PACKET
CISCO SYSTEMS USERS MAGAZINE THIRD QUARTER 2004
HR URE 04VL1 O3 NO 16 VOL 2004 QUARTER THIRD ROUTING INNOVATION Rising Expectations in IP Networking 34
Cisco CRS-1: Reinventing the Router 41
Deploying Video Telephony 23
Detecting Network Threats 13
SPECIAL REPORT: Intelligent Networking 53
CISCO.COM/PACKET Reprinted with permission from Packet® magazine (Volume 16, No. 3), copyright © 2004 by Cisco Systems, Inc. All rights reserved. PACKET CISCO SYSTEMS USERS MAGAZINE THIRD QUARTER 2004 VOLUME 16, NO. 3
34 ON THE COVER Turning the Corner on Innovation 34 Market demands and sophisticated new applications are accelerating architectural innovation in IP routing. Cisco turns the corner with the new CRS-1 Carrier Routing System and enhancements to Cisco IOS® Software.
Reinventing the Router 41 With unparalleled capacity and raw horsepower, the Cisco CRS-1 provides the fault-tolerant, multiple-service networking service providers require to sustain anticipated growth in IP services over the next decade.
IOS: Routing’s Crown Jewel 47 From its public debut in 1987 to the recent delivery of Cisco IOS XR for fault-tolerant routing at 92 Terabit-per-second speeds, Cisco IOS Software continues to evolve with the times.
53 SPECIAL REPORT Intelligent Networking 53
An intelligent, systems-based approach to networking can substantially reduce complexity while increasing functionality. Learn more about Cisco’s vision of the smarter network.
Reprinted with permission from Packet® magazine (Volume 16, No. 3), copyright © 2004 by Cisco Systems, Inc. All rights reserved. TECHNOLOGY 57 VIDEO TELEPHONY: Deploying Video Telephony 23 Cisco CallManager 4.0 extends voice features to video over a common, user-friendly infrastructure that can be deployed to the desktop.
SECURITY: Deflector Shield 28 Fruits of Cisco Riverhead Networks acquisition help to mitigate distributed denial-of- service attacks.
ENTERPRISE SOLUTIONS Turbo-Charged TAC 57 A virtual customer interaction network for Mercedes-Benz USA accelerates auto diagnosis and puts the brakes on telephony costs. 71 Routed Radio 61
New Cisco Catalyst® 6500 Series Wireless LAN Services Module blends wired and wireless networks.
Radio Meets Multicast 63 Radio broadcaster GWR Group lowers costs by replacing satellite, data, and voice networks with multicast VPN.
Virtual Firewall Management 67
Network administrators can manage multiple security contexts using Cisco PIX® Device Manager Version 4.0.
81 SERVICE PROVIDER SOLUTIONS Wholesale BLISS 71 Z-Tel Communications taps Cisco BLISS solution for unique wholesaler/retailer opportunity.
Taking to the ROADM 75 Reconfigurable optical add/drop multiplexer (ROADM) technology poised to spur metro dense wavelength-division market.
Calculating New Routes Faster 78
Cisco IOS® Software enhancements speed IS-IS network convergence.
SMALL AND MIDSIZED BUSINESSES IP VPNs Gain Momentum 81 Small and midsized companies can save time and money by out-tasking their IP VPNs to a managed services provider.
IN EVERY ISSUE DEPARTMENTS Mail 3 From the Editor 1 Technically Speaking 84 Calendar 5 Innovation and Standardization IP Security or Secure Sockets Layer? Acquisitions 7 Cisco’s Pete Davis discusses why you User Connection 5 Networkers 6 don’t have to choose one over the other. CIPTUG IP Telephony Feature Request Tech Tips 21 System • Cisco Career Certifications New Product Dispatches 85 Advertiser Index 88 Updates What’s new from Cisco over the past Cache File 90 quarter The 5th Wave 90 Tech Tips & Training 9 Is Your Network Ready for Voice? • NetPro Expert 89 Threat Detection • Insider’s Tips on Earn- Expert advice on outdoor wireless LAN ing Your CCIE in Security • IP Multicast infrastructure at a Glance • Reader Tips
Reprinted with permission from Packet® magazine (Volume 16, No. 3), copyright © 2004 by Cisco Systems, Inc. All rights reserved. PACKET MAGAZINE FROM THE EDITOR David Ball Editor-in-Chief Jere King Publisher Innovation and Jennifer Redovian Managing Editor Standardization Susan Borton Senior Editor ® Joanie Wexler If you’re a regular reader of Packet , you’ve no doubt noticed our new look. Packet has Contributing Editor been redesigned to match a new look and feel that has been incorporated throughout all Robert J. Smith of Cisco’s communications vehicles. From the commercials you see on TV, to the boxes Sunset Custom Publishing that deliver your latest networking components, the company is adhering to a cohesive Production Manager design philosophy that is collectively referred to in marketing circles as a corporate iden- Michelle Gervais, Nicole Mazzei, tity system. The theory is, if you’re spending money on individual communications, each Mark Ryan, Norma Tennis with its own audience, objectives, and agenda, you also want them to work together for Sunset Custom Publishing Production a higher purpose—in this case, to build brand awareness in the marketplace. A corpo- Jeff Brand, Bob Jones rate identity system makes individual components (whether a white paper, data sheet, or Art Direction and Packet Redesign a magazine) work together for a greater good. Emily Burch Designer As I sat down to write this letter, I thought, how can I tie Packet’s redesign into this Ellen Sokoloff issue’s theme of routing innovation? Then it occurred to me: what we are experiencing Diagram Illustrator at Packet is the same inevitable evolution that occurs in the world of networking— Bill Littell innovation to standardization—the standardization of the most practical and useful inno- Print Production Manager vations to serve a greater good, that of widespread adoption and integration. Cecelia Glover Taylor Circulation Director To advance the state of the art in any given field, there must be innovation. Throughout Valerie Marliac