%Model% Archives %%page%%

« Older Entries

Tag Archive for 'Model'

Enhanced Interior Gateway Routing Protocol – Tables

Published

Deon Botha

on August 8, 2008

in BSCI, BSCI Notes, Certification, Cisco Systems, Concepts and Constructs and EIGRP

. 0 Comments

EIGRP builds and maintains three tables,

A Neighbour table – used to make sure all ACKs are received.
A Topology Table – used to understand paths through the network.
An IP Routing Table – the best paths from the Topology table.

Creating the Neighbour Table

As previously stated, the neighbour table is maintained through Hello packets (These are multicast announcements that the router is alive).

Hello packets place the router into an adjacent routers’ neighbour tables.
- Reciprocal Hellos build the local Neighbour Table.
- Once the Neighbour Table is built, Hellos continue periodically to maintain neighbourship.

Each Layer-3 Protocol supported by EIGRP (IPv4, IPv6, IPX and AppleTalk) has its own separate Neighbour Table. Information about neighbours, routes, or costs are not shared between protocols.

Contents of the Neighbour Table (Resource 1, 2)

The Layer-3 Address of the neighbour (IP Address)
The interface through which the neighbours Hello was heard (fe0/1)
The holdtime (how long the neighbour table waits without hearing a Hello from a neighbour before declaring the neighbour unavailable and purging the database). Holdtime is three times (x3) the value of the Hello timer by default.
The uptime (period since the router first heard from the neighbour).
The sequence number. The neighbour table tracks all the packets sent between neighbours (both the last sequence number sent to the neighbour and the last sequence number received from the neighbour).
Retransmission timeout (RTO), the time a router will wait on a connection-orientated protocol without ACK before retransmitting the packet.
Smooth Round Trip Time (SRTT), calculates the RTO. The SRTT is the time (milliseconds) that it takes a packet to be sent to a neighbour and a reply to be received.
The number of packets in a queue, which is a means by which administrators can monitor congestion on the network.

Becoming a Neighbour

All EIGRP routers periodically announce themselves with the Hello packet using multicast (224.0.0.10). On hearing a Hello (receiving) routers add an entry in the Neighbour Table (the continued receipt of Hello packets maintain the neighbour table).

If a Hello packet is not received from a neighbour within the holdtime (3x the Hello timer) the neighbour is removed from the Neighbour Table.

LAN = Hello timer 5 seconds, Holdtimer 15 seconds.
DS1 (1.5Mbps) or slower WAN links = Hello timer 60 second, Holdtimer 180 seconds.

To become a neighbour, the following conditions must be met:

The router muse hear a Hello packet from a neighbour,
The EIGRP Autonomous System (AS) number in the Hello packet must be the same as the receiving router,
the K-values used to calculate the metric must be the same.

Creating the Topology Table

After a router knows who neighbours are, it can create a Topology Table, assign Successors and Feasible Successors for each route (The Topology Table has a record of all routes not only Successors and Feasible Successors). The other routes are referred to as possibilities.

The topology table includes the following information:

Whether the route is passive or active.
Whether an update has been sent to the neighbour.
Whether a query packet has been sent to a neighbour
- if positive at least 1 route will be market active.
Whether a query packet has been sent
- if positive another field will track whether any replies have been received from neighbours.
That a reply packet has been sent in response to a query packet from a neighbour.
Prefixes, masks, interface, next-hop, and Feasible and Advertised Distance from remote networks.

The Topology Table is built from Update Packets that are exchanged by neighbours and by Replies to Queries sent by the router.

Queries and Responses used by EIGRP are sent reliably as multicast using RTP. If a router does not hear an ACK within the allotted time, it retransmits the packet as a unicast (16 times) after which the router marks the neighbour as dead.

Each time the router sends a packet, RTP increments the sequence number by one. The router must hear an ACK from EVERY router before it can send the next packet.

When all this is done the router has an understanding of the topology, it then runs DUAL to determine the BEST PATHS to the remote network. The result is entered into the Network Table.

Maintaining the Topology Table

The Topology Table may be recalculated because

A new network is added,
Successors change,
A network is lost.

Adding a Network to the Topology Table

As soon as Router A becomes aware of the new network (right),
1. It starts sending Hello packets out the new interface.
  1. No one answers (there is no router out the interface).
    - There will be no entries in the Neighbour Table because no neighbours responded to the Hello.
    - There is however a new entry in the Topology Table because it is attached to a new network.
EIGRP, sensing a change, must send an update to all neighbours on it’s old interface, informing neighbours of the change. These updates are tracked in the Topology Table and the Neighbour Table because updates are connection-orientated and ACKs from neighbours must be received within a timeframe.
Router A has completed its work.
1. Neighbours on the old network will update their sequence numbers in their Neighbour Tables and add the new network to the Topology Table.
  1. They will calculate FD and the Successor to place in the Routing Table.

Deleting a Path or Router from the Topology Table

If a network connected to Router A is disconnected (right),
1. Router A updates its Topology Table and Routing Table and sends an update to its neighbours.
When a neighbour receives the update ,
1. it updates the neighbour table and the topology table.
The neighbour searches for an alternate route to the network. It examines the Topology table for alternatives (none will be found there is only one path).
The neighbour then sends out a query to its neighbours requesting that they look in their tables for paths to the remote network.
1. This marks the route active in the Topology Table.
The query is tracked and when all replies are in the Topology Table and Neighbour Table is updated.
DUAL (which starts as soon as network change registers) runs to determine the best path, which is placed in the routing table.
Before routers respond, routers query their own neighbours (the search for alternative paths extends or diffuses throughout the entire organization).
If no alternative is found, the neighbours reply to the query stating that they have no path.
When no router can supply a path to the network, all the routers remove the network from their Routing Table and Topology Table.

Finding an alternate path to Remote Network

The router marks the routes that were reached by sending the traffic to that neighbour.
The router looks in the topology table to determine if there is an alternate route (Feasible Successor).
If a successor is found, the router adds the feasible successor to it’s routing table. If the router did not have a feasible successor, it would have placed the route into an active state while sending queries to neighbours for an alternate path.
After interrogating the topology table, if a feasible route is found, the neighbour replies with the alternative path. This path is placed in the Topology Table.
If no answer is heard, the messages are propagated through the network.

Creating the Routing Table

The Routing Table in EIGRP is built from the Topology Table using DUAL. The Topology Table holds all routing information known to the router and from this information successors and feasible successors are selected. Successors are passed to the Routing Table and used for routing decisions.

EIGRP Path Selection

Go here for more information on the metric.

Updating the Routing Table in Passive Mode with DUAL

When a path is lost, DUAL first looks in the Topology Table for a FD; If none the router stays in passive mode (as opposed to active mode where the router actively queries for alternative paths).

The FD from Router A to Router G is 10 ( A – D – G)
The AD from Router A to Router G is 5 (advertised from Neighbour D)
- Because 10 > 5 (FD > AD). The FD meets the feasibility condition allowing it to become FD.
- If the link between Router D and Router G goes down. Router A looks in its Topology Table.
- The Alternative Routes through Routers A to D to E to G (A-D-E-G) have an AD of 19
  - Because 10 < 19 (original FD), it does not qualify as a feasible successor.
- The Path through Router D to H to F to G (D-H-F-G) has an AD of 20
  - Because 10 < 20 (original FD), it does not qualify as a feasible successor.
- The Path through Router A to E to G has an AD of 7
  - Because 10 > 7 (original FD), it does qualify as a feasible successor.
- After the link between Router D and G dies, the Routing Table would be updated from the Topology Table while the router remains in Passive Mode.

Updating the Routing Table in Active Mode with DUAL

When no alternative route is found in the Routing Table, the following actions occur. The Topology Table of Router A starts with a path (successor) of A to D to G to X. The FD is 20, and the AD from Router D is 15. When Router D dies, Router A must find an alternate path to X.

The router rejects neighbours Router B, Router C, Router E and Router F as Feasible Successors.
- Router B 20 < 27
- Router C 20 < 27
- Router E 20 = 20
- Router F 20 < 21
  - Because all neighbours have a AD greater than or equal to the successors FD. They do not meet Feasibility requirements.
Router A goes into Active Mode and sends out queries.
Both Router E and F reply
- Router E 20 > 5
- Router F 21 > 5
  - The network returns to Passive Mode. The FD is acceptable, the Topology Table and Routing Table will be updated.
  - Router E is selected as the best route based on a lower FD
The result is placed in the Routing Table as the valid neighbouring router.
Router F will be the feasible successor.

EIGRP Network Design

EIGRP is designed to work in very large networks.
EIGRP is very design Sensitive.
Scaling a network properly is a major concern.
New demands are constantly driving the networks to use applications that require more bandwidth with less delay; while networks are becoming larger and more complex.

Factors that can affect of EIGRP include:

Amount of information sent between neighbours.
Number of routers that receive updates.
distance between neighbouring routers.
number of alternative paths to remote networks

Poorly scaled EIGRP networks result in:

A stuck-in-Active route
Network Congestion
Lost routing information
Flapping routes
Retransmission
Low Router memory
Over utilized Router CPU

Other factors (poor design) cause some of these symptoms because resources are overwhelmed with assigned tasks.

