%Authentication% Archives %%page%%

Tag Archive for 'Authentication'

Open Shortest Path First – OSPF Fundamentals – Multiple Areas

Published

on March 3, 2009

in BDR, BSCI, BSCI Notes, Certification, Cisco Systems, Concepts and Constructs, DR and OSPF

. 0 Comments

An OSPF area is a logical grouping of routers that runs OSPF with identical topological databases. An area is a subdivision of the OSPF routing domain. Each area runs SPF separately and summaries are passed between each area.

Problems associated with OSPF in a Single Area

Consider a growing OSPF network with a single area. Several problems come out in relation to capacity capabilities:

The SPF algorithm runs more frequently the larger the network gets, the greater the probability of a network change and a recalculation of the entire area (iow the more resources OSPF chews up). Each of these recalculations in a large network takes longer and involves more “work” with each recalculation for a small area (the expenditure of scarce resources time, cpu, memory, etc).
The larger the OSPF area, the greater the size of the routing table (duh). The routing table is not sent out (like in Distance Vector Routing Protocols). In OSPF this means that the the greater the size of the table the longer the lookup becomes. The memory requirements on the router also increase as the size of the routing table increases.
In a large network, the routers topological database increases in size and eventually becomes unmanageable (the topological database is exchanged between adjacent routers at least every 30 minutes).

As the various databases (Routing Table, Topological Database, Neighbor Table) increase in size and the calculation increase in frequency the CPU utilization increases and memory availability decreases (inverse relationship). This can affect network latency or cause link congestion, resulting in various additional problems (convergence times, loss of connectivity, loss of packets, system hangs) which is bad for networks.

Area Structure

OSPF creates a two-level hierarchy of areas.

Area Zero (Naught) a.k.a the backbone are or transit area. This is always the central area; all the other areas (stub areas that move towards the edge) attach to Area Zero. Area Zero forms the top level in the hierarchy and remaining areas form the bottom level of the hierarchy. This hierarchical design supports summarization and minimizes routing table entries.

Routers within Area Zero are called backbone routers. Routers that link to Area Zero and another area are called Area Border Routers (ABR). OSPF routers that redistribute routing information from another protocol are called Autonomous System Boundary Routers (ASBR).

OSPF Type Packets

As OSPF link-state information is shared between areas, an intricate set of mechanisms is followed, relying on a number of different OSPF packet types. All OSPF traffic is transmitted inside IP Packets. Receivers recognize OSPF traffic because it is marked as IP Protocol (89).

OSPF includes five packet types:

Hello Packets – Establish communication with directly attached neighbors.
Database Descriptor (DBD) - Sends a list of router IDs from whom the router has an Link State Advertisements (LSA) and the current sequence number. This information is used to compare information about the network.
Link State Requests (LSR) – Follow the Database Descriptors (DBDs) to ask for any missing Link State Advertisements (LSAs)
Link State Update (LSU) – Replies to a link-state request with the requested data.
Link State acknowledgments (LSAck) - Confirm receipt of link-state information.

All OSPF packets have a common format that contains the following nine fields:

Version – All packets are assumed to be Version 2 (at least for this part of Cisco stuff)
Type - There are five packet types, numbered 1 to 5
Packet Length - The length in bytes
Router ID – 32-bit identifier for the router
Area ID – 32-bit identifier for the area
Checksum - Standard 16-bit check sum
Authentication Type - OSPFv2 supports three authentication methods:
1. no authentication
2. plain text passwords
3. MD5 hashes
Authentication Data – 64-bit data, either empty, with a plain-text word, or with a “message digest” of a shared secret
Data – Values being communicated

And this took me almost 2 weeks. Shame on me.

Notes and Notices: This is a part of my personal BSCI notes and research to assist myself in learning and understanding the concepts and theory for the BSCI exam. I learn by making notes reading and writing things down and wish to file them where I cannot lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BSCI Certification.

Enhanced Interior Gateway Routing Protocol – Optional Configuration Commands for EIGRP – Tuning EIGRP

Published

Deon Botha

on September 2, 2008

in BSCI, BSCI Notes, Bandwidth, Certification, Cisco Systems and Hold Timer

. 0 Comments

Some South African/Anglo-African humour that is making me smile:

“Tune” to talk, especially to talk nonsense (“Are you tuning me?”)

But back to the topic at hand;

One can fine tune the EIGRP process in many ways. The most important of tuning methods would be the summarization of routes and load balancing. Other techniques however do exist and these include the frequency of the hello and hold timers and setting bandwidth.

The trade off to playing with timers would be that by decreasing hello traffic the network will take longer to notice failures, which in turn will delays convergence.

To go over some stuff from previous posts; EIGRP only sends updates when a new route is advertised or an existing route is withdrawn (changes state to down). A Link failure causes an interface to change state without delay (duh). But when a failed neighbour is not directly connected (on the other side of a Ethernet switch for example), the only way to notice failure would be that no hellos are received. The idea and concept of Neighbourship is important in EIGRP because it alerts the router to topology changes and because the router is responsible to the rest of the network to publicize the lost routes.

When fiddling with timers think about the wider ramifications. In most cases defaults are there for a reason. Instead of improving performance the opposite will most probably happen. (I.E. timers are changed per interface and changing timers on one side of a link and not the other side creates problems with neighbourship that forms and dissolves periodically).

Timer Values are based on the speed of the interface. Because the timers are assumed to be based on this speed, they will usually be the same (Timers are not communicated between neighbours and are not a requirement for neighbourship).

If Router A has a hello interval of 5 seconds and a hold time of 15 seconds (3x hello) and Router B has a hello interval of 30 seconds and a hold time of 90 seconds (3x hello), then the two routers will be neighbours for 15 seconds and then down for 15 seconds.

The Hello Timer

Tuning the Hello Timer directly affect the ability of the EIGRP Process to notice a change in the state of a neighbour. Only after a router’s interface is recognized as being down, or a router has failed to hear from a neighbour after a certain amount of time, does the router declare the neighbour dead and take action to update the Routing Table and neighbours.

For the above stated reasons, use of the

Router(config-if)#ip hello-interval eigrp autonomous-system-number seconds

command is typically used to decrease (AND NOT INCREASE) the amount of time between Hellos to ensure that the network converges QUICKER and not SLOWER (which would be done by INCREASING THE TIME). This however means MORE traffic devoted to EIGRP and more space used by EIGRP.

The defaults are as follows:

High Bandwidth links (every 5 seconds)
- Broadcast Media (Ethernet, Token Ring, FDDI)
- Point-to-Point Serial Links (PPP or HDLC Leased Circuits, Frame Relay Point-to-Point subinterfaces, and ATM)
- Point-to-point subinterfaces
- High Bandwidth (T1/E1 and greater) multipoint circuits (ISDN PRI and Frame Relay)
Lower Bandwidth Links (every 60 seconds)
- Multipoint Circuits (T1/E1 and slower, Frame Relay Multipoint interfaces, ATM multipoint interfaces, and ATM)
- Switched Virtual Circuits and ISDN BRIs

The Command to set how often hellos are sent to neighbours is applied to an interface and does not affect the ENTIRE EIGRP process:

Router(config)#interface serial 0/0 Router(config-if)#ip hello-interval eigrp autonomous-system-number seconds

To use this in an example we can change the hello timer of a WAN link, that is running on EIGRP AS 1. Doing so will not affect other interfaces running EIGRP AS 1 only this particular WAN link.

