Network Model Crib Notes

These are my ‘crib notes’ that I’ve made to serve as a last-minute refresher. Please forgive the grammar / spelling as I did not develop these notes with publishing in mind

Network Modelling

*** Theory ***

  • Three Layer Model (3 Layers)
    • Core – Low latency, fast switching, Advanced QoS, Redundancy, Root Bridges
    • Distribution – Handles routing, high-speed ports
    • Access – VLAN, Basic QoS, Traffic Filtering, Redundant uplinks, future growth, high port density
  • Cisco Enterprise Architecture (6 Modules)
    • Campus – Core layer of campus network.
    • Edge – Internet connectivity, DMZ, VPNs
    • WAN – PPP, Frame, DSL, MPLS
    • Branch – Remote Office
    • Teleworker – SOHO / Mobile Users
    • Data Centre – DR
  • Intelligent Information Network (Vision)
    • SONA – Single Vendor and Virtualisation
      • Application Layer – How end users interact
      • Interactive Service Layer – Virtualisation
      • Network Infrastructure layer

*** Other ***

  • Reconnaissance Attack – Uses packet sniffers etc. Combat with switched infrastructure.
  • DoS Attacks – Can use IP spoofing.
  • Virus – Requires human assistance to spread
  • Worm – Saved in memory, spreads automatically
  • ip inspect – Is the IOS firewall (formerly CBAC). Inside interface inspects inbound and outside interface inspects outbound


Cable Network Crib Notes


Cable Network

*** Theory ***

  • DOCSIS – Standard governing how cable operators reserve bandwidth for data transfers. When the modem boots it finds a DOCSIS channel (scans RF for a QAM lock). The CMTS sends 3 messages (MAP, UCD, SYNC) to the modem. The modem then requests an IP from the DHCP server and gets its config file via TFTP (address given by DHCP). The modem then registers with the CMTS and negotiates QoS etc.
  • ADSL – Up to 8 Mbps DL and 1 Mbps UL. Limited to 18,000 feet. Can use the phone via a POTS splitter.
    • Coding methods
      • CAP – Single carrier method – Divides the phone line into three separate channels (Voice, Upstream, Downstream). Has been replaced by DMT
      • G.Lite – One of two multicarrier methods, “splitterless ADSL”. Limited to 1.5 Mbps DL and 512 kbps UL = slow
      • DMT – The 2nd multicarrier method – Uses 256 channels to carry data
    • HDSL – Same UL/DL rate (symmetric). Can’t use the phone
    • HDSL2 – Allows for VoIP
    • RADSL – UL/DL rates are adjusted dynamically
    • Satellite – Very slow. DL 500 kbps and UL 50 kbps (on a clear day!)
    • Problems
      • Attenuation – Signal gets weak
      • Impedance mismatch – Bad splice or corrosion
      • Cross talk (inside)
      • AM radio (outside)
    • ATM – Uses DSLAM switches (has a DSL card) for data transport.
      • PPPoE vs PPPoA – Key difference is oA uses routing and oE uses bridging
      • PPPoE (RFC 2516) – Typically uses CHAP. The host uses discovery to get the MAC of the PPPoE server. This creates the SESSION_ID.
        • Interface setups
          • Connection to DSLAM – No IP address needed; a dial pool number (needed) binds a dialer interface to the Ethernet one.
          • Dialer
            • ip mtu 1492 – Reduce from 1500 to allow for the PPPoE headers
            • ip address negotiated – Allows a DHCP address to be given
            • ip nat outside (if using NAT)
        • Default route should be the dialer interface
        • Use the dialer interface when using NAT inside for PAT.
      • PPPoA – If the encapsulation is running under a PVC, you are running PPPoA
        • Interface setups
          • Connecting to DSLAM (ATM 0/0)
            • no ip address
            • dsl operating-mode auto – Auto-negotiate modulation with the downstream router
            • pvc 100/120 – Like a DLCI
            • pppoe-client dial-pool-number 1
      • RFC 1483/2684 Bridging – Easy to set up. Multiprotocol. Single-user environment. Uses lots of broadcasts, not scalable, can be attacked.
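To make the PPPoE discovery stage concrete (the PADI/PADO/PADR/PADS exchange that produces the SESSION_ID, and why the dialer MTU drops to 1492), here is an added Python example that is not part of these notes. Only the CODE and TAG values come from RFC 2516; the AC name, cookie, Host-Uniq and session ID values are constructed. The host-side check that the Host-Uniq tag echoes back is how a client ignores offers that answer someone else's PADI.

```python
"""PPPoE discovery (RFC 2516): how the host and access concentrator (AC)
agree on the SESSION_ID, and where the 1492-byte MTU comes from.
Added example; all names and values below are constructed."""
import struct

# Discovery-stage CODE values and TAG types from RFC 2516
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0103, 0x0104
VER_TYPE = 0x11            # VER=1 and TYPE=1 packed into one byte
PPPOE_HDR = 6              # ver/type, code, session_id, length
PPP_PROTO = 2              # PPP protocol field inside the session payload


def pppoe_mtu(link_mtu=1500):
    """Why 'ip mtu 1492': 1500 minus the 6-byte PPPoE header and 2-byte PPP field."""
    return link_mtu - PPPOE_HDR - PPP_PROTO


def build(code, session_id, tags):
    """Encode a discovery frame: header, TAG list, End-Of-List tag."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    payload += struct.pack("!HH", TAG_END, 0)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(payload)) + payload


def parse(frame):
    """Return (code, session_id, {tag: value}); reject malformed frames."""
    if len(frame) < PPPOE_HDR:
        raise ValueError("truncated PPPoE header")
    vt, code, sid, length = struct.unpack("!BBHH", frame[:PPPOE_HDR])
    if vt != VER_TYPE:
        raise ValueError("unsupported VER/TYPE %#x" % vt)
    payload = frame[PPPOE_HDR:PPPOE_HDR + length]
    if len(payload) != length:
        raise ValueError("LENGTH field runs past end of frame")
    tags, off = {}, 0
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if ttype == TAG_END:
            break
        if off + tlen > len(payload):
            raise ValueError("TAG_LENGTH runs past payload")
        tags[ttype] = payload[off:off + tlen]
        off += tlen
    return code, sid, tags


class AccessConcentrator:
    """Minimal AC: answers PADI with PADO, and PADR with a PADS carrying a new SESSION_ID.
    Name, cookie and starting session ID are constructed values."""

    def __init__(self, name=b"dslam-1", cookie=b"\x0b\xad\xca\xfe"):
        self.name, self.cookie, self.next_sid = name, cookie, 0x1234

    def handle(self, frame):
        code, sid, tags = parse(frame)
        echo = [(TAG_SERVICE_NAME, tags.get(TAG_SERVICE_NAME, b"")),
                (TAG_HOST_UNIQ, tags.get(TAG_HOST_UNIQ, b""))]
        if code == PADI and sid == 0:
            return build(PADO, 0, echo + [(TAG_AC_NAME, self.name), (TAG_AC_COOKIE, self.cookie)])
        if code == PADR and sid == 0 and tags.get(TAG_AC_COOKIE) == self.cookie:
            sid, self.next_sid = self.next_sid, self.next_sid + 1
            return build(PADS, sid, echo)
        return None


def discover(ac, host_uniq=b"\xde\xad\xbe\xef"):
    """Host side: PADI -> PADO -> PADR -> PADS; returns the negotiated SESSION_ID."""
    pado = ac.handle(build(PADI, 0, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)]))
    if pado is None:
        raise ValueError("no PADO received")
    code, sid, tags = parse(pado)
    # Host-Uniq must echo back: offers that do not match answer someone else's PADI
    if code != PADO or sid != 0 or tags.get(TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("ignoring PADO that does not answer our PADI")
    padr = build(PADR, 0, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq),
                           (TAG_AC_COOKIE, tags[TAG_AC_COOKIE])])
    code, sid, tags = parse(ac.handle(padr))
    if code != PADS or sid == 0 or tags.get(TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("bad PADS")
    return sid


if __name__ == "__main__":
    sid = discover(AccessConcentrator())
    print("SESSION_ID=%#06x, dialer ip mtu=%d" % (sid, pppoe_mtu()))
```

The session ID is 0 throughout discovery and only becomes non-zero in the PADS; every later session-stage frame (ethertype 0x8864) carries it in the same 6-byte header, which is the 6 bytes (plus the 2-byte PPP protocol field) that the `ip mtu 1492` line accounts for.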

IPSec Crib Notes

IPSec

*** Theory ***

  • VPNs
    • Data origin authentication, e.g. AH, ESP
    • Encryption
      • (S) Symmetric encryption – Same key for encryption/decryption. Aka secret key.
      • (A) Asymmetric encryption – 2 keys, public and private. Encrypt with public, decrypt with private. Private always stays local.
      • DH – Allows the exchange of secret keys over a non-secure connection
        • (S) DES is 56-bit
        • (S) 3DES is 3 DES keys on top of each other. So 3 x 56 = 168-bit (really 112)
        • (A) AES is the best.
    • Data integrity – AH, ESP
    • Anti-replay – AH, ESP
      • Mitigated via the sequence number on the packet.
    • GRE – Encapsulates the packet in an IP header. Has no encryption. GRE is multiprotocol; IPSec is really IP only, so GRE over IPSec makes sense. Can use GRE to send routing protocols over IPSec etc. GRE encaps first, then IPSec encaps
    • L2TP/PPTP – No encryption
    • IPSec – Earlier versions could not carry multicast traffic.
      • Tunnel Mode – Transparent to the end host
      • Transport Mode
      • AH (protocol 51) – Method for authenticating and securing data (protects the payload of the packet). AH has less overhead than ESP
      • ESP (protocol 50) – Authenticates, secures and encrypts. Preferred over AH
      • IKE (UDP 500) – Negotiates the security parameters and authentication keys
        • Phase 1 – Agreement on methods to exchange data aka SA (Security Association). 1 SA per tunnel.
          • Aggressive Mode – Faster, but not encrypted. 3 messages
          • Main Mode – 6 messages. R1 “DES or 3DES? MD5 or SHA?” R2 “DES and MD5 please” etc. DH keys, authenticate
        • Phase 1.5 – Known as XAUTH, for security
        • Phase 2 – 2 SAs per 1 tunnel.
          • Quick Mode – 3 messages
        • Crypto Access List – Defines the interesting traffic that starts the IKE / IPSec process
          • Steps on a Cisco router
            • 1) Create ISAKMP policy
            • 2) Create IPSec transform set
            • 3) Define interesting traffic with a crypto access-list
            • 4) Create crypto map and apply to interface
        • Dead Peer Detection (DPD) – Keepalive for IPSec. Sends a hello every 10 seconds unless it receives a hello from the peer. This means overhead because of encryption/decryption. Can use on-demand, where the router sends a DPD hello only prior to sending data to the peer.
        • Troubleshooting
          • MM_NO_STATE – Phase 1 attribute mismatch
          • MM_KEY_EXCH – Incorrect pre-shared key or peer IP address
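An added example (not from these notes) of the anti-replay check that the AH/ESP sequence number enables, implemented as the 64-packet sliding window scheme of RFC 4303 Appendix A. The arrival order in `run_sample()` is constructed so that a late-but-in-window packet is accepted while a duplicate and a too-old packet are rejected.

```python
"""IPsec anti-replay check (AH/ESP sequence numbers) as a sliding window,
after the scheme in RFC 4303 Appendix A. Added example with a constructed
packet sequence; not from the original notes."""


class AntiReplayWindow:
    """Track the highest sequence number seen plus a bitmap of the W most recent."""

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.last = 0          # highest authenticated sequence number so far
        self.bitmap = 0        # bit i set => seq (last - i) already received
        self.stats = {"accepted": 0, "replay": 0, "too_old": 0, "zero": 0}

    def check(self, seq):
        """Return True if seq is fresh and the packet should be accepted.

        Call this only after the packet's ICV has verified: advancing the
        window on an unauthenticated packet would let a forger wedge it
        past legitimate traffic."""
        if seq == 0:                       # 0 is never a valid sequence number
            self.stats["zero"] += 1
            return False
        if seq > self.last:                # newer than anything seen: slide the window
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            self.stats["accepted"] += 1
            return True
        offset = self.last - seq
        if offset >= self.size:            # older than the window can remember
            self.stats["too_old"] += 1
            return False
        if self.bitmap & (1 << offset):    # already received: replay
            self.stats["replay"] += 1
            return False
        self.bitmap |= 1 << offset         # late but within the window: accept once
        self.stats["accepted"] += 1
        return True


def run_sample(window=64):
    """Feed a constructed arrival order and return (verdict list, stats)."""
    w = AntiReplayWindow(window)
    # 6 repeated = replay; 70 jumps ahead; 5 is then 65 back = too old;
    # 8 arrives late but still inside the window; 70 repeated = replay
    arrivals = [1, 2, 3, 5, 4, 7, 6, 6, 70, 5, 8, 71, 70, 9]
    verdicts = [w.check(seq) for seq in arrivals]
    return verdicts, w.stats


if __name__ == "__main__":
    verdicts, stats = run_sample()
    print(verdicts)
    print(stats)
```

The window is what makes reordering tolerable without opening a replay hole: a packet may arrive out of order as long as it is within 64 of the newest authenticated sequence number and has not been seen before. A receiver that logs the `replay` and `too_old` counters per SA has a cheap signal for either a misbehaving path or an attempted replay.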

MPLS Crib Notes

MPLS

*** Theory ***

  • Nutshell – Tags packets so fewer layer 3 / route-table lookups are needed. Can run in frame mode or cell (ATM) mode
  • Edge LSR (entry / exit points) – Performs a routing lookup, assigns a label and then sends to an LSR. At the exit edge LSR a label lookup is done, only to realise there is no further label, so the label is popped and then an IP lookup is done to send the packet on its way. These routers should be powerful. Also handles labelled and non-labelled networks
    • PHP – Instead of the exit edge LSR doing 2 lookups, we can make it more efficient by having it request that the neighbouring (penultimate hop) LSR pops the label instead, so that it only has to do an IP lookup
  • LSR – Uses the label put on by the edge LSR to route to the next hop. No need to do a route lookup. Does a label lookup then a label swap
  • Label – Locally significant and identifies the FEC. It is inserted between the L2 and L3 headers (aka layer 2.5). Local significance means multiple interfaces on the same router can use the same label values. The label has 4 fields:
    • Label (20 bits)
    • Experimental / CoS (3 bits) – Class of service
    • TTL (8 bits) – Time to live
    • BOS (Bottom of stack, 1 bit)
  • FEC – Forwarding Equivalence Class – Group of packets that is forwarded to the same next-hop IP address and assigned the same level of treatment (QoS etc.). Or is forwarded based on the following: interface, IP precedence or DSCP, source IP, source or destination port etc.
  • Label Stack – Packet with more than 1 label. Typically used in MPLS VPNs to form encapsulations
  • Pre-process – A label is bound to each route prefix. This is then shared with downstream MPLS routers using LDP, TDP, RSVP etc.
  • Process – E-LSR performs an IP lookup then assigns a label (push). LSR looks up its label table, swaps the label to match the downstream router and then forwards (swap). Exit E-LSR removes (pops) the label and sends to the customer. If an LSR has 2 potential next hops, the LSR performs a label lookup in its LFIB, which resides in the data plane. It sees what the next-hop router has assigned as its label value and then places that value instead of its own when sending (swap)
    • Dropped packets – If a labelled packet comes in and has no entry in the LFIB it is dropped. Exception:
      • Interim Packet Propagation – The time between a labelled packet arriving and the LSR having an entry in the LFIB for that label. In this case the packet uses CEF. If there is no entry in the FIB either, the packet is finally dropped
  • Control Plane – Takes care of the routing table. Label bindings are exchanged here. A label binding allows LSR1 to know what label LSR2 is expecting. The control plane also runs the routing protocols.
    • LIB – Stores the bindings between local labels and FECs. Built via LDP/TDP. Sends these bindings to neighbours
    • Routing Protocols
    • LDP UDP 646 (industry standard and most popular) – An interface can run both LDP and TDP.
    • TDP TCP 711 (Cisco – being phased out) – Carries label information between LSRs
    • RSVP – Reserves bandwidth end-to-end for traffic engineering
  • Data / forwarding Plane – Handles forwarding of the traffic. Forwards by label or address. It is a copy of the routing table, just in a different format
    • FIB – Has route-table-like information and is built via the IGP
      • Distributed CEF – Uses multiple routers for CEF!
    • LFIB – Built by both the IGP and LDP/TDP and performs the actual forwarding of labelled packets
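The 4-field label, the label stack and the push/swap/pop process above, as an added Python example that is not from these notes: the routers PE1/P1/P2/PE2, the labels 100/200 and the prefix 10.1.0.0/16 are constructed, and PE2 is assumed to have advertised the implicit-null label (3) so that P2 performs PHP. A label with no LFIB entry is dropped, as in the Dropped packets note above (the interim CEF fallback is not modelled).

```python
"""MPLS shim header (RFC 3032) encode/decode and a walk along a label-switched
path: ingress push, core swap, penultimate-hop pop (PHP), egress IP lookup.
Added example; the topology, labels and prefixes are constructed."""
import ipaddress
import struct

IMPLICIT_NULL = 3   # reserved label: "pop for me" request that enables PHP


def encode_label(label, exp=0, bos=1, ttl=64):
    """Pack the 4 fields of one stack entry: Label(20) | EXP(3) | BOS(1) | TTL(8)."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and bos in (0, 1) and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def decode_stack(header):
    """Split a wire header into its entries, stopping at the one with BOS=1."""
    entries, off = [], 0
    while True:
        if off + 4 > len(header):
            raise ValueError("label stack runs past end of header")
        word, = struct.unpack("!I", header[off:off + 4])
        entries.append({"label": word >> 12, "exp": (word >> 9) & 7,
                        "bos": (word >> 8) & 1, "ttl": word & 0xFF})
        off += 4
        if entries[-1]["bos"]:
            return entries, header[off:]   # remaining bytes are the IP packet


# Constructed topology:  CE1 - PE1 - P1 - P2 - PE2 - CE2, customer prefix behind CE2
FIB = {                      # prefix -> (next hop, label to push, or None for plain IP)
    "PE1": {"10.1.0.0/16": ("P1", 100)},
    "PE2": {"10.1.0.0/16": ("CE2", None)},
}
LFIB = {                     # incoming label -> (outgoing label, next hop)
    "P1": {100: (200, "P2")},
    "P2": {200: (IMPLICIT_NULL, "PE2")},   # PE2 advertised implicit-null for 10.1.0.0/16
}


def ip_lookup(router, dst):
    """Longest-prefix match in the router's FIB."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, target in FIB[router].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        raise LookupError(f"{router}: no route to {dst}")
    return best[1]


def lsr_step(router, dst, stack):
    """One hop: return (operation, next_hop, stack); next_hop None => stopped here."""
    if not stack:                                   # unlabelled: FIB lookup (CEF)
        nh, label = ip_lookup(router, dst)
        if label is None:
            return f"ip lookup -> {nh}", None, stack   # delivered toward the customer
        return f"push {label}", nh, [label] + stack
    top = stack[0]
    if top not in LFIB.get(router, {}):             # no binding: packet is dropped
        return f"drop: no LFIB entry for {top}", None, stack
    out, nh = LFIB[router][top]
    if out == IMPLICIT_NULL:                         # PHP: pop so egress does one IP lookup
        return f"pop {top}", nh, stack[1:]
    return f"swap {top}->{out}", nh, [out] + stack[1:]


def forward(dst, ingress="PE1"):
    """Walk the packet hop by hop; returns [(router, operation), ...]."""
    trace, router, stack = [], ingress, []
    while router is not None:
        op, nxt, stack = lsr_step(router, dst, stack)
        trace.append((router, op))
        router = nxt
    return trace


if __name__ == "__main__":
    for hop in forward("10.1.2.3"):
        print("%-4s %s" % hop)
    # Two-entry stack as an MPLS VPN would carry it: BOS=0 on the outer, BOS=1 on the inner
    wire = encode_label(100, bos=0) + encode_label(16, exp=5, bos=1, ttl=63) + b"\x45\x00\x00\x14"
    print(decode_stack(wire))
```

Note that P1 and P2 never consult the FIB: once the ingress has pushed a label, every core hop is a single LFIB lookup keyed on the locally significant incoming label, and the implicit-null binding from PE2 is what turns P2's swap into a pop.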

  • LSP – Label Switched Path – The path the packet takes
  • Configuration – Must have CEF enabled. MTU should be changed to 1512. Enable MPLS per interface using mpls ip
  • Before MPLS VPNs
    • Peer to peer – Client sends routes to the ISP edge router and that router shares them with all the other ISP routers. E.g. customer to edge is IGP, then route redistribution into BGP to share with the other routers
      • Bad – Can cause routing loops and customers with overlapping subnets
    • Overlay – Provides VCs but no routing services, e.g. Frame Relay

  • MPLS VPNs – Allows MPLS for multiple customers sharing the same ISP routers
    • VRF – Virtual Routing & Forwarding table – 1 route table instance per customer = avoids overlapping subnets from different customers.
    • RD – Route Distinguisher – Unique 64 bits attached to the IP prefix (vpnv4 prefix) and carried by MP-BGP on PE routers. So any overlapping subnets get a unique prefix, which mitigates the problem
    • BGP – Has an attribute called RT (Route Target), assigned to the vpnv4 prefix

  • MTU – Must be set to the following, otherwise frames could be seen as jumbo or giant frames, which are dropped or fragmented.
    • PPPoE = 1492
    • .1Q = 1496
    • Ethernet = 1500
    • MPLS = 1504
    • MPLS VPN = 1508 (as two labels are used)
    • MPLS VPN + TE = 1512
    • Good practice for MPLS = 1512