%Enterprise% Archives %%page%%

Tag Archive for 'Enterprise'

Linksys Brand to Disapear

Published

on August 28, 2008

. 0 Comments

Cisco acquired Linksys back in 2003 and the Linksys brand has been around in some way or form since then, kind of, I haven’t had problems with the product myself but have had logistics problems with the brand and this comes from up-channel from various distributors where they can’t promise due dates and shipping from Linksys.

This is a problem for the Linksys brand because although the brand as a whole has a great price point for Home, Home Office (SOHO) and Small, Medium Business (SMB) Market segments the availability sucks and not being able to promise delivery or give an indication of delivery makes using the brand as a plausible solution pointless. While an Enterprise customer might be willing to understand and “deal” that no stock is kept in a Emerging market of their class of products and that the lead time to delivery is longer that understanding is lacking with SMB customers where deals are lost on cents and the ability to start installation tomorrow.

There was talk about a year back from the channel and some of my networking buddies that the Linksys brand would be integrated into the Cisco “stable” for good, meaning that the Linksys brand would phase out totally and only one would emerge. There were obviously two views to this; while one said “Great Cisco all the way” and the other said “Linksys is a strong brand on its own, why kill it?”.

Be that as it may the first steps of the brand integration process has started. How this whole change management process will work is that soon the “Linksys a division of Cisco” will become “Linksys by Cisco” with Linksys and Cisco sharing as much product space and font size and finally only “Cisco” will be on the packaging and product. This process happens over years to get customers use to the idea and “new” packaging and branding and is the eventual process after the companies have assimilated into each other and adopted each others cultures and views.

Wasn’t around back in the day but I suppose the Catalyst Switching platform followed the same routine as this. I know that the IBM and Lexmark Printing and Imaging System did this back in the day.

Cisco’s winner for an Extreme Business Makeover

Published

Deon Botha

on August 14, 2008

in Cisco Systems and Vine

. 0 Comments

Pimping

Last night in Johannesburg (13th August 2008) Cisco announced the winner of the Extreme Business Makeover Competition.

This competition might just be the thing a growing SMB needs to get more competitive, agile and ready for business in the fast paced economy of today so that the SMB can communicate at the speed of business unlike Extreme Makeover: Home Edition that’s the show where the people go and demolish the families house, build a totally new house and pimp it out with stuff the family couldn’t afford in the first place in a month of Sundays.

Where this prize from Cisco will be different from the Extreme Makeover: Home Edition is that

Cisco products are reliable in that they generally don’t just break down,
Cisco products and solutions are well integrated and
If one compares apples with apples Cisco products are cost effective (I’m not going to go get technical here but comparing other SMB products and what you get between vendors I feel Cisco is very well priced with lots of Enterprise Class Technology).

For SMB companies that are struggling with managing vast amounts of data in a secure, reliable and cost effective manner there really is only one technology partner that offers you complete peace of mind in one neat package. All this while offering employees, customers, partners, and vendors access information anywhere and any time without breaking the bank.

On the topic of breaking the bank generally SMB business have cash-flow issues because operational activities take precedence over large capital expenditure projects and Cisco knows this and run amazing leasing deals and rentals offers (recently prime less 4%) for those of us not lucky enough to get this kit for free.

But now back to the competition; The competition was launched in March 2008 and invited local businesses to compete for the first price of a total network transformation featuring all the pimped out Cisco products and solution worth R 300,000 ( $ 37,500 USD). In Cisco products and solutions that should do some heavy pimping!

The winner of the first prize was a company by the name of redpeg a SETA accredited education and training services provider that offers training programs and workplace interventions. The company broadly operates within the workplace HIV/Aids arena and consults to businesses of all sizes to enable them to build capacity to implement manageable and sustainable HIV/Aids workplace programmes.

BSCI Design Foundation – Routing Protocols

Published

Deon Botha

on July 25, 2008

in BGP, BSCI, BSCI Notes, CIDR, Certification, Cisco Systems, Concepts and Constructs, EIGRP, IGRP, IS-IS, OSPF, RIP, RIPv2 and VLSM

. 2 Comments

Routing protocols employ one of two basic strategies to communicate/propagate routing information:

Distance vector routing protocols work by passing copies of their routing tables to their neighbours (a.k.a routing by rumour).
Link State routing protocols work by advertising a list of neighbours and the network attachment state to their neighbours until all routers have a copy of all the lists, routers then run the Shortest Path First Algorithm to analyse all paths and determine the best paths available.

Distance vector routing are less processor and memory intensive than link state routing, but can have loops because routing decisions are made on incomplete information.

Link state routing is loop-proof because routers know all possible routes, but link state routing requires more CPU time and memory.

Classless and Classful Routing

An important characteristic of routing protocols is how they advertise their routes. Older routing protocols (RIP and IGRP) assumed the subnet mask the same as the one the receiving on the interface or that it is the default one (Class A is /8, Class B is /16 and Class C is /24). This is called classful because the assumption is based on the Class of the IP address.

Modern routing protocols (OSPF, IS-IS, and EIGRP) explicitly advertise the mask. There is no assumption made with regard to the mask, it is clearly indicated. This is called classless because no assumption is made and an address alone is not a good indicator subnet mask.

Variable Length Subnet Masks (VLSM) refers to the property of a network that allows different subnet masks to be mixed throughout the network.

Classless Interdomain Routing (CIDR) is a property of a network that allows classful networks to be aggregated.

Classless routing protocols support both VLSM and CIDR.

Interior and Exterior Gateway Protocols

Most protocols are “Interior Gateway”, meaning that they are designed to be run inside a network (inside the trusted boundaries of the company).

BGP on the other hand is an exterior gateway protocol (EGP) and is used for routing between autonomous systems (AS) on the Internet (outside the trusted boundaries of the company). As BGP is the only EGP you will have to consider using it if you connect your network to the Internet.

Convergence Times

A distinguishing characteristic of routing protocols is the speed of convergence times. To explain convergence, when a routing protocol is forwarding data, it is converged. In this state the routing protocol has shared routing table information and each router in the topology knows the best paths available. If there was a change (a router going down, another router being added, etc) this would require all routers to share information again because there are routes they do not have information on. The time between network change and forwarding would be “convergence”. This is generally classed as either slow or fast.

Fast convergence would mean that the routing protocol is able to recognize a problem on the network and fix that problem faster than a user can call to report a given problem.

Slow protocols, such as RIP and IGRP, can take up to minutes to converge when a problem occurs.

Fast protocols (OSPF, IS-IS, EIGRP) generally take less than 10 seconds to converge.

Proprietary and Open Standard Protocols

The important aspects to look for in routing protocols is speed of convergence and whether the protocol is classless (OSPF, IS-IS, and EIGRP). While OSPF and IS-IS are open standards (plays well with other vendors kit), EIGRP is Cisco proprietary (Cisco Only). Of the three protocols EIGRP is the easiest to configure and maintain but requires a pure Cisco environment to run.

Routing Protocol and the ECNM

The ECNM mentioned in previous posts can assist in showing where a particular routing protocol will run in the enterprise. Using information discussed above and using the ECNM the above diagram shows what the advanced routing protocols (EIGRP, OSPF, IS-IS) are best suited for when considering size of network, speed of convergence, VLSM, open or proprietary, and support staff knowledge needs.

