Monday, July 21, 2008

Configure DHCP

Configuring DHCP Server
A Cisco router running IOS can be configured as a DHCP server. The steps to configure a Cisco router to be a DHCP server are:

  • Step 1. Define the addresses that must not be handed out. These are typically the static addresses of servers, printers, switch management interfaces and the gateway/router itself. The command to specify the excluded addresses is
ip dhcp excluded-address low-address [high-address]

low-address: the (lowest) address of the reserved range that should not be used for DHCP address allocation.
high-address: optional; if you want to reserve a range, this is the highest address of the range. Without it only low-address is excluded.

Best practice is to configure these exclusions first, at the global configuration level, so the server cannot accidentally lease a reserved address before the pool is created.

  • Step 2. Create a DHCP pool using the command
ip dhcp pool pool-name

pool-name: the name of the pool to be created.

After entering the command you are in DHCP pool configuration mode (the prompt changes to Router(dhcp-config)#). At this level you configure the specifics of the pool.

  • Step 3. Configure the specifics of the pool. Here you define the network the pool serves and the gateway address of that network. To define the network of the pool use the command
network network-number [mask | /prefix-length]

network-number: the network address
mask: subnet mask (or prefix length) of the network; if omitted the classful mask is used

To define a default gateway for the network enter the following command
default-router address [address2 ... address8]

Typically the gateway address is the address of the router's LAN interface connected to the network. At least one address is required but you can list up to eight addresses.
There are some optional configurations for the DHCP pool. Some of those optional commands are
  • define the DNS server(s)
dns-server address [address2 ... address8]
  • define the domain name
domain-name domain
  • define the duration of the lease (the IOS default is one day)
lease {days [hours [minutes]] | infinite}
  • define the NetBIOS WINS server(s)
netbios-name-server address [address2 ... address8]



Here is an example that configures DHCP for network 192.168.10.0/24, where 192.168.10.1 - 192.168.10.10 and 192.168.10.100 must not be used for DHCP address allocation. The pool is named "pool1" and the router's LAN address 192.168.10.1 is the default gateway (note that it sits inside the excluded range, which is exactly what you want).

ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.10.100
ip dhcp pool pool1
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
end


To verify the DHCP configuration use the command "show ip dhcp binding" at privileged EXEC mode. It shows the current bindings of pool addresses to clients (IP address, client identifier/hardware address and lease expiration). Use "show ip dhcp server statistics" to see DHCP statistics and the messages received/sent by the server. To see information about the pools that have been created use "show ip dhcp pool". "show ip dhcp conflict" lists addresses the server found already in use (by ping or gratuitous ARP) before offering them.

Administrators can also reserve an address for a specific client so that it gets the same address every time it boots: create a separate pool containing a single "host" address and bind it to the client with "hardware-address" (its MAC) or "client-identifier".

DHCP service can be disabled with the command "no service dhcp" and re-enabled with "service dhcp".

You can also configure a router to be a DHCP server using SDM. Click the Configure tab, then in the task list open the DHCP folder > DHCP Pool and click the Add button. A dialog box appears with text fields for the pool parameters such as the pool name, pool network, starting and ending address of the pool, lease time, etc. When you have finished specifying the parameters, click OK. SDM automatically excludes the IP address used by the router interface connected to the LAN of the pool.

Configure DHCP Client
Sometimes a Cisco router on a SOHO network needs to get the IP address of its outside interface assigned automatically by the ISP. This is done with the command "ip address dhcp" on the interface that should get its address from a DHCP server.
Example: a Cisco router is connected to an ISP through interface Serial0/0/0. The ISP assigns this interface its address, so the address must not be configured manually. The commands are
interface serial0/0/0
ip address dhcp
no shutdown


DHCP Relay
In most enterprise environments servers, including the DHCP server, are located in a separate network (the server farm). A problem arises when a client needs an address from a DHCP server on a separate network: DHCPDISCOVER is a broadcast message and a router does not forward broadcasts to other networks. (This problem is not specific to DHCP; other services use broadcasts too. Cisco routers and other devices use broadcasts to locate a TFTP server or an authentication server such as a TACACS server.)
The problem is solved by configuring the intervening router to act as a DHCP relay agent with the Cisco IOS helper address feature. This lets the router forward DHCP messages to the DHCP server. To configure a router as a relay agent, use the following command on the interface that receives the broadcast (the one directly connected to the client)
ip helper-address forward-address

forward-address: the IP address to which the broadcasts will be forwarded.

With that command, broadcasts received on the interface are forwarded to the specified address as unicast packets. The relay sets the Gateway IP Address (giaddr) field of the DHCP message to the address of the receiving interface, which is how the server knows which pool to allocate from, and the server sends its reply back to the relay, which delivers it to the client.

Example: host1 on subnet 192.168.10.0 needs to obtain its address from a DHCP server on subnet 192.168.20.0. Both are separated by a router. host1 (subnet 192.168.10.0) is connected to the router's FastEthernet0/0 interface. The DHCP server address is 192.168.20.254. Assuming you are at the global configuration level of the router, enter the following commands
interface FastEthernet0/0
ip helper-address 192.168.20.254


By default, ip helper-address forwards the following eight UDP services:
  • Port 37: time
  • Port 49: TACACS
  • Port 53: DNS
  • Port 67: DHCP/BOOTP server
  • Port 68: DHCP/BOOTP client
  • Port 69: TFTP
  • Port 137: NetBIOS name service
  • Port 138: NetBIOS datagram service

To add other services use the global command "ip forward-protocol udp port". Because all eight are forwarded by default, a helper address meant only for DHCP also relays TFTP, TACACS and NetBIOS broadcasts to that host; disable the ones you do not need with "no ip forward-protocol udp port".


DHCP

Routers, servers and other devices whose location does not usually change, physically or logically, may be given static IP addresses. Client workstations, however, are likely to be moved. Having to give each workstation a new IP address every time it moves is a burden for network administrators. DHCP helps with this task: with DHCP, IP addressing is done automatically and transparently. Usually network administrators use a separate server to offer DHCP services. In a small organization or SOHO environment a Cisco router can be used as the DHCP server; the IOS feature set called Easy IP offers a full-featured DHCP server.

DHCP servers assign not only an IP address to a client but also the subnet mask, a gateway address and DNS server addresses. DHCP works in a client/server model.

The main task of a DHCP server is to provide IP addresses to clients. DHCP includes three different IP address allocation mechanisms:

  • Manual allocation. The administrator pre-assigns an IP address to a particular workstation (usually by its MAC address). DHCP will only allocate that address to the specified client.
  • Automatic allocation. DHCP automatically assigns an IP address selected from a pool to a device. There is no lease; the address is permanently assigned to the device.
  • Dynamic allocation. DHCP automatically assigns an IP address selected from a pool to a device. The address is leased to the device for a period of time or until the client signals that it no longer needs it. This ensures that hosts that have moved or no longer need an address do not keep holding it. When the lease expires the server returns the address to the pool for reallocation. Clients must contact the DHCP server periodically to extend the lease (normally when half the lease time has passed, well before it expires).


DHCP Operations
  • Discover. When a client boots or wants to join a network, it sends a DHCPDISCOVER message to find a DHCP server. Because the client does not yet have a valid address, it uses the L2 and L3 broadcast addresses (ff:ff:ff:ff:ff:ff and 255.255.255.255) to reach the server.
  • Offer. When the DHCP server receives the DHCPDISCOVER, it picks an available IP address from the pool and offers it to the requesting client. The offer is sent as a DHCPOFFER message, unicast at L2 (under some circumstances, for instance when the client set the broadcast flag, it is broadcast instead) using the server's MAC address as the source and the requesting client's MAC address as the destination.
  • Request. After the client receives the DHCPOFFER, it sends back a DHCPREQUEST message. This message has two purposes: lease origination, and lease renewal and verification. When used as lease origination, the DHCPREQUEST asks that the IP information be verified after it has been assigned, which gives error checking that the assignment is valid. The DHCPREQUEST also serves as a binding acceptance notice to the selected server and an implicit decline to any other servers that may have offered the host a binding (many organizations use multiple DHCP servers); the chosen server is named in the Server Identifier option.
  • Acknowledge. After receiving the DHCPREQUEST, the DHCP server sends a DHCPACK message to the requesting client. The DHCPACK carries the same transaction ID and the confirmed configuration, with the message type field set to DHCPACK. When the client receives the DHCPACK it logs the configuration information and sends an ARP request for the leased IP address; if there is no reply the client knows the address is not already in use and starts using it. The lease time is set by the network administrator on the server (the IOS default is one day).



BOOTP
BOOTP (RFC 951) is the predecessor of DHCP and shares some operational characteristics with it (both are client/server based and use UDP ports 67 and 68). BOOTP is a way to download an address and boot configuration for diskless workstations (for example, an automated cash register system at a supermarket). Three primary differences between DHCP and BOOTP are:
  • BOOTP is used for manual pre-configuration while DHCP supports dynamic address allocation. When a client requests an address from a BOOTP server, the server looks up the client's MAC address; if it exists in the server database, the server gives the client the address and configuration bound to that MAC. This means the binding must be entered manually on the server.
  • DHCP uses a leasing system. A client is given an address for a period of time; when the time is over the address can be allocated to another client. BOOTP clients have reserved IP addresses that cannot be allocated to any other client.
  • BOOTP only supports 4 configuration parameters. DHCP supports over 20 configuration parameters (domain name, WINS, and so on).

For compatibility, DHCP messages have the same format as BOOTP messages, except that DHCP messages have an additional variable-length field called DHCP options. The fields in a DHCP message are:
  • Operation Code (OP). 1 byte. Specifies the general type of the message: 1 indicates a request (BOOTREQUEST), 2 a reply (BOOTREPLY).
  • Hardware Type. 1 byte. Indicates the type of hardware used in the network. For example, 1 is Ethernet, 15 is Frame Relay and 20 is a serial line. These are the same codes used in ARP messages.
  • Hardware Address Length. 1 byte. Specifies the length of the hardware address (6 for Ethernet).
  • Hops. 1 byte. Set to 0 by clients before transmitting a request and incremented by relay agents to control the forwarding of DHCP messages.
  • Transaction Identifier. 4 bytes. Generated by the client to match its request with the replies from the server.
  • Seconds. 2 bytes. Number of seconds elapsed since the client began trying to acquire or renew its address. DHCP servers use this to prioritize client requests.
  • Flags. 2 bytes. Only one bit is used, the broadcast bit. A client that cannot yet receive unicast IP datagrams sets the broadcast bit to 1 in its request; the server (or relay) then sends the reply as a broadcast.
  • Client IP Address. 4 bytes. Set by the client when it has a valid, usable address while in the bound state; otherwise it is 0. The client cannot use this during the process of acquiring an address.
  • Your IP Address. 4 bytes. The IP address the server offers to the client.
  • Server IP Address. 4 bytes. The address of the next server the client should use in the boot process (for example a TFTP server); filled in by the server. The server identifies itself to the client separately, in the Server Identifier DHCP option, and the client echoes that option in its DHCPREQUEST to select the server.
  • Gateway IP Address. 4 bytes. Filled in by the relay agent with the address of the interface that received the client's broadcast. This is what lets DHCP work between different subnets or networks.
  • Client Hardware Address. 16 bytes. The physical-layer address of the client.
  • Server Name. 64 bytes. A server sending a DHCPOFFER or DHCPACK message may include its name in this field; the name could be a nickname or its DNS domain name.
  • Boot Filename. 128 bytes. Optionally used by a client to request a particular type of boot file in a DHCPDISCOVER message, and used by a server to fully specify a boot file directory and filename in a DHCPOFFER message.
  • Options. Variable length. Holds the optional parameters used by DHCP. Both client and server may use this field. The options area starts with the 4-byte "magic cookie" 99.130.83.99 and is terminated by option 255 (End).


If a client is configured to acquire its address automatically, it sends a DHCPDISCOVER when it boots or senses an active network connection. Because the client has no idea which subnet it belongs to, it sends the DHCPDISCOVER as an IP broadcast (destination 255.255.255.255) with the source IP address set to 0.0.0.0. The server notes the Gateway IP Address of the message: if it is 0.0.0.0 the server knows the client is on the same subnet as the server, otherwise it selects the pool that matches the relay's address. Clients send messages to the server on port 67; servers send messages to the client on port 68.
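The relay and message-format sections above, as an added worked example that is not part of the original post: a small Python model of the DHCPDISCOVER/DHCPOFFER exchange across a relay. It serialises and parses the RFC 2131 fields listed above, performs the giaddr/hops rewrite that ip helper-address does, and lets a server choose an address from a pool while honouring excluded addresses. The MAC address, transaction ID, pool, exclusions and addresses (192.168.10.0/24, relay 192.168.10.1, server 192.168.20.254) are constructed to match the examples on this page; the Pool class and function names are mine, not IOS code.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # 99.130.83.99: start of the DHCP options area
BOOTREQUEST, BOOTREPLY = 1, 2           # op field
DHCPDISCOVER, DHCPOFFER = 1, 2          # option 53 (message type) values
OPT_ROUTER, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 51, 53, 54, 255
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"    # op .. file: the 236 fixed bytes of RFC 2131

def build(op, xid, hops=0, flags=0, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
          siaddr="0.0.0.0", giaddr="0.0.0.0", chaddr=b"", options=()):
    """Serialise one DHCP message; options is an iterable of (code, value bytes)."""
    ip = lambda a: ipaddress.IPv4Address(a).packed
    head = struct.pack(FIXED, op, 1, len(chaddr), hops, xid, 0, flags, ip(ciaddr),
                       ip(yiaddr), ip(siaddr), ip(giaddr), chaddr, b"", b"")
    body = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in options)
    return head + MAGIC_COOKIE + body + bytes([OPT_END])

def parse(pkt):
    """Inverse of build(): the fixed fields plus an {option code: value} dict."""
    f = struct.unpack(FIXED, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie: plain BOOTP or truncated packet")
    ip = lambda b: str(ipaddress.IPv4Address(b))
    msg = dict(op=f[0], htype=f[1], hlen=f[2], hops=f[3], xid=f[4], secs=f[5], flags=f[6],
               ciaddr=ip(f[7]), yiaddr=ip(f[8]), siaddr=ip(f[9]), giaddr=ip(f[10]),
               chaddr=f[11][:f[2]], options={})
    i = 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                 # pad option: single byte, no length
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def relay(pkt, interface_addr):
    """What 'ip helper-address' does to a client broadcast: stamp giaddr with the
    receiving interface's address (only the first relay does), bump hops, and
    return the copy that is then sent as unicast to the configured server."""
    m = parse(pkt)
    if m["giaddr"] == "0.0.0.0":
        m["giaddr"] = interface_addr
    m["hops"] += 1
    return build(m["op"], m["xid"], m["hops"], m["flags"], m["ciaddr"], m["yiaddr"],
                 m["siaddr"], m["giaddr"], m["chaddr"], m["options"].items())

class Pool:
    """One 'ip dhcp pool': network, default-router, lease and the excluded addresses."""
    def __init__(self, network, default_router, excluded=(), lease=86400):
        self.net = ipaddress.IPv4Network(network)
        self.router, self.lease, self.bindings, self.excluded = default_router, lease, {}, set()
        for low, high in excluded:      # mirrors 'ip dhcp excluded-address low [high]'
            lo, hi = int(ipaddress.IPv4Address(low)), int(ipaddress.IPv4Address(high or low))
            self.excluded.update(str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1))

    def allocate(self, chaddr):
        if chaddr in self.bindings:     # a known client keeps its address
            return self.bindings[chaddr]
        for host in map(str, self.net.hosts()):
            if host not in self.excluded and host not in self.bindings.values():
                self.bindings[chaddr] = host
                return host
        return None                     # pool exhausted

def serve(pkt, pools, server_addr):
    """Server side: choose the pool by giaddr (relayed) or by its own address (local),
    allocate, and answer with a DHCPOFFER carrying router, lease and server identifier."""
    m = parse(pkt)
    if m["op"] != BOOTREQUEST or m["options"].get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        return None
    locator = ipaddress.IPv4Address(m["giaddr"] if m["giaddr"] != "0.0.0.0" else server_addr)
    pool = next((p for p in pools if locator in p.net), None)
    offered = pool.allocate(m["chaddr"]) if pool else None
    if offered is None:
        return None
    opts = [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
            (OPT_SERVER_ID, ipaddress.IPv4Address(server_addr).packed),
            (OPT_LEASE, struct.pack("!I", pool.lease)),
            (OPT_ROUTER, ipaddress.IPv4Address(pool.router).packed)]
    return build(BOOTREPLY, m["xid"], m["hops"], m["flags"], yiaddr=offered,
                 giaddr=m["giaddr"], chaddr=m["chaddr"], options=opts)

def demo():
    """host1 on 192.168.10.0/24 behind Fa0/0 (192.168.10.1); server at 192.168.20.254."""
    mac = bytes.fromhex("0011223344aa")  # constructed client MAC
    discover = build(BOOTREQUEST, 0x3903F326, chaddr=mac,
                     options=[(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    relayed = relay(discover, "192.168.10.1")
    pools = [Pool("192.168.10.0/24", "192.168.10.1",
                  excluded=[("192.168.10.1", "192.168.10.10"), ("192.168.10.100", None)])]
    offer = serve(relayed, pools, "192.168.20.254")
    return parse(relayed), parse(offer)
```

demo() returns the relayed DISCOVER (giaddr now 192.168.10.1, hops 1) and the OFFER: because .1 through .10 are excluded, the first address handed out is 192.168.10.11, and the offer names the router (option 3), the lease (option 51) and the server identifier (option 54) the client will echo in its DHCPREQUEST. Feeding serve() a DISCOVER whose giaddr matches no pool returns None, which is also what happens on a real server when the relay's interface address is not covered by any pool.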


Wednesday, July 16, 2008

VPN

Tunneling enables users to reach a private network across a public one. Tunneling encapsulates an entire packet within another packet and sends the composite packet over the network. Three classes of protocol take part in a tunnel:

  • Carrier protocol. The protocol over which the encapsulated information travels (Frame Relay, ATM, MPLS)
  • Encapsulating protocol. The protocol that wraps around the original data (GRE, L2F, L2TP)
  • Passenger protocol. The protocol of the original data being carried (IPv4, AppleTalk, IPv6, IPX)


Tunneling works like this: the original data is wrapped by the encapsulating protocol; as it leaves the VPN gateway (through its "tunnel interface") it is carried by the carrier protocol with the source and destination addresses set to the two tunnel interfaces' addresses; when the data arrives at the VPN gateway at the other end, the original data is extracted and forwarded to its destination.

For the message to be private, it must be encrypted. A VPN encryption rule consists of an algorithm and a key; the message is encrypted using the combination of the two. The result is ciphertext, which is very difficult if not impossible to decrypt without the correct key. There are two kinds of encryption algorithm: symmetric algorithms, which use the same key for encryption and decryption, and asymmetric algorithms, which use different keys for encryption and decryption. Some commonly used encryption algorithms are:
  • Data Encryption Standard (DES). A symmetric-key cipher developed by IBM. It uses a 56-bit key and gives high-performance encryption, but a 56-bit key can be brute-forced with modest hardware and DES should no longer be used.
  • Triple DES (3DES). Developed from DES; a symmetric-key cryptosystem. It encrypts a block with one key, decrypts it with a second key and finally encrypts it with a third key (EDE). This provides more strength than DES at roughly three times the cost.
  • Advanced Encryption Standard (AES). Developed by the National Institute of Standards and Technology as the replacement for DES. It offers more strength than DES and is more efficient than 3DES. It can be used with three key lengths: 128, 192 and 256 bits.
  • Rivest, Shamir and Adleman (RSA). Named after its inventors; an asymmetric cryptosystem. It uses key lengths of 512, 768, 1024 or more bits; 512- and 768-bit keys are far too short today and 2048 bits is the usual minimum.

A hash is a fixed-size string computed from a message. It is generated with an algorithm designed so that it is computationally infeasible to find two different messages that produce the same hash value. The hash is smaller than the message. It can be used to check that a message has not been modified: the sender computes a hash of the message and sends it along with the message; the receiver computes the hash of the received message again and compares it with the hash sent by the sender. If both hashes are the same, the message has not been changed in transit. Note that a plain hash protects only against accidental change: an attacker who can modify the message can simply recompute the hash, so the hash must be keyed (HMAC, below) or signed.

A keyed hashed message authentication code (HMAC) is a data integrity algorithm that guarantees the integrity and authenticity of the message. An HMAC has two inputs: the message and a secret key known only to the sender and the receiver. Two common HMAC algorithms are:
  • HMAC-MD5. Uses a 128-bit shared key; the key is combined with the message through MD5 and produces a 128-bit hash. The hash is appended to the message and sent to the destination. IPsec sends a truncated 96-bit form (HMAC-MD5-96).
  • HMAC-SHA-1. Uses a 160-bit shared key; the key is combined with the message through SHA-1 and produces a 160-bit hash. The hash is appended to the message and sent to the destination. IPsec likewise truncates it to 96 bits (HMAC-SHA-1-96).

Both ends of a VPN connection must be authenticated so that a secure connection can be established. The two peer authentication methods in VPNs are:
  • Pre-Shared Key (PSK), a secret shared between the two parties. The PSK is entered manually at each peer and is used to authenticate the other peer; it is a symmetric-key mechanism. The shared key is combined with other information to form the authentication key.
  • RSA signatures, which exchange digital certificates to authenticate the peers. The local end computes a hash and encrypts it with its private key; the encrypted hash (the digital signature) is sent along with the message. The remote end decrypts the hash using the local end's public key and recomputes the hash of the message. If the decrypted hash matches the recomputed hash, the signature is genuine.

The Internet is a public network that reaches almost everywhere in the world. This makes it an attractive way for organizations and corporations to connect their teleworkers with the organization's private network, but the fact that it is public also exposes that traffic to security risks. With VPN technology, organizations can create a private network on top of the Internet and safely transfer private data between branches and remote teleworkers. Instead of a dedicated layer 2 connection such as a leased line, a VPN uses virtual connections that are routed over the Internet.

The benefits of using a VPN are:
  • Cost saving. Unlike a leased line, which is expensive to establish between sites, a VPN uses the public Internet, which is cheaper.
  • Security. A VPN encrypts and authenticates its data, protecting it from unauthorized access.
  • Scalability. Anyone, anywhere within an ISP's service area, can connect to the VPN. Organizations large or small can add new users without adding significant infrastructure.


Types of VPN:
  • Site-to-site VPN. Used to connect company intranets, or a company intranet with a business partner's extranet; for example, it can connect a branch with the headquarters office. A site-to-site VPN uses a VPN gateway at each site to send and receive TCP/IP traffic. The gateway can be a router, a PIX firewall appliance or an Adaptive Security Appliance (ASA). The VPN gateway is responsible for encrypting outgoing traffic and decrypting incoming traffic; hosts inside each site need no VPN software.
  • Remote-access VPN. Used to connect mobile users and teleworkers, as well as consumer-to-business extranets. Since most teleworkers have Internet access, they can establish a remote VPN connection to the company. Each host typically runs VPN client software that encrypts outgoing and decrypts incoming traffic. At the company site, a VPN gateway (a PIX firewall, a router, an ASA or a VPN concentrator) does the encryption and decryption.


A VPN creates a virtually private network which must maintain confidentiality and security: it must protect data against sniffing, authenticate the sender and ensure message integrity.
Typically a VPN requires the following components:
  • a network with servers and workstations;
  • access to the Internet;
  • VPN gateway-capable devices, such as routers, firewalls, VPN concentrators and ASAs, at the endpoints, which establish and manage the VPN connections;
  • appropriate software to create and manage VPN tunnels.


Most VPNs do both of the following:
  • Encapsulation, also called tunneling, which enables data to be transferred between private networks over a shared public network.
  • Encryption, which transforms data into another form using a secret key; decryption restores the encrypted data to its original form.


Key points of security in VPNs are:
  • Data confidentiality. Guarantees that data cannot be read as it travels across a shared network. VPNs achieve this using encapsulation and encryption.
  • Data integrity. Guarantees that the data received by the receiver is the same as the data sent by the sender, that is, the data has not been modified. VPNs use keyed hashes (HMAC) to ensure data integrity. A hash is like a tamper-evident seal: it shows whether the content was altered, not whether someone read it; keeping the content unread is the job of encryption.
  • Authentication. Guarantees that only authorized peers and users may participate in the private network. VPNs achieve this using pre-shared keys, passwords, digital certificates or other authentication mechanisms.

IPsec is a protocol suite for securing communications in IP networks. It offers two protocols (frameworks):
  • Authentication Header (AH) provides authentication and integrity but no confidentiality (no encryption). Use it when encryption is not needed or not permitted. Because AH also authenticates the outer IP header, it does not work through NAT; in practice ESP is used, alone or together with AH.
  • Encapsulating Security Payload (ESP) provides authentication, integrity and confidentiality (encryption). Although encryption and authentication are each optional, at a minimum one of them must be selected; ESP with encryption but without authentication is not recommended.

We can choose and implement standards for encryption, authentication and key exchange. The IPsec framework choices are:

  • IPsec protocol: ESP, AH, ESP + AH
  • Encryption: DES, 3DES, AES
  • Authentication (integrity): MD5, SHA (used as HMAC-MD5 and HMAC-SHA-1)
  • Diffie-Hellman group: DH1 (768-bit), DH2 (1024-bit), DH5 (1536-bit)

DH (Diffie-Hellman) lets two parties establish a shared secret over an insecure channel; that secret is then used to derive the keys for the encryption and hash algorithms. Larger DH groups give stronger keys; DH1 is considered too weak today.
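An added example (my code, not from the original post or from any Cisco product) tying together the DH, hash and HMAC sections above: two peers agree on a secret with Diffie-Hellman, derive an HMAC key from it, and protect a message with HMAC-SHA-1-96 as IPsec does. It also shows the point made about plain hashes: a man-in-the-middle who changes the message can recompute an unkeyed hash but not the HMAC. The DH modulus and generator are a constructed toy, not an IKE group (do not reuse them), and derive_key is a simplified stand-in for IKE's PRF.

```python
import hashlib
import hmac
import secrets

TOY_P = 2 ** 127 - 1   # prime, but a weak group: toy value for illustration, not an IKE group
TOY_G = 3              # generator order deliberately not checked: illustration only

def dh_keypair(p=TOY_P, g=TOY_G):
    """Private exponent x and public value g^x mod p; only the public value is sent."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def dh_shared(peer_public, private, p=TOY_P):
    """Both peers compute (g^y)^x = (g^x)^y mod p and so arrive at the same number."""
    return pow(peer_public, private, p)

def derive_key(shared_secret, length=20):
    """Toy KDF: hash the shared secret down to a fixed-size HMAC key."""
    raw = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha1(raw).digest()[:length]

def hmac_tag(key, message, algo="sha1", truncate=12):
    """HMAC-MD5 or HMAC-SHA-1; IPsec transmits only the first 96 bits (12 bytes)."""
    tag = hmac.new(key, message, getattr(hashlib, algo)).digest()
    return tag[:truncate] if truncate else tag

def verify_tag(key, message, tag, algo="sha1"):
    """Constant-time comparison so timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(hmac_tag(key, message, algo, len(tag)), tag)

def exchange():
    """DH agreement, one tagged message, then a forgery against a plain hash and against HMAC."""
    a_priv, a_pub = dh_keypair()          # initiator
    b_priv, b_pub = dh_keypair()          # responder
    k_a = derive_key(dh_shared(b_pub, a_priv))
    k_b = derive_key(dh_shared(a_pub, b_priv))

    msg = b"pay 100 to account 42"        # constructed sample payload
    tag = hmac_tag(k_a, msg)              # sender appends HMAC-SHA-1-96

    # Man-in-the-middle changes the amount.  With an unkeyed hash as the "seal"
    # the attacker just recomputes it, and the receiver's check passes.
    forged = msg.replace(b"100", b"900")
    mitm_seal = hashlib.sha1(forged).digest()
    plain_seal_accepts = hashlib.sha1(forged).digest() == mitm_seal
    # Without the key the attacker cannot produce a tag for the forged message.
    hmac_accepts_forgery = verify_tag(k_b, forged, tag)

    return dict(keys_match=(k_a == k_b), genuine_ok=verify_tag(k_b, msg, tag),
                plain_seal_accepts=plain_seal_accepts, hmac_accepts_forgery=hmac_accepts_forgery)
```

exchange() reports keys_match and genuine_ok as True, plain_seal_accepts as True (the forgery gets through) and hmac_accepts_forgery as False. hmac_tag with truncate=None gives the full digest, which is what you compare against published test vectors; the truncated 12-byte form is what appears on the wire in ESP and AH.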


Friday, July 11, 2008

Configuring SSH on a Router

How to enable SSH on a router
1. Set the router hostname

hostname R2

2. Set a domain name
Enter the following command at the global configuration level to set the domain name to cisco.com
ip domain-name cisco.com

3. Generate asymmetric keys
To generate the key pair the router uses to secure its SSH management traffic, enter the command "crypto key generate rsa" (the hostname and domain name are needed first because they form the key's name). You will be asked for the size of the key modulus, in the range 360 - 2048. Cisco recommends a minimum length of 1024; longer means more security, and 2048 is the sensible choice today. AFTER YOU GENERATE THE KEY, YOU WILL NOTICE THAT SSH HAS BEEN ENABLED. Prefer SSH version 2 with "ip ssh version 2"; version 1 has known protocol weaknesses.

4. Configure local authentication and the vty lines
To simplify the example we use a local username (you could instead use an authentication server such as TACACS+ or RADIUS). First create a local user: to create the username student with the hashed password cisco, enter "username student secret cisco" at the global configuration level (use "secret", not "password", so the password is stored as a type 5 hash). Next enter vty line configuration with "line vty 0 4", make the lines authenticate against the local database with "login local", and restrict them to SSH with "transport input ssh" (this also blocks Telnet).

5. Configure SSH timeouts (optional)
This provides additional protection against idle or brute-forced sessions. Enter both commands at the global configuration level
ip ssh time-out 15
ip ssh authentication-retries 2



To connect to the router using SSH you need an SSH client (PuTTY, TeraTerm). You will be prompted for a username and password; enter the ones you configured. In the above example that is the locally created username student with password cisco. Verify with "show ip ssh" (SSH version and timeouts) and "show ssh" (active sessions).


Securing Cisco Routers

Routers' role in security

  • advertise networks and filter who can use them
  • provide access to network segments and subnetworks

Routers can be attacked for these purposes:
  • Compromising the access control can expose network configuration details, facilitating attacks against other network components.
  • Compromising the routing tables can reduce performance, deny network communication services and expose sensitive data.
  • A misconfigured router traffic filter can expose internal network components to scans and attacks, making it easier for attackers to avoid detection.

Securing routers at the network perimeter is an important first step in securing a network.
Some concerns when securing a router:
  • physical security
  • update the router IOS whenever possible
  • back up the router configuration and IOS
  • harden the router to eliminate the potential abuse of unused ports and services

Some steps for securing a router
1. Manage router security
Use strong passwords. To avoid exposing passwords, use "enable secret" instead of "enable password": "secret" stores an MD5 hash of the password (type 5). The global command "service password-encryption" merely obfuscates the other passwords in the configuration with a simple reversible algorithm, which Cisco calls type 7; anyone who obtains a copy of the configuration can recover the plaintext. Cisco recommends type 5 over type 7.
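Why Cisco recommends type 5 over type 7, as an added example (not from the original post): type 7 is a fixed XOR stream keyed by a two-digit offset, so anyone with a copy of the configuration can recover every "password 7" and "key-string 7" value. The XOR constant below is the one IOS uses; the configuration snippet and the function names are constructed for this example. 0822455D0A16 is the type 7 form of the password "cisco" with seed 08.

```python
import re

# The fixed key IOS XORs against; the two leading digits of a type 7 string are
# the offset into it (IOS picks 0..15).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

def type7_decode(encoded):
    """'0822455D0A16' -> 'cisco'."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("type 7 strings are a 2-digit seed followed by hex byte pairs")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode("ascii")

def type7_encode(plain, seed=8):
    """The forward transform, so a router's output can be reproduced offline."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS seeds are 00-15")
    data = plain.encode("ascii")
    out = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return "%02d%s" % (seed, out.hex().upper())

TYPE7_LINE = re.compile(r"^\s*(?P<ctx>.*?)\b(?P<kw>password|key-string) 7 (?P<hex>[0-9A-Fa-f]+)\s*$")

def audit(config_text):
    """Return [(context, plaintext)] for every type 7 secret in a running-config."""
    found = []
    for line in config_text.splitlines():
        m = TYPE7_LINE.match(line)
        if m:
            found.append((m.group("ctx").strip() or m.group("kw"), type7_decode(m.group("hex"))))
    return found

# Constructed sample: what 'show running-config' prints after service password-encryption.
SAMPLE_CONFIG = """\
hostname R2
service password-encryption
enable password 7 0822455D0A16
username student password 7 02050D480809
key chain RIP_KEY
 key 1
  key-string 7 0822455D0A16
line vty 0 4
 password 7 02050D480809
 login
"""

if __name__ == "__main__":
    for ctx, plain in audit(SAMPLE_CONFIG):
        print("%-20s -> %s" % (ctx, plain))
```

Run audit() over a saved running-config to find every reversible secret. Anything it reports that is a login password belongs in a "secret" (type 5) statement instead; routing key strings on these IOS versions can only be stored as type 7, so treat the configuration file itself as sensitive and rotate those keys if a copy leaks.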

2. Secure remote administrative access to routers
Remote access to routers is preferred when there are many routers and switches. Access must be controlled on the VTY, TTY (asynchronous access through a modem) and AUX lines; ensure that connections through those lines require a password.
You can PREVENT CONNECTIONS to any line by entering the commands "login" and "no password" on it: a login is required but no password exists, so every attempt is refused.
VTY lines can be configured to accept only connections that use a specified protocol, with the command "transport input". For example, to allow only SSH on the VTY lines enter "transport input ssh".
A Cisco IOS device has a limited number of VTY lines, usually 5, and an attacker can tie them all up (a denial of service). To avoid this, configure the last VTY line to accept connections only from a single, specific administrative workstation. This is achieved with an ACL applied in line configuration with the "access-class" command. Also set VTY timeouts with the "exec-timeout" command, which closes connections that stay idle beyond the configured time.
The other concern is to encrypt the traffic of the remote connections. To achieve this use SSH instead of Telnet. Not all Cisco images support SSH. Cisco routers can act as both SSH client and server; by default both modes are enabled when SSH is enabled.

3. Log router activity
Logging gives you a record of what has happened on a router. A log can be kept in the router's memory (the logging buffer) or sent to a log host. A log host is preferable because it provides a central place for logs, which an attacker who compromises the router cannot erase. Logging uses eight severity levels, from 0 (emergencies: the system is unusable) to 7 (debugging, the most verbose); selecting a level includes all messages of that level and the more severe levels below it. Logs should be reviewed regularly; this gives you a sense of your usual network activity. Use NTP so that events carry accurate timestamps, which makes correlation and troubleshooting easier.

4. Secure vulnerable router services and interfaces
Cisco routers support many network services, some of which serve no useful purpose any more. General security practice is to configure the router to support only the traffic and services it needs. You can disable a service entirely or restrict access to it; if a particular portion of a network segment needs a service but the rest does not, use the restriction features to limit the scope of the service. Some services that are recommended to be disabled are:
  • TCP small servers
  • UDP small servers
  • CDP (if there are IP phones, consider the impact before turning this off, since they rely on CDP)
  • Finger
  • HTTP server
  • Proxy ARP
  • IP mask reply, etc.
The commands to turn off a service usually start with "no" followed by the service name, for example:
no service tcp-small-servers
no ip http server
no cdp run


Some services that should be secured if they are needed are:
  • SNMP: use version 3. Versions 1 and 2c pass management information and the community string (the password) in clear text.
  • NTP: to reject NTP messages on a particular interface, use an access list (or "ntp disable" on that interface).
  • DNS: by default name queries are sent to the broadcast address, so a fake name server could answer them. Explicitly specify the name server addresses using the command
ip name-server addresses

5. Secure routing protocols
Routers themselves are at risk from attacks. Anyone with a packet sniffer can read the information exchanged between routers. There are two kinds of attack in general:
  • Disruption of peers
  • Falsification of routing information

Disruption of peers is the less critical, because routing protocols heal themselves by converging on a backup route. Falsification of routing information is done by feeding false routing updates to a router. It is prevented by authenticating routing protocol messages. MD5 authentication consists of three key elements: the key (similar to a password), the data, and the signature (the result of combining the key and the data through the MD5 algorithm). RIPv2, EIGRP, OSPF, IS-IS and BGP all support some form of MD5 authentication. Note that this authenticates the updates; it does not encrypt them, so the routes remain readable by a sniffer.

Securing the RIPv2 routing protocol
Step 1. Prevent RIP routing update propagation. First set ALL INTERFACES of the router to passive mode, then re-enable only those interfaces that are required for sending and receiving RIP updates. A passive interface receives updates but does not send them (for EIGRP and OSPF, passive-interface also suppresses hellos, so no adjacency forms at all).
passive-interface default

That command, entered in router configuration mode (under "router rip"), disables routing advertisements on all interfaces. To bring up a particular interface, enter the command
no passive-interface serial0/0/0

That command lets interface serial0/0/0 send routing updates again.

Step 2. Prevent unauthorized reception of RIP updates. This is done with MD5 authentication of the routing updates. To enable it, first create a key chain holding the MD5 key, then configure each interface participating in routing to authenticate its updates with that key chain. The commands to create the key are:
key chain RIP_KEY
key 1
key-string cisco

"key chain RIP_KEY" creates a key chain named RIP_KEY. A chain can hold multiple keys; in the example "key 1" creates key number 1 and "key-string cisco" sets its key string to "cisco" (use a long random string in production, and remember that the key string is stored in the configuration).

The commands to enable MD5 authentication on an interface (entered in interface configuration mode) are:
ip rip authentication mode md5
ip rip authentication key-chain RIP_KEY

"ip rip authentication mode md5" tells RIP to use MD5 authentication (instead of the default clear-text authentication) and "ip rip authentication key-chain RIP_KEY" tells it to use the RIP_KEY chain created above.
ONCE THIS AUTHENTICATION IS CONFIGURED ON A ROUTER, ALL THE OTHER PARTICIPATING ROUTERS MUST BE CONFIGURED WITH THE SAME MODE, KEY NUMBER AND KEY STRING, otherwise their updates are discarded.

Step 3. Verify the operation of RIP routing. This checks whether routing updates are still propagated properly. Use the "show ip route" command (and "debug ip rip" to see authentication failures).


securing EIGRP routing protocol. the steps are similar to RIP steps (create key chain, apply authentication mode to interfaces). the difference is on the applying the authentication mode to an interface. the commands to configure md5 authentication in eigrp process 1 are:
key chain EIGRP_KEY
key 1
key-string cisco

interface s0/0/0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP_KEY


securing the OSPF routing protocol. The logic of the steps is the same as for RIP and EIGRP, but the commands are different. the commands to configure MD5 authentication for OSPF process 10, area 0 are:
interface s0/0/0
ip ospf message-digest-key 1 md5 cisco
ip ospf authentication message-digest

router ospf 10
area 0 authentication message-digest


6. control and filter network traffic



Cisco provides AutoSecure, which enables you to use a single command to disable processes and services that are not needed. you can enter the command "auto secure" at privileged EXEC mode. this command has two modes, interactive and non-interactive. in interactive mode you'll be asked several questions to enable or disable services and other security features. non-interactive mode will automatically configure the router with the recommended Cisco default settings. the default mode is interactive mode.


Network Security

Three types of vulnerability

  • Technology vulnerability. vulnerability in the design of the technology itself (HTTP, FTP, ICMP vulnerabilities)
  • Configuration vulnerability. easily guessed passwords, misconfiguration, lack of secure default settings
  • Policy vulnerability. lack of a written policy, bad logical access control


Types of network attacks
  • Reconnaissance. information gathering, which usually precedes another type of attack: Internet queries (nslookup, whois), ping sweeps (fscan, gscan), port scans (nmap, superscan), packet sniffers (wireshark)
  • Access. gaining access, usually by running a hack, script or tool that exploits a vulnerability. Password attacks, brute forcing (cain, l0phtcrack). Trust exploitation, compromising another system by means of a system that it trusts and that has already been compromised. Port redirection, a type of trust exploitation, using software to alter traffic so that another system is reached through a system that has been compromised (netcat). Man-in-the-middle,
  • Denial of service. corrupting a system or service with the purpose of crashing it so that user requests are denied. SYN flood: in the TCP three-way handshake, the attacker floods a server with TCP SYN messages, the server replies with a SYN-ACK for each SYN and allocates resources for each request; since the attacker never finishes the three-way handshake, the server runs out of resources. DDoS (SMURF, MyDoom, Tribe Flood Network)
  • Malicious scripts/software. worms, viruses, trojan horses, which damage hosts or corrupt a system and replicate themselves.

*****************
Physical security
*****************
  • Hardware. lock access to physical equipment, disallow unauthorized access.
  • Environment. temperature control, humidity
  • Electrical. install a UPS and a generator in case of power loss. avoid voltage spikes
  • Maintenance. neat cabling and labeling.

Security should be the main concern whenever designing a network. a firewall alone is not enough; an integrated approach involving firewall, intrusion prevention and VPN is needed.
the PIX has evolved into what is called the Cisco Adaptive Security Appliance (ASA). Cisco ASA integrates firewall, VoIP security, SSL and IPsec VPN, IPS and content security services.


**********************
Network Security Wheel
**********************
Step 1.  Secure
Create the security policy. some concerns:
  • threat defense
  • stateful inspection and packet filtering
  • intrusion prevention system
  • vulnerability patching
  • disable unnecessary services
  • VPN
  • trust and identity, systems on the outside of the firewall should never be absolutely trusted by systems on the inside of a firewall.
  • authentication
  • policy enforcement, ensure that users and end devices are in compliance with the corporate policy.

step 2. Monitor
active monitoring by auditing log files, down to the host level (some OSes include auditing functionality). passive monitoring by using IDS devices, which requires less attention from the network administrator.

step 3. Test
actively test the network. try to penetrate the network using some tools (Nessus, Nmap).

step 4. Improve
analyze the data collected during the monitoring and testing phases, and apply the necessary improvements.

to keep the network as secure as possible, the cycle of the security wheel must be continually repeated.


Wednesday, July 9, 2008

Complex Access List

Complex ACLs can be based on standard and extended ACLs. complex ACLs provide more functionality. Kinds of complex ACLs are:

  • Dynamic ACL (lock-and-key): creates dynamic entries on the fly. each user whose traffic is to be passed through the router must first be authenticated through a telnet connection to that router.
  • Reflexive ACL: inbound traffic is limited to only traffic in response to sessions that originate from inside the router.
  • Time-based ACL: enable you to control traffic based on the time of day and week.


Dynamic ACL
dynamic ACLs are sometimes called lock-and-key ACLs. Dynamic ACLs depend on telnet authentication (local or remote) and extended ACLs. a dynamic ACL starts from an extended ACL applied to block traffic through the router. users who want their traffic to be passed through the router must telnet to the router and authenticate. then a single-entry dynamic ACL is added to the extended ACL. this entry will exist for a particular period of time (absolute timeouts and idle timeouts are possible). Dynamic ACLs are available for IP traffic only.

you can use dynamic ACLs when you want to grant a remote host or a group of remote hosts access to a host within your network. before the 'outside' hosts are given permission to access your 'inside' host, they must first authenticate themselves at the firewall router. it can also be applied when some of your 'inside' hosts want to connect to a remote (outside) host.

the steps of configuring a dynamic ACL are:
  • step 1. create a user, this user can be created at local or on a remote server (RADIUS or TACACS+). username and password of this user will be used to connect to the router using telnet (vty).
  • step 2. create the dynamic ACL. remember that dynamic ACLs are extended ACLs.
  • step 3. apply the ACL at the correct interface.
  • step 4. configure the telnet connection, with the "login" command to specify where to look up the user list (local/remote) and "autocommand" to enable the dynamic ACL.

example scenario

         H1 ---------------- R1 --------------- R2 -------------- H2
192.168.10.10                                                                       192.168.20.20

we want to enable H1 to connect to H2 by creating a dynamic ACL. assume that R2 is connected to R1 through interface FastEthernet0/1, whose IP address is 192.168.15.1; then we can apply the dynamic ACL 'inbound' on FastEthernet0/1 of R2. for simplicity we use local authentication. enter the R2 CLI; the commands are:
  • step 1. create a local user
username joe password 0 cisco

  • step 2. create dynamic ACL
access-list 101 permit tcp any host 192.168.15.1 eq telnet
access-list 101 dynamic testlist timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
the first entry allows telnet connections to R2's Fa0/1 address (192.168.15.1). the second entry is the dynamic ACL, which allows traffic from network 192.168.10.0 to 192.168.20.0; once a user has authenticated, the entry will exist for 15 minutes and will then be removed whether it is in use or not.
  • step 3. apply ACL.
interface FastEthernet0/1
ip access-group 101 in

  • step 4. configure telnet connection
line vty 0 4
login local
autocommand access-enable host timeout 5

the "autocommand" will be executed once a telnet connection is made, and the telnet session is then dropped. after that the user can connect to the 192.168.20.0 network; if the user is idle for 5 minutes, the dynamic entry is closed.


Reflexive ACL
a reflexive ACL is used to allow IP traffic for sessions originating from your inside network while denying sessions from outside of your network. this limits inbound IP traffic to only traffic in response to sessions that originate from inside. even though reflexive ACLs seem to be the same as extended ACLs that use the "established" keyword, they differ in that the "established" parameter only works for TCP traffic, while a reflexive ACL works for any IP traffic (TCP, UDP, ICMP). the "established" option also doesn't work with applications that dynamically alter the source port for the session.

a reflexive ACL works by examining the outbound traffic passing through a router. when the router sees a new outbound connection, it adds an entry to a temporary ACL that allows the replies back in. Reflexive ACLs contain only temporary entries; when the session ends, the entries are removed.

a reflexive ACL can only be defined with extended named IP ACLs. it cannot be used with other protocols or with extended numbered ACLs. reflexive ACLs are not applied directly to an interface but are "nested" within an extended named ACL.

steps to create a reflexive ACL are:
  • step 1. create an extended named ACL, which keeps track of traffic from inside.
  • step 2. create another extended named ACL, which will permit traffic from outside that is in response to sessions initiated from inside.
  • step 3. apply both ACLs at the correct interface in opposite direction.

example scenario,

                  Inside network
       SW1 --------------------- R1 -------------------- Internet
                   192.168.10.0

a network administrator wants to allow inside hosts to only browse the web, while traffic from the Internet may enter his network only if the traffic is a reply to a session requested by a host inside his network. assume that R1 is connected to the Internet through the serial0/0/0 interface, and that he wants to apply the ACLs on that interface. the commands are:
  • step 1. create the ACL, which keeps track of traffic from inside
ip access-list extended HTTP_OUTBOUND
permit tcp 192.168.10.0 0.0.0.255 any reflect TCPTRAFFIC

  • step 2. create the ACL that permits traffic from outside in response to sessions from inside
ip access-list extended HTTP_INBOUND
evaluate TCPTRAFFIC

  • step 3. apply both ACLs
interface serial0/0/0
ip access-group HTTP_OUTBOUND out
ip access-group HTTP_INBOUND in
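The behaviour of the two ACLs above, modelled in Python as an added example (this is not part of the original post): an outbound match on HTTP_OUTBOUND creates a mirrored temporary entry in TCPTRAFFIC, HTTP_INBOUND's "evaluate" permits only traffic matching such an entry, and the entry is removed when the session ends. The ACL is modelled as written (any TCP from 192.168.10.0/24), and the addresses 203.0.113.10 and 198.51.100.7 used in the demo are constructed.

```python
"""Added example (not part of the original post): a model of the reflexive ACL
configured above, as written (HTTP_OUTBOUND permits any TCP from the inside
network). An outbound match creates a mirrored temporary entry in TCPTRAFFIC;
'evaluate TCPTRAFFIC' in HTTP_INBOUND permits only traffic matching such an
entry, and the entry disappears when the session ends."""
import ipaddress
from dataclasses import dataclass
from typing import List

INSIDE = ipaddress.ip_network("192.168.10.0/24")   # 192.168.10.0 0.0.0.255 in the ACL


@dataclass(frozen=True)
class Flow:
    protocol: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirrored(self) -> "Flow":
        """The reply direction: addresses and ports swapped."""
        return Flow(self.protocol, self.dst, self.dport, self.src, self.sport)


class ReflexiveRouter:
    """R1's serial0/0/0 with HTTP_OUTBOUND applied out and HTTP_INBOUND applied in."""

    def __init__(self) -> None:
        # Temporary entries created by 'reflect TCPTRAFFIC'; none exist at start.
        self.tcptraffic: List[Flow] = []

    def outbound(self, flow: Flow) -> str:
        """HTTP_OUTBOUND: permit tcp 192.168.10.0 0.0.0.255 any reflect TCPTRAFFIC"""
        if flow.protocol == "tcp" and ipaddress.ip_address(flow.src) in INSIDE:
            reply = flow.mirrored()
            if reply not in self.tcptraffic:
                self.tcptraffic.append(reply)
            return "permit"
        return "deny"   # implicit deny any: UDP, ICMP and non-inside sources are dropped

    def inbound(self, flow: Flow) -> str:
        """HTTP_INBOUND: evaluate TCPTRAFFIC, then the implicit deny any"""
        return "permit" if flow in self.tcptraffic else "deny"

    def session_ended(self, flow: Flow) -> None:
        """Session torn down (FIN/RST seen or idle timer expired): remove its entry."""
        self.tcptraffic = [e for e in self.tcptraffic if e != flow.mirrored()]


if __name__ == "__main__":
    r = ReflexiveRouter()
    web = Flow("tcp", "192.168.10.5", 40000, "203.0.113.10", 80)   # constructed session
    print(r.outbound(web), r.inbound(web.mirrored()))               # permit permit
    r.session_ended(web)
    print(r.inbound(web.mirrored()))                                 # deny
```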


Time-Based ACL
a time-based ACL has a similar function to an extended ACL, except that a time-based ACL has the ability to do access control based on time (time of day and day of the week). Time-based ACLs are implemented by first creating a time range that defines specific times of the day and week. This time range is identified by a name and is then referenced by a function.

steps to implement a time-based ACL are:
  • step 1. Define the time range of when the ACL will operate.
  • step 2. Create the ACL and apply the time range to the corresponding entry.
  • step 3. Apply the ACL to the interface.

example scenario,
a network administrator allows telnet connections from the Internet to the inside network (192.168.10.0) only on Sundays from 7:00 to 15:00. this ACL will be implemented on interface serial0/0/0, which is the interface of the firewall router that is directly connected to the outside network. the commands are
  • step 1. Define the time range
time-range EVERYSUNDAY
periodic Sunday 7:00 to 15:00

  • step 2. create the ACL
access-list 101 permit tcp any 192.168.10.0 0.0.0.255 eq telnet time-range EVERYSUNDAY

  • step 3. apply the ACL
interface serial0/0/0
ip access-group 101 in


Extended Access List

extended ACLs provide a greater range of criteria when filtering packets. while standard ACLs only filter on the source IP address, extended ACLs filter packets on source/destination IP address, source/destination port number (service) and the protocol used. extended ACLs are numbered from 100-199 and 2000-2699. extended ACLs can be named as well.

extended ACLs have the ability to filter packets on their source/destination port number. you can specify the port as a number or as the name of a well-known port. for example the following access-lists have the same function

access-list 110 permit tcp 206.124.16.0 0.0.0.255 any eq 21
and
access-list 110 permit tcp 206.124.16.0 0.0.0.255 any eq ftp

both permit packets from network 206.124.16.0 to any host that are destined to port 21 (ftp runs on port 21).


you may notice the "eq" keyword in both access-lists before the port number. "eq" means equal. the available keywords are:
  • eq : equal, use this to permit/deny packets of which source/destination port number is equal to the specified number
  • lt : lower than, use this to permit/deny packets of which source/destination port number is lower than the specified number
  • gt : greater than, use this to permit/deny packets of which source/destination port number is greater than the specified number
  • neq : not equal, use this to permit/deny packets of which source/destination port number is not equal to the specified number

the complete syntax is
access-list access-list-number {deny|permit|remark} protocol source [source-wildcard][operator operand] [port port-number or name] destination [destination-wildcard][operator operand] [port port-number or name] [established]

access-list-number: a number identifying the access-list. for an extended ACL, this could be 100 to 199 or 2000 to 2699.
deny: drop the packet if the condition matches
permit: pass the packet if the condition matches
remark: used for documentation; this adds a remark about entries in the access-list to make it easier to read
protocol: the protocol of the packet. name this with one of TCP, UDP, ICMP, etc. to match every Internet protocol, fill it with IP.
source: address of the network or host from which the packet is sent. two ways to specify the source
  • 32-bit, four-part dotted-decimal format
  • any, don't care about the source address. abbreviation of source and source-wildcard 0.0.0.0 and 255.255.255.255
source-wildcard: wildcard bits for the source IP address. two ways to specify the source-wildcard
  • 32-bit, four-part dotted-decimal format
  • any, abbreviation of source and source-wildcard 0.0.0.0 and 255.255.255.255
destination: address of the network or host to which the packet is destined. two ways to specify the destination
  • 32-bit, four-part dotted-decimal format
  • any, don't care about the destination address. abbreviation of destination and destination-wildcard 0.0.0.0 and 255.255.255.255
destination-wildcard: wildcard bits for the destination IP address. two ways to specify the destination-wildcard
  • 32-bit, four-part dotted-decimal format
  • any, abbreviation of destination and destination-wildcard 0.0.0.0 and 255.255.255.255
operator: optional; used to compare source or destination ports. fill this with one of eq, gt, lt, neq.
port: optional; the port (source/destination) number or name of the service of the packet.
established: optional, for TCP packets only. a match occurs when the TCP packet has the ACK or RST bit set, which indicates that the packet belongs to an existing connection.


here is an example of allowing hosts in network 192.168.1.0 to do web browsing (http) only.
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 115 permit tcp any 192.168.1.0 0.0.0.255 established

the "access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443" is required for https, while the "access-list 115 permit tcp any 192.168.1.0 0.0.0.255 established" is required because http traffic flows in two directions: you request a page and the server sends you the page. this ACL enables you to receive the page that you requested (it actually passes every TCP packet that belongs to an existing connection; since only http/https traffic can go out from the network, theoretically only http/https connections can be made from inside).

after creating the ACLs, you can apply an extended ACL the same way as you apply a standard ACL to an interface. from the example above, you can apply both ACLs on one interface, one in each direction; which ACL goes in which direction depends on the interface you are applying them to. assume that we want to apply both ACLs to interface FastEthernet0/1, which is directly connected to network 192.168.1.0; then the commands would be:
interface FastEthernet0/1
ip access-group 110 in
ip access-group 115 out


you can create a named IP extended ACL the same way as you create one for a standard ACL.
the steps are:
  • step 1. at the global configuration level, enter the command "ip access-list extended name", where name is the name you want for the extended ACL.
  • step 2. after entering the command you'll be at the ACL configuration level. create statements and conditions as required with the permit/deny/remark keywords. the syntax is the same as for a statement in a numbered extended ACL, except that you don't have to specify "access-list access-list-number" anymore.
  • step 3. you can verify the ACL that you've created with the command "show access-lists name" at privileged EXEC mode.


Standard Access List

to create a statement of a standard ACL, enter the following command at the global configuration level

access-list access-list-number [deny|permit] [remark] source source-wildcard [log]

access-list-number: number of the access list; this can be 1-99 or 1300-1999 (standard ACL)
deny: drop the packet if the condition matches
permit: pass the packet if the condition matches
remark: used for documentation; this adds a remark about entries in the access-list to make it easier to read.
source: address of the network or host from which the packet is sent. two ways to specify the source
  • 32-bit, four-part dotted-decimal format
  • any, don't care about the source address. abbreviation of source and source-wildcard 0.0.0.0 and 255.255.255.255
source-wildcard: wildcard bits for the source address. two ways to specify the source-wildcard
  • 32-bit, four-part dotted-decimal format
  • any, abbreviation of source and source-wildcard 0.0.0.0 and 255.255.255.255
log: logs information about packets that match the entry; logs are sent to the console (the level of detail of the messages shown on the console is controlled by the "logging console" command)


Removing an ACL
enter the following command at the global configuration level
no access-list access-list-number

access-list-number: number of the access list to be removed; this can be 1-99 or 1300-1999 (standard ACL)


Wildcard Mask
a wildcard mask and a subnet mask are both 32 bits long. a subnet mask is used to determine which parts of the IP address are the network ID and the host ID. a wildcard mask is used to filter IP addresses to determine whether to permit or deny packets. a subnet mask uses binary 1s to make a match while 0s mean no match; a wildcard mask uses binary 1s to ignore the corresponding IP address bit while 0s mean that the corresponding bit should match.
example:
00000000 -> all address bits should match
00001111 -> matches the first four bits, ignores the last four bits
11110000 -> ignores the first four bits, matches the last four bits
11111111 -> ignores all bits in this octet

you can calculate a wildcard mask easily by subtracting the subnet mask from 255.255.255.255. example:
1. say that you want to filter the whole network 192.168.1.0. because its subnet mask is 255.255.255.0, you can do
255.255.255.255
255.255.255.000 -
---------------
000.000.000.255 -> wildcard mask

2. you want to filter only the first 14 hosts of 192.168.1.0
255.255.255.255
255.255.255.240 -
---------------
000.000.000.015

3. you want to filter hosts from networks 192.168.1.0 and 192.168.2.0. because the bits of the network part that are the same between 192.168.1.0 and 192.168.2.0 are the first 22 bits, you can do
255.255.255.255
255.255.252.000 -
---------------
000.000.003.255



you can avoid calculating the wildcard mask by using the host and any keywords:
  • host, substitutes for the wildcard 0.0.0.0, meaning that all bits of the IP address should match. it is used when you just want to filter a single host.
  • any, substitutes for the wildcard 255.255.255.255, meaning ignore all bits. it is used when you don't care where the packet is sent from.

example
access-list 1 permit any
access-list 1 permit host 192.168.10.10
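The wildcard arithmetic and matching described in this section, together with the top-down, first-match evaluation of ACL 110/115 from the Extended Access List post, as an added Python model (not part of the original post). The well-known port table, the documentation address 203.0.113.10 and the sample packets are constructed for the example.

```python
"""Added example (not part of the original post): a small model of how IOS
evaluates a numbered IP ACL, illustrating the Wildcard Mask section and the
ACL 110/115 example from the Extended Access List post. Port names and the
sample traffic are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the well-known port names IOS accepts in place of a number.
PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80, "domain": 53}

def wildcard_from_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask, octet by octet (the post's method)."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = ignore that address bit, 0 = the bit must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

@dataclass
class Packet:
    protocol: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # set on every TCP segment except the opening SYN

@dataclass
class Entry:
    action: str
    protocol: str
    src: Tuple[str, str]               # (address, wildcard)
    sport: Optional[Tuple[str, int]]   # (operator, port) or None
    dst: Tuple[str, str]
    dport: Optional[Tuple[str, int]]
    established: bool

def _take_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Parse 'any', 'host A' or 'A WILDCARD' at t[i]; return it and the next index."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _take_port(t: List[str], i: int) -> Tuple[Optional[Tuple[str, int]], int]:
    """Parse an optional 'eq|lt|gt|neq PORT' at t[i]."""
    if i < len(t) and t[i] in ("eq", "lt", "gt", "neq"):
        port = t[i + 1]
        return (t[i], PORT_NAMES[port] if port in PORT_NAMES else int(port)), i + 2
    return None, i

def parse_ace(line: str) -> Entry:
    """Parse one numbered extended ACE such as
    'access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 80'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line}")
    src, i = _take_addr(t, 4)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    return Entry(t[2], t[3], src, sport, dst, dport, "established" in t[i:])

def _port_ok(cond: Optional[Tuple[str, int]], port: int) -> bool:
    if cond is None:
        return True
    op, n = cond
    return {"eq": port == n, "neq": port != n, "lt": port < n, "gt": port > n}[op]

def evaluate(acl: List[str], pkt: Packet) -> str:
    """Walk the ACL top-down; the first matching entry decides the packet's fate.
    Falling off the end is the implicit 'deny any'."""
    for e in map(parse_ace, acl):
        if e.protocol not in ("ip", pkt.protocol):
            continue
        if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
            continue
        if not (_port_ok(e.sport, pkt.sport) and _port_ok(e.dport, pkt.dport)):
            continue
        if e.established and not pkt.ack_or_rst:
            continue
        return e.action
    return "deny"

# ACL 110 (applied inbound on Fa0/1) and ACL 115 (outbound) from the post.
ACL_110 = [
    "access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 80",
    "access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443",
]
ACL_115 = ["access-list 115 permit tcp any 192.168.1.0 0.0.0.255 established"]

if __name__ == "__main__":
    web = Packet("tcp", "192.168.1.5", "203.0.113.10", 50000, 80)   # constructed traffic
    reply = Packet("tcp", "203.0.113.10", "192.168.1.5", 80, 50000, ack_or_rst=True)
    print(evaluate(ACL_110, web), evaluate(ACL_115, reply))         # permit permit
```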


Applying access-list to an interface
enter the following command at the interface configuration level
ip access-group [access-list-number | access-list-name] [in|out]

access-list-number: the number of the access-list that you want to apply
access-list-name: the name of the access-list that you want to apply
in : apply the access-list at inbound direction
out: apply the access-list at outbound direction

for example, let's say that you want to apply access-list 1 on interface Serial0/0/0 in the outbound direction. you would enter the commands
interface serial0/0/0
ip access-group 1 out


in addition to restricting remote connections to SSH only, you can also increase security by applying an access-list to the vty lines. the command is
access-class access-list-number [in [vrf-also] | out]

access-list-number: the number of the access-list that you want to apply
in : restricts incoming connection between a particular Cisco device and the addresses in the access-list.
out: restricts outgoing connections between a particular Cisco device and the addresses in the access list.

some things to note about applying an access-list on vty lines:
  • apply the access-list to all of the vty lines, since users can connect to any of them.
  • only numbered access-lists can be applied to the vty lines.

example: applying access-list 1 to incoming connections on vty 0-4.
line vty 0 4
login
password cisco
access-class 1 in


Editing Numbered Access-List
there's no built-in editing feature to change an ACL in place: you cannot selectively insert or delete lines. to edit a numbered ACL, do the following:
  • step 1. show the ACL to be edited from the running configuration with the command "show running-config | include access-list"; the "include access-list" part is used to show only the access-list configuration.
  • step 2. select all the lines of the ACL that you want to edit and copy them to a text editor. edit the ACL as required in the text editor.
  • step 3. back in the CLI, in global configuration mode, delete the ACL using the "no access-list access-list-number" command. then paste the edited ACL from the text editor into the CLI.

Creating Named Access-List
first, create a named ACL with a command entered at the global configuration level. the syntax is:
ip access-list [standard | extended] name

name: the name of the access-list

then you will be at the access-list configuration level, where you can create statements for the ACL. to create a statement use the "permit" or "deny" command. you can also create a comment for each statement using the "remark" command. the syntax is:
[permit | deny | remark] {source [source-wildcard]} [log]

then you can apply the ACL to an interface by first entering the corresponding interface configuration level and then entering the following command:
ip access-group name [in | out]

name: the name of the access-list


after you create an ACL (numbered or named), you can verify it by using the command "show access-list" at privileged EXEC mode.


Editing Named Access List
since Cisco IOS Software Release 12.3, named ACLs are easier to edit: you can edit individual entries in a named ACL. when you use the "show access-list" command, you can see that each entry in a named ACL has a sequence number in front of it (the numbers usually start at 10 and increase by 10 for each following entry). you can delete an entry or insert an entry without remaking the whole ACL.

let's say you want to insert an entry between the first and the second entry. enter the ACL configuration level using the "ip access-list [standard | extended] name" command, and then enter the following
sequence-number [permit | deny] {source [source-wildcard]} [log]

sequence-number: a number that will determine the order of the statement in the list. if you want this entry to be between the first and the second entry, enter a number between 10 and 20.


Access List General

an Access-List is a router configuration script that controls whether the router should permit or deny packets based on the information found in the packet header. ACLs are also used for selecting some types of traffic to be analyzed, forwarded or processed in other ways.

an Access List enables you to control traffic flowing into or out of your network. it can permit or deny traffic from or destined to a certain host/network, or it can even deny or permit traffic from or destined to a certain port. in addition to permitting or denying, an access list can be used to classify traffic to enable priority processing.

Packet filtering controls access to a network by analyzing incoming or outgoing packets and deciding whether to pass or drop them based on some filter rules. these filter rules are defined using Access-Lists. a router can act as a packet filter: when a packet arrives at the router, the router extracts information from the packet header and decides, according to the filter rules, whether to pass or to halt the packet. Access-Lists work at layer 3 of the OSI model, but recall that an ACL can also use upper-layer information such as the protocol used and the source/destination port number (service).

you can have one access-list per protocol, per direction (inbound and outbound) and per interface (the three Ps). each interface has two directions, in and out, while each direction may receive packets from different protocols (IP, IPX, AppleTalk). you can apply an ACL on interface FastEthernet0/0 in the inbound direction for IP and also an ACL on FastEthernet0/0 in the inbound direction for IPX, because both are applied for different protocols.

Some guidelines on using ACLs:

  • use an ACL in the firewall to control traffic flowing between your internal network and the external network.
  • use ACL on a router between certain parts of your internal network. this could be between a less controlled area in your network and a network that has more sensitive data.
  • use ACL for each network protocol at the border router interfaces.

How Access-List Works
you can set ACLs in inbound or outbound direction, the difference is:
  • inbound, incoming packets are checked for a match in the ACL before they are routed. therefore, an inbound ACL is efficient because a dropped packet does not need to be routed.
  • outbound, the packet has already been routed from the incoming interface to the outgoing interface. then the packet is checked for a match in the ACL if the outgoing interface has an outgoing ACL applied to it. this is less efficient: imagine a packet that has been routed just to be dropped at the outgoing interface.

an ACL works in a sequential manner. it reads each statement one by one from top to bottom. when it reads a statement, it checks whether the statement matches the information extracted from the packet header. if it matches, it permits or denies the packet based on that statement. if it doesn't, it reads the next statement if there is one (that's why you should put the most frequently matched statements at the top of the list). if that was the last statement of the list, then the packet will be dropped. keep in mind that if a packet doesn't match any statement in the ACL, it will be dropped. this is often called the "implicit deny any statement".

because of the "implicit deny any statement", when you define an inbound ACL for traffic filtering, you should include explicit access-list criteria statements to permit routing updates. if not, communication of the routing protocol could also be blocked.

Two types of cisco ACLs,
  • Standard ACL, filters packets based on the source IP address only. the destination address or destination port doesn't matter. (numbers 1 to 99 and 1300 to 1999 are standard IP ACLs)
  • Extended ACL, filters packets based on several attributes: the source/destination address, source/destination port (service) and the protocol used. (numbers 100 to 199 and 2000 to 2699 are extended IP ACLs)

NOTE: since Cisco IOS Software Release 12.0.1, the standard and extended ACL numbers have been extended to 1300 to 2700.

Numbered and Named ACL
numbering an access-list can give you an idea of whether the ACL is a standard or an extended ACL. this can be used in a small network where the traffic is generally homogeneous. but a numbered ACL doesn't tell you the purpose of the ACL; because of this, since Cisco IOS version 11.2 you can give a name to an ACL to identify it.

Numbered ACL
  • Standard IP ACL, numbered from 1 to 99 and 1300 to 1999
  • Extended IP ACL, numbered from 100 to 199 and 2000 to 2699
  • ACLs numbered 200 to 1299 are used for protocols other than IP. for example, ACLs numbered 600 to 699 are used for AppleTalk and ACLs numbered 800 to 899 are used for IPX.

Named ACL
certain rules in naming an ACL:
  • names can contain alphanumeric characters
  • it is suggested to use CAPITAL LETTERS for the name
  • names cannot contain any spaces or punctuation characters, and must begin with a letter
  • entries in a named ACL can be edited


the placement of ACLs plays an important role in network performance. the place where you apply ACLs can reduce unwanted traffic: imagine packets that have been routed just to be dropped at the last router. the basic rules for placing ACLs are:
  • Extended ACL, place it as close as possible to the source of the traffic to be denied.
  • Standard ACL, place it as close as possible to the destination of the traffic to be denied. because a standard ACL only cares about the source of the traffic, if you put it near the source, some other traffic destined to other networks that should be allowed could be blocked as well.

ACL best practices
  • Create ACLs based on the organization security policy.
  • Prepare a description of the ACLs that you want to create (this will avoid creating potential problems).
  • Use a text editor to create, edit and save ACLs (this way, you can create a library of ACL that is reusable).
  • Test ACLs created in a lab environment before deploying them on the production network (avoids costly errors).


Tuesday, July 8, 2008

Password Recovery

the enable password and enable secret are used to control access to privileged EXEC mode. a lost password can be recovered, while a lost secret must be replaced by a new one because it's encrypted. for security reasons, you recover a lost password or secret by connecting your PC to the device through a console cable. the configuration register is something similar to the BIOS configuration in a PC; for example, the BIOS determines from which hard disk the PC should boot. for a router, the configuration register, which is represented by a single hexadecimal value, tells the router what steps to take when booting. the configuration register has many uses; password recovery might be the most used one.

the steps are:

  • step 1. connect your PC to the router.
  • step 2. record the configuration register by entering the command "show version" (the configuration register information is usually on the last line). if you don't have access to user EXEC mode anymore, you can safely assume that the configuration register value is 0x2102 (the configuration register is usually set to 0x2102 or 0x102).
  • step 3. turn off the router and then turn it back on.
  • step 4. press Break on the keyboard within 60 seconds of power-up to put the router into ROMmon.
  • step 5. change the configuration register value to 0x2142 in ROMmon by entering the command "confreg 0x2142". this will cause the boot process to bypass the startup-configuration where the forgotten password is stored.
  • step 6. reboot the router by entering the command "reset" in ROMmon. the router will then reboot and ignores the saved configuration.
  • step 7. ignore the initial setup procedure by typing "no" at boot process.
  • step 8. go to the privileged EXEC mode with the command "enable".
  • step 9. copy your startup-configuration to running-configuration with the command "copy startup-config running-config".
  • step 10. now you use "show running-config" to see the password. if your password is encrypted, then you have to set a new password. (you will also see that all interfaces are on shutdown state).
  • step 11. to set a new password go into the global configuration level with the command "configure terminal".
  • step 12. set a new secret with the command "enable secret password". for example if you want to set the password to cisco then type "enable secret cisco".
  • step 13. because all interfaces are in shutdown state, issue "no shutdown" on every interface that should be up. issue "show interface brief" to confirm it.
  • step 14. reset the configuration register to the its value (that you've recorded) with the command "config-register confreg-value". enter the command "config-register 0x2102", if you want to set it to 0x2102.
  • step 15. all is set, then you might want to copy the running-configuration to the startup-configuration so that your new password is stored in startup-configuration.


Recovering IOS Image

The IOS image is crucial for a router to run. If the IOS image is accidentally deleted from flash, the router can still operate as long as it is not rebooted, because it is running IOS from RAM. If it is rebooted, or you have to reboot it for some reason, the router will no longer be able to run IOS and will boot into ROMmon. You can recover from this state by copying an IOS image that was previously backed up to a TFTP server. The steps and commands are different because you are working in ROMmon (you can still type "?" to see the available ROMmon commands). The steps are:

  • step 1. Connect the router directly to the TFTP server. First connect the router to the TFTP server from the router's first Ethernet port (this depends on the router; on some routers it is FastEthernet0/0), and give the TFTP server a static IP address, for example 192.168.20.1.
  • step 2. Set the ROMmon variables. Turn on the router and you will see the ROMmon prompt. Some notes about variables in ROMmon:
    - variable names are case sensitive
    - do not include any spaces before or after the = symbol
    - navigation keys do not work
Enter the following variables in ROMmon. The values are just examples; change them as needed.
IP_ADDRESS=192.168.20.2
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=192.168.20.1
TFTP_SERVER=192.168.20.1
TFTP_FILE=c1841-ipbase-mz.123-14.T7.bin
  • step 3. Enter the "tftpdnld" command. This downloads the specified file from the TFTP server. Before the transfer begins you will be warned that all existing data in flash will be deleted; type "y" to continue. You will then see exclamation marks "!"; each one shows that a UDP packet has been transferred successfully. After it finishes, use the "reset" command to reboot the router with the IOS image now in flash.

Recovering Using Xmodem
There is another way to recover an IOS image onto a router: Xmodem (ROMmon supports Xmodem). The transfer is slower than with the "tftpdnld" command because it goes over the console cable; that is, the IOS image is not taken from a TFTP server but from, for example, an administrator's PC. The steps are:
  • step 1. Connect a PC that has the IOS image to the router. Open a connection to the router to get the ROMmon command prompt.
  • step 2. Use the "xmodem" command at the ROMmon prompt. The syntax is
xmodem [-cyr] [filename]

c : specifies CRC-16
y : specifies the Ymodem protocol
r : copies the image to RAM
Example:
xmodem -c c1841-ipbase-mz.123-14.T7.bin
Entering this command on the router makes it ready to receive the specified file.
  • step 3. In the software you use to connect to the router through the console cable, choose to send a file. Depending on the software, there should be a menu for sending a file; in HyperTerminal it is Transfer > Send File.
  • step 4. Browse for the file you want to transfer, set the protocol to Xmodem, then send the file. After the transfer is done the router reloads automatically with the new IOS image.


Maintain Cisco IOS

Over time, a router will need an update or an upgrade, either of the IOS image or of the configuration file. An update replaces one release with another without upgrading the feature set; it may fix a bug or replace a release that is no longer supported. An upgrade replaces one release with another with an upgraded feature set; the upgrade might include additional technologies or new features. Updates are free, while upgrades are not.

NOTE: IT'S NOT ALWAYS GOOD TO REPLACE A ROUTER IOS IMAGE WITH THE NEWEST RELEASE. SOMETIMES THE NEWEST RELEASE IS NOT A STABLE RELEASE.

Cisco provides guidelines on updating/upgrading the IOS version. Following the guidelines can reduce operational, planning and management costs. The phases that Cisco recommends are:

  • Plan: set goals, resources, hardware and software, and create a schedule.
  • Design: choose the IOS releases to be used and the migration strategy.
  • Implement: execute the migration plan.
  • Operate: monitor the migration progress and keep backup copies of the old images and configuration.

Cisco also provides a number of tools on cisco.com. Some of them are:
  • Cisco IOS reference guide, which covers the basics of the Cisco IOS software family.
  • Cisco IOS software technical documents, the documentation for each IOS release.
  • Software Center, the place to download IOS images.

An attacker who has compromised a router can delete its IOS image or configuration file. To mitigate this, a network administrator must know how to maintain the device's file system.

Each Cisco IOS device has a feature called the Cisco IOS IFS (Integrated File System), which can be used to see, navigate and manipulate the directories on a Cisco device. Enter "show file systems" in privileged EXEC mode to see the file systems available on the device. Each directory and file in the file system has its own permission mode: read only (ro), write only (wo) or read and write (rw). You can then list the files in each directory ("dir"), change the working directory ("cd dir_name") and print the current working directory ("pwd").

To copy a file in IOS, you specify the file you want to copy. File locations on IOS devices are specified using the URL convention. In my opinion, IOS locates files much the same way as other operating systems, except that in IOS you first specify the prefix of the file location. The prefix can be tftp, flash, system (RAM) or nvram. For example, to specify the "backup-config" file located in the "configs" folder of a TFTP server whose IP address is 192.168.20.30, you enter "tftp://192.168.20.30/configs/backup-config"; for a file in flash memory you enter "flash:configs/backup-config"; in RAM, "system:running-config"; and in NVRAM, "nvram:startup-config".

After specifying the file location, you can copy the file using the command
copy source-url destination-url

Instead of providing the full URL, you can also use the simple syntax. For example, to copy the running configuration in RAM to the startup configuration in NVRAM
copy running-config startup-config
instead of
copy system:running-config nvram:startup-config

To copy the running configuration to a remote location
copy running-config tftp:

To copy a configuration file from a remote location into RAM
copy tftp: running-config


**************************
Cisco IOS Naming Convention
**************************
Knowing the file naming convention helps a network administrator when upgrading and selecting new IOS images. Let's look at an example IOS image name
c1841-ipbase-mz.123-14.T7.bin

The name can be divided into several parts.
  • The first part is "c1841", meaning the image runs on the 1841 series platform.
  • The second part is the feature set, in this case "ipbase", meaning basic IP internetworking. Some other possibilities are:
    - "i", IP feature set.
    - "j", enterprise feature set (all protocols), PLUS feature set (extra queueing, manipulation or translations).
    - "56i", 56-bit IPsec DES encryption.
    - "k2", 3DES IPsec encryption (168 bit).
  • The third part indicates where the image runs and whether it is compressed. Here "mz" means the file runs from RAM and is compressed.
  • The fourth part is the version number, "123-14.T7".
  • The last part is the file extension; "bin" indicates a binary executable.
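As an added example (not code from the original post), here is a small Python parser that splits an image name into the parts listed above and turns the version part into the 12.3(14)T7 form shown by "show version". Reading "123" as release 12.3 and ".T7" as train T rebuild 7 is my own reading of the convention, and the second image name used below is constructed.

```python
"""Decode a Cisco IOS image file name into the parts described above.

Added example, not code from the original post. The feature-set table holds
only the codes listed on this page; other codes are reported as unknown.
"""
import re
from dataclasses import dataclass
from typing import Tuple

# Feature-set codes and meanings as listed on this page.
FEATURE_SETS = {
    "ipbase": "basic IP internetworking",
    "i": "IP feature set",
    "j": "enterprise feature set (all protocols)",
    "56i": "56-bit IPsec DES encryption",
    "k2": "3DES IPsec encryption (168-bit)",
}
# Third part of the name: where the image runs and whether it is compressed.
# Only the letters the page explains ("m" = RAM, "z" = compressed) are decoded.
RUN_LOCATION = {"m": "RAM"}
COMPRESSION = {"z": "compressed"}

_NAME_RE = re.compile(
    r"^(?P<platform>c[0-9a-z]+)-(?P<feature>[a-z0-9]+)-(?P<where>[a-z]+)"
    r"\.(?P<version>[0-9]+-[0-9]+(?:\.[A-Za-z]+[0-9]*)?)\.(?P<ext>[a-z]+)$"
)
# "123-14.T7": release 12.3, maintenance 14, train T, rebuild 7 (assumed reading).
_VERSION_RE = re.compile(
    r"^(?P<rel>[0-9]+)-(?P<maint>[0-9]+)(?:\.(?P<train>[A-Za-z]+)(?P<rebuild>[0-9]*))?$"
)


@dataclass(frozen=True)
class IosImage:
    platform: str        # "1841"
    feature_set: str     # "ipbase"
    feature_desc: str
    run_location: str    # "RAM"
    compression: str     # "compressed"
    version: str         # "123-14.T7" as written in the file name
    release: str         # "12.3(14)T7", the form shown by "show version"
    extension: str       # "bin"


def looks_like_ios_image(name: str) -> bool:
    """True if the name follows the platform-featureset-where.version.ext form."""
    return _NAME_RE.match(name) is not None


def version_key(version: str) -> Tuple[int, int, int, str, int]:
    """Sortable key for the version part, so candidate images can be ordered."""
    v = _VERSION_RE.match(version)
    if not v:
        raise ValueError(f"unrecognised IOS version string: {version!r}")
    rel = v["rel"]
    major, minor = int(rel[:-1]), int(rel[-1])   # "123" -> 12.3
    rebuild = int(v["rebuild"]) if v["rebuild"] else 0
    return (major, minor, int(v["maint"]), v["train"] or "", rebuild)


def parse_image_name(name: str) -> IosImage:
    """Split an image name such as c1841-ipbase-mz.123-14.T7.bin into its parts."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Cisco IOS image name: {name!r}")
    where = m["where"]
    major, minor, maint, train, rebuild = version_key(m["version"])
    release = f"{major}.{minor}({maint}){train}{rebuild or ''}"
    return IosImage(
        platform=m["platform"][1:],              # drop the leading "c"
        feature_set=m["feature"],
        feature_desc=FEATURE_SETS.get(m["feature"], "not listed on this page"),
        run_location=RUN_LOCATION.get(where[0], "unknown"),
        compression=(COMPRESSION.get(where[1], "unknown") if len(where) > 1
                     else "uncompressed"),
        version=m["version"],
        release=release,
        extension=m["ext"],
    )


if __name__ == "__main__":
    for name in ("c1841-ipbase-mz.123-14.T7.bin", "c2600-j-mz.122-15.bin"):
        print(parse_image_name(name))
```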


You can use TFTP to maintain IOS images and configuration files for the routers in a network. With TFTP you have a central place to upload and download IOS images and configuration files. The TFTP server can be another router, a workstation or a host.

Things to do before changing the IOS image on a router:
  • Determine the memory required for the update and install additional memory if the current amount is not enough.
  • Set up and test file transfer between the router and the file server.
  • Schedule the update/upgrade, because it needs some downtime. Updates are usually performed outside peak hours.

When you are ready to perform the update:
  • Shut down all interfaces not participating in the update process.
  • Back up the old IOS image and configuration file.
  • Load the update and the necessary configuration file onto the router.
  • Test the update to confirm that it was done successfully. If the test fails, check what went wrong and start over.

Backing up the IOS Image
It is recommended that you follow the steps below to back up an IOS image to a TFTP server.
  • step 1. Ping the TFTP server to confirm that there is connectivity between the router and the TFTP server, and that the server is alive.
  • step 2. Check whether the TFTP server has sufficient storage for the IOS image. You must know the space available on the TFTP server; you can check the size of the router's IOS image with "show flash:".
  • step 3. Copy the current IOS image to the TFTP server with "copy flash: tftp:". During the transfer you will see exclamation marks "!"; each one shows that a UDP packet has been transferred successfully.


Upgrading the IOS Image
You can update a router's IOS image by transferring the new one from the TFTP server to the router with "copy tftp: flash:". After entering this command you are prompted for the TFTP server's IP address and the new IOS file name (you must enter the exact file name). Once this is done, you are asked whether you want to erase flash memory; erase it when the router does not have enough memory for the new IOS image. During the transfer you will see exclamation marks "!"; each one shows that a UDP packet has been transferred successfully.


***************************************
Troubleshooting Cisco IOS Configuration
***************************************
After all devices in the network have the right IOS image and configuration, you can tune the configuration of individual devices to improve their performance in the network. There are two common commands used most in daily work, "show" and "debug". "show" lists the configured parameters, while "debug" shows you the traffic flowing through an interface, allowing you to trace the execution of a process.

You use the "debug" command when troubleshooting, finding bugs, and so on. When you enter a command on a router, you actually initiate many more processes than just the command you typed; therefore tracing the configuration line by line sometimes will not help you find the error. The "debug" command shows you the flow of packets so you can check whether everything is working properly. All "debug" commands are entered in privileged EXEC mode. Some notes on using "debug":
  • Plan debugging properly. Without proper precautions, debugging can make things worse.
  • Debugging can generate too much output. Know what you are looking for before you start debugging.
  • Debugging output varies between protocols. Some generate a single line for a single packet, while others may generate multiline output for a packet. A basic understanding of how the protocol works is usually needed when debugging it.

Some other tools that help make better use of "debug" are:
  • "service timestamps" gives a timestamp to each debug or log message. This gives you an idea of when an event happened and the time between events.
  • "show processes" shows you the CPU used by each process. This information helps you determine whether the CPU has sufficient time available for debugging.
  • "no debug all" turns off every debugging process that has been started.
  • "terminal monitor" displays debug output and system error messages for the current terminal and session. When you telnet to a device and use "debug", you will not see the debug output unless you have entered this command.

NOTE: debugging output is given high priority by the CPU. It is a good idea to use "debug" during quiet hours so that it does not interfere with production traffic, and always turn debugging off with "no debug all" when you are finished.


Monday, July 7, 2008

AAA

AAA stands for Authentication (verifying a user's identity), Authorization (limiting access to certain features) and Auditing (recording the actions taken by a user).

Examples of normal authentication are the enable secret and passwords on line connections (console, vty).

Normal (non-AAA) authentication is usually used in small environments or as a backup to AAA.

Users are created locally on a device with the username command. To add a user named joe with the password cisco, the command is

username joe password cisco

Each user can be assigned a different privilege level (1-15); a higher number means more privilege.

AAA uses an external server to store user names and passwords.

RADIUS and TACACS+ are the two protocols used for authentication and authorization, and both are widely used. Cisco generally recommends TACACS+ over RADIUS, as TACACS+ is Cisco proprietary and RADIUS cannot limit the commands a user may execute.


To configure RADIUS / TACACS+ authentication, first enter this command
aaa new-model
then specify where the server is located.
Example for a TACACS+ server:
tacacs-server host 192.168.1.10 key password

Example for RADIUS servers:
radius-server host 10.100.200.200 key password
radius-server host 10.100.200.201 key password

You can specify more than one server. They are queried in the configured order (if a server is unavailable, the next server is queried). The key is the password for connecting to the server itself, if one is required.

Then create method lists as needed. A method list specifies how AAA should treat users: whether to challenge them for a password and where to look for the password. There are several methods I do not cover here (local, tacacs+, radius, krb5, line, none). AAA can authenticate not only login but also ppp, ARAP, etc. Here is an example of a method list:
aaa authentication login My-Method group tacacs+ local

My-Method is the name of the method list.

Here there are two methods, tacacs+ and local. Should the TACACS+ query fail (an incorrect password is not considered a failure), the local password list is used.
Then apply the method list to interfaces / lines as needed. Here is an example
line vty 0 4
login authentication My-Method

Here I am applying the My-Method method list created earlier to VTY lines 0-4. This has the effect of challenging telnet sessions to the router with whatever authentication methods exist in the My-Method method list.

*Be careful when configuring AAA for the first time. You can easily lock yourself out of the router by enabling AAA authentication without configuring any users.
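The method-list behaviour described above, as an added Python model that is neither the post's nor Cisco's code: only a method that cannot answer (no server reachable) hands over to the next method, a rejected password stops the walk, and a small check flags the lock-out risks the warning above mentions. The server addresses, users and passwords below are constructed.

```python
"""Model how a login method list such as
    aaa authentication login My-Method group tacacs+ local
chooses between its methods, and check a list for lock-out risk.

Added example, not code from the original post. The server group, local
user database and credentials are constructed stand-ins.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Result(Enum):
    PASS = "pass"    # method answered: credentials accepted
    FAIL = "fail"    # method answered: credentials rejected (NOT a method failure)
    ERROR = "error"  # method could not answer (no server reachable): try next method


@dataclass
class TacacsGroup:
    """Stand-in for 'group tacacs+': servers are tried in configured order."""
    servers: List[str]
    reachable: Set[str]
    users: Dict[str, str]

    def authenticate(self, user: str, password: str) -> Result:
        for host in self.servers:
            if host in self.reachable:
                return Result.PASS if self.users.get(user) == password else Result.FAIL
        return Result.ERROR          # every server unreachable: fall to next method


@dataclass
class LocalDb:
    """Stand-in for 'local': the 'username ... password ...' entries on the box."""
    users: Dict[str, str] = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> Result:
        return Result.PASS if self.users.get(user) == password else Result.FAIL


class NoneMethod:
    """Stand-in for 'none': no authentication at all."""
    def authenticate(self, user: str, password: str) -> Result:
        return Result.PASS


Method = Tuple[str, object]   # (IOS method name, stand-in object)


def login(method_list: List[Method], user: str, password: str) -> Tuple[Result, Optional[str]]:
    """Walk the list in order; only an ERROR moves on to the next method."""
    for name, method in method_list:
        result = method.authenticate(user, password)
        if result is not Result.ERROR:
            return result, name
    return Result.ERROR, None     # no method could answer: access denied


def lockout_warnings(method_list: List[Method]) -> List[str]:
    """Checks worth running before applying the list to the vty or console lines."""
    warnings = []
    names = [name for name, _ in method_list]
    if "none" in names:
        warnings.append("'none' grants access without credentials")
    if "local" in names:
        local = dict(method_list)["local"]
        if not local.users:
            warnings.append("'local' is listed but no username is configured")
    if names and names[-1].startswith("group "):
        warnings.append("no fallback after the server group: unreachable server = lock-out")
    return warnings


if __name__ == "__main__":
    tacacs = TacacsGroup(["192.168.1.10"], {"192.168.1.10"}, {"joe": "server-pw"})
    my_method = [("group tacacs+", tacacs), ("local", LocalDb({"joe": "cisco"}))]
    print(login(my_method, "joe", "cisco"))      # rejected by the server, local not used
```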


Multilayer Switch

A multilayer switch is a switch with the ability to do the tasks of layer 3 routing and some tasks of the layers above.

Layer 3 switching means routing at approximately the speed of switching. High-end Cisco Layer 3 switches are now able to perform this second function at the same speed as the Layer 2 switching function.

Most multilayer switches today do not have any visible router module; the ability is contained in the supervisor (CPU). Older chassis-based switches can become multilayer switches with a Multilayer Switch Feature Card (MSFC) module. On this kind of multilayer switch you reach the router OS with the 'session slot-number' command, where slot-number is the number of the slot the module is installed in; you can get this number with the show module command.

With a multilayer switch, inter-VLAN routing can be done by the switch itself. This is done by creating a Switched Virtual Interface (SVI) for each VLAN with the command

interface vlan vlan-number

Different series of Cisco multilayer switches offer different features and flexibility. You must choose either a switch with limited routing capabilities or a router with limited switching capabilities. 6500 switches have become widely deployed in enterprise environments.

6500 switches come in different sizes, from 3 slots up to 13 slots. The 6500 has many modules that make it very expandable: the Firewall Services Module (FWSM, firewall and security), the Content Switching Module (CSM, load balancing) and the Network Analysis Module (NAM, network monitoring) can all be in one chassis.

6500 switches are highly redundant; they support dual power supplies and dual supervisors.
An enhanced chassis type is recognized by the letter e at the end of the series number (6500e).
Enhanced chassis use high-speed fans to cool the power-hungry modules.

Supervisor: over the years, different supervisor models have been introduced to offer greater speed and versatility. Increased functionality has also been made available via add-on daughter cards.

Modules
A daughter card is an add-on for a module.
There are fabric-enabled modules and non-fabric-enabled modules.
Line cards (offer connectivity, such as copper or fiber Ethernet) and service modules (offer functionality such as the FWSM and CSM).

*Ethernet Module, provides Ethernet connectivity (RJ-45, GBIC), available from 4 ports to 48 ports at speeds up to 1000 Mbps, and even a 96-port RJ-21 connector module supporting 10/100 Mbps.

*Firewall Services Module (FWSM), provides firewall services just like a PIX.

*Content Switch Module (CSM).

*Network Analysis Module (NAM), packet capturing and traffic monitoring. Controlled through a web browser, which can be tedious when looking at a large amount of traffic.

*Intrusion Detection System Module (IDSM), acts like an IDS appliance.

*FlexWAN Module, allows the connection of WAN links such as T1, DS3, OC3.

*Communication Media Module (CMM), provides telephony integration (analog telephones, fax machines, modems).


*************
3750 switches
*************
3750 switches are the successors of the 3550 switches. They have the ability to stack (link several switches, usually of the same type, together to form a single logical switch with a single management IP address; once you telnet or SSH to that address, you control the stack as if it were a single device).

FlexLink supports failover (a pair of links, where one is the primary link and the other is the backup). FlexLink is used on switches where you do not want to run STP.

Port Security: you can specify certain MAC addresses that are allowed or denied the right to use the port.


Sunday, July 6, 2008

Serial PPP

Computers use relatively short parallel connections between internal components, but use a serial bus to convert signals for most external communications.

Serial : sends information across one wire, one data bit at a time. The 9-pin serial connector on most PCs uses two loops of wire, one in each direction, for data communication, plus additional wires to control the flow of information.
Parallel : sends the bits over more wires simultaneously. The 25-pin parallel port on your PC has eight data-carrying wires to carry 8 bits simultaneously.


Theoretically parallel is 8 times faster than serial, but in reality parallel connections have some problems, such as:
Clock Skew : the bits in a parallel connection do not all leave the transmitter and arrive at the receiver at the same time; some bits get there later. The receiver must wait until all the bits have arrived and synchronize itself with the transmitter.
Crosstalk : because parallel uses more wires, there is a higher probability of data being corrupted by crosstalk.


Three key serial communication standards:
RS-232 - uses 9 pins. RJ-45 conforms to the RS-232 standard.
RS-232 pins:
pin 1 - Data Carrier Detect (DCD)
pin 2 - Receive (RxD), carries data from the serial device to the computer
pin 3 - Transmit (TxD), carries data from the computer to the serial device
pin 4 - Data Terminal Ready (DTR), indicates to the modem that the computer is ready
pin 5 - ground
pin 6 - Data Set Ready (DSR), indicates that the data set is on
pin 7 - Request to Send (RTS), requests clearance to send data to the modem
pin 8 - Clear to Send (CTS), acknowledges the RTS signal from the computer
pin 9 - Ring Indicator (RI), signals receipt of a telephone ring signal
V.35 - typically used for modem-to-multiplexer communication. An ITU standard for high-speed synchronous data exchange that combines the bandwidth of several telephone circuits. In the US, V.35 is the interface standard used by most routers and DSUs that connect to T1 carriers.
HSSI - High-Speed Serial Interface (HSSI) supports transmission rates up to 52 Mb/s. Commonly used for connecting routers on LANs to WANs over high-speed lines such as T3 lines.


TDM slices time into small intervals so that the link carries bits from multiple input sources.
T1/E1 and ISDN telephone lines are common examples of synchronous TDM.

Statistical time-division multiplexing (STDM): channels compete for free slots (in TDM, when a channel has nothing to send the slot is empty, wasting resources). STDM requires each transmission to carry identification information.
SONET is an example of STDM.


Telco hierarchy (24 DS0 are multiplexed into one DS1/T1)
DS0 - 64 kb/s
DS1 - 1.544 Mb/s (24 DS0)
DS2 - 6.312 Mb/s (96 DS0, or 2 T1c; a T1c is 2 T1)
DS3 - 45 Mb/s (7 T2)

*******
DTE-DCE
*******
DTE : the CPE end, usually a router.
DCE : the WAN provider's end, usually a modem or CSU/DSU. The device that converts user data received from the DTE into a form acceptable to the WAN; responsible for providing the clocking signal.


There are times when you want to connect two DTE devices (such as routers, computers, terminals or printers) directly, without a DCE. A special cable called a null modem eliminates the need for a DCE. With a null modem connection, the Tx and Rx lines are cross-linked (at the DCE end of the cable). Remember that one of the devices must provide the clocking signal, so one of them must act as the DCE (the DCE is the device with the female interface connector).

The Universal Asynchronous Receiver/Transmitter (UART) is a chip on the PC motherboard that converts the parallel bit stream to a serial bit stream and vice versa, to support communication with external devices such as modems, because most data flow inside a PC is in parallel form.

Cisco has introduced a smart serial cable (for the serial interfaces on most Cisco routers). The smart serial interface, with 26 pins, is smaller (thinner) than the DB-60 connector.


*****************
WAN Encapsulation
*****************
On each WAN connection, data is encapsulated. The encapsulation depends on the technology used for the WAN connection.
HDLC - the default encapsulation for point-to-point, dedicated links and circuit-switched connections when the link uses two Cisco devices.
PPP - provides router-to-router and host-to-host network connections over synchronous and asynchronous circuits. PPP works with several layer 3 protocols (IP, IPX) and has authentication mechanisms (CHAP, PAP).
SLIP - Serial Line Internet Protocol. A standard point-to-point protocol for serial connections using TCP/IP. SLIP has been largely replaced by PPP.
X.25 - uses LAPB (Link Access Procedure, Balanced) encapsulation.
Frame Relay - an industry-standard form of packet-switched WAN connection, the successor of X.25.
ATM - an international standard for cell relay; data is sent in fixed-length cells. ATM takes advantage of high-speed transmission media such as E2, SONET and T3.


HDLC - a bit-oriented synchronous data link layer protocol developed by the ISO (the current standard for HDLC is ISO 13239). HDLC defines a layer 2 framing standard that allows flow control and error control through the use of acknowledgements (sequence numbers).
-------------------------------------------------------------------
When you want to transmit frames over synchronous or asynchronous links, remember that those links have no mechanism to mark the beginning or end of a frame. HDLC uses a frame delimiter, or flag, to mark the beginning and the end of each frame.
You use Cisco HDLC as a point-to-point protocol on leased lines between two Cisco devices. If you are connecting to a non-Cisco device, use synchronous PPP.
-------------------------------------------------------------------


Saturday, July 5, 2008

Routing Behaviour

Routing Behaviour - routing behaviour is different from the routing protocol. The routing protocol (classless/classful) determines how the routing table is populated, while the routing behaviour determines how the routing table is searched once it is populated.

what is a match? For there to be a match between the destination IP address of a packet and a route in the routing table, a minimum number of left-most bits must match between the IP address of the packet and the route in the routing table. The subnet mask of the route in the routing table is used to determine the minimum number of left-most bits that must match. (Remember, an IP packet only contains the IP address and not the subnet mask.)

level 1 routes = classful network addresses, supernets
level 2 routes = subnets

A level 1 route that has level 2 routes is called a parent route, and those level 2 routes are called child routes.

Routing table lookup steps
step 1 - look for a level 1 route. If there is a match, forward the packet; if the match is a parent route, continue to step 2.
step 2 - match the level 2 routes. If there is a match, forward the packet.
step 3 - if there is no match: with classful routing behaviour, drop the packet (this is why classful routing behaviour never uses the default route to forward such packets); with classless behaviour, check the level 1 routes again for a supernet.
step 4 - if no supernet matches but a default route is configured, forward the packet through the default route.
step 5 - if there is no default route, drop the packet.


Recursive lookup: if a route entry does not specify an outgoing interface but only a next-hop IP address (as BGP route entries do), the router checks the routing table again to find the outgoing interface through which to forward the packet.


classful routing - prefers the classful entry; the default route is not used when there is no match in the routing table to forward the packet.
classless routing - when there is no match after checking the level 2 routes (subnetted entries/networks), it checks the level 1 routes again for a less specific match (supernet, summary route, etc.).
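The five lookup steps and the recursive lookup, as an added Python simulation that is not part of the original post; the routing table, addresses and interface names are constructed. In classful mode the packet is dropped at step 3 when a parent route exists and no child matches, exactly as the steps above describe.

```python
"""Simulate the routing-table lookup steps described above (classful vs
classless behaviour) plus the recursive lookup for next-hop-only routes.

Added example, not code from the original post. Route entries, interface
names and next hops below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    via: str   # exit interface name, or a next-hop address for recursive routes


def route(prefix: str, via: str) -> Route:
    return Route(ipaddress.ip_network(prefix), via)


def classful_net(addr: IPv4Addr) -> IPv4Net:
    """Classful (A/B/C) network of an address: the level 1 parent prefix."""
    first_octet = int(addr) >> 24
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def is_level1(r: Route) -> bool:
    """Level 1: default route, classful network or supernet (mask <= classful mask)."""
    return r.prefix.prefixlen <= classful_net(r.prefix.network_address).prefixlen


def best_match(dest: IPv4Addr, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match: the route sharing the most left-most bits with dest."""
    matches = [r for r in routes if dest in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def lookup(dest_str: str, table: List[Route], classless: bool) -> Optional[Route]:
    """Return the route used to forward to dest, or None when the packet is dropped."""
    dest = ipaddress.ip_address(dest_str)
    level1 = [r for r in table if is_level1(r)]
    parent = classful_net(dest)
    # Level 2 (child) routes: subnets of the destination's classful network.
    children = [r for r in table if not is_level1(r) and r.prefix.subnet_of(parent)]
    # step 1: a parent route exists only when it has child routes
    if children:
        # step 2: match the level 2 routes
        child = best_match(dest, children)
        if child is not None:
            return child
        # step 3: no child matched
        if not classless:
            return None          # classful behaviour: drop, default route not consulted
        # classless: fall through and check the level 1 routes again for a supernet
    # step 1 (no parent) / steps 3-4: supernet or default route, longest match wins
    return best_match(dest, level1)   # step 5: None when nothing matches


def resolve_exit_interface(dest_str: str, table: List[Route], classless: bool,
                           max_depth: int = 8) -> Optional[str]:
    """Recursive lookup: follow next-hop-only entries until an interface is found."""
    target = dest_str
    for _ in range(max_depth):
        r = lookup(target, table, classless)
        if r is None:
            return None
        try:
            ipaddress.ip_address(r.via)   # a next-hop address: look it up again
        except ValueError:
            return r.via                  # an interface name: done
        target = r.via
    return None                           # unresolvable (loop or too deep)


# Constructed routing table (Cisco-style interface names, made-up addresses).
TABLE = [
    route("172.16.1.0/24", "FastEthernet0/0"),   # level 2 children of 172.16.0.0/16
    route("172.16.2.0/24", "FastEthernet0/1"),
    route("172.0.0.0/8", "Serial0/0/1"),         # level 1 supernet
    route("192.168.1.0/24", "10.0.0.2"),         # level 1 classful route, next hop only
    route("10.0.0.0/24", "Serial0/1/0"),         # level 2 child of 10.0.0.0/8
    route("0.0.0.0/0", "Serial0/0/0"),           # default route
]

if __name__ == "__main__":
    for dest in ("172.16.1.5", "172.16.9.1", "192.168.1.7", "10.9.9.9"):
        for mode in (False, True):
            print(dest, "classless" if mode else "classful", lookup(dest, TABLE, mode))
```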


Wireless LAN

Wireless technologies (area coverage)
------------------------------------------------------------------
PAN (personal area network)
Standards : bluetooth, 802.15.3
Speed :
range : short
applications: peer-to-peer, device-to-device

LAN
Standards : 802.11
Speed : 11 to 54 mbps
range : medium
applications: enterprise networks

MAN
Standards : 802.11, 802.16 (WiMax), 802.20
Speed : 10-100+ mbps
range : medium-long
applications: last mile access

WAN
Standards : GSM, CDMA, satellite
Speed : 10 kbps - 2 mbps
range : long
applications: mobile data devices
------------------------------------------------------------------

WLAN 802.11 adopts the 802.3 Ethernet technology, but instead of using Ethernet switches to connect hosts, a WLAN uses Access Points (APs), and it uses Collision Avoidance rather than Collision Detection. Because WLAN uses radio frequency (RF), it can interfere with other radio frequencies.

WLAN standards
------------------------------------------------------------------
802.11a
data rates : up to 54 mbps
band : 5 Ghz
area : 35 meters
channels : up to 23
modulation : OFDM

802.11b
data rates : up to 11 mbps
band : 2.4 Ghz (ISM band)
area : 35 meters
channels : 3
modulation : DSSS

802.11g
data rates : up to 54 mbps
band : 2.4 Ghz (ISM band)
area : 35 meters
channels : 3
modulation : DSSS | OFDM

802.11n (still in draft, might be available on september 2008)
data rates : up to 248+ mbps
band : unconfirmed
area : 70 meters
channels :
modulation : MIMO-OFDM


*NOTE:
Because 802.11g supports both DSSS and OFDM modulation, 802.11g is backward compatible with 802.11b.

*************************
terminology explanations
*************************
-DSSS (Direct Sequence Spread Spectrum)
-OFDM (Orthogonal Frequency Division Multiplexing), a technology running OFDM is faster than DSSS.
-MIMO (Multiple Input/Multiple Output), splits a high data-rate stream into multiple lower-rate streams and broadcasts them simultaneously over the available radios and antennae, theoretically providing a data rate of 248 Mbps using two streams.
-ISM (Industrial, Scientific, Medical), the 900 MHz and 2.4 GHz bands are allocated by the International Telecommunication Union-Radio (ITU-R) as unlicensed for ISM use.
------------------------------------------------------------------

Three organizations influencing WLAN Standards:
- ITU-R, regulates the allocation of RF bands
- IEEE, specifies how RF is modulated to carry information
- Wi-Fi Alliance, devices made by vendors are interoperable

The Wi-Fi Alliance is a global, non-profit organization that grants Wi-Fi certification. Wi-Fi certification is used to ensure that products made by different vendors follow the WLAN standards (the certification covers all three WLAN technologies, 802.11a/b/g, and WPA, Wi-Fi Protected Access), and therefore ensures interoperability between devices from different vendors.


Components of WLAN
Wireless NIC - much like an Ethernet NIC, the WNIC encodes the data stream onto an RF signal using the modulation technique it is configured to use.
Access Point - an AP is a layer 2 device that works much like an 802.3 Ethernet hub. The AP connects wireless devices to the wired LAN; therefore, the AP converts 802.11 TCP/IP data packets to 802.3 TCP/IP data packets.
Wireless Router - performs the roles of AP, Ethernet switch and router.


CSMA/CA
Carrier Sense - each device must sense the medium for energy (RF stimulation above a certain threshold) and wait until the medium is free before sending. Because RF attenuates, two devices connected to the same AP from opposite sides may not sense each other, so collisions can occur (this is the 'hidden node' problem). CSMA/CA has a feature to overcome this problem: a mechanism called RTS/CTS (request to send / clear to send). A device requests to send to the AP, and the AP allocates the medium to the requesting device for as long as it needs to complete the transmission. If RTS/CTS is not used, normal collision avoidance is used.


**************
WLAN Operation
**************
WLAN modes : refer to the 802.11a/b/g or n modes. Because 802.11g is backward compatible with 802.11b, an access point may support both technologies; however, when an 802.11b client connects to the access point, it forces the other 802.11g clients to wait longer to transmit their data. An AP may support a/b/g, but with 802.11a operating on a separate radio in a different RF band.
SSID : the Service Set Identifier is a code attached to all packets on a WLAN to identify each packet as part of that network. The SSID is a case-sensitive alphanumeric string of 2 to 32 characters. Several WLANs may exist in one area, and the SSID is what distinguishes them from each other.
Wireless channel : the 2.4 GHz band is divided into 11 channels, each a 22 MHz band. The spacing between channel centres is only 5 MHz, which means the channels overlap. If there are three adjacent APs, use channels 1, 6 and 11; if there are just two, choose any two channels that are five channels apart.

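The channel spacing arithmetic behind the 1/6/11 rule above, as an added example (not from the original notes); the 2412 MHz center frequency of channel 1 is an assumption the notes do not state:

```python
"""Added example: 2.4 GHz channel overlap check built from the figures in the notes
(channel centers 5 MHz apart, each channel 22 MHz wide, channels 1 to 11)."""
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22
CHANNEL_SPACING_MHZ = 5
CHANNEL_1_CENTER_MHZ = 2412  # assumption: center frequency of 802.11b/g channel 1


def center_frequency(channel: int) -> int:
    """Center frequency in MHz of a 2.4 GHz channel (1..11 as in the notes)."""
    if not 1 <= channel <= 11:
        raise ValueError("channel must be 1..11")
    return CHANNEL_1_CENTER_MHZ + CHANNEL_SPACING_MHZ * (channel - 1)


def channels_overlap(a: int, b: int) -> bool:
    """Two 22 MHz channels overlap when their centers are closer than 22 MHz,
    which with 5 MHz spacing means fewer than five channel numbers apart."""
    return abs(center_frequency(a) - center_frequency(b)) < CHANNEL_WIDTH_MHZ


def is_nonoverlapping_plan(channels) -> bool:
    """True when no pair of channels in the plan overlaps."""
    return all(not channels_overlap(a, b) for a, b in combinations(channels, 2))


def nonoverlapping_plans(size: int):
    """Every set of `size` channels from 1..11 in which no two channels overlap.
    For three adjacent APs this yields exactly the 1/6/11 plan from the notes."""
    return [c for c in combinations(range(1, 12), size) if is_nonoverlapping_plan(c)]
```
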
Beacon - frames used by the WLAN (AP) to advertise its presence. The purpose of beacons is to let WLAN clients sense the presence of the network and choose which network to connect to. An AP may broadcast beacons periodically.
Probes - frames used by WLAN clients to find their networks.

Association - the process by which a client joins the WLAN before it can send data over it. The process goes through three stages.
stage 1, 802.11 probing - probing may be used to discover WLAN networks; some clients use it to search for a specific WLAN, in which case the probe request specifies the network name (SSID) and bit rates.
stage 2, 802.11 authentication - there are two methods. NULL authentication, in which the client says "authenticate me" and the AP responds with "yes"; this is used in almost all 802.11 deployments. The second method is WEP authentication, which is not recommended (the shared keys are flawed).
stage 3, 802.11 association - finalizes the security and bit rate options and establishes the data link connection between the client and the AP. The client learns the BSSID (the AP's MAC address) and the AP assigns an Association Identifier (AID, equivalent to a port on a switch). The AID keeps track of which WLAN client a frame is destined for.


Topologies
IBSS (Independent BSS) - usually called an ad hoc WLAN. In this topology there is no AP; every wireless NIC is set to ad hoc mode and the devices connect to each other without any intermediate AP.
BSS - a WLAN where only a single AP is present.
ESS (Extended Service Set) - when one AP cannot provide sufficient RF coverage, other APs may be added to enlarge the area. Each AP is identified by its BSSID, which is the MAC address of the AP.

The common distribution system makes multiple APs in an ESS appear to be a single BSS, allowing users to roam across the area from AP to AP. Cells represent the coverage area provided by a single channel.

Topology's Terminology
BSS = Basic Service Set
BSA = Basic Service Area, the coverage area of IBSS and BSS
ESA = Extended Service Area, the coverage area of ESS


Planning WLAN
In planning the coverage area of the WLAN, you must place the APs at the correct places so that users can roam from one AP to another. The coverage areas of neighbouring APs should overlap so that there is no gap between them.
Use nonoverlapping channels for neighbouring APs in an ESS.


********
Security
********
War Driving : originally a term for dialing through phone numbers to find exploitable systems. In WLAN terms it means driving around a neighbourhood with a laptop and a WNIC looking for an unsecured WLAN to exploit.
Hackers :
Rogue Access Point : an AP installed to interfere with the normal WLAN. If configured correctly, a rogue AP can capture client data and even gain access to server resources.
MITM : man in the middle. With a WLAN, a user can get access to the AP without plugging any cable into his device. A user can also run a software AP to act like the real AP and intercept other users' data.
DoS : 802.11b/g use the unlicensed 2.4 GHz band, which is also used by many other WLAN systems. With devices from other systems crowding the RF band, an attacker can create noise on all of the channels in the band with commonly available devices. Because a user can make his laptop/PC act as an AP, an attacker can flood CTS messages so that other clients flood the WLAN, or send disassociate commands so that clients try to reassociate, which creates a burst of traffic.


Securing WLAN
A WLAN provides two methods of authentication, open and WEP. Open means there is no authentication: all users may connect to the AP and gain a connection. WEP, as stated above, is a weak authentication method for two reasons. One, the algorithm used to encrypt the data was proved to be crackable. Two, scalability was a problem: the 32-bit WEP keys were manually managed, so users entered them by hand, often incorrectly.
To overcome these security issues a new security standard was created, 802.11i/WPA2 (WPA2 is the Wi-Fi Alliance implementation of 802.11i), which uses TKIP (Temporal Key Integrity Protocol) to encrypt data. WPA2 also includes a connection to a Remote Authentication Dial In User Service (RADIUS) server. Today 802.11i should be the standard in enterprise networks.
802.11i uses the 802.1X authentication standard, which is EAP (Extensible Authentication Protocol).

Encryption
TKIP - used in WPA, provides backward compatibility for legacy WLAN equipment (TKIP uses the same cipher, RC4, as WEP).
AES - Advanced Encryption Standard is the encryption of WPA2; it has the same function as TKIP but is the recommended one.

You can use SSID cloaking (disabling SSID broadcasting), MAC address filtering and WPA/WPA2 to secure your WLAN.

NOTE: securing your WLAN only by filtering MAC addresses and not broadcasting the SSID is not a good idea. A MAC address can be changed in software, and the SSID can be sniffed because it is sent in clear text.


Friday, July 4, 2008

Cisco Security Device Manager

Cisco Security Device Manager (Cisco SDM) is a web-based device-management tool that can be used to configure LAN, WAN and other security features on Cisco IOS software-based routers.
Cisco SDM has an easy-to-use interface that helps network administrators perform day-to-day operations. Cisco SDM is preinstalled by default on all new Cisco routers (Cisco SDM is stored in flash memory). However, if it is not preinstalled, you can install it on the router or on a PC. The advantage of installing it on a PC is that it saves the router's memory and you can manage other routers from the same PC.

If Cisco SDM is preinstalled on a router, Cisco recommends using Cisco SDM to perform the initial configuration.

With Cisco SDM we can manage ACLs and create VPN keys. Cisco SDM has smart wizards that guide users step by step through router and security configuration workflows. Cisco SDM can intelligently detect incorrect configuration. Cisco SDM also gives background information in addition to the step-by-step procedures.

Installing Cisco SDM
Cisco SDM can be installed on a deployed router without disrupting the network. The steps are:
step 1. Access the router CLI using a telnet or console connection.
step 2. Enable the HTTP and HTTPS server on the router.
step 3. Create a user account defined with privilege level 15.
step 4. Configure SSH and telnet for local login with privilege level 15.

the commands are (assume that a connection to the router has been established):

ip http server
ip http secure-server
ip http authentication local
username joe privilege 15 secret cisco
line vty 0 4
privilege level 15
login local
transport input telnet ssh


After enabling Cisco SDM on the router, you can launch Cisco SDM by connecting to the router through HTTP/HTTPS from a web browser. You will be prompted for a username and password (if you configured HTTP server authentication as local, the router matches the username and password against the local user list).

On the Cisco SDM overview page you can see information about the router such as the total amount of memory, the flash, IOS and hardware versions installed, active VPN connections and also a summary of the configuration.

Cisco SDM offers a feature similar to "auto secure" on the command line (see Network Security), called the one-step lockdown wizard. To access the wizard select configure -> security audit -> one-step lockdown and click yes in the Cisco SDM warning dialog box. Cisco SDM will then review the current configuration and check it against security best practices, and list some recommended configuration. If you click deliver, the configuration is sent to the router.

However, there are differences between the one-step lockdown wizard and the "auto secure" command:
- Cisco SDM disables SNMP, while "auto secure" configures SNMP version 3.
- Cisco SDM enables and configures SSH on crypto Cisco IOS images.
- Cisco SDM does not enable the service control point and does not disable file transfer services (FTP).


Vlan Trunking Protocol

advantages of VTP:
-dynamic trunk configuration when vlans are added to the network
-dynamic reporting of added vlans across a network

Terminology
vtp domain : switches in the same VTP domain share the same VLAN configuration details using VTP advertisements. A router defines the boundary of a domain.
vtp modes : a switch can be configured in one of three modes:
-Server, VTP servers advertise the VLAN configuration to other VTP-enabled switches in the same domain. VTP SERVERS STORE THE VLAN CONFIGURATION IN NVRAM. The server is where VLANs can be created, deleted or renamed.
-Client, functions the same way as a server, but clients cannot create, delete or rename VLANs. Clients also only keep the VLAN configuration while the switch is on.
-Transparent, transparent switches do not participate in VTP. Transparent switches do not store VLANs advertised by servers; however, they do forward the VTP advertisements they receive. VLANs can be created, renamed or deleted, but they are local to that switch.
vtp pruning : VTP pruning stops packets from being sent over a trunk to a switch that does not have the VLAN the packets come from. This saves bandwidth.
vtp revision number : each switch running VTP keeps track of a revision number. The revision number is 32 bits and starts from 0. The revision number determines whether the information received is more recent than the current one or not. Every time a change occurs, the revision number is incremented. (A domain name change does not increment the revision number but resets it to 0.)

VTP Default Settings
version = 1 (VTP has three versions, 1, 2 and 3; only one version is allowed in a domain)
domain name = null (means no domain)
mode = server
config revision = 0
vlans = 1

When VTP first starts, by default there are 5 VLANs created on a switch.

When a VTP server switch is given a domain name, it propagates the domain name to all other switches.

You can reset the revision number of a switch by changing its domain name.

The command "show vtp status" gives information about the VTP instance running on the switch, such as the domain name, version number, VTP mode, revision number, VLAN information, etc.

The command "show vtp counters" shows how many advertisements of each type have been sent or received.

VTP ONLY COMMUNICATES ON TRUNK PORT

VTP ONLY LEARNS ABOUT NORMAL-RANGE VLANs (vlan ids of 1 to 1005)

VTP DOMAIN NAMES ARE CASE SENSITIVE

VLAN CREATED BEFORE ENABLING VTP WILL BE REMOVED

************
VTP messages
************
VTP messages are encapsulated within an Ethernet frame, which is then encapsulated in the trunking protocol (either 802.1Q or ISL). The VTP message (header and message) is in the data portion of the frame. VTP ADVERTISEMENTS ARE SENT PERIODICALLY. VTP sends advertisements to a reserved multicast address, 01-00-0C-CC-CC-CC.

VTP header - the fields and size vary, but it always contains the domain name, domain name length, version, message type and revision number.

VTP message - VTP domain name, md5 digest, updater identity and timestamp message was sent.
for each vlan, the message contains:
-VLAN ID
-VLAN name
-VLAN type
-VLAN state
-additional VLAN configuration information

Type of advertisements
Inside each message there's a field that tells which type the message is.

Summary advertisements :

  • are sent every 5 minutes by a VTP server or client to inform the other switches in the domain of the current revision number and the domain name.
  • are also sent immediately after a change occurs.
  • contain a followers field that indicates that this summary is followed by a subset advertisement. The code for this type is 0x01.

Subset advertisements :
contain VLAN information. Triggered by:
  • creating / deleting a VLAN
  • suspending / activating a VLAN
  • changing the name of a VLAN
  • changing the MTU of a VLAN
It may take several subset advertisements to fully update the VLAN configuration. There is a seq-number field that gives the sequence of the packets, starting at 1. The code for this type is 0x02.


Request advertisements :
A request is sent to a VTP server if:
  • the domain name has been changed.
  • the switch received a summary with a revision number higher than its own.
  • a subset advertisement was missed for some reason.
  • the switch has been reset.
When a VTP server receives a request, it responds by sending a summary advertisement and then a subset advertisement. The type for this message is 0x03.


***********
VTP pruning
***********
When VTP pruning is enabled on a switch, it reconfigures the trunk links based on which ports are configured with which VLANs.

Essentially, if you want to enable pruning in your network, configuring VTP pruning on the VTP servers is enough.

VTP pruning only prunes VLANs that are pruning-eligible. VLANs 2 - 1001 are pruning-eligible by default. The set of pruning-eligible VLANs can be changed.

Pruning cannot be done to VLANs that are pruning-ineligible. Those VLANs are 1 and 1002-1005.

*****************
VTP configuration
*****************
To be noticed when configuring VTP servers:
  • confirm that the default settings are present.
  • always reset the configuration revision number.
  • configure at least 2 VTP servers in the network. Because VLANs can only be configured on servers, if one goes down we still have the other one.
  • if you set a password for VTP information, ensure that all switches are configured with the same password. Switches without a password or with the wrong password reject VTP advertisements.
  • BY DEFAULT A CISCO SWITCH DOESN'T IMPLEMENT ANY PASSWORD.
  • create VLANs after you have enabled VTP on the VTP server, because VLANs created before VTP is enabled are removed.
  • ensure all switches run the same VTP protocol version.

To be noticed when configuring vtp clients:
  • confirm that the default settings are present.
  • verify the VTP status. Confirm that the VLANs have been updated and the revision number has changed.
  • configure access ports; you still need to assign ports to the existing VLANs.


(at global configuration)
Configure VTP Domain
vtp domain word

Configure VTP mode
vtp mode word

Configure password
vtp password password

Configure version
vtp version number

word : a string
password : a string used as a password


*********
Common error in configuring VTP
  • protocol version mismatch. A VTP version is incompatible with a different version.
  • password mismatch / password not set on every switch.
  • different domain names. To avoid this, only configure the domain name on the VTP servers, because the VTP servers propagate the domain name to all other switches.


REMEMBER, BECAUSE BOTH VTP SERVERS AND CLIENTS SEND SUMMARY ADVERTISEMENTS, BOTH CAN HAVE THEIR VLAN CONFIGURATION RUINED: WHEN A SERVER OR CLIENT RECEIVES A SUMMARY ADVERTISEMENT WITH A HIGHER REVISION NUMBER, IT REQUESTS THE VLAN INFORMATION (SUBSET ADVERTISEMENTS) AND OVERWRITES ITS OWN VLAN CONFIGURATION (NO MATTER WHETHER THE SENDING SWITCH IS A CLIENT AND THE REQUESTING ONE IS A SERVER). ALWAYS RESET THE REVISION NUMBER OF A SWITCH BEFORE ADDING IT TO THE NETWORK.

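The revision-number rule in the warning above, together with the domain-name and password checks from the VTP messages and configuration sections, as an added example (not Cisco code; the switch names, passwords and VLAN tables are constructed):

```python
"""Added example: a small model of how a switch treats a VTP summary advertisement,
following the rules in the notes (domain match, password match, higher revision wins,
transparent switches only forward). Sample data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SummaryAdvertisement:
    domain: str
    revision: int
    password: Optional[str]
    vlans: Dict[int, str]   # the subset data the receiver would request afterwards


@dataclass
class VtpSwitch:
    name: str
    mode: str                       # "server", "client" or "transparent"
    domain: str
    revision: int = 0
    password: Optional[str] = None
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})

    def receive_summary(self, adv: SummaryAdvertisement) -> str:
        """Apply the notes' rules to one summary advertisement and report the outcome."""
        if self.mode == "transparent":
            return "forwarded"          # transparent switches only relay advertisements
        if adv.domain != self.domain:   # domain names are case-sensitive
            return "ignored: domain mismatch"
        if adv.password != self.password:
            return "rejected: password mismatch"
        if adv.revision <= self.revision:
            return "ignored: revision not newer"
        # A higher revision wins whether the receiver is a server or a client: the
        # receiver requests the subset advertisements and overwrites its VLAN table.
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        return "updated"

    def change_domain(self, new_domain: str) -> None:
        """Changing the domain name resets the revision number to 0 (the recommended reset)."""
        self.domain = new_domain
        self.revision = 0


def scenario() -> Dict[str, object]:
    """A production server meets a returning switch that carries a stale but higher revision,
    once without and once with the revision reset. All values are constructed."""
    prod_vlans = {1: "default", 10: "users", 20: "servers"}
    server = VtpSwitch("S1", "server", "LAB", revision=5, password="vtp-secret",
                       vlans=dict(prod_vlans))
    stale = VtpSwitch("S9", "client", "LAB", revision=9, password="vtp-secret",
                      vlans={1: "default", 99: "test"})
    unsafe = server.receive_summary(
        SummaryAdvertisement(stale.domain, stale.revision, stale.password, stale.vlans))

    server2 = VtpSwitch("S1", "server", "LAB", revision=5, password="vtp-secret",
                        vlans=dict(prod_vlans))
    stale2 = VtpSwitch("S9", "client", "OLD", revision=9, password="vtp-secret",
                       vlans={1: "default", 99: "test"})
    stale2.change_domain("LAB")      # revision drops to 0 before it joins the domain
    safe = server2.receive_summary(
        SummaryAdvertisement(stale2.domain, stale2.revision, stale2.password, stale2.vlans))
    return {"unsafe": unsafe, "server_vlans_after_unsafe": sorted(server.vlans),
            "safe": safe, "server_vlans_after_safe": sorted(server2.vlans)}
```
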

Wednesday, July 2, 2008

Spanning Tree Protocol

Spanning Tree Protocol is used to give redundancy in layer 2.
STP is enabled by default in cisco switches.

The problem with redundancy is the broadcast storm. When a broadcast frame is sent, it is sent out every port except the incoming port. In a network with redundant links (more than one link to reach a point/switch), the frame is forwarded forever in a loop.

root bridge (switch) is the bridge/switch that all other bridges need to reach via the shortest path possible.

When a switch first boots, it assumes that it is the root bridge.

Ethernet frames do not have TTL, so a broadcast storm is possible.

Assume that PC1 sends a broadcast; a network with redundant paths and without STP will suffer a broadcast storm. The switch connected to PC1 records that PC1's MAC address is at the connecting port. But during the broadcast storm the switch may receive the same frame from another switch on another port, and because it is still the same frame with PC1's MAC address as the source, the CAM table in the switch changes the port associated with PC1's MAC address. This is called MAC ADDRESS INSTABILITY.

A broadcast storm (loop) repeats over and over again until a link is disconnected or a switch participating in the loop is turned off, which breaks the loop.

A loop results in high CPU load and slows down performance because the same traffic is processed again and again. As more broadcast frames are sent by other hosts, all of the bandwidth is consumed and no other frame can be processed by the switches.

REAL WORLD REDUNDANCY ISSUE : redundancy is needed in a network with high availability demands, however cabling that is not well maintained and not labeled may confuse people. The cables may go into the wall jack and run into the patch panel that is connected to the distribution layer switches. A common mistake is connecting two devices a second time, which makes a duplicate connection.

Every bridge in the network that supports spanning tree will send out BPDU every two seconds.

Inside BPDU
the combination of Bridge Priority and Bridge's MAC, makes the Bridge ID. (this is the 802.1D standard )
Bridge Priority (2 bytes) | Bridge MAC (6 bytes)
        1 2               | 1 2 3 4 5 6            (Bridge ID, 8 bytes)


Steps in STP :
-Elect the root. The switch with the lowest Bridge ID becomes the root bridge. The default Bridge Priority value is 0x8000 (32768).
-Every non-root switch determines the port with the smallest cost to reach the root and puts this port in the forwarding state. This port is called the root port.
-Where multiple switches occupy a common segment, the port nearest to the root is selected and put in the forwarding state. This port is called the designated port.
-All other ports that are receiving BPDUs are put in the blocked state.


Additional Feature:
PortFast, allows a port to bypass all of the other spanning tree states and proceed directly to the forwarding state. Spanning tree takes about 30 seconds to put a normal port into the forwarding state. PortFast should be enabled only on ports that will not have switches connected (the port is connected to a host). If a switch were connected to a port configured with PortFast, a loop could occur that would not be detected. PortFast can be used to support DHCP: a host could send a DHCP request before the port is in the forwarding state, and the request would be dropped. command (interface configuration)
spanning-tree portfast

BPDU Guard, if a PortFast-enabled port receives a BPDU, BPDU Guard automatically disables the port. The port is put into the ErrDisable state; when this happens, the interface must be reset. (CNAP version: STP will put the port in the blocking state.) command
spanning-tree bpduguard enable

UplinkFast, when a designated port fails, a port with an alternate path to the root bridge is cycled through the listening and learning states and then the forwarding state. This can take 45 seconds or more. UplinkFast allows a blocked port to bypass the listening and learning states when the designated port fails, which lets the network recover in five seconds or less. This feature affects all VLANs. It also sets the bridge's priority to 49,512 to ensure that the switch will not become the root bridge (this is why UplinkFast should be configured only on access-layer switches: it changes the bridge's priority, which is usually unwanted on core / distribution layer switches). Command (enter the command not at the interface configuration level; this is a global configuration)
spanning-tree uplinkfast

BackboneFast, when a switch receives a BPDU advertising a less desirable root than the current one, it ignores it until the max_age value is exceeded (default 20 secs). If BackboneFast is used, it must be enabled on every switch in the network. command (global configuration)
spanning-tree backbonefast

STP works by ensuring that there is only one logical path to every destination and blocking any alternate path, which prevents loops. Traffic is prohibited from passing through the blocked link; this does not include BPDUs (Bridge Protocol Data Units). When one of the paths is down, the alternate path, if there is any, is taken to the forwarding state.

NOTES : if the main path is down, an alternate path is taken to the forwarding state. However, if the main path later comes up again, the alternate path is put back into the blocking state and the network uses the main path again to forward traffic.

STP uses the Spanning Tree Algorithm (STA).

Bridge ID contains a priority value, MAC address of the sending switch and an optional extended system ID.
- Bridge priority, 4 bits
- Extended System ID, 12 bits
- MAC address, 48 bits


Ports Role in STP (there are 4 roles):
- Root ports : ports with the best path (lowest cost) to the root bridge. Root ports forward traffic toward the root bridge. Only one root port exists per bridge (the root bridge has no root port). When more than one port has an equal path cost, the lowest port priority, or the lowest port ID if the port priorities are equal, determines which becomes the root port.
- Designated ports : ports that RECEIVE and forward frames to the root bridge. Designated ports also forward packets, but because there is only one designated port per segment, duplicate copies of a broadcast frame are discarded. Only one designated port is allowed per segment. If multiple switches exist on a segment, an election process determines which becomes the designated switch. All ports on the root bridge are designated ports. Path cost is the first criterion for deciding which switch has its port as the designated port; only if the path costs are equal is the Bridge ID used.
- Non-designated ports : all ports that are configured to be in the blocked state to prevent loops. They do not forward data frames and do not populate the MAC address table with source addresses.
- Disabled ports : a disabled port is a port that is administratively down. A disabled port does not participate in the spanning-tree process.


Port States (there are 5 states). Each switch port transitions through five states, governed by three BPDU timers :
- Blocking : receives and processes BPDUs and also sends BPDUs. Does not forward frames, does not learn MAC addresses. This port is a non-designated port.
- Listening : receives and processes BPDUs and also sends BPDUs informing adjacent switches that the port is preparing to participate in the active topology. Does not forward frames, does not learn MAC addresses.
- Learning : the port prepares to become active and learns MAC addresses.
- Forwarding : the port actively forwards traffic, is part of the topology, and also sends and receives BPDU frames.
- Disabled : an administratively down port.

Each BPDU contains the sending switch's ID and the root ID.
EVERY SWITCH ASSUMES THAT it is the root bridge when it first boots up.

When a switch receives a BPDU that has a lower root ID than the current one, it updates its information and sends the new BPDU to the other adjacent switches.

Path cost is the sum of all port costs passed through on the way to the root bridge. The BPDU carries the path cost, not the port cost, so the receiving switch just adds its own port cost to the received path cost to find the path cost to the root bridge via that port.

STA (Spanning Tree Algorithm) calculates the best path to the root bridge by summing the port costs along the way to the root bridge. Each port cost depends on the speed the port is operating at.
Default port costs are defined by the IEEE:
10 Gb/s : 2
1 Gb/s : 4
100 Mb/s: 19
10 Mb/s : 100

however, the port cost is configurable.
setting a port cost (at interface configuration level)
spanning-tree cost value
resetting a port cost
no spanning-tree cost


BPDU fields
The first 4 fields identify the protocol, version, message type and status flags.
The next 4 fields identify the root ID, the bridge ID, the path cost and the port ID.
The last 4 fields are the BPDU timers, which are:
-Message age : records the time since the root bridge originally generated the information that the current BPDU is derived from. Each time a BPDU is sent, the age field is incremented by 1. Eventually the switch discards the BPDU when the age field goes beyond the maximum age.
-Max age : the maximum time a switch port keeps the BPDU configuration; indicates when the current configuration should be deleted. Once the message age reaches the maximum age, the switch expires the current configuration and initiates a new election to determine a new root bridge, since it assumes that it has lost connection to the root. (default 20 secs, configurable from 6 to 40 secs).
-Hello time : the interval between bridge configuration messages. (default 2 secs, configurable from 1 to 10 secs).
-Forward delay : the time before a switch transitions to a new state after a topology change; the time a port spends in the listening and learning states. If configured too short, it is possible that not all links are ready to change state, and a temporary loop may occur. (default 15 secs, configurable from 4 to 30 secs).
ONLY THE SWITCH IN THE ROLE OF ROOT BRIDGE MAY SEND INFORMATION THROUGH THE TREE TO ADJUST THE TIMERS.


It is recommended not to adjust the timers directly. Instead you can adjust them by specifying the largest diameter (number of switch hops from one end of the network to the other; STP permits a maximum of 7) of your network.
spanning-tree vlan vlan-id root primary diameter value

value : the max diameter of your network
By entering this command, the STP timers are adjusted proportionally.

****************************
when STP is enabled (when switch boots), every switch port start from blocking state (which by default lasts for 20 secs) and moves to listening state after it decides that it's a root port or a designated port.
****************************

when a switch receives a BPDU. it compares the root ID in the BPDU with the local root ID. if the BPDU root ID is lower than the local one. it updates the local's root ID and path cost to the root. then it sends BPDU with the new root ID and path cost within its own BPDU.

Because STP needs to identify the VLAN (some STP environments run a separate STP instance per VLAN, such as PVST+), the 802.1D bridge ID is modified to add the extended system ID field (extended system ID = VLAN ID).
Bridge ID with extended system ID enabled:

| bridge priority | Extended System ID | MAC address |
|     4 bits      |      12 bits       |   48 bits   |

Extended system ID = VLAN ID. STP was in use before VLANs became common in network infrastructure; when VLANs became common, the extended system ID was added to tell which VLAN a BPDU is associated with.
Because the priority field is now only 4 bits, incrementing the bridge priority by 1 increments the bridge ID by 4096 (2^12). Therefore you set the bridge priority in multiples of 4096. (The bridge priority can be set from 1 to 65535.)

Methods to set Bridge ID of a switch (at global configuration level)
spanning-tree vlan vlan-id root primary

vlan-id : the VLAN ID for this spanning-tree configuration

Entering this command ensures that this switch will be the root bridge in the network (the bridge priority is set to 24576, or to the next value 4096 lower than the lowest bridge priority found in the network).

spanning-tree vlan vlan-id root secondary

This sets the bridge priority to 28672, so that this switch becomes the root bridge should the primary root fail, assuming that all other switches have the default priority value (32768).

spanning-tree vlan vlan-id priority value

value : a number in multiple of 4096
this will set the priority value of this switch to a predefined value.

Port priority is 128 by default. The port ID is simply the interface ID of the port on the switch (Fa0/1, Fa0/2, Fa0/3). For interface Fa0/1 the default port priority value is 128.1, for Fa0/2 it is 128.2.

setting port priority (at interface configuration level)
spanning-tree port-priority value

value : 0 - 240. in multiples of 16


***************
STP Convergence
***************
To make STP convergence easier to follow, the process is divided into three major steps.

The first step of STP convergence is to elect a root bridge. (The root bridge is the centre of all path cost calculations and leads to the assignment of the different port roles that prevent loops.)
-Electing the root bridge is done by comparing the root ID received in a BPDU with the switch's local root ID. If the root ID received in the BPDU is lower, the switch updates its local root ID and path cost with the BPDU's values. The switch's own BPDUs then advertise the new root ID to the other adjacent switches.

The next step is to set the port roles. The first role to be determined is the root port. EVERY SWITCH EXCEPT THE ROOT BRIDGE HAS A ROOT PORT. A root port is simply the port with the lowest path cost (path to the root bridge).
-Determining the root port is just a matter of comparing each port's path cost and choosing the port with the lowest cost. When more than one port has an equal cost (this can happen when a switch is attached to another switch with two physical connections, without EtherChannel configured), the port priority determines which becomes the root port.
Port roles are determined as soon as a BPDU announcing a new root ID or a redundant path is received (because the path cost is updated). Therefore a port's role may change multiple times before it finally settles after the root ID changes for the last time.

The next step is electing designated and non-designated ports. To finish creating a loop-free network, the remaining ports must be configured as designated or non-designated ports. Each segment can only have one designated port. All ports on the root bridge are designated ports.
-When more than one non-root port is connected to the same segment, the lowest path cost decides; only if the path costs are equal is the Bridge ID used. The losing port becomes the non-designated port and is put into the blocking state to prevent loops.
Determining designated and non-designated ports happens concurrently with the root election and the root port election. Therefore the port roles may change multiple times before the final root bridge is determined.

NOTE THAT WHEN A SWITCH BOOTS, ALL OF ITS PORTS ARE PUT INTO THE BLOCKING STATE FOR THE FIRST 20 SECS. You may therefore not see the port roles change (the LED colour of the port), because STP may converge in under 20 secs (in a network with a maximum diameter of 7).

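The bridge ID layout with the extended system ID, the root election and the root-port selection by path cost described in this and the previous section, as an added example (not Cisco code or IOS output; the topology, MAC addresses and priorities are constructed):

```python
"""Added example: bridge ID with extended system ID, root bridge election and root port
selection by path cost, following the STP notes. The topology is constructed sample data."""
from typing import Dict

# Default IEEE port costs from the notes: link speed in Mb/s -> cost
DEFAULT_PORT_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}


def bridge_id(priority: int, vlan_id: int, mac: str) -> int:
    """8-byte bridge ID: 4-bit priority, 12-bit extended system ID (the VLAN), 48-bit MAC.
    Only the top 4 bits of the 16-bit field hold the priority, which is why IOS takes the
    priority in multiples of 4096 (0..61440, an assumption about the accepted range)."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("vlan id out of range")
    mac_int = int(mac.replace(":", "").replace(".", ""), 16)
    return ((priority + vlan_id) << 48) | mac_int


# Constructed topology: switch -> {neighbor: link speed in Mb/s}
LINKS: Dict[str, Dict[str, int]] = {
    "SW1": {"SW2": 1_000, "SW3": 100},
    "SW2": {"SW1": 1_000, "SW3": 1_000},
    "SW3": {"SW1": 100, "SW2": 1_000},
}
# Constructed: name -> (priority, MAC). SW1 is configured as root primary (24576).
SWITCHES = {
    "SW1": (24576, "00:00:0c:aa:aa:01"),
    "SW2": (32768, "00:00:0c:aa:aa:02"),
    "SW3": (32768, "00:00:0c:aa:aa:03"),
}


def elect_root(vlan_id: int) -> str:
    """Lowest bridge ID wins: priority is compared first, MAC breaks ties, by construction."""
    return min(SWITCHES, key=lambda s: bridge_id(SWITCHES[s][0], vlan_id, SWITCHES[s][1]))


def path_costs_to_root(root: str) -> Dict[str, int]:
    """Lowest path cost from every switch to the root, i.e. the sum of port costs on the
    way. A BPDU carries the sender's path cost and the receiver adds its own port cost;
    running that rule to convergence is Dijkstra over the link costs."""
    cost = {root: 0}
    todo = [root]
    while todo:
        cur = min(todo, key=cost.__getitem__)
        todo.remove(cur)
        for nbr, speed in LINKS[cur].items():
            c = cost[cur] + DEFAULT_PORT_COST[speed]
            if c < cost.get(nbr, float("inf")):
                cost[nbr] = c
                todo.append(nbr)
    return cost


def root_ports(root: str) -> Dict[str, str]:
    """For each non-root switch, the neighbor reached through its root port: the port whose
    (neighbor's advertised path cost + this port's cost) is lowest. Equal costs would be
    broken by port priority / port ID in real STP; here the first candidate wins."""
    costs = path_costs_to_root(root)
    result = {}
    for sw, nbrs in LINKS.items():
        if sw == root:
            continue
        result[sw] = min(nbrs, key=lambda n: costs[n] + DEFAULT_PORT_COST[nbrs[n]])
    return result
```

With these values SW3 reaches the root through SW2 (cost 4 + 4 = 8) rather than over its direct 100 Mb/s link (cost 19), so the SW3 side of the SW1-SW3 link ends up as the blocked non-designated port.
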

*****************
Evolutions of STP
*****************
Cisco proprietary
- PVST, Per-VLAN Spanning Tree Protocol. Runs on the ISL trunking protocol. ISL treats each VLAN as a separate network, so it can load balance layer 2 traffic by forwarding some VLANs' traffic on one trunk link and other VLANs' on another. PVST has some proprietary extensions such as BackboneFast, UplinkFast and PortFast.
- PVST+, Per-VLAN Spanning Tree Protocol plus. Works much like PVST, but additionally supports the IEEE 802.1Q trunking protocol and adds some proprietary PortFast extensions, BPDU guard and root guard.
- rapid-PVST+, Rapid Per-VLAN Spanning Tree Protocol plus. Based on the IEEE 802.1w standard, which converges faster than STP (standard 802.1D). Supports the proprietary extensions.

IEEE standard
- RSTP, Rapid Spanning Tree Protocol (IEEE standard 802.1w). first published in 2001 as an evolution of STP (802.1D). it provides faster convergence and builds the behaviour of several cisco proprietary extensions (PortFast, UplinkFast, BackboneFast) into the standard. in 2004 IEEE incorporated RSTP into 802.1D, identified as IEEE 802.1D-2004. now when you hear STP, think of RSTP.
- MSTP, Multiple Spanning Tree Protocol (IEEE 802.1s). maps multiple vlans onto a single spanning-tree instance, reducing the number of running instances needed to support a large number of vlans. MSTP was inspired by the cisco proprietary MISTP (Multiple Instances of STP).


More Detail

PVST+
cisco developed PVST+ so that a network can run a separate STP instance for each vlan. therefore some links can be used to forward the traffic of some vlans while another link is used to forward the rest. this is achieved by choosing a different switch as the root bridge in each vlan. the price is that every STP instance sends its own BPDUs, so CPU load and trunk bandwidth used by STP grow with the number of vlans.
PVST+ is the default STP mode on the cisco Catalyst 2960 series.

RSTP
port states in RSTP: discarding, learning and forwarding. in a properly configured network, RSTP can converge in as little as a few hundred milliseconds. an alternate port can transition directly to forwarding without waiting for the whole network to converge. brief RSTP characteristics:
- the preferred protocol for preventing layer 2 loops. many of the differences from 802.1D were informed by cisco proprietary enhancements, for example every switch originates its own BPDUs (carrying its port role) toward its neighbours instead of only relaying the root's. it generally performs better than the earlier cisco proprietary versions.
- cisco proprietary enhancements to 802.1D such as UplinkFast and BackboneFast are not compatible with RSTP (their behaviour is already built in).
- much of the STP terminology remains in RSTP. the root election process stays the same. RSTP BPDUs use the same format as 802.1D BPDUs except that the protocol version is set to 2 and all 8 bits of the flags field are used. RSTP can fall back to 802.1D compatibility with legacy switches on a per-port basis.
- RSTP can actively confirm that a port may transition to the forwarding state (the proposal/agreement handshake) without the use of any timer.
- doesn't rely on the 802.1D timers for convergence (they are kept only as a fallback).

RSTP BPDU. every switch sends a BPDU every 2 secs (hello time). in RSTP a connection is considered lost when three consecutive BPDUs are missed on the link (6 secs), so failures are detected quickly. RSTP uses the 8-bit flags field differently from STP (bit 0 is the least significant bit):
- bit 0 is the topology change (TC) flag and bit 7 the topology change acknowledgement (TCA), as in 802.1D
- bit 1 (proposal) and bit 6 (agreement) are used by the proposal/agreement process (used for rapid convergence)
- bits 2 and 3 encode the port role
00 unknown port
01 alternate or backup port
10 root port
11 designated port
- bit 4 marks the port's state as learning
- bit 5 marks the port's state as forwarding
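a decoder for that BPDU layout, as an added example that is not part of the original notes. it parses the 36-byte RST BPDU (and the 35-byte 802.1D config BPDU), splits the flags field bit by bit as listed above, and adds the one check a practitioner wants when looking at BPDUs arriving on an access port: does the frame claim a root ID better than the root you chose on purpose? the sample frames are constructed by build_rst_bpdu(); the MAC addresses, priorities and port numbers in them are assumed.

```python
"""Decode an RST BPDU and its flags field (added example, not from the original notes).
Sample frames are constructed by build_rst_bpdu(); MACs, priorities and ports are assumed."""
import struct

# flags field of an RST BPDU (IEEE 802.1w); bit 0 is the least significant bit
FLAG_TC = 0x01          # bit 0: topology change
FLAG_PROPOSAL = 0x02    # bit 1: proposal
ROLE_MASK = 0x0C        # bits 2-3: port role
FLAG_LEARNING = 0x10    # bit 4: learning
FLAG_FORWARDING = 0x20  # bit 5: forwarding
FLAG_AGREEMENT = 0x40   # bit 6: agreement
FLAG_TCA = 0x80         # bit 7: topology change acknowledgement

PORT_ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}

# fixed part shared by 802.1D config BPDUs and RST BPDUs (35 bytes, network byte order)
BPDU_FMT = "!HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)


def decode_flags(flags):
    """split the 8-bit flags field into named booleans plus the port role"""
    return {
        "tc": bool(flags & FLAG_TC),
        "proposal": bool(flags & FLAG_PROPOSAL),
        "role": PORT_ROLES[(flags & ROLE_MASK) >> 2],
        "learning": bool(flags & FLAG_LEARNING),
        "forwarding": bool(flags & FLAG_FORWARDING),
        "agreement": bool(flags & FLAG_AGREEMENT),
        "tca": bool(flags & FLAG_TCA),
    }


def _bridge_id(raw):
    """8-byte bridge ID: 2-byte priority field (PVST+ carries the VLAN in its low 12 bits) + MAC"""
    return {"priority": int.from_bytes(raw[:2], "big"),
            "mac": ":".join(f"{b:02x}" for b in raw[2:])}


def parse_bpdu(data):
    """parse a config BPDU (version 0) or RST BPDU (version 2); raises ValueError on junk"""
    if len(data) < BPDU_LEN:
        raise ValueError("too short for a BPDU")
    (proto, version, bpdu_type, flags, root_raw, root_path_cost, bridge_raw, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack(BPDU_FMT, data[:BPDU_LEN])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    if version == 0 and bpdu_type == 0x00:
        kind = "config"
    elif version == 2 and bpdu_type == 0x02:
        kind = "rst"
        if len(data) < BPDU_LEN + 1:
            raise ValueError("RST BPDU is missing the version 1 length octet")
    else:
        raise ValueError(f"unsupported version/type {version}/{bpdu_type:#x}")
    return {
        "kind": kind,
        "version": version,
        "flags": decode_flags(flags),
        "root": _bridge_id(root_raw),
        "root_path_cost": root_path_cost,
        "bridge": _bridge_id(bridge_raw),
        # 802.1D-2004 splits the port ID into 4 priority bits and 12 port-number bits (IOS shows 128.1)
        "port_priority": (port_id >> 12) << 4,
        "port_number": port_id & 0x0FFF,
        # timers are carried in units of 1/256 second
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd_delay / 256,
    }


def is_superior_root(parsed, expected_priority, expected_mac):
    """True if the BPDU advertises a root ID lower (better) than the root you configured"""
    claimed = (parsed["root"]["priority"], parsed["root"]["mac"].replace(":", ""))
    return claimed < (expected_priority, expected_mac.replace(":", "").lower())


def build_rst_bpdu(flags, root_prio, root_mac, root_path_cost, bridge_prio, bridge_mac,
                   port_id, max_age=20, hello=2, fwd_delay=15):
    """construct a 36-byte RST BPDU (version 2, type 0x02) as sample input"""
    root = struct.pack("!H", root_prio) + bytes.fromhex(root_mac.replace(":", ""))
    bridge = struct.pack("!H", bridge_prio) + bytes.fromhex(bridge_mac.replace(":", ""))
    return struct.pack(BPDU_FMT + "B", 0, 2, 0x02, flags, root, root_path_cost, bridge,
                       port_id, 0, max_age * 256, hello * 256, fwd_delay * 256, 0)


if __name__ == "__main__":
    # 0x3c = designated role + learning + forwarding: what a stable designated port sends
    good = build_rst_bpdu(0x3C, 24576, "00:00:0c:00:cc:c1", 0, 24576, "00:00:0c:00:cc:c1", 0x8001)
    # 0x0e = proposal + designated role: a newly attached bridge claiming priority 0
    rogue = build_rst_bpdu(0x0E, 0, "00:00:00:00:00:01", 0, 0, "00:00:00:00:00:01", 0x8001)
    for frame in (good, rogue):
        p = parse_bpdu(frame)
        print(p["flags"], "superior root:", is_superior_root(p, 24576, "00:00:0c:00:cc:c1"))
```

the second sample is the shape of BPDU you do not want to see on an access port: a proposal from a bridge with priority 0, which would win the root election outright. that is the case BPDU guard and root guard exist for.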

RSTP's edge port is the equivalent of the cisco proprietary PortFast feature, but unlike PortFast, an edge port that receives a BPDU immediately loses its edge status and becomes a normal spanning-tree port (connecting an edge port to another switch can have negative implications for RSTP while it is in the sync state, because a temporary loop can result and the loop traffic can delay RSTP convergence by competing with BPDUs). an edge port is a port that
- will never have a switch connected to it.
- transitions immediately to forwarding.
an edge port is configured in cisco IOS by entering "spanning-tree portfast" on the interface, which makes the transition to RSTP seamless. note that portfast alone does not protect the port: a single BPDU received on it (from a rogue switch, or a host generating BPDUs) pulls the port back into the spanning tree and lets that device take part in the root election. on access ports pair portfast with BPDU guard, which err-disables the port on the first BPDU instead.


link types
point-to-point:
- attached to switch ports that are operating in full-duplex mode.
- the link connects to a single switch.
shared:
- attached to switch ports that are operating in half-duplex mode.
- the port is connected to shared media where multiple switches might exist (for example, interconnected by a hub).
the link type is derived from the duplex setting by default and can be overridden per port. edge ports and point-to-point links are candidates for rapid transition to the forwarding state. non-edge ports are categorised into the two link types, point-to-point and shared; edge ports are always treated as point-to-point links.

Port states. port roles and port states are different things; for example a designated port can be in the discarding state temporarily, even though its final state is forwarding. the RSTP port states are:
- discarding, seen both in a stable active topology and during topology synchronisation and changes. this state prevents the forwarding of data frames.
- learning, seen both in a stable active topology and during topology synchronisation and changes. this state accepts data frames to populate the MAC table, in an effort to limit flooding of unknown unicast frames.
- forwarding, only seen in a stable active topology.

STP and RSTP port state association
STP            RSTP
blocking       discarding
listening      discarding
learning       learning
forwarding     forwarding
disabled       discarding


Port roles. port roles and port states can transition independently. the RSTP port roles are:
- root port, every non-root bridge has exactly one root port. root ports assume the forwarding state in a stable active topology. the root port is the chosen path to the root bridge.
- designated port, every segment has one and only one designated port. designated ports assume the forwarding state in a stable active topology. the designated port forwards frames from the segment toward the root bridge.
- alternate port, alternate ports assume the discarding state in a stable active topology. an alternate port is a non-designated port on a non-root switch that offers an alternate path to the root; it takes over as root port if the current root port fails. (the related backup port role is a redundant connection to the same shared segment; it backs up a designated port.)


RSTP speeds up the recalculation after a topology change because it converges link by link and doesn't rely on timers expiring before a port can transition. rapid transition can only be achieved on edge ports and point-to-point links.
RSTP converges with a proposal and agreement process. a switch that wants to bring a designated port to forwarding sends a BPDU with the proposal bit set. if the receiving switch sees a better path to the root, it synchronises (during synchronisation all of its non-edge designated ports are blocked) and replies with a BPDU with the agreement bit set; the proposing port then transitions to forwarding immediately, and the same handshake repeats downstream on the newly blocked ports.


Rapid PVST+
rapid PVST+ is the cisco implementation of RSTP. it runs a separate rapid spanning-tree instance per vlan, for use in cisco-based networks.
a spanning-tree instance is created when an interface is assigned to a vlan and is removed when the last interface is moved to another vlan.

the Cisco 2960 switch supports PVST+, rapid PVST+ and MSTP, but only one version can be active for all vlans at any time.

to configure the STP mode on a switch, use the global configuration command
spanning-tree mode rapid-pvst
the command sets the running STP protocol to rapid PVST+.

to set the link type of a port (interface configuration)
spanning-tree link-type type

type : the type you specify for the link, point-to-point or shared.


to restart protocol migration on all ports (for example after moving from PVST+ to rapid PVST+, so that ports which detected a legacy 802.1D neighbour re-check whether it now speaks RSTP)
clear spanning-tree detected-protocols


some tips:
- don't leave it up to STP to choose the root bridge. usually you can figure out the best root bridge for each vlan. generally choose the most powerful switch at the centre of the network or near the servers, so you reduce the hop count for the clients reaching the servers.
- prune any vlan you don't need off your trunks.
- know your redundant links and the blocked links. reduce the number of ports blocked by STP (by physically removing links from ports) to only those needed for redundancy.
- keep STP alive. STP is not very processor-intensive and doesn't significantly reduce the available bandwidth. if a technician makes a connection error on the patch panel while STP is disabled, the network can be brought down.
- keep data traffic off the management vlan. usually a switch has an IP address associated with the management vlan, so that the network administrator can connect to the switch remotely.
- segment the bridging domains using high-speed layer 3 switches.


Inter-VLAN Routing

a VLAN creates a logical broadcast domain, so hosts on different vlans cannot communicate with each other directly. for those hosts to communicate, their traffic must be routed.


***********************
Inter-vlan routing ways
***********************
in the traditional way, a switch is physically connected to a router with several physical connections, and each connection is assigned to one vlan, giving the router the ability to receive each vlan's traffic and route it out of the interface of another vlan (each vlan is associated with a subnet).
configuring the router is simply a matter of adding physical interfaces between the router and the switch and giving each the ip address that is the default gateway of its vlan. each physical router interface is connected to an access port on the switch.
this way is limited by the number of ports available on the switch and router as the number of vlans increases.


newer router software permits configuring an interface as a trunk link and creating subinterfaces of the physical interface, each subinterface associated with one vlan. this permits a single physical connection to the switch while still being able to route inter-vlan traffic (this is usually called router-on-a-stick).
functionally, router-on-a-stick is the same as traditional inter-vlan routing, but instead of multiple physical interfaces it uses the combination of a trunk link and several subinterfaces. each subinterface must be told which vlan it serves (using the command "encapsulation dot1q vlan-id").
because a single physical connection is shared by many vlans, the bandwidth used for inter-vlan traffic is shared among all the vlans.

some switches are able to do layer 3 switching, replacing the need for a router to perform basic routing. a layer 3 switch uses Switched Virtual Interfaces (SVIs), each SVI associated with a different vlan, giving it the ability to route between vlans without any external connection (an SVI behaves much like a layer 3 physical interface).



***********
Configuring
***********
Traditional way
configure the switch ports: configure each switch port connected to the router as an access port, a different vlan on each connection.
add the corresponding default gateway ip address of each vlan on each physical router interface (you don't need to configure the vlan id the interface is working on; the access port does that).


Router-on-a-stick
you must configure the switch port connecting to the router as a trunk link. you cannot use the switchport mode dynamic auto or switchport mode dynamic desirable commands, because the router does not support the Dynamic Trunking Protocol (DTP).
at the router, you don't give an ip address to the physical interface, just perform no shutdown on it. you assign the ip addresses on the subinterfaces, and remember to specify which vlan each subinterface serves by entering the command "encapsulation dot1q vlan-id" (this command is for subinterfaces only), where vlan-id is the id of the vlan. you don't have to perform "no shutdown" on each subinterface; all subinterfaces are enabled when the physical interface is enabled.
