Wednesday, 27 January 2010

CCNP Revised track

Here it is folks! - https://learningnetwork.cisco.com/docs/DOC-6393

Cisco have announced the new structure for the CCNP and at first glance it looks good.

Reduced from 4 exams to 3, each 2 hours long (up from 90 minutes), the emphasis has shifted towards real-world application of the subject matter: design, deployment, verification and troubleshooting. Expect more configuration-type questions on the exams.

If you're like me and are unsure how the new exams affect your studies, you can use the Exam Configuration tool - http://www.cisco.com/web/learning/le3/le2/le37/le10/ccnp_exam_combo_tool.html - to work out how best to proceed.

For me, I'm taking my ISCW on Friday and am scheduled to start the BSCI in Feb. So long as I pass the exam first time, I think my track will be: BSCI + SWITCH + TSHOOT

So that'll still be 4 exams for me but what you gonna do when the firm is paying :o)

All the best with your studies!

Tuesday, 5 January 2010

ADSL Coding Techniques

ADSL has a number of line coding techniques:
i) Single Carrier - uses Carrierless Amplitude and Phase modulation (CAP) - proprietary
ii) Multiple Carrier - uses Discrete MultiTone modulation (DMT) - the multi-carrier standard
iii) Multiple Carrier with G.lite - a DMT variant with lower speeds that doesn't require a splitter at the subscriber end; the most popular method for the mass market

ADSL Data Rates

ADSL data rates are as follows:
Downstream -
ADSL = 8 Mbps at up to 18,000 ft
ADSL2 = 12 Mbps at up to 8,000 ft
ADSL2+ = 24 Mbps at up to 5,000 ft

Upstream -
1 Mbps upstream for all three (used mainly for requests and acknowledgements), hence 'asymmetric'.

Monday, 4 January 2010

DSL Distance Limits

DSL        Max Data Rate (down/up)   Distance (feet / km)
ADSL       8M / 1M                   18,000 / 5.5
VDSL       52M / 13M                 4,500 / 1.4
IDSL       144k / 144k               18,000 / 5.5
SDSL       768k / 768k               22,000 / 6.7
G.SHDSL    2.3M / 2.3M               28,000 / 8.5

Factors that affect distance:
Signal Attenuation - loss of signal strength with distance
Bridge Tap - an extra telephone wire with an unterminated end connected to the local loop; it causes noise and reflections and radiates power away, reducing the signal and therefore the speed
Load Coils - inductors placed in series along the local loop to improve voice quality on long loops; they attenuate the higher frequencies DSL uses and must be removed before DSL will work
Wire Gauge - thickness of the wire; higher speeds and longer reach need thicker (lower gauge number) wire
Impedance Mismatch - causes noise/echo on the line
Crosstalk - interference from signals on neighbouring pairs in the same bundle
AM Radio interference - AM broadcast frequencies overlap the band DSL uses
Fibre Optics - ADSL signals cannot pass through the analogue-to-digital-to-analogue conversion that occurs if a portion of the telephone circuit traverses fibre

DSL Variants

DSL variants differ in:
i) Nature - is it symmetrical or asymmetrical?
ii) Max Data Rate - i.e. the maximum speed deployed
iii) Line Coding Technology - the technique used to put the signal onto the copper wire
iv) Data/Voice Support - certain DSL types do not support data and voice (POTS) on the same pair at the same time
v) Max Distance - the distance DSL signals can span

DSL        Nature       Max Rate (down/up)   Data + POTS
ADSL       Asym         8M / 1M              Yes
RADSL      Asym         Adaptable            Yes
VDSL       Both         52M / 13M            Yes
IDSL       Sym          144k / 144k          No
SDSL       Sym          768k / 768k          No
HDSL       Sym          2M / 2M              No
G.SHDSL    Sym          2.3M / 2.3M          No

Digital Signals over Radio Waves

Frequency - the rate at which current (voltage) cycles occur, that is, the number of 'waves' per second, measured in hertz

Radio waves occupy the part of the electromagnetic spectrum between 1 kHz and 1 THz.
Cable uses part of this RF spectrum.
Cable can transmit simultaneously in both directions; the RF band is split into:
i) Downstream - Headend --> Subscriber, using 810 MHz of the RF band (50 --> 860 MHz)
ii) Upstream - Subscriber --> Headend, using 37 MHz of the RF band (5 --> 42 MHz)

The downstream band is split into channels (6 MHz each in the US, 7-8 MHz in Europe)
TV Spectrum:
VHF Low Band = TV channels 2-6
VHF Mid Band = TV channels 98, 99 and 14 to 22
VHF High Band = TV channels 7 to 13
Superband = TV channels 23 to 36
Hyperband = TV channels 37+

The upstream band is not divided into TV channels.

New Year - New Updates

Hello, the next few postings are going to be a dump of stats and figures relevant to typical questions that you'd expect to get on the exam.

Apologies if it's a bit dull/brief.

Cheers

Wednesday, 2 December 2009

IKE - Functions - Dead Peer Detection

Dead Peer Detection - used to detect a dead IKE peer and perform IKE peer failover.
- If a dead IKE peer is detected, the IKE SA and the IPsec SAs to that peer are torn down.
- DPD has 2 modes of operation:
    a) Periodic - a DPD hello is sent at the configured interval (e.g. every 10 seconds) unless the router has received traffic from the peer in the meantime. Detects a dead peer promptly, but all the hellos add network activity.
    b) On demand - the router sends a DPD hello only when it has data to send and has not heard from the peer within the interval. This reduces unnecessary network traffic, but you only find out there is a problem when data needs to be sent, not before.

- Implemented using:
  (config)# crypto isakmp keepalive seconds [retry-seconds] [periodic | on-demand]
   where seconds = number of seconds between DPD messages when no traffic has been heard from the peer (10-3600)
         retry-seconds = number of seconds between DPD retries when a DPD message goes unanswered (2-60)
         periodic = DPD messages are sent at regular intervals
         on-demand = DPD messages are sent only when there is traffic to send; this is the default behaviour when DPD is enabled

E.g. (config)# crypto isakmp keepalive 10 3 periodic

Having enabled DPD you can then specify a second remote peer within your IPsec crypto map for establishing the SA:
for example:
  (config)# crypto map TEST 10 ipsec-isakmp
  (config-crypto-map)# set peer 172.31.1.100 default
  (config-crypto-map)# set peer 172.31.1.200

The 'default' keyword indicates that this peer should be tried first when establishing an SA; the second peer is used if the first remote peer is detected to be dead.

Sunday, 15 November 2009

IPSec - the basics

Following on from GRE (which I'll come back to on another occasion), IPsec is an IETF standard (RFCs 2401 - 2412) which is best thought of as a 'suite' of protocols.

IPsec operates at the Network layer of the OSI model. It authenticates every packet, provides integrity checking for every packet, and can provide confidentiality.

IPsec is available from IOS 11.3(T) and PIX OS 5.0 or later.

IPsec is made up of 3 components:
  1. Internet Key Exchange (IKE) - UDP port 500, a framework for negotiating security parameters and establishing authentication keys.
  2. Encapsulating Security Payload (ESP) - IP protocol 50 (a protocol number, not a port), which encrypts the payload (DES, 3DES or AES) and provides integrity and data-origin authentication (HMAC-MD5 or HMAC-SHA-1).
  3. Authentication Header (AH) - IP protocol 51, which provides integrity and data-origin authentication (HMAC-MD5 or HMAC-SHA-1) but no encryption.
IPsec creates secure 'tunnels', known as Security Associations (SAs), between 2 peers such as routers. An SA is unidirectional, so a two-way tunnel needs a pair of SAs, and each SA uses either ESP or AH.
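The difference between what AH and ESP authenticate matters in practice, so here is an added example (my code, not from the original post) that builds a constructed IPv4 packet, computes an AH-style and an ESP-style ICV with HMAC-SHA1-96, and shows what happens to each when a NAT device rewrites the source address. It goes a little beyond the list above: the key, addresses and payload are made-up test values, ESP's encryption step is not modelled (only what its ICV covers), and the AH/ESP header layouts follow RFC 4302/4303.

```python
"""AH versus ESP integrity coverage (added example; not code from the original post).

Builds a constructed IPv4 packet and computes two ICVs with HMAC-SHA1-96:
an AH-style ICV (IP protocol 51) over the outer IP header with its mutable
fields zeroed, the AH header and the payload, and an ESP-style ICV (IP
protocol 50) over the SPI, sequence number and protected payload only.
It then shows what a NAT rewrite of the source address does to each.
Assumptions: the key, addresses and payload are made-up test values, and
ESP's encryption step is not modelled, only what its ICV covers.
"""
import hashlib
import hmac
import ipaddress
import struct

AUTH_KEY = b"constructed-hmac-key-not-for-real-use"   # assumed shared SA key


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 truncated to 96 bits, the ICV length IPsec uses with SHA-1."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (header checksum left at 0; not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ah_icv(ip_hdr: bytes, next_hdr: int, spi: int, seq: int, payload: bytes) -> bytes:
    """AH ICV: covers the outer IP header (mutable fields zeroed, as RFC 4302 requires),
    the AH header with its own ICV field zeroed, and the payload. Nothing is encrypted."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS / DSCP may be rewritten in transit
    h[6:8] = b"\x00\x00"      # flags and fragment offset
    h[8] = 0                  # TTL is decremented per hop
    h[10:12] = b"\x00\x00"    # header checksum changes with the TTL
    # AH header: next header, payload length (4 = 24 bytes/4 - 2), reserved, SPI, seq, zeroed ICV
    ah = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + bytes(12)
    return hmac_sha1_96(AUTH_KEY, bytes(h) + ah + payload)


def esp_icv(spi: int, seq: int, protected_payload: bytes) -> bytes:
    """ESP ICV: covers SPI, sequence number and the (normally encrypted) payload
    and trailer. The outer IP header is deliberately NOT covered."""
    return hmac_sha1_96(AUTH_KEY, struct.pack("!II", spi, seq) + protected_payload)


def nat_rewrite_src(ip_hdr: bytes, new_src: str) -> bytes:
    """What a NAT device does on egress: rewrite the source address."""
    h = bytearray(ip_hdr)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)


def demo() -> dict:
    payload = b"constructed TCP segment: telnet login in the clear"   # AH leaves this readable
    hdr = ipv4_header("10.1.1.1", "10.2.2.2", 51, 20 + 24 + len(payload))
    ah = ah_icv(hdr, 6, 0x100, 1, payload)
    esp = esp_icv(0x200, 1, payload)
    natted = nat_rewrite_src(hdr, "203.0.113.7")
    return {
        # AH fails verification once the outer source address changes; ESP does not care.
        "ah_ok_after_nat": hmac.compare_digest(ah, ah_icv(natted, 6, 0x100, 1, payload)),
        "esp_ok_after_nat": hmac.compare_digest(esp, esp_icv(0x200, 1, payload)),
        # Both detect a modified payload, and both bind the sequence number (anti-replay).
        "ah_detects_payload_change": not hmac.compare_digest(ah, ah_icv(hdr, 6, 0x100, 1, payload + b"!")),
        "esp_detects_seq_change": not hmac.compare_digest(esp, esp_icv(0x200, 2, payload)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and `ah_ok_after_nat` comes out False while `esp_ok_after_nat` is True: this is why AH cannot traverse NAT, whereas ESP can (with NAT-T on UDP 4500 to get the port translation that ESP itself lacks). Note also that AH only proves who sent the packet; the telnet payload is still readable by anyone on the path.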

Internet Key Exchange Overview
IPsec uses IKE to authenticate peers and to generate the symmetric encryption keys used for data traffic.
The symmetric keys are derived from a Diffie-Hellman (DH) exchange.

IKE also negotiates between the peers settings such as which traffic is to be protected, key strengths and the hash method to use (outlined later).

You can manually set the IPsec parameters (the keys, the key refresh interval and the SA characteristics), however it is much easier to have IKE negotiate them automatically. IKE does this using ISAKMP, the Internet Security Association and Key Management Protocol.

IKE has 2 phases when setting up an IPsec tunnel:
Phase 1 - Authenticates the peers so that each knows the other is who it claims to be, and establishes the IKE SA. Operates in either 'Main Mode' or 'Aggressive Mode'.
Phase 1.5 - Optional (Extended Authentication, XAUTH); at this stage an actual user can be authenticated, for example against a RADIUS server, local accounts on the terminating peer (i.e. the router), or other means.
Phase 2 - Establishes the actual IPsec SAs and operates in 'Quick Mode'.

IKE Modes
Main Mode - consists of 3 exchanges (6 messages). In the first, the initiator sends one or more proposals to the peer stating the encryption, authentication, hash and key-lifetime settings to use (amongst others), and the remote peer selects an acceptable proposal and replies.
In the second exchange DH public values and nonces are exchanged; from this point on all further IKE communication is encrypted within the initial IKE tunnel (SA).
The third exchange authenticates the ISAKMP session: identities are exchanged and verified, e.g. against the pre-shared key.
Once complete, phase 2 occurs.
Aggressive Mode - everything is sent in a single exchange (3 messages) and the remote peer responds accordingly; faster, but the identities go across before the channel is encrypted.
Quick Mode - within IKE Phase 2, the IPsec SAs are established, with the negotiation protected by the IKE SA set up in Phase 1.
Quick Mode negotiates the SAs (transform set, traffic to protect and keys) used for the data to be exchanged.
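To make the three Main Mode exchanges concrete, here is an added example (my code, not from the original post) that plays both peers through SA negotiation, DH + nonces and authentication, using the pre-shared-key key derivation and HASH_I / HASH_R construction from RFC 2409 section 5 with HMAC-SHA1 as the prf. Assumptions: the DH modulus is a toy value so the script runs instantly (a real peer negotiates an IKE group such as RFC 2409 group 2 or RFC 3526 group 14), the payloads are Python tuples rather than ISAKMP wire format, and the encryption of the third exchange under SKEYID_e is noted but not performed.

```python
"""IKEv1 Phase 1 main mode, traced message by message (added example; not
code from the original post). Follows the pre-shared-key key derivation and
HASH_I / HASH_R construction of RFC 2409 section 5 with prf = HMAC-SHA1.
Assumptions: toy DH modulus (NOT an IKE group); payloads are tuples, not
ISAKMP wire format; exchange 3 is not actually encrypted under SKEYID_e.
"""
import hashlib
import hmac
import os

P = 2**255 - 19   # assumed toy DH modulus for speed; real IKE uses a negotiated group
G = 2

# (encryption, hash, auth method, DH group, lifetime in seconds)
INITIATOR_OFFERS = [("aes-128", "sha1", "psk", "group2", 86400),
                    ("3des", "md5", "psk", "group2", 86400)]
RESPONDER_POLICY = {("3des", "md5", "psk", "group2", 86400)}


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class Peer:
    def __init__(self, ident: str, psk: str):
        self.id_b = ident.encode()          # IDii_b / IDir_b (identity payload body)
        self.psk = psk.encode()
        self.cky = os.urandom(8)            # CKY-I / CKY-R (ISAKMP cookies)
        self.nonce = os.urandom(16)         # Ni_b / Nr_b
        self.x = int.from_bytes(os.urandom(32), "big") % (P - 2) + 2
        self.gx = pow(G, self.x, P)         # DH public value sent in exchange 2

    def derive(self, gxy: bytes, cky_i: bytes, cky_r: bytes, ni: bytes, nr: bytes):
        """RFC 2409 s5: SKEYID for PSK auth, then SKEYID_d, SKEYID_a, SKEYID_e."""
        skeyid = prf(self.psk, ni + nr)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
        return skeyid, skeyid_d, skeyid_a, skeyid_e


def main_mode(init: Peer, resp: Peer, offers=INITIATOR_OFFERS, policy=RESPONDER_POLICY) -> dict:
    # Exchange 1: initiator offers SA proposals, responder picks the first acceptable one.
    msg1 = (init.cky, offers)
    chosen = next((p for p in msg1[1] if p in policy), None)
    if chosen is None:
        return {"exchange": 1, "error": "no proposal chosen"}
    msg2 = (resp.cky, chosen)
    sai_b = repr(offers).encode()           # SAi_b: body of the initiator's SA payload as sent
    cky_i, cky_r = msg1[0], msg2[0]

    # Exchange 2: DH public values and nonces; both sides now share g^xy and derive SKEYID*.
    msg3 = (init.gx, init.nonce)
    msg4 = (resp.gx, resp.nonce)
    ki = init.derive(i2b(pow(msg4[0], init.x, P)), cky_i, cky_r, msg3[1], msg4[1])
    kr = resp.derive(i2b(pow(msg3[0], resp.x, P)), cky_i, cky_r, msg3[1], msg4[1])
    gxi, gxr = i2b(msg3[0]), i2b(msg4[0])

    # Exchange 3: identities and authentication hashes (carried encrypted under SKEYID_e in real IKE).
    hash_i = prf(ki[0], gxi + gxr + cky_i + cky_r + sai_b + init.id_b)
    msg5 = (init.id_b, hash_i)
    if not hmac.compare_digest(msg5[1], prf(kr[0], gxi + gxr + cky_i + cky_r + sai_b + msg5[0])):
        return {"exchange": 3, "error": "HASH_I mismatch: initiator not authenticated"}
    hash_r = prf(kr[0], gxr + gxi + cky_r + cky_i + sai_b + resp.id_b)
    msg6 = (resp.id_b, hash_r)
    if not hmac.compare_digest(msg6[1], prf(ki[0], gxr + gxi + cky_r + cky_i + sai_b + msg6[0])):
        return {"exchange": 3, "error": "HASH_R mismatch: responder not authenticated"}
    return {"exchange": 3, "proposal": chosen, "ike_sa_keys_match": ki[3] == kr[3]}


if __name__ == "__main__":
    print(main_mode(Peer("r1.example", "s3cret"), Peer("r2.example", "s3cret")))
    print(main_mode(Peer("r1.example", "s3cret"), Peer("r2.example", "wrong")))
```

Two things to notice when you run it: a mismatched pre-shared key is only discovered at exchange 3 (the HASH_I check), after the DH work has already been done, which is exactly the symptom you see on a router as 'phase 1 fails after KE'; and SKEYID_e is identical on both sides without ever being sent, which is what lets Quick Mode run under the protection of the Phase 1 SA.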

Thursday, 5 November 2009

Generic Routing Encapsulation – GRE

  •  GRE is IP protocol 47 (that's a protocol number, NOT a port)
  • GRE can encapsulate a wide variety of protocol packets inside IP tunnels
  • Creates virtual point-to-point links between routers (originally a Cisco development, now standardised in RFC 2784)
  • Uses IP for transport
  • The additional header supports any other layer-3 protocol in the payload (e.g. IPX, AppleTalk, et al)
  • Stateless – the tunnel end point doesn't keep any information on the state/availability of the remote end point
  • Offers NO security: no confidentiality, integrity checking or data authentication
  • 24 bytes of overhead by default – a 20-byte IP header plus a 4-byte GRE header
  • The 4-byte header contains GRE flags indicating whether a checksum, key and sequence number are present, the version number, and the protocol type field. Each optional field that is present adds another 4 bytes.
  • The protocol type field identifies the protocol of the payload, e.g. 0x0800 indicates IP. This field is what allows GRE to tunnel any protocol.
 Benefits:
  •  Good at tunnelling
  •  Supports multiple protocols
  • Allows routing protocols (OSPF, EIGRP) to be run across the tunnel
Costs:
  • Poor security – the optional key field is the only form of 'authentication' and it is sent in plaintext
  • Cannot provide confidentiality, integrity or data authentication
GRE and IPsec
  •  GRE can be used in conjunction with IPsec
  •  IPsec offers confidentiality via 3DES or AES (for example)
  •  Authentication is provided via an HMAC such as HMAC-MD5 or HMAC-SHA-1
  •  Integrity is likewise via HMAC-MD5 or HMAC-SHA-1
  •  IPsec is not perfect though: on its own it does not carry IP multicast or broadcast, which routing protocols need (hence GRE)
  •  IPsec was designed to support IP only
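The header bullets and the 'no security' bullet above are easiest to believe once you have built a GRE packet yourself, so here is an added example (my code, not from the original post) that encodes and parses a GRE header per RFC 2784 with the RFC 2890 key and sequence-number fields, and then plays on-path attacker: swap the payload, recompute the optional checksum, and the receiver is none the wiser. The payload bytes and key value are made up.

```python
"""GRE header build, parse and tamper (added example; not code from the original post).

Encodes a GRE header (RFC 2784, plus the RFC 2890 key and sequence-number
fields) in front of a constructed payload, parses it back, and demonstrates
two points: the base header is 4 bytes (flags/version + protocol type) with
4 more bytes per optional field, and nothing in it protects the payload,
since the key is not secret and the checksum is not keyed.
Assumptions: the payload bytes and key value are made up.
"""
import struct
from typing import Optional

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # checksum / key / sequence-number present
ETHERTYPE_IPV4 = 0x0800                         # protocol type for an IPv4 payload


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int = ETHERTYPE_IPV4, checksum: bool = False,
                    key: Optional[int] = None, seq: Optional[int] = None) -> bytes:
    """Prepend a GRE header; optional fields appear in the order checksum, key, seq."""
    flags, opts = 0, b""
    if checksum:
        flags |= GRE_C
    if key is not None:
        flags |= GRE_K
        opts += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_S
        opts += struct.pack("!I", seq)
    hdr = struct.pack("!HH", flags, proto)      # version (low 3 bits) is 0 for plain GRE
    if checksum:
        # The checksum covers the whole GRE header and payload with the checksum field zeroed.
        csum = ones_complement_sum(hdr + bytes(4) + opts + payload)
        hdr += struct.pack("!HH", csum, 0)      # checksum + reserved1
    return hdr + opts + payload


def gre_parse(packet: bytes) -> dict:
    flags, proto = struct.unpack("!HH", packet[:4])
    fields, off = {"version": flags & 0x7, "protocol": proto}, 4
    if flags & GRE_C:
        fields["checksum"] = struct.unpack("!H", packet[off:off + 2])[0]
        off += 4
    if flags & GRE_K:
        fields["key"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & GRE_S:
        fields["seq"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    fields["header_len"], fields["payload"] = off, packet[off:]
    return fields


def gre_checksum_ok(packet: bytes) -> bool:
    """With a valid checksum in place, the one's-complement sum of the packet is zero."""
    return bool(struct.unpack("!H", packet[:2])[0] & GRE_C) and ones_complement_sum(packet) == 0


def tamper(packet: bytes, new_payload: bytes) -> bytes:
    """On-path attacker: keep flags, key and seq, swap the payload, recompute the checksum."""
    f = gre_parse(packet)
    return gre_encapsulate(new_payload, f["protocol"], "checksum" in f, f.get("key"), f.get("seq"))


def demo() -> dict:
    inner = b"\x45\x00" + b"constructed inner IPv4 packet"
    pkt = gre_encapsulate(inner, checksum=True, key=0xDEADBEEF, seq=7)
    forged = tamper(pkt, b"\x45\x00" + b"attacker-substituted inner packet")
    return {
        "base_header_len": len(gre_encapsulate(b"")),                 # 4 bytes
        "header_len_with_c_k_s": gre_parse(pkt)["header_len"],        # 4 + 4 + 4 + 4
        "protocol": gre_parse(pkt)["protocol"],
        "checksum_ok": gre_checksum_ok(pkt),
        "forged_checksum_ok": gre_checksum_ok(forged),                # attacker fixed it up
        "forged_keeps_key": gre_parse(forged)["key"] == 0xDEADBEEF,   # key was readable
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The forged packet passes the same checks as the genuine one, which is the whole of the 'poor security' bullet: the GRE key is a demultiplexing tag, not an authentication secret, and the checksum only catches accidental corruption. Anything that needs integrity or confidentiality has to come from IPsec wrapped around the GRE packet.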
 Configure a basic GRE tunnel in IOS
  •  Here is a typical GRE tunnel config
  • Each router needs a tunnel interface at its end of the tunnel
  • Simplest type of tunnel
R1(config)#interface Tunnel0
R1(config-if)#tunnel source Serial0/0
R1(config-if)#tunnel destination 192.168.20.1
R1(config-if)#ip address 172.16.10.1 255.255.255.0

R2(config)#interface Tunnel0
R2(config-if)#tunnel source Serial0/1
R2(config-if)#tunnel destination 192.168.10.1
R2(config-if)#ip address 172.16.10.2 255.255.255.0

(R1's Serial0/0 is assumed to be 192.168.10.1 and R2's Serial0/1 to be 192.168.20.1, matching the tunnel destinations above.)

*use ? to inspect further options in tunnel interface mode

Note
  • The 'interface Tunnel0' command creates the GRE tunnel interface
  • 'ip address' is a subnet used exclusively by the tunnel end points
  •  'tunnel source' is a physical interface (or its address) on the local router
  •  'tunnel destination' is the IP of the physical interface on the remote router
  •  The default tunnel mode is GRE over IP, so we did not need to configure the mode in this example
  • GRE can carry OSPF/EIGRP, so use it in association with IPsec (which cannot) if you wish to distribute routing information across the tunnel
  • Where you use IPsec with GRE, the IPsec crypto map is applied to the physical interface, NOT the tunnel interface (the alternative on newer IOS is an IPsec profile applied with 'tunnel protection' on the tunnel interface)
  • IPsec will be discussed in further detail later.