Index [ptgmedia.pearsoncmg.com]

A
AAA (Authentication, Authorization, Accounting)
  access modes, 495-496
  components of, 495
  configuring via CLI
    aaa accounting command, 503-504
    aaa authentication ppp command, 501
    aaa authorization command, 502
    aaa new-model command, 499
    RADIUS configuration, 498
    radius-server host command, 499
    radius-server key command, 501
    TACACS+ configuration, 499
    tacacs-server host command, 500
    tacacs-server key command, 501
    username root password command, 501
  configuring via SDM, 504-505, 508
  debugging, 510
    debug aaa accounting command, 512
    debug aaa authentication command, 511
    debug aaa authorization command, 511
    debug radius command, 512
    debug tacacs command, 513
aaa accounting command, AAA configuration, 503-504
aaa authentication ppp command, AAA configuration, 501
aaa authorization command, AAA configuration, 502
aaa new-model command, AAA configuration, 499
AAL5MUX (virtual circuit multiplexed PPP over AAL5), 131-134
AAL5SNAP (LLC encapsulated PPP over AAL5), 131-135
Access Layer (hierarchical network model), 17
access link failures, 358-359
access-class command, Telnet access security, 473
ACL (Access Control Lists)
  crypto ACL, configuring for site-to-site IPsec VPN, 297
  Interface ACL, configuring for site-to-site IPsec VPN, 299
ADSL (Asymmetrical DSL) connections, 89
  CAP, 90-91
  data transmission, 93
    PPP, 95
    PPPoA, 101-102
    PPPoE, 96-101
    RFC 1483/2684 bridging, 94
  DMT, 91-92
  G.Lite ADSL, 87
  G.Lite VDSL, 87
  physical connectivity, 151-152
  troubleshooting
    cable pinout issues, 154
    data link layer, 156-160
    dsl operating-mode auto command, 156
    flapping interfaces, 152
    LED, 154
    no shutdown command, 153
    physical layer, 150-156
    RADSL, 87
    show dsl interface command, 153
    show interface command, 153
    show ip interface brief command, 152
    supported DSL operating modes, 155-156
    tangled wires, 154
Advanced Firewall Wizard (SDM), 547, 550, 553-555
aggressive mode (IKE), 264
AH (Authentication Headers), 259
ALG (Application Layer Gateways), Cisco IOS Firewall, 524-526
amplifiers, cable connections, 55
amplitude, DSL connections, 84
antenna sites (cable connections), 56
anti-replay (IPsec), 258
AP (Access Points)
  DSAP, 133
  router security, 467-468
  SSAP, 133
Application Layer (SONA), 15
architectures (network)
  branch network architectures, 19-21
  cable networks, 65-66
  campus network architectures, 17-19
  data center architectures, 21
  enterprise edge architectures, 23-24
  SONA, 11-12
    Application Layer, 15
    interactive services layer, 13-15
    ISL, 13
    network infrastructure layer, 13
  teleworker architectures, 24-25, 33
    access methods, 41
    authentication, 42
    bandwidth, 41
    Business-Ready Teleworker, 36
    cable connections, 54-69
    connection management, 42
    connection requirements, 40
    corporate components, 43
    DSL connections, 81-102
    DSL connections, PPPoA, 130-141
    DSL connections, PPPoE, 113-123
    enterprise architecture frameworks, 37
    enterprise architecture frameworks, goals of, 38
    home office components, 43
    IIN, 36
    IP telephony, 43
    IPsec VPN, 42, 46
    QoS, 42
    Remote Access VPN, 42, 46
    remote connectivity, 38-39, 46
    security, 42
    traditional teleworkers versus business-ready teleworkers, 45
    video, 43
  WAN/MAN architectures, 25-26
ARP (Address Resolution Protocol)
  gratuitous ARP, router security threats, 440
  IP switching, MPLS, 180
  proxy ARP, router security threats, 440
asymmetric encryption, 267-269
ATM (Asynchronous Transfer Mode)
  Ethernet/ATM interfaces, PPPoE, 114-115
  pings, troubleshooting data link layers (ADSL connections), 157
  PPPoA configuration, 134-135
  PVC, 115
attack-drop.sdf ips-sdf command, IOS router IPS configuration, 573
attenuation (signal), DSL connections, 86
ATU-C (ADSL Transmission Unit-Central), DSL connections, 84
authentication. See also AAA (Authentication, Authorization, Accounting)
  data origin authentication, IPsec, 258
  GLA, Easy VPN, 382
  peer authentication, 262-263, 288
  RADIUS protocol, 497
  security authentication, logins, 469
632
  TACACS+ protocol, 497
  teleworker architectures, 42
  user authentication, Easy VPN, 384
  Xauth, Easy VPN, 382-383
Authentication phase (PPP), troubleshooting data link layers (ADSL connections), 157
Authentication Proxy (Cisco IOS Firewall), 529
Authentication tab (VPN Client), 419
authorization, 497. See also AAA (Authentication, Authorization, Accounting)
AutoSecure, router security, 441-443, 448-450

B
back office, 64
Backbone Layer (hierarchical network model). See Core Layer (hierarchical network model)
backup GRE tunnels, 341
Backup Servers tab (VPN Client), 422
backups (WAN), 368-369
bandwidth, teleworker architectures, 41
banners, 476-477
BGP (Border Gateway Protocol), IP switching, 179
biometrics, IPsec peer authentication, 262
block-for option (logins), 470
Bottom-of-Stack bit (MPLS labels), 192
bottom-up, 149-160
VPDN (Virtual Private Dialup Networks), 230
branch network architectures, 19-21
branch offices, remote network connection requirements, 27-28
bridge taps, DSL connections, 86
broadband cable connections, 54
business applications, Application Layer (SONA), 15
business-ready teleworkers versus traditional teleworkers, 45