EIGRP Design Issues

Major concern in scaling an organizations network is controlling advertisements and limiting query range (NB over slow WAN links). Sending less information about the network there is more bandwidth available to clients and servers. This relieves the network and speeds convergence, it provides less information for alternate paths though.

EIGRP automatically summarizes at classful network boundaries because summarization is generally helpful and EIGRP is built to recognize opportunities such as this to optimize the network (Most Admins disable auto summarization because it does not match their needs, instead manually configure it at interface level).

Certain topologies pose problems for EIGRP networks. Like the hub-and-spoke design often used between remote sites and regional offices. Popular dual-hub configuration provides redundancy and allows for potential for routers to reflect queries back to one another. Summarization and filters make network design work well while also allowing queries to be managed effectively.

Guideline to Scaling Issues

Assign addresses and organize links so that natural points for summarization exist. A hierarhical network design IOW.
Provide sufficient hardware resources (mem and CPU) on network devices.
Use sufficient bandwidth on the WAN links.
Use filters to limit advertisements.
Monitor the network.

I’m very strange. Every time I type Hello, I have a voice in my head going “Hello Kitty”. So share my pain “Hello Kitty”!

Hello Kitty
I’m going to kick myself later when I read over this post again cause this is going to get stuck in my head again.

Resources:

Stewart, B,D., Gough, C (2008). CCNP BSCI Official Exam Certification Guide, Fourth Edition. Indianapolis: Cisco Press.

Notes and Notices:

This is a part of my personal BSCI notes and research to assist myself in learning and understanding the concepts and theory for the BSCI exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BSCI Certification.

BSCI Design Foundation – Network Models

Published

Deon Botha

on July 25, 2008

in BSCI, BSCI Notes, Certification, Cisco Systems, Concepts and Constructs, ECNM, Enterprise Architecture, IIN and SONA

. 0 Comments

Design – Hierarchical

Where networks once were non-hierarchical (layer-1 design, layer-2 design, layer-3 design) they are generally now three-layer hierarchical in design (above). Cisco has been using this model for years and it gave a high-level overview of how a reliable network could be conceived but was largely conceptual because it did not provide specific guidance on “how-to” implement certain things, like:

Implementing redundancy,
Adding Internet Access,
Accounting for remote users,
Locating workgroup and enterprise services

Design – Enterprise Composite Network Model (ECNM)

Revisions to the hierarchical design showed redundant distribution and core devices and connections to make the hierarchical model more fault tolerant. The switch block design (above) explained how redundancy fit into a network, but still did not really adequately specify other parts of the network design. This lead to the Enterprise Composite Network Model (ECNM) development to address the failures of both the hierarchical model and switch block model.

This ECNM is broken into three large pieces:

Enterprise Campus,
Enterprise Edge,
Service Provider Edge.

Enterprise Composite Network Model

ECNM – Campus

The enterprise campus looks very much like the above switch block design with some added details:

Campus Backbone (like the core layer of the hierarchical model),
Building Distribution,
Building Access,
Management,
Server Farm (Enterprise Services).

The ECNM Campus builds onto the Switch block design but gives specific guidance as to where to place servers and management equipment. Take note that the servers look like a switch block and are redundantly attached (dual-homed) to the switches (not really shown nicely in the diagram).

ECNM – Enterprise Edge

The Enterprise edge shows the connections that the enterprise has with the wide area (other networks) and include:

E-Commerce,
Remote Access,
Internet Connectivity,
WAN (Internal links to other branches).

ECNM – Service Provider Edge

The service provider edge includes the public networks that facilitate wide area (other networks) connectivity:

Internet Service Provider (ISP),
Public Switched Telephone Network (PSTN) for dialup,
Frame Relay, ATM, and PPP for private connections.

Multiplexing

Historically voice traffic used one set of circuits and data traffic another. Also if you wanted more than one “number” the telecommunications company installed another physical line to your premises. If you wanted access to a data network they installed a data line for that purpose.

With line technologies like the T-carrier system (USA, Japan, Korea) 24 pulse-code modulated (I don’t know need to ask one the engineers about this), time-division multiplexed speech signals are carried over 2 copper pairs. This type of technology saved the telecommunications companies a lot of money in building out subscriber lines. The problem with T1 as a technology is that it cannot adjust as the customer usage requirements changes (see E-carrier system for Europe and other countries).

As technology changes so does the requirements from that technology; Modern networks are designed to carry voice, video, enterprise applications, normal LAN traffic and management traffic all on the same single secure infrastructure (convergence). The traffic is forced (statistically multiplexed) to share access to the network.

Service-Orientated Network Architecture (SONA) and Intelligent Information Network (IIN)

As covered above “Multiplexing” described the idea of a converged network as a system that integrates what was previously disparate systems (voice, video, data). The traffic types usually found on a converged network would include, but may not be limited to:

voice signalling and bearer traffic,
Core application traffic (ERP and CRM),
Transactional traffic related to database interactions (SQL),
Network management traffic for monitoring and maintaining the network structure (including routing protocol traffic),
Multicast multimedia,
Other traffic (web, e-mail, file transfer).

Each of the above traffic types has its own requirements and expectations that govern its successful execution. These requirements include security, QoS, transmission capacity, and delay.

To support this kind of multiplexed traffic, Cisco routers are able to implement filtering, compression, prioritization, and policing (dedicating network capacity). Except for the filtering process these processes are collectively known as QoS.

As an alternative to QoS, Cisco has an ideal called the Intelligent Information Network (IIN). This vision describes a network that integrates network and application functionality cooperatively allowing the network to be “smart” about how it handles traffic to minimize the footprint of applications. The IIN evolution is described in three phases:

Phase 1: Integrated Transport, deals with a converged network, built along a similar fashion of the ECNM and based on open standards (cross-compatibility)
Phase 2: Integrated Services, posits virtualization of resources such as servers, storage and network access; to move to an “on-demand” model. Don’t think marketing/advertising “virtualization” think practical virtualization the ISR routers (routing, switching, voice, network management, security and wireless) designed as an aio (all-in-one) appliance and Vitalizing Servers (if you have proper designed for the job servers) you can’t be trying this on SMB servers or try recycling 10 year old technology and thinking “bargain let’s load 5 operating systems on this”.
Phase 3: Integrated Applications, using application orientated networking (AON) to make the network “aware” allowing the network to actively monitor and participate in service delivery.

Service-Orientated Network Architecture (SONA) is the practical application or “how-to” of IIN in enterprise networks. SONA breaks down IIN into three layers;

SONA Infrastructure Layer is basically the same as IIN Phase 1,
SONA interactive Services Layer maps to IIN Phase 2,
SONA Application Layer has the same concepts as IIN Phase 3.

Resources:

Aragoen Celtdra on BSCI: Network Architecture and Design

Notes and Notices:

Switch Security Layer-2 Attacks – One

Published

Deon Botha

on May 27, 2008

in 802.1X, AAA, BCMSN, CAM, Certification, Cisco Systems, Concepts and Constructs, MAC Address Flooding, Port Security and TCAM

. 0 Comments

Mac-Address-Flooding

MAC Address Flooding

MAC Address flooding results in a switch’s CAM table overflow, which causes flooding of regular data frames out all switch ports. This attack can be launched for the malicious purpose of collecting a broad sample of traffic or as a denial of service (DoS) attack.

A switch has a limited CAM table and can only contain a limited number of entries at one time. If for example an intruder at the beginning of a work day floods a switch with invalid MAC entries then until the invalid entries expire the switch will flood all frames out all ports. This has two negative effects:

Switch traffic is inefficient and voluminous
The attacker/intruder connected to a switch port and capture traffic that is not normally seen on that port.

Mitigation of this attack is to configure port-security and defining the number of MAC addresses allowed on a given port. Port security can also specify the MAC addresses allowed on a port.

Port Security

This is a feature of Cisco Catalyst Switches, it is a security feature that restricts a switch port to a specific number of MAC addresses. These MAC addresses can be dynamically learned or statically configured. When configured the switch will only allow frames on those ports from the configured MAC addresses.

NB if you configure 4 MAC addresses and don’t specify them, the switch will learn 4 addresses dynamically. Those 4 will then be the MAC addresses allowed.

A feature (on some platforms) combine statically configured and dynamically learnt addresses. When configured an interface converts dynamically learnt addresses to “sticky secure” addresses. This adds those addresses to the config as if they were added by switchport port-security mac-address

Port Security – Configuration

Enable Port Security on the Switch:

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport port-security

Set the maximum number of MAC addresses that will be allowed on the port (default is one)

switch(config-if)#switchport port-security maximum value

Be sure to set this value to 2 when you have a Cisco IP Phone and a desktop attached to a switchport. I know I didn’t do this and it resulted in a port security violation. My bad.

