658 Chapter 6 • Quality of Service (QoS) Per-Interface Compression (Link Compression) Per-interface compression handles larger packets and higher data rates. It is applied to the entire data stream to be transported—that is, it compresses the entire WAN link as if it was one applica- tion. Per-interface compression uses STAC or Predictor to compress the traffic, which in turn is encapsulated in a link protocol such as PPP or LAPB.This last step applies error correction and ensures packet sequencing. Per-Virtual Circuit Compression (Payload Compression) Per-virtual circuit compression is usually used across virtual network services such as X.25 (Predictor or STAC) and Frame Relay (STAC).The header is unchanged during per-virtual cir- cuit compression; instead, the payload portion is compressed. Payload compression is appropriate for routers with a single interface, but does not scale well in scenarios with multiple virtual cir- cuit destinations. Continuous-mode compression algorithms cannot be applied realistically due to the multiple dictionary requirements of the multiple virtual circuit destinations. It places a heavy load on the router for CPU and memory. Packet-mode compression algorithms, which use fewer dictionaries and less memory, are better suited for packet networks. Performing compression before or after WAN encapsulation on the serial interface is a prime goal. Applying compression on an already encapsulated data payload reduces the packet size, but not the number of packets.This suits Frame Relay and Switched Multimegabit Data Service (SMDS). Applying compression before WAN serial encapsulation will benefit the user from a cost perspective when using X.25, where service providers charge by the packet.This method reduces the number of packets transmitted over the WAN. To configure compression, use the compress interface configuration command.To disable compression on the interface, use the no form of this command, as illustrated below. router(config-if)# compress {stac | predictor | mppc(ignore-pfc)} router(config-if)# no compress {stac | predictor | mppc(ignore-pfc)} Another form of payload compression used on Frame Relay networks is FRF.9. FRF.9 is a compression mechanism for both switched virtual circuits (SVC) and permanent virtual circuits. Cisco currently supports FRF.9 mode 1 and is evaluating mode 2, which provides flexibility during the LCP compression negotiation. To enable FRF.9 compression on a Frame Relay interface you can use either the frame-relay payload-compress frf9 stac or frame-relay map payload-compress frf9 stac commands. Per-interface compression adds delay at each hop due to compression and decompression on every link between the endpoints. External compression devices or integrated compression hard- ware can relieve the router of compression duties. Otherwise, a router must have sufficient CPU and RAM for compression and dictionaries, respectively. www.syngress.com 253_BDCisco_06.qxd 10/15/03 11:35 AM Page 658 Quality of Service (QoS) • Chapter 6 659 Hardware Compression Cisco has developed hardware compression modules to relieve the primary CPU of the router. On the 2600 and 3660 routers, there is an Advanced Integration Module (AIM) slot that can be popu- lated with compression modules. For the 7000, 7200, and 7500 series routers, there are Compression Service Adapters (CSAs) that offload the compression from the primary CPU. CSAs require a VIP2-40 or greater.The 7200 VXR series does not support CSA-based compression. The 2600 can use an AIM-COMP2= to increase its compression capabilities from 256 Kbps to 8 Mbps of compressed data throughput. On the 3660, the AIMCOMPR4= module increases compression throughput from from 1024 Kbps to 16 Mbps. There are two available modules for the 7X00 routers: the SA-COMP/1 and the SA- COMP/4.Their function is identical, but the SA-COMP/4 has more memory to maintain a larger dictionary.The SA-COPMP/1 and SA-COMP/4, while supporting 16 Mbps of band- width, can support up to 64 and 256 compression contexts, respectively. One context is essentially one bi-directional reconstruction dictionary pair.This may be a point-to-point link or a point- to-point Frame Relay sub-interface. Verifying Compression Operation To verify and monitor the various compression techniques, use the following show and debug commands: For IP header compression: router# show ip tcp header-compression router# debug ip tcp header-compression For RTP header compression: router# show ip rtp header-compression router# debug ip rtp header-compression router# debug ip rtp packets For payload compression: router# show compress {detail-ccp} router# debug compress Due to the volume and amount of data that these commands generate, use them sparingly. Configuring Packet Classification Packet classification can be performed in a variety of manners including IP precedence and policy-based routing (PBR), which support specialized traffic such as VoIP. Each of these methods can be implemented individually, but they can also be mixed such that your policy can set the IP precedence for a packet. We have previously discussed IP precedence and demonstrated its useful- ness to queuing; we will simply rehash it in the context of packet classification, a more pure use of IP precedence. www.syngress.com 253_BDCisco_06.qxd 10/15/03 11:35 AM Page 659 660 Chapter 6 • Quality of Service (QoS) IP Precedence Valid values for IP precedence are from zero (low priority, first to be dropped) to seven (high pri- ority, last to be dropped). Actual configuration of IP precedence is very simple and can be done either from a dial peer, a Frame Relay port, or as part of a policy map: Router1(config-dial-peer)#ip precedence precedence IP precedence in a VoIP implementation is often configured on individual dial peers. When performing this configuration, you can either set the precedence bits for all dial peers to be high priority—a six or seven—and leave all other traffic at zero or one, or you can choose to specify a different precedence for each dial peer based on the importance of the communications on that port. For instance, to configure a dial peer to assign a precedence of six, enter the following in global configuration mode: Router1(config)# dial-peer voice 1 voip Router1(config-dial-peer)# ip precedence 6 You can also use IP precedence to classify packets for protocols such as RSVP as shown. ip rsvp precedence conform precedence-value exceed precedence-value Verifying IP Precedence Use show commands to verify IP precedence configuration, such as the show running-config- uration output provided here. ! dial-peer voice 1 voip destination pattern 1234 ip precedence 4 session target ras ! dial-peer voice 2 pots destination pattern 1001 ip precedence 3 port 0/0/0 ! dial-peer voice 3 pots destination pattern 1002 ip precedence 2 port 0/0/1 www.syngress.com 253_BDCisco_06.qxd 10/15/03 11:35 AM Page 660 Quality of Service (QoS) • Chapter 6 661 Policy Routing Policy-based routing is a method by which a packet can be directed, based on a given set of cri- teria (policy), to take a path other than that which would have been taken if routed via standard routing protocols. PBR classifies traffic based on configured ACL entries and then applies the configured policy accordingly. Classification and policy application is performed by a packet filter called a route map. Route maps consist of two types of statements: Match and Set.The Match statement compares a packet to either a standard or extended ACL and/or matches packet length.The Set statement deter- mines the action to be performed on matching packets. Set actions can include setting IP prece- dence, IP next-hop, interface, IP default next-hop, or default interface. With Cisco IOS release 12.0 and later, PBR can be fast-switched rather than process- switched, which improves performance. With fast switching, the set IP default next-hop and set default interface commands are not available.The set interface command is available only on point-to-point links unless there is a route-cache entry for the specified interface. When fast- switched PBR is used, a matching packet is forwarded blindly, without checking the routing table to ensure that it is a valid route. Configuring Policy Routing PBR is fairly simple to configure. Begin by creating an ACL for the traffic that is to be classified. Next, create route-map statements that act on the ACLs.A route map that specifies permit applies the policy to any packet that matches the ACL; all others will be routed normally. A deny route map does just the opposite, routing the packets that match and applying the policy to those that do not. Each route-map