Posts tagged cisco
Stubby Post: Cisco Has Changed the Internet*
Mar 9th
* For definitions of “changed” and “Internet”
Today Cisco announced their new CRS-3 that replaces the CRS-1. The CRS-3 has some damn impressive numbers for sure with 322Tbps, or about 1 LOC/sec (that’s a Library of Congress per second). In three to five years, it might enable some technologies that we can’t use today, but I think “chang[ing] the Internet” is a bit of a stretch. I’m sure it’s ultra-cheap, too.
NBAR and HTTP Data Conversations
Mar 7th
I’m still working on the ONT test and doing labs, so I marked up a lab for me to work. I’m using the same setup as I did last time. The two routers are 3640s running 12.4(25b).
Part of the lab was to identify HTTP traffic coming into F0/0 and mark it as CS3. That’s pretty easy, right? Of course, the lab I made up was a little more complicated, but the point comes clear with a simpler example.
class-map match-all HTTP match protocol http ! policy-map PM-F0/0-IN class HTTP set dscp cs3 ! interface FastEthernet0/0 service-policy input PM-F0/0-IN
I fired off a small script on TestHost1 to repeatedly do NMap scans on TCP/80 of TestHost2 to generate some traffic.
root@bt:~#while ( true ) do nmap -sT -p 80 -v -n 172.16.2.101; done
I let that run for a while and checked out the service policy on F0/0; there were absolutely no matches on that class.
R1#sh policy-map int f0/0 input class HTTP
FastEthernet0/0
Service-policy input: PM-F0/0-IN
Class-map: HTTP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http
QoS Set
dscp cs3
Packets marked 0
I thought that was strange, so I kept the script running and captured the traffic coming out of S1/0. Looking at the packets in Wireshark showed that none of the HTTP packets were showing up as being marked as CS3; they’re all set to the default DSCP value.
No matter how many NMap scans cycled through, the class never incremented a bit. I let it run for two full minutes and generated a few hundred HTTP packets, but there was still nothing.
On a whim, I enabled NBAR protocol discovery on F0/0 to see if that would shed any light on my mess. Guess what I found. That’s right; there were no HTTP matches to NBAR, either. That makes sense since the class-map I defined uses the NBAR protocol. Alright, so it seems that it’s NBAR that doesn’t see the packets as HTTP, but why?
Looking through the packet captures again, I noticed that there was no real data in the streams. I saw the 3-way TCP handshake (a.k.a., my signature wrestling move) and then a RST,ACK. I only told NMap to check if the port was open, so I changed the while loop a bit and enabled version detection with the “-sV” flag. This time when I can the script, NMap was actually getting the HTTP banner. It was much traffic, but it was an actual HTTP conversation, so I checked NBAR again. Success! The same for the class, too.
For craps and smiles, I created a class-map that matched SIP, added it to the same policy-map, and set NMap after TCP/5060 without version detection. Without having a real SIP conversation, the class counters incremented as long as I was sending packets. That would seem unexpected until you realize that NBAR has some advanced knowledge of HTTP; you can actually match on URLs, hostnames, and MIME-types. I guess that means it also know when a real HTTP conversation is taking place.
To finish out the testing, I added an ACL to the router that matched any-any-eq-80. I made the class-map into a match-any and added the ACL. Since the ACL just matches the destination port and doesn’t care what the content is, every packet sent matched the class as expected. I remember reading several places and seeing a couple videos that said that you can use NBAR matching and ACLs interchangeably. That may not really be true when it comes to HTTP.
Send any Cisco learning credits questions my way.
QoS Pre-classify and Class-map Order
Mar 6th
I’m still studying for the ONT test, so I did some labs tonight. One of them was to demonstrate the qos pre-classify command for tunnel interfaces. When you have a packet sent over a GRE tunnel, the ToS field gets copied to the GRE packet, but there’s no way to see the original packet’s higher-level headers on the way out the interface. This can be a problem if your service policy needs to see protocol, port, IPs, etc. The fix for that is to enable qos pre-classify on the tunnel interface and cyrpto map; doing so will provide a copy of the original packet to the physical interface to classify the packet thoroughly.
