solutions@syngress.com With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based ser- vice that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations. Solutions@syngress.com is an interactive treasure trove of useful infor- mation focusing on our book topics and related technologies. The site offers the following features: ■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters. ■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors. ■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material. ■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics. Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening. www.syngress.com/solutions 253_BDCisco_FM.qxd 10/16/03 10:38 AM Page i about itfaqnet.com Syngress Publishing is a proud sponsor of itfaqnet.com, one of the web’s most comprehensive FAQ sites for IT professionals. This is a free service that allows users to query over 10,000 FAQs pertaining to Cisco net- working, Microsoft networking. Network security tools, .NET development, Wireless technology, IP Telephony, Storage Area Networking, Java develop- ment and much more. The content on itfaqnet.com is all derived from our hundreds of market proven books, written and reviewed by content experts. So bookmark ITFAQnet.com as your first stop for mission critical advice from the industry’s leading experts. www.itfaqnet.com 253_BDCisco_FM.qxd 10/16/03 10:38 AM Page ii Charles Riley Technical Editor Cisco Internetworking PERIOD PERIOD BOOK BOOK BEST DAMN Michael E. Flannagan, CCIE | Ron Fuller, CCIE | Umer Khan, CCIE | Wayne A. Lawson II, CCIE | Keith O’Brien, CCIE | Martin Walshaw, CCIE | 253_BDCisco_FM.qxd 10/16/03 10:38 AM Page iii Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media®, Syngress®,“Career Advancement Through Skill Enhancement®,”“Ask the Author UPDATE®,” and “Hack Proofing®” are registered trademarks of Syngress Publishing, Inc. “Syngress:The Definition of a Serious Security Library™,”“Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. KEY SERIAL NUMBER 001 MAXLM3V343 002 G4MBTT6CVF 003 8J9HRQGU3N 004 Z2B4PKURTY 005 U8J3N5R33S 006 X6B7MATTY6 007 G8TR2SH2AK 008 9BKTHQM4S7 009 SW4KP7V6FH 010 5BVF7UM39Z PUBLISHED BY Syngress Publishing, Inc. 800 Hingham Street Rockland, MA 02370 The Best Damn Cisco Internetworking Book Period Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN: 1-931836-91-4 Technical Editor: Charles Riley Cover Designer: Michael Kavish Technical Reviewer: Jason Campbell Page Layout and Art by: Patricia Lupien Acquisitions Editor: Catherine B. Nolan Copy Editor: Judy Eby, Amy Thomson, Beth Roberts Indexer: J. Edmund Rush Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada. 253_BDCisco_FM.qxd 10/16/03 10:38 AM Page iv v Acknowledgments We would like to acknowledge the following people for their kindness and support in making this book possible. Ralph Troupe and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks. Karen Cross, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and Susan Fryer of Publishers Group West for sharing their incredible marketing experience and expertise. Duncan Enright, AnnHelen Lindeholm, David Burton, Febea Marinetti, and Rosie Moss of Elsevier Science for making certain that our vision remains worldwide in scope. David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books. Kwon Sung June at Acorn Publishing for his support. Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada. Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada. David Scott, Annette Scott, Delta Sams, Geoff Ebbs, Hedley Partis, and Tricia Herbert of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji Tonga, Solomon Islands, and the Cook Islands. 