This part of the book covers the following ISCW exam topics:
Describe the components and operations of IPSec VPNs and GRE Tunnels.
Configure a site-to-site IPSec VPN/GRE Tunnel with SDM (i.e., preshared key).
Verify IPSec/GRE Tunnel configurations (i.e., IOS CLI configurations).
Describe, configure, and verify VPN backup interfaces.
Describe and configure Cisco Easy VPN solutions using SDM.

Acknowledgments

First and foremost, we would like to acknowledge the sacrifices made by our families in allowing us to make the time to write this book. Without their support, it would not have been possible. Thanks to our friends who were not shy about stepping in for a bit of motivational correction when timelines were slipping. As always, a huge thank you goes to the production team. Mary Beth, Chris, and Tonya suffered no end of frustration throughout this writing. They never fully gave up on it, and for...

ADSL Physical Connectivity

With regard to ADSL, there are a number of points at which there can be a physical issue. Figure 7-2 provides a reference point for the physical connectivity of ADSL.
Figure 7-2 ADSL Physical Connectivity
The physical connectivity relies on a number of individual segments in order to function properly for a DSL connection. Each time another device is encountered, the PMD and TC sublayers must perform their "line up the bits and kick them out the interface" function once again. However, each...

Application Layer

The Application Layer contains the business and collaborative applications that use interactive services to function more efficiently. The interactive services allow the applications to grow dynamically, thus allowing more rapid and efficient deployment while keeping integration costs down. When a new user base, department, or branch site is added, the application can simply be allocated a larger share of the resource pools dynamically to compensate for the increased use. The Application Layer...

Asymmetric DSL Types

ADSL is most commonly deployed in the current broadband market where DSL is offered. The following are the different flavors of DSL currently available:
ADSL: The full-rate offering of ADSL, which can be configured to deliver from 1.5 to 8 Mbps downstream and 16 kbps to 1 Mbps upstream over a local loop up to 18,000 feet in length. ADSL enables voice and high-speed data to be sent simultaneously over the existing telephone line. ITU-T Recommendation G.992.1 and ANSI Standard T1.413-1998 specify...

Basic GRE Configuration

A GRE tunnel carries some Layer 3 protocol between two IP endpoints. During the initial use of GRE tunnels, the tunnel contents were typically any protocol except IP. Today, GRE tunnels are used to carry IP data over an IP network. But the GRE tunnel itself can be sent through an IPsec tunnel for security. Figure 14-2 shows a basic GRE tunnel setup.
Figure 14-2 GRE Tunnel Configuration
interface serial 3/2
 ip address 10.1.3.2 255.255.255.0
interface tunnel 2...

Cable System Components

The description of the components associated with cable systems essentially equates to defining additional terminology. Typical components include:
Antenna site: A location containing a cable provider's main receiving and satellite dish facilities. This site is chosen based on potential for optimal reception of transmissions over the air, via satellite, and via point-to-point communication.
Headend: A master facility where signals are received, processed, formatted, and distributed over to the...

Cable System Standards

Like any networking technology, cable systems have associated standards meant to loosely govern the manner in which the technologies evolve and the manner in which they are implemented by various hardware and software vendors. These standards include:
National Television Standards Committee (NTSC): Created in 1941, and named after its authoring committee, NTSC defines technical standards for analog television systems (utilizing a 6-MHz modulated signal) used in North America.
Phase Alternating...

Campus Network Architecture

Campus network architecture has evolved rapidly over the last decade or more. The number of services supported in a campus environment has evolved just as quickly, if not more so. The basic infrastructure has traditionally been summed up under the Cisco Hierarchical Network Model mentioned in the previous section. This remains the case because that model scales very well. The role has expanded somewhat on its own to include technologies such as quality of service (QoS), Multiprotocol Label...

CCNP ISCW Official Exam Certification Guide

Cisco Press logo is a trademark of Cisco Systems, Inc. Published by Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the...

CEF Switching

CEF is a topology-driven technology and makes use of a FIB. The FIB is basically a mirror image of the IP routing table. When topological changes occur, the FIB is updated based on the updates in the IP routing table. The FIB maintains next-hop address information based on information provided by the protocol routing table. Because CEF maintains a one-to-one listing of routes in the IP routing table, the need for constant maintenance of FIB entries is eliminated because that function is...

Configuring Frame Mode MPLS 207

Do I Know This Already Quiz 207
Foundation Topics 210
Configuring CEF 211
Configuring MPLS on a Frame Mode Interface 214
Configuring MTU Size 217
Chapter 11 MPLS VPN Technologies 225
Do I Know This Already Quiz 225
Foundation Topics 229
MPLS VPN Architecture 229
Traditional VPNs 230
Layer 1 Overlay 230
Layer 2 Overlay 231
Layer 3 Overlay 232
Peer-to-Peer VPNs 232
VPN Benefits 234
VPN Drawbacks 234
MPLS VPNs 236
MPLS VPN Terminology 237
CE Router Architecture 237
PE Router Architecture 238
P...

Implementing Cisco IOS Firewalls 536

Do I Know This Already Quiz 536
Foundation Topics 540
Configure a Cisco IOS Firewall Using the CLI 540
Step 1 Choose an Interface and Packet Direction to Inspect 540
Step 2 Configure an IP ACL for the Interface 540
Step 3 Define the Inspection Rules 541
Step 4 Apply the Inspection Rules and the ACL to the Interface 542
Step 5 Verify the Configuration 543
Configure a Basic Firewall Using SDM 544
Configure an Advanced Firewall Using SDM 547
Foundation Summary 557
Q&A 560
Chapter 23...

Using DSL to Connect to a Central Site

Do I Know This Already Quiz 75
Foundation Topics 81
DSL Features 81
POTS Coexistence 83
DSL Limitations 85
DSL Variants 87
Asymmetric DSL Types 87
Symmetric DSL Types 88
ADSL Basics 89
ADSL Modulation 89
CAP 90
DMT 91
Data Transmission over ADSL 93
RFC 1483/2684 Bridging 94
PPP Background 95
PPP over Ethernet 96
Discovery Phase 97
PPP Session Phase 99
PPPoE Session Variables 99
Optimizing PPPoE MTU 100
PPP over ATM 101
Foundation Summary 104
Q&A 106

Configuring DSL Access with PPPoA 127

Do I Know This Already Quiz 127
Foundation Topics 130
Configure a Cisco Router as a PPPoA Client 130
PPP over AAL5 Connections 131
VC-Multiplexed PPP over AAL5 132
LLC Encapsulated PPP over AAL5 132
Cisco PPPoA 134
Configure an ATM Interface for PPPoA 134
Configure the PPPoA DSL Dialer and Virtual-Template Interfaces 135
Configure Additional PPPoA Elements 136
The Overall CPE Router Configuration 136

Verifying and Troubleshooting ADSL Configurations 145

Do I Know This Already Quiz 145
Layers of Trouble to Shoot 149
Isolating Physical Layer Issues 150
Layer 1 Anatomy 151
ADSL Physical Connectivity 151
Where to Begin 152
Playing with Colors 154
Tangled Wires 154
Keeping the Head on Straight 154
DSL Operating Mode 155
Isolating Data Link Layer Issues 156
PPP Negotiation 157
Foundation Summary 161
Q&A 162
Part II Implementing Frame Mode MPLS 165

Cisco Hierarchical Network Model

Prior to any discussion of the architecture models proposed in the IIN vision, it is necessary to step back to a discussion of a somewhat older model advocated for network scalability, the Cisco Hierarchical Network Model. Figure 1-2 illustrates the model for purposes of discussion.
Figure 1-2 Cisco Hierarchical Network Model
As is evident in the figure, the essential layers of the network are divided into three layers: Core, Distribution, and Access. This provides a repeatable, or...

Cisco Network Models

Now that the basic concepts of SONA, the road to the creation of an IIN, are somewhat clearer, some discussion of network models is needed. Network models vary based on the technology being implemented; however, the goal of the models is still the same: convergence and enabling service integration. As mentioned previously, Cisco has created a visionary architecture for its customer market segments. For the enterprise network, SONA is the architecture. At the Networked Infrastructure Layer exists...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
Italics indicate arguments for which you supply actual values.
Vertical bars...

Configure a Cisco Router as a PPPoE Client

Configuration of a home router for DSL connectivity includes a number of pieces and parts that must be assembled properly in order for the solution to function properly. As discussed in Chapter 4, Asynchronous Transfer Mode (ATM) is DSL's underlying technology. As the PPPoE name implies, Point-to-Point Protocol (PPP) and Ethernet both play a significant role as well. DSL is a Layer 1 access methodology that relies on multiple Layer 2 protocols in order to function properly. The Layer 1...

Configure the PPPoE DSL Dialer Interface

The dialer interface is the DSL provider-facing component of the CPE router. Example 5-3 demonstrates how to configure the basic elements of the dialer interface.
Example 5-3 Configuring the Dialer Interface
interface Dialer0
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
This configuration specifies that the dialer interface should get its IP address from the provider's DHCP server while specifying the upstream MTU and setting the interface encapsulation to PPP. Finally, the...

Configuring a Site-to-Site VPN in SDM

To configure site-to-site VPNs in SDM, start by clicking the Configure button at the top of the screen to display the Configure page, shown in Figure 13-11. On the left side of this window is the Tasks bar, which lists all the configuration options, described next:
Interfaces and Connections: Used to create and edit interfaces on the router.
Firewall and ACL: Used to create and edit basic (inside and outside) and advanced (inside, outside, and DMZ) firewall configurations in the router.
VPN: Used...

Configuring DSL Access with PPPoA

With the discussion of PPPoE covered in Chapter 5, some of the information presented here is redundant. This is to be expected with two fairly similar technologies. However, in the interest of reducing the amount of page turning, some of the covered information is offered once again as review. PPPoA is a technology based on the ability of the customer premises equipment (CPE) to offer a native Asynchronous Transfer Mode (ATM)-capable interface as the provider-facing interface. As with PPPoE,...

Configuring Frame Mode MPLS

Multiprotocol Label Switching (MPLS) is experiencing a rapid expansion in deployment throughout the service provider and enterprise networking industries. The move to a Layer 3 WAN has allowed the offering of applications and services thought impossible up to now. This fits well with the Service-Oriented Network Architecture (SONA) framework in that the same applications and services offered at central or headquarters sites can now be easily extended to the branch office, the home office, and...

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact U.S. Corporate and Government Sales. For sales outside the United States, please contact International Sales at international@pearsoned.com.

Creating a Site-to-Site IPsec VPN

There are five generic steps in the lifecycle of any IPsec VPN. The steps described here are applied specifically to site-to-site VPNs, but these steps are true whenever any two endpoints wish to establish an IPsec VPN between them. The five steps in the life of an IPsec VPN are as follows:
Step 1 Specify interesting traffic.
Step 5 IPsec tunnel termination.
Each of these steps is detailed in the following sections. Some of these steps should be familiar from Chapter 12, IPsec Overview, where...

Data Center Architecture

The data center is a key point in the evolution of the network. It is rapidly evolving to take in more and more service-oriented functions. The move toward a dynamic, demand-based service offering dictates that the network be aware of server and application health at all times. This health information is then used to take appropriate action, making incremental increases in service resources that are available to a particular application or service. This can be the addition of virtual servers,...

Data Transmission

DOCSIS has a number of components that comprise its architecture. These include:
Cable modem termination system (CMTS): The CMTS usually resides in the headend. The CMTS modulates the signal to the cable modem (CM) and demodulates the CM response.
Cable modem (CM): The CM is a CPE device that terminates as well as performs modulation and demodulation of signals to and from the CMTS. Typical transmission speeds for CMs range from 1.5 to 6 Mbps.
Back office services: Services such as TFTP (for...

Digital Signals over RF Channels

Cable specifications are defined by a document known as Data-over-Cable Service Interface Specifications (DOCSIS). DOCSIS is an international standard developed by CableLabs, a nonprofit organization and development consortium dedicated to cable-related technologies. Founded in 1988, CableLabs is essentially charged with the testing and certification of cable technology access equipment such as cable modems and CMTS. The organization makes decisions on standardization and grants for DOCSIS...

Discovery Phase

To initiate a PPPoE session, the CPE router must first perform Discovery to identify the MAC address of the device to which it must build a peer relationship. It must establish a PPPoE SESSION_ID. The Discovery process is inherently a client/server relationship. During Discovery, a router discovers the provider access concentrator. Discovery allows the CPE router to discover all available aggregation resources, and then select one. Upon successful completion, both the CPE router and the...

DMT

DMT describes a version of multicarrier DSL modulation in which incoming data is collected and then distributed over a large number of small individual carriers, each of which uses a form of QAM modulation. DMT is a form of orthogonal frequency-division multiplexing (OFDM) called coded OFDM. This is essentially a very technical name for the use of multiple, independent subchannels within a larger channel (RF range), which can be brought up or taken down dynamically with no effect whatsoever on...

Do I Know This Already Quiz

The purpose of the Do I Know This Already quiz is to help you decide whether you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 7-question quiz, derived from the major sections in the Foundation Topics portion of the chapter, helps you to determine how to spend your limited study time. Table 6-1 outlines the major topics discussed in this chapter and the Do I Know This Already quiz...

DSL Connection Troubleshooting

In the internetworking industry, it seems that there are more problems to be addressed than there are technologies to cause them. At times, it may be that correcting one problem simply gives rise to another. With proper monitoring and proactive network management practices in place, the vast majority of network problems can be addressed and resolved before they ever become anything one might classify as a problem. This gives the IT staff the ability to reduce downtime and/or service-impacting...

DSL Variants

DSL is available in a number of so-called flavors. Though different in practice or deployment, each of these flavors inevitably falls into one of the following classifications of DSL service:
Asymmetrical DSL (ADSL): Communication in which differing transmission speeds are used for downstream and upstream signals. Typically, downstream speeds tend to be higher than upstream speeds.
Symmetrical DSL (SDSL): Communication in which identical transmission speeds are used for downstream and upstream...

Easy VPN Connection Establishment

Easy VPN connectivity is relatively straightforward. The configuration and connection phases are subject to certain restrictions as listed in the previous section. The Cisco Easy VPN Remote feature supports a two-stage process for client/server authentication:
Stage 1 is Group Level Authentication, which represents a portion of the channel creation process. During this stage, two types of authentication can be used, either preshared keys or digital certificates.
Stage 2 of the authentication is...

Easy VPN Remote

Cisco Easy VPN Remote enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3000 series hardware/software clients to act as remote VPN Clients. They receive security policies from an Easy VPN Server. This minimizes the need for manual configuration tasks. Easy VPN Remote provides for automated, centralized management of the following:
Tunnel parameter negotiation (addresses, algorithms, and duration)
Tunnel establishment according to set parameters
Automatic creation of Network Address...

Easy VPN Server Configuration

To configure the Easy VPN Server, some amount of information gathering is necessary. The information necessary includes the user's account information, any required enable secret passwords, AAA configuration (if not already done), and the configuration of the Easy VPN Server itself. The configuration can be done through the traditional command-line interface (CLI) or through the Security Device Manager (SDM) interface of the router itself. SDM provides a graphical, web-based interface for...

Easy VPN Server Requirements

To implement Easy VPN Remote capabilities, a number of prerequisite guidelines must be met. The Cisco Easy VPN Remote feature requires that the destination peer be a Cisco Easy VPN Server or VPN Concentrator that supports the Cisco Easy VPN Server feature. Essentially, the hardware and software feature sets must be those capable of performing the roles and functions of the Easy VPN solution. To that end, a minimum Cisco IOS version is required as follows:
Cisco 831, 836, 837, 851, 857, 871, 876,...

Easy VPN User Authentication

Now that the SA is accepted and the device is authenticated, a challenge is issued according to the configured methodology. If the Easy VPN Server is configured (as is typical) for Xauth, the VPN Client will wait for a username/password challenge. Obviously, some input from the user is required at this point. The username and password are entered upon receipt of the prompt. This information is checked against some authentication entity, be it local authentication or some combination of TACACS,...

Encryption Algorithms

Encryption is simply a mathematical algorithm and a key applied to data to make the contents unreadable to everyone except those who have the ability to decrypt it. Ideally, encrypted data can be decrypted only with the proper key. Thus, the strength of the cipher text (encrypted data) is based on the complexity of the encryption algorithm and the size of the key used to encrypt the data. There are two types of encryption algorithms available: symmetric and asymmetric. Symmetric encryption...

Enterprise Architecture Framework

SONA was assembled to address the needs of today's enterprise networks and provide a map of how they can evolve into an IIN. To maintain the SONA mindset, Figure 2-1 repeats the illustration of the SONA model from Chapter 1.
Figure 2-1 (SONA model illustration; labels shown in the figure: Middleware and Application Platforms, Advanced Analytics and Decision Support, Voice and Collaboration Services, Compute Services, Network Infrastructure Virtualization, Infrastructure Management)
As is evident in Figure 2-1, SONA encompasses a number of architectures at the...

Enterprise Edge Architecture

The enterprise edge is evolving with the need to provide more and higher-level security features as a first line of defense for the network. This is true of both internal- and external-facing server farms and services. Figure 1-6 illustrates the enterprise edge architecture.
Figure 1-6 Enterprise Edge Architecture
A number of server farms may be supported, each varying in function from demilitarized zone (DMZ) functions for internal or external users...

Establishing an ISAKMP SA

When a VPN Client attempts to establish an SA between peers, it sends multiple ISAKMP proposals to the Easy VPN Server. As mentioned previously, Easy VPN supports only group 2 ISAKMP policy. The VPN Client attempts to establish an SA between the peer IP addresses through the transmission of multiple ISAKMP proposals to the Easy VPN Server. To reduce the amount of manual configuration of devices necessary to implement and support the Easy VPN solution, ISAKMP proposals include multiple...

Failover Strategies

The best redundancy plans cannot be executed if the failure state cannot be recognized. There are two ways that IPsec failover can be executed:
Stateless: In a stateless environment, redundant logical connections (IPsec VPN tunnels) are used to provide primary and backup paths. The use of the paths is determined by message exchanges between the peers, or a determination by the end devices on which path to use. The state of the IPsec VPN tunnels is not known. Traffic is sent across the backup...

Failure Mitigation

Each of the failure sources mentioned earlier can be mitigated by employing one or more redundancy mechanisms. It is important to remember that the greater the level of high availability in the network, the greater the implementation cost. The primary failure points and some preventive solutions are as follows:
Access link failure: To overcome the loss of an access link, multiple interfaces and devices can be used. A single IPsec VPN endpoint could have multiple interfaces, multiple interface...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at...

Foundation Summary

Potential network failure points and some of the ways to mitigate them include:
Access link: Use multiple interfaces and devices.
Remote peer: Use multiple interfaces and devices.
Device failure: Use duplicate interfaces and devices to help overcome a local failure. Having multiple diverse paths between endpoints helps avoid misbehaving devices beyond your administrative control.
Path failure: Use path redundancy to circumvent a path failure in an untrusted network.
Two ways that IPsec failover can...

Foundation Topics

The configuration of MPLS on a per-router basis is relatively straightforward. That is, the basic configuration is straightforward. There are a number of considerations that must be taken into account. These include the size of the network and the number of prefixes to be propagated. MPLS and its associated overhead may be a significant hit to the resources of a router. In a typical service provider model, the router should expect to hold the full Internet routing table, which is well in excess...

Frame Mode MPLS

The term frame mode MPLS essentially denotes the use of MPLS with Ethernet-encapsulated or other frame-based-encapsulated interfaces. It does not include ATM-encapsulated interfaces. ATM uses cell mode MPLS and has a unique set of requirements due to the lack of a flexible framing structure. When a PE router receives a packet, it has a decision to make just like any other router. If the outbound interface is an MPLS-enabled interface, the router must impose the label and encapsulate the packet...

Further Label Allocation

They route and they switch and they forward. It seems that these terms have evolved into synonyms of a sort in recent years. The job of a router is to find paths and make use of them. When MPLS has a path from point A to point B, a label-switched path (LSP) is created. The LSP is essentially a tunnel between source and destination for a particular FEC. Zooming out, it would look more like a tunnel with many forks in the road, because it is feasible for two FECs to share a...

GRE Characteristics

The initial power of GRE was that anything could be encapsulated into it. The primary use of GRE was to carry non-IP packets through an IP network; however, GRE was also used to carry IP packets through an IP cloud. Used this way, the original IP header is buried inside of the GRE header and hidden from prying eyes. The generic characteristics of a GRE tunnel are as follows:
A GRE tunnel is similar to an IPsec tunnel because the original packet is wrapped inside of an outer shell.
GRE is...

GRE Header

The GRE header itself contains 4 bytes, which represent the minimum size of GRE header with no added options. The first pair of bytes (bits 0 through 15) contains the flags that indicate the presence of GRE options. Such options, if active, add additional overhead to the GRE header. The second pair of bytes is the protocol field and indicates the type of data that is carried in the GRE tunnel. Table 14-2 describes the GRE header options. Adds a 4-byte checksum field to the GRE header after the...

IKE Phase

During the initial step of the connection attempt, the IKE phase 1 process is initiated. There are two separate manners in which authentication can be performed when initiating IKE phase 1:
Use of a preshared key for authentication: The VPN Client initiates aggressive mode. Each peer is aware of the key of the other peer. Preshared keys are visible in the running-config of the router or VPN device on which they reside. With this in mind, an optional encrypted preshared key option is available. An...

Infrastructure Options

Consider the number of applications used daily by the typical network user. It doesn't take long for the application count to get into double-digits. That said, now consider those applications and services that are actually relevant to the business at hand for a given job position or function, specifically those applications and services that are critical for one to do the job for which they were hired. Once again, it remains rather easy to get to a significant number of items on the list. What...

Integrated Services for Secure Remote Access

The cost of providing voice and data services to all users who require them has traditionally been exceedingly high. This has made the business case for opening branch offices a rather difficult one to make. The office required a small PBX or key system to provide telephony and a router to provide data connectivity. This often required two separate departments to maintain services at a single branch office. Add to that equation the need for a third department for support and maintenance of user...

IPsec High Availability Options

Redundancy is typically found at various spots throughout networks. Because any path or component has the potential to fail, an alternate solution ensures that data continues to flow from one point to another. However, redundancy does come with a price. The configuration of additional paths could imply that such paths must be procured from the provider, and such paths are not free. To avoid a hardware failure, additional hardware must be procured and installed. To avoid a cable cut catastrophe,...

IPsec Overview

IP Security, or IPsec, has been in use for a number of years now to protect sensitive data as it flows from one location to another. The evolution of corporate communications has changed the way that private data is exchanged and maintained. Most companies have distributed resources and personnel. It is important that corporate data remains private during transit. IPsec offers a standards-based mechanism to provide such secure data transmission. Typically, IPsec is associated with Virtual...

Isolating Data Link Layer Issues

Once the physical layer is happily doing its job, the DSL connection will train up and negotiate upstream and downstream channels. With PPPoA and PPPoE, additional functions must take place at Layer 2 to get the connectivity established. The DSL router will negotiate an ATM PVC. It may be more accurate to say that the DSL router will be automatically configured with an ATM PVC. It is not so much a negotiation function, but simply a provisioning function. Most routers have a debugging capability...

Isolating Physical Layer Issues

The OSI reference model was created in layers so that it would be modular and more easily implemented. In essence, it boils down to a simple assembly-line function. Each layer is responsible only for its own little job function. This function includes a means of passing the payload to the layer above, below, or adjacent. The adjacent layer is its twin on the remote host. With that in mind, it stands to reason that no higher layer may function unless the layer below it is functioning fully and...

Keeping the Head on Straight

There is also the rare occurrence of a cable pinout issue. If the phone cable has been incorrectly terminated or the cable head crimped with wires in the wrong order, no connection will be established. An RJ-11 standard connector is a 6-pin connector. A typical phone cord uses only four wires, sometimes only two. The wires on a typical 4-wire phone cord use a different color for each wire (red, green, black, and yellow). Typically, red/green are the inner pair and black/yellow are the outer...

Label Allocation in Frame Mode MPLS Networks

Over the course of Chapter 8 and a good portion of this chapter, the forwarding process has been discussed. In each discussion, a new facet of information has been added to the overall discussion to expand comprehension. This section serves to bring together the concepts discussed up to this point. The traditional functions of both routed and routing protocols are leveraged in an MPLS environment. While it should be understood that MPLS is Layer 3 protocol independent, the discussions herein...

Label Stacks

Label stacks can be roughly compared to encapsulation of IP inside IP, such as what occurs in a generic routing encapsulation (GRE) tunnel carrying IP traffic. Essentially, this amounts to IP over IP. For each packet in the tunnel, there are two IP headers, yet only the first one is used in making routing decisions that is, until the packet reaches the tunnel destination. At that point, the extra IP header is no longer of any use and is stripped away. Label stacks function in much the same...

Label Switching Routers

As discussed in Chapter 8, MPLS forwarding is performed by devices capable of performing a label lookup and replacement. Such a device either cannot analyze network layer headers or cannot do so at adequate speed. The nomenclature and purpose of individual devices are based on their architectural position in the MPLS domain. In the purest definition, an LSR is an MPLS node that is capable of forwarding native Layer 3 packets based on the labels imposed on each packet. LSRs must have the capability...

Launch the GRE over IPsec Wizard

The GRE over IPsec wizard is accessed from the same window that started the Site-to-Site VPN wizard as seen in Chapter 13. Figure 14-5 shows how to access the GRE over IPsec wizard. Similar to how the Site-to-Site VPN Wizard was initiated in Chapter 13, the GRE over IPsec wizard is accessed as follows: Step 1: Click the Configure button at the top of the window. Step 2: Click the VPN button in the Tasks bar on the left. Step 3: Click the Site-to-Site VPN option at the top of the menu. Step 4: Click...

Layer 1 Anatomy

There are typically two distinct functions performed at Layer 1. These usually include some form of transmission convergence (TC) sublayer and a physical medium dependent (PMD) sublayer. They sound quite technical but all they really mean is that the bits have to be placed in a particular order as per protocol between the endpoints and that the bits must be transmitted. The process of placing the bits in a formalized, predetermined order is known as framing. The process of actually transmitting...

Layers of Trouble to Shoot

The preferred method of troubleshooting is known as bottom-up troubleshooting. The bottom-up approach to troubleshooting is a direct reference to the OSI reference model. As with the planning, design, and implementation steps involved in building a network infrastructure, the OSI reference model plays a very important part in troubleshooting issues that arise. Troubleshooting is a game of layers and logic. Different people are capable of exercising varying degrees of ability with both. It is...

Monitoring the IPsec VPN Tunnel

There are a variety of ways to monitor an IPsec VPN tunnel in a Cisco router. This section explores how to accomplish this both from SDM and with the IOS CLI. In SDM, all monitor options are performed from the Monitor page. Click the Monitor button at the top of any SDM screen to enter this page. Figure 13-18 shows the Monitor page. The Tasks bar options on the left of the screen change to the following: Overview: Displays a generic status of the router, including CPU and memory usage, as well as...

MPLS Architecture

Multiprotocol Label Switching (MPLS) is growing in popularity as a technological replacement for traditional WAN deployments. MPLS provides a fully Layer 3 environment and the ability to fully mesh sites across WAN connections. This is an immense advance in terms of latency reduction and topological resilience. MPLS extends the reach of the enterprise network across the provider network. This includes routing information as well as quality of service (QoS) protection of critical network traffic...

MPLS Components

Chapter 8 covered most of the terminology involved with MPLS. However, not all of the concepts were touched upon. It is doubtful that any one or two chapters could cover MPLS technology completely and remain within the scope of the exam topic coverage. In terms of underlying architecture, MPLS has separated traditional routing mechanisms into two major components: Control plane: Maintains routing and label information exchange between adjacent devices. Data plane: Forwards traffic based on...

MPLS VPN Architecture

To properly understand MPLS VPNs as a solution, it is important to understand the problem. MPLS VPNs are a Layer 3 WAN solution to an age-old Layer 2 WAN problem; that is, the quest to provide any-to-any connectivity among sites in a cost-efficient manner. In the past, WAN architects struggled with topological design principles that amounted to choosing the least of all evils. A full mesh topology was too expensive but most robust. A hub-and-spoke topology was least expensive but least robust. A...

MPLS VPNs

The MPLS VPN takes the best aspects of overlay VPNs and the best aspects of peer-to-peer VPNs and assembles them into a single product offering. MPLS VPNs are essentially peer-to-peer VPN implementations. Each customer's routing information is kept securely separate from every other customer's routing information through the use of a route distinguisher (RD) that is unique to a particular customer. The use of the RD allows the provider to give each customer a logically separate PE router,...

Pedagogical Approach

Retention and recall are the two features of human memory most closely related to performance on tests. This exam preparation guide focuses on increasing both retention and recall of the topics on the exam. The other human characteristic involved in successfully passing the exam is intelligence; this book does not address that issue. Adult retention is typically less than that of children. For example, it is common for 4-year-olds to pick up basic language skills in a new country faster than...

Peer-to-Peer VPNs

The introduction of a peer-to-peer VPN causes the service provider to take a more active role in the routing operations of its customer base. This means that the service provider will be maintaining customer routing information stored in a separate routing instance within its network. The customer edge (CE) router exchanges routing information not with the far-end CE router, but with the local provider edge (PE) router. These routes are conveyed across the provider network to other CE routers....
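The following PE router configuration is an added example and is not taken from the book. It shows how the route distinguisher and route targets from the MPLS VPNs section, and the CE-to-PE routing exchange of the peer-to-peer model described here, are expressed in IOS, and which show commands expose the two-label stack from the Label Stacks section. The AS numbers, RD/RT values, VRF name, addresses, and BGP password are hypothetical, and the MPLS core (CEF, LDP, and the IGP) is assumed to be configured already.

```cisco
! Added example, not the book's configuration. PE router for one customer.
! Hypothetical: provider AS 65000, customer CUST-A in AS 65100, RD/RT 65000:100,
! PE loopbacks 10.0.0.1 (this PE) and 10.0.0.2 (remote PE).
!
! The VRF is the "logically separate PE router" the customer sees. The RD is
! prepended to every IPv4 prefix (RD + IPv4 = VPNv4), so 10.1.1.0/24 from this
! customer cannot collide with 10.1.1.0/24 from another. The route targets,
! not the RD, decide which VRFs import and export the routes.
ip vrf CUST-A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
! CE-facing interface placed in the VRF: its routes go into the customer's own
! routing table, never into the global table.
interface GigabitEthernet0/1
 description CE of CUST-A
 ip vrf forwarding CUST-A
 ip address 192.168.100.1 255.255.255.252
!
! MP-BGP between PEs carries the VPNv4 prefixes plus the VPN label, which is the
! inner label of the two-label stack; the IGP/LDP label to the remote PE is the outer.
router bgp 65000
 bgp router-id 10.0.0.1
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 update-source Loopback0
 address-family vpnv4
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 send-community extended
 exit-address-family
 !
 ! PE-CE routing: the CE peers with the local PE only (peer-to-peer model).
 ! Cap and authenticate what one customer can inject into the provider's tables.
 address-family ipv4 vrf CUST-A
  neighbor 192.168.100.2 remote-as 65100
  neighbor 192.168.100.2 activate
  neighbor 192.168.100.2 maximum-prefix 500 restart 5
  neighbor 192.168.100.2 password 0 ce-pe-secret
 exit-address-family
!
! Verification:
!  show ip vrf detail CUST-A               - RD and import/export route targets
!  show ip route vrf CUST-A                - the customer's private routing table
!  show ip bgp vpnv4 vrf CUST-A            - VPNv4 prefixes carrying this RD
!  show ip bgp vpnv4 all labels            - inner (VPN) label per prefix
!  show ip cef vrf CUST-A 10.2.2.0 detail  - full label stack imposed on packets
!  ping vrf CUST-A 10.2.2.1                - reachability tested from inside the VRF
```

Checking `show ip cef vrf CUST-A <remote prefix> detail` on the PE is the quickest way to see the label stack concept from the Label Stacks section in practice: the outer label is the one the core swaps hop by hop, and the inner label is untouched until the remote PE pops it.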

Playing with Colors

Another logical starting point is with the most useful troubleshooting tool ever created, the trusty old light emitting diode (LED). Look at the front of the DSL modem or router and check the LED states. Many hours of troubleshooting have been avoided by the mantra of the network technician, "Green is good." That is to say that on the front of the DSL router or modem, there should be a Carrier Detect (CD) LED. When training, it may flash, but when connected properly, it will be solid and green. If...

PPP Background

PPP (RFC 1661) provides a standard method of encapsulating higher-layer protocols across point-to-point connections. It extends the High-Level Data Link Control (HDLC) frame structure with a 16-bit protocol identifier that describes the content of the frame. PPP carries three kinds of traffic: Link Control Protocol (LCP), which negotiates link parameters such as packet size and the type of authentication; Network Control Protocols (NCPs), one per higher-layer protocol (for example, IPCP for IP), which configure that protocol over the link; and data frames, which contain user data. PPP has a...
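The following is an added example, not configuration from the book: a serial link running PPP with CHAP authentication on both routers, with the show and debug commands that expose the LCP and NCP phases just described. The hostnames R1 and R2, the addresses, and the shared secret are hypothetical.

```cisco
! Added example, not the book's: PPP with CHAP on a point-to-point serial link.
! Hypothetical hostnames, addresses and secret.
!
! ===== R1 =====
hostname R1
! CHAP needs the cleartext secret to compute MD5(id + secret + challenge), so the
! entry must be a reversible "password", not a hashed "secret". Obscure it in the
! running configuration with service password-encryption.
service password-encryption
username R2 password 0 ChapSecret-ChangeMe
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.252
 encapsulation ppp
 ! LCP phase: require CHAP. Do not list "pap" as a fallback; PAP sends the
 ! password in cleartext. Only after authentication succeeds does the IP NCP
 ! (IPCP) open and bring up the network layer.
 ppp authentication chap
 ! LCP echo requests every 10 s keep the link state honest
 keepalive 10
!
! ===== R2 =====
hostname R2
service password-encryption
username R1 password 0 ChapSecret-ChangeMe
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 keepalive 10
!
! Verification (either router):
!  show interfaces serial 0/0   - "LCP Open" followed by "Open: IPCP, CDPCP" once
!                                 authentication and NCP negotiation succeed;
!                                 "LCP Closed" or "LCP Listen" means LCP or CHAP failed
!  debug ppp authentication     - CHALLENGE / RESPONSE / SUCCESS (or FAILURE)
!  debug ppp negotiation        - each LCP option, then the IPCP exchange
```

Because CHAP repeats the challenge during the life of the link, a peer that is later reconfigured with the wrong secret drops out at the next challenge rather than staying connected, which is visible as the interface falling back from "LCP Open" in show interfaces.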

Provisioning Cable Modems

Cable modem provisioning can seem a bit daunting when compared with other technologies. There are several steps involved in the process. The headend CMTS must have operational provisioning servers such as DHCP and TFTP in order for IP addressing and configuration files to be provided. The steps defined by DOCSIS are as follows: Step 1: Downstream setup. At power-on, the cable modem scans and locks the downstream path for the allocated RF data channel in order for the physical and data link layers to...

Public Key Infrastructure

A public key infrastructure (PKI) is the progression of the key exchange and maintenance concepts discussed throughout this chapter. A PKI provides a hierarchical framework for managing the security attributes of entities who engage in secure communications across a network. Such entities can be all of the IPsec devices mentioned throughout this chapter, as well as the people who use those devices. The PKI consists of a number of elements, which are also network entities: Peers: Devices and...
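The following is an added example and not configuration from the book: it enrolls an IOS router with a CA so that IKE phase 1 can authenticate peers with RSA signatures (certificates) instead of pre-shared keys. The CA URL, trustpoint name, key label, hostname, domain, and NTP server are hypothetical; SCEP enrollment is assumed.

```cisco
! Added example, not the book's. IOS router as a PKI peer.
! Hypothetical: CA at http://ca.example.net, trustpoint CORP-CA, key label VPN-KEY.
!
! The FQDN goes into the certificate subject, so hostname and domain are required.
hostname vpn-gw1
ip domain name example.net
!
! Certificates have validity periods; a router with a wrong clock rejects valid
! certificates or accepts expired ones. Set the clock from a trusted source.
ntp server 192.0.2.10
!
! 1. Generate the RSA key pair whose possession the router will prove (EXEC mode):
!    crypto key generate rsa label VPN-KEY modulus 2048
!
! 2. Describe the CA and how to reach it.
crypto pki trustpoint CORP-CA
 enrollment url http://ca.example.net:80
 subject-name CN=vpn-gw1.example.net,O=Example
 rsakeypair VPN-KEY
 ! Check the CRL on every peer authentication: a revoked peer certificate must
 ! be refused. "revocation-check none" disables this and should not be used
 ! for production peers.
 revocation-check crl
!
! 3. EXEC steps, in this order:
!    crypto pki authenticate CORP-CA  - downloads the CA certificate. Compare the
!                                       fingerprint IOS prints with one obtained
!                                       out of band BEFORE answering "yes"; this is
!                                       the trust anchor for every later peer.
!    crypto pki enroll CORP-CA        - sends the certificate request and installs
!                                       the router certificate the CA returns.
!
! 4. Make IKE phase 1 use the certificate rather than a pre-shared key.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 5
!
! Verification:
!  show crypto pki certificates   - CA certificate and router certificate,
!                                   subject, issuer, validity dates
!  show crypto pki trustpoints    - trustpoint state and enrollment URL
!  show crypto key mypubkey rsa   - the public half of VPN-KEY
```

Peers that will authenticate each other only need to trust the same CA; no per-peer `crypto isakmp key` entry is required, which is what makes certificates scale better than pre-shared keys as the number of IPsec devices grows.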

Q&A

The questions and scenarios in this book are designed to be challenging and to make sure that you know the answer. Rather than allowing you to derive the answers from clues hidden inside the questions themselves, the questions challenge your understanding and recall of the subject. Hopefully, mastering these questions will help you limit the number of exam questions on which you narrow your choices to two options, and then guess. You can find the answers to these questions in Appendix A. For...

Router Switching Mechanisms

The underlying mechanism for MPLS switching is provided in Cisco IOS Software by Cisco Express Forwarding (CEF). To understand the evolution of CEF, a short discussion of other IOS switching mechanisms is in order: Process switching: Each packet is processed individually, and a full routing table lookup is performed prior to packet dispatch. This is the slowest and most resource-intensive method of packet forwarding. Cache-driven switching: Packet destinations are stored in memory and used for...
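The following configuration is an added example, not the book's own; it puts together the pieces from the Label Allocation in Frame Mode MPLS Networks, MPLS Components, and Router Switching Mechanisms sections on a single LSR: CEF as the switching mechanism, an IGP for the control plane, LDP for label allocation, and the show commands that separate the control-plane LIB from the data-plane LFIB. The router IDs, addresses, interface names, OSPF process number, and LDP password are hypothetical, and an OSPF-based frame-mode core is assumed.

```cisco
! Added example, not the book's configuration. One LSR in a frame-mode core.
! Hypothetical addresses, names and password.
!
! Control plane, part 1: the IGP that learns the prefixes labels will be bound to.
router ospf 1
 router-id 10.0.0.1
 network 10.0.0.0 0.0.255.255 area 0
!
! CEF is mandatory. The LFIB is derived from the CEF FIB; without "ip cef",
! "mpls ip" on an interface binds no labels and forwarding falls back to
! process switching.
ip cef
!
! Control plane, part 2: LDP distributes the labels. Force LDP (not TDP) and
! pin the LDP router ID to a loopback so sessions survive a link flap.
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Data plane: label switching is enabled per core-facing interface.
interface GigabitEthernet0/0
 description to P router
 ip address 10.0.12.1 255.255.255.252
 mpls ip
 ! Each label is 4 bytes; allow for an IGP label plus a VPN label (8 bytes)
 ! so 1500-byte payloads are not fragmented inside the core.
 mpls mtu 1508
!
! LDP sessions run over TCP; authenticate them so a rogue device on the segment
! cannot inject label bindings.
mpls ldp neighbor 10.0.0.2 password 0 ldp-secret
!
! Verification, control plane versus data plane:
!  show ip cef                       - CEF is on and the FIB is populated
!  show mpls ldp neighbor            - LDP session state with each peer
!  show mpls ldp bindings            - LIB: every label learned from every peer
!  show mpls forwarding-table        - LFIB: only the labels actually used to forward
!  show ip cef 10.0.0.2/32 detail    - FIB entry with the outgoing label it imposes
!  show mpls interfaces              - interfaces with "mpls ip" and their MPLS MTU
```

The difference between the two tables is the control/data plane split in practice: `show mpls ldp bindings` lists a label from every neighbor for each prefix, while `show mpls forwarding-table` keeps only the one from the neighbor the IGP chose as next hop.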

Secure GRE Tunnels

GRE over IPsec implies that the GRE packet sits higher in the stack than the IPsec portion, similar to how TCP/IP is represented: TCP is at Layer 4, while IP is at Layer 3. When laid out graphically, the TCP portion is inside the IP part. The same is true with GRE over IPsec. The original packet is the innermost layer. Then the GRE wrapper appears. Finally, the IPsec portion is added for security. Figure 14-3 shows the GRE over IPsec packet format. Figure 14-3 GRE over IPsec Packet...

Security Device Manager Features and Interface

Cisco has a web-based configuration tool that permits virtually all IOS features to be configured without accessing the command-line interface (CLI). This tool is called the Cisco Router and Security Device Manager (SDM). This section provides an overview of the SDM tool, and the section that follows explains how to configure site-to-site IPsec VPNs using the tool. SDM is embedded within a variety of IOS-based routers. The 800 through 3800 series routers benefit from this free tool, which is...
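The following is an added example, not configuration from the book: the router-side prerequisites for reaching SDM, with the router's web server restricted so that the management interface does not become the easiest way in. The management subnet, username, and domain name are hypothetical.

```cisco
! Added example, not the book's. Router-side setup for SDM access.
! Hypothetical: management subnet 10.10.10.0/24, admin user "netadmin".
!
! SDM logs in with a privilege-15 user. Store it with a hashed "secret",
! never a reversible "password".
username netadmin privilege 15 secret S3cureSDM-ChangeMe
!
! HTTPS only. SDM works over HTTPS; refuse cleartext HTTP so the credentials
! and the configuration never cross the network unencrypted.
no ip http server
ip http secure-server
ip http authentication local
!
! Only the management subnet may reach the web server at all.
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny any log
ip http access-class 10
!
! Drop idle and long-lived HTTP sessions.
ip http timeout-policy idle 300 life 3600 requests 100
!
! SDM also opens a terminal session to deliver some commands; allow SSHv2 only
! (RSA key generated in EXEC mode: crypto key generate rsa modulus 2048).
ip domain name example.net
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
 access-class 10 in
!
! Verification:
!  show ip http server status          - HTTP disabled, HTTPS enabled, ACL applied
!  show ip http server secure status   - certificate and TLS settings in use
!  show users                          - who currently holds a session
```

Leaving `ip http server` enabled with the default authentication is the mistake this guards against: SDM does not need it, and anything that can reach the router could then log in with the enable password over cleartext HTTP.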

Site-to-Site IPsec Configuration Steps

Now that the components of a site-to-site IPsec VPN are understood, it is time to configure the secure connection using the Cisco IOS. There are five steps in the IPsec lifecycle (interesting traffic, IKE phase 1, IKE phase 2, secure data transfer, tunnel termination). However, not all of those steps require configuration. Thus, there cannot be a direct 1:1 map between IPsec steps and configuration steps. The six steps necessary to configure a site-to-site IPsec VPN are as follows: Step 1...

Site-to-Site VPN Operations

The growth of the Internet has spawned the use of site-to-site VPNs. Prior to widespread adoption of the Internet, remote sites were connected to each other or back to a central location via point-to-point connections or virtual circuits. Because virtually every location has an Internet connection today, connectivity to virtually anywhere is possible. Secure connectivity is achieved through the use of IPsec VPNs. Site-to-site VPNs are typically used to connect a remote office back to the...

Site-to-Site VPN Overview

Even before the remarkable growth of the Internet, corporations had deployed remote offices, dispersed data centers, and established global operations. Before the Internet was embraced as a trusted conduit to fulfill such corporate communications requirements, however, carriers were called upon to provide local, regional, national, and international circuits between locations. Figure 13-1 shows two corporate sites connected the old way. Figure 13-1 Carrier-Provided Circuits Figure 13-1...

SOHO Site

SOHO sites typically are single-user sites but may include several employees. In any event, these are the smallest sites. A smaller size does not equate to a smaller need for access to applications and services. Although providing those services from a central or branch office site to the SOHO site might be more challenging, doing so is still a crucial factor in ensuring business success. SOHO sites will likely access resources at multiple other sites including branch offices and the central...

Sources of Failures

The network has a number of possible points vulnerable to failure. Remember that an IPsec VPN is an end-to-end connection. It typically travels across untrusted networks (such as the Internet) and through many different network devices. The loss of any one of these components can cause the IPsec VPN to fail. Such potential failure points include the following: Access link failure: This could include the failure of a physical interface on any transit network device (although the access link is typically seen at...

Standard IP Switching

In terms of process and cache-driven switching, the routing process is relatively straightforward. Within the enterprise network, an Interior Gateway Protocol (IGP) will be used. To connect to an external autonomous system (AS), an Exterior Gateway Protocol (EGP) is used. In most cases, the selected EGP is the Border Gateway Protocol (BGP). To advertise reachability to enterprise prefixes, routes are redistributed between the two entities, so long as the routes in question are outside the...

Step 1 Configure the ISAKMP Policy

Configuration of the ISAKMP policy basically maps to IKE phase 1, described earlier. Remember that IKE phase 1 establishes a secure bidirectional tunnel that is used to negotiate the IPsec SAs and exchange their keys. The following list is a reminder of the IKE phase 1 parameters: IKE encryption algorithm (DES, 3DES, or AES); IKE hash algorithm (MD5 or SHA-1); IKE authentication method (preshared keys, RSA signatures, or RSA encrypted nonces); Diffie-Hellman group (1, 2, or 5); and IKE tunnel lifetime (time and/or byte count). Figure 13-6 shows...

Step 1 Create the GRE Tunnel

The first part of the GRE over IPsec tunnel is the GRE tunnel. Figure 14-3 showed the various layers within the GRE over IPsec tunnel. The original IP packet is the innermost portion. Next comes the GRE layer. Figure 14-6 shows the GRE Tunnel Information window. The GRE Tunnel Information window is the first configuration window of the Secure GRE Wizard. There are two sets of IP addresses that are applied to the GRE tunnel interface: the tunnel source and destination (at the top of the window)...

Step 1 Specify Interesting Traffic

Interesting traffic is better thought of as traffic that must be protected by the IPsec VPN. When an IPsec VPN tunnel exists between two sites, traffic that is considered interesting is sent securely through the VPN to the remote location. Once inside the VPN, the data is safe until it reaches the other end of the tunnel. The traffic cannot be modified without detection, nor can it be read by anyone in the middle (if ESP is employed). In fact, such traffic can only travel to the other end of...

Step 2 Create a Backup GRE Tunnel

The Secure GRE Wizard offers the option to create a second GRE tunnel for survivability. If the GRE tunnel fails for any reason (for example, its tunnel destination becomes unreachable), then the protected path it provides fails also; the IPsec SAs that encrypt the GRE packets have nothing left to carry. A backup GRE tunnel provides stateless failover in the event of the loss of the primary GRE tunnel: nothing from the primary tunnel's SAs is preserved, and new SAs are negotiated for the backup. Figure 14-7 shows the Backup GRE Tunnel Information window. Because a backup GRE tunnel is an optional feature, you must check the Create a backup secure GRE tunnel for resilience box to activate this window....

Step 2 IKE Phase

Once the first packet deemed interesting arrives, the process of creating the site-to-site IPsec VPN tunnel commences. As already discussed in Chapter 12, IKE exchanges the security parameters and symmetric encryption keys used to create the IPsec tunnels that the data will eventually flow in. The second step in an IPsec VPN is the first phase of IKE. Remember that IKE phase 1 has two possible modes: main mode or aggressive mode. The basic purpose of either mode is identical, but the number of...

Step 4 Configure the Crypto

The final configuration is the crypto map, which ties the transform set and access list together and points them to a remote peer. The numbers 70 and 55 in each of the crypto maps are sequence numbers. Each map can have multiple entries, and the entries are evaluated numerically from the lowest to the highest number. Because only one crypto map can be applied to an interface, a router that has only a single interface yet multiple remote VPN peers must use a single crypto map with a unique entry for each peer. At the remote office, the crypto map...

Step 5 Apply the Crypto Map to the Interface

After the crypto map is successfully configured, it must be applied to an interface to be operational. Remember that the crypto map is a collection of the IP address of the remote peer, the interesting traffic that will flow through the IPsec tunnel, and the IPsec security parameters (transform set) that will be used to protect the data. Figure 13-8 shows the application of the crypto map to an interface. Figure 13-8 IPsec Interface Configuration (interfaces S2/1, 172.16.1.2, and S3/2, 10.1.3.2). Figure 13-8...

Step 5 IPsec Tunnel Termination

There are two events that can cause an IPsec tunnel to be terminated. As mentioned earlier, if the SA lifetime expires (time and/or byte count), then the tunnel must be torn down. However, if secure transfer is still needed between the two endpoints, then a new pair of SAs is normally created before the old set is retired. It is also possible to manually delete an IPsec tunnel. This is typically done by an administrator at either end of the IPsec connection. In most cases, the automatic...

Step 6 Configure the Interface ACL

In the examples shown thus far, the router connected to the Internet also served as the IPsec peer. It is likely that such an Internet-connected device would be a firewall in today's networks, although this is more of a guideline than a rule. In either case, it is important to permit IPsec packets so that IKE and IPsec SAs can be established. Typical Internet-facing devices block most packets that come toward them, unless the stream was initiated on the inside. Site-to-site IPsec VPN tunnels...
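The following is an added example, not configuration from the book or its figures. It carries the six configuration steps (ISAKMP policy, pre-shared key, transform set, crypto map, applying the map to the interface, and the interface ACL) through to a complete central-office side of a site-to-site IPsec VPN, and closes with the IOS CLI checks that correspond to the SDM Monitor page from the Monitoring the IPsec VPN Tunnel section. The addresses (203.0.113.x outside, 10.1.1.0/24 and 10.2.2.0/24 inside), names, sequence numbers, and the key are hypothetical; the remote office mirrors the configuration with the peer address and crypto ACL reversed.

```cisco
! Added example, not the book's configuration. Central office (CO) side.
! Hypothetical: CO outside 203.0.113.1, RO outside 203.0.113.2,
! CO inside 10.1.1.0/24, RO inside 10.2.2.0/24.
!
! Step 1: ISAKMP policy = IKE phase 1 parameters. Policies are tried lowest
! number first, so the strongest policy gets the lowest number.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
! Step 2: pre-shared key bound to this one peer. A 0.0.0.0 0.0.0.0 wildcard
! would let any source that knows the key bring up a tunnel.
crypto isakmp key 0 Long-Random-PSK-Change-Me address 203.0.113.2
!
! Step 3: transform set = IKE phase 2 / IPsec SA parameters. ESP provides both
! confidentiality and integrity; AH alone would leave the payload readable.
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Interesting traffic (crypto ACL). The remote peer needs the mirror image.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 4: crypto map entry (sequence 10) ties peer, transform set and ACL.
! A second peer gets sequence 20 in the same map: an interface takes one map.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES256-SHA
 set pfs group5
 match address VPN-TRAFFIC
!
! Step 6 (defined before it is applied: an ip access-group that names an ACL
! which does not exist yet permits everything). Let the peer's IKE and IPsec in:
! IKE = UDP/500, NAT-T = UDP/4500, ESP = IP protocol 50, AH = IP protocol 51.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 permit ahp host 203.0.113.2 host 203.0.113.1
 deny ip any any log
! On IOS releases that check the decrypted clear-text packets against the inbound
! interface ACL a second time, also add:
!  permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Step 5: apply crypto map and interface ACL to the Internet-facing interface.
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
!
! Verification (CLI counterpart of the SDM Monitor page):
!  ping 10.2.2.1 source 10.1.1.1    - the first interesting packet starts IKE
!  show crypto isakmp sa            - phase 1 SA; state QM_IDLE = phase 1 is up
!  show crypto ipsec sa             - phase 2 SAs; #pkts encaps and #pkts decaps
!                                     both rising = traffic flowing both ways;
!                                     encaps rising alone = the peer is not replying
!  show crypto session              - peer, IKE SA and IPsec SA status on one screen
!  show crypto map                  - peer, ACL and transform set actually in effect
!  debug crypto isakmp              - negotiation trace; turn off promptly (CPU)
!  clear crypto sa peer 203.0.113.2 - manual tunnel termination (phase 2);
!  clear crypto isakmp              - tears down the phase 1 SA as well
```

The `deny ip any any log` entry is deliberate: a source other than the peer hitting the IKE or ESP rules shows up in the log as a denied packet, which is the first sign that someone is probing the VPN endpoint.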

Step 6 Routing Information

Once both the GRE tunnel and the IPsec tunnels have been configured, the final step is to select a routing protocol to traverse the GRE tunnel. Remember that with a typical IPsec VPN, the only routing option is to configure static routes on each side. These static routes manually determine which prefixes are reachable through the IPsec VPN. Figure 14-8 shows the Select Routing Protocol window of the Secure GRE Wizard. Static Routing is the default option (radio button) in the routing protocol...

Step 7 Validate the GRE over IPsec Configuration

Once you advance beyond either of the routing options (the appropriate Routing Information window), you reach the Summary of the Configuration window. You likely need to use the scrollbar to view the entire configuration created by the Secure GRE Wizard. This window is identical to the summary window at the end of the Site-to-Site VPN Wizard. The differences here are the additional configuration options of the GRE tunnel and the routing protocol (if one was configured). As with the Site-to-Site...

Steps 3–5 IPsec VPN Information

The outermost layer of the GRE over IPsec tunnel is the IPsec VPN. The various windows used to enter the IPsec information are nearly identical to those used to create a site-to-site IPsec VPN discussed in Chapter 13, Site-to-Site VPN Operations. The first IPsec VPN task is to enter the VPN authentication information. Similar to Figure 13-14, either digital certificates or pre-shared keys can be used. If pre-shared keys are selected, the key must be entered twice to ensure accuracy. The second...
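The following is an added example, not configuration from the book or output of the Secure GRE Wizard: the hub-side CLI equivalent of what the wizard's seven steps (primary GRE tunnel, backup GRE tunnel, the three IPsec windows, routing information, and validation) produce, with the packet layering from the Secure GRE Tunnels section reflected in the crypto ACL. The hub and spoke addresses, tunnel numbering, EIGRP AS number, and keys are hypothetical; the spoke is assumed to mirror the configuration.

```cisco
! Added example, not the book's. Hub side of GRE over IPsec with a backup tunnel.
! Hypothetical: hub outside 203.0.113.1, hub LAN 10.1.1.0/24, spoke primary
! outside 203.0.113.2, spoke backup outside 198.51.100.2, spoke LAN 10.2.2.0/24,
! tunnel /30s 10.255.0.0/30 (primary) and 10.255.0.4/30 (backup).
!
! Step 1: primary GRE tunnel. Source/destination are the public addresses; the
! tunnel interface address is the private /30 the routing protocol runs over.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.2
 keepalive 10 3
 ip mtu 1400
 ip tcp adjust-mss 1360
!
! Step 2: backup GRE tunnel to the spoke's second link. Failover is stateless:
! when Tunnel0 drops, routing moves to Tunnel1 and fresh IPsec SAs are
! negotiated for it. "delay" is in tens of microseconds; a tunnel defaults to
! 5000 (50,000 usec), so 50000 makes Tunnel1's EIGRP metric ten times worse and
! it carries traffic only while Tunnel0 is down.
interface Tunnel1
 ip address 10.255.0.5 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 198.51.100.2
 keepalive 10 3
 ip mtu 1400
 ip tcp adjust-mss 1360
 delay 50000
!
! Steps 3-5: IPsec, as for site-to-site. The one difference is the crypto ACL:
! the "interesting traffic" is the GRE packets (outer header), not the LANs.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key 0 Long-Random-PSK-1 address 203.0.113.2
crypto isakmp key 0 Long-Random-PSK-2 address 198.51.100.2
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
ip access-list extended GRE-PRIMARY
 permit gre host 203.0.113.1 host 203.0.113.2
ip access-list extended GRE-BACKUP
 permit gre host 203.0.113.1 host 198.51.100.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES256-SHA
 match address GRE-PRIMARY
crypto map GRE-MAP 20 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set AES256-SHA
 match address GRE-BACKUP
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map GRE-MAP
!
! Step 6: routing. GRE carries the protocol's multicast hellos, which a plain
! crypto-map IPsec VPN cannot, so a dynamic protocol replaces static routes.
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 10.255.0.0 0.0.0.7
 no auto-summary
!
! Step 7: validate.
!  show interfaces tunnel 0      - line protocol stays up only while the GRE
!                                  keepalives are answered through the IPsec SA
!  show crypto ipsec sa          - two SA pairs; local/remote ident are the GRE
!                                  host pairs, not the LAN prefixes
!  show ip eigrp neighbors       - spoke adjacency on 10.255.0.2 (and 10.255.0.6)
!  show ip route 10.2.2.0        - next hop via Tunnel0 in normal operation
!  Shut the spoke's primary WAN interface: after 3 missed keepalives (30 s)
!  Tunnel0 goes down, EIGRP reconverges onto Tunnel1 and a new SA pair appears
!  in show crypto ipsec sa for the 198.51.100.2 peer.
```

Keeping the MTU and MSS adjustments on the tunnel interfaces matters here because the original packet gains a GRE header and then an ESP header; without them, full-size packets are fragmented after encryption and the receiving peer has to reassemble before it can decrypt.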

Symmetric DSL Types

Although SDSL methodologies are not as widespread as those in the ADSL offerings, they are just as viable as broadband technologies. SDSL is available in the following forms: SDSL (symmetric DSL): Provides identical transfer rates, both downstream and upstream, ranging from as slow as 128 kbps to as fast as 2.32 Mbps. The most typical implementation is 768 kbps. SDSL is a rather general term that encompasses a number of varying vendor implementations providing variable rates of service over a...