Here’s the lab. I was testing from TestHost1 to TestHost2 and configuring R1 to do the pre-classification. Both R1 and R2 are 3640s running IOS 12.4(25b) and have a GRE tunnel between them.
I created a policy map that simply acknowledges the existence of ICMP packets; the router doesn’t do anything except match them in a class-map and smile at them on the way through. Here’s the snippet.
class-map ICMP match protocol icmp ! policy-map PM-S1/0-OUT class ICMP ! interface S1/0 service-policy output PM-S1/0-OUT ! interface tunnel 0 qos pre-classify
Not much going on there. We match ICMP using NBAR’s built-in protocols and do absolutely nothing. I did a few pings and noticed that there were no matches to the ICMP class and that all the packets were classified as class-default . I thought that the pre-classify wasn’t working, so I cursed for a while after making no progress at all. I had no idea what was wrong.
R1#sh policy-map int s1/0
Serial1/0
Service-policy output: PM-S1/0-OUT
Class-map: ICMP (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
5 minute rate 0 bps
Class-map: class-default (match-any)
467 packets, 39832 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
I need to stop here so people don’t get confused. The configuration that you see is correct; the problem was actually with the NBAR protocols in the class-map. As Jeremy Stretch notes at the bottom of this article, there’s some issue with matching NBAR protocols. I later used an extended ACL to match ICMP which worked. The same is true for the SSH stuff later. Back to the show.
Here’s what I wound up with after cursing a lot and making random configuration changes to get the blasted thing to work. Notice the order of the classes.
class-map match-any TUNNEL match protocol gre ! policy-map PM-S1/0-OUT class TUNNEL class ICMP
I know that order is going to be important, but these are matching two totally different things, so it shouldn’t matter, right? I checked out the policy-map again and saw that every packet was matching the TUNNEL class-map, and none were matching the ICMP class-map.
R1#sh policy-map int s1/0
Serial1/0
Service-policy output: PM-S1/0-OUT
Class-map: TUNNEL (match-any)
441 packets, 49392 bytes
5 minute offered rate 2000 bps
Match: protocol gre
441 packets, 49392 bytes
5 minute rate 2000 bps
Class-map: ICMP (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps
Match: access-group name ICMP
0 packets, 0 bytes
5 minute rate 0 bps
Class-map: class-default (match-any)
467 packets, 39832 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
I finally went downstairs, talked it over with my wife who is my rubber duck, and finally figured it wouldn’t hurt to change the order of the classes. Once I put ICMP before TUNNEL, it started matching. I thought that was odd, so I left ICMP and added an SSH class and put it after the TUNNEL class. I saw the ICMP match and the tunnel match, but I didn’t see a single match on SSH even though I was SSHed through (not to) the router.
R1#sh policy-map int s1/0
Serial1/0
Service-policy output: PM-S1/0-OUT
Class-map: ICMP (match-any)
252 packets, 28224 bytes
5 minute offered rate 0 bps
Match: access-group name ICMP
252 packets, 28224 bytes
5 minute rate 0 bps
Class-map: TUNNEL (match-any)
5 packets, 440 bytes
5 minute offered rate 0 bps
Match: protocol gre
5 packets, 440 bytes
5 minute rate 0 bps
Class-map: SSH (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps
Match: access-group name SSH
0 packets, 0 bytes
5 minute rate 0 bps
Class-map: class-default (match-any)
547 packets, 46588 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
When I moved SSH above TUNNEL, it started incrementing as it should. The best that I can tell is that both the original packet and the GRE packet are being evaluated when pre-classification is enabled. Since all the packets in the lab are going over a GRE tunnel, GRE will always be matched if you assess before everything else.
For the record, I did this lab twice – once with the GRE tunnel encrypted and once without encryption. The results of the pre-classification were the same in both attempts; GRE matches every time.
Send any ROUTE class vouchers questions my way.
Stubby post: ROUTE Cert Kit Giveaway
Mar 4th
Rofi at ITDualism is giving away a ROUTE cert kit to a random commenter. Swing by there and put your name in the hat.