C
C networks, MPLS VPN, 237
CA (Certification Authorities), PKI, 270
cable connections
  amplifiers, 55
  antenna sites, 56
  benefits of, 59
  broadband, 54
  cable modem provisioning process, 67-69
  CATV, 55, 58
  coaxial, 55, 58
  distribution networks, 57
  DOCSIS, 61-64
  downstream, 55
  drawbacks to, 66
  fiber optic cable, 86
  headends, 56, 65-66
  HFC, 55
  hybrid fiber-coaxial networks, 63-64
  interference, 58
  modulation, 56
  network architectures, 65-66
  nodes, 57
  NTSC cable system standard, 56
  PAL cable system standard, 56
  pinout issues, troubleshooting, ADSL connections, 154
  radio frequency signals, 59-61
  RF splitters, 66
  SECAM cable system standard, 56
  subscriber drops, 57
  taps, 55
  teleworker architectures, 41, 46
  transportation networks, 56
  upstream, 55, 66
cache-driven switching, 179
campus network architectures, 17-19
CAP (Carrierless Amplitude Phase), ADSL, 90-91
CATV (Community Antenna Television) cable connections, 55, 58
CE routers, MPLS VPN, 237-238
CEF (Cisco Express Forwarding)
  frame mode MPLS, configuring for, 211-214
  IOS switching, 179
  switching, MPLS, 180
cell mode MPLS (Multiprotocol Label Switching), 192
central sites, remote network connection requirements, 27
Character mode (AAA), 495-496
Checksum Present option (GRE headers), 334
Cisco IOS Firewall, 519
  ALG, 524-526
  Authentication Proxy, 529
  capabilities of, 531
  DMZ, 523-524
  IPS, 529
  layered device structure, 523-524
  packet filtering, 524-525
  recognized protocols list, 529-530
  stateful packet filtering, 524-528
CLI (Command Line Interface)
  AAA configuration
    aaa accounting command, 503-504
    aaa authentication ppp command, 501
    aaa authorization command, 502
    aaa new-model command, 499
    RADIUS configuration, 498
    radius-server host command, 499
    radius-server key command, 501
    TACACS+ configuration, 499
    tacacs-server host command, 500
    tacacs-server key command, 501
    username root password command, 501
  firewall configurations
    applying inspection rules to interface, 542
    inspection rules definitions, 541
    interface selection, 540
    IP ACL configuration, 541
    packet direction selection, 540
    verifying configuration, 543-544
  passwords, 472-473
  role-based, 480
    root view access, 482
    superview configuration, 483
  router access security, 466
CM (Cable Modems), 64
CMTS (Cable Modem Termination Systems), 64
coaxial cable connections, 55, 58
collaboration applications, Application Layer (SONA), 15
copy flash, 573-574
confidentiality (data), IPsec, 257
configuration mode, password configuration, 472
configure terminal command, 480
configuring
  AAA via CLI
    aaa accounting command, 503-504
    aaa authentication ppp command, 501
    aaa authorization command, 502
    aaa new-model command, 499
    RADIUS configuration, 498
    radius-server host command, 499
    radius-server key command, 501
    TACACS+ configuration, 499
    tacacs-server host command, 500
    tacacs-server key command, 501
    username root password command, 501
  AAA via SDM, 504-505, 508
  Easy VPN modes, 385
  Easy VPN servers, 385
    Easy VPN Server Wizard, 389-395
    SDM, 386
    user configuration, 388
  GRE tunnels, 335-336
  intrusion systems, 571
    commands, 572-574
    SDM, 576-582
    verification, 574-575
  site-to-site IPsec VPN
    applying crypto maps to interfaces, 298
    configuring crypto ACL, 297
    configuring crypto maps, 297
    configuring Interface ACL, 299
    configuring IPsec transform sets, 295-296
    configuring ISAKMP policies, 293
    SDM, 303-314
  VPN Client, 414, 418-424
Connection Entries screen (VPN Client), 419
connection signatures (intrusion systems), 570
control planes (MPLS architectures), 189
Core Layer (hierarchical network model), 17
corporate components, teleworker architectures, 43
CPE (Customer Premises Equipment), 113
  PPPoE on ATM interfaces configuration option, 114
  PPPoE on Ethernet interfaces configuration option, 114
  provider-facing interface, 114
  router configuration, 120-122, 136-140
  subscriber-facing interface, 114
crosstalk, DSL connections, 86
crypto ACL (Access Control Lists), configuring, 297
crypto ipsec security-association command, configuring IPsec transform sets, 296
crypto ipsec transform-set command, configuring IPsec transform sets, 296
crypto isakmp identity hostname command, Easy VPN, 383
crypto isakmp keepalive command, DPD, 361
crypto map command
  HSRP, 365
  site-to-site IPsec VPN, 298
crypto maps, 297-298

D
data center architectures, 21
data confidentiality (IPsec), 257
data integrity (IPsec), 257
data link layers (ADSL connections), troubleshooting, 156-160
data origin authentication (IPsec), 258
data planes (MPLS architectures), 189
data transfers, site-to-site IPsec VPN, 292
data transmission, ADSL, 93
  PPP, 95
  PPPoA, 101-102
  PPPoE, 96-101
  RFC 1483/2684 bridging, 94
DDoS (Distributed Denial of Service) attacks, 568
debug aaa accounting command, debugging AAA, 512
debug aaa authentication command, debugging AAA, 511
debug aaa authorization command, debugging AAA, 511
debug atm events command, troubleshooting data link layers (ADSL connections), 156
debug atm packets command, troubleshooting data link layers (ADSL connections), 156
debug crypto isakmp command, troubleshooting Easy VPN servers, 398
debug ip cef command, CEF configuration (frame mode MPLS), 214
debug ip cef events command, CEF configuration (frame mode MPLS), 214
debug ip inspect command, verifying firewall configurations, 544
debug mpls ldp bindings command, frame mode MPLS, 219-220
debug radius command, debugging AAA, 512
debug tacacs command, debugging AAA, 513
delay option (logins), 470
device failures, 358-359
DHCP (Dynamic Host Configuration Protocol), configuring DSL routers, 118-119
dialer interfaces
  PPPoA, configuring for, 135-136
  PPPoE, configuring for, 115
Dial-Up tab (VPN Client), 422
Diffie-Hellman key exchanges
  asymmetric encryption, 268-269
  site-to-site IPsec VPN, 287
digital certificates
  IPsec peer authentication, 262-263
  PKI, 270
discovery phase (PPPoE), 97-98
distributed mode CEF, configuring for frame mode MPLS, 211
Distribution Layer (hierarchical network model), 17
distribution networks, cable connections, 57
DMT (Discrete Multi-Tone), ADSL, 91-92
DMZ (Demilitarized Zones), firewalls, 435, 523-524
DOCSIS (Data-Over-Cable Service Interface Specifications), 61-64
DoS (Denial of Service) attacks, 568
DoS signatures (intrusion systems), 570
downstream
  cable connections, 55
  DSL connections, 84
DPD (Dead Peer Detection), 265, 360-361
DSAP (Destination Service Access Points), 133
DSL (Digital Subscriber Line) connections, 81
  ADSL, 89
    CAP, 90-91
    data transmission, 93-102
    DMT, 91-92
    G.Lite ADSL, 87
    PPP, 95
    PPPoA, 101-102
    PPPoE, 96-101
    RADSL, 87
    RFC 1483/2684 bridging, 94
    VDSL, 87
  amplitude, 84
  ATU-C, 84
  ATU-R, 84
  bridge taps, 86
  crosstalk, 86
  defining, 83
  downstream, 84
  DSLAM, 84
  fiber optic cable, 86
  frequency, 84
  impedance mismatch, 86
  interference, 86
  limitations of, 85
  line code, 84
  load coils, 85-86
  maximum data rates, 84
  microfilters, 84
  modulation, 84
  nature, 84
  NID, 85
  phases, 85
  POTS, 83-85
  PPPoA
    AAL5MUX, 131-134
    AAL5SNAP, 131-135
    ATM interface configuration, 134-135
    Cisco PPPoA, 131, 134
    configuration elements, 141
    CPE router configuration, 136-140
    DSL dialer configuration, 135-136
    router configuration, 130-134
    virtual template configuration, 136
  PPPoE
    configuration elements, 123
    configuring CPE routers, 120-122
    configuring DHCP for DSL routers, 118-119
    configuring dialer interfaces, 115
    configuring PAT, 116-118
    configuring static default routes for DSL routers, 119
    Ethernet/ATM interfaces, 114-115
    router configuration, 113-114
  SDSL, 87-88
  signal attenuation, 86
  teleworker architectures, 41, 46
  topologies, 113
  troubleshooting, 149
    cable pinout issues, 154
    data link layer, 156-160
    dsl operating-mode auto command, 156
    flapping interfaces, 152
    LED, 154
    no shutdown command, 153
    physical layer, 150-156
    show dsl interface command, 153
    show interface command, 153
    show ip interface brief command, 152
    supported DSL operating modes, 155-156
    tangled wires, 154
  upstreams, 85
  wavelengths, 85
  wire gauge, 86
DSLAM (DSL Access Multiplexers), 84, 113, 130

