Index [ptgmedia.pearsoncmg.com]

Index

A

AAA (Authentication, Authorization, Accounting)
    access modes, 495-496
    components of, 495
    configuring via CLI
        aaa accounting command, 503-504
        aaa authentication ppp command, 501
        aaa authorization command, 502
        aaa new-model command, 499
        RADIUS configuration, 498
        radius-server host command, 499
        radius-server key command, 501
        TACACS+ configuration, 499
        tacacs-server host command, 500
        tacacs-server key command, 501
        username root password command, 501
    configuring via SDM, 504-505, 508
    debugging, 510
        debug aaa accounting command, 512
        debug aaa authentication command, 511
        debug aaa authorization command, 511
        debug radius command, 512
        debug tacacs command, 513
aaa accounting command, AAA configuration, 503-504
aaa authentication ppp command, AAA configuration, 501
aaa authorization command, AAA configuration, 502
aaa new-model command, AAA configuration, 499
AAL5MUX (virtual circuit multiplexed PPP over AAL5), 131-134
AAL5SNAP (LLC encapsulated PPP over AAL5), 131-135
Access Layer (hierarchical network model), 17
access link failures, 358-359
access-class command, Telnet access security, 473
ACL (Access Control Lists)
    crypto ACL, configuring for site-to-site IPsec VPN, 297
    Interface ACL, configuring for site-to-site IPsec VPN, 299
ADSL (Asymmetrical DSL) connections, 89
    CAP, 90-91
    data transmission, 93
        PPP, 95
        PPPoA, 101-102
        PPPoE, 96-101
        RFC 1483/2684 bridging, 94
    DMT, 91-92
    G.Lite ADSL, 87
    G.Lite VDSL, 87
    physical connectivity, 151-152
    RADSL, 87
    troubleshooting
        cable pinout issues, 154
        data link layer, 156-160
        dsl operating-mode auto command, 156
        flapping interfaces, 152
        LED, 154
        no shutdown command, 153
        physical layer, 150-156
        show dsl interface command, 153
        show interface command, 153
        show ip interface brief command, 152
        supported DSL operating modes, 155-156
        tangled wires, 154

Advanced Firewall Wizard (SDM), 547, 550, 553-555
aggressive mode (IKE), 264
AH (Authentication Headers), 259
ALG (Application Layer Gateways), Cisco IOS Firewall, 524-526
amplifiers, cable connections, 55
amplitude, DSL connections, 84
antenna sites (cable connections), 56
anti-replay (IPsec), 258
AP (Access Points)
    DSAP, 133
    router security, 467-468
    SSAP, 133
Application Layer (SONA), 15
architectures (network)
    branch network architectures, 19-21
    cable networks, 65-66
    campus network architectures, 17-19
    data center architectures, 21
    enterprise edge architectures, 23-24
    SONA, 11-12
        Application Layer, 15
        interactive services layer, 13-15
        ISL, 13
        network infrastructure layer, 13
    teleworker architectures, 24-25, 33
        access methods, 41
        authentication, 42
        bandwidth, 41
        Business-Ready Teleworker, 36
        cable connections, 54-69
        connection management, 42
        connection requirements, 40
        corporate components, 43
        DSL connections, 81-102
        DSL connections, PPPoA, 130-141
        DSL connections, PPPoE, 113-123
        enterprise architecture frameworks, 37
        enterprise architecture frameworks, goals of, 38
        home office components, 43
        IIN, 36
        IP telephony, 43
        IPsec VPN, 42, 46
        QoS, 42
        Remote Access VPN, 42, 46
        remote connectivity, 38-39, 46
        security, 42
        traditional teleworkers versus business-ready teleworkers, 45
        video, 43
    WAN/MAN architectures, 25-26
ARP (Address Resolution Protocol)
    gratuitous ARP, router security threats, 440
    IP switching, MPLS, 180
    proxy ARP, router security threats, 440
asymmetric encryption, 267-269
ATM (Asynchronous Transfer Mode)
    Ethernet/ATM interfaces, PPPoE, 114-115
    pings, troubleshooting data link layers (ADSL connections), 157
    PPPoA configuration, 134-135
    PVC, 115
attack-drop.sdf ips-sdf command, IOS router IPS configuration, 573
attenuation (signal), DSL connections, 86
ATU-C (ADSL Transmission Unit-Central), DSL connections, 84
authentication. See also AAA (Authentication, Authorization, Accounting)
    data origin authentication, IPsec, 258
    GLA, Easy VPN, 382
    peer authentication, 262-263, 288
    RADIUS protocol, 497
    security authentication, logins, 469

    TACACS+ protocol, 497
    teleworker architectures, 42
    user authentication, Easy VPN, 384
    Xauth, Easy VPN, 382-383
Authentication phase (PPP), troubleshooting data link layers (ADSL connections), 157
Authentication Proxy (Cisco IOS Firewall), 529
Authentication tab (VPN Client), 419
authorization, 497. See also AAA (Authentication, Authorization, Accounting)
AutoSecure, router security, 441-443, 448-450

B

back office, 64
Backbone Layer (hierarchical network model). See Core Layer (hierarchical network model)
backup GRE tunnels, 341
Backup Servers tab (VPN Client), 422
backups (WAN), 368-369
bandwidth, telework architectures, 41
banners, 476-477
BGP (Border Gateway Protocol), IP switching, 179
biometrics, IPsec peer authentication, 262
block-for option (logins), 470
Bottom-of-Stack bit (MPLS labels), 192
bottom-up, 149-160
BPDN (Virtual Private Dialup Networks), 230
branch network architectures, 19-21
branch offices, remote network connection requirements, 27-28
bridge taps, DSL connections, 86
broadband cable connections, 54
business applications, Application Layer (SONA), 15
business-ready teleworkers versus traditional teleworkers, 45

C

C networks, MPLS VPN, 237
CA (Certification Authorities), PKI, 270
cable connections
    amplifiers, 55
    antenna sites, 56
    benefits of, 59
    broadband, 54
    cable modem provisioning process, 67-69
    CATV, 55, 58
    coaxial, 55, 58
    distribution networks, 57
    DOCSIS, 61-64
    downstream, 55
    drawbacks to, 66
    fiber optic cable, 86
    headends, 56, 65-66
    HFC, 55
    hybrid fiber-coaxial networks, 63-64
    interference, 58
    modulation, 56
    network architectures, 65-66
    nodes, 57
    NTSC cable system standard, 56
    PAL cable system standard, 56
    pinout issues, troubleshooting, ADSL connections, 154
    radio frequency signals, 59-61
    RF splitters, 66
    SECAM cable system standard, 56
    subscriber drops, 57
    taps, 55
    teleworker architectures, 41, 46
    transportation networks, 56
    upstream, 55, 66
cache-driven switching, 179
campus network architectures, 17-19
CAP (Carrierless Amplitude Phase), ADSL, 90-91
CATV (Community Antenna Television) cable connections, 55, 58
CE routers, MPLS VPN, 237-238
CEF (Cisco Express Forwarding)
    frame mode MPLS, configuring for, 211-214
    IOS switching, 179
    switching, MPLS, 180
cell mode MPLS (Multiprotocol Label Switching), 192
central sites, remote network connection requirements, 27
Character mode (AAA), 495-496
Checksum Present option (GRE headers), 334
Cisco IOS Firewall, 519
    ALG, 524-526
    Authentication Proxy, 529