ONT – Epic Fail
Feb 16th
I failed the ONT test today. It was an utter lack of subject matter knowledge that did me in from the beginning. When the first three questions mention things that I’ve never even heard, it’s going to be a long test. I’ll take blame on it for sure, but the test was a lot darker than I imagined it would be.
I heard from a couple people that the ONT test was the easiest of the 4 CCNP test. I must say today’s test was a LOT harder than the ISCW test I took back in December. Most of the questions were fair, but there were a few that were down-right evil or unanswerable. Without giving too much away, there were some matching questions that had multiple items with multiple answers, rendering the answer to a guess. I even ran into a CLI question about the WLC, which surely wasn’t mentioned anywhere I studied, and I don’t have a spare sitting around on which to test. The icing, though, was the number of questions about FRTS; I know I need to understand it, but the magical question dice landed on that topic way too many times in my opinion.
At the heart of it, I think my demise stemmed from using only the Cisco Press book. I really needed to get a wider exposure to the topics. Though the CP books might have mentioned some topics that I missed, a lot of it is mentioned in passing but appeared in detail on the test. I would think getting different training would fix that problem and I’ll be using some of our CLCs this week to do just that
The facility was great, though. I was comfortable and couldn’t hear traffic or the lecture across the hall this time. At least I know a good place to take tests now. I hope somebody gets some value from my absolute failure.
Send any test vouchers questions my way.
ONT Notes – WLAN Management
Feb 13th
Elements of Cisco Unified Wireless Network
- Client devices – Cisco compatible extensions on WLAN clients
- Mobility platform – allows configuration of LWAPs through WLCs
- Network unification – integration into the rest of the network with WLCs doing RF management, IPS, etc.
- World-class network management – centralized management through WCS
- Unified advanced services – supports advanced technologies and threat detection
WLAN Implementation
Autonomous and LWAP
| Category | Autonomous | LWAP |
|---|---|---|
| Access Point | Autonomous APs | LWAPs |
| Control | Individual configurations | Configuration through WLCs |
| Dependency | Independent operations | Dependent on WLC |
| Management | CiscoWorks WLSE and WDS | WCS |
| Redundancy | Through APs | Through WLCs |
Wireless LAN Services Engine (WLSE)
- Part of CiscoWorks
- Manages autonomous APs
- Centralized configuration, firmware, and radio management
- Autoconfig of new APs
- Misconfiguration and rogue AP alerts
- Proactive monitoring of APs, bridges, and 802.1x servers
- Supports SSH, HTTP, CDP, SNMP for up to 2500 APs
- WLSE Express supports 100 devices in either automatic or manual setups
Wireless Control System (WCS)
- Supports 50 WLCs and 1500 APs
- Three versions
- Base – can determine with which APs a devices in associated
- Location – Base plus RF fingerprinting
- Location + 2700 Series Wireless Location Appliance – Tracks devices in real time and stores historical location data
ONT Notes – 802.1x and Encryption on LWAPs
Feb 12th
- Traditional WLAN weaknesses
- SSID for security
- Vulnerable to rogue APs
- MAC filtering for security
- WEP
- WEP weaknesses
- Disribution of static keys is not scalable
- WEP keys can be cracked easily
- Vulnerable to dictionary attacks
- No protection against rogue APs