Router(config)#interface serial 0/0 Router(config-if)#ip hello-interval eigrp 1 10

The Hold Timer

The Hold Time as talked about here and is how long a router will wait for a hello before pronouncing the neighbour unavailable/dead. By Default the hold time is 3 times the hello time. TAKE NOTE that by changing the hello interval does not automatically change the hold time.

The hold timer for an interface must be changed manually using the following command:

Router(config-if)#ip hold-time eigrp autonomous-system-number seconds

Using this in the same example as above for the Hello time:

Router(config)#interface serial 0/0 Router(config-if)#ip hold-time eigrp 1 30

Authentication

EIGRP support two kinds of Authentication, simple passwords and MD5 hashes.

Simple passwords are sent as plain-text and matched to the key on the receiver. Simple passwords are not secure, because any listener can see this traffic and read the key value.
Hash keys, sent as MD5 values, are secure because the listener cannot use the value in one transmission to compute the key.

Using MD5 authentication, the router generates a had value for every EIGRP transmission and checks the hash of every received EIGRP packet.

To specify MD5 Authentication:

Router(config)#interface serial 0/0 Router(config-if)#ip authentication mode eigrp autonomous system md5

Once the MD5 authentication is set now comes the key:

Router(config-if)#ip authentication key-chain eigrp autonomous system chain-name

Then the key-chain is configured and the key is specified:

Router(config-if)#key chain chain-name Router(config-if)#key my-chain Router(config-keychain-if)#key-string key

An example using the WAN interface from above:

Router(config)#interface serial 0/0 Hello Interval Set Router(config-if)#ip hello-interval eigrp 1 10 Hold Interval Set Router(config-if)#ip hold-time eigrp 1 30 MD5 Authentication Set Router(config-if)#ip authentication mode eigrp 1 md5 MD5 Key Set Router(config-if)#ip authentication key-chain eigrp 1 My-Chain MD5 key-chain Set Router(config-if)#key chain My-Chain Router(config-if)#key 1 Router(config-keychain-if)#key-string cisco

Authentication results are not shown under show commands. A successful neighbourship means it works. You can however check command process using debug eigrp packets

Optional EIGRP Commands Over a WAN

EIGRP has some design and configuration issues when it comes to the WAN environment. In the WAN one must deal with limited capacity to a greater degree than at other points of the network (For example the LAN). EIGRP is limited in that it restricts its use of bandwidth to NO MORE than 1/2 the link capacity. This is superior to the considerations made by other protocols. Although EIGRP by default is usually sufficient, one might need to make small adjustments at times.

EIGRP Defaults in Bandwidth Utilization
Routers understand link capacity most of the time (MOST being important here). Serial interfaces are however problematic (and the exception to the rule) because they usually attach to a DSU. The router therefore assumes a default speed of 1544 kbps (which is in most cases on the WAN not true).

If the link is actually 56 kbps, then EIGRP would calculate incorrectly and -even limiting itself to 722 kbps -could saturate the link. This could result in dropped EIGRP and data packets because of congestion and dropped data.

The show interface command will allow you to check that the interface bandwidth is accurate. The output shows the configured bandwidth of the link.

The set bandwidth does not actually affect the speed of the link, but this value is used for routing protocol calculations and load calculations. Using the following command you can set the bandwidth:

Router(config)#interface serial 0/0 Router(config-if)#bandwidth speed-of-line

Configuring Bandwidth over an Non-Broadcast Multi-access (NBMA) Cloud

EIGRP plays well over WANs, including point-to-point and NBMA environments like Frame Relay and ATM. The NBMA topology can include either point-to-point subinterfaces or multipoint interfaces.

Cisco IDs three rules when configuring EIGRP over an NBMA cloud:

EIGRP traffic should not exceed the committed information rate (CIR) capacity of the virtual circuit (VC).
EIGRP aggregated traffic over all the VCs should not exceed the access line speed of the interface.
The bandwidth allocated to EIGRP on each VC must be the in the same directions.

Configuring Bandwidth over a Multipoint Network

In addition to being used in the EIGRP metric, the bandwidth command influences how EIGRP uses NBMA VCs. If a serial line has many VCs in a multipoint configuration, EIGRP will assume that each VC has an even share of the bandwidth. EIGRP will confine itself to using half that share for itself. This won’t work if a 56 kbps link has bandwidth set to 128 kbps because EIGRP will assume 64 kbps is for it’s own use.

The bandwidth command should reflect the access-link speed into the Frame Relay cloud. Your company might have five PVCs from your routers serial interface, each carrying 56 kbps. The access link will need a capacity of 5 * 56 kbps (280 kbps).

Configuring Bandwidth over a Hybrid Multipoint Network

If the multipoint network has different speeds allocated to the VCs, a more complex solution is needed.

Take the lowest CIR and multiply it by the total number of circuits. Apply the product (total) as the bandwidth of the physical interface. The problem with this configuration is that EIGRP will underutilize higher bandwidth links.
If possible, it is muse easier to configure and manage an environment that has used subinterfaces, where a VC is logically treated as a separate interface. The bandwidth command can be configured on each subinterface, which will allow different speeds on each VC. In this solution, subinterfaces are configured for each VC and the CIR is configured as the bandwidth. This is the preferred solution.

Configuring a Pure Point-to-Point Network

If there are many VCs, there might not be enough bandwidth at the access speed of the interface to support the aggregate EIGRP traffic. The subinterfaces should be configured with a bandwidth that is much lower than the real speed of the circuit. In this case, it is necessary to use the bandwidth-percent command that indicates to EIGRP that it can still function.

The ip bandwidth-percent eigrp command adjusts the percentage of capacity that EIGRP may use FROM THE default 50%. You would use the command because the bandwidth command does not reflect the TRUE speed of the link (The bandwidth command might have been altered to manipulate the routing metric and path selection of a routing protocol).

Router(config)#interface serial 0/0 Router(config-if)#ip bandwidth-percent eigrp autonomous-system-number percent

Software Study Resources:

The Command Memorizer was originally developed by a CCIE Candidate (David Bombal) for his own use and is now available to anyone who wants to use it.Command Memorizer helped him pass the CCIE Lab on the first attempt, and although I am not a CCIE candidate “officially” I have fiddling with it and finding it useful to test my command line retention and overall progress towards CCIE readiness as I do my current CCNP.The proof will be in the pudding as the Command Memorizer boasts 1000s of commands and hundreds of scenarios to test command line knowledge and retention. It has a section for EIGRP and I also like knowing where I am on my long road to Cisco.

Like most study aids / study tools this tool / aid has a specific focus. The Command Memorizer only works when used in conjunction with theoretical backing because you need to know what a command does and how it relates to the technology area. IOW You need to make the connection before you can start drilling actual commands repetitively to get them to start flowing and become second nature.

For a disclosure statement on my relationship with Configure Terminal.

Cisco Press Resources:

Stewart, B,D., Gough, C (2008). CCNP BSCI Official Exam Certification Guide, Fourth Edition. Indianapolis: Cisco Press.

Internetworking Technology Handbook – Intro to the Wan

Notes and Notices:

This is a part of my personal BSCI notes and research to assist myself in learning and understanding the concepts and theory for the BSCI exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BSCI Certification.

Switch Security Layer-2 Attacks – Four

Published

Deon Botha

on May 28, 2008

in ACL, BCMSN, CDP, Certification, Cisco Systems, Concepts and Constructs, SSH, Telnet and VTY

. 0 Comments

CDP

Cisco Discovery Protocol (CDP) is a useful and great protocol when you are sitting on the other side of the office/country/planet and don’t know what you are working with on a network but CDP has some holes for attackers to leverage that can cause problems.

