A CPE router can connect multiple users via a single ADSL connection using NAT/PAT and DHCP

Either the PC or the router can be the PPPoE client; the figure shows a router as the client. In the PPPoE architecture, the PPPoE client functionality is used to connect to the ADSL service. The PPPoE client first encapsulates the end-user data in a PPP frame, and the PPP frame is then encapsulated in an Ethernet frame. IP address allocation for the PPPoE client follows the same principle as PPP in dial mode, which is IP Control Protocol (IPCP) negotiation, with...

Administratively Down State for an ATM Interface

This topic describes troubleshooting situations in which the interface is down because of an administrative action. This is the simplest problem to resolve.

Is the ATM interface in an administratively down state? If the ATM interface is administratively disabled, the interface status shows:

ATM0 is administratively down, line protocol is down
< rest of the output omitted >

Enable the administratively disabled interface:

Enter configuration commands, one per line. End with CNTL/Z.
router(config)# interface atm 0
router(config-if)# ...

ADSL operation and performance is influenced by different impairments

ADSL service is deployed between ADSL modems at the subscriber and CO locations. The CPE ADSL modem is known as the ADSL Transmission Unit-Remote (ATU-R); the CO modem is called the ADSL Transmission Unit-Central Office (ATU-C). Special devices called DSLAMs are located at the CO; a DSLAM encompasses multiple ATU-Cs. The basic line-coding techniques associated with ADSL are as follows:
- Single-carrier: Carrierless Amplitude and Phase Modulation (CAP)
- Multicarrier with DMT: Discrete Multi-Tone...

Advanced Monitoring

The basic Cisco IOS web interface also allows you to enter Cisco IOS CLI commands through the web interface to monitor and troubleshoot the router. Advanced monitoring can be performed using the default Cisco IOS HTTP server interface, but it requires knowledge of Cisco IOS CLI commands. Because this interface executes CLI commands with the privilege level of the logged-in user, it should only be exposed over HTTPS (ip http secure-server), with the plain HTTP server disabled and access restricted to management addresses with ip http access-class. The table lists two of the most useful show commands for determining the status of...

Advanced Options

The Advanced Options page has these tabs: General, DNS/WINS, Split Tunneling, Client Settings, XAuth Options, and Backup Servers.

Backup Servers: specify a list of up to ten backup servers. This list is pushed to the Easy VPN clients; if the connection to the local Easy VPN server fails, clients try a backup server.

The firewall option restricts VPN connections to devices running Black Ice or Zone Alarm personal firewalls. The local LAN option allows a non-split-tunneling connection to access the local stub network at the same time as the client. The PFS option should be enabled if PFS is...

After the Introduction of the PHP

A label is removed on the router before the last hop within an MPLS domain. The term pop means to remove the top label in the MPLS label stack instead of swapping it with the next-hop label. The last router before the egress router therefore removes the top label. PHP slightly optimizes MPLS performance by eliminating one LFIB lookup at the egress edge LSR.

Implementing Secure Converged Wide Area Networks (ISCW) v1.0

AH Authentication and Integrity

AH authenticates the IP header and payload but encrypts nothing; because the hash covers the source and destination addresses (only mutable fields such as TTL are excluded), AH cannot pass through a NAT device.

Step 1 The IP header and data payload are hashed.
Step 2 The hash is used to build an AH header, which is appended to the original packet.
Step 3 The new packet is transmitted to the IPsec peer router.
Step 4 The peer router hashes the IP header and data payload.
Step 5 The peer router extracts the transmitted hash from the AH header.
Step 6 The peer router compares the two hashes. The hashes must match exactly. Even if one bit is changed in the transmitted packet, the hash output on the...

Allocating Labels

Every LSR allocates a label for every destination in the IP routing table. Labels have local significance. Label allocations are asynchronous. Although any of the routers could be the first to generate a label, for this example it is assumed that router B is the first router to generate one. Router B generates a locally significant and locally unique label (for this example, 25) and assigns it to IP network X. Note: labels 0 to 15 are reserved.

2006 Cisco Systems, Inc.

AM radio interference

The DSL types are limited in distance and speed. Speed is inversely proportional to distance: a longer local loop means a lower maximum speed for a particular DSL connection. The maximum speed that certain DSL connections can achieve is also influenced by various impairments in the local loop that attenuate or distort the signal, such as the following:
- Signal attenuation: attenuation means signal loss over distance and is determined by the distance between a subscriber...

Asymmetric Encryption: RSA

- Public key encrypts data and verifies digital signatures
- Private key decrypts data and signs with a digital signature
- Suited to insecure communication channels, because only public keys have to be exchanged

RSA is an asymmetric (public-key) algorithm; it is used alongside Diffie-Hellman key exchange in IKE but is not derived from it. The Diffie-Hellman key agreement was invented in 1976 in a collaboration between Whitfield Diffie and Martin Hellman, and was the first practical method for establishing a shared secret over an unprotected communications channel. The method was followed shortly afterwards...

Authenticate Peer Identity

There are three data origin authentication methods:
- Preshared keys: a secret key value entered into each peer manually, used to authenticate the peer
- RSA signatures: uses the exchange of digital certificates to authenticate the peers
- RSA encrypted nonces: nonces (a random number generated by each peer) are encrypted and then exchanged between peers; the two nonces are used during the peer authentication process

Preshared keys are the simplest but weakest option: they must be long, random and unique per peer, and should not be combined with IKE aggressive mode, where the authentication hash is sent unencrypted and can be attacked offline.

The purpose of IKE Phase 2 is to negotiate...

Backing Up a WAN Connection with an IPsec VPN

IPsec VPNs can be used as cost-effective and fast backups for an existing WAN.
- Using an IGP (for example, GRE over IPsec or VTI): use IGP metrics to influence primary path selection; optionally, use HSRP to track PVC status on the remote site
- Using floating static routes for VPN destinations

The figure illustrates a scenario in which the WAN is backed up by an IPsec VPN. A failure of the primary permanent...

Backing Up a WAN Connection with an IPsec VPN Example Using GRE over IPsec

interface Serial0/0.1
 ip address 192.166.123.6 255.255.255.252
 delay 100
!
router eigrp 1
 network 192.166.0.0 0.0.255.255
 network 10.0.0.0 0.0.0.255
!
interface Tunnel0
 ip address 192.168.194.6 255.255.255.252
 delay 500
 tunnel protection ipsec profile IPSEC
!
router eigrp 1
 network 192.168.0.0 0.0.255.255
 network 10.0.0.0 0.0.0.255

The VPN links, however, are configured with a longer delay to influence the EIGRP process to prefer the primary WAN link as...

Backup GRE Tunnel Information

A backup GRE tunnel can be configured for VPN resilience. If the primary GRE tunnel is down, the router detects the loss of connectivity and provides stateless failover by choosing the backup GRE tunnel.

1 Create a backup secure GRE tunnel for resilience: IP address of the backup GRE tunnel's destination (Backup VPN Peer)...
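The following is an added configuration example, not from the ISCW course, of the primary/backup GRE tunnel arrangement described above together with the floating static route mentioned under "Backing Up a WAN Connection with an IPsec VPN". Interface names, the tunnel addresses, the VPN peer addresses 203.0.113.1 and 203.0.113.2, the headquarters prefix 10.2.0.0/16 and the IPsec profile name IPSEC are assumed; the crypto configuration behind that profile is not shown here.

```cisco
! Added example: primary and backup GRE tunnels with stateless failover.
! All addresses, interface names and the profile name IPSEC are assumed.
!
! Primary tunnel to the headquarters primary VPN peer
interface Tunnel0
 description Primary GRE over IPsec to HQ peer 1
 ip address 192.168.194.6 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile IPSEC
 delay 500
!
! Backup tunnel to the backup VPN peer; the higher delay makes EIGRP
! prefer Tunnel0 while both tunnels are up
interface Tunnel1
 description Backup GRE over IPsec to HQ peer 2
 ip address 192.168.195.6 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile IPSEC
 delay 1000
!
! Internet-facing interface that both tunnels are sourced from
interface FastEthernet0/1
 ip address 198.51.100.6 255.255.255.252
!
! Primary WAN link keeps the lowest delay, so it wins while it is up
interface Serial0/0.1 point-to-point
 ip address 192.168.123.6 255.255.255.252
 delay 100
!
! EIGRP runs over the WAN link and both tunnels; loss of EIGRP hellos on a
! tunnel (15 s hold time by default) withdraws the routes learned through it
router eigrp 1
 network 192.168.0.0 0.0.255.255
 network 10.0.0.0 0.0.0.255
!
! Floating static route as a last resort: administrative distance 250 is
! worse than EIGRP (90), so it is installed only when no EIGRP route exists
ip route 10.2.0.0 255.255.0.0 Tunnel1 250
```

Failover here is stateless: IPsec SAs on the surviving tunnel are unaffected, but any sessions pinned to the failed path are re-routed only after the EIGRP hold timer expires, so tune the EIGRP hello and hold timers on the tunnel interfaces if a 15 s outage is too long.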

Bandwidth versus distance

Transmission in DSL can be categorized by direction as follows:
- Downstream: transmission from a CO toward a subscriber
- Upstream: transmission from a subscriber toward a CO

The DSL types fall into two major groups, taking into account downstream and upstream speeds:
- Symmetrical DSL: communication in which the transmission speeds available for upstream and downstream communication between the source and destination nodes are the same
- Asymmetrical DSL: communication in which different...

Basic MPLS Concepts Example

Only edge routers must perform a routing lookup. Core routers switch packets based on simple label lookups and swap labels. In this example, assume that the Edge-2 router is informed that, in order to reach the 10.1.1.1 network, it should assign a label of 25 to the packet and forward the packet to the core router. The core router is informed that when it receives a packet...

Basic MPLS Features

MPLS is a switching mechanism in which packets are forwarded based on labels. Labels usually correspond to IP destination networks (equivalent to traditional IP forwarding). Labels can also correspond to other parameters, such as the outgoing interface on the egress router. MPLS was designed to support forwarding of non-IP protocols as well. MPLS assigns labels (numbers) to packets and then uses those labels to forward them. The labels are assigned at the edge of the MPLS network,...

Before the Introduction of the PHP

Double lookup is not an optimal way of forwarding labeled packets; a label can be removed one hop earlier. The check marks show which tables are used on individual routers. The egress router in this example must do a lookup in the LFIB table to determine whether the label must be removed and whether a further lookup in the FIB table is required. PHP removes the requirement for a double lookup on egress LSRs.

BGP that supports address families other than IPv4 is called Multiprotocol BGP (MP-BGP)

With the deployment of a single routing protocol, BGP, to exchange all customer routes between PE routers, an important issue arises: how can BGP propagate several identical prefixes belonging to different customers between PE routers? The only solution to this dilemma is to expand the customer IP prefixes with a unique prefix that makes them unique even if they previously overlapped. A 64-bit prefix called the RD is used in MPLS VPNs to convert non-unique 32-bit customer IPv4 addresses...

Building the IP Routing Table

IP routing protocols are used to build IP routing tables on all LSRs. FIBs are built from IP routing tables, initially with no labeling information. As a starting point for this example, the IGP has converged and the FIB table on router A contains the entry for network X that is mapped to the IP next-hop address B. However, at this time, a next-hop label is not available, which means that all packets are forwarded in the traditional way (as unlabeled packets).

Cable System Benefits

Cable is cost-effective because the broadcast architecture is cascaded to users. Cable supports different services: inexpensive high-speed Internet access enables advanced SOHO and teleworker deployments. The development of cable systems enabled new services; the cable system is capable of supporting telephony and data services in addition to analog and digital video services. With the advent of high-speed data, telephony, and other similar services, larger cable...

Cable System Components

The cable system consists of these major components:
- Antenna site: a location with the main receiving antennas and satellite dishes
- Headend: a facility where signals are received, processed, formatted, and combined, and then transmitted through the distribution network to subscribers
- Transportation network: links a remote antenna site to a headend
- Distribution network: comprised of trunk and feeder cables
- Subscriber drop: devices and parts used to connect to the distribution network

An antenna site is a location chosen for optimum reception of over-the-air, satellite,...

Cable System Standards

- NTSC: technical standard for the analog TV system used in North America; uses a 6-MHz modulated signal
- PAL: color encoding system used in broadcast television systems in most of the world; uses a 6-MHz, 7-MHz, or 8-MHz modulated signal
- SECAM: an analog color TV system used in France and some Eastern European countries; uses an 8-MHz modulated signal

NTSC is the North American technical standard for analog TV systems. The standard was created in 1941 and is named after the National Television System Committee formed in...

CAP Modulation

CAP is an easily implemented modulation method used in many early installations of ADSL. CAP modulation creates three separate channels on the wire by dividing the signals into three distinct bands:
- Voice channel: voice traffic is carried in the 0-4 kHz band
- Upstream channel: the range of 25-160 kHz is allocated for upstream data traffic
- Downstream channel: the range of 240 kHz to 1.5 MHz is allocated for downstream data traffic

The actual width of the downstream channel (the upper...

CEF Switching Review

CEF uses a complete IP switching table, the FIB table, which holds the same information as the IP routing table. The generation of entries in the FIB table is not packet-triggered but change-triggered. When something changes in the IP routing table, the change is also reflected in the FIB table. Because the FIB contains the complete IP switching table, the router can make definitive decisions based on the information in it. Whenever a router receives a packet that should be CEF-switched, but...

Cisco Easy VPN Components

Cisco Easy VPN consists of two components Cisco Easy VPN Server and Cisco Easy VPN Remote. Cisco Easy VPN Server enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3000 Series Concentrators to act as VPN headend devices in site-to-site or remote-access VPNs, in which the remote office devices use the Easy VPN Remote feature. Using this feature, security policies defined at the headend are pushed to the remote VPN device, ensuring that those connections have up-to-date policies in...

Cisco Easy VPN Server Configuration Tasks for the Easy VPN Server Wizard

This section describes how the Easy VPN Server wizard guides you through the configuration steps. The wizard covers the configuration of these parameters:
- Selecting the interface on which to terminate IPsec tunnels
- IKE policies (for example, encryption algorithm, Hash-based Message Authentication Code (HMAC), priority, lifetime, and Diffie-Hellman group)
- Group policy lookup method (local, RADIUS, or TACACS+)
- User authentication (local or...

Cisco Enterprise Architecture

The Cisco Enterprise Data Center Architecture is a cohesive, adaptive network architecture that supports the requirements for consolidation, business continuance, and security, while enabling emerging service-oriented architectures, virtualization, and on-demand computing. IT staff can easily provide departmental staff, suppliers, or customers with secure access to applications and resources. This simplifies and streamlines management, significantly reducing overhead. Redundant data centers...

Cisco Hierarchical Network Model

Traditionally, the three-layer hierarchical model has been used in network design. The model provides a modular framework that allows flexibility in network design and facilitates ease of implementation and troubleshooting. The hierarchical model divides networks or their modular blocks into the access, distribution, and core layers, with these features:
- Access layer: used to grant user access to network devices. In a campus network, the access layer generally incorporates switched LAN devices...

Cisco IOS Platform Switching Mechanisms

The Cisco IOS platform supports three IP switching mechanisms:
- Routing table-driven switching (process switching): a full lookup is performed for every packet
- Cache-driven switching (fast switching): the most recent destinations are entered in the cache; the first packet is always process-switched
- Topology-driven switching (Cisco Express Forwarding, CEF): the forwarding table is built from the routing table in advance, so no packet has to be process-switched to populate it

Because CEF provides the foundation for MPLS switching, it is important to understand the purpose of CEF, how it functions, and how the network uses CEF information when forwarding...

Cisco Router and SDM

The main page of the SDM consists of two sections: About Your Router, which displays the hardware and software configuration of the router, and Configuration Overview, which displays basic traffic statistics. There are two important icons in the top horizontal navigation bar: the Configure icon enters the configuration page, and the Monitor icon enters the page where the status of the tunnels, interfaces, and device can be monitored.

Cisco SDM Features

Smart wizards for these frequent router and security configuration issues:
- Avoid misconfigurations with integrated routing and security
- Secure the existing network infrastructure easily and cost-effectively
- Uses Cisco TAC- and ICSA-recommended security configurations

The startup wizard, one-step router lockdown, policy-based firewall and ACL management (firewall policy), one-step VPN (site-to-site), and inline IPS guide untrained users through the workflow...

Cisco SONA Framework

With its vision of the IIN, Cisco is helping organizations to address new IT challenges, such as the deployment of service-oriented architectures, web services, and virtualization. The Cisco Service-Oriented Network Architecture (SONA) is an architectural framework that guides the evolution of enterprise networks to an IIN. The SONA framework provides these advantages to enterprises Outlines the path towards the IIN Illustrates how to build integrated systems across a fully converged IIN...

PPPoA

With PPPoA, a CPE device encapsulates a PPP session for transport across a DSL access multiplexer (DSLAM). PPPoA is commonly used in small office, home office (SOHO) and branch office environments, although it is not limited to them. It has greater flexibility for the home than the average PPPoE deployment because the customer LAN behind the CPE is under the complete control of the customer and the CPE acts as a router, rather than a bridge for PPPoE (where the CPE bridges the PPPoE frame from...

Clients are preconfigured with a set of IKE policies and IPsec transform sets

Cable modems, xDSL routers, and other forms of broadband access provide high-performance connections to the Internet, but many applications also require the security of VPN connections that perform a high level of authentication and that encrypt the data between two particular endpoints. However, establishing a VPN connection between two routers can be complicated and typically requires tedious coordination between network administrators to configure the VPN parameters of the two routers. The...

Commonly Used Hash Functions

SHA-1 provides 160-bit output (only the first 96 bits of the HMAC are used in IPsec). SHA-1 is computationally slower than MD5 but more secure. MD5 creates a 128-bit hash, while SHA-1 creates a 160-bit hash; in the case of SHA-1, only 96 bits of this hash are used for IPsec. Both functions start from a fixed initial value defined by the algorithm; unlike a block cipher, a hash function takes no initialization vector (IV) from the caller. Note that MD5 and SHA-1 are no longer collision resistant; where the platform supports it, SHA-2 (for example, the esp-sha256-hmac transform) should be preferred, although the HMAC constructions used by IPsec are not broken by the known collision attacks.

Component Architecture of LSR

The primary function of an LSR is to forward labeled packets. Therefore, every LSR needs a Layer 3 routing protocol (for example, OSPF, EIGRP, or IS-IS) and a label distribution protocol (for example, LDP). LDP populates the LFIB table in the data plane that is used to forward labeled packets. Edge LSRs also forward IP packets based on their IP destination addresses and, optionally, label them if a label exists. A received IP...

Configuration of a Cisco Router as the PPPoE Client

This topic describes the configuration tasks that are required to configure a Cisco Systems router as a PPPoE client. Configuring DSL requires global and interface configuration commands.

Configuration Tasks: Configuring the CPE as the PPPoE Client over the Ethernet Interface. Use the PPP over Ethernet (PPPoE) DSL configuration steps listed here in addition to dial-on-demand routing (DDR)-derived commands:
Step 1 Configure the Ethernet interface of the Cisco router with a PPPoE client...

Configuration of a PPPoE Client

This topic describes how to configure a PPPoE client. After the PPPoE virtual private dialup network (VPDN) group has been defined, the interface toward the DSLAM must be configured. On an ADSL (ATM) interface, configure the ATM PVC and its encapsulation. To configure a PPPoE client on an Ethernet interface instead, use the interface ethernet command in global configuration mode to enter interface configuration mode, then enable PPPoE on the Ethernet interface. Finally,...

Configuration of a Static Default Route

This topic describes how to configure a static default route pointing to the dialer interface.

ip route 0.0.0.0 0.0.0.0 interface number

The CPE can use a static default route to reach all remote destinations. You can configure a static default route on a Cisco router to allow the router to reach all unknown destinations through the dialer interface. In most DSL installations, the CPE does not run a dynamic routing protocol to the aggregation router of the service provider. Therefore, a...

Configuration of the DSL ATM Interface

This topic lists commands and explains the procedure, in four steps, to configure a DSL ATM interface. Use the dsl operating-mode auto interface configuration command to specify that the router automatically detect the DSL modulation that the service provider is using and set the DSL modulation to match. An incompatible DSL modulation configuration can result in failure to establish a DSL connection to the DSLAM of the service provider. Use the pvc interface configuration command to set the...

Configure a connection to the Internet through dialup networking

Complete these tasks to configure the Cisco VPN Client for Easy VPN Remote access:
Step 1 Install a Cisco VPN Client on the remote user PC.
Step 2 Create a new client connection entry.
Step 3 Configure client authentication properties.
Step 4 Configure transparent tunneling.
Step 5 Enable and add backup servers.
Step 6 Configure a connection to the Internet through dial-up networking.

Configure a DHCP Server

Router(config)# ip dhcp pool pool_name
Enables a DHCP pool for use by hosts and enters DHCP pool configuration mode.

Router(dhcp-config)# import all
Imports DNS and WINS information learned through IPCP.

Router(dhcp-config)# network address mask
Specifies the network and subnet mask of the pool.

Router(dhcp-config)# default-router address
Specifies the default router for the pool to use.

The Cisco IOS DHCP Server feature is a full implementation that assigns and manages IP addresses from specified address pools within the router to DHCP clients. After a DHCP client has booted,...

Configuring a GRE over IPsec Site-to-Site Tunnel Using SDM

SDM can guide you through site-to-site VPN configuration tasks. Select a task: Create a Site-to-Site VPN, or Create a secure GRE tunnel (GRE over IPsec).

To create a GRE over IPsec site-to-site VPN, follow this procedure: Step 1 Use a web browser to connect to the HTTP server of the router. Click the Configure icon in the top horizontal navigation bar to enter the configuration page....

Configuring a GRE over IPsec Site-to-Site Tunnel Using SDM (Cont.)

The GRE tunnel IP address is required to establish a tunnel with the peer. This entry can be a private address. The dialog also asks for the IP address of the tunnel destination.

The figure illustrates these configuration steps for implementing a GRE tunnel: Step 1 The GRE tunnel source IP address is taken from a configured interface or manually specified. It must still be a valid IP address...

Configuring MPLS on a Frame Mode Interface

This topic describes how to enable MPLS on a frame mode interface. Enable Tag Distribution Protocol (TDP) or Label Distribution Protocol (LDP) on the interface by using either tag switching or label switching. You enable MPLS support on a device with the mpls ip global configuration command (it is on by default), and then individually on every frame mode interface that participates in MPLS....

Configuring MPLS on a Frame Mode Interface Example

You must globally enable CEF switching, which automatically enables CEF on all interfaces that support it. CEF is not supported on logical interfaces, such as loopback interfaces. Non-backbone (non-MPLS) interfaces have an input ACL that denies TCP sessions on the well-known port number 711 (TDP uses TCP port 711 for sessions and UDP port 711 for hello messages). If using LDP, filter TCP and UDP port 646 (LDP uses UDP port 646 for hello discovery and TCP port 646 for the session). This is just a precaution, because without the mpls ip command on the interface, LDP cannot be established on Serial...
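The following is an added configuration example, not taken from the ISCW course, that puts the frame-mode MPLS steps above into one router configuration: CEF, global and per-interface mpls ip, LDP as the label protocol, and the precautionary ACL on the customer-facing interface. Interface names, the addresses, the LDP neighbor 10.255.0.2 and the ACL number 101 are assumed; the LDP neighbor password is an addition a practitioner would want, not something the course text requires.

```cisco
! Added example: frame-mode MPLS on a Cisco IOS router with one backbone
! interface and one customer-facing interface. Addresses, interface names,
! the LDP neighbor and the ACL number are assumed values.
!
! CEF is a prerequisite for MPLS switching; enabling it globally turns it on
! on every interface that supports it
ip cef
!
! MPLS forwarding is on globally by default; the explicit command documents
! the intent. Use LDP rather than the older Cisco-proprietary TDP.
mpls ip
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Backbone interface: label switching and LDP run here
interface Serial0/0
 description To P router
 ip address 10.1.12.1 255.255.255.252
 mpls ip
 ! Room for one 4-byte label on top of a 1500-byte IP packet
 mpls mtu 1504
!
! Authenticate the LDP TCP session with this neighbor (MD5 is the only
! mechanism LDP offers; an unauthenticated session accepts bogus label bindings)
mpls ldp neighbor 10.255.0.2 password LDP-SECRET-CHANGE-ME
!
! Customer-facing interface: no mpls ip, plus an inbound ACL that drops label
! distribution traffic so an untrusted device cannot even attempt a session
interface Serial0/1
 description To customer CE
 ip address 192.168.1.1 255.255.255.252
 ip access-group 101 in
!
! TDP: TCP 711 (session) and UDP 711 (hello). LDP: UDP 646 (hello), TCP 646 (session).
access-list 101 deny tcp any any eq 711
access-list 101 deny udp any any eq 711
access-list 101 deny tcp any any eq 646
access-list 101 deny udp any any eq 646
access-list 101 permit ip any any
```

Verify with show mpls interfaces (Serial0/0 should list Yes under IP, Serial0/1 should not appear) and show mpls ldp neighbor, which should show the session to 10.255.0.2 as Oper with MD5 in use.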

Configuring the CPE as the PPPoE Client over the ATM Interface

Configuration Tasks: Configuring the CPE as the PPPoE Client over the ATM Interface. Configuring the CPE as the PPPoE client over an ATM interface is very similar to configuring it over the Ethernet interface. The only difference is that you configure the ATM interface in the first step rather than an Ethernet interface. Use the PPPoE DSL configuration steps listed here in addition to DDR-derived commands:
Step 1 Configure the ATM interface (asymmetric DSL (ADSL) interface) of the Cisco router with...
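The following is an added example, not from the ISCW course, of a complete CPE configuration that brings together the PPPoE client steps above (over the ATM interface, with the Ethernet variant noted afterwards), the DSL ATM interface commands, the dialer interface, the static default route toward the dialer, the DHCP pool that imports DNS/WINS from IPCP, and the NAT/PAT that lets several LAN hosts share the single ADSL connection. The hostname, the PVC 0/35, the ISP credentials, the interface names and the 10.0.0.0/24 LAN are assumed values.

```cisco
! Added example: Cisco IOS CPE router as PPPoE client over the ADSL (ATM)
! interface, with dialer interface, static default route, DHCP server and
! PAT for the LAN. Hostname, PVC, credentials and addresses are assumed.
hostname CPE
!
ip cef
! Keep the router's own address (and a few spares) out of the DHCP pool
ip dhcp excluded-address 10.0.0.1 10.0.0.9
!
ip dhcp pool LAN
 ! DNS/WINS servers learned through IPCP on the dialer are handed to LAN hosts
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
!
interface FastEthernet0
 description Inside LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ! PPPoE leaves a 1492-byte MTU; clamp TCP MSS so LAN hosts do not depend on PMTUD
 ip tcp adjust-mss 1452
!
interface ATM0
 description ADSL line to the DSLAM
 no ip address
 ! Detect the DSL modulation the provider uses (ANSI DMT, G.dmt or G.lite)
 dsl operating-mode auto
 pvc 0/35
  ! Bind this PVC to dialer pool 1 (older IOS used a vpdn-group pppoe stanza)
  pppoe-client dial-pool-number 1
 !
!
interface Dialer1
 description PPPoE session to the ISP aggregation router
 mtu 1492
 ! Address comes from the aggregation router through IPCP, as in dial PPP
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ip nat outside
 ! Challenge the peer only on calls it initiates, so this client does not
 ! demand that the ISP authenticate itself
 ppp authentication chap callin
 ppp chap hostname user@isp.example
 ppp chap password 0 CHANGE-ME
!
dialer-list 1 protocol ip permit
!
! Static default route to the dialer: the CPE runs no IGP toward the provider
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! PAT every LAN host behind the single negotiated dialer address
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat inside source list 1 interface Dialer1 overload
```

For the PPPoE-over-Ethernet case, replace the ATM0 stanza with an Ethernet interface carrying pppoe enable and pppoe-client dial-pool-number 1; the dialer, route, DHCP and NAT parts are unchanged. The CHAP password is stored in the running configuration; service password-encryption only obscures it with the reversible type 7 scheme, so treat configuration backups as sensitive.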

Connection between subscriber and CO

Several years ago, research by Bell Labs identified that a typical voice conversation over a local loop only required the use of bandwidth of 300 Hz to 3 kHz. For years the bandwidth above 3 kHz went unused. Advances in technology allowed DSL to use the additional bandwidth from 3 kHz up to 1 MHz to deliver high-speed data services over ordinary copper lines. For example, asymmetric DSL (ADSL) uses a frequency range from approximately 20 kHz to 1 MHz. In order to deliver high-bandwidth data...

Connection Settings

Select the type of peer(s) used for this VPN connection: peer with static IP address. Enter the IP address of the remote peer. Authentication ensures that each end of the VPN connection uses the same secret key: pre-shared keys (pre-shared key, re-enter key). Select the interface for this VPN connection: Serial0/1/0....

Control Plane Components Example

Information from the control plane is sent to the data plane. The figure illustrates the two components of the control plane: OSPF, which receives and forwards a routing update for IP network 10.0.0.0/8, and LDP, which receives label 17 to be used for packets with destination address 10.x.x.x. A local label 24 is generated and sent to upstream neighbors for packets destined for 10.x.x.x. LDP inserts an entry into the LFIB table of the data plane, where incoming label 24 is mapped to outgoing...

Course Flow

This topic presents the suggested flow of the course materials. The schedule reflects the recommended structure for this course. This structure allows enough time for the instructor to present the course information and for you to work through the lab activities. The exact timing of the subject materials and labs depends on the pace of your specific class.

Course Goal and Objectives

This topic describes the course goal and objectives. The goal of the ISCW course is to expand the reach of the enterprise network to teleworkers and remote sites. The theme of implementing a highly available network with connectivity options, such as VPN and wireless, is highlighted. Upon completing this course, you will be able to meet these objectives: Describe the remote connectivity requirements...

CPE receives an IP address via IPCP, as in the dial model

With PPPoA, a PPP session is established between the CPE and the aggregation router. The CPE device must have a PPP username and password configured for authentication to the aggregation router that terminates the PPP session from the CPE. The aggregation router that authenticates the users can either use a local database on the aggregation router or a RADIUS AAA server. The PPPoA session authentication can be based on PAP or CHAP. After the PPP username and password have been authenticated,...

Creating a Custom IKE Policy

Configure IKE policy: priority 2, encryption 3DES, hash SHA_1.
- Encryption algorithm: DES, 3DES, AES
- Authentication method: preshared secrets or digital certificates
- Diffie-Hellman group: 1, 2, or 5

Encryption algorithm (most commonly 3DES or AES; you can also use the Software Encryption Algorithm (SEAL) to improve crypto performance on routers without hardware IPsec accelerators; DES is no longer advised because it can be broken in a relatively short time). Today 3DES and Diffie-Hellman groups 1 and 2 are also considered weak: prefer AES and DH group 14 or higher where the IOS release supports them. Authentication method (preshared secrets or digital...

Creating Users

The dialog asks for a username, the password entered twice, and whether to encrypt the password using the MD5 hash algorithm. View Name: SDM_Administrator (root); this view user is authorized to use all features in SDM. Click the View Details button to learn more about this view. If no enable secret password is configured on the router, SDM prompts for one, because the enable secret is needed to switch from a different view to the root view.

To add parameters for the new user, follow this procedure: Step 1 Give the...
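The following is an added configuration example, not from the ISCW course, showing in CLI form what the SDM user dialog above creates and how to harden the IOS HTTP server that SDM and the "Advanced Monitoring" web CLI rely on. The account name, the management subnet 10.0.0.0/24, the ACL number 10 and the passphrases are assumed values.

```cisco
! Added example: hardening the IOS HTTP server used by SDM and the web CLI,
! and creating the privilege-15 administrator SDM expects. ACL 10, the
! management subnet and the account name are assumed values.
!
! Weak starting point that a quick setup often leaves in place:
!   ip http server
! Plain HTTP carries the login credentials and every CLI command in cleartext.
no ip http server
ip http secure-server
!
! Authenticate web sessions against the local username database
ip http authentication local
!
! Only the management subnet may reach the web interface at all
access-list 10 permit 10.0.0.0 0.0.0.255
ip http access-class 10
!
! Privilege-15 account with a hashed password ("secret"), not the reversible
! type 7 encoding that "password" plus service password-encryption produces
username sdmadmin privilege 15 secret CHANGE-ME-STRONG-PASSPHRASE
!
! Needed to move from a restricted view back to the root view; also hashed
enable secret CHANGE-ME-ANOTHER-PASSPHRASE
!
! Protect the VTY lines the same way, since SDM may also open a Telnet/SSH session
line vty 0 4
 transport input ssh
 login local
 access-class 10 in
```

The secret keyword stores an MD5 (type 5) hash on releases of this era; on IOS 15.3(3)M and later, add algorithm-type scrypt to username and enable secret to get the stronger type 9 hash instead.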

Data Cable Technology Issues

The data cable technology issues relate to the fact that subscribers in a certain service area share a coaxial cable line. A shared coaxial cable line has these consequences:
- Bandwidth available to a subscriber may vary based on how many subscribers use the service at the same time. The cable operator can resolve this issue by adding RF channels and splitting the service area into multiple smaller areas.
- There is a risk of privacy loss, because every modem on the segment receives the shared downstream signal. This is addressed by encryption (DOCSIS Baseline Privacy) and other privacy...

Data circuits are offloaded from the voice switch

The major benefit of ADSL is the ability to provide data services along with voice. When analog voice is integrated with ADSL, the POTS channel is split off from the ADSL modem by filters or splitters, which guarantees uninterrupted regular phone service even if ADSL fails. A user is able to use the phone line and the ADSL connection simultaneously without adverse effects on either service if filters or splitters are in place. ADSL offloads the data (modem) traffic from the voice switch and...

Data over ADSL

DSL is a high-speed Layer 1 transmission technology that works over copper wires. The DSL Layer 1 connection from the CPE is terminated at the DSLAM. The data link layer protocol that is usually used over DSL is ATM. A DSLAM is basically an ATM switch containing DSL interface cards (ATU-Cs). The DSLAM terminates the ADSL connections, and then switches the traffic over an ATM network to an aggregation router. The aggregation router is the Layer 3 device where IP connection from the subscriber...

Dead Peer Detection

- Periodic DPD: keepalives are sent at regular intervals whether or not data is flowing
- On-demand DPD: keepalives are sent only when the router needs to send traffic and has not heard from the peer

The on-demand approach is the default. With on-demand DPD, messages are sent on the basis of traffic patterns. For example, if a router has to send outbound traffic and the liveliness of the peer is questionable, the router sends a DPD message to query the status of the peer. If a router has no traffic to send, it never sends a DPD message. If a peer...
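The following is an added configuration example, not from the ISCW course, that ties together the IKE policy parameters from "Creating a Custom IKE Policy", preshared-key peer authentication from "Authenticate Peer Identity", the hash and AH/ESP choices discussed earlier, and the periodic versus on-demand DPD setting described above, applied to the IPsec profile that the GRE over IPsec example references. The peer address 203.0.113.2, the tunnel addressing, the interface names and the key are assumed values; AES-256 and DH group 14 assume an IOS release that supports them.

```cisco
! Added example: IKE policy, preshared-key peer authentication, periodic DPD
! and the IPsec profile that protects a GRE tunnel. The peer 203.0.113.2,
! tunnel addressing, interface names and the key are assumed values.
!
! IKE Phase 1 policy. AES and DH group 14 replace the course-era defaults of
! 3DES and group 2, which are now considered weak.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
!
! Preshared key bound to exactly one peer address: never a wildcard (0.0.0.0)
! group key, and never combined with aggressive mode
crypto isakmp key 0 CHANGE-ME-LONG-RANDOM-KEY address 203.0.113.2
!
! Dead Peer Detection: probe every 10 s with a 3 s retry. The "periodic"
! keyword sends probes even when no traffic is flowing; omit it (or write
! "on-demand") for the default on-demand behaviour.
crypto isakmp keepalive 10 3 periodic
!
! ESP gives encryption plus HMAC-SHA-1-96 integrity. An AH-only set would be
! "ah-sha-hmac": it authenticates the IP header but encrypts nothing and
! breaks behind NAT.
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC
 set transform-set TS
!
interface Tunnel0
 ip address 192.168.194.6 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile IPSEC
```

Transport mode is sufficient here because GRE already provides the outer IP header; the ESP trailer then protects only the GRE packet. Periodic DPD is the right choice for a backup tunnel that normally carries no traffic, since on-demand DPD would never notice a dead peer until failover is already needed.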

Debug PPP Authentication

CPE#debug ppp authentication
CPE#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
CPE(config)#interface ATM 0/0
CPE(config-if)#no shutdown
00:19:05: %LINK-3-UPDOWN: Interface ATM0/0, changed state to up
00:19:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0/0, changed state to up
00:19:29: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
00:19:29: Vi2 PPP: Using dialer call direction
00:19:29: Vi2 PPP: Treating connection as a callout
00:19:29: Vi2 PPP: Authorization...

Default GRE Characteristics

GRE is now a standard tunneling method described by these Internet Engineering Task Force (IETF) standards:
- RFC 1701 and RFC 2784, describing a general-purpose GRE that can also be used by non-IP protocols in the transport network
- RFC 1702, describing how GRE can be used to transport arbitrary Layer 3 payloads over IP networks
- RFC 3147, describing GRE over Connectionless Network Service (CLNS) networks
- RFC 4023, describing Multiprotocol Label Switching (MPLS) encapsulation inside GRE

Determine if the PPPoE connect phase is successful

CPE#show pppoe session
Total PPPoE sessions 1

Get the status of the PPPoE session. The significant fields shown in the output are:
- 15:13:41.991: Sending PADI: Interface Ethernet1 (a broadcast Ethernet frame that requests a PPPoE server)
- 15:13:44.091: PPPOE: we've got our pado and the pado timer went off (a unicast reply from a PPPoE server, similar to a DHCP offer)
- 15:13:44.091: OUT PADR from PPPoE Session (a unicast reply that accepts the offer)
- 15...

Determining the Layer to Troubleshoot (Cont.)

Displays information specific to the ADSL for a specified ATM interface. Start troubleshooting Layer 1 by verifying whether a Cisco Systems CPE router is trained and successfully initialized to the DSLAM using the show dsl interface atm command. When a router is successfully trained to the DSLAM, the modem status field will have the value Showtime. Along with that value, the command will also display the upstream and...

Diffie-Hellman Key Exchange

Public key cryptosystems rely on a two-key system:
- Public key, which is exchanged between end users
- Private key, which is kept secret by the original owners

The Diffie-Hellman public key algorithm states that if user A and user B exchange public keys and a calculation is performed on their individual private key and on the public key of the other peer, the end result of the process is an identical shared key. The shared key will be used to encrypt and decrypt the data. Security is not an issue...

Diffie-Hellman Key Exchange (Cont.)

Peer A:
1. Generate large integer p.
2. Send p to peer B.
3. Generate public key YA = g^XA mod p.
4. Send public key YA.
5. Generate shared secret number ZZ = YB^XA mod p.
6. Generate shared secret key from ZZ (DES, 3DES, or AES).

Peer B:
1. Generate large integer q.
2. Send q to peer A; receive p.
3. Generate public key YB = g^XB mod p.
4. Send public key YB.
5. Generate shared secret number ZZ = YA^XB mod p.
6. Generate shared secret key from ZZ (DES, 3DES, or AES).

The Diffie-Hellman key exchange is a public key exchange method that provides a way...

Digital certificates

There are these authentication methods:
- Username and password: Uses the predefined usernames and passwords for different users or systems.
- One Time Password (OTP) (PIN/TAN): A stronger authentication method using passwords that are generated for each authentication.
- Biometric: Biometrics usually refers to technologies for measuring and analyzing human body characteristics such as fingerprints, eye retinas and irises, voice patterns, facial patterns, and hand measurements, especially for...

DOCSIS

Data-Over-Cable Service Interface Specifications (DOCSIS) is an international standard developed by CableLabs, a nonprofit research and development consortium for cable-related technologies. CableLabs tests and certifies cable equipment vendor devices (cable modem (CM) and CMTS) and grants DOCSIS-certified or Qualified status. DOCSIS defines the communications and operation support interface requirements for a data-over-cable system and permits the addition of high-speed data transfer to an...

DSL Variants Examples

ADSL is designed to deliver more bandwidth downstream than upstream, and supports data and voice simultaneously over existing copper lines. ADSL is oriented towards residential subscribers, where usually more bandwidth is required in the downstream for applications such as downloading music, movies, playing online games, surfing the Internet, or receiving e-mail with large attachments. The downstream rate ranges from 256 kbps to 8 Mbps, while upstream speed can reach 1 Mbps. RADSL refers to...

Enabling AAA

Cisco Router and Security Device Manager (SDM), 10.1.1.1. Create Easy VPN Server / Edit Easy VPN Server: SDM can guide you through Easy VPN Server configuration tasks. Warning shown when enabling AAA: there should be at least one user account with privilege level 15, or SDM should be invoked with privilege level 15, while enabling AAA. Please configure a privilege level 15 user or root view before enabling AAA on the router....

End-to-End Routing Information Flow

These steps describe the stages of routing information flow from the IPv4 routing updates entering the MPLS VPN backbone through their propagation as VPNv4 routes across the backbone:
- Step 1: PE routers receive IPv4 routing updates from the CE routers and install them in the appropriate VRF table.
- Step 2: The customer routes from VRF tables are exported as VPNv4 routes into MPBGP and propagated to other PE routers.
- Step 3: The PE routers receiving MPBGP updates import the incoming VPNv4 routes into...

Enterprise Architecture Framework

Proper prioritization and delivery of traffic across the WAN using various QoS mechanisms. Each building block addresses different enterprise network requirements:
- The WAN building block: Used to connect the campus, data center, branch, and teleworker into an enterprise network.
- The Enterprise Campus architecture: Addresses the core infrastructure intelligent switching and routing integrated with advanced...

ESP Protocol

- Provides confidentiality with encryption
- Provides integrity with authentication

When both ESP authentication and encryption are selected, encryption is performed first, before authentication. One reason for this order of processing is that it facilitates rapid detection and rejection of replayed or bogus packets by the receiving node. Prior to decrypting the packet, the receiver can authenticate inbound packets. By doing this, it can detect the problems and potentially reduce the impact of...

Example Configuring the PPPoE Dialer Interface

2-70 Implementing Secure Converged Wide Area Networks (ISCW) v1.0, 2006 Cisco Systems, Inc.

This topic describes how to configure addressing translations using PAT. One of the main features of Network Address Translation (NAT) is static PAT, which is also referred to as overload in Cisco IOS configuration. You can translate several internal addresses using NAT into just one or a few external addresses by using PAT. PAT uses unique source port numbers on the inside global IP address to...

Example DHCP Server Configuration

In this example, a DHCP address pool with the name MyPool is configured. The CPE router will act as a DHCP server for the hosts connected to the Ethernet 0/0 interface. Hosts will get IP addresses from the range 10.0.0.2 to 10.255.255.254 with the subnet mask 255.0.0.0. The IP address 10.0.0.1 is excluded from this range because it is already used on the router interface. Hosts will get a default route pointing to the router interface IP address 10.0.0.1, and other parameters that the router...

Example Integrated Services for Secure Remote Access

The figure shows a sample converged network with integrated services. DSL and cable have been deployed as two of the advanced physical layer technologies, and MPLS VPNs and IPsec VPNs have been deployed as two of the advanced secured connectivity technologies. Internet access is migrating from dialup modems with slow connections to broadband access, using a variety of technologies with much faster transport speeds. The technology takes advantage of existing telephone and cable television...

Example PAT Configuration

The access list will match any source address in the 10.0.0.0/8 network. In this example, the Dialer0 interface is the outside interface, and the Ethernet0/0 interface is the inside interface. The 10.x.x.x source addresses will be translated using PAT to the Dialer0 IP address. The Dialer0 interface receives its IP address from the service provider aggregation router using IPCP.

Failure Detection

Native IPsec uses DPD to detect failures in the path and remote peer failure. Any form of GRE over IPsec typically uses a routing protocol to detect failures (hello mechanism). HSRP is typically used to detect failures of local devices. VRRP and GLBP have similar failure-detection functionality. Failures in the IPsec path are typically detected using one of these two mechanisms:
- Dead peer detection (DPD), which is a native Internet Key Exchange (IKE) mechanism similar to old proprietary IKE...

Failures

IPsec VPNs can experience any one of a number of different types of failures. IPsec should be designed and implemented with redundancy and high-availability mechanisms to mitigate these failures. IPsec-based VPNs provide connectivity between distant sites using an untrusted transport network. Network connectivity consists of links, devices, or sometimes just paths across networks whose topology is not known. Any of...

Fiber Benefits

The signal from the antenna is reduced when traveling along the cable. In order to boost the signal, amplifiers are placed approximately every 2000 feet to ensure that all RF signals are delivered to the user with enough power to receive all channels within the spectrum (50 to 860 MHz) for analog TV, digital TV, and digital data cable modem services. In a 20-mile plant, approximately 52 amplifiers would be used. However, the amplifiers have limitations: they introduce noise and distortion, and...

Five Steps of IPsec

The goal of IPsec is to protect data with the necessary security and algorithms. The figure shows only one of two bidirectional IPsec security associations (SAs). IPsec operation can be broken down into five primary steps:
- Step 1: Interesting traffic initiates the IPsec process. Traffic is deemed interesting when the VPN device recognizes that the traffic you want to send must be protected.
- Step 2: Internet Key Exchange (IKE) Phase 1. IKE authenticates IPsec peers and negotiates IKE SAs during this...

Frame Mode MPLS

The ingress edge router performs these tasks after it receives an IP packet:
- It performs a routing lookup to determine the outgoing interface.
- If the outgoing interface is enabled for MPLS and if a next-hop label for the destination exists, it assigns and inserts a label between the Layer 2 frame header and the Layer 3 packet header.
- The router then changes the Layer 2 Ethertype value to indicate that this is a labeled packet.
- The router sends the labeled packet.

Note: Other routers in the core...

Functions of LSRs

- Exchanges routing information
- Exchanges labels
- Forwards packets (LSRs and edge LSRs)

LSRs of all types must perform these functions:
- Exchange routing information (control plane)
- Exchange labels (control plane)
- Forward packets (data plane)

Frame mode MPLS forwards packets based on the 32-bit label.

Further Label Allocation

Every LSR will eventually assign a label for every destination. The figure illustrates how an LDP update, advertising label 47 for network X, from router C is sent to all adjacent routers, including router B. Router D also advertises a label for network X. Since network X is directly connected to router D, it sends an implicit null label for this network. Because of this, the pop action for network X is used on router C, using a...

General Parameters

Use the General tab to configure the minimum required parameters for a functional group:
- Enter the preshared secret for the group.
- Specify an IP address pool from which addresses will be taken and assigned to clients. You have these two options:
  B) Select from an existing pool

Generic Routing Encapsulation

Uses an additional header to support any other OSI Layer 3 protocol as payload (e.g., IP, IPX, AppleTalk). GRE is a tunneling protocol initially developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Routing protocols are often used across the tunnel to enable dynamic exchange of routing information in the virtual network. The multiprotocol functionality...

GRE over IPsec

GRE over IPsec is typically used to do the following:
- Create a logical hub-and-spoke topology of virtual point-to-point connections
- Secure communication over an untrusted transport network (e.g., Internet)
- Run IP protocols inside the GRE tunnel, which is not the case with the IPsec tunnel

The hub-and-spoke topology minimizes the management overhead associated with the maintenance of the IPsec tunnels. Also, most enterprises have concentric traffic patterns, and thus are not interested in managing...

GRE over IPsec Characteristics

IPsec encapsulates the unicast IP packet (GRE):
- Tunnel mode (default): IPsec creates a new tunnel IP packet
- Transport mode: IPsec reuses the IP header of the GRE packet (20 bytes less overhead)

The top figure shows the tunnel mode in which both tunneling technologies (IPsec and GRE) introduce their own tunnel IP header. The bottom figure illustrates the usage of transport mode in which IPsec reuses the IP header of the packet that it is protecting, and thus reduces the...

HFC Architecture

The HFC architecture is the evolution of an initial cable system and signifies a network that incorporates both optical fiber and coaxial cable to create a broadband network. By upgrading a cable plant to an HFC architecture, you can deploy a data network over an HFC system to offer high-speed Internet services, and you can serve more subscribers. The cable network is segmented into smaller service areas in which fewer amplifiers are cascaded after each optical node, typically five or...

How DPD and Cisco IOS Keepalive Features Work

DPD and Cisco IOS keepalives function on the basis of a timer. If the timer is set for 10 seconds, the router will send a hello message every 10 seconds (unless, of course, the router receives a hello message from the peer). The benefit of IOS keepalives and periodic DPD is earlier detection of dead peers. However, IOS keepalives and periodic DPD rely on periodic messages that have to be sent with considerable frequency. The result of sending frequent messages is that the communicating peers...

HSRP for Head End IPsec Routers

Remote sites peer with the virtual IP address (HSRP) of the headend. RRI or HSRP can be used on the inside interface to ensure a proper return path. Devices behind the headend VPN routers can find the return path toward remote sites using one of these two mechanisms:
- HSRP on the inside interface, configured similarly to the HSRP on the outside interface
- Reverse Route...

HSRP Operation

A large class of legacy hosts that do not support dynamic router discovery are typically configured with a default gateway (router). Running a dynamic router discovery mechanism on every host may not be feasible for a number of reasons, including administrative overhead, processing overhead, security issues, or lack of a protocol implementation for some platforms. HSRP provides failover services to these hosts. Using HSRP, a set of routers works in concert to present the illusion of a single...

IKE authentication method

- IP addressing and routing for clients

You should also install these prerequisite services, depending on the chosen design:
- RADIUS or TACACS+ server installation and configuration.
- CA installation and configuration if the public key infrastructure (PKI) is used for authentication. The router should also be enrolled with the CA to get the CA certificate and the identity certificate of the router that can later be used to enable PKI for the VPN.
- DNS resolution for the addresses of the VPN servers....

IKE Policy

Negotiates matching IKE transform sets to protect the IKE exchange. In the figure, Router A sends IKE policies 10 and 20 to Router B. Router B compares its IKE policy, policy 15, with those received from Router A. In this instance, there is a match: Router A's policy 10 matches Router B's policy 15. In a point-to-point application, each end may only need a single IKE policy defined. However, in a hub-and-spoke environment, the central site may require multiple IKE policies defined to satisfy all...

IKE Proposals

IKE proposals specify the encryption algorithm, authentication algorithm, and key exchange method that is used by this router when negotiating a VPN connection with the remote device. For the VPN connection to be established with the remote device, the remote device should be configured with at least one of the policies listed below. Click the Add button to add more policies and the Edit button to edit an existing policy.

3DES SHA_1 group2 PRE_SHARE SDM Default

IKE proposals specify the encryption...

Info

Mechanism used for user authentication for VPN clients. Xauth does not replace IKE. IKE allows for device authentication while Xauth allows for user authentication, which occurs after IKE device authentication. A user authentication option can be a generic username and password, Challenge Handshake Authentication Protocol (CHAP), OTPs, or Secure Key (S/Key). This topic describes...

Intelligent Information Network

The Cisco vision of the future IIN encompasses these features:
- Integration of networked resources and information assets. The modern converged networks with integrated voice, video, and data require that IT departments more closely link the IT infrastructure with the network.
- Intelligence across multiple products and infrastructure layers. The intelligence built into each component of the network is extended network-wide and applies end-to-end.
- Active participation of the network in the delivery...

Interim Packet Propagation

Forwarded IP packets are labeled only on the path segments where the labels have already been assigned.
- Step 1: An unlabeled IP packet arrives at router A.
- Step 2: The packet is forwarded based on the information found in the FIB table on router A.
- Step 3: Label 25, found in the FIB table, is used to label the packet, and it is forwarded to the next-hop router, router B.
- Step 4: Router B must remove the label because LSR B has not yet received any next-hop label (the action in the LFIB is untagged)....

Introducing Secure GRE Tunnels

- Provides virtual point-to-point connectivity, allowing routing protocols to be used
- GRE is poor at security: only very basic plaintext authentication can be implemented using the tunnel key (not very secure)
- GRE cannot accommodate typical security requirements

The main function of GRE is to provide powerful yet simple tunneling. It supports any OSI Layer 3 protocol as payload, for which it provides virtual point-to-point connectivity. It also allows the usage of routing protocols across the...

Introducing the SDM VPN Wizard Interface

To select and start a VPN wizard, follow this procedure:
- Step 1: Click the Configure icon in the top horizontal navigation bar to enter the configuration page.
- Step 2: Click the VPN icon in the left vertical navigation bar to open the VPN page.
- Step 3: Choose the Site to Site VPN wizard from the list. Here you can create two types of site-to-site VPNs: classic and Generic Routing Encapsulation (GRE) over IPsec.

This topic describes the components and the...