- Benefits of 802.1x
- Centralized authentication through Radius via AAA
- Mutual authentication between client and auth server
- Can use multiple encryption algorithms (AES, WPA, TKIP, WEP)
- Automatic dynamic WEP keys
- Roaming
- Requirements of 802.1x
- EAP-capable client (supplicant)
- 802.1x-capable AP (authenticator)
- EAP-capable auth server
| Feature | Cisco LEAP | EAP-FAST | EAP-TLS | PEAP-GTC | PEAP-MSCHAPv2 |
|---|---|---|---|---|---|
| User authentication DB | AD | AD, LDAP | OTP, LDAP, NDS, AD | OTP, LDAP, NDS, AD | AD |
| Requires server certs | No | No | Yes | Yes | Yes |
| Requires client certs | No | No | Yes | No | No |
| Single sign-on | Yes | Yes | Yes | No | Yes |
| Roaming | Yes | Yes | No | No | No |
| Works with WPA/WPA2 | Yes | Yes | Yes | Yes | Yes |
- WPA
- Features
- Authenticated key management – auths prior to key management
- Unicast and broadcast key management – keys are distributed and stored on the client and the AP
- TKIP and MIC
- Temporal Key Integrity Protocol (TKIP) – per-packet keying
- Message Integrity Checking (MIC) – integrity checking
- Initialization vector (IV) expansion – from 24 bits to 48 bits
- Shortcomings
- Relies on RC4
- Firmware support required in NICs, APs
- Susceptible to DoS attacks
- Dictionary attacks can discover PSKs
- Features
- WPA2
- Features
- 802.1x authentication or PSK
- Key distribution and renewal
- Proactive Key Caching (PKC) – allows roaming
- IDS for rogue APs and attacks
- Shortcomings
- Supplicant must have WPA2-compliance firmware
- AAA server must support EAP
- WPA2 uses more CPU, so a hardware upgrade may be required
- Older devices may not be upgradeable and must be replaced
- Features
| Mode | WPA | WPA2 |
|---|---|---|
| Enterprise | Auth: 802.1x/EAP Encryption: TKIP/MIC |
Auth: 802.1x/EAP Encryption: AES-CCMP |
| Personal |
Auth: PSK Encryption: TKIP/MIC |
Auth: PSK Encryption: AES-CCMP |
ONT Notes – QoS On Wireless Networks
Feb 10th
- Wireless LANs (WLANs)
- Extensions to wired LANs
- Carrier sense multiple access collision avoidance (CSMA/CA) as media access method
- Uses distributed coordinated function (DCF) for collision avoidance
- DCF is based on RF carrier sense, inter-frame spacing (IFS), and random wait timers
- Wifi QoS standards
- 802.11e
- IEEE standard
- 0-7 priority levels
- Wifi Multimedia (WMM)
- Four access categories
- Platinum (voice) – 6 or 7 802.11e
- Gold (video) – 4 or 5 802.11e
- Silver (BE) – 0 or 3 802.11e
- Bronze (Background) – 1 or 2 802.11e
- Four access categories
- WMM and 802.11e replace DCF with EDCF
- 802.11e
- Cisco Split-MAC
- Splits functions between Lightweight access points (LWAPs) and WLAN controllers (WLCs)
- LWAPs handle real-time functions
- Beacon generation
- Probe transmission and response
- Power management
- 802.11e/WMM scheduling and queuing
- Packet buffering
- Encryption/decryption
- Control frame/message processing
- WLCs handle non-real-time functions
- Association/disassociation/reassociation
- 802.11e/WMM resource reservation
- 802.1x EAP
- Key management
- Authentication
- Fragmentation
- Ethernet-WLAN bridging
- End-to-end QoS
- Step 1: WLC copies DSCP from switch to outer DSCP and outer 802.1p and sends to LWAP over LWAPP tunnel
- Step 2: LWAP copies outer DSCP from WLC to 802.11e/WMM field and sent to client
- Step 3: LWAP copies 802.11e/WMM value from the client to outer DSCP and sends it to WLC
- Step 4: WLC copies outer DSCP from WLAP to 802.1p (CoS) fields and sends it to the switch
- Web interface (do you even need to know this?)