CDP uses clear-text and unauthenticated to send information about network topology between network devices. An attacker can use a packet sniffer to get information about network infrastructure that we don’t really want them to have.

CDP isn’t needed on ports that no network management is done (this isn’t the case for Cisco IP Phones). You can also go ballistic and disable CDP totally thats up to you. To disable CDP use the following commands

CDP per-port

switch(config)#configure terminal switch(configp)#interface gigabitethernet 0/1 switch(config-if)#no cdp enable

CDP Globally

switch(config)#configure terminal switch(config)#no cdp run

Be careful with this, CDP is used in conjunction with or as support for other Cisco protocols

Telnet

Telnet has a few problems:

All usernames, passwords, and data sent over a public network (read: Internet) is sent in clear text and is thus vulnerable.
A user with an account on the system can gain elevated privelages.
A remote attacker could crash the Telnet service, preventing legitimate service rendering.
A remote attacker could find an enabled guest account that may be present anywhere in the trusted domain of the server.

iow Dont Telnet over the internet

SSH

SSH is a client and server protocol used to log in to another computer over a network. It provides strong authentication and secure communication over a public communication network. SSH may be “more” secure many vendors implementations of SSH is vulnerable.

switch(config)#configure terminal switch(config)#line vty 0-15 switch(config-line)#transport input ssh

VTY Access Control Lists (ACL)

One can associate ACLs to permit or deny access to a vty port to a switch.

The Number of VTYs differ make sure you get it right and configure an ACL on ALL the VTY connections and don’t leave one open

switch(config)#configure terminal switch(config)#access-list 12 permit 192.168.0.0 0.0.255.255 switch(config)#line vty 0 15 switch(config-line)#access-class 12 in

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

Switch Security Layer-2 Attacks – One

Published

Deon Botha

on May 27, 2008

in 802.1X, AAA, BCMSN, CAM, Certification, Cisco Systems, Concepts and Constructs, MAC Address Flooding, Port Security and TCAM

. 0 Comments

Mac-Address-Flooding

MAC Address Flooding

MAC Address flooding results in a switch’s CAM table overflow, which causes flooding of regular data frames out all switch ports. This attack can be launched for the malicious purpose of collecting a broad sample of traffic or as a denial of service (DoS) attack.

A switch has a limited CAM table and can only contain a limited number of entries at one time. If for example an intruder at the beginning of a work day floods a switch with invalid MAC entries then until the invalid entries expire the switch will flood all frames out all ports. This has two negative effects:

Switch traffic is inefficient and voluminous
The attacker/intruder connected to a switch port and capture traffic that is not normally seen on that port.

Mitigation of this attack is to configure port-security and defining the number of MAC addresses allowed on a given port. Port security can also specify the MAC addresses allowed on a port.

Port Security

This is a feature of Cisco Catalyst Switches, it is a security feature that restricts a switch port to a specific number of MAC addresses. These MAC addresses can be dynamically learned or statically configured. When configured the switch will only allow frames on those ports from the configured MAC addresses.

NB if you configure 4 MAC addresses and don’t specify them, the switch will learn 4 addresses dynamically. Those 4 will then be the MAC addresses allowed.

A feature (on some platforms) combine statically configured and dynamically learnt addresses. When configured an interface converts dynamically learnt addresses to “sticky secure” addresses. This adds those addresses to the config as if they were added by switchport port-security mac-address

Port Security – Configuration

Enable Port Security on the Switch:

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport port-security

Set the maximum number of MAC addresses that will be allowed on the port (default is one)

switch(config-if)#switchport port-security maximum value

Be sure to set this value to 2 when you have a Cisco IP Phone and a desktop attached to a switchport. I know I didn’t do this and it resulted in a port security violation. My bad.

Now Option 1 you can set whether the MAC address(es) learnt must be aged out after X time

switch(config-if)#switchport port-security aging 1-1024

Now optional 2 specify the MAC addresses that will be allowed on the port (this can also be dynamically learnt thats why its optional)

switch(config-if)#switchport port-security mac-address mad-address switch(config-if)#switchport port-security mac-address mad-address

Finally set the action to be taken if something goes wrong (mac address attack)

switch(config-if)#switchport port-security violation {shutdown/restrict/protect}

Protect Mode drops the frame and leaves no syslog message, Restrict mode drops the frame and logs the drop + a SMTP trap is sent, and finally shutdown logs + SMTP traps + errdisables the interface (CAT OS, Cisco IOS).

Port security has a feature called “sticky MAC address” that can limit switch port access to a single, specific MAC address without the network administrator having to gather MAC addresses of every legitimate device and manually associate it with a particular switch port (This cannot be used where Voice VLANs are in use).

switch(config-if)#switchport port-security mac-address sticky

Last but not least lets check port-security:

switch(config)#show port-security

Authentication

Authentication, authorization and accounting (AAA) network security services provide a framework through which acess control is set up on a network. Authentication is the way a user is identified before being allowed access to the network and network services. AAA authentication is configured by defining a list of named authentication methods and then applying that list to various interfaces. The list defined the type of authentication (enable password, Kerberos 5, Kerberos 5-Telnet Authentication, Line Password, Local database, Local database with case sensitive, No Authentication, RADIUS, TACACS+) to be performed and the sequence in which they will be performed.

The only exception is the “default” list. The default list is automatically applied to all interfaces if no other method/list is defined. A defined method/list overrides the default list.

802.1x

IEEE 802.1x defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. Until a workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port. After authentication normal traffic can pass through.

With 802.1x port-based authentication, the devices in the network have specific port roles:

Client: the end-device that requests access to the LAN and switch. The end-device must be running 802.1x compliant software. (the port the end-device (client) is attached to is the supplicant)

Authentication server: performs the actual authentication. The server authenticates the identity of the client and lets the switch know whether to let the end-device access the LAN. As the switch is acting as a proxy the authentication service is transparent to the end-device. The RADIUS security system with Extensible Authentication Protocol (EAP) is the only supported authentication server.

Switch (authenticator): controls physical access onto the network. Acts as an intermediary (proxy service) between client and authentication server. The switch uses a RADIUS software agent responsible for encapsulating and decapsulating EAP frames and interacting with the authentication server.

802.1x Configure

Enable AAA

switch#configure terminal switch(config)#aaa new-model

You Radius Server Location

switch(config)#radius-server host 000.000.000.000auth-port port key auth-key

Create a 802.1x port-based authentication method list

switch(config)#aaa authentication dot1x default group radius

Globally configure 802.1x port-based autnetication

switch(config)#dot1q system-auth-control

OR enter enable 802.1x on an interface

switch(config)#interface gigabitethernet 0/1 switch(config-if)#dot1x port-control auto

Definition

Content Addressable Memory (CAM)is a specialized type of memory think of it as the opposite of Random Access Memory (RAM). With RAM an Operating Sysem (OS) provides an address, and receives the data stored at the supplied address. With CAM, the OS supplies the data, and the CAM returns a list of addresses where the data is stored, if any. Also a CAM searches the entire memory in one operation therefore is faster than RAM.

Binary CAMssearch only for 1 and 0’s (ON or OFF). A MAC address table in switches commonly get stored inside binary CAMs (sometimes even called a CAM Table).

A Ternary CAM (TCAM)allows the OS to match a third state, “X.” The “X” state is a “mask” and could be anything. Routers can store their entire routing table in these TCAMs, allowing for very quick lookups.