Promotions Manager its 20-year history, Cisco has pioneered many innovations that continue to profoundly Scott Griggs, Jordan Reeder affect not only networking, but, to quote Cisco Chief Executive Officer John Chambers, Cover Photograph the very way the world “works, lives, plays, and learns.” However, as important as Special Thanks to the Following Contributors: innovation is, working with the standards bodies ensures that the advancements Leonard Bonsall, Jeff Brand, Karen Dalal, achieved can be used by everybody. Few companies have invested as much effort in stan- Bob Jones, Janice King, Valerie Marliac, dards development as Cisco. A few examples of the company’s contributions to indus- Sam Masud try standards include Border Gateway Protocol (BGP), Dynamic Packet Advertising Information: Kristen Bergman, 408-525-2542 Transport/Resilient Packet Ring (DPT/RPR), Multiprotocol Label Switching (MPLS), [email protected] and Layer 2 Tunneling Protocol (L2TP). For more Cisco innovations, see “Turning the View Packet magazine at cisco.com/packet. Corner on Innovation,” page 34. Publisher Information: Packet magazine (ISSN 1535-2439) is published quarterly by Cisco Systems and Companies reap huge benefits from standards-based networking technologies. While distributed free of charge to users of Cisco it might seem that conformance to industry standards would stifle creativity, the products. Application to mail at Periodicals Rates pending at San Jose, California, and opposite is true. When all products and technologies adhere to industry standards, additional mailing offices. vendors must differentiate their products by other means. This competition between POSTMASTER: Please send direct address cor- network equipment suppliers brings out the best in each vendor and continually rections and other correspondence to packet pushes technology forward. @external.cisco.com or to Packet in care of: Packet Magazine PO Box 2080 Over the years, Packet has won its share of awards for innovative design, photography, Skokie, Illinois 60076-9324 and illustrations. So, while we may have a smaller design palette with which to stretch USA our creative muscle, we will continue to work hard to differentiate ourselves with inno- Phone: 847-647-2293 vative editorial. To that end, a new column, “NetPro Expert” (see page 89), has been Aironet, Catalyst, CCDA, CCIE, CCNA, Cisco, Cisco IOS, Cisco Networking Academy, Cisco Press, the Cisco Powered Network added to help satiate your appetite for technical tips and advice. Each quarter, this col- logo, the Cisco Systems logo, Cisco Unity, IOS, iQ, Packet, PIX, umn will provide excerpts from a particularly interesting Q&A session held with one of SMARTnet, and StackWise are registered trademarks or trade- marks of Cisco Systems, Inc., and/or its affiliates in the USA and Cisco’s technical experts on the popular Cisco Networking Professionals Connection certain other countries. All other trademarks mentioned in this publication are the property of their respective owners. online community (cisco.com/go/netpro). Packet copyright © 2004 by Cisco Systems, Inc. All rights reserved. Printed in the USA. Look for more integration with NetPro forums on our new- No part of this publication may be reproduced in any form, or by any means, without prior written permission from Cisco ly designed Packet Online Website, coming soon. And let us Systems, Inc. know what you think of our new look by writing to us at This publication is distributed on an “as-is” basis, without war- ranty of any kind either express or implied, including but not lim- [email protected]. ited to the implied warranties of merchantability, fitness for a pa- rticular purpose, or noninfringement. This publication could contain technical inaccuracies or typographical errors. Later issues may modify or update information provided in this issue. Neither the publisher nor any contributor shall have any liability to any person for any loss or damage caused directly or indirectly by the information contained herein. This magazine is printed on recycled paper. David Ball Editor-in-Chief [email protected] 10% TOTAL RECOVERED FIBER
CISCO SYSTEMS THIRD QUARTER 2004 PACKET 1 Reprinted with permission from Packet® magazine (Volume 16, No. 3), copyright © 2004 by Cisco Systems, Inc. All rights reserved. MAIL
A Question of Timing on a large-scale campus network such as In reference to Yang Difei’s Reader Correction ours we see far more than 16,384 flows Tip [Second Quarter The article “Branching Out” [Second running through the core at any par- 2004], I’m surprised Quarter 2004, page 80] contained factu- ticular time. that an editor’s note al errors regarding First Albany Capital’s wasn’t included. I like network deployment. A corrected ver- sion of the article is available at the functionality of the cisco.com/packet/163_2a1. We apolo- Case of Mistaken Identity reload command and gize for the errors.