Now Option 1 you can set whether the MAC address(es) learnt must be aged out after X time

switch(config-if)#switchport port-security aging 1-1024

Now optional 2 specify the MAC addresses that will be allowed on the port (this can also be dynamically learnt thats why its optional)

switch(config-if)#switchport port-security mac-address mad-address switch(config-if)#switchport port-security mac-address mad-address

Finally set the action to be taken if something goes wrong (mac address attack)

switch(config-if)#switchport port-security violation {shutdown/restrict/protect}

Protect Mode drops the frame and leaves no syslog message, Restrict mode drops the frame and logs the drop + a SMTP trap is sent, and finally shutdown logs + SMTP traps + errdisables the interface (CAT OS, Cisco IOS).

Port security has a feature called “sticky MAC address” that can limit switch port access to a single, specific MAC address without the network administrator having to gather MAC addresses of every legitimate device and manually associate it with a particular switch port (This cannot be used where Voice VLANs are in use).

switch(config-if)#switchport port-security mac-address sticky

Last but not least lets check port-security:

switch(config)#show port-security

Authentication

Authentication, authorization and accounting (AAA) network security services provide a framework through which acess control is set up on a network. Authentication is the way a user is identified before being allowed access to the network and network services. AAA authentication is configured by defining a list of named authentication methods and then applying that list to various interfaces. The list defined the type of authentication (enable password, Kerberos 5, Kerberos 5-Telnet Authentication, Line Password, Local database, Local database with case sensitive, No Authentication, RADIUS, TACACS+) to be performed and the sequence in which they will be performed.

The only exception is the “default” list. The default list is automatically applied to all interfaces if no other method/list is defined. A defined method/list overrides the default list.

802.1x

IEEE 802.1x defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. Until a workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port. After authentication normal traffic can pass through.

With 802.1x port-based authentication, the devices in the network have specific port roles:

Client: the end-device that requests access to the LAN and switch. The end-device must be running 802.1x compliant software. (the port the end-device (client) is attached to is the supplicant)

Authentication server: performs the actual authentication. The server authenticates the identity of the client and lets the switch know whether to let the end-device access the LAN. As the switch is acting as a proxy the authentication service is transparent to the end-device. The RADIUS security system with Extensible Authentication Protocol (EAP) is the only supported authentication server.

Switch (authenticator): controls physical access onto the network. Acts as an intermediary (proxy service) between client and authentication server. The switch uses a RADIUS software agent responsible for encapsulating and decapsulating EAP frames and interacting with the authentication server.

802.1x Configure

Enable AAA

switch#configure terminal switch(config)#aaa new-model

You Radius Server Location

switch(config)#radius-server host 000.000.000.000auth-port port key auth-key

Create a 802.1x port-based authentication method list

switch(config)#aaa authentication dot1x default group radius

Globally configure 802.1x port-based autnetication

switch(config)#dot1q system-auth-control

OR enter enable 802.1x on an interface

switch(config)#interface gigabitethernet 0/1 switch(config-if)#dot1x port-control auto

Definition

Content Addressable Memory (CAM)is a specialized type of memory think of it as the opposite of Random Access Memory (RAM). With RAM an Operating Sysem (OS) provides an address, and receives the data stored at the supplied address. With CAM, the OS supplies the data, and the CAM returns a list of addresses where the data is stored, if any. Also a CAM searches the entire memory in one operation therefore is faster than RAM.

Binary CAMssearch only for 1 and 0’s (ON or OFF). A MAC address table in switches commonly get stored inside binary CAMs (sometimes even called a CAM Table).

A Ternary CAM (TCAM)allows the OS to match a third state, “X.” The “X” state is a “mask” and could be anything. Routers can store their entire routing table in these TCAMs, allowing for very quick lookups.

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

Switch Security – Wireless

Published

Deon Botha

on May 27, 2008

in 802.11, Access Point, BCMSN, BPDU Guard, Certification, Cisco Systems, Concepts and Constructs, Root Guard, STP and Wireless

. 0 Comments

This post will be broken into five (including this one) smaller posts. This is taking me far longer than I imagined to finish “Switch Security” (the last section of work before revision) as a section and I have had a few too many close calls in losing this draft post as it gets bigger and bigger.

Security has in the past been focused from the outside in and at the upper layers of the OSI model. Think of the deployment in most situations of a firewall (at the edge). Firewall and security devices often focus on edge routing devices and layer-3 and layer-4 information, stateful packet inspection, etc.

This being said internal communication is often open and unhindered. This is because out of the box “internal” trusted devices forward and just “trust” all. If an attack is launched from inside the network (trusted) then it often goes without notice for a long time. Many security features are available for internal network devices but they must be activated to work.

Access Points

With the large scale adoption of Access Points (APs) and other Wireless devices many employees want the same devices at work as those they enjoy at home. This brings with it the problem of employees plugging wireless AP devices into the office network (Malicious Rogues) when the IT department has no knowledge and has not given consent for these devices to operate on the enterprise network. This is a serious breach of company security because the APs are plugged into a network point (trusted) behind the firewall (untrusted) intentionally hidden from view (behind credenzas, filing cabinets, etc) and network view (SMTP, etc). Because John Doe office employee isn’t thinking about the L33t Hacker or Security ramifications they make the wireless AP work (without any security measures whatsoever).

To mitigate against Spanning Tree Protocol (STP) manipulation, use root guard and the BPDU guard enhancement commands. These commands enforce the placement of the root bridge in the network and enforce the STP domain borders. BPDU guard is best deployed towards user-facing ports to prevent rogue switch-network extensions by an attacker.

Notes and Notices:

QoS and Voice Traffic

Published

Deon Botha

on May 22, 2008

in AutoQoS, BCMSN, Certification, Cisco Systems, CoS, Concepts and Constructs, NBAR, QoS and Trunk

. 1 Comment

Definitions

ingress: arrives/come in/enter

egress: leaving/exit/to go

Its the new words of the day so its going to be used alot

Introduction

Regardless of the speed of individual switches (slower/older vs. faster/newer switches) or links (10/100), speed mismatches (ingress 1000/egress 100), many-to-one switching fabrics(multiple access layer switches into a distribution layer switch), and aggregation (multiple devices communicating through a single connection or to a single device or server) may cause a device to experience congestion, which can result in latency that result in dropped packets.

If and inevitably when congestion occurs (I have heard of enterprise pay-rolls that cause certain amounts of congestion on a network at the end of each month) and congestion management features are not in place (QoS, load balancing on servers, etc) then some packets will be dropped, causing retransmission (TCP) that inevitably increase overall network load and if voice and video are on the network (UDP) the inevitable will be angry employees. QoS can to an extent mitigate latency caused by congestion.

QoS is implemented by classifying and marking traffic at one device while allowing other devices to prioritize or to queue the traffic according to those marks applied to individual frames or packets.

LAN-Based Classification and Marking of Traffic

Classification and marking of traffic is the process of identifying traffic for prioritization as that traffic moves across the network. Traffic is classified by examining information at various layers of the Open Systems Interconnection (OSI) model. IP traffic can be classified according to any values configurable in an access control list (ACL) or any of these layers:

Layer-2 parameters: MAC Address, Multiprotocol Label Switching (MPLS), ATM Cell Loss Priority (CLP) bit, Frame Relay discard eligible (DE) bit, ingress interface
Layer-3 parameters: IP precedence, DiffServ Code Point (DSCP), QoS group, IP Address, ingress interface
Layer-4 parameters: TCP or User Datagram Protocol (UDP) ports, ingress interface
Layer-7 parameters: Application signature, ingress interface

QoS marks (values) establish priority levels (priority classes of service) for network traffic as it is processed by each switch (Access, Distribution, or Core). Once traffic is marked with a QoS value, then QoS policies on switches and interfaces will handle traffic accordingly at the frame and packet level. As a result of classification and marking, traffic will be prioritized accordingly at each switch to ensure that delay-sensitive traffic receives priority processing (voice, video) while non-delay sensitive data traffic waits it’s turn as each switch manages congestion, delay, and bandwidth allocation.

Layer-2 Qos

QoS layer-2 classification occurs by examining information in the Ethernet or 802.1Q header (trunking), like destination MAC Address, Virtual Local Area Network (VLAN) ID. QoS layer-2 markings occur in the priority field of the 802.1q header (LAN layer-2 headers have no place for this so 802.1Q encapsulation must occur). The priority field is 3 bits long (a.k.a 802.1p User Priority or class of Service (CoS) value).

The 3-bit Priority field can carry a value of 1 to 7; 1 is associated with delay tolerant traffic like TCP/IP traffic. Voice traffic receiving a higher priority for Call Signalling receiving a 3 value and Voice bearer traffic 5 value.

As a result of Layer-2 Classifications and marking, these QoS operations can occur:

Input queue scheduling: when a frame enters a port, it can be assigned to one of a number of port-based queues before being scheduled for switching to an egress port. Typically, multiple queues are used where traffic requires different levels of service.
Policing: is the process of inspecting a frame to see if it has exceeded a predefined rate of traffic within a certain time frame that is typically a fixed number internal to a switch. If a frame is determined to be in excess of the predefined rate limit, it can either be dropped, or the CoS value be marked down.
Output Queue Scheduling: is where the switch will place the frame into an appropriate egress queue for switching. The switch will perform buffer management on this queue by ensuring that the buffer does not overflow.

