■ Système Électronique Couleur avec Mémoire (SECAM). Standard
used in France and some Eastern European countries. Specifies an 8-MHz
channel.
The standard for sending data over cable systems is Data-Over-Cable
Service Interface Specifications (DOCSIS). This standard, developed by
CableLabs, defines physical and data link layer requirements for cable
modems. CableLabs also certifies cable modems and CMTS systems to work
with the standard. At the physical layer, DOCSIS specifies channel widths
and modulation methods. At the data link layer it specifies access methods,
some QoS capabilities, and some security features.
Cable RF waves use different frequencies for upstream and downstream
signaling. Downstream signals are allowed 810 MHz of bandwidth, in the
50- to 860-MHz range. This is then further subdivided into channels of 6-,
7-, or 8-MHz depending on the standard used. Upstream signals have only
37 MHz of bandwidth, in the 5- to 42-MHz range.

Providing SOHO/Teleworker Connectivity

The traditional teleworker solution consists of a virtual private network
(VPN) client on the user’s computer connecting over the Internet to a VPN
concentrator, firewall, or Cisco Adaptive Security Appliance (ASA) at the
corporate site. This requires only a dialup or broadband Internet connection
and a dialup or broadband modem. However, this approach has several
shortcomings:
■ Dialup does not provide the necessary bandwidth to take advantage of
all the corporate services, such as Voice over IP (VoIP).
■ There is no centralized control of the teleworker equipment, so security,
virus protection, and so forth are left to the teleworker to implement.
■ There is no control over quality of service (QoS) for advanced services.
■ It is hard for corporate IT staff to support.
The Cisco Business-Ready Teleworker Solution addresses these issues with
the traditional teleworker approach. It seeks to secure corporate data by
using IPsec VPNs, allow corporate control of the connection components,
and provide a scalable architecture as part of disaster planning. It consists of
an always-on broadband connection, a corporate-owned and -managed router
configured for VPN and QoS, IP phone, and (optionally) video equipment.
Two typical broadband connection types are digital subscriber line (DSL)
and cable.

Service-Oriented Network Architecture

An intelligent network is delivered using the Service-Oriented Network
Architecture (SONA) framework. SONA sees a converged network as the
connecting thread for all the portions of the network and the services provided.
The network is application aware; that is, it contains the intelligence needed
to tie all the various types of traffic together to deliver required services.
SONA defines three layers:
■ Network Infrastructure. IT resources such as servers, users, WANs,
and office locations all connected and accessible to each other
■ Integrated Services. Services such as voice, network management,
mobility, security, and storage that are delivered using the network
infrastructure
■ Application. Business applications that function using the integrated
services
In an enterprise, the campus and branch offices, teleworker access, and WAN
access all fall under the Network Infrastructure layer of the SONA. This
categorization allows workers in all types of locations to access the services
and applications of the other layers. The Cisco Enterprise Architecture
defines how each of these components should be designed and structured.

Cable Components

Five basic components comprise a cable TV/data system:
■ Antenna site. Receives TV signals from antennas or satellite dishes.
■ Headend site. Converts TV signals for distribution to end users and
converts data for transport to and from end users. Similar to a telephone
central office.
■ Transportation network. Links the antenna site to the headend or
the headend to the distribution network. Can use microwave, coaxial
cable, or fiber cable.
■ Distribution network. Carries signals between the end user and the
transportation network. Consists of trunks and feeder cables. Backbone
trunks are either fiber or coaxial cable. Feeder cables are usually
coaxial and connect the distribution network to the subscriber drops.
■ Subscriber drops. Connects the customer premises equipment (CPE)
such as TV, set-top box, or cable modem to the distribution network.
Uses coaxial cable.
Figure 2-1 shows more detail about how these components work together to
deliver combined cable TV and data to an end user. Each acronym and
component is further explained following the figure.

Broadband Cable

CATV, or Community Antenna Television, was originally developed to
provide improved TV signals by sharing antennas and satellite dishes. It used
coaxial cable to transport the TV signals to each subscriber. Current systems
typically use a combination of fiber and coaxial. When both fiber and coaxial
cables are used, the system is referred to as a hybrid fiber-coaxial (HFC)
network.
Broadband cable uses frequency-division multiplexing (FDM) to deliver data
over a radio frequency (RF) network. Cable provides relatively inexpensive
high-speed Internet access that supports analog and digital video, voice, and
data. Its downsides include possible bandwidth and security issues because it
is a shared medium. The provider can increase bandwidth by using smaller
service areas and more channels. Security can be addressed by the user
within the cable modem or with an onsite router.

Cisco Enterprise Architecture

The Cisco Enterprise Architecture model divides the network into building
blocks and gives best practices for the architecture of each one. The traditional
three-layer model (Core, Distribution, and Access) is still around and can be
integrated into the design of components of the Enterprise Architecture model.
Enterprise Architecture building blocks include the following:
■ Campus—The enterprise core, or headquarters. The campus building
block contains routing, switching, security, Voice over IP (VoIP), wireless,
and so on.
■ Data center—Server and application resources. Redundant data
centers provide business continuity and allow load balancing.
■ Branch office—Remote locations that contain services similar to the
campus but are administered centrally rather than at each location.
■ Teleworker—Either a small office, home office, or a mobile user.
Extends data (and possibly voice) services to these users over a virtual
private network (VPN) using broadband WAN access.
■ WAN—Connects all the different blocks together. Converges voice,
video, and data over an IP WAN that provides security, quality of
service (QoS), and ubiquitous access.
WAN options between the campus and branch offices include traditional
Layer 2 connections such as Frame Relay, ATM, and leased lines. Multiprotocol
Label Switching (MPLS) can provide any-to-any connectivity between the
sites and is highly scalable. IPsec VPNs across the Internet can also be used.
This short cut is concerned mainly with how the campus, branch, and small
office, home office (SOHO)/teleworker portions of the network use the WAN
to communicate with each other to provide network services to their users.


Network Conceptual Models
Conceptual models allow network designers to move from looking at the
network as a collection of devices to viewing it as a way to provide services
to users, no matter where the users and the services are located. Cisco
currently defines three models as the building blocks of a world-class enterprise
network: the Intelligent Information Network, the Service-Oriented
Network Architecture, and the Cisco Enterprise Architecture.
Intelligent Information Network
The Intelligent Information Network (IIN) seeks to create a holistic network
that integrates with and enables your business processes. It allows centralized
control and interoperation of distributed systems. This control and interoperability
can provide increased network security and efficiency.
The IIN consists of three components:
■ Integrated transport. Data, voice, and video all transported over a
secure IP network.
■ Integrated services. Shared/virtualized resources, such as storage
and servers.
■ Integrated applications. The network is application aware, enhancing
the efficiency of applications. This component includes
Application-Oriented Networking (AON), which offloads shared,
common functions, such as logging and security, to the network.

Securing Your Switch

Here are some basic security suggestions for network devices:
■ Use passwords that are not susceptible to a dictionary attack. Add
numbers or substitute numbers and symbols for letters.
■ Limit Telnet access using access lists.
■ Use SSH instead of Telnet.
■ Physically secure access to the device.
■ Use banners that warn against unauthorized access.
■ Remove unused services, such as finger, the TCP and UDP small
servers, service config, and HTTP server.
■ Set up and monitor Syslog.
■ Disable automatic trunking on all nontrunk ports.
■ Disable CDP on ports where it is not needed.

Loop Guard

Loop Guard prevents loops that might develop if a port that should be blocking
inadvertently transitions to the forwarding state. This can happen if the
port stops receiving BPDUs (perhaps because of a unidirectional link or a
software/configuration problem in its neighbor switch). When one of the
ports in a physically redundant topology stops receiving BPDUs, STP
considers the topology loop-free. Eventually, the blocking port becomes
designated and moves to a forwarding state, thus creating a loop. With Loop
Guard enabled, an additional check is made.
If no BPDUs are received on a blocked port for a specific length of time,
Loop Guard puts that port into loop inconsistent blocking state, rather than
transitioning to a forwarding state. Loop Guard should be enabled on all
switch ports that have a chance of becoming root or designated ports. It is
most effective when enabled in the entire switched network, in conjunction
with UDLD.
To enable Loop Guard for all point-to-point links on the switch, use the
following command:
Switch(config)#spanning-tree loopguard default
To enable Loop Guard on a specific interface, use:
Switch(config-if)#spanning-tree guard loop
Loop Guard automatically re-enables the port if it starts receiving BPDUs
once again.


Prevent Spanning Tree Loops
A switch notices when a physical connection is broken by the absence of
Layer 1 electrical keepalives (Ethernet calls this a link beat). However, sometimes
a cable is intact enough to maintain keepalives, but not to pass data in
both directions. This is a unidirectional link.

Unidirectional Link Detection (UDLD)
UDLD detects a unidirectional link by sending periodic hellos out the interface.
It also uses probes, which must be acknowledged by the device on the
other end of the link. UDLD operates at Layer 2. The port is shut down if a
unidirectional link is found.
To enable UDLD on all fiber-optic interfaces, use this command:
Switch(config)#udld enable
Although this command is given at global configuration mode, it applies
only to fiber ports. To enable UDLD on nonfiber ports, give the same
command at interface config mode.
To disable UDLD on a specific fiber port, use this command:
Switch(config-if)#udld disable
To disable UDLD on a specific nonfiber port, use this command:
Switch(config-if)#no udld enable
To re-enable all interfaces shut by UDLD, use the following:
Switch#udld reset
To verify UDLD status, use the following:
Switch#show udld interface

BPDU Guard

BPDU Guard prevents loops if another switch is attached to a Portfast port.
When BPDU Guard is enabled on an interface, it is put into an error-disabled
state (basically, it is shut down) if a BPDU is received on the interface. It can
be enabled at either global configuration mode—in which case it affects all
Portfast interfaces—or at interface mode. Portfast does not have to be enabled
for it to be configured at a specific interface.
Switch(config)#spanning-tree portfast bpduguard default
Switch(config-if)#spanning-tree bpduguard enable

ARP Spoofing

In an ARP spoofing attack, the attacker sends out gratuitous (unsolicited) ARP
messages giving the IP address of the local default gateway, with its own MAC
address as the layer 2 address. Local devices overwrite their existing correct
ARP information with the incorrect one, and, thus, they forward off-net traffic
to the attacker (it becomes a “man-in-the-middle”). If the attacker then forwards
it on to the legitimate router, this type of attack might go undetected by the
users.
Dynamic ARP Inspection (DAI) can work with DHCP snooping to stop ARP
spoofing. DAI defines trusted and untrusted interfaces. It intercepts ARP
messages on untrusted ports, and checks them against the IP address/MAC
address bindings in the DHCP snooping database. They must match for the
switch to forward the traffic. Access ports should be configured as untrusted,
and ports that connect to other switches or to a router should be trusted.
Enable DAI on a VLAN, or multiple VLANs, and configure trusted interfaces.
You can optionally configure a rate limit, or configure which addresses DAI
matches against (the default is IP and MAC address). The basic commands are:
Switch(config)#ip arp inspection vlan vlan_id
Switch(config-if)#ip arp inspection trust

Securing Spanning Tree

Spanning Tree tuning can help prevent a rogue device from becoming root
bridge or otherwise disrupting your user traffic. There are several tools at
your disposal—Figure 8-2 shows where each could be used in a switched
network.
Figure 8-2 Securing Spanning Tree
[Figure: a switched topology with a root bridge; blocking and forwarding ports are marked, and PortFast with BPDU Guard, BPDU Filter, Root Guard, Loop Guard, and UDLD are labelled on the ports and links where each applies.]


Spoof Attacks
Spoof attacks include DHCP spoofing, MAC address spoofing, and ARP
spoofing.
DHCP Spoofing
A DHCP spoofing attacker listens for DHCP requests and answers them,
giving its IP address as the client default gateway. The attacker then becomes a
“man-in-the-middle” as all off-net traffic flows through it.
DHCP snooping can prevent DHCP spoofing attacks. When DHCP snooping
is enabled, only ports that uplink to an authorized DHCP server are trusted,
and allowed to send all types of DHCP messages. All other ports on the
switch are untrusted and can send only DHCP requests. If a DHCP response
is seen on an untrusted port, the port is shut down. The switch can also be
configured to send information, such as port ID, using DHCP option 82.
Note
DHCP snooping configuration is user-impacting, because the switch drops all DHCP requests until
the ports are configured. You should do this during off hours or during a maintenance window.
Configure DHCP snooping with the following commands, either globally or
for a particular VLAN. Configure only individual ports that uplink to DHCP
servers as trusted ports.
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping information option
Switch(config)#ip dhcp snooping vlan number number
Switch(config-if)#ip dhcp snooping trust
Switch#show ip dhcp snooping
To extend the protection further, IP Source Guard tracks the IP addresses of
the host connected to each port and prevents traffic sourced from another IP
address from entering that port. The tracking can be done based on just an IP
address or on both IP and MAC addresses.
Enable IP Source Guard for both IP and MAC addresses on host access interfaces
with the command ip verify source vlan dhcp-snooping port-security.
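The DAI check described in the ARP Spoofing section and the DHCP snooping and IP Source Guard behaviour described here all consult the same DHCP snooping binding table. As an added example (not from the original text), the following model builds that table from DHCP exchanges and applies the three checks to constructed traffic. The port names, VLAN 10, and the MAC and IP addresses are constructed, and the model is simplified: it learns a binding only from a server ACK on a trusted port that follows a client message seen on an untrusted port, and it treats a server message on an untrusted port as a port-shutting violation, as the text describes.

```python
# Added example, not code from the original text: one binding table shared by
# DHCP snooping, Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG).
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}      # only a DHCP server sends these


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports, snooped_vlans):
        self.trusted = set(trusted_ports)       # uplinks toward the real DHCP server
        self.vlans = set(snooped_vlans)
        self.bindings = {}                      # (vlan, mac) -> Binding
        self.pending = {}                       # (vlan, mac) -> port the client spoke on
        self.errdisabled = set()
        self.log = []

    def dhcp(self, port, vlan, msg_type, client_mac, yiaddr=None):
        """DHCP snooping: police server messages, learn bindings from ACKs."""
        if vlan not in self.vlans:
            return "forward"                    # snooping not enabled on this VLAN
        if port in self.errdisabled:
            return "drop"
        if port not in self.trusted:
            if msg_type in SERVER_MESSAGES:
                # A DHCP server answering from behind an access port: shut the port
                self.errdisabled.add(port)
                self.log.append(f"{port}: DHCP {msg_type} on untrusted port, err-disabled")
                return "drop"
            self.pending[(vlan, client_mac)] = port   # remember where the client lives
            return "forward"
        if msg_type == "ACK" and (vlan, client_mac) in self.pending:
            client_port = self.pending.pop((vlan, client_mac))
            self.bindings[(vlan, client_mac)] = Binding(client_mac, yiaddr, vlan, client_port)
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: an ARP on an untrusted port must match a binding (default IP+MAC check)."""
        if port in self.trusted:
            return "forward"
        b = self.bindings.get((vlan, sender_mac))
        if b is None or b.ip != sender_ip:
            self.log.append(f"{port}: DAI drop, {sender_mac}/{sender_ip} not in binding table")
            return "drop"
        return "forward"

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IPSG: on an untrusted port the source IP and MAC must be bound to that port."""
        if port in self.trusted:
            return "forward"
        b = self.bindings.get((vlan, src_mac))
        if b is None or b.ip != src_ip or b.port != port:
            self.log.append(f"{port}: IPSG drop, {src_mac}/{src_ip}")
            return "drop"
        return "forward"


def demo():
    """Constructed traffic: one legitimate lease, then one spoofing attempt per check."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"}, snooped_vlans={10})
    client = "00:11:22:33:44:55"
    results = [
        # legitimate lease: client on Gi1/0/1, server behind the trusted uplink
        sw.dhcp("Gi1/0/1", 10, "DISCOVER", client),
        sw.dhcp("Gi1/0/24", 10, "OFFER", client, "10.1.10.50"),
        sw.dhcp("Gi1/0/1", 10, "REQUEST", client),
        sw.dhcp("Gi1/0/24", 10, "ACK", client, "10.1.10.50"),
        # the client's own ARP and IP traffic pass
        sw.arp("Gi1/0/1", 10, client, "10.1.10.50"),
        sw.ip_packet("Gi1/0/1", 10, client, "10.1.10.50"),
        # gratuitous ARP claiming the gateway address from another access port
        sw.arp("Gi1/0/2", 10, "de:ad:be:ef:00:01", "10.1.10.1"),
        # packet with a forged source IP from the real client's port
        sw.ip_packet("Gi1/0/1", 10, client, "10.1.10.1"),
        # DHCP OFFER sent by a host on an access port
        sw.dhcp("Gi1/0/3", 10, "OFFER", client, "10.1.10.99"),
    ]
    return results, sw
```

The log entries are what a practitioner would expect to see as syslog messages when these features fire; the binding table is also what `show ip dhcp snooping binding` would display.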

Private VLANs

Private VLANs (PVLANs) allow service providers to isolate customers into
separate multi-access domains. Using a VLAN for each customer is not scalable,
because a switch’s maximum VLANs would limit the number of
customers an ISP can have. Each VLAN requires a separate IP subnet, which
could also be a limiting factor.
PVLANs divide a VLAN into secondary VLANs, letting you isolate a set of
ports from other ports within the same VLAN. There are two types of
secondary VLANs:
■ Community VLANs—Ports can communicate with other ports in the
same community VLAN.
■ Isolated VLANs—Ports cannot communicate with each other.

Ports within a private VLAN can be one of three types:
■ Community—Communicates with other community ports and with
promiscuous ports.
■ Isolated—Communicates only with promiscuous ports.
■ Promiscuous—Communicates with all ports.
Table 8-3 shows the commands to configure a primary private VLAN,
secondary PVLANs, and their associated ports.
Table 8-3 Configuring Private VLANs
Command                                                                      Description
vlan vlan-id                                                                 Enters VLAN configuration mode.
private-vlan {community | isolated | primary}                                Configures the VLAN as a private VLAN and specifies the type. Repeat this command to configure all primary and secondary VLANs.
vlan primary-vlan-id                                                         Enters configuration mode for the primary VLAN.
private-vlan association secondary_vlan_list                                 Associates secondary VLANs with the primary one. Separate the secondary VLAN numbers with a comma, no spaces.
switchport mode private-vlan {host | promiscuous}                            Configures a port as either a host port (for community or isolated) or a promiscuous port.
switchport private-vlan host-association primary_vlan_ID secondary_vlan_ID   Associates a host port with its primary and secondary PVLANs.
switchport private-vlan mapping primary_vlan_ID secondary_vlan_list          Associates a promiscuous port with its primary and secondary PVLANs.
show interfaces interface switchport                                         Verifies the VLAN configuration.
show interfaces private-vlan mapping                                         Verifies the private VLAN configuration.

802.1Q Double-Tagging

A double-tagging attack is possible with 802.1Q trunking because it does not
tag frames from the native VLAN. In this attack, the attacking computer sets
up a trunk port between itself and the switch, then generates frames with two
802.1Q tags. The first tag matches the native VLAN of the trunk port, and
the second matches the VLAN of a host it wants to attack, as shown in
Figure 8-1.
Figure 8-1 VLAN Hopping by 802.1Q Double-Tagging
[Figure: an attacker on Switch A sends a frame with an outer 802.1Q tag for VLAN 100 (the native VLAN of both trunk links) and an inner tag for VLAN 200; Switch B delivers it to the target in VLAN 200.]
Switch A removes the first tag for VLAN 100, because it matches the native
VLAN for that link. It forwards the frame out all links with the same native
VLAN, including its link to Switch B. Switch B sees the frame come in with
an 802.1Q tag for VLAN 200, so it forwards it out the VLAN 200 link to the
victim computer.
To mitigate this type of attack, use the same strategies used for switch spoofing.
You can also use VLAN access control lists, called VACLs, or implement
Private VLANs.
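As an added example (not from the original text), the following model of a switch's 802.1Q ingress and trunk egress handling shows why the frame described above changes VLAN: a trunk port removes a tag that equals its native VLAN, so the inner tag becomes the outer tag on the next link. It then runs the same frame through the page's mitigation (the attacker's port is an access port rather than a DTP-negotiated trunk) and, going beyond the page, through a trunk whose native VLAN is an unused one, where the outer tag no longer matches and the inner tag is never exposed. The frame, the MAC addresses, and the assumption that an access port drops tagged frames are constructed for the example; exact behaviour varies by platform.

```python
# Added example, not code from the original text: a model of 802.1Q ingress and
# trunk egress handling that shows how a double-tagged frame changes VLAN.
import struct

ETHERTYPE_8021Q = 0x8100


def vlan_tags(frame):
    """VLAN IDs of the consecutive 802.1Q tags that follow the MAC addresses."""
    tags, offset = [], 12
    while frame[offset:offset + 2] == struct.pack("!H", ETHERTYPE_8021Q):
        tags.append(struct.unpack("!H", frame[offset + 2:offset + 4])[0] & 0x0FFF)
        offset += 4
    return tags


def pop_tag(frame):
    """Strip the outermost 802.1Q tag (the 4 bytes at offset 12)."""
    return frame[:12] + frame[16:]


def ingress(port, frame):
    """Assign an ingress VLAN. port is {"mode": "trunk", "native": N} or
    {"mode": "access", "vlan": N}. Returns (vlan, frame as the switch holds it),
    or (None, None) when dropped. Assumption: an access port drops tagged frames."""
    tags = vlan_tags(frame)
    if port["mode"] == "access":
        return (None, None) if tags else (port["vlan"], frame)
    if not tags:
        return port["native"], frame
    if tags[0] == port["native"]:
        # A tag equal to the native VLAN is redundant on a trunk and is removed;
        # whatever tag sits underneath is the outermost one from here on.
        return port["native"], pop_tag(frame)
    return tags[0], frame


def trunk_egress(vlan, frame, native):
    """Trunk egress: the native VLAN leaves untagged, every other VLAN tagged."""
    if vlan == native or vlan_tags(frame)[:1] == [vlan]:
        return frame
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan) + frame[12:]


def tagged_frame(dst, src, vlans, payload):
    """Constructed sample frame carrying the given stack of 802.1Q tags."""
    stack = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, v) for v in vlans)
    return dst + src + stack + b"\x08\x00" + payload


def vlan_seen_by_switch_b(port_a, trunk_native, frame):
    """Frame enters Switch A on port_a, crosses the A-B trunk (native VLAN
    trunk_native at both ends) and is classified by Switch B's trunk port."""
    vlan_a, held = ingress(port_a, frame)
    if held is None:
        return None                                   # dropped at Switch A
    on_wire = trunk_egress(vlan_a, held, trunk_native)
    return ingress({"mode": "trunk", "native": trunk_native}, on_wire)[0]


# Constructed addresses and frame: outer tag 100 (native VLAN), inner tag 200
STATION_A, STATION_B = bytes.fromhex("020000000a01"), bytes.fromhex("020000000b01")
DOUBLE_TAGGED = tagged_frame(STATION_B, STATION_A, [100, 200], b"constructed payload")


def scenarios():
    """DTP-negotiated trunk (the attack), access port (the page's mitigation),
    and a trunk whose native VLAN is an unused one (beyond the page)."""
    return {
        "trunk_native_100": vlan_seen_by_switch_b({"mode": "trunk", "native": 100}, 100, DOUBLE_TAGGED),
        "access_port": vlan_seen_by_switch_b({"mode": "access", "vlan": 100}, 100, DOUBLE_TAGGED),
        "trunk_native_999": vlan_seen_by_switch_b({"mode": "trunk", "native": 999}, 999, DOUBLE_TAGGED),
    }
```

In the first scenario Switch B classifies the frame into VLAN 200; in the second Switch A never forwards it; in the third it stays in VLAN 100 on both switches because the outer tag is carried across the trunk intact.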

VLAN-Based Attacks

VLAN-based attacks include VLAN hopping, in which a station is able to
access a VLAN other than its own. This can be done with switch spoofing or
with 802.1Q double-tagging.
Switch Spoofing
Switch spoofing involves a station configured to negotiate a trunk link
between itself and the switch. By default, switches dynamically negotiate
trunking status using Dynamic Trunking Protocol (DTP). If a computer is
able to use DTP to establish a trunk link to the switch, it will receive all
traffic bound for VLANs allowed on that trunk. By default, all VLANs are
allowed on a trunk.
You can mitigate this by turning off DTP on all ports that should not become
trunks, such as most access ports, using the interface command switchport
nonegotiate. If the port should be an access port, configure it as such with
the interface command switchport mode access. Additionally, shut down all
unused ports and assign them to an unused VLAN. The commands to do this
are:
Switch(config)#interface interface
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan vlan
Switch(config-if)#shutdown

Root Guard

Root Guard is meant to prevent the wrong switch from becoming the spanning-tree
root. It is enabled on ports other than the root port and on switches other
than the root. If a Root Guard port receives a BPDU that causes it to become
a root port, the port is put into a “root-inconsistent” state and does not pass
traffic through it. If the port stops receiving these BPDUs, it automatically
re-enables itself.
Switch(config-if)#spanning-tree guard root
Switch#show spanning-tree inconsistentports

BPDU Filtering

BPDU filtering is another way of preventing loops in the network. It also can
be enabled either globally or at the interface, and it functions differently at
each. In global configuration, if a Portfast interface receives any BPDUs, it is
taken out of Portfast status. At interface configuration mode, it prevents the
port from sending or receiving BPDUs. The commands are:
Switch(config)#spanning-tree portfast bpdufilter default
Switch(config-if)#spanning-tree bpdufilter enable

VACLs

Cisco switches support various kinds of ACLs:
■ Traditional Router ACL (RACL)
■ QoS ACL
■ VACL
VLAN access control lists (VACLs) are similar to route-maps in that they are
composed of statements that contain match and set conditions. In a VACL,
the “set” conditions are called “actions.” Actions include forward, drop, and
redirect. Like route-maps, VACL statements are numbered for ordering.
After configuration, VACLs are applied to traffic to specified VLANs.
The following is a sample VACL that instructs the switch to drop traffic
matching ACL 101 (not shown), and forward all other traffic:
Switch(config)#vlan access-map Drop101 5
Switch(config-access-map)#match ip address 101
Switch(config-access-map)#action drop
Switch(config-access-map)#vlan access-map Drop101 10
Switch(config-access-map)#action forward
Switch(config)#vlan filter Drop101 vlan_list 10
To view VACL settings, use the commands show vlan access-map
vacl_name or show vlan filter access-map vacl_name.
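As an added example (not from the original text), here is the evaluation logic the Drop101 access map above implies, applied to constructed packets: sequences are tried in numeric order, a sequence whose match ACL permits the packet takes that sequence's action, a sequence with no match clause matches everything, and a packet matching no sequence is dropped. ACL 101 is not shown on the page, so the example constructs one (permit ip 10.1.1.0 0.0.0.255 any); the implicit drop at the end of the access map and the sample addresses are assumptions marked in the code.

```python
# Added example, not code from the original text: evaluating a VLAN access map
# (ordered sequences of match ACL + action) the way the Drop101 example implies.
import ipaddress


def wildcard_to_network(address, wildcard):
    """IOS address/wildcard pair (e.g. 10.1.1.0 0.0.0.255) to an IPv4Network."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((address, str(ipaddress.IPv4Address(mask))), strict=False)


ANY = wildcard_to_network("0.0.0.0", "255.255.255.255")

# Constructed stand-in for "access-list 101", which the page does not show:
#   access-list 101 permit ip 10.1.1.0 0.0.0.255 any
ACL_101 = [("permit", wildcard_to_network("10.1.1.0", "0.0.0.255"), ANY)]
ACLS = {"101": ACL_101}


def acl_permits(acl, src, dst):
    """For VACL purposes a packet 'matches' an IP ACL when that ACL permits it."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False                                  # implicit deny at the end of an ACL


# vlan access-map Drop101: (sequence, match ACL name or None for no match clause, action)
VACL_DROP101 = [(5, "101", "drop"), (10, None, "forward")]


def vacl_action(access_map, src, dst):
    """Try sequences in numeric order and return the first matching action."""
    for _seq, acl_name, action in sorted(access_map, key=lambda e: e[0]):
        if acl_name is None or acl_permits(ACLS[acl_name], src, dst):
            return action
    return "drop"                                 # assumption: no sequence matched -> dropped


def apply_vlan_filter(access_map, packets):
    """Decide each (src, dst) packet on a VLAN the map is applied to with vlan filter."""
    return [(src, dst, vacl_action(access_map, src, dst)) for src, dst in packets]


SAMPLE_PACKETS = [("10.1.1.7", "192.0.2.10"),     # constructed: matches ACL 101 -> seq 5 drops
                  ("10.2.2.7", "192.0.2.10"),     # constructed: not permitted by 101 -> seq 10 forwards
                  ("10.1.2.1", "10.1.1.7")]       # constructed: source outside 10.1.1.0/24 -> forwards
```

Because the match is on whether ACL 101 *permits* the packet, a deny entry in ACL 101 does not drop traffic by itself; it only causes the packet to fall through to the next sequence, which is a frequent source of confusion when reading VACLs.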

Port Security

Port security limits the number of MAC addresses allowed per port and can
also limit which MAC addresses are allowed. Allowed MAC addresses can
be manually configured or the switch can sticky learn them. Table 8-1 lists
port security commands; these are given at the interface.
Table 8-1 Port Security Commands
Command                                                              Description
switchport port-security                                             Enables port security on that interface.
switchport port-security maximum value                               Specifies the max MAC addresses allowed on this port. Default is 1.
switchport port-security violation {shutdown | restrict | protect}   Configures the action to be taken when the maximum number is reached and a MAC address not associated with the port attempts to use the port, or when a station whose MAC address is associated with a different port attempts to access this port. Default is shutdown.
switchport port-security mac-address mac-address                     Statically associates a specific MAC address with a port.
switchport port-security mac-address sticky                          Enables the switch port to dynamically learn secure MAC addresses. MAC addresses learned through that port, up to the maximum number, if a maximum is configured, are treated as secure MAC addresses.
show port-security [interface interface | address]                   Verifies port security actions.
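As an added example (not from the original text), the following model of a port-security interface shows how the maximum, sticky learning, and the three violation modes from Table 8-1 interact when a large number of distinct source MAC addresses arrive on one port, and when a station that is secured on another port shows up. Interface names, MAC addresses, and frame counts are constructed; the model follows Cisco's description of the modes (protect drops silently, restrict drops and counts, shutdown err-disables the port).

```python
# Added example, not code from the original text: a model of port security on one
# interface (maximum, sticky learning, violation modes shutdown/restrict/protect).
class PortSecurity:
    def __init__(self, name, maximum=1, violation="shutdown", static=(), sticky=False):
        self.name, self.maximum, self.violation, self.sticky = name, maximum, violation, sticky
        self.secure = set(static)        # statically configured secure MACs
        self.sticky_learned = set()      # dynamically learned MACs that sticky writes to the config
        self.err_disabled = False
        self.violations = 0

    def ingress(self, src_mac, secure_elsewhere):
        """Decide what happens to a frame from src_mac. secure_elsewhere is the set
        of MACs secured on other ports of the same switch."""
        if self.err_disabled:
            return "drop"                # port is shut down until re-enabled
        if src_mac in self.secure:
            return "forward"
        # room left, and not a station that belongs to another secured port: learn it
        if src_mac not in secure_elsewhere and len(self.secure) < self.maximum:
            self.secure.add(src_mac)
            if self.sticky:
                self.sticky_learned.add(src_mac)
            return "forward"
        return self._violation()

    def _violation(self):
        if self.violation == "protect":
            return "drop"                # dropped silently, no notification
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True     # err-disabled; needs a manual (or errdisable recovery) re-enable
            return "shutdown"
        return "drop"                    # restrict: dropped, counted, and notified via SNMP/syslog


def many_sources(port, count):
    """Constructed burst: count distinct source MACs on one port, as a CAM-filling
    tool would produce. Returns the per-frame outcomes."""
    return [port.ingress(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", set()) for i in range(count)]


def summarize(outcomes):
    return {k: outcomes.count(k) for k in ("forward", "drop", "shutdown")}
```

With a maximum of 2, only the first two addresses become secure MAC addresses; every further address is a violation, so the CAM table never fills from that port whichever mode is used. The difference between the modes is only what the switch does about it: restrict keeps the port up and counts, shutdown takes the port out of service after the first violation.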
Port-Based Authentication
802.1x authentication requires a computer (called a client) to be authenticated
before it is allowed access to the LAN. This can be combined with port
security to allow only authenticated clients with specified MAC addresses to
access a port. When a computer connects to a switch port configured for
802.1x authentication, the following steps occur:
Step 1. The port is in the unauthorized state, allowing only 802.1x EAP
over LAN (EAPOL) traffic.
Step 2. The client connects to the port. The switch either requests authentication
or the client sends an EAPOL frame to begin authentication.
Step 3. The switch relays authentication information between the client
and a RADIUS server that acts in proxy for the client.
Step 4. If authentication succeeds, the port transitions to the authorized
state, and normal LAN traffic is allowed through it.
Table 8-2 shows commands to configure 802.1x authentication on a switch.
Table 8-2 Configuring 802.1x Port Authentication
Command: Description
(config)#aaa new-model: Enables AAA on the switch.
(config)#aaa authentication dot1x default group radius: Creates a AAA method
    list that says to use 802.1x authentication by default, using a RADIUS
    server (configured separately).
(config)#dot1x system-auth-control: Globally enables 802.1x authentication
    on the switch.
(config-if)#dot1x port-control auto: Enables 802.1x authentication on an
    interface of the switch.
show dot1x: Verifies 802.1x authentication.
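The commands in Tables 8-1 and 8-2 are easy to apply to one port and easy to forget on the next. The following script is an added example (not from this book or from Cisco) that audits a running-config excerpt for both: it parses each interface stanza, and for every access port reports missing port security, a violation mode of protect (which drops offending frames without any notification), and a missing dot1x port-control auto. It also checks that the three global 802.1x commands are present. The configuration text is constructed for the example.

```python
"""Audit a Cisco IOS running-config for port security and 802.1x coverage.

Added example, not the book's code. Parses interface stanzas from a
constructed running-config excerpt and reports access ports that lack port
security, use the 'protect' violation mode, or lack dot1x port-control auto.
"""

# Constructed sample running-config excerpt (not from a real switch).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 dot1x port-control auto
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
"""

GLOBAL_DOT1X_COMMANDS = {
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
}


def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} for each interface stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!"):
            current = None  # '!' ends the stanza
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def global_dot1x_enabled(config):
    """True when all three global 802.1x commands from Table 8-2 are present."""
    lines = {line.strip() for line in config.splitlines()}
    return GLOBAL_DOT1X_COMMANDS <= lines


def audit(config):
    """Return sorted (interface, finding) tuples for access ports only."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks are out of scope for this check
        if "switchport port-security" not in lines:
            findings.append((name, "port security not enabled"))
        else:
            # Default violation mode is shutdown when the command is absent.
            violation = next((l.split()[-1] for l in lines
                              if l.startswith("switchport port-security violation")),
                             "shutdown")
            if violation == "protect":
                findings.append((name, "violation mode 'protect' gives no notification of violations"))
        if "dot1x port-control auto" not in lines:
            findings.append((name, "802.1x port-control not set to auto"))
    return sorted(findings)


if __name__ == "__main__":
    print("global 802.1x prerequisites present:", global_dot1x_enabled(SAMPLE_CONFIG))
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

Run against a saved show running-config, the script lists GigabitEthernet0/2 and 0/3 as gaps and leaves the trunk on 0/24 alone; extend the access-port test if your environment marks trunks differently.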

MAC Address Flooding
In a MAC address flooding attack, the attacker fills the switch’s Content
Addressable Memory (CAM) table with invalid MAC addresses. After the table
is full, all traffic with an address not in the table is flooded out all interfaces.
This has two bad effects—more traffic on the LAN and more work for the
switch. Additionally, the intruder’s traffic is also flooded, so they have access
to more ports than they would normally have. After the attack stops, CAM
entries age out and life returns to normal. However, meanwhile the attacker
might have captured a significant amount of data.
Port security and port-based authentication can help mitigate MAC address
attacks.
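Once port security is enabled with the restrict or shutdown violation mode, a flooding attempt shows up in the switch log as a burst of violations from many different source MAC addresses on one port, whereas a single unauthorized host produces repeated violations from one address. The script below is an added example (not from this book or from Cisco) that distinguishes the two: it parses syslog lines, counts the distinct violating MAC addresses per port inside a time window, and flags ports over a threshold. The log lines are constructed for the example; their text follows the IOS %PORT_SECURITY-2-PSECURE_VIOLATION message format, but the addresses, ports and times are made up.

```python
"""Detect port-security violation bursts that look like MAC address flooding.

Added example, not the book's code. Scans switch syslog lines, counts the
distinct source MACs that triggered a port-security violation on each port
within a time window, and flags ports where that count crosses a threshold.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Message text mirrors the IOS
# %PORT_SECURITY-2-PSECURE_VIOLATION format; MACs, ports and times are made up.
SAMPLE_LOG = """\
Mar 10 10:00:00: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
Mar 10 10:00:01: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.0001 on port GigabitEthernet0/2.
Mar 10 10:00:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.0002 on port GigabitEthernet0/2.
Mar 10 10:00:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.0003 on port GigabitEthernet0/2.
Mar 10 10:00:03: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.0004 on port GigabitEthernet0/2.
Mar 10 10:00:04: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.0005 on port GigabitEthernet0/2.
Mar 10 10:00:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.0006 on port GigabitEthernet0/2.
Mar 10 10:05:00: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.2222.00aa on port GigabitEthernet0/5.
Mar 10 10:05:30: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.2222.00aa on port GigabitEthernet0/5.
Mar 10 10:06:00: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.2222.00aa on port GigabitEthernet0/5.
"""

VIOLATION_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) "
    r"on port (?P<port>\S+)\.$"
)


def parse_violations(lines):
    """Return [(timestamp, port, mac)] for violation lines; other messages are skipped."""
    events = []
    for line in lines:
        m = VIOLATION_RE.match(line)
        if not m:
            continue
        # Year-less IOS-style timestamp; adequate for computing time deltas.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["port"], m["mac"]))
    return events


def detect_flooding(lines, window_seconds=60, distinct_mac_threshold=5):
    """Map port -> peak count of distinct violating MACs seen in any window."""
    by_port = defaultdict(list)
    for ts, port, mac in parse_violations(lines):
        by_port[port].append((ts, mac))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for port, events in by_port.items():
        events.sort()
        for start, _ in events:
            macs = {mac for ts, mac in events if start <= ts <= start + window}
            if len(macs) >= distinct_mac_threshold:
                alerts[port] = max(alerts.get(port, 0), len(macs))
    return alerts


if __name__ == "__main__":
    for port, count in detect_flooding(SAMPLE_LOG.splitlines()).items():
        print(f"{port}: {count} distinct violating MACs within 60 s")
```

With the sample log, GigabitEthernet0/2 is reported with six distinct addresses in a few seconds, while GigabitEthernet0/5 (one address repeating) is not; tune the window and threshold to the normal churn on your access ports.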

Campus Network Security
Attention has traditionally been paid to network perimeter security, such as
firewalls, and to mitigating Layer 3 attacks. However, networks must also be
protected against Layer 2 attacks. These are launched from devices inside
the network, by either a rogue device or a legitimate device that has been
compromised. Rogue devices might be placed maliciously or might just be
connected to an access switch by an employee wanting more switch ports or
wireless access. They include:
■ Wireless routers or hubs
■ Access switches
■ Hubs
A rogue switch might become the Spanning Tree root bridge and disrupt user
traffic. Use the root guard and bpdu guard commands to prevent this.
(Spanning tree security is discussed later in this chapter.)
There are four typical types of attacks against a switched network:
■ MAC-based attacks, such as MAC address flooding
■ VLAN-based attacks, such as VLAN hopping and attacks against
devices on the same VLAN
■ Spoofing attacks, such as DHCP spoofing, MAC spoofing, Address
Resolution Protocol (ARP) spoofing, and Spanning Tree attacks
■ Attacks against the switch, such as Cisco Discovery Protocol (CDP)
manipulation, Telnet attacks, and Secure Shell (SSH) attacks

QoS for VoIP
QoS gives special treatment to certain traffic at the expense of others. Using
QoS in the network has several advantages:
■ Prioritizes access to resources, so that critical traffic can be served.
■ Allows good management of network resources.
■ Allows service to be tailored to network needs.
■ Allows mission-critical applications to share the network with other
data.
People sometimes think that there is no need for QoS strategies in a LAN.
However, switch ports can experience congestion because of port speed
mismatches, many people trying to access the switch backbone, and many
people trying to send traffic to the same switch port (such as a server port).
QoS Actions
Three QoS strategies are commonly implemented on interfaces where traffic
enters the switch:
■ Classification—Distinguishing one type of traffic from another. After
traffic is classified, other actions can be performed on it. Some classification
methods include access lists, ingress interface, and NBAR.
■ Marking—At layer 2, placing 802.1p class of service (CoS) value
within the 802.1Q tag. At layer 3, setting IP Precedence or
Differentiated Services Code Point (DSCP) values on the classified
traffic.
■ Policing—Determining whether or not a specific type of traffic is
within preset bandwidth levels. If so, it is usually allowed and might be
marked. If not, the traffic is typically marked or dropped. CAR and
class-based policing are examples of policing techniques.
Other QoS techniques are typically used on outbound interfaces:
■ Traffic shaping and conditioning—Attempts to send traffic out in a
steady stream at a specified rate. Buffers traffic that goes above that
rate and sends it when there is less traffic on the line.
■ Queuing—After traffic is classified and marked, one way it can be
given special treatment is to be put into different queues on the interface
to be sent out at different rates and times. Some examples include
priority queuing, weighted fair queuing, and custom queuing. The
default queuing method for a switch port is FIFO.
■ Dropping—Normally interface queues accept packets until they are
full and then drop everything after that. You can implement prioritized
dropping, so that less important packets are dropped before more
important ones—such as with Weighted Random Early Detection
(WRED).

Configuring VoIP Support on a Switch
Manual Configuration
To associate a voice VLAN with a switch port, use the following:
Switch(config-if)#switchport voice vlan vlan-ID
To configure an IOS switch to trust the markings on traffic entering an
interface, use the following:
Switch(config-if)#mls qos trust {dscp | cos}
To configure the switch to trust the traffic markings only if a Cisco phone is
connected, use the following:
Switch(config-if)#mls qos trust device cisco-phone
To set a COS value for frames coming from a PC attached to the phone, use
the following:
Switch(config-if)#switchport priority extend cos cos-value
To verify the interface parameters, use the following:
Switch#show interfaces interface switchport
To verify the QoS parameters on an interface, use the following:
Switch#show mls qos interface interface
Using AutoQoS
When AutoQoS is enabled, the switch configures its interfaces based on a
best-practices template. AutoQoS has the following benefits:
■ Automatic discovery and classification of network applications.
■ Creates QoS policies for those applications.
■ Configures the switch to support Cisco IP phones as well as network
applications. Manual configuration can be done afterward, also.
■ Sets up SNMP traps for network reporting.
■ Configures consistently across your network when used on all routers
and switches.
CDP must be enabled for AutoQoS to function properly with Cisco IP phones.
AutoQoS commands for switches running the Catalyst OS are listed in Table 7-2.
Table 7-2 AutoQoS Commands for Catalyst OS
Command: Description
set qos autoqos: Globally enables AutoQoS on the switch.
set port qos mod/port autoqos trust [cos|dscp]: Configures the port to trust
    either the COS or DSCP markings of all traffic coming in the port.
set port qos mod/port autoqos voip [ciscosoftphone | ciscoipphone] [trust]:
    Configures the port to trust traffic markings only if a Cisco phone or a
    computer with a Cisco softphone is connected to the port. Requires that
    CDP be enabled.
AutoQoS commands for switches running Native IOS are shown in Table 7-3.
Table 7-3 AutoQoS Commands for IOS
Command: Description
(config-if)#auto qos voip trust: Configures the port to trust the COS on all
    traffic entering the port.
(config-if)#auto qos voip cisco-phone: Configures the port to trust traffic
    markings only if a Cisco phone is connected to the port. Requires that
    CDP be enabled.
#show auto qos [interface interface]: Shows the AutoQoS configuration. Does
    not show any manual QoS configuration; use show run to see that.

Trust Boundaries
When IP traffic comes in already marked, the switch has some options about
how to handle it. It can:
■ Trust the DSCP value in the incoming packet, if present.
■ Trust the IP Precedence value in the incoming packet, if present.
■ Trust the CoS value in the incoming frame, if present.
■ Classify the traffic based on an IP access control list or a MAC address
access control list.
Mark traffic for QoS as close to the source as possible. If the source is an IP
telephone, it can mark its own traffic. If not, the building access module
switch can do the marking. If those are not under your control, you might
need to mark at the distribution layer. Classifying and marking slows traffic
flow, so do not do it at the core. All devices along the path should then be
configured to trust the marking and provide a level of service based on it.
The place where trusted marking is done is called the trust boundary.

DSCP Values
Differentiated services provide levels of service based on the value of certain
bits in the IP or ISL header or the 802.1Q tag. Each hop along the way must
be configured to treat the marked traffic the way you want—this is called
per-hop behavior (PHB).
In the Layer 3 IP header, you use the 8-bit ToS field. You can set either IP
Precedence using the top 3 bits or Differentiated Services Code Points
(DSCP) using the top 6 bits of the field. The bottom 2 bits are set aside for
congestion notification. The default DSCP value is zero, which corresponds
to best-effort delivery.
The six DSCP bits can be broken down into two sections: The first 3 bits
define the DiffServ Assured Forwarding (AF) class, and the next 2 bits
define the drop probability within that class. The sixth bit is 0 and unused.
AF classes 1–4 are defined, and within each class, 1 is low drop probability,
2 is medium, and 3 is high (meaning that traffic is more likely to get dropped
if there is congestion). These are shown in Table 7-1. Each hop still needs to
be configured for how to treat each AF class.
Table 7-1 DSCP Assured Forwarding Values
          Low Drop   Medium Drop   High Drop
Class 1   AF11       AF12          AF13
Class 2   AF21       AF22          AF23
Class 3   AF31       AF32          AF33
Class 4   AF41       AF42          AF43
Voice bearer traffic uses an Expedited Forwarding value of DSCP 46 to give
it higher priority within the network.
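The bit layout described above determines every value in Table 7-1, so it is worth seeing it computed rather than memorized. The following script is an added example (not from this book or from Cisco): it builds the AFxy code points from the 3 class bits and 2 drop-precedence bits, names a code point given its numeric value, and splits an 8-bit ToS byte into IP Precedence, DSCP and the 2 congestion-notification bits. It also shows that the IP Precedence of an AF code point equals its class, and that EF (46) sits in precedence 5.

```python
"""DSCP code points in the IP ToS byte, as described in this section.

Added example, not the book's code. Builds the Assured Forwarding code
points of Table 7-1 from the class and drop-precedence bits, names a code
point from its value, and decodes a ToS byte into IP Precedence (top 3
bits), DSCP (top 6 bits) and the 2 congestion-notification bits.
"""

EF = 46           # Expedited Forwarding, used for voice bearer traffic
BEST_EFFORT = 0   # default DSCP


def af_dscp(af_class, drop_precedence):
    """AFxy: class in bits 5-3, drop precedence in bits 2-1, bit 0 is zero."""
    if not 1 <= af_class <= 4 or not 1 <= drop_precedence <= 3:
        raise ValueError("AF classes are 1-4, drop precedence 1-3")
    return (af_class << 3) | (drop_precedence << 1)


def dscp_name(dscp):
    """Return 'AFxy', 'EF', 'BE', or None for a 6-bit DSCP value."""
    if dscp == EF:
        return "EF"
    if dscp == BEST_EFFORT:
        return "BE"
    af_class, drop, low_bit = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if low_bit == 0 and 1 <= af_class <= 4 and 1 <= drop <= 3:
        return f"AF{af_class}{drop}"
    return None


def decode_tos(tos):
    """Split an 8-bit ToS byte into (ip_precedence, dscp, ecn)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is one byte")
    return tos >> 5, tos >> 2, tos & 0b11


def encode_tos(dscp, ecn=0):
    """Place a 6-bit DSCP and 2 ECN bits into a ToS byte."""
    return (dscp << 2) | ecn


def af_table():
    """Rebuild Table 7-1 as {class: [low, medium, high drop code points]}."""
    return {f"Class {c}": [af_dscp(c, d) for d in (1, 2, 3)] for c in range(1, 5)}


if __name__ == "__main__":
    for cls, values in af_table().items():
        print(cls, [f"{dscp_name(v)}={v}" for v in values])
    print("ToS 0xB8 decodes to (precedence, dscp, ecn) =", decode_tos(0xB8))
```

The decode of 0xB8 returns precedence 5, DSCP 46 and ECN 0, which is the marking you expect to see on voice bearer packets when checking a capture at the trust boundary.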

Preparing the Network for VoIP
When adding voice or video to an existing network, you should examine
several things in advance to provide the high level of availability users
expect in their phone system:
■ What features are needed?—Power for IP phones, voice VLANs on the
switches, network redundancy for high availability, security for voice
calls, and Quality of Service (QoS) settings.
■ The physical plant—Cabling at least CAT-5.
■ Electrical power for the IP phones—Use either inline power from a
Catalyst switch or a power patch panel. Need an uninterruptible power
supply (UPS) with auto-restart, monitoring, and 4-hour response
contract. May need generator backup. Maintain correct operating
temperatures.
■ Bandwidth—Commit no more than 75 percent of bandwidth. Consider
all types of traffic—voice, video, and data. Have more than enough
bandwidth if possible. Include both voice and call-control traffic in
your planning.
■ Network management—Need to monitor and proactively manage the
network so that it does not go down.

Network and Bandwidth Considerations
The network requirements for VoIP include:
■ Maximum delay of 150–200 ms (one-way)
■ No more than 1 percent packet loss
■ Maximum average jitter of 30 ms
■ Bandwidth of 21–106 kbps per call, plus about 150 bps per phone for
control traffic
A formula to use when calculating bandwidth needed for voice calls is as
follows:
(Packet payload + all headers) * Packet rate per second
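The formula is easiest to trust once you have carried it through for a real codec. The script below is an added example (not from this book or from Cisco) that applies it: payload size comes from the codec bit rate and the packetization interval, the headers are IPv4 (20), UDP (8) and RTP (12) bytes plus the Layer 2 overhead, and the result is multiplied by packets per second. It then applies the 75 percent provisioning rule and the 150 bps per-phone control-traffic figure from this section to estimate how many calls a link can carry. The codec rates (G.711 at 64 kbps, G.729 at 8 kbps) and Layer 2 overheads (18 bytes for Ethernet including FCS, 6 for PPP) are standard values assumed here.

```python
"""Voice call bandwidth from (packet payload + all headers) * packets per second.

Added example, not the book's code. Codec rates and header sizes are standard
values assumed here; the 150 bps control-traffic figure and the 75 percent
provisioning rule come from this section.
"""
import math

CODEC_KBPS = {"G.711": 64, "G.729": 8}        # assumed standard codec bit rates
IP_UDP_RTP_BYTES = 20 + 8 + 12                # IPv4 + UDP + RTP headers
LINK_OVERHEAD_BYTES = {"ethernet": 18, "ppp": 6}  # assumed Layer 2 overhead
CONTROL_BPS_PER_PHONE = 150                   # from this section
MAX_UTILIZATION = 0.75                        # commit no more than 75 percent


def packets_per_second(packetization_ms):
    """Each voice packet carries packetization_ms of audio."""
    return 1000 / packetization_ms


def payload_bytes(codec, packetization_ms):
    """Audio bytes per packet: codec bit rate times packet duration."""
    return CODEC_KBPS[codec] * packetization_ms / 8


def call_bandwidth_kbps(codec, packetization_ms=20, link="ethernet"):
    """Bandwidth of one call in kbps, applying the section's formula."""
    packet_bytes = (payload_bytes(codec, packetization_ms)
                    + IP_UDP_RTP_BYTES + LINK_OVERHEAD_BYTES[link])
    return packet_bytes * 8 * packets_per_second(packetization_ms) / 1000


def calls_supported(link_kbps, codec, packetization_ms=20, link="ethernet"):
    """Calls that fit in 75 percent of the link, counting per-phone control traffic."""
    per_call = call_bandwidth_kbps(codec, packetization_ms, link) + CONTROL_BPS_PER_PHONE / 1000
    return math.floor(link_kbps * MAX_UTILIZATION / per_call)


if __name__ == "__main__":
    for codec in CODEC_KBPS:
        for link in LINK_OVERHEAD_BYTES:
            print(f"{codec} 20 ms over {link}: {call_bandwidth_kbps(codec, 20, link):.1f} kbps")
    print("G.729 calls on a 1544 kbps T1 (Ethernet framing):", calls_supported(1544, "G.729"))
```

The payload alone would suggest 64 kbps for G.711; the 40 bytes of IP/UDP/RTP headers on every 20 ms packet push it to 80 kbps before Layer 2 framing, which is why header size and packetization interval matter as much as the codec when sizing a link.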
Auxiliary (or Voice) VLANs
Cisco switches can be configured to dynamically place IP telephones into
a VLAN separate from the data VLANs. They can do this even when the
phone and PC are physically connected to the same switch port. This is
called an auxiliary VLAN or a voice VLAN. Voice VLANs allow phones
to be dynamically placed in a separate IP subnet from hosts, to have QoS
(using 802.1Q/p headers) and security policies applied, and makes troubleshooting
easier.

VoIP in a Campus Network
Many companies are integrating Voice over IP (VoIP) into their networks.
Figure 7-1 shows some components of a VoIP system, which can include the
following:
■ IP phones—Provide voice and applications to the user.
■ Voice gateways—Translates between PSTN and IP calls and provides
backup to the Cisco CallManager (IP PBX, or Call Agent).
■ Gatekeepers—An optional component that can do call admission
control, allocate bandwidth for calls, and resolve phone numbers into
IP addresses.
■ Cisco CallManager—Serves as an IP PBX. Registers phones, controls
calls.
■ Video conferencing unit—Allows voice and video in the same phone
call.
■ Multipoint control unit—Allows multiple participants to join an audio
and/or video conference call.
■ Application server—Provides services such as Unity voice mail.
Figure 7-1 Some Components of a VoIP System
[Figure not reproduced. Labeled elements: WAN, PSTN, Unity Server,
CallManager Server, Power over Ethernet Switch, User PC, IP Phone, Voice and
WAN Gateway, Video Conferencing Camera.]
Voice and data have different network requirements. Although TCP data
adjusts to dropped packets, packet loss is one of the biggest enemies of voice
transmissions and is often caused by jitter and congestion. Jitter (variable
delay) causes buffer over- and under-runs. Congestion at the interface can be
caused by traffic from a fast port being switched to exit out a slower port,
which causes the transmit buffer to be overrun.
VoIP traffic consists of two types: voice bearer and call control signaling.
Voice bearer traffic is carried over the UDP-based Real Time Protocol (RTP).
Call control uses one of several different protocols to communicate between
the phone and CallManager and between the CallManager and the voice
gateways.

Configuring a WLAN Controller
Cisco lightweight APs receive their configuration from the Wireless LAN
Controller, which must be configured first. Initial configuration of the lightweight
WLC can be done via command line using the console port or via
web browser using the service port. Subsequent configuration can be done
via:
■ IOS Command Line—Either by Telnet, SSH, or the console port.
■ Web browser—Using the WLC’s IP address and Internet Explorer.
■ Cisco Wireless Control System—For centralized configuration control.
You need to configure the WLC with information such as VLANs, SSIDs,
and security policies. It downloads a configuration to its associated APs, and
you can also configure, monitor, or reset individual APs through the web
browser of the WLC. Review the material at this link for screen shots and
WLC configuration information:
http://www.cisco.com/en/US/products/ps6366/products_configuration_guide_book09186a00806b0077.html
WLCs use several different types of physical and logical interfaces that are
described in Table 6-2.
Table 6-2 Wireless LAN Controller Interfaces
Interface Type: Description
Service Port: Used for out-of-band management and initial setup. Must be a
    unique subnet. Not present on the 2006 WLC.
Management Interface: Used by the APs to find their WLC and associate with
    it. One per WLC.
AP-Manager Interface: Used for LWAPP traffic between controller and APs. Can
    have multiple AP-Manager interfaces.
Virtual Interface: IP address used for mobility group when implementing
    Layer 3 roaming.
User Interface: Used to carry data traffic from users. One per VLAN.

Configuring Wireless LAN Devices
Autonomous APs must be configured individually, while the WLC provides
configuration to lightweight APs. WLAN clients must also be configured;
this process varies depending on the client software used.
Configuring Autonomous Access Points
Autonomous APs can be configured in one of three ways:
■ IOS Command Line—Either via Telnet or the console port.
■ Web browser—This is the Cisco preferred way.
■ CiscoWorks WLSE—For centralized configuration control.
The AP must already have an IP address to use any of these except the console
port. It attempts to obtain one via DHCP by default. This link has directions
and screen shots for both the command line and web browser configuration:
http://www.cisco.com/en/US/products/ps6087/products_installation_and_configuration_guides_list.html
Aironet 1100, 1200, and 1300 series APs perform various functions:
■ Wireless AP
■ Root bridge
■ Nonroot bridge
■ Repeater
■ Scanner
■ Workgroup bridge

Multipath Distortion
Because radio waves are transmitted in many directions, not all go in a straight
line to every client’s antenna. Some bounce off walls or other objects and arrive
at the client in varying intervals. Thus, the client receives several copies of
the same RF signal, which can cause degraded data quality. This is multipath
distortion, or multipath interference. Diversity systems try to minimize this by
using two antennas; you might try moving antennas or changing the frequency
if this is a problem in your facility. OFDM uses multiple frequencies operating
together to increase performance in multipath situations.

Power over Ethernet (PoE) Switches
Access points can receive their power over Ethernet cables from Power over
Ethernet (PoE) switches, routers with PoE switch modules, or midspan
power injectors, thus alleviating the need for electrical outlets near them.
APs require up to 15W of power, so plan your power budget accordingly.
Two power standards are the Cisco Prestandard PoE and the IEEE’s 802.3af
standard. Both have a method for sensing that a powered device is connected
to the port. 802.3af specifies a method for determining the amount of power
needed by the device. Cisco devices, when connected to Cisco switches, can
additionally use CDP to send that information. Power can be supplied over
the data pairs—1, 2, 3, and 6—or over the unused pairs of 4, 5, 7, and 8.
Cisco PoE switches are configured by default to automatically detect and
provide power. To disable this function, or to re-enable it, use the interface
command power inline {never | auto}. To view interfaces and the power
allotted to each, use show power inline [interface].

EIRP
EIRP is the actual power of the signal that comes from the antenna, measured
in Decibel Milliwatts (dBm). (0 dBm equals 1 milliwatt of power.) EIRP is
calculated by taking the transmitter power, subtracting the amount of signal
lost traversing the cable between the transmitter and antenna, and adding the
antenna’s gain. This can be expressed:
EIRP = (power – cable loss) + antenna gain.
Different countries have different rules about the amount of EIRP allowed.
For instance, the maximum in the United States is 36 dBm. To minimize
signal loss, use the shortest low-loss cable possible. Wider cables conserve
more signal but are also more expensive.
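Because the EIRP formula works in decibels, the cable loss and antenna gain simply add and subtract, but the regulatory check and the conversion back to milliwatts are where mistakes happen. The script below is an added example (not from this book or from Cisco): it converts between dBm and milliwatts (0 dBm = 1 mW), computes EIRP with the section's formula, checks the result against the 36 dBm United States ceiling stated above, and works the formula backwards to find the largest antenna gain that still fits once transmitter power and cable loss are fixed. The sample transmitter, cable and antenna figures are constructed.

```python
"""EIRP calculations for EIRP = (power - cable loss) + antenna gain.

Added example, not the book's code. The 36 dBm United States ceiling is
from this section; the sample power, loss and gain figures are constructed.
"""
import math

MAX_EIRP_DBM = {"US": 36}  # other regulators set different ceilings


def dbm_to_mw(dbm):
    """dBm is a log scale referenced to 1 mW, so 0 dBm is 1 mW and 30 dBm is 1 W."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw):
    return 10 * math.log10(mw)


def eirp_dbm(tx_power_dbm, cable_loss_db, antenna_gain_dbi):
    """Transmitter power minus cable loss plus antenna gain, all in decibels."""
    return (tx_power_dbm - cable_loss_db) + antenna_gain_dbi


def within_limit(eirp, country="US"):
    return eirp <= MAX_EIRP_DBM[country]


def max_antenna_gain_dbi(tx_power_dbm, cable_loss_db, country="US"):
    """Largest antenna gain allowed once transmitter power and cable loss are fixed."""
    return MAX_EIRP_DBM[country] - (tx_power_dbm - cable_loss_db)


if __name__ == "__main__":
    # Constructed figures: a 100 mW (20 dBm) radio, 3 dB of cable loss, a 13.5 dBi antenna.
    tx, loss, gain = mw_to_dbm(100), 3.0, 13.5
    e = eirp_dbm(tx, loss, gain)
    print(f"EIRP = {e:.1f} dBm ({dbm_to_mw(e):.0f} mW), within US limit: {within_limit(e)}")
    print(f"largest antenna gain for this radio and cable: {max_antenna_gain_dbi(tx, loss):.1f} dBi")
```

Note that each 3 dB of gain doubles the radiated power in milliwatts, which is why a high-gain directional antenna on an unchanged radio can exceed the legal EIRP even though the transmitter itself is compliant.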

Directionality
Omnidirectional antennas have signals that theoretically extend in all directions,
both vertically and horizontally. When gain is increased, the signal expands
horizontally, but decreases vertically. One omnidirectional example is the
dipole “Rubber Duck” antenna.
Directional antennas aim their signal in a specific direction. Signals can spread
fairly wide in one direction or can be narrowly focused. Some examples
include the Diversity Patch Wall Mount Antenna, Yagi, and dish antennas.

Gain
Cisco measures gain in dBi, which stands for decibel isotropic and is a
measure of decibels relative to an isotropic source in free space. A decibel is
the ratio between two signal levels. An isotropic antenna is a theoretical one
in which the signal spreads out evenly in all directions from one point. Thus,
dBi is the ratio of an antenna’s signal to that of an isotropic antenna.

Wireless LAN Antennas
Several concepts are important in understanding wireless antennas:
■ Gain—The energy an antenna adds to the RF signal.
■ Directionality—How the radio coverage is distributed.
■ Polarization—The physical orientation of the RF element. Cisco Aironet
antennas use vertical polarization.
■ Multipath Distortion—Receiving both direct and reflected signals
arriving from different directions.
■ Effective Isotropic Radiated Power (EIRP)—The AP radio’s effective
transmission power. Includes gain from the antenna and loss from the
antenna’s cable.

■ Security management
■ QoS policies
■ VLAN tagging
■ Forwarding of user traffic
The Lightweight Access Point Protocol (LWAPP) supports the split MAC
function in traffic between a lightweight AP and its controller. LWAPP uses
AES-encrypted control messages and encapsulates, but does not encrypt,
data traffic. LWAPP operates at Layer 2, and also at Layer 3 over UDP.
(However, Layer 2 operation has been deprecated by Cisco.) For Layer 3
operation, the controller can be either in the same broadcast domain and IP
subnet as the AP or in a different broadcast domain and IP subnet. The AP
follows this process to discover its controller:
Step 1. The AP requests a DHCP address. The DHCP response includes
the management IP address of one or more WLCs.
Step 2. The AP sends an LWAPP Discovery Request message to each
WLC.
Step 3. The WLCs respond with an LWAPP Discovery Response that
includes the number of APs currently associated to it.
Step 4. The AP sends a Join Request to the WLC with the fewest APs
associated to it.
Step 5. The WLC responds with a Join Response message; the AP and the
controller mutually authenticate each other and derive encryption keys
to be used with future control messages. The WLC then configures the
AP with settings such as SSIDs, channels, security settings, and
802.11 parameters.
The Cisco Aironet 2000 series WLC can handle up to six APs; thus, it is
sized for small- to medium-sized operations.
The Cisco Aironet 4400 series WLC supports medium to large facilities with
the 4402 handling up to 50 APs, and the 4404 handling up to 100 APs.

Cisco Unified Wireless Network
The Cisco Unified Wireless Network concept has five components that work
together to create a complete network, from client devices to network infrastructure,
to network applications. Cisco has equipment appropriate to each component.
Table 6-1 lists components and equipment.
Table 6-1 Cisco Unified Wireless Network Components
Component: Description and Devices
Client Devices: Cisco Aironet client, and Cisco compatible third-party
    vendor clients.
Mobility Platform: Aironet APs and bridges, using LWAPP.
Network Unification: Leverages existing wired network. 2000- and 4400-series
    WLAN controllers and switch and router modules.
World-Class Network Management: Visualize and secure the WLAN. WCS for
    location tracking, RF management, wireless IPS, and WLC management.
Unified Advanced Services: Applications such as wireless IP phones, location
    appliances, and RF firewalls.

You should review the following link for more information on Cisco wireless
controllers and access points before you take the exam:
http://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.html

Wireless Clients
Cisco has a wireless NIC that can be installed on Windows 2000 and
Windows XP systems. It comes with some utilities: Aironet Desktop Utility
(ADU), Aironet Client Monitor (ACM), and Aironet Client Administration
Utility (ACAU). Cisco recommends using the ADU and ACM utilities to
control your wireless card, rather than the built-in Windows controls to get the
increased functionality Cisco provides. The Cisco ACAU allows loading and
configuration of the Cisco client software over the network, using encrypted
files. There is also an Aironet Site Survey Utility to scan for APs and get
information about them.
Cisco wireless IP phones have the same features as Cisco wired IP phones
and can use LEAP for authentication.
The Cisco Compatible Extensions Program tests other vendors’ devices for
compatibility with Cisco wireless products. Using products certified by this
program ensures full functionality of Cisco enhancements and proprietary
extensions. A list of these products can be found at www.cisco.com/go/ciscocompatible/
wireless.

Cisco Wireless Network Components
This section is mainly concerned with Cisco products and is quite marketing
oriented. Cisco supports two types of wireless solutions: one using
autonomous access points, and one using lightweight (or “dumb”) access
points in combination with WLAN controllers. The wired network infrastructure
is the same for both types: switches and routers.

WPA/WPA2 Authentication
When a host wanting WLAN access needs to be authenticated in a network
using WPA or WPA2, the following steps occur:
Step 1. An 802.1x/EAP supplicant on the host contacts the AP (or
WLAN controller, if it is a lightweight AP) using 802.1x.
Step 2. The AP or WLAN controller uses RADIUS to contact the AAA
server and attempts to authenticate the user.
Step 3. If the authentication succeeds, all traffic from the client to the AP
is encrypted.

Wireless Security
Wireless security methods, listed from weakest to strongest, include:
■ Wired Equivalent Privacy (WEP)—It uses static keys, weak authentication,
and is not scalable.
■ 802.1x Extensible Authentication Protocol (EAP)—Uses RADIUS for
authentication, dynamic keys, and stronger encryption. Cisco supports
it via Lightweight EAP (LEAP) and Protected EAP (PEAP).
■ Wi-Fi Protected Access (WPA)—This is a Wi-Fi Alliance standard.
Uses Temporal Key Integrity Protocol (TKIP) for encryption, dynamic
keys, and 802.1x user authentication. Cisco supports it via Lightweight
EAP (LEAP), Protected EAP (PEAP), and Extensible Authentication
Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST).
■ WPA2—The Wi-Fi Alliance’s implementation of the 802.11i standard,
which specifies the use of Advanced Encryption Standard (AES) for
data encryption and uses 802.1x authentication methods. Can also use
TKIP encryption.

Autonomous APs
Autonomous APs run Cisco IOS, are programmed individually, and act independently.
They can be centrally managed with the CiscoWorks Wireless
LAN Solution Engine (WLSE) and can use Cisco Secure Access Control
Server (ACS) for RADIUS and TACACS+ authentication. Redundancy
consists of multiple APs.
Lightweight Access Points
Lightweight APs divide the 802.11 processing between the AP and a Cisco
Wireless LAN Controller (WLC). This is sometimes called “split MAC,”
because they split the functions of the MAC layer—Layer 2. Their management
components also include the Wireless Control System (WCS) and a
location-tracking appliance. Redundancy consists of multiple WLCs. The AP
handles real-time processes, and the WLC handles processes such as:
■ Authentication
■ Client association/mobility management

802.11g Standard
802.11g operates in the same 2.4 GHz range as 802.11b and uses the same
three nonoverlapping channels: 1, 6, and 11. It can provide higher data rates.
802.11g uses DSSS to provide 1, 2, 5.5, and 11 Mbps throughput,
which makes it backward compatible with 802.11b. It uses OFDM to provide
6, 9, 12, 18, 24, 36, 48, and 54 Mbps throughput, as does 802.11a.
802.11b/g access points can register both 802.11b and 802.11g clients.
Because 802.11b clients do not understand OFDM messages, when 802.11b
clients register, the AP implements an RTS/CTS protection mechanism
against collisions. When a client wants to talk, it sends an RTS message. The
AP must answer with a CTS message before the client is allowed to transmit.
This creates overhead for the AP and causes a drop in overall throughput for
all clients. Cisco recommends a maximum of 20 users per cell; expect an
actual peak throughput of about 32 Mbps.

802.11a Standard
802.11a operates in the 5 GHz range and uses Orthogonal Frequency-
Division Multiplexing (OFDM). It has eight data rates: 6, 9, 12, 18, 24, 36,
48, and 54 Mbps. 802.11a provides from 12–23 nonoverlapping channels,
depending on country regulations. Portions of the 5 GHz range are allocated
to radar, so 802.11a uses Dynamic Frequency Selection (DFS) to check for
radar signals and choose a different channel if it detects them. It also uses
Transmit Power Control (TPC) to adjust client power, so that clients use only
enough to stay in contact with the AP. DFS and TPC are part of the 802.11h
specification. Cisco recommends a maximum of 15 users per cell; expect an
actual peak throughput of about 32 Mbps.

Using Wireless LANs
Wireless LAN Overview
Devices on a wireless LAN (WLAN) transmit and receive data using radio
or infrared signals, sent through an access point (AP). WLANs function
similarly to Ethernet LANs with the access point providing connectivity to
the rest of the network as would a hub or switch. WLANs use an Institute of
Electrical and Electronics Engineers (IEEE) standard that defines the physical
and data link specifications, including the use of Media Access Control
(MAC) addresses. The same protocols (such as IP) and applications (such as
IPSec) can run over both wired and wireless LANs.
WLANs are local to a building or a campus, use customer-owned equipment,
and are not usually required to have radio frequency (RF) licenses.
Service Set Identifiers (SSID) correspond to a VLAN and can be used to
segment users. SSIDs can be broadcast by the access point, or statically
configured on the client, but the client must have the same SSID as the AP to
register with it. SSIDs are case sensitive. Clients associate with access points
as follows:
Step 1. The client sends a probe request.
Step 2. The AP sends a probe response.
Step 3. The client initiates an association to an AP. Authentication and
any other security information is sent to the AP.
Step 4. The AP accepts the association.
Step 5. The AP adds the client’s MAC address to its association table.