Notes and Notices:

Implementation of a WLAN

Published

Deon Botha

on May 20, 2008

in 802.11, Access Point, BCMSN, Certification, Cisco Systems, Concepts and Constructs and Wireless

. 0 Comments

This post brings together the theory into a more practical setting. This post covers the two types of Wireless Local Area Network (WLAN) implementations that Cisco offers namely autonomous WLAN Access Points (AP) and lightweight APs (LAP) with WLAN Controller (WLC).

For ease of my own use and understanding, I am going to use the proper acronums an Autonomous Access Point (AP), a lightweight Access Point (LAP) this is however not to be confused (NB) with Lightweight Access Point Protocol (LWAPP).

So take note of when I talk about hardware and the protocol in my notes. So to round up an AP is a full IOS Access Point able to be used in a stand-alone environment and can be downgraded for use (in most cases) to become an LAP; a LAP is a less extensive IOS feature-set and needs to be used in conjunction with a Wireless LAN Controller (WLC), then finally LWAPP is the protocol.

Autonomous APs

Jumping right in an AP implementation has various components, some of which are considered needed and some of which are considered optional:

A Cisco AP that uses Cisco IOS Software. To show this in an example the Cisco product code AIR-AP1131AG-x-K9 is a Aironet (AIR) product, is an autonomous Access Point (AP) of the 1131 product range at least Wireless 802.11 A and G capable (AG) this example product code is non region specific (x) and is an export restricted product range due to cryptology information resident in IOS (K9). If this was region specific the (x) would change to A=FCC, C=China, E=ETSI, I=Israel, J=TELEC (Japan), K=Korea, N=North America (Excluding FCC), P=Japan2, S=Singapore, or T=Taiwan.
Network infrastructure like switches and routers. Switches with Power over Ethernet (PoE) can provide power to AP.
Wireless Domain Services (WDS) for radio frequency (RF) management and fast, secure roaming. You can run Cisco Structured Wireless Aware Network (SWAN) WDS on Cisco Aironet APs, Cisco Catalyst Switches and Cisco Routers. The following list supports SWAN WDS Aironet 1230 AG, 1240AG, 1200, 1130 AG 1100 Series APs, Catalyst 6500 Series Wireless LAN Services Module (WLSM), Cisco 3800, 3700 Series Integrates Services Routers (ISR) and some models of 2800 and 2600 series ISR that run Cisco IOS version 12.3(11)T or later.
CiscoWorks Wireless LAN Solution Engine (WLSE) for Management (optional).
Cisco Secure Access Control Server (ACS) for security using RADIUS and TACACS+ protocols.

Lightweight APs

A Cisco Lightweight Access Point (LAP) that uses Cisco IOS Software. To show this in an example the Cisco product code AIR-LAP1131AG-x-K9 is a Aironet (AIR) product, is an Lightweight Access Point (LAP) of the 1131 product range at least Wireless 802.11 A and G capable (AG) this example product code is non region specific (x) and is an export restricted product range due to cryptology information resident in IOS (K9). If this was region specific the (x) would change to A=FCC, C=China, E=ETSI, I=Israel, J=TELEC (Japan), K=Korea, N=North America (Excluding FCC), P=Japan2, S=Singapore, or T=Taiwan.
Network infrastructure like switches and routers. Switches with Power over Ethernet (PoE) can provide power to AP.
Cisco Wireless LAN Controller (WLC) for configuration of the Access Points.
Cisco Wireless Control System (WCS) for management (optional).
Cisco Wireless Location Appliance for location tracking
Cisco Secure Access Control Server (ACS) for security using RADIUS and TACACS+ protocols.

Comparison of WLAN Solutions

The above two bullet lists should show that autonomous and lightweight WLAN solutions have some differences.

The main difference being in Autonomous mode the Cisco IOS feature set is more extensive and as the name denotes autonomy meaning “the right to govern itself” so each AP is configured individually and manage themselves (this can and probably will at some point lead to configuration errors if there are more than a couple of APs). Centralized management is possible through WLSE. Redundancy is achieved at the AP level (do the math if its cheaper to add APs than to add a WLC then this is the option).

In Lightweight mode a Wireless LAN Controller takes the centralized configuration and means the APs are dependant on the WLC (read point of failure) and pushed the configs to the APs. This gives congruence between the APs on the network without much hard work. Centralized management is possible through WCS. Redundancy is achieved at the WLC level (do the math if its cheaper to add a WLC than to just add APs then this is the option).

LAP Solution

LAP architecture splits processing of the 802.11 protocol between two devices; the LAP and the WLC. The processing of the 802.11 data and management protocols and the AP functionality is also divided between the two devices. This approach is called split MAC.

The LAP handles the portions of the protocol that have real-time requirements:

Frame Exchange handshake between a end-device and AP when transferring a frame over the air.
Transmission of beacon frames.
Buffering and transmission of frames for end-devices in power save operation
Response to probe request frames from end-devices
Forwarding notifications of received probe requests to the controller
Providing real-time signal quality information to the controller with every received frame.
Monitoring each radio channel for noise, interference, and presence of other WLANs.
Monitoring of presence of other LAPs.

The remaining functions are all handled by the WLC because either the function is not time-sensitive or a system wide visibility is required by the function.

802.11 authentication
802.11 association and re-association (mobility)
802.11 frame translation and bridging

The control (management) traffic between the AP and the WLC is encapsulated using LWAPP and encrypted using Advanced Encryption Standard (AES); the data from the LAP and the WLC is also encapsulated using LWAPP but not encrypted. The data is switched once it reaches the WLC where it receives VLAN tagging, quality of service (QoS).

Layer-2 and Layer-3 Mode of LWAPP

Layer-2 LWAPP is in an Ethernet Frame. For layer-2 mode, the WLC and WLAP must be in the same broadcast domain and IP subnet.

Layer-3 LWAPP is in a User Datagram Protocol (UDP)/IP Packet. The WLC and WLAP can be in the same or different broadcast domains and IP Subnets. For layer-3 operation WLAP need IP Addresses. They must obtain these IP Addresses via DHCP.

So to bring this together; think of a network in your mind, if the network is flat/or the WLAP and WLC are located on the same network segment; iow is a switched network then the LAWPs can use either layer-2 or layer-3 mode. If the WLAPs and the WLC find themselves spread across the enterprise (physically) meaning that they would be in different subnets and on different segments (I’m thinking big business) you must use layer-3 mode.

LAP Association

There is a nice explanation on this document. A LAP will search for a WLC first using LWAPP layer-2 mode, then layer-3 mode. The process runs as followings; the LAP requests an IP Address via DHCP, the LAP then sends a LWAPP discovery request to the management IP address of the WLC via a broadcast.

The LWC responds with a discovery response from the management IP Address. This response includes the number of AP associated to the Access Point Manager interface and the Access Point Manager IP address.

The LAP then chooses the Access Point Manager with the least number of associated APs and sends a join request.

All following communication between the LAP and the WLC is done via the Access Point Manager IP Address.

Cisco Aironet WLC

The Cisco Aironet standalone WLCs range (2106, 4402 and 4404) are designed for Small and medium enterprise/business (SMB) to medium to large enterprise.

The 2106 Series allows Small and medium sized enterprise/business (SMB) environments to support up to six LAPs and are fairly cost effective (this is objective). With integrated DHCP services, zero-touch AP configuration, the Cisco 2106 is built for SMB companies that don’t have on-site IT support, like branch offices with distributed offices (i.e. corporate infrastructure and support teams to lean on when things go wrong).

The Cisco 4400 series is built for medium to large enterprise/business.