253_BDCisco_FM.qxd 10/16/03 10:38 AM Page v 253_BDCisco_FM.qxd 10/16/03 10:38 AM Page vi vii Charles Riley (CCNP, CSS-1, CISSP, CCSA, MCSE, CNE-3) has a long tenure in information technology, and can remember when the Cisco AGS+ was new. Charles has co-authored several books including Routing and Configuring Cisco Voice over IP, Second Edition. Some go bungee jumping, others crochet. Charles writes and tries dangerous network configurations on a non-production rack at home. The middle son of a tenant farmer and his wife, Charles initially planned to continue the Riley tradition of farming. However, with the collapse of the farm and the kick of an ill-tempered bovine, educa- tion became more attractive to the young cowherd. Moving to the metropolis of nearby Remington, he was enticed with the opportunities that urban living offered. Exhausting the educational offerings of Remington, Charles matriculated at the Model Secondary School for the Deaf in Washington, D.C. before attending Gallaudet University (www.gallaudet.edu). Quick to a decision and even quicker to change his mind, he moved to Florida where he graduated from the University of Central Florida in 1989. Upon graduation, Charles was contacted by and offered a position with the U.S.Army, a relationship that lasted over 10 years. He started as a U.S. Army telecommunications specialist at Fort Huachuca, Arizona, eventually finishing his Army stretch as the network manager of the 7th Army Training Command in Grafenwoehr, Germany. As a consultant for Sprint, he designed and implemented robust networking solutions for large Fortune 500 and privately held companies. He continues unabated in networking today. I am blessed to have my wife, René, and daughter,Tess.Your love and support during the countless midnight hours spent crafting this book made it all possible. You lift me when the load is heavy. Everything has a beginning. My writing started with a wonderful teacher, Barbara Gantley, who saw my potential before I did; your patience and dedication was inexhaustible.You embody all that great teachers are. I hope my antics and inappropriately timed sense of humor never made you reconsider your choice of career. Technical Editor 253_BDCisco_FM.qxd 10/16/03 10:38 AM Page vii viii Scott Dentler (CISSP, CCSE, CCSA, MCSE, CCNA) is an IT consultant who has served with companies such as Sprint and H&R Block, giving him exposure to large enterprise networks and corporate environments. He is currently pro- viding systems support for a campus network at a Medical Center with national affiliations. Scott’s background includes a broad range of Information Technology facets, including Cisco Routers and Switches, Microsoft NT/2000/XP, Check Point firewalls and VPNs, Red Hat Linux, network analysis and enhancement, network design and architecture, and network IP allocation and addressing. Scott Dentler is a contributing author for Snort 2.0 Intrusion Detection (Syngress Publishing, ISBN: 1-931836-74-4), and Cisco Security Professional’s Guide to Secure Intrusion Detection Systems (ISBN: 1-932266-69-0). Additionally, Scott would like to offer his sincere thanks to Alicia Jensen for her unwavering support during the production of this book. Michael E. Flannagan (CCIE #7651, CCDP, CCNA, 3COM-CSA) is Network Consulting Engineer and Team Leader in the Network Supported Accounts (NSA) Group at Cisco Systems. Mike is a member of the global Quality of Service (QoS) Team and has extensive network design experience, with emphasis on Routing Protocol design and Quality of Service mechanisms. Mike’s experience, prior to joining Cisco Systems, includes enterprise network architecture, IT management, and consulting. Mike’s QoS testing and research was used to recommend the implementation of various QoS mechanisms for one of the world’s largest pharmaceutical companies, and he has participated in large- scale QoS designs for several major US companies. In addition to holding various certifications from Cisco, 3Com, and Nortel Networks, Mike has passed both the CCIE Routing/Switching and the CCIE Design written exams and is currently preparing for his CCIE Lab exams. He lives in Morrisville, NC. Ron Fuller (CCIE #5851, CSS-Level 1, CCNP, CCDP, MCNE) is a Senior Network