E
Easy VPN (Virtual Private Networks)
  connection establishment, 382
    establishing ISAKMP SA, 384
    GLA, 382
    IKE Phase 1, 383
    IPsec Quick mode, 385
    mode configuration, 385
    RRI, 385
    SA proposal acceptance, 384
    user authentication, 384
    Xauth, 382-383
  Remote, 379-381
  server configuration, 385
    Easy VPN Server Wizard, 389-395
    SDM, 386
    user configuration, 388
  server monitoring, 396-397
  server requirements, 381-382
  troubleshooting servers, 398-406
edge LSR (Label Switching Routers), 194
edge nodes, MPLS, 175
edge routers
  securing
    AutoSecure, 441-443, 448-450
    SDM, 443-447, 450-451
  security threats
    common management services, 438
    gratuitous/proxy ARP, 440
    path integrity mechanisms, 439
    probes/scans, 439-440
    terminal access security, 440
    unnecessary services/interfaces, 436-438
    vulnerable services, 436
egress nodes, MPLS, 175
EIGRP (Enhanced Interior Gateway Routing Protocol), GRE tunnels, 345
enable password, password configuration via
  configuration mode, 472
  setup mode, 471
enable secret command, password privilege levels, 478
enable secret password, password configuration via
  configuration mode, 472
  setup mode, 471
encryption
  IPsec, 256, 266
    asymmetric encryption, 267-269
    symmetric encryption, 267
  packet encryption, 497
  passwords, 475-476
enterprise edge architectures, 23-24
ESP (Encapsulating Security Payload), 258
Ethernet/ATM interfaces, PPPoE, 114-115
exec-timeout configuration option, 474
Experimental CoS field (MPLS labels), 192
exploit signatures (intrusion systems), 570
exploits (vulnerability), 568
export RT (Route Targets), 242

F
failed logins, 469
failover strategies (IPsec)
  stateful strategies, 360, 366-368
  stateless strategies, 359
    DPD, 360-361
    HSRP, 363-366
    IGP within GRE over IPsec tunnel, 362
failures (networks), 358-359
FIB (Forwarding Information Bases)
  CEF switching, MPLS, 180
  frame mode MPLS, 195-198
fiber optic cable
  DSL connections, 86
  teleworker architectures, 41
fiber-coaxial networks, 63-64
fiber-optic connections, teleworker architectures, 46
firewalls
  Cisco IOS Firewall, 519
    ALG, 524-526
    Authentication Proxy, 529
    capabilities of, 531
    DMZ, 523-524
    IPS, 529
    layered device structure, 523-524
    packet filtering, 524-525
    recognized protocols list, 529-530
    stateful packet filtering, 524-528
  CLI, configuring via
    applying inspection rules to interface, 542
    inspection rules definitions, 541
    interface selection, 540
    IP ACL configuration, 541
    packet direction selection, 540
    verifying configuration, 543-544
  DMZ, 435
  SDM, configuring via
    advanced firewalls, 547, 550, 553-555
    basic firewalls, 544, 547
flapping interfaces, 152
forward path (cable connections). See downstream, cable connections
frame mode MPLS (Multiprotocol Label Switching), 190, 193, 207
  CEF configuration, 211
    debug ip cef command, 214
    debug ip cef events command, 214
    distributed mode CEF, 211
    show ip cef command, 212-213
    show ip cef detail command, 213
  FIB, 195-198
  LFIB, 195-197
  LIB, 195-196, 202
  MPLS configuration
    mpls ip command, 214-215
    mpls label protocol command, 214-215
    no mpls ip command, 214
    sample configuration, 215-216
    tag-switching commands, 215
  MTU size configuration, 217
    debug mpls ldp bindings command, 219-220
    show mpls ldp neighbor command, 218
  show mpls forwarding-table command, 199
Frame Type field (AAL5SNAP), 133
framing physical layers (ADSL connections), 151
frequency, DSL connections, 84
full mesh topologies, WAN, 172

G
G.Lite ADSL, 87
G.SHDSL (Symmetric High-Data-Rate DSL), 88
GLA (Group Level Authentication), Easy VPN, 382
gratuitous ARP, router security threats, 440
GRE (Generic Routing Encapsulation) tunnels, 327
  backup tunnels, 341
  characteristics of, 332
  configuring, 335-336
  creating, 340
  EIGRP, 345
  headers, 333-335
  IGP within GRE over IPsec tunnel, 362
  IP multicast, 333
  IPsec VPN, 342-343
  OSPF, 345
  RIP, 344
  routing protocols, 333
  secure GRE tunnels, 336-337
  security, 332-333
  static routing, 343-344
  validating configurations, 346
GRE over IPsec Wizard
  GRE tunnels
    backup tunnels, 341
    creating, 340
    EIGRP, 345
    OSPF, 345
    RIP, 344
    static routing, 343-344
  IPsec VPN, 342-343
  launching, 339
  validating configurations, 346

H - I
HDSL (High-Data-Rate DSL), 88
HDSL2 (second-generation HDSL), 88
headends (cable connections), 56, 65-66
headers
  GRE tunnels, 333-335
  IPsec, 261
HFC (Hybrid Fiber-Coaxial) cable connections, 55
hierarchical network model, 16-17
home office components, teleworker architectures, 43
honeypots (intrusion systems), 570
HSRP (Hot Standby Router Protocol), IPsec
  stateful failover strategies, 366
  stateless failover strategies, 363-366
hub-and-spoke topologies, 170, 173
hybrid fiber-coaxial networks, 63-64

