Monthly Archives: May 2012

PPP WAN Connections

WAN encapsulation:

  • Leased Line: PPP, HDLC
  • Packet Switching – Frame Relay, X.25, ATM
  • Circuit Switching – PPP, HDLC
  • Metro Ethernet – Ethernet
  • Broadband – PPPoE, PPPoA, Ethernet

HDLC – Cisco’s default point to point encapsulation for circuit switched and dedicated circuits

PPP – Router-to-router or host-to-network over synchronous or asynchronous circuits

Frame Relay – Switched data link layer protocol that handles multiple virtual circuits.  Successor to X.25.

ATM – International standard for cell relay.  Uses fixed 53 byte cell switched technology.  Allows processing in hardware.

Broadband – PPPoE and PPPoA (256kbps to 24Mbps), provide transmission over the PSTN.  Cable Ethernet, data over cable TV infrastructure, 3-30Mbps.

Metro Ethernet – Point to point and multipoint.  Ethernet over dark fibre, SONET/SDH, RPR.

Overview of PPP

PPP supports 2 types of Physical Interfaces

Asynchronous Serial: POTS dialup

Synchronous Serial: ISDN or leased lines

Link Control Protocol (LCP) is used to negotiate and set up control options on the WAN link.

3 Phases of PPP Session Establishment

  1. Link Establishment: Each PPP device sends LCP packets to configure and test the data link.  If a configuration option is not included in an LCP packet the default value is assumed.
  2. Authentication: If used, authentication takes place before the network layer protocol phase.  PAP and CHAP are supported.
  3. Network Layer Protocol: PPP devices send NCP packets to choose and configure the protocol for example IP.

PAP: Passwords are sent in clear text with no protection from playback/replay attacks.

CHAP: Uses a 3-way handshake at the start of the link and periodically thereafter to verify the identity of the remote node.
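
The PAP/CHAP difference above, worked through as an added example (not part of the original notes): the CHAP response is MD5 over the identifier, the shared secret and a random challenge, so the secret never crosses the link and a captured response is useless against the next challenge. The secret value and the `ChapAuthenticator` class are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed shared secret for illustration only; in CHAP it is configured on both
# peers and never crosses the link (unlike a PAP password, which is sent in clear text).
SECRET = b"example-shared-secret"

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapAuthenticator:
    """Authenticator side of the 3-way handshake: Challenge -> Response -> Success/Failure."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.outstanding = None        # (identifier, challenge) still awaiting a response

    def challenge(self):
        """Step 1: send a fresh random challenge (repeated periodically on a live link)."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        """Step 3: check the peer's response against the challenge we actually issued."""
        if self.outstanding is None or self.outstanding[0] != identifier:
            return False
        ident, chal = self.outstanding
        self.outstanding = None        # a challenge is answered at most once
        expected = chap_response(ident, self.secret, chal)
        return hmac.compare_digest(expected, response)

def demo_replay_is_rejected():
    """Returns (legitimate handshake result, result of replaying the captured response)."""
    auth = ChapAuthenticator(SECRET)
    ident, chal = auth.challenge()
    resp = chap_response(ident, SECRET, chal)    # step 2: peer answers from its copy of the secret
    first = auth.verify(ident, resp)
    ident2, _ = auth.challenge()                 # next periodic challenge: new random value
    second = auth.verify(ident2, resp)           # the captured response no longer matches
    return first, second
```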

Configuring and Verifying PPP

Enable PPP on an interface

Enable Authentication:

  • Configure router hostname
  • Configure username/password
  • PAP/CHAP

PPP summary

There are two components of PPP:

LCP negotiates the connection

NCP encapsulates the traffic


Extending the Network Into the WAN – IPSEC

VPN Benefits

  • Cost savings
  • Security
  • Scalability
  • Broadband compatibility

VPN Types:

  • Site to Site
  • Remote Access (Easy VPN, IOS IPSEC/SSL VPN)

Easy VPN Restrictions

  • No manual NAT/PAT, auto configuration for the tunnel
  • Only 1 destination peer is supported
  • Destination peer must be a Cisco Easy VPN remote-access server
  • Digital Certificates are not supported
  • Only ISAKMP policy group 2 is supported on IPSEC servers
  • Some transform sets are NOT supported: ESP-DES and ESP-3DES, ESP-NULL, ESP-SHA-HMAC, ESP-NULL ESP-MD5-HMAC.  AH is not supported either.

IPSEC SSL VPN Restrictions

Currently supported only in software.

Remote access VPN clients

Certicom Client – Wireless PDA client

VPN 3002 Hardware Client – Network Switch Appliance

VPN Software Client – Cisco VPN Client

Introducing IPSEC

IPSEC is a framework of open standards

IPSEC provides 4 critical functions:

  • Confidentiality (encryption)
  • Data Integrity
  • Authentication
  • Anti-replay protection

DES – Data Encryption Standard: 56-bit key, symmetric key cryptosystem

3DES – Triple DES: Variant of DES, data broken into 64-bit blocks, each block processed 3 times with an independent 56-bit key

AES – Advanced Encryption Standard: Stronger than DES and more efficient than 3DES, offers 128-, 192- and 256-bit keys.

Rivest, Shamir and Adleman (RSA): Asymmetric key cryptosystem.  Not used for data encryption in IPSEC; IKE uses RSA in the peer authentication phase.

Keyed-Hash Message Authentication Code (HMAC):

HMAC-MD5 – 128-bit shared secret key

HMAC-SHA1 – 160-bit shared secret key

The Two Peer Authentication Methods:

  • PSK: Manually entered into each peer
  • RSA Signatures: Exchange of digital certificates

Two IPSEC framework protocols:

Authentication Header (AH): Verifies that any message passed from A to B has not been modified.  Does not provide encryption of packets.  Used with ESP to provide encryption and tamper-aware features.

Encapsulating Security Payload (ESP): Can encrypt the IP packet payload and the source/destination.  Provides authentication for the inner IP packet AND the ESP header.  Encryption and authentication are optional but at least 1 must be selected.

VPN Summary:

  • VPNs are less expensive, more secure and easier to scale than WANs
  • VPNs are implemented on IOS routers, ASAs and VPN client software
  • IPSEC is the framework for VPNs
  • AH and ESP are the 2 main framework protocols.

Managing Address Space with NAT and IPv6

Inside local address – Private internal non routable addresses.

Inside Global Address – Public Address of the router/site.

Outside Local Address – Public address of a host as it appears to the internal network (may be natted).

Outside Global Address – The public IP address of a host on the internet (outside your organisation).

Static NAT – Maps Private IP to public IP (1 to 1)

Dynamic NAT – Maps private IP to public IP from a pool of public addresses (address block)

NAT Overloading – Maps private IPs to a single public IP (many to one) on different ports.  Also known as PAT (a form of dynamic NAT).

PAT attempts to use the original port; if this is in use it moves to the next available port.  If there are no ports available it will move to the next available public IP and try the ports again.
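
The port-selection rule just described, simulated as an added example (this is illustrative code, not Cisco IOS behaviour in every detail; real PAT also keys on protocol and destination, which is omitted here). The pool addresses, port range and the hits/misses counters are constructed to mirror what sh ip nat statistics reports.

```python
class PatTable:
    """Simulates NAT overload (PAT) port selection as described in the notes:
    keep the inside host's original source port if it is free on the public IP,
    otherwise take the next available port; when a public IP has no ports left,
    move on to the next public IP in the pool and try again."""

    def __init__(self, public_ips, port_range=(1024, 65535)):
        self.public_ips = list(public_ips)          # the NAT pool (address block)
        self.lo, self.hi = port_range
        self.used = {ip: set() for ip in self.public_ips}
        self.table = {}      # (inside local ip, port) -> (inside global ip, port)
        self.hits = 0        # packets that matched an existing translation
        self.misses = 0      # packets that needed a new translation

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key in self.table:
            self.hits += 1
            return self.table[key]
        self.misses += 1
        for ip in self.public_ips:               # one IP exhausted -> try the next one
            port = self._next_port(ip, inside_port)
            if port is not None:
                self.used[ip].add(port)
                self.table[key] = (ip, port)
                return self.table[key]
        return None                               # no free port on any public IP: dropped

    def _next_port(self, ip, wanted):
        used = self.used[ip]
        if self.lo <= wanted <= self.hi and wanted not in used:
            return wanted                         # original port preserved
        start = wanted + 1 if self.lo <= wanted < self.hi else self.lo
        for port in list(range(start, self.hi + 1)) + list(range(self.lo, start)):
            if port not in used:
                return port                       # next available port on this IP
        return None                               # this public IP is exhausted
```

A tiny port range makes the "move to the next public IP" case visible after only two flows.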

Resolving Issues

  • Check inbound ACLs
  • Check ACL is allowing NAT correctly
  • Enough addresses in the pool?
  • NAT inside/outside is applied to the correct interfaces
  • The hits counter in sh ip nat statistics shows that translation is occurring

Transitioning to IPv6

IPv6 Addresses:

  • Leading 0s are optional
  • Successive groups of 0s can be shortened to :: only once per address
  • Unspecified address is written as :: as it contains only zeros

Broadcasting does not exist in IPv6, this is replaced with multicast and anycast.

Anycast is a cross between unicast and multicast.  Anycast sends a packet to any one member of the group of devices with an anycast address.

At this time an anycast address must only be assigned to an IPv6 router.

Global Addresses – Public IP address

Reserved Addresses – Represent 1/256th of the total IPv6 address space.

Private Addresses – Have the first octet value of “FE” with the next hex digit between 8 and F.

Site Local Addresses – Similar to private v4 addresses.  Have a scope of entire site or organisation.  Begins with either:  FEC, FED, FEE or FEF

Link Local Addresses – Used on a particular physical network segment and are NOT routable.  Used for auto address configuration, neighbour discovery and router discovery.

Loopback Address – Single address not a whole block.   Represented as ::1

All zero IPv6 address refers to the host itself when seeking auto config.

Global unicast addresses are defined by the global routing prefix, a subnet ID and an interface ID.

IANA is currently allocating IPv6 address space in the range of 2001::/16 to the registries.

IPv6 Datalink layer Support

  • Ethernet
  • PPP
  • HDLC
  • FDDI
  • Frame Relay
  • Token Ring
  • ARCNet
  • NBMA
  • ATM
  • IEEE 1394

Datalink layer defines how IPv6 interface identifiers are created and neighbour discovery deals with datalink layer address resolution.

IPv6 Addressing: 2001:0050:0000:0000:0000:0AB4:1E2B:98AA

Rule 1: Eliminate groups of consecutive zeros, this can be done once per address e.g.: 2001:0050::0AB4:1E2B:98AA

Rule 2: Drop leading zeros e.g.: 2001:50::AB4:1E2B:98AA

Interface identifiers can be thought of as the host portion of an IPv6 address; they are used to identify interfaces on a link.

IPv6 Addresses can be assigned by:

  • Statically using a manual interface ID – statically assign both the prefix (network) and interface ID (host)
  • Statically using an EUI-64 interface ID – configure the prefix (network) and derive the interface ID (host) from the layer 2 MAC address of the device.
  • Stateless auto configuration – For non-PC devices as well as PCs, and to help reduce administration overhead.
  • DHCP for IPv6 – Used in conjunction with stateless auto configuration
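
The EUI-64 method from the list above, worked as an added example (not part of the original notes): the 48-bit MAC is split in half, FFFE is inserted in the middle and the universal/local bit of the first octet is flipped, then the 64-bit result is combined with the configured /64 prefix. The prefix and MAC values are constructed; the `ipaddress` standard library does the prefix arithmetic and text formatting.

```python
import ipaddress

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface ID (the 64-bit host part) from a 48-bit MAC:
    split the MAC into two 24-bit halves, insert FFFE between them, and flip the
    universal/local bit (bit 7 of the first octet).  Accepts 00:1B:21:12:34:56,
    00-1B-21-12-34-56 or Cisco-style 001b.2112.3456."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    first = octets[0] ^ 0x02                    # invert the U/L bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]

def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix (e.g. 2001:DB8:1:1::/64, or FE80::/64 for the link-local
    address) with the derived interface ID and return the compressed text form."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a 64-bit prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))
```

The same MAC therefore yields the same interface ID under every prefix, which is why the link-local and global addresses of one interface share their last four groups.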

IPv6 Routing

You must enable IPv6 before unicast routing protocol or static IPv6 route will work. (ipv6 unicast-routing)

RIPng (Next Generation) is based on RIPv2 (IPv4)

  • Uses IPv6
  • Sends updates on port 521
  • Includes IPv6 prefix and next hop IPv6 address

Strategies for IPv6 Implementation

Dual Stack – IPv4 and IPv6 connectivity

Tunneling

  • IPv6 over IPv4, v6 encapsulation over v4 requires dual stack routers
  • Dynamic 6to4 – IPv6 tunnel over IPv4

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) – Uses IPv4 as a link layer to tunnel IPv6 over

Teredo – Host to host automatic tunneling.

Proxying and Translation (NAT-PT) – Translation or proxy of IPv6 to IPv4 or IPv4 to IPv6.

Configuring IPv6

  • Activate IPv6 traffic forwarding
  • Config each interface that requires IPv6
  • IPv6 traffic forwarding is disabled by default
  • Link local address is auto configured when an address is assigned to an interface
  • Host names are assigned with ipv6 host <name>

Configure/Verify RIPng for IPv6

  • Syntax is similar/identical to IPv4
  • No network command; instead use ipv6 rip <tag> enable
  • Enable on interface using the same tag as when you started the instance