The object (ideal) is to have a single routing protocol running throughout the enterprise (reality however is another story) where the enterprise edge will require BGP as the only EGP and at least one if not more of the IGPs within the enterprise boundaries depending on needs/requirements of end-points or design specifications.

In Summation

Older routing protocols (RIP, RIPv2 and IGRP) are slow because they send a full copy of their information periodically, these periodic transmissions act as both routing advertisement and keepalive message. In addition to being slow they consume a lot of bandwidth relative to their function (RIP every 30 seconds).

More modern routing protocols are faster because they separate the routing advertisements and the keepalive messages. Updates are only sent out when new networks need to be advertised or old networks need to be withdrawn; otherwise routers just need to verify that neighbours are still alive (EIGRP every 5 seconds).

RIP and IGRP

These are older distance vector routing protocols that are slow and classful. Some legacy systems (UNIX) expect to learn their default gateway by eavesdropping on RIP advertisements. If you deploy RIP use RIPv2 which is classless.

EIGRP

A modern distance vector routing protocol. It is classless and fast as well as being easy to configure and maintain. Some organizations refuse to implement proprietary standards though (EIGRP provides equivalent performance to OSPF but is easier to implement and maintain).

OSPF

OSPF is a modern classless and fast link-state routing protocol. OSPF has a steep learning curve and uses more processor time and memory than EIGRP. This is the open standard if an organization supports a heterogeneous mixture of routers or has a philosophical problem with proprietary standards.

IS-IS

This routing protocol was developed to compete with OSPF and the two are more similar than they are dissimilar. It is moderately difficult to find anyone who has experience working with IS-IS even if it is open, fast, and classless. There is still however some interest in IS-IS because it can be adapted to support MPLS and IPv6.

BGP

BGP is a routing protocol used between AS on the Internet and you will have to use it to connect your network to the Internet.

Resources:

Internetworking Technology Handbook Routing Basics

Internetworking Technology Handbook RIP

Internetworking Technology Handbook IGRP

Internetworking Technology Handbook OSPF

Internetworking Technology Handbook EIGRP

Notes and Notices:

This is a part of my personal BSCI notes and research to assist myself in learning and understanding the concepts and theory for the BSCI exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BSCI Certification.

BSCI Design Foundation – Network Models

Published

Deon Botha

on July 25, 2008

in BSCI, BSCI Notes, Certification, Cisco Systems, Concepts and Constructs, ECNM, Enterprise Architecture, IIN and SONA

. 0 Comments

Design – Hierarchical

Where networks once were non-hierarchical (layer-1 design, layer-2 design, layer-3 design) they are generally now three-layer hierarchical in design (above). Cisco has been using this model for years and it gave a high-level overview of how a reliable network could be conceived but was largely conceptual because it did not provide specific guidance on “how-to” implement certain things, like:

Implementing redundancy,
Adding Internet Access,
Accounting for remote users,
Locating workgroup and enterprise services

Design – Enterprise Composite Network Model (ECNM)

Revisions to the hierarchical design showed redundant distribution and core devices and connections to make the hierarchical model more fault tolerant. The switch block design (above) explained how redundancy fit into a network, but still did not really adequately specify other parts of the network design. This lead to the Enterprise Composite Network Model (ECNM) development to address the failures of both the hierarchical model and switch block model.

This ECNM is broken into three large pieces:

Enterprise Campus,
Enterprise Edge,
Service Provider Edge.

Enterprise Composite Network Model

ECNM – Campus

The enterprise campus looks very much like the above switch block design with some added details:

Campus Backbone (like the core layer of the hierarchical model),
Building Distribution,
Building Access,
Management,
Server Farm (Enterprise Services).

The ECNM Campus builds onto the Switch block design but gives specific guidance as to where to place servers and management equipment. Take note that the servers look like a switch block and are redundantly attached (dual-homed) to the switches (not really shown nicely in the diagram).

ECNM – Enterprise Edge

The Enterprise edge shows the connections that the enterprise has with the wide area (other networks) and include:

E-Commerce,
Remote Access,
Internet Connectivity,
WAN (Internal links to other branches).

ECNM – Service Provider Edge

The service provider edge includes the public networks that facilitate wide area (other networks) connectivity:

Internet Service Provider (ISP),
Public Switched Telephone Network (PSTN) for dialup,
Frame Relay, ATM, and PPP for private connections.

Multiplexing

Historically voice traffic used one set of circuits and data traffic another. Also if you wanted more than one “number” the telecommunications company installed another physical line to your premises. If you wanted access to a data network they installed a data line for that purpose.

With line technologies like the T-carrier system (USA, Japan, Korea) 24 pulse-code modulated (I don’t know need to ask one the engineers about this), time-division multiplexed speech signals are carried over 2 copper pairs. This type of technology saved the telecommunications companies a lot of money in building out subscriber lines. The problem with T1 as a technology is that it cannot adjust as the customer usage requirements changes (see E-carrier system for Europe and other countries).

As technology changes so does the requirements from that technology; Modern networks are designed to carry voice, video, enterprise applications, normal LAN traffic and management traffic all on the same single secure infrastructure (convergence). The traffic is forced (statistically multiplexed) to share access to the network.

Service-Orientated Network Architecture (SONA) and Intelligent Information Network (IIN)

As covered above “Multiplexing” described the idea of a converged network as a system that integrates what was previously disparate systems (voice, video, data). The traffic types usually found on a converged network would include, but may not be limited to:

voice signalling and bearer traffic,
Core application traffic (ERP and CRM),
Transactional traffic related to database interactions (SQL),
Network management traffic for monitoring and maintaining the network structure (including routing protocol traffic),
Multicast multimedia,
Other traffic (web, e-mail, file transfer).

Each of the above traffic types has its own requirements and expectations that govern its successful execution. These requirements include security, QoS, transmission capacity, and delay.

To support this kind of multiplexed traffic, Cisco routers are able to implement filtering, compression, prioritization, and policing (dedicating network capacity). Except for the filtering process these processes are collectively known as QoS.

As an alternative to QoS, Cisco has an ideal called the Intelligent Information Network (IIN). This vision describes a network that integrates network and application functionality cooperatively allowing the network to be “smart” about how it handles traffic to minimize the footprint of applications. The IIN evolution is described in three phases:

Phase 1: Integrated Transport, deals with a converged network, built along a similar fashion of the ECNM and based on open standards (cross-compatibility)
Phase 2: Integrated Services, posits virtualization of resources such as servers, storage and network access; to move to an “on-demand” model. Don’t think marketing/advertising “virtualization” think practical virtualization the ISR routers (routing, switching, voice, network management, security and wireless) designed as an aio (all-in-one) appliance and Vitalizing Servers (if you have proper designed for the job servers) you can’t be trying this on SMB servers or try recycling 10 year old technology and thinking “bargain let’s load 5 operating systems on this”.
Phase 3: Integrated Applications, using application orientated networking (AON) to make the network “aware” allowing the network to actively monitor and participate in service delivery.

Service-Orientated Network Architecture (SONA) is the practical application or “how-to” of IIN in enterprise networks. SONA breaks down IIN into three layers;

SONA Infrastructure Layer is basically the same as IIN Phase 1,
SONA interactive Services Layer maps to IIN Phase 2,
SONA Application Layer has the same concepts as IIN Phase 3.

