
Wide-Area Networking Review

© 2002, Cisco Systems, Inc. All rights reserved. 1


WAN Overview

• WANs connect remote sites.
• Connection requirements vary depending on user requirements, cost, and availability.
WAN Connection Types: Layer 1

Interfacing Between WAN Service Providers

• Provider assigns connection parameters to subscriber.

Serial Point-to-Point Connections

Typical WAN Encapsulation Protocols: Layer 2
Summary
– A WAN makes data connections across a broad
geographic area so that information can be
exchanged between distant sites.
– Some of the WAN connection types available are
leased line, circuit-switched, and packet-switched.
– Cisco routers support the EIA/TIA-232, EIA/TIA-449,
V.35, X.21, and EIA/TIA-530 standards for serial
connections.
– To encapsulate data for crossing a WAN link, you can
choose from a variety of Layer 2 protocols, including
HDLC, PPP, SLIP, X.25/LAPB, Frame Relay, and ATM.
Configuring Serial Point-to-Point Encapsulation



Objectives
• Upon completing this lesson, you will be able to:
– Use Cisco IOS commands to configure serial interfaces
using HDLC and PPP encapsulation for leased-line
connections, given a functioning router
– Use show commands to identify anomalies in HDLC and
PPP encapsulation for leased-line connections, given an
operational router
– Use debug commands to identify events and anomalies in
PPP configuration for leased-line connections, given an
operational router
HDLC Frame Format

• Uses a proprietary data field to support multiprotocol environments
• Supports only single-protocol environments


Configuring HDLC Encapsulation

Router(config-if)#encapsulation hdlc

• Enables HDLC encapsulation
• Uses the default encapsulation on synchronous serial interfaces
An Overview of PPP

• PPP can carry packets from several protocol suites using NCP.
• PPP controls the setup of several link options using LCP.
Layering PPP Elements

• PPP: A data link with network layer services

PPP LCP Configuration Options

PPP Session Establishment

• Two PPP authentication protocols: PAP and CHAP
PPP Authentication Protocols

• Passwords sent in clear text
• Peer in control of attempts

Challenge Handshake Authentication Protocol

• Hash values, not actual passwords, are sent across link.
• The local router or external server is in control of attempts.
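To make the difference between the two slides concrete, here is an added Python model of the CHAP three-way handshake; it is not Cisco code and not part of this deck. It follows RFC 1994, where the response is MD5 over the one-byte identifier, the shared secret and the challenge, and the authenticator (the local router or its AAA server) keeps control of each attempt by issuing a fresh random challenge and consuming it on verification. The `ChapAuthenticator` class, the `chap_exchange` and `pap_on_the_wire` helpers and the credentials are assumptions constructed for this example.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).

    Only this digest crosses the link; the secret itself never does.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The challenging side (local router or external AAA server); a constructed model."""

    def __init__(self, credentials: dict[str, bytes], rng=os.urandom):
        self._credentials = credentials            # peer name -> shared secret
        self._outstanding: dict[int, bytes] = {}   # identifier -> challenge awaiting a response
        self._rng = rng

    def challenge(self, identifier: int) -> bytes:
        """Issue a fresh random challenge; the authenticator decides when attempts happen."""
        value = self._rng(16)
        self._outstanding[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # A challenge is good for exactly one response: pop it so that a captured
        # response cannot be presented a second time against the same challenge.
        challenge = self._outstanding.pop(identifier, None)
        secret = self._credentials.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def chap_exchange(auth: ChapAuthenticator, identifier: int, name: str,
                  peer_secret: bytes) -> tuple[bytes, bool]:
    """Run one CHAP exchange; return (response that went on the wire, accepted?)."""
    challenge = auth.challenge(identifier)            # 1. Challenge
    response = chap_response(identifier, peer_secret, challenge)  # 2. Response
    return response, auth.verify(identifier, name, response)       # 3. Success/Failure


def pap_on_the_wire(name: str, password: str) -> bytes:
    """What a PAP Authenticate-Request carries: the password itself, in clear text."""
    return name.encode() + b"\x00" + password.encode()


if __name__ == "__main__":
    credentials = {"RouterB": b"constructed-shared-secret"}   # constructed
    auth = ChapAuthenticator(credentials)
    captured, ok = chap_exchange(auth, 1, "RouterB", credentials["RouterB"])
    print("first exchange accepted:", ok)
    # A digest captured from the link is useless against a later challenge,
    # because the challenge value changed.
    auth.challenge(2)
    print("captured response accepted later:", auth.verify(2, "RouterB", captured))
    print("PAP request contains the password:",
          b"secret" in pap_on_the_wire("RouterB", "secret"))
```

The same property is what `debug ppp authentication` lets you confirm on a router: the CHAP CHALLENGE and RESPONSE lines carry identifiers and hash values, never the configured password.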
Configuring PPP and Authentication Overview

Configuring PPP

Router(config-if)#encapsulation ppp

• Enables PPP encapsulation

Configuring PPP Authentication

Router(config)#hostname name

• Assigns a host name to your router

Router(config)#username name password password

• Identifies the username and password of remote router

Configuring PPP Authentication (Cont.)

Router(config-if)#ppp authentication {chap | chap pap | pap chap | pap}

• Enables PAP and/or CHAP authentication
CHAP Configuration Example
Verifying the HDLC and PPP Encapsulation Configuration
Router#show interface s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP
Last input 00:00:05, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
38021 packets input, 5656110 bytes, 0 no buffer
Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
38097 packets output, 2135697 bytes, 0 underruns
0 output errors, 0 collisions, 6045 interface resets
0 output buffer failures, 0 output buffers swapped out
482 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
Verifying PPP Authentication

• debug ppp authentication shows successful CHAP output.
Summary
– HDLC is the Cisco default data-link layer protocol for
encapsulating data on synchronous serial data links.
– PPP encapsulates network layer protocol
information over point-to-point links.
– Configurable aspects of PPP include methods of
authentication, compression, and error detection,
as well as whether or not multilink is supported.
– PPP session establishment progresses through three
phases: link establishment, authentication, and
network layer protocol.
Summary (Cont.)
– When configuring PPP authentication, you can
select PAP or CHAP. In general, CHAP is the
preferred protocol.
– You enable PPP with the encapsulation ppp
command and PPP authentication with the ppp
authentication command.
– Use the show interface command to verify proper
configuration of PPP encapsulation.
– The debug ppp authentication command displays
the authentication exchange sequence.
Establishing Frame Relay Connections
Frame Relay Overview



Objectives
• Upon completing this lesson, you will be
able to:
– Describe the features and operation of a Frame
Relay network
– Define important Frame Relay terms including
local access rate, virtual circuit, PVC, SVC, DLCI,
CIR, InARP, LMI, FECN, and BECN
Frame Relay Overview

– Connections made by virtual circuits
– Connection-oriented service

Frame Relay Stack

OSI Reference Model   Frame Relay
Application
Presentation
Session
Transport
Network               IP/IPX/AppleTalk, etc.
Data-Link             Frame Relay
Physical              EIA/TIA-232, EIA/TIA-449, V.35, X.21, EIA/TIA-530
Frame Relay Terminology

Selecting a Frame Relay Topology

• Frame Relay default: nonbroadcast, multiaccess (NBMA)

Reachability Issues with Routing Updates

• Problem:
– Broadcast traffic must be replicated for
each active connection.
– Split-horizon rule prevents routing updates received on
one interface from being forwarded out the same interface.
Resolving Reachability Issues

• Split horizon can cause problems in NBMA environments.
• Subinterfaces can resolve split horizon issues.
• Solution: A single physical interface simulates multiple logical interfaces.
Frame Relay Address Mapping

– Use LMI to get locally significant DLCI from the Frame Relay
switch.
– Use Inverse ARP to map the local DLCI to the remote router’s
network layer address.
Frame Relay Signaling

– Cisco supports three LMI standards:
• Cisco
• ANSI T1.617 Annex D
• ITU-T Q.933 Annex A

Frame Relay Inverse ARP and LMI Signaling

Stages of Inverse ARP and LMI Operation

How Service Providers Map Frame Relay DLCIs: Service Provider View

How Service Providers Map Frame Relay DLCIs: Enterprise View

Service Provider Frame Relay-to-ATM Interworking

FRF.8 Service Interworking
Summary
– Frame Relay is an ITU-T and ANSI standard that defines the
process for sending data over a public data network.
– The core aspects of Frame Relay function at the lower two
layers of the OSI reference model.
– Knowing the terms that are used frequently when
discussing Frame Relay is important to understanding the
operation and configuration of Frame Relay services.
– Frame Relay allows you to interconnect your remote sites
in a variety of topologies including star, full mesh, and
partial mesh.
– A Frame Relay NBMA topology may cause routing update
reachability issues, which are solved by using subinterfaces.
Summary (Cont.)
– A Frame Relay connection requires that, on a VC, the local DLCI
be mapped to a destination network layer address such as an IP
address.
– LMI is a signaling standard between the router and the Frame
Relay switch that is responsible for managing the connection
and maintaining status between the devices.
– Service providers map Frame Relay DLCIs so that DLCIs with
local significance appear at each end of a Frame Relay
connection.
– FRF.5 provides network interworking functionality that allows
Frame Relay end users to communicate over an intermediate
ATM network that supports FRF.5. FRF.8 provides service
interworking functionality that allows a Frame Relay end user
to communicate with an ATM end user.
Configuring Frame Relay



Objectives
• Upon completing this lesson, you will be able to:
– Use Cisco IOS commands to configure a Frame Relay
network, given a functioning router
– Use show commands to identify anomalies in the Frame
Relay PVCs, given a functioning router and an operational
Frame Relay network
– Use debug commands to identify events and anomalies in
the Frame Relay PVCs, given a functioning router and an
operational Frame Relay network
Configuring Basic Frame Relay

Configuring a Static Frame Relay Map
Configuring Subinterfaces
– Point-to-point
• Subinterfaces act like leased lines.
• Each point-to-point subinterface requires its own subnet.
• Point-to-point is applicable to hub and spoke topologies.
– Multipoint
• Subinterfaces act like NBMA networks, so they do not resolve the split-horizon issues.
• Multipoint can save address space because it uses a single subnet.
• Multipoint is applicable to partial mesh and full mesh topologies.
Configuring Point-to-Point Subinterfaces

Multipoint Subinterfaces Configuration Example
Verifying Frame Relay Operation
Router#show frame-relay traffic

• Displays Frame Relay traffic statistics

Router#clear frame-relay-inarp

• Clears dynamically created Frame Relay maps, created by using Inverse ARP

Router#show interfaces type number

• Displays information about Frame Relay DLCIs and the LMI

Router#show frame-relay lmi [type number]

• Displays LMI statistics

Router#show frame-relay map

• Displays the current Frame Relay map entries

Router#show frame-relay pvc [type number [dlci]]

• Displays PVC statistics


show interfaces Example
Router#show interfaces s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation FRAME-RELAY, loopback not set, keepalive set (10 sec)
LMI enq sent 19, LMI stat recvd 20, LMI upd recvd 0, DTE LMI up
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
FR SVC disabled, LAPF state down
Broadcast queue 0/64, broadcasts sent/dropped 8/0, interface broadcasts 5
Last input 00:00:02, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
<Output omitted>

– Displays line, protocol, DLCI, and LMI information


show frame-relay lmi Example

Router#show frame-relay lmi

LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 113100 Num Status msgs Rcvd 113100
Num Update Status Rcvd 0 Num Status Timeouts 0

– Displays LMI information


show frame-relay pvc Example
Router#show frame-relay pvc 100

PVC Statistics for interface Serial0 (Frame Relay DTE)

DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0

input pkts 28 output pkts 10 in bytes 8398
out bytes 1198 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 10 out bcast bytes 1198
pvc create time 00:03:46, last time pvc status changed 00:03:47

– Displays PVC traffic statistics


show frame-relay map Example

Router#show frame-relay map


Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic,
broadcast,, status defined, active

– Displays the route maps, either static or dynamic
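The two hex values that show frame-relay map prints after the DLCI are the same DLCI in two forms: 0x64 is 100 in hex, and 0x1840 is where the ten DLCI bits sit inside the two-byte Q.922 address field that starts every Frame Relay frame (six high bits in the first byte, four low bits in the second, with the C/R, FECN, BECN, DE and EA bits around them). The following Python encoder/decoder is an added example, not Cisco code: the function names and the FrAddress class are assumptions, and the sample header bytes are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FrAddress:
    """Fields of the 2-byte Q.922 address at the start of a Frame Relay frame."""
    dlci: int
    cr: bool = False    # command/response bit, passed through transparently
    fecn: bool = False  # forward explicit congestion notification
    becn: bool = False  # backward explicit congestion notification
    de: bool = False    # discard eligibility


def encode_address(addr: FrAddress) -> bytes:
    """Build the 2-byte address field.

    Byte 1: DLCI bits 9..4 | C/R | EA=0
    Byte 2: DLCI bits 3..0 | FECN | BECN | DE | EA=1
    """
    if not 0 <= addr.dlci <= 1023:
        raise ValueError("a 2-byte address field carries a 10-bit DLCI")
    b1 = (((addr.dlci >> 4) & 0x3F) << 2) | (addr.cr << 1) | 0
    b2 = ((addr.dlci & 0x0F) << 4) | (addr.fecn << 3) | (addr.becn << 2) | (addr.de << 1) | 1
    return bytes([b1, b2])


def decode_address(header: bytes) -> FrAddress:
    """Parse the first two bytes of a frame into DLCI and flag bits."""
    if len(header) < 2:
        raise ValueError("truncated address field")
    b1, b2 = header[0], header[1]
    if (b1 & 1) or not (b2 & 1):
        raise ValueError("EA bits do not describe a 2-byte address")
    return FrAddress(
        dlci=((b1 >> 2) << 4) | (b2 >> 4),
        cr=bool(b1 & 0x02),
        fecn=bool(b2 & 0x08),
        becn=bool(b2 & 0x04),
        de=bool(b2 & 0x02),
    )


def ios_display_value(dlci: int) -> int:
    """The second number IOS prints, e.g. dlci 100(0x64,0x1840): the DLCI bits at
    their header positions with every other bit (C/R, FECN, BECN, DE, EA) cleared."""
    return ((dlci >> 4) << 10) | ((dlci & 0x0F) << 4)


def describe_map_entry(ip: str, dlci: int) -> str:
    """Render the DLCI part of a show frame-relay map line for comparison."""
    return f"ip {ip} dlci {dlci}(0x{dlci:X},0x{ios_display_value(dlci):X})"


if __name__ == "__main__":
    print(describe_map_entry("10.140.1.1", 100))   # same text as the slide's output
    # Constructed header for DLCI 100 with FECN set, as the switch marks a frame
    # that crossed a congested path toward us (the "in FECN pkts" counter).
    print(decode_address(bytes([0x18, 0x49])))
```

Decoding the flag bits is also what the in/out FECN, BECN and DE counters in show frame-relay pvc are built from; a rising BECN count on a PVC tells you the provider is asking this router to slow down.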


clear frame-relay-inarp Example

Router#show frame-relay map


Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic,
broadcast,, status defined, active
Router#clear frame-relay-inarp
Router#show frame map
Router#

• Clears dynamically created Frame Relay maps


Troubleshooting Basic Frame Relay Operations
Router#debug frame-relay lmi
Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
Router#
1w2d: Serial0(out): StEnq, myseq 140, yourseen 139, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8C 8B
1w2d:
1w2d: Serial0(in): Status, myseq 140
1w2d: RT IE 1, length 1, type 1
1w2d: KA IE 3, length 2, yourseq 140, myseq 140
1w2d: Serial0(out): StEnq, myseq 141, yourseen 140, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8D 8C
1w2d:
1w2d: Serial0(in): Status, myseq 142
1w2d: RT IE 1, length 1, type 0
1w2d: KA IE 3, length 2, yourseq 142, myseq 142
1w2d: PVC IE 0x7 , length 0x6 , dlci 100, status 0x2 , bw 0

• Displays LMI debug information


Summary
– A basic Frame Relay configuration assumes one or more
physical interfaces, and LMI and Inverse ARP are running
on the remote routers. In this type of environment, the LMI
notifies the router about the available DLCIs.
– When the remote router does not support Inverse ARP, or
when you want to control routed broadcast traffic, you
must define the address-to-DLCI table statically.
– You can configure Frame Relay subinterfaces in either
point-to-point or multipoint mode.
– After you configure Frame Relay, you can verify that the
connections are active using the available show commands.
– Use the debug frame-relay lmi command to verify and
troubleshoot a Frame Relay connection.
Configuring ISDN BRI and PRI



Objectives
• Upon completing this lesson, you will be able to:
– Configure ISDN BRI and ISDN PRI, given a functioning
router and a physical ISDN connection
– Use show commands to identify the anomalies in the
ISDN BRI and PRI configurations, given a functioning
router and a physical ISDN connection
– Use debug commands to identify the anomalies in the
ISDN BRI and PRI configurations, given a functioning
remote access router and a physical ISDN connection
What Is ISDN?

• Voice, data, video, and special services

ISDN Standards

– Standards from the ITU-T (formerly CCITT)

ISDN Access Options

• BRI and PRI are used globally for ISDN.

BRI and PRI Call Processing

ISDN Functions and Reference Points

• Functions are devices or hardware.
• Reference points are demarcations or interfaces.
Cisco ISDN BRI Interfaces
Cisco ISDN PRI Interfaces
ISDN Switch Types

• Many providers use many different switch types.
• Services vary by region and country.
Configuring ISDN BRI
Step 1: Specify the ISDN switch type.
Router(config)#isdn switch-type switch-type

Router(config-if)#isdn switch-type switch-type

• The command specifies the type of ISDN switch with which the router communicates.
• Other configuration requirements vary for specific providers.
Configuring ISDN BRI (Cont.)
Step 2: (Optional) Setting SPIDs
Router(config-if)#isdn spid1 spid-number [ldn]

– Sets a B channel SPID required by many service providers

Router(config-if)#isdn spid2 spid-number [ldn]

• Sets a SPID for the second B channel

Configuring ISDN PRI
Step 1: Specify the ISDN switch type.
Router(config)#isdn switch-type switch-type

Step 2: Select the controller.
Router(config)#controller controller slot/port

Step 3: Establish the interface port to function as PRI.
Router(config-controller)#pri-group timeslots range
ISDN PRI Examples
T1 Sample Configuration
Router(config)#controller T1 3/0
Router(config-controller)#framing esf
Router(config-controller)#linecode b8zs
Router(config-controller)#pri-group timeslots 1-24

Router(config-controller)#interface Serial3/0:23
Router(config-if)#isdn switch-type primary-5ess
Router(config-if)#no cdp enable

E1 Sample Configuration
Router(config)#controller E1 3/0
Router(config-controller)#framing crc4
Router(config-controller)#linecode hdb3
Router(config-controller)#pri-group timeslots 1-31

Router(config-controller)#interface Serial3/0:15
Router(config-if)#isdn switch-type primary-net5
Router(config-if)#no cdp enable
Verifying the ISDN Configuration
Router#show isdn active

• Displays current call information

Router#show interfaces bri0

• Displays statistics for the BRI interface configured on the router

Router#show isdn status

• Displays the status of an ISDN connection


Troubleshooting the ISDN Configuration
Router#debug isdn q921

• Shows ISDN Layer 2 messages

Router#debug isdn q931

• Shows ISDN call setup and teardown activity (Layer 3)

Router#debug ppp authentication

• Displays the PPP authentication protocol messages

Router#debug ppp negotiation

• Displays information on PPP link establishment

Router#debug ppp error

• Displays protocol errors associated with PPP


Summary
– ISDN defines a digital architecture that provides
integrated voice and data capability using the public
switched network.
– ISDN specifies two standard access methods, BRI
and PRI.
– To establish an ISDN call, the D channel is used between
the routers and switches, and SS7 signaling is used
between the switches.
– ISDN functions are hardware devices while reference
points are interfaces between devices.
– Cisco devices can be physically configured with different
ISDN options, which dictate what additional equipment, if
any, is needed to run ISDN.
Summary (Cont.)
– You must configure your router to identify the type of
switch it will be communicating with, which depends in
part on the country the switch is in.
– To enable ISDN BRI, you use isdn switch-type and isdn
spid commands.
– To enable ISDN PRI, use the pri-group command.
– Use show commands to verify that your ISDN
configuration is functioning properly.
– You can use debug commands to troubleshoot your
ISDN configuration.
What Is NAT?
• Similar to Classless Inter-Domain Routing (CIDR), the original intention for NAT was to slow the depletion of available IP address space by allowing many private IP addresses to be represented by some smaller number of public IP addresses.
Benefits of NAT
• You need to connect to the Internet and your hosts don't have globally unique IP addresses.
• You change to a new ISP that requires you to renumber your network.
• You need to merge two intranets with duplicate addresses.

Where NAT Is Typically Configured

Basic NAT

Three Types of NAT
• Static
• Dynamic
• Overloading
Static NAT
Let’s take a look at a simple basic static NAT
configuration:
ip nat inside source static 10.1.1.1 170.46.2.2
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.46.2.1 255.255.255.0
ip nat outside
!

Dynamic NAT
Here is a sample output of a dynamic NAT
configuration:
ip nat pool todd 170.168.2.2 170.168.2.254 netmask 255.255.255.0
ip nat inside source list 1 pool todd
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
!

Port Address Translation

PAT
Here is a sample output of a PAT configuration:
ip nat pool globalnet 170.168.2.1 170.168.2.1 netmask 255.255.255.0
ip nat inside source list 1 pool globalnet overload
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
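The three configurations above differ in what happens when another inside host wants out, and in what they let in from the outside. The following Python model is an added example, not IOS code, that replays the three slides: the static entry from the static NAT slide, a dynamic pool (constructed as two addresses so that exhaustion is visible), and the single-address overload pool from the PAT slide. The NatTranslator class and its method names are assumptions; the addresses are the ones on the slides.

```python
import ipaddress
from typing import Optional

Endpoint = tuple[str, int]   # (address, port)


class NatTranslator:
    """Constructed model of one router's behaviour for static, dynamic and overload NAT."""

    def __init__(self, inside_list: str, pool: Optional[tuple[str, str]] = None,
                 overload: bool = False):
        self.inside_net = ipaddress.ip_network(inside_list)   # access-list 1 permit ...
        self.pool: list[str] = []
        if pool:
            first, last = (int(ipaddress.ip_address(a)) for a in pool)
            self.pool = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.overload = overload
        self.static: dict[str, str] = {}          # inside local -> inside global
        self.dynamic: dict[str, str] = {}         # inside local -> inside global (pool)
        self.pat: dict[Endpoint, Endpoint] = {}   # (local ip, port) -> (global ip, port)
        self._next_port = 1024

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """ip nat inside source static <local> <global>"""
        self.static[inside_local] = inside_global

    def outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Translate an inside-to-outside packet; None means no translation is possible."""
        ip, port = src
        if ip in self.static:
            return (self.static[ip], port)
        if ipaddress.ip_address(ip) not in self.inside_net or not self.pool:
            return None                           # not permitted by the list, or no pool
        if self.overload:                         # PAT: one global address, many ports
            if src not in self.pat:
                self.pat[src] = (self.pool[0], self._next_port)
                self._next_port += 1
            return self.pat[src]
        if ip not in self.dynamic:                # dynamic: one global address per host
            in_use = set(self.dynamic.values())
            free = [g for g in self.pool if g not in in_use]
            if not free:
                return None                       # pool exhausted: this host cannot get out
            self.dynamic[ip] = free[0]
        return (self.dynamic[ip], port)

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Translate an outside-to-inside packet.

        A static entry exposes every port of the inside host; dynamic and PAT entries
        only exist because an inside host opened them first.
        """
        ip, port = dst
        for local, glob in self.static.items():
            if glob == ip:
                return (local, port)
        for local, glob in self.dynamic.items():
            if glob == ip:
                return (local, port)
        for local_ep, global_ep in self.pat.items():
            if global_ep == dst:
                return local_ep
        return None


if __name__ == "__main__":
    static = NatTranslator("10.1.1.0/24")
    static.add_static("10.1.1.1", "170.46.2.2")
    print(static.outbound(("10.1.1.1", 40000)), static.inbound(("170.46.2.2", 22)))

    dyn = NatTranslator("10.1.1.0/24", pool=("170.168.2.2", "170.168.2.3"))  # constructed pool
    print([dyn.outbound((f"10.1.1.{h}", 40000)) for h in (10, 11, 12)])    # third host: None

    pat = NatTranslator("10.1.1.0/24", pool=("170.168.2.1", "170.168.2.1"), overload=True)
    print([pat.outbound((f"10.1.1.{h}", 40000)) for h in (10, 11, 12)])
    print(pat.inbound(("170.168.2.1", 1024)), pat.inbound(("170.168.2.1", 3389)))
```

The inbound() method is the part worth pausing on: a static translation makes the inside host reachable on every port from the outside, which is what you want for a published server and exactly what you do not want for a workstation, whereas the PAT table only answers for ports an inside host opened itself.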

The MPLS Conceptual Model
Basic MPLS Features
– MPLS is a switching mechanism in which packets are
forwarded based on labels.
– Labels usually correspond to IP destination networks
(equal to traditional IP forwarding).
– Labels can also correspond to other parameters:
• Layer 3 VPN destination
• Layer 2 circuit
• Outgoing interface on the egress router
• QoS
• Source address
– MPLS was designed to support forwarding of non-IP
protocols as well.
Basic MPLS Concepts Example

– Only edge routers must perform a routing lookup.
– Core routers switch packets based on simple label lookups and swap labels.

Router Switching Mechanisms

MPLS Architecture

Major Components of MPLS Architecture
– Control plane:
• Exchanges routing information and labels
• Contains complex mechanisms to exchange routing
information, such as OSPF, EIGRP, IS-IS, and BGP
• Exchanges labels, such as LDP, BGP, and RSVP
– Data plane:
• Forwards packets based on labels
• Has a simple forwarding engine
Control Plane Components Example

– Information from control plane is sent to data plane.

MPLS Labels
– MPLS technology is intended to be used
anywhere, regardless of Layer 1 media and Layer
2 protocol.
– MPLS uses a 32-bit label field that is inserted
between Layer 2 and Layer 3 headers (frame
mode MPLS).
– MPLS over ATM uses the ATM header as the label
(cell mode MPLS).
Label Format

• MPLS uses a 32-bit label field that contains this information:
– 20-bit label
– 3-bit experimental field
– 1-bit bottom-of-stack indicator
– 8-bit TTL field

Label Stack

– Protocol ID (PID) in a Layer 2 header specifies that the payload starts with a label (or labels) and is followed by an IP header.
– Bottom-of-stack bit indicates whether the next header is another label or a Layer 3 header.
– Receiving router uses the top label only.
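As an added example (not Cisco code), the following Python parses and rebuilds a frame mode label stack exactly as the two slides describe it: each 32-bit entry is split into label, EXP, bottom-of-stack bit and TTL, entries are read until the bottom-of-stack bit is set, and an LSR acts on the top entry only. The sample packet is constructed; it carries label 28 (the local tag from the show ip cef detail output later on this page) over label 100, followed by the first bytes of an IPv4 header. The function names and the lfib dictionary are assumptions.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class LabelEntry:
    label: int   # 20 bits
    exp: int     # 3 bits, experimental field
    bos: bool    # 1 bit, bottom of stack
    ttl: int     # 8 bits

    def pack(self) -> bytes:
        if not (0 <= self.label < 1 << 20 and 0 <= self.exp < 8 and 0 <= self.ttl < 256):
            raise ValueError("label stack field out of range")
        word = (self.label << 12) | (self.exp << 9) | (int(self.bos) << 8) | self.ttl
        return struct.pack(">I", word)


def parse_label_stack(packet: bytes) -> tuple[list[LabelEntry], bytes]:
    """Read entries until the bottom-of-stack bit; return them and the Layer 3 payload."""
    stack: list[LabelEntry] = []
    offset = 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("label stack runs past the end of the packet (no bottom-of-stack bit)")
        (word,) = struct.unpack_from(">I", packet, offset)
        entry = LabelEntry(label=word >> 12, exp=(word >> 9) & 0x7,
                           bos=bool((word >> 8) & 0x1), ttl=word & 0xFF)
        stack.append(entry)
        offset += 4
        if entry.bos:
            return stack, packet[offset:]


def build_labeled_packet(stack: list[LabelEntry], payload: bytes) -> bytes:
    return b"".join(e.pack() for e in stack) + payload


def lsr_forward(packet: bytes, lfib: dict[int, int]) -> bytes:
    """Core LSR: look only at the top label, swap it through the LFIB, decrement TTL.

    lfib maps incoming top label -> outgoing label (constructed; a real LFIB also
    carries the outgoing interface and next hop).
    """
    stack, payload = parse_label_stack(packet)
    top = stack[0]
    if top.ttl <= 1:
        raise ValueError("TTL expired: drop instead of forwarding")
    if top.label not in lfib:
        raise KeyError(f"no LFIB entry for label {top.label}: drop")
    new_top = LabelEntry(label=lfib[top.label], exp=top.exp, bos=top.bos, ttl=top.ttl - 1)
    return build_labeled_packet([new_top] + stack[1:], payload)


def edge_lsr_pop(packet: bytes) -> bytes:
    """Egress edge LSR: remove the top label; when it was the bottom, an IP packet is left."""
    stack, payload = parse_label_stack(packet)
    return build_labeled_packet(stack[1:], payload) if len(stack) > 1 else payload


if __name__ == "__main__":
    ipv4_header_start = bytes([0x45, 0x00])   # constructed: version 4, IHL 5
    pkt = build_labeled_packet(
        [LabelEntry(28, 0, False, 64), LabelEntry(100, 0, True, 64)], ipv4_header_start)
    print(pkt.hex())
    forwarded = lsr_forward(pkt, {28: 40})
    print(parse_label_stack(forwarded))
```

The truncation check in parse_label_stack is the edge case to keep: a packet whose last entry never sets the bottom-of-stack bit would otherwise make the parser read the IP header, or bytes past the buffer, as further labels.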
Frame Mode MPLS

Label Switch Routers

– LSR primarily forwards labeled packets (swap label).
– Edge LSR:
• Labels IP packets (impose label) and forwards them into the MPLS domain
• Removes labels (pop label) and forwards IP packets out of the MPLS domain

LSR Component Architecture

Functions of LSRs

Component       Functions
Control plane   • Exchanges routing information
                • Exchanges labels
Data plane      • Forwards packets (LSRs and edge LSRs)

Component Architecture of LSR

Component Architecture of Edge LSR
Summary
– MPLS is a switching mechanism that uses labels to forward
packets. The result of using labels is that only edge routers
perform a routing lookup; all the core routers simply forward
packets based on labels assigned at the edge.
– MPLS consists of two major components: control plane and data
plane.
– MPLS uses a 32-bit label field that contains label, experimental
field, bottom-of-stack indicator, and TTL field.
– LSR is a device that forwards packets primarily based on labels.
– Edge LSR is a device that labels packets or removes labels from
packets.
– Exchange routing information and exchange labels are part of
the control plane, while forward packets is part of the data
plane.
The Procedure to Configure MPLS
1. Configure CEF
2. Configure MPLS on a frame mode interface
3. (Optional) Configure the MTU size in label switching
Configuring IP CEF
Step 1: Configure CEF
1. Configure CEF:
• Start CEF switching to create the FIB table
• Enable CEF switching on all core interfaces
2. Configure MPLS on a frame mode interface
3. (Optional) Configure the MTU size in label switching
Step 1: Configure CEF (Cont.)
Router(config)#ip cef [distributed]

– Starts CEF switching and creates the FIB table
– The distributed keyword configures distributed CEF (running on VIP or line cards)
– All CEF-capable interfaces run CEF switching

Router(config-if)#ip route-cache cef

• Enables CEF switching on an interface
• Usually not needed

Monitoring IP CEF
Router#show ip cef detail

– Displays a summary of the FIB
Router#show ip cef detail
IP CEF with switching (Table Version 6), flags=0x0
6 routes, 0 reresolve, 0 unresolved (0 old, 0 new)
9 leaves, 11 nodes, 12556 bytes, 9 inserts, 0 invalidations
0 load sharing elements, 0 bytes, 0 references
2 CEF resets, 0 revisions of existing leaves
refcounts: 543 leaf, 544 node

Adjacency Table has 4 adjacencies


0.0.0.0/32, version 0, receive
192.168.3.1/32, version 3, cached adjacency to Serial0/0.10
0 packets, 0 bytes
tag information set
local tag: 28
fast tag rewrite with Se0/0.10, point2point, tags imposed: {28}
via 192.168.3.10, Serial0/0.10, 0 dependencies
next hop 192.168.3.10, Serial0/0.10
valid cached adjacency
tag rewrite with Se0/0.10, point2point, tags imposed: {28}
Configuring MPLS on a Frame Mode Interface

Step 2: Configure MPLS on a Frame Mode Interface
1. Configure CEF
2. Configure MPLS on a frame mode interface:
• Enable label switching on a frame mode interface
• Start LDP or TDP label distribution protocol
3. (Optional) Configure the MTU size in label switching
Step 2: Configure MPLS on a Frame Mode Interface (Cont.)
Router(config-if)#mpls ip

– Enables label switching on a frame mode interface
– Starts LDP on the interface

Router(config-if)#mpls label protocol [tdp | ldp | both]

• Starts selected label distribution protocol on the specified interface

Configuring MPLS on a Frame Mode Interface: Example 1

Configuring MPLS on a Frame Mode Interface: Example 2
Defining MPLS VPN
VPN Taxonomy
VPN Models
• VPN services can be offered based on two
major models:
– Overlay VPNs, in which the service provider
provides virtual point-to-point links between
customer sites
– Peer-to-peer VPNs, in which the service provider
participates in the customer routing
Overlay VPNs: Frame Relay Example

Overlay VPNs: Layer 3 Routing

– The service provider infrastructure appears as point-to-point links to customer routes.
– Routing protocols run directly between customer routers.
– The service provider does not see customer routes and is responsible only for providing point-to-point transport of customer data.
Peer-to-Peer VPNs
Benefits of VPN Implementations
– Overlay VPN:
• Well-known and easy to implement
• Service provider does not participate in customer
routing
• Customer network and service provider network are
well-isolated
– Peer-to-peer VPN:
• Guarantees optimum routing between customer sites
• Easier to provision an additional VPN
• Only sites are provisioned, not links between them
Drawbacks of VPN Implementations
– Overlay VPN:
• Implementing optimum routing requires a full mesh of VCs.
• VCs have to be provisioned manually.
• Bandwidth must be provisioned on a site-to-site basis.
• Overlay VPNs always incur encapsulation overhead (IPsec or GRE).

– Peer-to-peer VPN:
• The service provider participates in customer routing.
• The service provider becomes responsible for customer convergence.
• PE routers carry all routes from all customers.
• The service provider needs detailed IP routing knowledge.
Drawbacks of Peer-to-Peer VPNs
– Shared PE router:
• All customers share the same (provider-assigned or
public) address space.
• High maintenance costs are associated with packet
filters.
• Performance is lower—each packet has to pass a packet
filter.
– Dedicated PE router:
• All customers share the same address space.
• Each customer requires a dedicated router at each POP.
MPLS VPN Architecture
MPLS VPN Architecture
• An MPLS VPN combines the best features of
an overlay VPN and a peer-to-peer VPN:
– PE routers participate in customer routing,
guaranteeing optimum routing between sites and
easy provisioning.
– PE routers carry a separate set of routes for each
customer (similar to the dedicated PE router
approach).
– Customers can use overlapping addresses.
MPLS VPN Architecture: Terminology

PE Router Architecture

IPsec VPNs

IPsec Components and IPsec VPN Features

IPsec Overview

What Is IPsec?
– IPsec is an IETF standard that employs cryptographic
mechanisms on the network layer:
• Authentication of every IP packet
• Verification of data integrity for each packet
• Confidentiality of packet payload
– Consists of open standards for securing private
communications
– Scales from small to very large networks
– Is available in Cisco IOS software version 11.3(T) and
later
– Is included in PIX Firewall version 5.0 and later
IPsec Security Features

• IPsec is the only standard Layer 3 technology that provides:
– Confidentiality
– Data integrity
– Authentication
– Replay detection
IPsec Protocols
• IPsec uses three main protocols to create a
security framework:
– Internet Key Exchange (IKE):
• Provides framework for negotiation of security parameters
• Establishment of authenticated keys
– Encapsulating Security Payload (ESP):
• Provides framework for encrypting, authenticating, and
securing of data
– Authentication Header (AH):
• Provides framework for authenticating and securing of data
IPsec Headers

• IPsec ESP provides the following:
– Authentication and data integrity (MD5 or SHA-1 HMAC) with AH and ESP
– Confidentiality (DES, 3DES, or AES) only with ESP
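Of the four features listed on the IPsec Security Features slide, two are checked on every single packet: data integrity and authentication through the ICV (an HMAC with MD5 or SHA-1 on these slides), and replay detection through the sequence number and a sliding window. The following Python receiver is an added example, not Cisco's implementation: it builds ESP-style packets (SPI, sequence number, payload, ICV) with an HMAC-SHA-1-96 ICV as RFC 2404 defines it (the 160-bit HMAC truncated to 96 bits) and applies a 64-entry anti-replay window in the order RFC 4303 specifies: sequence check, then ICV check, then window update, so that a forged packet can never move the window. Payload encryption is omitted so that the checks stay visible; the key, SPI and packets are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA-1-96 (RFC 2404): 160-bit HMAC truncated to 96 bits


def build_esp(spi: int, seq: int, payload: bytes, auth_key: bytes) -> bytes:
    """SPI | sequence number | payload | ICV.  Payload encryption omitted in this model."""
    body = struct.pack(">II", spi, seq) + payload
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class EspReceiver:
    """Inbound SA state: authentication key plus the anti-replay window (constructed model)."""

    def __init__(self, spi: int, auth_key: bytes, window: int = 64):
        self.spi = spi
        self.key = auth_key
        self.window = window
        self.highest = 0    # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0     # bit i set  <=>  sequence number (highest - i) already accepted

    def _seq_verdict(self, seq: int) -> str:
        if seq == 0:
            return "invalid-seq"       # ESP sequence numbers start at 1
        if seq > self.highest:
            return "ok"                # right of the window: new
        offset = self.highest - seq
        if offset >= self.window:
            return "too-old"           # fell off the left edge of the window
        if self.bitmap & (1 << offset):
            return "replay"            # already accepted once
        return "ok"

    def _mark(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def accept(self, packet: bytes) -> str:
        """Return 'ok' or the reason the packet is dropped."""
        if len(packet) < 8 + ICV_LEN:
            return "malformed"
        spi, seq = struct.unpack_from(">II", packet)
        if spi != self.spi:
            return "unknown-spi"
        verdict = self._seq_verdict(seq)          # cheap check first (RFC 4303 order)
        if verdict != "ok":
            return verdict
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            return "bad-icv"                      # forged or corrupted: window untouched
        self._mark(seq)
        return "ok"


def replay_demo() -> list[str]:
    """Constructed exchange: genuine packets, a duplicate, a tampered copy, a stale one."""
    key, spi = b"constructed-auth-key", 0x1000
    rx = EspReceiver(spi, key)
    verdicts = [rx.accept(build_esp(spi, n, b"data", key)) for n in (1, 2, 3)]
    verdicts.append(rx.accept(build_esp(spi, 2, b"data", key)))       # duplicate of seq 2
    tampered = bytearray(build_esp(spi, 4, b"data", key))
    tampered[8] ^= 0x01                                               # flip a payload bit
    verdicts.append(rx.accept(bytes(tampered)))
    verdicts.append(rx.accept(build_esp(spi, 4, b"data", key)))       # genuine seq 4 still fine
    verdicts.append(rx.accept(build_esp(spi, 100, b"data", key)))     # window jumps ahead
    verdicts.append(rx.accept(build_esp(spi, 3, b"data", key)))       # 97 behind: too old
    verdicts.append(rx.accept(build_esp(spi, 50, b"data", key)))      # inside window, unseen
    return verdicts


if __name__ == "__main__":
    print(replay_demo())
```

Two details carry the security value: the ICV is compared with a constant-time function, and a packet that fails the ICV never touches the window, so an attacker who can inject traffic cannot use forged high sequence numbers to make the receiver discard the genuine packets that follow.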
Peer Authentication

• Peer authentication methods:
– Username and password
– OTP (Pin/Tan)
– Biometric
– Preshared keys
– Digital certificates
Internet Key Exchange

• IKE solves the problems of manual and unscalable implementation of IPsec by automating the entire key exchange process:
– Negotiation of SA characteristics
– Automatic key generation
– Automatic key refresh
– Manageable manual configuration
IKE Phases
– Phase 1:
• Authenticate the peers
• Negotiate a bidirectional SA
• Main mode or aggressive mode
– Phase 1.5:
• Xauth
• Mode config
– Phase 2:
• IPsec SAs/SPIs
• Quick mode
IKE Modes
IKE: Other Functions
IKE: Other Functions
– Dead peer detection (DPD):
• Bidirectional
• Sent on periodic intervals
• Sender must receive a reply or disconnect
– IKE keepalives are unidirectional and are sent every 10 seconds.
– NAT traversal:
• Defined in RFC 3947
• Encapsulates IPsec packet in UDP packet
– Mode config (Push Config) and Xauth (User Authentication)
IPsec and NAT: The Problem
IPsec NAT Traversal
• Need NAT traversal with IPsec over TCP/UDP:
– NAT traversal detection
– NAT traversal decision
– UDP encapsulation of IPsec packets
– UDP encapsulated process for software engines
Symmetric vs. Asymmetric Encryption Algorithms

– Symmetric algorithm:
• Secret key cryptography
• Encryption and decryption use the same key
• Typically used to encrypt the content of a message
• Examples: DES, 3DES, AES
– Asymmetric algorithm:
• Public key cryptography
• Encryption and decryption use different keys
• Typically used in digital certification and key management
• Example: RSA
Key Lengths of Symmetric vs. Asymmetric Encryption Algorithms
• Comparable key lengths required for asymmetric keys compared to symmetric keys

Symmetric Key Length (bits)   Asymmetric Key Length (bits)
80                            1024
112                           2048
128                           3072
192                           7680
256                           15,360

Security Level of Cryptographic Algorithms

Security Level   Work Factor   Algorithms
Weak             O(2^40)       DES, MD5
Legacy           O(2^64)       RC4, SHA-1
Baseline         O(2^80)       3DES
Standard         O(2^128)      AES-128, SHA-256
High             O(2^192)      AES-192, SHA-384
Ultra            O(2^256)      AES-256, SHA-512


Symmetric Encryption: DES
– Symmetric key encryption algorithm
– Block cipher: Works on 64-bit data block, uses 56-bit key
(last bit of each byte used for parity)
– Mode of operation: Apply DES to encrypt blocks of data
Symmetric Encryption: 3DES

– 168-bit total key length
– Mode of operation decides how to process DES three times
– Normally: encrypt, decrypt, encrypt
– 3DES requires more processing than DES
Symmetric Encryption: AES
– Formerly known as ‘Rijndael’
– Successor to DES and 3DES
– Symmetric key block cipher
– Strong encryption with long expected life
– AES can support 128-, 192-, and 256-bit keys; 128-bit key is considered safe
Asymmetric Encryption: RSA

– Based on Diffie-Hellman key exchange (IKE) principles
– Public key to encrypt data, and to verify digital signatures
– Private key to decrypt data, and to sign with a digital signature
– Perfect for insecure communication channels

Diffie-Hellman Key Exchange

Diffie-Hellman Key Exchange (Cont.)

PKI Environment
Certificate Authority
– The trust basis of a PKI system
– Verifies user identity, issues certificates by binding
identity of a user to a public key with a digital
certificate
– Revokes certificates and publishes CRL
– In-house implementation or outsourcing
X.509 v3 Certificate
PKI Message Exchange
PKI Credentials
• What has to be stored: the router's RSA key pair, its own certificate, and the CA certificate
• Where to store them:
  – NVRAM (the default; the private key is then only as safe as the router's configuration and physical access)
  – Cisco USB eToken, which keeps the private key off NVRAM/flash; requires:
    • Cisco 871, 1800, 2800, or 3800 Series router
    • Cisco IOS Release 12.3(14)T or later
    • A k9 (crypto) image
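The enrollment and certificate-based IKE authentication described on the preceding slides, as a CLI example added here (it is not course material); the hostnames, the CA URL, the key label and the certificate map values are assumptions:

```cisco
! Added example: enrolling a router with a CA and using the certificate for
! IKE peer authentication. Hostname, CA URL, key label and names are assumed.
hostname R1
ip domain-name example.com
!
! 2048-bit RSA pair (about 112-bit security per the key-length table).
! "exportable" is deliberately omitted so the private key cannot be copied
! off the router.
crypto key generate rsa label VPN-KEY modulus 2048
!
! Trustpoint: where to enrol, what goes into the certificate, and that the
! CRL must be checked when a peer certificate is validated.
crypto pki trustpoint EXAMPLE-CA
 enrollment url http://ca.example.com:80
 subject-name CN=r1.example.com,O=Example Corp
 fqdn r1.example.com
 ip-address none
 revocation-check crl
 rsakeypair VPN-KEY
 auto-enroll 70 regenerate
!
! Exec-mode steps (not stored in the running configuration):
!   crypto pki authenticate EXAMPLE-CA   ! fetches the CA certificate; compare
!                                        ! the fingerprint it prints with the
!                                        ! CA's published value before accepting
!   crypto pki enroll EXAMPLE-CA         ! sends the CSR, installs the cert
!   show crypto pki certificates         ! both certificates must be listed
!
! IKE policy that authenticates with the certificate instead of a PSK.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication rsa-sig
 group 14
!
! Accept only peer certificates issued by this CA for the VPN OU, so any
! certificate the CA ever issued for some other purpose is not enough.
crypto pki certificate map VPN-PEERS 10
 issuer-name co example corp
 subject-name co ou = vpn
crypto isakmp profile VPN-PEERS
 ca trust-point EXAMPLE-CA
 match certificate VPN-PEERS
```

The isakmp profile is attached to the crypto map entry with set isakmp-profile VPN-PEERS; without the certificate map, any valid certificate from the CA would authenticate a peer.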
Summary
– IPsec provides a mechanism for secure data transmission
over IP networks.
– IKE is the key management protocol used with IPsec; it authenticates the peers and negotiates and refreshes the SAs.
– IKE has some additional functions: DPD, NAT traversal (UDP encapsulation of ESP), config mode, and Xauth.
– The two IP protocols used in the IPsec standard are ESP
and AH.
– For message authentication and integrity check, an HMAC
is used.
– The two types of encryption are symmetric encryption and
asymmetric encryption.
– PKI provides customers with a scalable, secure mechanism
for distributing, managing, and revoking encryption and
identity information in a secured data network.
IPsec VPNs
Site-to-Site IPsec VPN Operation
Five Steps of IPsec
Step 1: Interesting Traffic
– Traffic matching the crypto ACL triggers IPsec; anything not matched is forwarded in the clear, so the crypto ACL is a security control, not just a selector
Step 2: IKE Phase 1
IKE Policy
– Negotiates a matching IKE policy (also called an IKE transform set: encryption, hash, authentication method, DH group, lifetime) to protect the IKE exchange itself; the peers must agree on all of these parameters
Diffie-Hellman Key Exchange
– Produces the shared secret from which the IKE SA keys are derived; the group (1, 2, 5, 14, ...) sets its strength
Authenticate Peer Identity
• Peer authentication methods:
  – Preshared keys (simple, but give each pair of peers its own key; one key shared by all peers lets any compromised peer impersonate the others)
  – RSA signatures (certificates; scales to many peers)
  – RSA encrypted nonces (no CA needed, but public keys must be exchanged out of band)
Step 3: IKE Phase 2
– Negotiates IPsec security parameters (IPsec transform sets) inside the protection of the Phase 1 SA (quick mode)
– Establishes IPsec SAs; an SA is unidirectional, so each protected flow gets one inbound and one outbound SA
– Periodically renegotiates IPsec SAs (key refresh) before their lifetime expires
– Optionally performs an additional Diffie-Hellman exchange (PFS), so that compromise of the IKE SA keys does not expose the IPsec keys
IPsec Transform Sets
– A transform set is a combination of algorithms and protocols (for example ESP with AES and HMAC-SHA-1) that enacts a security policy for traffic.
Security Associations
– SA database: an SA is identified by the triple
  • Destination IP address
  • SPI
  • Protocol (ESP or AH)
– Security policy database: the parameters applied to the SA
  • Encryption algorithm
  • Authentication algorithm
  • Mode (tunnel or transport)
  • Key lifetime
SA Lifetime
– Traffic-volume-based: the SA is rekeyed after a configured number of kilobytes (Cisco IOS default 4,608,000 KB)
– Time-based: the SA is rekeyed after a configured number of seconds (Cisco IOS default 3600 s)
– Whichever limit is reached first triggers the rekey; the new SA is negotiated shortly before expiry so that traffic is not interrupted
Step 4: IPsec Session
– SAs are established between the peers (SPIs and keys agreed in quick mode).
– The negotiated security services are applied to the traffic.
Step 5: Tunnel Termination
– A tunnel is terminated by one of the following:
  • The SA lifetime (seconds) expires
  • The traffic-volume limit (kilobytes) is exceeded
  • The peer deletes the SA, or is declared dead by DPD
– The IPsec SA is removed from the SA database; the next interesting packet triggers a new negotiation
Configuring IPsec
Configuration Steps for
Site-to-Site IPsec VPN
1. Establish ISAKMP policy
2. Configure IPsec transform set
3. Configure crypto ACL
4. Configure crypto map
5. Apply crypto map to the interface
6. Configure interface ACL
Site-to-Site IPsec Configuration: Phase 1
Site-to-Site IPsec Configuration: Phase 2
Site-to-Site IPsec Configuration: Apply VPN Configuration
Site-to-Site IPsec Configuration: Interface ACL
• When filtering at the edge, there is not much to see, because the payload is inside the tunnel; the interface ACL only needs to permit the IPsec control and data channels:
  – IKE: UDP port 500
  – ESP and AH: IP protocol numbers 50 and 51, respectively
  – With NAT traversal enabled:
    • UDP port 4500 (IKE and UDP-encapsulated ESP)
    • TCP encapsulation (the port number has to be configured)
Site-to-Site IPsec Configuration: Interface ACL (Cont.)

Router1#show access-lists
access-list 102 permit ahp host 172.16.172.10 host 172.16.171.20
access-list 102 permit esp host 172.16.172.10 host 172.16.171.20
access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq isakmp

– Ensure that protocols 50 and 51 and UDP port 500 (and UDP port 4500 when NAT-T is in use) are not blocked on interfaces used by IPsec.
– Restrict the entries to the peer addresses, as above, rather than permitting IKE and ESP from any source.
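A complete CLI configuration for the six steps of the site-to-site procedure above, added here as an example (it is not the course's own configuration); the router names, addresses, interface names and the pre-shared key are assumptions:

```cisco
! Added example: the six site-to-site steps on R1. R2 mirrors it with the
! addresses swapped. Addresses, names and the PSK are assumptions.
! Assumed topology: R1 Serial0/0 203.0.113.1/30, LAN 10.1.1.0/24
!                   R2 Serial0/0 198.51.100.1/30, LAN 10.2.2.0/24
!
! Step 1: ISAKMP (IKE Phase 1) policy. Every parameter must match on the
! peer. group 14 (2048-bit DH) needs a fairly recent image; older ones
! only offer groups 1, 2 and 5.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
! One key per peer, bound to that peer's address. Do not bind a key to
! 0.0.0.0 0.0.0.0: anyone who learns it could then negotiate an SA.
crypto isakmp key VpnPsk-R1R2-2008 address 198.51.100.1
!
! Step 2: IPsec (IKE Phase 2) transform set: ESP, AES-256, HMAC-SHA-1.
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Step 3: crypto ACL = interesting traffic. Only these flows are encrypted;
! anything else leaving Serial0/0 goes out in the clear.
ip access-list extended CRYPTO-R1-TO-R2
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 4: crypto map ties peer, transform set and crypto ACL together.
crypto map VPN-MAP 10 ipsec-isakmp
 description Tunnel to R2
 set peer 198.51.100.1
 set transform-set TS-AES256-SHA
 match address CRYPTO-R1-TO-R2
!
! Step 6: interface ACL. Permit the IPsec channels from the known peer only,
! plus the decrypted site-to-site traffic: older IOS evaluated the inbound
! ACL a second time against the decrypted packet (12.3(8)T stopped that),
! and keeping the entry is harmless on newer images.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.1 eq non500-isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny ip any any log
!
! Step 5: apply the crypto map (and the step-6 ACL) to the interface.
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
!
! R2 differs only in: crypto isakmp key ... address 203.0.113.1,
! set peer 203.0.113.1, the crypto ACL 10.2.2.0 -> 10.1.1.0, and the
! mirrored OUTSIDE-IN entries.
!
! Verification (exec mode):
!   show crypto isakmp sa     ! QM_IDLE means Phase 1 completed
!   show crypto ipsec sa      ! #pkts encaps / #pkts decaps must both grow
!   debug crypto isakmp       ! a policy mismatch or wrong PSK shows here
```

Ping from a host on 10.1.1.0/24 to one on 10.2.2.0/24 (not from the router's own outside address) to generate interesting traffic; the first packet is dropped while the SAs are negotiated.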
Summary
– IPsec operation includes these steps: Initiation by interesting
traffic of the IPsec process, IKE Phase 1, IKE Phase 2, data
transfer, and IPsec tunnel termination.
– To configure a site-to-site IPsec VPN: Configure the ISAKMP
policy, define the IPsec transform set, create a crypto ACL,
create a crypto map, apply crypto map, and configure ACL.
– To define an IKE policy, use the crypto isakmp policy global
configuration command.
– To define an acceptable combination of security protocols and
algorithms used for IPsec, use the crypto ipsec transform-set
global configuration command.
– To apply a previously defined crypto map set to an interface,
use the crypto map interface configuration command.
– Configure an ACL to enable the IPsec protocols (protocol 50 for
ESP or 51 for AH) and IKE protocol (UDP/500).
IPsec VPNs
Configuring IPsec Site-to-Site VPN Using SDM
Generic Routing Encapsulation
• OSI Layer 3 tunneling protocol (RFC 2784; IP protocol number 47):
  – Uses IP for transport
  – Uses an additional header to carry any other OSI Layer 3 protocol as payload (e.g., IP, IPX, AppleTalk)
Default GRE Characteristics
– Tunneling of arbitrary OSI Layer 3 payload is the primary goal of GRE
– Stateless (no flow control mechanisms)
– No security (no confidentiality, data authentication, or integrity assurance)
– 24-byte overhead by default (20-byte outer IP header and 4-byte GRE header); each optional field (checksum, key, sequence number) adds another 4 bytes
Optional GRE Extensions
– GRE can optionally contain any one or more of these fields:
  • Tunnel checksum
  • Tunnel key (a 32-bit value that must match on both ends; it separates tunnels, but because it travels in cleartext it does not authenticate anything)
  • Tunnel packet sequence number
– GRE keepalives can be used to track tunnel path status.
GRE Configuration Example
– GRE tunnel is up and line protocol up if:
  • Tunnel source and destination are configured
  • Tunnel destination is reachable through the routing table (and not through the tunnel itself; that causes a recursive routing failure and the tunnel flaps)
  • GRE keepalives are received (if used)
– GRE is the default tunnel mode (tunnel mode gre ip).
Introducing Secure GRE Tunnels
– GRE is good at tunneling:
  • Multiprotocol support
  • Provides virtual point-to-point connectivity, allowing routing protocols (and multicast) to be used
– GRE is poor at security: the tunnel key is the only form of "authentication", and since it is a cleartext 32-bit value anyone observing the tunnel can read and reuse it
– GRE cannot accommodate typical security requirements:
  • Confidentiality
  • Data source authentication
  • Data integrity
IPsec Characteristics
– IPsec provides what GRE lacks:
  • Confidentiality through encryption using symmetric algorithms (e.g., 3DES or AES)
  • Data source authentication using HMACs (e.g., HMAC-MD5 or HMAC-SHA-1)
  • Data integrity verification using the same HMACs
– IPsec is not perfect at tunneling:
  • Older Cisco IOS software versions do not support IP multicast over IPsec
  • IPsec was designed to tunnel unicast IP only (no multiprotocol support); non-IP protocols must be wrapped in GRE first
  • Using crypto maps to implement IPsec does not create a routable interface, so routing protocols cannot run across the tunnel; GRE (or a VTI) provides one
GRE over IPsec
• GRE over IPsec is typically used to do the following:
  – Create a logical hub-and-spoke topology of virtual point-to-point connections over which a routing protocol runs
  – Secure communication over an untrusted transport network (e.g., Internet)
GRE over IPsec Characteristics
– GRE encapsulates the arbitrary payload (any Layer 3 protocol, multicast included).
– IPsec then encapsulates the resulting unicast IP packet (the GRE packet):
  • Tunnel mode (default): IPsec adds a new outer IP header
  • Transport mode: IPsec reuses the GRE packet's IP header (20 bytes less overhead); possible because the GRE endpoints and the IPsec endpoints are the same two routers
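The GRE tunnel from the GRE configuration example and the GRE over IPsec combination just described, as one CLI example added here (not the course's configuration). It uses an IPsec profile with tunnel protection, the alternative to the crypto-map method the course shows: the whole tunnel is the interesting traffic, so no crypto ACL is needed. Addresses, names and the key are assumptions; only R1 is shown and R2 mirrors it:

```cisco
! Added example: GRE over IPsec (transport mode) with EIGRP across the
! tunnel, using an IPsec profile instead of a crypto map. Addresses,
! names and the pre-shared key are assumptions.
!
! IKE Phase 1 policy and key for the peer.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key GreOverIpsec-R1R2 address 198.51.100.1
!
! Transport mode: the GRE packet's own IP header is reused, saving 20 bytes
! per packet over tunnel mode. Valid because GRE and IPsec both terminate
! on R1 and R2.
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS-GRE
!
interface Tunnel0
 description GRE over IPsec to R2
 ip address 172.16.0.1 255.255.255.252
 ! IP (20) + GRE (4) + ESP overhead must fit the 1500-byte path MTU, so
 ! lower the tunnel MTU and clamp TCP MSS to avoid fragmentation.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/0
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
!
! Routing across the tunnel: EIGRP hellos double as failure detection
! (the "hello mechanism"). The tunnel destination must not be learned via
! the tunnel itself, or the tunnel flaps (recursive routing), so the peer's
! outside subnet is reached through the provider next hop, not EIGRP.
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.16.0.0 0.0.0.3
 passive-interface default
 no passive-interface Tunnel0
ip route 198.51.100.0 255.255.255.252 203.0.113.2
!
! Verification: show interfaces Tunnel0 (line protocol up), show ip eigrp
! neighbors (R2 learned via Tunnel0), show crypto ipsec sa (GRE packets
! counted under #pkts encaps / #pkts decaps).
```

GRE keepalives are deliberately not configured: on a number of IOS releases they do not work together with tunnel protection, and the EIGRP hold timer already detects a dead path.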
High Availability for Cisco IOS IPsec VPNs
Failures
– IPsec VPNs can experience any one of a number of different types of failures:
  • Access link failure
  • Remote peer failure
  • Device failure
  • Path failure
– IPsec should be designed and implemented with redundancy and high-availability mechanisms to mitigate these failures.
Redundancy
• Common solutions using one or more of these options:
  – Two access links to mitigate access-link failures
  – Multiple peers to mitigate peer failure
  – Two local VPN devices to mitigate device failures
  – Multiple independent paths to mitigate all path failures
Failure Detection
• Native IPsec uses DPD to detect failures in the path and remote peer failure.
• Any form of GRE over IPsec typically uses a routing protocol to detect failures (hello mechanism), so detection time is the IGP's dead or hold interval.
• HSRP is typically used to detect failures of local devices. VRRP and GLBP have similar failure-detection functionality.
Dead Peer Detection
– IKE keepalives:
  • Sent at periodic intervals regardless of traffic (more overhead, predictable detection time)
– DPD (RFC 3706):
  • Periodic option: liveness checks at periodic intervals when no data has been received from the peer
  • On-demand option (the Cisco IOS default): a liveness check is sent only when the router has traffic for the peer and has not heard from it within the configured interval
IPsec Backup Peer
• One HA design option is to use native IPsec and its HA mechanisms:
  – DPD to detect failures
  – Backup peers to take over new tunnels when the primary peer becomes unavailable
Configuration Example
– The router will first try the primary peer (the first set peer in the crypto map entry).
– If the primary peer is not available or becomes unavailable (DPD failure detection), the router tries the backup peers in the order listed in the crypto map.
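The backup-peer design above as a CLI example added here (not from the course): a spoke with a primary and a backup head-end, DPD in periodic mode, and the behaviour to expect during a switchover. Addresses, names and keys are assumptions:

```cisco
! Added example: spoke with primary and backup head-end peers and DPD.
! Addresses, names and keys are assumptions.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
! One key per head-end; both must exist or the backup can never
! authenticate.
crypto isakmp key Spoke1-Hub1 address 203.0.113.1
crypto isakmp key Spoke1-Hub2 address 203.0.113.2
!
! DPD: probe every 10 s when nothing has been heard from the peer, retry
! every 3 s, and declare the peer dead when the retries fail. "periodic"
! detects a silent failure even with nothing to send; the default
! on-demand mode only probes when there is traffic for the peer.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
ip access-list extended CRYPTO-TO-HQ
 permit ip 10.10.1.0 0.0.0.255 10.1.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 ! Peers are tried in the order listed: the first set peer is the primary.
 set peer 203.0.113.1
 set peer 203.0.113.2
 set transform-set TS-AES-SHA
 match address CRYPTO-TO-HQ
!
interface FastEthernet0/0
 ip address 198.51.100.10 255.255.255.0
 crypto map VPN-MAP
!
! Expected behaviour:
!   show crypto isakmp sa   -> SA with 203.0.113.1 in QM_IDLE while healthy.
!   When the primary stops answering, DPD tears that SA down (visible with
!   debug crypto isakmp) and the next interesting packet brings up an SA to
!   203.0.113.2. Switchover is stateless: sessions stall for the detection
!   time (10 s plus three 3 s retries here) and then continue via the backup.
!   The spoke does not move back to the primary until the SA to the backup
!   is torn down; there is no preemption.
```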
Hot Standby Router Protocol
– HSRP can be used at:
  • Headend: two head-end IPsec devices appear as one to remote peers
  • Remote site: two IPsec gateways appear as one to local devices
– The active HSRP device uses a virtual IP and MAC address.
– The standby HSRP device takes over the virtual IP and MAC address when the active device goes down.
HSRP for Default Gateway at Remote Site
– All remote devices use the virtual IP as their default gateway.
– The backup router is only used when the primary router is down.
HSRP for Head-End IPsec Routers
– Remote sites peer with the virtual IP address (HSRP) of the headend; the crypto map is bound to the HSRP group so that IPsec uses the virtual address.
– RRI (reverse route injection, which installs a static route to each remote network when its SA comes up and withdraws it when the SA goes down) or HSRP can be used on the inside interface to ensure a proper return path.
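The head-end HSRP design with RRI, as a CLI example added here (not the course's configuration). Addresses and names are assumptions; the ISAKMP policy, transform set and crypto ACL are the ordinary site-to-site ones, identical on both head-ends, and are not repeated:

```cisco
! Added example: two head-ends sharing one virtual IP (HSRP), spokes peer
! with the virtual address, RRI provides the return route. Addresses and
! names are assumptions; policy/transform set/crypto ACL omitted.
!
! --- HUB1 (preferred active) ---
interface FastEthernet0/0
 description Outside, shared segment with HUB2
 ip address 203.0.113.2 255.255.255.0
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name HSRP-OUT
 ! Also fail over when the inside link dies, not only on outside/device
 ! failure; otherwise the active box keeps the SAs but cannot deliver.
 standby 1 track FastEthernet0/1 20
 ! Binding the crypto map to the HSRP group makes IPsec use the virtual IP
 ! as its local address, so spokes see one peer whichever box is active.
 crypto map VPN-MAP redundancy HSRP-OUT
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES-SHA
 match address CRYPTO-TO-SPOKE1
 ! RRI: a static route to the spoke LAN (10.10.1.0/24) is installed on the
 ! router holding the SA and removed when the SA goes down.
 reverse-route
!
! Redistribute the injected statics so inside routers send return traffic
! to the head-end that actually holds the SA.
router ospf 1
 redistribute static subnets
 network 10.1.0.0 0.0.255.255 area 0
!
! --- HUB2 --- identical, except:
!   ip address 203.0.113.3 255.255.255.0
!   standby 1 priority 100
!   (same group name, same crypto map and redundancy binding)
!
! --- SPOKE1 --- peers with the virtual address only:
!   crypto isakmp key Spoke1-Hub address 203.0.113.1
!   crypto map VPN-MAP 10 ipsec-isakmp
!    set peer 203.0.113.1
!
! Caveat: this is stateless failover. After a switchover the spoke's SAs
! with the old active router are gone; DPD on the spoke notices quickly
! and it renegotiates with the new active router at the same address.
! Stateful failover (SSO) is what removes that renegotiation.
```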
IPsec Stateful Failover
– IPsec VPNs using DPD, HSRP, or IGPs to mitigate failures only provide stateless failover.
– IPsec stateful failover requires:
  • Identical hardware and software configuration of IPsec on the active and standby device
  • Exchange of IPsec state between the active and standby device (i.e., complete SA information)
IPsec Stateful Failover (Cont.)
– IPsec stateful failover works in combination with HSRP and SSO.
– SSO synchronizes the ISAKMP and IPsec SA databases between the HSRP active and standby routers, so existing tunnels survive a switchover without renegotiation.
– RRI is optionally used to inject the routes into the internal network.
IPsec Stateful Failover Example
– Configure IPC (inter-device communication) to exchange state information between the head-end devices.
– Enable stateful redundancy on the crypto map (the crypto map is bound to the HSRP group with the stateful option).
Backing Up a WAN Connection with an IPsec VPN
– IPsec VPNs can be used as cost-effective and fast backups for an existing WAN.
– Switchover options:
  • Using an IGP (e.g., GRE over IPsec or VTI):
    – Use IGP metrics to make the WAN the primary path
    – Optionally, use HSRP interface tracking to follow PVC status at the remote site
  • Using floating static routes (higher administrative distance than the primary route) for VPN destinations
Backing Up a WAN Connection with an IPsec VPN: Example Using GRE over IPsec
– IGP used to detect PVC failures
– Reroute to the GRE over IPsec tunnel
Summary
– High availability requires two components:
• Redundant device, links, or paths
• High availability mechanisms to detect failures and reroute
– Native IPsec can be configured with backup peers in
crypto maps in combination with DPD.
– HSRP can be used instead of backup peers.
– IPsec stateful failover can augment HSRP to minimize
downtime upon head-end device failures.
– IPsec VPNs can be used as a backup for other types of
networks.
IPsec VPNs
Configuring Cisco Easy VPN and Easy VPN Server Using SDM
Introducing Cisco Easy VPN
– Cisco Easy VPN has two main functions:
• Simplify client configuration
• Centralize client configuration and dynamically push
the configuration to clients
– How are these two goals achieved?
• IKE Mode Config functionality is used to download
some configuration parameters to clients.
• Clients are preconfigured with a set of IKE policies
and IPsec transform sets.
Cisco Easy VPN Components
– Easy VPN Server: Enables Cisco IOS routers,
Cisco PIX Firewalls, and Cisco VPN Concentrators
to act as VPN head-end devices in site-to-site or
remote-access VPNs, in which the remote office
devices are using the Cisco Easy VPN Remote
feature
– Easy VPN Remote: Enables Cisco IOS routers,
Cisco PIX Firewalls, and Cisco VPN Hardware
Clients or Software Clients to act as remote VPN
clients
Remote Access Using Cisco Easy VPN
Easy VPN Server and Easy VPN Remote
Cisco Easy VPN Remote Connection Process
1. The VPN client initiates the IKE Phase 1 process.
2. The VPN client establishes an ISAKMP SA.
3. The Easy VPN Server accepts the SA proposal.
4. The Easy VPN Server initiates a username and
password challenge.
5. The mode configuration process is initiated.
6. The RRI process is initiated.
7. IPsec quick mode completes the connection.
Step 1: The VPN Client Initiates the IKE Phase 1 Process
– Using pre-shared keys? Initiate aggressive mode (the group name is sent as the IKE identity, so the server can select the group key before encryption starts). Caveat: aggressive mode exposes a hash derived from the group key to anyone on the path, allowing an offline dictionary attack, so use a long random group key and always require Xauth on top of it.
– Using digital certificates? Initiate main mode.
Step 2: The VPN Client Establishes an ISAKMP SA
– The VPN client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server.
– To reduce manual configuration on the VPN client, these ISAKMP proposals include several combinations of the following:
  • Encryption and hash algorithms
  • Authentication methods
  • Diffie-Hellman group sizes
Step 3: The Cisco Easy VPN Server Accepts the SA Proposal
– The Easy VPN Server searches for a match:
  • The first proposal to match the server list is accepted (the server's list is searched in priority order).
  • List the most secure proposals at the top of the Easy VPN Server list (highest priority), so that a client offering both weak and strong options gets the strong one.
– The ISAKMP SA is successfully established.
– Device authentication ends and user authentication begins.
Step 4: The Cisco Easy VPN Server Initiates a Username and Password Challenge
– If the Easy VPN Server is configured for Xauth, the VPN client waits for a username/password challenge:
  • The user enters a username/password combination.
  • The username/password information is checked against authentication entities using AAA (local database, RADIUS, or TACACS+).
– All Easy VPN Servers should be configured to enforce user authentication; without Xauth, anyone holding the shared group key can connect.
Step 5: The Mode Configuration Process Is Initiated
– If the Easy VPN Server indicates successful authentication, the VPN client requests the remaining configuration parameters from the Easy VPN Server:
  • Mode configuration starts.
  • The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN client.
– Remember that the IP address (pool) is the only required parameter in a group profile; all other parameters are optional.
– Split tunneling is a policy decision: with no split-tunnel ACL all client traffic goes through the tunnel; with one, only the listed networks do, and the rest of the client's traffic leaves it unprotected.
Step 6: The RRI Process Is Initiated
– RRI should be used when the following conditions occur:
  • More than one VPN server is used
  • Per-client static IP addresses are used with some clients (instead of per-VPN-server IP pools)
– RRI ensures the creation of static routes (one host route per connected client).
– Redistributing those static routes into an IGP allows the server-site routers to find the appropriate Easy VPN Server for return traffic to clients.
Step 7: IPsec Quick Mode Completes the Connection
– After the configuration parameters have been successfully received by the VPN client, IPsec quick mode is initiated to negotiate IPsec SA establishment.
– After IPsec SA establishment, the VPN connection is complete.
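The seven-step connection process above, seen from the server side as a CLI configuration added here (not the course's configuration; the course configures the server through SDM). Group name, key, pool, usernames and addresses are assumptions; each step is marked where the configuration implements it:

```cisco
! Added example: Cisco IOS Easy VPN Server from the CLI, annotated with
! the seven connection steps. Names, key, pool and addresses are assumed.
!
! Steps 4 and 5 need AAA: Xauth uses the EZ-XAUTH login list and the group
! policy (mode config attributes) is looked up through the EZ-GROUP network
! authorization list. Both use the local database here; use "group radius"
! or "group tacacs+" for a central server.
aaa new-model
aaa authentication login EZ-XAUTH local
aaa authorization network EZ-GROUP local
username alice secret Al1ce-Xauth-Pw
!
ip local pool EZ-POOL 10.200.0.1 10.200.0.254
!
! Steps 1-3: Phase 1 policy. The Cisco VPN Client proposes AES/SHA/
! pre-share/group 2 among its built-in proposals, so this one matches.
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
!
! Step 5: group profile pushed by mode config. The group key is a PSK used
! in aggressive mode, so make it long and random and never skip Xauth.
crypto isakmp client configuration group REMOTE-WORKERS
 key Rw7kQ2pL9vZx4mE8tB3nY6
 dns 10.1.1.10
 domain example.com
 pool EZ-POOL
 ! Split tunnel: only 10.1.0.0/16 goes through the tunnel, everything
 ! else leaves the client unprotected. Omit "acl" to tunnel all traffic.
 acl SPLIT-TUNNEL
ip access-list extended SPLIT-TUNNEL
 permit ip 10.1.0.0 0.0.255.255 any
!
! Step 7: quick mode uses this transform set. A dynamic crypto map is
! required because client addresses are not known in advance.
crypto ipsec transform-set EZ-TS esp-aes esp-sha-hmac
crypto dynamic-map EZ-DYN 10
 set transform-set EZ-TS
 ! Step 6: RRI installs a /32 route for each connected client's address.
 reverse-route
!
crypto map EZ-MAP client authentication list EZ-XAUTH
crypto map EZ-MAP isakmp authorization list EZ-GROUP
crypto map EZ-MAP client configuration address respond
crypto map EZ-MAP 65535 ipsec-isakmp dynamic EZ-DYN
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map EZ-MAP
!
! Verification: show crypto session (one UP-ACTIVE session per client),
! show crypto isakmp sa, show ip route static (one /32 per client via RRI).
```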
Configuring NTP Client
Understanding NTP
– NTP is used to synchronize the clocks of all devices in the network; consistent time is what makes log correlation, certificate validity checks, and time-based authentication trustworthy.
– The system clock is set from the battery-backed hardware calendar during bootup (on platforms that have one).
– The system clock can then be set manually or by NTP.
– NTP runs over UDP port 123; the current version is 4.
– NTPv3 is documented in RFC 1305 and NTPv4 in RFC 5905.
– Stratum describes how many "NTP hops" a machine is from an authoritative time source (stratum 1 is directly attached to a reference clock).
– NTP establishes associations (server, peer, broadcast) to synchronize time.
Configuring NTP Authentication
Router(config)#
ntp authenticate
• Enables the authentication feature (without it, keys can be configured but are never checked)
Router(config)#
ntp authentication-key number md5 value
• Defines the authentication keys
• Used for both peer and server associations
Router(config)#
ntp trusted-key key-number
• Defines which keys are trusted
• Required to synchronize to a system (server association); a reply authenticated with an untrusted key is ignored
R1(config)#ntp authenticate
R1(config)#ntp authentication-key 1 md5 NeVeRgUeSs
R1(config)#ntp trusted-key 1
Configuring NTP Associations
Router(config)#
ntp server {ip-address | hostname} [version number] [key keyid] [source interface] [prefer]
• Forms a server association with another system; key selects which authentication key is sent with requests to that server

Router(config-if)#
ntp broadcast client
• Receives NTP broadcast packets on this interface

R1(config)#ntp server 10.1.1.1 key 1
R1(config)#ntp server 10.2.2.2 key 2 prefer
R1(config)#interface FastEthernet 0/1
R1(config-if)#ntp broadcast client
Configuring Additional NTP Options
Router(config)#
ntp access-group {query-only | serve-only | serve | peer} access-list-number
• Controls NTP message exchange: peer allows time requests, control queries, and synchronizing to the listed hosts; serve allows requests and queries but not synchronizing to them; serve-only allows time requests only; query-only allows control queries only

Router(config)#
ntp source interface
• Modifies the source IP address of NTP packets (so that a stable loopback address can be used in the peer's access-group and key configuration)

R1(config)#access-list 1 permit host 10.1.1.1
R1(config)#ntp access-group peer 1
R1(config)#ntp source loopback 0
Configuring NTP Server
Implementing NTP Server
– Cisco IOS routers act as an NTP server by default.
– As soon as a router is synchronized to an authoritative time source, it will serve time to systems with a higher stratum number (further from the reference clock), which synchronize to it:
  • Requires a server or peer association on the other system
– You can make a router an authoritative NTP server (ntp master) even if the system is not synchronized to an outside time source; do this only as a last resort, because the whole network then follows one free-running clock.
– Two options to establish an association:
  • Unicast
  • Broadcast
– Same exchange control methods as with the client:
  • Packet authentication
  • Access group filtering
Configuring NTP Server
Router(config)#
ntp peer ip-address [normal-sync] [version number] [key keyid] [source interface] [prefer]
• Forms a peer association with another system (either side may synchronize to the other)
Router(config)#
ntp master [stratum]
• Makes the system an authoritative NTP server (default stratum 8)
Router(config-if)#
ntp broadcast [version number] [destination address] [key keyid]
• Configures an interface to send NTP broadcast packets; include key keyid, or broadcast clients with authentication enabled will reject them

R2(config)#ntp peer 10.1.1.1 key 1
R2(config)#ntp master 3
R2(config)#interface FastEthernet0/0
R2(config-if)#ntp broadcast
NTP Configuration Example

Source(config)#ntp master 5
Source(config)#ntp authenticate
Source(config)#ntp authentication-key 1 md5 secretsource
Source(config)#ntp trusted-key 1
Source(config)#ntp peer 172.16.0.2 key 1
Source(config)#ntp source loopback 0

Intermediate(config)#ntp authenticate
Intermediate(config)#ntp authentication-key 1 md5 secretsource
Intermediate(config)#ntp authentication-key 2 md5 secretclient
Intermediate(config)#ntp trusted-key 1
Intermediate(config)#ntp server 172.16.0.1 key 1
Intermediate(config)#ntp source loopback 0
Intermediate(config)#interface FastEthernet0/0
Intermediate(config-if)#ntp broadcast key 2

Client(config)#ntp authenticate
Client(config)#ntp authentication-key 2 md5 secretclient
Client(config)#ntp trusted-key 2
Client(config)#interface FastEthernet0/1
Client(config-if)#ntp broadcast client

– Authentication is enabled on all three routers and every association references its key: a server association without key, or a broadcast without key, sends unauthenticated packets that an authenticating receiver discards.
– The key number, not only the key value, must match on both ends: Intermediate broadcasts with key 2, so Client must hold that secret as key 2 and trust key 2.
Summary
– Since OOB management provides higher levels of security and performance
than in-band, the decision to use an in-band solution must be considered
carefully.
– Management communications should use SSH rather than Telnet.
– Implementing a router logging facility is an important part of any network
security policy.
– Syslog is implemented on your Cisco router using syslog router commands.
– Network management will be greatly enhanced by implementing the security
features of SNMPv3 rather than earlier versions.
– Cisco IOS SNMPv3 server configuration tasks include configuring SNMP-server
engine ID, group names, users, and hosts.
– Cisco routers can be configured as NTP servers or clients.
– Packet authentication and filtering should be used to protect NTP exchange.
Cisco Device Hardening
Configuring AAA on Cisco Routers
Introduction to AAA
AAA Model
– Authentication:
• Who are you?
• “I am user student and my password validateme proves it.”
– Authorization:
• What can you do? What can you access?
• “User student can access host serverXYZ using Telnet.”
• “Assign an IP address and ACL to user student connecting through VPN.”
• “When user student starts an EXEC session, assign privilege level 10.”
– Accounting:
• What did you do? How long and how often did you do it?
• “User student accessed host serverXYZ using Telnet for 15 minutes.”
• “User student was connected to VPN for 25 minutes.”
• “EXEC session of user student lasted 20 minutes and only show commands were
executed.”
Implementing AAA
– Administrative access: console, Telnet, SSH, and AUX access (character mode)
– Remote user network access: dialup or VPN (packet mode)
Router Access Modes
AAA Protocols: RADIUS and TACACS+
RADIUS Authentication and Authorization
– The RADIUS exchange starts once the NAS is in possession of the username and password (the NAS prompts the user itself).
– The ACS replies with an Access-Accept message, which also carries the authorization attributes, or an Access-Reject if authentication is not successful.
RADIUS Messages
• There are four types of authentication messages (RFC 2866 adds Accounting-Request and Accounting-Response):
  – Access-Request
  – Access-Challenge, to facilitate challenge-response authentication protocols
  – Access-Accept
  – Access-Reject
RADIUS Attributes
• RADIUS messages contain zero or more AV pairs, for example:
  – User-Name
  – User-Password (the only attribute RADIUS hides: it is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator, so everything else, including User-Name, crosses the network in cleartext)
  – CHAP-Password
  – Service-Type
  – Framed-IP-Address
– There are approximately 50 standards-based attributes (RFC 2865).
– RADIUS allows vendor-specific (proprietary) attributes.
– Basic attributes are used for authentication purposes.
– Most other attributes are used in the authorization process.
RADIUS Features
– Standard protocol (RFC 2865)
– Standard attributes can be augmented by proprietary attributes:
  • Vendor-Specific Attribute 26 (Cisco VSA cisco-avpair) allows TACACS+-style AV pairs to be carried over RADIUS
– Uses UDP on standard port numbers (1812 for authentication, 1813 for accounting; Cisco Secure ACS uses the legacy 1645 and 1646 by default)
– Includes only two security features:
  • Hiding of passwords (MD5-derived keystream, not real encryption)
  • Authentication of server replies (MD5 Response Authenticator computed over the packet and the shared secret)
– The Access-Request itself carries no integrity protection unless the Message-Authenticator attribute (RFC 2869) is used, so RADIUS belongs on a trusted management network or inside IPsec
– Authorization only possible as part of authentication (attributes are returned in the Access-Accept)
TACACS+ Authentication
– The TACACS+ exchange starts before the user is prompted for username and password.
– The prompt text can be supplied by the TACACS+ server.
TACACS+ Network Authorization
– Network authorization starts after successful authentication.
TACACS+ Command Authorization
– Command authorization is repeated for every single command that requires authorization (based on command privilege level), so the server can allow or deny each command individually.
TACACS+ Attributes and Features
• TACACS+ messages also contain AV pairs, such as these:
  – ACL
  – ADDR
  – CMD
  – Interface-Config
  – Priv-Lvl
  – Route
• TACACS+ uses TCP on well-known port number 49.
• TACACS+ establishes a dedicated TCP session for every AAA action.
• Cisco Secure ACS can use one persistent TCP session for all actions (single-connection).
• Protocol security: the body of every TACACS+ packet is obfuscated with an MD5 keystream derived from the shared sec
ret, session ID, version, and sequence number; only the 12-byte header is in cleartext. Unlike RADIUS this hides usernames and commands too, but it is not modern encryption and provides no per-packet integrity check, so the same trusted-network or IPsec advice applies.
Configuring the AAA Server (TACACS+ and RADIUS in Cisco Secure ACS)
Configure AAA Login Authentication on Cisco Routers Using CLI
AAA Authentication Commands
Router(config)#
aaa authentication login {default | list_name} group {group_name | tacacs+ | radius} [method2 [method3 [method4]]]

• Use this command to configure the authentication process. Methods are tried in order; the next method is used only when the previous one returns an error (server unreachable), not when it rejects the user.

Router(config)#aaa authentication login default group tacacs+ local line
Character Mode Login Example

Router#show running-config
...
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login my_list group tacacs+
...
line con 0
line aux 0
line vty 0 4
 login authentication my_list

• Because no authentication list has been specified for line con 0 and aux 0, the default list is used.
Verifying AAA Login Authentication Commands
aaa new-model
!
aaa authentication login default local
aaa authentication login radius_local group radius local
aaa authorization exec default local
!
username joe secret 5 $1$SlZh$Io83V..6/8WEQYTis2SEW1
!
tacacs-server host 10.1.1.10 single-connection key secrettacacs
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key secretradius
!
line vty 0 4
 login authentication radius_local

– The radius_local list tries the RADIUS server first and falls back to the local database only if the server is unreachable; the console keeps the default list (local only), which is the recovery path when the server is down.
Troubleshoot AAA Login Authentication on Cisco Routers
router#
debug aaa authentication

• Use this command to help troubleshoot AAA authentication problems (pair it with debug tacacs or debug radius to see the server exchange).
Troubleshoot AAA Authentication
Example
R2#debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user=''
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list=''
action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS

– The using "default" list and Method=LOCAL lines show which list and method handled the login; status = PASS marks success, while a failing server would appear as an ERROR followed by the next method in the list.
AAA Authorization Commands
router(config)#
aaa authorization {network | exec | commands level | config-commands | reverse-access} {default | list-name} method1 [method2...]

Example:
router(config)#aaa authorization exec default group radius local none
• The trailing none means that if every earlier method returns an error, authorization succeeds without any check; it is a fail-open fallback and belongs only in lists applied to the console.
Authorization Example

R2#show running-config
...
aaa new-model
!
aaa authentication login default local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
...
username admin password 0 cisco123

– Prefer username admin secret ... to password 0: the latter stores the password in cleartext in the configuration.
Troubleshooting Authorization
router#
debug aaa authorization

• Use this command to help troubleshoot AAA authorization problems.

R2#debug aaa authorization
2:23:21: AAA/AUTHOR (0): user='carrel'
2:23:21: AAA/AUTHOR (0): send AV service=shell
2:23:21: AAA/AUTHOR (0): send AV cmd*
2:23:21: AAA/AUTHOR (342885561): Method=TACACS+
2:23:21: AAA/AUTHOR/TAC+ (342885561): user=carrel
2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV service=shell
2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV cmd*
2:23:21: AAA/AUTHOR (342885561): Post authorization status = FAIL

– Post authorization status = FAIL means the TACACS+ server denied the EXEC shell. A local method listed after group tacacs+ is not consulted here, because a deny is a result, not an error.
AAA Accounting Commands
router(config)#
aaa accounting {commands level | connection | exec | network | system} {default | list-name} {start-stop | stop-only | wait-start} group {tacacs+ | radius}

Example:
R2(config)#aaa accounting exec default start-stop group tacacs+
AAA Accounting Example

R2#show running-config | begin aaa
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
...
tacacs-server host 10.1.1.3
tacacs-server key SeCrEtKeY
...
Troubleshooting Accounting
router#
debug aaa accounting

• Use this command to help troubleshoot AAA accounting problems.

R2#debug aaa accounting
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop:
task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78
cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54
elapsed_time=14
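The authentication, authorization and accounting commands of this lesson combined into one administrative-access configuration, added here as an example (not the course's own configuration). Server addresses, keys and usernames are assumptions; the point is that a login path keeps working when the TACACS+ servers are unreachable, without opening a fail-open hole:

```cisco
! Added example: complete AAA for administrative access with TACACS+
! servers and a safe local fallback. Addresses, keys, names are assumed.
aaa new-model
!
! Two TACACS+ servers in one group; tried in order.
aaa group server tacacs+ ACS-GROUP
 server 10.1.1.3
 server 10.1.1.4
tacacs-server host 10.1.1.3 key TaC-SecretKey-01
tacacs-server host 10.1.1.4 key TaC-SecretKey-01
ip tacacs source-interface Loopback0
!
! Authentication: servers first, local database only when they return an
! error (unreachable). A reject from the server is final; the local
! method is not consulted on a reject.
aaa authentication login VTY-AUTH group ACS-GROUP local
aaa authentication login CON-AUTH local
aaa authentication enable default group ACS-GROUP enable
!
! Authorization: the EXEC shell, then every level-1 and level-15 command,
! is checked against the server. The console is exempt from authorization
! unless "aaa authorization console" is added, which keeps a recovery path.
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 1 default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
!
! Accounting: start/stop records per session, plus a record of every
! level-15 command (the audit trail for configuration changes).
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! Local fallback account. "secret" stores an MD5 hash; "password 0" would
! store cleartext and "password 7" only a reversible obfuscation.
username admin privilege 15 secret L0cal-Fallback-Pw
enable secret En4ble-Secret-Pw
!
! Apply the lists. VTYs accept SSH only; the console authenticates locally
! so the router stays reachable with both servers down.
line con 0
 login authentication CON-AUTH
 exec-timeout 10 0
line vty 0 4
 login authentication VTY-AUTH
 transport input ssh
 exec-timeout 10 0
!
! Verification: "test aaa group ACS-GROUP <user> <password> legacy"
! exercises the server path from the router; "debug aaa authentication"
! shows which method in the list answered.
```

Note that the VTY list never contains none: if both servers are unreachable the router falls back to the local admin account, and if the servers are reachable but reject a user, the login fails.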
Summary
– Authentication, authorization, and accounting are used to
effectively control network access.
– The router access modes for AAA are character and packet.
– The most popular AAA protocols are TACACS+ and RADIUS.
– AAA can be configured on the router using CLI or SDM.
– SDM simplifies the AAA configuration process.
– One of the troubleshooting tools for login authentication is
the debug aaa authentication command.
– The aaa authorization exec command is used for character
mode while aaa authorization network command is used for
packet mode access authorization.
– The aaa accounting command provides numerous options
for accounting purposes.
Module Summary
– Attacks can target various components of modern networks, such
as system integrity, confidentiality, and availability.
– Disabling unneeded router services and interfaces makes the router less vulnerable to attacks.
– Administrative access should be secured using password security
features, proper failed login handling, and role-based CLI.
– Network devices should be managed using secure protocols, such
as SNMPv3, SSH, SSL, and authenticated NTP.
– Syslog is the ubiquitous logging protocol.
– ACLs filter malicious traffic and mitigate attacks.
– AAA operations can be offloaded to a TACACS+ or RADIUS server to
increase security and scalability.