—Editors I am anxiously waiting, no doubt along use it frequently when with many other Packet readers, to hear performing remote the explanation as to why Cisco’s “Secu- administration, but 1. I placed a UNIX system on a network rity Advocate,” Mr. Aceves, is wearing reload in 60 gives you one heck of a wait- that was attached to an access router Alison’s badge in the photo on page 37 ing period for the router to revert to its connected to the Tetrahedron Core. [First Quarter 2004]. In most companies I prior configuration. I prefer to make That network was a /24 subnet, mean- am sure there are policies which greatly changes to my equipment in small incre- ing that it could support a maximum frown upon such activities. ments and use an appropriate reload in 256 IP addresses. —Colin A. Kopp, Province of British time of between 2 and 5 minutes. If you Columbia, Victoria, B.C., Canada misconfigure a WAN interface and lose 2. I configured the UNIX system to use your connection, you’ve probably also 250 IP addresses on its single Gigabit We received a record-breaking number of lost the connectivity for several users. Ethernet interface. letters regarding the photo in the article —Gerri Costa, Promasa, New Orleans, “Security Advocates,” in which Richard Louisiana, USA 3. I wrote an execution script to do the Aceves is shown wearing someone else’s following: employee identification badge. Borrowing badges is not a security best practice, and Diary Inspires Interest Randomly select a source IP address from is certainly not a policy that Packet or After reading the second installment of one of the above 250 (in some of the tests, Cisco condones. When our photographer Jimmy Kyriannis’s “Deployment Diary” I used just a single source IP address) suggested the shoot take place in the lab, [First Quarter 2004], I went back and read Richard discovered that his access to the the first part of the series [Second Quarter Randomly select any global destination lab had expired—Cisco requires periodic 2003]. On page 47, Kyriannis says he test- IP addresses, up to a total of 5 million electrostatic discharge concepts exams ed the new core while a “leaf” off the cur- for continued access to the labs. The lab rent production network with 2 million Execute a traceroute from that selected manager was aware of the situation, and independent connections. He also stated source IP address to that destination IP Richard was allowed to borrow a badge that later they would test with 5 million address using a max ttl that would ensure from one of his employees to proceed connections. How can anyone possibly test that the traffic would get past the far-end with the photo shoot. Unfortunately, we this many connections? I think it’s ques- access router attached to the Tetrahedron did not spot the errant badge in the pho- tionable that anywhere close to 2 million Core and not actually reach its destina- to until the article had already gone to connections or “flows” would exist at any tion out on the Internet. (I think I would print, but it is gratifying to see how one time on a large campus network given get more than a few complaints if I actu- many of our readers are paying such the brief, transitory nature of many types ally did contact 5 million systems!) close attention.—Editor of connections between routers. —Mike Granger, EDS Corp., Louisville, Collect the output of all of the traceroutes Colorado, USA 4. I then wrote an analyzer script that The following is a response from author took the output of the traceroutes and Jimmy Kyriannis.—Editors reported on the statistical distribution of paths through the Tetrahedron Core that The manner in which I conducted the test each src-dst-ip flow selected. Send your comments to Packet is fairly straightforward. To validate the We welcome your comments and Cisco Express Forwarding-based load- It was interesting to discover that the questions. Reach us through e-mail at sharing algorithm, I didn’t actually have Cisco Express Forwarding load-balancing [email protected]. Be sure to to establish a complete connection with algorithm did not yield fairly distributed include your name, company affilia- any end systems, but I did need to show usage across all links until 16,384 desti- tion, and e-mail address. Letters may be edited for clarity and length. that the traffic successfully traversed the nations were selected. My impression is Tetrahedron Core as described in the that this is a mathematical artifact of the Note: The Packet editorial staff cannot load-sharing algorithm documentation. bucket algorithm developed by Cisco provide help-desk services. Here’s a brief outline of my test method. engineers; this didn’t bother me, because
CISCO SYSTEMS THIRD QUARTER 2004 PACKET 3 USER CONNECTION User Group Influences New Cisco IP Telephony Features
What started with a long list of features, a request for help in The Process in Action prioritizing them, and a point system using so-called “Cisco bucks” CIPTUG members can submit feature ideas to the group’s Website back in 2001 has evolved into a valuable program for learning (ciptug.org) at any time. Cisco and CIPTUG are working with six which Cisco IP telephony product features users really want. product categories: Cisco CallManager, Cisco Unity™ unified messaging software, voice gateways, IP phones, wireless IP Over the past few years, Cisco and CIPTUG—the official users phones, and management tools such as CiscoWorks IP Telephony group for companies that operate Cisco IP telephony products— Environment Monitor (ITEM). have honed a process for gathering the most desired hardware and software feature ideas from CIPTUG members and prioritiz- In addition to allocating 200 points across the suggested features, ing them for Cisco product managers. each company can add comments about how that feature would be used or what it might look like displayed on a phone or “This process is a great mechanism to receive customer input for device. Demographic data on the voting companies—informa- our product development,” says Marc Ayres, product manager in tion such as the industry and how many phones are installed— the Voice Technology Group at Cisco. “It’s an excellent tool, it’s also tells Cisco how broad the use of a feature could be. been formalized, and we take the results seriously. We listen to all customer feedback, from the product enhancement requests we Cisco product managers and CIPTUG members meet frequently get from our sales force to the one-on-one customer meetings and to discuss new feature requests and to improve the feature EBCs [Executive Briefing Centers].” request system.