IDS (Intrusion Detection Systems), 567-568
  honeypots, 570
  malicious traffic identification, 569
  scope of, 568-569
  signatures
    connection, 570
    DoS, 570
    exploit, 570
    reactions, 571
    string, 570
    viewing via SDM, 582
IDSL (ISDN DSL), 88
IGP within GRE over IPsec tunnels, 362
IIN (Intelligent Information Networks), 9
  features of, 10
  integrated applications phase, 11
  integrated services phase, 10
  integrated transport phase, 10
  teleworker architectures, 36
IKE (Internet Key Exchange), 258
  aggressive mode, 264
  DPD, 265
  ISAKMP, 263
  main mode, 264
  mode configuration, 266
  NAT traversal, 265-266
  Oakley protocol, 263
  phases of, 263
  quick mode, 265
  transform sets, site-to-site IPsec VPN, 286-287
  Xauth, 266
impedance mismatch, DSL connections, 86
import RT (Route Targets), 242
ingress nodes, MPLS, 175
inside local/global addresses, PAT configuration, 116
Installation Directory (VPN Client), 417
integrated applications phase (IIN), 11
integrated services, remote network connection requirements, 28-29
integrated services phase (IIN), 10
integrated transport phase (IIN), 10
integrity (data), IPsec, 257
interactive services layer (SONA), 13-15
Interface ACL (Access Control Lists), configuring, 299
interference
  cable connections, 58
  DSL connections, 86
intrusion systems
  IDS, 567
    anomaly-based malicious traffic identification, 569
    connection signatures, 570
    DoS signatures, 570
    exploit signatures, 570
    honeypots, 570
    policy-based malicious traffic identification, 569
    scope of, 568-569
    signature-based malicious traffic identification, 569
    signatures, reactions to, 571
    signatures, viewing via SDM, 582
    string signatures, 570
  IPS, 567
    anomaly-based malicious traffic identification, 569
    connection signatures, 570
    DoS signatures, 570
    exploit signatures, 570
    honeypots, 570
    IOS router configuration, 571-575
    policy-based malicious traffic identification, 569
    scope of, 568-569
    SDM configuration, 576-582
    signature-based malicious traffic identification, 569
    signatures, reactions to, 571
    signatures, viewing via SDM, 582
    string signatures, 570
IOS routers
  as NIPS devices, 570
  IPS configuration, 571
    commands, 572-574
    verification, 574-575
IOS switching (CEF), 179
IP addresses, sockets, 117
ip inspect command, defining firewall inspection rules, 541
ip ips fail closed command, IOS router IPS configuration, 572
ip ips name command, IOS router IPS configuration, 574
ip ips name testips list 123 command, IOS router IPS configuration, 572
ip ips sdf builtin command, IOS router IPS configuration, 572
ip ips testips in command, IOS router IPS configuration, 573
IP multicast, GRE tunnels, 333
IP switching, MPLS
  ARP, 180
  BGP, 179
IP telephony, teleworker architectures, 43
ipc zone default command, IPsec stateful failover strategies, 368
IPS (Intrusion Prevention Systems), 529, 567-568
  honeypots, 570
  IOS router configuration, 571
    commands, 572-574
    verification, 574-575
  malicious traffic identification, 569
  scope of, 568-569
  SDM configuration, 576-582
  signatures
    connection, 570
    DoS, 570
    exploit, 570
    reactions, 571
    string, 570
    viewing via SDM, 582
IPS Wizard (SDM), 577-582
IPsec (IP Security), 251
  AH, 259
  anti-replay, 258
  data confidentiality, 257
  data integrity, 257
  data origin authentication, 258
  encryption, 256, 266-269
  ESP, 258
  GRE tunnels, 327
    backup tunnels, 341
    characteristics of, 332
    configuring, 335-336
    creating, 340
    EIGRP, 345
    headers, 333-335
    IP multicast, 333
    IPsec VPN, 342-343
    launching GRE over IPsec Wizard, 339
    OSPF, 345
    RIP, 344
    routing protocols, 333
    secure GRE tunnels, 336-337
    security, 332-333
    static routing, 343-344
    validating configurations, 346
  headers, 261
  IKE, 258
    aggressive mode, 264
    DPD, 265
    ISAKMP, 263
    main mode, 264
    mode configuration, 266
    NAT traversal, 265-266
    Oakley protocol, 263
    phases of, 263
    quick mode, 265
    Xauth, 266
  peer authentication, 262-263
  PKI, 270-271
  Quick mode, Easy VPN, 385
  site-to-site IPsec VPN, 283-285
    applying crypto maps to interfaces, 298
    configuring crypto ACL, 297
    configuring crypto maps, 297
    configuring Interface ACL, 299
    configuring IPsec transform sets, 295-296
    configuring ISAKMP policies, 293
    Diffie-Hellman key exchanges, 287
    IKE transform sets, 286-287
    IPsec transform sets, 289-291
    IPsec tunnel termination, 292
    monitoring tunnels, 314-316
    peer authentication, 288
    SA, 291-292
    SDM, 300-314
    secure data transfers, 292
    specifying interesting traffic, 284
  stateful failover strategies, 360, 366-368
  stateless failover strategies, 359
    DPD, 360-361
    HSRP, 363-366
    IGP within GRE over IPsec tunnels, 362
  transform sets
    configuring for site-to-site IPsec VPN, 295-296
    site-to-site IPsec VPN, 289-291
  transport mode, 259-260
  tunnel mode, 260
  VPN, 251
    GRE tunnels, 342-343
    teleworker architectures, 42, 46
    WAN backups, 368-369
ISAKMP (Internet Security Association and Key Management Protocol), 263, 293
ISL (Infrastructure Services Layer), SONA, 13

J - K - L
Key Present option (GRE headers), 334

labels (MPLS architectures), 175-177, 190
  Bottom-of-Stack bit, 192
  distributing, 199
    interim packet propagation, 201
    label allocation, 201
    LDP, 199-200
    packet propagation, 200
  Experimental CoS field, 192
  frame-mode MPLS, 193
  Label field, 191
  label stacks, 175, 192-193
  label swaps, 175
  PHP, 201
  structures of, 190
  TTL field, 192
LAN (Local Area Networks), VLAN, 230
layer 1 (ADSL connections). See physical layers (ADSL connections)
layer 1 VPN overlays, 230
Layer 2 remote connections, teleworker architectures, 38
layer 2 VPN overlays, 231
Layer 3 remote connections. See service provider MPLS VPN
layer 3 VPN overlays, 232
LCP (Link Control Protocol) phase (PPP), troubleshooting data link layers (ADSL connections), 157
LDP (Label Distribution Protocol), MPLS architectures, 189, 199-200
LED (light emitting diodes), troubleshooting ADSL connections, 154
LFIB (Label Forwarding Information Base), MPLS architectures, 189, 195-197
LHE (Local Headends), 65-66
LIB, frame mode MPLS, 195-196, 202
licensing agreements, VPN Client, 416
line code
  DSL connections, 84
  physical layers (ADSL connections), 151
load coils, DSL connections, 85-86
logins
  failed logins, 469
  password checks, 473
  routers, banners, 476-477
  security, 469-470
  show login command, 470
LSH (Label-Switched Hops), MPLS, 175
LSP (Label-Switched Paths)
  MPLS, 175
  MPLS VPN, 237
LSR (Label Switching Routers)
  edge LSR, 194
  MPLS, 175, 177-178