Resources:

Aragoen Celtdra on BSCI: Network Architecture and Design

Notes and Notices:

Network Community Online

Published

Deon Botha

on July 20, 2008

in Asides and Off-Topic

. 1 Comment

This post is kind-of off-topic but I feel it’s needed at this point. At the end of this month Network Ninja will have been online for 4 months, it’s hopefully going to be a double anniversary as it will hopefully also mark my first active step towards becoming a full fledged Cisco CCNP Certified bloke.

As to why I have been very quiet as of late when it comes to BCMSN topics I am booked in on Monday morning (tomorrow) for the BCMSN exam at 8:30am GMT+2 and I have been reading and re-reading my own notes (fixing spelling and typos while doing this). Hopefully I bring back good news otherwise its going to be a close call otherwise I am just going to make another booking and get back to the drawing board, I am at the moment looking at my own study limits to see what kind of time I need to give myself to make notes, study and get the material from my short term to long term memory, I feel prepared and feel good about this but with me and my horror history with exams who knows (I’m not a glass half full, glass half empty kind of person… There is no stupid glass, it’s a figment of your imagination).

Combined with all of the above I think its also time to say Thank You/Dankie/Ke a leboga/Ngiyabonga to all the online Cisco Networkers and people I have made contact with along the way that I have received active and passive support from (blog posts that helped me understand something, exhanged emails, twitters, IMs, skype, etc) in the last 4 months.

Thanks to blindhog.net – Josh Horton is the man behind Blindhog and his site is dedicated to helping people learn Cisco, Linux and VOIP technologies with the help of video tutorials. He has a good series of video-torials on GNS3 over at his blog head on over at check them out.

Tip of the hat to www.bitbucketblog.com – Is a blog by a CCIE member busy with his CCIE Security. Bitbucketblog has some good write ups and prep notes. Alot of the CCIE stuff still goes over my head but it’s valuable stuff none the less. Head on over and check it out!

Shout out to Baby, You can Route My World! – A fellow lamb to the CCNP slaughter Aragoen Celtdra is busy with the routing track of the CCNP while I am doing the Switching track. Aragoen is excellent at taking the core of the material and condensing it into great bullet form study sheets. If you don’t like my long winded notes head on over to his bog and give his notes a squiz.

A Networkers Blog – A CCIE blog full of tidbits and interesting posts. Well worth visiting.

Richard Bannister’s CCIE Blog – The CCIE notes and study blog of Richard Bannister, the blog showcases the trials and tribulations of a studying CCIE and what it takes on a weekly basis to study. Richard posts on his study schedule on a weekly basis, what he has covered and his thoughts on the weeks content.

The Life of a CCIE Training Advisor – The blog of Mike a training advisor over at IPexpert and Proctor Labs, really nice guy whose job it is to help the CCIE community at large get Blended Learning Solutions. Get in touch with Mike for some training material, labs etc. I’m sure he can help you out.

CCIE Pilot – The blog of Mar Apuhin a studying CCIE Routing and Switching that is in the last days before LAB. Head on over there and send your words of encouragement.

CCIE Pursuit Blog – A great blog filled to the brim with posts relating to things concerning CCIE study and all things CCIE.

Colin McNamara – The blog of Colin McNamara covering “Technical reviews and articles from a CCIE with extensive experience in designing and implementing converged enterprise networks”.

Arden Packeer – The blog of Arden Packeer a CCIE based in OZ. His blog description is almost like my blog name (never noticed that until I was writing this up). Arden has a pet project going called ccieMagazine head on over there and show some support.

Etherealmind – The blog of Greg Ferro a CCIE his blog covers not only CCIE topics and is well worth following; Greg has a really cool Network Dictionary and also a great style of posting.

Last but not least thanks goes to JP for the things that you pass on and have organized, really appreciate it.

That all having been said after tomorrow I will hopefully be charting a course for the next 4 months to be able to keep on track with my initial plans for my studies.

Switch Security Layer-2 Attacks – Two

Published

Deon Botha

on May 27, 2008

in ACL, BCMSN, Certification, Cisco Systems, Concepts and Constructs, Switch Spoofing, Trunk, VACL, VLAN and VLAN Hopping

. 2 Comments

VLAN Hopping

VLAN Hopping is a network attack whereby an end-device sends packets to/or collects packets from a VLAN that should not be accessible to that end-device. This is done by tagging the invasive traffic with a specific VLAN ID (VID) or by negotiating a trunk link to send or receive traffic on penetrated VLANs. VLAN hopping can be done by switch spoofing or double tagging.

In a Switch spoofing attack the attacker configures an end-device to spoof itself as a switch (this can be a linux pc). The attack emulates Inter-Switch Link (ISL) or 802.1Q signaling along with Dynamic Trunk Protocol (DTP). This is signaling to attempt to establishing a trunk connection with the company switch.

Any switch port configured with DTP auto, upon receipt of a DTP packet generated by the attacking device, will become a trunk port and then accept traffic destined for any VLAN supported on any trunk on that link. The attacker can then send/collect packets from/to any VLAN.

Double Tagging is another method of VLAN Hopping, this is when a workstation generates frames for two 802.1Q headers, this causes the switch to forward the frames onto a VLAN that would normally be inaccessible to the attacker through legitimate means.

The first switch to encounter the double tagged 802.1Q frame strips the first header frame (native VLAN), and forwards the frame out a trunk link, the second switch then forwards the frame according to the other 802.1Q frame header. Should the tag not match the native VLAN of the attacker, the frame will go untagged and flooded to only the original frame.

Best Practices to Mitigate VLAN Hopping

Configure all unused ports as access ports so that trunking cannot be negotiated across those links.
Place all unused ports in the shutdown state and associate them with a VLAN designed for only unused ports, carrying no user data traffic (that means not the Native VLAN either).
When establishing a trunk link, purposefully configure arguments so that:
- The native VLAN will be different form any data VLANs
- Trunking is set up as “on” rather than as negotiated.
- The specific VLAN range will be carried on the trunk

Configuration
To Mitigate against VLAN hopping attacks the following is the config. First select a range of interfaces:
switch#configure terminal switch(config)#interface range gigabitethernet 0/1-48

Now configure the ports as access ports this in turn will turn off DTP

switch(config-if)#switchport mode access

Assign the ports to an unused VLAN (not the Native VLAN)

switch(config-if)#switchport access vlan vlan-id

NB the above commands will not work in VoIP (voice) networks. Cisco IP Phones use trunks (DTP).

VLAN Access Control Lists

There are three kinds of ACLs:

Router Access Control Lists (RACLs)supported in the TCAM hardware on Cisco Multi-layer switches (MLS). Can be applied to any router interface, such as a switch virtual interface (SVI) or Layer 3 routed port.
Port Access Control List (PACL)filters traffic at the port level. PACLs can be applied on a Layer-2 switch port, trunk port, or EtherChannel port.
Vlan Access Control Lists (VACLs)(a.k.a VLAN Access Maps) supported on software on Cisco MLS.

Cisco Catalyst switches support four ACL lookups per packet*:

ingress (1) and egress (2) security lookup
ingress (3) and egress (4) Quality of Service (QoS) look-up

This following section all went over my head or just about and I have no idea whether this works or not or is correct or not for more information.

