The IIN is a model designed to demonstrate how networks evolve to meet business needs.
The IIN is comprised of four road maps, each suiting a particular business type:
IIN has three phases:
SONA has three layers:
Layer 2 technologies include frame relay and ATM
Relatively secure (separate from the Internet), but not flexible
Not typically available to residential premises
Requires an underlying layer 2 connection to ride over
Provides security and QoS
Most popular solution (most easily available, cheapest)
A secure layer 3 VPN is formed across existing public infrastructure
The Radio Frequency (RF) range is 5 MHz to 1 GHz.
DOCSIS allows for channel widths of 200 kHz, 400 kHz, 800 kHz, 1.6 MHz, 3.2 MHz, and 6.4 MHz.
DOCSIS 1.0 and 1.1 utilize TDMA; DOCSIS 2.0 can utilize TDMA or synchronous code division multiple access (S-CDMA).
Media access control is done on a request/grant system, minimizing collisions.
DOCSIS 2.0 provides for up to 40 Mbps downstream and 30 Mbps upstream. DOCSIS 3.0 is capable of up to 160/120 Mbps.
ADSL can typically reach only 18,000 feet from the CO.
Load coils placed to extend voice signals disrupt data signals.
Bridge taps (unterminated wire split) introduce additional interference.
Crosstalk occurs between pairs within a cable bundle.
CAP operates with three frequency bands:
CAP is based on quadrature amplitude modulation (QAM).
CAP is legacy and nonstandard, giving way to DMT.
DMT uses orthogonal frequency-division multiplexing (OFDM) and operates on multiple carriers (channels) within each frequency range.
The available frequency range of 0 to 1.1 MHz is divided into 256 channels of 4.312 kHz each.
Channels are dynamically allocated to find the combination of channels with the least interference.
Simple multi-protocol encapsulation over ATM, defined in the RFCs 1483 and 2684.
Defined in RFC 2516.
Connection setup occurs in two phases:
The CPE router performs the discovery phase to determine the MAC address of its peer.
PPPoE frame structure:
VER (4 bits) - Version; always 0x1
TYPE (4 bits) - Type; always 0x1
CODE (8 bits) - Determines stage of the discovery process; always 0x00 during session phase
SESSION_ID (16 bits) - Carries the PPP session ID (once established); constant for the duration of the session
LENGTH (16 bits) - Length of the payload
The session phase consists of normal PPP operation; LCP and NCP negotiation.
RFC 2516 specifies a Maximum Receive Unit (MRU) of 1492 bytes: the 1500-byte Ethernet MTU less the 6-byte PPPoE header and the 2-byte PPP protocol ID field.
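The PPPoE header layout above, as an added example (not code from the original notes): a small parser and builder that validates VER/TYPE, distinguishes discovery frames (tag list) from session frames (PPP protocol ID), refuses a LENGTH field that overruns the frame, and derives the 1492-byte MRU. The sample PADI and LCP frames are constructed inline; the tag type values and discovery CODE values are those of RFC 2516.

```python
import struct

# Ethertypes for the two PPPoE phases (RFC 2516)
ETHERTYPE_PPPOE_DISCOVERY = 0x8863
ETHERTYPE_PPPOE_SESSION = 0x8864

# Discovery-phase CODE values (RFC 2516); 0x00 is always used during the session phase
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT", 0x00: "SESSION"}
TAG_SERVICE_NAME = 0x0101
TAG_AC_NAME = 0x0102

ETHERNET_MTU = 1500
PPPOE_HEADER_LEN = 6        # VER/TYPE, CODE, SESSION_ID, LENGTH
PPP_PROTOCOL_ID_LEN = 2     # e.g. 0xC021 = LCP, 0x0021 = IPv4


def pppoe_mru(ethernet_mtu=ETHERNET_MTU):
    """Largest PPP frame that fits once the PPPoE header and PPP protocol ID are added."""
    return ethernet_mtu - PPPOE_HEADER_LEN - PPP_PROTOCOL_ID_LEN   # 1492 on standard Ethernet


def build_pppoe(code, session_id, payload):
    """Serialize a PPPoE header (VER=1, TYPE=1) in front of an already-built payload."""
    return struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload


def build_tags(tags):
    """Discovery payload: a sequence of TAG_TYPE (16 bits), TAG_LENGTH (16 bits), TAG_VALUE."""
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)


def parse_tags(data):
    tags, off = [], 0
    while off + 4 <= len(data):
        ttype, tlen = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated PPPoE tag")
        tags.append((ttype, value))
        off += 4 + tlen
    return tags


def parse_pppoe(data):
    """Validate the fixed header, then decode either discovery tags or the PPP protocol ID."""
    if len(data) < PPPOE_HEADER_LEN:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", data[:PPPOE_HEADER_LEN])
    ver, typ = ver_type >> 4, ver_type & 0x0F
    if ver != 1 or typ != 1:
        raise ValueError(f"unsupported PPPoE VER/TYPE {ver}/{typ}")
    payload = data[PPPOE_HEADER_LEN:PPPOE_HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("LENGTH field exceeds the frame")   # never trust a length field blindly
    info = {"code": PPPOE_CODES.get(code, f"0x{code:02x}"), "session_id": session_id, "length": length}
    if code == 0x00:
        if length < PPP_PROTOCOL_ID_LEN:
            raise ValueError("session frame without PPP protocol ID")
        info["ppp_protocol"] = struct.unpack("!H", payload[:2])[0]
        info["ppp_payload"] = payload[2:]
    else:
        info["tags"] = parse_tags(payload)
    return info


# Constructed sample frames (not captured traffic): a PADI asking for any service, and an LCP
# Configure-Request (code 1, id 1, length 4) inside an established session 0x002A.
SAMPLE_PADI = build_pppoe(0x09, 0x0000, build_tags([(TAG_SERVICE_NAME, b"")]))
SAMPLE_SESSION = build_pppoe(0x00, 0x002A, b"\xC0\x21" + b"\x01\x01\x00\x04")

if __name__ == "__main__":
    print(parse_pppoe(SAMPLE_PADI))
    print(parse_pppoe(SAMPLE_SESSION))
    print("MRU:", pppoe_mru())
```

The LENGTH check matters because a PPPoE access concentrator or CPE that copies LENGTH bytes without comparing it to the received frame size reads past the buffer; the parser refuses such frames instead.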
PPPoA uses ATM Adaptation Layer 5 (AAL5) and Logical Link Control/Subnetwork Access Protocol (LLC/SNAP) for encapsulation on virtual circuits.
Ethernet frames are appended with an 8-byte segmentation and reassembly (SAR) trailer and padding so that their length becomes a multiple of 48 bytes, then split into 53-byte ATM cells for transmission.
Virtual circuits are specified as a pairing of a Virtual Path Identifier (VPI) (8 bits) and a Virtual Circuit Identifier (VCI) (16 bits).
PPPoA also performs discovery and session phases similar to PPPoE.
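The AAL5 segmentation described above, as an added example (not code from the original notes): pad a PDU so that payload plus the 8-byte trailer is a multiple of 48, cut it into 53-byte cells on the page's PVC 8/35, and reassemble on the far side while checking the header HEC, the VPI/VCI, the end-of-PDU marker and the trailer CRC. Two assumptions are labelled in the code: zlib's CRC-32 stands in for the AAL5 CRC-32 (bit ordering not verified here), and the sample PDU is constructed.

```python
import struct
import zlib

CELL_SIZE = 53
CELL_PAYLOAD = 48
AAL5_TRAILER = 8      # UU (1), CPI (1), Length (2), CRC-32 (4)


def atm_hec(header4):
    """Header Error Control: CRC-8 with polynomial x^8 + x^2 + x + 1 over the first four
    header bytes, XORed with 0x55 (ITU-T I.432)."""
    crc = 0
    for byte in header4:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0x55


def cell_header(vpi, vci, last):
    """UNI cell header: GFC(4) VPI(8) VCI(16) PT(3) CLP(1) HEC(8).
    The low PT bit (AUU) is set on the final cell of an AAL5 PDU."""
    if not (0 <= vpi < 256 and 0 <= vci < 65536):
        raise ValueError("VPI is 8 bits and VCI is 16 bits at the UNI")
    pt = 0b001 if last else 0b000
    word = (vpi << 20) | (vci << 4) | (pt << 1)      # GFC = 0, CLP = 0
    head = struct.pack("!I", word)
    return head + bytes([atm_hec(head)])


def aal5_segment(pdu, vpi, vci):
    """Append padding + 8-byte trailer so the total is a multiple of 48, then cut into cells."""
    pad = (-(len(pdu) + AAL5_TRAILER)) % CELL_PAYLOAD
    body = pdu + b"\x00" * pad + struct.pack("!BBH", 0, 0, len(pdu))   # UU=0, CPI=0, Length
    # Assumption: zlib CRC-32 stands in for the AAL5 CRC-32 (same polynomial; bit order not verified)
    body += struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)
    chunks = [body[i:i + CELL_PAYLOAD] for i in range(0, len(body), CELL_PAYLOAD)]
    return [cell_header(vpi, vci, i == len(chunks) - 1) + c for i, c in enumerate(chunks)]


def aal5_reassemble(cells, vpi, vci):
    """Reverse of aal5_segment, checking HEC, VPI/VCI, the AUU end marker, length and CRC."""
    buf = bytearray()
    for cell in cells:
        if len(cell) != CELL_SIZE:
            raise ValueError("ATM cells are exactly 53 bytes")
        head = cell[:4]
        if atm_hec(head) != cell[4]:
            raise ValueError("HEC mismatch: corrupted cell header")
        word = struct.unpack("!I", head)[0]
        if (word >> 20) & 0xFF != vpi or (word >> 4) & 0xFFFF != vci:
            raise ValueError("cell belongs to a different virtual circuit")
        buf += cell[5:]
        if (word >> 1) & 1:          # AUU set: this was the last cell of the PDU
            break
    else:
        raise ValueError("PDU never terminated (no AUU cell)")
    length = struct.unpack("!H", buf[-6:-4])[0]
    crc = struct.unpack("!I", buf[-4:])[0]
    if zlib.crc32(bytes(buf[:-4])) & 0xFFFFFFFF != crc:
        raise ValueError("AAL5 CRC mismatch")
    if length > len(buf) - AAL5_TRAILER:
        raise ValueError("Length field larger than reassembled payload")
    return bytes(buf[:length])


# Constructed sample: a 100-byte PDU becomes 144 bytes of AAL5 SDU, i.e. 3 cells, on PVC 8/35.
SAMPLE_PDU = bytes(range(100))

if __name__ == "__main__":
    cells = aal5_segment(SAMPLE_PDU, 8, 35)
    ok = aal5_reassemble(cells, 8, 35) == SAMPLE_PDU
    print(len(cells), "cells;", "reassembled ok" if ok else "mismatch")
```

A PDU of exactly 40 bytes fills one cell (40 + 8 = 48); one byte more forces a second, almost empty cell, which is the AAL5 overhead that makes small packets expensive on DSL/ATM links.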
Several components of PPPoE over DSL need to be configured:
Ethernet interface:
interface Ethernet0/0
no ip address
pppoe enable
pppoe-client dial-pool-number 1
ATM interface:
interface ATM0/0
no ip address
dsl operating-mode auto
pvc 8/35
pppoe-client dial-pool-number 1
interface Dialer0
ip address negotiated
ip mtu 1492
encapsulation ppp
dialer pool 1
interface Ethernet0/0
ip nat inside
!
interface Dialer0
ip nat outside
!
ip nat inside source list 100 interface dialer0 overload
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
ip dhcp excluded-address 172.16.0.1 172.16.0.9
!
ip dhcp pool LAN
import all
network 172.16.0.0 255.255.0.0
default-router 172.16.0.1
ip route 0.0.0.0 0.0.0.0 Dialer0
show pppoe session all can be used to verify active PPPoE sessions.
PPPoA is defined in RFC 2364 as PPP over AAL5.
Three types of PPPoA are available:
Provides a separate virtual circuit for each routed protocol to be transported.
Configuration:
interface ATM0/0
no ip address
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp Virtual-Template1
!
interface Virtual-Template1
encapsulation ppp
ip address negotiated
ppp authentication chap
...
Provides a single virtual circuit for all higher-layer protocols.
AAL5SNAP is the default method.
An LLC header is inserted at the beginning of the PDU.
The LLC header contains the following information:
0xFE for SNAP
Set to 0xFE for SNAP
0x03 (unnumbered)
Configured with encapsulation aal5snap.
Allows for multiple PVCs on multiple subinterfaces.
Cisco equipment is required end-to-end.
Configured with encapsulation ciscoppp.
Layer 1 has two sublayers: the transmission convergence (TC) and physical medium dependent (PMD) layers.
Framing is the process of ordering bits for transmission.
Line coding is the process of transmitting bits.
RJ-11/RJ-14 pinout:
auto - Automatic negotiation
ansi-dmt - ANSI T1.413
itu-dmt - G.992.1
splitterless - G.992.2 or G.Lite
Carrierless Amplitude Phase (CAP) cannot be autonegotiated.
debug atm events - Displays the allocated VPI/VCI pair
debug atm packet - Displays VPI/VCI and packet type (MUX vs SNAP)
An ATM ping can be performed to test the ATM circuit:
Router# ping atm interface atm0/0 8 35 seg-loopback
PPP phases:
Monitoring:
debug ppp negotiation
debug ppp authentication
Multiprotocol Label Switching (MPLS) is defined in RFC 3031.
Label switching is not dependent on L3 routing functionality.
MPLS is designed to forward packets on the minimum amount of information required (a short label rather than an entire IP header).
Packets are grouped by destination into Forwarding Equivalence Classes (FECs).
Packets are assigned to an FEC by applying a label at the ingress MPLS node. Packets are relabeled at each Label Switching Router (LSR).
Service providers use MPLS technologies to isolate each customer's routing information, forming an MPLS VPN.
A Penultimate Hop Pop (PHP) occurs when the LSR directly before the egress edge LSR removes the label, so that the egress edge LSR only has to make a routing decision (rather than both a label lookup and a routing decision).
MPLS is CEF switched.
MPLS label structure:
In frame mode MPLS, labels are inserted between the layer 2 and layer 3 headers.
In cell mode MPLS (over ATM), VPI/VCI fields are used to carry label information.
Some instances require stacked labels:
MPLS identifies the upper-layer protocol by setting the layer 2 protocol type field to an MPLS-specific value. For example, on Ethernet the Ethertype 0x0800 (IP) is replaced with 0x8847 (MPLS-IP).
Label Distribution Protocol (LDP) is used to advertise labels to neighboring LSRs (functioning as a routing protocol).
Label distribution can occur in two ways:
Interim packet propagation occurs when an LSR has no label associated with a packet's destination, and falls back to CEF switching (IP routing).
Penultimate Hop Popping (PHP) occurs when an LSR realizes it is the second-to-last router in the LSP, and assigns a packet the reserved label value of 3 (imp-null, implicit null). When the next LSR receives the packet, it knows immediately to discard the label and perform a CEF lookup.
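The label stack, Ethertype and per-hop label operations described in the MPLS notes above, as an added example (not code from the original notes): encode and parse 32-bit label entries (Label/EXP/S/TTL), pick the Ethertype, compute the MTU increase of four bytes per label, and simulate one LSR whose LFIB either swaps the top label, pops it when the downstream neighbour advertised implicit-null (3), or falls back to a CEF/IP lookup when no label exists for the destination. The LFIB contents and the IPv4 payload bytes are constructed placeholders; TTL propagation on pop is omitted.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS_UNICAST = 0x8847
LABEL_IMPLICIT_NULL = 3
RESERVED_LABELS = {0: "ipv4-explicit-null", 1: "router-alert", 2: "ipv6-explicit-null", 3: "implicit-null"}
LABEL_ENTRY_LEN = 4


def encode_label(label, exp=0, bottom=False, ttl=255):
    """One 32-bit label stack entry: Label(20) EXP(3) S(1) TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def push_labels(labels, ttl=255):
    """Build a stack; only the last entry carries the bottom-of-stack bit."""
    return b"".join(encode_label(l, bottom=(i == len(labels) - 1), ttl=ttl)
                    for i, l in enumerate(labels))


def parse_label_stack(data):
    """Walk entries until S=1; returns (entries, remaining payload)."""
    stack, off = [], 0
    while True:
        if off + LABEL_ENTRY_LEN > len(data):
            raise ValueError("label stack runs past end of packet")
        word = struct.unpack("!I", data[off:off + 4])[0]
        entry = {"label": word >> 12, "exp": (word >> 9) & 0x7,
                 "bottom": bool((word >> 8) & 1), "ttl": word & 0xFF}
        entry["name"] = RESERVED_LABELS.get(entry["label"])
        stack.append(entry)
        off += LABEL_ENTRY_LEN
        if entry["bottom"]:
            return stack, data[off:]


def ethertype_for(labels):
    """Frame-mode MPLS replaces the IP Ethertype with the MPLS one when labels are present."""
    return ETHERTYPE_MPLS_UNICAST if labels else ETHERTYPE_IPV4


def mpls_mtu(ip_mtu, max_labels):
    """Four bytes per potential label, e.g. 1500 + 3*4 = 1512 as in `mpls mtu 1512`."""
    return ip_mtu + LABEL_ENTRY_LEN * max_labels


def lsr_forward(packet, lfib):
    """Simulate one LSR. lfib maps incoming top label -> outgoing label; implicit-null (3)
    means pop (PHP), a missing entry means fall back to a CEF/IP lookup on the payload.
    Returns (action, ethertype, new_packet)."""
    stack, payload = parse_label_stack(packet)
    top, rest = stack[0], stack[1:]
    if top["ttl"] <= 1:
        return ("drop-ttl-expired", ETHERTYPE_MPLS_UNICAST, packet)
    out = lfib.get(top["label"])
    rest_bytes = packet[LABEL_ENTRY_LEN:]
    if out is None:
        return ("cef-lookup", ETHERTYPE_IPV4, payload)      # interim propagation: route on the IP header
    if out == LABEL_IMPLICIT_NULL:
        if rest:
            return ("pop", ETHERTYPE_MPLS_UNICAST, rest_bytes)   # inner label is now on top
        return ("pop", ETHERTYPE_IPV4, payload)                 # last label gone: plain IP lookup next
    swapped = encode_label(out, top["exp"], top["bottom"], top["ttl"] - 1)
    return ("swap", ETHERTYPE_MPLS_UNICAST, swapped + rest_bytes)


# Constructed placeholder standing in for an IPv4 header plus payload (version nibble only).
SAMPLE_PAYLOAD = b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    pkt = push_labels([16, 100]) + SAMPLE_PAYLOAD          # transport label 16 over VPN label 100
    for lfib in ({16: 17}, {16: LABEL_IMPLICIT_NULL}, {}):
        action, ethertype, _ = lsr_forward(pkt, lfib)
        print(f"LFIB {lfib}: {action}, ethertype 0x{ethertype:04x}")
```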
Router(config)# ip cef [distributed]
CEF operation can be verified with show ip cef.
MPLS is enabled by default on routers which support it. It can be disabled with no mpls ip.
MPLS and Label Distribution Protocol (LDP) must be enabled per interface.
Router(config-if)# mpls label protocol ldp
Router(config-if)# mpls ip
The MTU on an MPLS interface must be raised by four bytes for each potential label in a stack.
Router(config-if)# mpls mtu 1512
Setting the MTU with mpls mtu only modifies the MTU for MPLS packets, rather than all interface traffic.
All intermediate devices must support jumbo frames as well.
The status of LDP neighbors can be verified with show mpls ldp neighbor.
Different customer networks can be logically separated using Virtual Routing and Forwarding (VRF), a private routing table on the provider's routers.
A route distinguisher (RD) is a 64-bit prefix prepended to an IPv4 address to create a globally unique VPNv4 address. Each customer is assigned its own RD or RDs.
VPNv4 addresses are communicated between PE routers using MPBGP.
A route target (RT) is an attribute appended to a VPNv4 BGP route to indicate VPN membership.
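The RD and RT encodings described above, as an added example (not code from the original notes): build the 64-bit route distinguisher in its three standard layouts (2-byte ASN:number, IPv4:number, 4-byte ASN:number), prepend it to an IPv4 address to form the 96-bit VPNv4 address, and encode a route target as the matching BGP extended community. The ASN and address values used below are constructed samples.

```python
import struct
from ipaddress import IPv4Address

RD_TYPE_2BYTE_ASN = 0   # ASN (2 bytes) : assigned number (4 bytes)
RD_TYPE_IPV4 = 1        # IPv4 address (4 bytes) : assigned number (2 bytes)
RD_TYPE_4BYTE_ASN = 2   # ASN (4 bytes) : assigned number (2 bytes)
RT_SUBTYPE = 0x02       # extended-community sub-type for a route target


def encode_rd(text):
    """Encode 'admin:number' as the 8-byte route distinguisher carried in VPNv4 NLRI.
    struct raises if a field overflows its width (e.g. number > 65535 with an IPv4 admin)."""
    admin, number = text.rsplit(":", 1)
    number = int(number)
    if "." in admin:
        return struct.pack("!HIH", RD_TYPE_IPV4, int(IPv4Address(admin)), number)
    asn = int(admin)
    if asn < 0x10000:
        return struct.pack("!HHI", RD_TYPE_2BYTE_ASN, asn, number)
    return struct.pack("!HIH", RD_TYPE_4BYTE_ASN, asn, number)


def decode_rd(rd):
    """Inverse of encode_rd, back to the 'admin:number' display form."""
    if len(rd) != 8:
        raise ValueError("an RD is exactly 64 bits")
    rd_type = struct.unpack("!H", rd[:2])[0]
    if rd_type == RD_TYPE_2BYTE_ASN:
        asn, number = struct.unpack("!HI", rd[2:])
        return f"{asn}:{number}"
    if rd_type == RD_TYPE_IPV4:
        ip, number = struct.unpack("!IH", rd[2:])
        return f"{IPv4Address(ip)}:{number}"
    if rd_type == RD_TYPE_4BYTE_ASN:
        asn, number = struct.unpack("!IH", rd[2:])
        return f"{asn}:{number}"
    raise ValueError(f"unknown RD type {rd_type}")


def vpnv4_address(rd_text, address):
    """96-bit VPNv4 address = RD (64 bits) + IPv4 address (32 bits)."""
    return encode_rd(rd_text) + IPv4Address(address).packed


def encode_route_target(text):
    """Route target as an 8-byte extended community: high type byte 0x00/0x01/0x02 (matching the
    RD admin layout), sub-type 0x02, then the same six value bytes as the RD."""
    rd = encode_rd(text)
    return bytes([rd[1], RT_SUBTYPE]) + rd[2:]


if __name__ == "__main__":
    # Two customers both using 10.1.1.0 remain distinct once their RDs are prepended.
    for rd in ("65000:100", "65000:200", "192.0.2.1:100", "4200000000:100"):
        print(rd, vpnv4_address(rd, "10.1.1.0").hex(), encode_route_target(rd).hex())
```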
IPsec features:
IKE handles secure exchange of keys and other information over a nonsecure channel.
Rides TCP port 500.
Provides for both data encryption and integrity.
DES, 3DES, or AES can be used for encryption.
Hash-based Message Authentication Code (HMAC) provides data integrity, using either SHA-1 or MD5.
Defined as IP protocol 50.
Does not provide for data encryption.
Like ESP, uses HMAC to provide data integrity.
Defined as IP protocol 51.
IPsec can use any of the following methods to authenticate a peer:
A bidirectional security association (SA) is established between peers, and peers may optionally be authenticated.
Phase 1 is accomplished in either main mode or aggressive mode.
Parameters such as hash methods and transform sets are negotiated.
Xauth (Extended Authentication) can optionally authenticate the user of the IPsec endpoint.
Unidirectional SAs are set up between endpoints in IKE quick mode using the parameters agreed upon in phase 1. Separate keys are used for each direction.
Six messages are exchanged, in three pairs:
An abbreviated version of main mode:
Used only in phase 2, to set up unidirectional SAs over an established bidirectional SA.
Symmetric algorithms:
Asymmetric algorithms:
An ACL is used to specify which types of traffic are to be placed into the VPN tunnel.
If the VPN tunnel has not yet been established, the first packet of interesting traffic will trigger its setup.
IKE phase 1 is performed in either main mode or aggressive mode.
IKE transform set negotiation, Diffie-Hellman public key exchange, and peer authentication take place in this step.
IKE transform sets are composed of the following parameters:
Candidate transform sets are selected by lowest policy number.
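The policy-number ordering above has a practical consequence: the responder walks its own policies from the lowest number upward and accepts the first one the peer also offers, so a weak low-numbered policy (such as DES/MD5/group 1) is chosen whenever the peer proposes it, even if both sides also support AES. As an added example (not code from the original notes), here is that selection logic plus a check that flags weaker ciphers ordered ahead of stronger ones. Policy contents are constructed; the lifetime rule is simplified to "the shorter value wins", and the strength ranking covers only the encryption algorithm.

```python
# Constructed local policies keyed by policy number, with the page's `crypto isakmp policy` fields.
LOCAL_POLICIES = {
    10: {"encryption": "des", "hash": "md5", "authentication": "pre-share", "group": 1, "lifetime": 3600},
    20: {"encryption": "aes-256", "hash": "sha", "authentication": "pre-share", "group": 14, "lifetime": 3600},
}
MATCH_KEYS = ("encryption", "hash", "authentication", "group")
CIPHER_STRENGTH = {"des": 1, "3des": 2, "aes": 3, "aes-192": 4, "aes-256": 5}


def select_policy(local_policies, peer_proposals):
    """Return (policy_number, negotiated_parameters) for the lowest-numbered local policy that
    matches any of the peer's proposals on encryption, hash, authentication and DH group.
    Lifetime need not match exactly; the shorter of the two is used (simplification).
    Returns (None, None) when nothing matches, i.e. phase 1 fails."""
    for number in sorted(local_policies):
        local = local_policies[number]
        for proposal in peer_proposals:
            if all(local[k] == proposal[k] for k in MATCH_KEYS):
                negotiated = dict(local)
                negotiated["lifetime"] = min(local["lifetime"], proposal["lifetime"])
                return number, negotiated
    return None, None


def weak_before_strong(local_policies):
    """Flag (weak_number, strong_number) pairs where a weaker cipher sits at a lower,
    i.e. preferred, policy number. An empty list means the ordering is strongest-first."""
    numbers = sorted(local_policies)
    return [(a, b) for i, a in enumerate(numbers) for b in numbers[i + 1:]
            if CIPHER_STRENGTH[local_policies[a]["encryption"]]
            < CIPHER_STRENGTH[local_policies[b]["encryption"]]]


# Constructed peer proposals: the peer prefers AES-256 but still offers DES as a fallback.
PEER_PROPOSALS = [
    {"encryption": "aes-256", "hash": "sha", "authentication": "pre-share", "group": 14, "lifetime": 1800},
    {"encryption": "des", "hash": "md5", "authentication": "pre-share", "group": 1, "lifetime": 86400},
]

if __name__ == "__main__":
    print("negotiated:", select_policy(LOCAL_POLICIES, PEER_PROPOSALS))
    print("ordering problems:", weak_before_strong(LOCAL_POLICIES))
```

Renumbering the AES policy below the DES one (or removing DES altogether) makes `weak_before_strong` return an empty list and changes the outcome of `select_policy` for the same peer.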
IKE quick mode is used to negotiate IPsec transform sets and establish unidirectional IPsec security associations (SAs) in both directions.
IKE also monitors and reestablishes SAs as needed.
Optionally, IKE quick mode can also perform additional Diffie-Hellman key exchanges when active keys expire.
IPsec transform sets (similar to IKE transform sets) include the following parameters:
The Security Association Database (SAD) maps SAs to peers by their Security Parameter Index (SPI).
The Security Policy Database (SPD) contains the security parameters (transform set) that were agreed upon for each SA.
Interesting traffic is encrypted and/or authenticated through the IPsec tunnel.
If the SA key has expired, the SA is torn down and a new one is established if more traffic needs to be passed.
Tunnels can also be manually deleted by an administrator.
Upon tunnel termination, all SA information for that tunnel is removed from the SAD and SPD.
Define an IKE transform set:
crypto isakmp policy 10
encryption des
hash md5
authentication pre-share
group 1
lifetime 3600
!
crypto isakmp key 0 <secret key> address 192.168.100.1
An example defining ESP with 256-bit AES encryption and SHA-1 authentication in tunnel mode:
crypto ipsec transform-set Foo esp-aes 256 esp-sha-hmac
mode tunnel
Optionally, a lifetime for the SA can be configured:
crypto ipsec security-association lifetime seconds 1800
An extended ACL is configured to match interesting traffic.
access-list 123 permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.255.255
crypto map Tyler 10 ipsec-isakmp
match address 123
set peer 1.2.3.4
set transform-set Foo
interface Serial 0/0
ip address 192.168.200.1 255.255.255.0
! subnet mask assumed
crypto map Tyler
Optionally configure ACLs on public-facing interfaces to only accept IPsec traffic from expected sources.
GRE over IPsec is primarily used to facilitate routing protocols within tunnels.
GRE is stateless.
GRE adds a new 20-byte IP header and its own 4-byte header, and up to 12 bytes of options:
Basic configuration components:
Basic GRE/IP configuration:
Router(config)# interface tunnel0
Router(config-if)# ip address 192.168.0.1 255.255.255.252
Router(config-if)# tunnel source s0/0
Router(config-if)# tunnel destination 10.1.2.3
! GRE/IP is default
Router(config-if)# tunnel mode gre ip
GRE over IPsec configuration under the SDM involves the following steps:
In a stateless failover configuration, routers do not directly track the status of tunnels.
DPD can operate in either periodic mode or on-demand mode.
Periodic mode:
On-demand mode (default):
DPD configuration:
Router(config)# crypto isakmp keepalive <seconds> [<retries>] [periodic | on-demand]
An IGP such as EIGRP or OSPF is run between peers, treating the tunnels like normal layer 3 links.
HSRP is used on a pair of routers facing a peer, so that either will answer for the VPN peer address.
The HSRP group on an interface must be designated as providing IPsec redundancy with the redundancy command appended to the interface crypto map specification:
crypto map central-office 10 ipsec-isakmp dynamic from-remote
!
interface FastEthernet1/0
ip address 192.168.0.3 255.255.255.0
! subnet mask assumed
standby 1 ip 192.168.0.1
standby 1 name vpn-remote
crypto map central-office redundancy vpn-remote
Stateful failover uses identical active and backup devices running HSRP and Stateful Switchover (SSO).
Inside and outside interfaces on the devices must be LAN interfaces.
Both modes of DPD (periodic and on-demand) are supported.
The HSRP configuration of an interface is similar to the stateless configuration, but with the addition of stateful to the interface crypto map specification:
crypto map central-office 10 ipsec-isakmp dynamic from-remote
!
interface FastEthernet1/0
ip address 192.168.0.3 255.255.255.0
! subnet mask assumed
standby 1 ip 192.168.0.1
standby 1 name vpn-remote
crypto map central-office redundancy vpn-remote stateful
SSO is enabled by specifying the HSRP group as follows:
redundancy inter-device
scheme standby vpn-remote
Inter-device Communication Protocol (IPC) facilitates inter-device communication:
ipc zone default
association 1
protocol sctp
local-port 12321
local-ip 10.10.10.1
retransmit-timeout 300 10000
path-retransmit 10
assoc-retransmit 20
remote-port 12321
remote-ip 10.10.20.1
Stream Control Transmission Protocol (SCTP) is used as the transport protocol. Local and remote port numbers must match.
Easy VPN modes:
Easy VPN connection establishment:
no ip bootp server
no cdp run
no service config (disabled by default)
no ftp-server enable (disabled by default)
no tftp-server enable (disabled by default)
no service pad
no service tcp-small-servers and no service udp-small-servers
no mop enable (disabled by default)
no snmp-server enable
no ip http server and/or no ip http secure-server
no ip domain-lookup
no ip icmp redirect
no ip source-route
no service finger
no ip unreachables
no ip mask-reply (disabled by default)
no ip directed-broadcast (disabled by default)
no ip identd
service tcp-keepalives-in and service tcp-keepalives-out
no ip arp gratuitous
no ip arp proxy
Router# auto secure [management | forwarding] [no-interact | full] [login | ntp | ssh | firewall | tcp-intercept]
Example base Authentication, Authorization and Accounting (AAA) configuration:
Router(config)# aaa new-model
Router(config)# aaa authentication attempts login 5
Router(config)# aaa authentication login default local
Authentication failure logging generates a syslog message after a number of failed attempts within one minute, and prevents future logins for 15 seconds:
Router(config)# security authentication failure rate <attempts> log
Login blocking:
Router(config)# login block-for <seconds> attempts <number> within <seconds>
Failed login delay:
Router(config)# login delay <seconds>
Success and failure logging:
Router(config)# login on-success log
Router(config)# login on-failure log
Quiet mode maps an access class matching origins exempt from these login restrictions:
Router(config)# login quiet-mode access-class <ACL>
Login restrictions can be viewed with show login.
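The login block-for, quiet-mode and on-failure/on-success logging behaviour above, as an added example (not code from the original notes): a parser for the failure/success syslog messages and a small state machine that counts failures device-wide within the `within` window, enters quiet mode for `block-for` seconds once `attempts` is reached, and exempts sources matching the quiet-mode access class. The log lines are constructed, the exact message wording is an assumption about what `login on-failure log` and `login on-success log` emit, and timestamps are assumed to fall within one day.

```python
import re
from ipaddress import ip_address, ip_network

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<kind>LOGIN_SUCCESS|LOGIN_FAILED):.*?"
    r"\[Source: (?P<src>[\d.]+)\].*? at (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)"
)

# Constructed sample (not a capture): three failures inside one minute from one source,
# then two login attempts during the resulting quiet period and one after it ends.
SAMPLE_LOG = """\
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:00:01 UTC Mon Jan 1 2024
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:00:15 UTC Mon Jan 1 2024
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:00:30 UTC Mon Jan 1 2024
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.9] [localport: 22] at 10:00:45 UTC Mon Jan 1 2024
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] [localport: 22] at 10:00:50 UTC Mon Jan 1 2024
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.9] [localport: 22] at 10:02:35 UTC Mon Jan 1 2024
"""


def parse_events(log):
    """Return (seconds_since_midnight, source_ip, succeeded) for each recognised login message."""
    events = []
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        events.append((t, m["src"], m["kind"] == "LOGIN_SUCCESS"))
    return events


class LoginBlock:
    """Models `login block-for <block_for> attempts <attempts> within <within>` together with a
    `login quiet-mode access-class` exemption list. Failures are counted device-wide, not per source."""

    def __init__(self, block_for, attempts, within, exempt=()):
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.exempt = [ip_network(n) for n in exempt]
        self.failures = []          # timestamps of failures still inside the window
        self.quiet_until = None

    def is_exempt(self, src):
        return any(ip_address(src) in n for n in self.exempt)

    def decide(self, t, src, success):
        if self.quiet_until is not None and t < self.quiet_until and not self.is_exempt(src):
            return "refused-quiet-mode"
        if success:
            return "accepted"
        self.failures = [f for f in self.failures if t - f < self.within] + [t]
        if len(self.failures) >= self.attempts:
            self.quiet_until = t + self.block_for
            self.failures = []
            return "failed-quiet-mode-started"
        return "failed"


def replay(log, block_for, attempts, within, exempt=()):
    """Run the sample log through the guard and return (time, source, decision) per event."""
    guard = LoginBlock(block_for, attempts, within, exempt)
    return [(t, src, guard.decide(t, src, ok)) for t, src, ok in parse_events(log)]


if __name__ == "__main__":
    for t, src, decision in replay(SAMPLE_LOG, 120, 3, 60, exempt=["10.0.0.0/8"]):
        print(f"{t:6d} {src:15} {decision}")
```

Because the counter is global, a single remote source can push the device into quiet mode and lock out everyone who is not covered by the quiet-mode access class, which is why that ACL should always include the management network.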
An access-class can be applied to restrict logins to permitted sources:
Router(config)# line vty 0 15
Router(config-line)# access-class 10 in
An idle timeout can be enforced:
Router(config-line)# exec-timeout <minutes> [<seconds>]
Setting the exec-timeout to 0 disables the idle timer.
Router(config)# security passwords min-length <characters>
Router(config)# service password-encryption
A message of the day (MOTD) banner can be defined to advertise policy:
Router(config)# banner motd #
*** Unauthorized users will be shot. ***
#
There are 16 privilege levels (0 through 15).
Level 0 is user mode, level 15 is privileged mode, and levels 1 through 14 are customizable.
Router(config)# privilege <mode> level <level> <command>
Router(config)# enable secret level <level> <password>
Role-based CLI allows for users to belong to multiple views rather than a privilege level.
Router(config)# parser view <name>
Router(config-view)# secret <password>
Router(config-view)# commands <type> {include | exclude | include-exclusive} {<line> | all}
Router# enable view <name>
Superviews link individual views:
Router(config)# parser view <name> superview
Router(config-view)# secret <password>
Router(config-view)# view <name>
Password recovery can be disabled to prevent someone with physical access to a device from rebooting into ROMMON:
Router(config)# no service password-recovery
Authentication, Authorization, and Accounting (AAA) has two access modes:
Developed by Cisco, defined in RFC 1492.
TACACS+ uses TCP.
TACACS+ allows for encryption of the entire packet body.
TACACS+ separates authentication and authorization, allowing a different backend to be used for each.
TACACS+ has better multiprotocol support than RADIUS.
Only TACACS+ provides command-specific authorization.
Configuration example:
aaa new-model
tacacs-server host 10.18.0.27
tacacs-server key SharedSecret
username Steve secret <hash>
aaa authentication ppp dial-list tacacs+ local
aaa authorization commands 15 tacacs+ if-authenticated none
aaa accounting network start-stop tacacs+
Defined in RFC 2865
RADIUS uses UDP.
RADIUS only encrypts passwords within an access-request packet.
RADIUS combines authentication and authorization.
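The statement that RADIUS only protects the password inside an Access-Request, as an added example (not code from the original notes): the RFC 2865 User-Password hiding scheme (each 16-byte block XORed with MD5 of the shared secret and the previous block, seeded by the Request Authenticator), a minimal Access-Request builder, and a parser that shows User-Name and NAS-IP-Address travelling in the clear while User-Password does not. The username, password, secret and NAS address are constructed values, and the Request Authenticator is random unless one is supplied for testing.

```python
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)


def _pad16(password):
    """Pad with NULs to a multiple of 16 octets, at least one block, at most 128 octets."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    size = max(16, -(-len(password) // 16) * 16)
    return password.ljust(size, b"\x00")


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: c1 = p1 XOR MD5(S + RA); c(i) = p(i) XOR MD5(S + c(i-1))."""
    padded = _pad16(password)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden, secret, authenticator):
    """Server side of the same scheme. Trailing NULs are stripped, so a password that itself
    ends in NUL bytes is not recoverable exactly (a limitation of the RFC 2865 scheme)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attr(attr_type, value):
    """Type(1) Length(1, includes the 2 header bytes) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret,
                         nas_ip=bytes([192, 0, 2, 1]), authenticator=None):
    """Access-Request with User-Name, User-Password and NAS-IP-Address (NAS address is a placeholder)."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, nas_ip))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, {attr_type: value}) with bounds checks."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short RADIUS packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, off = {}, HEADER_LEN
    while off < length:
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[off + 2:off + attr_len]
        off += attr_len
    return code, identifier, packet[4:20], attrs


if __name__ == "__main__":
    pkt = build_access_request(7, b"alice", b"s3cret-pw", b"SharedSecret")
    code, ident, ra, attrs = parse_packet(pkt)
    print("cleartext username:", attrs[ATTR_USER_NAME], "hidden password:", attrs[ATTR_USER_PASSWORD].hex())
    print("recovered:", unhide_password(attrs[ATTR_USER_PASSWORD], b"SharedSecret", ra))
```

Everything other than the password field, including the username and all other attributes, is readable by anyone who can see the UDP datagram, and the hiding itself rests entirely on the strength of the shared secret; this is why RADIUS traffic is normally confined to a management network or wrapped in IPsec.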
Configuration example:
aaa new-model
radius-server host 10.18.0.27
radius-server key SharedSecret
username Steve secret <hash>
aaa authentication ppp dial-list radius local
aaa authorization network radius local
aaa accounting network mynetwork start-stop group radius
debug aaa authentication
debug aaa authorization
debug aaa accounting
debug radius
debug tacacs
Provides authentication and authorization for services via TACACS+ or RADIUS.
Supported protocols:
Responds to suspect traffic with one or more actions:
Apply ACL and inspection rules in the inbound direction on untrusted interfaces.
Example to allow SMTP and HTTP inbound to their respective servers:
ip access-list extended FROM_OUTSIDE
permit tcp any host 10.0.24.89 eq 25
permit tcp any host 10.0.22.103 eq 80
deny ip any any log
Router(config)# ip inspect name <name> <protocol> [alert {on | off}] [audit-trail {on | off}] [timeout <seconds>]
The default timeout between alerts is 10 seconds.
Enable audit trail tracking via syslog:
Router(config)# ip inspect audit-trail
Router(config)# logging on
To turn on real-time alerts (default):
Router(config)# no ip inspect alert-off
Apply the ACL and inspect rule:
Router(config)# ip access-group FROM_OUTSIDE in
Router(config)# ip inspect SMTP-AND-HTTP in
show ip inspect [name <name> | config | interface | session | statistics | all]
debug ip inspect ...
IDS/IPS categories:
Network (NIDS/NIPS) - A dedicated device on the network; unable to assess the effectiveness of an attack
Host (HIDS/HIPS) - Software running on end hosts
Signature-based - Matches a specific byte pattern or content
Policy-based - Configurable policy to allow or deny certain traffic types and sources/destinations
Anomaly-based - Looks for traffic patterns which deviate from the norm
A honeypot is a device deployed with the intention of attracting attackers, possibly to distract them from legitimate devices.
Attack categories:
Signatures:
Cisco IOS uses signatures stored in Signature Definition Files (SDFs). SDFs can be moved, modified, and merged together.
Signature reaction:
Specify the location of the SDF:
Router(config)# ip ips sdf {builtin | location}
Configure the failure parameter:
Router(config)# ip ips fail closed
Create an IPS rule:
Router(config)# ip ips name <name> [list <ACL>]
Apply the IPS rule to an interface:
Router(config-if)# ip ips <name> {in | out}
show ip ips configuration