M
main mode (IKE), 264
malicious traffic identification (intrusion systems), 569
maximum data rates, DSL connections, 84
microfilters, DSL connections, 84
modems (cable), provisioning process, 67-69
modulation
  cable connections, 56
  DSL connections, 84
MPLS (Multiprotocol Label Switching) architectures, 170, 174, 185
  CEF switching, FIB, 180
  cell mode MPLS, 192
  control planes, 189
  data planes, 189
  domains, 175
  edge nodes, 175
  egress nodes, 175
  frame mode MPLS, 190, 207
    CEF configuration, 211-214
    FIB, 195, 197-198
    LFIB, 195-197
    LIB, 195-196, 202
    MPLS configuration, 214-216
    MTU size configuration, 217-220
    show mpls forwarding-table command, 199
  ingress nodes, 175
  labels, 176-177, 190
    Bottom-of-Stack bit, 192
    distributing, 199-200
    distributing, interim packet propagation, 201
    distributing, label allocation, 201
    distributing, packet propagation, 200
    Experimental CoS field, 192
    frame-mode MPLS, 193
    Label field, 191
    label stacks, 175, 192-193
    label swaps, 175
    PHP, 201
    structures of, 190
    TTL field, 192
  LDP, 189
  LFIB, 189
  LSH, 175
  LSP, 175
  LSR, 175-178, 194
  nodes, 175
  packets, role of, 176
  routers, role of, 176
  RSVP, 189
  standard IP switching
    ARP, 180
    BGP, 179
  TDP, 189
  TE, 192
  terminology of, 175
  VPN, 177, 192, 225, 229, 236
    C networks, 237
    CE routers, 237-238
    end-to-end routing updates, 242-243
    LSP, 237
    P networks, 237
    P routers, 237-239
    packet forwarding, 243-244
    PE routers, 237-239
    PHP, 237, 244
    PoP, 237
    RD, 237-241
    RT, 237, 242
    teleworker architecture remote connections, 39
    terminology of, 237
    VLAN, 230
    VPDN, 230
    VRF, 237
  VPN with TE, 192
mpls ip command, MPLS configuration (frame mode MPLS), 214-215
mpls label protocol command, MPLS configuration (frame mode MPLS), 214-215
MTU (Maximum Transmission Units), sizing, 217-220

N
NAT (Network Address Translation), PAT, 116-118
NAT traversal, 265-266
nature, DSL connections, 84
NCP (Network Control Protocol) phase (PPP), troubleshooting data link layers (ADSL connections), 157
networked infrastructure layer (SONA), 13
networks, 5
  branch network architectures, 19-21
  cable network architectures, 65-66
  campus network architectures, 17-19
  data center architectures, 21
  distribution networks, cable connections, 57
  enterprise edge architectures, 23-24
  failures, 358-359
  hierarchical network model, 16-17
  hybrid fiber-coaxial networks, 63-64
  IIN, 9
    features of, 10
    integrated applications phase, 11
    integrated services phase, 10
    integrated transport phase, 10
  remote connection requirements
    branch offices, 27-28
    central sites, 27
    integrated services, 28-29
    SOHO sites, 28
  requirements, 9
  SONA, 11-12
    Application Layer, 15
    interactive services layer, 13-15
    ISL, 13
    networked infrastructure layer, 13
  teleworker architectures, 24-25, 33
    access methods, 41
    authentication, 42
    bandwidth, 41
    Business-Ready Teleworker, 36
    cable connections, 54-69
    connection management, 42
    connection requirements, 40
    corporate components, 43
    DSL connections, 81-102
    DSL connections, PPPoA, 130-141
    DSL connections, PPPoE, 113-123
    enterprise architecture frameworks, 37
    enterprise architecture frameworks, goals of, 38
    home office components, 43
    IIN, 36
    IP telephony, 43
    IPsec VPN, 42, 46
    QoS, 42
    Remote Access VPN, 42, 46
    remote connectivity, 38-39, 46
    security, 42
    traditional teleworkers versus business-ready teleworkers, 45
    video, 43
  transportation networks, cable connections, 56
  VPN, MPLS, 177
  WAN/MAN architectures, 25-26
newsignatures.sdf command, IOS router IPS configuration, 573-574
NID (Network Interface Devices), DSL connections, 85
NIPS devices, IOS routers as, 570
NLPID (Network Layer Protocol Independent) field (SNAP headers), 133
no mpls ip command, MPLS configuration (frame mode MPLS), 214
no shutdown command, troubleshooting physical layer (ADSL connections), 153
nodes
  cable connections, 57
  MPLS, 175
NTSC (National Television Standards Committee) cable system standards, 56

O - P
Oakley protocol, 263
on-failure option (logins), 470
on-success option (logins), 470
orthogonal waveforms, 91
OSPF (Open Shortest Path First), GRE tunnels, 345
OTP (One-Time Passwords), IPsec peer authentication, 262
OUI (Organizationally Unique Identifier) field (SNAP headers), 133
outside local/global addresses, PAT configuration, 116