statement must also have a sequence number.The router will apply the statements in order to each packet and classify each based on the first statement it matches. Following the match statements are set statements, which tell the router what policy to apply. Set statements can be used with each other, so it is possible to send a matching packet to a par- ticular interface and to adjust the precedence. After the route-map statements are complete, apply the route map to an interface with the ip policy route-map command. Some PBR applicable commands are: ■ route-map map-name [permit | deny] sequence-number ■ match length min max ■ match ip address [access-list-number | name] ■ set ip precedence [number | name] ■ set ip next-hop ip-address ■ set interface interface-type interface-number ■ set ip default next-hop ip-address ■ set default interface interface-type interface-number www.syngress.com 253_BDCisco_06.qxd 10/15/03 11:35 AM Page 661 662 Chapter 6 • Quality of Service (QoS) ■ interface interface-type interface-number ■ ip policy route-map map-name Verifying Policy Routing You should use show commands to verify your policy routing configuration. Our execution of show running-configuration confirms that an IP precedence of 5 is assigned to all H.323 packets, which are sent out interface Serial 0/1: ! interface vlan 1 ip address 10.10.10.1 255.255.255.0 ip policy route-map voip ! route-map voip permit 10 match ip address 101 set ip precedence 5 set interface s0/1 ! access list 101 permit tcp any any eq 1300 ! Call Admission Control Call Admission Control (CAC) describes a method by which a node can prevent over-subscrip- tion of network resources, thus preserving the quality of existing transmissions. Often used with voice applications or videoconferencing, CAC rejects a request for network resources if the requesting application requires more bandwidth than is currently available. For example, if an interface is configured for 128k, and five VoIP calls requiring 24k each are in progress, CAC will prevent a sixth call from being completed, as it would degrade the quality of all six calls.This system ensures that all existing connections maintain the bandwidth they need. When a connection is rejected, the originating node will, depending on the network con- figuration, either look for an alternate path or provide a reorder tone or fast busy signal to the calling party. In Figures 6.17, 6.18 and 6.19, assume that each call requires 24k of bandwidth. In Figure 6.17, two calls exist between Router1 and Router3 (labeled 1 and 2). www.syngress.com 253_BDCisco_06.qxd 10/15/03 11:35 AM Page 662 Quality of Service (QoS) • Chapter 6 663 In Figure 6.18, a third call is placed (labeled 3), and Router1 sends the call to the next hop, Router2. However, there is not enough bandwidth to support the new call, so CAC rejects it. In Figure 6.19, after the rejection, Router1 is able to reroute the call via Router4 to com- plete the call. There are several different methods for implementing CAC, but for the purposes of VoIP, the most commonly used are RSVP and H.323 gateway zone bandwidth.The H.323 gatekeeper www.syngress.com Figure 6.17 Rerouting a Call Due to CAC Rejection: Two Calls Exist 56k 56k 56k 56k 128k PBX x2111 x2112 x2113 x1111 x1112 x1113 Router4 Router5 Router1 Router2 Router3 PBX 1 2 Figure 6.18 Rerouting a Call Due to CAC Rejection: Third Call Is Rejected 56k 56k 56k 56k 128k PBX x2111 x2112 x2113 x1111 x1112 x1113 Router4 Router5 Router1 Router2 Router3 PBX 1 2 X 3 Figure 6.19 Rerouting a Call Due to CAC Rejection: Third Call Is Rerouted 56k 56k 56k 56k 128k PBX x2111 x2112 x2113 x1111 x1112 x1113 Router4 Router5 Router1 Router2 Router3 PBX 1 2 X 3 253_BDCisco_06.qxd 10/15/03 11:35 AM Page 663 664 Chapter 6 • Quality of Service (QoS) monitors the network and makes decisions on call admission based on static calculations to either accept or reject a call, similar to the illustration in Figure 6.18.The gatekeeper does not know how much bandwidth is currently being used and makes no bandwidth reservations. Instead, it relies on configured bandwidth for WAN links and preset values for per-call bandwidth use.The gatekeeper then merely subtracts that rate from the total bandwidth for each active call and rejects a call request that would drop the bandwidth below zero. Configuring Call