Query

serial <= 2.048 kb/s - WFQ

other default - FIFO

EAP

WEP

■ A lack of mutual authentication makes WEP vulnerable to rogue access points.

■ Usage of static keys makes WEP vulnerable to dictionary attacks.

■ Even with use of initialization vector (IV), attackers can deduct WEP keys by capturing

enough data.

■ Configuring clients with the static WEP keys is nonscalable.

LEAP

■ Following are the benefits of LEAP over the basic 802.11 (WEP):

■ Server-based authentication (leveraging 802.1x) using passwords, one-time tokens,

public key infrastructure (PKI) certificates, or machine IDs

■ Usage of dynamic WEP keys (also called session keys) through reauthenticating the user

periodically and negotiating a new WEP key each time (Cisco Key Integrity Protocol or

CKIP)

■ Mutual authentication between the wireless client and the RADIUS server

■ Usage of Cisco Message Integrity Check (CMIC) to protect against inductive WEP

attacks and replays

WPA

■ Authenticated key management—WPA performs authentication using either IEEE 802.1x

or preshared key (PSK) prior to the key management phase.

■ Unicast and broadcast key management—After successful user authentication, message

integrity and encryption keys are derived, distributed, validated, and stored on the client and

the AP

■ Utilization of TKIP and MIC—Temporal Key Integrity Protocol (TKIP) and Message

Integrity Check (MIC) are both elements of the WPA standard and they secure a system

against WEP vulnerabilities such as intrusive attacks.

■ Initialization vector space expansion—WPA provides per-packet keying (PPK) via

initialization vector (IV) hashing and broadcast key rotation. The IV is expanded from 24 bits

(as in 802.11 WEP) to 48 bits.

WPA2

■ AES

■ more CPU-intensive than WPA mostly because of the usage of AES

EAP-FAST

■ Supports Windows single sign-on for Cisco Aironet clients and Cisco-compatible clients

■ Does not use certificates or require Public Key Infrastructure (PKI) support on client

devices

■ Provides for a seamless migration from Cisco LEAP

■ Provides full support for 802.11i, 802.1x, TKIP, and AES

■ Supports password expiration or change (Microsoft password change)

■ EAP-TLS uses the Transport Layer Security (TLS) protocol.

■ EAP-TLS uses Public Key Infrastructure (PKI).

■ EAP-TLS is one of the original EAP authentication methods, and it is used in many

environments.

■ The supported clients for EAP-TLS include Microsoft Windows 2000, XP, and CE, plus

non-Windows platforms with third-party supplicants, such as Meetinghouse.

■ One of the advantages of Cisco and Microsoft implementation of EAP-TLS is that it is

possible to tie the Microsoft credentials of the user to the certificate of that user in a

Microsoft database, which permits a single logon to a Microsoft domain.

PEAP

■ PEAP was developed by Cisco Systems, Microsoft, and RSA Security to the IETF.

■ With PEAP, only the server authentication is performed using PKI certificate.

■ PEAP works in two phases. In Phase 1, server-side authentication is performed and an

encrypted tunnel (TLS) is created. In Phase 2, the client is authenticated using either EAP-

GTC or EAP-MSCHAPv2 within the TLS tunnel.

■ PEAP-MSCHAPv2 supports single sign-on, but Cisco PEAP-GTC supplicant does not

support single logon

Wireless

Autonomous APs— WLSE + WDS

WLSE - centralized configuration, monitoring, and management

WDS -radio monitoring and management communication between the autonomous APs and

CiscoWorks WLSE

LWAP - WLC (controllers) + WCS

WLSE

■ Configuration—One CiscoWorks WLSE console supports up to 2500 APs. Configuration

changes can be performed in mass, individually, or in defined groups as desired or on a

schedule time. All Cisco Aironet APs are supported.

■ Fault and policy monitoring—WLSE monitors device faults and performance threshold

conditions

■ Reporting—WLSE provides the capability to e-mail, print, and export reports. Client,

device, and security information can all be tracked and reported.

■ Firmware—WLSE performs centralized firmware upgrades. Upgrades can be done in mass,

individually, or in defined groups as desired or on a scheduled time.

■ Radio management—WLSE assists in management of the WLAN radio environment. Radio

management features include parameter generation, network status, and reports.