There are cases where certain Access Control Entries (ACEs) must be combined in each ACLs due to limitations of TCAM hardware. The merge process is also responsible for other functions like expanding ACEs due to a lack of Layer 4 Operations Pointers (L4Op Pointers) or Logical Operational Units (LOUs).

Cisco catalyst Switches use two features to perform a merge

order independent algorithm merge
order dependant algorithm merge

Order Independent Merge (OIM) is based on Binary Decision Diagrams(BDD), ACLs are merged from a series of oder-dependant actions to a set of order-independent masks and patterns. The resulting ACE can be very large, and processor and memory intensive.

Order Dependant Merge (ODM) is not bit-based. The computation is much faster and is less processor intensive.

RACLs are supported in hardware through IP standard and IP extended ACSs, with permit and deny actions. ACL processing is an intrinsic part of the packet forwarding process. ACL entries are programmed in hardware. Lookups occur in the pipeline, whether ACLs are configured or not. With RACLs access list statistics and logging are not supported.

*You can get some switches with two security lookups and 1 QoS lookup in each direction (6 total).

Configuring VACLs

VACLs apply to all traffic on a VLAN. VACLs use standard and extended Cisco IOS IP and IPX ACLs, and MAC Layer-named ACLs and VLAN access-maps.

VACLs follow route-map conventions, in which map sequences are check in order (top-down).

Each VLAN access map can consist of one or more map sequence, each sequence with a match clause and an action clause. The match clause specifices IP, IPX, or MAC ACLs for traffic filtering and the action clause specifies the action to be taked when a match occurs. When a flow matches a permit ACL entry, the assciated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence. If aflow does not match any ACL entry and at least on ACL is configured for that packet, the packet is denied.

Three VACL actions are permitted:

Permit (with capture, Catalyst 6500 only)
Redirect (Catalyst 6500 only)
Deny (with logging, Catalyst 6500 only)

Two features are supported on Catalyst 6500 only:

VACL Capturewhere Forwarded packets are captured on the capture port. The capture option is only permit ACEs. The capture port can be an IDS port or an Ethernet port. The capture port must be an egress VLAN for layer-3 switched traffic.

VACL Redirect where matching packets are redirected to specific ports. You can configure up to five redirect ports. Redirect ports must be in a VLAN where a VACL is applied.

Define a VLAN Access MAP

switch#configure terminal switch(config)#vlan access-map map-name seq# insert to/delete from

Configure the match clause in a VLAN access map sequence

switch(config-access-map)#match options

Configure actions

switch(config-access-map)#action options

Apply the VACL to VLANs

switch(config)#vlan filter map-name vlan-list list

Verify configuration

switch(config)#show vlan access-map map-name

Source for this Config document Section

Private VLANs

Internet Service Providers (ISP) often have devices from multiple clients, in addition to their own servers resident on a single demilitarized zone(DMZ) segment of VLAN. Cisco Catalyst 6500/4500 switches Private Virtual Local Area Networks (PVLAN) to keep some switch ports shared and some switch ports isolated, even if the ports exist in the same VLAN. The 2950 and 3550 support “protected ports”, which are functionally the same on a per-switch basis.

Traditionally ISPs used one VLAN per customer, with each VLAN having its own subnet. A layer 3 device the provides interconnectivity between VLANs and Internet destinations. Problems with this method:

Supporting a VLAN per customer may require a high number of interfaces on ISP network devices.
Spanning Tree becomes more complicated with many VLAN iterations.
Network address space must be divided into many subnets, which wastes space and increases management complexity.
Multiple ACL applications are required to maintain security on multiple VLANs, resulting in increased management complexity.

PVLANs provide Layer-2 isolation between ports within the same VLAN, thereby eliminating the need for VLAN and IP subnet per customer.

A Port in a PVLAN can be one of three types:

Isolated: port has complete Layer-2 separation from other ports within the same PVLAN, except for promiscuous ports; blocks all traffic to isolated ports except from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
Promiscuous: ports can communicate with all ports within the PVLAN. The default Gateway (DG) is probably be hosted as a promiscuous port.
Community: ports communicate among themselves and their promiscuous ports. These interfaces are isolated at Layer-2 from all other interfaces in other communities, or in isolated ports within their PVLAN.

Trunks carry all VLAN traffic so isolated, promiscuous and community PVLAN traffic may enter and leave a switch through trunks

PVLAN ports are associated with a set of supporting VLANs that are used to create the PVLAN structure.

As a Primary VLAN: carrying traffic from promiscuous ports to isolated, community and other promiscuous ports in the same primary VLAN.
As an Isolated VLAN: carrying traffic from isolated ports to a promiscuous port.
As a Community VLAN: carrying traffic between secondary VLANs. You can extend PVLANs across multiple devices by trunking primary, isolated, and community VLANs to other devices that support PVLANs.

A promiscuous port can service only one primary VLAN. A promiscuous port can service one isolated VLAN or many community VLANs.

Configuring

Step 1: Set VTP Mode to Transparent

switch#configure terminal switch(config)#vtp mode transparent

You may also want to check VTP version, password and domain while you are at VTP configuration

Step 2: Create the secondary VLANs (Isolated and community VLANs are secondary VLANs)

switch#configure terminal switch(config)#vlan 102 switch(config-vlan)#private-vlan isolated switch(config-vlan)#end switch#show vlan private-vlan type

Step 3: Create the primary VLAN

switch#configure terminal switch(config)#vlan 100 switch(config-vlan)#private-vlan primary switch(config-vlan)#end switch#show vlan private-vlan type

Step 4: Associate the secondary VLAN with the primary VLAN. Only one isolated VLAN can be mapped to a primary VLAN, but more than one community VLAN can be mapped to a primary VLAN

switch#configure terminal switch(config)#vlan 100 switch(config-vlan)#private-vlan association add 102 switch(config-vlan)#end switch#show vlan private-vlan type

When associating secondary VLANs with primary VLANs use these best practices:

Make sure that the VLAN IDs contain only one isolated VLAN ID (VID)
Use the remove keyword with the secondary VID to clear association; there can only be one association.
Use the no keyword to clear all association from the primary VLAN.
Do not allow the command to take effect until you exit VLAN configuration submode.

Step 5: Configure an interface as an isolated or community port.

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport mode private-vlan host switch(config-if)#end switch#show interfaces gigabitethernet 0/1 switchport

Step 6: Associate the isolated port or community port with the primary/secondary VLAN pair

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport private-vlan mapping 100 102 switch(config-if)#end switch#show interfaces gigabitethernet 0/1 switchport

Step 7: Configure an interface as a promiscuous port

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport mode private-vlan promiscuous switch(config-if)#end switch#show interfaces gigabitethernet 0/1 switchport

Step 8: Map the promiscuous port to the primary/secondary VLAN pair

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport private-vlan host-association mapping 100 102 switch(config-if)#end switch#show interfaces gigabitethernet 0/1 switchport

Step 9: Permit Routing of Secondary VLAN Ingress Traffic

switch#configure terminal switch(config)#interface vlan 100 switch(config-if)#private-vlan mapping add 102 switch(config-if)#end switch#show interfaces private-vlan mapping

The sources for this config section include this Cisco 4500 document and this document. Finally CCIE Blog gave me a some insight and hint as to WTF the difference between the host and promiscious ports on the interface config was.