CIPTUG leaders say the ability to work collectively to communi- The more than 200 members of CIPTUG comprise companies in cate with Cisco is central to the program’s influence. “All alone, all industries. “We have a diverse set of users, from finance to you are one of thousands of companies out there pitching your healthcare to education to retail,” Melvin says, “With input ideas and needs to Cisco,” says Mark Melvin, Feature Advocacy from call-center operators, insurance companies, universities, Committee chairperson for CIPTUG and IP telephony network and many cities and school systems—the diversity makes our engineer for Cisco Gold Partner APPTIS, Inc. “You’re much input even more valuable.” more likely to get an important feature—get it sooner—by par- ticipating in this process.” CIPTUG Member Benefits In addition to the feature request program, CIPTUG offers Web- Customers Have Their Say based presentations, discounts on training and books, collabora- The results speak for themselves. In October 2003, more than 50 tive opportunities through its dedicated Website, and an annual IP telephony feature requests—or one-third of the total ideas at users event. The 2004 meeting will feature product roadmap pre- the time—were ranked as priorities by voting CIPTUG members sentations, panel discussions, a partner exhibit area, and oppor- and shared with Cisco. Of that list, Cisco committed to develop- tunities to speak one on one with Cisco technology experts. The ing 22, and all 22 have already been released or are on the event takes place September 27–29 in Orlando, Florida. For roadmap for an upcoming release. more information, visit ciptug.org.
In the most recent voting period, during May of this year, 51 of 144 features spanning six product categories received enough points to make the priority list that Cisco product managers are reviewing now. “It helps to know that many companies from different indus- tries would use a particular feature,” Ayres says. “We’re listening but can’t guarantee we’ll be able to fulfill every request because so many variables go into selecting a feature for a product.”
One such variable is the fact that, because Cisco adheres to industry standards and incorporates open application-program- CISCO WORLDWIDE EVENTS ming interfaces in its product design, many companies are creat- September 5–10 Cisco Powered Network Operations Symposium, Paris, France ing features and applications that work with Cisco IP telephony September 28–30 Networkers Japan, Tokyo, Japan products. A new enhancement to the CIPTUG feature request November 4–6 Networkers China, Beijing, China system will give Cisco the ability to flag feature requests that November 16–19 Networkers Mexico, Mexico City, Mexico would be better addressed by third-party ecosystem partners. December 13–16 Networkers EMEA, Cannes, France Melvin explains, “This gives the membership one more avenue for sharing their needs and increases the likelihood the feature March 8–10, 2005 Networkers Korea, Seoul, Korea will be implemented.” cisco.com/warp/public/688/events.html
CISCO SYSTEMS THIRD QUARTER 2004 PACKET 5 Reprinted with permission from Packet® magazine (Volume 16, No. 3), copyright © 2004 by Cisco Systems, Inc. All rights reserved. USER CONNECTION
Recently Announced Cisco Acquisitions
Acquired Key Technology Employees Location Actona Technologies Developer of wide-area file-services software that helps compa- 48 Los Gatos, California, USA nies store and manage data across geographically distributed offices. Actona technology will help Cisco expand the functional- ity of its branch-office access routers with intelligent network services that allow users at remote sites to access and transfer files as quickly and easily as users at headquarters sites. The acquired technology also allows enterprises to centralize file servers and storage and better protect and cost-effectively man- age their remote office data. Actona’s 48 employees based in the US and in Haifa, Israel, will join the Routing Technology Group at Cisco. Actona was founded in 2000.