Cisco 4402
- 2 GigabitEthernet (GE) ports
- Configurations that support 12, 25, and 50 APs
- One Expansion Slot
Cisco 4404
- 4 GE ports
- Support for 100 APs
- Two Expansion slots

Optional redundant power supplies to ensure maximum availability can be purchased for the 4400 Series.

WLC are also available for the Cisco Catalyst 6500 and Cisco Integrated Sercies Routers (ISR) in the form of Integrated Controllers of Controller Modules.

Notes and Notices:

WLAN Standards

Published

Deon Botha

on May 15, 2008

in 802.11, Access Point, BCMSN, Certification, Cisco Systems, Concepts and Constructs and Wireless

. 0 Comments

This is a generally a nice to know topic; if you don’t want to know the basics on “how” it works but rather just care that it works this might not be “light” reading.

There are “generally” (dependant on your country) unlicensed bands:

900-MHz Industrial, Scientific and Medical (ISM) Band (902-MHz to 928-MHz)
2.4-GHz Industrial, Scientific and Medical (ISM) Band (2400-MHz to 2483-MHz) (Japan to 2495-MHz)
5.7-GHz Unlicensed National Information Infrastructure (UNII) Band (5150-MHz to 5350/5725/5825 MHz) (Not all countries support 802.11a)

Radio Frequency Transmission (for dummies i.e. with no electric/electronic engineering background a.k.a ME):

Radio Frequencies (RF) are radiated (why does this not make me feel better I’ve seen what a microwave do when it radiates things) into the air by antennas that create radio waves. When radio waves are propagated through objects, they may be absorbed (walls) or reflected (metal). This absorption may cause areas of low-signal.

Radio wave transmission is affected by the three factors:

Reflection: when RF waves bounce of objects (metal, glass)
Scattering: when RF waves strike uneven surfaces and are reflected in many directions
Absorption: when RF waves are absorbed by objects (concrete, bricks, walls)

Data Transmission over Radio Waves (for dummies i.e. with no eletric/electronic engineering background a.k.a ME):

Higher data rates (faster connection) have shorter range because the receiver needs a stronger signal with a better signal-to-noise ratio (SNR) to retrieve the information.
Higher transmit power results in greater range. To double the range, the power has to be increased by a factor of 4 (four).
Higher data rates require more bandwidth. Increased bandwidth is possible with higher frequencies.
Higher frequencies have shorter range through higher degradation and absorption. More efficient antennas can compensate for this effect.

WLAN Regulations and Standardizations:

Regulatory Agencies control the use and enjoyment of RF bands. The two main regulatory agencies are the FCC (USA) and ETSI (Europe) (South Africa and EMEA region if in doubt follow ETSI).

The network (802) standardization is done by the IEEE. The wireless (802.11) standards are part of the network standard these include 802.11 a/b/g and soon to be finalized/ratified n.

Finally the Wi-Fi Alliance offers certification for vendors of 802.11 products so that their products are interoperable. The Wi-Fi Alliance certifications include all three 802.11 RF technologies and Wi-Fi Protected Access (WPA) security model (2003) based on IEEE 802.11i (ratified 2004).

IEEE 802.11b

Ratified Sept 1999

Operates in the 2.4-GHz ISM Band

Specifies direct sequence spread spectrum (DSSS)

Specifies four data rates up to 11-Mbps (1, 2, 5.5, and 11-Mbps)

Throughput Mbps * 1024/Users = X kbps Bandwidth per user

2.4-GHz Channels

Up until this point Wireless channels might not have made “sense” if you weren’t as I joked “previously advantaged” with a electrical or electronic engineering qualification. Those ladies and gents are force fed this amongst other things for at the very least a semester in university so they know this kind of thing backwards (I know how they complained about it). If you are like myself a business grad then this is all new.

What this graph shows (pay attention to the grey highlight) is 3 non-overlapping Channels (except for Japan). If you are in Japan you can use the 14th channel along with 3 others to have access to 4 total channels.

This information is region specific and then also country specific (I know South Africa in general follows ETSI which falls under EMEA). Some countries may allow 14 channels while others may only allow 1 channel.

At a Cisco Tech-Update (I can’t remember the speaker forgive me) Wireless channel usage was explained using the below diagram and it made all the above fall into place for me.

What the diagram shows is the 2.4-Ghz frequency (visually) with the channels laid out how all the channels overlap. This is what 802.11 b/g “looks” like with the 3 non-overlapping channels (black).

Example: Three non-overlapping channels (1, 6, and 11) that do not share RFs. There would be no degradation in throughput if 3 APs were to operate in the same cell using channels 1, 6, and 11.

To show the maths 3 APs on 3 non-overlapping channels (2, 6, and 11) provide an aggregate data-rate for a cell of 33-Mbps (11-Mbps x 3), with an aggregated throughput of approx. 16-Mbps (33-Mbps/2).

Example: Three APs sharing the same channel, in the same cell.

To show the math 3 APs on the same channel(1, 1, and 1) provide an aggregate data rate a 11-Mbps but an aggregated throughput of 6-Mbps. This results from APs sharing a cell.

Example: Three APs sharing overlapping channels, in the same cell.

To show the math 3 APs on overlapping channels (1, 2, and 3) the throughput could drop to well below 1-Mbps due to interference.

Channel Reuse

At the same Tech Update they explained how using the non-overlapping channels a deployment can be done where none of the same channels border. Imagine the cells from top down on an overaly of an office plan looking like the diagram below.

Data Rates

WLAN clients (end-devices) can shift data rates as they move. The closer you are to a AP the better coverage will be (11-Mbps), as you move away from the AP coverage will get worse (5.5-Mbps) and worse (2-Mbps) and worse (1-Mbps) until there is no signal. This data rate shifting occurs without user interaction or connection loss.

This rate shifting also happens on a transmission-by-transmission basis; whereby the AP can support multiple clients at multiple speeds (meaning transmissions 1 might be 11-Mbps and transmission 2 might be 1-Mbps depending on the end-user location).

IEEE 802.11a

Ratified Sept 1999

Operates in the 5-GHz ISM Band

Uses orthogonal frequency-division multiplexing (OFDM)

Specifies eight data rates up to 54-Mbps (6, 9, 12, 18, 24, 36, 48, 54-Mbps)

FCC – 12 to 23 non-overlapping channels

ETSI – up to 19 non-overlapping channels

Regulatory differences across countries

802.11a requires Transmit (Tx) power control and dynamic frequency selection (802.11h)

Throughput Mbps * 1024/Users = X kbps Bandwidth per user

5-GHz Channels

802.11a must comply with two features in 802.11h namely Transmit Power Control (TPC) and Dynamic Frequency Selection (DFS).

TPC links back to the basics, the more Transmit Power pumped into an AP the greater the range (greater range = less data-rate). TPC is where an AP exchanges transmit power information with end-device adapters. This has a twofold advantage:

end-device adapters use only enough power to maintain association with APs at any given data rate. In turn conserving energy (good for mobile devices and at current Eksom).
end-devices contribute less to adjacent cell interference.

DFS is where the AP monitors the available 5-Ghz RF spectrum radar installations in the environment and if found flags the appropriate channel(s) as unavailable. DFS continually monitors the operating environment for changes during operation.

IEEE 802.11g

Ratified June 2003

Operates in the 2.4-GHz ISM Band as 802.11b

Uses direct sequence spread spectrum (DSSS) complementary code keying (CKK) and orthogonal frequency-division multiplexing (OFDM)

Specifies twelve data rates up to 54-Mbps (1, 2, 5.5, 11-Mbps DSSS/802.11b and 6, 9, 12, 18, 24, 36, 48, 54-Mbps OFDM).

