WAN Backed Up by an IPsec VPN

This chapter has focused on how to ensure that the loss of one IPsec VPN can be easily recovered by a second. Both stateful and stateless methods were examined. IPsec VPN tunnels can also be used to back up normal WAN connections. Most of Part III, IPsec VPNs, of this book deals with IPsec VPNs, which offer confidentiality to data as it passes from one site to another. A normal WAN connection is simply a PVC, such as a Frame Relay or ATM link between sites. No confidentiality or integrity is...

MPLS WAN Connectivity

With the history lesson done, the conversation now moves to MPLS. Simply put, MPLS extends Layer 3 natively across the distance between central, branch, and SOHO sites. The MPLS network, though owned by the service provider, is an extension of the enterprise network. Picture the entire WAN, which was previously a Layer 2 obstacle, as a single router with multiple interfaces. It contains a routing table with all of the route entries of the enterprise network. The WAN provides any-to-any...

PPP over ATM

PPPoA is similar in operation to PPPoE. In fact, both implementations use RFC 1483/2684 functions. Unlike RFC 1483/2684 bridging, PPPoA is a routed solution. PPPoA uses ATM adaptation layer 5 (AAL5) framing along with Logical Link Control/Subnetwork Access Protocol (LLC/SNAP) encapsulation on virtual circuits. Both permanent virtual circuits (PVC) and switched virtual circuits (SVC) are possible in PPPoA installations; however, only PVC implementations are addressed at this time. An overall...

Reverse Route Injection

Reverse Route Injection (RRI) is the process of injecting a static route for a connected VPN client's network into the routing table so that it can be redistributed into the Interior Gateway Protocol (IGP). This static route points to the client's destination network. This is useful when per-client static IP addressing is used with VPN Clients rather than per-VPN address pools. RRI should be enabled on the dynamic crypto map when per-user IP addresses are used in environments where multiple VPN Servers are used. The redistribution of the RRI ensures reachability to the...

Easy VPN Server Wizard

Returning the discussion to the actual Easy VPN Server configuration, the Easy VPN Server Wizard is now ready to be run. AAA and necessary user information and privilege levels have been set. Click the Launch the Selected Task button on the Easy VPN Server screen to launch the wizard. The initial screen is a summary of tasks to be performed similar to that shown on the first page of the Easy VPN Server Wizard. If AAA has not already been configured, the wizard prompts you for the required AAA...

Step 3 Configure the Crypto ACL

An extended access list is used to determine interesting traffic. The access lists are shown in the dashed circles. At the remote office, the access list is number 170, while at the central office, the list is number 155. Each list defines the source and destination addresses of traffic that will travel through the IPsec tunnels. Usually, it is very important that the two lists be mirror images of each other. The source address in one list must be the destination address in the other and vice...
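The mirror-image requirement is easy to state and easy to get wrong once the lists grow beyond one line. The following Python script is an added example (not from the book) that parses two IOS extended access lists and reports any entry whose source/destination swap is missing on the peer. The list numbers 170 and 155 follow the text; the addresses and the port qualifier are constructed for the example.

```python
import re
from typing import List, Set, Tuple

# Constructed sample ACLs for a remote office (list 170) and a central office
# (list 155). The addresses are hypothetical and are not from the book.
REMOTE_ACL_170 = """
access-list 170 permit ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 170 permit tcp host 10.20.5.10 10.10.7.0 0.0.0.255 eq 443
"""
CENTRAL_ACL_155 = """
access-list 155 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 155 permit tcp 10.10.7.0 0.0.0.255 eq 443 host 10.20.5.10
access-list 155 permit ip 10.10.9.0 0.0.0.255 10.20.0.0 0.0.255.255
"""

ACE_RE = re.compile(r"^access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+(.+)$")

# One ACE: (action, protocol, src, src_wildcard, src_port, dst, dst_wildcard, dst_port)
Ace = Tuple[str, str, str, str, str, str, str, str]

def _take_addr(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def _take_port(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume an optional port qualifier (eq/gt/lt/neq N or range A B)."""
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
        return " ".join(tokens[:2]), tokens[2:]
    if tokens and tokens[0] == "range":
        return " ".join(tokens[:3]), tokens[3:]
    return "", tokens

def parse_acl(text: str) -> Set[Ace]:
    aces: Set[Ace] = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        action, proto, rest = m.groups()
        tokens = rest.split()
        src, swc, tokens = _take_addr(tokens)
        sport, tokens = _take_port(tokens)
        dst, dwc, tokens = _take_addr(tokens)
        dport, _ = _take_port(tokens)
        aces.add((action, proto, src, swc, sport, dst, dwc, dport))
    return aces

def mirror(ace: Ace) -> Ace:
    """The entry the peer must carry: source and destination (and ports) swapped."""
    action, proto, src, swc, sport, dst, dwc, dport = ace
    return (action, proto, dst, dwc, dport, src, swc, sport)

def find_mirror_gaps(local_acl: str, remote_acl: str) -> Tuple[List[Ace], List[Ace]]:
    """Return (local entries with no mirror on the peer, peer entries with no mirror locally)."""
    local, remote = parse_acl(local_acl), parse_acl(remote_acl)
    unmatched_local = sorted(a for a in local if mirror(a) not in remote)
    unmatched_remote = sorted(a for a in remote if mirror(a) not in local)
    return unmatched_local, unmatched_remote

if __name__ == "__main__":
    gaps = find_mirror_gaps(REMOTE_ACL_170, CENTRAL_ACL_155)
    for side, aces in zip(("remote ACL 170", "central ACL 155"), gaps):
        for a in aces:
            print(f"{side}: no mirror on the peer for {' '.join(t for t in a if t)}")
```

The check is deliberately exact: the third entry of list 155 is flagged even though the /16 entry above it already covers that /24, because an extra proxy identity on one side with no counterpart on the other is exactly the kind of asymmetry that leaves one direction of traffic unprotected or un-negotiable.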

Monitoring the Easy VPN Server

Show Crypto IPsec

At the top of the main SDM page is a row of buttons listed as Home, Configure, Monitor, Refresh, Save, and Help. The Home and Configure settings have been discussed in some detail in this chapter. This section discusses the monitoring of an Easy VPN Server. Figure 16-12 shows the Easy VPN Monitor page.
Figure 16-12 Easy VPN Server Monitoring
As shown in the figure, each individual Easy VPN Server group configured in the router will be monitored....

DSL Operating Mode

If the DSL modulation is set incorrectly, the connection cannot train up. The service provider should be consulted to determine whether or not the chipset (Alcatel, for example) contained in the DSL router or modem is supported. The modulation type should be configured according to that used by the provider. Table 7-2 shows the supported types.
Table 7-2 Supported DSL Operating Modes
Automatic negotiation of the modulation type with the DSLAM On Cisco DSL...

Describing Network Requirements

Throughout the history of networking, individuals, companies, and other organizations have made it their goals to better use technology. Where a technology did not exist, new ones sprang to life. The process of topological development and evolution in the industry has been nothing short of astounding. Technology has advanced immeasurably in a relatively short period of time. However, the network has always been viewed as just another tool to facilitate connectivity between the user community...

Configuring MPLS on a Frame Mode Interface

The second step of MPLS configuration entails the setting of interface parameters. This means that a label distribution protocol needs to be configured so that label information exchange can begin. In some environments, the Cisco proprietary Tag Distribution Protocol (TDP) is used. TDP was used prior to the existence of a standardized label exchange mechanism. TDP is not typically used at this time. Instead, the Label Distribution Protocol (LDP) is used in most deployments. To enable MPLS...

Hybrid Fiber Coaxial Networks

Fiber dramatically cuts the number of amplifiers needed in the distribution and transport networks. The degree to which fiber is installed varies from provider to provider. Some providers have opted to go entirely fiber into the subscriber premises. Fiber transports the signal using either laser or light emitting diode (LED) technologies depending on the type being deployed. Fiber has a number of benefits over traditional cable. Fiber is thin and lightweight, able to cover longer distances with...

Do I Know This Already Quiz

The purpose of the Do I Know This Already quiz is to help you decide whether you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 10-question quiz, derived from the major sections in the Foundation Topics portion of the chapter, helps you to determine how to spend your limited study time. Table 7-1 outlines the major topics discussed in this chapter and the Do I Know This Already quiz...

Traditional WAN Connections

To know where one is going, one must know where one has been. In learning any relatively new technology, it is useful to begin on common or well-known ground and progress into the unknown from that point. MPLS is somewhat of a departure for WAN connections in a number of ways. Traditional WAN connections are Layer 2 and classified as point-to-point or multipoint connections. These networks do not understand Layer 3 quality of service (QoS). At best, they understand traffic shaping. In really...

Teleworker Components

Teleworker solutions present a number of challenges in terms of deployment and support. The deployment must be almost entirely automated, thereby limiting user involvement. It also must be supportable and manageable from a corporate IT policy standpoint. The solution comprises three distinct components, among them IP telephony components and video components. Not every solution will include components for IP telephony and video from day one. However, in the evolution of the network as well as keeping on the path to the...

PPP Negotiation

The Point-to-Point Protocol (PPP) is key to the success of the connectivity for DSL. If the ATM configuration and encapsulation have been found to be properly configured and trained, the PPP connectivity is the next item on the troubleshooting list. PPP connections go through three distinct phases during negotiation:
- Link Control Protocol (LCP) phase: Parameters related to establishing, configuring, and testing the connection are negotiated. This phase is mandatory.
- Authentication phase: User...

PPP Session Phase

Once the PPPoE Session phase begins, PPP data is sent as in any other PPP encapsulation. That is to say that the LCP negotiation takes place and NCPs are opened as needed. All Ethernet frames are unicast between the aggregation router and PPPoE client at this point. RFC 2516 specifies a Maximum Receivable Unit (MRU) for PPPoE negotiated payload size at 1492 bytes. The PPPoE header is 6 bytes in length with a Protocol-ID field of 2 bytes. This keeps PPPoE in line with Ethernet's 1500-byte...

Step 3 IKE Phase

The actual IPsec tunnels are established in IKE phase 2. IKE phase 1 creates a very secure communications channel (its own SAs) so that the IPsec tunnels (SAs) can be created for data encryption and transport. IPsec parameters are negotiated via the IKE SAs. The following functions are performed in IKE phase 2:
- Negotiation of IPsec security parameters via IPsec transform sets
- Establishment of IPsec SAs (unidirectional IPsec tunnels)
- Periodic renegotiation of IPsec SAs to ensure security
An...

IPsec

IPsec is best thought of as a set of features that protects IP data as it travels from one location to another. The locations involved in the VPN typically define the type of VPN. A location could be an end client (such as a PC), a small remote office, a large branch office, a corporate headquarters, a data center, or even a service provider. The combination of any two of these locations determines the type of VPN in use. For example, a small remote office connecting to a corporate headquarters...

Internet Key Exchange IKE

A secure IPsec connection between two devices can initially be established by configuring encryption keys in both devices. However, if these keys are never changed, they become long-lived targets: an attacker who captures traffic can work on a single key at leisure, and brute-force or other key-recovery attacks become practical over time. The need to manually change the IPsec keys every hour or every day can prove troublesome. If dozens or hundreds of IPsec connections are in use, manual key maintenance can be a nightmare. The IKE protocol, as described earlier, is a means of dynamically...

Where to Begin

The easiest way to determine at which layer you should begin to troubleshoot is to issue the command show ip interface brief, as demonstrated in Example 7-1. Example 7-1 show ip interface brief Command Output Helps You Discern at Which OSI Layer the Problem Originates The output of this command differs slightly depending on your configuration. However, the essential information provided is all there. The interface Status and Protocol columns provide excellent information. If the status of ATM0 and...
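The Status/Protocol reading described above is mechanical enough to script, which is useful when the same check has to be run against many CPE routers. The following Python script is an added example, not from the book: it parses show ip interface brief output and maps each interface to the layer at which troubleshooting should start (down/down points at Layer 1, up/down at Layer 2, a Dialer interface that is up/up but has no negotiated address at Layer 3). The two sample outputs are constructed for the example and are not the book's Example 7-1; the addresses in them are hypothetical.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample outputs of "show ip interface brief" from a DSL CPE router.
# They are illustrative and are not the book's Example 7-1 output.
HEALTHY = """\
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  up                    up
ATM0.1                     unassigned      YES unset  up                    up
Dialer0                    203.0.113.77    YES IPCP   up                    up
Ethernet0                  172.16.0.1      YES NVRAM  up                    up
"""

UNTRAINED = """\
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  down                  down
ATM0.1                     unassigned      YES unset  down                  down
Dialer0                    unassigned      YES unset  up                    up
Ethernet0                  172.16.0.1      YES NVRAM  up                    up
Ethernet1                  unassigned      YES unset  administratively down down
"""

Row = Tuple[str, str, str, str]   # ip, method, status, protocol
Verdict = Tuple[int, str]         # layer to start at, reason

def parse_brief(text: str) -> Dict[str, Row]:
    """Parse the table into {interface: (ip, method, status, protocol)}."""
    rows: Dict[str, Row] = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] == "Interface":
            continue
        name, ip, _ok, method = tokens[:4]
        rest = tokens[4:]
        if rest[0] == "administratively":        # the one two-word Status value
            status, protocol = "administratively down", rest[2]
        else:
            status, protocol = rest[0], rest[1]
        rows[name] = (ip, method, status, protocol)
    return rows

def where_to_begin(name: str, row: Row) -> Verdict:
    """Map the Status/Protocol pair to the OSI layer to troubleshoot first."""
    ip, _method, status, protocol = row
    if status == "administratively down":
        return (0, "shut down by configuration; not a fault")
    if status == "down" and protocol == "down":
        return (1, "Layer 1: no carrier; on a DSL CPE the line has not trained")
    if status == "up" and protocol == "down":
        return (2, "Layer 2: encapsulation, ATM PVC, keepalives, or PPP LCP")
    if name.startswith("Dialer") and ip == "unassigned":
        return (3, "Layer 3: PPP IPCP has not assigned an address; check PPP authentication")
    return (4, "Layers 1-3 look fine here; move up the stack")

def first_fault(text: str) -> Optional[Tuple[str, int, str]]:
    """Lowest-layer fault in the output as (interface, layer, reason), or None if nothing is wrong below Layer 4."""
    faults: List[Tuple[int, str, str]] = []
    for name, row in parse_brief(text).items():
        layer, why = where_to_begin(name, row)
        if 1 <= layer <= 3:
            faults.append((layer, name, why))
    if not faults:
        return None
    layer, name, why = min(faults)
    return (name, layer, why)

if __name__ == "__main__":
    for label, output in (("healthy", HEALTHY), ("untrained", UNTRAINED)):
        print(label, "->", first_fault(output))
```

Because the verdicts are ranked, the untrained sample reports ATM0 at Layer 1 even though Dialer0 also has no address; fixing the physical line comes first, and the Dialer symptom usually clears on its own once it does.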

Using AAA to Scale Access Control

"Do I Know This Already?" Quiz
Foundation Topics
  AAA Components
  AAA Access Modes
  Understanding the TACACS+ and RADIUS Protocols
    UDP Versus TCP
    Packet Encryption
    Authentication and Authorization
    Multiprotocol Support
    Router Management
    Interoperability
  Configuring AAA Using the CLI
    RADIUS Configuration
    TACACS+ Configuration
    AAA-Related Commands
      aaa new-model Command
      radius-server host Command
      tacacs-server host Command
      ...

Interactive Services Layer

A significant cause of inefficiency within an IT organization is the presence of silos, that is, application-specific hardware and software that cannot be reused or shared. As more and more businesses begin to rely on collaborative services, the need to more closely align IT resources and computing platforms becomes more crucial. The Infrastructure Services Layer (ISL) pools these resources in a process known as virtualization. These resources include both the Networked Infrastructure Layer and...

Step 2 Configure the IPsec Transform Sets

The configuration of the IPsec transform sets actually covers three of the IPsec configuration steps mentioned earlier. The IPsec transform set, crypto ACL, and crypto map are tightly woven together. It is difficult to talk about one of them without mentioning the other two. Thus, this section covers all three together. Of the choices listed below, DES, 3DES, and MD5 are no longer considered adequate; prefer AES and SHA-2 wherever both peers support them. The following list is a reminder of the IPsec security parameters that are negotiated between peers:
- IPsec encryption type (DES, 3DES, or AES)
- IPsec authentication (MD5 or SHA-1)
...

The MPLS Conceptual Model

Traditionally, wide-area network (WAN) connectivity is deployed as a Layer 2 topology configured to transport Layer 3 traffic. The WAN has always been portrayed as a cloud in pictures, diagrams, and documentation. This is due to the fact that a third-party provider owns the network and decides how it is to be constructed, its traffic policies, and the manner in which it is managed. Although most of this still rings true, today's WAN is somewhat different in operation and deployment....

DSL Limitations

DSL is a relatively distance-sensitive technology. As the distance between the subscriber and their local CO increases, the signal quality and connection speeds decrease. ADSL service is limited to a maximum distance of 18,000 feet (about 5486 m) between the DSL CPE and the DSLAM, although many ADSL providers place an even lower limit on the distance to ensure quality. The 18,000-foot distance limitation for ADSL is not a limitation for voice telephone calls, but for data transmission. Telephone...

Cable Features

Cable systems use coaxial cable at the subscriber premises. The cable itself consists of a copper core surrounded by insulation and grounded shielding of braided wire. Figure 3-2 illustrates the basic anatomy of the coaxial cable. Traditional television signals transmitted over the air lacked quality and were subject to significant adverse effects from outside interference. They also required an external antenna in many rural and suburban locations. In locations in or near a major city, rabbit...

Packet Propagation

An inbound packet may be forwarded in a number of ways, including with and without label imposition. Incoming labeled packets are forwarded by the LFIB and sent out as labeled packets. The far-end edge LSR will pop the label unless PHP has been implemented. The section Further Label Allocation discusses PHP in more detail. An unlabeled packet can be labeled and forwarded by an edge LSR. There are exceptions to this during network convergence or other conditions that result in incomplete...

PPP over AAL5 Connections

Three separate types of connectivity options are offered under the PPPoA banner:
- Virtual circuit multiplexed PPP over AAL5 (AAL5VCMUX)
- LLC encapsulated PPP over AAL5 (AAL5SNAP)
- Cisco PPPoA
RFC 2364 defines the AAL5VCMUX and AAL5SNAP options. Cisco PPPoA, as the name implies, is a Cisco proprietary implementation. The sections that follow describe these three different connectivity options in greater detail. NOTE As a general rule, Cisco implements its own proprietary solutions in situations where underlying...

Configure an ATM Interface for PPPoA

In a PPPoA configuration, there is typically a single Ethernet interface and an ATM interface on the CPE router. The Ethernet interface is the subscriber-facing component of the CPE router. Example 6-1 shows how to configure an Ethernet interface.
Example 6-1 Subscriber-Facing Ethernet Interface Configuration
    interface Ethernet0/0
     description ****Inside Private Network****
     ip address 172.16.0.1 255.255.0.0
Once the Layer 1 connection is established, the router's PPP subsystem will initialize...

Interim Packet Propagation

When a packet arrives at an LSR prior to said LSR knowing of a label associated with the necessary FEC to get the packet out, the packet is forwarded based on information stored in the FIB. The packet is, of course, forwarded to the next-hop router listed in the FIB. The receiving downstream router performs a lookup and determines whether it has a label associated with the needed FEC. If so, the receiving downstream router imposes the label and sends the packet on its way. If not, the process...
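The two forwarding paths described in this section and in Packet Propagation (LFIB for labeled packets, FIB for unlabeled ones, label imposition when a binding exists, plain IP forwarding when it does not yet) are easier to see in a small simulation. The following Python model is an added example and is not code from the book or from any Cisco product: it builds a four-router chain R1-R2-R3-R4 with one FEC, 10.3.0.0/16, behind R4 (all names, labels, and addresses are hypothetical), derives each LSR's LFIB from its local label and its LIB, and traces a packet both after LDP has converged and while R1 still lacks a binding. R4 advertises the implicit-null label, so R3 performs PHP.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IMPLICIT_NULL = 3   # LDP label 3: "pop before sending to me" (penultimate hop popping)

@dataclass
class Packet:
    dst: str
    labels: List[int] = field(default_factory=list)   # label stack; top of stack is labels[-1]

@dataclass
class LSR:
    name: str
    fib: Dict[str, str] = field(default_factory=dict)              # prefix -> next-hop LSR
    lib: Dict[Tuple[str, str], int] = field(default_factory=dict)  # (prefix, neighbor) -> label learned via LDP
    local_labels: Dict[str, int] = field(default_factory=dict)     # prefix -> label this LSR advertised upstream
    lfib: Dict[int, Tuple[str, Optional[int], str]] = field(default_factory=dict)  # in-label -> (action, out-label, next hop)
    connected: List[str] = field(default_factory=list)             # prefixes reachable directly (egress)

    def fib_lookup(self, dst: str) -> Tuple[str, str]:
        """Longest-prefix match; returns (prefix, next hop)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, nh in self.fib.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, prefix, nh)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        return best[1], best[2]

    def out_label(self, prefix: str, next_hop: str) -> Optional[int]:
        """Label to send toward next_hop for prefix, or None if none is bound yet or PHP applies."""
        label = self.lib.get((prefix, next_hop))
        return None if label in (None, IMPLICIT_NULL) else label

    def build_lfib(self) -> None:
        """What LDP does after convergence: join each local binding with the LIB entry of the FIB next hop."""
        for prefix, in_label in self.local_labels.items():
            if in_label == IMPLICIT_NULL:
                continue   # egress asked its neighbors to pop; nothing arrives labeled
            nh = self.fib[prefix]
            out = self.out_label(prefix, nh)
            self.lfib[in_label] = ("swap", out, nh) if out is not None else ("pop", None, nh)

    def forward(self, pkt: Packet) -> Optional[str]:
        """Forward one packet; returns the next hop name, or None when delivered locally."""
        if pkt.labels:                                   # labeled: LFIB only, no IP lookup
            action, out, nh = self.lfib[pkt.labels[-1]]
            if action == "swap":
                pkt.labels[-1] = out
            else:
                pkt.labels.pop()
            return nh
        prefix, nh = self.fib_lookup(pkt.dst)            # unlabeled: FIB
        if prefix in self.connected:
            return None
        out = self.out_label(prefix, nh)
        if out is not None:
            pkt.labels.append(out)                       # label imposition
        return nh                                        # no binding yet: interim unlabeled forwarding

def build_topology(ldp_converged_at_r1: bool = True) -> Dict[str, LSR]:
    """R1 - R2 - R3 - R4; 10.3.0.0/16 hangs off R4 (hypothetical addressing)."""
    fec = "10.3.0.0/16"
    r1 = LSR("R1", fib={fec: "R2"})
    r2 = LSR("R2", fib={fec: "R3"}, local_labels={fec: 20})
    r3 = LSR("R3", fib={fec: "R4"}, local_labels={fec: 30})
    r4 = LSR("R4", fib={fec: "R4"}, local_labels={fec: IMPLICIT_NULL}, connected=[fec])
    r2.lib[(fec, "R3")] = 30              # R3 advertised label 30 to R2
    r3.lib[(fec, "R4")] = IMPLICIT_NULL   # R4 advertised implicit-null: R3 is the penultimate hop
    if ldp_converged_at_r1:
        r1.lib[(fec, "R2")] = 20          # R2 advertised label 20 to R1
    routers = {r.name: r for r in (r1, r2, r3, r4)}
    for r in routers.values():
        r.build_lfib()
    return routers

def trace(routers: Dict[str, LSR], start: str, pkt: Packet) -> List[Tuple[str, List[int]]]:
    """Walk the packet hop by hop, recording the label stack as it leaves each LSR."""
    hops: List[Tuple[str, List[int]]] = []
    current: Optional[str] = start
    while current is not None:
        nxt = routers[current].forward(pkt)
        hops.append((current, list(pkt.labels)))
        current = nxt
    return hops

if __name__ == "__main__":
    print("converged:", trace(build_topology(True), "R1", Packet("10.3.1.1")))
    print("interim:  ", trace(build_topology(False), "R1", Packet("10.3.1.1")))
```

In the converged run R1 pushes 20, R2 swaps it for 30, R3 pops it (PHP), and R4 receives plain IP. In the interim run R1 has no binding and forwards the packet unlabeled; R2 consults its FIB, finds it does have a label from R3, and imposes it there, which is the behavior the paragraph above describes.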

Configure the PPPoA DSL Dialer and Virtual Template Interfaces

The dialer interface is the DSL provider-facing component of the CPE router. Example 6-4 shows how to configure the basic elements of the dialer interface.
Example 6-4 Dialer Interface Configuration
    interface ATM0/0
     no ip address
     dsl operating-mode auto
     pvc 8/35
      ! The two PVC lines below bind the PVC to the dialer pool; they are added here for
      ! a working configuration and are not part of the book excerpt.
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    !
    interface Dialer0
     ip address negotiated
     ip mtu 1492
     encapsulation ppp
     dialer pool 1
This configuration specifies that the dialer interface should obtain its IP address from the provider during PPP negotiation (IPCP) while specifying the upstream MTU and...

IPsec Stateless Failover

There are three primary stateless means to detect and react to a fault. The ideal reaction to a detected fault is to automatically send traffic a different way. The three failure detection methods are as follows:
- Dead peer detection (DPD)
- An IGP within GRE over IPsec
- Hot Standby Router Protocol (HSRP) (or one of the related protocols)
The sections that follow discuss each of these methods in greater detail. Dead peer detection is a configuration option during the IPsec VPN setup. DPD also offers a stateless failover...

Topologies for Teleworker Connectivity

"Do I Know This Already?" Quiz
Foundation Topics
  Facilitating Remote Connections
    IIN and the Teleworker
    Enterprise Architecture Framework
    Remote Connection Options
      Traditional Layer 2 Connections
      Service Provider MPLS VPN
      Site-to-Site VPN over Public Internet
    Challenges of Connecting Teleworkers
    Infrastructure Options
    Infrastructure Services
    Traditional Teleworker versus Business-Ready Teleworker
Foundation Summary
Q&A

Intelligent Information Network

The Intelligent Information Network (IIN) offers companies an understanding of how the role of the network is evolving to meet business needs. The IIN vision is essentially the concept of network simplification through the alignment of technology and business priorities. Beyond evolution, the role of the network is expanding as more and more services become available network offerings. Cisco has established four technological roadmaps specific to the individual business needs of its customers....

Exam Topic List

This chapter covers the following topics that you need to master for the CCNP ISCW exam:
- Cable Access Technologies: Defines basic terminology and standards relevant to cable technology, the components of a cable system that provide data services, and features of cable technology
- Radio Frequency Signals: Describes digital cable use of radio frequency bands for signal transmission
- Data over Cable: Describes how data over cable services can be delivered using an HFC architecture
- Cable Technology...

LIB, LFIB, and FIB

The LIB, LFIB, and FIB are designations that have nothing to do with political beliefs or untruths, large or small. Neither are they evolutionary results of each other. Well, not in the Darwinian sense, anyway. They are somewhat interconnected and interdependent, however. This is mentioned simply because these are among the most common responses to the introduction of the concepts of all three. Proper configuration of an advanced routing protocol can limit the effects of convergence on the...

Configure a Cisco Router as a PPPoA Client

To clear up a rather widespread misconception, PPPoA is defined in RFC 2364 as PPP over AAL5. However, it is commonly referred to simply as PPP over ATM. Chapter 5, Configuring DSL Access with PPPoE, covered the configuration of PPPoE on a home router for DSL connectivity in some detail. The relative technology behind PPPoA is identical in nature to PPPoE. However, there are some significant differences that exist on the provider-facing side of the configuration, primarily The handling of the...

Optimizing PPPoE MTU

This brief discussion is meant to add a bit of additional value to the overall picture. Perhaps some additional comprehension will result as well because many of the pieces of the PPPoE puzzle must be considered. However, this information does not fall under the category of Exam Objective. Discussions of payload sizing typically end in the assumption that bigger is better. If the MTU is as large as it can be, then the throughput must be optimal as well. Unfortunately, that is not the case. To...

WAN/MAN Architecture

With all the discussion of service-enabled networking, convergence, QoS, and more, the focus tends to be somewhat removed from an equally crucial component of the bigger picture. The design and construction of the wide-area network (WAN) and (where utilized) metropolitan-area network (MAN) can make or break the overall architectural vision. The transport services necessary for end-to-end connectivity as viewed from the SONA perspective are somewhat different from the traditional view of just...

Label Distribution

By now, it is clear that the processes of label switching and distribution are shockingly similar to routing in a traditional sense. This is true with the significant exception that label switching and distribution do not have any need to analyze network layer information. When the edge LSR adds the label, the packet is predestined to arrive at its appropriate end. This greatly increases the efficiency of the routing process overall. MPLS does add overhead in the form of additional...

IPsec Stateful Failover

IPsec stateful failover typically requires a set of identical equipment so that failover can occur, and requires some continuous exchange of data between the devices to track the state of the IPsec VPNs (SA information). This also implies that there are multiple active IPsec VPN tunnels. Thus, the failure of one path can immediately switch the traffic to an alternate and operational IPsec VPN. As described in the previous section on IPsec stateless failover, failover typically involves the...

CAP

CAP is a single-carrier modulation technique that divides the available spectrum into three bands:
- 0 to 4 kHz: allocated for POTS transmission
- 25 kHz to 160 kHz: allocated for upstream data traffic
- 240 kHz to 1.1 MHz: allocated for downstream data traffic
These ranges may vary slightly based on environmental factors and implementations. Figure 4-2 illustrates the channels on the wire. This figure effectively shows how the voice and downstream...

How This Book Can Help You Pass the CCNP ISCW Exam

The primary focus of this book is not to teach material in the detail that is covered by an instructor in a 5-day class with hands-on labs. Instead, we tried to capture the essence of each topic and to present questions and scenarios that push the envelope on each topic that is covered for the ISCW exam. The audience for this book includes both candidates who have successfully completed the ISCW class and candidates who have not taken the ISCW class but have a breadth of experience in this...

Configuring CEF

A Cisco proprietary switching mechanism, CEF is extremely fast and efficient. CEF is an advanced Layer 3 switching technology that optimizes the performance and stability of networks with large, dynamic traffic patterns. CEF switching is less CPU intensive than process switching or fast switching, allowing more CPU time to be allocated to services and applications. CEF can be run in central mode or distributed mode. In central mode, only one instance of CEF is running on the router. Distributed...

PPP over Ethernet

Point-to-Point Protocol over Ethernet (PPPoE) is, obviously, a twist on traditional PPP implementations. It is essentially a bridging architecture. Plain bridging of subscriber traffic has well-known security weaknesses: it provides no per-subscriber authentication or accounting, so the provider cannot tell who is on the wire. Adding the PPP architecture (using PAP or CHAP authentication) on top of this Ethernet bridging function closes that gap and provides a well-known, robust platform; note that PAP sends the password in the clear, so CHAP is the better choice wherever the provider supports it. PPPoE, as defined in RFC 2516, provides the ability to connect a network of hosts over a simple bridging...

Cable Technology Terminology

In any discussion of relatively new or different technologies, a definition of terminology associated with that technology is necessary. This allows a more rapid familiarization with the technology. With cable access, the new terms are quite numerous compared with other networking technologies. The following are terms that will be referenced throughout this chapter:
- Broadband: Data transmission using a multiplexing methodology to provide more efficient use of available bandwidth. In cable, the...

Configuring MTU Size

As mentioned previously in this chapter, the addition of one or more labels to a packet traversing an MPLS network might cause the violation of the MTU size parameter. This is one of the most common issues experienced in MPLS deployments and should not be taken lightly by any means. The introduction of jumbo frames, giants, or baby giants, however one might wish to name them, into a LAN environment can have far-reaching effects. This is typically only an issue on LAN interfaces where the MTU...

Site-to-Site VPN Wizard

The Site-to-Site VPN Wizard is launched by clicking the Site-to-Site VPN option at the top of the list to the right of the Tasks bar on the SDM Configure page. This option is available only if you previously clicked the Configure button at the top of the SDM screen and selected the VPN option from the Tasks bar. Figure 13-12 shows the initial screen of the Site-to-Site VPN Wizard. This wizard has two tabs at the top of the window Create Site to Site VPN Used to create either a new site-to-site...