Packet Magazine Aug 04



CISCO SYSTEMS USERS MAGAZINE, THIRD QUARTER 2004
CISCO.COM/PACKET

ROUTING INNOVATION: Rising Expectations in IP Networking, page 34
Cisco CRS-1: Reinventing the Router, page 41
Deploying Video Telephony, page 23
Detecting Network Threats, page 13
SPECIAL REPORT: Intelligent Networking, page 53

Reprinted with permission from Packet magazine (Volume 16, No. 3), copyright 2004 by Cisco Systems, Inc. All rights reserved.

ON THE COVER
CISCO SYSTEMS USERS MAGAZINE, THIRD QUARTER 2004, VOLUME 16, NO. 3: PACKET

Turning the Corner on Innovation, page 34
Market demands and sophisticated new applications are accelerating architectural innovation in IP routing. Cisco turns the corner with the new CRS-1 Carrier Routing System and enhancements to Cisco IOS Software.

Reinventing the Router, page 41
With unparalleled capacity and raw horsepower, the Cisco CRS-1 provides the fault-tolerant, multiple-service networking service providers require to sustain anticipated growth in IP services over the next decade.

IOS: Routing's Crown Jewel, page 47
From its public debut in 1987 to the recent delivery of Cisco IOS XR for fault-tolerant routing at 92 Terabit-per-second speeds, Cisco IOS Software continues to evolve with the times.

SPECIAL REPORT: Intelligent Networking, page 53
An intelligent, systems-based approach to networking can substantially reduce complexity while increasing functionality. Learn more about Cisco's vision of the smarter network.

TECHNOLOGY

VIDEO TELEPHONY: Deploying Video Telephony, page 23
Cisco CallManager 4.0 extends voice features to video over a common, user-friendly infrastructure that can be deployed to the desktop.

SECURITY: Deflector Shield, page 28
Fruits of Cisco's Riverhead Networks acquisition help to mitigate distributed denial-of-service attacks.

ENTERPRISE SOLUTIONS

Turbo-Charged TAC, page 57
A virtual customer interaction network for Mercedes-Benz USA accelerates auto diagnosis and puts the brakes on telephony costs.

Routed Radio, page 61
New Cisco Catalyst 6500 Series Wireless LAN Services Module blends wired and wireless networks.

Radio Meets Multicast, page 63
Radio broadcaster GWR Group lowers costs by replacing satellite, data, and voice networks with multicast VPN.

Virtual Firewall Management, page 67
Network administrators can manage multiple security contexts using Cisco PIX Device Manager Version 4.0.

SERVICE PROVIDER SOLUTIONS

Wholesale BLISS, page 71
Z-Tel Communications taps Cisco BLISS solution for unique wholesaler/retailer opportunity.

Taking to the ROADM, page 75
Reconfigurable optical add/drop multiplexer (ROADM) technology poised to spur metro dense wavelength-division market.

Calculating New Routes Faster, page 78
Cisco IOS Software enhancements speed IS-IS network convergence.

SMALL AND MIDSIZED BUSINESSES

IP VPNs Gain Momentum, page 81
Small and midsized companies can save time and money by out-tasking their IP VPNs to a managed services provider.

DEPARTMENTS

From the Editor, page 1: Innovation and Standardization
Mail, page 3
User Connection, page 5: CIPTUG IP Telephony Feature Request System; Cisco Career Certifications Updates
Tech Tips & Training, page 9: Is Your Network Ready for Voice?; Threat Detection; Insider's Tips on Earning Your CCIE in Security; IP Multicast at a Glance; Reader Tips
Technically Speaking, page 84: IP Security or Secure Sockets Layer? Cisco's Pete Davis discusses why you don't have to choose one over the other.
New Product Dispatches, page 85: What's new from Cisco over the past quarter
NetPro Expert, page 89: Expert advice on outdoor wireless LAN infrastructure

IN EVERY ISSUE
Calendar, page 5; Acquisitions, page 7; Networkers, page 6; Tech Tips, page 21; Advertiser Index, page 88; Cache File, page 90; The 5th Wave, page 90

FROM THE EDITOR

Innovation and Standardization

If you're a regular reader of Packet, you've no doubt noticed our new look. Packet has been redesigned to match a new look and feel that has been incorporated throughout all of Cisco's communications vehicles. From the commercials you see on TV, to the boxes that deliver your latest networking components, the company is adhering to a cohesive design philosophy that is collectively referred to in marketing circles as a "corporate identity system." The theory is, if you're spending money on individual communications, each with its own audience, objectives, and agenda, you also want them to work together for a higher purpose, in this case, to build brand awareness in the marketplace. A corporate identity system makes individual components (whether a white paper, data sheet, or a magazine) work together for a greater good.

As I sat down to write this letter, I thought, how can I tie Packet's redesign into this issue's theme of routing innovation? Then it occurred to me: what we are experiencing at Packet is the same inevitable evolution that occurs in the world of networking, innovation to standardization: the standardization of the most practical and useful innovations to serve a greater good, that of widespread adoption and integration.

To advance the state of the art in any given field, there must be innovation. Throughout its 20-year history, Cisco has pioneered many innovations that continue to profoundly affect not only networking, but, to quote Cisco Chief Executive Officer John Chambers, "the very way the world works, lives, plays, and learns." However, as important as innovation is, working with the standards bodies ensures that the advancements achieved can be used by everybody. Few companies have invested as much effort in standards development as Cisco. A few examples of the company's contributions to industry standards include Border Gateway Protocol (BGP), Dynamic Packet Transport/Resilient Packet Ring (DPT/RPR), Multiprotocol Label Switching (MPLS), and Layer 2 Tunneling Protocol (L2TP). For more Cisco innovations, see "Turning the Corner on Innovation," page 34.

Companies reap huge benefits from standards-based networking technologies. While it might seem that conformance to industry standards would stifle creativity, the opposite is true. When all products and technologies adhere to industry standards, vendors must differentiate their products by other means. This competition between network equipment suppliers brings out the best in each vendor and continually pushes technology forward.

Over the years, Packet has won its share of awards for innovative design, photography, and illustrations. So, while we may have a smaller design palette with which to stretch our creative muscle, we will continue to work hard to differentiate ourselves with innovative editorial. To that end, a new column, NetPro Expert (see page 89), has been added to help satiate your appetite for technical tips and advice. Each quarter, this column will provide excerpts from a particularly interesting Q&A session held with one of Cisco's technical experts on the popular Cisco Networking Professionals Connection online community (cisco.com/go/netpro).

Look for more integration with NetPro forums on our newly designed Packet Online Website, coming soon. And let us know what you think of our new look by writing to us at [email protected].

David Ball, Editor-in-Chief, [email protected]

CISCO SYSTEMS, THIRD QUARTER 2004, PACKET

PACKET MAGAZINE
David Ball, Editor-in-Chief
Jere King, Publisher
Jennifer Redovian, Managing Editor
Susan Borton, Senior Editor
Joanie Wexler, Contributing Editor
Robert J. Smith, Sunset Custom Publishing, Production Manager
Michelle Gervais, Nicole Mazzei, Mark Ryan, Norma Tennis, Sunset Custom Publishing, Production
Jeff Brand, Bob Jones, Art Direction and Packet Redesign
Emily Burch, Designer
Ellen Sokoloff, Diagram Illustrator
Bill Littell, Print Production Manager
Cecelia Glover Taylor, Circulation Director
Valerie Marliac, Promotions Manager
Scott Griggs, Jordan Reeder, Cover Photograph

Special Thanks to the Following Contributors: Leonard Bonsall, Jeff Brand, Karen Dalal, Bob Jones, Janice King, Valerie Marliac, Sam Masud

Advertising Information: Kristen Bergman, [email protected]

Packet magazine at cisco.com/packet.

Publisher Information: Packet magazine (ISSN 1535-2439) is published quarterly by Cisco Systems and distributed free of charge to users of Cisco products. Application to mail at Periodicals Rates pending at San Jose, California, and additional mailing offices.

POSTMASTER: Please send direct address corrections and other correspondence to [email protected] or to Packet in care of: Packet Magazine, PO Box 2080, Skokie, Illinois 60076-9324, USA. Phone: 847-647-2293.

Aironet, Catalyst, CCDA, CCIE, CCNA, Cisco, Cisco IOS, Cisco Networking Academy, Cisco Press, the Cisco Powered Network logo, the Cisco Systems logo, Cisco Unity, IOS, iQ, Packet, PIX, SMARTnet, and StackWise are registered trademarks or trademarks of Cisco Systems, Inc., and/or its affiliates in the USA and certain other countries. All other trademarks mentioned in this publication are the property of their respective owners. Packet copyright 2004 by Cisco Systems, Inc. All rights reserved. Printed in the USA.

No part of this publication may be reproduced in any form, or by any means, without prior written permission from Cisco Systems, Inc.

This publication is distributed on an as-is basis, without warranty of any kind either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or noninfringement. This publication could contain technical inaccuracies or typographical errors. Later issues may modify or update information provided in this issue. Neither the publisher nor any contributor shall have any liability to any person for any loss or damage caused directly or indirectly by the information contained herein.

This magazine is printed on recycled paper. 10% total recovered fiber.

MAIL

A Question of Timing
In reference to Yang Difei's Reader Tip [Second Quarter 2004], I'm surprised that an editor's note wasn't included. I like the functionality of the reload command and use it frequently when performing remote administration, but "reload in 60" gives you one heck of a waiting period for the router to revert to its prior configuration. I prefer to make changes to my equipment in small increments and use an appropriate "reload in" time of between 2 and 5 minutes. If you misconfigure a WAN interface and lose your connection, you've probably also lost the connectivity for several users.
Gerri Costa, Promasa, New Orleans, Louisiana, USA

Diary Inspires Interest
After reading the second installment of Jimmy Kyriannis's Deployment Diary [First Quarter 2004], I went back and read the first part of the series [Second Quarter 2003]. On page 47, Kyriannis says he tested the new core while a leaf off the current production network with 2 million independent connections. He also stated that later they would test with 5 million connections. How can anyone possibly test this many connections? I think it's questionable that anywhere close to 2 million connections or flows would exist at any one time on a large campus network given the brief, transitory nature of many types of connections between routers.
Mike Granger, EDS Corp., Louisville, Colorado, USA

The following is a response from author Jimmy Kyriannis. (Editors)

The manner in which I conducted the test is fairly straightforward. To validate the Cisco Express Forwarding-based load-sharing algorithm, I didn't actually have to establish a complete connection with any end systems, but I did need to show that the traffic successfully traversed the Tetrahedron Core as described in the load-sharing algorithm documentation. Here's a brief outline of my test method.

1. I placed a UNIX system on a network that was attached to an access router connected to the Tetrahedron Core. That network was a /24 subnet, meaning that it could support a maximum of 256 IP addresses.

2. I configured the UNIX system to use 250 IP addresses on its single Gigabit Ethernet interface.

3. I wrote an execution script to do the following:
   - Randomly select a source IP address from one of the above 250 (in some of the tests, I used just a single source IP address)
   - Randomly select any global destination IP addresses, up to a total of 5 million
   - Execute a traceroute from that selected source IP address to that destination IP address using a max TTL that would ensure that the traffic would get past the far-end access router attached to the Tetrahedron Core and not actually reach its destination out on the Internet. (I think I would get more than a few complaints if I actually did contact 5 million systems!)
   - Collect the output of all of the traceroutes

4. I then wrote an analyzer script that took the output of the traceroutes and reported on the statistical distribution of paths through the Tetrahedron Core that each src-dst-ip flow selected.

It was interesting to discover that the Cisco Express Forwarding load-balancing algorithm did not yield fairly distributed usage across all links until 16,384 destinations were selected. My impression is that this is a mathematical artifact of the bucket algorithm developed by Cisco engineers; this didn't bother me, because on a large-scale campus network such as ours we see far more than 16,384 flows running through the core at any particular time.
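The analyzer step in the response above, as an added example that is not the author's script or Cisco code: it parses traceroute output for a set of sampled src-dst flows, keeps only the hops that belong to an assumed set of core routers (the hostnames core-a through core-d are hypothetical), and reports how the flows were distributed over core paths and core links, plus a simple imbalance ratio of the kind that would expose the uneven sharing the author saw below 16,384 destinations. The traceroute text, hostnames and addresses are constructed for the example; the "* * *" rows stand for hops beyond the limited max TTL the letter describes.

```python
"""Added example (not the author's script): analyze traceroute output from a
load-sharing test like the one described in the letter above.

Each traceroute was run with a limited max TTL, so the trace stops with
"* * *" rows once it has passed the far-end access router.  The analyzer
keeps only hops that belong to an assumed set of core routers and reports
how the sampled src-dst flows were distributed over the core paths.
Router names and addresses below are constructed for the example."""
import re
from collections import Counter

# Assumed core router hostnames (hypothetical; the letter names none).
CORE_ROUTERS = {"core-a", "core-b", "core-c", "core-d"}

# Matches a traceroute hop line such as "  2  core-a (10.0.0.1)  0.801 ms".
# Rows of "* * *" (hops beyond max TTL, or no reply) do not match and are skipped.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)")


def core_path(traceroute_text):
    """Return the ordered tuple of core routers seen in one traceroute."""
    path = []
    for line in traceroute_text.splitlines():
        match = HOP_RE.match(line)
        if match and match.group(2) in CORE_ROUTERS:
            path.append(match.group(2))
    return tuple(path)


def path_distribution(traces):
    """traces: iterable of (src_ip, dst_ip, traceroute_text).
    Returns a Counter mapping each core path to the number of flows that took it."""
    counts = Counter()
    for _src, _dst, text in traces:
        counts[core_path(text)] += 1
    return counts


def link_shares(counts):
    """Fraction of all flows crossing each directed core link (a, b)."""
    total = sum(counts.values())
    links = Counter()
    for path, n in counts.items():
        for a, b in zip(path, path[1:]):
            links[(a, b)] += n
    return {link: n / total for link, n in links.items()}


def imbalance(counts):
    """Most-used path count divided by least-used; 1.0 means perfectly even sharing."""
    values = list(counts.values())
    return max(values) / min(values)


def _trace(dst, hops):
    """Build constructed traceroute text for the sample below."""
    lines = [f"traceroute to {dst} ({dst}), 5 hops max, 40 byte packets"]
    for i, (name, addr) in enumerate(hops, start=1):
        lines.append(f" {i}  {name} ({addr})  {0.4 * i:.3f} ms")
    lines.append(f" {len(hops) + 1}  * * *")  # beyond max TTL: no reply
    return "\n".join(lines)


# Constructed sample: four flows from the test host's /24, traced with max TTL 5.
SAMPLE_TRACES = [
    ("10.1.1.10", "192.0.2.1", _trace("192.0.2.1",
        [("access-1", "10.1.1.1"), ("core-a", "10.0.0.1"), ("core-c", "10.0.0.3"), ("access-2", "10.2.2.1")])),
    ("10.1.1.11", "198.51.100.7", _trace("198.51.100.7",
        [("access-1", "10.1.1.1"), ("core-a", "10.0.0.1"), ("core-c", "10.0.0.3"), ("access-2", "10.2.2.1")])),
    ("10.1.1.12", "203.0.113.9", _trace("203.0.113.9",
        [("access-1", "10.1.1.1"), ("core-a", "10.0.0.1"), ("core-d", "10.0.0.4"), ("access-2", "10.2.2.1")])),
    ("10.1.1.13", "192.0.2.200", _trace("192.0.2.200",
        [("access-1", "10.1.1.1"), ("core-b", "10.0.0.2"), ("core-d", "10.0.0.4"), ("access-2", "10.2.2.1")])),
]

if __name__ == "__main__":
    dist = path_distribution(SAMPLE_TRACES)
    for path, n in dist.most_common():
        print(" -> ".join(path), n)
    print("link shares:", link_shares(dist))
    print("imbalance:", imbalance(dist))
```

With the four constructed flows, two take core-a to core-c and one each take core-a to core-d and core-b to core-d, so the imbalance ratio is 2.0; on a real run the same functions would be fed the collected output of all the traceroutes and the ratio watched as the number of destinations grows.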

Case of Mistaken Identity
I am anxiously waiting, no doubt along with many other Packet readers, to hear the explanation as to why Cisco's Security Advocate, Mr. Aceves, is wearing Alison's badge in the photo on page 3 [First Quarter 2004]. In most companies I am sure there are policies which greatly frown upon such activities.
Colin A. Kopp, Province of British Columbia, Victoria, B.C., Canada

We received a record-breaking number of letters regarding the photo in the article "Security Advocates," in which Richard Aceves is shown wearing someone else's employee identification badge. Borrowing badges is not a security best practice, and is certainly not a policy that Packet/Cisco condones. When our photographer suggested the shoot take place in the lab, Richard discovered that his access to the lab had expired; Cisco requires periodic electrostatic discharge concepts exams for continued access to the labs. The lab manager was aware of the situation, and Richard was allowed to borrow a badge from one of his employees to proceed with the photo shoot. Unfortunately, we did not spot the errant badge in the photo until the article had already gone to print, but it is gratifying to see how many of our readers are paying such close attention. (Editor)

Send your comments to Packet

We welcome your comments and questions. Reach us through e-mail at [email protected]. Be sure to include your name, company affiliation, and e-mail address. Letters may be edited for clarity and length.

Note: The Packet editorial staff cannot provide help-desk services.

Correction

The article "Branching Out" [Second Quarter 2004, page 80] contained factual errors regarding First Albany Capital's network deployment. A corrected version of the article is available at cisco.com/packet/163_2a1. We apologize for the errors. (Editors)

USER CONNECTION

User Group Influences New Cisco IP Telephony Features

What started with a long list of features, a request for help in prioritizing them, and a point system using so-called "Cisco bucks" back in 2001 has evolved into a valuable program for learning which Cisco IP telephony product features users really want.

Over the past few years, Cisco and CIPTUG, the official users group for companies that operate Cisco IP telephony products, have honed a process for gathering the most desired hardware and software feature ideas from CIPTUG members and prioritizing them for Cisco product managers.

"This process is a great mechanism to receive customer input for our product development," says Marc Ayres, product manager in the Voice Technology Group at Cisco. "It's an excellent tool, it's been formalized, and we take the results seriously. We listen to all customer feedback, from the product enhancement requests we get from our sales force to the one-on-one customer meetings and EBCs [Executive Briefing Centers]."

CIPTUG leaders say the ability to work collectively to communicate with Cisco is central to the program's influence. "All alone, you are one of thousands of companies out there pitching your ideas and needs to Cisco," says Mark Melvin, Feature Advocacy Committee chairperson for CIPTUG and IP telephony network engineer for Cisco Gold Partner APPTIS, Inc. "You're much more likely to get an important feature, and get it sooner, by participating in this process."

Customers Have Their Say
The results speak for themselves. In October 2003, more than 50 IP telephony feature requests, or one-third of the total ideas at the time, were ranked as priorities by voting CIPTUG members and shared with Cisco. Of that list, Cisco committed to developing 22, and all 22 have already been released or are on the road map for an upcoming release.

In the most recent voting period, during May of this year, 51 of 144 features spanning six product categories received enough points to make the priority list that Cisco product managers are reviewing now. "It helps to know that many companies from different industries would use a particular feature," Ayres says. "We're listening but can't guarantee we'll be able to fulfill every request because so many variables go into selecting a feature for a product."

One such variable is the fact that, because Cisco adheres to industry standards and incorporates open application-programming interfaces in its product design, many companies are creating features and applications that work with Cisco IP telephony products. A new enhancement to the CIPTUG feature request system will give Cisco the ability to flag feature requests that would be better addressed by third-party ecosystem partners. Melvin explains, "This gives the membership one more avenue for sharing their needs and increases the likelihood the feature will be implemented."

The Process in Action
CIPTUG members can submit feature ideas to the group's Website (ciptug.org) at any time. Cisco and CIPTUG are working with six product categories: Cisco CallManager, Cisco Unity unified messaging software, voice gateways, IP phones, wireless phones, and management tools such as CiscoWorks IP Telephony Environment Monitor (ITEM).

In addition to allocating 200 points across the suggested features, each company can add comments about how that feature would be used or what it might look like displayed on a phone or device. Demographic data on the voting companies, information such as the industry and how many phones are installed, also tells Cisco how broad the use of a feature could be.

Cisco product managers and CIPTUG members meet frequently to discuss new feature requests and to improve the feature request system.

The more than 200 members of CIPTUG comprise companies in all industries. "We have a diverse set of users, from finance to healthcare to education to retail," Melvin says. "With input from call-center operators, insurance companies, universities, and many cities and school systems, the diversity makes our input even more valuable."

CIPTUG Member Benefits
In addition to the feature request program, CIPTUG offers Web-based presentations, discounts on training and books, collaborative opportunities through its dedicated Website, and an annual users event. The 2004 meeting will feature product roadmap presentations, panel discussions, a partner exhibit area, and opportunities to speak one on one with Cisco technology experts. The event takes place September 27-29 in Orlando, Florida. For more information, visit ciptug.org.

CISCO WORLDWIDE EVENTS (cisco.com/warp/public/688/events.html)

September 5-10: Cisco Powered Network Operations Symposium, Paris, France
September 28-30: Networkers Japan, Tokyo, Japan
November 4-6: Networkers China, Beijing, China
November 16-19: Networkers Mexico, Mexico City, Mexico
December 13-16: Networkers EMEA, Cannes, France
March 8-10, 2005: Networkers Korea, Seoul, Korea

USER CONNECTION

Recently Announced Cisco Acquisitions

Acquired: Actona Technologies
Key Technology: Developer of wide-area file-services software that helps companies store and manage data across geographically distributed offices. Actona technology will help Cisco expand the functionality of its branch-office access routers with intelligent network services that allow users at remote sites to access and transfer files as quickly and easily as users at headquarters sites. The acquired technology also allows enterprises to centralize file servers and storage and better protect and cost-effectively manage their remote office data. Actona's 48 employees based in the US and in Haifa, Israel, will join the Routing Technology Group at Cisco. Actona was founded in 2000.
Employees: 48
Location: Los Gatos, California, USA

Acquired: Parc Technologies
Key Technology: Develops traffic engineering solutions and software for routing optimization. Parc's route server algorithms, which break up network routing problems involving complex quality-of-service constraints, can help service providers deliver high-quality services while improving network utilization and reducing capital expenditures. Cisco will incorporate the technology into its Multiprotocol Label Switching Management product line as part of the Cisco IP Solution Center. Parc's employees will join Cisco's Network Management Technology Group.
Employees: 20
Location: London, United Kingdom

Acquired: Procket Networks
Key Technology: High-end routing company that develops concurrent services routers and has expertise in silicon and software development. The Procket engineering team and intellectual property are expected to make valuable contributions to the evolution of service provider and enterprise networks, as well as Cisco's next-generation routing technologies. About 120 employees from the company, which was founded in 1999 to build customized semiconductors for routers, will join Cisco's Routing Technology Group.
Employees: 120
Location: Milpitas, California, USA

USER CONNECTION

Cisco Career Certifications: Latest Offerings

A new storage networking specialization is the latest offering of the Cisco Career Certifications program.

"Engineers with routing and switching expertise who are called upon to support storage-area networks that are built with Cisco equipment need to know how to operate that equipment," says Cindy Hoffmann, a program manager in the Internet Learning Solutions Group at Cisco. The Cisco specialization trains candidates to plan, design, implement, troubleshoot, and operate Cisco MDS 9000 Series storage networking products.

Like most Certifications courseware, content for the storage track is developed by Cisco experts but delivered by Cisco Learning Partners or training companies authorized by Cisco.

The Cisco Qualified Specialist program, which allows professionals to specialize in a particular technology such as IP telephony, network security, or wireless, is built upon the core, associate-level CCNA and CCDA certifications. The optical track is one exception; it does not require CCNA or CCDA status because general knowledge of networking is not necessary for managing an optical network.

Cisco also offers a storage specialization for its resellers through the Cisco Channel Partner Program.

For more information, visit cisco.com/packet/163_3e1.

Get Your Certificate by E-Mail
For certified professionals who prefer to receive an electronic certificate or want to receive their certificate more quickly, Cisco has an answer.

Candidates who complete the CCNA, Cisco Qualified Specialist, or any career certification other than CCIE (CCIE recipients receive a plaque) can now receive the certificate electronically so it can be printed or shared with others through e-mail.

In May of this year, Cisco began offering candidates who complete their certifications a choice of a paper certificate or electronic delivery of a PDF file that cannot be modified. Either option generates the certificate, a wallet card, and a letter signed by Cisco CEO John Chambers.

Candidates who receive their first certification are notified by Cisco through e-mail and can select either a paper or electronic certificate free of charge at that time. Opting for both is US$15. Already-certified individuals who want to order an additional paper or electronic certificate can do so for $15 per order. Additional or new orders can be made on the Cisco Certifications Community Website (cisco.com/go/cert-community) or the Cisco Career Certifications Tracking System (cisco.com/go/certifications/login). Electronic delivery takes a few days, while the paper certificate typically reaches recipients in 6 to 8 weeks.

"Some people want a printed certificate provided by Cisco that they can frame and an electronic copy they can send to prospective employers or friends and family, or even print out themselves," says Abby Douglas, a program manager in the Internet Learning Solutions Group at Cisco.

As part of the new electronic service, Cisco updated the certificate and built a new process for verifying certificate authenticity. "It matters to those who have earned a Cisco certification that others can't misrepresent themselves," says Don Field, senior manager of certifications in the Internet Learning Solutions Group at Cisco.

Each certificate has a 16-digit number so that anyone examining the certificate, whether electronic or paper, can validate its authenticity on Cisco.com. In addition, certified individuals can use a Web-based tool to give others the ability to verify their certifications. "Because Cisco cannot by law verify a certification unless it has permission or a request from the certified professional, we've given them control of that process," Douglas explains.

FRAME IT: The certificate that proves an individual has completed a Cisco Career Certification has a new look and is also available for electronic delivery.

TECH TIPS & TRAINING

Is Your Network Ready for Voice?
Measuring Delay, Jitter, and Packet Loss for Voice-Enabled Data Networks

Your success or failure in deploying new voice technologies will depend greatly on your ability to understand the traffic characteristics of the network and then apply your knowledge to engineer the appropriate network configurations to control those characteristics.

With the emergence of new applications such as voice and video on data networks, it is becoming increasingly important for network managers to accurately predict the impact of these new applications on the network. Not long ago, you could allocate bandwidth to applications and allow them to adapt to the bursty nature of traffic flows. Unfortunately, that's no longer true, because today applications such as voice and video are more susceptible to changes in the transmission characteristics of data networks. Therefore, network managers must be completely aware of network characteristics such as delay, jitter, and packet loss, and how these characteristics affect applications.

Why You Need to Measure Delay, Jitter, and Packet Loss
To meet today's business priorities and ensure user satisfaction and usage, IT groups and service providers are moving toward availability and performance commitments by IP application service levels, or IP service-level agreements (SLAs).

Prior to deploying an IP service, network managers must first determine how well the network is working; second, deploy the service, such as voice over IP (VoIP); and finally, verify that the service levels are working correctly, which is required to optimize the service deployment. IP SLAs can help meet life-cycle requirements for managing IP services.

To ensure the successful implementation of VoIP applications, you first need to understand current traffic characteristics of the network. Measuring jitter, delay, and packet loss and verifying classes of service (CoS) before deployment of new applications can aid in the correct redesign and configuration of traffic prioritization and buffering parameters in data network equipment.

This article discusses methods for measuring delay, jitter, and packet loss on data networks using features in the Cisco IOS Software and Cisco routers.

Delay is the time it takes voice to travel from one point to another in the network. You can measure delay in one direction or round trip. One-way delay calculations require added infrastructure such as Network Time Protocol (NTP), clock synchronization, and reference clocks.

NTP is deployed to synchronize router clocks and also when global positioning system (GPS) or another trusted reference time is needed in the network.

Accuracy of clocks and clock drift affect the accuracy of one-way delay measurements. VoIP can typically tolerate delays of up to approximately 150 ms one way before the quality of a call is unacceptable to most users.

Jitter is the variation in delay over time from point to point. If the delay of transmissions varies too widely in a VoIP call, the call quality is greatly degraded. The amount of jitter that is tolerable on the network is affected by the depth of the jitter buffer on the network equipment in the voice path. When more jitter buffer is available, the network is more able to reduce the effects of the jitter for the benefit of users, but a buffer that is too big increases the overall gap between two packets. One-way jitter measurement is possible and does not require clock synchronization between the measurement routers.

Packet loss severely degrades voice applications and occurs when packets along the data path are lost.

Measuring Network Performance
Key capabilities in the Cisco IOS Software can help you determine baseline values for VoIP application performance on the data network. The ability to gather data in real time and on demand makes it feasible for IT groups and service providers to create or verify SLAs for IP applications; baseline values can then be used to substantiate an IP SLA for VoIP. Cisco IOS Service Assurance Agent (SAA) technology and the Round Trip Time Monitor (RTTMON) MIB are components of an IP SLA solution that enable the testing and collection of delay, jitter, and packet loss measurement statistics. Active monitoring with traffic generation is used for edge-to-edge measurements in the network to monitor the network performance.

You can use the CiscoWorks Internetwork Performance Monitor (IPM) network management

  • 8/10/2019 Packet Magazine Aug 04

    10/82

    TECH TIPS & TRAINING

    application or the IOS command-line interface(CLI) to configure and retrieve data from theRTTMON MIB, or choose from a wide selection of Cisco ecosystem partners and public domain soft-ware to configure and retrieve the data. In addition,the CiscoWorks IPM features are now also availablein the WAN Performance Utility (WPU) module of CiscoWorks IP Telephony Environment Monitor(ITEM) network management software.

Deploying Delay/Jitter Agent Routers
You can measure delay, jitter, and packet loss by deploying almost any Cisco IOS device, from a Cisco 800 Series Router on up.

Two deployment scenarios are possible: you can either purchase dedicated routers for SLA measurements or use current routers within the network. Place the routers in a campus network along with hosts to provide statistics for end-to-end connections.

It is not practical to measure every possible voice path in the network, so place the dedicated routers in typical host locations to provide a statistical sampling of typical voice paths.

In the case of VoIP deployments using traditional phones connected to Cisco routers through FXS station ports, the router to which the phones are connected also serves as the delay/jitter measurement device. Once deployed, the operation collects statistics and populates Simple Network Management Protocol (SNMP) MIB tables in the probe router. You can then access the data either through CiscoWorks IPM or through simple SNMP polling tools and other third-party applications. Because the RTTMON MIB is writable, a read-write community string lets any SNMP client create and schedule probes on the router, so restrict SNMP access to the probe routers with views and access lists and use SNMPv3 where available.

Additionally, after baseline values have been established, you can configure operations to send alerts to a network management system (NMS) station if thresholds for delay, jitter, and packet loss are exceeded.

Simulating a Voice Call
One of the strengths of using Cisco IOS SAA as the testing mechanism is that you can simulate a voice call. In Cisco IOS Software Release 12.3(4)T and later, you can configure the VoIP codec directly in the CLI and simulate a voice call. This release also includes voice quality estimates: Mean Opinion Scores (MOS) and Calculated Planning Impairment Factor (ICPIF) scores.

Earlier versions of Cisco IOS Software let you approximate a VoIP codec by entering the packet size, spacing, and interval that the codec would produce as parameters of the measurement operation. The IP ToS value (the tos keyword in the examples below) can be set on data or VoIP tests, which allows you to verify how well QoS is treating the voice class in the network. Examples of how to simulate a voice call are shown below.

With Cisco IOS Software Release 12.3(4)T or later, you can use the VoIP jitter operation to simulate a test call:

rtr 1
 type jitter dest-ipaddr 10.1.1.2 dest-port 14384 codec g711alaw
rtr schedule 1 start-time now

With IOS releases earlier than 12.3(4)T you build the call yourself. RTP uses the even UDP port numbers in the range 16384 to 32766. A G.711 call approximates 64 kbit/s of payload, and each packet is 200 bytes (160 bytes of payload + 40 bytes of IP/UDP/RTP headers, uncompressed). You can simulate that type of traffic by setting up the jitter operation as shown below.

The jitter operation accomplishes the following:
Sends the request to RTP/UDP port number 14384
Sends 172-byte packets (160 bytes of payload + 12 bytes of RTP header); the router adds the 28 bytes of IP + UDP headers itself
Sends 3000 packets in each frequency cycle
Sends one packet every 20 milliseconds for a duration of 60 seconds, then sleeps 10 seconds before starting the next frequency cycle

The parameters in the example above give you 64 kbit/s of payload for the 60-second test period:

((3000 datagrams * 160 bytes per datagram) / 60 seconds) * 8 bits per byte = 64 kbit/s

    The conguration on the router would look like this:

rtr 1
 type jitter dest-ipaddr 10.1.1.2 dest-port 14384 num-packets 3000
 request-data-size 172
 frequency 70
rtr schedule 1 start-time now

Note that the IP + UDP headers are not counted in request-data-size, because the router adds them to the packet size automatically.

Delay/Jitter Probe Deployment Example
The two routers below simulate G.711 (64 kbit/s) voice calls every 60 seconds and record delay, jitter, and packet loss in both directions. Note that the delay values are round-trip times and must be halved to approximate one-way delay unless NTP is implemented for true one-way delay measurements.

router1#
rtr responder
rtr 1
 type jitter dest-ipaddr 10.1.2.1 dest-port 14384 codec g711alaw
 tos 160
 frequency 60
rtr schedule 1 start-time now
! tos 160 = 0xA0 = IP precedence 5 (DSCP CS5), the traditional voice marking

router2#
rtr responder
rtr 1
 type jitter dest-ipaddr 10.1.1.1 dest-port 14385 codec g711alaw
 tos 160
 frequency 60
rtr schedule 1 start-time now

Command-Line Data Examples
To view the results, use the IOS show command at the command line for the jitter operation. Additionally, you can use the command-line data for real-time monitoring and troubleshooting of delay, jitter, and packet loss. For an example of the CLI output, refer to cisco.com/packet/163_4b1.

Monitoring Thresholds
You can use the CLI, CiscoWorks IPM, or the WPU in CiscoWorks ITEM to configure features and monitor data. You can use this data to manage IP SLAs that have been created for VoIP. After you have determined baseline values, you can reconfigure the jitter operations to monitor the network. When predetermined delay and jitter service-level thresholds are reached or exceeded, NMS stations will be alerted.

After you have established baseline values through the initial data collection, you can monitor the delay, jitter, and packet loss levels in the network with the embedded alarm features of Cisco IOS SAA.

The Cisco IOS SAA threshold command sets the rising threshold for an operation; the reaction-configuration command sets the falling threshold (the gap between the two provides hysteresis), defines the reaction event that is generated, and stores history information for the operation. Cisco IOS SAA can measure and set thresholds for round-trip delay, average jitter, connectivity loss, one-way packet loss, one-way jitter, and one-way delay.

Sample Service Assurance Threshold Configuration

router1#
rtr 100
! the rising threshold comes from the operation's threshold command (default 5000 ms)
rtr reaction-configuration 100 threshold-falling 50 threshold-type immediate action-type trapOnly
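To make the probe arithmetic and the threshold logic above concrete, here is an added Python model (not code from the article or from Cisco) of what a jitter probe measures. The probe records, the timestamp wobble, the 30 ms jitter limit and the 1 percent loss limit are constructed assumptions; the 150 ms one-way delay limit and the 3000 x 160-byte probe come from the article. It also shows what the 64 kbit/s payload figure becomes once the 40 bytes of IP/UDP/RTP headers are counted, and why one-way jitter can be computed without synchronized clocks while one-way delay cannot.

```python
"""Offline model of what a Cisco IOS SAA (IP SLA) jitter probe measures.

Added example; this is not Cisco code. The packet records, the wobble in the
timestamps and the jitter and loss limits are constructed for illustration;
only the 150 ms one-way delay limit and the 3000 x 160-byte probe come from
the article.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional


def probe_bitrate_kbps(num_packets: int, payload_bytes: int,
                       duration_s: float, header_bytes: int = 0) -> float:
    """Bit rate generated by one cycle of a jitter operation.

    header_bytes=0 reproduces the article's payload-only figure
    (3000 x 160 bytes in 60 s = 64 kbit/s). Pass 40 (12 RTP + 8 UDP + 20 IP)
    for the load the link actually carries before any Layer 2 framing.
    """
    return num_packets * (payload_bytes + header_bytes) * 8 / duration_s / 1000


@dataclass
class ProbePacket:
    seq: int
    sent_ms: float              # sender's clock
    recv_ms: Optional[float]    # responder's clock; None means the packet was lost


def constructed_probe_sample() -> List[ProbePacket]:
    """Constructed sample: 50 packets 20 ms apart, ~40 ms one-way delay with a
    0-2 ms wobble, a 50 ms delay spike on seq 20, and seq 10 and 30 lost."""
    packets = []
    for seq in range(50):
        sent = seq * 20.0
        if seq in (10, 30):
            packets.append(ProbePacket(seq, sent, None))
            continue
        delay = 40.0 + (seq % 3) + (50.0 if seq == 20 else 0.0)
        packets.append(ProbePacket(seq, sent, sent + delay))
    return packets


def analyse(packets: List[ProbePacket], delay_limit_ms: float = 150.0,
            jitter_limit_ms: float = 30.0, loss_limit_pct: float = 1.0) -> dict:
    """One-way delay, positive/negative jitter and loss, then a threshold check.

    Jitter is taken as the change in inter-packet spacing between consecutive
    received packets, (R_i - R_i-1) - (S_i - S_i-1). A fixed clock offset between
    sender and responder cancels out of that difference, which is why one-way
    jitter needs no NTP while the one-way delay figures do. Pairs that straddle
    a lost packet are skipped (a design choice here, not a claim about IP SLA).
    """
    received = [p for p in packets if p.recv_ms is not None]
    lost = len(packets) - len(received)
    loss_pct = 100.0 * lost / len(packets)

    delays = [p.recv_ms - p.sent_ms for p in received]
    positive, negative = [], []
    for prev, cur in zip(received, received[1:]):
        if cur.seq != prev.seq + 1:
            continue
        j = (cur.recv_ms - prev.recv_ms) - (cur.sent_ms - prev.sent_ms)
        if j > 0:
            positive.append(j)
        elif j < 0:
            negative.append(-j)

    breached = []
    if delays and max(delays) > delay_limit_ms:
        breached.append("delay")
    if max(positive + negative, default=0.0) > jitter_limit_ms:
        breached.append("jitter")
    if loss_pct > loss_limit_pct:
        breached.append("loss")

    return {
        "received": len(received),
        "lost": lost,
        "loss_pct": loss_pct,
        "delay_avg_ms": mean(delays) if delays else None,
        "delay_max_ms": max(delays) if delays else None,
        "jitter_pos_max_ms": max(positive, default=0.0),
        "jitter_neg_max_ms": max(negative, default=0.0),
        "breached": breached,
    }


if __name__ == "__main__":
    print("payload rate: %.0f kbit/s" % probe_bitrate_kbps(3000, 160, 60))
    print("on-wire rate: %.0f kbit/s" % probe_bitrate_kbps(3000, 160, 60, 40))
    for key, value in analyse(constructed_probe_sample()).items():
        print(f"{key:>18}: {value}")
```

The on-wire figure (80 kbit/s at 50 packets per second, before Layer 2 framing) is what a WAN link actually has to carry per simulated call, so it is the number to use when sizing a QoS priority queue for the probes. On the constructed sample the delay stays within 150 ms but the 50 ms spike and the two lost packets trip the jitter and loss thresholds, which is exactly the kind of event a reaction-configuration trap would report.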

Understanding the traffic characteristics of the network before you deploy new advanced applications is the key to successful implementations. Delay, jitter, and packet loss greatly affect VoIP applications. Your success or failure in deploying new voice technologies will depend greatly on your ability to understand the traffic characteristics of the network and then to apply your knowledge to engineer the appropriate network configurations to control those characteristics.

This article was developed by the Cisco Advanced Services Network Reliability Improvement team, which specializes in network high availability and operational best practices. In addition to using the techniques discussed in this article, you should have good operational practices in place to achieve higher levels of availability such as 99.999 percent (five nines).


FURTHER READING
Cisco IOS SAA technology: cisco.com/go/saa
Cisco IOS SAA for VoIP: cisco.com/packet/163_4b2
CiscoWorks Internetwork Performance Monitor (IPM): cisco.com/packet/163_4b3
CiscoWorks ITEM: cisco.com/packet/163_4b4
White papers on operational best practices for network availability: cisco.com/packet/163_4b5
Cisco Network Availability Improvement Services program: cisco.com/packet/163_4b6


Networks are continually becoming more intelligent and complex. Because the network plays an increasingly critical role in the daily functioning of most business environments, it is also rapidly evolving as the choice target of threats and attacks. The ever-increasing complexity of networks and intelligent services is often dwarfed by the increased sophistication of emerging network threats and attacks.

Three key areas of security that must be addressed early on are threat detection and identification, attack containment, and mitigation. This article provides insight into the first of these important security areas, threat detection and identification, and focuses on some key Cisco IOS Software features that enable you to inspect traffic and identify potential threats.

First, Assess the Risk
Threats can be classified by source (internal or external) or by type (spoofing, spam, denial of service (DoS), or worms). Basic categories of attacks that threaten a network device or the network infrastructure can be broadly classified as follows:

Spoofing and impersonation: A hacker gains access by making the network think that he is a trusted sender. This can be due to weak or compromised user accounts and passwords or to spoofed IP addresses.

Probes and scans: Port scanning, ICMP unreachable messages, and network commands such as whois, finger, and ping help an attacker mine information about the network topology. In addition, protocol analysis of captured data that contains sensitive information also helps the attacker forge identities and spoof IP addresses.

DoS/distributed DoS (DDoS): These attacks flood the network with requests that can fill circuits with attack traffic, overwhelm network devices, slow down critical network services, and ultimately impact the network's ability to support services. The defining characteristic of any DoS/DDoS attack is exhausting a target's resources by bombarding it with a spate of spurious traffic in a short span of time. Examples of such attacks include TCP SYN flooding, ICMP echo request floods, TTL expiration, and UDP (fraggle) and fragmentation attacks.

Malicious code: Examples of malicious code include viruses and various worms such as Nimda, Code Red, and Slammer. Once launched, worms are self-replicating programs that can rapidly propagate without any manual intervention. Viruses are self-replicating programs that usually require some form of human intervention to infect other systems. Malicious worms can propagate Internet-wide in a matter of a few minutes, leading to serious denial of service, downtime, and data loss on the infected hosts.

Spam: Although an indirect threat, spam is rapidly gaining ground as one of today's main security concerns. Consulting firm Ferris Research estimates that spam now represents more than half of Internet e-mail traffic volume, and that the cost of spam to enterprises in the US has more than doubled in the past year. To propagate spam, senders are increasingly relying on tactics such as unauthorized Border Gateway Protocol (BGP) route injection, AS route hijacking, and asymmetrical routing with spoofed IP addresses.

How to Identify and Classify Threats
The first step in attack detection is gathering relevant information about the attack's characteristics and devising a relevant threat classification strategy. This discussion focuses on identifying and classifying threats based on attack types.

Develop a network baseline. A vast majority of DoS attacks are designed to overload network devices. These attacks are usually characterized by anomalies such as an overwhelmingly large number of input buffer drops, significantly higher than usual CPU utilization levels, or link saturation. To identify such deviations from expected behavior, we first need to determine the normal behavior under a no-threat condition. This is typically accomplished by a process called network baselining, which helps security managers to define network performance and network resource usage for different time periods under typical operating conditions. Investigating current link usage levels, CPU usage, memory usage, syslog entries, and other overall performance parameters is an important part of baseline profiling. Any deviations or policy violations from the network baseline should be investigated carefully, as they are potential indicators of an attack or anomaly. Examples of such behavior include:


Threat Detection: Identifying and Classifying Network Threats with Cisco IOS Software
By Ramya Venkatraman

RAMYA VENKATRAMAN is a technical marketing engineer in Cisco's Internet Technologies Division. For the past four years, she has worked on numerous QoS and security projects at Cisco, and has been a regular speaker at Networkers and a periodic contributor to Packet. She can be reached at [email protected].

Discover more about defending your network against threats at the Cisco Networking Professionals Connection Security forum: cisco.com/discuss/security.


A large number of input buffer drops and malloc failures, which could indicate an attack designed to exhaust resources or cause excessive memory fragmentation

Unexplained spikes in CPU usage, which could be caused by hacker-initiated scans and probes that usually consume a lot of processing power

A sudden increase in link utilization levels, which could be the result of DoS attacks or worm activity that generates inordinately large volumes of traffic

Any other abnormal behavior such as inexplicable syslog entries, a large number of threshold breaches, RMON alerts, and so on

Cisco IOS for Threat Detection and Classification
Given its ubiquitous presence across communication networks, Cisco IOS Software is the ideal platform from which to launch security policies to thwart attacks and help defend networks. Following are some ways to proactively identify and classify various network attacks using tools already built into Cisco IOS Software.

NetFlow with Anomaly Detection
Cisco NetFlow is the primary and most widely deployed DoS identification and network traffic flow analysis technology for IP networks in the industry today. It is supported on most Cisco platforms via ASICs or Cisco IOS and Cisco Catalyst Operating System (CatOS) software, and provides valuable information about traffic characteristics, link usage, and traffic profiling on the network.

NetFlow classifies packets by way of flows. Each flow is defined by its unique seven key characteristics: the ingress interface, IP protocol type, type-of-service (ToS) byte, source and destination IP addresses, and source and destination port numbers. This level of flow granularity allows NetFlow to easily handle large-scale traffic monitoring. The NetFlow seven-tuple provides enough data for baseline profiling and for determining the who, what, when, where, and how of network traffic.

A network traffic anomaly is an event or condition in the network characterized by a statistical abnormality compared to typical traffic patterns gleaned from previously collected profiles and baselines. NetFlow allows users to identify anomalies by producing detailed accounting of traffic flows. Deviations from the typical traffic patterns are indicative of changing traffic patterns, an early sign of potential attacks. NetFlow is usually deployed across the edge of a service provider's network to monitor edge and peer interfaces, as these are the typical ingress points for most attacks. The router maintains a live Cisco IOS NetFlow cache to track the current flows.


The show ip cache flow command can be used to view a snapshot of the high-volume flows stored in the router cache (see figure).

IP flow information can be exported from the NetFlow cache to an external collector for further analysis. Flow data from multiple collectors can be correlated to identify the network nodes under attack and to determine the attack characteristics. Analysis of this exported data helps determine the threat classification criteria to be enforced by IOS features such as ingress access control lists (ACLs), Network-Based Application Recognition (NBAR), and Unicast Reverse Path Forwarding (uRPF). Note that NetFlow export is plain UDP with no authentication or integrity protection, so carry it to the collector over a protected management path rather than across the monitored edge.

There are several freeware tools that can analyze NetFlow data, including cflowd, flow-tools, and autofocus. Vendors such as Arbor, Mazu, and Adlex provide GUI-based collector applications for large-scale data collection from multiple collectors, analysis for DoS/DDoS attack detection, and centralized reporting. For example, security engineers can detect and prevent DoS attacks by using Cisco NetFlow to collect attack information such as source and destination IP address, port number, packet size, and protocol type, and then send the information to a threat detection correlation tool, such as Panoptis, for anomaly detection.

Access Control Lists with IP Options
Cisco IOS access lists are the most commonly adopted technique to classify and deny access to a router at the network edge. An ACL with a series of permit statements can be used to filter and characterize traffic flows of interest and to trace spoofed packet flows back to their point of origin. Increasing numbers of DoS attacks are associated with various options being set in the IP header, and Cisco IOS ACLs can also filter packets based on the IP options in the packet header. ACL counters are used to determine which flows and protocols are potential threats due to their unexpectedly high volume. After the suspect flows are identified, permit ACLs with the logging option can be used to capture additional packet characteristics.

    Consider the following example:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any echo
access-list 101 permit udp any any eq echo
access-list 101 permit udp any eq echo any
access-list 101 permit tcp any any established
access-list 101 permit tcp any any
access-list 101 permit ip any any

interface serial 0/0
 ip access-group 101 in

Access list 101 permits all packets, but the individual access control entries (ACEs) categorize the most common attack vectors, namely ICMP flooding, UDP echo attacks, and TCP SYN floods: because the permit tcp any any established entry comes first, the bare permit tcp any any entry that follows matches only TCP packets without ACK or RST set, which in practice are initial SYNs. Now the user can issue the show access-list command to display the access-list packet match statistics and diagnose any potential threats.

Router# show access-list 101
Extended IP access list 101
    permit icmp any any echo-reply (2354 matches)
    permit icmp any any echo (1368 matches)
    permit udp any any eq echo (18 matches)
    permit udp any eq echo any (7 matches)
    permit tcp any any established (100 matches)
    permit tcp any any (25 matches)
    permit ip any any (1015 matches)

The output indicates a large number of incoming ICMP echo request and reply packets, an indication of a potential ICMP flood or smurf attack. The log-input keyword is then enabled on the suspect entries to collect further information on the packet stream, such as the input interface, source MAC address, and source IP address. Apply log-input only to the suspect entries and only while investigating: logged packets are handled by the route processor, so logging every packet of a flood can itself exhaust the router's CPU.

access-list 101 permit icmp any any echo-reply log-input
access-list 101 permit icmp any any echo log-input
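The NetFlow anomaly detection and the ACL-counter classification described above can be exercised offline. The following Python is an added example, not Cisco code or a tool from the article: it parses flow records in the layout of the flow-detail lines of show ip cache flow (with the Pkts column that the figure truncates), buckets packets the way the entries of access list 101 do, and applies two baseline rules, many sources to one destination with one-packet flows for a flood, and one source to many targets for a scan. The flow records, the baseline of three sources per target and the five-target scan threshold are constructed; the placement of the ICMP type and code in the destination port field as type*256+code is how NetFlow records ICMP.

```python
"""Anomaly triage over NetFlow flow records.

Added example; this is not Cisco code. It parses flow lines laid out like the
flow-detail part of show ip cache flow (SrcIf SrcIPaddress DstIf DstIPaddress
Pr SrcP DstP, protocol and ports in hex) followed by the Pkts column, buckets
packets the way ACL 101 in the article does, and flags floods and scanners
against constructed baseline values. The flow records are constructed.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample. The first three rows echo the article's figure; the rest
# add an ICMP echo flood, UDP echo traffic, normal web sessions and a port
# scanner. ICMP type/code appear in the DstP field as type*256+code.
SAMPLE_FLOWS = """\
SrcIf SrcIPaddress    DstIf DstIPaddress Pr SrcP DstP Pkts
Et0/0 132.122.25.60   Se0/0 192.168.1.1  06 9AEE 0007 1
Et0/0 139.57.220.28   Se0/0 192.168.1.1  06 708D 0007 1
Et0/0 165.172.153.65  Se0/0 192.168.1.1  06 CB46 0007 1
Et0/0 10.9.8.7        Se0/0 192.168.1.1  06 1F90 0007 1
Et0/0 198.51.100.9    Se0/0 192.168.1.1  01 0000 0800 200
Et0/0 198.51.100.10   Se0/0 192.168.1.1  01 0000 0800 200
Et0/0 203.0.113.5     Se0/0 192.168.1.20 11 0007 0007 50
Et0/0 198.51.100.44   Se0/0 192.168.1.1  06 C001 0050 120
Et0/0 198.51.100.44   Se0/0 192.168.1.2  06 C002 0050 90
Et0/0 192.0.2.77      Se0/0 192.168.1.1  06 0401 0015 1
Et0/0 192.0.2.77      Se0/0 192.168.1.1  06 0402 0016 1
Et0/0 192.0.2.77      Se0/0 192.168.1.1  06 0403 0017 1
Et0/0 192.0.2.77      Se0/0 192.168.1.1  06 0404 0019 1
Et0/0 192.0.2.77      Se0/0 192.168.1.1  06 0405 0050 1
Et0/0 192.0.2.77      Se0/0 192.168.1.1  06 0406 01BB 1
"""


def parse_flows(text: str) -> List[Dict]:
    """Turn flow-detail lines into dicts; the header and short lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue
        src_if, src, dst_if, dst, proto, sport, dport, pkts = parts
        try:
            flows.append({"src_if": src_if, "src": src, "dst_if": dst_if,
                          "dst": dst, "proto": int(proto, 16),
                          "sport": int(sport, 16), "dport": int(dport, 16),
                          "pkts": int(pkts)})
        except ValueError:      # the column-header line
            continue
    return flows


def classify(flow: Dict) -> str:
    """Bucket a flow the way the entries of ACL 101 do."""
    proto, sport, dport, pkts = flow["proto"], flow["sport"], flow["dport"], flow["pkts"]
    if proto == 1:
        icmp_type = dport >> 8
        return {0: "icmp-echo-reply", 8: "icmp-echo"}.get(icmp_type, "icmp-other")
    if proto == 17 and 7 in (sport, dport):
        return "udp-echo"
    if proto == 6:
        # The cache display shows no T flags, so a one-packet flow is the best
        # available proxy for a lone SYN (the ACL's bare 'permit tcp any any' bucket).
        return "tcp-single-packet" if pkts == 1 else "tcp-multi-packet"
    return "ip-other"


def count_categories(flows: List[Dict]) -> Dict[str, int]:
    """Packet counts per category, the equivalent of the ACE match counters."""
    counts: Dict[str, int] = defaultdict(int)
    for f in flows:
        counts[classify(f)] += f["pkts"]
    return dict(counts)


def find_floods(flows: List[Dict], baseline_sources: int = 3,
                max_avg_pkts: float = 2.0) -> List[Dict]:
    """Targets hit by more distinct sources than the baseline with tiny flows,
    the many-to-one signature of a SYN or echo flood."""
    buckets = defaultdict(lambda: {"sources": set(), "flows": 0, "pkts": 0})
    for f in flows:
        b = buckets[(f["dst"], f["proto"], f["dport"])]
        b["sources"].add(f["src"])
        b["flows"] += 1
        b["pkts"] += f["pkts"]
    alerts = []
    for (dst, proto, dport), b in sorted(buckets.items()):
        avg = b["pkts"] / b["flows"]
        if len(b["sources"]) > baseline_sources and avg <= max_avg_pkts:
            alerts.append({"dst": dst, "proto": proto, "dport": dport,
                           "sources": len(b["sources"]), "avg_pkts_per_flow": avg})
    return alerts


def find_scanners(flows: List[Dict], min_targets: int = 5) -> List[str]:
    """Sources touching many distinct (dst, proto, port) targets with tiny
    flows: the one-to-many signature of a probe or scan."""
    targets = defaultdict(set)
    for f in flows:
        if f["pkts"] <= 2:
            targets[f["src"]].add((f["dst"], f["proto"], f["dport"]))
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(count_categories(flows))
    print(find_floods(flows))
    print(find_scanners(flows))
```

The flood rule keys on distinct sources and tiny flows rather than on raw packet volume, which is what separates the article's 82580 one-packet TCP flows to port 7 from a busy but legitimate web server; a real deployment would read the baseline values from the profiling period rather than hard-code them.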

SHOW THE FLOW: The show ip cache flow command gives a snapshot of the high-volume flows stored in the router cache.

router_A#sh ip cache flow
IP packet size distribution (85435 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 1.00 .000 .000 .000 .000 .000 .000

Flow info summary:
IP Flow Switching Cache, 278544 bytes
  2728 active, 1368 inactive, 85310 added
  463824 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics never

Protocol     Total   Flows  Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
             Flows    /Sec    /Flow   /Pkt     /Sec        /Flow      /Flow
TCP-X            2     0.0        1   1440      0.0          0.0
TCP-other    82580    11.2        1   1440     11.2          0.0
Total:       82582    11.2                      0.0                 12

Flow details:
SrcIf  SrcIPaddress     DstIf  DstIPaddress  Pr  SrcP  DstP
Et0/0  132.122.25.60    Se0/0  192.168.1.1   06  9AEE  0007
Et0/0  139.57.220.28    Se0/0  192.168.1.1   06  708D  0007
Et0/0  165.172.153.65   Se0/0  192.168.1.1   06  CB46  0007

IP Source Tracker
To effectively block or limit an attack directed toward a host, we must first trace the origin of the threat. Source tracking is the process of tracing the source of the attack through the network from the victim back to the attacker. Though ACLs can be leveraged to trace back attacks, there is a potential performance impact when excessive packet filters are inserted into a production network. The Cisco IP Source Tracker feature generates all the essential information to trace the ingress point of an attack into the network all the way to the network edge, with minimal impact on performance.

After a host is diagnosed to be under attack via NetFlow, users can enable simultaneous tracking of multiple destination IP addresses on the entire router by globally enabling the ip source-track command. Each line card CPU collects data about the traffic flow to individual destination IP addresses in an easy-to-use format and periodically exports this data to the route processor. The show ip source-track command can be used to display complete flow information for each inbound interface on the router, including detailed statistics of the traffic destined to each IP address. This statistical granularity allows users to determine which upstream router to analyze next. By determining the ingress port (interface) of the attack on each device, a hop-by-hop traceback to the attacker is possible. This step is repeated on each upstream router until the entry point of the attack on a border router is identified.

Following is a sample configuration for IP source tracking on all port adapters in a router to collect traffic flow statistics for host address 172.10.1.1, create an internal system log entry every 3 minutes, and export packet and flow information to the route processor for viewing every 60 seconds.

Router(config)# ip source-track 172.10.1.1
Router(config)# ip source-track syslog-interval 3
Router(config)# ip source-track export-interval 60

To display detailed information about the flow, enter the show ip source-track command:

Router# show ip source-track 172.10.1.1
Address     SrcIF   Bytes   Pkts    Bytes/s   Pkts/s
172.10.1.1  PO1/2   131M    511M    1538      6
172.10.1.1  PO2/0   144G    3134M   6619923   143909

The output indicates interface POS 2/0 as the potential upstream attack path. You can now disable ip source-track on the current router and enable it on the upstream router to track the next preceding hop.

Unicast Reverse Path Forwarding
A large number of DoS and DDoS attackers employ spurious or rapidly changing source IP addresses to get around threat detection and filtering mechanisms. The uRPF feature helps mitigate attacks that introduce spoofed IP addresses into a network by discarding IP packets that lack a verifiable source address; uRPF forwards only packets whose source addresses are consistent with the IP routing table. If the source IP address is known to be valid and reachable through the interface on which the packet was received, the packet is forwarded; otherwise it is dropped. This strict check should be deployed at the network edge or at the customer edge of an ISP and must not be used where routing is asymmetric, because a legitimate packet arriving on an interface other than the one its source route points to fails the check. Where paths are asymmetric, loose mode (ip verify unicast source reachable-via any) requires only that some route to the source exist, which still catches unroutable source addresses.

The uRPF feature with ACL logging adds a diagnostic capability by running the reverse path check on an interface in a pass-through mode. In this mode, RPF violations are logged using the ACL log-input feature instead of being silently dropped. If a packet fails the unicast RPF check, the ACL named on the ip verify command is consulted to determine whether the packet should be dropped (deny entry) or forwarded (permit entry); packets that pass the RPF check never reach the ACL. The feature can be selectively applied to an interface to detect network threats that use spoofed IP addresses. The ACL logging and match counters are incremented for packets with spurious source addresses, and the network operator can scan the ACL log output and the counters to detect and gather more information on potential DoS attacks.

    Consider the following example:

interface serial0/0
 ip address 172.168.100.1 255.255.255.0
 ip verify unicast reverse-path 101
!
access-list 101 deny ip 172.168.101.0 0.0.0.127 any log-input
access-list 101 permit ip 172.168.101.128 0.0.0.127 any log-input

    Frames sourced from 172.168.101.75 arriving atserial0/0 and failing the uRPF check are logged by theACL log statement and dropped by the ACL deny
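To show why the strict check breaks on asymmetric paths and exactly when the pass-through ACL is consulted, here is an added Python model of uRPF (not Cisco code or code from the article). The routing table, interface names and source addresses are constructed; the ACL reproduces the two entries of access list 101 above, with the wildcard masks written as /25 networks.

```python
"""Strict and loose unicast RPF checks modelled offline.

Added example; this is not Cisco code. It builds a small routing table with
the ipaddress module, evaluates constructed packets the way strict
(reachable-via rx) and loose (reachable-via any) uRPF would, and applies the
article's pass-through ACL: a packet that fails the check is dropped or
forwarded according to the ACL, and logged if the entry says so. Routes,
interfaces and source addresses are constructed; the ACL networks are the
article's, written in CIDR instead of wildcard form.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table: (prefix, egress interface). No default route; uRPF
# would ignore one anyway unless allow-default is configured.
ROUTES: List[Tuple[str, str]] = [
    ("172.168.100.0/24", "Serial0/0"),    # the serial link's own subnet
    ("172.168.101.0/24", "Ethernet0/0"),  # internal LAN behind this router
    ("10.0.0.0/8", "Ethernet0/0"),
    ("192.0.2.0/24", "Serial0/1"),        # reached via a second upstream link
]

# Pass-through ACL from the article: (action, network, log). First match wins.
URPF_ACL: List[Tuple[str, str, bool]] = [
    ("deny", "172.168.101.0/25", True),
    ("permit", "172.168.101.128/25", True),
]


def lookup(table: List[Tuple[str, str]], addr: str) -> Optional[str]:
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(table, src: str, ingress_if: str, mode: str = "strict") -> bool:
    """strict: the best route to the source points back out the ingress
    interface. loose: any route to the source exists at all."""
    via = lookup(table, src)
    if via is None:
        return False
    return via == ingress_if if mode == "strict" else True


def apply_acl(acl, src: str) -> Tuple[str, bool]:
    """First-match ACL evaluation on the source address."""
    ip = ipaddress.ip_address(src)
    for action, prefix, log in acl:
        if ip in ipaddress.ip_network(prefix):
            return action, log
    return "deny", False  # the implicit deny that ends every IOS ACL


def forward_decision(table, src: str, ingress_if: str, mode: str = "strict",
                     acl=None) -> Tuple[str, str]:
    """IOS semantics: the ACL is consulted only for packets that FAIL the RPF
    check. Returns (decision, reason)."""
    if urpf_check(table, src, ingress_if, mode):
        return "forward", "rpf-pass"
    if acl is None:
        return "drop", "rpf-fail"
    action, log = apply_acl(acl, src)
    reason = "rpf-fail-acl-" + action + ("-logged" if log else "")
    return ("forward" if action == "permit" else "drop"), reason


if __name__ == "__main__":
    cases = [
        ("172.168.101.75", "Serial0/0", "strict", URPF_ACL),   # spoofed internal source
        ("172.168.101.200", "Serial0/0", "strict", URPF_ACL),  # pass-through: logged, forwarded
        ("198.51.100.1", "Serial0/0", "loose", None),          # no route at all
        ("192.0.2.10", "Serial0/0", "strict", None),           # asymmetric routing victim
        ("192.0.2.10", "Serial0/0", "loose", None),            # loose mode accepts it
    ]
    for src, iface, mode, acl in cases:
        print(src, iface, mode, forward_decision(ROUTES, src, iface, mode, acl))
```

The fourth case is the one the article warns about: 192.0.2.10 is a real host whose return route leaves via Serial0/1, so a packet from it arriving on Serial0/0 is dropped by strict mode even though nothing is spoofed, while loose mode forwards it and still drops the unroutable 198.51.100.1.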


FURTHER READING
Cisco Feature Navigator, for Cisco platform and IOS release support: cisco.com/go/fn
Cisco NetFlow: cisco.com/packet/163_4c2
IP access lists: cisco.com/packet/163_4c3
IP access lists with IP options selective drop: cisco.com/packet/163_4c4
IP Source Tracker: cisco.com/packet/163_4c5
IP unicast Reverse Path Forwarding: cisco.com/packet/163_4c6
RAW IP Traffic Export: cisco.com/packet/163_4c7

    Continued on page 88


Introduced in 2001, the CCIE Security certification has evolved into one of the networking industry's most respected high-level security certifications. To become a CCIE Security expert you must pass both the written qualification exam and the hands-on lab exam. This article provides tips on resources and materials available to help you prepare for the exams.

Exam Changes
The Cisco Certifications program announced changes to the CCIE Security track this year, including significant changes to the written and lab exams. Blueprints available on the CCIE Website (cisco.com/go/ccie) outline the topics covered on the exams, so study these carefully.

Version 2.0 of the CCIE Security written exam strengthens coverage of technologies that are critical to highly secure enterprise networks. New topics such as wireless security, the Cisco Catalyst 6500 Series security modules, and security applications such as VPN Management Solution (VMS) test candidates on security technologies and best practices. The complete blueprint for the security written exam is available online at cisco.com/packet/163_4d1. Recent changes are indicated on the blueprint in bold type.

The new revised CCIE Security lab exam preconfigures much of the core routing and switching on the devices, allowing more exam time for security-specific technologies. Topics covered more extensively on the new exam include:

Firewalls (hardware and software)
Virtual private networks (VPNs)
Intrusion protection
Identity authentication
Advanced security technologies
Mitigation techniques to respond to network attacks

The new content goes into effect at all exam locations beginning October 1, 2004. The preconfiguration of basic routing and switching does not make the exam easier; candidates must still configure advanced routing and switching elements and must be able to troubleshoot problems that result from the security configurations. The complete blueprint for the Security lab exam is available at cisco.com/packet/163_4d2.

Planning and Resources
An abundance of material is available to help you prepare for CCIE certification. However, be selective and choose materials that are approved or provided by Cisco and its Authorized Learning Partners.

Books: Many Cisco Press and other vendor books are available to assist in preparing for CCIE exams. Check the current list on the CCIE Website at cisco.com/packet/163_4d3. No single resource contains all the information you need, so plan to add multiple books to your collection.

Training: Although training is not a prerequisite for CCIE certification, the CCIE Website lists courses that might be helpful to you in studying subject matter you have less direct experience with. For a list of recommended training courses, visit cisco.com/packet/163_4d4.

Bootcamps: Many candidates ask me to recommend a security bootcamp. In my opinion, bootcamps are intended to give an overview of the lab, offer tips and tricks for exam taking, and provide mock scenarios that help you gauge your readiness. To gain the most benefit, study the technologies involved before attending a bootcamp.

Cisco.com Website: Many candidates overlook one of the best resources for useful material and technical information: Cisco.com. A plethora of sample scenarios are available on the tech support pages for each Cisco product and technology. These articles reflect current trends and demands and include sample diagrams, configurations, and invaluable IOS show and debug command outputs.

Online Forums: Forums can be invaluable for preparation. Qualified CCIE experts and other security engineers are available around the clock to answer your queries and work through your technical problems. Some Cisco forums include:

Cisco Networking Professionals Connection: cisco.com/go/netpro
Cisco Certifications Community: cisco.com/go/certcommunity (online resource for those who hold at least one Cisco certification)
Cisco Certifications Online Support: cisco.com/go/certsupport (Q&A on certification-related topics)


Cracking the Code: Insider's Tips on Earning Your CCIE in Security
By Yusuf Bhaiji


Cisco Documentation CD: Make sure you can navigate the Cisco documentation CD with confidence, because this is the only resource you will be allowed to refer to during the exam. Make the CD part of your regular study; if you are familiar with it, you can save time during the exam.

Practice Labs: When studying technologies such as IPSec, AAA (authentication, authorization, and accounting), firewalls, and others, you might find you can easily gain proficiency using them as standalone technologies, but integrating multiple technologies is more difficult. Find practice labs with real-world scenarios that require you to integrate multiple technologies. Practicing complex lab exercises will develop your exam strategy and help you refocus and revise your study plan.

In addition to technical skill, good time management and a solid exam-taking strategy are also important to your success. Practice labs also help you improve your time management and test-taking approach.

Equipment (home lab versus rental racks): Although acquiring a personal home lab is ideal, it can be costly to gather all the equipment to build a security rack. You can start with just a few devices, for example, three to four routers, a switch, and a Cisco PIX Firewall. For the hardware devices that are costly to obtain, such as the IDS Sensor or VPN 3000 Concentrator, consider renting the equipment online from one of the many vendors that provide such services. Type "CCIE rack rental" in your favorite online search engine.

A current list of equipment covered on the CCIE lab exam is available at cisco.com/packet/163_4d5.

Recipe for Success

Here are some important tips and strategies from my own experience proctoring the lab exam and watching others take it.

Read the entire exam first. Read the entire test book before you begin your lab exam. Do not skip any details or sections.

Redraw your topology. Before you start the lab exam, I strongly recommend that you redraw your entire topology with all the details available. This will help you visualize your network and map the entire topology as packet flows. This map serves as a snapshot of your entire network.

Practice good time management. Make a good strategic plan to complete all the sections in the time provided. Divide the exam into categories such as Layer 2, Layer 3, backup scenarios, VPN, attacks, etc., and then work out how much time you will spend on each question, keeping in mind the point value of each question. Allow enough time near the end of the exam to verify your solutions.

Clarify the exam questions. You must clearly understand the requirements of each question on the exam. Making assumptions can get you into trouble. During the lab, if you are in doubt, approach the proctor and verify your understanding of the requirements. Clarifying a question can make the difference between passing and failing your exam.

Keep a list. During your exam, make notes on configurations and settings as you work. For example, when configuring your device for a firewall, add access control lists (ACLs), configure filters, tunnel endpoints, and tweak routing. Keep a separate list for the items that you have not been able to address or where you have not achieved the required result and need to revisit an item.

Expect the unexpected. You might be caught off guard by an unfamiliar exam topic or question. Don't stress too much over this. Work on the things you are more comfortable with first and go back to the more difficult ones.

Practice troubleshooting. You must know how to troubleshoot problems with your configurations by using the available tools. However, although troubleshooting is important, make sure you don't lose too much time troubleshooting a 2- or 3-point question. Try to move on and return again later.

Test your work. Never rely on a configuration you did in the early hours of the exam. An item that you configured a few sections earlier could become broken and nonfunctional. Always validate your solutions toward the end of the exam. Keep in mind that points are awarded for working configurations only.

Do not memorize. Your goal should be to master the technology and the architecture.

A Final Word

I hope that the preceding tips and information will encourage you to pursue CCIE certification. Achieving your CCIE can be a great source of satisfaction and can boost your career to the next level. The secret to success on CCIE, as with most endeavors, is motivation, dedication, and consistency. In the long run, being an expert in the field of security networking is not just a destination, but an ongoing journey.

For more information, visit the CCIE Website at cisco.com/go/ccie.

FAHIM HUSSAIN YUSUF BHAIJI, CCIE No. 9305, is the content lead for Cisco CCIE security certification and exam proctor in Sydney, Australia. Bhaiji recently published a book on preparing for CCIE Security, CCIE Security Practice Labs (Cisco Press 2004). He can be reached at [email protected].


    Reader Tips

Configuration

Using X.25 to Configure Integrated Systems

I use the X.25 Protocol to integrate Call Data Records (CDR) data for billing systems (mediation). These are primarily mobile switches using X.25 protocols to integrate the CDR, remote terminal (OMT or CTL), and OMCS. I use X.25 over TCP/IP (XOT) to integrate all of these functions using reliable IP media. Traditionally, X.25 provides 64k bandwidth, but by changing the clock parameters you can also achieve more than 64k. The following configuration is useful for anyone working with Global System for Mobile Communications (GSM) operators or for PSTN network providers.

    Router# x25 routing xot-use-interface-defaults

    interface Serial x/x
     description XXXXXXXX
     no ip address
     encapsulation x25 dce ietf
     x25 address XXXXXXXX
     x25 htc 32
     x25 win 7
     x25 wout 7
     x25 ips 256
     x25 ops 256
     x25 subscribe flow-control always    (this is the most important command)
     clockrate 64000
     lapb T1 2000
     lapb T2 800
     lapb N2 7
     lapb k 2

Route:

    Router# x25 route <x.25 address> xot <remote IP address>

Muhammad Ali, Mobilink-GSM, Islamabad, Pakistan

Avoiding Cisco CallManager Application Server Reconfiguration When Using DID Numbers

Because enterprise-level IP telephony networks are so dependent on system features, when integrating these networks with application servers such as Cisco IPCC Express, Cisco Personal Assistant, Cisco Unity, and Cisco MeetingPlace, I create private internal directory numbers when I configure the computer telephony interface (CTI) route points for these services. Many customers require that the application servers accommodate PSTN-based calls through the use of Direct Inward Dial (DID) access numbers. To do this, create a CallManager Translation Pattern that uses a DID number which then redirects calls to the private directory number of the specific application CTI route point. When a customer wants to add, delete, or change DID numbers, this method is much easier to manage instead of doing an elaborate reconfiguration of CTI route points and application server configurations.

Michael Cotrone, CCIE No. 8411, Datanet Services, Inc., Greensboro, North Carolina, USA

Troubleshooting

Recovering Lost Passwords on Remote Devices

Configuring a Simple Network Management Protocol (SNMP) read-write (RW) community ahead of time enables me to modify the configuration of a device if I need to recover a lost password from a remote router or switch. I use these steps:

1. Set the copy mode (1 = TFTP; 3 = RCP):
   snmpset ipAddress RW-Community .1.3.6.1.4.1.9.9.96.1.1.1.1.2.83119 i 1

2. Set the source configuration type to copy (1 = Network; 3 = Startup-config; 4 = Running-config):
   snmpset ipAddress RW-Community .1.3.6.1.4.1.9.9.96.1.1.1.1.3.83119 i 4

3. Set the destination configuration type to copy (1 = Network; 3 = Startup-config; 4 = Running-config):
   snmpset ipAddress RW-Community .1.3.6.1.4.1.9.9.96.1.1.1.1.4.83119 i 1

4. Set the TFTP server IP address:
   snmpset ipAddress RW-Community .1.3.6.1.4.1.9.9.96.1.1.1.1.5.83119 a TFTP-SRV-ipAddress

5. Set the name of the file that contains my device configuration:
   snmpset ipAddress RW-Community .1.3.6.1.4.1.9.9.96.1.1.1.1.6.83119 s MydeviceConfig.txt

6. Set the create-and-go command:
   snmpset ipAddress RW-Community .1.3.6.1.4.1.9.9.96.1.1.1.1.14.83119 i 1

Then I modify the password in a file named MydeviceConfig.txt and run the command again, modifying the following lines:

1. Set the source configuration type to copy (1 = Network; 3 = Startup-config; 4 = Running-config):
   snmpset ipAddress RW-Community .1.3.6.1.4.1.9.9.96.1.1.1.1.3.83119 i 1

2. Set the destination configuration type to copy (1 = Network; 3 = Startup-config; 4 = Running-config):
   snmpset ipAddress RW-Community .1.3.6.1.4.1.9.9.96.1.1.1.1.4.83119 i 4

Be careful when you modify and upload the configuration to the device, and remember that the destination is Running-Config, so you must ingress to the device to change the password again and then write this to the startup configuration.

For more information about copying configurations using SNMP, see cisco.com/packet/163_4f1.

Rodrigo Barroso, Petrobras Energía S.A., Buenos Aires, Argentina

Packet thanks all of the readers who submitted technical tips this quarter. While every effort has been made to verify the following reader tips, Packet magazine and Cisco Systems cannot guarantee their accuracy or completeness, or be held responsible for their use.
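The recovery procedure above works only because the RW community string grants full configuration read and write through the CISCO-CONFIG-COPY-MIB to anyone who can reach the device on UDP/161, so the same string deserves the protection of an enable password. As an added example (not the tip author's or Cisco's code), the following Python decodes the tip's snmpset OID/value pairs into MIB terms, which helps when reading a capture or SNMP trace, and audits an IOS configuration for RW communities that lack a source ACL; the sample configuration is constructed.

```python
import re

# Columns of ccCopyEntry (CISCO-CONFIG-COPY-MIB) that the tip's snmpset
# commands write. The row index (83119 in the tip) is chosen by the client.
CC_COPY_BASE = "1.3.6.1.4.1.9.9.96.1.1.1.1"
FILE_TYPES = {1: "networkFile", 2: "iosFile", 3: "startupConfig", 4: "runningConfig"}
CC_COPY_COLUMNS = {
    2: ("ccCopyProtocol", {1: "tftp", 2: "ftp", 3: "rcp", 4: "scp", 5: "sftp"}),
    3: ("ccCopySourceFileType", FILE_TYPES),
    4: ("ccCopyDestFileType", FILE_TYPES),
    5: ("ccCopyServerAddress", None),
    6: ("ccCopyFileName", None),
    14: ("ccCopyEntryRowStatus", {1: "active", 4: "createAndGo", 6: "destroy"}),
}


def decode_config_copy_set(oid, value):
    """Translate one snmpset OID/value pair into (column, row index, meaning).

    Returns None for OIDs outside ccCopyEntry, so a trace of mixed SNMP
    writes can be filtered down to config-copy activity.
    """
    oid = oid.lstrip(".")
    if not oid.startswith(CC_COPY_BASE + "."):
        return None
    column, row = oid[len(CC_COPY_BASE) + 1:].split(".", 1)
    name, enum = CC_COPY_COLUMNS.get(int(column), (None, None))
    if name is None:
        return None
    meaning = enum.get(int(value), f"unknown({value})") if enum else value
    return name, int(row), meaning


# 'snmp-server community <name> [view <v>] [RO|RW] [<acl>]'
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?"
    r"(?: (?P<mode>RO|RW))?(?: (?P<acl>\S+))?$"
)


def audit_snmp(config_text):
    """Return (severity, message) findings for SNMP community exposure.

    Mitigation encoded here: every RW community needs a source ACL, default
    strings must go, and an SNMPv3 group with 'priv' should replace v1/v2c.
    """
    findings = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        name, mode, acl = m["name"], m["mode"] or "RO", m["acl"]
        if name.lower() in ("public", "private"):
            findings.append(("high", f"default community string '{name}'"))
        if mode == "RW" and acl is None:
            findings.append(("high", f"RW community '{name}' has no source ACL"))
        elif mode == "RW":
            findings.append(("medium", f"RW community '{name}' restricted by ACL {acl}"))
        elif acl is None:
            findings.append(("low", f"RO community '{name}' has no source ACL"))
    if not re.search(r"^snmp-server group \S+ v3 priv", config_text, re.M):
        findings.append(("info", "no SNMPv3 group with priv configured"))
    return findings


# Constructed sample configuration (not taken from any real device).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community s3cret RW
snmp-server community ops-rw RW 10
access-list 10 permit 10.1.1.5
"""

if __name__ == "__main__":
    print(decode_config_copy_set(".1.3.6.1.4.1.9.9.96.1.1.1.1.3.83119", "4"))
    for severity, msg in audit_snmp(SAMPLE_CONFIG):
        print(f"[{severity}] {msg}")
```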

Troubleshooting DoS Attacks

Multiple large-sized packets injected into your network from any source, including a host PC, can bring your network to a dead crawl. In the worst case, they can even shut down operations. To determine which host or node is sending or receiving suspiciously large and multiple packets (no pun intended), enable ip accounting output-packets on the interface that you suspect they pass through. Then use the command sh ip accounting output-packets to view the output in real time. Even packet and byte sizes are displayed, which can help you identify what kind of traffic is present on your link. For example:

    Router(config)# interface FastEthernet 0/1
    Router(config-if)# ip accounting output-packets
    Router# sh ip accounting output-packets

Alfred Romero Jr., WeCare Technology Services Corp., Makati City, Philippines

Editor's note: The preferred, more scalable method is to use NetFlow on ingress interfaces to try to find the type of traffic (see cisco.com/packet/163_4f2). Because NetFlow keeps statistics on flows, you can more easily isolate the protocols involved. To enable NetFlow on interfaces, use the interface configuration command ip route-cache flow. Support for NetFlow can vary depending on your platform and code version. For older platforms that do not support NetFlow, IP accounting can be useful, although it tends to negatively affect performance.
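The pair-by-pair table that show ip accounting output-packets prints still has to be read for the symptom the tip describes: many packets that are also large. As an added example, not the contributor's or Cisco's code, this Python parses constructed sample output in that table's format and ranks the source/destination pairs that match; the thresholds are assumptions to be tuned to each link's normal profile.

```python
import re

# One data row of 'show ip accounting output-packets': source, destination,
# packet count and byte count for that pair. Header and trailer lines differ
# between IOS versions, so anything that is not a data row is skipped.
ROW_RE = re.compile(
    r"^\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+(?P<packets>\d+)\s+(?P<bytes>\d+)\s*$"
)


def parse_ip_accounting(text):
    """Parse the table into dicts, adding the average packet size per pair."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # column header, 'Accounting data age' trailer, blanks
        packets, nbytes = int(m["packets"]), int(m["bytes"])
        rows.append({
            "src": m["src"], "dst": m["dst"],
            "packets": packets, "bytes": nbytes,
            "avg_size": nbytes // packets if packets else 0,
        })
    return rows


def suspicious_pairs(rows, min_packets=1000, min_avg_size=1000):
    """Pairs that show both a high packet count and a large average size.

    Both thresholds are illustrative defaults (an assumption of this example).
    Returns the matching rows sorted by total bytes, largest first, so the
    pair most likely to be saturating the link comes out on top.
    """
    hits = [r for r in rows
            if r["packets"] >= min_packets and r["avg_size"] >= min_avg_size]
    return sorted(hits, key=lambda r: r["bytes"], reverse=True)


# Constructed sample output in the format of the command above.
SAMPLE_OUTPUT = """\
   Source           Destination              Packets               Bytes
 10.1.1.10          10.2.2.20                  15200            21888000
 10.1.1.11          10.2.2.20                    320               24000
 10.1.1.12          192.168.5.5                 8800            13200000
 Accounting data age is 12
"""

if __name__ == "__main__":
    for r in suspicious_pairs(parse_ip_accounting(SAMPLE_OUTPUT)):
        print(f"{r['src']:>15} -> {r['dst']:<15} {r['packets']:>7} pkts "
              f"avg {r['avg_size']} B")
```

Because IP accounting keys only on address pairs, a hit here identifies the hosts to look at, and the editor's NetFlow suggestion above is the way to learn which protocol is involved.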


SUBMIT A TIP

Help your fellow IT professionals and show off to your peers by submitting your most ingenious technical tip to [email protected]. Who knows, you may see your name in the next issue of Packet. When submitting a tip, please tell us your name, company, city, and country.

Tech Tips

Learn about wireless security capabilities in Cisco wireless products. New centrally managed, dynamic per-user, per-session Wired Equivalent Protocol (WEP) capabilities in Cisco Aironet Software Release 11.0 and Cisco Access Control Server (ACS) 2.6 address wireless security issues. cisco.com/packet/163_4g1

Troubleshoot wireless network connectivity. This document helps you identify and troubleshoot common wireless network connectivity problems including configuration, interference, and cable issues. cisco.com/packet/163_4g3

Learn about DiffServ tunneling modes for MPLS networks. This document describes the Differentiated Services (DiffServ) Tunneling Modes available for implementation in Multiprotocol Label Switching (MPLS)-based network environments. cisco.com/packt/163_4g4

Troubleshoot Cisco IP Phone connection issues. This document describes how to solve connectivity problems with the Cisco VT Advantage video telephony solution. cisco.com/packet/162_4g5

Read about best practices for NTP network management. This white paper describes a hypothetical process definition for conducting network management functions for the Network Time Protocol (NTP), which organizations can customize in order to meet internal objectives. Includes process and task definitions, as well as configuration and report format examples. cisco.com/packet/162_4g6

Learn about security and VPN resources. View the free, on-demand Cisco technical support seminar, Using the Cisco Technical Support Website for Security and Virtual Private Network Issues. cisco.com/techsupport/seminars


    TECHNOLOGY

Deploying Video Telephony

Cisco CallManager 4.0 extends voice features to video over a common, user-friendly infrastructure that can be deployed to the desktop.

Video telephony leverages the intelligence of IP telephony to provide advanced features that are not available in traditional IP videoconferencing deployments: call forwarding, call hold, call park, class of service restrictions, ad-hoc conferencing, bandwidth controls, enhanced digit manipulation, and call rerouting, to name a few. The result? Enterprises can retain their existing H.320 and H.323 investments while benefiting from a user-friendly, more feature-rich environment for large-scale video deployments.

Video communication capabilities have been integrated into Cisco CallManager 4.0, extending several voice features to video that benefit end users, network administrators, and enterprises as a whole (for a comprehensive list of Cisco CallManager video telephony features, visit cisco.com/packet/163_5a1). Among the benefits, users enjoy a simple interface, leveraging the same dial plan structure as their IP phone deployment in a familiar user environment. With the ability to create multipoint conferencing, users can also manage more effective meetings and schedules. For administrators, video telephony provides a single infrastructure that leverages a common graphical interface and common features for all voice and video communications. A common IP infrastructure for all communications not only provides an enterprise with reduced cost of ownership and faster return on investment (ROI), but also provides greater reliability and ease of maintenance because video calls do not have to be done over separate ISDN lines. This allows users to more readily and easily adapt to a system that can now be deployed to the desktop.

    Video Call Control and Resilience

Video call control within Cisco CallManager 4.0 functions essentially the same as it does for audio. Call setup signaling is handled by CallManager, resolving dialed numbers based on the dial plan deployed within the CallManager clusters. The Cisco IOS Gatekeeper provides a logical trunk to the CallManager cluster, which allows existing H.323 and H.320 devices to be integrated into CallManager (see figure, page 24). Video calls typically include Real-Time Transport Protocol (RTP) streams, in each direction, for audio, video, and far-end camera control (FECC), and a sequence of call control signaling messages. This bearer traffic is not handled by CallManager but is routed directly between endpoints.

Because Cisco CallManager routes all H.323 call signaling (for example, H.225/H.245), the enhanced functionality, such as call forwarding, call park, and shared lines, can be transparently provided for H.323 devices. In addition, digit manipulation is not reflected back to the calling endpoint, so there are no special requirements for the endpoints to support having their calls rerouted or manipulated.

For video calls, Cisco CallManager 4.0 includes the additional logic to handle negotiation of the video codec (H.261, H.263), resolution, frame rate, and H.323 annexes. The region and location settings for admission control have also been enhanced to provide for accounting of video bandwidth on a per-call and aggregate basis. For video calls, the negotiated bandwidth for an H.323 device typically includes both audio and video; for example, a 384-kbit/s video call is comprised of 64-kbit/s audio and 320-kbit/s video channels. Video capabilities are provided for calls between devices within a cluster and between clusters (for example, via inter-cluster trunks).

Cisco CallManager clustering, as well as Cisco IOS Gatekeeper clustering using the Alternate Gatekeeper (Alt-GK) feature, provide for a resilient environment to protect video telephony from component failures. While CallManager and many H.323 devices support Alt-GK, not all H.323 devices do, in which case Hot Standby Router Protocol (HSRP) can be used to provide resilience of the gatekeeper elements. Alt-GK is a more robust implementation than using HSRP because Alt-GK provides for load balancing and the ability to locate gatekeepers in diverse network locations (HSRP requires that the gatekeepers be on the same IP subnet).

Skinny Client Control Protocol (SCCP) video endpoints, whether a Cisco VT Advantage USB camera used in conjunction with a Cisco IP Phone, or a Tandberg video endpoint that uses SCCP, register directly to the Cisco CallManager. For calls to video-capable endpoints, CallManager opens the logical channel for video automatically if the originating endpoint also has video capabilities as defined in the endpoint setup in CallManager. SCCP endpoints will also provide a richer set of messaging to end users (for example, indicating the reason for a failed call, such as unavailable bandwidth). Endpoint configuration, listed under the Phones menu on CallManager, allows users to define the necessary adjunct definitions for the endpoint, such as region, location, call forwarding on busy or no answer, Automated Alternate Routing (AAR) groups, digit manipulation or translations, calling search space, partition, Media Resource Group List (MRGL), and directory number(s).

In addition, SCCP video endpoints behave like an IP phone. For example, when users take the device off hook to make a new call, dial tone is played; users can press the phone's softkey buttons to invoke features and supplementary services.

NETWORKERS 2004

By Tom Schepers

This article is based on a session presented at the Cisco Networkers 2004 users conference. To learn more about Networkers, visit cisco.com/networkers.

Alternate Routing Using the PSTN

H.320 gateways can be used for alternate routing of video calls over the public ISDN network. SCCP, Media Gateway Control Protocol (MGCP), and IOS H.323 gateways can also be used for alternate routing of video calls as audio-only using the PSTN. Cisco CallManager retries a video call as audio-only under certain conditions: upon failure of region and locations admission control, when using H.323 video gateways to provide routing over the PSTN in the event of admission control or possible network failure, or when the gateways are audio-only devices. Unlike with traditional H.323 deployments, the user does not have to redial to get the alternate route. CallManager will manipulate the dialed digits as necessary, adding a PSTN access code (9, for example), along with the long-distance access code and area code, to create a fully qualified number for routing via the public network. An SCCP endpoint will provide indications that alternate routing is in effect. AAR is available for calls between locations managed by the same CallManager cluster, and for calls between CallManager clusters.

Multipoint Conferencing

Cisco CallManager supports several methods for users to participate in multipoint video calls, including ad hoc, scheduled, and reservationless. Each method requires a Cisco IP/VC 3500 Series Multipoint Conference Unit (MCU), which supports both SCCP and H.323 protocols. SCCP is used for ad-hoc conferences, and H.323 is used for scheduled and reservationless conferences. With the phone or SCCP video endpoint interface, a user can establish an ad-hoc videoconference by pressing the Conf softkey and then dialing additional participants into the call. The participants can be on any other SCCP endpoint or audio-only endpoints, as well as H.323 or H.320 video endpoints.

H.323 devices typically register to an H.323 gatekeeper and are defined within CallManager as H.323 Clients. The administrator can apply settings to each endpoint, such as directory number, region, location, MRGL, and so on. H.323 MCUs and H.323/H.320 gateways, such as the Cisco IP/VC 3500 Series videoconferencing products, also register to the gatekeeper and are defined in CallManager as H.323 Gateways. The administrator can then apply settings to the device, but instead of defining a directory number, route patterns are used to reach these devices. A route pattern can point either directly to the device in CallManager or to a route list containing one or more route groups to provide alternate routing in the event that one of the MCUs or gateways is unavailable.

[Figure: The Elements of IP Video Telephony. Applications: scheduling applications, interactive voice response, directories, voice mail/unified messaging. Video telephony infrastructure: endpoints, conference MCUs, IOS Gatekeeper, call processing (Cisco CallManager), PSTN and H.320 gateways. Network infrastructure: campus access switch, distribution/core switch and WAN aggregation router; IP WAN and ISDN; branch router, branch access switch, endpoints and H.320 gateway.]

TOM SCHEPERS, consulting systems engineer at Cisco, is the presenter of Designing and Deploying IP Video Telephony Networks at the Networkers 2004 Cisco users conference. He can be reached at [email protected].

Photo: Spencer Toy

Alternatively, the route pattern could point to an H.225 gatekeeper-controlled trunk. For calls to an H.323 MCU conference, the route pattern would be constructed to match the service prefix defined in the MCU for the type of conference you want to join. For example, a service for continuous presence, H.263, 384-kbit/s, 30-fps conferences may be defined as 82* (where the * can be any digit(s) 0 through 9 and any number of digits). The CallManager will be configured with a route pattern that states all calls beginning with 82 (such as 82XXX) are to be routed to the MCU, either directly by defining the MCU as an H.323 gateway in CallManager or via the H.225 trunk; in the latter case, the gatekeeper receives the call setup and forwards the call to the MCU registered with that service prefix.

Likewise, for calls to an H.320 gateway, the route pattern would also be constructed to match the service prefix configured in the gateway. But in this case, the service prefix simply defines how many ISDN channels the call should use. For example, a 384-kbit/s service may be defined as service prefix 9#*. The CallManager would be configured with a route pattern that states all calls beginning with 9 (such as 9.@, where @ represents all PSTN patterns supported by the North American Numbering Plan, or NANP) are to be routed to the gateway, either directly by defining the gateway as an H.323 gateway in CallManager or to a pool of gateways contained in a route list/route group(s), or via the H.225 trunk. In the latter case, the gatekeeper receives the call setup and forwards the call to the gateway(s) registered with that service prefix.

With digit manipulation, users do not have to dial the # character. A user simply dials 9+1+areacode+number, for example, and CallManager can prepend the # before routing the call to the gateway.
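To make the route-pattern and service-prefix discussion concrete, here is an added example (not CallManager code and not from the article) that models the two patterns above: 82XXX to the MCU and 9.@ to the H.320 gateway with the # prepended as described. It assumes a simplified @ macro (1+10, 10, or 7 digits only) and models the manipulation as "discard the pre-dot digits, then prefix 9#", which is this example's reading of how the # is prepended; the destination names are placeholders.

```python
import re

# Simplified NANP macro: 1 + 10 digits, 10 digits, or 7 digits. The real
# CallManager '@' also covers service codes and international dialing;
# those forms are out of scope for this illustration.
NANP_SIMPLE = r"(?:1\d{10}|\d{10}|\d{7})"

# Assumed route patterns for this illustration (not a CallManager export).
ROUTE_PATTERNS = [
    {"pattern": "82XXX", "dest": "IPVC-3500-MCU",
     "discard_predot": False, "prefix": ""},
    {"pattern": "9.@", "dest": "H320-GATEWAY",
     "discard_predot": True, "prefix": "9#"},   # gateway service prefix 9#*
]


def pattern_to_regex(pattern):
    """Compile a route pattern: X = one digit, @ = NANP, '.' is not a digit."""
    parts = []
    for ch in pattern.replace(".", ""):
        if ch == "X":
            parts.append(r"\d")
        elif ch == "@":
            parts.append(NANP_SIMPLE)
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def route_call(dialed):
    """Return (destination, digits sent) for the first matching pattern.

    Digit manipulation: optionally discard the pre-dot part, then prepend
    the configured prefix, so the user never has to dial the gateway's '#'.
    Returns None when no pattern matches.
    """
    for rp in ROUTE_PATTERNS:
        if not pattern_to_regex(rp["pattern"]).match(dialed):
            continue
        digits = dialed
        if rp["discard_predot"] and "." in rp["pattern"]:
            predot = rp["pattern"].split(".", 1)[0]
            digits = dialed[len(predot):]   # pre-dot part is literal digits here
        return rp["dest"], rp["prefix"] + digits
    return None


if __name__ == "__main__":
    for number in ("82345", "912125551234", "8234"):
        print(number, "->", route_call(number))
```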

When using the gatekeeper to reach the gateway(s), the gateways use Resource Availability Indications/Resource Availab