■ Deployment wizard—WLSE provides a deployment wizard that discovers, uploads

configurations, and manages all deployed AP

WCS has three versions:

■ WCS Base

■ WCS Location

■ WCS Location + 2700 Series Wireless Location Appliance

■ Configuration for controllers and managed APs using customer-defined templates

■ Status and alarm monitoring of all managed devices with automated and manual client

monitoring and control functions

■ Automated monitoring of rogue APs, coverage holes, security violations, controllers, and APs

■ Event log information for data clients, rogue APs, coverage holes, security violations,

controllers, and APs

■ Automatic channel and power level assignment using radio resource management (RRM)

■ User-defined audit status, missed trap polling, configuration backups, and policy cleanups

IPT basics

Signaling protocols

1) H.323 - ITU standart

2) MGCP - IETF st

3) SIP - IETF st

Regardless of the signaling

protocol used, a phone call has three main stages:

• call setup
• call maintenance
• call teardown.

1) Call setup

During call setup, the destination telephone number must be resolved to an IP address, where the

call request message must be sent; this is called call routing. Call admission control (CAC) is an

optional step that determines whether the network has sufficient bandwidth for the call. If bandwidth

is inadequate, CAC sends a message to the initiator indicating that the call cannot get through

because of insufficient resources. (The caller usually hears a fast busy tone.)

If call routing and CAC succeed, a call request message is sent toward the destination. If the

destination is not busy and it accepts the call, some parameters for the call must be negotiated

before voice communication begins. Following are a few of the important parameters that must be

negotiated:

■ The IP addresses to be used as the destination and source of the VoIP packets between the call

end points

■ The destination and source User Datagram Protocol (UDP) port numbers that the RTP uses at

each call end point

■ The compression algorithm (codec) to be used for the call; for example, whether G.729,

G.711, or another standard will be used

2) Call maintenance

Call maintenance collects statistics such as packets exchanged, packets lost, end-to-end delay, and

jitter during the VoIP call. The end points (devices such as IP phones) that collect this information

can locally analyze this data and display the call quality information upon request, or they can

submit the results to another device for centralized data analysis.

3)Call teardown

is simply "hanging up" and sending appropriate notification to the other end point and any control devices so that the resources can be made free.

Analog-to-digital conversion involves four major steps:

1. Sampling

2. Quantization

3. Encoding

4. Compression (optional)

Cisco IPS/IDS

ISR Built-in NIPS config

Step 1 Specify the location of the SDF—Various SDFs can exist in the Cisco IOS

device, but only one can be referenced.

! step 1 – define the location of the SDF

Router(config)#ip ips sdf ?

builtin Use the built in signature definition file

location Location of the signature definition file

Step 2 Configure the failure parameter—This tells the Cisco IOS device what

to do if the signature microengine (SME) is not available to scan the traffic.

! step 2 – define the behavior if an SME fails

Router(config)#ip ips fail ?

closed Do not forward traffic of the failed module.

Router(config)#ip ips fail closed

Step 3 Create an IPS rule—This creates a name that is later applied to an interface.

The rule uses the SDF previously defined. Optionally, an access control list

(ACL) can be applied to restrict which traffic is scanned.

! step 3 – create an IPS rule, and optionally apply an ACL

Router(config)#ip ips name ?

WORD Name of IPS rule

Router(config)#ip ips name testips ?

list Specify an access list to match

Router(config)#ip ips name testips list 123

Step 4 Apply the IPS rule to an interface—Once the rule has been created, it must

be applied to an interface to become operational.

! step 4 – apply the IPS rule to

Router(config)#interface fastethernet 0/0

Router(config-if)#ip ips testips ?

in Inbound IPS

out Outbound IPS

Router(config-if)#ip ips testips in

Router(config-if)#

Additional config

VPN Statefull

IPsec stateful failover uses two protocols for proper and continual operation: 

■ HSRP—Monitors both the inside and outside interfaces. If either goes down, the entire router 

is deemed unworthy and ownership of the IKE and IPsec SA processes is passed to the 

standby router. When this transition occurs, the standby router becomes the active HSRP 

router.

■ Stateful Switchover (SSO)—Shares the IKE and IPsec SA information between the active 

and backup routers. At any time, either router knows enough to be the active IPsec VPN 

router.

There are some limitations/restrictions: 

■ Both the active and standby devices must run an identical Cisco IOS release.

■ The active and standby devices must be connected via LAN ports, either directly or through 

a switch. WAN interfaces are not supported.

■ Both the inside and outside interfaces must be connected via LAN ports.

■ Only “box-to-box” failover is supported. Intrachassis (card-to-card) failover is not currently 

supported.

■ Load balancing is not supported. Only one device in a redundancy group can be active at any 

time.