    capabilities of, 531
    DMZ, 523-524
    IPS, 529
    layered device structure, 523-524
    packet filtering, 524-525
    recognized protocols list, 529-530
    stateful packet filtering, 524-528
CLI (Command Line Interface)
    AAA configuration
        aaa accounting command, 503-504
        aaa authentication ppp command, 501
        aaa authorization command, 502
        aaa new-model command, 499
        RADIUS configuration, 498
        radius-server host command, 499
        radius-server key command, 501
        TACACS+ configuration, 499
        tacacs-server host command, 500
        tacacs-server key command, 501
        username root password command, 501
    firewall configurations
        applying inspection rules to interface, 542
        inspection rules definitions, 541
        interface selection, 540
        IP ACL configuration, 541
        packet direction selection, 540
        verifying configuration, 543-544
    passwords, 472-473
    role-based, 480
        root view access, 482
        superview configuration, 483
    router access security, 466
CM (Cable Modems), 64
CMTS (Cable Modem Termination Systems), 64
coaxial cable connections, 55, 58
collaboration applications, Application Layer (SONA), 15
copy flash, 573-574
confidentiality (data), IPsec, 257
configuration mode, password configuration, 472
configure terminal command, 480
configuring
    AAA via CLI
        aaa accounting command, 503-504
        aaa authentication ppp command, 501
        aaa authorization command, 502
        aaa new-model command, 499
        RADIUS configuration, 498
        radius-server host command, 499
        radius-server key command, 501
        TACACS+ configuration, 499
        tacacs-server host command, 500
        tacacs-server key command, 501
        username root password command, 501
    AAA via SDM, 504-505, 508
    Easy VPN modes, 385
    Easy VPN servers, 385
        Easy VPN Server Wizard, 389-395
        SDM, 386
        user configuration, 388
    GRE tunnels, 335-336
    intrusion systems, 571
        commands, 572-574
        SDM, 576-582
        verification, 574-575
    site-to-site IPsec VPN
        applying crypto maps to interfaces, 298
        configuring crypto ACL, 297
        configuring crypto maps, 297
        configuring Interface ACL, 299
        configuring IPsec transform sets, 295-296
        configuring ISAKMP policies, 293
        SDM, 303-314
    VPN Client, 414, 418-424
Connection Entries screen (VPN Client), 419
connection signatures (intrusion systems), 570
control planes (MPLS architectures), 189
Core Layer (hierarchical network model), 17
corporate components, teleworker architectures, 43
CPE (Customer Premises Equipment), 113
    PPPoE on ATM interfaces configuration option, 114
    PPPoE on Ethernet interfaces configuration option, 114
    provider-facing interface, 114
    router configuration, 120-122, 136-140
    subscriber-facing interface, 114
crosstalk, DSL connections, 86
crypto ACL (Access Control Lists), configuring, 297

crypto ipsec security-association command, configuring IPsec transform sets, 296
crypto ipsec transform-set command, configuring IPsec transform sets, 296
crypto isakmp identity hostname command, Easy VPN, 383
crypto isakmp keepalive command, DPD, 361
crypto map command
    HSRP, 365
    site-to-site IPsec VPN, 298
crypto maps, 297-298

D

data center architectures, 21
data confidentiality (IPsec), 257
data integrity (IPsec), 257
data link layers (ADSL connections), troubleshooting, 156-160
data origin authentication (IPsec), 258
data planes (MPLS architectures), 189
data transfers, site-to-site IPsec VPN, 292
data transmission, ADSL, 93
    PPP, 95
    PPPoA, 101-102
    PPPoE, 96-101
    RFC 1483/2684 bridging, 94
DDoS (Distributed Denial of Service) attacks, 568
debug aaa accounting command, debugging AAA, 512
debug aaa authentication command, debugging AAA, 511
debug aaa authorization command, debugging AAA, 511
debug atm events command, troubleshooting data link layers (ADSL connections), 156
debug atm packets command, troubleshooting data link layers (ADSL connections), 156
debug crypto isakmp command, troubleshooting Easy VPN servers, 398
debug ip cef command, CEF configuration (frame mode MPLS), 214
debug ip cef events command, CEF configuration (frame mode MPLS), 214
debug ip inspect command, verifying firewall configurations, 544
debug mpls ldp bindings command, frame mode MPLS, 219-220
debug radius command, debugging AAA, 512
debug tacacs command, debugging AAA, 513
delay option (logins), 470
device failures, 358-359
DHCP (Dynamic Host Configuration Protocol), configuring DSL routers, 118-119
dialer interfaces
    PPPoA, configuring for, 135-136
    PPPoE, configuring for, 115
Dial-Up tab (VPN Client), 422
Diffie-Hellman key exchanges
    asymmetric encryption, 268-269
    site-to-site IPsec VPN, 287
digital certificates
    IPsec peer authentication, 262-263
    PKI, 270
discovery phase (PPPoE), 97-98
distributed mode CEF, configuring for frame mode MPLS, 211
Distribution Layer (hierarchical network model), 17
distribution networks, cable connections, 57
DMT (Discrete Multi-Tone), ADSL, 91-92
DMZ (Demilitarized Zones), firewalls, 435, 523-524
DOCSIS (Data-Over-Cable Service Interface Specifications), 61-64
DoS (Denial of Service) attacks, 568
DoS signatures (intrusion systems), 570
downstream
    cable connections, 55
    DSL connections, 84
DPD (Dead Peer Detection), 265, 360-361
DSAP (Destination Service Access Points), 133
DSL (Digital Subscriber Line) connections, 81
    ADSL, 89
        CAP, 90-91
        data transmission, 93-102
        DMT, 91-92
        G.Lite ADSL, 87
        PPP, 95
        PPPoA, 101-102
        PPPoE, 96-101
        RADSL, 87
        RFC 1483/2684 bridging, 94
        VDSL, 87