P networks, MPLS VPN, 237
P routers, MPLS VPN, 237-239
Packet mode (AAA), 495-496
packets
  encryption, 497
  filtering, 524-528
  forwarding, MPLS VPN, 243-244
  MPLS, role in, 176
PAL (Phase Alternating Line) cable system standards, 56
partial mesh topologies, WAN, 171
passwords
  best practices, 467
  CLI, 472-473
  configuration mode, configuring via, 472
  encryption, 475-476
  IPsec peer authentication, 262
  length restrictions, 474
  login command, checking via, 473
  OTP, IPsec peer authentication, 262
  privilege levels, 478-479
  router AP, 467-468
  setup mode, configuring via, 471-472
  unique passwords, 477-478
PAT (Port Address Translation), PPPoE, 116-118
path failures, 358-359
path-retransmit command, IPsec stateful failover strategies, 368
PE routers, MPLS VPN, 237-239
Peer-to-Peer VPN (Virtual Private Networks), 232-236
peers
  authentication, 262-263, 288
  DPD, 360-361
  PKI, 270
phases, DSL connections, 85
PHP (Penultimate Hop Pop)
  MPLS labels, 201
  MPLS VPN, 237, 244
physical layers (ADSL connections)
  dsl operating-mode auto command, 156
  framing, 151
  line coding, 151
  physical connectivity, 151-152
  PMD sublayers, 151
  supported DSL operating modes, 155-156
  TC sublayers, 151
  troubleshooting, 150-151
    cable pinout issues, 154
    dsl operating-mode auto command, 156
    flapping interfaces, 152
    LED, 154
    no shutdown command, 153
    show dsl interface command, 153
    show interface command, 153
    show ip interface command, 152
    supported DSL operating modes, 155-156
    tangled wires, 154
physical security, routers, 483
pings (ATM), troubleshooting data link layers (ADSL connections), 157
PKI (Public Key Infrastructure)
  CA, 270
  digital certificates, 270
  distribution mechanism, 270
  message exchange process, 271
  peers, 270
  RA, 270
PMD (physical medium dependent) sublayers (physical layers), 151
PoP (Post Office Protocol), MPLS VPN, 237
ports
  numbers, sockets, 117
  PAT, PPPoE, 116-118
POTS (Plain Old Telephone Service), DSL connections, 83-85
PPP (Point-to-Point Protocol)
  ADSL, 95
    PPPoA, 101-102
    PPPoE, 96-101
  data link layers (ADSL connections), troubleshooting, 157-160
PPPoA (Point-to-Point Protocol over ATM)
  AAL5MUX, 131-134
  AAL5SNAP, 131-135
  ADSL, 101-102
  Cisco PPPoA, 131, 134
  DSL connections
    ATM interface configuration, 134-135
    configuration elements, 141
    CPE router configuration, 136-140
    DSL dialer configuration, 135-136
    router configuration, 130-134
    virtual template configuration, 136
PPPoE (Point-to-Point Protocol over Ethernet)
  ADSL, 96-101
  configuration elements, 123
  discovery phase, 97-98
  DSL connections
    configuring CPE routers, 120-122
    configuring DHCP for DSL routers, 118-119
    configuring dialer interfaces, 115
    configuring PAT, 116-118
    configuring static default routes for DSL routers, 119
    DSL topologies, 113
    Ethernet/ATM interfaces, 114-115
    router configuration, 113-114
  framing components, 100
  optimizing MTU, 100-101
  session phase, 99
  session variables, 99-100
PPPoE on ATM interfaces configuration option (CPE), 114
PPPoE on Ethernet interfaces configuration option (CPE), 114
preempt command, HSRP, 364
preshared keys, IPsec peer authentication, 262
privilege levels (passwords), 478-479
process switching, 179
provider-facing interface (CPE), 114
proxy ARP, router security threats, 440
PVC (Permanent Virtual Circuits), 115
Q - RQoS (Quality of Service), teleworker
architectures, 42quick mode (IKE), 265Quick Setup option (Site-to-Site VPN
Wizard), 306-307quiet-mode option (logins), 470
RA (Registration Authorities), PKI, 270radio frequency signals, cable connections,
59-61RADIUS protocol, 496
authentication, 497
RADIUS protocol
644
authorization, 497debugging AAA, 512interoperability, 498multiprotocol support, 497packet encryption, 497router management, 497UDP, 496
radius-server host command, AAA configuration, 499
radius-server key command, AAA configuration, 501
RADSL (Rate-Adaptive DSL), 87RD (Route Distinguishers), MPLS VPN,
237-241recon attacks, 569redundancy
costs of, 174WAN, 173
redundancy inter-device command, IPsec stateful failover strategies, 368
redundant hub-and spoke topologies, WAN, 173
Remote Access VPN, teleworker architectures, 42, 46
remote connectivitynetwork requirements
branch offices, 27-28central sites, 27integrated services, 28-29SOHO sites, 28
teleworker architectures, 46Layer 2 connections, 38service provider MPLS VPN, 39site-to-site VPN, 39
remote peer failures, 358-359
retransmit-timeout command, IPsec stateful failover strategies, 368
returns (cable connections). See upstream (cable connections)
reverse paths (cable connections). See upstream (cable connections)
RF splitters, cable connections, 66
RFC 1483/2684 bridging, ADSL, 94
RFC 2364
  AAL5MUX option, 131-132
  AAL5SNAP option, 131-133
  PPPoA option, 131, 134
RIP, GRE tunnels, 344
RJ-11 connectors, troubleshooting, 154
role-based CLI, 480
  root view access, 482
  superview configuration, 483
root view access (role-based CLI), 482
routers
  access, security, 466
  AP, security, 467-468
  banners, 476-477
  CE routers, MPLS VPN, 237-238
  CPE configuration
    PPPoA, 136-140
    routers, 120-122
  DSL routers, configuring, 118-119
  IOS
    IPS configuration, 571-575
    routers as NIPS devices, 570
    switching, 179
  LSR
    edge LSR, 194
    MPLS, 175-178
  MPLS, role in, 176
  P routers, MPLS VPN, 237-239
  PE routers, MPLS VPN, 237-239
  physical security, 483
  RADIUS protocol, 497
  securing
    AutoSecure, 441-443, 448-450
    SDM, 443-447, 450-451
  security threats
    common management services, 438
    gratuitous/proxy ARP, 440
    path integrity mechanisms, 439
    probes/scans, 439-440
    terminal access security, 440
    unnecessary services/interfaces, 436-438
    vulnerable services, 436
  TACACS+ protocol, 497
routing protocols, GRE tunnels, 333
RRI (Reverse Route Injection), Easy VPN, 385
RSA, asymmetric encryption, 267
RSVP (Resource Reservation Protocol), MPLS architectures, 189
RT (Route Targets)
  export RT, 242
  import RT, 242
  MPLS VPN, 237, 242
S

