Cisco IIN = Intelligent Information Network: network for voice/data/video:
- Integrated transport (everything is sent across the network)
- Services (all services use the same devices: use virtualization)
- Applications
SONA = Services Oriented Network Architecture
IIN and SONA use the 3-layer model (core, distribution, access)

==================== Cable ====================
Cable: signals are sent on frequencies defined in DOCSIS (Data-over-Cable Service Interface Specifications)
DOCSIS:
- L1 defines the bandwidth and the modulation on the different channels (200/400/800 kHz, 1.6 MHz, 3.2 MHz, and 6.4 MHz)
- L2 defines the multiplexing (uses MAC):
  - time division multiple access (TDMA) for versions 1.0, 1.1, and 2.0, frequency (UP/DOWN)
  - synchronous code division multiple access (S-CDMA) in version 2.0
- The DOCSIS MAC protocol uses a request/grant system for transmissions. This means that there is little or no contention for bandwidth as in Ethernet networks (and no collisions).
- DOCSIS 3.0 was released in August 2006. Expected enhancements may include IPv6 support and channel bonding. Channel bonding allows the use of multiple downstream and upstream channels together, at the same time.
CM provisioning:
- L1/L2 config
- DHCP request (gets the IP of the TFTP server)
- Loads the config from TFTP
- Register (negotiates traffic type/QoS)
- Communication up
On the cable router, the DOCSIS config can be stored on TFTP to speed up the reconfiguration when it reboots...
FDM = Frequency Division Multiplexing
Tap: a device used to divide the input signal RF power to support multiple outlets. Typically, cable operators deploy taps with two, four, or eight ports.
Amplifier: a device that magnifies an input signal, thus producing a significantly larger output signal.
HFC = Hybrid Fiber Coax: fiber is added to overcome the limitations of coax cable
CATV = Community Antenna TV
Cable Ethernet = 10Base2/10Base5
TV: NTSC = American, SECAM = France + Eastern Europe, PAL = the others
Cable modem termination system (CMTS): the CMTS usually resides in the headend.
The CMTS modulates the signal to the cable modem (CM) and demodulates the CM response.
Cable modem (CM): the CM is a CPE device that terminates as well as performs modulation and demodulation of signals to and from the CMTS. Typical transmission speeds for CMs range from 1.5 to 6 Mbps.

==================== xDSL ====================
Only ADSL allows voice + data
DSL: Layer 1 technology, Digital Subscriber Line
POTS: 300 Hz - 3 kHz
DSL: 0 - 1 MHz
Can be asymmetric/symmetric:
- ADSL (up to 8M down, 1M up)
- G.HDSL 2.3M
- HDSL 2M
- IDSL 144K
- SDSL 768K
- VDSL 52M down, 13M up (very high speed DSL); to reach the maximum rates you must be less than 300 m from the DSLAM
- ATU-C: ADSL Transmission Unit - central office, a subscriber-facing DSL modem in the provider's CO.
- ATU-R: ADSL Transmission Unit - remote, a provider-facing DSL modem in the subscriber home. This could be a DSL-capable router or DSL modem.
- DSLAM: a single chassis containing multiple ATU-C units
RFC 2684 defines the transport of multiple protocols over a single ATM virtual circuit. RFC 2684 also defines the transport of individual protocols over individual circuits.
- load coil: an amplifier, but it amplifies POTS, not the DSL signals, so you're out of luck if there is a load coil on the wire between your house and your telco
- impedance mismatch: damaged cables
- crosstalk: spreading of the frequencies; the upstream can for example encroach on the downstream.
- bridge tap = a pair not yet used by the telco, which can generate noise if your traffic passes through it http://en.wikipedia.org/wiki/Bridge_tap
Before: one filter per outlet. Now: one filter for the whole house, and a separate DSL line.
ppp authentication ... callin on the client side (callin = authenticate the remote on incoming calls; since the client initiates the call, there is no authentication towards the remote)

==================== ATM ====================
Per-layer sizes (bytes):
- Data payload: 1-1452
- TCP header: 20
- IP header: 20
- PPP header: 2
- PPPoE header: 6
- Ethernet header: 18
- AAL5 trailer: 8 bytes + 1-40 bytes padding
- ATM cell header: 5 bytes per cell
- ATM cell payload: 48 bytes per cell
ATM adaptation layer 5 (AAL5) adds an 8-byte trailer to the whole of the frame and then adds padding to reach the next 48-byte multiple. Every ATM cell has a 48-byte payload and a 5-byte header, without exception:
- total frame: 1492 + 2 + 6 + 18 = 1518 bytes
- ATM cell count: 1518 / 48 = 31 cells + 30 bytes, i.e. 32 cells
- ATM overhead (5 bytes per cell): 32 cells * 5-byte header = 160 bytes
- total ATM frame: 1518 + 8 (AAL5 trailer) + 10 (AAL5 padding to a 48-byte multiple) + 160 (ATM cell overhead) = 1696 bytes
- 100 * (1696 / 1452) = 116.80%; 116.80% - 100% = 16.80% overhead
SAR = Segmentation and Reassembly
ATM uses virtual circuits that are identified by unique connection identifiers. Each connection identifier is a pair of numbers denoting both a virtual path identifier (VPI) and a virtual circuit identifier (VCI). Valid VPI/VCI pairs vary based on the equipment in use. The valid range of VPIs, supported by the ATM cell header, is 0-255. The valid range of VCIs supported by the User-Network Interface (UNI) cell header is 0-65535. VCIs 0-15 are reserved for use by the ITU and 16-31 are reserved for use by the ATM Forum (the ATM standards body). Therefore, 32 is the first valid VCI for end-user configurations.
AAL5MUX = one VC per protocol (IP/IPX/...)
PPPoA config:
interface ATM0/0
 description ***physical interface bound to dialer0***
 no ip address
 dsl operating-mode auto
 pvc 8/35                                   ! creates the ATM PVC
  protocol ppp virtual-template X / dialer [dialer pool-member X] ???   ! assigns the dial pool
!
interface Dialer0
 description ***External Provider Network***
 ip address negotiated
 ip mtu 1492                                ! configures the MTU
 dialer pool X

==================== PPP ====================
PPPoE is interpreted as DDR: needs a dialer interface (interface dialer #)
interface dialer #
 ip address negotiated (IPCP)
 encapsulation ppp
 ip mtu 1492 (1500 - 8 (PPP header))
 [ppp authentication pap/chap callin]
 [ip nat outside]
 ppp chap/pap sent-username/password XXX
 dialer pool X
On the FastEthernet interface (only 2 commands, plus no shut, obviously):
 pppoe enable
 pppoe-client dial-pool-number X
Map the dialer to a FastEthernet interface (all the logical config is done on the dialer interface) via dialer pool / pppoe-client dial-pool-number.
PPPoE uses virtual-access interfaces. The IP obtained via IPCP is seen on the dialer interface.
show pppoe ? (e.g. session)
PADI = PPPoE Active Discovery Initiation (1st packet of session establishment)
PADO = PPPoE Active Discovery Offer (2nd packet of session establishment) (reply to the PADI)
PPP auth with PAP: AUTH-REQ then AUTH-ACK; if auth fails, no AUTH-ACK, but no error either, AUTH-REQ repeats?
Once PPP is OK, NAT, default route = good to go :)

==================== MPLS theory ====================
LIB (Label Information Base): networks <=> labels (local and neighbour (next-hop) labels)
LFIB (Label Forwarding Information Base): LIB + FIB, maps input label to output label
Control plane: routing protocols, label exchange protocols...
Data plane (forwarding plane): L3/L2 routing/switching (or labels)
MPLS header = label (19 bits), experimental bits (3 bits, e.g. Cisco uses them for QoS), BS (bottom of stack = last label, when there are several labels) (1 bit), TTL (8 bits)
Peering system: LDP/TDP form adjacencies
PHP (penultimate hop popping): when a label is final (attached to a network), this is advertised (via LDP?)
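Back to the PPPoE-over-ATM overhead calculation in the ATM notes above: this is an added example (not from the notes or from Cisco) that walks the same encapsulation step by step in Python, using the header sizes listed there, so the 1452 -> 1518 -> 32 cells -> 1696 bytes -> 16.80% figures can be reproduced and the same calculation run for smaller packets, where the fixed headers and cell padding dominate.

```python
# Per-layer sizes from the notes (bytes). The data payload is what is left of
# the 1492-byte IP MTU after the TCP and IP headers: 1492 - 20 - 20 = 1452.
HEADERS = {"TCP": 20, "IP": 20, "PPP": 2, "PPPoE": 6, "Ethernet": 18}
AAL5_TRAILER = 8
CELL_PAYLOAD = 48
CELL_HEADER = 5


def pppoe_over_atm(data_payload: int) -> dict:
    """Walk one TCP segment through PPPoE -> Ethernet -> AAL5 -> ATM cells.

    Every intermediate figure is returned so it can be checked against the
    hand calculation in the notes (1452 bytes of data -> 32 cells, 16.80 %).
    """
    if not 1 <= data_payload <= 1452:
        raise ValueError("data payload must be 1..1452 bytes for a 1492-byte IP MTU")
    ethernet_frame = data_payload + sum(HEADERS.values())  # 1452 -> 1518
    aal5_sdu = ethernet_frame + AAL5_TRAILER               # 1518 -> 1526
    padding = (-aal5_sdu) % CELL_PAYLOAD                   # up to the next 48-byte multiple (10)
    cells = (aal5_sdu + padding) // CELL_PAYLOAD           # 1536 / 48 = 32 cells
    wire_bytes = cells * (CELL_PAYLOAD + CELL_HEADER)      # 32 * 53 = 1696
    overhead_pct = (wire_bytes / data_payload - 1) * 100   # 16.80 %
    return {
        "ethernet_frame": ethernet_frame,
        "aal5_padding": padding,
        "cells": cells,
        "atm_cell_overhead": cells * CELL_HEADER,
        "wire_bytes": wire_bytes,
        "overhead_pct": round(overhead_pct, 2),
    }


if __name__ == "__main__":
    # The full-size segment from the notes, then smaller packets (interactive
    # traffic, bare TCP ACKs) where fixed headers and cell padding dominate.
    for size in (1452, 1000, 512, 64, 1):
        r = pppoe_over_atm(size)
        print(f"{size:5d} B data -> {r['cells']:3d} cells, {r['wire_bytes']:5d} B on the wire, "
              f"{r['overhead_pct']:8.2f} % overhead")
```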
==================== MPLS config ====================
Prerequisite: enable CEF
(config)# ip cef                            ! global
(config-if)# ip route-cache cef             ! or per interface, rarely used (subjective comment)
Config:
interface X/X
 mpls ip
 mpls label protocol ldp/tdp/both   (LDP = standard, TDP = Tag Distribution Protocol, Cisco proprietary)
 ! if configured on both sides => LDP neighbor up (show mpls ? : ldp neighbors, labels, ...)
 ! increase the MTU by 12 bytes (= 3 labels (12/4 = 3))
 mpls mtu 1512
(remember to add "jumbo-frames" on the switches that carry MPLS)

==================== Device hardening ====================
Disable:
- Both TCP and UDP small servers service
- CDP
- Finger service
- IP BOOTP server service
- IP directed broadcast
- IP gratuitous ARPs
- IP identification service
- IP mask reply
- IP proxy ARP
- IP redirects
- IP source route
- IP unreachables on all interfaces
- MOP service
- PAD service
- SNMP
Enable:
- Firewall (CBAC) on outside interfaces
- IP CEF
- Password encryption service
- Logging
- NetFlow switching
- Sequence numbers and time stamps on debugs
- SSH for access to the router
- TCP keepalives for both inbound and outbound Telnet sessions
- Telnet settings
- uRPF on outside interfaces
Set:
- Access class on HTTP server service and VTY lines
- Authentication failure rate to less than three retries
- Banner
- Enable secret password
- Minimum password length to greater than or equal to six characters
- Scheduler interval and allocation
- TCP SYN wait time
- Users
There are 16 different privilege levels that can be used. Level 0 is user mode. Level 15 is the all-encompassing privileged mode (enable or enable secret password). Levels 1 through 14 are available for customization and use. Example 19-13 shows how to create privilege levels.
privilege [mode] level X command
mode = exec, configure, interface, ...
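Added example (not from the notes or from Cisco): a small Python audit that checks a saved "show running-config" text against part of the Disable/Enable list above. The IOS command spellings are the standard ones; the sample config is constructed, and defaults that IOS does not print (directed broadcast off, for instance) are deliberately not checked because their absence from the text proves nothing.

```python
# Hardening baseline from the Disable/Enable list above, as the lines a hardened IOS
# "show running-config" should show or never show (defaults IOS does not print are not checked).
REQUIRED_GLOBAL = ("no service pad", "no ip source-route", "no cdp run",
                   "no ip bootp server", "service password-encryption", "ip cef",
                   "service tcp-keepalives-in", "service tcp-keepalives-out",
                   "service sequence-numbers", "service timestamps debug datetime")
FORBIDDEN_GLOBAL = ("service tcp-small-servers", "service udp-small-servers",
                    "ip finger", "ip http server")
REQUIRED_OUTSIDE = ("no ip redirects", "no ip unreachables", "no ip proxy-arp",
                    "ip verify unicast")  # uRPF, matches either syntax variant

def parse_config(text):
    glob, ifaces, cur = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1].strip()
            ifaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].append(line.strip())       # indented line = inside the block
        else:
            cur = None                             # "!" or any global line ends the block
            if line.strip() and not line.startswith("!"):
                glob.append(line.strip())
    return glob, ifaces

def has(lines, prefix):
    return any(l.startswith(prefix) for l in lines)

def audit(text, outside):
    glob, ifaces = parse_config(text)
    findings = [f"missing global: {r}" for r in REQUIRED_GLOBAL if not has(glob, r)]
    findings += [f"still enabled: {f}" for f in FORBIDDEN_GLOBAL if has(glob, f)]
    for name in outside:
        findings += [f"{name}: missing {r}" for r in REQUIRED_OUTSIDE
                     if not has(ifaces.get(name, []), r)]
    return findings  # empty list = clean against this baseline

# Constructed sample of a partly hardened edge router (not a real device config).
SAMPLE_CONFIG = """\
service timestamps debug datetime msec
service tcp-small-servers
ip cef
no ip source-route
ip http server
!
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 ip verify unicast reverse-path
"""
```

Running `audit(SAMPLE_CONFIG, ["FastEthernet0/0"])` reports the small servers and HTTP server still enabled, the missing global settings, and the missing `no ip unreachables` on the outside interface.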
no service password-recovery: disables ROMMON

==================== IPS ====================
3 types: signature, policy, anomaly
- policy: pre-established rules, can use an external server (e.g. a blacklist of websites): filters URL/protocol/flood/...
- anomaly: definition of a pattern (dynamically - statistically - or manually), harder to implement in large networks (less predictable behaviour)
copy file ips-sdf: merges the rules from the file with those in memory; then copy from ips-sdf to another file and change the ip ips sdf location to keep the merged set after a router reboot