Throughput Mbps * 1024/Users = X kbps Bandwidth per user

Security and Mitigation of Wireless Risks

Linking back to the beginning of this post and why Wireless could potentially be a security threat. The process of Wireless is “Radio Frequencies (RF) (that) are radiated into the air by antennas that create radio waves” and in turn your network data travels across radio waves from source (server or point A) to destination (end-device or point B).

This wireless communication if left unsecured, leaves a wide open method of access to anyone that wants to enter, use and abuse your enterprise infrastructure. With the low cost of IEEE 802.11 wireless equipment these days adoption is gaining in the mass market (home, small office/home office (SOHO), small medium business (SMB)). With greater adoption of the mass market the products are easier to use and deploy and implement (graphical user interface (GUI) deployments and out the box operation). This large adoption also makes for sub-business class consumer grade products making a regular appearance in server-rooms, business settings and other environments where they are definitely not meant to be (don’t get me wrong consumer products work great for a family of 5 people but aren’t built or designed to handle with an office of 10 people or a department of 50 people).

There are many large telco (Telkom) companies that offer pre-configured Wi-Fi combination routers with the DSL accounts. Most if not the majority of users literally plug and play (plug it in and use it with default settings). This is a very conducive environment for “war driving” for the single purpose of free Internet, collecting sensitive information through the use of various freely available tools and applications.

The Process

Anyone implementing Wireless needs to at the very least consider security which is a three step process of Authentication (802.1x or Extensible Authentication Protocol (EAP)), Encryption (Wi-Fi Protected Access (WPA – TKIP, WPA2 – AES or TKIP)) and Intrusion Detection and Protection (IDS and IPS).

Wireless Association

Looking at how end-devices (clients like notebooks, smartphones, PDAs) associate with APs then something I mentioned in a previous post will crystallize.

APs broadcast (send out) beacons with SSIDs (one or many), data rates (depending on distance from AP) and other information. The end-device scans the available channels looking for beacons and responses from APs. The end-device then in turn associates with the AP with the strongest signal.

If you are using a mobile device and moving with your device and signal becomes weak this process will repeat.

It is during this association process that SSID, MAC address and security settings are sent from end-device to the AP and checked. This is what we are going to be talking about in the next couple of paragraphs.

Authentication

When an end-device attempts to associate this is done via the 802.1x protocol. The end-device is called a supplicant which communicates with an autonomous AP* (called the authenticator) that communicates and in turn authenticates to an Authentication, Authorization and Accounting Server (AAA Server) like RADIUS/TACACS+ or Cisco Secure ACS.

*LWAPP uses the WLAN controller that acts as the Athenticator that in turn communicates and authenticates with the AAA Server.

Encryption

After authentication is successful (if unsuccessful the connection is denied) data between the end-device and the AP is sent encrypted in either TKIP or AES encryption.

Definitions

Signal-to-Noise

Notes and Notices:

WLAN Infrastructure Topologies

Published

Deon Botha

on May 14, 2008

in 802.11, Access Point, BCMSN, Certification, Cisco Systems, Concepts and Constructs and Wireless

. 2 Comments

As talked about in the previous post the difference between a wired LAN and a Wireless Local Area Networks (WLANs) is that the Layer-1 transmission medium of a traditional wired local area network (LAN) (CAT-5 cable) is replaced with Radio Frequency (RF) transmissions.

What follows is the pimping of Cisco Aironet products and where they fit into three main wireless categories:

Wireless in-building LANs for client Access: The Cisco Aironet products can plug into an existing wired infrastructure and function like an overlay to the existing LAN or even replace the wired LAN.

Wireless Building-to-Building bridges: The Cisco Aironet products can provide wireless bridging to connect two or more networks that are physically separated to be connected on one LAN without the time or expense required to get physical lines to be installed.

Wireless mesh networks: Mesh networking is a mixture of the above two categories. Mesh networking provide dynamic, redundant, fault-tolerant links for building and client access.

Service Set Identifier (SSID)

Myth: Hidden (not broadcasting) the SSID makes a wireless network secure.

The SSID is the “name” of a wireless cell, this name is used to logically separate WLANs. The SSID must match exactly between the client and the access point for them to connect. The Access Point (AP) sends the SSID out in beacons.

The beacons are broadcasts that an AP sends to advertise available services, these beacons go out whether SSID is hidden or not (Clients can be configured without a SSID, where they learn the SSID from the beacons of the AP).

The Topology Basic

Extended Services Set: Two or more Basic Serve sets (Mobile clients use a single AP to connect) are connected by a common distribution system (backbone) An Extended Service Set includes a common SSID to allow roaming from AP to AP without client config.

The diagram shows the WLAN topology with 2 APs and some devices (Microsoft Icons) that I know to be Wi-Fi capable (from left to right tablet notebook, projector, PDA, smartphone, notebook).

Wireless Cell: The basic area is the RF coverage provided by an AP (Channel 1 or Channel 2 NOT both). This area is also called the “microcell“. To extend/enlarge/make bigger the basic area one simply adds APs (Recently microcell has moved to picocell reducing AP coverage by reducing power and increasing total number of AP deployed).

The basic area of an AP is called the service set, the basic area of the combined APs is called the extended services set (There is a recommended 10 – 15 % overlap between cells for data networks to allow roaming without losing RF connection. There is a 15 – 20% overlap for voice/data/video networks). Bordering cells should be set to different non-overlapping channels for best performance (more on this later).

Access Point: The name is self explanatory reverse the name Point “of” Access. As the name denotes this is the point at which client-devices connect/access the wireless network. The APs connect to then to the Ethernet backbone and facilitate the communication between wired and wireless networks

The AP is the master of a given cell and manages/controls traffic to and from the network (remote devices do not communicate with each other they communicate through the AP).

Picocell: the benefit of a picocell is better coverage, less interference, higher data rates, and fault tolerance through convergence. When an AP goes down, the neighbouring AP expands coverage by increasing power (this increases the RF range) to cover for the lost AP. (Look into WLAN Controllers cause this gets complicated to do manually quickly with say more than 5 APs)

Wireless Repeater

In environments (factory floors, doctors room, large retail, wholesale storehouses) where its just not practical to put down a wired LAN or the application of the network wouldn’t work with a wired system a wireless repeater can be put down.

A wireless repeater is a AP that is not connected to the Wired LAN (Requires 50% overlap of the AP on the Wired LAN side). This setup however has a large throughput impact where throughput is decreased by half due to the receive and retransmit time.

The SSID of the AP (the one on the left) must be configured on the wireless repeater (the one on the right). The wireless repeater uses the same channel as the AP (NB not all implementations support this).

Workgroup Bridge

Cisco Wireless Workgroup Bridge (WGB) (Reference Cisco Q&A Document) that connects to the Ethernet (RJ-45) port of any end-device (if it has a Ethernet port and is therefore network-able) that doesn’t have a WLAN Network Interface Card (NIC) (either because the end-device doesn’t have the option of a Peripheral Component Interconnect (PCI) slot, Personal Computer Memory Card International Association (PCMCIA) slot or USB slot, or software for WLAN connectivity).

A WGB provides a single MAC address connection into an AP and in turn then onto the Wired LAN backbone (The WGB cannot work in peer-to-peer mode). Another option is to connect a remote workgroups wired LAN. To implement a remote workgroup installation (i.e. multiple MAC addresses) the WGB is connected to a hub/switch switch with a Ethernet patch cable (for single MAC Address use a crossover cable) (NB not all implementations support this).