Parc Technologies Develops traffic engineering solutions and software for routing 20 London, United Kingdom optimization. Parc’s route server algorithms, which break up net- work routing problems involving complex quality-of-service con- straints, can help service providers deliver high-quality services while improving network utilization and reducing capital expendi- tures. Cisco will incorporate the technology into its Multiprotocol Label Switching Management product line as part of the Cisco IP Solution Center. Parc’s employees will join Cisco’s Network Man- agement Technology Group.
Procket Networks High-end routing company that develops concurrent services 120 Milpitas, California, USA routers and has expertise in silicon and software development. The Procket engineering team and intellectual property are expected to make valuable contributions to the evolution of service provider and enterprise networks, as well as Cisco’s next-genera- tion routing technologies. About 120 employees from the company, which was founded in 1999 to build customized semiconductors for routers, will join Cisco’s Routing Technology Group.
6 PACKET THIRD QUARTER 2004 CISCO SYSTEMS Reprinted with permission from Packet® magazine (Volume 16, No. 3), copyright © 2004 by Cisco Systems, Inc. All rights reserved. USER CONNECTION Cisco Career Certifications Latest Offerings
A new storage networking specialization is the latest offering of the Cisco Career Certifications program.
“Engineers with routing and switching expertise who are called upon to support storage-area networks that are built with Cisco equipment need to know how to operate that equipment,” says Cindy Hoff- mann, a program manager in the Internet Learning Solutions Group at Cisco. “The Cisco specialization trains candidates to plan, design, implement, trouble- shoot, and operate Cisco MDS 9000 Series storage networking products.”
Like most Certifications courseware, content for the storage track is developed by Cisco experts but deliv- ered by Cisco Learning Partners or training compa- FRAME IT The certificate that proves an individual has completed a Cisco nies authorized by Cisco. Career Certification has a new look and is also available for electronic delivery.
The Cisco Qualified Specialist program, which allows professionals to specialize in a particular technology electronic certificate can do so for $15 per order. such as IP telephony, network security, or wireless, is Additional or new orders can be made on the Cisco built upon the core, associate-level CCNA® and Certifications Community Website (cisco.com/go/cert- CCDA® certifications. The optical track is one excep- community) or the Cisco Career Certifications Track- tion—it does not require CCNA or CCDA status ing System (cisco.com/go/certifications/login). Elec- because general knowledge of networking is not nec- tronic delivery takes a few days, while the paper essary for managing an optical network. certificate typically reaches recipients in 6 to 8 weeks.
Cisco also offers a storage specialization for its “Some people want a printed certificate provided by resellers through the Cisco Channel Partner Program. Cisco that they can frame and an electronic copy they can send to prospective employers or friends and For more information, visit cisco.com/packet/163_3e1. family—or even print out themselves,” says Abby Douglas, a program manager in the Internet Learning Get Your Certificate by E-Mail Solutions Group at Cisco. For certified professionals who prefer to receive an electronic certificate or want to receive their certifi- As part of the new electronic service, Cisco updated cate more quickly, Cisco has an answer. the certificate and built a new process for verifying certificate authenticity. “It matters to those who have Candidates who complete the CCNA, Cisco Quali- earned a Cisco certification that others can’t misrep- fied Specialist, or any career certification other than resent themselves,” says Don Field, senior manager CCIE® (CCIE recipients receive a plaque) can now of certifications in the Internet Learning Solutions receive the certificate electronically so it can be print- Group at Cisco. ed or shared with others through e-mail. Each certificate has a 16-digit number so that anyone In May of this year, Cisco began offering candidates examining the certificate, whether electronic or who complete their certifications a choice of a paper paper, can validate its authenticity on Cisco.com. In certificate or electronic delivery of a PDF file that addition, certified individuals can use a Web-based cannot be modified. Either option generates the cer- tool to give others the ability to verify their certifica- tificate, a wallet card, and a letter signed by Cisco tions. “Because Cisco cannot by law verify a certifica- CEO John Chambers. tion unless it has permission or a request from the certified professional, we’ve given them control of Candidates who receive their first certification are that process,” Douglas explains. notified by Cisco through e-mail and can select either a paper or electronic certificate free of charge at that time. Opting for both is US$15. Already-certified indi- viduals who want to order an additional paper or
CISCO SYSTEMS THIRD QUARTER 2004 PACKET 7 Reprinted with permission from Packet® magazine (Volume 16, No. 3), copyright © 2004 by Cisco Systems, Inc. All rights reserved. TECH TIPS & TRAINING Is Your Network Ready for Voice?