    amplitude, 84
    ATU-C, 84
    ATU-R, 84
    bridge taps, 86
    crosstalk, 86
    defining, 83
    downstream, 84
    DSLAM, 84
    fiber optic cable, 86
    frequency, 84
    impedance mismatch, 86
    interference, 86
    limitations of, 85
    line code, 84
    load coils, 85-86
    maximum data rates, 84
    microfilters, 84
    modulation, 84
    nature, 84
    NID, 85
    phases, 85
    POTS, 83-85
    PPPoA
        AAL5MUX, 131-134
        AAL5SNAP, 131-135
        ATM interface configuration, 134-135
        Cisco PPPoA, 131, 134
        configuration elements, 141
        CPE router configuration, 136-140
        DSL dialer configuration, 135-136
        router configuration, 130-134
        virtual template configuration, 136
    PPPoE
        configuration elements, 123
        configuring CPE routers, 120-122
        configuring DHCP for DSL routers, 118-119
        configuring dialer interfaces, 115
        configuring PAT, 116-118
        configuring static default routes for DSL routers, 119
        Ethernet/ATM interfaces, 114-115
        router configuration, 113-114
    SDSL, 87-88
    signal attenuation, 86
    teleworker architectures, 41, 46
    topologies, 113
    troubleshooting, 149
        cable pinout issues, 154
        data link layer, 156-160
        dsl operating-mode auto command, 156
        flapping interfaces, 152
        LED, 154
        no shutdown command, 153
        physical layer, 150-156
        show dsl interface command, 153
        show interface command, 153
        show ip interface brief command, 152
        supported DSL operating modes, 155-156
        tangled wires, 154
    upstreams, 85
    wavelengths, 85
    wire gauge, 86
DSLAM (DSL Access Multiplexers), 84, 113, 130

E

Easy VPN (Virtual Private Networks)
    connection establishment, 382
        establishing ISAKMP SA, 384
        GLA, 382
        IKE Phase 1, 383
        IPsec Quick mode, 385
        mode configuration, 385
        RRI, 385
        SA proposal acceptance, 384
        user authentication, 384
        Xauth, 382-383
    Remote, 379-381
    server configuration, 385
        Easy VPN Server Wizard, 389-395
        SDM, 386
        user configuration, 388
    server monitoring, 396-397
    server requirements, 381-382
    troubleshooting servers, 398-406
edge LSR (Label Switching Routers), 194
edge nodes, MPLS, 175
edge routers
    securing
        AutoSecure, 441-443, 448-450
        SDM, 443-447, 450-451

    security threats
        common management services, 438
        gratuitous/proxy ARP, 440
        path integrity mechanisms, 439
        probes/scans, 439-440
        terminal access security, 440
        unnecessary services/interfaces, 436-438
        vulnerable services, 436
egress nodes, MPLS, 175
EIGRP (Enhanced Interior Gateway Routing Protocol), GRE tunnels, 345
enable password, password configuration via
    configuration mode, 472
    setup mode, 471
enable secret command, password privilege levels, 478
enable secret password, password configuration via
    configuration mode, 472
    setup mode, 471
encryption
    IPsec, 256, 266
        asymmetric encryption, 267-269
        symmetric encryption, 267
    packet encryption, 497
    passwords, 475-476
enterprise edge architectures, 23-24
ESP (Encapsulating Security Payload), 258
Ethernet/ATM interfaces, PPPoE, 114-115
exec-timeout configuration option, 474
Experimental CoS field (MPLS labels), 192
exploit signatures (intrusion systems), 570
exploits (vulnerability), 568
export RT (Route Targets), 242

F

failed logins, 469
failover strategies (IPsec)
    stateful strategies, 360, 366-368
    stateless strategies, 359
        DPD, 360-361
        HSRP, 363-366
        IGP within GRE over IPsec tunnel, 362
failures (networks), 358-359
FIB (Forwarding Information Bases)
    CEF switching, MPLS, 180
    frame mode MPLS, 195-198
fiber optic cable
    DSL connections, 86
    teleworker architectures, 41
fiber-coaxial networks, 63-64
fiber-optic connections, teleworker architectures, 46
firewalls
    Cisco IOS Firewall, 519
        ALG, 524-526
        Authentication Proxy, 529
        capabilities of, 531
        DMZ, 523-524
        IPS, 529
        layered device structure, 523-524
        packet filtering, 524-525
        recognized protocols list, 529-530
        stateful packet filtering, 524-528
    CLI, configuring via
        applying inspection rules to interface, 542
        inspection rules definitions, 541
        interface selection, 540
        IP ACL configuration, 541
        packet direction selection, 540
        verifying configuration, 543-544
    DMZ, 435
    SDM, configuring via
        advanced firewalls, 547, 550, 553-555
        basic firewalls, 544, 547
flapping interfaces, 152
forward path (cable connections). See downstream, cable connections
frame mode MPLS (Multiprotocol Label Switching), 190, 193, 207
    CEF configuration, 211
        debug ip cef command, 214
        debug ip cef events command, 214
        distributed mode CEF, 211
        show ip cef command, 212-213
        show ip cef detail command, 213
    FIB, 195-198
    LFIB, 195-197
    LIB, 195-196, 202

    MPLS configuration
        mpls ip command, 214-215
        mpls label protocol command, 214-215
        no mpls ip command, 214
        sample configuration, 215-216
        tag-switching commands, 215
    MTU size configuration, 217
        debug mpls ldp bindings command, 219-220
        show mpls ldp neighbor command, 218
    show mpls forwarding-table command, 199
Frame Type field (AAL5SNAP), 133
framing physical layers (ADSL connections), 151
frequency, DSL connections, 84
full mesh topologies, WAN, 172

G

G.Lite ADSL, 87
G.SHDSL (Symmetric High-Data-Rate DSL), 88
GLA (Group Level Authentication), Easy VPN, 382
gratuitous ARP, router security threats, 440
GRE (Generic Routing Encapsulation) tunnels, 327
    backup tunnels, 341
    characteristics of, 332
    configuring, 335-336
    creating, 340
    EIGRP, 345
    headers, 333-335
    IGP within GRE over IPsec tunnel, 362
    IP multicast, 333
    IPsec VPN, 342-343
    OSPF, 345
    RIP, 344
    routing protocols, 333
    secure GRE tunnels, 336-337
    security, 332-333
    static routing, 343-344
    validating configurations, 346
GRE over IPsec Wizard
    GRE tunnels
        backup tunnels, 341
        creating, 340
        EIGRP, 345
        OSPF, 345
        RIP, 344
        static routing, 343-344
    IPsec VPN, 342-343
    launching, 339
    validating configurations, 346

H - I

HDSL (High-Data-Rate DSL), 88
HDSL2 (second-generation HDSL), 88
headends (cable connections), 56, 65-66
headers
    GRE tunnels, 333-335
    IPsec, 261
HFC (Hybrid Fiber-Coaxial) cable connections, 55
hierarchical network model, 16-17
home office components, teleworker architectures, 43
honeypots (intrusion systems), 570
HSRP (Hot Standby Router Protocol), IPsec
    stateful failover strategies, 366
    stateless failover strategies, 363-366
hub-and-spoke topologies, 170, 173
hybrid fiber-coaxial networks, 63-64