Admission Control (CAC) We will configure an H.323 gateway zone bandwidth for CAC. From Gatekeeper Configuration mode, enter the bandwidth command.To configure a specific bandwidth from the current zone to another zone, use the interzone parameter.The total parameter specifies the total bandwidth available within the current zone, and the session parameter specifies a maximum bandwidth for an individual call. Bandwidth is entered in Kbps, and valid values are 1 to 10,000,000Kbps for interzone or total configurations and 1 to 5,000Kbps for session configurations. In Figure 6.20, there are three routers, each with two POTS (plain old telephone service) lines, arranged into two zones, with a gatekeeper. The necessary configuration commands are provided in the following output: hostname Router-1 ! interface ethernet 1/0 ip address 10.10.10.101 255.25.255.0 www.syngress.com Figure 6.20 Call Admission Control IP Cloud Router-1 Router -2 Router-3 Router-gk-1 Zone 2 Zone 1 2002 2001 1002 1001 3001 3002 253_BDCisco_06.qxd 10/15/03 11:35 AM Page 664 Quality of Service (QoS) • Chapter 6 665 h323-gateway voip interface h323-gateway voip id zone1 ipaddr 10.10.10.104 h323-gateway voip h323-id gw_1 h323-gateway voip bind srcarrd 10.10.10.101 ! voice-port 0/0/0 ! voice-port 0/0/1 ! dial-peer voice 1 voip destination pattern …. session target ras ! dial-peer voice 2 pots destination pattern 1001 port 0/0/0 ! dial-peer voice 3 pots destination pattern 1002 port 0/0/1 ! gateway Verifying Call Admission Control Verification of your CAC configuration can be done with simple show commands: hostname Router-2 ! interface ethernet 1/0 ip address 10.10.10.102 255.25.255.0 h323-gateway voip interface h323-gateway voip id zone1 ipaddr 10.10.10.104 h323-gateway voip h323-id gw_2 h323-gateway voip bind srcarrd 10.10.10.102 ! voice-port 0/0/0 ! voice-port 0/0/1 ! ! www.syngress.com 253_BDCisco_06.qxd 10/15/03 11:35 AM Page 665 666 Chapter 6 • Quality of Service (QoS) dial-peer voice 1 voip destination pattern …. session target ras ! dial-peer voice 2 pots destination pattern 2001 port 0/0/0 ! dial-peer voice 3 pots destination pattern 2002 port 0/0/1 ! gateway ! hostname Router-3 ! ! interface ethernet 1/0 ip address 10.10.10.103 255.25.255.0 h323-gateway voip interface h323-gateway voip id zone2 ipaddr 10.10.10.104 h323-gateway voip h323-id gw_3 h323-gateway voip bind srcarrd 10.10.10.103 ! voice-port 0/0/0 ! voice-port 0/0/1 ! dial-peer voice 1 voip destination pattern …. session target ras ! dial-peer voice 2 pots destination pattern 3001 port 0/0/0 ! dial-peer voice 3 pots destination pattern 3002 port 0/0/1 ! www.syngress.com 253_BDCisco_06.qxd 10/15/03 11:35 AM Page 666 Quality of Service (QoS) • Chapter 6 667 gateway ! hostname Router-gk-1 ! interface Ethernet 1/0 ip address 10.10.10.104 255.255.255.0 ! gatekeeper zone local zone1 zone local zone2 zone prefix zone1 1… gw-priority 10 gw_1 zone prefix zone1 2… gw-priority 10 gw_2 zone prefix zone2 3… gw-priority 10 gw_3 bandwidth interzone zone1 64 bandwidth total zone zone1 128 Notice that bandwidth is limited to 64Kbps for Zone 1 for interzone calls, with 128Kbps of total bandwidth. Because the gatekeeper assumes 64Kbps per call, this limits Zone 1 to a max- imum of one call from outside the zone and two calls total. Assuming that no calls are currently in progress, if a call is placed from 3001 to 1001, it will be connected. If a call is then attempted from 3002 to 2002, it will be rejected because there is already one interzone call in progress. However, a call from 1002 to 2001 would be allowed because there can be up to two simulta- neous calls within Zone 1. For a graphical representation of this scenario, see Figure 6.21. www.syngress.com Figure 6.21 H.323 Gateway Call Flow IP Cloud Router-1 Router-2 Router-3 Router-gk-1 Zone 2 Zone 1 X Call to 2002 Call to 1001 Call to 2001 2002 2001 1002 1001 3001 3002 253_BDCisco_06.qxd 10/15/03 11:35 AM Page 667 [...]... RADIUS server and passes the user credentials .The server then acts on the configuration information necessary for the client to deliver services to the user Figure 7. 4 illustrates what happens when a user attempts to log in and authenticate to a NAS or router via RADIUS www.syngress.com 253_BDCisco_ 07. qxd 10/15/03 11: 37 AM Page 6 87 Cisco Network Security • Chapter 7 6 87 Figure 7. 