Definition

Logical Operation Unit (LOU) are hardware registers used to store {operator, operand} tuplesfor Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers specified in an IP extended ACL, VACL, or QoS ACL. These tuples are called Layer 4 Operations (L4Op).

Source

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

References I want to rememeber:

Hucaby, D. (2007). CCNP Self-Study: CCNP BCMSN Official Exam Certification Guide, Fourth Ed, VLAN Access Lists (page. 413-414). Indianapolis: Cisco Press.

Switch Security – Wireless

Published

Deon Botha

on May 27, 2008

in 802.11, Access Point, BCMSN, BPDU Guard, Certification, Cisco Systems, Concepts and Constructs, Root Guard, STP and Wireless

. 0 Comments

This post will be broken into five (including this one) smaller posts. This is taking me far longer than I imagined to finish “Switch Security” (the last section of work before revision) as a section and I have had a few too many close calls in losing this draft post as it gets bigger and bigger.

Security has in the past been focused from the outside in and at the upper layers of the OSI model. Think of the deployment in most situations of a firewall (at the edge). Firewall and security devices often focus on edge routing devices and layer-3 and layer-4 information, stateful packet inspection, etc.

This being said internal communication is often open and unhindered. This is because out of the box “internal” trusted devices forward and just “trust” all. If an attack is launched from inside the network (trusted) then it often goes without notice for a long time. Many security features are available for internal network devices but they must be activated to work.

Access Points

With the large scale adoption of Access Points (APs) and other Wireless devices many employees want the same devices at work as those they enjoy at home. This brings with it the problem of employees plugging wireless AP devices into the office network (Malicious Rogues) when the IT department has no knowledge and has not given consent for these devices to operate on the enterprise network. This is a serious breach of company security because the APs are plugged into a network point (trusted) behind the firewall (untrusted) intentionally hidden from view (behind credenzas, filing cabinets, etc) and network view (SMTP, etc). Because John Doe office employee isn’t thinking about the L33t Hacker or Security ramifications they make the wireless AP work (without any security measures whatsoever).

To mitigate against Spanning Tree Protocol (STP) manipulation, use root guard and the BPDU guard enhancement commands. These commands enforce the placement of the root bridge in the network and enforce the STP domain borders. BPDU guard is best deployed towards user-facing ports to prevent rogue switch-network extensions by an attacker.

Notes and Notices:

QoS and Voice Traffic

Published

Deon Botha

on May 22, 2008

in AutoQoS, BCMSN, Certification, Cisco Systems, CoS, Concepts and Constructs, NBAR, QoS and Trunk

. 1 Comment

Definitions

ingress: arrives/come in/enter

egress: leaving/exit/to go

Its the new words of the day so its going to be used alot

Introduction

Regardless of the speed of individual switches (slower/older vs. faster/newer switches) or links (10/100), speed mismatches (ingress 1000/egress 100), many-to-one switching fabrics(multiple access layer switches into a distribution layer switch), and aggregation (multiple devices communicating through a single connection or to a single device or server) may cause a device to experience congestion, which can result in latency that result in dropped packets.

If and inevitably when congestion occurs (I have heard of enterprise pay-rolls that cause certain amounts of congestion on a network at the end of each month) and congestion management features are not in place (QoS, load balancing on servers, etc) then some packets will be dropped, causing retransmission (TCP) that inevitably increase overall network load and if voice and video are on the network (UDP) the inevitable will be angry employees. QoS can to an extent mitigate latency caused by congestion.

QoS is implemented by classifying and marking traffic at one device while allowing other devices to prioritize or to queue the traffic according to those marks applied to individual frames or packets.

LAN-Based Classification and Marking of Traffic

Classification and marking of traffic is the process of identifying traffic for prioritization as that traffic moves across the network. Traffic is classified by examining information at various layers of the Open Systems Interconnection (OSI) model. IP traffic can be classified according to any values configurable in an access control list (ACL) or any of these layers:

Layer-2 parameters: MAC Address, Multiprotocol Label Switching (MPLS), ATM Cell Loss Priority (CLP) bit, Frame Relay discard eligible (DE) bit, ingress interface
Layer-3 parameters: IP precedence, DiffServ Code Point (DSCP), QoS group, IP Address, ingress interface
Layer-4 parameters: TCP or User Datagram Protocol (UDP) ports, ingress interface
Layer-7 parameters: Application signature, ingress interface

QoS marks (values) establish priority levels (priority classes of service) for network traffic as it is processed by each switch (Access, Distribution, or Core). Once traffic is marked with a QoS value, then QoS policies on switches and interfaces will handle traffic accordingly at the frame and packet level. As a result of classification and marking, traffic will be prioritized accordingly at each switch to ensure that delay-sensitive traffic receives priority processing (voice, video) while non-delay sensitive data traffic waits it’s turn as each switch manages congestion, delay, and bandwidth allocation.

Layer-2 Qos

QoS layer-2 classification occurs by examining information in the Ethernet or 802.1Q header (trunking), like destination MAC Address, Virtual Local Area Network (VLAN) ID. QoS layer-2 markings occur in the priority field of the 802.1q header (LAN layer-2 headers have no place for this so 802.1Q encapsulation must occur). The priority field is 3 bits long (a.k.a 802.1p User Priority or class of Service (CoS) value).

The 3-bit Priority field can carry a value of 1 to 7; 1 is associated with delay tolerant traffic like TCP/IP traffic. Voice traffic receiving a higher priority for Call Signalling receiving a 3 value and Voice bearer traffic 5 value.

As a result of Layer-2 Classifications and marking, these QoS operations can occur:

Input queue scheduling: when a frame enters a port, it can be assigned to one of a number of port-based queues before being scheduled for switching to an egress port. Typically, multiple queues are used where traffic requires different levels of service.
Policing: is the process of inspecting a frame to see if it has exceeded a predefined rate of traffic within a certain time frame that is typically a fixed number internal to a switch. If a frame is determined to be in excess of the predefined rate limit, it can either be dropped, or the CoS value be marked down.
Output Queue Scheduling: is where the switch will place the frame into an appropriate egress queue for switching. The switch will perform buffer management on this queue by ensuring that the buffer does not overflow.

Layer-3 QoS

QoS layer-3 classification occurs by examining information of the header values such as destination IP address or protocol. Qos Layer-3 markings occurs in the Type of Service (ToS) byte in the IP header. The first three bits of the ToS byte are occupied by IP precedence, which correlates to three CoS bits carried in the Layer-2 header.

The ToS byte can also be used for DSCP marking that allows prioritization hop by hop as packets are processed on each switch and interface.

Trust Boundaries

In QoS campus implementations, trust boundaries are defined/created where existing QoS values that are attached to frames and packets are to be accepted or altered. These “trusts” are established by configuring trust levels on the ports of key peripheral network devices where QoS policies will be enforced (trusted) as traffic makes its way into/onto the network. At this entry point traffic will be allowed or not allowed to retain its original QoS markings or will be ascribed new markings (best practice is to mark traffic as close to the source as possible).

In practice this means that if you have a network with a Desktop/Notebook attached to a Cisco IP Phone attached to a Catalyst Switch attached to a Cisco Router the trust boundary can be set at the Cisco IP Phone. Where the IP Phone attaches priority values which are then trusted.

Otherwise if there is a Desktop/Notebook with Softphone attached to a Catalyst Switch attached to a Router the trust boundary can be set to the Desktop/Notebook. Where the softphone attaches priority values which are then trusted.