IDS (Intrusion Detection Systems), 567-568
    honeypots, 570
    malicious traffic identification, 569
    scope of, 568-569
    signatures
        connection, 570
        DoS, 570
        exploit, 570
        reactions, 571
        string, 570
        viewing via SDM, 582
IDSL (ISDN DSL), 88
IGP within GRE over IPsec tunnels, 362
IIN (Intelligent Information Networks), 9
    features of, 10
    integrated applications phase, 11
    integrated services phase, 10
    integrated transport phase, 10
    teleworker architectures, 36
IKE (Internet Key Exchange), 258
    aggressive mode, 264

    DPD, 265
    ISAKMP, 263
    main mode, 264
    mode configuration, 266
    NAT traversal, 265-266
    Oakley protocol, 263
    phases of, 263
    quick mode, 265
    transform sets, site-to-site IPsec VPN, 286-287
    Xauth, 266
impedance mismatch, DSL connections, 86
import RT (Route Targets), 242
ingress nodes, MPLS, 175
inside local/global addresses, PAT configuration, 116
Installation Directory (VPN Client), 417
integrated applications phase (IIN), 11
integrated services, remote network connection requirements, 28-29
integrated services phase (IIN), 10
integrated transport phase (IIN), 10
integrity (data), IPsec, 257
interactive services layer (SONA), 13-15
Interface ACL (Access Control Lists), configuring, 299
interference
    cable connections, 58
    DSL connections, 86
intrusion systems
    IDS, 567
        anomaly-based malicious traffic identification, 569
        connection signatures, 570
        DoS signatures, 570
        exploit signatures, 570
        honeypots, 570
        policy-based malicious traffic identification, 569
        scope of, 568-569
        signature-based malicious traffic identification, 569
        signatures, reactions to, 571
        signatures, viewing via SDM, 582
        string signatures, 570
    IPS, 567
        anomaly-based malicious traffic identification, 569
        connection signatures, 570
        DoS signatures, 570
        exploit signatures, 570
        honeypots, 570
        IOS router configuration, 571-575
        policy-based malicious traffic identification, 569
        scope of, 568-569
        SDM configuration, 576-582
        signature-based malicious traffic identification, 569
        signatures, reactions to, 571
        signatures, viewing via SDM, 582
        string signatures, 570
IOS routers
    as NIPS devices, 570
    IPS configuration, 571
        commands, 572-574
        verification, 574-575
IOS switching (CEF), 179
IP addresses, sockets, 117
ip inspect command, defining firewall inspection rules, 541
ip ips fail closed command, IOS router IPS configuration, 572
ip ips name command, IOS router IPS configuration, 574
ip ips name testips list 123 command, IOS router IPS configuration, 572
ip ips sdf builtin command, IOS router IPS configuration, 572
ip ips testips in command, IOS router IPS configuration, 573
IP multicast, GRE tunnels, 333
IP switching, MPLS
    ARP, 180
    BGP, 179
IP telephony, teleworker architectures, 43
ipc zone default command, IPsec stateful failover strategies, 368
IPS (Intrusion Prevention Systems), 529, 567-568
    honeypots, 570
    IOS router configuration, 571
        commands, 572-574
        verification, 574-575
    malicious traffic identification, 569
    scope of, 568-569
    SDM configuration, 576-582

    signatures
        connection, 570
        DoS, 570
        exploit, 570
        reactions, 571
        string, 570
        viewing via SDM, 582
IPS Wizard (SDM), 577-582
IPsec (IP Security), 251
    AH, 259
    anti-replay, 258
    data confidentiality, 257
    data integrity, 257
    data origin authentication, 258
    encryption, 256, 266-269
    ESP, 258
    GRE tunnels, 327
        backup tunnels, 341
        characteristics of, 332
        configuring, 335-336
        creating, 340
        EIGRP, 345
        headers, 333-335
        IP multicast, 333
        IPsec VPN, 342-343
        launching GRE over IPsec Wizard, 339
        OSPF, 345
        RIP, 344
        routing protocols, 333
        secure GRE tunnels, 336-337
        security, 332-333
        static routing, 343-344
        validating configurations, 346
    headers, 261
    IKE, 258
        aggressive mode, 264
        DPD, 265
        ISAKMP, 263
        main mode, 264
        mode configuration, 266
        NAT traversal, 265-266
        Oakley protocol, 263
        phases of, 263
        quick mode, 265
        Xauth, 266
    peer authentication, 262-263
    PKI, 270-271
    Quick mode, Easy VPN, 385
    site-to-site IPsec VPN, 283-285
        applying crypto maps to interfaces, 298
        configuring crypto ACL, 297
        configuring crypto maps, 297
        configuring Interface ACL, 299
        configuring IPsec transform sets, 295-296
        configuring ISAKMP policies, 293
        Diffie-Hellman key exchanges, 287
        IKE transform sets, 286-287
        IPsec transform sets, 289-291
        IPsec tunnel termination, 292
        monitoring tunnels, 314-316
        peer authentication, 288
        SA, 291-292
        SDM, 300-314
        secure data transfers, 292
        specifying interesting traffic, 284
    stateful failover strategies, 360, 366-368
    stateless failover strategies, 359
        DPD, 360-361
        HSRP, 363-366
        IGP within GRE over IPsec tunnels, 362
    transform sets
        configuring for site-to-site IPsec VPN, 295-296
        site-to-site IPsec VPN, 289-291
    transport mode, 259-260
    tunnel mode, 260
    VPN, 251
        GRE tunnels, 342-343
        teleworker architectures, 42, 46
        WAN backups, 368-369
ISAKMP (Internet Security Association and Key Management Protocol), 263, 293
ISL (Infrastructure Services Layer), SONA, 13

J - K - L

Key Present option (GRE headers), 334

labels (MPLS architectures), 175-177, 190
    Bottom-of-Stack bit, 192
    distributing, 199
        interim packet propagation, 201
        label allocation, 201
        LDP, 199-200
        packet propagation, 200
    Experimental CoS field, 192
    frame-mode MPLS, 193
    Label field, 191
    label stacks, 175, 192-193
    label swaps, 175
    PHP, 201
    structures of, 190
    TTL field, 192
LAN (Local Area Networks), VLAN, 230
layer 1 (ADSL connections). See physical layers (ADSL connections)
layer 1 VPN overlays, 230
Layer 2 remote connections, teleworker architectures, 38
layer 2 VPN overlays, 231
Layer 3 remote connections. See service provider MPLS VPN
layer 3 VPN overlays, 232
LCP (Link Control Protocol) phase (PPP), troubleshooting data link layers (ADSL connections), 157
LDP (Label Distribution Protocol), MPLS architectures, 189, 199-200
LED (light emitting diodes), troubleshooting ADSL connections, 154
LFIB (Label Forwarding Information Base), MPLS architectures, 189, 195-197
LHE (Local Headends), 65-66
LIB, frame mode MPLS, 195-196, 202
licensing agreements, VPN Client, 416
line code
    DSL connections, 84
    physical layers (ADSL connections), 151
load coils, DSL connections, 85-86
logins
    failed logins, 469
    password checks, 473
    routers, banners, 476-477
    security, 469-470
    show login command, 470
LSH (Label-Switched Hops), MPLS, 175
LSP (Label-Switched Paths)
    MPLS, 175
    MPLS VPN, 237
LSR (Label Switching Routers)
    edge LSR, 194
    MPLS, 175, 177-178