SA (Security Associations), site-to-site IPsec VPN, 291-292
scope (intrusion systems), 568-569
SDM (Security Device Manager)
  AAA configuration, 504-505, 508
  Advanced Firewall Wizard, 547, 550, 553-555
  Easy VPN server configuration, 386
  firewall configurations
    advanced firewalls, 547, 550, 553-555
    basic firewalls, 544, 547
  intrusion system configuration, 576-582
  IPS Wizard, 577-582
  One-Step Lockdown Wizard, router security, 447, 450-451
  router security, 443
    access security, 466
    SDM One-Step Lockdown Wizard, 447, 450-451
    SDM Security Audit Wizard, 444-447
  Security Audit Wizard, router security, 444-447
  site-to-site IPsec VPN, 300-304
  Site-to-Site VPN Wizard, 305-314
  testing IPsec VPN tunnels, 314
SDSL (Symmetrical DSL), 87-88
SECAM (System Electronic Couleur avec Memoire) cable system standards, 56
secure GRE tunnels, 336-337
security
  authentication, logins, 469
  GRE tunnels, 332-333
  logins
    block-for option, 470
    delay option, 470
    failed logins, 469
    on-failure option, 470
    on-success option, 470
    quiet-mode option, 470
    security authentication, 469
  passwords
    best practices, 467
    checking via login command, 473
    CLI, 472-473
    configuring via configuration mode, 472
    configuring via setup mode, 471-472
    encryption, 475-476
    length restrictions, 474
    privilege levels, 478-479
    router AP, 467-468
    unique passwords, 477-478
  routers
    access, 466
    physical security, 483
  teleworker architectures, 42
  Telnet, accessing, 473
  timeout options, configuring, 474
Sequence Number option (GRE headers), 334
service password-encryption utility, 476
service provider MPLS VPN, teleworker architecture remote connections, 39
session phase (PPPoE), 99
session variables (PPPoE), 99-100
setup mode, password configuration, 471-472
show crypto isakmp sa command, monitoring Easy VPN servers, 396
show dsl interface command, troubleshooting physical layer (ADSL connections), 153
show interface command, troubleshooting physical layer (ADSL connections), 153
show ip cef command, CEF configuration (frame mode MPLS), 212-213
show ip cef detail command, CEF configuration (frame mode MPLS), 213
show ip inspect all command, verifying firewall configurations, 543
show ip inspect command, verifying firewall configurations, 543
show ip interface brief command, troubleshooting physical layers (ADSL connections), 152
show ip ips configuration command, IOS router IPS configuration, 574
show login command, 470
show mpls forwarding-table command, 199
show mpls ldp neighbor command, frame mode MPLS, 218
show running-config, password privilege levels, 479
signal attenuation, DSL connections, 86
signatures (intrusion systems)
  connection, 570
  DoS, 570
  exploit, 570
  reactions, 571
  string, 570
  viewing via SDM, 582
site-to-site VPN (Virtual Private Networks)
  IPsec VPN, 283-285
    applying crypto maps to interfaces, 298
    configuring crypto ACL, 297
    configuring crypto maps, 297
    configuring Interface ACL, 299
    configuring IPsec transform sets, 295-296
    configuring ISAKMP policies, 293
    Diffie-Hellman key exchanges, 287
    IKE transform sets, 286-287
    IPsec transform sets, 289-291
    IPsec tunnel termination, 292
    monitoring tunnels, 314-316
    peer authentication, 288
    SA, 291-292
    SDM, 300-314
    secure data transfers, 292
    specifying interesting traffic, 284
    teleworker architecture remote connections, 39
    testing tunnels, 314
  overview of, 282
  Site-to-Site VPN Wizard, 305
    Quick Setup option, 306-307
    Step-by-Step Setup option, 307
      define connection settings, 308
      define IKE proposals, 309
      define IPsec transform sets, 310-311
      define protected traffic, 311-314
SNAP headers, 133
SNMP (Simple Network Management Protocol), router access security, 466
sockets, 117
SOHO sites, remote network connection requirements, 28
SONA (Service-Oriented Network Architecture), 11-12
  Application Layer, 15
  interactive services layer, 13-15
  ISL, 13
  networked infrastructure layer, 13
splitters
  POTS splitters, DSL connections, 85
  RF splitters, cable connections, 66
SSAP (Source Service Access Points), 133
SSO (Stateful Switchover), stateful failover strategies (IPsec), 366
stateful failover strategies (IPsec), 360, 366-368
stateful packet filtering, Cisco IOS Firewall, 524
stateless failover strategies (IPsec), 359
  DPD, 360-361
  HSRP, 363-366
  IGP within GRE over IPsec tunnels, 362
static default routes, configuring for DSL routers, 119
static routing, GRE tunnels, 343-344
Step-by-Step Setup option (Site-to-Site VPN Wizard), 307
  define connection settings, 308
  define IKE proposals, 309
  define IPsec transform sets, 310-311
  define protected traffic, 311-314
string signatures (intrusion systems), 570
subscriber drops, cable connections, 57
subscriber-facing interface (CPE), 114
superviews (role-based CLI), 483
symmetric encryption, IPsec, 267
T

TACACS+ protocol
  authentication, 497
  authorization, 497
  debugging AAA, 513
  interoperability, 498
  multiprotocol support, 497
  packet encryption, 497
  router management, 497
  TCP, 496
tacacs-server host command, AAA configuration, 500
tacacs-server key command, AAA configuration, 501
tag-switching commands, MPLS configuration (frame mode MPLS), 215
tangled wires, troubleshooting ADSL connections, 154
taps, cable connections, 55
TC (transmission convergence) sublayers (physical layers), 151
TCP (Transfer Control Protocol), TACACS+ protocol, 496
TDP (Tag Distribution Protocol), MPLS architectures, 189
TE (Traffic Engineering), MPLS TE, 192
teleworker architectures, 24-25, 33
  Business-Ready Teleworker, 36
  cable connections
    amplifiers, 55
    antenna sites, 56
    benefits of, 59
    broadband, 54
    cable modem provisioning process, 67-69
    CATV, 55, 58
    coaxial, 55, 58
    distribution networks, 57
    DOCSIS, 61-64
    downstream, 55
    drawbacks to, 66
    headends, 56, 65-66
    HFC, 55
    hybrid fiber-coaxial networks, 63-64
    interference, 58
    modulation, 56
    network architectures, 65-66
    nodes, 57
    NTSC cable system standard, 56
    PAL cable system standard, 56
    radio frequency signals, 59-61
    RF splitters, 66
    SECAM cable system standard, 56
    subscriber drops, 57
    taps, 55
    transportation networks, 56
    upstream, 55, 66
  connection management, 42
  connection requirements, 40
    access methods, 41
    authentication, 42
    bandwidth, 41
    IPsec VPN, 42
    QoS, 42
    Remote Access VPN, 42
    security, 42
  corporate components, 43
  DSL connections, 81
    ADSL, 87-91
    amplitude, 84
    ATU-C, 84
    ATU-R, 84
    bridge taps, 86
    crosstalk, 86
    defining, 83
    downstream, 84
    DSLAM, 84
    fiber optic cable, 86
    frequency, 84
    impedance mismatch, 86
    interference, 86
    limitations of, 85
    line code, 84
    load coils, 85-86
    maximum data rates, 84
    microfilters, 84
    modulation, 84
    nature, 84
    NID, 85
    phases, 85
    POTS, 83
    POTS splitters, 85
    PPPoA, 130-141
    PPPoE, 113-123
    SDSL, 87
    signal attenuation, 86
    upstreams, 85
    wavelengths, 85
    wire gauge, 86
  enterprise architecture frameworks, 37-38
  home office components, 43
  IIN, 36
  IP telephony, 43
  remote connectivity
    IPsec VPN, 46
    Layer 2 connections, 38
    Remote Access VPN, 46
    service provider MPLS VPN, 39
    site-to-site VPN, 39
  traditional teleworkers versus business-ready teleworkers, 45
  video, 43
Telnet, 473
testing IPsec VPN tunnels, 314
timeout options, configuring, 474
topologies
  DSL, 113
  full mesh, WAN, 172
  hub-and-spoke
    redundant hub-and-spoke, 173
    WAN, 170
  partial mesh, WAN, 171
topology-driven switching, 179
transferring data, site-to-site IPsec VPN, 292
transport mode (IPsec), 259-260
Transport tab (VPN Client), 420-421
transportation networks, cable connections, 56
Trojan horses, 568
troubleshooting
  ADSL connections
    cable pinout issues, 154
    data link layer, 156-160
    dsl operating-mode auto command, 156
    flapping interfaces, 152
    LED, 154
    no shutdown command, 153
    physical connectivity, 151-152
    physical layer, 150-156
    show dsl interface command, 153
    show interface command, 153
    show ip interface brief command, 152
    supported DSL operating modes, 155-156
    tangled wires, 154
  data link layers (ADSL connections), 156-160
  DSL connections, 149
    cable pinout issues, 154
    data link layer, 156-160
    dsl operating-mode auto command, 156
    flapping interfaces, 152
    LED, 154
    no shutdown command, 153
    physical layer, 150-156
    show dsl interface command, 153
    show interface command, 153
    show ip interface brief command, 152
    supported DSL operating modes, 155-156
    tangled wires, 154
  Easy VPN servers, 398-406
  physical layers (ADSL connections), 150-151
    cable pinout issues, 154
    dsl operating-mode auto command, 156
    flapping interfaces, 152
    LED, 154
    no shutdown command, 153
    show dsl interface command, 153
    show interface command, 153
    show ip interface brief command, 152
    supported DSL operating modes, 155-156
    tangled wires, 154
  RJ-11 connectors, 154
TTL field (MPLS labels), 192
tunnel mode (IPsec), 260
tunnels
  IPsec VPN tunnels, monitoring, 314-316
  site-to-site IPsec VPN, IPsec tunnel termination, 292
U - V

