Wednesday 2 December 2009

IKE - Functions - Dead Peer Detection

Dead Peer Detection - used to detect a dead IKE peer and perform IKE peer failover.
- If a dead IKE peer is detected then the IKE SA and the IPsec SAs to that peer are torn down.
- DPD has 2 modes of operation:
    a) Periodic - a DPD hello (R-U-THERE) is sent at the configured interval, e.g. every 10 seconds, unless the router
        has received traffic from the peer within that interval. Failures are spotted quickly, but every tunnel carries a steady trickle of hellos.
    b) On demand - the router only sends a DPD hello when it has data to send to the peer and has heard nothing from that peer for the interval. This reduces unnecessary network traffic but you only find out there is a problem when data needs to be sent, not before. On demand is the IOS default.

- Implemented using -
  #crypto isakmp keepalives [seconds] [retry-seconds] [periodic | on-demand]
   where seconds = number of seconds of silence from the peer before a DPD message is sent
             retry-seconds = number of seconds between DPD retries if the DPD message goes unanswered
             periodic = DPD messages are sent at regular intervals
             on-demand = DPD messages are only sent when there is outbound data - this is the default behaviour.

E.g - #crypto isakmp keepalives 10 3 periodic

By implementing this you can then specify a second remote peer within your IPsec crypto map to establish your SA:
for example - #crypto map TEST 10 ipsec-isakmp
          # set peer 172.31.1.100 default
          # set peer 172.31.1.200

The default keyword indicates that this peer should be used first to establish an SA; the second peer is used if the first remote peer is detected to be dead. You can check which peer is currently in use with 'show crypto isakmp sa'.
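To make the difference between the two modes concrete, here is a small Python simulation I have added for this post (it is not Cisco code and does not speak IKE on the wire). It models a router running 'crypto isakmp keepalives 10 3' against the two peers from the crypto map above: the default peer 172.31.1.100 goes silent at t=30s and the router only has data to send at t=150s. The retry limit of 5 and those timings are assumptions chosen for the simulation.

```python
"""Simulation of IKE Dead Peer Detection (DPD) and peer failover.

Constructed for this page to model the behaviour of
  crypto isakmp keepalives <seconds> <retry-seconds> [periodic | on-demand]
together with 'set peer ... default' failover. It is not Cisco code. The retry
limit MAX_RETRIES and the times at which the peer dies or data is queued are
assumptions chosen for the simulation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_RETRIES = 5  # assumption: peer declared dead after this many unanswered retries


@dataclass
class SimPeer:
    address: str
    dies_at: Optional[int] = None  # constructed: peer stops answering at this second

    def answers(self, now: int) -> bool:
        return self.dies_at is None or now < self.dies_at


class DpdSession:
    """One IKE SA with DPD and an ordered peer list (the 'default' peer first)."""

    def __init__(self, peers: List[SimPeer], mode: str, frequency: int, retry: int):
        if mode not in ("periodic", "on-demand"):
            raise ValueError("mode must be 'periodic' or 'on-demand'")
        self.peers, self.mode = peers, mode
        self.frequency, self.retry = frequency, retry
        self.active = 0
        self.events: List[str] = []
        self._reset_timers(0)

    def _reset_timers(self, now: int) -> None:
        self.last_rx = now                          # last second we heard from the peer
        self.hello_sent_at: Optional[int] = None    # unanswered R-U-THERE outstanding since
        self.misses = 0

    @property
    def peer(self) -> SimPeer:
        return self.peers[self.active]

    def _send_hello(self, now: int) -> None:
        """Send R-U-THERE; a live peer answers with R-U-THERE-ACK straight away."""
        if self.peer.answers(now):
            self.last_rx, self.hello_sent_at, self.misses = now, None, 0
        else:
            self.hello_sent_at = now
            self.misses += 1

    def _failover(self, now: int) -> Optional[str]:
        """Tear down the IKE and IPsec SAs to the dead peer and move to the next one."""
        self.events.append(f"t={now}: {self.peer.address} dead after {self.misses} unanswered hellos")
        if self.active + 1 >= len(self.peers):
            self.events.append(f"t={now}: no backup peer configured")
            self._reset_timers(now)
            return None
        self.active += 1
        self._reset_timers(now)
        self.events.append(f"t={now}: establishing new IKE SA to {self.peer.address}")
        return self.peer.address

    def tick(self, now: int, data_to_send: bool = False, rx_from_peer: bool = False) -> Optional[str]:
        """Advance the clock by one second; returns the new peer address on failover."""
        if rx_from_peer and self.peer.answers(now):       # a dead peer cannot send anything
            self.last_rx, self.hello_sent_at, self.misses = now, None, 0  # traffic proves liveness
        if self.hello_sent_at is not None:
            if now - self.hello_sent_at >= self.retry:
                if self.misses > MAX_RETRIES:
                    return self._failover(now)
                self._send_hello(now)                     # retry at the retry interval
            return None
        idle = now - self.last_rx
        if idle >= self.frequency and (self.mode == "periodic" or data_to_send):
            self._send_hello(now)
        return None


def time_to_failover(mode: str, frequency: int = 10, retry: int = 3,
                     peer_dies_at: Optional[int] = 30, data_at: int = 150,
                     horizon: int = 400) -> Tuple[Optional[int], Optional[str]]:
    """Primary peer dies silently at peer_dies_at; data is queued once, at data_at.
    Returns (second at which the SA moved to the backup peer, backup address)."""
    peers = [SimPeer("172.31.1.100", dies_at=peer_dies_at), SimPeer("172.31.1.200")]
    session = DpdSession(peers, mode, frequency, retry)
    for now in range(1, horizon + 1):
        new_peer = session.tick(now, data_to_send=(now == data_at))
        if new_peer:
            return now, new_peer
    return None, None


if __name__ == "__main__":
    for mode in ("periodic", "on-demand"):
        print(mode, "failover at", time_to_failover(mode))
```

Periodic mode fails over at t=48 (the 10 second interval expires at t=30, then six unanswered hellos 3 seconds apart); on-demand not until t=168, because nothing triggered a hello before the data arrived. Run it with the on-demand data sent at t=20 instead and the dead peer is never noticed at all, which is exactly the trade-off described above.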

Sunday 15 November 2009

IPSec - the basics

Following on from GRE (which I'll come back to on another occasion), IPsec is an IETF standard (originally RFC 2401 - 2412, since revised as RFC 4301 and its companions) which can be considered to be a 'suite' of protocols rather than a single one.

IPsec operates at the Network layer of the OSI model and can authenticate every packet, check the integrity of every packet, and provide confidentiality.

IPsec is available from IOS 11.3(T) and PIX OS 5.0 or later.

IPsec is made up of 3 components:
  1. Internet Key Exchange (IKE) - UDP port 500 (UDP 4500 when NAT traversal is in use), which is a framework for negotiating security parameters and authentication keys.
  2. Encapsulating Security Payload (ESP) - IP protocol 50 (a protocol number, not a port), which encrypts the payload (DES, 3DES or AES) and provides integrity and data authentication via an HMAC (HMAC-MD5 or HMAC-SHA-1).
  3. Authentication Header (AH) - IP protocol 51, which provides integrity and data authentication via an HMAC (HMAC-MD5 or HMAC-SHA-1) but no encryption. Because the AH HMAC also covers the outer IP header, AH does not survive NAT.
 If a firewall sits between the peers it must pass UDP 500 (and 4500) plus IP protocols 50 and 51; a rule that only opens ports is not enough.
 IPsec creates secure tunnels, known as Security Associations (SA), between 2 peers such as routers. SAs are unidirectional (a pair is needed for two-way traffic) and are established via ESP or AH.

Internet Key Exchange Overview
IPsec uses IKE to authenticate peers and to generate the symmetric encryption keys used for the data traffic.
The symmetric keys are derived from a shared secret produced by a Diffie-Hellman (DH) exchange, so the keys themselves never cross the wire.

IKE also manages the negotiation between peers of settings such as what data is to be protected, key strengths and the hash method to use (outlined later).

You can manually set the IPsec parameters for key generation, the refresh interval of the keys and the SA characteristics, however it is much easier (and safer, since manual keys never rekey by themselves) to have IKE configure this automatically. IKE does this within the ISAKMP (Internet Security Association and Key Management Protocol) framework.

IKE has 2 phases in its method for setting up an IPsec tunnel.
Phase 1 - Authenticates the peers so each knows the other is who it says it is, and builds the ISAKMP SA. Operates in either 'Main Mode' or 'Aggressive Mode'.
Phase 1.5 - optional (XAUTH); at this stage you can authenticate an actual user. This may be via a RADIUS server, local accounts on the terminating peer (i.e. the router), or other means.
Phase 2 - Establishes the actual IPsec SAs and operates in 'Quick Mode'.

IKE Modes
Main Mode - consists of 3 exchanges (6 messages). In the first, the initiator sends a proposal to the peer containing the encryption, authentication and key lifetime settings to use (amongst others), and the remote peer selects an acceptable proposal and replies.
In the second, DH public values and nonces are exchanged; the resulting shared secret keys all further communication inside the ISAKMP SA.
The 3rd exchange authenticates the ISAKMP session (pre-shared key, RSA signatures or RSA encrypted nonces); because it is already encrypted, the peer identities are never sent in the clear.
Once complete, phase 2 occurs.
Aggressive Mode - Everything (proposal, DH public value, nonce and identity) is sent in the first message and the remote peer responds with its own values plus its authentication hash, so only 3 messages are needed. The cost is that identities travel in the clear and, with pre-shared keys, the responder's hash can be captured and brute-forced offline, so aggressive mode with a weak PSK should be avoided.
Quick Mode - Within IKE phase 2, the IPsec SA is established, with the exchange protected by the ISAKMP SA built in phase 1.
Quick mode negotiates the SAs (transform set, keys and lifetimes) for the data to be exchanged.
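As an added example (written for this post, not taken from any IKE implementation), here is the phase 1 key material derivation in Python: both peers perform the Diffie-Hellman exchange over IKE group 2 (the 1024-bit MODP prime from RFC 2409) and then derive SKEYID and SKEYID_d/a/e as RFC 2409 section 5 specifies for pre-shared-key authentication, using HMAC-SHA1 as the prf. The nonces, cookies and pre-shared key are constructed values.

```python
"""Added example: IKE phase 1 key material from a Diffie-Hellman exchange.

Illustrative code written for this page, not Cisco's or any IKE
implementation. It uses the 1024-bit MODP prime of IKE group 2 (RFC 2409
section 6.2) and the pre-shared-key SKEYID derivation of RFC 2409 section 5
with HMAC-SHA1 as the prf. Nonces, cookies and the PSK are constructed.
"""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit MODP prime, generator 2
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    """Private exponent x and the public value g^x mod p sent in the KE payload."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x, peer_public):
    """Reject degenerate public values (0, 1, p-1) before computing g^xy mod p."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid DH public value from peer")
    return pow(peer_public, x, P)


def to_bytes(n):
    """Fixed-width big-endian encoding of a group element (128 bytes for group 2)."""
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_keys(psk, ni, nr, g_xy, cky_i, cky_r):
    """RFC 2409 section 5, pre-shared key authentication: SKEYID and derived keys."""
    skeyid = prf(psk, ni + nr)                                        # depends only on PSK + nonces
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")            # seeds phase 2 keys
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01") # authenticates ISAKMP msgs
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02") # encrypts ISAKMP msgs
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def run_exchange(psk=b"constructed-psk"):
    """Both peers derive identical keys; an eavesdropper only sees the public values."""
    xi, pub_i = dh_keypair()                       # initiator
    xr, pub_r = dh_keypair()                       # responder
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # constructed nonces
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # constructed cookies
    secret_i = dh_shared(xi, pub_r)                # initiator computes g^(xr*xi)
    secret_r = dh_shared(xr, pub_i)                # responder computes g^(xi*xr)
    keys_i = phase1_keys(psk, ni, nr, to_bytes(secret_i), cky_i, cky_r)
    keys_r = phase1_keys(psk, ni, nr, to_bytes(secret_r), cky_i, cky_r)
    return keys_i, keys_r


if __name__ == "__main__":
    ki, kr = run_exchange()
    print("keys match:", ki == kr)
    print("SKEYID_e:", ki["SKEYID_e"].hex())
```

Note that with pre-shared keys SKEYID depends only on the PSK and the two nonces, both of which an eavesdropper sees in aggressive mode alongside the responder's hash; that is the weakness mentioned above, and why a guessable PSK is dangerous there. Group 2 is shown because it was the common choice on IOS of this era; it is too weak for anything new, so prefer group 14 or larger.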

Thursday 5 November 2009

Generic Routing Encapsulation – GRE

  • GRE is IP protocol 47 (that's protocol NOT port - a firewall rule must permit protocol 47, not a TCP/UDP port)
  • GRE can encapsulate a wide variety of protocol packets inside IP tunnels
  • Creates virtual point-to-point links between routers (originally a Cisco development, now standardised in RFC 2784)
  • Uses IP for transport
  • Additional header supports any other layer 3 protocol in the payload (e.g. IPX, AppleTalk, et al)
  • Stateless - the tunnel end point doesn't keep any information on the state/availability of the remote end point, so a tunnel interface stays up/up even when the far end is gone unless GRE keepalives are configured
  • Offers NO security: no confidentiality, integrity checking or data authentication
  • Uses 24-byte overhead by default - 20-byte IP header plus 4-byte GRE header
  • The 4-byte base header contains the flag bits (checksum, key and sequence number present), the version number and the protocol type field; each of the optional checksum, key and sequence number fields adds a further 4 bytes when its flag is set
  • The protocol type field identifies the protocol of the payload using Ethertype values, e.g. 0x0800 indicates IP. This is the field that allows GRE to tunnel any protocol.
 Benefits:
  • Good at tunnelling
  • Supports multiple protocols
  • Allows routing protocols (OSPF, EIGRP) to be used across the tunnel
Costs:
  • Poor security - the only 'authentication' is the optional key field, which travels in plain text and is trivially copied
  • Cannot provide confidentiality, integrity or data authentication
GRE and IPSEC
  • GRE can be used in conjunction with IPsec
  • IPsec offers confidentiality via 3DES or AES (for example)
  • Authentication is provided via an HMAC such as HMAC-MD5 or HMAC-SHA-1
  • Integrity is provided by the same HMAC
  • IPsec is not perfect though: on its own it cannot carry IP multicast or broadcast, so routing protocols won't run directly over a plain IPsec tunnel
  • IPsec was designed to carry IP only, which is why GRE is used inside it for everything else
 Configure a basic GRE tunnel in IOS
  •  Here is a typical GRE tunnel config.
  • Each router needs needs a tunnel interface on the end points of the tunnel
  • Simplest type of tunnel
 R1(config)#int tu0
R1(config-if)#tunnel source S0/0
R1(config-if)#tunnel dest 192.168.20.1
R1(config-if)#ip address 172.16.10.1 255.255.255.0

R2(config)#int tu0
R2(config-if)#tunnel source s0/1
R2(config-if)#tunnel dest 192.168.10.1
R2(config-if)#ip address 172.16.10.2 255.255.255.0

*use the ? to inspect further options in tunnel interface mode

Note
  • The 'int tu0' cmd (short for 'interface Tunnel0') creates the GRE tunnel interface
  • 'ip address' is a network used exclusively by the tunnel end points
  • 'tunnel source' is a physical interface (or its address) on the local router
  • 'tunnel dest' (tunnel destination) is the IP of the physical interface on the remote router; here R1's S0/0 is assumed to be 192.168.10.1 and R2's S0/1 to be 192.168.20.1, and each must be reachable in the other's routing table or the tunnel stays down (check with 'show interfaces tunnel 0' and a ping across the 172.16.10.0/24 tunnel network)
  • Default mode of the tunnel is GRE/IP and so we have not needed to configure 'tunnel mode' in this example
  • GRE can pass OSPF/EIGRP so you use it in association with IPsec (which cannot) if you wish to distribute routing information. Don't let the routing protocol learn the route to the tunnel destination through the tunnel itself, or the tunnel will flap with recursive routing errors
  • Where you use IPsec and GRE the IPsec crypto map is assigned to the physical interface, NOT the tunnel interface
  • IPsec will be discussed in further detail later.
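As an added example for this post (mine, not Cisco's), the Python below builds and parses the packets the tunnel above would carry: an outer IPv4 header with protocol 47 from 192.168.10.1 to 192.168.20.1, the GRE header, and a constructed inner packet on the 172.16.10.0/24 tunnel network. It implements the base header from RFC 2784 plus the key and sequence number fields from RFC 2890, so you can see where the 24-byte overhead comes from and how much the optional fields add.

```python
"""Added example: build and parse GRE-in-IPv4 packets (RFC 2784 base header,
RFC 2890 key and sequence number extensions).

Written for this page, not Cisco code. The packets are constructed inline:
outer IPv4 192.168.10.1 -> 192.168.20.1 with protocol 47, carrying an inner
IPv4 packet on the 172.16.10.0/24 tunnel network from the config above.
"""
import socket
import struct

GRE_PROTOCOL = 47          # IP protocol number, not a port
ETHERTYPE_IPV4 = 0x0800    # GRE protocol type field uses Ethertype values
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000  # checksum / key / sequence present


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum, used by both the IPv4 header and the optional GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header; identification and TTL are constructed values."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = ones_complement_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def build_gre(payload: bytes, proto: int = ETHERTYPE_IPV4, key: int = None,
              seq: int = None, checksum: bool = False) -> bytes:
    """4-byte GRE base header plus 4 bytes for each optional field whose flag is set."""
    flags = ((FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0)
             | (FLAG_S if seq is not None else 0))
    hdr = struct.pack("!HH", flags, proto)        # flags + version (0), protocol type
    if checksum:
        hdr += b"\x00\x00\x00\x00"                # checksum placeholder + reserved1
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if checksum:                                  # over header + payload with the field zeroed
        csum = ones_complement_checksum(hdr + payload)
        hdr = hdr[:4] + struct.pack("!H", csum) + hdr[6:]
    return hdr + payload


def parse_gre(gre: bytes) -> dict:
    """Decode the GRE header; checksum_ok is None when no checksum is carried."""
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & 0x7:
        raise ValueError("GRE version %d is not plain GRE" % (flags & 0x7))
    out = {"proto": proto, "key": None, "seq": None, "checksum_ok": None}
    offset = 4
    if flags & FLAG_C:
        stored = struct.unpack("!H", gre[4:6])[0]
        zeroed = gre[:4] + b"\x00\x00" + gre[6:]
        out["checksum_ok"] = ones_complement_checksum(zeroed) == stored
        offset += 4
    if flags & FLAG_K:
        out["key"] = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_S:
        out["seq"] = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    out["header_len"] = offset
    out["payload"] = gre[offset:]
    return out


def tunnel_overhead(packet: bytes) -> int:
    """Bytes the outer IPv4 + GRE headers add to the inner packet (24 for plain GRE)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTOCOL:
        raise ValueError("outer packet is not IP protocol 47")
    return ihl + parse_gre(packet[ihl:])["header_len"]


def encapsulate(inner: bytes, **gre_opts) -> bytes:
    """Wrap an inner packet the way R1's tu0 would: outer IP (R1 -> R2) + GRE."""
    gre = build_gre(inner, **gre_opts)
    return ipv4_header("192.168.10.1", "192.168.20.1", len(gre), GRE_PROTOCOL) + gre


# Constructed inner packet: 172.16.10.1 -> 172.16.10.2, protocol 1 (ICMP), 8 dummy bytes
INNER = ipv4_header("172.16.10.1", "172.16.10.2", 8, 1) + b"\x00" * 8

if __name__ == "__main__":
    plain = encapsulate(INNER)
    keyed = encapsulate(INNER, key=0x1234, seq=1, checksum=True)
    print("plain GRE overhead:", tunnel_overhead(plain))
    print("checksum+key+seq overhead:", tunnel_overhead(keyed))
    print(parse_gre(keyed[20:]))
```

Note what is missing from the header: nothing binds a packet to its sender. Any host that can deliver IP protocol 47 to 192.168.20.1 with the same key value looks exactly like R1, which is why routing-protocol traffic over bare GRE wants IPsec around it, or at the very least an ACL on the physical interface restricting protocol 47 to the known peer address.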

Tuesday 27 October 2009

Cisco Intelligent Information Network

The Cisco Intelligent Information Network (IIN) is a framework that aims to align IT resources with business objectives across multiple products and infrastructure layers.

It aims to provide you with a road map to integrate resources and information assets, and to benefit from a truly converged network infrastructure.

IIN helps to reduce the maintenance costs of managing separate voice and data infrastructures.

IIN is achieved by following SONA as the architectural framework to guide your network development, taking advantage of Cisco Unified Communications products and allowing you to virtualise your applications and infrastructure across multiple sites. It results in greater speed, enables scalability and reduces costs.

To attain the goal of implementing IIN you need to progress through 3 phases:
i) Integrate the transport network
ii) Move to integrated services
iii) Finally, integrate the applications used in the enterprise.

Friday 23 October 2009

Cisco Service Orientated Network Architecture - SONA


[SONA layer diagram - courtesy of cisco.com]

Right then, the first topic you'll cover in each of the CCNP courses is SONA, or how Cisco would like you to set up your network in order to sell you everything in their portfolio :o)

It details the common services deployed in the network and aims to reduce the gap between resources and applications.

Advantages include:
  • Offers a structured path to IIN (the Intelligent Information Network - discussed later)
  • Provides an outline to build integrated systems across a converged network through 3 phases
  • Increases flexibility and efficiency in the business
SONA incorporates a Network Infrastructure layer, an Interactive Services layer and an Application layer.

That's about it. Visit cisco.com for more information.

Monday 5 October 2009

Collision Domains vs Broadcast Domains



Collision Domains

layer 1 of the OSI model

A hub is a single collision domain since it repeats every bit it receives on one interface out of every other interface.

A bridge is a two-interface device that creates 2 collision domains, since it forwards the traffic it receives on one interface only to the interface where the destination layer 2 device (based on its MAC address) is connected.

A bridge is considered an "intelligent hub" since it reads the destination MAC address in order to forward the traffic only to the interface where that address is connected.

A switch is a multi-interface bridge (not a multi-interface hub): every interface on a switch is its own collision domain. A 24-interface switch creates 24 collision domains (assuming every interface is connected to something; VLANs don't matter here since VLANs are a layer 2 concept, not layer 1 like collision domains).

Broadcast Domains

Layer 2 of the OSI model

A switch forms a single broadcast domain (provided there is only one VLAN), since broadcasts are a layer 2 concept (MAC address related). Routers don't forward layer 2 broadcasts, hence they separate broadcast domains; each VLAN on a switch is likewise its own broadcast domain.

With all this information, you can say that on the diagram this post refers to (not reproduced here) there are 2 broadcast domains (1 router that separates 2 LAN segments, each composed of one or many switches, with only 1 VLAN per segment).

There are 8 collision domains, one per pair of devices connected to each other (switch to router, switch to switch, switch to computer, etc.), since we are talking about a layer 1 concept (the physical connection).

Thursday 1 October 2009

Administrative Distance

Administrative distance is the measure used by Cisco routers to select the best path when there are two or more routes to the same destination prefix learned from different routing sources. Administrative distance expresses the trustworthiness of a routing source. Each routing protocol is ranked from most to least reliable (believable) using an administrative distance value, and a lower numerical value is preferred, e.g. an OSPF route with an administrative distance of 110 will be chosen over a RIP route with an administrative distance of 120. Note that administrative distance is only compared between routes to exactly the same prefix; longest prefix match is still applied first when forwarding, so a /24 learned via RIP still wins over a /16 learned via OSPF for addresses inside the /24. Administrative distance is also local to the router and is not carried in routing updates.
The following table gives the default administrative distances used by Cisco routers.

Route source                                                   Administrative distance
Directly connected route / static route using exit interface     0
Static route with next-hop IP address                            1
EIGRP summary route                                              5
External BGP                                                    20
Internal EIGRP                                                  90
IGRP                                                           100
OSPF                                                           110
IS-IS                                                          115
RIP                                                            120
EGP                                                            140
ODR                                                            160
External EIGRP                                                 170
Internal BGP                                                   200
Unknown (route is never installed)                             255

Tuesday 29 September 2009

Hexadecimal Conversion Table

Decimal-hexadecimal-binary conversion table

Dec Hex Bin   Dec Hex Bin   Dec Hex Bin   Dec Hex Bin

0 0 00000000   64 40 01000000   128 80 10000000   192 c0 11000000
1 1 00000001   65 41 01000001   129 81 10000001   193 c1 11000001
2 2 00000010   66 42 01000010   130 82 10000010   194 c2 11000010
3 3 00000011   67 43 01000011   131 83 10000011   195 c3 11000011
4 4 00000100   68 44 01000100   132 84 10000100   196 c4 11000100
5 5 00000101   69 45 01000101   133 85 10000101   197 c5 11000101
6 6 00000110   70 46 01000110   134 86 10000110   198 c6 11000110
7 7 00000111   71 47 01000111   135 87 10000111   199 c7 11000111
8 8 00001000   72 48 01001000   136 88 10001000   200 c8 11001000
9 9 00001001   73 49 01001001   137 89 10001001   201 c9 11001001
10 a 00001010   74 4a 01001010   138 8a 10001010   202 ca 11001010
11 b 00001011   75 4b 01001011   139 8b 10001011   203 cb 11001011
12 c 00001100   76 4c 01001100   140 8c 10001100   204 cc 11001100
13 d 00001101   77 4d 01001101   141 8d 10001101   205 cd 11001101
14 e 00001110   78 4e 01001110   142 8e 10001110   206 ce 11001110
15 f 00001111   79 4f 01001111   143 8f 10001111   207 cf 11001111
16 10 00010000   80 50 01010000   144 90 10010000   208 d0 11010000
17 11 00010001   81 51 01010001   145 91 10010001   209 d1 11010001
18 12 00010010   82 52 01010010   146 92 10010010   210 d2 11010010
19 13 00010011   83 53 01010011   147 93 10010011   211 d3 11010011
20 14 00010100   84 54 01010100   148 94 10010100   212 d4 11010100
21 15 00010101   85 55 01010101   149 95 10010101   213 d5 11010101
22 16 00010110   86 56 01010110   150 96 10010110   214 d6 11010110
23 17 00010111   87 57 01010111   151 97 10010111   215 d7 11010111
24 18 00011000   88 58 01011000   152 98 10011000   216 d8 11011000
25 19 00011001   89 59 01011001   153 99 10011001   217 d9 11011001
26 1a 00011010   90 5a 01011010   154 9a 10011010   218 da 11011010
27 1b 00011011   91 5b 01011011   155 9b 10011011   219 db 11011011
28 1c 00011100   92 5c 01011100   156 9c 10011100   220 dc 11011100
29 1d 00011101   93 5d 01011101   157 9d 10011101   221 dd 11011101
30 1e 00011110   94 5e 01011110   158 9e 10011110   222 de 11011110
31 1f 00011111   95 5f 01011111   159 9f 10011111   223 df 11011111
32 20 00100000   96 60 01100000   160 a0 10100000   224 e0 11100000
33 21 00100001   97 61 01100001   161 a1 10100001   225 e1 11100001
34 22 00100010   98 62 01100010   162 a2 10100010   226 e2 11100010
35 23 00100011   99 63 01100011   163 a3 10100011   227 e3 11100011
36 24 00100100   100 64 01100100   164 a4 10100100   228 e4 11100100
37 25 00100101   101 65 01100101   165 a5 10100101   229 e5 11100101
38 26 00100110   102 66 01100110   166 a6 10100110   230 e6 11100110
39 27 00100111   103 67 01100111   167 a7 10100111   231 e7 11100111
40 28 00101000   104 68 01101000   168 a8 10101000   232 e8 11101000
41 29 00101001   105 69 01101001   169 a9 10101001   233 e9 11101001
42 2a 00101010   106 6a 01101010   170 aa 10101010   234 ea 11101010
43 2b 00101011   107 6b 01101011   171 ab 10101011   235 eb 11101011
44 2c 00101100   108 6c 01101100   172 ac 10101100   236 ec 11101100
45 2d 00101101   109 6d 01101101   173 ad 10101101   237 ed 11101101
46 2e 00101110   110 6e 01101110   174 ae 10101110   238 ee 11101110
47 2f 00101111   111 6f 01101111   175 af 10101111   239 ef 11101111
48 30 00110000   112 70 01110000   176 b0 10110000   240 f0 11110000
49 31 00110001   113 71 01110001   177 b1 10110001   241 f1 11110001
50 32 00110010   114 72 01110010   178 b2 10110010   242 f2 11110010
51 33 00110011   115 73 01110011   179 b3 10110011   243 f3 11110011
52 34 00110100   116 74 01110100   180 b4 10110100   244 f4 11110100
53 35 00110101   117 75 01110101   181 b5 10110101   245 f5 11110101
54 36 00110110   118 76 01110110   182 b6 10110110   246 f6 11110110
55 37 00110111   119 77 01110111   183 b7 10110111   247 f7 11110111
56 38 00111000   120 78 01111000   184 b8 10111000   248 f8 11111000
57 39 00111001   121 79 01111001   185 b9 10111001   249 f9 11111001
58 3a 00111010   122 7a 01111010   186 ba 10111010   250 fa 11111010
59 3b 00111011   123 7b 01111011   187 bb 10111011   251 fb 11111011
60 3c 00111100   124 7c 01111100   188 bc 10111100   252 fc 11111100
61 3d 00111101   125 7d 01111101   189 bd 10111101   253 fd 11111101
62 3e 00111110   126 7e 01111110   190 be 10111110   254 fe 11111110
63 3f 00111111   127 7f 01111111   191 bf 10111111   255 ff 11111111