Engineer with a large financial institution in Columbus, OH. He cur- rently provides design and engineering support for the network infrastructure. His specialties include Cisco routers and LAN switches, strategic network planning, network architecture and design, and network troubleshooting and optimization. Ron’s background includes senior systems engineering responsibilities for Cisco Special Contributor Contributors 253_BDCisco_FM.qxd 10/16/03 10:38 AM Page viii ix and Novell resellers in Central Ohio. Ron has also acted as contributing author to the book Administering Cisco QoS in IP Networks (Syngress Publishing, ISBN: 1-928994-21-0). He currently resides in Sunbury, OH with his family, Julie and Max. Martin Walshaw (CCIE #5629, CCNP, CCDP) is a Systems Engineer working for Cisco Systems in South Africa. His areas of specialty include IP Telephony (including all voice and video applications such as IPCC) and security, both of which keep him busy night and day. During the last 14 years, Martin has dabbled in many aspects of the IT industry, ranging from programming in RPG III and Cobol to PC sales. When Martin is not working, he likes to spend time with his expectant wife Val and his son Joshua. Without their patience, understanding, sup- port, and most importantly love, projects such as this would not be possible. Wayne A. Lawson II (CCIE # 5244, CCNA, CCDA, NNCSE, CNX, MCSE, CNE, Banyan CBE) is a Systems Engineer with Cisco Systems in Southfield, Michigan. His core area of expertise is in the Routed Wide Area Network (WAN) and Campus Switching. He has provided pre- and post-sales technical support for various dot-com start-ups on redundant ISP access, failsafe security, content networking and verification for local premise, as well as geographical load balancing. His internetworking proficiency includes Layer One and Two, Layer Three, IBM & Voice Technologies, and Network Management and Monitoring Technologies. Wayne received the “Top Performer” award at Cisco 2000 National Sales Meeting for achieving Cisco’s highest level of technical certification. He has also contributed to Syngress Publishing’s Building Cisco Remote Access Networks (ISBN: 1-928994-13-X). Wayne lives in Holly, MI. Keith O’Brien (CCIE #2591) is a Consulting Systems Engineer with Cisco Systems specializing in packet voice technologies and multiservice networking. Keith has over 13 years of experience in IT, including large-scale routing, remote access, IP multicast and campus switch designs. Before joining Cisco, Keith worked at MCI Telecommunications, designing international voice and data net- works. Keith holds a Bachelors of Science degree in Electrical Engineering from Lafayette College and a Masters of Science degree from Stevens Institute of Technology. Jason Sinclair (CCIE #9100, CCNP, CCNA) is the Manager of the Network Control Center at PowerTel Ltd., which is Australia’s third largest telecommuni- cations carrier. Jason is responsible for all operational aspects of the PowerTel voice, data and IP networks. Jason’s technical background is predominantly in large scale IP, Internet, VoIP and DLSW networking. He has also designed and 253_BDCisco_FM.qxd 10/16/03 10:38 AM Page ix [...]... PRI Reference Points and Functional Groups ISDN Protocol Layers U-plane C-plane ISDN Call Setup and Teardown 10 3 10 3 10 4 10 5 10 6 10 6 10 8 10 8 10 9 11 1 11 4 11 5 11 6 11 8 11 8 11 9 12 1 12 2 12 4 12 4 12 6 12 7 12 9 13 0 13 0 13 1 13 1 13 2 13 3 13 5 13 9 14 0 14 0 14 1 14 2 14 2 14 2 14 3 14 3 14 3 253_BDCisco_TOC.qxd 10 /15 /03 5:02 PM Page xvii Contents Dial-on-Demand Routing (DDR) Dialer Interfaces Supported Interfaces ISDN Interfaces... 