Measuring Delay, Jitter, and Packet Loss for Voice-Enabled Data Networks
With the emergence of new applications such as Accuracy of clocks and clock drift affect the accuracy voice and video on data networks, it is becoming of one-way delay measurements. VoIP can typically increasingly important for network managers to tolerate delays of up to approximately 150 ms one accurately predict the impact of these new applica- way before the quality of a call is unacceptable to tions on the network. Not long ago, you could allo- most users. cate bandwidth to applications and allow them to adapt to the bursty nature of traffic flows. Unfortu- Jitter is the variation in delay over time from point to nately, that’s no longer true because today applica- point. If the delay of transmissions varies too widely tions such as voice and video are more susceptible to in a VoIP call, the call quality is greatly degraded. The changes in the transmission characteristics of data amount of jitter that is tolerable on the network is networks. Therefore, network managers must be affected by the depth of jitter buffer on the network completely aware of network characteristics such as equipment in the voice path. When more jitter buffer delay, jitter, and packet loss, and how these charac- is available, the network is more able to reduce the teristics affect applications. effects of the jitter for the benefit of users, but a buffer that is too big increases the overall gap Why You Need to Measure Delay, Jitter and Packet Loss between two packets. One-way jitter measurement is To meet today’s business priorities and ensure user possible and does not require clock synchronization satisfaction and usage, IT groups and service between the measurement routers. providers are moving toward availability and per- formance commitments by IP application service lev- Packet loss severely degrades voice applications and els or IP service-level agreements (SLAs). occurs when packets along the data path are lost.
Prior to deploying an IP service, network managers Your success or failure in deploying new voice must first determine how well the network is work- ing, second, deploy the service, such as voice over IP technologies will depend greatly on your ability (VoIP), and finally, verify that the service levels are working correctly—which is required to optimize the to understand the traffic characteristics of the service deployment. IP SLAs can help meet life-cycle requirements for managing IP services. network and then applying your knowledge to
To ensure the successful implementation of VoIP engineer the appropriate network configurations applications, you first need to understand current to control those characteristics. traffic characteristics of the network. Measuring jit- ter, delay, and packet loss and verifying classes of service (CoS) before deployment of new applications Measuring Network Performance can aid in the correct redesign and configuration of Key capabilities in the Cisco IOS Software can help traffic prioritization and buffering parameters in data you determine baseline values for VoIP application network equipment. performance on the data network. The ability to gather data in real time and on demand makes it This article discusses methods for measuring delay, feasible for IT groups and service providers to create jitter, and packet loss on data networks using features or verify SLAs for IP applications; baseline values in the Cisco IOS® Software and Cisco routers. can then be used to substantiate an IP SLA for VoIP. Cisco IOS Service Assurance Agent (SAA) techno- Delay is the time it takes voice to travel from one logy is a component of an IP SLA solution and the point to another in the network. You can measure Round Trip Time Monitor (RTTMON) MIB, which delay in one direction or round trip. One-way delay enable the testing and collection of delay, jitter, and calculations require added infrastructure such as packet loss measurement statistics. Active monitor- Network Time Protocol (NTP) and clock synchro- ing with traffic generation is used for edge-to-edge nization and reference clocks. measurements in the network to monitor the net- work performance. NTP is deployed to synchronize router clocks and also when global positioning system (GPS) or another You can use the CiscoWorks Internetwork Per- trusted reference time is needed in the network. formance Monitor (IPM) network management
CISCO SYSTEMS THIRD QUARTER 2004 PACKET 9 Reprinted with permission from Packet® magazine (Volume 16, No. 3), copyright © 2004 by Cisco Systems, Inc. All rights reserved. TECH TIPS & TRAINING
application or the IOS command-line interface also serves as the delay/jitter measurement device. (CLI) to configure and retrieve data from the Once deployed, the operation collects statistics and RTTMON MIB, or choose from a wide selection of populates Simple Network Management Protocol Cisco ecosystem partners and public domain soft- (SNMP) MIB tables in the probe router. You can ware to configure and retrieve the data. In addition, then access the data either through the CiscoWorks the CiscoWorks IPM features are now also available IPM, or through simple SNMP polling tools and in the WAN Performance Utility (WPU) module of other third-party applications. CiscoWorks IP Telephony Environment Monitor (ITEM) network management software. Additionally, after baseline values have been estab- lished, you can configure operations to send alerts to a Deploying Delay/Jitter Agent Routers network management system (NMS) station if thresh- You can measure delay, jitter, and packet loss by olds for delay, jitter, and packet loss are exceeded. deploying almost any Cisco IOS device, from a Cisco 800 Series Router on up. Simulating a Voice Call One of the strengths of using Cisco IOS SAA as the Two deployment scenarios