M

main mode (IKE), 264
malicious traffic identification (intrusion systems), 569
maximum data rates, DSL connections, 84
microfilters, DSL connections, 84
modems (cable), provisioning process, 67-69
modulation
    cable connections, 56
    DSL connections, 84
MPLS (Multiprotocol Label Switching) architectures, 170, 174, 185
    CEF switching, FIB, 180
    cell mode MPLS, 192
    control planes, 189
    data planes, 189
    domains, 175
    edge nodes, 175
    egress nodes, 175
    frame mode MPLS, 190, 207
        CEF configuration, 211-214
        FIB, 195, 197-198
        LFIB, 195-197
        LIB, 195-196, 202
        MPLS configuration, 214-216
        MTU size configuration, 217-220
        show mpls forwarding-table command, 199
    ingress nodes, 175
    labels, 176-177, 190
        Bottom-of-Stack bit, 192
        distributing, 199-200
        distributing, interim packet propagation, 201
        distributing, label allocation, 201
        distributing, packet propagation, 200
        Experimental CoS field, 192

        frame-mode MPLS, 193
        Label field, 191
        label stacks, 175, 192-193
        label swaps, 175
        PHP, 201
        structures of, 190
        TTL field, 192
    LDP, 189
    LFIB, 189
    LSH, 175
    LSP, 175
    LSR, 175-178, 194
    nodes, 175
    packets, role of, 176
    routers, role of, 176
    RSVP, 189
    standard IP switching
        ARP, 180
        BGP, 179
    TDP, 189
    TE, 192
    terminology of, 175
    VPN, 177, 192, 225, 229, 236
        C networks, 237
        CE routers, 237-238
        end-to-end routing updates, 242-243
        LSP, 237
        P networks, 237
        P routers, 237-239
        packet forwarding, 243-244
        PE routers, 237-239
        PHP, 237, 244
        PoP, 237
        RD, 237-241
        RT, 237, 242
        teleworker architecture remote connections, 39
        terminology of, 237
        VLAN, 230
        VPDN, 230
        VRF, 237
    VPN with TE, 192
mpls ip command, MPLS configuration (frame mode MPLS), 214-215
mpls label protocol command, MPLS configuration (frame mode MPLS), 214-215
MTU (Maximum Transmission Units), sizing, 217-220

N

NAT (Network Address Translation), PAT, 116-118
NAT traversal, 265-266
nature, DSL connections, 84
NCP (Network Control Protocol) phase (PPP), troubleshooting data link layers (ADSL connections), 157
networked infrastructure layer (SONA), 13
networks, 5
    branch network architectures, 19-21
    cable network architectures, 65-66
    campus network architectures, 17-19
    data center architectures, 21
    distribution networks, cable connections, 57
    enterprise edge architectures, 23-24
    failures, 358-359
    hierarchical network model, 16-17
    hybrid fiber-coaxial networks, 63-64
    IIN, 9
        features of, 10
        integrated applications phase, 11
        integrated services phase, 10
        integrated transport phase, 10
    remote connection requirements
        branch offices, 27-28
        central sites, 27
        integrated services, 28-29
        SOHO sites, 28
    requirements, 9
    SONA, 11-12
        Application Layer, 15
        interactive services layer, 13-15
        ISL, 13
        networked infrastructure layer, 13
    teleworker architectures, 24-25, 33
        access methods, 41
        authentication, 42
        bandwidth, 41
        Business-Ready Teleworker, 36
        cable connections, 54-69
        connection management, 42
        connection requirements, 40
        corporate components, 43
        DSL connections, 81-102
        DSL connections, PPPoA, 130-141
        DSL connections, PPPoE, 113-123
        enterprise architecture frameworks, 37

Page 13: Index [ptgmedia.pearsoncmg.com] · CLI (Command Line Interface) AAA configuration aaa accounting command, 503-504 aaa authentication ppp command, 501 aaa authorization command, 502

642

    enterprise architecture frameworks, goals of, 38
    home office components, 43
    IIN, 36
    IP telephony, 43
    IPsec VPN, 42, 46
    QoS, 42
    Remote Access VPN, 42, 46
    remote connectivity, 38-39, 46
    security, 42
    traditional teleworkers versus business-ready teleworkers, 45
    video, 43
  transportation networks, cable connections, 56
  VPN, MPLS, 177
  WAN/MAN architectures, 25-26
newsignatures.sdf command, IOS router IPS configuration, 573-574
NID (Network Interface Devices), DSL connections, 85
NIPS devices, IOS routers as, 570
NLPID (Network Layer Protocol Independent) field (SNAP headers), 133
no mpls ip command, MPLS configuration (frame mode MPLS), 214
no shutdown command, troubleshooting physical layer (ADSL connections), 153
nodes
  cable connections, 57
  MPLS, 175
NTSC (National Television Standards Committee) cable system standards, 56

O - P

Oakley protocol, 263
on-failure option (logins), 470
on-success option (logins), 470
orthogonal waveforms, 91
OSPF (Open Shortest Path First), GRE tunnels, 345
OTP (One-Time Passwords), IPsec peer authentication, 262
OUI (Organizationally Unique Identifier) field (SNAP headers), 133
outside local/global addresses, PAT configuration, 116
P networks, MPLS VPN, 237
P routers, MPLS VPN, 237-239
Packet mode (AAA), 495-496
packets
  encryption, 497
  filtering, 524-528
  forwarding, MPLS VPN, 243-244
  MPLS, role in, 176
PAL (Phase Alternating Line) cable system standards, 56
partial mesh topologies, WAN, 171
passwords
  best practices, 467
  CLI, 472-473
  configuration mode, configuring via, 472
  encryption, 475-476
  IPsec peer authentication, 262
  length restrictions, 474
  login command, checking via, 473
  OTP, IPsec peer authentication, 262
  privilege levels, 478-479
  router AP, 467-468
  setup mode, configuring via, 471-472
  unique passwords, 477-478
PAT (Port Address Translation), PPPoE, 116-118
path failures, 358-359
path-retransmit command, IPsec stateful failover strategies, 368
PE routers, MPLS VPN, 237-239
Peer-to-Peer VPN (Virtual Private Networks), 232-236
peers
  authentication, 262-263, 288
  DPD, 360-361
  PKI, 270
phases, DSL connections, 85
PHP (Penultimate Hop Pop)
  MPLS labels, 201
  MPLS VPN, 237, 244
physical layers (ADSL connections)
  dsl operating-mode auto command, 156
  framing, 151
  line coding, 151
  physical connectivity, 151-152
  PMD sublayers, 151
  supported DSL operating modes, 155-156
  TC sublayers, 151


