Chapter 8

Security and Performance Management

Terms you’ll need to understand:

✓ IP access control lists

✓ Authentication

✓ Authorization

✓ Accounting

✓ Remote Authentication Dial-In User Service (RADIUS)

✓ Terminal Access Controller Access Control System (TACACS)

✓ Private Internet Exchange (PIX) Firewalls

✓ Demilitarized zones (DMZ)

✓ Encryption

✓ Weighted Fair Queuing (WFQ)

✓ Priority queuing

✓ Custom queuing

Techniques you’ll need to master:

✓ Describing why security and traffic filtering is important on Cisco routers

✓ Determining the proper placement of Access Control Lists to efficiently filter traffic

✓ Understanding the characteristics of AAA, RADIUS, and TACACS

✓ Knowing the queuing methods available on Cisco routers


This chapter focuses on methods that can be used to provide you with a secure network. The aim of this chapter is to familiarize you with common security options and performance management queuing methods. This chapter covers the following CCIE blueprint objectives as determined by the Cisco Systems CCIE program:

Security—Authentication, Authorization, and Accounting (AAA); Terminal Access Controller Access Control System (TACACS); RADIUS; PIX firewalls; demilitarized zones (DMZ); encryption; public/private keys; Data Encryption Standard (DES)

Access Lists—Standard access lists and extended access lists, to include where and how to place and design them

Performance Management—Traffic management queuing, Weighted Fair Queuing (WFQ), Resource Reservation Protocol (RSVP), traffic shaping, load balancing

As with other chapters in this book, additional information is provided for completeness and in preparation for additional subjects as the CCIE Program expands.

Basic Network Security

Network security is one of the primary concerns in today’s networks. Many businesses must protect sensitive data from competitors or financial details from unauthorized personnel. A good security policy protects your network against corruption, failure, and compromised data.

Cisco IOS provides a number of security features, including the following:

➤ Authentication, Authorization, and Accounting (AAA)

➤ Support for security server protocols, including RADIUS, TACACS, Extended TACACS, and TACACS+

➤ Traffic-filtering options using access lists

➤ Firewalls and DMZs

➤ Network data encryption

All the security methods described in this chapter are designed to stop unauthorized access to your router network. This section covers the security methods outlined in the preceding list, beginning with a discussion of Access Control Lists.


Standard and Extended IP Access Lists

Standard and extended access lists are used to filter IP traffic. An access list is basically a set of permit or deny statements. Standard access lists are used to control IP traffic based on the source address only. Extended access lists can filter on source and destination addresses. Extended access lists can also be used to filter on specific protocols and port numbers. Let’s look at how a Cisco router handles access lists.

Access Lists on Cisco Routers

By default, a Cisco router permits all IP and TCP traffic unless an access list is defined and applied to the appropriate interface. Figure 8.1 illustrates the steps taken if an access list is configured on a Cisco router.

If an incoming packet is received on a router and no access list is defined, the packet will be forwarded to the IP routing software. If an access list is defined and applied, the packet will be checked against the list, and the appropriate permit or deny action will be taken. The default action taken by any access list is to permit any explicitly defined statements and then to deny everything else.

Note: If the keyword out or in is not supplied by the administrator when applying an IP filter to an interface, the default action is to apply the filter to outbound traffic.

Standard IP Access Lists (1 through 99)

As mentioned earlier in this chapter, standard IP access lists are used for filtering on the source address only. The Cisco IOS syntax is as follows:

access-list access-list-number {deny | permit} source [source-wildcard]

Figure 8.1 Access list decision taken by a Cisco router. (Flowchart: an incoming packet is checked for "Access list configured?"; No leads to "Process packet", Yes leads to "Is packet permitted?"; Yes leads to "Process packet", No leads to "Drop packet".)

The following describes the purpose of each field:

access-list-number—A number from 1 through 99 that defines a standard access list number. IOS 12.0 and later also have standard access lists ranging from 1300 through 1999.

deny—IP packet will be denied if a match is found.

permit—IP packet will be permitted if it matches the criteria as defined by the administrator.

source—Source IP address or network. Any source address can be applied by using the keyword any.

source-wildcard (optional)—Wildcard mask that is to be applied to the source address. This is an inverse mask, which is further explained with a few examples later in this section. The default is 0.0.0.0, which specifies an exact match.

After applying the access-list command as described in the preceding text, you must apply the access list to the required interface using the following command:

ip access-group {access-list-number | name} {in | out}

The following describes the purpose of each field:

access-list-number—A number in the range from 1 through 99 that defines a standard access list number.

name—If you are using named access lists, then that name will be referenced here.

in—Keyword that designates the access list as an inbound packet filter.

out—Keyword that designates the access list as an outbound packet filter. This is the default action.

The wildcard mask mentioned earlier in the access-list command is used to match the source address. When a wildcard mask bit is binary 0, the corresponding bit of the address must match; when it is binary 1, the router does not care whether that bit matches. For example, the mask 0.0.255.255 means that the first two octets must match but the last two octets do not need to match. Hence the commonly used phrases care bits (0’s) and don’t care bits (1’s).

For further clarification, let’s look at some examples of using access lists.

For further clarification, let’s look at some examples of using access lists.


Suppose you have found a faulty NIC with the address 141.108.1.99/24. You have been asked to stop packets from being sent out Serial 0 on your router but to permit everyone else. In this situation, you need to deny the host address 141.108.1.99 and permit all other host devices. The following access list would fulfill this requirement:

access-list 1 deny 141.108.1.99 0.0.0.0
access-list 1 permit 141.108.1.0 0.0.0.255

Next, you would apply the access list to filter outbound (the keyword out is supplied) IP packets on the Serial 0 interface, like this:

interface Serial0
 ip access-group 1 out

Let’s look at a more complex example of using a standard access list. In this example, suppose you have 16 networks ranging from 141.108.1.0 to 141.108.16.0, as shown in Figure 8.2. You have assigned even subnets to the Accounting department and odd subnets to Sales. You do not want the Sales department to access the Internet, as shown in Figure 8.2. To solve this issue, you configure a standard access list. Figure 8.2 displays a simple requirement to block all odd networks from accessing the Internet.

Figure 8.2 Standard access list example. (Cisco 7500 router R1 connects to the Internet through interface S0/0. The odd networks 141.108.1.0, 141.108.3.0, ... 141.108.15.0 belong to the Sales department, which is denied Internet access; the even networks 141.108.2.0, 141.108.4.0, ... 141.108.16.0 belong to the Accounting department.)

You could configure the router to deny all the odd networks, but that would require many configuration lines.

Note: Access lists are CPU-process intensive because the router has to go through every entry in the access list for each packet until a match is made. If you wish to determine the actual effect an access list has on your router, compare the CPU processes before and after activating the access list, and check on a regular basis in order to see the big picture.

Instead, let’s say that you permit only even networks with one configuration line. To accomplish this, you need to convert all networks to binary to see if there is any pattern that you can use in the wildcard mask. Table 8.1 displays the numbers 1 through 16 in both decimal and binary format.

Notice that odd networks always end in the binary value of 1 and even networks end with 0. Therefore, you can apply your access list to match on the even networks and deny everything else. Even numbers will always end in binary 0. You do not care about the first seven bits, but you must have the last bit set to 0. The wildcard mask that will apply this condition is 11111110, which converts to the decimal value 254. Hence, the following access list will only permit even networks:

access-list 1 permit 141.108.2.0 0.0.254.255

The preceding access list will match networks 2, 4, 6, 8, 10, 12, 14, and 16 in the third octet. The default action is to deny all else, so only even networks will be allowed and odd networks will be blocked by default. Next, you would apply the access list to the outbound interface. Listing 8.1 describes the full configuration.

Table 8.1 Example calculation of numbers in binary.

Decimal   Binary
1         00000001
2         00000010
3         00000011
4         00000100
5         00000101
6         00000110
7         00000111
8         00001000
9         00001001
10        00001010
11        00001011
12        00001100
13        00001101
14        00001110
15        00001111
16        00010000

Let’s take a minute to briefly review inverse masks. Assume that you want to let in a certain number of hosts. If we were routing to these hosts, we would define the hosts as 150.124.10.0 255.255.255.240. To use the same limits in an access list, we would take the subnet mask and subtract it from 255.255.255.255 as follows:

255.255.255.255 minus 255.255.255.240 equals 0.0.0.15

Listing 8.1 Access list example.

access-list 1 permit 141.108.2.0 0.0.254.255
!
interface Serial0/0
 ip access-group 1 out
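The wildcard-mask arithmetic behind the even-network entry and the inverse-mask subtraction above, as an added example that is not part of the book. It also generalizes the binary-pattern trick: derive_entry() takes any list of networks that must match and computes the base address and wildcard that cover them (the networks and masks below are the chapter's own; the function names are this example's).

```python
# Added example, not from the book: wildcard-mask arithmetic for standard
# IP access lists, applied to the 141.108.1.0 to 141.108.16.0 example.
import ipaddress


def to_int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def inverse_mask(subnet_mask: str) -> str:
    """Wildcard (inverse) mask = 255.255.255.255 minus the subnet mask."""
    return to_str(0xFFFFFFFF - to_int(subnet_mask))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """0 bits in the wildcard are 'care' bits and must equal the base;
    1 bits are 'don't care' bits and are ignored."""
    return (to_int(addr) ^ to_int(base)) & ~to_int(wildcard) & 0xFFFFFFFF == 0


def matched_networks(base: str, wildcard: str, lo: int = 1, hi: int = 16):
    """Third octets n in lo..hi for which 141.108.n.0 matches the entry."""
    return [n for n in range(lo, hi + 1)
            if wildcard_match(f"141.108.{n}.0", base, wildcard)]


def derive_entry(networks):
    """General form of the binary-pattern trick in the text: every bit that
    differs between any two wanted networks becomes a 'don't care' bit.
    Returns (base, wildcard); the base has its don't-care bits cleared."""
    ints = [to_int(n) for n in networks]
    wildcard = 0
    for x in ints[1:]:
        wildcard |= ints[0] ^ x
    base = ints[0] & ~wildcard & 0xFFFFFFFF
    return to_str(base), to_str(wildcard)


if __name__ == "__main__":
    print("/28 inverse mask:", inverse_mask("255.255.255.240"))
    print("0.0.254.255 matches:", matched_networks("141.108.2.0", "0.0.254.255"))
    evens = [f"141.108.{n}.0" for n in range(2, 17, 2)]
    print("derived entry for the even networks:", derive_entry(evens))
```

derive_entry() returns the tightest wildcard for the listed networks (0.0.30.0 for the eight even /24s), which is narrower than the chapter's 0.0.254.255 but matches the same eight networks in the 1 through 16 range.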

Extended Access Lists

Extended access lists range from 100 through 199; the expanded range, 2000 through 2699, is available in IOS 12.0 and later. Alternatively, you can use a named access list with IOS 12.0 or later. As mentioned earlier in this chapter, extended access lists can filter on both source and destination addresses as well as on protocol types and port numbers. Let’s look at some examples of extended access lists that will allow you to filter several different types of traffic:

For Internet Control Message Protocol (ICMP), you can also use the syntax
shown in Listing 8.2.

Listing 8.2

Access list for ICMP traffic.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]

For Internet Group Management Protocol (IGMP), you can use the syntax shown
in Listing 8.3.


Listing 8.3

Access list for IGMP traffic.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log]

For TCP, you can use the syntax shown in Listing 8.4.

Listing 8.4

Access list for TCP traffic.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]

For User Datagram Protocol (UDP), you can use the syntax shown in Listing 8.5.

Listing 8.5

Access list for UDP traffic.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log]

As you can see, extended access lists have a range of options to suit any requirement. The most commonly used extended access list options are:

access-list-number—Provides a number ranging from 100 through 199 that defines an extended access list.

deny—Denies access if the conditions are matched.

permit—Permits access if the conditions are matched.

protocol—Specifies the protocol you are filtering. Some common options include eigrp, gre, icmp, igmp, igrp, ip, ospf, tcp, and udp.

source—Specifies the source address.

source-wildcard—Specifies the wildcard mask.

destination—Identifies the destination network.

destination-wildcard—Identifies the destination mask.

You should be able to demonstrate your understanding of standard and extended access lists. You are not expected to memorize the available options in an extended access list. The options are provided in this chapter for your reference only. When constructing access lists, the built-in help feature is extremely helpful.


The example in Listing 8.6 permits SMTP, Domain Naming System (DNS) packets, ICMP echo and echo replies, OSPF, and BGP packets. (BGP runs over TCP using port 179.) In Listing 8.6, the access list numbered 100 is not concerned about specific host addresses or networks, but rather ranges of networks.

Listing 8.6 Extended access list example.

access-list 100 permit tcp any any eq smtp
! Permits Simple Mail Transfer Protocol
access-list 100 permit udp any any eq domain
! Permits DNS queries
access-list 100 permit icmp any any echo
! Permits ICMP ping requests
access-list 100 permit icmp any any echo-reply
! Permits ICMP replies
access-list 100 permit ospf any any
! Permits OSPF packets
access-list 100 permit tcp any any eq bgp
! Permits BGP to any device

In Listing 8.6, the any keyword is shorthand for 0.0.0.0 255.255.255.255, which means that the address of the device is irrelevant. If any IP packet arrives at the router and does not match the specified criteria, the packet will be dropped.
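The top-down, first-match evaluation of Listing 8.6 (including the implicit deny at the end of every list) as an added example that is not part of the book. The entries are the listing's own; the Packet class, the parser and the port table are this example's, and only the options the listing uses are parsed.

```python
# Added example, not from the book: a first-match evaluator for the extended
# access list in Listing 8.6, including the implicit "deny everything else".
import ipaddress
from dataclasses import dataclass

# Port keywords as IOS prints them in the listing.
PORTS = {"smtp": 25, "domain": 53, "bgp": 179}

# Constructed copy of Listing 8.6; comment lines ("!") are skipped.
LISTING_8_6 = """
access-list 100 permit tcp any any eq smtp
! Permits Simple Mail Transfer Protocol
access-list 100 permit udp any any eq domain
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit ospf any any
access-list 100 permit tcp any any eq bgp
"""


@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp", "ospf", ...
    src: str
    dst: str
    dport: int = 0        # TCP/UDP destination port
    icmp_type: str = ""   # "echo" or "echo-reply" for ICMP


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match the base, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


def _address(tokens, i):
    """'any' is shorthand for 0.0.0.0 255.255.255.255."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2


def parse_entry(line: str) -> dict:
    """Parse 'access-list N {permit|deny} proto src dst [eq port | icmp-type]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    number, action, proto = int(t[1]), t[2], t[3]
    src, i = _address(t, 4)
    dst, i = _address(t, i)
    rest = t[i:]
    dport = icmp_type = None
    if rest[:1] == ["eq"]:
        dport = PORTS.get(rest[1]) or int(rest[1])
    elif rest and proto == "icmp":
        icmp_type = rest[0]
    return {"number": number, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport, "icmp_type": icmp_type}


def parse_acl(text: str) -> list:
    return [parse_entry(l) for l in text.splitlines()
            if l.strip() and not l.startswith("!")]


def entry_matches(e: dict, p: Packet) -> bool:
    if e["proto"] != "ip" and e["proto"] != p.proto:
        return False
    if not (wildcard_match(p.src, *e["src"]) and wildcard_match(p.dst, *e["dst"])):
        return False
    if e["dport"] is not None and p.dport != e["dport"]:
        return False
    if e["icmp_type"] is not None and p.icmp_type != e["icmp_type"]:
        return False
    return True


def evaluate(acl: list, p: Packet) -> str:
    """Entries are checked top down and the first match decides; a packet
    that matches nothing hits the implicit deny at the end of every list."""
    for e in acl:
        if entry_matches(e, p):
            return e["action"]
    return "deny"


ACL_100 = parse_acl(LISTING_8_6)

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.1.1", "10.2.2.2", dport=179),
                Packet("tcp", "10.1.1.1", "10.2.2.2", dport=23),
                Packet("icmp", "10.1.1.1", "10.2.2.2", icmp_type="unreachable")):
        print(pkt, "->", evaluate(ACL_100, pkt))
```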

The Cisco CD documentation provides additional quality examples of access
lists. You should take some time to study Cisco’s examples. For further informa-
tion, see the “Need to Know More” section at the end of this chapter.

Authentication, Authorization, and Accounting (AAA)

AAA provides a method used to identify which users are logged into a router and
each user’s authority level. AAA also provides the capability to monitor user ac-
tivity and provide accounting information.

To start AAA on a Cisco router, you issue the aaa new-model IOS
command.

Let’s now define what Authentication, Authorization, and Accounting are, with a common example on a Cisco router for each.

Authentication

Authentication allows administrators to identify who can connect to a router by requiring the user’s user name and password. Normally, when a user connects to a router remotely via Telnet, the user only needs to supply a password and the administrator has no way of knowing the user’s user name. With AAA authentication, whenever a user logs on, the user must enter a user name and password pair (which has been assigned by the administrator).

The following code snippet shows an example of a remote user accessing an AAA-
configured Cisco router:

User Access Verification

Username: benjamin

Password: xxxxxxxx

San-Fran>

As you can see in the preceding code, the user must enter a valid username and
password to gain access to the router. Typically, there is a database that contains
the valid usernames that reside locally on the router or on a remote security server.

Authorization

Authorization comes into play after authentication. Authorization allows ad-
ministrators to control the level of access users have after they successfully gain
access to the router. Cisco IOS allows certain access levels (called privilege levels)
that control which IOS commands the user can issue. For example, a user with a
0 privilege level cannot issue any IOS commands. A user with a privilege level of
15 can perform all valid IOS commands. The local or remote security server can
grant access levels.

You can display your privilege level on a Cisco router with the show privilege command, as shown in the following code snippet:

R1#show privilege

Current privilege level is 15

Keep in mind that the higher the privilege, the more capabilities a user has with
the IOS command set.

Accounting

Accounting occurs after the authentication and authorization steps have been completed. Accounting allows administrators to collect information about users. Specifically, administrators can track which user logged into which router, which IOS commands a user issued, and how many bytes were transferred during a user’s session. For example, accounting enables administrators to monitor which routers have had their configurations changed. Accounting information can be collected by a router or by a remote security server. To display local accounting information on a Cisco router collecting accounting information, you issue the show accounting IOS command.

Note: You must use AAA if you intend to use RADIUS or TACACS security server
protocols.

After AAA is configured, you can use external security servers to run external
security protocols—such as RADIUS or TACACS—that will stop unauthorized
access to your network. Both RADIUS and TACACS can be implemented on
Cisco routers, so we’ll review these two protocols in the upcoming sections.

Remote Authentication Dial-In User Service (RADIUS)

RADIUS is a client-server based system that secures a Cisco network against
intruders. RADIUS is a protocol that is implemented in IOS that sends authen-
tication requests to a RADIUS server. A RADIUS server is a device that has the
RADIUS daemon or application installed. RADIUS must be used with AAA to
enable the authentication, authorization, and accounting of remote users.

When a RADIUS server authenticates a user, the following events occur:

➤ The remote user is prompted for a username and password.

➤ The username and password are encrypted and sent across the data network.

The RADIUS server accepts or rejects a user name and password pair. In some instances, a user might be asked to enter more information (this is called a challenge response). For example, if a user’s password has expired, a RADIUS server will prompt the user for a new password.

Let’s now examine the RADIUS configuration tasks required on a Cisco router.

Note: A RADIUS server is usually software that runs on a variety of platforms,
including Microsoft NT servers or a Unix host. RADIUS can be used to authenticate
router users, authenticate vendors, and even to validate IP routes.

Configuring RADIUS

The steps required to enable RADIUS are:

1. Use the aaa new-model command. AAA must be used with RADIUS.

2. Specify the RADIUS server with the radius-server host command.

3. Specify the password used between the router and the RADIUS server.

The following example displays the required configuration for a Cisco router to
authenticate users from the RADIUS server with the host address 10.99.34.50.
The password or key used between the router and RADIUS server is set to ccie:

radius-server host 10.99.34.50

radius-server key ccie
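What the shared key set with radius-server key actually does on the wire, as an added example that is not part of the book: the RADIUS client hides the User-Password attribute with an MD5 keystream derived from the key and the Request Authenticator (RFC 2865 section 5.2), and a server configured with a different key recovers garbage. The key ccie is the chapter's; the function names are this example's.

```python
# Added example, not from the book: User-Password hiding from RFC 2865 5.2,
# which is how the "radius-server key" protects the password in transit.
import hashlib
import os


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: pad the password with NULs to a multiple of 16 octets,
    then XOR each 16-octet block with MD5(secret + previous block), where
    the 'previous block' of the first block is the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block            # chaining uses the hidden block, not the plaintext
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream and strip the NUL padding
    (which is why a RADIUS password cannot end in a NUL octet)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def roundtrip(password: bytes, secret: bytes) -> bool:
    """Client and server share the key: the password survives the trip."""
    ra = os.urandom(16)     # fresh Request Authenticator per Access-Request
    return reveal_password(hide_password(password, secret, ra), secret, ra) == password


def key_mismatch_fails(password: bytes, secret: bytes, wrong: bytes) -> bool:
    """Server configured with a different key gets the wrong password."""
    ra = os.urandom(16)
    return reveal_password(hide_password(password, secret, ra), wrong, ra) != password


if __name__ == "__main__":
    print("shared key ccie:", roundtrip(b"s3cret!", b"ccie"))
    print("mismatched key:", key_mismatch_fails(b"s3cret!", b"ccie", b"ccna"))
```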


Please refer to the “Need To Know More?” section at the end of this chapter for
additional RADIUS references. Table 8.2 summarizes some useful RADIUS
commands.

To enable RADIUS to operate with AAA, you must use the keyword
radius when applying any AAA commands.

Now, let’s move on to TACACS, which is an alternative protocol to RADIUS.

Terminal Access Controller Access Control
System (TACACS)

Cisco IOS supports three versions of TACACS—TACACS, extended TACACS,
and TACACS+. All three methods authenticate users and deny access to users
who do not have a valid username and password pairing.

The first version of TACACS provides simple password verification and authen-
tication. Accounting is very limited in that only requests and denials are listed.
Next, extended TACACS replaced the first version of TACACS.

TACACS+, also referred to as TACACS plus, provides detailed accounting and
has to be used along with AAA (in other words, the aaa new-model command
must be enabled). TACACS+ supersedes the earlier releases of TACACS.

Table 8.2 Summary of common RADIUS commands.

Command                                     Description
radius-server retransmit <retries>          Indicates the number of retries a router will attempt before giving up.
radius-server timeout <seconds>             Indicates the number of seconds a router will wait before giving up on a response from the RADIUS server.
radius-server deadtime <minutes>            Specifies the number of minutes before a router will decide that the RADIUS server is unreachable.
ip radius source-interface <sub interface>  Specifies the interface for outgoing RADIUS packets.
radius-server host <ip address>             Specifies a remote RADIUS server. You can specify more than one.
radius-server key <password>                Specifies the password used between the router and the RADIUS server.

In general, TACACS provides a centralized security system that validates users from any remote location. Typically, TACACS runs on a Windows NT station or Unix operating system. When a TACACS server authenticates a user, the following events occur:

1. The remote user is prompted for a username and password.

2. The user name and password are sent across the data network and are authenticated.

3. The TACACS server accepts or rejects the username and password pair. The user might be asked to enter more information (this is called a challenge response). For example, a challenge response might appear when an error occurs during authentication. Further, a user might be prompted for additional information if TACACS is configured to require additional information.

Let’s now examine the TACACS+ configuration tasks required on a Cisco router.

TACACS+ requires AAA, but TACACS and extended TACACS cannot
use AAA.

Configuring TACACS+

The steps required to enable TACACS+ are:

1. Use the aaa new-model command. AAA must be used with TACACS+.

2. Specify the TACACS+ server with the tacacs-server host command.

3. Specify the authentication key used between the router and the TACACS+ server.

4. Finally, because TACACS+ must be used in conjunction with AAA, you must specify TACACS+ authentication, authorization, and accounting.

The following example displays the required configuration for a Cisco router to authenticate users from the TACACS+ server with the host address 10.99.34.50:

aaa new-model
aaa authentication enable default tacacs+
! Sets the router to use the TACACS+ server to authenticate the enable password
aaa authorization exec tacacs+
! Sets TACACS+ to authorize exec commands on the local router
aaa accounting exec start-stop tacacs+
! Accounting information is gathered for exec commands
tacacs-server host 10.99.34.50
tacacs-server key ccie


In the preceding example, the password or key used between the router and the TACACS+ server is set to ccie. You can set other configuration options to enable more complex AAA commands. Table 8.3 lists some useful TACACS+ commands.

Note: See the “Need to Know More?” section at the end of this chapter for more
references on TACACS examples.

TACACS+ vs. RADIUS

Comparing the two server protocols RADIUS and TACACS+ shows that both
require AAA to be enabled on a Cisco router (unless you use the older versions
of TACACS+, namely TACACS and extended TACACS). RADIUS and
TACACS+ both require a user name and password pair to obtain access. The
difference between the two protocols lies in the protocol itself and the fact that
TACACS+ is a centralized validation service while RADIUS is based on client-
server technologies.

Next, we’ll cover another common method of securing your network—using
firewalls.

Private Internet Exchange (PIX) Firewalls

The Private Internet Exchange (PIX) firewall prevents unauthorized connections between two or more networks. The latest release versions of Cisco code for the PIX firewall also perform many advanced security features, such as AAA services, access lists, FTP logging, and Cisco IOS-like interface commands. For a full description of all the features of a PIX firewall, refer to the “Need to Know More” section at the end of this chapter. The PIX firewall can also protect one or more networks from an outer, unprotected network. Further, the PIX firewall optionally supports multiple outside or perimeter networks, known as demilitarized zones (DMZs).

Note: When reading documentation surrounding PIX firewalls, realize that inside
networks and outside networks refer to networks that the PIX is connected to. For
instance, inside networks are protected by the PIX, and outside are where the bad
guys are. Consider them as trusted and untrusted, respectively.

Table 8.3 Summary of common TACACS+ commands.

Command                                     Description
ip tacacs source-interface <sub interface>  Specifies the interface for outgoing TACACS+ packets.
tacacs-server host <ip address>             Specifies a remote TACACS+ server.
tacacs-server key <password>                Specifies the authentication key used between a router and a TACACS+ server.


A PIX firewall permits a connection based on your security policy. For instance, you might allow Telnet sessions to be initiated from inside your network but not allow them to be initiated into your network from outside.

The PIX firewall’s popularity stems from the fact that it is solely dedicated to
security. A router is still required to connect to wide area networks, such as the
Internet. Some companies use PIX firewalls for internal use only where they
might have sensitive networks, such as payroll or human resources.

Figure 8.3 shows a typical network scenario where a PIX firewall is implemented
between an inside network and an outside network.

Note: Each connection through a PIX firewall requires memory. Depending on the amount of RAM installed on a PIX, you can support up to 260,000 connections with 128MB. 16MB can support up to 32,768 connections, and 32MB of memory can support up to 65,536 connections. This is also how a PIX is licensed.

Demilitarized zones (DMZ) usually exist as a part of a network that the Internet
community or the general public can access, such as a Web, FTP, or SMTP
servers. FTP servers, for instance, allow external users access to public files such
as Cisco IOS software available online at ftp.cisco.com. The final security option
we’ll look at is encryption.

Figure 8.3 PIX location. (The PIX firewall sits between the inside network, a DMZ holding an FTP server and an SMTP server, and the outside network, which reaches the Internet through an Internet router.)


Encryption

Encryption ensures that network data, such as IP packets, is not susceptible to intruders. Intruders may have protocol analyzers (or sniffer-like tools) that are able to view the traffic promiscuously. Encryption is used to stop intruders from using or modifying network traffic.

Cisco IOS provides measures that you can use to ensure that information shared between any two routers will not be read or corrupted by intruders. To take advantage of Cisco’s encryption features, a router administrator configures a peer connection between two routers. After this connection is established, network data will be encrypted along the route to the remote router. When network data is received, the data is decrypted with a public key. The public key is used to authenticate the correct router and enables the session to move to the next phase, which involves encrypting and decrypting network data. A public key essentially unlocks the door, which enables data to be restored to the proper format. The public key is essentially available to all who wish to use it. A private key performs the same functions as the public key, but it must be available only to authorized network administrators. Let’s view an exchange between two routers by referring to the routers displayed in Figure 8.4.

Referring to Figure 8.4, suppose the link between routers R1 and R2 is suscep-
tible to “unauthorized” network monitoring. To stop this possibility, you can en-
crypt the data that flows across the link and decrypt the data when it reaches
router R2.

Before we explain the process, you need to know about the Data Encryption Standard (DES). DES is a standard encryption method that is used to initiate and perform the encryption sessions. The Diffie-Hellman (DH) algorithm is the name given to the method used to exchange encryption keys, and DES performs the actual encryption using Digital Signature Standard (DSS), which also defines how a peer connection is set up.

Figure 8.4 Network layer encryption. (Router R1 on an FDDI ring and router R2 on a Token Ring carry clear data on their LANs; the link between them carries encrypted data, and a possible intruder who can look at the network layer sits on that link.)

Network data encryption is supported in IOS release 11.2 and later.

We’ll now examine the steps required to enable encryption on a Cisco router.

Configuring Network Data Encryption

The following steps are required to allow two Cisco routers to encrypt data:

1. Generate private/public keys. One router sends the other router the key (between these two routers exists a connection that will be encrypted). The key is then used to unlock the encrypted data. Without a key, encrypted data will not be readable.

2. Exchange keys. This task involves a phone conversation between two network administrators. The phone call is used to provide the DSS private/public key. These are the required keys to unlock the encrypted data.

3. Enable DSS encryption. This is the algorithm used to encrypt data. Cisco IOS supports a number of encryption algorithms. The administrator must pick one of the following Cisco IOS supported algorithms:

➤ DES with 8-bit Cipher FeedBack (CFB)

➤ DES with 64-bit CFB

➤ 40-bit variation of DES with 8-bit CFB

➤ 40-bit variation of DES with 64-bit CFB

4. Define which interface will run encryption. This tells the router to perform network layer encryption on the required interface, typically a WAN interface.

To view detailed examples of how encryption is performed on a Cisco router,
please refer to the references listed in the “Need to Know More?” section at the
end of this chapter.

Cisco CCIE program managers are constantly updating the CCIE
blueprint objectives. From time to time, new technologies are added,
such as network data encryption or voice over IP. A general under-
standing of the principles, such as those shown here, is valuable for
CCIE candidates.

Next, we’ll focus our attention on performance management methods that you can use to control traffic and queuing.

Performance Management

Cisco IOS enables you to control traffic by allowing you to specify which types of
traffic should be granted higher priority over other protocols. The three traffic-
management options include:

➤ Weighted fair queuing (WFQ)

➤ Priority queuing

➤ Custom queuing

The preceding methods can be used to prioritize the traffic that passes through a
router. Table 8.4 summarizes the three main queuing strategies. In the next few
sections, we’ll take a more detailed look at each queuing method.

The need to prioritize traffic has been brought about by the large mix of protocols in use today. Some networks might carry AppleTalk, IPX, DECnet, OSI, and, of course, IP, so there is a strong desire to ensure that the most critical applications get serviced by a router as soon as possible.

Weighted Fair Queuing (WFQ)

WFQ is the default queuing method on all Cisco routers with link speeds of less than 2.048MB. This method ensures that bulk data flow does not overwhelm interactive data flow. High-volume traffic is given lower priority than lower-volume traffic. For example, a large FTP data transaction is not granted enough priority to overwhelm a (lower volume) Telnet connection. This setup grants both applications a fair share of the bandwidth. In WFQ, all data flows (called conversations) are monitored by the router. The router ensures that each conversation is allocated a fair share of bandwidth.

Table 8.4  Queuing methods characteristics.

WFQ                              Priority Queuing                  Custom Queuing
No queues                        4 queues                          16 queues plus system queue
Default method                   interface command                 interface configuration
                                 priority-group <queue #>          custom-queue-list <queue #>
Low volume traffic gets priority High queue has priority           All queues have a configurable
                                                                   share of bandwidth
Designed for slower links        Designed for low-speed links      Primarily used on high-speed links

To change how WFQ operates, you issue the fair-queue <congestion threshold> command on a WAN interface. This threshold applies only to high-volume traffic and sets the point at which packets will be discarded once the value is reached. The default value is 64 messages, which means that the Cisco router will allow 64 messages to be queued before packets are dropped. You can set the value from 1 through 512. WFQ overcomes the limitation of first in first out (FIFO) queuing. FIFO simply accommodates the packet received first and does not care if it belongs to a large data transfer (which could possibly consume all available bandwidth).

Priority Queuing

Priority queuing enables you to select a protocol or protocols and ensure that the router will service the protocol(s) first, regardless of whether other configured protocols time out or suffer. This setup is useful in situations in which you have time-sensitive data that needs to be sent out by the router as soon as it is received. In priority queuing, there are four basic queues into which traffic is categorized—high, medium, normal, and low. Only after the high queue has been serviced and there are no remaining high queue packets to send will the router turn to the medium queue, followed by the normal queue, and finally the low queue. You can specify individual protocol port types, such as application services (Telnet, FTP, or SMTP, for example).

You can configure up to 16 priority queues on a Cisco router (four high,
four medium, four normal, and four low).

The configuration required when using priority queues is to define the priority list globally and then apply the queue to the interface. The following code demonstrates an example of a router configured to send out IP traffic in the high queue, followed by IPX in the medium queue, AppleTalk in the normal queue, and all other traffic in the low queue:

interface serial0
 ip address 137.12.1.1 255.255.255.0
 ipx network 2000
 appletalk cable-range 1-1 1.102
 appletalk zone melanie
 priority-group 1

priority-list 1 protocol ip high
priority-list 1 protocol ipx medium
priority-list 1 protocol appletalk normal
priority-list 1 default low

The preceding configuration services all IP traffic first, then IPX traffic, followed by AppleTalk, and finally all other traffic. Some important questions to ask regarding this scenario are: What happens if there is a lot of IP-based traffic? What will happen to the other protocols? In short, they will time out and have to wait until all the IP traffic has been sent.
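The following Python model is an added illustration, not code from the book or from Cisco IOS: it reproduces the strict servicing order of priority-list 1 above on constructed packet records (one packet transmitted per tick, arrival ticks assumed) so that the starvation described in this paragraph can be measured. The names classify, priority_schedule and max_wait are invented for the example.

```python
from collections import deque

# Strict priority queuing as configured by priority-list 1 on the page:
# ip -> high, ipx -> medium, appletalk -> normal, everything else -> low.
# Added example, not Cisco IOS code; the packet records are constructed.
QUEUE_ORDER = ("high", "medium", "normal", "low")
PRIORITY_LIST_1 = {"ip": "high", "ipx": "medium", "appletalk": "normal"}


def classify(proto, priority_list=PRIORITY_LIST_1, default="low"):
    """Queue a packet of this protocol is placed into (undefined -> default)."""
    return priority_list.get(proto, default)


def priority_schedule(packets, priority_list=PRIORITY_LIST_1, default="low"):
    """Transmit one packet per tick. Each packet has a protocol 'proto' and an
    arrival tick 'at'. At every tick newly arrived packets are queued first,
    then the highest non-empty queue is served: a lower queue only gets the
    link when every higher queue is empty, so a steady stream of high-queue
    traffic starves the others. Returns (proto, arrived, sent_at) tuples."""
    pending = sorted(packets, key=lambda p: p["at"])   # stable: keeps list order
    queues = {q: deque() for q in QUEUE_ORDER}
    sent, tick = [], 0
    while pending or any(queues.values()):
        while pending and pending[0]["at"] <= tick:
            pkt = pending.pop(0)
            queues[classify(pkt["proto"], priority_list, default)].append(pkt)
        for q in QUEUE_ORDER:                 # always restart from the high queue
            if queues[q]:
                pkt = queues[q].popleft()
                sent.append((pkt["proto"], pkt["at"], tick))
                break
        tick += 1
    return sent


def max_wait(schedule, proto):
    """Longest time (in ticks) a packet of the given protocol sat in its queue."""
    return max((s - a for p, a, s in schedule if p == proto), default=0)


if __name__ == "__main__":
    # Constructed burst: one AppleTalk packet at tick 0 while IP arrives every tick.
    burst = [{"proto": "appletalk", "at": 0}] + [{"proto": "ip", "at": t} for t in range(6)]
    for row in priority_schedule(burst):
        print(row)
    print("appletalk waited", max_wait(priority_schedule(burst), "appletalk"), "ticks")  # 6
```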

To view the current queuing strategy, you use the show queuing IOS command.
The following sample is taken from a router configured with priority queuing:

R1#show queuing
Current priority queue configuration:

List   Queue   Args
1      low     default
1      high    protocol ip
1      medium  protocol ipx
1      normal  protocol appletalk

The way to prevent one protocol from dominating the router’s available bandwidth under priority queuing (as shown in the preceding paragraph) is to use custom queuing, which sends a configurable amount of data from each queue in turn and so allocates a share of the bandwidth to every protocol in use.

Custom Queuing

Custom queuing creates 16 configurable queues that allow a fair share of the
bandwidth. For example, a router administrator could use custom queuing to
allocate 50 percent of all traffic to IP traffic, 25 percent of all traffic to IPX traffic,
and 25 percent of all traffic to be made up of all other traffic. This setup ensures
that all traffic types will have a chance to send data.

When you use custom queuing, there is a special system queue, queue 0, for traffic the router itself needs to send, such as OSPF hello packets or the keepalives that maintain links. This queue is not configurable.

Each queue in custom queuing is allocated a set number of bytes. After the set
number has been reached, the router moves on to the next queue. This setup
ensures that all protocols will have some share of the bandwidth, which typically
makes this setup the preferred queuing method.


Let’s consider the example of sending IP, IPX, and AppleTalk in relation to custom queuing. In this example, the queue is defined globally and then applied to the interface, as shown in the following code:

interface serial 0
 ip address 137.12.1.1 255.255.255.0
 ipx network 2000
 appletalk cable-range 1-1 1.102
 appletalk zone simon
 custom-queue-list 1

queue-list 1 protocol ip 1
queue-list 1 protocol ipx 2
queue-list 1 protocol appletalk 3
queue-list 1 default 4

The preceding code places all IP traffic in queue 1, IPX in queue 2, AppleTalk in queue 3, and all other traffic in queue 4. The default byte count (unless specified for each queue) is 1,500 bytes. To display the current queue settings in use, you use the show queuing command, as shown in the following example:

R1#show queuing
Current custom queue configuration:

List   Queue   Args
1      4       default
1      1       protocol ip
1      2       protocol ipx
1      3       protocol appletalk

You can specify a queue-list byte count by using the following command:

queue-list <list-number> queue <queue-number> byte-count <byte-count-number>

Note: What happens if you have an IP packet that is 1,499 bytes followed by a second packet that is also 1,499 bytes? What will a router configured for custom queuing do if the byte count has been set to 1,500 bytes? Will it fragment the second packet, or will it send only the first packet? In this section’s example situation, the router will send both packets normally. The router always sends a packet in full and only moves on to the next queue after the byte count has been reached or exceeded. In this case, 1,499 × 2 = 2,998 bytes. Therefore, 2,998 bytes will be sent before the next queue is serviced.
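As an added example (not from the book or Cisco IOS), the following Python model walks queues 1 through 4 of queue-list 1 above with the byte-count rule just described, so the two 1,499-byte packets and the 50/25/25 percent split from the start of this section can be checked against it. Packet records, the byte_counts override and the names custom_schedule and bytes_per_queue are all constructed for this example; the system queue 0 is not modelled.

```python
from collections import deque

# Custom queuing as configured by queue-list 1 on the page (ip -> queue 1,
# ipx -> queue 2, appletalk -> queue 3, default -> queue 4), using the
# default 1,500-byte count per queue unless overridden. Added example,
# not Cisco IOS code; packet records are constructed.
QUEUE_LIST_1 = {"ip": 1, "ipx": 2, "appletalk": 3}
DEFAULT_BYTE_COUNT = 1500


def custom_schedule(packets, queue_list=QUEUE_LIST_1, default=4, byte_counts=None):
    """Round-robin over queues 1..4. On each visit the router sends whole
    packets until the queue's byte count has been reached or exceeded, then
    moves on; a packet is never fragmented to fit the remaining allowance.
    Packets are dicts with 'proto' and 'size' (bytes).
    Returns (transmit_order, visits); visits lists (queue, bytes_sent_on_visit)."""
    byte_counts = byte_counts or {}
    queues = {n: deque() for n in range(1, 5)}
    for pkt in packets:
        queues[queue_list.get(pkt["proto"], default)].append(pkt)
    order, visits = [], []
    while any(queues.values()):
        for n in range(1, 5):
            allowance = byte_counts.get(n, DEFAULT_BYTE_COUNT)
            sent = 0
            # Keep sending whole packets while the allowance is not yet reached.
            while queues[n] and sent < allowance:
                pkt = queues[n].popleft()
                sent += pkt["size"]
                order.append(pkt)
            if sent:
                visits.append((n, sent))
    return order, visits


def bytes_per_queue(order, queue_list=QUEUE_LIST_1, default=4):
    """Total bytes transmitted from each queue, to check the realised share."""
    totals = {n: 0 for n in range(1, 5)}
    for pkt in order:
        totals[queue_list.get(pkt["proto"], default)] += pkt["size"]
    return totals


if __name__ == "__main__":
    # The page's note: two 1,499-byte IP packets against a 1,500-byte count.
    pkts = [{"proto": "ip", "size": 1499}, {"proto": "ip", "size": 1499},
            {"proto": "ipx", "size": 600}, {"proto": "decnet", "size": 300}]
    order, visits = custom_schedule(pkts)
    print([p["proto"] for p in order])   # ['ip', 'ip', 'ipx', 'decnet']
    print(visits)                        # [(1, 2998), (2, 600), (4, 300)]
```

Passing byte_counts={1: 3000, 2: 1500, 3: 1500} reproduces the 50/25/25 percent split described earlier, with the first pass sending 3,000 bytes of IP and 2,000 bytes each of IPX and AppleTalk when every packet is 1,000 bytes.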


Other Traffic-Control Methods

There are other methods of controlling traffic using Cisco IOS. Load-balancing techniques can be applied to allow traffic to share all available resources. See the “Need to Know More?” section at the end of this chapter for some excellent references on the Internet.


Practice Questions

Question 1

What are the three components of AAA? [Choose the three best answers]

❑ a. Accounting

❑ b. Authorization

❑ c. Adapting

❑ d. Authentication

The correct answers are a, b, and d. AAA is used to authenticate, authorize, and
account (AAA). Answer c is incorrect, because adapting is not part of the secu-
rity options available with AAA.

Question 2

What IOS command must be issued to start AAA on a Cisco router?

❍ a. aaa old-model

❍ b. aaa model

❍ c. aaa new model

❍ d. aaa new-model

The correct answer is d. To start Authentication, Authorization, and Accounting
(AAA), the command is aaa new-model. Answers a, b, and c are incorrect, be-
cause they represent invalid IOS commands.

Question 3

Assume you have 128MB of memory installed on a PIX firewall. Approximately how many connections can be supported?

❍ a. 16

❍ b. 32,768

❍ c. 65,536

❍ d. 260,000


The correct answer is d. With 128MB of random access memory (RAM), the PIX firewall can support up to 260,000 connections. Answer a is incorrect, because 16 sessions are supported by all memory options; this does not satisfy the question, which asks for the number of sessions provided by 128MB of RAM. Answer b is incorrect, because 16MB of RAM supports 32,768 sessions. Answer c is incorrect, because 32MB of RAM supports 65,536 sessions.

Question 4

What is the name given to the algorithm used to exchange keys between
two encryption devices?

❍ a. Routing algorithm

❍ b. Diffie-Hellman algorithm

❍ c. The switching engine

❍ d. The stac compression algorithm

The correct answer is b. When using encryption between two routers, the algorithm that is used to exchange keys is called the Diffie-Hellman algorithm. This algorithm is used to initiate and make sure the session between two routers is secured. Answer a is incorrect, because the routing algorithm is used for routing, not for encryption. Answer c is incorrect, because a switching engine is used to switch frames and has nothing to do with encryption. Answer d is incorrect, because the stac compression algorithm is used by PPP; this compression technique is used to compress data on a PPP WAN link.

Question 5

How many priority queues are available on a Cisco router?

❍ a. 0

❍ b. 4

❍ c. 12

❍ d. 16

The correct answer is d. You can configure up to 16 priority queues on a Cisco router. Each priority queue is made up of four queues—high, medium, normal, and low. Answers a, b, and c are incorrect, because 16 is the correct answer.


Question 6

What IOS command is used to enable priority queuing on a WAN interface?

❍ a. queue 1

❍ b. priority-queue <queue number>

❍ c. priority-group <queue number>

❍ d. ip access-group <1-99>

The correct answer is c. The IOS syntax to enable priority queuing is priority-group <queue number>. You can have up to 16 queues. Answers a and b are incorrect, because they are invalid IOS commands. Answer d is incorrect, because the ip access-group <1-99> command is used to filter IP traffic.

Question 7

View the following priority queue:

queue-list 2 protocol decnet 1

queue-list 2 protocol ipx 2

queue-list 2 protocol appletalk 3

queue-list 2 default 4

What queue will IP be placed into?

❍ a. 1

❍ b. 2

❍ c. 3

❍ d. 4

The correct answer is d. This is a trick question because IP has not been defined in any specific queue, but you can see that DECnet is placed in queue 1 (answer a), IPX is placed in queue 2 (answer b), and AppleTalk is placed in queue 3 (answer c). The default queue (where any undefined protocols are sent) is number 4 (answer d). Because IP is an undefined protocol in this case, all IP packets will be carried in queue 4. Answers a, b, and c are incorrect, because IP packets are placed in queue 4.


Question 8

What IOS command is used to enable custom queuing of a WAN interface?
Assume the queue list is number 1.

❍ a. custom queue list 1

❍ b. custom-queue-list 1

❍ c. custom-queue list 1

❍ d. priority-group 1

The correct answer is b. The command to enable custom queuing on a WAN interface is custom-queue-list <queue number>. Answers a, c, and d are incorrect, because they are invalid IOS commands.

Question 9

What range does a standard IP access list range from?

❍ a. 0 through 100

❍ b. 1 through 100

❍ c. 1 through 99

❍ d. 100 through 200

The correct answer is c. Standard IP access lists range from 1 through 99. This is a tricky question, because most candidates would assume the range is from 1 through 100, which is incorrect. Cisco numbers the access lists from 1 through 99, 100 through 199, 200 through 299, and so on. Answers a, b, and d are incorrect, because they present invalid ranges. Cisco IOS release 12.0 has made some enhancements to the access list ranges to cater to large networks. Standard IP access lists have been extended to the range 1300 through 1999 in addition to the range 1 through 99. An extended IP access list range of 2000 through 2699 has been added in addition to the original range of 100 through 199.


Question 10

What range does an extended IP access list range from?

❍ a. 1 through 99

❍ b. 100 through 200

❍ c. 100 through 199

❍ d. 1100 through 1199

The correct answer is c. Extended access lists range from 100 through 199. Answer a is incorrect, because 1 through 99 is a standard IP access list range. Answer b is incorrect, because it presents an invalid access list range. Answer d is incorrect, because 1100 through 1199 is used for extended MAC address control.

Question 11

What IOS command is issued to display only IP access lists that are configured?

❍ a. show ip acl

❍ b. sh ip access-lists

❍ c. sh ip access lists

❍ d. show access-lists

The correct answer is b. The correct syntax to display IP access lists only is sh ip access-lists. Answer a is incorrect; the command is an invalid IOS command. Answer c is incorrect, because the command is missing the dash. Answer d is incorrect; the command will display all the access lists configured, not just IP access lists, which does not satisfy the question.

Question 12

You have configured an extended IP access list but you haven’t applied it to
any interface. What will the router do?

❍ a. Drop all packets

❍ b. Allow all IP packets

❍ c. Depending on the access list, might drop packets not satisfying any permit condition

❍ d. Reload the router


The correct answer is b. Configuring an access list without applying it to any
interface will not affect how the router handles IP packets; hence, only answer b
is correct. Answers a and c are incorrect, because the access list has not been
applied to the interface. Answer d is incorrect, because reloading the router will
only cause a network outage.

Question 13

What is true regarding the following standard access list?

Access-list 100 permit TCP 10.99.34.50 0.0.0.0 any

❍ a. This is an extended access list that permits TCP from host 10.99.34.50.

❍ b. This is a standard access list that permits all nodes on 10.99.34.50.

❍ c. This is an extended MAC address list.

❍ d. This access list can only be used for IPX.

The correct answer is a. The question states that this is a standard access list, but the configuration displays an extended list, as the number ranges from 100 through 199 and the source and destination networks are listed. This access list will permit the host 10.99.34.50 to connect to any other IP host using TCP, such as Telnet for example. Answer b is incorrect; the access list is not in the range from 1 through 99. Answers c and d are incorrect, because extended MAC address lists range from 1100 through 1199 and IPX access lists can range from 1000 through 1099, 800 through 899, 900 through 999, and 1200 through 1299.


Need to Know More?

Cisco IOS Network Security. Cisco Press, Indianapolis, IN, 1998. ISBN 1-57870-160-0. This book provides all the configurable options available with Cisco IOS. Each chapter provides a brief introduction followed by all the IOS command options. It is an excellent resource on security that details every IOS command available in IOS 12.0. Specifically, you will find topics on AAA, security server protocols, filtering IP traffic, firewalls, and IP encryption configuration examples. This text is also available in electronic format on the Cisco documentation CD or online at www.cisco.com/univercd/home/home.htm.

Chappell, Laura: Advanced Cisco Router Configuration (ACRC). Macmillan Publishing Company, Indianapolis, IN, 1998. ISBN 1-57870-074-4. Chapter 5 provides an excellent description of queuing strategies.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm provides a complete list of features available on a Cisco PIX firewall.

www.cisco.com provides a wealth of documentation relative to the security and performance management techniques discussed in this chapter. Search for keywords such as “queuing strategies” and “encryption”. Also, search for the keywords “DLSw design guide”—you will be rewarded with some quality queuing examples similar to the examples discussed in this chapter.