17 1 17 2 17 2 17 5 17 6 18 1 18 2 18 2 18 5 18 5 18 6 18 6 18 8 18 9 19 0 19 0 19 1 19 3 19 5 19 6 19 6 19 8 19 8 19 9 19 9 200 2 01 202 xvii 253_BDCisco_TOC.qxd xviii 10 /15 /03 5:02 PM Page xviii Contents Infrared Technology Spread Spectrum Technology Frequency Hopping Spread Spectrum (FHSS) Direct Sequence Spread Spectrum (DSSS) DSSS Channel Setup Wireless Networking Standards IEEE 802 .11 802 .11 b 802 .11 a 802 .11 g Wireless Design... Using the Time-to-Live Field TTL Thresholds Administrative Scopes Mapping Multicast IP Addresses to MAC Addresses Participating in Multicasting Internet Group Management Protocol Versions IGMPv1 IGMP version 2 IGMP version 3 Multicasting via Switches CGMP 310 310 311 311 311 312 312 312 313 313 313 315 317 317 319 319 319 320 320 3 21 326 326 327 328 328 329 330 330 332 332 332 333 336 336 337 339 3 41 344... ASA Works Technical Details for ASA Advanced Protocol Handling VPN Support URL Filtering NAT and PAT High Availability 796 799 8 01 804 805 807 809 809 811 811 812 812 813 813 813 813 813 814 814 815 815 815 816 816 817 819 820 820 820 820 8 21 8 21 8 21 822 823 823 823 824 824 xxxv ... Cisco Secure ACS in the Network Configuration Example: Adding and Configuring an AAA Client Cisco IP Security Hardware and Software Cisco PIX Firewall Cisco IOS Firewall Feature Set 699 699 702 703 706 706 708 710 710 712 712 713 713 714 714 715 715 718 720 720 720 7 21 7 21 7 21 722 723 724 724 725 725 725 725 726 726 728 728 729 253_BDCisco_TOC.qxd 10 /15 /03 5:02 PM Page xxxiii Contents Cisco Secure Intrusion... (Transport) TCP UDP The Internet Layer The Network Layer Networking Basics Network Topologies Bus Topology Star Topology Ring Topology Mesh Topology CSMA/CD versus Deterministic Access Ethernet Wireless LANs OSI and Wireless: Layer 2 and Down OSI and Wireless: Layer 3 and Up Cisco Hardware 1 2 2 3 3 3 4 5 5 6 6 6 6 8 8 10 11 14 14 15 15 16 17 17 17 18 22 22 25 26 xiii 253_BDCisco_TOC.qxd xiv 10 /15 /03 5:02 PM... Understanding the Fundamentals of Radio Frequencies Understanding Wireless Radio Signal Transmission and Reception Radio Frequencies Radio Country Options What is Bandwidth? WLAN Frequency Bands Radio Wave Modulation Digital Signal Modulation: Phase Modulation BSPK QPSK Complementary Code Keying Communicating with WLAN Technologies Microwave Technology 14 5 14 6 14 7 14 7 14 8 14 8 14 8 16 1 16 3 16 3 16 8 17 1 17 2 17 2 17 5... Detection Tail Drop 609 610 612 612 613 615 615 616 617 617 618 620 622 622 623 624 624 626 627 630 630 633 634 636 637 638 639 640 6 41 642 643 644 645 646 648 648 649 650 6 51 6 51 xxix 253_BDCisco_TOC.qxd xxx 10 /15 /03 5:02 PM Page xxx Contents Flow-Based WRED Configuring Congestion Avoidance with WRED Verifying WRED Data Compression Overview The Data Compression Mechanism Selecting a Cisco IOS Compression... Extensible Authentication Protocol (EAP) Per-packet Authentication Cisco LEAP Configuration and Deployment of LEAP An Introduction to the 802.1x Standard Ensuring Authorization Where in the Authentication/Association Process Does MAC Filtering Occur? Accounting and Audit Trails Wireless Equivalency Privacy (WEP) 202 203 204 204 205 206 208 208 214 215 215 216 216 216 218 219 220 2 21 2 21 222 222 223... Authentication Proxy How the Authentication Proxy Works Benefits of Authentication Proxy Restrictions of Authentication Proxy Configuring Authentication Proxy Configuring the HTTP Server Configuring the Authentication Proxy Authentication Proxy Configuration Example Cisco Secure ACS Overview of the Cisco Secure ACS Benefits of the Cisco Secure ACS Authentication Authorization Accounting Placing Cisco . Troubleshooting PPP 11 1 Circuit Types and Terminology 11 4 T1 and Fractional T1 11 5 Frame Relay 11 6 Committed Information Rate (CIR) 11 8 Local Management Interface (LMI) 11 8 Frame Relay Topologies 11 9 Subinterfaces. 208 802 .11 208 802 .11 b 214 802 .11 a 215 802 .11 g 215 Wireless Design Considerations 216 Attenuation 216 Multipath Distortion 216 Refraction 218 Accounting for the Fresnel Zone and Earth Bulge 219 RF. advice from the industry’s leading experts. www.itfaqnet.com 253_BDCisco_FM.qxd 10 /16 /03 10 :38 AM Page ii Charles Riley Technical Editor Cisco Internetworking PERIOD PERIOD BOOK BOOK BEST DAMN Michael