  troubleshooting, 150-151
    cable pinout issues, 154
    dsl operating-mode auto command, 156
    flapping interfaces, 152
    LED, 154
    no shutdown command, 153
    show dsl interface command, 153
    show interface command, 153
    show ip interface command, 152
    supported DSL operating modes, 155-156
    tangled wires, 154
physical security, routers, 483
pings (ATM), troubleshooting data link layers (ADSL connections), 157
PKI (Public Key Infrastructure)
  CA, 270
  digital certificates, 270
  distribution mechanism, 270
  message exchange process, 271
  peers, 270
  RA, 270
PMD (physical medium dependent) sublayers (physical layers), 151
PoP (Post Office Protocol), MPLS VPN, 237
ports
  numbers, sockets, 117
  PAT, PPPoE, 116-118
POTS (Plain Old Telephone Service), DSL connections, 83-85
PPP (Point-to-Point Protocol)
  ADSL, 95
    PPPoA, 101-102
    PPPoE, 96-101
  data link layers (ADSL connections), troubleshooting, 157-160
PPPoA (Point-to-Point Protocol over ATM)
  AAL5MUX, 131-134
  AAL5SNAP, 131-135
  ADSL, 101-102
  Cisco PPPoA, 131, 134
  DSL connections
    ATM interface configuration, 134-135
    configuration elements, 141
    CPE router configuration, 136-140
    DSL dialer configuration, 135-136
    router configuration, 130-134
    virtual template configuration, 136
PPPoE (Point-to-Point Protocol over Ethernet)
  ADSL, 96-101
  configuration elements, 123
  discovery phase, 97-98
  DSL connections
    configuring CPE routers, 120-122
    configuring DHCP for DSL routers, 118-119
    configuring dialer interfaces, 115
    configuring PAT, 116-118
    configuring static default routes for DSL routers, 119
    DSL topologies, 113
    Ethernet/ATM interfaces, 114-115
    router configuration, 113-114
  framing components, 100
  optimizing MTU, 100-101
  session phase, 99
  session variables, 99-100
PPPoE on ATM interfaces configuration option (CPE), 114
PPPoE on Ethernet interfaces configuration option (CPE), 114
preempt command, HSRP, 364
preshared keys, IPsec peer authentication, 262
privilege levels (passwords), 478-479
process switching, 179
provider-facing interface (CPE), 114
proxy ARP, router security threats, 440
PVC (Permanent Virtual Circuits), 115

Q - R

QoS (Quality of Service), teleworker architectures, 42
quick mode (IKE), 265
Quick Setup option (Site-to-Site VPN Wizard), 306-307
quiet-mode option (logins), 470
RA (Registration Authorities), PKI, 270
radio frequency signals, cable connections, 59-61
RADIUS protocol, 496
  authentication, 497


  authorization, 497
  debugging AAA, 512
  interoperability, 498
  multiprotocol support, 497
  packet encryption, 497
  router management, 497
  UDP, 496
radius-server host command, AAA configuration, 499
radius-server key command, AAA configuration, 501
RADSL (Rate-Adaptive DSL), 87
RD (Route Distinguishers), MPLS VPN, 237-241
recon attacks, 569
redundancy
  costs of, 174
  WAN, 173
redundancy inter-device command, IPsec stateful failover strategies, 368
redundant hub-and-spoke topologies, WAN, 173
Remote Access VPN, teleworker architectures, 42, 46
remote connectivity
  network requirements
    branch offices, 27-28
    central sites, 27
    integrated services, 28-29
    SOHO sites, 28
  teleworker architectures, 46
    Layer 2 connections, 38
    service provider MPLS VPN, 39
    site-to-site VPN, 39
remote peer failures, 358-359
retransmit-timeout command, IPsec stateful failover strategies, 368
returns (cable connections). See upstream (cable connections)
reverse paths (cable connections). See upstream (cable connections)
RF splitters, cable connections, 66
RFC 1483/2684 bridging, ADSL, 94
RFC 2364
  AAL5MUX option, 131-132
  AAL5SNAP option, 131-133
  PPPoA option, 131, 134
RIP, GRE tunnels, 344
RJ-11 connectors, troubleshooting, 154
role-based CLI, 480
  root view access, 482
  superview configuration, 483
root view access (role-based CLI), 482
routers
  access, security, 466
  AP, security, 467-468
  banners, 476-477
  CE routers, MPLS VPN, 237-238
  CPE configuration
    PPPoA, 136-140
    PPPoE, 120-122
  DSL routers, configuring, 118-119
  IOS
    IPS configuration, 571-575
    routers as NIPS devices, 570
    switching, 179
  LSR
    edge LSR, 194
    MPLS, 175-178
  MPLS, role in, 176
  P routers, MPLS VPN, 237-239
  PE routers, MPLS VPN, 237-239
  physical security, 483
  RADIUS protocol, 497
  securing
    AutoSecure, 441-443, 448-450
    SDM, 443-447, 450-451
  security threats
    common management services, 438
    gratuitous/proxy ARP, 440
    path integrity mechanisms, 439
    probes/scans, 439-440
    terminal access security, 440
    unnecessary services/interfaces, 436-438
    vulnerable services, 436
  TACACS+ protocol, 497
routing protocols, GRE tunnels, 333
RRI (Reverse Route Injection), Easy VPN, 385
RSA, asymmetric encryption, 267
RSVP (Resource Reservation Protocol), MPLS architectures, 189
RT (Route Targets)
  export RT, 242
  import RT, 242
  MPLS VPN, 237, 242