Layer-3 QoS

QoS layer-3 classification occurs by examining information of the header values such as destination IP address or protocol. Qos Layer-3 markings occurs in the Type of Service (ToS) byte in the IP header. The first three bits of the ToS byte are occupied by IP precedence, which correlates to three CoS bits carried in the Layer-2 header.

The ToS byte can also be used for DSCP marking that allows prioritization hop by hop as packets are processed on each switch and interface.

Trust Boundaries

In QoS campus implementations, trust boundaries are defined/created where existing QoS values that are attached to frames and packets are to be accepted or altered. These “trusts” are established by configuring trust levels on the ports of key peripheral network devices where QoS policies will be enforced (trusted) as traffic makes its way into/onto the network. At this entry point traffic will be allowed or not allowed to retain its original QoS markings or will be ascribed new markings (best practice is to mark traffic as close to the source as possible).

In practice this means that if you have a network with a Desktop/Notebook attached to a Cisco IP Phone attached to a Catalyst Switch attached to a Cisco Router the trust boundary can be set at the Cisco IP Phone. Where the IP Phone attaches priority values which are then trusted.

Otherwise if there is a Desktop/Notebook with Softphone attached to a Catalyst Switch attached to a Router the trust boundary can be set to the Desktop/Notebook. Where the softphone attaches priority values which are then trusted.

Configuration IP Phone Attachment

This goes hand in hand with how to configure VLANs first off we create a VLAN

switch#configure terminal switch(config)#vlan 10 name 001-WORK-STATION switch(config)#vlan 100 name 001-IP-PHONE

Now we need to assign the Data and Voice VLAN to a interface

switch(config)#interface gigabitethernet 0/1 switch(config-if)#switchport voice vlan 100 switch(config-if)#switchport access vlan 10

Now we need to setup trust as they arrive at the switch port

switch(config-if)#mls qos trust cos

Finally set the trust conditional to a Cisco IP Phone being attached

switch(config-if)#mls qos trust device cisco-phone

Auto QoS

Cisco AutoQoS gives the ability to deploy QoS features for converged IP Telephony and allow for telephony networks to be deployed quicker and efficiently than if it had to be done manually. Cisco AutoQoS generates traffic classes and policy map command-line (CLI) templates across platforms that are the same where doing things manually might not have the same congruence. Cisco AutoQoS simplifies and automates the QoS CLI (MQC) definition of traffic classes and the creation and configuration of traffic policies.

AutoQos can be beneficial in these scenarios:

SMB that deploy IP Telephony quickly but lack experience and staffing to deploy IP QoS Services.
Large enterprises that need to deploy Cisco Systems Telephony solutions on a large scale, while reducing costs, complexity, and time frame for deployment, and ensuring that the appropriate QoS for voice applications is being set in a consistent fashion.
International enterprises or service providers requiring QoS for VoIP where little expertise exists in different regions of the world and where provisioning QoS remotely and across different time-zones is difficult.
Service providers requiring a template-driven approach to deliver managed services and QoS for voice traffic of customer premises devices.

Cisco AutoQoS simplifies and shortens the deployment cycle in the following ways:

Application classification: By leveraging intelligent classification on routers Cisco network-based application recognition (NBAR) provides stateful and deep packet inspection. Cisco AutoQos uses Cisco Discovery Protocol (CDP) for voice packets to ensure that end-device attached to the Local Area Network (LAN) is really an Cisco IP Phones (keep in mind that CDP is Cisco Proprietary).
Policy Generation: Cisco AutoQos evaluates the network environment and generates the initial policy. This feature automatically generates interface configurations, policy maps, class maps, and Access Control Lists (ACL).
Configurations: Using one command, Cisco AutoQoS configures the port to prioritize voice traffic without affecting other network traffic, while still offering the flexibility to adjust QoS settings for unique network requirements. Cisco AutoQoS will automatically detect Cisco IP Phones and enable QoS settings, in turn it will also disable QoS settings to prevent malicious activity when a Cisco IP Phone is relocated or moved.
Monitoring and reporting: Cisco AutoQoS provides visibility into the Class of Service (CoS) deployed via system logging and Simple Network Management Protocol (SNMP) traps, with notification of abnormal events(VoIP packet drops).
Consistency: Cisco AutoQoS configurations are consistent among router and switch platforms. This level of consistency ensures seamless QoS operation and interoperability within the network.

Cisco Catalyst Switch Configuration – Cat OS

To configure the global QoS settings

Console> (enable) set qos autoqos ......... All ingress and egress QoS scheduling parameters configured on all ports. CoS to DSCP, DSCP to CoS. Precedence to DSCP and policed dscp maps configured. Global QoS configured, port specific autoqos recommended: set port qos <mod/port> autoqos trust <cos/dscp> set port qos <mod/port> autoqos voip <ciscoipphone/ciscosoftphone>

To configure Cisco AutoQoS settings and the trusted boundary features on/for Cisco IP Phones, CDP V.2 or later needs to be enabled on a port. If the trusted boundary feature is enabled. You will receive a syslog warning message if CDP is not running or CDP V.1 is running.

CDP need not be enabled if you do not use the ciscoipphone QoS configuraiton.
Console> (enable) set port qos 4/1 autoqos voip ciscoipphone Warning: CDP is disabled or CDP version 1 is in use. Ensure that CDP version 2 is enabled globally, and also ensure that CDP is enabled on the port(s) you wish to configure autoqos on. Port 4/1 ingress QoS configures for ciscoipphone. It is recommended to execute the "set qos autoquos" gloval command if not executed previously. Console> (enable)

To configure the port-specific QoS macro that handles all inbound QoS configurations that are specific to a particular port. This should only be used when the port connects to other known switches or servers because the port tursts all inbound traffic marked.
Console> (enable) set port qos 4/1 autoqos voip code/dscp

Cisco Catalyst Switch Configuration – Cisco IOS

When Cisco AutoQos in enabled on the first interface, QoS is globally enabled. This would be like configuring this command

switch#configure terminal switch(config)msl qos

To in turn enable QoS on an interface use this command that tells the switch that the interface is connected to a trusted router/switch and that the VoIP classifications in the ingress packet should be trusted:

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#auto qos voip trust

OR that the interface is connected to a Cisco IP Phone, the QoS labels of incoming packets are trusted only when the IP Phone is detected; this enabled CDP to detect the IP Phones absence or presence.

switch#configure terminal switch(config)#interface gigabitethernet 0/1 switch(config-if)#auto qos voip cisco-phone
To check config use the following command
switch#show auto qos interface-id

Cisco AutoQoS Automation

Cisco AutoQoS automates several things when configured. It enforces trust boundaries on Cisco Catalyst switches access ports, uplinks and downlinks. Enables Catalyst strict priority queuing (PQ) (a.k.a expedited queuing) with weighted round-robin (WRR) scheduling for voice and data traffic. It configures queue admission criteria and finally modifies queue sizes and weights as needed.

Notes and Notices:

Planning Voice on a Data Network

Published

Deon Botha

on May 21, 2008

in BCMSN, Certification, Cisco Systems and VoIP

. 0 Comments

There are numerous benefits to packet switched telephony:

More efficient use of bandwidth and kit: Traditional telephony networks use a 64-kbps (For argument lets say 1B Channel on a ISDN line) channel for every voice call. Packet telephony shares bandwidth among multiple logical connections and offloads traffic volumes from existing voice switches.
Lower costs for telephony network transmissions: A substantial amount of equipment is needed to combine 64-kbps (ISDN) channels into a high-speed link for transport across a network (Lets say an ISDN PRI). Packet telephony statistically multiplexes voice traffic alongside data traffic. This consolidation represents substantial savings on CAPEX and OPEX.
Consolidated voice and data network expenses: Data networks functioning separately from voice networks become major traffic carriers. The underlying voice networks can be converted to utilize the packet-switched architecture to create a single integrated communications network with a common switching and transmission system. The benefit is CAPEX and OPEX savings.
Increased revenues from new services: Packet telephony enables new integrated services, such as broadcast-quality audio, unified messaging, and real-time voice and data collaboration. These services increase employees productivity and profit margins well above those of basic voice services. In addition, these services enable companies and service providers to differentiate themselves and improve their market position.
Greater innovation in services: Unified communications use the IP infrastructure to consolidate communications methods that were previously independent (Fax, voicemail, email, wireline telephone, cellular phone, and the web). The IP Infrastructure provides users with a common method to access messages and initiate real-time communications – independent of time, location, or device.
Adding to new communications devices acket technology can reach devices that are largely inaccessible to the time-division multiplexing (TDM) infrastructures of today (pcs, wireless devices, household appliances, PDAs). Access to these devices enable companies and service providers to increase the volume of communications they deliver, the breadth of service they offer, and the number of subscribers they serve. Packet technology, therefore, enables companies to market new devices, including videophones, multimedia terminals, and advanced IP Phones.
Flexible new pricing structures: Companies and services providers with packet-switched networks can transform their service and pricing models. Because network bandwidth can be dynamically allocated, network usage no longer needs to be measured in minutes or distance. Dynamic allocation gives service providers the flexibility to meet the needs of their customers in ways that bring them the greatest benefits.