Configuration IP Phone Attachment

This goes hand in hand with how to configure VLANs first off we create a VLAN

switch#configure terminal switch(config)#vlan 10 name 001-WORK-STATION switch(config)#vlan 100 name 001-IP-PHONE

Now we need to assign the Data and Voice VLAN to a interface

switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport voice vlan 100 switch(config-if)#switchport access vlan 10

Now we need to setup trust as they arrive at the switch port

switch(config-if)#mls qos trust cos

Finally set the trust conditional to a Cisco IP Phone being attached

switch(config-if)#mls qos trust device cisco-phone

Auto QoS

Cisco AutoQoS gives the ability to deploy QoS features for converged IP Telephony and allow for telephony networks to be deployed quicker and efficiently than if it had to be done manually. Cisco AutoQoS generates traffic classes and policy map command-line (CLI) templates across platforms that are the same where doing things manually might not have the same congruence. Cisco AutoQoS simplifies and automates the QoS CLI (MQC) definition of traffic classes and the creation and configuration of traffic policies.

AutoQos can be beneficial in these scenarios:

SMB that deploy IP Telephony quickly but lack experience and staffing to deploy IP QoS Services.
Large enterprises that need to deploy Cisco Systems Telephony solutions on a large scale, while reducing costs, complexity, and time frame for deployment, and ensuring that the appropriate QoS for voice applications is being set in a consistent fashion.
International enterprises or service providers requiring QoS for VoIP where little expertise exists in different regions of the world and where provisioning QoS remotely and across different time-zones is difficult.
Service providers requiring a template-driven approach to deliver managed services and QoS for voice traffic of customer premises devices.

Cisco AutoQoS simplifies and shortens the deployment cycle in the following ways:

Application classification: By leveraging intelligent classification on routers Cisco network-based application recognition (NBAR) provides stateful and deep packet inspection. Cisco AutoQos uses Cisco Discovery Protocol (CDP) for voice packets to ensure that end-device attached to the Local Area Network (LAN) is really an Cisco IP Phones (keep in mind that CDP is Cisco Proprietary).
Policy Generation: Cisco AutoQos evaluates the network environment and generates the initial policy. This feature automatically generates interface configurations, policy maps, class maps, and Access Control Lists (ACL).
Configurations: Using one command, Cisco AutoQoS configures the port to prioritize voice traffic without affecting other network traffic, while still offering the flexibility to adjust QoS settings for unique network requirements. Cisco AutoQoS will automatically detect Cisco IP Phones and enable QoS settings, in turn it will also disable QoS settings to prevent malicious activity when a Cisco IP Phone is relocated or moved.
Monitoring and reporting: Cisco AutoQoS provides visibility into the Class of Service (CoS) deployed via system logging and Simple Network Management Protocol (SNMP) traps, with notification of abnormal events(VoIP packet drops).
Consistency: Cisco AutoQoS configurations are consistent among router and switch platforms. This level of consistency ensures seamless QoS operation and interoperability within the network.

Cisco Catalyst Switch Configuration – Cat OS

To configure the global QoS settings

Console> (enable) set qos autoqos ......... All ingress and egress QoS scheduling parameters configured on all ports. CoS to DSCP, DSCP to CoS. Precedence to DSCP and policed dscp maps configured. Global QoS configured, port specific autoqos recommended: set port qos <mod/port> autoqos trust <cos/dscp> set port qos <mod/port> autoqos voip <ciscoipphone/ciscosoftphone>

To configure Cisco AutoQoS settings and the trusted boundary features on/for Cisco IP Phones, CDP V.2 or later needs to be enabled on a port. If the trusted boundary feature is enabled. You will receive a syslog warning message if CDP is not running or CDP V.1 is running.

CDP need not be enabled if you do not use the ciscoipphone QoS configuraiton.
Console> (enable) set port qos 4/1 autoqos voip ciscoipphone Warning: CDP is disabled or CDP version 1 is in use. Ensure that CDP version 2 is enabled globally, and also ensure that CDP is enabled on the port(s) you wish to configure autoqos on. Port 4/1 ingress QoS configures for ciscoipphone. It is recommended to execute the "set qos autoquos" gloval command if not executed previously. Console> (enable)

To configure the port-specific QoS macro that handles all inbound QoS configurations that are specific to a particular port. This should only be used when the port connects to other known switches or servers because the port tursts all inbound traffic marked.
Console> (enable) set port qos 4/1 autoqos voip code/dscp

Cisco Catalyst Switch Configuration – Cisco IOS

When Cisco AutoQos in enabled on the first interface, QoS is globally enabled. This would be like configuring this command

switch#configure terminal switch(config)msl qos

To in turn enable QoS on an interface use this command that tells the switch that the interface is connected to a trusted router/switch and that the VoIP classifications in the ingress packet should be trusted:

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#auto qos voip trust

OR that the interface is connected to a Cisco IP Phone, the QoS labels of incoming packets are trusted only when the IP Phone is detected; this enabled CDP to detect the IP Phones absence or presence.

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#auto qos voip cisco-phone
To check config use the following command
switch#show auto qos interface-id

Cisco AutoQoS Automation

Cisco AutoQoS automates several things when configured. It enforces trust boundaries on Cisco Catalyst switches access ports, uplinks and downlinks. Enables Catalyst strict priority queuing (PQ) (a.k.a expedited queuing) with weighted round-robin (WRR) scheduling for voice and data traffic. It configures queue admission criteria and finally modifies queue sizes and weights as needed.

Notes and Notices:

Planning Voice on a Data Network

Published

Deon Botha

on May 21, 2008

in BCMSN, Certification, Cisco Systems and VoIP

. 0 Comments

There are numerous benefits to packet switched telephony:

More efficient use of bandwidth and kit: Traditional telephony networks use a 64-kbps (For argument lets say 1B Channel on a ISDN line) channel for every voice call. Packet telephony shares bandwidth among multiple logical connections and offloads traffic volumes from existing voice switches.
Lower costs for telephony network transmissions: A substantial amount of equipment is needed to combine 64-kbps (ISDN) channels into a high-speed link for transport across a network (Lets say an ISDN PRI). Packet telephony statistically multiplexes voice traffic alongside data traffic. This consolidation represents substantial savings on CAPEX and OPEX.
Consolidated voice and data network expenses: Data networks functioning separately from voice networks become major traffic carriers. The underlying voice networks can be converted to utilize the packet-switched architecture to create a single integrated communications network with a common switching and transmission system. The benefit is CAPEX and OPEX savings.
Increased revenues from new services: Packet telephony enables new integrated services, such as broadcast-quality audio, unified messaging, and real-time voice and data collaboration. These services increase employees productivity and profit margins well above those of basic voice services. In addition, these services enable companies and service providers to differentiate themselves and improve their market position.
Greater innovation in services: Unified communications use the IP infrastructure to consolidate communications methods that were previously independent (Fax, voicemail, email, wireline telephone, cellular phone, and the web). The IP Infrastructure provides users with a common method to access messages and initiate real-time communications – independent of time, location, or device.
Adding to new communications devices acket technology can reach devices that are largely inaccessible to the time-division multiplexing (TDM) infrastructures of today (pcs, wireless devices, household appliances, PDAs). Access to these devices enable companies and service providers to increase the volume of communications they deliver, the breadth of service they offer, and the number of subscribers they serve. Packet technology, therefore, enables companies to market new devices, including videophones, multimedia terminals, and advanced IP Phones.
Flexible new pricing structures: Companies and services providers with packet-switched networks can transform their service and pricing models. Because network bandwidth can be dynamically allocated, network usage no longer needs to be measured in minutes or distance. Dynamic allocation gives service providers the flexibility to meet the needs of their customers in ways that bring them the greatest benefits.