Ad-hoc mode

Wireless Ad Hoc Mode

Ad-Hoc Mode: This is called Independant Basic Service Set (IBSS). Mobile clients connect directly without an AP.

Peer-to-Peer (P2P) a.k.a Ad-hoc mode networking is the opposite of a Server-Client model (duh). This can be in a wired or wireless environment and is where a group of end-devices come together and form an ad-hoc/P2P network with each other to share files, pictures, music, movies and applications (The ease and current application (Kazaa and Torrents) of this type of network is the main reason the RIAA hates ad-hoc/P2P networks).

In a WLAN the coverage is very limited; where all users must be in wireless reception distance of each other. There are a couple of problems with P2P “office” networks one being that security is almost non-existent, other problems being that there is no central location for any files, applications, or printing.

In most P2P environments I have found that the receptionist is given the “server-role” Pc which creates other larger problems. The person at the front desk in a company is the receptionist, in case of a theft the first computer out the door is the server. In most cases the most “spam” is received by a receptionist (classing teddy-bears, hearts and hugs, chain-mail, friend-mail, etc. as spam) being on numerous forwarding lists increases the risk of virus, trojan, worm infection. If the company allows internet access to employees its only a matter of time before the “server” begins doing its own thing.

In a WLAN it is not a good idea (iow just don’t do it) to connect a Server, or a Server-Role computer using Wireless

Roaming

Wireless Roaming

The roaming “feature” on wireless allows a mobile user to move from one cell to another without a drop in signal or need to manually change network settings. Roaming is enabled by complete coverage with wireless cells.

Seamless roaming allows for users to move around from one cell to another.
Power management lengthens the battery life of portable devices (i.e. they don’t have to search for wireless networks all the time)
Dynamic Load Balancing distributes users among access points to increase throughput for each user.
AP with overlapping coverage cells and redundant switches provide fault tolerant WLAN networks.

A user experiences “roaming” when one of the following conditions is met:

The maximum data retry count is exceeded.
The client has missed too many beacons from the access point.
The client has reduced the data rate.
The client intends to search for a new AP at periodic intervals.

Roaming without service interruption requires identical SSIDs, VLANs and IP subnets on all APs. The client initiates the roaming when he/she searches for another AP with the same SSID and then sends a re-authentication request (for voice and video short roaming times are important).

Layer-2 and Layer-3 Roaming

Wireless Layer-2 and Layer-3 Roaming

Roaming from one AP to another AP on the same subnet (Cell 1 to Cell 2) would be considered Layer-2 roaming (data link layer). Roaming between APs that reside on different subnets (Cell 1 to Cell3) would be considered Layer-3 roaming (network layer).

Layer-2 roaming is managed by the AP, using mulicast packets that inform switches that a devices has moved. The protocol between the APs is called Inter-Access Point Protocol (IAPP).

Layer-3 roaming is managed by either Mobile IP or Lightweight Access Point Protocol (LWAPP) with a WLAN controller.

Mobile IP: allows fixed IP addresses in an IP Subnet of a network. It relies on devices like routers (home agents and foreign agents), to runel traffic for a mobile device. This was used in Legacy WLANs.

Wireless VLAN Support

Switches use VLANs to separate traffic. WLAN APs can in turn extend the VLANs by mapping VLANs to SSIDs. The VLANs then share the same wireless cell and channel end result being virtualization of the AP.

Through the use of trunking (ISL or 802.1q) the VLANs can be mapped to APs from a/the switch allowing roaming throughout the enterprise. A Cisco Aironet AP can be configured with 8 – 16 VLANs for system design flexibility. (Some client NICs require SSID broadcast, the AP can be configured for SSID broadcast per VLAN).

Wireless Enterprise (read business) Voice Architecture

Wired LAN Voice (IP Phone) networks can be extended using the 802.11e standard that specifies QoS upstream and downstram for WLAN networks. This is very important because of the delay sensitive nature of voice.

Wireless Mes Networks

A Mesh network infrastructure is decentralized and inexpensive because each node needs to transmit only as far as the next node (WirelessAfrica). The nodes act as repeaters to transmit data from nearby nodes to peers that are too far away to reach. The result is a network that can span a large area (cost effectively if each node is owned by individuals).

Mesh Networks are reliable because each node connects to several other nodes. Wireless Mesh networks differ from conventional infrastructure wireless networks in that only a subset of nodes need to be directly connected to the wired network. Extra capacity can be added by installing more nodes. Through the use of Cisco Adaptive Wireless Path Protocol (AWP(P)) each device can find a way back to wired APs and thus by extension the network. Paths (of which there are multiple) through the network can change in response traffic load, radio conditions, or traffic prioritization. The network can cover more distance by using wireless to wireless connectivity. Unlicensed bandwidth (cheap) and wireless routing allow microcells to interconnect over wireless backhaul links.

AWP Protocol

AWP allows APs to communicate with each other to determine the best path back to the wired network. After optimal path selection is estalbished, AWP continues to run as a background service to establish alternate paths to the wired network or if topology changes or other conditions causes the link streghth to diminish. (AWP runs on each AP)

AWP is a wireless protocol by design and takes into consideration wireless radio factors like interference to make a mesh network self-configuring and self-healing. Because wireless is dynamic, addition to the network causes AWP to reconfigure paths back to the wired network automatically. AWP also uses stickiness to mitigate route flaps (disconnection/temporary disruption doesnt cause mesh change).

Notes and Notices:

VLAN Trunk Protocol

Published

Deon Botha

on April 10, 2008

in BCMSN, Certification, Cisco Systems, VLAN and VTP

. 1 Comment

VLAN Trunk Protocol (VTP) is what manages a consistent list of VLANs between switches on the enterprise network. All switches that share common information are grouped in VTP management domains. The “global” VLAN information shared between switches are VLAN number, name and description thereby keeping the same VLAN information shared between enterprise switches; more particular information like port assignments is kept local to each switch.

What this means is that you will have VLAN informaiton consistent on all switches of the enterprise but port assignment will have to be done manually on each switch.

Switches within a VTP Domain synchronize their VLAN databases by sending and receiving VTP advertisements over trunk links. VTP advertisements are flooded throughout a VTP domain by switches (every 5 minutes or when a change happens) over VLAN 1 (Cisco default NATIVE VLAN) using layer-2 multicast frame.

Describing the VTP:

VTP is a layer-2 messaging protocol that maintains VLAN configuration consistency between switches by managing the additions, deletions, and name changes of VLANs on all switches in a VTP domain. VTP runs over trunk links allowing interconnected switches to exchange layer-2 frames, synchronizing a single list of configured VLANS.

These are the attributes of VTP:

VTP is a Cisco Proprietary protocol.
VTP will advertise VLANs 1-1005 only.
VTP updates are exchanges only across trunk links.
Each switch operates in a given VTP mode (server, client, transparent) which determines how VTP updates re sent from and received by that switch.

These are the attributes of a VTP Domain:

A switch can only belong to one one VTP Domain.
A VTP Domain may be as small as only one switch.
VTP Updates will be exchanged only with other switches in the same domain.
The way VLAN information is exchanged between switches in the same domain depends upon the VTP mode on the switch (server, client, transparent).
By default, a Cisco Catalyst switch is in the no-management-domain state until it receives an advertisement for a domain over a trunk link, or until a management domain is configured.