The basic components for voice on a IP network are as follows:

IP Phones: The end-device on desks
Gatekeeper: Provides Connection Admission Control (CAC), bandwidth control and management and address translation.
Gateway: Provides translation between voice over Internet Protocol (VoIP) and non-VoIP networks, such as the public switched telephone network (PSTN). It provides physical access for local analog and digital devices (telephones, fax machines, and PBXs)
Multipoint Control Unit: Provides real-time connectivity for participants in multiple locations to attend the same videoconference or meeting.
Call Agent: Provides call control for IP Phones, CAC, bandwidth control and management, and address translation.
Application Server: Provides services such as voicemail, unified messaging, and Cisco CallManager Attendant Console.
Videoconference Station: Provides access for end-users participation in videoconferencing. This station has a video camera and a microphone. The user can view video streams and hear the audio that originates from the remote user station.

There are other components not listed here like voice applications, interactive voice response (IVR) systems, and softphones that meet the specific needs of enterprise.

Voice and Data Traffic Characteristics

Voice traffic has extremely stringent QoS requirements (because it is extremely delay sensitive). Voice traffic generates a smooth demand on bandwidth and has minimal impact on other traffic (60 – 120 bytes), as long as voice traffic is managed. Because of the resulting time sensitive nature User Datagram Protocol (UDP) is used to package voice packets; TCP retransmit capabilities have no value (because if it needs to be retransmitted then there is delay in the actual conversation occuring NOW).

For voice quality, delay should be no more than 150ms (one-way) and less than 1% packet loss. A typical voice call requires 17 – 106 kbps of guaranteed priority bandwidth, plus additional 150bps per call for voice-control traffic. Multiplying this out for the maximum calls expected during busiest times the overall bandwidth requirements for voice traffic can be calculated.

Because Data traffic is not as delay sensitive and can tolearate high drop rates the restransmit capabilities of TCP has become important, as a result many applications use by default TCP.

In networks, important business critical applications are ussually easy to identify. Most applications can be identified based on TCP or UDP port numbers (HTTP, HTTPS, FTP, TELNET, SQL, ETC). Some application use dynamic port numbers that, to some extent, make classification more difficult. Cisco IOS software supports network-based application recognition (NBAR), which can be used to recognize dynamic port applications.

VoIP Call Flow

As I mentioned in a previous post (see HSRP Accross Trunk Links) and some other places its best practice to setup voice and data on separate VLANs (I did in my own network). This is done so that QoS can be applied to prioritize the VoIP traffic as it traverses the network. If this is not done then voice and data traffic contend for available traffic without consideration for other devices (one or the other is going to suffer).

A major component of designing a successful IP Telephony network is bandwidth provisioning. The bandwidth requirement is calculated by adding the total required bandwidth for voice, video and data together; the sum should not be more than 75% of the link total.

For a traffic perspective IP Telephony consists of two types of traffic:

Voice Carrier Stream consists of Real-Time Transport Protocol (RTP) packets that contain actual voice samples.
Call Control Signaling that contains packets belonging to one of several protocols used to set up, maintain, tear down, or redirect calls. Depending on the end-point this could be H.323 or Media Gateway Control Protocol (MGCP)

Auxiliary VLANs

Some Cisco Catalyst switches offer a unique feature called “Auxiliary VLAN“. This feature allows one to overlay a voice topology over an existing data network. One can segment phones into a separate logical network, even though the data and voice network are physically the same.

The auxiliary VLAN feature places the phones into their own VLANs without any end-user configuration. Additionally VLAN assignment can be maintained even if the phone is moved.

How this works is that when a phone is plugged into the switch (whichever port), the phone will request a DHCP address, and the phone is placed in a VLAN automatically. With phones in their own VLANs administrators can troubleshoot and identify problems easily. This also makes enforcement of QoS and security policies easier.

QoS

QoS is the application of features and functionality required to actively manage and satisfy the networking requirements of applications that are sensitive to loss, delay and delay variations (jitter). QoS allows preference to be given to critical application flows for the available bandwidth.

Cisco IOS implementations allows for QoS to provid these features:

Priority access to resources: QoS allows administrators to control which traffic it allows to access specific network resources such as bandwidth, kit, and WAN links.
Efficient management of network resources: If network management and accounting tools indicate that specific traffic is experiencing latency, jitter, and packet loss, then QoS tools can be used to adjust how traffic is handled.
Tailored service: The control provided by QoS enables Internet Service Providers to offer carefully tailored grades of service to their customers.
Coexistance of mission-citical applications: QoS technologies ensure that mission-critical applications receive priority access to network resources while providing adequate processing for applications that are not delay sensitive.

High Availability

Traditional Telephony networks strive to provide 99.999 (5.25 minutes) of downtime a year. This is less downtime than most data networks. To provide the same experience this means choosing hardware and software with a low mean time between failure (MTBF) or installing redundant links and hardware.

Availability is when a user wants to make a call the network is able to respond to that need. Efforts to ensure availability would include proactive management to predict failure and taking steps to correct problems in design of the network as it grows. When the converged network goes down things downtime can be minutes, hours or days. This is unacceptable in a converged network where downtime means no phone calls. Providing for uninterpretable power supplies (UPS), lighting arrestors and other means to ensure availability at all costs.

High Availability encompases many areas of a network. In a fully redundant network these components need to be duplicated:

Servers and call managers,
Acces layer devices (layer-2 switches)
Distribution layer devices (routers or Layer-3 switches)
Core layer devices (layer-3 switches)
Interconnections (WAN links, PSTN Gateways, ISP links)
Power supplies and UPSs

Notes and Notices:

Implementation of a WLAN

Published

Deon Botha

on May 20, 2008

in 802.11, Access Point, BCMSN, Certification, Cisco Systems, Concepts and Constructs and Wireless

. 0 Comments

This post brings together the theory into a more practical setting. This post covers the two types of Wireless Local Area Network (WLAN) implementations that Cisco offers namely autonomous WLAN Access Points (AP) and lightweight APs (LAP) with WLAN Controller (WLC).

For ease of my own use and understanding, I am going to use the proper acronums an Autonomous Access Point (AP), a lightweight Access Point (LAP) this is however not to be confused (NB) with Lightweight Access Point Protocol (LWAPP).

So take note of when I talk about hardware and the protocol in my notes. So to round up an AP is a full IOS Access Point able to be used in a stand-alone environment and can be downgraded for use (in most cases) to become an LAP; a LAP is a less extensive IOS feature-set and needs to be used in conjunction with a Wireless LAN Controller (WLC), then finally LWAPP is the protocol.

Autonomous APs

Jumping right in an AP implementation has various components, some of which are considered needed and some of which are considered optional:

A Cisco AP that uses Cisco IOS Software. To show this in an example the Cisco product code AIR-AP1131AG-x-K9 is a Aironet (AIR) product, is an autonomous Access Point (AP) of the 1131 product range at least Wireless 802.11 A and G capable (AG) this example product code is non region specific (x) and is an export restricted product range due to cryptology information resident in IOS (K9). If this was region specific the (x) would change to A=FCC, C=China, E=ETSI, I=Israel, J=TELEC (Japan), K=Korea, N=North America (Excluding FCC), P=Japan2, S=Singapore, or T=Taiwan.
Network infrastructure like switches and routers. Switches with Power over Ethernet (PoE) can provide power to AP.
Wireless Domain Services (WDS) for radio frequency (RF) management and fast, secure roaming. You can run Cisco Structured Wireless Aware Network (SWAN) WDS on Cisco Aironet APs, Cisco Catalyst Switches and Cisco Routers. The following list supports SWAN WDS Aironet 1230 AG, 1240AG, 1200, 1130 AG 1100 Series APs, Catalyst 6500 Series Wireless LAN Services Module (WLSM), Cisco 3800, 3700 Series Integrates Services Routers (ISR) and some models of 2800 and 2600 series ISR that run Cisco IOS version 12.3(11)T or later.
CiscoWorks Wireless LAN Solution Engine (WLSE) for Management (optional).
Cisco Secure Access Control Server (ACS) for security using RADIUS and TACACS+ protocols.

Lightweight APs

A Cisco Lightweight Access Point (LAP) that uses Cisco IOS Software. To show this in an example the Cisco product code AIR-LAP1131AG-x-K9 is a Aironet (AIR) product, is an Lightweight Access Point (LAP) of the 1131 product range at least Wireless 802.11 A and G capable (AG) this example product code is non region specific (x) and is an export restricted product range due to cryptology information resident in IOS (K9). If this was region specific the (x) would change to A=FCC, C=China, E=ETSI, I=Israel, J=TELEC (Japan), K=Korea, N=North America (Excluding FCC), P=Japan2, S=Singapore, or T=Taiwan.
Network infrastructure like switches and routers. Switches with Power over Ethernet (PoE) can provide power to AP.
Cisco Wireless LAN Controller (WLC) for configuration of the Access Points.
Cisco Wireless Control System (WCS) for management (optional).
Cisco Wireless Location Appliance for location tracking
Cisco Secure Access Control Server (ACS) for security using RADIUS and TACACS+ protocols.