S

SA (Security Associations), site-to-site IPsec VPN, 291-292
scope (intrusion systems), 568-569
SDM (Security Device Manager)
  AAA configuration, 504-505, 508
  Advanced Firewall Wizard, 547, 550, 553-555
  Easy VPN server configuration, 386
  firewall configurations
    advanced firewalls, 547, 550, 553-555
    basic firewalls, 544, 547
  intrusion system configuration, 576-582
  IPS Wizard, 577-582
  One-Step Lockdown Wizard, router security, 447, 450-451
  router security, 443
    access security, 466
    SDM One-Step Lockdown Wizard, 447, 450-451
    SDM Security Audit Wizard, 444-447
  Security Audit Wizard, router security, 444-447
  site-to-site IPsec VPN, 300-304
  Site-to-Site VPN Wizard, 305-314
  testing IPsec VPN tunnels, 314
SDSL (Symmetrical DSL), 87-88
SECAM (System Electronic Couleur avec Memoire) cable system standards, 56
secure GRE tunnels, 336-337
security
  authentication, logins, 469
  GRE tunnels, 332-333
  logins
    block-for option, 470
    delay option, 470
    failed logins, 469
    on-failure option, 470
    on-success option, 470
    quiet-mode option, 470
    security authentication, 469
  passwords
    best practices, 467
    checking via login command, 473
    CLI, 472-473
    configuring via configuration mode, 472
    configuring via setup mode, 471-472
    encryption, 475-476
    length restrictions, 474
    privilege levels, 478-479
    router AP, 467-468
    unique passwords, 477-478
  routers
    access, 466
    physical security, 483
  teleworker architectures, 42
  Telnet, accessing, 473
  timeout options, configuring, 474
Sequence Number option (GRE headers), 334
service password-encryption utility, 476
service provider MPLS VPN, teleworker architecture remote connections, 39
session phase (PPPoE), 99
session variables (PPPoE), 99-100
setup mode, password configuration, 471-472
show crypto isakmp sa command, monitoring Easy VPN servers, 396
show dsl interface command, troubleshooting physical layer (ADSL connections), 153
show interface command, troubleshooting physical layer (ADSL connections), 153
show ip cef command, CEF configuration (frame mode MPLS), 212-213
show ip cef detail command, CEF configuration (frame mode MPLS), 213
show ip inspect all command, verifying firewall configurations, 543
show ip inspect command, verifying firewall configurations, 543
show ip interface brief command, troubleshooting physical layers (ADSL connections), 152
show ip ips configuration command, IOS router IPS configuration, 574
show login command, 470
show mpls forwarding-table command, 199
show mpls ldp neighbor command, frame mode MPLS, 218
show running-config, password privilege levels, 479
signal attenuation, DSL connections, 86
signatures (intrusion systems)
  connection, 570
  DoS, 570
  exploit, 570
  reactions, 571


  string, 570
  viewing via SDM, 582
site-to-site VPN (Virtual Private Networks)
  IPsec VPN, 283-285
    applying crypto maps to interfaces, 298
    configuring crypto ACL, 297
    configuring crypto maps, 297
    configuring Interface ACL, 299
    configuring IPsec transform sets, 295-296
    configuring ISAKMP policies, 293
    Diffie-Hellman key exchanges, 287
    IKE transform sets, 286-287
    IPsec transform sets, 289-291
    IPsec tunnel termination, 292
    monitoring tunnels, 314-316
    peer authentication, 288
    SA, 291-292
    SDM, 300-314
    secure data transfers, 292
    specifying interesting traffic, 284
    teleworker architecture remote connections, 39
    testing tunnels, 314
  overview of, 282
  Site-to-Site VPN Wizard, 305
    Quick Setup option, 306-307
    Step-by-Step Setup option, 307
      define connection settings, 308
      define IKE proposals, 309
      define IPsec transform sets, 310-311
      define protected traffic, 311-314
SNAP headers, 133
SNMP (Simple Network Management Protocol), router access security, 466
sockets, 117
SOHO sites, remote network connection requirements, 28
SONA (Service-Oriented Network Architecture), 11-12
  Application Layer, 15
  interactive services layer, 13-15
  ISL, 13
  networked infrastructure layer, 13
splitters
  POTS splitters, DSL connections, 85
  RF splitters, cable connections, 66
SSAP (Source Service Access Points), 133
SSO (Stateful Switchover), stateful failover strategies (IPsec), 366
stateful failover strategies (IPsec), 360, 366-368
stateful packet filtering, Cisco IOS Firewall, 524
stateless failover strategies (IPsec), 359
  DPD, 360-361
  HSRP, 363-366
  IGP within GRE over IPsec tunnels, 362
static default routes, configuring for DSL routers, 119
static routing, GRE tunnels, 343-344
Step-by-Step Setup option (Site-to-Site VPN Wizard), 307
  define connection settings, 308
  define IKE proposals, 309
  define IPsec transform sets, 310-311
  define protected traffic, 311-314
string signatures (intrusion systems), 570
subscriber drops, cable connections, 57
subscriber-facing interface (CPE), 114
superviews (role-based CLI), 483
symmetric encryption, IPsec, 267

T

TACACS+ protocol
  authentication, 497
  authorization, 497
  debugging AAA, 513
  interoperability, 498
  multiprotocol support, 497
  packet encryption, 497
  router management, 497
  TCP, 496
tacacs-server host command, AAA configuration, 500
tacacs-server key command, AAA configuration, 501
tag-switching commands, MPLS configuration (frame mode MPLS), 215
tangled wires, troubleshooting ADSL connections, 154
taps, cable connections, 55
TC (transmission convergence) sublayers (physical layers), 151


TCP (Transfer Control Protocol), TACACS+ protocol, 496
TDP (Tag Distribution Protocol), MPLS architectures, 189
TE (Traffic Engineering), MPLS TE, 192
teleworker architectures, 24-25, 33
  Business-Ready Teleworker, 36
  cable connections
    amplifiers, 55
    antenna sites, 56
    benefits of, 59
    broadband, 54
    cable modem provisioning process, 67-69
    CATV, 55, 58
    coaxial, 55, 58
    distribution networks, 57
    DOCSIS, 61-64
    downstream, 55
    drawbacks to, 66
    headends, 56, 65-66
    HFC, 55
    hybrid fiber-coaxial networks, 63-64
    interference, 58
    modulation, 56
    network architectures, 65-66
    nodes, 57
    NTSC cable system standard, 56
    PAL cable system standard, 56
    radio frequency signals, 59-61
    RF splitters, 66
    SECAM cable system standard, 56
    subscriber drops, 57
    taps, 55
    transportation networks, 56
    upstream, 55, 66
  connection management, 42
  connection requirements, 40
    access methods, 41
    authentication, 42
    bandwidth, 41
    IPsec VPN, 42
    QoS, 42
    Remote Access VPN, 42
    security, 42
  corporate components, 43
  DSL connections, 81
    ADSL, 87-91
    amplitude, 84
    ATU-C, 84
    ATU-R, 84
    bridge taps, 86
    crosstalk, 86
    defining, 83
    downstream, 84
    DSLAM, 84
    fiber optic cable, 86
    frequency, 84
    impedance mismatch, 86
    interference, 86
    limitations of, 85
    line code, 84
    load coils, 85-86
    maximum data rates, 84
    microfilters, 84
    modulation, 84
    nature, 84
    NID, 85
    phases, 85
    POTS, 83
    POTS splitters, 85
    PPPoA, 130-141
    PPPoE, 113-123
    SDSL, 87
    signal attenuation, 86
    upstreams, 85
    wavelengths, 85
    wire gauge, 86
  enterprise architecture frameworks, 37-38
  home office components, 43
  IIN, 36
  IP telephony, 43
  remote connectivity
    IPsec VPN, 46
    Layer 2 connections, 38
    Remote Access VPN, 46
    service provider MPLS VPN, 39
    site-to-site VPN, 39
  traditional teleworkers versus business-ready teleworkers, 45
  video, 43
Telnet, 473
testing IPsec VPN tunnels, 314
timeout options, configuring, 474
topologies
  DSL, 113
  full mesh, WAN, 172