These are the attributes of a VTP Modes:

VTP Mode	Feature
Server	Creates, Modifies, and deletes VLANs at the CLI Generate and forwards VTP advertisements from other switches in the same management domain. May update its own VLAN database with information received from other serves in the management domain Saves VLAN configuration information in “vlan.dat” file in Flash memory
Client	Cannot create, modify, or delete VLANs at the CLI Forwards VTP advertisements received Synchronizes its own VLAN database with latest information received from VTP server in the management domain VLAN information in RAM only, not stored in NVRAM or FLASH; must be repopulated from VTP Server if switch powered down
Transparent	Creates, modifies, and deletes VLANs for the VLAN database on the local switch only Does not generate VTP advertisements Does not update its VLAN database information received from VTP servers in the same management domain Forwards VTP advertisements received from VTP servers in the same VTP domain Always has configuration revision number of 0 Saves VLAN configuration to NVRAM

VTP Versions:

Version 2:

Supports Token Ring Switches.
Consistency checks on new VTP and VLAN configuration parameters.
Propagation of VTP updates that have an unrecognized type, length, or value.
Forwarding of VTP updates from transparent mode switches without checking the version number.

Version 3:

Support for extended VLANs.
Support for the creation and advertisement of private VLANs.
Support for VLAN instances and Multiple Spanning Tree (MSTP) mapping propagation instances.
Improved server authentication.
Protection from the wrong database accidentally being inserted into a VTP domain
Interaction with VTP Version 1 and VTP Version 2.
Ability to be configured on a per-port basis.

VTP Pruning

By default a trunk link carries all traffic for all VLANs in a VTP management domain. It is common however that all switches in the enterprise does not have all VLANs configured on all ports. VTP Pruning increases availability of bandwidth by decreasing traffic on trunk links through restriction of flooded traffic by network devices.

VTP Confiruation Revision Number

When VTP is initially configured the VTP configuration revision number is 0 (zero). Each time a VTP server modifies its VLAN information the configuration revision number is incremented by one. This new revision number is then sent out with the new VTP information and all switches with a lower configuration revision number are updated.

ECNM

There are some guidlines to using VTP in the Campus Infrastructure Model:

VTP Domain is restricted to the building Switch blocks.
VTP keeps VLAN information consistent between building distribution layer and building access layer switches.
VTP configuration errors or failures will be confined to the distribution and access layer switches.
Knowledge of all VLANs does not need to exist on all switches within the Campus infrastructure model.

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

Cisco Enterprise Wide Network Models

Published

Deon Botha

on April 3, 2008

in BCMSN, Certification, Cisco Systems and Enterprise Architecture

. 2 Comments

The Enterprise-Wide Architecture is the more specific enterprise level solution design model for the SONA Framework which gears and prepares the enterprise for Cisco IIN Vision.

The materials I have found on this reads like marketing and advertising sales copy and my version I am afraid might not come off much better.

The model focuses on the sites or locations of the enterprise namely campus (i.e. HQ, main building/buildings), data centre (i.e. could also be located at HQ unless farmed out or if you think of Google with their non-descript concrete buildings around the world that house their server), branch (1 or many locations), teleworker (road warrior or home office worker), and WAN/WAN with specific solutions and benefits for each location on implementing the design model.

Also have a look at the ECNM that has a look at a more recent model on this topic; look specifically at the sub-modules or modules and find these locations mentioned there.

Definitions

You will see the term Campus used often, this term I encountered in my CCNA studies and it is carried through further into later studies. A Campus is one or more buildings connected using a LAN infrastructure within the same geographic area.

You will also remember LAN being defined from CCNA studies and this applies to the Campus definition, a LAN is a network of connected devices within a limited geographic area.

This would build onto the Campus definition in a meaningful way. So to join the two terms a Campus as used in these posts wont span the globe (corporation sized wan environment) but be a localized collection of enterprise buildings, that could tie into the corporate wan, or not, but share a limited geographic area.

Think in South African terms the Didata Campus or maybe something like the Innovation Hub. Both Examples have multiple buildings located in close proximity of each other and have connectivity between each building. In international terms Microsoft Redmond Complex and the Googleplex come to mind as prime examples.

I am not saying that these companies use Cisco kit or employ this enterprise wide architecture (DD might being a Cisco Gold Partner but would probably use the ECNM), I am using their campuses as examples to illustrate the definition.

Overview

Cisco provides the enterprise-wide architecture which supports integration of the entire enterprise network (campus, data centre, WAN, branches, and teleworkers). This helps enterprises protect data and information securely and grow infrastructure and offerings by allowing employees, partners, suppliers, and customers secure, any time and anywhere access to tools, resources and services when needed as they need it.

Campus

Cisco Enterprise Campus Architecture empowers employees with advanced services (end-to-end) by combining core infrastructure (intelligent routing and switching) with tightly integrated productivity-enhancing technologies (IP Communications, Mobility, advanced services). This strategy allows enterprise to increase revenue, productivity, and customer satisfaction.

The design provides for high availability (resilient multilayer design), optimized bandwidth consumption (multicast), and quality of service (QoS) (multicast) while still addressing security challenges like worms, viruses, and other attacks on the network, even at the port level. This is done by a multilayered approach to design and implementation.

The architectural model is standards based thereby extending support on the network for additions like 802.1x and Extensible Authentication Protocol (EAP), IP Security (IPSec), Multi protocol Label Switching Virtual Private Networks (MPLS VPN), identity management, and Virtual Local Area Networks (VLANs).

Data Centre

The Cisco Enterprise Data Centre Architecture supports the need for operational efficiency, optimization of utilization while enabling innovative service-orientated architectures, virtualization, and on-demand computing that is found within enterprise. This architecture model allows the data centre to scale without large or wholesale infrastructural change.

Branch

The Cisco enterprise Branch Architecture grants enterprise/corporate headquarters (HQ) the ability to extend applications and services (security, IP Communication, ERP, etc) to numerous (1 or 100s) of remote locations. The Cisco Empowered Branch solutions set makes use of the Integrated Services Routers (ISR) product range that includes single device integrated security, network analysis, caching, switching, converged voice and video.*

*With every benefit comes setbacks and in this case combining multiple solutions into a single chassis either fixed or modular comes single point of failure.

Teleworker

The Cisco enterprise Teleworker Architecture allows enterprise to deliver secure any time access to remote small or home office employees over standard broadband access services (ADSL, Wireless DSL, and at a stretch HSDPA & EDGE cellular technologies). This provides business with real time constant uptime allowing access to information when needed by employees ( i.e. resiliency) while allowing for a flexible work environment. Through the use of the integrated security within the ISR platform (800 Series) corporate (i.e. campus) security policies are extended to the network edge while enabling converged network services and applications (i.e. IP Telephony*, ERP solutions, etc) reach into employees homes and small offices.

*Check latency and lag issues of Wireless solutions before trying voice on them. Classic case of try before you buy, and try for a while before mind you if it works today doesn’t mean it will work at the end and beginning of the month.

WAN and MAN

The Cisco WAN and MAN Architecture allows for the convergence of voice, video and data service over a single IP network.

Resources:

Enterprise Architecture

Have a look at Aragoen Celtdra website on this topic (its for the BSCI but still applies).

Notes and Notices:

Network Ninja

Tag Archive for 'Authentication'

Open Shortest Path First – OSPF Fundamentals – Multiple Areas

Enhanced Interior Gateway Routing Protocol – Optional Configuration Commands for EIGRP – Tuning EIGRP

Switch Security Layer-2 Attacks – Four

Switch Security Layer-2 Attacks – One

Implementation of a WLAN

WLAN Standards

WLAN Infrastructure Topologies

VLAN Trunk Protocol

Cisco Enterprise Wide Network Models

Search

About

Latest

Archives

Categories