Comparison of WLAN Solutions

The above two bullet lists should show that autonomous and lightweight WLAN solutions have some differences.

The main difference being in Autonomous mode the Cisco IOS feature set is more extensive and as the name denotes autonomy meaning “the right to govern itself” so each AP is configured individually and manage themselves (this can and probably will at some point lead to configuration errors if there are more than a couple of APs). Centralized management is possible through WLSE. Redundancy is achieved at the AP level (do the math if its cheaper to add APs than to add a WLC then this is the option).

In Lightweight mode a Wireless LAN Controller takes the centralized configuration and means the APs are dependant on the WLC (read point of failure) and pushed the configs to the APs. This gives congruence between the APs on the network without much hard work. Centralized management is possible through WCS. Redundancy is achieved at the WLC level (do the math if its cheaper to add a WLC than to just add APs then this is the option).

LAP Solution

LAP architecture splits processing of the 802.11 protocol between two devices; the LAP and the WLC. The processing of the 802.11 data and management protocols and the AP functionality is also divided between the two devices. This approach is called split MAC.

The LAP handles the portions of the protocol that have real-time requirements:

Frame Exchange handshake between a end-device and AP when transferring a frame over the air.
Transmission of beacon frames.
Buffering and transmission of frames for end-devices in power save operation
Response to probe request frames from end-devices
Forwarding notifications of received probe requests to the controller
Providing real-time signal quality information to the controller with every received frame.
Monitoring each radio channel for noise, interference, and presence of other WLANs.
Monitoring of presence of other LAPs.

The remaining functions are all handled by the WLC because either the function is not time-sensitive or a system wide visibility is required by the function.

802.11 authentication
802.11 association and re-association (mobility)
802.11 frame translation and bridging

The control (management) traffic between the AP and the WLC is encapsulated using LWAPP and encrypted using Advanced Encryption Standard (AES); the data from the LAP and the WLC is also encapsulated using LWAPP but not encrypted. The data is switched once it reaches the WLC where it receives VLAN tagging, quality of service (QoS).

Layer-2 and Layer-3 Mode of LWAPP

Layer-2 LWAPP is in an Ethernet Frame. For layer-2 mode, the WLC and WLAP must be in the same broadcast domain and IP subnet.

Layer-3 LWAPP is in a User Datagram Protocol (UDP)/IP Packet. The WLC and WLAP can be in the same or different broadcast domains and IP Subnets. For layer-3 operation WLAP need IP Addresses. They must obtain these IP Addresses via DHCP.

So to bring this together; think of a network in your mind, if the network is flat/or the WLAP and WLC are located on the same network segment; iow is a switched network then the LAWPs can use either layer-2 or layer-3 mode. If the WLAPs and the WLC find themselves spread across the enterprise (physically) meaning that they would be in different subnets and on different segments (I’m thinking big business) you must use layer-3 mode.

LAP Association

There is a nice explanation on this document. A LAP will search for a WLC first using LWAPP layer-2 mode, then layer-3 mode. The process runs as followings; the LAP requests an IP Address via DHCP, the LAP then sends a LWAPP discovery request to the management IP address of the WLC via a broadcast.

The LWC responds with a discovery response from the management IP Address. This response includes the number of AP associated to the Access Point Manager interface and the Access Point Manager IP address.

The LAP then chooses the Access Point Manager with the least number of associated APs and sends a join request.

All following communication between the LAP and the WLC is done via the Access Point Manager IP Address.

Cisco Aironet WLC

The Cisco Aironet standalone WLCs range (2106, 4402 and 4404) are designed for Small and medium enterprise/business (SMB) to medium to large enterprise.

The 2106 Series allows Small and medium sized enterprise/business (SMB) environments to support up to six LAPs and are fairly cost effective (this is objective). With integrated DHCP services, zero-touch AP configuration, the Cisco 2106 is built for SMB companies that don’t have on-site IT support, like branch offices with distributed offices (i.e. corporate infrastructure and support teams to lean on when things go wrong).

The Cisco 4400 series is built for medium to large enterprise/business.

Cisco 4402
- 2 GigabitEthernet (GE) ports
- Configurations that support 12, 25, and 50 APs
- One Expansion Slot
Cisco 4404
- 4 GE ports
- Support for 100 APs
- Two Expansion slots

Optional redundant power supplies to ensure maximum availability can be purchased for the 4400 Series.

WLC are also available for the Cisco Catalyst 6500 and Cisco Integrated Sercies Routers (ISR) in the form of Integrated Controllers of Controller Modules.

Notes and Notices:

Power over Ethernet

Published

Deon Botha

on May 20, 2008

in BCMSN, Certification, Cisco Systems and PoE

. 1 Comment

If you haven’t come across this before, go to some reading. Power over Ethernet (PoE) is a great technology and allows for something akin to USB charging of your cellphone or iPod just from a network perspective. To get this out the way, its expensive, bloody expensive compared to non PoE similar kit but decreases cost and complexity of installations.

When I say something is expensive take the base model of a series, for example 24 port 10/100 which is what everyone uses as a copmarison model and compare that to the same series model 24 port 10/100/1000 PoE. The comparison is not apples with apples, and the price will not reflect true for PoE and Gigabit Ethernet per port. The term you pay peanuts you get monkeys doesn’t apply, you pay for 10/100 you get 10/100 because you need it, you pay 10/100/1000 PoE you get exactly that because you need that.

Most Cisco APs, phones and other end-devices that need external power can be powered using PoE (over a Ethernet Cable) thereby eliminating the need to run AC Power to the AP (standard Ethernet Applies 100m). If there is doubt on this topic ask your Partner and/or Distributor whether it can or read up at Cisco.com

PoE kit supply up to 15W per port which is required for dual-mode APs and most Cisco phones.

PoE Delivery

PoE detection in IEEE 802.3af and Cisco use different methods.

The first step would of course be to detect if power is required.
The second step would be what amount is required.

Cisco uses Cisco Discovery Protocol (CDP) in the powered device to inform the switch about the amount of power used.

PoE can be supplier over wire pairs 1,2 and 3,6 OR 4,5 and 7,8

The IEEE 802.3af specify that both methods must be supported on powered devices.

Midspan PoE

Midspan Power Injection add power to Ethernet cable between switches and end-devices. The spare pairs 4,5 and 7,8 is used for this. This will require 8 wire cabling. This technique does not extend the 100 M wire limit for Ethernet, this also is not available for 1000TX Gigabit Ethernet.

PoE Configuration
To confirugre Inline Power per interface use the following config
switch#configure terminal switch(config)interface gigabitethernet 0/1 switch(config-if)power inline auto | never

To show the inline power configuration globally optionally add the specific interface you want to drill-down

switch#show power inline interface

Notes and Notices:

WLAN Standards

Published

Deon Botha

on May 15, 2008

in 802.11, Access Point, BCMSN, Certification, Cisco Systems, Concepts and Constructs and Wireless

. 0 Comments

This is a generally a nice to know topic; if you don’t want to know the basics on “how” it works but rather just care that it works this might not be “light” reading.

There are “generally” (dependant on your country) unlicensed bands:

900-MHz Industrial, Scientific and Medical (ISM) Band (902-MHz to 928-MHz)
2.4-GHz Industrial, Scientific and Medical (ISM) Band (2400-MHz to 2483-MHz) (Japan to 2495-MHz)
5.7-GHz Unlicensed National Information Infrastructure (UNII) Band (5150-MHz to 5350/5725/5825 MHz) (Not all countries support 802.11a)

Radio Frequency Transmission (for dummies i.e. with no electric/electronic engineering background a.k.a ME):

Radio Frequencies (RF) are radiated (why does this not make me feel better I’ve seen what a microwave do when it radiates things) into the air by antennas that create radio waves. When radio waves are propagated through objects, they may be absorbed (walls) or reflected (metal). This absorption may cause areas of low-signal.

Radio wave transmission is affected by the three factors:

Reflection: when RF waves bounce of objects (metal, glass)
Scattering: when RF waves strike uneven surfaces and are reflected in many directions
Absorption: when RF waves are absorbed by objects (concrete, bricks, walls)

Data Transmission over Radio Waves (for dummies i.e. with no eletric/electronic engineering background a.k.a ME):

Higher data rates (faster connection) have shorter range because the receiver needs a stronger signal with a better signal-to-noise ratio (SNR) to retrieve the information.
Higher transmit power results in greater range. To double the range, the power has to be increased by a factor of 4 (four).
Higher data rates require more bandwidth. Increased bandwidth is possible with higher frequencies.
Higher frequencies have shorter range through higher degradation and absorption. More efficient antennas can compensate for this effect.

WLAN Regulations and Standardizations:

Regulatory Agencies control the use and enjoyment of RF bands. The two main regulatory agencies are the FCC (USA) and ETSI (Europe) (South Africa and EMEA region if in doubt follow ETSI).

The network (802) standardization is done by the IEEE. The wireless (802.11) standards are part of the network standard these include 802.11 a/b/g and soon to be finalized/ratified n.

