ONT Study Notes - IT Dualism

ONT Study Notes by Rofi Neron
VoIP networks – Foundations
Reasons to migrate to IPT = IP Telephony:
MACs = Moves, Adds and Changes -> IPT makes moves easy
Bandwidth -> with IPT you can compress data=>more calls per same bandwidth
Lower cost -> use the WAN for phone calls
New apps and devices
more efficient use of bandwidth and equipment
consolidated network expenses
improved employee productivity
access to new communication devices
MCU=Multipoint Control Units
Application & Database servers
Call agents
Video end point
DSP->devices that convert analog to digital
Phase One migration -> keep existing system and connect PBX to the router
The router can convert the calls to VoIP and save cost=>QoS with low cost
Phase Two migration -> IP systems only replacing phones and PBX
Cisco IP phone can show on screen display bringing new apps via the phones
Call control => routing voice around the network
Distributed -> every device has its own brain => every router has to be configured with all details
Centralized->call agent is the center point with database for all calls in the network
Cisco Call Manager (CCM) is a centralized solution
IP Phone -> phone with IP
Call agent -> control the network devices
Voice agents -> routers that connect the network
H323 Gateway
MCU -> mix conference calls
FXS =Foreign Exchange Connections -> analog interfaces that connect with old devices
Each analog port can run one call only
FXS ports plug to station
Send\Generate dial tone
FXO=Foreign Exchange Office->convert analog to VoIP to a branch office
Receive dial tone
E&M = rEceive and transMit -> create a direct trunk between PBXs or PBX to router
FXS, FXO and E&M are all analog=>one call per line
How does voice become a packet?
4 step recipe to turn voice into bits:
1. Sampling -> take many samples of the analog signal
2. Quantization -> calculate a number representing each sample
3. Encoding -> convert that number to binary
4. Compression (optional) -> compress the signal
Nyquist theorem -> Quantization Process
take 8000 samples every second and put it to binary => can regenerate voice
Each sample = 1/8000 of a second
8 bits X 8000 times = 64000 bps = 64kbps => standard PBX channel rate
Quantization error -> high frequency => static
Quantization techniques
Waveform Algorithm (encode everything): PCM, ADPCM
Source Algorithm (encode changes): CS-ACELP, LDCELP
Waveform CODECs
G.711 uses PCM coding -> 64 kbps -> with the header data 80kbps
G.726 uses ADPCM coding -> 32 kbps
AD = Adaptive Differential -> most numbers do not change, so do not send the same number
twice but only the change = difference, which fits in 4 bits
PCM->better phone quality and more bandwidth
ADPCM->less bandwidth and chance for quantization error
Source CODECs
Cisco’s G.729 uses 8kbps -> using codes and sending the codes to the other side
Understanding DSP
DSP=Digital Signal Processors:
->convert analog to digital
->conference calls
->echo cancellation
->voice activity detect
->comfort noise
Streaming Voice Protocols
RTP -> reordering function & time-stamping function
UDP -> multiplexing multiple streams from one device (adding port numbers)
CODEC considerations – how to calc the amount of bandwidth required for VoIP
Per call bandwidth consumption table from cisco
Different codecs consume different amount of bandwidth
How much voice per one packet
typically 20ms to 40ms, cisco default is 20ms
larger sample size lead to smaller amounts of network overhead
larger sample size cause more delay and have more impact when packets drop
Factoring in network overhead
Data Link Layer:
->Ethernet 18bytes
->FR 6bytes
->PPP 6bytes
->Ethernet trunk (802.1q) 22bytes
Network / Transport Layer
->IP 20bytes
->UDP 8 bytes
->RTP 12bytes
=>network/transport layer header is 40bytes
IPSec transport mode 30-53bytes
IPSec tunnel mode 50-73bytes
L2TP/GRE 24bytes
MPLS 4bytes
PPPoE 8bytes
The overhead is typically more than the actual audio inside
Data Link Overhead -> encapsulation of the IP packet in a frame that appropriate for the
data link layer protocol provisioned for that link
Security and Tunneling Overhead -> IPSec secure transmission of IP packets in Transport
mode (encryption only to the payload of the packet) or Tunnel mode (encryption to the
whole packet)
Bandwidth calc formula:
Total packet size / Payload size = Total bandwidth requirement / Codec bandwidth requirement
=> Total bandwidth = Codec bandwidth X (Total packet size / Payload size)
VAD=Voice Activity Detection stops sending traffic during silence
VAD saves bandwidth -> when there is silence no data is sent -> 35% of a call is
VAD is a 2 way mechanism -> one side is not sending data (listening)
The total size of a L2 frame encapsulating a VoIP packet depends on:
• Packet rate and packetization size
• IP overhead
• Data link overhead
• Tunneling overhead
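Added example, not from the original notes: a per-call bandwidth calculator built from the overhead table above and the notes' formula (total bandwidth = codec bandwidth X total packet size / payload size). Assumptions: Cisco default 20 ms packetization, 40 bytes of IP/UDP/RTP header, the IPsec entries use the low end of the ranges given, and the cRTP header size is passed in by the caller.

```python
from typing import Optional

# Data-link overhead in bytes, as listed in the notes ("none" added for a bare IP view)
L2_OVERHEAD = {
    "none": 0,
    "ethernet": 18,
    "frame-relay": 6,
    "ppp": 6,
    "dot1q-trunk": 22,
}

# Tunneling / security overhead in bytes; IPsec uses the low end of the notes' ranges (assumption)
TUNNEL_OVERHEAD = {
    "none": 0,
    "mpls": 4,
    "pppoe": 8,
    "l2tp-gre": 24,
    "ipsec-transport": 30,
    "ipsec-tunnel": 50,
}

IP_UDP_RTP = 20 + 8 + 12  # 40 bytes of network/transport header per packet


def voice_payload_bytes(codec_bps: int, packetization_ms: int) -> int:
    """Bytes of audio in one packet: codec rate x sample interval (e.g. G.711 @ 20 ms = 160)."""
    return codec_bps * packetization_ms // 8000


def total_packet_bytes(codec_bps: int, packetization_ms: int = 20,
                       link: str = "ethernet", tunnel: str = "none",
                       crtp_header_bytes: Optional[int] = None) -> int:
    """Payload plus every layer of overhead; crtp_header_bytes replaces the 40-byte
    IP/UDP/RTP header when RTP header compression is used (notes: 2-4 bytes)."""
    payload = voice_payload_bytes(codec_bps, packetization_ms)
    l3l4 = IP_UDP_RTP if crtp_header_bytes is None else crtp_header_bytes
    return payload + l3l4 + L2_OVERHEAD[link] + TUNNEL_OVERHEAD[tunnel]


def voip_bandwidth_bps(codec_bps: int, packetization_ms: int = 20,
                       link: str = "ethernet", tunnel: str = "none",
                       crtp_header_bytes: Optional[int] = None,
                       vad_savings: float = 0.0) -> int:
    """Per-call, one-direction bandwidth in bps.

    Packets per second = 1000 / packetization_ms, so the result equals
    codec_bps * (total packet size / payload size), the notes' formula.
    vad_savings is the fraction of the call removed by VAD (notes: ~35%).
    """
    total = total_packet_bytes(codec_bps, packetization_ms, link, tunnel, crtp_header_bytes)
    bps = total * 8 * 1000 // packetization_ms   # integer arithmetic, no rounding drift
    return round(bps * (1 - vad_savings))


def overhead_fraction(codec_bps: int, packetization_ms: int = 20,
                      link: str = "ethernet", tunnel: str = "none") -> float:
    """Share of each packet that is header rather than audio."""
    total = total_packet_bytes(codec_bps, packetization_ms, link, tunnel)
    return 1 - voice_payload_bytes(codec_bps, packetization_ms) / total


if __name__ == "__main__":
    for name, rate in (("G.711", 64000), ("G.729", 8000)):
        for ms in (20, 40):
            print(f"{name} @ {ms} ms on Ethernet: {voip_bandwidth_bps(rate, ms)} bps, "
                  f"overhead {overhead_fraction(rate, ms):.0%}")
```

With a 20 ms sample size G.729 spends more of each packet on headers than on audio, and the 40 ms rows show why a larger sample size lowers the bandwidth but raises the per-packet loss impact.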
VoIP – Implementation
Campus IPT design:
CCM cluster will describe how the calls are processed (it is not a load balancing
Switches support PoE
Gateways (voice gateways) route calls to\from PSTN, provide SRST
Servers – apps like voice mail
Central Site model:
CCM on the HQ and branches go over WAN
SRST is important in this model -> they keep phones up when CCM is down or when
there is a power outage.
Distributed multi-cluster design
Separate sites with their own database.
H.323 gatekeeper -> it is not a requirement, provide a central dial plan (DP) and CAC
we can create a trust between the 2 sites. On a larger scale you can use a central point that
each site synch with – the gatekeeper=>easier management
CAC=Call Admission Control – protect voice calls from other voice calls
QoS-> When we have too many calls and the bandwidth over the configured limit the
voice on all calls will have bad quality
CAC protects the calls:
Local CAC Mechanism -> local to the gateway.
Measurement based Mechanism -> configuring the router to send probes, measure traffic
and emulate traffic sent across the network. When the probe gets back to the router you
can set levels of service
Resource based Mechanism -> using one or more points to run the voice data
VIC2-FXS or NM-HD-2VE module
1750, 1760, 2801 – can take the card natively
show voice port summary -> output of all VIC ports installed
Dial peer allow to create routing for voice, like a phone book
->dial-peer voice 10 pots ->number like ACL, meaningless
->destination-pattern 1111 ->logical number
->port 1/1/1 ->what port it is going out
debug dialpeer -> show the full process of dialing
show dial-peer voice summary->list of all configured peers (like a routing list)
between 2 routers:
dial-peer voice 1234 pots
port 2/0
dial-peer voice 4321 voip
destination-pattern 1234
session target ipv4:
QoS = Quality of Service
Problems (or enemies) of QoS:
Lack of bandwidth -> QoS cannot help when there is no bandwidth left
Packet loss -> voice packet lost affect the quality of call
Delay -> not an issue with data but voice\video are heavily affected
Jitter = Delay Variation -> variable form of delay. A difference from when a packet is
sent to the next packet => overall delay
Voice has a delay tolerance of 150ms 1-way
QoS Tools:
Classification -> identifying and grouping different traffic types:
non-critical apps and important apps. Matching the different types of applications
MATCHing is done using ACL (port, source\dest IPs, interface, NBAR) -> this is very
processor intensive
Marking -> tags the packet so it can be quickly recognized elsewhere on the network
Marking put a tag in the header so other routers can process it faster
FIFO = First In First Out -> whoever came first will be forwarded, when the buffer is
full it will drop the rest of the traffic without looking at the data
Random Early Detection = RED -> when the buffer is close to full the router can start
freeing space and drop packets out of the queue
Weighted Random Early Detection = WRED -> Cisco proprietary, allow the router to
aim at the traffic it drops.
Policing -> drop or mark packets when the limit is reached
Shaping -> queue packets when the limit is reached, not dropping it
Queuing -> method to prioritize packets
QoS Implementation Models and Methods
The process:
1. Network audit
2. Identify application requirements
3. Divide traffic into groups (classes) -> recommended 4-11 classes
4. Create and apply policies to those groups
3 QoS Models:
1. Best-Effort -> get there when possible
2. Integrated Services (IntServ) -> dedicated tube for this traffic over RSVP =>
nothing else can use this bandwidth even when not being used
if one of the routers on the path doesn’t support RSVP QoS will not be achieved
3. Differentiated Services (DiffServ) -> label per packet
Old School CLI -> per interface basis QoS => not efficient for the processor and chance
of misconfiguring
MQC = Modular QoS CLI -> allow to define all policies in global configuration mode =>
creating class-map and a policy-map that apply what we want to do with it. Then under
the interface we configure what to do with it.
Single policy can be applied to multiple interfaces
This is the Cisco recommended way
Cisco AutoQoS -> one command that configures QoS on the router. Applies Cisco’s best
practice on the specific interface. The command is autoqos
SDM -> manage any modern router via GUI. Similar to autoqos
QPM -> plug-in for CiscoWorks for network wide QoS, allow monitoring across the
1. create class-maps
2. create policy-maps
3. apply service policy to interface
class-map -> match-all by default, AND statement | match-any is an OR statement
class-map CNAME -> name is case sensitive
match -> many options like access-group, protocol, dest\source address and more
match protocol => NBAR = Network Based Application Recognition
show class-map -> output all created class-maps
policy-map PNAME-> only one policy per direction per interface
class CNAME -> using the class-map created earlier
police 56000 -> when traffic over 56k it will be dropped
class CNAME2
police 80000 -> under the same policy, apply different rules for different class-maps
show policy-map -> output of all existing policy-maps
int e0/0
service-policy input PNAME -> inbound
service-policy output PNAME -> outbound
show policy-map interface -> all data on the specific interface
Classification and Marking – L2 concepts
Classification -> inspecting one or more aspects of a packet to see what the packet is
Marking -> writing information to a packet to easily identify it on other network devices
Marking within the network allow to save processing resources => not required if
resources are not an issue
Marking become more important going to the internet => allow ISP to ensure QoS
Packet structure:
L2->data link address (CoS, dlci, MPLS tags, MAC address)
L3->source IP \ dest IP
L4 -> source \ dest ports
L5-7 -> application data
QoS = Quality of Service
CoS = Class of Service => L2 marking used on Ethernet
ToS = Type of Service => L3 marking = 1byte (8bits)
L2 Marking:
Frame Relay DE bit: 0 or 1 => 0=no 1=maybe, possible. DE=Discard Eligible
you can mark the traffic that will become the DE
MPLS Exp bits: similar to CoS
Ethernet trunk CoS: 3 bits
CoS works by using 3 bits -> only working on trunk connections (isl \ dot1q)
Ethernet CoS can get to 8 levels of service:
000=best effort
001=low data -> like web traffic
010=high data -> apps like Citrix that require constant connection
011=voice signal -> hold music
100=video -> video streaming
101=voice -> top class of traffic
110=reserved -> that is for routing update traffic, STP etc
111=reserved -> used by the router by default
L2 is stripped at every router
L3 is going all the way => much more important
L3 Marking:
ToS byte -> between Dest IP and L4
L3 marking has the ability to carry from router to router
The original TCP/IP standard define a ToS byte
The first implementation of marking using the ToS byte was IP Precedence
IP Precedence only used the left-most 3 bits
The IP Precedence marking strategies are the same as the CoS marking strategies
DSCP = Differentiated Services Code Point
DSCP Marking strategies:
-> Introduced more usable markings
-> Maintained backwards compatibility with IP precedence
000 | 000 | 00
Left part -> PHB = Per-Hop Behavior => major class
Middle part -> Drop Probability => minor class => break the tie if left part is equal
Right part -> Flow Control => PCs can be told to slow down to prevent packet loss -> not
included in DSCP marking
PHB can be one of 3 things: (6 & 7 are reserved for network routing data)
Expedited forwarding (EF -5)
Assured Forwarding (AF4, AF3, AF2, AF1)
Best Effort (0)
Drop Probability currently only uses the left-most 2 bits and can be one of 3:
High drop preference: 11
Medium drop preference: 10
Low drop preference: 01
PHB->higher is better
Drop Probability->higher is worse
[DSCP table] EF = 101 110 | Best Effort = 000 000 | AF classes ordered by drop preference: Low Drop (01), Medium Drop (10), High Drop (11)
DSCP: which is better?
AF31 vs AF33 => both AF3, 1<3 low drop vs high drop AF31 win
AF43 vs AF31 => AF4 win over class
011110 vs 011010 => first 3 bits tied. 110 is high vs 101 low drop => 011010 win
10 or 14 => 10=001010 vs 14=001110 =>001 is tied. 010<110 10 win
20 or 26 => 20=010100 vs 26=011010 => 010=AF2 011=AF3 => 26 win over class
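Added example, not from the original notes: decoding the ToS byte the way the notes split it (3 PHB bits | 3 drop bits, of which the left 2 are used | 2 flow-control bits) and applying the notes' "which is better" rules. Names follow the notes (EF = 101110, Best Effort = 000000, AFxy = class x with drop preference y); the CSx naming for values whose drop bits are 00 and the DSCPn fallback are my additions.

```python
from typing import Tuple


def split_dscp(dscp: int) -> Tuple[int, int]:
    """Return (PHB class, drop preference) from a 6-bit DSCP value."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    phb = dscp >> 3            # left-most 3 bits: major class
    drop = (dscp >> 1) & 0b11  # next 2 bits: drop preference (last bit unused)
    return phb, drop


def split_tos(tos: int) -> Tuple[int, int]:
    """Split the 8-bit ToS byte into (DSCP, 2 flow-control bits)."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS is one byte")
    return tos >> 2, tos & 0b11


def dscp_name(dscp: int) -> str:
    """Human name: EF, BE, AFxy, CSx (class selector, IP-precedence compatible)."""
    phb, drop = split_dscp(dscp)
    if dscp == 0b101110:
        return "EF"
    if dscp == 0:
        return "BE"
    if drop == 0:
        return f"CS{phb}"
    if 1 <= phb <= 4:
        return f"AF{phb}{drop}"
    return f"DSCP{dscp}"       # classes 6 and 7 are reserved per the notes


def dscp_from_name(name: str) -> int:
    """Inverse of dscp_name for EF, BE, CSx and AFxy."""
    name = name.upper()
    if name == "EF":
        return 0b101110
    if name == "BE":
        return 0
    if name.startswith("CS"):
        return int(name[2]) << 3
    if name.startswith("AF"):
        return (int(name[2]) << 3) | (int(name[3]) << 1)
    raise ValueError(f"unknown DSCP name {name}")


def better_dscp(a: int, b: int) -> int:
    """Notes' rule: higher PHB class wins; on a tie, the lower drop preference wins."""
    phb_a, drop_a = split_dscp(a)
    phb_b, drop_b = split_dscp(b)
    if phb_a != phb_b:
        return a if phb_a > phb_b else b
    return a if drop_a <= drop_b else b


# Meaning of the two right-most ToS bits, as the notes list them under ECN
ECN_MEANING = {0b00: "not ECN capable", 0b01: "ECN capable",
               0b10: "ECN capable", 0b11: "congestion experienced"}


if __name__ == "__main__":
    for pair in (("AF31", "AF33"), ("AF43", "AF31")):
        winner = better_dscp(dscp_from_name(pair[0]), dscp_from_name(pair[1]))
        print(f"{pair[0]} vs {pair[1]} -> {dscp_name(winner)}")
    for a, b in ((0b011110, 0b011010), (10, 14), (20, 26)):
        print(f"{a:06b} ({dscp_name(a)}) vs {b:06b} ({dscp_name(b)}) -> {dscp_name(better_dscp(a, b))}")
```

The comparison only says which marking is "higher"; as the notes state, treatment comes from the policy that matches the marking, not from the value itself.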
The level of preferences is just for marking, it does not define treatment
Same case with classification
NBAR = Network Based Application Recognition
Look at the app data inside the packet, not just the port number
Today it is also a security tool => Application Tunneling -> check if the app uses the port
it is supposed to
When an application uses port 80 to hide its real port that is blocked, NBAR can identify
and block the application though it says port 80
NBAR supported applications
Cisco PDLM allow updating the application list without upgrading the IOS version.
Download from Cisco.
You cannot create a custom PDLM
Officially it is a classification feature
class-map match-any SCUM_TRAFFIC
match protocol bittorrent-> there is no nbar syntax
match protocol edonkey
match protocol skype
show class-map SCUM_TRAFFIC
policy-map KILL_SCUM -> apply an action on the class-map
the policy-map should be applied on an Interface
loading a pdlm file->copy to flash and then->ip nbar pdlm FILE_NAME
you can map an application to a different port
ip nbar port-map dns tcp 6836->add this port to the default 53
ip nbar custom APP udp ->create a custom app->nbar will search in the payload of the
application. ACL can do the same process but not the payload scanning
int f0/1
ip nbar protocol-discovery->make the router like a sniffer
show ip nbar protocol-discovery stats bit-rate top 10->show the 10 most used protocols
load-interval->allow to adjust the rate on the interface stats
Queuing basics
Occur during congestion
Congestion caused by:
speed mismatch
link aggregation
Queuing strategies: FIFO
Single queue
No delay guarantee
No bandwidth guarantee
Queuing strategies: Priority Queuing
4 queues: High, Medium, Normal, Low
Strict priority
Delay guarantee (for one queue)
Some bandwidth guarantee (can guarantee for High only)
Delay guarantee->can the packet get from A to B in x time
Bandwidth guarantee->move to the front of the line
Queuing strategies: Custom Queuing
16 queues
round robin
no delay guarantee
bandwidth guarantee
Uses ACL to set a rule, up to 16 rules that set a byte count per traffic type
Not recommended for VoIP
Queuing strategies: Weighted Fair Queuing
Per-flow queue -> prioritizes small talkers over high talkers
weighted fair
no delay guarantee
no bandwidth guarantee
This is not configurable=>should not be used for VoIP
Queuing strategies: Class-Based WFQ (CBWFQ)
Up to 256 class maps => queues
no delay guarantee
bandwidth guarantee->some of the traffic get bandwidth guarantee and the rest of it fair
Good for network without VoIP and Video
Queuing strategies: Low Latency Queuing (LLQ)
Delay guarantee for PQ
bandwidth guarantee
Priority up to 33%
Sum of all guarantees up to 75%
Total link capacity = 100%
Queuing configuration:
WFQ is on most routers by default
show interface e0/0 -> show Queuing strategy parameter
no fair-queue->disable WFQ
by default handles 256 conversations. Each queue drops packets from the most aggressive
conversation once it is filling up too quickly. It is based on 1 conversation per queue
one of the requirements might be raising the number 256
fair-queue 100 2048 0->threshold by default=64, we change to 100. 2048 is the number
of queues (up from 256). 0 is the RSVP
hold-queue 4096 out->that will be the limit for out of memory. Beyond will be dropped
show queue e0/0
Data only network (no VoIP) scenario:
http, https, ftp need at least 20%
x-windows applications need at least 10%
SQL server replication need at least 25%
Everything else can share leftover bandwidth
class-map match-any WEB_TRAFFIC
match protocol http
match protocol secure-http
match protocol ftp
show class-map->will show all class maps
class-map X_WINDOWS
match protocol xwindows
class-map SQL
match protocol sqlserver
next we create a policy map to apply the class maps
policy-map CBWFQ
class WEB_TRAFFIC
bandwidth percent 20->bandwidth remaining (percent) uses whatever is left after the other
classes and assigns X percent of that remaining amount
exit->from class, still under the same policy map
class X_WINDOWS
bandwidth percent 10
class SQL
bandwidth percent 25
now we’re left with the everything left part:
class class-default=>everything else
show policy-map->show all the policies we’ve created. Still need to apply
int s0/0
service-policy input CBWFQ=>will result in error, can only be output
service-policy output CBWFQ
it may require disabling an existing queuing policy on the interface (like fair-queue)
show policy-map interface s0/0->report a 5 minutes stat page for each class
bandwidth statement is a minimum=>if there is available extra bandwidth it will use it
LLQ configuration:
Add a priority queue, that is the only change. Same config with 1 additional item:
VoIP needs the 1st 10% of bandwidth
Adding “regular” 10% in addition to the existing policy will not do it right because it uses
round robin. VoIP cannot use round robin.
To enable this on global config the following is required:
class-map VOIP
match protocol rtp audio|video|payload-type->voice =audio
policy-map CBWFQ
class VOIP
priority percent 10
=>voice will get only 10%->even if there is free bandwidth voice will never use it
Congestion Avoidance
Tail Drop -> mechanism routers use by default to drop packets.
TCP Synchronization->all the computers become synched in the bandwidth they can
use on the network=>Unbiased Dropping->when the router is 100% FULL it drops from every
flow at once->as a result we waste bandwidth in the after-peak moment when all the
connections have cut back.
RED=Random Early Detection->a way to prevent unbiased dropping.
Randomly drop packets from TCP flow to minimize synchronization
Dropping becomes more aggressive as queues fill
Cisco does not support RED
WRED=Weighted RED->multiple RED profiles:
IP Precedence (8 profiles)
DSCP (64 profiles)
MPD=Mark Probability Denominator->the size of the threshold that lay between the min
& max threshold lines. Min=start dropping. Max=start tail drop. MPD is in the middle
Default MPD is 10
WRED require constant monitoring
WRED configuration:
Using a class-map as before, we create a policy map
policy-map CORP_POLICY
class p2p
police 56000
bandwidth 40
class web
bandwidth 500
random-detect precedence 3 1000 2000 100->set min=1000, max=2000 and
probability=1/100 if IP precedence 3 is set on the packet
class critical
bandwidth 1000
instead of IP precedence values we can use AF (DSCP) values
random-detect is the only feature that cares about the 2nd value (drop preference)
apply the policy on interface
int s0/0
service-policy output CORP_POLICY
bandwidth 1000000
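Added example, not from the original notes: the WRED drop decision for a profile parameterized like "random-detect precedence 3 1000 2000 100" (min threshold, max threshold, mark probability denominator). The per-precedence table other than the precedence-3 entry, the use of a fixed average queue depth, and the RNG seed are constructed for this example.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class WredProfile:
    min_threshold: int   # below this average depth: never drop
    max_threshold: int   # above this: tail drop everything
    mpd: int = 10        # mark probability denominator, Cisco default 10

    def drop_probability(self, avg_depth: float) -> float:
        """Probability of dropping an arriving packet at this average queue depth."""
        if avg_depth < self.min_threshold:
            return 0.0
        if avg_depth > self.max_threshold:
            return 1.0                      # tail-drop region
        # linear ramp: 0 at min threshold, 1/mpd at max threshold
        span = self.max_threshold - self.min_threshold
        return (avg_depth - self.min_threshold) / span / self.mpd

    def should_drop(self, avg_depth: float, rng: random.Random) -> bool:
        """Random early detection: drop with the probability above."""
        return rng.random() < self.drop_probability(avg_depth)


# One RED profile per IP precedence (8 exist; three shown, constructed values).
# Lower precedence starts dropping earlier, so best-effort traffic yields first.
PROFILES = {
    0: WredProfile(min_threshold=500, max_threshold=2000, mpd=10),
    3: WredProfile(min_threshold=1000, max_threshold=2000, mpd=100),  # values from the notes
    5: WredProfile(min_threshold=1500, max_threshold=2000, mpd=10),
}


def wred_drop_rate(precedence: int, avg_depth: float,
                   packets: int = 100_000, seed: int = 1) -> float:
    """Simulate packet arrivals at a fixed average depth; return the fraction dropped."""
    profile = PROFILES[precedence]
    rng = random.Random(seed)
    dropped = sum(profile.should_drop(avg_depth, rng) for _ in range(packets))
    return dropped / packets


if __name__ == "__main__":
    for depth in (800, 1200, 1600, 2000, 2100):
        print(f"avg depth {depth}: " + ", ".join(
            f"prec {p} drop {PROFILES[p].drop_probability(depth):.3f}" for p in sorted(PROFILES)))
```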
WRED ECN Enhancement
ECN=Explicit Congestion Notification->adds a proactiveness to WRED
Uses last 2 bits of ToS byte
The endpoints begin to participate in the process
When congestion is experienced the router change the value to 11 and the receiving
computer will cut the speed until the 11 alert is gone
Optional marking:
00->not ECN capable
01->endpoints are ECN capable
10->endpoints are ECN capable
11->congestion experienced
Policing and Shaping
Policing -> drop or remark exceeding traffic
Shaping -> queues excess traffic to send at a desired rate. A much older technique that
has been used with older protocols that required specific bandwidth limits.
Shaping used to work per interface->it is now per traffic type. It will queue the excess
traffic and will send them later, if possible
Policing will never try again – if traffic exceed it will permanently drop it
Tc = Time committed => how much traffic will be sent in a specific time frame
Bc = Burst committed => you get what you paid for. Never get extra traffic
Be = Burst excess => the extra bandwidth the ISP allow
Bursting -> ISP allow sending extra traffic in order to allow full usage of the line at all
times. It is a way to avoid time intervals that are not being used
Conform -> sending traffic below Bc
Exceed -> traffic between Bc and Be
Violate = DE = Discard Eligible -> traffic beyond Be, marked by the ISP as possibly
discarded traffic
policy-map DEMO
class p2p
police 56000->bits per second
more options: conform-action | exceed-action
the same command can be typed all in one line
policy-map DEMO
class critical
shape average->for traffic you care about->this is queuing data
shape peak->burst even when you have nothing to burst
voice should use average because it cannot allow losing data
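Added example, not from the original notes: a two-bucket policer that sorts packets into conform / exceed / violate for a rate like "police 56000" using Tc, Bc and Be as the notes define them. The Bc and Be sizes, the action mapping (conform transmit, exceed remark, violate drop) and the sample packets are constructed for this example; they are not Cisco defaults.

```python
from typing import List, Tuple


class TokenBucketPolicer:
    """Single-rate policer with a committed (Bc) and an excess (Be) bucket.

    Tokens are bytes.  Every Tc worth of time the committed bucket earns
    CIR * Tc bytes; whatever overflows Bc spills into the excess bucket up to Be.
    A packet that fits in the committed bucket conforms, one that only fits in
    the excess bucket exceeds, anything else violates.  Policing never queues:
    the decision is made at arrival time and is final.
    """

    def __init__(self, cir_bps: int, bc_bytes: int, be_bytes: int) -> None:
        self.rate = cir_bps / 8.0        # bytes per second of credit
        self.bc = bc_bytes
        self.be = be_bytes
        self.committed = float(bc_bytes)  # buckets start full
        self.excess = float(be_bytes)
        self.last = 0.0                   # time of the last refill

    def _refill(self, now: float) -> None:
        earned = max(0.0, now - self.last) * self.rate
        self.last = max(self.last, now)
        self.committed += earned
        if self.committed > self.bc:
            spill = self.committed - self.bc
            self.committed = self.bc
            self.excess = min(self.be, self.excess + spill)

    def police(self, now: float, size_bytes: int) -> str:
        self._refill(now)
        if size_bytes <= self.committed:
            self.committed -= size_bytes
            return "conform"
        if size_bytes <= self.excess:
            self.excess -= size_bytes
            return "exceed"
        return "violate"


# Actions as the notes describe them: drop or remark exceeding traffic
ACTIONS = {"conform": "transmit", "exceed": "set-dscp-transmit", "violate": "drop"}


def apply_policy(packets: List[Tuple[float, int]], cir_bps: int = 56000,
                 bc_bytes: int = 1750, be_bytes: int = 1750) -> List[str]:
    """Run (arrival_time_s, size_bytes) packets through the policer; return actions."""
    policer = TokenBucketPolicer(cir_bps, bc_bytes, be_bytes)
    return [ACTIONS[policer.police(t, size)] for t, size in packets]


# Constructed burst: three 1000-byte packets at t=0, then one a second later
SAMPLE_PACKETS = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (1.0, 1000)]

if __name__ == "__main__":
    for (t, size), action in zip(SAMPLE_PACKETS, apply_policy(SAMPLE_PACKETS)):
        print(f"t={t:.1f}s {size} bytes -> {action}")
```

The same packets handed to a shaper would be delayed and sent at the committed rate instead of being remarked or dropped, which is why the notes prefer shape average for voice.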
Link Efficiency Mechanisms (no config is required for this subject on ONT)
if a data packet is being sent a voice packet will not be able to bypass it even when we
use QoS. The techniques we used before will move the VoIP traffic to the front of the
software queue but it cannot change the hardware queue
There is a 214ms delay on the hardware queue.
Compression – 2 types
Payload Compression algorithms:
Stacker – generic compression type
Predictor – generic compression type
MS Point-to-Point – used for dial up clients
Header Compression:
TCP Header
RTP Header -> can take a 40 bytes header and reduce it to 2-4 bytes => in a voice session
most of the header data doesn’t change=>RTP header compression strips out all this info and sends
a near-empty header (with CRC and hash)
This is the most processor intense QoS mechanism
Link Fragmentation and Interleaving
The router takes the packet and chops it into smaller frames=>allows the voice packets to
move forward in the queue
The cost is less efficient use of the link
Cisco recommend NOT to use it on links over 768kbps
QoS over VPN
Is it possible?
No -> Unfixable problem - the Internet is not controllable enough to have QoS work
Yes -> Pre Classification – if you use the same ISP on both ends it can assure QoS
Pre classify -> when a packet is sent over vpn it will first be processed by the vpn process
which hide the details of the header but keep marking if available.
The second step is the pre classify command, the QoS process determines which header
you use for classification->this can be a problem. Since the vpn encrypted the data (like
ports or IPs) it cannot sort traffic by type.
The command for pre classify reverse the process so it can see the hidden details.
This command can be applied on the tunnel interface or crypto-map
Next Generation SLA
ISP provide L2 connectivity
New generation of SLA provide L3 with 3-5 classes of traffic guarantee
When you have the same ISP end-to-end you can get QoS all the way
Hardcode speed\duplex
Mark ASAP, whenever first available
Queue trunks
Police scum traffic
Priority for voice
WRED for dropping
Make sure Marking match SLA
Use LFI / Shape if necessary
Do the same on both ends to ensure better service
AutoQoS is a way to deploy QoS without knowing everything.
2 types:
VoIP->predefined template for voice
Enterprise->the router monitors the network for 3 days and then prepare a recommended
policy after categorizing the traffic
NBAR is a key component->on production router it can be processor intensive
QoS templates depend on the configured bandwidth per interface=>correct bandwidth
configuration is critical
Requirements for AutoQoS:
Recent IOS (12.1\12.2 and later)->later IOS have better autoQoS
CEF must be enabled (ip cef on global config mode)
Bandwidth must be configured on the interface
IP address must be assigned to the interface
Interface must not be shutdown=>must be turned on (up or down) -> when the interface
is down the autoqos command will not show up
int s0/0
ip address
encapsulation ppp
bandwidth 500
all class-maps and policy-maps should be removed
show run int s0/0->to show run specific interface
int s0/0
auto qos voip->the router will pause for 5-10sec to apply=>the command create about 50
commands that can be viewed via show run
no auto qos voip->remove all the configuration, back to the same point
int s0/0
auto discovery qos trust=>Enterprise AutoQoS->trust=should it trust incoming marking
after 3 days it has enough data.
show auto discovery qos->show the results of the collected data
to apply it use auto qos
Wireless Network
Wireless in the business world:
Seamless connectivity for devices
Unlicensed RF bands
Cisco’s areas of focus for wireless:
Clients -> the ability for a user to communicate on different devices
Mobility -> ability to remain mobile in different areas
Unification -> unifying the services on wireless systems
Management -> detect weak areas, change settings as required
Advanced Services -> cell that become WiFi as you get in the coverage area
2 major modules for Cisco wireless
Autonomous Access Point – all in one setup:
Add data\management at WAP
Each WAP translates between wired and wireless
Statistics maintained in advanced WAPs
Managed by CiscoWorks WLSE
Lightweight Access Point
Uses a “Split MAC” architecture between WAP and controller
Centrally managed and deployed
Managed by Cisco WCS
CiscoWorks WLSE
Works with autonomous WAPs
Provide centralized config and reporting
Makes the network “self-handling” along with many other cool benefits
WLSE (up to 2500 APs)
WLSE Express (up to 100 APs)
Cisco WCS
Works with lightweight WAPs
Can add Cisco’s patented location system to the wireless mix. Accurate within 10 meters
Base\Location software run on Windows or Red Hat servers
Cisco 2700 location appliance adds historical reporting of location information
Security and 802.1x
1G WEP -> Cisco LEAP -> WPA -> WPA2/802.11i
Problems with WEP:
WEP was released without enough security testing
The original standard was 40bit=>40 or 104 bit WEP key + 24 bit IV
IV=Initialization Vector->a random number that is combined with the key to create the
encryption. It is sent in clear text.
The static WEP key remains the same while the IV rotates->over time you start sending
duplicates=>easy to decrypt and break into the network
Better WEP keys – Lucent bumped the 40 bit key up to 104 bit encryption
Dynamic WEP keys – Cisco and MS designed rotating WEP keys->allow the WEP key
to be changed automatically
Wireless VPNs – many people started using VPN technology on top of WLANs
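Added example, not from the original notes: it quantifies the IV problem described above. A 24-bit IV with a static key gives only 2^24 distinct keystreams, and when IVs are picked at random a repeat arrives far sooner than that (birthday effect). The packet rates and the RNG seed are assumptions; no frames are encrypted or decrypted here.

```python
import math
import random

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible IVs per static key


def iv_exhaustion_seconds(packets_per_second: float) -> float:
    """Seconds until a sequential IV counter wraps and must start repeating."""
    return IV_SPACE / packets_per_second


def expected_first_repeat() -> float:
    """Birthday-bound estimate of packets sent before the first random IV repeat."""
    return math.sqrt(math.pi * IV_SPACE / 2)


def simulate_first_repeat(seed: int = 1) -> int:
    """Draw random IVs until one repeats; return how many packets that took."""
    rng = random.Random(seed)
    seen = set()
    while True:
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            return len(seen) + 1   # this packet reuses a keystream already on the air
        seen.add(iv)


def repeats_in(packets: int, seed: int = 1) -> int:
    """Count how many of `packets` random IVs duplicate an earlier one."""
    rng = random.Random(seed)
    seen = set()
    repeats = 0
    for _ in range(packets):
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            repeats += 1
        seen.add(iv)
    return repeats


if __name__ == "__main__":
    for pps in (100, 500, 2000):   # assumed traffic rates
        print(f"{pps} pkt/s: sequential IVs wrap after {iv_exhaustion_seconds(pps) / 3600:.1f} h")
    print(f"expected first random repeat after ~{expected_first_repeat():.0f} packets")
    print(f"simulated first repeat after {simulate_first_repeat()} packets")
    print(f"repeats among 100000 random IVs: {repeats_in(100_000)}")
```

This is why rotating (dynamic) WEP keys and then TKIP's 48-bit sequenced IV were the fixes: the number of keystreams per key had to grow and repeats had to become detectable.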
WPA (around 2002)
The WiFi alliance released an interim solution to WEP
WPA=WiFi Protected Access added 3 areas:
Temporal key integrity protocol (TKIP) -> a replacement for WEP encryption
Message integrity code (MIC)->20 bit hashing mechanism to ensure data integrity
802.1x->per port/per user authentication
Industry challenge – use existing hardware for WPA
The answer – TKIP:
IV expanded from 24 to 48 bits, also used as a sequence number that helps with the
Shared secret key used as seed to generate other keys
First generated key=session key
->hash = sender MAC + seed key + first 32 bits of IV=>session key for 1 session
->stays the same for the session as long as first 32 bits of IV does not change
Second generated key=per packet key
->hash = the session key + lower 16 bits of IV
->result is 104 bit per-packet key
using the same hardware we get a powerful fix for WEP
Designed for data integrity
Existing wireless hardware could only handle a 20 bit hash key (low protection)
Countermeasures to fight intruders when altered data packet is detected:
->wireless link of compromised devices disabled for 60 seconds
->session keys regenerated when the device come back
802.1x standard defines authentication for port-based access control
Consists of the following pieces:
Client <EAP> Authenticator <RADIUS> Authentication Server
EAP is an empty “container” allowing authentication methods to change with no
hardware upgrades=>a shell for a packet, within will be authentication method
Many EAP methods already exist
EAP methods
Cisco LEAP->supported on Cisco devices->easy to setup, can use the windows sign on to
authenticate with a RADIUS server=>it can apply permissions based on username
Microsoft PEAP->more secure than LEAP, require CA certificate on each client. Require
access to each PC and install the CA=>more configurations \ more secure
EAP-TLS->industry standard, certificate based authentication
EAP-FAST->industry standard, PAC-based system->combine LEAP with PEAP
Final standard: WPA2 = 802.11i
WPA2 is identical to the original WPA with the exception of AES encryption standard
AES is more sophisticated and secure than TKIP
WPA2 with AES require hardware upgrade
WPA2 can be run using TKIP (backwards compatible)
WPA/WPA2 modes:
Both can be run in one of 2 modes:
Enterprise mode
->authentication through EAP/802.1x
->TKIP or AES encryption
Personal mode
->authentication through pre-shared key
->TKIP or AES encryption
Cisco Wireless Configuration
->Basic configuration
Step 1->get DHCP address or use the default IP address
Other way->show cdp neighbors command=>show cdp details for full info
Default username\pwd->Cisco for both username and password (and exec mode pwd)
Most tasks will be done via GUI->http://ipaddressofAP
Services->HTTP=>enable HTTPS
Express Setup->allow basic configs like static\DHCP, SNMP, 802.11G\802.11A
Express Security->configuring SSID, VLAN and security method – WEP, EAP or
WPA=>associating SSID with VLAN is a powerful feature
To get more specific settings we can use the Security tab
Wireless QoS
Typical L2 switches use 802.1p tagging to designate marking and priority
WiFi alliance approved standard for handling packets is WMM=WiFi Multimedia
(Voice, Video, Data)=>WMM\802.11e
WMM change the 8 levels of marking in CoS to 4 levels: Platinum, Gold, Silver &
WMM is performed between client and WAP
WMM allows the clients and WAPs to schedule RF windows or timeslots for higher
priority traffic
The wireless controller converts WMM timeslots back to 802.1p