A CPE router can connect multiple users via a single ADSL connection using NAT/PAT and DHCP

Either the PC or the router can be the PPPoE client. The figure shows a router as a client. In the PPPoE architecture, the PPPoE client functionality is used to connect to the ADSL service. The PPPoE client first encapsulates the end-user data into a PPP frame, and then the PPP frame is further encapsulated inside an Ethernet frame. The IP address allocation for the PPPoE client is based on the same principle as PPP in dial mode, which is via IP Control Protocol (IPCP) negotiation, with...

Administratively Down State for an ATM Interface

This topic describes troubleshooting situations in which the interface is down because of an administrative action. This is the simplest problem to resolve. Is the ATM interface in an administratively down state? The interface output shows that the ATM interface is administratively disabled:

ATM0 is administratively down, line protocol is down
< rest of the output omitted >

Enable the administratively disabled interface:

router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)# interface atm 0
router(config-if)# ...

ADSL operation and performance is influenced by different impairments

ADSL service is deployed between ADSL modems at the subscriber and the CO locations. The CPE ADSL modem is known as the ADSL Transmission Unit-Remote (ATU-R). The CO modem is also called the ADSL Transmission Unit-Central Office (ATU-C). Special devices called DSLAMs are located at the CO; a DSLAM encompasses multiple ATU-Cs. The basic line-coding techniques associated with ADSL are as follows: single-carrier Carrierless Amplitude and Phase modulation (CAP), and multicarrier Discrete Multi-Tone (DMT)...

Advanced Monitoring

The basic Cisco IOS web interface also allows you to use the web interface to enter Cisco IOS CLI commands to monitor and troubleshoot the router. Advanced monitoring can be performed using the default Cisco IOS HTTP server interface; it requires knowledge of Cisco IOS CLI commands. Because this interface executes CLI commands on the router over HTTP, restrict access to it (or disable ip http server when it is not needed) and prefer ip http secure-server with authentication. The table lists two of the most useful show commands for determining the status of...

Advanced Options

Tabs of the group policy dialog: General, DNS/WINS, Split Tunneling, Client Settings, XAuth Options. Backup Servers: specify a list of up to ten backup servers. This list will be pushed to the Easy VPN clients; if the connection to the local Easy VPN server fails, clients will try a backup server. A further option restricts VPN connections to devices running Black Ice or Zone Alarm personal firewalls. Another option allows a non-split-tunneling connection to access the local stub network at the same time as the client. This should be enabled if PFS is...

After the Introduction of the PHP

A label is removed on the router before the last hop within an MPLS domain. The term pop means to remove the top label in the MPLS label stack instead of swapping it with the next-hop label. The last router before the egress router, therefore, removes the top label. Penultimate hop popping (PHP) slightly optimizes MPLS performance by eliminating one LFIB lookup at the egress edge LSR. 3-36 Implementing Secure Converged Wide Area Networks (ISCW) v1.0

AH Authentication and Integrity

Step 1: The IP header and data payload are hashed with the shared key (IPsec uses a keyed hash, HMAC-MD5 or HMAC-SHA-1; header fields that legitimately change in transit, such as TTL, are excluded). Step 2: The hash is used to build an AH header, which is inserted into the original packet after the IP header. Step 3: The new packet is transmitted to the IPsec peer router. Step 4: The peer router hashes the IP header and data payload. Step 5: The peer router extracts the transmitted hash from the AH header. Step 6: The peer router compares the two hashes. The hashes must exactly match. Even if one bit is changed in the transmitted packet, the hash output on the...

Asymmetric Encryption RSA

Asymmetric (public-key) cryptosystem whose security rests on the difficulty of factoring large integers; it is distinct from Diffie-Hellman key exchange, which IKE uses alongside it. Public key to encrypt data and to verify digital signatures. Private key to decrypt data and to sign with a digital signature. Suited to insecure communication channels. The Diffie-Hellman key agreement was invented in 1976 during collaboration between Whitfield Diffie and Martin Hellman, and was the first practical method for establishing a shared secret over an unprotected communications channel. The method was followed shortly afterwards...

Authenticate Peer Identity

There are these three data origin authentication methods: Preshared keys: a secret key value entered into each peer manually, used to authenticate the peer. RSA signatures: uses the exchange of digital certificates to authenticate the peers. RSA encrypted nonces: nonces (a random number generated by each peer) are encrypted and then exchanged between peers; the two nonces are used during a peer authentication process. 2006 Cisco Systems, Inc. IPsec VPNs 4-55 The purpose of IKE Phase 2 is to negotiate...

Backing Up a WAN Connection with an IPsec VPN

IPsec VPNs can be used as cost-effective and fast backups for an existing WAN. Using an IGP (for example, over GRE over IPsec or a VTI): use IGP metrics to influence primary path selection; optionally, use HSRP to track PVC status on the remote site. Alternatively, use floating static routes for VPN destinations. The figure illustrates a scenario in which the WAN is backed up by an IPsec VPN. A failure of the primary permanent...

Backup GRE Tunnel Information

A backup GRE tunnel can be configured for VPN resilience. If the primary GRE tunnel is down, the router will detect this loss of connectivity and will provide stateless failover by choosing the backup GRE tunnel. In the SDM wizard, you create a backup secure GRE tunnel for resilience by supplying the IP address of the backup GRE tunnel's destination (the backup VPN peer)...

Basic MPLS Concepts Example

Only edge routers must perform a routing lookup. Core routers switch packets based on simple label lookups and swap labels. In this example, assume that the Edge-2 router is informed that, in order to reach the 10.1.1.1 network, it should assign a label of 25 to the packet and forward the packet to the core router. The core router is informed that when it receives a packet...

Basic MPLS Features

MPLS is a switching mechanism in which packets are forwarded based on labels. Labels usually correspond to IP destination networks (equal to traditional IP forwarding). Labels can also correspond to other parameters, such as the outgoing interface on the egress router. MPLS was designed to support forwarding of non-IP protocols as well. MPLS is a switching mechanism that assigns labels (numbers) to packets, then uses those labels to forward packets. The labels are assigned at the edge of the MPLS network,...

Before the Introduction of the PHP

Double lookup is not an optimal way of forwarding labeled packets. A label can be removed one hop earlier. The check marks show which tables are used on individual routers. The egress router in this example must do a lookup in the LFIB table to determine whether the label must be removed and if a further lookup in the FIB table is required. PHP removes the requirement for a double lookup to be performed on egress LSRs.

BGP that supports address families other than IPv4 addresses is called Multiprotocol BGP (MPBGP)

With the deployment of a single routing protocol, BGP, to exchange all customer routes between PE routers, an important issue arises: how can BGP propagate several identical prefixes belonging to different customers between PE routers? The only solution to this dilemma is the expansion of customer IP prefixes with a unique prefix that makes them unique even if they had previously overlapped. A 64-bit prefix called the route distinguisher (RD) is used in MPLS VPNs to convert non-unique 32-bit customer IPv4 addresses...
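As an added worked example (this code is not part of the ISCW course material), the following Python builds the 64-bit RD in the two encodings defined by RFC 4364, prepends it to customer IPv4 prefixes to form the 96-bit VPNv4 prefixes that MPBGP carries, and shows that two customers who both use 10.0.0.0/8 stay distinct once each route carries its own RD. The ASN, RD values and customer prefixes are constructed sample data:

```python
import ipaddress
import struct


def rd_type0(asn: int, assigned: int) -> bytes:
    """Type 0 route distinguisher (RFC 4364): 2-byte type, 2-byte ASN, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, assigned)


def rd_type1(router_id: str, assigned: int) -> bytes:
    """Type 1 route distinguisher: 2-byte type, 4-byte IPv4 address, 2-byte assigned number."""
    return struct.pack("!H4sH", 1, ipaddress.IPv4Address(router_id).packed, assigned)


def format_rd(rd: bytes) -> str:
    """Render an 8-byte RD the way IOS displays it (ASN:nn or A.B.C.D:nn)."""
    (rd_type,) = struct.unpack("!H", rd[:2])
    if rd_type == 0:
        asn, nn = struct.unpack("!HI", rd[2:])
        return f"{asn}:{nn}"
    if rd_type == 1:
        ip, nn = struct.unpack("!4sH", rd[2:])
        return f"{ipaddress.IPv4Address(ip)}:{nn}"
    raise ValueError(f"unsupported RD type {rd_type}")


def vpnv4_prefix(rd: bytes, ipv4_prefix: str):
    """Expand an IPv4 prefix into the 96-bit VPNv4 form carried in MP-BGP NLRI.
    The NLRI prefix length counts the 64 RD bits plus the IPv4 prefix length."""
    if len(rd) != 8:
        raise ValueError("RD must be exactly 8 bytes")
    net = ipaddress.IPv4Network(ipv4_prefix)
    return rd + net.network_address.packed, 64 + net.prefixlen


def build_vpnv4_table(customer_routes):
    """customer_routes: iterable of (rd, ipv4_prefix).
    Returns {(vpnv4_bytes, length): (rd_text, ipv4_prefix)}. Routes that collide as plain
    IPv4 prefixes remain distinct once each one carries its customer's RD."""
    table = {}
    for rd, prefix in customer_routes:
        table[vpnv4_prefix(rd, prefix)] = (format_rd(rd), prefix)
    return table


if __name__ == "__main__":
    # Constructed sample: two customers that both use 10.0.0.0/8 internally.
    routes = [(rd_type0(65000, 1), "10.0.0.0/8"), (rd_type0(65000, 2), "10.0.0.0/8")]
    for (vpn, plen), (rd_text, pfx) in build_vpnv4_table(routes).items():
        print(f"RD {rd_text:>10}  {pfx:<12} -> VPNv4 {vpn.hex()}/{plen}")
```

Note that the RD only makes overlapping prefixes unique inside BGP; which VRFs import a route is decided separately by route-target extended communities, so identical RDs on two PE routers do not by themselves leak routes between customers.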

Building the IP Routing Table

IP routing protocols are used to build IP routing tables on all LSRs. FIBs are built based on IP routing tables, initially with no labeling information. As a starting point for this example, the IGP has converged and the FIB table on router A contains the entry for network X that is mapped to the IP next-hop address B. However, at this time, a next-hop label is not available, which means that all packets are forwarded in a traditional way (as unlabeled packets).

Cable System Components

Antenna site: a location with the main receiving antennas and satellite dishes. Headend: a facility where signals are received, processed, formatted, and combined; it transmits cable signals through the distribution network to subscribers. Transportation network: links a remote antenna site to a headend. Distribution network: comprised of trunk and feeder cables. Subscriber drop: devices and parts used to connect to the distribution network. The cable system consists of these major components. Antenna site: an antenna site is a location chosen for optimum reception of over-the-air, satellite,...

Cable System Standards

NTSC: technical standard for the analog TV system used in North America; uses a 6-MHz modulated signal. PAL: color encoding system used in broadcast television systems in most of the world; uses a 6-MHz, 7-MHz, or 8-MHz modulated signal. SECAM: an analog color TV system used in France and some Eastern European countries; uses an 8-MHz modulated signal. NTSC is a North American TV technical standard for analog TV systems. The standard was created in 1941 and is named after the National Television System Committee formed in...

CEF Switching Review

CEF uses a complete IP switching table, the FIB table, which holds the same information as the IP routing table. The generation of entries in the FIB table is not packet-triggered but change-triggered. When something changes in the IP routing table, the change is also reflected in the FIB table. Because the FIB contains the complete IP switching table, the router can make definitive decisions based on the information in it. Whenever a router receives a packet that should be CEF-switched, but...

Cisco Easy VPN Components

Cisco Easy VPN consists of two components Cisco Easy VPN Server and Cisco Easy VPN Remote. Cisco Easy VPN Server enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3000 Series Concentrators to act as VPN headend devices in site-to-site or remote-access VPNs, in which the remote office devices use the Easy VPN Remote feature. Using this feature, security policies defined at the headend are pushed to the remote VPN device, ensuring that those connections have up-to-date policies in...

Cisco Easy VPN Server Configuration Tasks for the Easy VPN Server Wizard

This section describes how the Easy VPN Server wizard guides you through the configuration steps. The Easy VPN Server wizard guides you through a set of steps which includes the configuration of these parameters: selecting the interface on which to terminate IPsec tunnels; IKE policies (for example, encryption algorithm, Hash-based Message Authentication Code (HMAC), priority, lifetime, and Diffie-Hellman group); group policy lookup method (local, RADIUS, or TACACS+); user authentication (local or...

Cisco Enterprise Architecture

The Cisco Enterprise Data Center Architecture: a cohesive, adaptive network architecture that supports the requirements for consolidation, business continuance, and security, while enabling emerging service-oriented architectures, virtualization, and on-demand computing. IT staff can easily provide departmental staff, suppliers, or customers with secure access to applications and resources. This simplifies and streamlines management, significantly reducing overhead. Redundant data centers...

Cisco Hierarchical Network Model

Traditionally, the three-layer hierarchical model has been used in network design. The model provides a modular framework that allows flexibility in network design, and facilitates ease of implementation and troubleshooting. The hierarchical model divides networks or their modular blocks into the access, distribution, and core layers, with these features: Access layer: used to grant user access to network devices. In a network campus, the access layer generally incorporates switched LAN devices...

Cisco IOS Platform Switching Mechanisms

The Cisco IOS platform supports three IP switching mechanisms: routing table-driven switching (process switching), in which a full lookup is performed for every packet; cache-driven switching (fast switching), in which the most recent destinations are entered in the cache and the first packet is always process-switched; and topology-driven switching, Cisco Express Forwarding (CEF). Because CEF provides the foundation for MPLS switching, it is important to understand the purpose of CEF and how it functions, and how the network uses CEF information when forwarding...

Cisco Router and SDM

The main page of the SDM consists of two sections. About Your Router: this section displays the hardware and software configuration of the router. Configuration Overview: this section displays basic traffic statistics. There are two important icons in the top horizontal navigation bar. The Configure icon enters the configuration page. The Monitor icon enters the page where the status of the tunnels, interfaces, and device can be monitored.

Cisco SDM Features

Smart wizards for these frequent router and security configuration issues: startup wizard, one-step router lockdown, policy-based firewall and ACL management (firewall policy), one-step VPN (site-to-site), and inline IPS. The wizards avoid misconfigurations with integrated routing and security, secure the existing network infrastructure easily and cost-effectively, use Cisco TAC- and ICSA-recommended security configurations, and guide untrained users through the workflow...

Cisco SONA Framework

With its vision of the IIN, Cisco is helping organizations to address new IT challenges, such as the deployment of service-oriented architectures, web services, and virtualization. The Cisco Service-Oriented Network Architecture (SONA) is an architectural framework that guides the evolution of enterprise networks to an IIN. The SONA framework provides these advantages to enterprises: outlines the path towards the IIN; illustrates how to build integrated systems across a fully converged IIN...

Commonly Used Hash Functions

SHA-1 provides 160-bit output (only the first 96 bits are used in IPsec, as HMAC-SHA1-96). SHA-1 is computationally slower than MD5, but more secure. MD5 creates a 128-bit hash, while SHA-1 creates a 160-bit hash. In the case of SHA-1, only 96 bits of this hash are used for IPsec. The initialization vector (IV) here is the fixed initial chaining value from which the hash computation starts, not a per-message random IV as used by CBC encryption. Both MD5 and SHA-1 have since been broken for collision resistance; the HMAC constructions IPsec uses are not directly affected by collision attacks, but current deployments should prefer the SHA-2 family (HMAC-SHA-256 and above) where the platform supports it.
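As an added worked example covering both the "AH Authentication and Integrity" steps above and the 96-bit truncation described here (this code is not from the ISCW course), the following Python builds an AH-protected IPv4 packet with HMAC-SHA1-96, verifies it on the receiving side, and shows that a single flipped payload bit fails verification while a TTL decrement (a mutable field AH excludes) does not. The packet layout follows RFC 4302 and the truncation RFC 2404; the key, addresses and payload are constructed sample values:

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA1-96 (RFC 2404): SHA-1 yields 160 bits, IPsec keeps the first 96
AH_PROTO = 51


def ipv4_header(src: bytes, dst: bytes, total_len: int, ttl: int = 64, proto: int = AH_PROTO) -> bytes:
    """Minimal 20-byte IPv4 header (constructed sample; header checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)


def zero_mutable_fields(hdr: bytes) -> bytes:
    """AH (RFC 4302) excludes fields that legitimately change in transit from the ICV:
    ToS/DSCP, flags and fragment offset, TTL, and the header checksum."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(spi: int, seq: int, icv: bytes, next_header: int = 6) -> bytes:
    """AH header: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_protect(key: bytes, ip_hdr: bytes, payload: bytes, spi: int, seq: int) -> bytes:
    """Sender (steps 1-3): hash the immutable IP header + AH header with a zeroed ICV + payload,
    then emit the packet with the real ICV filled in."""
    ah_zeroed = ah_header(spi, seq, bytes(ICV_LEN))
    total_len = len(ip_hdr) + len(ah_zeroed) + len(payload)
    hdr = ip_hdr[:2] + struct.pack("!H", total_len) + ip_hdr[4:]
    icv = hmac.new(key, zero_mutable_fields(hdr) + ah_zeroed + payload, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + ah_header(spi, seq, icv) + payload


def ah_verify(key: bytes, packet: bytes) -> bool:
    """Receiver (steps 4-6): recompute the truncated HMAC and compare it in constant time."""
    if len(packet) < 20 + 12:
        return False
    hdr, rest = packet[:20], packet[20:]
    _next, plen, _res, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (plen + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    if len(icv) != ICV_LEN:
        return False
    ah_zeroed = ah_header(spi, seq, bytes(ICV_LEN))
    expected = hmac.new(key, zero_mutable_fields(hdr) + ah_zeroed + payload, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)
```

Because the source and destination addresses are covered by the ICV, any NAT device on the path rewrites a field that AH protects and the packet fails step 6; this is why AH cannot traverse NAT and why ESP is used in the teleworker designs elsewhere in this course.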

Component Architecture of LSR

The primary function of an LSR is to forward labeled packets. Therefore, every LSR needs a Layer 3 routing protocol (for example, OSPF, EIGRP, or IS-IS) and a label distribution protocol (for example, LDP). LDP populates the LFIB table in the data plane that is used to forward labeled packets. Edge LSRs also forward IP packets based on their IP destination addresses and, optionally, label them if a label exists. A received IP...

Configuration of a PPPoE Client

This topic describes how to configure a PPPoE client. After the PPPoE virtual private dialup network (VPDN) group has been defined, the ATM interface must be configured. Configure the ATM interface (the ADSL interface) of the Cisco router with an ATM PVC and encapsulation, as follows. To configure a PPPoE client on an Ethernet interface instead, use the interface ethernet command in global configuration mode to enter interface configuration mode. Next, enable PPPoE on the Ethernet interface. Finally,...

Configuration of the DSL ATM Interface

This topic lists commands and explains the procedure, in four steps, to configure a DSL ATM interface. Use the dsl operating-mode auto interface configuration command to specify that the router automatically detect the DSL modulation that the service provider is using and set the DSL modulation to match. An incompatible DSL modulation configuration can result in failure to establish a DSL connection to the DSLAM of the service provider. Use the pvc interface configuration command to set the...

Configure a connection to the Internet through dialup networking

Complete these tasks to configure the Cisco VPN Client for Easy VPN Remote access. Step 1: Install a Cisco VPN Client on the remote user PC. Step 2: Create a new client connection entry. Step 3: Configure client authentication properties. Step 4: Configure transparent tunneling. Step 5: Enable and add backup servers. Step 6: Configure a connection to the Internet through dial-up networking.

Configure a DHCP Server

Router(config)# ip dhcp pool pool_name: enables a DHCP pool for use by hosts and enters DHCP pool configuration mode. Router(dhcp-config)# import all: imports DNS and WINS information from IPCP. Router(dhcp-config)# network network-number [mask]: specifies the network and subnet mask of the pool. Router(dhcp-config)# default-router address: specifies the default router for the pool to use. The Cisco IOS DHCP Server feature is a full implementation that assigns and manages IP addresses from specified address pools within the router to DHCP clients. After a DHCP client has booted,...

Configuring GRE over IPsec Site-to-Site Tunnel Using SDM

Create Site to Site VPN | Edit Site to Site VPN: SDM can guide you through Site to Site VPN configuration tasks. Select the Create a secure GRE tunnel (GRE over IPsec) task. To create a GRE over IPsec site-to-site VPN, follow this procedure. Step 1: Use a web browser to connect to the HTTP server of the router. Click the Configure icon in the top horizontal navigation bar to enter the configuration page....

Configuring GRE over IPsec Site-to-Site Tunnel Using SDM (Cont.)

A GRE tunnel IP address is required to establish a tunnel with the peer; this entry can be a private address. The wizard also asks for the IP address of the tunnel destination. The figure illustrates these configuration steps for implementing a GRE tunnel. Step 1: The GRE tunnel source IP address is taken from a configured interface or manually specified. It must still be a valid IP address...

Configuring MPLS on a Frame Mode Interface

This topic describes how to enable MPLS on a frame mode interface. Enable Tag Distribution Protocol (TDP) or Label Distribution Protocol (LDP) on the interface by using either the tag-switching or the mpls (label switching) form of the commands. You enable the support for MPLS on a device by using the mpls ip global configuration command, although this should be on by default, and then individually on every frame mode interface that participates in MPLS processes....

Configuring MPLS on a Frame Mode Interface Example

You must globally enable CEF switching, which automatically enables CEF on all interfaces that support it. CEF is not supported on logical interfaces, such as loopback interfaces. Non-backbone (non-MPLS) interfaces have an input ACL that denies TCP sessions on the well-known port number 711 (TDP uses TCP port 711). If using LDP, filter port 646 for both UDP and TCP: LDP uses UDP port 646 for neighbor discovery hellos and TCP port 646 for the session itself. This is just a precaution, because without the mpls ip command on the interface LDP cannot be established on Serial...

Connection between subscriber and CO

Several years ago, research by Bell Labs identified that a typical voice conversation over a local loop only required the use of bandwidth of 300 Hz to 3 kHz. For years the bandwidth above 3 kHz went unused. Advances in technology allowed DSL to use the additional bandwidth from 3 kHz up to 1 MHz to deliver high-speed data services over ordinary copper lines. For example, asymmetric DSL (ADSL) uses a frequency range from approximately 20 kHz to 1 MHz. In order to deliver high-bandwidth data...

Control Plane Components Example

Information from the control plane is sent to the data plane. The figure illustrates the two components of the control plane: OSPF, which receives and forwards a routing update for IP network 10.0.0.0/8, and LDP, which receives label 17 to be used for packets with destination address 10.x.x.x. A local label 24 is generated and sent to upstream neighbors when the packets are destined for 10.x.x.x. LDP inserts an entry into the LFIB table of the data plane, where an incoming label 24 is mapped to an outgoing...

Course Goal and Objectives

This topic describes the course goal and objectives. The goal of the ISCW course is to expand the reach of the enterprise network to teleworkers and remote sites. The theme of implementing a highly available network with connectivity options, such as VPN and wireless, is highlighted. Upon completing this course, you will be able to meet these objectives: describe the remote connectivity requirements...

Creating a Custom IKE Policy

Configure IKE Policy: priority 2, encryption 3DES, hash SHA-1. Encryption algorithm: DES, 3DES, or AES. Authentication method: preshared secrets or digital certificates. Diffie-Hellman group: 1, 2, or 5. Encryption algorithm (most commonly 3DES or AES; you can also use the Software Encryption Algorithm, SEAL, to improve crypto performance on routers without hardware IPsec accelerators. DES is no longer advised because it can be broken in a relatively short time; 3DES and Diffie-Hellman groups 1 and 2 are likewise considered weak today, so prefer AES and a 2048-bit or larger group where the platform supports them). Authentication method (preshared secrets or digital...

Data Cable Technology Issues

The data cable technology issues relate to the fact that subscribers in a certain service area share a coaxial cable line. A shared coaxial cable line has these consequences: Bandwidth available to a subscriber may vary based on how many subscribers use the service at the same time. The cable operator can resolve this issue by adding RF channels and splitting the service area into multiple smaller areas. There is a risk of privacy loss. This can be addressed by encryption and other privacy...

Data circuits are offloaded from the voice switch

The major benefit of ADSL is the ability to provide data services along with voice. When analog voice is integrated with ADSL, the POTS channel is split off from the ADSL modem by filters or splitters, which guarantees uninterrupted regular phone service even if ADSL fails. A user is able to use the phone line and the ADSL connection simultaneously without adverse effects on either service if filters or splitters are in place. ADSL offloads the data (modem) traffic from the voice switch and...

Data over ADSL

DSL is a high-speed Layer 1 transmission technology that works over copper wires. The DSL Layer 1 connection from the CPE is terminated at the DSLAM. The data link layer protocol that is usually used over DSL is ATM. A DSLAM is basically an ATM switch containing DSL interface cards (ATU-Cs). The DSLAM terminates the ADSL connections, and then switches the traffic over an ATM network to an aggregation router. The aggregation router is the Layer 3 device where IP connection from the subscriber...

Dead Peer Detection

Keepalives in periodic intervals. DPD: keepalives in periodic intervals only if no data is transmitted. DPD also has an on-demand approach. The contrasting on-demand approach is the default. With on-demand DPD, messages are sent on the basis of traffic patterns. For example, if a router has to send outbound traffic and the liveliness of the peer is questionable, the router sends a DPD message to query the status of the peer. If a router has no traffic to send, it never sends a DPD message. If a peer...

Debug PPP Authentication

CPE# debug ppp authentication
CPE# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
CPE(config)# interface ATM 0/0
CPE(config-if)# no shutdown
00:19:05: %LINK-3-UPDOWN: Interface ATM0/0, changed state to up
00:19:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0/0, changed state to up
00:19:29: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
00:19:29: Vi2 PPP: Using dialer call direction
00:19:29: Vi2 PPP: Treating connection as a callout
00:19:29: Vi2 PPP: Authorization...

Default GRE Characteristics

GRE is now a standard tunneling method described by these Internet Engineering Task Force (IETF) standards: RFC 1701 and RFC 2784, describing a general-purpose GRE that can also be used by non-IP protocols in the transport network; RFC 1702, describing how GRE can be used to transport arbitrary Layer 3 payloads over IP networks; RFC 3147, describing GRE over Connectionless Network Service (CLNS) networks; and RFC 4023, describing Multiprotocol Label Switching (MPLS) encapsulation inside GRE. GRE by itself provides no confidentiality, integrity, or peer authentication; a plain GRE tunnel across an untrusted network is readable and spoofable, which is why the designs in this course run GRE over IPsec.

Determine if the PPPoE connect phase is successful

CPE# show pppoe session
Total PPPoE sessions 1

Get the status of the PPPoE session. The significant fields shown in the debug output are:

15:13:41.991: Sending PADI: Interface = Ethernet1
A broadcast Ethernet frame that requests a PPPoE server.

15:13:44.091: PPPOE: we've got our pado and the pado timer went off
This is a unicast reply from a PPPoE server (similar to a DHCP offer).

15:13:44.091: OUT PADR from PPPoE Session
This is a unicast reply that accepts the offer.

15...
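As an added worked example (not code from the ISCW course), the following Python implements the PPPoE discovery exchange whose debug lines appear above, with both sides present: a client that sends PADI, accepts the PADO, and sends PADR, and an access concentrator that answers PADO and, only after checking its own AC-Cookie, allocates a session ID in PADS. The frame format and tag types follow RFC 2516. The AccessConcentrator class, its HMAC-based cookie derivation, and the MAC address and names used are this example's own assumptions, not any vendor's implementation:

```python
import hashlib
import hmac
import struct

# PPPoE discovery codes and tag types from RFC 2516 (Ethertype 0x8863 on the wire)
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0000, 0x0101, 0x0102, 0x0103, 0x0104


def build_pppoe(code: int, session_id: int, tags) -> bytes:
    """PPPoE header: version/type 0x11, code, session id, payload length, then TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload


def parse_pppoe(frame: bytes):
    """Return (code, session_id, [(tag, value), ...]); reject bad lengths instead of over-reading."""
    if len(frame) < 6:
        raise ValueError("short PPPoE frame")
    ver_type, code, sid, plen = struct.unpack("!BBHH", frame[:6])
    if ver_type != 0x11:
        raise ValueError("not PPPoE version 1 / type 1")
    body = frame[6:6 + plen]
    if len(body) != plen:
        raise ValueError("truncated PPPoE payload")
    tags, i = [], 0
    while i + 4 <= len(body):
        t, length = struct.unpack("!HH", body[i:i + 4])
        if t == TAG_END:
            break
        v = body[i + 4:i + 4 + length]
        if len(v) != length:
            raise ValueError("truncated tag")
        tags.append((t, v))
        i += 4 + length
    return code, sid, tags


def tag(tags, wanted):
    return next((v for t, v in tags if t == wanted), None)


class AccessConcentrator:
    """Toy PPPoE server (the DSLAM/aggregation side). The cookie scheme is an assumption made for
    this example: it lets PADI be answered without keeping state and makes a PADR prove it
    followed a real PADO before any session id is allocated."""

    def __init__(self, name=b"ac-1", secret=b"constructed-cookie-secret"):
        self.name, self.secret, self.next_sid = name, secret, 1

    def cookie(self, client_mac: bytes) -> bytes:
        return hmac.new(self.secret, client_mac, hashlib.sha256).digest()[:8]

    def handle(self, client_mac: bytes, frame: bytes):
        code, _, tags = parse_pppoe(frame)
        host_uniq = tag(tags, TAG_HOST_UNIQ)
        echo = [(TAG_HOST_UNIQ, host_uniq)] if host_uniq is not None else []
        svc = tag(tags, TAG_SERVICE_NAME) or b""
        if code == PADI:   # broadcast request -> unicast offer (like a DHCP offer); no state kept
            return build_pppoe(PADO, 0, [(TAG_SERVICE_NAME, svc), (TAG_AC_NAME, self.name),
                                         (TAG_AC_COOKIE, self.cookie(client_mac))] + echo)
        if code == PADR:   # client accepts; allocate a session only if the cookie checks out
            if not hmac.compare_digest(tag(tags, TAG_AC_COOKIE) or b"", self.cookie(client_mac)):
                return None   # forged or replayed PADR: drop, no session state created
            sid, self.next_sid = self.next_sid, self.next_sid + 1
            return build_pppoe(PADS, sid, [(TAG_SERVICE_NAME, svc)] + echo)
        return None


def client_discovery(ac: AccessConcentrator, client_mac: bytes, host_uniq=b"\x00\x01") -> int:
    """Run PADI -> PADO -> PADR -> PADS; return the session id that 'show pppoe session' would list."""
    padi = build_pppoe(PADI, 0, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])
    code, _, tags = parse_pppoe(ac.handle(client_mac, padi))
    if code != PADO or tag(tags, TAG_HOST_UNIQ) != host_uniq:
        raise RuntimeError("no usable PADO (the 'pado timer' case in the debug output)")
    padr = build_pppoe(PADR, 0, [(TAG_SERVICE_NAME, b""), (TAG_AC_COOKIE, tag(tags, TAG_AC_COOKIE)),
                                 (TAG_HOST_UNIQ, host_uniq)])
    pads = ac.handle(client_mac, padr)
    if pads is None:
        raise RuntimeError("PADR rejected")
    code, sid, _ = parse_pppoe(pads)
    if code != PADS or sid == 0:
        raise RuntimeError("no PADS")
    return sid
```

The Host-Uniq tag is echoed so a client with several pending discoveries can match replies; the cookie check shows why a well-behaved access concentrator never allocates session state on a PADI, since PADI is a broadcast that anyone on the segment can flood.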

Determining the Layer to Troubleshoot (Cont.)

Displays information specific to the ADSL for a specified ATM interface. Start troubleshooting Layer 1 by verifying whether a Cisco Systems CPE router is trained and successfully initialized to the DSLAM using the show dsl interface atm command. When a router is successfully trained to the DSLAM, the modem status field will have the value Showtime. Along with that value, the command will also display the upstream and...

Diffie-Hellman Key Exchange

Public key cryptosystems rely on a two-key system: a public key, which is exchanged between end users, and a private key, which is kept secret by the original owners. The Diffie-Hellman public key algorithm states that if user A and user B exchange public keys and a calculation is performed on their individual private key and on the public key of the other peer, the end result of the process is an identical shared key. The shared key will be used to encrypt and decrypt the data. Security is not an issue...

Diffie-Hellman Key Exchange (Cont.)

Peer A: 1. Generate a large prime p; send p to peer B. 2. Receive g from peer B. 3. Generate the public key Y_A = g^X_A mod p, where X_A is A's secret private value. 4. Send the public key Y_A to peer B. 5. Generate the shared secret number ZZ = Y_B^X_A mod p. 6. Generate the shared secret key from ZZ (DES, 3DES, or AES). Peer B: 1. Generate a large integer g (the generator); send g to peer A. 2. Receive p from peer A. 3. Generate the public key Y_B = g^X_B mod p. 4. Send the public key Y_B to peer A. 5. Generate the shared secret number ZZ = Y_A^X_B mod p. 6. Generate the shared secret key from ZZ (DES, 3DES, or AES). Both sides obtain the same ZZ because (g^X_A)^X_B = (g^X_B)^X_A mod p, while only p, g, Y_A, and Y_B are ever sent over the channel. The Diffie-Hellman key exchange is a public key exchange method that provides a way...
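As an added worked example (this code is not part of the ISCW course), the following Python runs both sides of the exchange using the symbols above: each peer derives its private X, publishes Y = g^X mod p, computes ZZ from the peer's public value, and then derives a symmetric key from ZZ. The key derivation with SHA-256 stands in for the IKE PRF and is this example's own choice; the small p and g in the main block are constructed textbook values chosen so the arithmetic can be checked by hand:

```python
import hashlib
import secrets


def dh_keypair(p: int, g: int, x=None):
    """Private value X (random in 1..p-2 unless supplied for reproducibility) and public Y = g^X mod p."""
    if x is None:
        x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared_secret(peer_public: int, private: int, p: int) -> int:
    """ZZ = Y_peer^X mod p. Degenerate public values (0, 1, p-1) are rejected because they would
    force ZZ into a tiny set regardless of the private exponent."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def derive_key(zz: int, length: int = 24) -> bytes:
    """Turn the shared number into fixed-length keying material (24 bytes = a 3DES key).
    IKE does this with its PRF over SKEYID; a plain hash is used here to keep the example short."""
    nbytes = max(1, (zz.bit_length() + 7) // 8)
    return hashlib.sha256(zz.to_bytes(nbytes, "big")).digest()[:length]


def run_exchange(p: int, g: int, xa=None, xb=None):
    """Both peers of the exchange; returns (ZZ, key). Only p, g, Y_A and Y_B cross the wire."""
    xa, ya = dh_keypair(p, g, xa)        # peer A, steps 1 and 3
    xb, yb = dh_keypair(p, g, xb)        # peer B, steps 1 and 3
    zz_a = dh_shared_secret(yb, xa, p)   # peer A, step 5: Y_B^X_A mod p
    zz_b = dh_shared_secret(ya, xb, p)   # peer B, step 5: Y_A^X_B mod p
    if zz_a != zz_b:
        raise RuntimeError("exchange failed: peers derived different secrets")
    return zz_a, derive_key(zz_a)


if __name__ == "__main__":
    # Constructed textbook parameters; a real IKE group such as group 14 uses a 2048-bit
    # prime from RFC 3526, and X is never chosen this small.
    print(run_exchange(23, 5, xa=6, xb=15))   # ZZ is 2 with these values
```

The exchange on its own is unauthenticated: an attacker who can intercept Y_A and Y_B can run two separate exchanges and relay traffic. That is why IKE Phase 1 combines Diffie-Hellman with one of the peer authentication methods listed under "Authenticate Peer Identity".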

DOCSIS

Data-Over-Cable Service Interface Specifications (DOCSIS) is an international standard developed by CableLabs, a nonprofit research and development consortium for cable-related technologies. CableLabs tests and certifies cable equipment vendor devices (cable modem CM and CMTS) and grants DOCSIS-certified or Qualified status. DOCSIS defines the communications and operation support interface requirements for a data-over-cable system and permits the addition of high-speed data transfer to an...

DSL Variants Examples

ADSL is designed to deliver more bandwidth downstream than upstream, and supports data and voice simultaneously over existing copper lines. ADSL is oriented towards residential subscribers, where usually more bandwidth is required in the downstream for applications such as downloading music, movies, playing online games, surfing the Internet, or receiving e-mail with large attachments. The downstream rate ranges from 256 kbps to 8 Mbps, while upstream speed can reach 1 Mbps. RADSL refers to...

Enabling AAA

Cisco Router and Security Device Manager (SDM), router 10.1.1.1: Configure | Monitor | Refresh | Save. Create Easy VPN Server | Edit Easy VPN Server: SDM can guide you through Easy VPN Server configuration tasks. SDM displays this warning before it enables AAA: there should be at least one user account with privilege level 15 on the router before AAA is enabled; please configure a privilege level 15 user or a root view before enabling AAA on the router. The warning matters because aaa new-model replaces the line passwords with the AAA default method lists; without a local privilege 15 user (or a reachable external AAA server) you can lock yourself out of the router....

End-to-End Routing Information Flow

These steps describe the stages of routing information flow from the IPv4 routing updates entering the MPLS VPN backbone through their propagation as VPNv4 routes across the backbone Step 1 PE routers receive IPv4 routing updates from the CE routers and install them in the appropriate VRF table. Step 2 The customer routes from VRF tables are exported as VPNv4 routes into MPBGP and propagated to other PE routers. Step 3 The PE routers receiving MPBGP updates import the incoming VPNv4 routes into...

Enterprise Architecture Framework

Proper prioritization and delivery of traffic across the WAN using various QoS mechanisms. Each building block addresses different enterprise network requirements. The WAN building block: used to connect the campus, data center, branch, and teleworker into an enterprise network. The Enterprise Campus architecture: addresses the core infrastructure intelligent switching and routing integrated with advanced...

Example Configuring the PPPoE Dialer Interface

This topic describes how to configure addressing translations using PAT. One of the main features of Network Address Translation (NAT) is PAT, which is referred to as overload in Cisco IOS configuration. You can translate several internal addresses using NAT into just one or a few external addresses by using PAT. PAT uses unique source port numbers on the inside global IP address to...

Example DHCP Server Configuration

In this example, a DHCP address pool with the name MyPool is configured. The CPE router will act like a DHCP server to the hosts, connected to the Ethernet 0 0 interface. Hosts will get IP addresses from range 10.0.0.2 to 10.255.255.254 with the subnet mask 255.0.0.0. The IP address 10.0.0.1 is excluded from this range, because it is already used on the router interface. Hosts will get a default route pointing to the router interface IP address 10.0.0.1, and other parameters that the router...

Example Integrated Services for Secure Remote Access

The figure shows a sample converged network with integrated services. DSL and cable have been deployed as two of the advanced physical layer technologies, and MPLS VPNs and IPsec VPNs have been deployed as two of the advanced secured connectivity technologies. Internet access is migrating from dialup modems with slow connections to broadband access, using a variety of technologies with much faster transport speeds. The technology takes advantage of existing telephone and cable television...

Example PAT Configuration

The access list will match any source address in the 10.0.0.0/8 network. In this example, the Dialer0 interface is the outside interface, and the Ethernet0/0 interface is the inside interface. The 10.x.x.x source addresses will be translated using PAT to the Dialer0 IP address. The Dialer0 interface receives its IP address from the service provider aggregation router using IPCP.
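As an added worked example for the PAT description above and in "Example Configuring the PPPoE Dialer Interface" (this code is not from the ISCW course and is not how IOS is implemented), the following Python models the overload translation table: inside 10.x.x.x sources that match the access list are rewritten to the single Dialer0 address with a unique source port, replies are mapped back through the same table, and inbound packets with no matching entry are dropped. The global address, inside hosts and ports are constructed sample values, and the model is deliberately simplified (no timeouts, and the entry is keyed on source only rather than on the full IOS extended entry):

```python
import ipaddress


class PatTable:
    """Port Address Translation (NAT overload, 'ip nat inside source list 1 interface Dialer0 overload').
    Many inside-local addresses share one inside-global address; each translation gets a unique
    global source port so that replies can be mapped back to the right inside host."""

    def __init__(self, global_ip: str, inside_net: str, first_port: int = 1024):
        self.global_ip = global_ip                            # Dialer0 address learned via IPCP
        self.inside_net = ipaddress.ip_network(inside_net)    # the 'access-list 1 permit' range
        self.first_port = first_port
        self.out = {}     # (proto, inside_ip, inside_port) -> global_port
        self.back = {}    # (proto, global_port) -> (inside_ip, inside_port)

    def _free_port(self, proto: str) -> int:
        for port in range(self.first_port, 65536):
            if (proto, port) not in self.back:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside. Sources outside the ACL range leave untranslated."""
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            return proto, src_ip, src_port, dst_ip, dst_port
        key = (proto, src_ip, src_port)
        if key not in self.out:
            # keep the original port when it is free (what IOS tries first), otherwise pick another
            gport = src_port if (proto, src_port) not in self.back else self._free_port(proto)
            self.out[key] = gport
            self.back[(proto, gport)] = (src_ip, src_port)
        return proto, self.global_ip, self.out[key], dst_ip, dst_port

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside. Returns the translated 5-tuple, or None when no translation exists.
        That None is why unsolicited inbound connections die at a PAT router; PAT is still not a
        firewall, since anything matching an existing entry is forwarded without inspection."""
        if dst_ip != self.global_ip:
            return None
        entry = self.back.get((proto, dst_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return proto, src_ip, src_port, inside_ip, inside_port
```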

Failures

IPsec VPNs can experience any one of a number of different types of failures. IPsec should be designed and implemented with redundancy and high-availability mechanisms to mitigate these failures. IPsec-based VPNs provide connectivity between distant sites using an untrusted transport network. Network connectivity consists of links, devices, or sometimes just paths across networks whose topology is not known. Any of...

Fiber Benefits

The signal from the antenna is reduced when traveling along the cable. In order to boost the signal, amplifiers are placed approximately every 2000 feet to ensure that all RF signals are delivered to the user with enough power to receive all channels within the spectrum (50 to 860 MHz) for analog TV, digital TV, and digital data cable modem services. In a 20-mile plant, approximately 52 amplifiers would be used. However, the amplifiers have limitations: they introduce noise and distortion, and...

Five Steps of IPsec

The goal of IPsec is to protect data with the necessary security and algorithms. The figure shows only one of two bidirectional IPsec security associations (SAs). IPsec operation can be broken down into five primary steps. Step 1: Interesting traffic initiates the IPsec process. Traffic is deemed interesting when the VPN device recognizes that the traffic you want to send must be protected. Step 2: Internet Key Exchange (IKE) Phase 1. IKE authenticates IPsec peers and negotiates IKE SAs during this...

Frame Mode MPLS

The ingress edge router performs these tasks after it receives an IP packet: It performs a routing lookup to determine the outgoing interface. If the outgoing interface is enabled for MPLS and a next-hop label for the destination exists, it assigns and inserts a label between the Layer 2 frame header and the Layer 3 packet header. The router then changes the Layer 2 Ethertype value to indicate that this is a labeled packet. The router sends the labeled packet. Note: Other routers in the core...

Further Label Allocation

Every LSR will eventually assign a label for every destination. The figure illustrates how an LDP update, advertising label 47 for network X, from router C is sent to all adjacent routers, including router B. Router D also advertises a label for network X. Since network X is directly connected to router D, it sends an implicit null label for this network. Because of this, the pop action for network X is used on router C, using a...

Generic Routing Encapsulation

GRE uses an additional header to support any other OSI Layer 3 protocol as payload (e.g., IP, IPX, AppleTalk). GRE is a tunneling protocol initially developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Routing protocols are often used across the tunnel to enable dynamic exchange of routing information in the virtual network. The multiprotocol functionality...

GRE over IPsec

GRE over IPsec is typically used to do the following:
- Create a logical hub-and-spoke topology of virtual point-to-point connections
- Secure communication over an untrusted transport network (e.g., Internet)
- Run IP protocols inside the GRE tunnel, which is not the case with the IPsec tunnel

The hub-and-spoke topology minimizes the management overhead associated with the maintenance of the IPsec tunnels. Also, most enterprises have concentric traffic patterns and thus are not interested in managing...

GRE over IPsec Characteristics

IPsec encapsulates the unicast IP (GRE) packet:
- Tunnel mode (default): IPsec creates a new tunnel IP packet
- Transport mode: IPsec reuses the IP header of the GRE packet (20 bytes less overhead)

The top figure shows the tunnel mode, in which both tunneling technologies (IPsec and GRE) introduce their own tunnel IP header. The bottom figure illustrates the usage of transport mode, in which IPsec reuses the IP header of the packet that it is protecting, and thus reduces the...

HFC Architecture

The HFC architecture is the evolution of an initial cable system and signifies a network that incorporates both optical fiber and coaxial cable to create a broadband network. By upgrading a cable plant to an HFC architecture, you can deploy a data network over an HFC system to offer high-speed Internet services, and you can serve more subscribers. The cable network is segmented into smaller service areas in which fewer amplifiers are cascaded after each optical node, typically five or...

How DPD and Cisco IOS Keepalive Features Work

DPD and Cisco IOS keepalives function on the basis of a timer. If the timer is set for 10 seconds, the router will send a hello message every 10 seconds (unless, of course, the router receives a hello message from the peer). The benefit of IOS keepalives and periodic DPD is earlier detection of dead peers. However, IOS keepalives and periodic DPD rely on periodic messages that have to be sent with considerable frequency. The result of sending frequent messages is that the communicating peers...

HSRP for Head End IPsec Routers

Remote sites peer with the virtual IP address (HSRP) of the headend. RRI or HSRP can be used on the inside interface to ensure a proper return path. Devices behind the headend VPN routers can find the return path toward remote sites using one of these two mechanisms: HSRP on the inside interface, configured similarly to the HSRP on the outside interface, or Reverse Route...

IKE authentication method

IP addressing and routing for clients. You should also install these prerequisite services, depending on the chosen design: RADIUS or TACACS+ server installation and configuration. CA installation and configuration if the public key infrastructure (PKI) is used for authentication. The router should also be enrolled with the CA to obtain the CA certificate and the identity certificate of the router, which can later be used to enable PKI for the VPN. DNS resolution for the addresses of the VPN servers....

IKE Proposals

IKE proposals specify the encryption algorithm, authentication algorithm, and key exchange method that is used by this router when negotiating a VPN connection with the remote device. For the VPN connection to be established with the remote device, the remote device should be configured with at least one of the policies listed below. Click the Add button to add more policies and the Edit button to edit an existing policy. The proposal listed is 3DES, SHA_1, group2, PRE_SHARE (SDM Default). IKE proposals specify the encryption...

Interim Packet Propagation

Forwarded IP packets are labeled only on the path segments where the labels have already been assigned. Step 1: An unlabeled IP packet arrives at router A. Step 2: The packet is forwarded based on the information found in the FIB table on router A. Step 3: Label 25, found in the FIB table, is used to label the packet, and it is forwarded to the next-hop router, router B. Step 4: Router B must remove the label because LSR B has not yet received any next-hop label (the action in the LFIB is untagged)....

Introducing the SDM VPN Wizard Interface

To select and start a VPN wizard, follow this procedure: Step 1: Click the Configure icon in the top horizontal navigation bar to enter the configuration page. Step 2: Click the VPN icon in the left vertical navigation bar to open the VPN page. Step 3: Choose the Site to Site VPN wizard from the list. Here you can create two types of site-to-site VPNs: classic and Generic Routing Encapsulation (GRE) over IPsec. This topic describes the components and the...

IPsec and NAT: The Problem

The IPsec VPN tunnel will not work if there are no port numbers in the IPsec headers that can be used to create and maintain translation tables. The Layer 4 port information is encrypted and therefore cannot be read. The IPsec NAT traversal feature, which was introduced in Cisco IOS software Release 12.2(13)T, enables IPsec traffic to travel through NAT or PAT devices in the network by encapsulating IPsec packets in a UDP wrapper.

IPsec Headers

- Authentication and data integrity (MD5 or SHA-1 HMAC) with AH and ESP
- Confidentiality (DES, 3DES, or AES) only with ESP

The AH provides authentication and integrity checks on the IP datagram. Authentication means the packet was definitely sent by the apparent sender. Integrity means the packet was not changed. The ESP header provides information that indicates encryption of...

IPsec NAT Traversal

Need NAT traversal with IPsec over TCP/UDP. NAT traversal is negotiated with these factors:
- UDP encapsulation of IPsec packets for NAT traversal
- UDP encapsulated process for software engines

During IKE phase 1 negotiation, two types of NAT detection occur before IKE quick mode begins: NAT support and NAT existence along the network path. To detect NAT support, the vendor ID string is exchanged with the remote peer....

IPsec Security Features

IPsec is the only standard Layer 3 technology that provides:
- Data confidentiality: The IPsec sender can encrypt packets before transmitting them across a network, thereby preventing anyone from eavesdropping on the communication. If intercepted, the communications cannot be read.
- Data integrity: The IPsec receiver can authenticate packets sent by the IPsec sender to ensure that there has been no alteration to the data during transmission....

IPsec Stateful Failover (Cont.)

IPsec stateful failover works in combination with HSRP and SSO. SSO is responsible for synchronizing the ISAKMP and IPsec SA databases between the HSRP active and standby routers. RRI is optionally used to inject the routes into the internal network. Stateful failover for IPsec, introduced in Cisco IOS software Release 12.3(11)T, enables a router to continue processing and forwarding IPsec packets after a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automatically...

IPsec Stateful Failover Example

Configure IPC to exchange state information between head-end devices. Enable stateful redundancy. In the figure, the crypto map redundancy is configured with the stateful keyword, which requires HSRP to be configured in combination with SSO. The right part of the configuration example shows how the HSRP profile named VPNHA is configured to exchange IPsec state with the other HSRP router using Stream Control Transmission Protocol (SCTP) on source and destination port 12345.

IPsec Transform Sets

In the example, Router A sends IPsec transform sets 30 and 40 to Router B. Router B compares its set, transform set 55, with those received from Router A. In this instance, there is a match. The Router A transform set 30 matches the Router B transform set 55. These encryption and authentication algorithms form an SA. Transform set 40 on Router A is not used. When security services are agreed upon between peers, each VPN peer device enters the...

Is Data Being Received from the ISP?

Router# show interfaces atm 0
ATM0 is up, line protocol is up
Hardware is DSLSAR (with Alcatel ADSL Module)
MTU 4470 bytes, sub MTU 4470, BW 128 Kbit, DLY 1600 usec, reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ATM, loopback not set
Keepalive not supported
Encapsulation(s): AAL5, PVC mode
24 maximum active VCs, 256 VCs per VP, 1 current VCCs
VC idle disconnect time: 300 seconds
Last input 01:16:31, output 01:16:31, output hang never
Last clearing of "show interface" counters never...

Label Distribution and Advertisement

The allocated label is advertised to all neighbor LSRs, regardless of whether the neighbors are upstream or downstream LSRs for the destination. MPLS adds a new piece of information that must be exchanged between adjacent routers. There are two possible approaches to propagating this additional label information between adjacent routers: extend the functionality of existing routing protocols, or create a new protocol dedicated to exchanging labels. Extending the functionality of existing router...

Label Format

The 32-bit MPLS label contains four fields. The table describes the fields contained in the 32-bit MPLS label.

32-Bit Label Fields
- Label: The actual label. Values 0 to 15 are reserved.
- Experimental (EXP): Undefined in the RFC. Used by Cisco to define a class of service (CoS) (IP precedence).
- Bottom-of-stack (S): MPLS allows multiple labels to be inserted. The bottom-of-stack bit determines if this label is the last label in the packet. If this bit is set (1), it indicates that this is the last label.
- TTL: Has the same purpose as the TTL field in...

Launching the Site-to-Site VPN Wizard (Cont.)

The step-by-step wizard allows you to specify either the SDM default configuration or your own custom configuration. This wizard will guide you through the necessary steps to configure one end of a site-to-site VPN tunnel on this router. The peer device must be configured with an identical VPN configuration for the tunnel to work. Please select one of the following setups and click on the Next button to begin. Quick setup asks for minimal information and uses SDM defaults. This is recommended if you are...

Layer 1 Issues

- ADSL_CD light is on: Proceed to Layer 2 troubleshooting
- ADSL_CD light is off: Continue with Layer 1 troubleshooting

Check whether the DSL (ATM) port on the Cisco router is plugged into the wall jack; if not, connect the port to the wall jack with a standard telephone cable (4-pin or 6-pin RJ-11 cable). Check the correctness of the cable pinouts. Verify with the service provider that DSL service has been enabled. You can monitor the status of the ATM interface on the router by checking the status of...

Layer 2 Issues

Verify that a PVC is in use with the ping atm interface atm command.
router# ping atm interface atm 0 2 32 seg-loopback
Type escape sequence to abort.
Sending 5, 53-byte segment OAM echoes, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 58/58/58 ms
Check the VPI/VCI settings with the debug atm events command. After establishing that Layer 1 is not an issue, troubleshooting can continue at Layer 2. First, check whether a permanent virtual circuit (PVC) is...

Learner Skills and Knowledge

- Completed initial configuration of a switch
- Basic interswitch connections
- Completed initial configuration of a router
- Routing (static routing, default routing, default router, default gateway, and basic NAT and PAT)
- Concepts linked to routing protocols (classful versus classless, single area OSPF, RIP, EIGRP, administrative distance, and interoperations)
- Standard WAN technologies (Frame Relay, PPP, and HDLC)
- Fundamental security knowledge, including the presence of hackers,...

LIB and LFIB Setup

When a label is assigned to an IP prefix, it is stored in two tables: LIB and LFIB. LIB and LFIB structures have to be initialized on the LSR allocating the label. The untagged action will remove the label from the frame, and the router will send a pure IP packet. The LIB table is used to maintain the mapping between the IP prefix (network X), the assigned label (25), and the assigning router (local). The LFIB table is modified to contain the local label mapped to the forwarding action. In this case,...

Lists active IPsec security associations

The table lists two of the most useful show commands to determine the status of IPsec VPN connections. To display all current IKE SAs, use the show crypto isakmp sa command in EXEC mode. The QM_IDLE status indicates an active IKE SA. To display the settings used by current SAs, use the show crypto ipsec sa command in EXEC mode. Non-zero encryption and decryption...

Local User Database Adding Users

Enter the username and password (Add an Account dialog: Username Joe, New Password, Confirm New Password, Encrypt password using MD5 hash algorithm). A User Accounts window opens. Follow this procedure to add a new user account: Step 1: Click Add. Step 2: An Add an Account window opens. Enter the username in the Username field. Step 3: Enter the password and confirm it. Step 4: Use the default privilege level 1 for VPN users. Step 6: Click OK in the User Accounts window. When you are back on the User Authentication (XAuth) window, click Next to continue....

Local User Management

To create an administrative user, follow this procedure: Step 1: Click the Additional Tasks icon in the Tasks toolbar on the left side of the window. Step 2: Click the User Accounts/View option under the Router Access option in the middle part of the window. Step 3: Click Add in the top right side of the window to add a user. 4-162 Implementing Secure Converged Wide Area Networks (ISCW) v1.0

Maximum distance is achieved at lowest data rate

The maximum data rate describes the maximum achievable downstream and upstream bandwidth with the shortest operational distance (distance between the subscriber and the CO). The maximum operational reach is the maximum achievable distance with the lowest operational data rate. Bandwidth and distance are inversely related: ADSL offers greater distance reachability, but the achievable speed degrades as the distance increases. The maximum distance is limited to approximately...

Message Authentication and Integrity Check Using Hash

A MAC is used for message authentication and integrity check. Hashes are widely used for this purpose (HMAC). VPN data is transported over the public Internet. Potentially, this data could be intercepted and modified. To guard against this, each message has a hash attached to the message. A hash guarantees the integrity of the original message. If the transmitted hash matches the received hash, the message has not been tampered with. However, if there is no match, the message was altered. The...

Microfilters at customer premises

POTS splitters are used to separate the DSL traffic from the POTS traffic. The POTS splitter is a passive device. In the event of a power failure, the voice traffic will still be carried to the voice switch in the CO. Splitters may be located at the customer premises but are certainly used A microfilter is a passive low-pass filter with two ends. One end connects to the telephone, and the other end connects to the telephone wall jack. The local loop terminates on the customer premises at the...

Mode Config (Push Config) and Xauth (User Authentication)

There are some additional functions that can be delivered by IKE, which are used to verify if the peer device is still active, to pass IPsec through Network Address Translation (NAT) devices, or to exchange additional configuration parameters. Dead peer detection (DPD) and Cisco IOS keepalives function on the basis of a timer. If the timer is set for 10 seconds, the router will send a hello message every 10 seconds (unless, of course, the router receives a hello message from the peer). The...

Mode Configuration

Mechanism used to push attributes to IPsec VPN clients. The mode configuration option is heavily used for Easy VPN. Easy VPN allows remote clients to receive security policies from an Easy VPN Server, minimizing configuration requirements at the client. Cisco Easy VPN greatly simplifies VPN deployment for remote offices and teleworkers. The Cisco Easy VPN solution centralizes VPN management across all Cisco VPN devices, thus reducing...

Modem terminating DSL and end-user PC with PPPoE client

When deploying PPPoE and DSL, these three options are available with regard to the equipment used, DSL termination, and PPPoE client functionality: A router with an internal modem and PPPoE client functionality is used to terminate a DSL line and establish a PPPoE session. This option is preferable when support of PPPoE client software is undesirable. The router can also be a DHCP server and deploy Network Address Translation (NAT) and Port Address Translation (PAT) to connect multiple users...

Module Objectives

Upon completing this module, you will be able to describe and implement teleworker broadband connectivity. This ability includes being able to meet these objectives:
- Describe the WAN, branch, and SOHO modules that represent remote connections to the enterprise network
- Configure the PPPoE and PPPoA client over DSL
- Verify typical broadband configurations