Finally the Wi-Fi Alliance offers certification for vendors of 802.11 products so that their products are interoperable. The Wi-Fi Alliance certifications include all three 802.11 RF technologies and Wi-Fi Protected Access (WPA) security model (2003) based on IEEE 802.11i (ratified 2004).

IEEE 802.11b

Ratified Sept 1999

Operates in the 2.4-GHz ISM Band

Specifies direct sequence spread spectrum (DSSS)

Specifies four data rates up to 11-Mbps (1, 2, 5.5, and 11-Mbps)

Throughput Mbps * 1024/Users = X kbps Bandwidth per user

2.4-GHz Channels

Up until this point Wireless channels might not have made “sense” if you weren’t as I joked “previously advantaged” with a electrical or electronic engineering qualification. Those ladies and gents are force fed this amongst other things for at the very least a semester in university so they know this kind of thing backwards (I know how they complained about it). If you are like myself a business grad then this is all new.

What this graph shows (pay attention to the grey highlight) is 3 non-overlapping Channels (except for Japan). If you are in Japan you can use the 14th channel along with 3 others to have access to 4 total channels.

This information is region specific and then also country specific (I know South Africa in general follows ETSI which falls under EMEA). Some countries may allow 14 channels while others may only allow 1 channel.

At a Cisco Tech-Update (I can’t remember the speaker forgive me) Wireless channel usage was explained using the below diagram and it made all the above fall into place for me.

What the diagram shows is the 2.4-Ghz frequency (visually) with the channels laid out how all the channels overlap. This is what 802.11 b/g “looks” like with the 3 non-overlapping channels (black).

Example: Three non-overlapping channels (1, 6, and 11) that do not share RFs. There would be no degradation in throughput if 3 APs were to operate in the same cell using channels 1, 6, and 11.

To show the maths 3 APs on 3 non-overlapping channels (2, 6, and 11) provide an aggregate data-rate for a cell of 33-Mbps (11-Mbps x 3), with an aggregated throughput of approx. 16-Mbps (33-Mbps/2).

Example: Three APs sharing the same channel, in the same cell.

To show the math 3 APs on the same channel(1, 1, and 1) provide an aggregate data rate a 11-Mbps but an aggregated throughput of 6-Mbps. This results from APs sharing a cell.

Example: Three APs sharing overlapping channels, in the same cell.

To show the math 3 APs on overlapping channels (1, 2, and 3) the throughput could drop to well below 1-Mbps due to interference.

Channel Reuse

At the same Tech Update they explained how using the non-overlapping channels a deployment can be done where none of the same channels border. Imagine the cells from top down on an overaly of an office plan looking like the diagram below.

Data Rates

WLAN clients (end-devices) can shift data rates as they move. The closer you are to a AP the better coverage will be (11-Mbps), as you move away from the AP coverage will get worse (5.5-Mbps) and worse (2-Mbps) and worse (1-Mbps) until there is no signal. This data rate shifting occurs without user interaction or connection loss.

This rate shifting also happens on a transmission-by-transmission basis; whereby the AP can support multiple clients at multiple speeds (meaning transmissions 1 might be 11-Mbps and transmission 2 might be 1-Mbps depending on the end-user location).

IEEE 802.11a

Ratified Sept 1999

Operates in the 5-GHz ISM Band

Uses orthogonal frequency-division multiplexing (OFDM)

Specifies eight data rates up to 54-Mbps (6, 9, 12, 18, 24, 36, 48, 54-Mbps)

FCC – 12 to 23 non-overlapping channels

ETSI – up to 19 non-overlapping channels

Regulatory differences across countries

802.11a requires Transmit (Tx) power control and dynamic frequency selection (802.11h)

Throughput Mbps * 1024/Users = X kbps Bandwidth per user

5-GHz Channels

802.11a must comply with two features in 802.11h namely Transmit Power Control (TPC) and Dynamic Frequency Selection (DFS).

TPC links back to the basics, the more Transmit Power pumped into an AP the greater the range (greater range = less data-rate). TPC is where an AP exchanges transmit power information with end-device adapters. This has a twofold advantage:

end-device adapters use only enough power to maintain association with APs at any given data rate. In turn conserving energy (good for mobile devices and at current Eksom).
end-devices contribute less to adjacent cell interference.

DFS is where the AP monitors the available 5-Ghz RF spectrum radar installations in the environment and if found flags the appropriate channel(s) as unavailable. DFS continually monitors the operating environment for changes during operation.

IEEE 802.11g

Ratified June 2003

Operates in the 2.4-GHz ISM Band as 802.11b

Uses direct sequence spread spectrum (DSSS) complementary code keying (CKK) and orthogonal frequency-division multiplexing (OFDM)

Specifies twelve data rates up to 54-Mbps (1, 2, 5.5, 11-Mbps DSSS/802.11b and 6, 9, 12, 18, 24, 36, 48, 54-Mbps OFDM).

Throughput Mbps * 1024/Users = X kbps Bandwidth per user

Security and Mitigation of Wireless Risks

Linking back to the beginning of this post and why Wireless could potentially be a security threat. The process of Wireless is “Radio Frequencies (RF) (that) are radiated into the air by antennas that create radio waves” and in turn your network data travels across radio waves from source (server or point A) to destination (end-device or point B).

This wireless communication if left unsecured, leaves a wide open method of access to anyone that wants to enter, use and abuse your enterprise infrastructure. With the low cost of IEEE 802.11 wireless equipment these days adoption is gaining in the mass market (home, small office/home office (SOHO), small medium business (SMB)). With greater adoption of the mass market the products are easier to use and deploy and implement (graphical user interface (GUI) deployments and out the box operation). This large adoption also makes for sub-business class consumer grade products making a regular appearance in server-rooms, business settings and other environments where they are definitely not meant to be (don’t get me wrong consumer products work great for a family of 5 people but aren’t built or designed to handle with an office of 10 people or a department of 50 people).

There are many large telco (Telkom) companies that offer pre-configured Wi-Fi combination routers with the DSL accounts. Most if not the majority of users literally plug and play (plug it in and use it with default settings). This is a very conducive environment for “war driving” for the single purpose of free Internet, collecting sensitive information through the use of various freely available tools and applications.

The Process

Anyone implementing Wireless needs to at the very least consider security which is a three step process of Authentication (802.1x or Extensible Authentication Protocol (EAP)), Encryption (Wi-Fi Protected Access (WPA – TKIP, WPA2 – AES or TKIP)) and Intrusion Detection and Protection (IDS and IPS).

Wireless Association

Looking at how end-devices (clients like notebooks, smartphones, PDAs) associate with APs then something I mentioned in a previous post will crystallize.

APs broadcast (send out) beacons with SSIDs (one or many), data rates (depending on distance from AP) and other information. The end-device scans the available channels looking for beacons and responses from APs. The end-device then in turn associates with the AP with the strongest signal.

If you are using a mobile device and moving with your device and signal becomes weak this process will repeat.

It is during this association process that SSID, MAC address and security settings are sent from end-device to the AP and checked. This is what we are going to be talking about in the next couple of paragraphs.

Authentication

When an end-device attempts to associate this is done via the 802.1x protocol. The end-device is called a supplicant which communicates with an autonomous AP* (called the authenticator) that communicates and in turn authenticates to an Authentication, Authorization and Accounting Server (AAA Server) like RADIUS/TACACS+ or Cisco Secure ACS.

*LWAPP uses the WLAN controller that acts as the Athenticator that in turn communicates and authenticates with the AAA Server.

Encryption

After authentication is successful (if unsuccessful the connection is denied) data between the end-device and the AP is sent encrypted in either TKIP or AES encryption.

Definitions

Signal-to-Noise

Notes and Notices:

WLAN Infrastructure Topologies

Published

Deon Botha

on May 14, 2008

in 802.11, Access Point, BCMSN, Certification, Cisco Systems, Concepts and Constructs and Wireless

. 2 Comments

As talked about in the previous post the difference between a wired LAN and a Wireless Local Area Networks (WLANs) is that the Layer-1 transmission medium of a traditional wired local area network (LAN) (CAT-5 cable) is replaced with Radio Frequency (RF) transmissions.

What follows is the pimping of Cisco Aironet products and where they fit into three main wireless categories:

Wireless in-building LANs for client Access: The Cisco Aironet products can plug into an existing wired infrastructure and function like an overlay to the existing LAN or even replace the wired LAN.

Wireless Building-to-Building bridges: The Cisco Aironet products can provide wireless bridging to connect two or more networks that are physically separated to be connected on one LAN without the time or expense required to get physical lines to be installed.

Wireless mesh networks: Mesh networking is a mixture of the above two categories. Mesh networking provide dynamic, redundant, fault-tolerant links for building and client access.

Service Set Identifier (SSID)

Myth: Hidden (not broadcasting) the SSID makes a wireless network secure.

The SSID is the “name” of a wireless cell, this name is used to logically separate WLANs. The SSID must match exactly between the client and the access point for them to connect. The Access Point (AP) sends the SSID out in beacons.