UDP (User Datagram Protocol), RADIUS protocol, 496
unique passwords, 477-478
Unity protocol, 381
upstream (cable connections), 55, 66, 85
user authentication, Easy VPN, 384
user configuration, Easy VPN server configuration, 388
username root password command, AAA configuration, 501
usernames, IPsec peer authentication, 262
validating GRE over IPsec configurations, 346
VDSL (Very-High-Bit-Rate DSL), 87
video, teleworker architectures, 43
virtual templates, configuring for PPPoA, 136
virtual terminal password (password configuration via setup mode), 471
viruses, 567
VLAN (Virtual Local-Area Networks), 230
VPN (Virtual Private Networks)
  Easy VPN, 379
    connection establishment, 382-385
    Remote, 379-381
    server configuration, 385-395
    server monitoring, 396-397
    server requirements, 381-382
    troubleshooting servers, 398-406
  IPsec VPN, 251
    GRE tunnels, 342-343
    teleworker architectures, 42, 46
    WAN backups, 368-369
  layer 1 VPN overlays, 230
  layer 2 VPN overlays, 231
  layer 3 VPN overlays, 232
  MPLS VPN, 177, 192, 225, 229-230, 236
    C networks, 237
    CE routers, 237-238
    end-to-end routing updates, 242-243
    LSP, 237
    P networks, 237
    P routers, 237, 239
    packet forwarding, 243-244
    PE routers, 237-239
    PHP, 237, 244
    PoP, 237
    RD, 237-241
    RT, 237, 242
    terminology of, 237
    VPDN, 230
    VRF, 237
  MPLS VPN with TE, 192
  Peer-to-Peer VPN, 232
    benefits of, 234
    drawbacks of, 234-236
    redundant connections, 235
  Remote Access VPN, teleworker architectures, 42, 46
  site-to-site IPsec VPN, 283-285
    applying crypto maps to interfaces, 298
    configuring crypto ACL, 297
    configuring crypto maps, 297
    configuring Interface ACL, 299
    configuring IPsec transform sets, 295-296
    configuring ISAKMP policies, 293
    Diffie-Hellman key exchanges, 287
    IKE transform sets, 286-287
    IPsec transform sets, 289-291
    IPsec tunnel termination, 292
    monitoring tunnels, 314-316
    peer authentication, 288
    SA, 291-292
    SDM, 300-314
    secure data transfers, 292
    specifying interesting traffic, 284
  site-to-site VPN
    overview of, 282
    teleworker architecture remote connections, 39
  VPN Client
    Authentication tab, 419
    Backup Servers tab, 422
    configuring, 414, 418-424
    Connection Entries screen, 419
    Dial-Up tab, 422
    Installation Directory, 417
    installing, 414-417
    licensing agreements, 416
    Transport tab, 420-421
    Welcome screen, 415
VRF (Virtual Routing and Forwarding) tables, MPLS VPN, 237
vulnerabilities (networks), 358-359
vulnerability exploits, 568
W

WAN (Wide Area Networks)
  backups, IPsec VPN, 368-369
  full mesh topologies, 172
  hub-and-spoke topologies, 170, 173
  MPLS, 170, 174
    CEF switching, 180
    domains, 175
    edge nodes, 175
    egress nodes, 175
    ingress nodes, 175
    label stacks, 175
    label swaps, 175
    labels, 175-177
    LSH, 175
    LSP, 175
    LSR, 175-178
    nodes, 175
    packets, 176
    routers, 176
    standard IP switching, 179-180
    terminology of, 175
    VPN, 177
  partial mesh topologies, 171
  redundancy, 173-174
WAN/MAN (wide-area network/metropolitan-area network) architectures, 25-26
waveforms. See modulation, cable connections
wavelengths, DSL connections, 85
Web interfaces, router access security, 466
Welcome screen (VPN Client), 415
wire gauge, DSL connections, 86
wizards
  Advanced Firewall Wizard (SDM), 547, 550, 553-555
  Easy VPN Server Wizard, 389-395
  GRE over IPsec Wizard
    backup GRE tunnels, 341
    creating GRE tunnels, 340
    EIGRP, 345
    IPsec VPN, 342-343
    launching, 339
    OSPF, 345
    RIP, 344
    static routing, 343-344
    validating configurations, 346
  IPS Wizard (SDM), 577-582
  SDM One-Step Lockdown Wizard, router security, 447, 450-451
  SDM Security Audit Wizard, router security, 444-447
  Site-to-Site VPN Wizard, 305
    Quick Setup option, 306-307
    Step-by-Step Setup option, 307-314
worms, 568
X - Y - Z

Xauth, 266, 382-383