■ IKE keepalive messages are not supported. DPD and periodic DPD are supported.

■ Stateful failover of Layer 2 Tunneling Protocol (L2TP) is not supported.

■ IPsec idle timers are not supported.

Router C:

crypto dynamic-map from-remote 10

 set transform-set trans1

 reverse-route

!

crypto map central-office 10 ipsec-isakmp dynamic from-remote

!

interface fastethernet 1/0

 ip address 172.20.1.1 255.255.255.0

 standby 1 ip 172.20.1.5

 standby 1 priority 150

 standby 1 preempt

 standby 1 name vpn-remote

 crypto map central-office redundancy vpn-remote stateful

!

redundancy inter-device

 scheme standby vpn-remote

!

ipc zone default

 association 1

 protocol sctp

  local-port 12321

 local-ip 10.20.1.1

 retransmit-timeout 300 10000

 path-retransmit 10

 assoc-retransmit 20

  remote-port 12321

 remote-ip 10.20.1.2

MPLS VPN Overview

RD - Route Distiguisher - определяет принадлежность роутов к vrf instatnce. 64-bit value

RT - Route Target - позволяет нескольким клиентам с разными RD взаимодействовать. Можно определить какие роуты будут импортироваться или экспортироваться в зону с другим RD

PPPoE config

int dialer 1

(config-if)#ip mtu 1492 --- PPPoE adds 8 bytes header

(config-if)#ip address negotiate

(config-if)#encapsulation ppp

(config-if)#ppp authentication pap (chap) callin -- callin - one-way auth. ISP wants us to sent our credentials

but don't want to auth itself

Теперь надо привязать виртуальный dialer 1 к физическому интерфейсу через dialer-pool

(config-if)#dialer-pool 1

int fa 4

(config-if)#pppoe enable

(config-if)#pppoe-client dial-pool-number 1

IPv6 Translation

Translation is a different type of solution, allowing IPv6 devices to communicate with IPv4
devices, without requiring either to be dual stack.

Stateless IP/ICMP Translation (SIIT) translates IP header fields, and NAT Protocol Translation (NAT-PT) maps IPv6 addresses to IPv4 addresses. If IPv6 is used on the inside of a network and IPv4 is used on the outside, a NAT-PT device receives IPv6 traffic on its inside interface and replaces the IPv6 header with an IPv4 header before sending it to an outside interface. Reply traffic follows the mapping backwards, enabling two-way communication.
Good NAT implementations interpret application traffic and understand when IP information is included in the application data; NAT-PT inherits this capability. For example, DNS packets
include IP addresses; therefore, NAT-PT must recognize DNS traffic and change the IPv4
addresses into IPv6 addresses, and vice-versa.
IPv4 and IPv6 routing domains can also be connected using application-level gateways (ALG) or proxies. A proxy intercepts traffic and converts between the two protocols; it can increase the transmission speed by responding to some requests using information in its cache. A separate ALG is required to support each protocol, so this method only solves specific types of translation problems.

IPv6 tunneling

1) Manual
2) 6to4
3) Teredo
4) ISATAP

Manual

Example configuration:

Router(config)# interface tunnel0
Router(config-if)# ipv6 address 2001:0:1:5::1/64
Router(config-if)# tunnel source 192.168.1.1
Router(config-if)# tunnel destination 192.168.2.1
Router(config-if)# tunnel mode ipv6ip

6-to-4 Tunnels

6-to-4 tunnels work similar to manual tunnels but are set up automatically.6-to-4 tunnels concatenate 2002::/16 with the 32-bit IPv4 address of the edge router, creating a 48-bit prefix.

Ex: The tunnel interface on Router A has
an IPv6 prefix of 2002:C0A8:501::/48, where C0A8:501 is the hexadecimal equivalent of
192.168.5.1, the IPv4 address of its interface in the IPv4 network.

Teredo
Another type of tunnel is called Teredo (also known as shipworm). Teredo encapsulates IPv6
packets in IPv4/UDP segments and works similarly to other tunnels but with the added benefit of
being able to traverse network address translation (NAT) devices and firewalls. Teredo is described
in RFC 4380, Teredo: Tunneling IPv6 over UDP through Network Address Translations (NAT).

ISATAP
ISATAP treats the IPv4 network as an NBMA network and allows an IPv4 private network to
incrementally implement IPv6 without upgrading the network. ISATAP is documented in RFC
4214, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP).