The beacons are broadcasts that an AP sends to advertise available services, these beacons go out whether SSID is hidden or not (Clients can be configured without a SSID, where they learn the SSID from the beacons of the AP).

The Topology Basic

Extended Services Set: Two or more Basic Serve sets (Mobile clients use a single AP to connect) are connected by a common distribution system (backbone) An Extended Service Set includes a common SSID to allow roaming from AP to AP without client config.

The diagram shows the WLAN topology with 2 APs and some devices (Microsoft Icons) that I know to be Wi-Fi capable (from left to right tablet notebook, projector, PDA, smartphone, notebook).

Wireless Cell: The basic area is the RF coverage provided by an AP (Channel 1 or Channel 2 NOT both). This area is also called the “microcell“. To extend/enlarge/make bigger the basic area one simply adds APs (Recently microcell has moved to picocell reducing AP coverage by reducing power and increasing total number of AP deployed).

The basic area of an AP is called the service set, the basic area of the combined APs is called the extended services set (There is a recommended 10 – 15 % overlap between cells for data networks to allow roaming without losing RF connection. There is a 15 – 20% overlap for voice/data/video networks). Bordering cells should be set to different non-overlapping channels for best performance (more on this later).

Access Point: The name is self explanatory reverse the name Point “of” Access. As the name denotes this is the point at which client-devices connect/access the wireless network. The APs connect to then to the Ethernet backbone and facilitate the communication between wired and wireless networks

The AP is the master of a given cell and manages/controls traffic to and from the network (remote devices do not communicate with each other they communicate through the AP).

Picocell: the benefit of a picocell is better coverage, less interference, higher data rates, and fault tolerance through convergence. When an AP goes down, the neighbouring AP expands coverage by increasing power (this increases the RF range) to cover for the lost AP. (Look into WLAN Controllers cause this gets complicated to do manually quickly with say more than 5 APs)

Wireless Repeater

In environments (factory floors, doctors room, large retail, wholesale storehouses) where its just not practical to put down a wired LAN or the application of the network wouldn’t work with a wired system a wireless repeater can be put down.

A wireless repeater is a AP that is not connected to the Wired LAN (Requires 50% overlap of the AP on the Wired LAN side). This setup however has a large throughput impact where throughput is decreased by half due to the receive and retransmit time.

The SSID of the AP (the one on the left) must be configured on the wireless repeater (the one on the right). The wireless repeater uses the same channel as the AP (NB not all implementations support this).

Workgroup Bridge

Cisco Wireless Workgroup Bridge (WGB) (Reference Cisco Q&A Document) that connects to the Ethernet (RJ-45) port of any end-device (if it has a Ethernet port and is therefore network-able) that doesn’t have a WLAN Network Interface Card (NIC) (either because the end-device doesn’t have the option of a Peripheral Component Interconnect (PCI) slot, Personal Computer Memory Card International Association (PCMCIA) slot or USB slot, or software for WLAN connectivity).

A WGB provides a single MAC address connection into an AP and in turn then onto the Wired LAN backbone (The WGB cannot work in peer-to-peer mode). Another option is to connect a remote workgroups wired LAN. To implement a remote workgroup installation (i.e. multiple MAC addresses) the WGB is connected to a hub/switch switch with a Ethernet patch cable (for single MAC Address use a crossover cable) (NB not all implementations support this).

Ad-hoc mode

Wireless Ad Hoc Mode

Ad-Hoc Mode: This is called Independant Basic Service Set (IBSS). Mobile clients connect directly without an AP.

Peer-to-Peer (P2P) a.k.a Ad-hoc mode networking is the opposite of a Server-Client model (duh). This can be in a wired or wireless environment and is where a group of end-devices come together and form an ad-hoc/P2P network with each other to share files, pictures, music, movies and applications (The ease and current application (Kazaa and Torrents) of this type of network is the main reason the RIAA hates ad-hoc/P2P networks).

In a WLAN the coverage is very limited; where all users must be in wireless reception distance of each other. There are a couple of problems with P2P “office” networks one being that security is almost non-existent, other problems being that there is no central location for any files, applications, or printing.

In most P2P environments I have found that the receptionist is given the “server-role” Pc which creates other larger problems. The person at the front desk in a company is the receptionist, in case of a theft the first computer out the door is the server. In most cases the most “spam” is received by a receptionist (classing teddy-bears, hearts and hugs, chain-mail, friend-mail, etc. as spam) being on numerous forwarding lists increases the risk of virus, trojan, worm infection. If the company allows internet access to employees its only a matter of time before the “server” begins doing its own thing.

In a WLAN it is not a good idea (iow just don’t do it) to connect a Server, or a Server-Role computer using Wireless

Roaming

Wireless Roaming

The roaming “feature” on wireless allows a mobile user to move from one cell to another without a drop in signal or need to manually change network settings. Roaming is enabled by complete coverage with wireless cells.

Seamless roaming allows for users to move around from one cell to another.
Power management lengthens the battery life of portable devices (i.e. they don’t have to search for wireless networks all the time)
Dynamic Load Balancing distributes users among access points to increase throughput for each user.
AP with overlapping coverage cells and redundant switches provide fault tolerant WLAN networks.

A user experiences “roaming” when one of the following conditions is met:

The maximum data retry count is exceeded.
The client has missed too many beacons from the access point.
The client has reduced the data rate.
The client intends to search for a new AP at periodic intervals.

Roaming without service interruption requires identical SSIDs, VLANs and IP subnets on all APs. The client initiates the roaming when he/she searches for another AP with the same SSID and then sends a re-authentication request (for voice and video short roaming times are important).

Layer-2 and Layer-3 Roaming

Wireless Layer-2 and Layer-3 Roaming

Roaming from one AP to another AP on the same subnet (Cell 1 to Cell 2) would be considered Layer-2 roaming (data link layer). Roaming between APs that reside on different subnets (Cell 1 to Cell3) would be considered Layer-3 roaming (network layer).

Layer-2 roaming is managed by the AP, using mulicast packets that inform switches that a devices has moved. The protocol between the APs is called Inter-Access Point Protocol (IAPP).

Layer-3 roaming is managed by either Mobile IP or Lightweight Access Point Protocol (LWAPP) with a WLAN controller.

Mobile IP: allows fixed IP addresses in an IP Subnet of a network. It relies on devices like routers (home agents and foreign agents), to runel traffic for a mobile device. This was used in Legacy WLANs.

Wireless VLAN Support

Switches use VLANs to separate traffic. WLAN APs can in turn extend the VLANs by mapping VLANs to SSIDs. The VLANs then share the same wireless cell and channel end result being virtualization of the AP.

Through the use of trunking (ISL or 802.1q) the VLANs can be mapped to APs from a/the switch allowing roaming throughout the enterprise. A Cisco Aironet AP can be configured with 8 – 16 VLANs for system design flexibility. (Some client NICs require SSID broadcast, the AP can be configured for SSID broadcast per VLAN).

Wireless Enterprise (read business) Voice Architecture

Wired LAN Voice (IP Phone) networks can be extended using the 802.11e standard that specifies QoS upstream and downstram for WLAN networks. This is very important because of the delay sensitive nature of voice.

Wireless Mes Networks

A Mesh network infrastructure is decentralized and inexpensive because each node needs to transmit only as far as the next node (WirelessAfrica). The nodes act as repeaters to transmit data from nearby nodes to peers that are too far away to reach. The result is a network that can span a large area (cost effectively if each node is owned by individuals).

Mesh Networks are reliable because each node connects to several other nodes. Wireless Mesh networks differ from conventional infrastructure wireless networks in that only a subset of nodes need to be directly connected to the wired network. Extra capacity can be added by installing more nodes. Through the use of Cisco Adaptive Wireless Path Protocol (AWP(P)) each device can find a way back to wired APs and thus by extension the network. Paths (of which there are multiple) through the network can change in response traffic load, radio conditions, or traffic prioritization. The network can cover more distance by using wireless to wireless connectivity. Unlicensed bandwidth (cheap) and wireless routing allow microcells to interconnect over wireless backhaul links.

AWP Protocol

AWP allows APs to communicate with each other to determine the best path back to the wired network. After optimal path selection is estalbished, AWP continues to run as a background service to establish alternate paths to the wired network or if topology changes or other conditions causes the link streghth to diminish. (AWP runs on each AP)

AWP is a wireless protocol by design and takes into consideration wireless radio factors like interference to make a mesh network self-configuring and self-healing. Because wireless is dynamic, addition to the network causes AWP to reconfigure paths back to the wired network automatically. AWP also uses stickiness to mitigate route flaps (disconnection/temporary disruption doesnt cause mesh change).

Notes and Notices:

Network Ninja

Tag Archive for 'Model'

Enhanced Interior Gateway Routing Protocol – Tables

BSCI Design Foundation – Network Models

Switch Security Layer-2 Attacks – One

Switch Security – Wireless

QoS and Voice Traffic

Planning Voice on a Data Network

Implementation of a WLAN

Power over Ethernet

WLAN Standards

WLAN Infrastructure Topologies

Search

About

Latest

Archives

Categories