Thursday, 1 November 2012

Securing Borderless Networks + NFP

Here are a few more revision points, this time relating to securing borderless networks:

Borderless Network Components:
Borderless End Zone
Borderless Datacenter
Borderless Internet
Policy Management

SecureX and context aware security:
Context awareness
AnyConnect client
TrustSec
Security Intelligence Operations

Protecting the planes
Management:
AAA, NTP, SSH, SSL, Protected Syslog, SNMPv3, Parser views

Control:
CoPP, CPPr, Authenticated routing protocol updates

Data:
ACLs, Private VLANs, STP guards, IOS IPS, Zone Based Firewalls (IOS)

Management Plane Best Practices:
Strong Passwords, User authentication and AAA, RBAC, encrypted management protocols, logging, NTP, Secure system files





Monday, 29 October 2012

CCNA Security Buzzwords

So I've made a slight detour from the CCNA Wireless; it's been replaced by the CCNA Security, and my aim is to do it before the end of the year!

Here are some buzzwords which I feel I'll have to know and be able to explain should the need arise. I'm not going to explain them here because that forces me to remember what each means (rather than just reading it), hopefully fixing them in my brain:

Asset
Vulnerability
Threat - Latent, Realised, Threat Vector / Agent
Risk
Countermeasure - Administrative, Physical, Logical

Classifications:
Governmental - Unclassified, SBU (sensitive but unclassified), Confidential, Secret, Top Secret
Public Sector - Public, Sensitive, Private, Confidential
Criteria - Value, age, replacement cost, usefulness lifetime
Roles - Owner, Custodian (implementation), User

Attack Methods:
Covert Channel
Trust Exploitation
Password Attacks
Botnet
DoS / DDoS

Secure Network Architecture Guidelines:
Rule of least privilege
Defence in Depth
Separation of Duties
Auditing


The 5 stages of the Secure Network Lifecycle are:
Initiation
Acquisition and Development
Implementation
Operations and Maintenance
Disposition

Methods to determine the financial impact:
Qualitative
Quantitative


That'll do for now, although I may well add more as time goes on.

Cisco Telepresence (Very Much the Basics!)

Two months between posts! Very bad. I'm trying to get back on the blogging bandwagon again, so here we go!

Cisco Telepresence is a fantastic thing; however, it's a tad complicated and you really need to know what you are doing before you begin looking at it. Here are a few bits I've picked up along the way, which serve as a reasonable crash course in Telepresence:

In any Telepresence deployment there are 4 elements which must be present:
  1. Endpoints
  2. Call Control
  3. Conferencing
  4. Scheduling and Management
Endpoints - The endpoints are the phones, video screens and software clients which the user interacts with when they make a video call.

Call Control - This is dependent on what endpoints you choose, but essentially call control sets up and controls calls and provides the directory. The two options are CUCM (Call/Communications Manager) or Cisco VCS.
CUCM is used for IP Telephony, immersive multi-screen telepresence (TX9000) and standards based endpoints such as the MX200 / MX300. 
VCS is the platform for standards based Telepresence endpoints. VCS Control is the platform for use within an enterprise and VCS Expressway can be used to extend communications to other businesses and remote workers.
The most complete solution would consist of both CUCM and VCS with a SIP trunk between them. 

An interesting product here is the VCS Starter Pack Express, which is an introduction package for SMBs interested in Telepresence. It has limited functionality and supports up to 50 registrations and 25 calls.

Conferencing - This is the conferencing bridge element which allows for multi-party calls rather than just point to point.
An interesting product here is the MCU5300 series; it is essentially stackable conference MCU resources, so you buy them as you need them.

Scheduling and Management - As implied, this is the management and scheduling element, and the Cisco product for this is Telepresence Management Suite (TMS).

Wednesday, 22 August 2012

Juniper Line Card Types (DPC, MPC Etc)

I'm going to build on this post as I come across each of the different types, but it can get very confusing talking about the different types of Juniper line cards, so here is a reference:

DPC - Dense Port Concentrator
I-chip based cards which are available for the MX series routers.
They come in 3 variations:
DPCE-R - Routing and Switching, operate as complete L3 router or Full L2 switch
DPCE-X - Limited scale L3. Cost optimized line card
DPCE-Q - Enhanced Queueing, up to 64,000 queues per card. Per VLAN queueing.

MPC - Modular Port Concentrator
Trio-based cards for the MX series routers. They support full L3, L2 and application services. MICs are used inside MPCs to provide interfaces.
MPC1 - 32k IFL, port queues, 30Gbps
MPC2 - 64k IFL, port queues, 60Gbps
MPC1-Q - 32k IFL, VLAN queues, 128k I/E queues, 30Gbps
MPC2-Q - 64k IFL, VLAN queues, 256k I/E queues, 60 Gbps
MPC2-E-Q - 64k IFL, VLAN queues, 512k queues, 60Gbps

MX-FPC - MX Flexible Port Concentrator
These are used to add non-Ethernet interfaces to an MX series chassis. They take up 2 slots and have reduced performance (2.5 Gbps Type 2 or 10Gbps Type 3)

More to come as I come across them...


Tuesday, 14 August 2012

Calculating Packets Per Second of Devices

So here's a topic which just keeps cropping up and I look it up every time, so I'm sticking it on the blog so that I've got a reference for the future and hopefully I'll remember it a bit better for next time!

You will often have to calculate the required packets per second of a device to make sure it is "powerful enough" to handle the job given to it. Alternatively you may be sizing a device for a link, for example a router for a WAN connection, and you want to make sure it can handle wire speed on the link. Here are my calculations for this.

I'll use the standard example of a 1 gigabit WAN connection (1Gbps); this is 1,000,000,000 bits per second:
In order to work out the required pps (packets per second) of a device for the WAN link we need to consider the maximum and minimum packet sizes. Bear in mind that the packet size in reality will vary, so the actual number is anyone's guess, but this gives you a good boundary.

The minimum packet size is 84 bytes (46 payload, 4 CRC, 2 MAC type, 6 MAC source address, 6 MAC destination address, 8 preamble, 12 inter frame gap).
The maximum packet size is 1538 bytes (same as above but with 1500 payload instead of 46)

The calculation is:
Convert bits into bytes -- 1,000,000,000 bits per second / 8 = 125,000,000 bytes per second
Convert bytes into packets -- 125,000,000 bytes per second / 84 = 1,488,096 packets per second

The above works out the minimum packets per second, changing 84 to 1538 works out the maximum packets per second:
Convert bytes into packets -- 125,000,000 bytes per second / 1538 = 81,274 packets per second

From this we know that if all the packets were minimum sized we'd need a more powerful device to handle wire speed, but this is theoretical because you won't be able to guarantee the size of all packets, apart from in very special cases.

If you can work out the average packet size within the environment you will be able to work out the device requirements more accurately, but from here it is a bit of a guessing game: do you plan for the lowest possible packet size to ensure the device can handle wire speed, or do you pick a more realistic but unknown value somewhere in the middle? That answer is up to you.
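As an added example (not from the original post), the calculation above as a small Python helper that gives the pps bounds for any link rate using the same 38 bytes of per-frame overhead; it rounds down to whole frames, so the 1Gbps minimum-size figure comes out as 1,488,095 rather than the rounded-up 1,488,096 above.

```python
# Added example (not from the original post): packets-per-second bounds for a link.
# Frame sizes follow the post's accounting: payload + 38 bytes of Ethernet
# overhead (4 CRC, 2 type, 6 source MAC, 6 destination MAC, 8 preamble, 12 IFG).
from typing import Tuple

ETHERNET_OVERHEAD_BYTES = 4 + 2 + 6 + 6 + 8 + 12  # = 38
MIN_PAYLOAD = 46
MAX_PAYLOAD = 1500


def frame_size(payload_bytes: int) -> int:
    """Bytes on the wire for one frame, including preamble and inter-frame gap."""
    if not MIN_PAYLOAD <= payload_bytes <= MAX_PAYLOAD:
        raise ValueError("payload must be between 46 and 1500 bytes")
    return payload_bytes + ETHERNET_OVERHEAD_BYTES


def pps(link_bps: int, payload_bytes: int) -> int:
    """Whole frames per second a link carries if every frame has this payload size."""
    bytes_per_second = link_bps // 8
    return bytes_per_second // frame_size(payload_bytes)


def pps_bounds(link_bps: int) -> Tuple[int, int]:
    """(worst case: pps at minimum-size frames, best case: pps at maximum-size frames)."""
    return pps(link_bps, MIN_PAYLOAD), pps(link_bps, MAX_PAYLOAD)


def pps_for_average(link_bps: int, average_payload: int) -> int:
    """Sizing figure when an average payload size is known for the environment."""
    return pps(link_bps, average_payload)


if __name__ == "__main__":
    for name, rate in (("100Mbps", 100_000_000), ("1Gbps", 1_000_000_000),
                       ("10Gbps", 10_000_000_000)):
        worst, best = pps_bounds(rate)
        print(f"{name}: {worst:,} pps at 84-byte frames .. {best:,} pps at 1538-byte frames")
    # A constructed "average" of 500 bytes payload, for comparison with the bounds.
    print(f"1Gbps at 500-byte average payload: {pps_for_average(1_000_000_000, 500):,} pps")
```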

Monday, 13 August 2012

450Mbps Wireless. Spatial Streams and 4x4 MIMO

So I've not posted for a while, which is bad, and I will definitely start again soon. But in the meantime I've learnt something very interesting about 802.11n wireless, spatial streams and 450Mbps that I want to jot down.

802.11n radios give 300Mbps with 2x2 antennas, that is 2 transmit and 2 receive. They also utilise 2 spatial streams. The maths behind this is that each channel gives 75Mbps, so 2 channels (2 x 20MHz channels = 40MHz) give 150Mbps, and 2 spatial streams thus give 300Mbps. Note that each side needs the same setup to achieve these rates; this is critical.

MIMO allows multiple datastreams to be sent simultaneously however there are two sides to this coin. Each MIMO stream can be used to send the same data, thus you have multiple redundant copies of the data and the connection is very reliable, this is Diversity. The other extreme is throughput where each stream sends different data but there is no redundancy in the path so it is potentially faster but also less reliable. Most commonly a balance in the middle is used to give you reliable throughput.

Thus APs can theoretically achieve 450Mbps by using 3x3 radios with 3 spatial streams. The problem is that this is an extreme throughput situation and you will likely not get the fastest possible speeds due to distance and errors in the transmission. If one of the streams experiences deep fading (low signal) the transmission fails or drops to a lower transmission rate.

Cisco has a solution to the above in the 3600 AP. It has 4x4 radios and 3 spatial streams meaning that three can send and receive while the remaining is used for diversity to help achieve the reliable throughput needed. It's worth noting that this is custom silicon as well and only available to Cisco, at the time of writing anyway.

References:
There's a fantastic video from techwize tv called 'fundamentals of spatial streams'. Currently on this page:
http://www.cisco.com/en/US/products/ps11983/index.html

Friday, 27 July 2012

Logarithm

So here's an interesting topic and one I think I'll remember because I already half know it under another guise.

The reason I'm posting about logarithms is because wireless networking uses a logarithmic scale in decibels. Binary is also a logarithmic scale.

A logarithm is essentially "the power of" some number, the "base". For example, logarithms for binary use base 2.

For example:
log10(1000) = 3. You read this as "log of 1000 to base 10 is 3": 10 x 10 x 10 = 1000 = 10^3.

References:
http://en.wikipedia.org/wiki/Logarithm

Monday, 23 July 2012

CCNA Wireless Revision

So I'm starting to get down to revision for the CCNA Wireless. I'm trying to pick a specialisation, and I figure the best way to do this is to get immersed enough in each technology, without going too deep, to see if I can find something that I really enjoy and will be happy focusing on for the next few years.

I'm starting with wireless because it's interesting, it's very relevant and the knowledge will definitely be useful even if I decide to go a different way.

I haven't decided exactly how I'm going to do this yet, but I'll be posting my revision notes up somewhere on this blog; any comments are welcome. I'd also love to hear from anyone who's recently done the CCNA Wireless, especially because there is very little current study material out, only the old stuff for IUWNE 640-721 when really I need 640-722. Hopefully it'll be released soon! If not, well then, we'll just crack on and see what happens.

Wednesday, 18 July 2012

Wireless Authentication - 4 Way Handshake

The authentication process for WPA is known as the 4-way handshake; this is required for a client to be authenticated onto the network.

At the start of the process the client and the AP both know the passphrase (PSK) and the Pairwise Master Key (PMK) which is computed from the PSK and SSID.

The first step is for the AP and client to form a new key called the Pairwise Transient Key (PTK). This key is a function of the PMK, a random number from the AP (A-nonce), a random number from the client (S-nonce), and the MAC addresses of the AP and client.
  1. The AP sends an A-nonce to the client.
  2. The client sends an S-nonce to the AP, as well as a MIC. The AP uses the MIC to verify that the client has the PMK. If the MIC is incorrect then the PTK and PMK are incorrect, because the PTK is derived from the PMK.
  3. The AP sends a GTK (Group Temporal Key) to the client, plus a MIC.
  4. The client sends an acknowledgement to the AP.
The client and AP can now install the key and begin encrypting the traffic.

This 4-way handshake is also used for WPA Enterprise as well as WPA PSK, the difference being that the PMK is derived from the client's authentication with the RADIUS server via EAP.
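The key derivation behind the handshake, as an added example that is not part of the original post: PMK from PSK and SSID, PTK from the PMK plus both nonces and both MAC addresses, and the MIC check in message 2 that lets the AP confirm the client holds the same PMK. The constructions are the standard 802.11i ones (PBKDF2-HMAC-SHA1, the SHA1 PRF, HMAC-SHA1 truncated to 16 bytes for a WPA2/AES key descriptor); the MAC addresses, nonces and EAPOL body are constructed sample values, not a real capture.

```python
# Added example, not from the original post: the key derivation behind the
# WPA/WPA2-PSK 4-way handshake, using the standard 802.11i constructions.
# MAC addresses, nonces and the EAPOL body below are constructed sample values.
import hashlib
import hmac
import os
from typing import Tuple


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """PTK (48 bytes for CCMP) from the PMK, both MAC addresses and both nonces.

    Inputs are ordered min/max so the AP and the client compute the same value
    regardless of which side is which.
    """
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes) -> Tuple[bytes, bytes, bytes]:
    """KCK (signs the handshake MICs), KEK (wraps the GTK), TK (encrypts data frames)."""
    return ptk[0:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """MIC of a WPA2/AES key descriptor: HMAC-SHA1 over the frame, truncated to 16 bytes.

    The standard zeroes the MIC field before hashing; the caller passes the frame
    in that state.
    """
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def handshake_message2_verified(passphrase_ap: str, passphrase_client: str, ssid: str) -> bool:
    """Simulate message 2 of the handshake: does the AP accept the client's MIC?"""
    ap_mac = bytes.fromhex("001122334455")       # constructed sample MAC addresses
    client_mac = bytes.fromhex("66778899aabb")
    anonce = os.urandom(32)                      # message 1: AP -> client
    snonce = os.urandom(32)                      # message 2: client -> AP
    message2_body = b"constructed EAPOL-Key body carrying SNonce " + snonce

    # Client side: derives its PTK from its own PMK and signs message 2 with the KCK.
    client_pmk = derive_pmk(passphrase_client, ssid)
    client_kck, _, _ = split_ptk(derive_ptk(client_pmk, ap_mac, client_mac, anonce, snonce))
    mic_sent = eapol_mic(client_kck, message2_body)

    # AP side: now holds both nonces, derives its own PTK and recomputes the MIC.
    # A match proves the client derived the same PMK without the PMK ever being sent.
    ap_pmk = derive_pmk(passphrase_ap, ssid)
    ap_kck, _, _ = split_ptk(derive_ptk(ap_pmk, ap_mac, client_mac, anonce, snonce))
    return hmac.compare_digest(mic_sent, eapol_mic(ap_kck, message2_body))


if __name__ == "__main__":
    print("matching PSK accepted:", handshake_message2_verified("correct horse", "correct horse", "lab-ssid"))
    print("wrong PSK accepted:   ", handshake_message2_verified("correct horse", "wrong pass", "lab-ssid"))
```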

Here is a good reference diagram from Wikipedia to help remember the process:
http://upload.wikimedia.org/wikipedia/commons/a/ac/4-way-handshake.svg

The full article is below:
http://en.wikipedia.org/wiki/IEEE_802.11i-2004

Wednesday, 11 July 2012

TOS / COS - Type of Service / Class of Service

Type of Service (TOS) is an 8 bit field in the IP header which can be used for differentiating the treatment for that packet. TOS is an older method not used as much any more because it has been superseded by the Class of Service (COS). This redefining of the TOS field is called the Differentiated Services (DiffServ) Framework.

COS uses 6 bits in the DiffServ field, called the DiffServ Code Point (DSCP). 6 bits allows 64 classes, which can be the predefined classes or manually chosen. The queueing and forwarding treatment of the IP packet is called Per Hop Behaviour (PHB).

The last 2 bits in the DiffServ field are the ECN (Explicit Congestion Notification). These can be used to signal congestion.
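An added example, not part of the original post, that decodes the 8-bit DS byte into the 6-bit DSCP and 2-bit ECN parts described above and names the standard per-hop behaviours (the EF, CS and AF code points from RFC 3246, 2474 and 2597); the DS bytes in the demo are constructed samples.

```python
# Added example (not part of the original post): split the DS byte that replaced the
# TOS field into DSCP (upper 6 bits) and ECN (lower 2 bits) and name the PHB.
from typing import Tuple

ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE (congestion experienced)"}


def split_ds_byte(ds: int) -> Tuple[int, int]:
    """Return (dscp, ecn) from one DS byte."""
    if not 0 <= ds <= 0xFF:
        raise ValueError("DS byte must fit in 8 bits")
    return ds >> 2, ds & 0x03


def phb_name(dscp: int) -> str:
    """Map a DSCP value to its PHB: BE, EF, CSx, AFxy, or a locally chosen value."""
    if dscp == 0:
        return "BE (default)"
    if dscp == 46:
        return "EF"
    cls, low3 = dscp >> 3, dscp & 0b111
    if low3 == 0:                                  # CS1..CS7: class bits only
        return f"CS{cls}"
    if 1 <= cls <= 4 and low3 in (2, 4, 6):        # AF: class 1-4, drop precedence 1-3
        return f"AF{cls}{low3 // 2}"
    return "unassigned / locally defined"


def ip_precedence(dscp: int) -> int:
    """Backwards compatibility: the old TOS precedence is the top 3 bits of the DSCP."""
    return dscp >> 3


def describe(ds: int) -> str:
    dscp, ecn = split_ds_byte(ds)
    return (f"DS=0x{ds:02x} DSCP={dscp} ({phb_name(dscp)}, precedence {ip_precedence(dscp)}) "
            f"ECN={ecn} ({ECN_NAMES[ecn]})")


if __name__ == "__main__":
    # Constructed DS bytes: best effort, EF voice, AF11, AF21 with CE set, CS7, EF with CE.
    for sample in (0x00, 0xB8, 0x28, 0x4B, 0xE0, 0xBB):
        print(describe(sample))
```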

Routing Protocols Interesting Tidbit

Here's something I didn't realise: BGP and RIP are actually application layer protocols with regard to the TCP/IP stack, because BGP uses TCP to send messages and RIP uses UDP. In contrast, other routing protocols such as OSPF are at the Internet layer (Network layer in the OSI model) because they encapsulate messages directly into IP packets.

Tuesday, 10 July 2012

Home Network Update - New Items

So I've sourced a few items from the wonderful place which is eBay and I've got a few ideas for them:
Cisco2811-SEC/K9 - Cisco 2811 router with security licence
AIR-AP1131AG-E-K9 - Cisco 1131 autonomous access point

The 2811 was at a price I couldn't refuse, so I'm not 100% sure what to do with it yet, but I'll have a think and implement it somehow. I'm umming and ahhing about converting it to run CCME. That would be a really interesting little project: I've got a couple of phones lying around, so I'd only need PVDMs, CCME software and licenses.

The access point is an easy one, it'll extend the wireless network, hopefully giving me decent signal throughout the house, but it'll be interesting to see exactly how this works without a controller...

Next purchases will likely be a small switch of some kind, a 2960C maybe, because I'm rapidly running out of ports. I also want an ASA5505 because I'm starting to worry I can't achieve what I wanted to with my little 877W and its IOS SSL WebVPN.

Friday, 6 July 2012

Wireless Connection Process

Below is the process a wireless client goes through in order to get access to a wireless network:

Step 1 - Start
This is the initial connection between the client and AP. This is where L2 security authentication and encryption mechanisms are in place, for example: none, static WEP, 802.1X, WPA / WPA2.

Step 2 - DHCP
L3 operations start here: an IP address is obtained, as well as L3 security elements such as authentication via a web page at a hotspot. This could be the first phase if L2 security isn't configured.

Step 3 - Mobility
The client's final IP address is applied here and it can fully function at L3. The address may well have changed from step 2 if web authentication was used.

Step 4 - Run
The client is live and sending data.

Layer 2 security comprises:
Authentication - 802.1X or PSK
Encryption - None, WEP, WPA or WPA2 (TKIP or AES)


Thursday, 5 July 2012

Cisco WLC Interfaces

Ports on a WLC are physical interfaces. Below are the different types of ports:
Service Port - RJ45 connection used for Out Of Band (OOB) management. It cannot carry traffic and is not auto sensing so it must connect to a switch access port and must have the correct cable. No default gateway can be set so the management station should be on the same subnet or a static route will need to be defined.
Console Port - standard DB9 console port
Utility Port - For future use
Distribution Ports - These ports are for controlling APs and network connectivity.

Interfaces on a WLC are logical and need to be mapped to a port. Many interfaces can be mapped to a single port. Interfaces are either predefined or user defined. user defined interfaces are dynamic and are used for VLANs for WLAN access. Predefined interfaces are static. Interfaces need to be on all controllers in the mobility group in order to ensure seamless roaming otherwise clients will drop and need to re-associate. Types of static interfaces:
Management - This interface is used for in band management for example connections to AAA and L2 communications to other controllers. This interface should be in a different subnet from the service port. This address is used for the GUI
AP Manager - This interface is used for WLC to AP communications at L3. This address is also the tunnel source address when packets are sent from the WLC to the AP, and the destination address vice versa. It should be in the same subnet as the management interface. If the distribution ports are grouped in a LAG then only a single AP manager interface is needed. All LWAPP traffic goes through this interface.
Virtual - This interface is used to support Mobility Management (mobile client uses the same virtual IP address when roaming across controllers), DHCP relay (DHCP address for clients) and L3 security (redirect for the web page authentication).
Service port - This controls the above-mentioned service port.

Dynamic interfaces are also known as VLAN interfaces. They are user defined interfaces and are used to carry the data from wireless clients. They are created with the following details:
VLAN ID, Physical port assignment, DHCP server information, ACL information.
Dynamic interfaces can be assigned to many different types of ports: Distribution, WLANs, L2, management, L3 and AP manager interfaces. WLANs are associated with a SSID and dynamic interface. Up to 512 dynamic interfaces can be configured on a WLC.

Lightweight AP Architecture Part 2 - Roaming

AP Modes of Operation:
Local Mode - This mode is the standard AP mode; it handles data transfer for clients and also monitors all channels. It uses a 180 second cycle in the 2.4GHz band, where it spends 13 seconds on its assigned channel, then spends 60msec scanning another channel, after which it returns to its assigned channel for 13 seconds and the cycle continues. In the 5GHz band the AP spends 10 seconds on the assigned channel due to the larger number of channels.
Monitor Mode - Only allows for monitoring, with no client data traffic. The AP can be used as a sensor for wireless IDS (scanning for rogue APs and clients), for data gathering when troubleshooting performance related issues, as a site survey tool, or as a triangulation point when using the Wireless Location Appliance. Each channel is scanned for 1.1ms and the channels to be scanned are set on the AP.
Sniffer Mode - The AP captures frames on a specific channel and sends the frames to a device running an analyser, e.g. Wireshark. Sniffer mode causes a reboot of the AP.
Rogue detection mode - The AP is connected to a trunk link and operates without using its radios. The controller updates the AP with the MAC addresses of known rogue APs and clients. The AP listens on the wired network for ARP packets and, if it sees a rogue's MAC, sends an alarm to the WLC. Stations cannot associate in rogue detection mode.
H-REAP Mode - H-REAP APs are deployed at remote sites that do not warrant a WLC. If the connection to the WLC is lost the AP continues to function. There are a number of restrictions on the WAN link required for H-REAP: it cannot be less than 128kbps, round trip latency cannot exceed 100ms, the MTU must be at least 500 bytes, and code updates over 4MB cannot be received. The AP also needs to have at least 32MB of memory because it needs to store additional information such as: DTIM period, beacon period, time between beacon frames, preambles, power level, country code, and a black list of forbidden MACs. Also, an AP in H-REAP mode cannot use L2 or L3 broadcasts to find its WLC; it needs to use DHCP option 43, DNS, or OTAP via another AP.
Bridging Mode - The AP is used as a point-to-point or point-to-multipoint bridge. Only some models can handle this: 1130AG, 1240 and 1500 series.

Roaming:
A mobility domain is a group of controllers. Clients roam between APs attached to WLCs in a mobility group. Clients can only roam between mobility groups if they are part of the same mobility domain; if they are not, then a complete re-authentication process has to take place. In order for a controller to be part of a mobility domain it must be configured with the MAC and IP addresses which map to the existing WLCs in the group. They also need the same domain name and the same virtual gateway address. Up to 24 controllers can be part of a group.
In order for roaming to occur there are a few more prerequisites: The controllers must have the same code version, the same LWAPP mode and the same ACLs, the same SSIDs. When roaming occurs either the new WLC can handle all the APs connections (asymmetric tunnelling) or traffic can be sent back to the old controller (symmetric tunnelling).

Layer 2 roaming:
When a client roams to a new AP within the same subnet the client authenticates with the new AP and traffic is tunnelled back to the original controller. Intra-controller roaming is when the client roams between APs on the same controller and typically takes about 10 msec. Inter-controller roaming is when a client roams between APs on 2 different controllers and typically takes about 20 msec.

Layer 3 roaming:
In L3 roaming either the client changes subnets but retains its old IP address, or it re-authenticates. The controller creates a tunnel which makes the client and network think the subnet hasn't changed. If both the to and from traffic are tunnelled between the new and old controller this is known as symmetric tunnelling. If the traffic from the client uses normal IP routing and just the return traffic is tunnelled between the controllers this is known as asymmetric tunnelling. L3 roaming is a quick process because, unlike L2 roaming, not all the client information is handed over. Instead the old controller marks the client data as an anchor entry and the new controller marks it as a foreign entry.
Asymmetric routing path is:
client -> foreign controller -> destination
destination -> anchor controller -> client
Symmetric routing path is:
client -> foreign controller -> anchor controller -> destination
destination -> anchor controller -> foreign controller -> client
The option on the controller which determines if symmetric or asymmetric tunnelling is used is called Symmetric Mobility Tunnelling.
You may want one controller to have symmetric tunnelling and the rest to be asymmetric, for example for a guest WLAN which is only allowed internet access. To do this a special anchor, a mobility anchor, must be defined. When using a mobility anchor all traffic to and from the client must go through this anchor, regardless of where the client is located. The client gets its IP address and security configuration from this mobility anchor. It is possible to have redundant mobility anchor controllers. Anchors must be connected to a VLAN trunk port in order to allow all stations to keep their IP addresses when roaming.

Lightweight AP Architecture

AP Discovery of WLC:
When the AP first boots up it tries to discover as many controllers as possible, and will try to associate to the WLC with the highest remaining percentage capacity.
If the AP and controller are not on the same subnet then it won't reach a controller with L2 discovery, so it will try L3. Here are the L3 options, and it's worth noting that the AP will try all options before choosing a controller:
  • Subnet broadcast - Default mode. The AP sends out a local subnet broadcast and any WLC that receives this broadcast sends a response, much like in DHCP. The AP stores the addresses of previous controllers even after it's rebooted, so it tries these too.
  • Over-The-Air Provisioning (OTAP) Mode - The AP listens for over-the-air RRM packets which include the address of an associated WLC. This method should really be disabled because of the security implication of sending OTA RRM packets in plain text, plus it wastes bandwidth.
  • AP Priming - This connects the AP and WLC together before they are deployed; the AP keeps the WLC address even on reboots. If the controller is part of a mobility group it learns all the IP addresses of the WLCs in the group.
  • DHCP option mode - The WLC address can be received in the DHCP reply. This should be set as an option in the DHCP server.
  • DNS/DHCP mode - The WLC IP address can be obtained from the DNS server. Once the AP has an IP address it will do a hostname lookup for a controller record called CISCO-LWAPP-CONTROLLER.
If the WLC is not configured for L3 mode it will not respond to any of these methods.

If the AP receives a number of replies it uses a specific order to try and associate to a WLC. If the AP hasn't been primed with a WLC it will try to look for a master controller, which is defined when the mobility domain is created. If the AP was primed it will try to associate with its primary controller, then secondary, then tertiary. If all this fails then the AP will resort to the controller with the AP-Manager which has the highest percentage of available capacity.
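An added example (not from the original post) for the DHCP option mode above: building and parsing the vendor-specific option 43 value that hands lightweight APs their controller addresses, so an AP can find its WLC without the plain-text OTAP method. The encoding is Cisco's documented sub-option type 0xf1 with a length of 4 bytes per controller followed by the IPv4 addresses; the controller addresses are constructed samples.

```python
# Added example, not from the original post: encode and decode the Cisco WLC
# sub-option carried in DHCP option 43 (type 0xf1, length = 4 x controllers,
# then the IPv4 addresses). Controller addresses below are constructed samples.
import ipaddress
from typing import List

WLC_SUBOPTION = 0xF1


def encode_option43(controllers: List[str]) -> bytes:
    """Option 43 value listing one or more WLC management addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    body = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(body) > 0xFF:
        raise ValueError("too many controllers for a single sub-option")
    return bytes([WLC_SUBOPTION, len(body)]) + body


def decode_option43(value: bytes) -> List[str]:
    """Walk the TLV sub-options and return the WLC addresses found (type 0xf1 only).

    Other sub-option types are skipped; a truncated TLV raises rather than
    yielding a half-parsed address.
    """
    found: List[str] = []
    i = 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated sub-option header")
        sub_type, length = value[i], value[i + 1]
        data = value[i + 2 : i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option data")
        if sub_type == WLC_SUBOPTION:
            if length % 4:
                raise ValueError("WLC sub-option length must be a multiple of 4")
            found.extend(str(ipaddress.IPv4Address(data[j:j + 4])) for j in range(0, length, 4))
        i += 2 + length
    return found


def ios_option43_line(controllers: List[str]) -> str:
    """The hex form used in an IOS DHCP pool, e.g. 'option 43 hex f104c0a80105'."""
    return "option 43 hex " + encode_option43(controllers).hex()


if __name__ == "__main__":
    sample = ["192.168.1.5", "192.168.1.6"]     # constructed controller addresses
    print(ios_option43_line(sample))
    print(decode_option43(encode_option43(sample)))
```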

AP Joining to WLC:
The LWAPP join message sent by the AP includes:

  • The MAC address of the WLC and type of controller
  • The hardware and software version of the AP, its name, and the number and types of radios it has
  • The X.509 certificate used to initiate a secure LWAPP connection
The AP now tests the network to see if it supports jumbo frames, and it does this by sending 2 different join request packets, one of 1596 bytes and one of 1500 bytes. Once the controller receives the join request it sends a join reply including:
  • A result code, which will either be 0 or 1 (0 = success, 1 = failure) if it fails the status message will say why
  • The X.509 certificate of the controller
  • A payload check to test for jumbo frame support

If everything goes well the AP will download the code and/or configuration. If not, the AP goes back into the discovery phase and starts again.

Radio Resource Management (RRM):
RRM performs the following functions - Radio resource monitoring, client and network load balancing, dynamic channel assignment, coverage hole detection and correction, dynamic transmit power control, interference detection and avoidance.
The characteristics considered to manage channel assignment are: Noise, Client Load, 802.11 interference, utilisation, AP energy received.
It can manage power levels of APs (best practice is neighbours at -65dBm), influence the choice of AP by the stations by making overcrowded APs refuse associations. It can enhance roaming by comparing the RSSI and SNR of stations with regard to each AP.

Wednesday, 4 July 2012

Cisco Unified Wireless Network (CUWN)

CUWN was introduced to address the following challenges:

  • Integrating device types so that they work well together
  • Ensuring a consistent security configuration despite increasing numbers of APs
  • Monitoring the environment for new sources of interference and redeploying if necessary
  • Managing channel allocation to minimise co and adjacent channel interference
CUWN elements - Clients, APs, Network Unification (devices which join wired and wireless networks; WiSM, WLCM), Network Management, Network Services (IDS and admission control)

LWAPP (Lightweight Access Point Protocol) is used to carry data between the APs and the WLC. It carries and encapsulates control information over an encrypted tunnel. It encapsulates frames with a 6 byte header which also contains the RSSI and SNR information. Another header is then added with the source and destination addresses (AP and WLC address). LWAPP operates in L2 or L3 mode; in L2 mode only the MAC addresses are used. Because of this overhead the wireless packets are larger than 1500 bytes, usually 2346 bytes. The fragmentation field in the LWAPP header handles this; the fragments are called segments.

WCS facilitates the management of several WLCs. It is also required for location services (tracking and RFID tags) using the location appliance.

Split MAC is the ability to split 802.11 data link functions between the AP and WLC. The AP handles real-time communication and the WLC handles non-time-sensitive functions.

Real time Traffic is:
Frame handshake exchange between client and AP done during each frame transfer
Handling of frames for clients in power save mode
Beacon transmission
Responses to probe requests
Real time signal quality information for each received frame
RF channel monitoring including noise, interference, other WLANs and rogue APs
Encryption and decryption, excluding VPN and IPSec clients (Layer 2 wireless)

Non-time sensitive traffic:
802.11 authentication
802.11 association and re-association; also known as mobility
802.11 to 802.3 bridging
The point where all 802.11 frames terminate at the controller

Tuesday, 3 July 2012

Wireless Security part 2 - Inc RADIUS

RADIUS:
Some benefits of RADIUS are:
Authorisation
Centralised access and control of that access
Accounting supervision - including client network access and rights
Recording access attempts

Encryption:
The basic encryption process is to take plain text, which is scrambled in a process called the cipher, and this gives cipher text. Types of ciphers include stream ciphers, which consist of performing modifications to each bit of data, and block ciphers, which perform the modifications on a block of data.

Symmetric and Asymmetric Encryption:
Symmetric encryption is faster than Asymmetric encryption because it requires less processing power. The disadvantage is that it is less secure.

Key Management:
There are 2 methods: a common key across all users or a unique key for each user. An issue with individual keys is with broadcast / multicast traffic as opposed to unicast. Individual keys can be generated in 2 ways: either individual keys are configured on the client and APs, or they can be derived from a common key and generated for each session the user has with the AP.

Encryption methods:
There are 2 types of encryption methods used: TKIP and AES. Prior to these there was only RC4 with static keys which is insecure and should not be used.
TKIP was a replacement for WEP. It is essentially a wrapper around WEP with enhanced 128-bit encryption, but it is made more secure by the following:
It changes the packet's key. The packet key is made up of 3 things: a base key, the transmitting device's MAC address, and the packet serial number. This is important because the serial number is a 48-bit number which cycles, so replay attacks (a hacker reusing an old serial number) are mitigated. Also the base key is a unique value, so it can't be reused either.
AES is used in the WPA2 and 802.11i standard. It uses 128bit data encryption. AES is a block cipher. 


The 4 improvements of WPA:
Larger initialisation vector (IV) - increases the level of randomness, making the encryption harder to crack
Message integrity check
Key management using 802.1X
Unicast and broadcast key management


Centralised Key Management:
This is a benefit of 802.11i and WPA2. As a client roams, the reauthentication can often take long enough to break the application's connections. Two items which mitigate this are: key caching (the AP caches the credentials of the client, so if it roams away and back the AP already has the details) and preauthentication (if the client comes close to an AP but not close enough to associate, it will perform the authentication process anyway so that if it comes within range later the authentication is much quicker).


802.11i:
WPA2 was built with 802.11i in mind; when 802.11i was fully ratified some features were added:
A list of EAP methods that can be used
AES-CCMP instead of RC4
Better key management, for example the master key can be cached permitting a faster reconnect for clients


If performing an upgrade from TKIP to AES the same keys can be used


TKIP is used to encrypt data in WPA, whereas AES or TKIP can be used in WPA2 or 802.11i.

Wireless Security - Inc. EAP, PKI

DoS Protection:
Management Frame Protection (MFP) can be used to protect against the flooding of probe requests or other management transmissions. MFP comes in 2 forms: infrastructure and client.
In infrastructure MFP mode the controller generates a signature for each WLAN, which is added to each management frame sent. Any attempt to alter a frame, or a frame carrying an unknown SSID, is detected by the MIC (Message Integrity Check); an alarm is generated and the controller instructs the AP to drop the frame.
In client mode the client itself can be configured to detect and drop spoofed or invalid management frames. To support this, CCX v5 and WPA2 (with TKIP or AES) must be used.
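Here is an added Python example of the infrastructure MFP idea described above (my own illustration, not code from the post or from Cisco). A controller-side function appends a MIC to a management frame using a per-WLAN key, and an AP-side check drops frames whose MIC does not verify or whose SSID the controller does not serve. HMAC-SHA256 is an assumed stand-in for the real MFP integrity algorithm, the frame layout (ssid length | ssid | body | mic) is constructed for the example, and the keys are constructed placeholders.

```python
import hashlib
import hmac

MIC_LEN = 16  # bytes of MIC appended to each protected management frame

# Constructed per-WLAN signing keys (placeholders, not real keys): one per
# SSID the controller serves, matching the post's "signature for each WLAN".
WLAN_KEYS = {
    b"corp-wifi": b"\x01" * 32,
    b"guest-wifi": b"\x02" * 32,
}


def sign_frame(ssid: bytes, body: bytes, keys: dict = WLAN_KEYS) -> bytes:
    """Controller side: build ssid_len | ssid | body and append the MIC."""
    if ssid not in keys:
        raise KeyError("controller serves no WLAN with this SSID")
    header = bytes([len(ssid)]) + ssid + body
    mic = hmac.new(keys[ssid], header, hashlib.sha256).digest()[:MIC_LEN]
    return header + mic


def check_frame(frame: bytes, keys: dict = WLAN_KEYS) -> str:
    """AP side: return 'ok', or the reason the frame should be dropped."""
    if len(frame) < 1 + MIC_LEN:
        return "malformed"
    ssid_len = frame[0]
    if 1 + ssid_len + MIC_LEN > len(frame):
        return "malformed"
    ssid = frame[1:1 + ssid_len]
    key = keys.get(ssid)
    if key is None:
        return "unknown ssid"      # WLAN this controller does not serve
    header, mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
    expected = hmac.new(key, header, hashlib.sha256).digest()[:MIC_LEN]
    if not hmac.compare_digest(mic, expected):
        return "mic mismatch"      # frame was altered or forged
    return "ok"


def demo() -> dict:
    """Constructed frames: a genuine one, a bit-flipped copy, and one for an unknown SSID."""
    good = sign_frame(b"corp-wifi", b"mgmt:deauthentication")
    tampered = bytearray(good)
    tampered[-MIC_LEN - 1] ^= 0x01                  # flip one bit of the body
    unknown = bytes([len(b"other-wifi")]) + b"other-wifi" + b"mgmt:probe" + bytes(MIC_LEN)
    return {
        "good": check_frame(good),
        "tampered": check_frame(bytes(tampered)),
        "unknown": check_frame(unknown),
    }
```

The AP accepts the genuine frame and reports the other two as drops, which is the point at which a real controller would raise its alarm.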

Passive vs active attacks: an active attack is when the hacker is actively interacting with clients, the AP or the network in real time. A passive attack is usually wireless sniffing for information gathering, either online (on the fly) or offline for analysis later.
IDS / IPS is used to guard against passive attacks.

Authentication:
The act of identifying a device or person. It should be based on something you know (username and password), something you have (smart card / crypto token) or something you are (biometrics, e.g. a retina scan). Authentication can be per user or per device (certificates).

Two types of authentication are open and shared-key. Open authentication is just that: you only need the SSID. Shared-key authentication relies on a clear text challenge from the AP, which is encrypted by the client's WEP key and sent back; if it matches the challenge encrypted with the AP's WEP key the user is authenticated. This is not secure, as a hacker snooping the clear text challenge and the encrypted challenge can work out and decipher the WEP key.

EAP can be configured instead as the method of authentication. The AP can be configured to use a RADIUS server, an LDAP server, or local EAP, where the AP acts as both the authenticator and the authentication server. Local EAP supports LEAP, EAP-FAST and EAP-TLS, and is usually used as a backup if the RADIUS server becomes unavailable. A local user directory or an LDAP directory can be used. Here is the EAP process:

  1. Association request from the client to the AP, then the AP responds with the authentication response
  2. The EAPOL (EAP over LAN) process starts with an EAPOL request sent from the AP to the client
  3. The client responds to the AP with an EAPOL response, which the AP forwards to the RADIUS server
  4. The server sends an EAP request to the client via the AP, and the client sends an EAP response back
  5. If the EAP response is good the server sends back an EAP success and the encryption keys
Certificates and PKI (Public Key Infrastructure):
Some flavours of EAP require certificates to be used as authentication credentials, which means you must have a PKI in your network. A PKI requires a certificate server which issues certificates to devices or users. Each certificate is tied to a public key / private key pair.
Symmetric keys are both the same, whereas with asymmetric keys the encrypt (public) and decrypt (private) keys are different. PKI uses asymmetric keys. The certificate server is called the Certificate Authority (CA); it must be trusted by both parties in the authentication.

EAP-TLS:
This is the most secure and also the most complicated. Certificates must be installed on both the client and the server. Client and authentication server keys must be generated and signed by the PKI, then installed on each device.

EAP-FAST:
A Cisco proprietary method of providing the same level of security as EAP-TLS, but no PKI or certificates are needed. It instead creates an encrypted tunnel: the server generates a PAC (Protected Access Credential), which is used in the same way as the key pair in EAP-TLS. The PAC contains the PAC key (like a private key), the PAC opaque (used to identify the client and retrieve the PAC key) and PAC info, which contains information about the server's authority ID. After the PAC is used to create the tunnel, the client is authenticated with passwords or security tokens.

PEAP:
PEAP sits between EAP-TLS and EAP-FAST. It only requires a certificate on the server. The 2 variations are PEAP-MSCHAPv2 (uses MSCHAPv2 authentication) and PEAP-GTC (uses Generic Token Card authentication). The client identifies itself in plain text. The server sends its certificate to the client to verify its identity, the client generates a master key and encrypts it with the server's public key, and a secure tunnel is created. Now the client identifies itself a second time, as the transmissions are protected by the tunnel.

LEAP:
This was developed by Cisco but made available to other vendors' devices through licensing, and only uses a username and password. However it is no longer secure due to the ease of breaking it.

Friday, 29 June 2012

Wireless Control Frames + Client->AP communication

Here's just a little note at the start of this post about Client and AP communication because I don't want to create a separate post but can't really fit it anywhere else:
Client to AP communication:

  1. Beacons are sent from the AP to make its presence known
  2. The client sends a probe request
  3. The AP sends a probe response
  4. The client sends authentication information
  5. The client sends an association request
  6. The AP sends an association response
  7. Data is transferred
  8. The AP or Client will disassociate and de-authenticate when they are done
Control Frames:
ACK - When DCF (Distributed Co-ordination Function) is in use, whereby every station co-ordinates media access, an ACK is sent by the AP in response to every frame received without a CRC error. It is 13 bytes long and only contains a DA (destination address); the client assumes it is from the AP it sent the frame to.
RTS - Request to Send frames are used when a host wants to send a frame to the AP. The RTS has a source address (SA) and a DA, plus a duration covering the whole transmission (including a SIFS, the CTS, another SIFS, the data frame, another SIFS and finally the ACK).
CTS - Clear to Send only has a DA and the duration for the remainder (including a SIFS, the data frame, a SIFS and the ACK).
RTS and CTS are protection mechanisms used in the following scenarios:
1) When 802.11b and 802.11g devices are mixed, the g host sends an RTS and CTS at 802.11b speeds so the 802.11b hosts know a transmission is about to occur.
2) RTS/CTS is also used in the hidden node case, where 2 hosts are so far away from each other that they cannot detect each other. Because the AP is centrally located it sends out a CTS to each AP in turn.

The 802.11 header has a 'frame control' field, which contains a bit used to denote whether power saving mode is in use. The host sends an empty frame, called a null function frame, with the power saving bit set to alert the AP that it is going into power saving mode. A clock is set to wake it up later. The AP buffers all frames for the host and keeps track of each sleeping host. The TIM (Traffic Indication Map) is sent by the AP to a host if it is buffering packets for it. The host receives the TIM and replies so that the AP can send the buffered packets. Power saving mode is not often used because it doesn't save much battery life and adds a lot of overhead to the network.

Thursday, 28 June 2012

Wireless Frame Transmission - Inc. CSMA/CA

802.11 is half duplex and uses Carrier Sense Multiple Access / Collision Avoidance (CSMA/CA) to ensure that collisions do not happen on the wireless network.
When a host wants to send a frame it picks a random number between 0 and 31 and counts down; 802.11b counts down in 20 microsecond intervals, 802.11a and g count in 9 microsecond intervals. This is called the back-off timer.
While another host is transmitting on the frequency the host stops counting, waits a length of time based on a mathematical algorithm and then continues its countdown. If the frequency is clear it can then transmit. The total of this waiting plus the back-off timer is called the contention window. The length of time calculated by the mathematical algorithm is called the NAV (Network Allocation Vector). So in fact the host doesn't stop counting and wait, it just adds the NAV value onto the time it is counting down.
At the end of all this waiting the host needs to do one final check that the frequency is clear; this is called the Clear Channel Assessment (CCA). This all happens for each frame being sent.
If the frame transmission fails the process must start again, but the host picks a new random number between 0 and 127, then 0 and 255 for the 3rd attempt and 0 and 1023 for the final attempt. After this it gives up.
After the frame is received the AP must send back an acknowledgement. This is sent with a higher priority to ensure that it gets sent and the host doesn't attempt to resend the original frame.
SIFS (Short Interframe Space) = High priority, used for ACKs
DIFS (Distributed Interframe Space) = Standard priority, used for normal frames
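To see the back-off sequence above as a whole, here is an added Python simulation (my own, not code from the post or from any 802.11 implementation). It uses the slot times and the 31 / 127 / 255 / 1023 contention window bounds exactly as the post states them, adds any NAV time to the countdown, and walks through the retries until an ACK arrives or the host gives up. The ACK outcome is supplied as a function argument, which is an assumed stand-in for the real medium.

```python
import random

# Slot times from the post: 802.11b counts down in 20 us slots, a/g in 9 us slots.
SLOT_TIME_US = {"802.11b": 20, "802.11a": 9, "802.11g": 9}

# Upper bound of the random slot count per attempt, as the post describes:
# 0-31 first, then 0-127, 0-255, 0-1023, after which the host gives up.
CW_MAX_BY_ATTEMPT = (31, 127, 255, 1023)


def contention_window(attempt: int):
    """Upper bound of the random slot count for a 1-based attempt, or None once the host gives up."""
    if attempt < 1:
        raise ValueError("attempts are numbered from 1")
    if attempt > len(CW_MAX_BY_ATTEMPT):
        return None
    return CW_MAX_BY_ATTEMPT[attempt - 1]


def backoff_time_us(slots: int, standard: str, nav_us: int = 0) -> int:
    """Time the host waits before its final CCA check: the back-off slots
    converted to microseconds, plus any NAV added while the medium was busy."""
    return slots * SLOT_TIME_US[standard] + nav_us


def simulate_transmission(standard: str, got_ack, rng: random.Random, nav_us: int = 0) -> dict:
    """Walk the retry sequence for one frame.

    got_ack(attempt) -> bool stands in for whether the AP's ACK (sent after a
    SIFS) arrived; rng supplies the random back-off so runs are repeatable.
    """
    attempt, waited = 1, 0
    while (cw := contention_window(attempt)) is not None:
        slots = rng.randint(0, cw)
        waited += backoff_time_us(slots, standard, nav_us)
        if got_ack(attempt):
            return {"delivered": True, "attempts": attempt, "waited_us": waited}
        attempt += 1
    return {"delivered": False, "attempts": attempt - 1, "waited_us": waited}


def demo(seed: int = 1) -> dict:
    """Two repeatable runs on 802.11g: the ACK arrives on the 2nd try, and no ACK ever arrives."""
    return {
        "second_try": simulate_transmission("802.11g", lambda attempt: attempt == 2, random.Random(seed)),
        "never_acked": simulate_transmission("802.11g", lambda attempt: False, random.Random(seed)),
    }
```

The never_acked run always stops after the 4th attempt, and its total wait can never exceed the sum of the four maximum windows times the slot time, which is a handy bound when reasoning about worst-case latency on a busy channel.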

802.11n

802.11n is different in many ways to the older standard 802.11abg.

The way that information is sent at the physical layer is different, in fact items such as reflection and interference can be turned into an advantage instead of an issue.
2 channels are combined to make 40MHz channels rather than the 20 MHz channels of 802.11abg. 802.11n is also able to do away with the side channels which are used for protection, freeing up an additional 11 Mbps for a maximum of 119Mbps per 40MHz channel.
802.11n introduces MAC efficiency. 802.11 needs to acknowledge every frame, whereas 802.11n can send a number of frames and receive only one acknowledgement.
MIMO - This uses multiple input and output antennas so that several frames are sent by several antennas over several paths; the frames are then recombined by the receiving antennas to optimise throughput and multipath resistance. This is known as spatial multiplexing. MIMO works when there are multiple radios on each side. However it can also provide benefits to non-802.11n single radio clients:
Transmit Beam Forming - several beams are sent from the 802.11n device to the non-802.11n client, and the client can use the best one.
Maximal Ratio Combining (MRC) - This is similar but in the reverse direction. Multiple signals are sent from the client to the 802.11n AP in phase so that they add strength to the signal. MRC doesn't resolve multipath in any way, and in fact is affected by it as normal, so it is nowhere near as good as MIMO.
MIMO has 3 critical advantages:

  • It has better sensitivity for the stationary client when receiving, using beam forming
  • It provides better sensitivity for the AP receiving by using MRC
  • Both of the above translate into a higher data rate

Wednesday, 27 June 2012

Wireless Transmission Methods

Wireless LANs use a method of transmission called spread spectrum. The alternative is narrowband, as used by radio stations. Narrowband uses a single frequency at a very high power level. Spread spectrum works the opposite way, because in the unlicensed wireless space it is likely that other devices will cause interference. The signal is spread across a number of frequencies and the receiver is set to listen on the same frequencies; this reduces degradation from interference and reduces the power required to send the signal.

There are two types of Spread Spectrum:
Frequency Hopping Spread Spectrum (FHSS)
Direct Sequence Spread Spectrum (DSSS)

Encoding is the process of transforming a single digit into a sequence of symbols to be transmitted so that if part of the sequence is lost it can still be understood at the receiving end. Modulation is a method through which symbols are represented on the wave.

WLANs today use DSSS, or a version of it. FHSS is used by some cordless phones and Bluetooth. FHSS is not preferred and causes interference with WLANs because it utilises 75 channels in the spectrum and hops between them; it must use all 75 channels, each for just 300-400ms. FHSS uses GFSK to encode data (2 level GFSK uses 2 frequencies, 4 level uses 4). FHSS uses little power and mitigates interference by "dancing" around it. DSSS gets around interference by sending a redundant bit pattern (sequence) for each bit sent, so that if any of the bit pattern is lost we've got a good chance of recovering it; this does of course amount to a large overhead. Chips, or PN (Pseudorandom Noise) codes, are the redundant information coded into each signal. There are 11 chips per bit to be sent. This is really basic 802.11, achieving 1 and 2 Mbps.

802.11a and g use Orthogonal Frequency Division Multiplexing (OFDM). OFDM resists multipath problems by carrying data in 52 sub-carriers within the 20MHz radio channel: 48 carry data and 4 are pilots for monitoring interference and path shifts. The carrier is 20MHz and can be bigger, which just means more throughput. Each carrier (or tone) is considered independent of the other tones, and interference will only degrade that tone, meaning fewer redundant chips are needed.

Antennas and Misc Information

The radiation pattern created by an antenna depends on the physical characteristics of that antenna, for example its size and shape as well as the materials it is made of. The pattern created is 3 dimensional, but the way we draw it is by looking at 2 different views, the H-Plane and the E-Plane. The H-Plane is the view from directly above the antenna, so the antenna is in the middle and the radiated pattern shows in front of and behind the antenna, as well as left and right. The standard doughnut shape would look like a circle on the H-Plane. This is the horizontal plane; there is no vertical information shown, just forwards, back, left and right.
The other plane is the E-Plane (often referred to as the vertical plane). It looks directly at the side of the antenna, so the view you would see is the radiation pattern upwards, downwards, in front and behind, with nothing from side to side.

The strength of this pattern is given in dBi. A vendor will pick a reference point where the signal strength is strongest, and assign it a value of 0dB. The other points have -xdB values to show how much the signal is decreased in a given direction.

Polarization is the direction the wave moves and there are 3 options: vertical (up and down), horizontal (left and right) and circular (the wave circles as it moves forwards). Antennas can use any type of polarisation, but it should be the same on both ends to prevent signal degradation.

Diversity is implemented by placing multiple antennas on a device. When an AP receives a frame from a client it uses the preamble of the frame to test both antennas signal and then switches the rest of the frame to the antenna with the best signal. This also solves the multipath problem because multipath very rarely affects both antennas equally, so if multipath is affecting one antenna the other one is probably fine or at least not as badly affected.

Antenna types:
Omnidirectional antennas send a signal of the same strength in all directions. But note this is only on the H-Plane; this is why the classic shape is a doughnut, as less signal is propagated vertically compared to horizontally. A high gain omnidirectional antenna takes this concept even further, squashing the doughnut down to increase the horizontal coverage and reduce the vertical.

Dual Patch antennas are essentially 2 antennas placed back to back, the idea being to radiate in two directions, a good example of this placement would be in the middle of a corridor.

Semidirectional antennas focus the signal, but not completely. Coverage is still relatively broad but aimed in a direction. Types of semidirectional antenna include patch and Yagi: a patch is half of a dual patch, and a Yagi is more focused.

Highly Directional antennas are very focused in a single direction, an example of this is Cisco's parabolic dish.

The accessories which can affect the EIRP include:
Attenuators - These are placed between the radio and antenna to reduce the signal by a set number of dB.
Amplifiers - Amplifiers boost the signal; this is known as active gain, rather than the passive gain of the antenna. These should be placed as close to the antenna as possible for maximum gain.
Lightning arrestors - These are used to protect the system components and the connection back to the wired network from a lightning strike. An alternative to installing a lightning arrestor is to install a small run of fibre cable between the AP and the network, because fibre cable doesn't conduct electricity. Lightning arrestors don't protect from a direct strike; the fibre cable will help more, but it has to be at least 1m long.
Splitters - These are used to send the signal out of more than one antenna, or to receive signal from more than 1 antenna. The downsides of a splitter include up to 4dB of loss introduced, and the throughput will be halved.
Cables and connectors - As well as increasing the flexibility of antenna placement, cables and connectors also add loss.

Tuesday, 26 June 2012

Measuring Signal Strength - RSSI and SNR

RSSI is the received signal strength and it is measured as a grade value ranging from 0 to 100. Each grade value has an equivalent dBm value. RSSI values in dBm are negative and represent the level of signal loss which can be experienced between the transmitter and receiver with the receiver still being able to receive the signal correctly. Because RSSI is relative and based on grades, RSSI figures cannot always be compared between manufacturers' equipment: one may use grades from 0 to 50 and another from 0 to 100.

Signal to noise ratio (SNR) is the amount of signal compared to the amount of surrounding noise. A higher value is better for SNR because there is more signal compared to noise.

Measuring Signal Strength:
Signal strength can be measured using two types of values: relative and absolute. An absolute value is a static measurement taken at a point in time, whereas a relative measurement is based on a change from one value to another. Relative measurements are easier, so you will most often see these used when describing signal power.

The measures for absolute measurements include:
Watt - which is the energy spent / emitted / consumed per second. 1 Watt is 1 Joule of energy per second. 1 Watt is also 1 volt with 1 ampere of power. This is confusing and I don't fully understand it! However I'm hoping it will become more apparent through my wireless journey
Milliwatt (mW) - 1W = 1000 mW

The values used for relative measurements are:
Decibel (dB) - A decibel is either a positive or negative change.
Decibel referenced against an isotropic antenna (dBi) - An isotropic antenna doesn't really exist; it is a theoretical antenna which we use as a reference to compare one antenna to another. The isotropic antenna gives out spherical waves which are equal in all directions. Essentially the higher the dBi, the higher the gain, and the more acute the angle of coverage.

Decibel referenced against a dipole antenna (dBd) - Dipole antennas do exist and give the classic wireless "doughnut" shape. dBi and dBd can be compared: dBi = dBd + 2.14

Decibel referenced against a milliwatt (dBm) - The arbitrary reference point is 1 milliwatt, so 1 milliwatt = 0dBm, or no change from the reference.

And now the maths, Calculating EIRP (Effective Isotropic Radiated Power):
If the dB is increased by 3, double the transmit power (Tx)
If the dB is reduced by 3, halve the Tx power
If the dB is increased by 10, multiply the Tx power by 10
If the dB is reduced by 10, divide the Tx power by 10

For example, if a radio transmitter emits a signal at 100mW and an amplifier introduces 3dB gain, the signal will double to 200mW. Expanding this, if the antenna then has 10dB gain the Tx signal will increase to 2000mW.

EIRP is the amount of signal (or power) leaving the antenna. This consists of connectors, cables, antenna and other factors.

EIRP = Tx Power (dBm) + Antenna Gain (dBi) - Cable Loss (dB)

As a rule of thumb for cable loss 50ft = 3.35dB loss, 100ft = 6.7dB loss.

Here is an example:
Start with Tx Power - +20dBm = 100mW
Add antenna gain - +10dBi = 1000mW
Total power - +30dBm = 1000mW or 1W
Subtract 100ft cable loss (power in half twice) - -6.7dB = 250mW
Total power minus cable loss = 23.3dB = 250mW
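Here is an added Python version of the dB and EIRP arithmetic from this post, covering the dBm / mW conversions, the dBi = dBd + 2.14 relation from the relative measurements section and the EIRP formula with the cable loss rule of thumb. It is my own illustration, not code from the post or from any vendor tool. The worked_example function reproduces the 100mW / 10dBi / 100ft example above and also returns the exact figure for the 6.7dB loss alongside the "halve twice" approximation used in the post, since 6.7dB is slightly more than two halvings.

```python
import math

DBD_TO_DBI_OFFSET = 2.14          # from the post: dBi = dBd + 2.14
CABLE_LOSS_DB_PER_100FT = 6.7     # rule of thumb from the post (3.35 dB per 50 ft)


def mw_to_dbm(mw: float) -> float:
    """Absolute power in dBm, referenced to 1 mW (1 mW = 0 dBm, 100 mW = 20 dBm)."""
    if mw <= 0:
        raise ValueError("power must be positive")
    return 10 * math.log10(mw)


def dbm_to_mw(dbm: float) -> float:
    """Inverse of mw_to_dbm."""
    return 10 ** (dbm / 10)


def power_ratio(db: float) -> float:
    """Linear factor for a dB change: +3 dB is ~x2, +10 dB is x10, -3 dB is ~x0.5."""
    return 10 ** (db / 10)


def dbd_to_dbi(dbd: float) -> float:
    """Convert a dipole-referenced gain to an isotropic-referenced one."""
    return dbd + DBD_TO_DBI_OFFSET


def cable_loss_db(length_ft: float) -> float:
    """Rule-of-thumb cable loss for a run of the given length in feet."""
    return length_ft / 100 * CABLE_LOSS_DB_PER_100FT


def eirp_dbm(tx_dbm: float, antenna_gain_dbi: float, cable_loss: float = 0.0) -> float:
    """EIRP = Tx power (dBm) + antenna gain (dBi) - cable loss (dB)."""
    return tx_dbm + antenna_gain_dbi - cable_loss


def worked_example() -> dict:
    """The post's example: 100 mW radio, 10 dBi antenna, 100 ft of cable."""
    tx_dbm = mw_to_dbm(100)                               # 20 dBm
    total_dbm = eirp_dbm(tx_dbm, 10)                      # 30 dBm = 1 W
    eirp = eirp_dbm(tx_dbm, 10, cable_loss_db(100))       # 23.3 dBm
    return {
        "tx_dbm": tx_dbm,
        "total_dbm": total_dbm,
        "total_mw": dbm_to_mw(total_dbm),
        "eirp_dbm": eirp,
        "eirp_mw_exact": dbm_to_mw(eirp),                 # about 213.8 mW
        "eirp_mw_halving_rule": dbm_to_mw(total_dbm) / 2 ** 2,  # 6.7 dB ~ two halvings = 250 mW
    }
```

The exact figure is useful when checking a design against a regulatory EIRP limit, where a 15% difference between the rule of thumb and the real value can matter.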

Phew that was a long post!

RF Frequency Behaviours - Absorption, Reflection, Refraction, Diffraction, Scattering

There are a number of different factors which can affect wireless signal:
Absorption - When a signal passes through an object a portion of the strength is absorbed as heat, so the signal will be weaker when it comes out the other side (the amplitude is reduced).

Reflection - This is when a signal hits an object and is reflected off at an angle (which depends on the angle it hit the object at). An amount of the energy is absorbed in the process. A possible outcome of reflection is multipath, where several different signals reach the receiver, each taking a different path and often arriving later, out of phase with the main stream. The arrival of degraded signals is referred to as downfade (120 - 170 degrees). It is also possible to nullify the signal if the angle is correct (180 degrees). Finally, if the signal goes full circle (360 degrees) it arrives back in phase and the signal is boosted; this is upfade.
Multipath will often degrade the signal, however 802.11n can use it to its advantage. Multipath can also be called fading.

Refraction - This happens when a signal passes through an object and comes out at a different angle than it went in at. The most common reason for this to occur is passing through different mediums, such as from dry air to wet air.

Diffraction - This is essentially the signal bending round an object. Diffraction commonly causes blind spots where the signal has bent around an object; think of light and an object's shadow.

Scattering - This is similar to refraction but more unpredictable. It happens when a signal hits an object and is scattered in many unpredictable directions. This is caused by the properties of the object; common objects which cause scattering are dust, humidity, micro-droplets of water, uneven surfaces and density fluctuations.


RF Signal Basics - Frequency, Wavelength, Amplitude

The frequency of a wireless signal is how often the signal repeats; 1Hz is 1 cycle per second. A cycle is a complete wave, from peak to dip and back to the starting peak. The wavelength is the size of each cycle, and it dictates the frequency: the smaller the cycles, the more cycles per second. 2 cycles per second = 2Hz, 7 cycles per second = 7Hz, etc.

1Hz = 1 cycle per second
1MHz = 1 million cycles a second
1Ghz = 1 billion cycles a second

Lower frequencies can travel further, but they offer less bandwidth.

Amplitude is the strength of the signal. It reflects the amount of energy put into one cycle and has a large effect on the signal strength. An increase in RF signal strength is referred to as gain. The disadvantage of amplifiers is that the signal can be distorted, and / or the receiver damaged, if too much power is pushed into it.

Attenuation is the gradual loss of signal strength.

The electrical fields emitted by antennas are called beams or lobes.

Wireless Topologies Inc. Workgroup Bridges

Just a quick post to cement in my head the differences in wireless topologies. The topologies are:
IBSS (Adhoc), BSS, ESS

IBSS (Independent Basic Service Set) is the ad hoc method of wireless connection. WiFi clients communicate directly using their wireless adapters without the use of an access point.

BSS (Basic Service Set) is where wireless clients communicate through a single access point.
A confusing point here is the term Infrastructure Basic Service Set (not to be confused with Independent Basic Service Set). The addition of the word infrastructure implies a connection back to the network, known as the Distribution System (DS). It is commonplace to use the two terms, BSS and Infrastructure BSS, in place of each other.

ESS (Extended Service Set) is essentially multiple access points providing the same SSID, allowing clients to roam around the network without losing the connection. The access points should have a 10 - 20% overlap.

Workgroup Bridges (WGB):
If a group of hosts need to connect to the wireless network but they do not have wireless access themselves a workgroup bridge is used. The bridge provides a wired connection for the host devices and a wireless connection back into the wireless network. The wired and wireless connections are bridged. There are two types of WGB in the Cisco world - universal (uWGB) and autonomous (aWGB).

An aWGB provides a single wireless connection for multiple wired clients and appears as a non-standard client on the wireless network. Note this is a Cisco proprietary type of WGB.

uWGB is a non-proprietary version which can be used to connect to Cisco or non-Cisco APs. The bridge appears as a normal client to the AP. uWGB supports a single client only.

Thursday, 21 June 2012

Bringing Back the Home Network

I've got a few bits of kit left at home, I used to have much more, but it's all gone one way or another. But I'm actively making a push to restore it and get it back into service!

The 2 bits I've got left are:
Cisco 877W
Cisco 2611XM voice gateway

Seems silly, I've had this equipment for ages now and never really got it up and running (Primarily due to me being lazy!) partially due to it taking up time which I never seem to have. So here is my declaration! It's out on the internet (or at least on my humble little blog) I will get my Home Network back to a decent standard. I need to get rid of the consumer class equipment and bring it back to decent enterprise class kit so that I can practice, play and study. I'm getting back into my craft!

Symmetric Key Algorithms

This is something which I should really know, and every time I hear it and look it up I do know it, I just couldn't recite it if someone asked. So here's a description to read a few times and hopefully cement it there a little more!

Symmetric key algorithms use the same key for both the encryption of plain text and the decryption of cipher text, i.e. the same key is used to encrypt and decrypt. In practice it is a shared secret password which both parties know.

Friday, 15 June 2012

Juniper WLC Cluster Licensing - How does this work!

THIS IS NOW INCORRECT. SEE THE NEW POST - ThWh 26/04/2013
http://twhittle1.blogspot.co.uk/2013/04/juniper-wlc-licensing-cluster-update.html

I've left this here for the sake of keeping previous information, this may even apply if you are running old code but as above, please note there is an updated post on Juniper WLAN licensing

So I'm working with some WLC controllers and a thought strikes, if I cluster these together, how does the licensing work? Is it one big pool? Is it individual? Or something different? Well I've done a bit of research and here is the answer:

Each WLC in a cluster has its own license count. There is no shared pool. If a WLC has licenses for up to 96 WLAs, that is how many it will be able to manage. Therefore to achieve redundancy you need to ensure that if a WLC were to fail there would be enough licenses left between the remaining WLCs to pick up the load.

For example:
A 3 WLC880R cluster has to support 192 WLA access points. You cannot just divide 192 by 3 (=64) and license each controller for 64 APs, because you would not have a redundant WLAN: if a single controller failed there would only be 128 total licenses remaining between the 2 remaining controllers. This means that you need at least 96 licenses on each controller, so that if any single WLC failed the remaining 2 would have 192 licenses between them, enough for each WLA.

The formula that Juniper gives to work it out is:
Maximum Redundancy Capacity = total cluster MP license - largest MX capacity

However I prefer to think of it as:
Min No. Licenses per controller = No. Total APs / (Number of Controllers -1)
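Here is an added Python helper that puts both formulas side by side (my own illustration, written from the text of this post, not a Juniper tool). The per-controller rule above assumes every controller carries the same count; Juniper's formula also handles uneven allocations, so the second function checks any list of per-controller license counts against the AP total by assuming the largest controller is the one that fails.

```python
import math


def min_licenses_per_controller(total_aps: int, controllers: int) -> int:
    """The post's rule: total APs / (controllers - 1), rounded up to whole licenses."""
    if controllers < 2:
        raise ValueError("at least 2 controllers are needed for redundancy")
    return math.ceil(total_aps / (controllers - 1))


def max_redundancy_capacity(licenses: list[int]) -> int:
    """Juniper's formula as quoted in the post: total cluster licenses minus
    the largest single controller's capacity (the worst controller to lose)."""
    if not licenses:
        raise ValueError("no controllers given")
    return sum(licenses) - max(licenses)


def survives_single_failure(licenses: list[int], total_aps: int) -> bool:
    """True if the APs can all be re-homed after any one controller fails."""
    return max_redundancy_capacity(licenses) >= total_aps


def plan(total_aps: int, controllers: int) -> dict:
    """Worked figures for the post's 3-controller, 192-AP example."""
    per_controller = min_licenses_per_controller(total_aps, controllers)
    allocation = [per_controller] * controllers
    return {
        "per_controller": per_controller,
        "cluster_total": sum(allocation),
        "redundant_capacity": max_redundancy_capacity(allocation),
        "survives_failure": survives_single_failure(allocation, total_aps),
    }
```

For the example in the post, plan(192, 3) gives 96 per controller and a redundant capacity of exactly 192, while an uneven allocation such as [128, 96, 64] fails the check because losing the 128-license controller leaves only 160.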

Thursday, 14 June 2012

A one liner on Traffic Engineering (TE)

An element of Traffic Engineering is ensuring that a specific path is followed (or avoided). For example in an MPLS environment certain nodes or links can be coloured. If the main path fails the backup path knows which specific links or nodes to follow (or avoid) based on the colouring plan. This ensures that connections that are part of a protected circuit will never travel through a common (busy) point.

Traffic Engineering also allows available bandwidth to be reserved along a path.

Ok, slightly more than a one liner but it's still quick...

Tuesday, 12 June 2012

Proxies: Forward and Reverse

A proxy server is an intermediate device which sits between two objects, a common example is clients and a single or set of resources.

There are many different types of proxies but the ones I want to talk about here are forward and reverse proxies:
Forward Proxy:
A forward proxy is used to grant a collection of clients access to a resource, for example the Internet. The client sends the request to the proxy server naming the destination server, so the client must be configured to know about the proxy. The proxy then requests the content from the destination server and returns it to the client.

Reverse Proxy:
A reverse proxy appears to the client as an ordinary server; no special configuration is required on the client. The reverse proxy receives the request from the client and then decides where to send it, usually to a member of a pool of resources, and returns the content as though it were the destination server. An example of a reverse proxy is a load balancer in front of a pool of resources.

Thursday, 7 June 2012

Extreme's Universal Port

So this is an interesting feature. Essentially Universal port is "automated edge port provisioning". The following triggers can be used: Time of Day, user authentication, device authentication, identity management, Event Management Systems (EMS). 

Profiles are configured on ports, either locally on the switch, or administered by Ridgeline (Extreme Network Management Software) and activated on the triggers.

XOS supports 3 types of authentication: MAC address based, Web based (username and password), or 802.1x.

Examples of universal port in action are:
Shutting down Phones or other services out of working hours - E.G. 7pm till 7am phones and wireless services power off.
Automatic port parameter provisioning - provisioning of VLANs, QoS, etc. for users. This is great for mobile users too, who keep moving ports, as their settings go with them.
Broadcast control - If a port detects broadcast traffic, genuine or malformed from a bad NIC, the port can be shut down or rate limited.

This seems like a useful, simple little feature and it's mostly self explanatory. Extreme claims you can write the scripts in most languages as well, so it is theoretically easy to implement with loads of possibilities.

Monday, 28 May 2012

Welcome, a little intro

Welcome to my blog, which I'll be keeping to keep track of all things networking in my career. I read plenty of others' blogs and it's just a great way to keep track of information and help you learn.

So welcome to anyone who wants to read but if not it's just for me.

Tom