network training ppt1

Upload: minarvi

Post on 03-Apr-2018


TRANSCRIPT

  • 7/28/2019 Network Training Ppt1

    1/277

    2002, Cisco Systems, Inc. All rights reserved. 1

    Wide-Area Networking Review

WAN Overview

WANs connect remote sites.

Connection requirements vary depending on user requirements, cost, and availability.


    WAN Connection Types: Layer 1

Interfacing Between WAN Service Providers

The provider assigns the connection parameters to the subscriber.


    Serial Point-to-Point Connections

Typical WAN Encapsulation Protocols: Layer 2

Summary

A WAN makes data connections across a broad geographic area so that information can be exchanged between distant sites.

Some of the WAN connection types available are leased line, circuit-switched, and packet-switched.

Cisco routers support the EIA/TIA-232, EIA/TIA-449, V.35, X.21, and EIA/TIA-530 standards for serial connections.

To encapsulate data for crossing a WAN link, you can choose from a variety of Layer 2 protocols, including HDLC, PPP, SLIP, X.25/LAPB, Frame Relay, and ATM.

Configuring Serial Point-to-Point Encapsulation

Objectives

Upon completing this lesson, you will be able to:

Use Cisco IOS commands to configure serial interfaces using HDLC and PPP encapsulation for leased-line connections, given a functioning router

Use show commands to identify anomalies in HDLC and PPP encapsulation for leased-line connections, given an operational router

Use debug commands to identify events and anomalies in PPP configuration for leased-line connections, given an operational router

HDLC Frame Format

Standard HDLC supports only single-protocol environments.

Cisco HDLC adds a proprietary type field to the frame to support multiprotocol environments, so Cisco HDLC interoperates only with devices that understand that field.

Configuring HDLC Encapsulation

Router(config-if)#encapsulation hdlc

Enables HDLC encapsulation. HDLC is the default encapsulation on synchronous serial interfaces, so the command is only needed to revert from another encapsulation.

An Overview of PPP

PPP can carry packets from several protocol suites using NCP.

PPP controls the setup of several link options using LCP.


    Layering PPP Elements

    PPP: A data link with network layer services


    PPP LCP Configuration Options

PPP Session Establishment

Two PPP authentication protocols: PAP and CHAP.

PPP Authentication Protocols

PAP: passwords are sent in clear text across the link, and the peer is in control of the frequency and timing of its login attempts.

CHAP: the authenticator sends a random challenge and the peer answers with a hash of the challenge and the shared secret, so the secret itself never crosses the link and the authenticator controls when authentication happens.


Configuring PPP and Authentication Overview

Configuring PPP

Router(config-if)#encapsulation ppp

Enables PPP encapsulation

Configuring PPP Authentication

Router(config)#hostname name

Assigns a host name to your router; this is the name the router presents as its CHAP identity.

Router(config)#username name password password

Identifies the username (the remote router's host name) and password of the remote router. For two-way CHAP the password must be the same on both routers.

Configuring PPP Authentication (Cont.)

Router(config-if)#ppp authentication {chap | chap pap | pap chap | pap}

Enables PAP and/or CHAP authentication; with two methods listed, the second is tried only if the peer refuses the first.

CHAP Configuration Example
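The handshake that `ppp authentication chap` sets up, modelled end to end. This is an added example, not IOS code and not part of the original deck; the router names, the shared secret, and the packet field names are made up for the illustration. It shows why the deck prefers CHAP over PAP (the secret never crosses the link, the authenticator controls the attempts, a replayed response fails) and also the caveat CHAP does not remove: a captured challenge/response pair can be attacked offline if the shared secret is guessable.

```python
"""Three-way CHAP handshake (RFC 1994, MD5) and PAP, modelled in Python.

Added example for this page; not IOS code. Router names and the shared secret
are made up. The model follows what `hostname`, `username <peer> password
<secret>` and `ppp authentication chap` set up: each router challenges the
other, and the secret itself never crosses the link.
"""
import hashlib
import hmac
import os
from typing import Optional

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2   # CHAP packet codes (RFC 1994)
PAP_AUTH_REQUEST = 1                   # PAP Authenticate-Request (RFC 1334)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || Secret || Challenge Value)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class PppRouter:
    """One PPP peer. `name` is its hostname (sent in the CHAP Name field);
    `peers` is its `username <name> password <secret>` table."""

    def __init__(self, name: str, peers: dict, rng=os.urandom):
        self.name = name
        self.peers = {n: s.encode() for n, s in peers.items()}
        self.rng = rng                 # injectable so tests are deterministic
        self.ident = 0
        self.outstanding = {}          # ident -> challenge value we sent

    # authenticator side
    def challenge(self) -> dict:
        self.ident = (self.ident + 1) & 0xFF
        value = self.rng(16)           # fresh random value for every attempt
        self.outstanding[self.ident] = value
        return {"code": CHAP_CHALLENGE, "id": self.ident,
                "value": value, "name": self.name}

    def verify(self, resp: dict) -> bool:
        # pop: a replayed Response for the same Identifier cannot succeed twice
        chal = self.outstanding.pop(resp.get("id"), None)
        secret = self.peers.get(resp.get("name"))
        if chal is None or secret is None or resp.get("code") != CHAP_RESPONSE:
            return False
        expected = chap_response(resp["id"], secret, chal)
        return hmac.compare_digest(expected, resp["value"])

    # peer side
    def respond(self, chal: dict) -> dict:
        # The secret is looked up by the authenticator's name, as IOS does with
        # the username table, so both routers must hold the same secret.
        secret = self.peers.get(chal["name"], b"")
        return {"code": CHAP_RESPONSE, "id": chal["id"],
                "value": chap_response(chal["id"], secret, chal["value"]),
                "name": self.name}

    def pap_request(self, authenticator_name: str) -> dict:
        """PAP sends the secret itself; anyone sniffing the link reads it."""
        return {"code": PAP_AUTH_REQUEST, "name": self.name,
                "password": self.peers.get(authenticator_name, b"")}

    def pap_verify(self, req: dict) -> bool:
        stored = self.peers.get(req["name"])
        return stored is not None and hmac.compare_digest(stored, req["password"])


def chap_authenticate(authenticator: PppRouter, peer: PppRouter) -> bool:
    """One direction of the handshake; two-way CHAP runs it in both directions."""
    return authenticator.verify(peer.respond(authenticator.challenge()))


def offline_guess(chal: dict, resp: dict, wordlist) -> Optional[str]:
    """What a sniffer can still do with a captured Challenge/Response pair:
    guess the secret offline. CHAP only protects a secret that is not guessable."""
    for word in wordlist:
        if chap_response(resp["id"], word.encode(), chal["value"]) == resp["value"]:
            return word
    return None
```

Run `chap_authenticate(a, b)` and `chap_authenticate(b, a)` for two-way CHAP; `offline_guess` is there to make the point that the `username ... password` secret must be long and random, because MD5 over a short secret is cheap to brute-force from one captured exchange.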

Verifying the HDLC and PPP Encapsulation Configuration

Router#show interface s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP
Last input 00:00:05, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
38021 packets input, 5656110 bytes, 0 no buffer
Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
38097 packets output, 2135697 bytes, 0 underruns
0 output errors, 0 collisions, 6045 interface resets
0 output buffer failures, 0 output buffers swapped out
482 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up

"LCP Open" and "Open: IPCP, CDPCP" are the lines that confirm PPP negotiated the link and the network-layer protocols; "Encapsulation PPP" alone only shows what was configured.

Verifying PPP Authentication

debug ppp authentication shows successful CHAP output.

Summary

HDLC is the Cisco default data-link layer protocol for encapsulating data on synchronous serial data links.

PPP encapsulates network layer protocol information over point-to-point links.

Configurable aspects of PPP include methods of authentication, compression, and error detection, as well as whether or not multilink is supported.

PPP session establishment progresses through three phases: link establishment, authentication, and network layer protocol.

Summary (Cont.)

When configuring PPP authentication, you can select PAP or CHAP. In general, CHAP is the preferred protocol.

You enable PPP with the encapsulation ppp command and PPP authentication with the ppp authentication command.

Use the show interface command to verify proper configuration of PPP encapsulation.

The debug ppp authentication command displays the authentication exchange sequence.

Establishing Frame Relay Connections

Frame Relay Overview

Objectives

Upon completing this lesson, you will be able to:

Describe the features and operation of a Frame Relay network

Define important Frame Relay terms including local access rate, virtual circuit, PVC, SVC, DLCI, CIR, InARP, LMI, FECN, and BECN

Frame Relay Overview

Connections are made by virtual circuits.

Frame Relay is a connection-oriented service.

Frame Relay Stack

OSI Reference Model                              Frame Relay
Application, Presentation, Session, Transport    (not addressed by Frame Relay)
Network                                          IP/IPX/AppleTalk, etc.
Data-Link                                        Frame Relay
Physical                                         EIA/TIA-232, EIA/TIA-449, V.35, X.21, EIA/TIA-530


    Frame Relay Terminology

Selecting a Frame Relay Topology

Frame Relay default: nonbroadcast multiaccess (NBMA)

Reachability Issues with Routing Updates

Problem: Broadcast traffic must be replicated for each active connection.

The split-horizon rule prevents routing updates received on one interface from being forwarded out the same interface.

Resolving Reachability Issues

Split horizon can cause problems in NBMA environments.

Subinterfaces can resolve split-horizon issues.

Solution: A single physical interface simulates multiple logical interfaces.

Frame Relay Address Mapping

Use LMI to get the locally significant DLCI from the Frame Relay switch.

Use Inverse ARP to map the local DLCI to the remote router's network layer address.

Frame Relay Signaling

Cisco supports three LMI standards:

Cisco

ANSI T1.617 Annex D

ITU-T Q.933 Annex A

Frame Relay Inverse ARP and LMI Signaling

Stages of Inverse ARP and LMI Operation

How Service Providers Map Frame Relay DLCIs: Service Provider View

How Service Providers Map Frame Relay DLCIs: Enterprise View

Service Provider Frame Relay-to-ATM Interworking

FRF.8 Service Interworking

Summary

Frame Relay is an ITU-T and ANSI standard that defines the process for sending data over a public data network.

The core aspects of Frame Relay function at the lower two layers of the OSI reference model.

Knowing the terms that are used frequently when discussing Frame Relay is important to understanding the operation and configuration of Frame Relay services.

Frame Relay allows you to interconnect your remote sites in a variety of topologies including star, full mesh, and partial mesh.

A Frame Relay NBMA topology may cause routing update reachability issues, which are solved by using subinterfaces.

Summary (Cont.)

A Frame Relay connection requires that, on a VC, the local DLCI be mapped to a destination network layer address such as an IP address.

LMI is a signaling standard between the router and the Frame Relay switch that is responsible for managing the connection and maintaining status between the devices.

Service providers map Frame Relay DLCIs so that DLCIs with local significance appear at each end of a Frame Relay connection.

FRF.5 provides network interworking functionality that allows Frame Relay end users to communicate over an intermediate ATM network that supports FRF.5. FRF.8 provides service interworking functionality that allows a Frame Relay end user to communicate with an ATM

Configuring Frame Relay

Objectives

Upon completing this lesson, you will be able to:

Use Cisco IOS commands to configure a Frame Relay network, given a functioning router

Use show commands to identify anomalies in the Frame Relay PVCs, given a functioning router and an operational Frame Relay network

Use debug commands to identify events and anomalies in the Frame Relay PVCs, given a functioning router and an operational Frame Relay network

Configuring Basic Frame Relay

Configuring a Static Frame Relay Map

Configuring Subinterfaces

Point-to-point subinterfaces act like leased lines.

Each point-to-point subinterface requires its own subnet.

Point-to-point is applicable to hub-and-spoke topologies.

Multipoint subinterfaces act like NBMA networks, so they do not resolve the split-horizon issues.

Multipoint can save address space because it uses a single subnet.

Multipoint is applicable to partial-mesh and full-mesh topologies.

Configuring Point-to-Point Subinterfaces

Multipoint Subinterfaces Configuration Example

Verifying Frame Relay Operation

Router#clear frame-relay-inarp
Clears dynamically created Frame Relay maps, created by using Inverse ARP

Router#show interfaces type number
Displays information about Frame Relay DLCIs and the LMI

Router#show frame-relay lmi [type number]
Displays LMI statistics

Router#show frame-relay map
Displays the current Frame Relay map entries

Router#show frame-relay pvc [type number [dlci]]
Displays PVC statistics

Router#show frame-relay traffic
Displays Frame Relay traffic statistics

show interfaces Example

Displays line, protocol, DLCI, and LMI information

Router#show interfaces s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation FRAME-RELAY, loopback not set, keepalive set (10 sec)
LMI enq sent 19, LMI stat recvd 20, LMI upd recvd 0, DTE LMI up
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
FR SVC disabled, LAPF state down
Broadcast queue 0/64, broadcasts sent/dropped 8/0, interface broadcasts 5
Last input 00:00:02, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops

show frame-relay lmi Example

Displays LMI information

Router#show frame-relay lmi
LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0             Invalid Prot Disc 0
Invalid dummy Call Ref 0              Invalid Msg Type 0
Invalid Status Message 0              Invalid Lock Shift 0
Invalid Information ID 0              Invalid Report IE Len 0
Invalid Report Request 0              Invalid Keep IE Len 0
Num Status Enq. Sent 113100           Num Status msgs Rcvd 113100
Num Update Status Rcvd 0              Num Status Timeouts 0

A healthy DTE shows Status Enq. Sent equal to Status msgs Rcvd, zero Status Timeouts, and zero "Invalid" counters; a growing Invalid Prot Disc or Invalid Msg Type count usually means the router and switch disagree on the LMI type.

show frame-relay pvc Example

Displays PVC traffic statistics

Router#show frame-relay pvc 100
PVC Statistics for interface Serial0 (Frame Relay DTE)
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
input pkts 28            output pkts 10           in bytes 8398
out bytes 1198           dropped pkts 0           in FECN pkts 0
in BECN pkts 0           out FECN pkts 0          out BECN pkts 0
in DE pkts 0             out DE pkts 0
out bcast pkts 10        out bcast bytes 1198
pvc create time 00:03:46, last time pvc status changed 00:03:47

show frame-relay map Example

Displays the DLCI-to-address maps, either static or dynamic (learned through Inverse ARP)

Router#show frame-relay map
Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic, broadcast,, status defined, active

The two hexadecimal values are the DLCI (0x64 = 100) and the same DLCI as it is encoded in the two-byte Frame Relay address field.

clear frame-relay-inarp Example

Clears dynamically created Frame Relay maps

Router#show frame-relay map
Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic,
              broadcast,, status defined, active
Router#clear frame-relay-inarp
Router#show frame-relay map
Router#

Troubleshooting Basic Frame Relay Operations

Displays LMI debug information

Router#debug frame-relay lmi
Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
Router#
1w2d: Serial0(out): StEnq, myseq 140, yourseen 139, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8C 8B
1w2d:
1w2d: Serial0(in): Status, myseq 140
1w2d: RT IE 1, length 1, type 1
1w2d: KA IE 3, length 2, yourseq 140, myseq 140
1w2d: Serial0(out): StEnq, myseq 141, yourseen 140, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8D 8C
1w2d:
1w2d: Serial0(in): Status, myseq 142
1w2d: RT IE 1, length 1, type 0
1w2d: KA IE 3, length 2, yourseq 142, myseq 142
1w2d: PVC IE 0x7 , length 0x6 , dlci 100, status 0x2 , bw 0
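The 13 bytes the debug prints for each Status Enquiry (FR encap 0xFCF10309 followed by "00 75 01 01 01 03 02 8C 8B") are a complete Cisco LMI frame on DLCI 1023, and the "0x1840" in show frame-relay map is the same address-field encoding. The decoder below, an added example that is not IOS code and not part of the deck, parses those bytes into the fields the debug shows (message type, report type, keepalive sequence numbers) and performs the DTE's link-integrity check. The Status Enquiry bytes are copied from the debug output; the Status reply bytes are constructed here from the decoded fields, since the debug does not print them in hex. The PVC status IE (0x07) is stored raw, not decoded.

```python
"""Decoder for the LMI frames shown in the `debug frame-relay lmi` output above,
plus the DLCI address encoding seen in `show frame-relay map`
("dlci 100(0x64,0x1840)"). Added example for this page, not IOS code.
The Status Enquiry bytes are copied from the debug output; the Status reply
bytes are constructed here from the decoded fields the debug prints."""

# Message types and information element (IE) ids present in the debug output.
STATUS_ENQUIRY = 0x75
STATUS = 0x7D
IE_REPORT_TYPE = 0x01      # "RT IE 1": 0 = full status, 1 = link integrity only
IE_KEEPALIVE = 0x03        # "KA IE 3": send sequence, last received sequence
IE_PVC_STATUS = 0x07       # "PVC IE 0x7": kept as raw bytes here
PROT_DISC = {0x08: "ANSI/ITU-T", 0x09: "Cisco"}   # Q.933 vs Cisco LMI


def encode_dlci(dlci: int, cisco_display: bool = False) -> bytes:
    """Two-byte Q.922 address field.
    byte 0: DLCI bits 9..4 in bits 7..2, C/R in bit 1, EA=0 in bit 0
    byte 1: DLCI bits 3..0 in bits 7..4, FECN, BECN, DE in bits 3..1, EA=1 in bit 0
    With cisco_display=True the control bits are left clear, which is the form
    IOS prints as the second number in "dlci 100(0x64,0x1840)"."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI is 10 bits")
    b0 = (dlci >> 4) << 2
    b1 = (dlci & 0xF) << 4
    if not cisco_display:
        b1 |= 0x01                      # EA: this is the last address byte
    return bytes([b0, b1])


def decode_address(addr: bytes) -> dict:
    b0, b1 = addr[0], addr[1]
    return {"dlci": ((b0 >> 2) << 4) | (b1 >> 4), "cr": (b0 >> 1) & 1,
            "fecn": (b1 >> 3) & 1, "becn": (b1 >> 2) & 1, "de": (b1 >> 1) & 1}


def parse_lmi(frame: bytes) -> dict:
    """address(2) | UI 0x03 | protocol discriminator | call ref 0x00 | message
    type | IEs as (id, length, value...). The checks mirror the "Invalid ..."
    counters of `show frame-relay lmi`."""
    if len(frame) < 6:
        raise ValueError("short frame")
    if frame[2] != 0x03:
        raise ValueError("invalid unnumbered info (not a UI frame)")
    if frame[3] not in PROT_DISC:
        raise ValueError("invalid protocol discriminator")
    if frame[4] != 0x00:
        raise ValueError("invalid dummy call reference")
    msg = {"dlci": decode_address(frame[:2])["dlci"], "prot_disc": frame[3],
           "msg_type": frame[5], "ies": {}}
    i = 6
    while i < len(frame):
        if i + 2 > len(frame):
            raise ValueError("truncated IE header")
        ie_id, ie_len = frame[i], frame[i + 1]
        body = frame[i + 2:i + 2 + ie_len]
        if len(body) != ie_len:
            raise ValueError("invalid IE length")
        if ie_id == IE_REPORT_TYPE:
            if ie_len < 1:
                raise ValueError("invalid report IE len")
            msg["ies"]["report_type"] = body[0]
        elif ie_id == IE_KEEPALIVE:
            if ie_len < 2:
                raise ValueError("invalid keep IE len")
            msg["ies"]["send_seq"], msg["ies"]["recv_seq"] = body[0], body[1]
        else:
            msg["ies"][ie_id] = bytes(body)
        i += 2 + ie_len
    return msg


def link_integrity_ok(enquiry: dict, reply: dict) -> bool:
    """The DTE's keepalive check: the switch must echo back the sequence number
    the router sent (shown as "yourseq" in the debug)."""
    return reply["ies"]["recv_seq"] == enquiry["ies"]["send_seq"]


# From the debug output: "FR encap = 0xFCF10309" followed by the 9 data bytes.
ENQUIRY_140 = bytes.fromhex("FCF10309" "0075" "010101" "03028C8B")
ENQUIRY_141 = bytes.fromhex("FCF10309" "0075" "010101" "03028D8C")
# Constructed: the Status reply the debug decodes as "yourseq 140, myseq 140".
STATUS_140 = bytes.fromhex("FCF10309" "007D" "010101" "03028C8C")
```

Because LMI carries no authentication, anything that can inject frames on the access circuit can answer these enquiries; the sequence-number check only detects a lost or stale reply, which is why the counters in show frame-relay lmi are an operational health signal and not a security control.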

Summary

A basic Frame Relay configuration assumes one or more physical interfaces, and that LMI and Inverse ARP are running on the remote routers. In this type of environment, the LMI notifies the router about the available DLCIs.

When the remote router does not support Inverse ARP, or when you want to control routed broadcast traffic, you must define the address-to-DLCI table statically.

You can configure Frame Relay subinterfaces in either point-to-point or multipoint mode.

After you configure Frame Relay, you can verify that the connections are active using the available show commands.

Use the debug frame-relay lmi command to verify and troubleshoot a Frame Relay connection.

Configuring ISDN BRI and PRI

Objectives

Upon completing this lesson, you will be able to:

Configure ISDN BRI and ISDN PRI, given a functioning router and a physical ISDN connection

Use show commands to identify the anomalies in the ISDN BRI and PRI configurations, given a functioning router and a physical ISDN connection

Use debug commands to identify the anomalies in the ISDN BRI and PRI configurations, given a functioning remote access router and a physical ISDN connection

What Is ISDN?

Voice, data, video, and special services

ISDN Standards

Standards from the ITU-T (formerly CCITT)

ISDN Access Options

BRI and PRI are used globally for ISDN.

BRI and PRI Call Processing

ISDN Functions and Reference Points

Functions are devices or hardware.

Reference points are demarcations or interfaces.

Cisco ISDN BRI Interfaces

Cisco ISDN PRI Interfaces

ISDN Switch Types

Many providers use many different switch types.

Services vary by region and country.

Configuring ISDN BRI

Step 1: Specify the ISDN switch type.

Router(config)#isdn switch-type switch-type

Router(config-if)#isdn switch-type switch-type

The command specifies the type of ISDN switch with which the router communicates, globally or for one interface.

Other configuration requirements vary for specific providers.

Configuring ISDN BRI (Cont.)

Step 2: (Optional) Set SPIDs.

Router(config-if)#isdn spid1 spid-number [ldn]

Sets the SPID for the first B channel, required by many service providers

Router(config-if)#isdn spid2 spid-number [ldn]

Sets the SPID for the second B channel

Configuring ISDN PRI

Step 1: Specify the ISDN switch type.

Router(config)#isdn switch-type switch-type

Step 2: Select the controller.

Router(config)#controller controller slot/port

Step 3: Establish the interface port to function as PRI.

Router(config-controller)#pri-group timeslots range

ISDN PRI Examples

T1 Sample Configuration

Router(config)#controller T1 3/0
Router(config-controller)#framing esf
Router(config-controller)#linecode b8zs
Router(config-controller)#pri-group timeslots 1-24
Router(config-controller)#interface Serial3/0:23
Router(config-if)#isdn switch-type primary-5ess
Router(config-if)#no cdp enable

E1 Sample Configuration

Router(config)#controller E1 3/0
Router(config-controller)#framing crc4
Router(config-controller)#linecode hdb3
Router(config-controller)#pri-group timeslots 1-31
Router(config-controller)#interface Serial3/0:15
Router(config-if)#isdn switch-type primary-net5
Router(config-if)#no cdp enable

The D channel is the last timeslot, so it appears as Serial3/0:23 on a T1 and Serial3/0:15 on an E1 (channel numbering starts at 0).

Verifying the ISDN Configuration

Router#show isdn active
Displays current call information

Router#show isdn status
Displays the status of an ISDN connection

Router#show interfaces bri0
Displays statistics for the BRI interface configured on the router

Troubleshooting the ISDN Configuration

Router#debug ppp authentication
Displays the PPP authentication protocol messages

Router#debug ppp negotiation
Displays information on PPP link establishment

Router#debug isdn q921
Shows ISDN Layer 2 messages

Router#debug isdn q931
Shows ISDN call setup and teardown activity (Layer 3)

Router#debug ppp error
Displays protocol errors associated with PPP

Summary

ISDN defines a digital architecture that provides integrated voice and data capability using the public switched network.

ISDN specifies two standard access methods, BRI and PRI.

To establish an ISDN call, the D channel is used between the routers and switches, and SS7 signaling is used between the switches.

ISDN functions are hardware devices while reference points are interfaces between devices.

Cisco devices can be physically configured with different ISDN options, which dictate what additional equipment, if any, is needed to run ISDN.

Summary (Cont.)

You must configure your router to identify the type of switch it will be communicating with, which depends in part on the country the switch is in.

To enable ISDN BRI, you use the isdn switch-type and isdn spid commands.

To enable ISDN PRI, use the pri-group command.

Use show commands to verify that your ISDN configuration is functioning properly.

You can use debug commands to troubleshoot your ISDN configuration.

What is NAT?

Similar to Classless Inter-Domain Routing (CIDR), the original intention for NAT was to slow the depletion of available IP address space by allowing many private IP addresses to be represented by some smaller number of public IP addresses.

Benefits of NAT

You need to connect to the Internet and your hosts don't have globally unique IP addresses.

You change to a new ISP that requires you to renumber your network.

You need to merge two intranets with duplicate addresses.

Where NAT is typically configured

Basic NAT

Three types of NAT

Static

Dynamic

Overloading

Static NAT

Let's take a look at a simple static NAT configuration:

ip nat inside source static 10.1.1.1 170.46.2.2
!
interface Ethernet0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 170.46.2.1 255.255.255.0
 ip nat outside
!

Dynamic NAT

Here is a sample dynamic NAT configuration:

ip nat pool todd 170.168.2.2 170.168.2.254 netmask 255.255.255.0
ip nat inside source list 1 pool todd
!
interface Ethernet0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 170.168.2.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
!

Port Address Translation

PAT

Here is a sample PAT configuration:

ip nat pool globalnet 170.168.2.1 170.168.2.1 netmask 255.255.255.0
ip nat inside source list 1 pool globalnet overload
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 170.168.2.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
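The three configurations above differ in what the translation table holds and when translation fails. The model below is an added example, not IOS code and not from the deck; it reuses the addresses from the three configs, but the inside hosts, ports, and the two-address pool (shrunk from the deck's .2-.254 so that exhaustion is visible) are constructed for the illustration. It shows the fixed entry of static NAT, a dynamic pool running out of addresses for a third host, and PAT sharing one address by rewriting source ports, plus the reverse lookup that decides which inbound packets reach an inside host.

```python
"""Behavioural model of the three NAT types configured above: static,
dynamic (pool), and PAT (`overload`). Added example; not IOS code. The
addresses are the ones from the configs on this page; hosts, ports and the
two-address pool are made up for the illustration."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatExhausted(Exception):
    """No free inside-global address (dynamic pool) or port (PAT)."""


class Nat:
    """Translates inside-local to inside-global for traffic leaving through the
    `ip nat inside` interface. static: fixed 1:1 map. pool without overload: one
    pool address per inside host, held while allocated. pool with overload
    (PAT): one address shared by rewriting source ports."""

    def __init__(self, static=None, inside_acl=None, pool=None, overload=False):
        self.static = dict(static or {})                           # local -> global
        self.inside_net = ipaddress.ip_network(inside_acl) if inside_acl else None
        self.free = []
        if pool:
            first, last = (int(ipaddress.ip_address(a)) for a in pool)
            self.free = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.overload = overload
        self.dynamic = {}                       # local -> global (pool mode)
        self.ports = {}                         # (proto, global, gport) -> (local, lport)

    def _matches_acl(self, ip: str) -> bool:
        return self.inside_net is not None and ipaddress.ip_address(ip) in self.inside_net

    def outbound(self, f: Flow) -> Flow:
        if f.src in self.static:
            return replace(f, src=self.static[f.src])
        if not self._matches_acl(f.src):
            return f                            # not permitted by access-list 1: untranslated
        if not self.overload:
            g = self.dynamic.get(f.src)
            if g is None:
                if not self.free:
                    raise NatExhausted(f"pool empty, {f.src} cannot be translated")
                g = self.dynamic[f.src] = self.free.pop(0)
            return replace(f, src=g)
        g = self.free[0]                        # PAT: the single global address
        key = (f.proto, g, f.sport)
        if key not in self.ports or self.ports[key] == (f.src, f.sport):
            gport = f.sport                     # keep the original port while it is free
        else:
            gport = next((p for p in range(1024, 65536)
                          if (f.proto, g, p) not in self.ports), None)
            if gport is None:
                raise NatExhausted(f"no free {f.proto} ports on {g}")
        self.ports[(f.proto, g, gport)] = (f.src, f.sport)
        return replace(f, src=g, sport=gport)

    def try_outbound(self, f: Flow):
        try:
            return self.outbound(f)
        except NatExhausted:
            return None

    def inbound(self, f: Flow) -> Flow:
        """Reverse translation for packets arriving on the `ip nat outside`
        interface. With PAT, a packet with no table entry has no inside host to
        go to, which is the side effect that makes PAT block unsolicited traffic."""
        if self.overload:
            local = self.ports.get((f.proto, f.dst, f.dport))
            return f if local is None else replace(f, dst=local[0], dport=local[1])
        for table in (self.static, self.dynamic):
            for local, g in table.items():
                if g == f.dst:
                    return replace(f, dst=local)
        return f
```

Static entries are reachable from outside at any time, a dynamic pool entry is reachable only while the inside host holds the address, and a PAT entry only for the exact port pair in the table; that difference is what decides which inside hosts an outside scanner can reach.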

The MPLS Conceptual Model

Basic MPLS Features

MPLS is a switching mechanism in which packets are forwarded based on labels.

Labels usually correspond to IP destination networks (equal to traditional IP forwarding).

Labels can also correspond to other parameters:

Layer 3 VPN destination

Layer 2 circuit

Outgoing interface on the egress router

QoS

Source address

MPLS was designed to support forwarding of non-IP protocols as well.

Basic MPLS Concepts Example

Only edge routers must perform a routing lookup.

Core routers switch packets based on simple label lookups and swap labels.

Router Switching Mechanisms

MPLS Architecture

Major Components of MPLS Architecture

Control plane: Exchanges routing information and labels

Contains complex mechanisms to exchange routing information, such as OSPF, EIGRP, IS-IS, and BGP

Exchanges labels, using protocols such as LDP, BGP, and RSVP

Data plane: Forwards packets based on labels

Has a simple forwarding engine

Control Plane Components Example

Information from the control plane is sent to the data plane.

MPLS Labels

MPLS technology is intended to be used anywhere, regardless of Layer 1 media and Layer 2 protocol.

MPLS uses a 32-bit label field that is inserted between the Layer 2 and Layer 3 headers (frame mode MPLS).

MPLS over ATM uses the ATM header as the label (cell mode MPLS).

Label Format

MPLS uses a 32-bit label field that contains this information:

20-bit label

3-bit experimental field

1-bit bottom-of-stack indicator

8-bit TTL field

Label Stack

The Protocol ID (PID) in a Layer 2 header specifies that the payload starts with a label (or labels) and is followed by an IP header.

The bottom-of-stack bit indicates whether the next header is another label or a Layer 3 header.

The receiving router uses the top label only.

Frame Mode MPLS

Label Switch Routers

An LSR primarily forwards labeled packets (swap label).

An edge LSR labels IP packets (impose label) and forwards them into the MPLS domain, and removes labels (pop label) and forwards IP packets out of the MPLS domain.
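The label format, the label stack walk, and the three LSR operations just described, carried through in code. This is an added example, not IOS code and not from the deck: label 28 is taken from the show ip cef detail output later on this page ("tags imposed: {28}"), while the other label values, the LFIB contents, the next-hop names, and the stand-in IP payload are made up. It encodes and decodes the 32-bit entry, walks a stack until the bottom-of-stack bit, and drives a packet through impose (ingress edge LSR), swap (core LSR) and pop (egress edge LSR), including the TTL decrement that stops a mislabeled packet from looping forever.

```python
"""MPLS label stack entry (20-bit label | 3-bit EXP | 1-bit S | 8-bit TTL) and
the three LSR operations: impose (push) at the ingress edge LSR, swap in the
core, pop at the egress edge LSR. Added example, not IOS code. Label 28 is from
the `show ip cef detail` output on this page; the other labels, the LFIB
contents and the next-hop names are made up."""
import struct


def encode_entry(label: int, exp: int = 0, bos: bool = False, ttl: int = 255) -> bytes:
    """Pack one 32-bit label stack entry in network byte order."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= exp < 8 or not 0 <= ttl < 256:
        raise ValueError("exp must be 3 bits, ttl 8 bits")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def decode_entry(data: bytes) -> dict:
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "bos": bool((word >> 8) & 0x1), "ttl": word & 0xFF}


def parse_stack(frame: bytes):
    """Read entries until the bottom-of-stack bit; return (entries, payload)."""
    entries, off = [], 0
    while True:
        if len(frame) - off < 4:
            raise ValueError("truncated label stack")   # S bit never seen
        entry = decode_entry(frame[off:off + 4])
        entries.append(entry)
        off += 4
        if entry["bos"]:
            return entries, frame[off:]


def build_stack(entries, payload: bytes) -> bytes:
    """Serialize entries; the last one gets the bottom-of-stack bit."""
    out = b"".join(encode_entry(e["label"], e["exp"], i == len(entries) - 1, e["ttl"])
                   for i, e in enumerate(entries))
    return out + payload


def impose(payload: bytes, labels, ttl: int = 255) -> bytes:
    """Ingress edge LSR: push labels; the last label in the list is bottom of stack."""
    return build_stack([{"label": l, "exp": 0, "ttl": ttl} for l in labels], payload)


class Lsr:
    """LFIB: incoming top label -> (action, outgoing label or None, next hop)."""

    def __init__(self, lfib: dict):
        self.lfib = lfib

    def forward(self, frame: bytes):
        entries, payload = parse_stack(frame)
        top, rest = entries[0], entries[1:]       # only the top label is looked up
        if top["ttl"] <= 1:
            raise ValueError("TTL expired, drop")  # keeps a loop from circulating forever
        if top["label"] not in self.lfib:
            raise KeyError(f"no LFIB entry for label {top['label']}, drop")
        action, out_label, next_hop = self.lfib[top["label"]]
        ttl = top["ttl"] - 1
        if action == "swap":
            new = [dict(top, label=out_label, ttl=ttl)] + rest
        elif action == "pop":
            if rest:                               # propagate TTL to the new top label
                rest[0] = dict(rest[0], ttl=ttl)
            new = rest                             # (copy into the IP TTL is not modelled)
        else:
            raise ValueError(f"unknown action {action}")
        return next_hop, (build_stack(new, payload) if new else payload)
```

The two-label case (a transport label over a VPN label) is the one to look at: the core router never sees the inner label, and the egress pop leaves the inner label in place with the decremented TTL, exactly as the "receiving router uses the top label only" rule says.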

LSR Component Architecture

Functions of LSRs

Component        Functions
Control plane    Exchanges routing information; exchanges labels
Data plane       Forwards packets (LSRs and edge LSRs)

Component Architecture of LSR

Component Architecture of Edge LSR

Summary

MPLS is a switching mechanism that uses labels to forward packets. The result of using labels is that only edge routers perform a routing lookup; all the core routers simply forward packets based on labels assigned at the edge.

MPLS consists of two major components: control plane and data plane.

MPLS uses a 32-bit label field that contains a label, an experimental field, a bottom-of-stack indicator, and a TTL field.

An LSR is a device that forwards packets primarily based on labels. An edge LSR is a device that labels packets or removes labels from packets.

Exchanging routing information and exchanging labels are part of the control plane, while forwarding packets is part of the data plane.

The Procedure to Configure MPLS

1. Configure CEF

2. Configure MPLS on a frame mode interface

3. (Optional) Configure the MTU size in label switching

Configuring IP CEF

Step 1: Configure CEF

1. Configure CEF: Start CEF switching to create the FIB table; enable CEF switching on all core interfaces

2. Configure MPLS on a frame mode interface

3. (Optional) Configure the MTU size in label switching

Step 1: Configure CEF (Cont.)

Router(config)#ip cef [distributed]

Starts CEF switching and creates the FIB table. The distributed keyword configures distributed CEF (running on VIP or line cards). All CEF-capable interfaces run CEF switching.

Router(config-if)#ip route-cache cef

Enables CEF switching on an interface; usually not needed.

Monitoring IP CEF

Router#show ip cef detail

Displays a summary of the FIB

Router#show ip cef detail
IP CEF with switching (Table Version 6), flags=0x0
6 routes, 0 reresolve, 0 unresolved (0 old, 0 new)
9 leaves, 11 nodes, 12556 bytes, 9 inserts, 0 invalidations
0 load sharing elements, 0 bytes, 0 references
2 CEF resets, 0 revisions of existing leaves
refcounts: 543 leaf, 544 node
Adjacency Table has 4 adjacencies
0.0.0.0/32, version 0, receive
192.168.3.1/32, version 3, cached adjacency to Serial0/0.10
0 packets, 0 bytes
tag information set
local tag: 28
fast tag rewrite with Se0/0.10, point2point, tags imposed: {28}
via 192.168.3.10, Serial0/0.10, 0 dependencies
next hop 192.168.3.10, Serial0/0.10
valid cached adjacency
tag rewrite with Se0/0.10, point2point, tags imposed: {28}

    Configuring MPLS on a Frame Mode Interface

    Step 2: Configure MPLS on a Frame Mode Interface

    1. Configure CEF
    2. Configure MPLS on a frame mode interface: Enable label switching on a frame mode interface; start LDP or TDP label distribution protocol
    3. (Optional) Configure the MTU size in label switching

    Step 2: Configure MPLS on a Frame Mode Interface (Cont.)

    Router(config-if)#
    mpls ip

    Enables label switching on a frame mode interface
    Starts LDP on the interface

    Router(config-if)#
    mpls label protocol [tdp | ldp | both]

    Starts selected label distribution protocol on the specified interface

    Configuring MPLS on a Frame Mode Interface: Example 1

    Configuring MPLS on a Frame Mode Interface: Example 2

    Defining MPLS VPN

    VPN Taxonomy

    VPN Models

    VPN services can be offered based on two major models:
    Overlay VPNs, in which the service provider provides virtual point-to-point links between customer sites
    Peer-to-peer VPNs, in which the service provider participates in the customer routing

    Overlay VPNs: Frame Relay Example

    Overlay VPNs: Layer 3 Routing

    The service provider infrastructure appears as point-to-point links to customer routers.
    Routing protocols run directly between customer routers.
    The service provider does not see customer routes and is responsible only for providing point-to-point transport of customer data.

    Peer-to-Peer VPNs

    Benefits of VPN Implementations

    Overlay VPN:
    Well-known and easy to implement
    Service provider does not participate in customer routing
    Customer network and service provider network are well-isolated

    Peer-to-peer VPN:
    Guarantees optimum routing between customer sites
    Easier to provision an additional VPN
    Only sites are provisioned, not links between them

    Drawbacks of VPN Implementations

    Overlay VPN:
    Implementing optimum routing requires a full mesh of VCs.
    VCs have to be provisioned manually.
    Bandwidth must be provisioned on a site-to-site basis.
    Overlay VPNs always incur encapsulation overhead (IPsec or GRE).

    Peer-to-peer VPN:
    The service provider participates in customer routing.
    The service provider becomes responsible for customer convergence.
    PE routers carry all routes from all customers.
    The service provider needs detailed IP routing knowledge.

    Drawbacks of Peer-to-Peer VPNs

    Shared PE router:
    All customers share the same (provider-assigned or public) address space.
    High maintenance costs are associated with packet filters.
    Performance is lower: each packet has to pass a packet filter.

    Dedicated PE router:
    All customers share the same address space.
    Each customer requires a dedicated router at each POP.

    MPLS VPN Architecture

    An MPLS VPN combines the best features of an overlay VPN and a peer-to-peer VPN:
    PE routers participate in customer routing, guaranteeing optimum routing between sites and easy provisioning.
    PE routers carry a separate set of routes for each customer (similar to the dedicated PE router approach).
    Customers can use overlapping addresses.

    MPLS VPN Architecture: Terminology

    PE Router Architecture

    IPsec VPNs

    IPsec Components and IPsec VPN Features

    IPsec Overview

    What Is IPsec?

    IPsec is an IETF standard that employs cryptographic mechanisms on the network layer:
    Authentication of every IP packet
    Verification of data integrity for each packet
    Confidentiality of packet payload
    Consists of open standards for securing private communications
    Scales from small to very large networks
    Is available in Cisco IOS software version 11.3(T) and later
    Is included in PIX Firewall version 5.0 and later

    IPsec Security Features

    IPsec is the only standard Layer 3 technology that provides:
    Confidentiality
    Data integrity
    Authentication
    Replay detection

    IPsec Protocols

    IPsec uses three main protocols to create a security framework:
    Internet Key Exchange (IKE): Provides the framework for negotiation of security parameters and establishment of authenticated keys
    Encapsulating Security Payload (ESP): Provides the framework for encrypting, authenticating, and securing data
    Authentication Header (AH): Provides the framework for authenticating and securing data

    IPsec Headers

    IPsec AH and ESP provide the following:
    Authentication and data integrity (MD5 or SHA-1 HMAC) with AH and ESP
    Confidentiality (DES, 3DES, or AES) only with ESP

    Peer Authentication

    Peer authentication methods:
    Username and password
    OTP (PIN/TAN)
    Biometric
    Preshared keys
    Digital certificates

    Internet Key Exchange

    IKE solves the problems of manual and unscalable implementation of IPsec by automating the entire key exchange process:
    Negotiation of SA characteristics
    Automatic key

    IKE Phases

    Phase 1: Authenticate the peers; negotiate a bidirectional SA; main mode or aggressive mode
    Phase 1.5: Xauth; mode config
    Phase 2: IPsec SAs/SPIs; quick mode

    IKE Modes

    IKE: Other Functions

    Dead peer detection (DPD):
    Bidirectional
    Sent on periodic intervals
    Sender must receive a reply or disconnect
    IKE keepalives are unidirectional and are sent every 10 seconds.
    NAT traversal:
    Defined in RFC 3947
    Encapsulates IPsec packet in UDP packet
    Mode config (Push Config) and Xauth (User Authentication)

    IPsec and NAT: The Problem

    IPsec NAT Traversal

    Need NAT traversal with IPsec over TCP/UDP:
    NAT traversal detection
    NAT traversal decision
    UDP encapsulation of IPsec packets
    UDP encapsulated process for software engines

    Symmetric vs. Asymmetric Encryption Algorithms

    Symmetric algorithm:
    Secret key cryptography
    Encryption and decryption use the same key
    Typically used to encrypt the content of a message
    Examples: DES, 3DES, AES

    Asymmetric algorithm:
    Public key cryptography
    Encryption and decryption use different keys
    Typically used in digital certification and key management
    Example: RSA

    Key Lengths of Symmetric vs. Asymmetric Encryption Algorithms

    Symmetric Key Length (bits)    Asymmetric Key Length (bits)
    80                             1024
    112                            2048
    128                            3072
    192                            7680
    256                            15,360

    Comparable key lengths required for asymmetric keys compared to symmetric keys

    Security Level of Cryptographic Algorithms

    Security Level    Work Factor    Algorithms
    Weak              O(2^40)        DES, MD5
    Legacy            O(2^64)        RC4, SHA-1
    Baseline          O(2^80)        3DES
    Standard          O(2^128)       AES-128, SHA-256
    High              O(2^192)       AES-192, SHA-384
    Ultra             O(2^256)       AES-256, SHA-512

    Symmetric Encryption: DES

    Symmetric key encryption algorithm
    Block cipher: Works on 64-bit data block, uses 56-bit key (last bit of each byte used for parity)
    Mode of operation: Apply DES to encrypt blocks of data

    Symmetric Encryption: 3DES

    168-bit total key length
    Mode of operation decides how to process DES three times
    Normally: encrypt, decrypt, encrypt
    3DES requires more processing than DES

    Symmetric Encryption: AES

    Formerly known as Rijndael
    Successor to DES and 3DES
    Symmetric key block cipher
    Strong encryption with long expected life
    AES can support 128-, 192-, and 256-bit keys; 128-bit key is considered safe

    Asymmetric Encryption: RSA

    Based on Diffie-Hellman key exchange (IKE) principles
    Public key to encrypt data, and to verify digital signatures
    Private key to decrypt data, and to sign with a digital signature

    Diffie-Hellman Key Exchange

    Diffie-Hellman Key Exchange (Cont.)

    Diffie-Hellman Key Exchange (Cont.)
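The Diffie-Hellman exchange that the slides above introduce, as an added Python example (not code from the slides or from Cisco). It uses the 1024-bit MODP prime of IKE Diffie-Hellman group 2 (RFC 2409) with generator 2, runs one exchange for Phase 1 and a second, independent one for Phase 2 perfect forward secrecy, and rejects the trivial public values 0, 1 and p-1. The key derivation is a simplified SHA-1 stand-in for IKE's SKEYID computation, not the real prf.

```python
import hashlib
import secrets

# Added example, not from the original slides. The modulus is the 1024-bit MODP
# prime of IKE Diffie-Hellman group 2 (RFC 2409 section 6.2) with generator 2;
# derive_key() is a simplified stand-in for IKE's SKEYID prf, not the real one.
P_GROUP2 = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def dh_keypair(p: int = P_GROUP2, g: int = G):
    """Pick a random private exponent x and return (x, g^x mod p)."""
    x = secrets.randbelow(p - 3) + 2  # x in [2, p-2]
    return x, pow(g, x, p)


def dh_shared_secret(private: int, peer_public: int, p: int = P_GROUP2) -> int:
    """Combine our private exponent with the peer's public value."""
    # Reject trivial values (0, 1, p-1): with those the "secret" is predictable
    # regardless of our exponent, so a tampering middlebox could force it.
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_public, private, p)


def derive_key(shared: int, label: bytes) -> bytes:
    """Hash the shared secret into a fixed-size key (simplified, not IKE's exact prf)."""
    raw = shared.to_bytes((P_GROUP2.bit_length() + 7) // 8, "big")
    return hashlib.sha1(label + raw).digest()


def ike_style_exchange() -> tuple:
    """Phase 1 exchange, then a fresh exchange for Phase 2 PFS.

    Returns (both sides agree, phase-1 key, phase-2 key).
    """
    # Phase 1: initiator and responder each send g^x mod p in the clear.
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ki = dh_shared_secret(xi, gxr)
    kr = dh_shared_secret(xr, gxi)
    phase1_key = derive_key(ki, b"phase1")
    # Phase 2 with PFS: a second, independent exchange, so Phase 2 keys do not
    # depend on the Phase 1 secret and compromise of one does not expose the other.
    xi2, gxi2 = dh_keypair()
    xr2, gxr2 = dh_keypair()
    assert dh_shared_secret(xi2, gxr2) == dh_shared_secret(xr2, gxi2)
    phase2_key = derive_key(dh_shared_secret(xi2, gxr2), b"phase2")
    return ki == kr, phase1_key, phase2_key


if __name__ == "__main__":
    agree, k1, k2 = ike_style_exchange()
    print("peers agree:", agree)
    print("phase-1 key:", k1.hex())
    print("phase-2 key:", k2.hex())
```

Only the public values g^x mod p cross the wire; the exchange authenticates nothing by itself, which is why IKE Phase 1 pairs it with preshared keys or certificates before trusting the result.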

    PKI Environment

    Certificate Authority

    The trust basis of a PKI system
    Verifies user identity, issues certificates by binding the identity of a user to a public key with a digital certificate
    Revokes certificates and publishes CRL
    In-house implementation or outsourcing

    X.509 v3 Certificate

    PKI Message Exchange

    PKI Credentials

    How to store PKI credentials: RSA keys and certificates
    NVRAM
    eToken: Cisco 871, 1800, 2800, 3800 Series router; Cisco IOS Release 12.3(14)T image; Cisco USB eToken; a k9 image

    Summary

    IPsec provides a mechanism for secure data transmission over IP networks.
    The IKE protocol is a key management protocol standard used in conjunction with the IPsec standard.
    IKE has some additional functions: DPD, NAT traversal, encapsulation in UDP packet, config mode, and Xauth.
    The two IP protocols used in the IPsec standard are ESP and AH.
    For message authentication and integrity check, an HMAC is used.
    The two types of encryption are symmetric encryption and asymmetric encryption.
    PKI provides customers with a scalable, secure mechanism for distributing, managing, and revoking encryption and identity information in a secured data network.

    IPsec VPNs

    Site-to-Site IPsec VPN Operation

    Site-to-Site IPsec VPN Operations

    Five Steps of IPsec

    Step 1: Interesting Traffic

    Step 2: IKE Phase 1

    IKE Policy

    Negotiates matching IKE transform sets to protect the IKE exchange

    Diffie-Hellman Key Exchange

    Authenticate Peer Identity

    Peer authentication methods:
    Preshared keys
    RSA signatures
    RSA encrypted nonces

    Step 3: IKE Phase 2

    Negotiates IPsec security parameters, IPsec transform sets
    Establishes IPsec SAs
    Periodically renegotiates IPsec SAs to ensure security
    Optionally, performs an additional Diffie-Hellman exchange

    IPsec Transform Sets

    A transform set is a combination of algorithms and protocols that enact a

    Security Associations

    SA database: destination IP address, SPI, protocol (ESP or AH)
    Security policy database: encryption algorithm, authentication algorithm, mode, key lifetime

    SA Lifetime

    Data transmitted-based
    Time-based

    Step 4: IPsec Session

    SAs are exchanged between peers.
    The negotiated security services are applied to the traffic.

    Step 5: Tunnel Termination

    A tunnel is terminated by one of the following:
    By an SA lifetime timeout
    If the packet counter is exceeded
    IPsec SA is removed

    Configuring IPsec

    Configuration Steps for Site-to-Site IPsec VPN

    1. Establish ISAKMP policy
    2. Configure IPsec transform set
    3. Configure crypto ACL
    4. Configure crypto map
    5. Apply crypto map to the interface
    6. Configure interface ACL

    Site-to-Site IPsec Configuration: Phase 1

    Site-to-Site IPsec Configuration: Phase 2

    Site-to-Site IPsec Configuration: Apply VPN Configuration

    Site-to-Site IPsec Configuration: Interface ACL

    When filtering at the edge, there is not much to see:
    IKE: UDP port 500
    ESP and AH: IP protocol numbers 50 and 51, respectively
    NAT transparency enabled:
    UDP port 4500
    TCP (port number has to be configured)

    Site-to-Site IPsec Configuration: Interface ACL (Cont.)

    Router1#show access-lists
    access-list 102 permit ahp host 172.16.172.10 host 172.16.171.20
    access-list 102 permit esp host 172.16.172.10 host 172.16.171.20
    access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq isakmp

    Ensure that protocols 50 and 51 and UDP port 500 traffic is not blocked on interfaces used by IPsec.
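To check what the interface ACL above actually admits, here is an added Python example (not code from the slides or from Cisco) that parses the `show access-lists` lines in the page's format, applies them with the implicit deny, and runs constructed IPsec flows through them. The NAT-T line (UDP 4500, IOS port keyword `non500-isakmp`) and all packets are constructed; only `host` entries are parsed, and anything else raises rather than being silently skipped.

```python
from collections import namedtuple

# Added example, not from the original slides. The ACL text is the `show access-lists`
# output shown above, plus a constructed NAT-T line; the packets are constructed too.
PROTO_NAMES = {"ip": None, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}  # IOS keyword names for 500 and 4500

Rule = namedtuple("Rule", "action proto src dst dport")
Packet = namedtuple("Packet", "proto src dst dport")

ACL_102 = """
access-list 102 permit ahp host 172.16.172.10 host 172.16.171.20
access-list 102 permit esp host 172.16.172.10 host 172.16.171.20
access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq isakmp
"""
# Constructed addition for a peer behind NAT (UDP port 4500, see NAT transparency above).
ACL_102_NAT_T = ACL_102 + (
    "access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq non500-isakmp\n"
)


def parse_acl(text: str) -> list:
    """Parse `access-list N permit|deny PROTO host SRC host DST [eq PORT]` lines.

    Only host entries are handled; wildcard masks raise so nothing is silently skipped.
    """
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        if len(tok) < 8 or tok[4] != "host" or tok[6] != "host":
            raise ValueError("unsupported ACL entry: " + line)
        action, proto, src, dst, rest = tok[2], tok[3], tok[5], tok[7], tok[8:]
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        rules.append(Rule(action, PROTO_NAMES[proto], src, dst, dport))
    return rules


def permits(rules: list, pkt: Packet) -> bool:
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for r in rules:
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.src != pkt.src or r.dst != pkt.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action == "permit"
    return False


def demo() -> dict:
    """Which constructed flows the two ACL variants let through: (acl102, acl102+nat-t)."""
    peer, local = "172.16.172.10", "172.16.171.20"
    flows = {
        "ike_udp500": Packet(17, peer, local, 500),
        "esp": Packet(50, peer, local, None),
        "ah": Packet(51, peer, local, None),
        "nat_t_udp4500": Packet(17, peer, local, 4500),
        "esp_from_stranger": Packet(50, "192.0.2.99", local, None),
        "ssh_from_peer": Packet(6, peer, local, 22),
    }
    plain, nat_t = parse_acl(ACL_102), parse_acl(ACL_102_NAT_T)
    return {name: (permits(plain, p), permits(nat_t, p)) for name, p in flows.items()}


if __name__ == "__main__":
    for name, (a, b) in demo().items():
        print(f"{name:20s} acl102={a!s:5}  acl102+nat-t={b}")
```

The run shows the page's point from both sides: IKE, ESP and AH from the configured peer pass, while ESP from any other source and non-IPsec traffic from the peer fall to the implicit deny; the 4500/UDP flow only passes once the NAT-T entry is added.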

    Summary

    IPsec operation includes these steps: initiation of the IPsec process by interesting traffic, IKE Phase 1, IKE Phase 2, data transfer, and IPsec tunnel termination.
    To configure a site-to-site IPsec VPN: configure the ISAKMP policy, define the IPsec transform set, create a crypto ACL, create a crypto map, apply the crypto map, and configure the ACL.
    To define an IKE policy, use the crypto isakmp policy global configuration command.
    To define an acceptable combination of security protocols and algorithms used for IPsec, use the crypto ipsec transform-set global configuration command.
    To apply a previously defined crypto map set to an interface, use the crypto map interface configuration command.
    Configure an ACL to enable the IPsec protocols (protocol 50 for ESP or 51 for AH) and the IKE protocol (UDP/500).

    IPsec VPNs

    Configuring IPsec Site-to-Site VPN Using SDM

    Generic Routing Encapsulation

    OSI Layer 3 tunneling protocol:
    Uses IP for transport
    Uses an additional header to support any other OSI Layer 3 protocol as payload (e.g., IP, IPX, AppleTalk)

    Default GRE Characteristics

    Tunneling of arbitrary OSI Layer 3 payload is the primary goal of GRE
    Stateless (no flow control mechanisms)
    No security (no confidentiality, data authentication, or integrity assurance)
    24-byte overhead by default (20-byte IP header and 4-byte GRE header)

    Optional GRE Extensions

    GRE can optionally contain any one or more of these fields:
    Tunnel checksum
    Tunnel key
    Tunnel packet sequence number
    GRE keepalives can be used to track tunnel path status.

    GRE Configuration Example

    GRE tunnel is up and protocol up if:
    Tunnel source and destination are configured
    Tunnel destination is in routing table
    GRE keepalives are received (if used)
    GRE is the default tunnel mode.
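The GRE header and its optional fields described above, as an added Python example (not code from the slides or from Cisco): it builds and parses RFC 2784/2890 headers, computes the per-packet overhead (4 bytes plus the 20-byte delivery IP header by default, more when checksum, key or sequence number are present), verifies the optional one's-complement checksum, and shows that the tunnel key is readable by anyone who sees the packet. Payloads and field values are constructed.

```python
import struct

# Added example, not from the original slides. Packets and payloads are constructed.
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000  # checksum, key, sequence present
VERSION_MASK = 0x0007
ETHERTYPE_IPV4 = 0x0800
OUTER_IP_HEADER = 20  # delivery IP header counted in the 24-byte default overhead


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's complement checksum as used by IP and by GRE (RFC 2784)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto: int = ETHERTYPE_IPV4, key: int = None,
              seq: int = None, checksum: bool = False) -> bytes:
    """Build a GRE header (RFC 2784/2890) with the optional fields requested."""
    flags = 0
    flags |= FLAG_C if checksum else 0
    flags |= FLAG_K if key is not None else 0
    flags |= FLAG_S if seq is not None else 0
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += struct.pack("!HH", 0, 0)  # checksum placeholder + reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if seq is not None:
        header += struct.pack("!I", seq)
    if checksum:
        csum = ones_complement_checksum(header + payload)
        header = header[:4] + struct.pack("!HH", csum, 0) + header[8:]
    return header + payload


def parse_gre(packet: bytes) -> dict:
    """Decode a GRE packet; report header length, optional fields and checksum validity."""
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & VERSION_MASK:
        raise ValueError("only GRE version 0 is handled here")
    info = {"proto": proto, "key": None, "seq": None, "checksum_ok": None}
    off = 4
    if flags & FLAG_C:
        (csum,) = struct.unpack("!H", packet[off:off + 2])
        zeroed = packet[:off] + b"\x00\x00" + packet[off + 2:]
        info["checksum_ok"] = ones_complement_checksum(zeroed) == csum
        off += 4
    if flags & FLAG_K:
        info["key"] = struct.unpack("!I", packet[off:off + 4])[0]  # sent in the clear
        off += 4
    if flags & FLAG_S:
        info["seq"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    info["gre_header_len"] = off
    info["overhead_with_outer_ip"] = OUTER_IP_HEADER + off
    info["payload"] = packet[off:]
    return info


def demo() -> dict:
    """Constructed packets: default header, header with key+sequence, checksummed header."""
    inner = b"\x45\x00" + b"\x00" * 18 + b"constructed inner IPv4 datagram"
    plain = parse_gre(build_gre(inner))
    keyed = parse_gre(build_gre(inner, key=0x2A, seq=7))
    summed = build_gre(inner, checksum=True)
    tampered = bytearray(summed)
    tampered[-1] ^= 0xFF  # corrupt the last payload byte
    return {
        "default_overhead": plain["overhead_with_outer_ip"],  # 24
        "keyed_overhead": keyed["overhead_with_outer_ip"],  # 32
        "key_seen_in_clear": keyed["key"],  # 42
        "checksum_ok": parse_gre(summed)["checksum_ok"],  # True
        "tampered_checksum_ok": parse_gre(bytes(tampered))["checksum_ok"],  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value}")
```

The checksum catches accidental corruption but not deliberate modification, since anyone can recompute it, and the key is a plaintext tunnel identifier rather than a secret; that is the gap the "Introducing Secure GRE Tunnels" material fills with IPsec.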

    Introducing Secure GRE Tunnels

    GRE is good at tunneling:
    Multiprotocol support
    Provides virtual point-to-point connectivity, allowing routing protocols to be used
    GRE is poor at security: only very basic plaintext authentication can be implemented using the tunnel key (not very secure)
    GRE cannot accommodate typical security requirements:
    Confidentiality
    Data source authentication
    Data integrity

    IPsec Characteristics

    IPsec provides what GRE lacks:
    Confidentiality through encryption using symmetric algorithms (e.g., 3DES or AES)
    Data source authentication using HMACs (e.g., MD5 or SHA-1)
    Data integrity verification using HMACs
    IPsec is not perfect at tunneling:
    Older Cisco IOS software versions do not support IP multicast over IPsec
    IPsec was designed to tunnel IP only (no multiprotocol support)
    Using crypto maps to implement IPsec does not allow the usage of routing protocols across the tunnel
    IPsec does not tunnel IP protocols; GRE does

    GRE over IPsec

    GRE over IPsec is typically used to do the following:
    Create a logical hub-and-spoke topology of virtual point-to-point connections
    Secure communication over an untrusted transport network (e.g., Internet)

    GRE over IPsec Characteristics

    GRE encapsulates arbitrary payload.
    IPsec encapsulates unicast IP packet (GRE):
    Tunnel mode (default): IPsec creates a new tunnel IP packet
    Transport mode: IPsec reuses the IP header of the GRE packet (20 bytes less overhead)

    High Availability for Cisco IOS IPsec VPNs

    Failures

    IPsec VPNs can experience any one of a number of different types of failures:
    Access link failure
    Remote peer failure
    Device failure
    Path failure
    IPsec should be designed and implemented with redundancy and high-availability mechanisms to mitigate these failures.

    Redundancy

    Common solutions using one or more of these options:
    Two access links to mitigate access-link failures
    Multiple peers to mitigate peer failure
    Two local VPN devices to mitigate device failures
    Multiple independent paths to mitigate all path failures

    Failure Detection

    Native IPsec uses DPD to detect failures in the path and remote peer failure.
    Any form of GRE over IPsec typically uses a routing protocol to detect failures (hello mechanism).
    HSRP is typically used to detect failures of local devices. VRRP and GLBP have similar failure-detection functionality.

    Dead Peer Detection

    IKE keepalives: Keepalives in periodic intervals
    DPD: Keepalives in periodic intervals if no data transmitted; on-demand option

    IPsec Backup Peer

    One HA design option is to use native IPsec and its HA mechanisms:
    DPD to detect failures
    Backup peers to take over new tunnels when primary peer becomes unavailable

    Configuration Example

    Router will first try primary peer.
    If primary peer is not available or becomes unavailable (DPD failure detection), the router tries backup peers in order as listed in the crypto map.

    Hot Standby Routing Protocol

    HSRP can be used at:
    Headend: Two head-end IPsec devices appear as one to remote peers
    Remote site: Two IPsec gateways appear as one to local devices
    Active HSRP device uses a virtual IP and MAC address.
    Standby HSRP device takes over virtual IP and MAC address when active HSRP device goes down.

    HSRP for Default Gateway at Remote Site

    All remote devices use virtual IP as default gateway.
    Backup router is only used when primary router is down.

    HSRP for Head-End IPsec Routers

    Remote sites peer with virtual IP address (HSRP) of the headend.
    RRI or HSRP can be used on inside interface to ensure proper return path.

    IPsec Stateful Failover

    IPsec VPNs using DPD, HSRP, or IGPs to mitigate failures only provide stateless failover.
    IPsec stateful failover requires:
    Identical hardware and software configuration of IPsec on active and standby device
    Exchange of IPsec state between active and standby device (i.e., complete SA information)

    IPsec Stateful Failover (Cont.)

    IPsec stateful failover works in combination with HSRP and SSO.
    SSO is responsible for synchronizing the ISAKMP and IPsec SA database between HSRP active and standby routers.
    RRI is optionally used to inject the routes into the internal network.

    IPsec Stateful Failover Example

    Configure IPC to exchange state information between head-end devices.
    Enable stateful redundancy.

    Backing Up a WAN Connection with an IPsec VPN

    IPsec VPNs can be used as cost-effective and fast backups for an existing WAN.
    Switchover options:
    Using an IGP (e.g., GRE over IPsec or VTI): Use IGP metrics to influence primary path selection; optionally, use HSRP to track PVC status on remote site
    Using floating static routes for VPN destinations

    IPsec VPN: Example Using GRE over IPsec

    IGP used to detect PVC failures
    Reroute to GRE over IPsec tunnel

    Summary

    High availability requires two components:
    Redundant device, links, or paths
    High availability mechanisms to detect failures and reroute
    Native IPsec can be configured with backup peers in crypto maps in combination with DPD. HSRP can be used instead of backup peers.
    IPsec stateful failover can augment HSRP to minimize downtime upon head-end device failures.
    IPsec VPNs can be used as a backup for other types of networks.

    IPsec VPNs

    Configuring Cisco Easy VPN and Easy VPN Server Using SDM

    Introducing Cisco Easy VPN

    Cisco Easy VPN has two main functions:
    Simplify client configuration
    Centralize client configuration and dynamically push the configuration to clients
    How are these two goals achieved?
    IKE Mode Config functionality is used to download some configuration parameters to clients.
    Clients are preconfigured with a set of IKE policies and IPsec transform sets.

    Cisco Easy VPN Components

    Easy VPN Server: Enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN Concentrators to act as VPN head-end devices in site-to-site or remote-access VPNs, in which the remote office devices are using the Cisco Easy VPN Remote feature
    Easy VPN Remote: Enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN Hardware Clients or Software Clients to act as remote VPN clients

    Remote Access Using Cisco Easy VPN

    Describe Easy VPN Server and Easy VPN Remote

    Cisco Easy VPN Remote Connection Process

    1. The VPN client initiates the IKE Phase 1 process.
    2. The VPN client establishes an ISAKMP SA.
    3. The Easy VPN Server accepts the SA proposal.
    4. The Easy VPN Server initiates a username and password challenge.
    5. The mode configuration process is initiated.
    6. The RRI process is initiated.
    7. IPsec quick mode completes the connection.

    Step 1: The VPN Client Initiates the IKE Phase 1 Process

    Using pre-shared keys? Initiate aggressive mode.
    Using digital certificates? Initiate main mode.

    Step 2: The VPN Client Establishes an ISAKMP SA

    The VPN client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server.
    To reduce manual configuration on the VPN client, these ISAKMP proposals include several combinations of the following:
    Encryption and hash algorithms
    Authentication methods
    Diffie-Hellman group sizes

    Step 3: The Cisco Easy VPN Server Accepts the SA Proposal

    The Easy VPN Server searches for a match:
    The first proposal to match the server list is accepted (highest-priority match).
    The most secure proposals are always listed at the top of the Easy VPN Server proposal list (highest priority).
    The ISAKMP SA is successfully established.
    Device authentication ends and user authentication begins.
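The proposal-matching rule of Steps 2 and 3, as an added Python example (not code from the slides or from Cisco): the client offers every combination of its preconfigured encryption, hash, authentication method and Diffie-Hellman group, and the server walks its own policy list in priority order and accepts the first policy any client proposal matches, so the server's ordering, not the client's, decides how strong the ISAKMP SA is. The policy list and the client parameter sets are constructed after the `crypto isakmp policy` attributes the course uses; real IOS additionally compares the lifetime, which is left out here.

```python
import itertools
from collections import namedtuple

# Added example, not from the original slides. Policies and proposals are constructed
# after the `crypto isakmp policy` attributes the course uses (encryption, hash,
# authentication, Diffie-Hellman group); real IOS also compares the SA lifetime.
Proposal = namedtuple("Proposal", "encryption hash authentication group")

# Server list ordered by priority: lower number = higher priority, strongest first.
SERVER_POLICIES = [
    (10, Proposal("aes-256", "sha", "rsa-sig", 14)),
    (20, Proposal("aes-128", "sha", "pre-share", 5)),
    (30, Proposal("3des", "md5", "pre-share", 2)),
]


def easy_vpn_client_proposals(encryptions, hashes, auths, groups) -> list:
    """The client offers every combination of its preconfigured parameters."""
    return [Proposal(e, h, a, g)
            for e, h, a, g in itertools.product(encryptions, hashes, auths, groups)]


def select_policy(server_policies, client_proposals):
    """Walk the server list by priority; accept the first policy a client proposal matches.

    Returns (priority, policy) or None when there is no common proposal.
    """
    offered = set(client_proposals)
    for priority, policy in sorted(server_policies, key=lambda item: item[0]):
        if policy in offered:
            return priority, policy
    return None  # no match: the ISAKMP SA is not established


def demo() -> dict:
    """Three constructed clients against the same server list."""
    # A preshared-key client that lists 3DES first still ends up on policy 20
    # because the server evaluates its own list top-down.
    psk_client = easy_vpn_client_proposals(["3des", "aes-128"], ["md5", "sha"],
                                           ["pre-share"], [2, 5])
    cert_client = easy_vpn_client_proposals(["aes-256", "3des"], ["sha"],
                                            ["rsa-sig"], [14, 2])
    weak_client = easy_vpn_client_proposals(["des"], ["md5"], ["pre-share"], [1])
    return {
        "psk_client": select_policy(SERVER_POLICIES, psk_client),
        "cert_client": select_policy(SERVER_POLICIES, cert_client),
        "weak_client": select_policy(SERVER_POLICIES, weak_client),
    }


if __name__ == "__main__":
    for client, result in demo().items():
        print(client, "->", result)
```

Because the server never accepts a proposal it does not list, removing weak policies from the head end is what prevents a downgraded SA; reordering the client's offer list changes nothing.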

    Step 4: The Easy VPN Server Initiates a Username and Password Challenge

    If the Easy VPN Server is configured for Xauth, the VPN client waits for a username/password challenge:
    The user enters a username/password combination.
    The username/password information is checked against authentication entities using AAA.

    Step 5: The Mode Configuration Process Is Initiated

    If the Easy VPN Server indicates successful authentication, the VPN client requests the remaining configuration parameters from the Easy VPN Server:
    Mode configuration starts.
    The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN client.
    Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.

    Step 6: The RRI Process Is Initiated

    RRI should be used when the following conditions occur:
    More than one VPN server is used
    Per-client static IP addresses are used with some clients (instead of using per-VPN-server IP pools)
    RRI ensures the creation of static routes.
    Redistributing static routes into an IGP allows the server site routers to find the appropriate Easy VPN Server for return traffic to clients.

    Step 7: IPsec Quick Mode Completes the Connection

    After the configuration parameters have been successfully received by the VPN client, IPsec quick mode is initiated to negotiate IPsec SA establishment.
    After IPsec SA establishment, the VPN connection is complete.

    Configuring NTP Client

    Understanding NTP

    NTP is used to synchronize the clocks in the entire network.
    System clock is set by the battery system calendar during bootup.
    System clock can then be modified manually or via NTP.
    NTP runs over UDP port 123; current version is 4.
    Only NTP up to version 3 has been documented in RFCs.
    Stratum describes how many NTP hops away a machine is from authoritative time source.

    Configuring NTP Authentication

    Router(config)#
    ntp authenticate

    Enables the authentication feature

    Router(config)#
    ntp authentication-key number md5 value

    Defines the authentication keys
    Used for both peer and server associations

    Router(config)#
    ntp trusted-key key-number

    Defines the trusted authentication keys
    Required to synchronize to a system (server association)

    R1(config)#ntp authenticate
    R1(config)#ntp authentication-key 1 md5 NeVeRgUeSs
    R1(config)#ntp trusted-key 1

    Configuring NTP Associations

    Router(config)#
    ntp server {ip-address | hostname} [version number] [key keyid] [source interface] [prefer]

    Forms a server association with another system

    Router(config-if)#
    ntp broadcast client

    Receives NTP broadcast packets

    R1(config)#ntp server 10.1.1.1 key 1
    R1(config)#ntp server 10.2.2.2 key 2 prefer
    R1(config)#interface Fastethernet 0/1
    R1(config-if)#ntp broadcast client

    Configuring Additional NTP Options

    Router(config)#
    ntp access-group {query-only | serve-only | serve | peer} access-list-number

    Controls NTP message exchange

    Router(config)#
    ntp source interface

    Modifies the source IP address of NTP packets

    R1(config)#access-list 1 permit host 10.1.1.1
    R1(config)#ntp access-group peer 1
    R1(config)#ntp source loopback 0

    Configuring NTP Server

    Implementing NTP Server

    Cisco IOS routers work as an NTP server by default.

    As soon as a router is synchronized to an authoritative time source, it will allow peers with lower stratum to synchronize to that router:
    Requires a peer association

    You can make a router an authoritative NTP server, even if the system is not synchronized to an outside time source.

    Two options to establish a peer association:

    Unicast

    Configuring NTP Server

    Router(config)#
    ntp peer ip-address [normal-sync] [version number] [key keyid] [source interface] [prefer]

    Forms a peer association with another system

    Router(config)#
    ntp master [stratum]

    Makes the system an authoritative NTP server

    Router(config-int)#
    ntp broadcast [version number] [destination address] [key keyid]

    Configures an interface to send NTP broadcast packets

    R2(config)#ntp peer 10.1.1.1 key 1
    R2(config)#ntp master 3
    R2(config)#interface Fastethernet0/0
    R2(config-int)#ntp broadcast

    NTP Configuration Example

    Source(config)#ntp master 5
    Source(config)#ntp authentication-key 1 md5 secretsource
    Source(config)#ntp peer 172.16.0.2 key 1
    Source(config)#ntp source loopback 0

    Intermediate(config)#ntp authentication-key 1 md5 secretsource
    Intermediate(config)#ntp authentication-key 2 md5 secretclient
    Intermediate(config)#ntp trusted-key 1
    Intermediate(config)#ntp server 172.16.0.1
    Intermediate(config)#ntp source loopback 0
    Intermediate(config)#interface Fastethernet0/0
    Intermediate(config-int)#ntp broadcast

    Client(config)#ntp authentication-key 1 md5 secretclient
    Client(config)#ntp trusted-key 1
    Client(config)#interface Fastethernet0/1
    Client(config-int)#ntp broadcast client
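    What the ntp authentication-key / ntp trusted-key / ntp authenticate commands above actually protect is shown by the following added example (it is not Cisco code and not part of the slides). It builds a keyed NTP packet the way the symmetric-key MD5 scheme does (key ID plus MD5 over key || header) and verifies it against a trusted-key table; the key string NeVeRgUeSs, the key IDs and the packet fields are constructed sample data.

```python
"""NTP symmetric-key authentication as used by 'ntp authentication-key <id> md5 <value>'
and 'ntp trusted-key <id>'. Added example; not Cisco code.

A keyed NTP packet is the 48-byte header followed by a MAC field:
4-byte key ID + MD5(key || header) (RFC 5905 symmetric-key scheme, the same
MD5 construction NTPv3 used). Key strings and packet fields are constructed.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16  # key ID + MD5 digest


def build_ntp_header(version=4, mode=3, stratum=0, transmit_ts=0):
    """Minimal NTP header (RFC 5905 field order). mode 3 = client request."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    # LI/VN/mode, stratum, poll, precision, root delay, root dispersion,
    # reference ID, then reference/origin/receive/transmit timestamps.
    return struct.pack("!BBbbIIIQQQQ", li_vn_mode, stratum, 6, -20,
                       0, 0, 0, 0, 0, 0, transmit_ts)


def authenticate(header, key_id, key):
    """Sender side: append key ID and MD5 over key || header."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    digest = hashlib.md5(key.encode("ascii") + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, trusted_keys):
    """Receiver side. trusted_keys maps key ID -> key string, i.e. only the
    IDs listed with 'ntp trusted-key'. Returns (accepted, key_id).
    Packets without a MAC are rejected, which is what 'ntp authenticate'
    requires before a peer is used for synchronization."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, None
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, key_id  # key ID is on the wire but not trusted here
    expected = hashlib.md5(key.encode("ascii") + header).digest()
    return hmac.compare_digest(expected, mac[4:]), key_id
```

    The verify() check mirrors the slide's point that a key must be both defined and trusted: a packet signed with key ID 1 is rejected when only key ID 2 is trusted, and any change to the header (the stratum byte, for instance) invalidates the MAC.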

    Summary

    Since OOB management provides higher levels of security and performance than in-band, the decision to use an in-band solution must be considered carefully.

    Management communications should use SSH rather than Telnet.

    Implementing a router logging facility is an important part of any network security policy.

    Syslog is implemented on your Cisco router using syslog router commands.

    Network management will be greatly enhanced by implementing the security features of SNMPv3 rather than earlier versions.

    Cisco IOS SNMPv3 server configuration tasks include configuring SNMP-server engine ID, group names, users, and hosts.

    Cisco routers can be configured as NTP servers or clients.

    Packet authentication and filtering should be used to protect NTP exchange.

    Cisco Device Hardening

    Configuring AAA on Cisco Routers

    Introduction to AAA

    AAA Model

    Authentication: Who are you?
    I am user student and my password validateme proves it.

    Authorization: What can you do? What can you access?
    User student can access host serverXYZ using Telnet.
    Assign an IP address and ACL to user student connecting through VPN.
    When user student starts an EXEC session, assign privilege level 10.

    Accounting: What did you do? How long and how often did you do it?
    User student accessed host serverXYZ using Telnet for 15 minutes.
    User student was connected to VPN for 25 minutes.
    EXEC session of user student lasted 20 minutes and only show commands were executed.

    Implementing AAA

    Administrative access: Console, Telnet, and AUX access

    Remote user network access: Dialup or VPN

    Router Access Modes

    AAA Protocols: RADIUS and TACACS+

    RADIUS Authentication and Authorization

    The example shows how RADIUS exchange starts once the NAS is in possession of the username and password.

    The ACS can reply with Access-Accept message, or Access-Reject if authentication is not successful.

    RADIUS Messages

    There are four types of messages:

    Access-Request
    Access-Challenge, to facilitate challenge-response authentication protocols
    Access-Accept
    Access-Reject

    RADIUS Attributes

    RADIUS messages contain zero or more AV-pairs, for example:

    User-Name
    User-Password (this is the only encrypted entity in RADIUS)
    CHAP-Password
    Service-Type
    Framed-IP-Address

    There are approximately 50 standard-based attributes (RFC 2865).

    RADIUS allows proprietary attributes.

    RADIUS Features

    Standard protocol (RFC 2865)

    Standard attributes can be augmented by proprietary attributes:
    Vendor-specific attribute 26 allows any TACACS+ attribute to be used over RADIUS

    Uses UDP on standard port numbers (1812 and 1813; Cisco Secure ACS uses 1645 and 1646 by default)

    Includes only two security features:
    Encryption of passwords (MD5 encryption)
    Authentication of packets (MD5 fingerprinting)
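    The "two security features" just listed are both MD5 constructions from RFC 2865, and it is worth seeing exactly how little they cover. The following is an added example, not Cisco or ACS code: it hides a User-Password the way section 5.2 specifies and computes and checks the Response Authenticator from section 3. The shared secret secretradius, the identifier, the Request Authenticator bytes and the user credentials are constructed sample values.

```python
"""The two MD5-based protections RFC 2865 gives RADIUS. Added example; not
Cisco or ACS code. Shared secret, identifier and Request Authenticator values
are constructed sample data.

1. User-Password hiding (RFC 2865 section 5.2): pad to a multiple of 16 bytes,
   then XOR each block with MD5(secret || previous block), seeded with the
   Request Authenticator. Only this attribute is hidden; User-Name and every
   other attribute travel in clear.
2. Response Authenticator (section 3): MD5(Code || ID || Length ||
   RequestAuth || Attributes || Secret). The NAS recomputes it to check that
   an Access-Accept/Reject was produced by a holder of the shared secret.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, request_auth):
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], stream))
        out += block
        prev = block                      # chaining uses the hidden block
    return bytes(out)


def reveal_password(hidden, secret, request_auth):
    """Server side; strips the zero padding (fine here because the sample
    passwords contain no NUL bytes)."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(atype, value):
    """Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(ident, secret, username, password, request_auth=None):
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b""):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, request_auth, attrs, secret) + attrs


def verify_response(response, request_auth, secret):
    """NAS side: accept the reply only if its authenticator matches."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, request_auth, response[20:], secret)
    return hmac.compare_digest(response[4:20], expected)
```

    Two things the code makes visible: the User-Name attribute sits in the Access-Request unhidden, so RADIUS on its own does not give confidentiality, and the Response Authenticator is what stops a reply with a flipped Code field (Reject turned into Accept) from being accepted by a NAS that knows the secret.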

    TACACS+ Authentication

    The example shows how TACACS+ exchange starts before the user is prompted for username and password.

    The prompt text can be supplied by the TACACS+ server.

    TACACS+ Network Authorization

    The example shows the process of network authorization, which starts after successful authentication.

    TACACS+ Command Authorization

    The example illustrates the command authorization process, which is repeatedly started for every single command that requires authorization (based on command privilege level).

    TACACS+ Attributes and Features

    TACACS+ messages also contain AV-pairs, such as these:

    ACL
    ADDR
    CMD
    Interface-Config
    Priv-Lvl
    Route

    TACACS+ uses TCP on well-known port number 49.

    TACACS+ establishes a dedicated TCP session for every AAA action.

    Cisco Secure ACS can use one persistent TCP session for all actions.

    Protocol security includes authentication and encryption of all TACACS+ datagrams.

    Configuring the AAA Server


    TACACS+

    RADIUS

    Configure AAA Login Authentication on Cisco Routers Using CLI

    AAA Authentication Commands

    Router(config)#
    aaa authentication login {default | list_name} group {group_name | tacacs+ | radius} [method2 [method3 [method4]]]

    Use this command to configure the authentication process.

    Router(config)#aaa authentication login default group tacacs+ local line

    Character Mode Login Example

    Router#show running-config
    ...
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login my_list group tacacs+
    ...
    line con 0
    line aux 0
    line vty 0 4
    login authentication my_list

    Because the authentication has not been specified for line con 0 and aux 0, the default option will be used.

    Verifying AAA Login Authentication Commands

    aaa new-model
    !
    aaa authentication login default local
    aaa authentication login radius_local group radius group radius
    aaa authorization exec default local
    !
    username joe secret 5 $1$SlZh$Io83V..6/8WEQYTis2SEW1
    !
    tacacs-server host 10.1.1.10 single-connection key secrettacacs
    radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key secretradius
    !
    line vty 0 4
    login authentication radius_local
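    The method lists in the two examples above (group tacacs+ local, group tacacs+ local line, and so on) are only as safe as the rule IOS uses to walk them: a later method is consulted when the earlier one returns an error (it could not be used), not when it fails (wrong credentials). The following added example models that rule in Python so the consequences can be checked; it is not Cisco code and talks to no device. The user names, passwords, server reachability flags and the "local database empty means the method is unavailable" behaviour are constructed modelling assumptions, labelled as such in the code.

```python
"""Model of how Cisco IOS evaluates an AAA method list such as
'aaa authentication login default group tacacs+ local'. Added example;
it simulates the documented rule, it does not talk to a device.

Rule: each method returns PASS, FAIL or ERROR. The next method in the list is
consulted only on ERROR (the method could not be used, for example the
TACACS+ server did not answer). FAIL (wrong credentials) ends the list and
denies access. Users, passwords and server state are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Device:
    local_users: Dict[str, str] = field(default_factory=dict)   # 'username ... secret'
    line_password: Optional[str] = None                         # 'password' on the line
    tacacs_reachable: bool = True
    tacacs_users: Dict[str, str] = field(default_factory=dict)  # AAA server database


def method_group_tacacs(dev, user, pw):
    if not dev.tacacs_reachable:
        return ERROR                      # server unreachable: method unavailable
    return PASS if dev.tacacs_users.get(user) == pw else FAIL


def method_local(dev, user, pw):
    # Modelling assumption: an empty local database makes the method
    # unavailable; an unknown user or a wrong password is a FAIL. Confirm the
    # exact behaviour of a given IOS release with 'debug aaa authentication'.
    if not dev.local_users:
        return ERROR
    return PASS if dev.local_users.get(user) == pw else FAIL


def method_line(dev, user, pw):
    if dev.line_password is None:
        return ERROR
    return PASS if pw == dev.line_password else FAIL


def method_none(dev, user, pw):
    return PASS                           # no authentication at all


METHODS = {
    "group tacacs+": method_group_tacacs,
    "local": method_local,
    "line": method_line,
    "none": method_none,
}


def authenticate(dev, method_list, user, pw):
    """Walk the list; return (result, deciding method). If every method
    errors out, access is denied."""
    for name in method_list:
        result = METHODS[name](dev, user, pw)
        if result != ERROR:
            return result, name
    return FAIL, None


def fails_open(method_list):
    """Config check: a list containing 'none' grants access whenever all the
    methods before it are unavailable, so it deserves review."""
    return "none" in method_list
```

    Two consequences worth noting from running it: a user that exists only in the local database is rejected while the TACACS+ server is reachable (the server's FAIL is final), and the local method is reached only when the server cannot be contacted, which is exactly the role of a fallback method. The none method appears later in this module in an authorization list; fails_open() is the kind of check to run over such a configuration.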

    Troubleshoot AAA Login Authentication on Cisco Routers

    router#
    debug aaa authentication

    Use this command to help troubleshoot AAA authentication problems.

    Troubleshoot AAA Authentication Example

    R2#debug aaa authentication
    113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
    113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
    113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
    113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
    113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
    113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
    113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
    113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
    113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
    113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
    113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
    113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
    113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS

    AAA Authorization Commands

    router(config)#
    aaa authorization {network | exec | commands level | config-commands | reverse-access} {default | list-name} method1 [method2...]

    Example:
    router(config)#aaa authorization exec default group radius local none

    Authorization Example

    R2#show running-config
    ...
    aaa new-model
    !
    aaa authentication login default local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    ...
    username admin password 0 cisco123

    Troubleshooting Authorization

    router#
    debug aaa authorization

    Use this command to help troubleshoot AAA authorization problems.

    R2#debug aaa authorization
    2:23:21: AAA/AUTHOR (0): user='carrel'
    2:23:21: AAA/AUTHOR (0): send AV service=shell
    2:23:21: AAA/AUTHOR (0): send AV cmd*
    2:23:21: AAA/AUTHOR (342885561): Method=TACACS+
    2:23:21: AAA/AUTHOR/TAC+ (342885561): user=carrel
    2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV service=shell
    2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV cmd*
    2:23:21: AAA/AUTHOR (342885561): Post authorization status = FAIL

    AAA Accounting Commands

    router(config)#
    aaa accounting {command level | connection | exec | network | system} {default | list-name} {start-stop | stop-only | wait-start} group {tacacs+ | radius}

    Example:
    R2(config)#aaa accounting exec default start-stop group tacacs+

    AAA Accounting Example

    R2#show running-config | begin aaa
    aaa new-model
    !
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    ...
    tacacs-server host 10.1.1.3
    tacacs-server key SeCrEtKeY
    ...

    Troubleshooting Accounting

    router#
    debug aaa accounting

    Use this command to help troubleshoot AAA accounting problems.

    R2#debug aaa accounting
    16:49:21: AAA/ACCT: EXEC acct start, line 10
    16:49:32: AAA/ACCT: Connect start, line 10, glare
    16:49:47: AAA/ACCT: Connection acct stop:
    task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14

    Summary

    Authentication, authorization, and accounting are used to effectively control network access.

    The router access modes for AAA are character and packet.

    The most popular AAA protocols are TACACS+ and RADIUS.

    AAA can be configured on the router using CLI or SDM.

    SDM simplifies the AAA configuration process.

    One of the troubleshooting tools for login authentication is the debug aaa authentication command.

    The aaa authorization exec command is used for character mode while the aaa authorization network command is used for packet mode access authorization.

    The aaa accounting command provides numerous options for accounting purposes.

    Module Summary

    Attacks can target various components of modern networks, such as system integrity, confidentiality, and availability.

    Disabling unneeded router services and interfaces makes the router less vulnerable to attacks.

    Administrative access should be secured using