- Controller>QoS Profiles
- Per-User Bandwidth Contracts – set avg data rate, burst data rate, avg real-time rate, and burst real-time rate
- Over the Air QoS
- Maximum RF usage per AP (%)
- Queue Depth – queue size before dropping packets
- Wired QoS Protocol – 802.1p or None
- Controller>WLANs>Edit
- For each WLAN ID, set the QoS value: plat, gold, silver, bronze
- WMM Policy
- Disabled – 802.11e/WMM QoS requests are ignored
- Allowed – 802.11e/WMM QoS requests are sent
- Required – 802.11e/WMM QoS requests are required
- Controller>QoS Profiles
ONT Notes – AutoQoS
Feb 10th
- AutoQoS benefits
- Automates QoS for most deployments
- Protects business-critical apps to maximize availability
- Simplifies QoS deployments
- Reduces configuration errors
- Cheaper, faster, and simpler deployments
- Follows DiffServ
- Allows complete control over QoS configs
- Allows modification of auto-generated configs
- AutoQoS phases of evolution
- AutoQoS VOIP – Early version that configures the basics without discovery
- AutoQoS for Enterprise – Second version that only runs on routers and uses two-step process
- Autodiscovery using NBAR
- Generation of class maps
- AutoQoS key elements
- Application classification
- Policy generation
- Configuration
- Monitoring and reporting
- Consistency
- Interfaces that you can configure AutoQoS on
- Serial ifs with PPP and HDLC
- FR point-to-point subifs (NOT multipoint)
- ATM point-to-point subifs
- FR-to-ATM links
- Prerequsites
- No Qos policy already configured on if
- CEF enabled on if
- Correct bandwidth configured on if
- IP address on low-speed if
- Configuring AutoQoS Enterprise on a router (NOT a switch)
- auto qos discovery – begins discovery process
- auto qos – generates and applies MQC-based policies
- Configuring AutoQoS VOIP
- auto qos voip [ trust | cisco-phone ]
- Verifying AutoQoS on router
- show auto discovery qos – get autodiscovery results
- show auto qos – examine configuration generated
- Number of classes
- Classification options
- Marking options
- Queuing mechanisms
- Other QoS mechanisms
- If, subif, PVC where policy is applied
- show policy-map interface – look at if stats
- Verify AutoQoS VOIP
- show auto qos
- show policy-map interface
- show mls qos maps – shows CoS to DSCP mappings
- Possible issues with AutoQoS
- Too many traffic classes – manually consolidate some
- Configuration doesn’t change – rerun AutoQoS
- Configuration may not fit your situation – fine-tune it by hand
- Fine-tuning AutoQoS
- Use QPM
- CLI
- copy policy into editor, change, reapply
- AutoQoS can match on characteristics besides ACLs and NBAR
- match input interface
- match cos
- match ip precedence
- match ip dscp
- match ip rtp
ONT Notes – Pre-classify and End-to-end QoS
Feb 3rd
- VPNs (Didn’t ISCW cover this?)
- Provide
- Confidentiality
- Integrity
- Authentication
- Types
- Remote-access
- Client-initiated
- NAS-initiated
- Site-to-site
- LAN-to-LAN
- Extranet
- Remote-access
- Provide
- L3 Tunneling protocols
- GRE
- IPSec
- Pre-classify allows traffic to be classified before being sent across a tunnel or crypto-ed.
- qos pre-classify
- Provides a view into the original IP headers
- To classify on pre-tunnel header, apply the policy to the tunnel interface WITHOUT pre-classify.
- To classify on post-tunnel header, apply the policy to the physical interface WITHOUT pre-classify.
- To classify on pre-tunnel header, apply the policy to the physical interface WITH pre-classify.
- SLA – agreement with provider to guarantee QoS mechanisms across their network based on your markings.
- Assures availability, loss, throughput, delay, and jitter.
- End-to-end QoS
- To be effective, each hop in the path must have QoS configured similarly.
- Necessary in three locations
- Campus – within the customer network
- The edges – customer facing the provider, provider facing customer
- On the provider network
- QoS tasks
- Campus access switches
- Speed/duplex settings
- Classification
- Trust
- Phone/access switch configs
- Multiple queues on switch ports, including priority for VOIP
- Campus distribution
- L3 policing and marking
- Multiple queues on switch ports, including priority for VOIP
- WRED
- WAN edge
- SLA definitions
- LLQ
- LFI
- WRED
- Shaping
- Provider cloud
- Capacity planning
- PHB
- LLQ
- WRED
- Campus access switches
- Enterprise campus QoS implementation
- Implement multiple queues to avoid congestion
- Assign VOIP and video to highest priority queue
- Esablish trust boundaries
- Use policing to rate-limit excess traffic
- Use hardware QoS when possible
- Control Plane Policing (CoPP)
- Applies QoS policy to traffic destined for the router
- Routing protocols
- Management protocols
- Can be used to avoid DOS attacks
- Applied to control-plane in global config
- Applies QoS policy to traffic destined for the router