are possible: You can testing mechanism is that you can simulate a voice call. either purchase dedicated routers for SLA measure- In Cisco IOS Software Release 12.3(4)T and later, you ments or use current routers within the network. can configure the VoIP codec directly in the CLI and Place the routers in a campus network along with simulate a voice call. This release also includes voice hosts to provide statistics for end-to-end connections. quality estimates, Mean Opinion Scores (MOS), and It is not practical to measure every possible voice path Planning Impairment Factor (PIF) scores. in the network, so place the dedicated routers in typi- cal host locations to provide a statistical sampling of Earlier versions of the Cisco IOS Software enable typical voice paths. you to estimate a VoIP codec using the correct packet size, spacing, and interval for the measure- In the case of VoIP deployments using traditional ment data and enter the appropriate parameters. phones connected to Cisco routers using FXS station The CoS can be set on data or VoIP tests, which ports, the router to which the phones are connected allows you to verify how well QoS is working in the
10 PACKET THIRD QUARTER 2004 CISCO SYSTEMS Reprinted with permission from Packet® magazine (Volume 16, No. 3), copyright © 2004 by Cisco Systems, Inc. All rights reserved. TECH TIPS & TRAINING
network. Examples of how to simulate a voice call codec g711alaw are shown below. tos 160 frequency 60 With Cisco IOS Software Release 12.3(4)T or later, you can use the VoIP jitter operation to simulate a rtr schedule 1 start-time now test call: router2# rtr 1 rtr responder type jitter dest-ipaddr 10.1.1.2 dest-port 14384 rtr 1 codec g711alaw type jitter dest-ipaddr 10.1.1.1 dest-port 14385 rtr schedule 1 start-time now codec g711alaw tos 160 With earlier IOS releases before 12.3(4)T you can frequency 60 use the rtp/udp even port numbers in the range of 16384 to 32766. The user then approximates 64 rtr schedule 1 start-time now kbit/s, and the packet size is 200 bytes {(160 bytes of payload + 40 bytes for IP/UDP/RTP (uncom- Command-Line Data Examples pressed) }. You can simulate that type of traffic by To view the results you can use the IOS show com- setting up the jitter operation as shown below. mand at the command line for the jitter operation. Additionally, you can use the command-line data for The jitter operation accomplishes the following: real-time monitoring and troubleshooting of delay, jitter, and packet loss. For an example of the CLI ■ Send the request to rtp/udp port number 14384 output, refer to cisco.com/packet/163_4b1. ■ Send 172 byte packets (160 payload + 12 byte RTP header size) + 28 bytes (IP + UDP) Monitoring Thresholds ■ Send 3000 packets for each frequency cycle You can use the CLI, CiscoWorks IPM, or the WPU ■ Send every packet 20 milliseconds apart for a dura- in CiscoWorks ITEM to configure features and tion of 60 seconds and sleep 10 seconds before start- monitor data. You can use this data to manage IP ing the next frequency cycle SLAs that have been created for VoIP. After you The parameters in the example above give you 64 have determined baseline values, you can reconfig- kbit/s for the 60-second test period. ure the jitter operations to monitor the network. When predetermined delay and jitter service-level ((3000 datagrams * 160 bytes per datagram)/ 60 sec- thresholds are reached or exceeded, NMS stations onds)) * 8 bits per byte = 64 kbit/s will be alerted.
The configuration on the router would look like this: After you have established baseline values through the initial data collection, you can monitor the delay, rtr 1 jitter, and packet loss levels in the network with the type jitter dest-ipaddr 10.1.1.2 dest-port 14384 num- embedded alarm features of Cisco IOS SAA. packets 3000 request-data-size 172** The Cisco IOS SAA threshold command sets the rising frequency 70 threshold (hysteresis) that generates a reaction event rtr schedule 1 start-time now and stores history information for the operation. Cisco IOS SAA can measure and create thresholds for Note that IP+UDP is not considered in the request- round-trip time delay, average jitter, connectivity loss, data-size, because the router internally adds them to one-way packet loss, jitter, and delay. the size automatically. Sample Service Assurance Threshold Configuration Delay/Jitter Probe Deployment Example router1# The two routers below would simulate voice calls of rtr 100 64 kbit/s every 60 seconds and record delay, jitter, rtr reaction-configuration 100 threshold-falling 50 and packet loss in both directions. Note that the threshold-type immediate action trapOnly delay calculations are round-trip times and must be divided by two to arrive at the amount of one-way Understanding the traffic characteristics of the net- delay unless NTP is implemented for one-way delay work before you deploy new advanced applications measurements. is the key to successful implementations. Delay, jit- ter, and packet loss greatly affect VoIP applications. router1# Your success or failure in deploying new voice tech- rtr responder nologies will depend greatly on your ability to rtr 1 understand the traffic characteristics of the network type jitter dest-ipaddr 10.1.2.1 dest-port 14384 and then applying your knowledge to engineer the
CISCO SYSTEMS THIRD QUARTER 2004 PACKET 11 Reprinted with permission from Packet® magazine (Volume 16, No. 3), copyright © 2004 by Cisco Systems, Inc. All rights reserved. TECH TIPS & TRAINING