Route Maps

■ Each route map statement has permit or deny permission. Traffic that matches a permit is 

affected by the route map. Traffic that matches a deny, or does not find a match in the list, is 

not affected by the route map.

■ Traffic that is not explicitly permitted is implicitly denied.

■ Each route map statement has zero or more match conditions. A statement without a match 

applies to all traffic (like the any option in an access list). 

Route Redistribution

It is important to consider the following rules when redistributing between IP routing protocols:

■ If more than one routing protocol is running on a router, the routing table process will place
the route with the best administrative distance into the routing table.
■ Routing protocols can only redistribute routes they know. Thus, if RIP is being redistributed
into EIGRP, the routing table must have an entry for the RIP network.
■ When a route is redistributed, it inherits the default administrative distance of the new routing
protocol.
■ Redistributed routes are called external. External routes in EIGRP are given a different
(higher) AD, while OSPF tracks the route as external and prefers internal routes.

Potential problems:

■ Routing loops because routers send routing information received from one autonomous 

system back into the same autonomous system.

■ Suboptimal routing decisions are made because of the difference in routing metrics. 

■ The convergence time increases because of the different technologies involved. If the routing 

protocols converge at different rates, this might result in timeouts and the temporary loss of 

networks.

■ The decision-making process and the information sent within the protocols might be 

incompatible and not easily exchanged, leading to errors and complex configuration.

Control Methods:

■ Passive interfaces

■ Static routes

■ Default routes

■ The null interface

■ Distribute lists

■ Route maps

Route-maps

IPv6 basics

IPv6 address format
-8 groups, 4 hex (16 each: 2001:0db8:0000:0000:0000:0000:1428:57ab
-::1/128 - loopback address
Address types
1)Link-local scope - адреса для коннективити внутри L2-домена только. Аналог 169.254.x.x в Windows. Позволяет обмен трафика без настроек внутри сабнета по IP.
-Генерится автоматом при включении хоста.
-Всегда начинается с FE80 (1111 1110 1000), потом 54 bit нулей и последние 64 bit - MAC address c внедренным внутри "FFFE" (Ex: 0019.D122.DCF3 ---> 0019.D1FF.FE22.DCF3 ).
MAC адрес преобразованный таким образом называется EUI-64 (Extended Universal Identifier 64-bit) и служит Interface ID

2) Unique/ Site-local scope - аналог private subnets. Внутренние адреса организации. Depricated ?
3) Global - глобальные адреса.


Address optimization rules:

1) Можно убирать нули идущие подряд
2001:0db8:0000:0000:0000:0000:1428:57ab
2001:0db8:0:0:0:0:1428:57ab
2001:0db8::1428:57ab
NOTE! Символ :: нормально интерпретируется только один раз. Тоесть нельзя полностью убрать нули в двух разделенных другими символами октетах !NOTE

2) Можно убирать ведущие нули
2001:0db8::1428:57ab
2001:db8::1428:57ab

Communication types
1) Unicast - one-to-one, same as IPv4
2) Multicast - same as IPv4, but broadcast now is a kind of multicast group "to all"
3) Anycast - one-to-closest. Фактически встроенный load-balancing. Можно назначить один адрес многим устройствам аля "виртуальный ip в hsrp " и отвечать будет ближайший к клиенту.

IPv6 configuration

(config)#ipv6 unicast-routing
(config)#ipv6 cef
(config-if)# ipv6 address [address]/[prefix] [eui-64]

The eui-64 parameter causes the router to complete the lower order 64 bits of the address using an extended universal identifier 64-bit (EUI-64) format interface ID

Multicast basics

quick facts

-udp only

-224.0.0.0 - 239.255.255.255

|Client| -------|Switch|----------|Router|------|Internet|------|multicast server|

IGMP используется  для организации подписки клиента к мультикаст группе. Служит своего рода source based routing protocol, для нахождения лучшего пути к источнику "вещания" ( например серверу видео stream)

Существует IGMPv3, наиболее используемым является IGMPv2

Если свитч не сконфигурирован для multicast, то по умолчанию он обрабатывает multicast traffic как броадкаст, тоесть рассылает всем.

Есть два метода поддержки multicast свитчом

1) Cisco Group Managment Protocol (CGMP) - cisco proprietary. Роутер по протоколу CGMP сообщает L2-свитчу, для каких маков пересылать трафик

2)IGMP snooping - Стандарт.Фактически весь функционал поддержки multicast переносится на свитч. Необходим L3 свитч. Если клиентов много, может создать сильную нагрузку на свитч.