The basic components for voice on a IP network are as follows:

IP Phones: The end-device on desks
Gatekeeper: Provides Connection Admission Control (CAC), bandwidth control and management and address translation.
Gateway: Provides translation between voice over Internet Protocol (VoIP) and non-VoIP networks, such as the public switched telephone network (PSTN). It provides physical access for local analog and digital devices (telephones, fax machines, and PBXs)
Multipoint Control Unit: Provides real-time connectivity for participants in multiple locations to attend the same videoconference or meeting.
Call Agent: Provides call control for IP Phones, CAC, bandwidth control and management, and address translation.
Application Server: Provides services such as voicemail, unified messaging, and Cisco CallManager Attendant Console.
Videoconference Station: Provides access for end-users participation in videoconferencing. This station has a video camera and a microphone. The user can view video streams and hear the audio that originates from the remote user station.

There are other components not listed here like voice applications, interactive voice response (IVR) systems, and softphones that meet the specific needs of enterprise.

Voice and Data Traffic Characteristics

Voice traffic has extremely stringent QoS requirements (because it is extremely delay sensitive). Voice traffic generates a smooth demand on bandwidth and has minimal impact on other traffic (60 – 120 bytes), as long as voice traffic is managed. Because of the resulting time sensitive nature User Datagram Protocol (UDP) is used to package voice packets; TCP retransmit capabilities have no value (because if it needs to be retransmitted then there is delay in the actual conversation occuring NOW).

For voice quality, delay should be no more than 150ms (one-way) and less than 1% packet loss. A typical voice call requires 17 – 106 kbps of guaranteed priority bandwidth, plus additional 150bps per call for voice-control traffic. Multiplying this out for the maximum calls expected during busiest times the overall bandwidth requirements for voice traffic can be calculated.

Because Data traffic is not as delay sensitive and can tolearate high drop rates the restransmit capabilities of TCP has become important, as a result many applications use by default TCP.

In networks, important business critical applications are ussually easy to identify. Most applications can be identified based on TCP or UDP port numbers (HTTP, HTTPS, FTP, TELNET, SQL, ETC). Some application use dynamic port numbers that, to some extent, make classification more difficult. Cisco IOS software supports network-based application recognition (NBAR), which can be used to recognize dynamic port applications.

VoIP Call Flow

As I mentioned in a previous post (see HSRP Accross Trunk Links) and some other places its best practice to setup voice and data on separate VLANs (I did in my own network). This is done so that QoS can be applied to prioritize the VoIP traffic as it traverses the network. If this is not done then voice and data traffic contend for available traffic without consideration for other devices (one or the other is going to suffer).

A major component of designing a successful IP Telephony network is bandwidth provisioning. The bandwidth requirement is calculated by adding the total required bandwidth for voice, video and data together; the sum should not be more than 75% of the link total.

For a traffic perspective IP Telephony consists of two types of traffic:

Voice Carrier Stream consists of Real-Time Transport Protocol (RTP) packets that contain actual voice samples.
Call Control Signaling that contains packets belonging to one of several protocols used to set up, maintain, tear down, or redirect calls. Depending on the end-point this could be H.323 or Media Gateway Control Protocol (MGCP)

Auxiliary VLANs

Some Cisco Catalyst switches offer a unique feature called “Auxiliary VLAN“. This feature allows one to overlay a voice topology over an existing data network. One can segment phones into a separate logical network, even though the data and voice network are physically the same.

The auxiliary VLAN feature places the phones into their own VLANs without any end-user configuration. Additionally VLAN assignment can be maintained even if the phone is moved.

How this works is that when a phone is plugged into the switch (whichever port), the phone will request a DHCP address, and the phone is placed in a VLAN automatically. With phones in their own VLANs administrators can troubleshoot and identify problems easily. This also makes enforcement of QoS and security policies easier.

QoS

QoS is the application of features and functionality required to actively manage and satisfy the networking requirements of applications that are sensitive to loss, delay and delay variations (jitter). QoS allows preference to be given to critical application flows for the available bandwidth.

Cisco IOS implementations allows for QoS to provid these features:

Priority access to resources: QoS allows administrators to control which traffic it allows to access specific network resources such as bandwidth, kit, and WAN links.
Efficient management of network resources: If network management and accounting tools indicate that specific traffic is experiencing latency, jitter, and packet loss, then QoS tools can be used to adjust how traffic is handled.
Tailored service: The control provided by QoS enables Internet Service Providers to offer carefully tailored grades of service to their customers.
Coexistance of mission-citical applications: QoS technologies ensure that mission-critical applications receive priority access to network resources while providing adequate processing for applications that are not delay sensitive.

High Availability

Traditional Telephony networks strive to provide 99.999 (5.25 minutes) of downtime a year. This is less downtime than most data networks. To provide the same experience this means choosing hardware and software with a low mean time between failure (MTBF) or installing redundant links and hardware.

Availability is when a user wants to make a call the network is able to respond to that need. Efforts to ensure availability would include proactive management to predict failure and taking steps to correct problems in design of the network as it grows. When the converged network goes down things downtime can be minutes, hours or days. This is unacceptable in a converged network where downtime means no phone calls. Providing for uninterpretable power supplies (UPS), lighting arrestors and other means to ensure availability at all costs.

High Availability encompases many areas of a network. In a fully redundant network these components need to be duplicated:

Servers and call managers,
Acces layer devices (layer-2 switches)
Distribution layer devices (routers or Layer-3 switches)
Core layer devices (layer-3 switches)
Interconnections (WAN links, PSTN Gateways, ISP links)
Power supplies and UPSs

Notes and Notices:

Implementation of a WLAN

Published

Deon Botha

on May 20, 2008

in 802.11, Access Point, BCMSN, Certification, Cisco Systems, Concepts and Constructs and Wireless

. 0 Comments

This post brings together the theory into a more practical setting. This post covers the two types of Wireless Local Area Network (WLAN) implementations that Cisco offers namely autonomous WLAN Access Points (AP) and lightweight APs (LAP) with WLAN Controller (WLC).

For ease of my own use and understanding, I am going to use the proper acronums an Autonomous Access Point (AP), a lightweight Access Point (LAP) this is however not to be confused (NB) with Lightweight Access Point Protocol (LWAPP).

So take note of when I talk about hardware and the protocol in my notes. So to round up an AP is a full IOS Access Point able to be used in a stand-alone environment and can be downgraded for use (in most cases) to become an LAP; a LAP is a less extensive IOS feature-set and needs to be used in conjunction with a Wireless LAN Controller (WLC), then finally LWAPP is the protocol.