  hub-and-spoke
    redundant hub-and-spoke, 173
    WAN, 170
  partial mesh, WAN, 171
topology-driven switching, 179
transferring data, site-to-site IPsec VPN, 292
transport mode (IPsec), 259-260
Transport tab (VPN Client), 420-421
transportation networks, cable connections, 56
Trojan horses, 568
troubleshooting
  ADSL connections
    cable pinout issues, 154
    data link layer, 156-160
    dsl operating-mode auto command, 156
    flapping interfaces, 152
    LED, 154
    no shutdown command, 153
    physical connectivity, 151-152
    physical layer, 150-156
    show dsl interface command, 153
    show interface command, 153
    show ip interface brief command, 152
    supported DSL operating modes, 155-156
    tangled wires, 154
  data link layers (ADSL connections), 156-160
  DSL connections, 149
    cable pinout issues, 154
    data link layer, 156-160
    dsl operating-mode auto command, 156
    flapping interfaces, 152
    LED, 154
    no shutdown command, 153
    physical layer, 150-156
    show dsl interface command, 153
    show interface command, 153
    show ip interface brief command, 152
    supported DSL operating modes, 155-156
    tangled wires, 154
  Easy VPN servers, 398-406
  physical layers (ADSL connections), 150-151
    cable pinout issues, 154
    dsl operating-mode auto command, 156
    flapping interfaces, 152
    LED, 154
    no shutdown command, 153
    show dsl interface command, 153
    show interface command, 153
    show ip interface brief command, 152
    supported DSL operating modes, 155-156
    tangled wires, 154
  RJ-11 connectors, 154
TTL field (MPLS labels), 192
tunnel mode (IPsec), 260
tunnels
  IPsec VPN tunnels, monitoring, 314-316
  site-to-site IPsec VPN, IPsec tunnel termination, 292

U - V

UDP (User Datagram Protocol), RADIUS protocol, 496
unique passwords, 477-478
Unity protocol, 381
upstream (cable connections), 55, 66, 85
user authentication, Easy VPN, 384
user configuration, Easy VPN server configuration, 388
username root password command, AAA configuration, 501
usernames, IPsec peer authentication, 262
validating GRE over IPsec configurations, 346
VDSL (Very-High-Bit-Rate DSL), 87
video, teleworker architectures, 43
virtual templates, configuring for PPPoA, 136
virtual terminal password (password configuration via setup mode), 471
viruses, 567
VLAN (Virtual Local-Area Networks), 230
VPN (Virtual Private Networks)
  Easy VPN, 379
    connection establishment, 382-385
    Remote, 379-381
    server configuration, 385-395


    server monitoring, 396-397
    server requirements, 381-382
    troubleshooting servers, 398-406
  IPsec VPN, 251
    GRE tunnels, 342-343
    teleworker architectures, 42, 46
    WAN backups, 368-369
  layer 1 VPN overlays, 230
  layer 2 VPN overlays, 231
  layer 3 VPN overlays, 232
  MPLS VPN, 177, 192, 225, 229-230, 236
    C networks, 237
    CE routers, 237-238
    end-to-end routing updates, 242-243
    LSP, 237
    P networks, 237
    P routers, 237, 239
    packet forwarding, 243-244
    PE routers, 237-239
    PHP, 237, 244
    PoP, 237
    RD, 237-241
    RT, 237, 242
    terminology of, 237
    VPDN, 230
    VRF, 237
  MPLS VPN with TE, 192
  Peer-to-Peer VPN, 232
    benefits of, 234
    drawbacks of, 234-236
    redundant connections, 235
  Remote Access VPN, teleworker architectures, 42, 46
  site-to-site IPsec VPN, 283-285
    applying crypto maps to interfaces, 298
    configuring crypto ACL, 297
    configuring crypto maps, 297
    configuring Interface ACL, 299
    configuring IPsec transform sets, 295-296
    configuring ISAKMP policies, 293
    Diffie-Hellman key exchanges, 287
    IKE transform sets, 286-287
    IPsec transform sets, 289-291
    IPsec tunnel termination, 292
    monitoring tunnels, 314-316
    peer authentication, 288
    SA, 291-292
    SDM, 300-314
    secure data transfers, 292
    specifying interesting traffic, 284
  site-to-site VPN
    overview of, 282
    teleworker architecture remote connections, 39
VPN Client
  Authentication tab, 419
  Backup Servers tab, 422
  configuring, 414, 418-424
  Connection Entries screen, 419
  Dial-Up tab, 422
  Installation Directory, 417
  installing, 414-417
  licensing agreements, 416
  Transport tab, 420-421
  Welcome screen, 415
VRF (Virtual Routing and Forwarding) tables, MPLS VPN, 237
vulnerabilities (networks), 358-359
vulnerability exploits, 568

W

WAN (Wide Area Networks)
  backups, IPsec VPN, 368-369
  full mesh topologies, 172
  hub-and-spoke topologies, 170, 173
  MPLS, 170, 174
    CEF switching, 180
    domains, 175
    edge nodes, 175
    egress nodes, 175
    ingress nodes, 175
    label stacks, 175
    label swaps, 175
    labels, 175-177
    LSH, 175
    LSP, 175
    LSR, 175-178
    nodes, 175
    packets, 176
    routers, 176
    standard IP switching, 179-180
    terminology of, 175
    VPN, 177
  partial mesh topologies, 171
  redundancy, 173-174


WAN/MAN (wide-area network/metropolitan-area network) architectures, 25-26
waveforms. See modulation, cable connections
wavelengths, DSL connections, 85
Web interfaces, router access security, 466
Welcome screen (VPN Client), 415
wire gauge, DSL connections, 86
wizards
  Advanced Firewall Wizard (SDM), 547, 550, 553-555
  Easy VPN Server Wizard, 389-395
  GRE over IPsec Wizard
    backup GRE tunnels, 341
    creating GRE tunnels, 340
    EIGRP, 345
    IPsec VPN, 342-343
    launching, 339
    OSPF, 345
    RIP, 344
    static routing, 343-344
    validating configurations, 346
  IPS Wizard (SDM), 577-582
  SDM One-Step Lockdown Wizard, router security, 447, 450-451
  SDM Security Audit Wizard, router security, 444-447
  Site-to-Site VPN Wizard, 305
    Quick Setup option, 306-307
    Step-by-Step Setup option, 307-314
worms, 568

X - Y - Z

Xauth, 266, 382-383