4 Authenticating with RADIUS... to authenticate Client A Server Farm 1 When the connection is established, the NAS contacts the TACACS+ server to obtain an authentication prompt (username/password) to which the user provides their credentials www.syngress.com 253_BDCisco_ 07. qxd 10/15/03 11: 37 AM Page 689 Cisco Network Security • Chapter 7 689 2 The credentials are then sent to the TACACS+ server 3 The TACACS+ server queries the user... compromising an upstream router belonging to the Internet Service Provider (ISP) of one of the hosts, they can monitor the packets moving between the two hosts It is then possible for the malicious individual to analyze and change the packets coming and going to the host It is easy for a maliwww.syngress.com 253_BDCisco_ 07. qxd 674 10/15/03 11: 37 AM Page 674 Chapter 7 • Cisco Network Security cious person to... database and validates the user’s credentials 4 The NAS will eventually receive one of the following responses: I ACCEPT The user is authenticated and the service may begin I REJECT The user is not authenticated, and will either be denied access or reprompted I ERROR Error during authentication either at the TACACS+ server or on the network I CONTINUE Prompted for additional authentication information... integrated with other security negotiations such as Point-to-Point Protocol (PPP) Each of the AAA mechanisms can be tied into separate databases www.syngress.com 253_BDCisco_ 07. qxd 688 10/15/03 11: 37 AM Page 688 Chapter 7 • Cisco Network Security TACACS+ encrypts the entire payload of the packet thus protecting the password, username, and other information exchanged between the client and the server Communication... the group server I ip-address Enters the IP address of the RADIUS server I auth-port port-number (Optional) The UDP port for authentication requests (the default is 1645) www.syngress.com 253_BDCisco_ 07. qxd 10/15/03 11: 37 AM Page 693 Cisco Network Security • Chapter 7 I 693 acct-port port-number (Optional) The UDP port for accounting requests (the default is 1646) The following command enables AAA and... networks grow larger AAA supports the use of standard protocols such as RADIUS,TACACS+, www.syngress.com 253_BDCisco_ 07. qxd 684 10/15/03 11: 37 AM Page 684 Chapter 7 • Cisco Network Security and Kerberos for authentication and the ability to define backup AAA servers if the primary one fails.You configure the type of AAA you want by creating lists that define the method to perform these functions and applying... as Cisco Secure Access Control Server (ACS) or another RADIUS program that services requests from RADIUS clients .The RADIUS server can also act as a proxy to other RADIUS servers or non-RADIUS servers RADIUS encrypts not only the password sent between the Cisco access client and RADIUS server, but between the workstation and the Cisco access client When authorization is needed, the client queries the. .. 253_BDCisco_ 07. qxd 10/15/03 11: 37 AM Page 677 Cisco Network Security • Chapter 7 677 Applying brute force techniques to RSA and other public key encryption (PKE) systems is not quite as simple Because the Rivest, Shamir, Adleman (RSA) algorithm is broken by factoring, if the keys being used are sufficiently small (smaller than any program using RSA would allow), it is conceivable that a person could crack the. .. that belongs in the group server I Server ip-address After using the aaa group server command to define a TACACS+ group server, specify the IP address of a TACACS+ server that belongs in the group server I IP-address Specifies the IP address of the TACACS+ server www.syngress.com 253_BDCisco_ 07. qxd 10/15/03 11: 37 AM Page 691 Cisco Network Security • Chapter 7 691 Optional TACACS+ Commands The following . services that the host is running. NMAP can also identify the operating system www.syngress.com 253_BDCisco_ 07. qxd 10/15/03 11: 37 AM Page 675 676 Chapter 7 • Cisco Network Security (OS) on the target can speed up the cracking process. www.syngress.com 253_BDCisco_ 07. qxd 10/15/03 11: 37 AM Page 676 Cisco Network Security • Chapter 7 677 Applying brute force techniques to RSA and other public. VPN ■ Wireless Security ■ Implementing WEP Chapter 7 669 Best Damn Topics in this Chapter: 253_BDCisco_ 07. qxd 10/15/03 11: 37 AM Page 669 670 Chapter 7 • Cisco Network Security Introduction Threats to