Autonomous APs

Jumping right in an AP implementation has various components, some of which are considered needed and some of which are considered optional:

A Cisco AP that uses Cisco IOS Software. To show this in an example the Cisco product code AIR-AP1131AG-x-K9 is a Aironet (AIR) product, is an autonomous Access Point (AP) of the 1131 product range at least Wireless 802.11 A and G capable (AG) this example product code is non region specific (x) and is an export restricted product range due to cryptology information resident in IOS (K9). If this was region specific the (x) would change to A=FCC, C=China, E=ETSI, I=Israel, J=TELEC (Japan), K=Korea, N=North America (Excluding FCC), P=Japan2, S=Singapore, or T=Taiwan.
Network infrastructure like switches and routers. Switches with Power over Ethernet (PoE) can provide power to AP.
Wireless Domain Services (WDS) for radio frequency (RF) management and fast, secure roaming. You can run Cisco Structured Wireless Aware Network (SWAN) WDS on Cisco Aironet APs, Cisco Catalyst Switches and Cisco Routers. The following list supports SWAN WDS Aironet 1230 AG, 1240AG, 1200, 1130 AG 1100 Series APs, Catalyst 6500 Series Wireless LAN Services Module (WLSM), Cisco 3800, 3700 Series Integrates Services Routers (ISR) and some models of 2800 and 2600 series ISR that run Cisco IOS version 12.3(11)T or later.
CiscoWorks Wireless LAN Solution Engine (WLSE) for Management (optional).
Cisco Secure Access Control Server (ACS) for security using RADIUS and TACACS+ protocols.

Lightweight APs

A Cisco Lightweight Access Point (LAP) that uses Cisco IOS Software. To show this in an example the Cisco product code AIR-LAP1131AG-x-K9 is a Aironet (AIR) product, is an Lightweight Access Point (LAP) of the 1131 product range at least Wireless 802.11 A and G capable (AG) this example product code is non region specific (x) and is an export restricted product range due to cryptology information resident in IOS (K9). If this was region specific the (x) would change to A=FCC, C=China, E=ETSI, I=Israel, J=TELEC (Japan), K=Korea, N=North America (Excluding FCC), P=Japan2, S=Singapore, or T=Taiwan.
Network infrastructure like switches and routers. Switches with Power over Ethernet (PoE) can provide power to AP.
Cisco Wireless LAN Controller (WLC) for configuration of the Access Points.
Cisco Wireless Control System (WCS) for management (optional).
Cisco Wireless Location Appliance for location tracking
Cisco Secure Access Control Server (ACS) for security using RADIUS and TACACS+ protocols.

Comparison of WLAN Solutions

The above two bullet lists should show that autonomous and lightweight WLAN solutions have some differences.

The main difference being in Autonomous mode the Cisco IOS feature set is more extensive and as the name denotes autonomy meaning “the right to govern itself” so each AP is configured individually and manage themselves (this can and probably will at some point lead to configuration errors if there are more than a couple of APs). Centralized management is possible through WLSE. Redundancy is achieved at the AP level (do the math if its cheaper to add APs than to add a WLC then this is the option).

In Lightweight mode a Wireless LAN Controller takes the centralized configuration and means the APs are dependant on the WLC (read point of failure) and pushed the configs to the APs. This gives congruence between the APs on the network without much hard work. Centralized management is possible through WCS. Redundancy is achieved at the WLC level (do the math if its cheaper to add a WLC than to just add APs then this is the option).

LAP Solution

LAP architecture splits processing of the 802.11 protocol between two devices; the LAP and the WLC. The processing of the 802.11 data and management protocols and the AP functionality is also divided between the two devices. This approach is called split MAC.

The LAP handles the portions of the protocol that have real-time requirements:

Frame Exchange handshake between a end-device and AP when transferring a frame over the air.
Transmission of beacon frames.
Buffering and transmission of frames for end-devices in power save operation
Response to probe request frames from end-devices
Forwarding notifications of received probe requests to the controller
Providing real-time signal quality information to the controller with every received frame.
Monitoring each radio channel for noise, interference, and presence of other WLANs.
Monitoring of presence of other LAPs.

The remaining functions are all handled by the WLC because either the function is not time-sensitive or a system wide visibility is required by the function.

802.11 authentication
802.11 association and re-association (mobility)
802.11 frame translation and bridging

The control (management) traffic between the AP and the WLC is encapsulated using LWAPP and encrypted using Advanced Encryption Standard (AES); the data from the LAP and the WLC is also encapsulated using LWAPP but not encrypted. The data is switched once it reaches the WLC where it receives VLAN tagging, quality of service (QoS).

Layer-2 and Layer-3 Mode of LWAPP

Layer-2 LWAPP is in an Ethernet Frame. For layer-2 mode, the WLC and WLAP must be in the same broadcast domain and IP subnet.

Layer-3 LWAPP is in a User Datagram Protocol (UDP)/IP Packet. The WLC and WLAP can be in the same or different broadcast domains and IP Subnets. For layer-3 operation WLAP need IP Addresses. They must obtain these IP Addresses via DHCP.

So to bring this together; think of a network in your mind, if the network is flat/or the WLAP and WLC are located on the same network segment; iow is a switched network then the LAWPs can use either layer-2 or layer-3 mode. If the WLAPs and the WLC find themselves spread across the enterprise (physically) meaning that they would be in different subnets and on different segments (I’m thinking big business) you must use layer-3 mode.

LAP Association

There is a nice explanation on this document. A LAP will search for a WLC first using LWAPP layer-2 mode, then layer-3 mode. The process runs as followings; the LAP requests an IP Address via DHCP, the LAP then sends a LWAPP discovery request to the management IP address of the WLC via a broadcast.

The LWC responds with a discovery response from the management IP Address. This response includes the number of AP associated to the Access Point Manager interface and the Access Point Manager IP address.

The LAP then chooses the Access Point Manager with the least number of associated APs and sends a join request.

All following communication between the LAP and the WLC is done via the Access Point Manager IP Address.

Cisco Aironet WLC

The Cisco Aironet standalone WLCs range (2106, 4402 and 4404) are designed for Small and medium enterprise/business (SMB) to medium to large enterprise.

The 2106 Series allows Small and medium sized enterprise/business (SMB) environments to support up to six LAPs and are fairly cost effective (this is objective). With integrated DHCP services, zero-touch AP configuration, the Cisco 2106 is built for SMB companies that don’t have on-site IT support, like branch offices with distributed offices (i.e. corporate infrastructure and support teams to lean on when things go wrong).

The Cisco 4400 series is built for medium to large enterprise/business.

Cisco 4402
- 2 GigabitEthernet (GE) ports
- Configurations that support 12, 25, and 50 APs
- One Expansion Slot
Cisco 4404
- 4 GE ports
- Support for 100 APs
- Two Expansion slots

Optional redundant power supplies to ensure maximum availability can be purchased for the 4400 Series.

WLC are also available for the Cisco Catalyst 6500 and Cisco Integrated Sercies Routers (ISR) in the form of Integrated Controllers of Controller Modules.

Notes and Notices:

Network Ninja

Tag Archive for 'Enterprise'

Linksys Brand to Disapear

Cisco’s winner for an Extreme Business Makeover

BSCI Design Foundation – Routing Protocols

BSCI Design Foundation – Network Models

Network Community Online

Switch Security Layer-2 Attacks – Two

Switch Security – Wireless

QoS and Voice Traffic

Planning Voice on a Data Network

Implementation of a WLAN

Search

About

Latest

Archives

Categories