appropriate network configurations to control FURTHER READING those characteristics. ■ Cisco IOS SAA technology ◆◆◆ cisco.com/go/saa This article was developed by the Cisco Advanced ■ Cisco IOS SAA for VoIP Services Network Reliability Improvement team, cisco.com/packet/163_4b2 which specializes in network high availability and ■ CiscoWorks Internetwork Performance Monitor (IPM) operational best practices. In addition to using the cisco.com/packet/163_4b3 techniques discussed in this article, you should have ■ CiscoWorks ITEM good operational practices in place to achieve higher cisco.com/packet/163_4b4 levels of availability such as 99.999 (“five nines”) ■ White papers on operational best practices for percent. network availability cisco.com/packet/163_4b5 ■ Cisco Network Availability Improvement Services program cisco.com/packet/163_4b6
12 PACKET THIRD QUARTER 2004 CISCO SYSTEMS Reprinted with permission from Packet® magazine (Volume 16, No. 3), copyright © 2004 by Cisco Systems, Inc. All rights reserved. TECH TIPS & TRAINING Threat Detection
Identifying and Classifying Network Threats with Cisco IOS Software
By Ramya Venkatraman
Networks are continually becoming more intelligent replicating programs and can rapidly propagate and complex. Because the network plays an increas- without any manual intervention. Viruses are self- ingly critical role in the daily functioning of most replicating programs that usually require some form business environments, it is also rapidly evolving as of human intervention to infect other systems. Mali- the choice target of threats and attacks. The ever- cious worms can propagate Internet-wide in a matter increasing complexity of networks and intelligent of a few minutes, leading to serious denial of service, services is often dwarfed by the increased sophisti- downtime, and data loss in the infected hosts. cation of emerging network threats and attacks. Spam—Although an indirect threat, spam is rapidly Three key areas of security that must be addressed gaining ground as one of today’s main security con- early on are threat detection and identification, cerns. Consulting firm Ferris Research estimates attack containment, and mitigation. This article that spam now represents more than half of Internet provides insight into the first of these important e-mail traffic volume, and the cost of spam to enter- security areas—threat detection and identification— prises in the US has more than doubled in the past and focuses on some key Cisco IOS® Software fea- year. To propagate spam, senders are increasingly tures that enable you to inspect traffic and identify relying on various tactics such as unauthorized potential threats. Border Gateway Protocol (BGP) route injection, AS route hijacking, and asymmetrical routing with Discover more First, Assess the Risk spoofed IP addresses. about defend- Threats can be classified by source, internal or exter- ing your net- nal; or by type, spoofing, spam, denial of service How to Identify and Classify Threats work against (DoS), or worms. Basic categories of attacks that The first step in attack detection is gathering relevant threats at the threaten a network device or the network infrastruc- information about its characteristics and devising a Cisco Network- ture can be broadly classified as follows: relevant threat classification strategy. This discussion ing Profession- als Connection focuses on identifying and classifying threats based “Security” Spoofing and impersonation—A hacker gains access on attack types. forum: cisco. by making the network think that he is a “trusted” com/discuss/ sender. This can be due to weak or compromised user Develop a network baseline. A vast majority of DoS security. accounts and passwords or by spoofing IP addresses. attacks are designed to overload network devices. Probes and scans such as port scanning, icmp These attacks are usually characterized by anomalies unreachable messages, network commands such as such as an overwhelmingly large number of input whois, finger, ping, and the like, help in mining infor- buffer drops, significantly higher than usual CPU uti- mation about the network topology. In addition, pro- lization levels, or link saturation. To identify such tocol analysis on captured data that contains sensi- deviations from expected behavior, we first need to tive information also helps forge identity and spoof determine the normal behavior under a no-threat IP addresses. condition. This is typically accomplished by a process called network baselining, which helps security man- DoS/distributed DoS (DDoS)—These attacks are agers to define network performance and network caused by flooding the network with requests that resource usage for different time periods, under typi- can fill circuits with attack traffic, overwhelm net- cal operating conditions. Investigating current link work devices, slow down critical network services, usage levels, CPU usage, memory usage, syslog and ultimately impact the network’s ability to sup- entries, and other overall performance parameters port services. The main characteristic of any are an important part of baseline profiling. Any devi- DoS/DDoS attack is hijacking a system by bom- ations or policy violations from the network baseline barding it with a spate of spurious traffic to process should be investigated carefully, as they are potential in a short span of time. Examples of such attacks indicators of an attack or anomaly. Examples of such include TCP SYN flooding, ICMP echo requests, behavior include: TTL expiration, and UDP (fraggle) and fragmenta- tion attacks. RAMYA VENKATRAMAN is a technical marketing engineer in Cisco’s Malicious code—Examples of malicious code include Internet Technologies Division. For the past four years, she has worked in numerous QoS and security projects at Cisco, and has viruses and various worms such as Nimda, Code been a regular speaker at Networkers and a periodic contributor to Red, and Slammer. Once launched, worms are self- Packet®. She can be reached at [email protected].
CISCO SYSTEMS THIRD QUARTER 2004 PACKET 13 Reprinted with permission from Packet® magazine (Volume 16, No. 3), copyright © 2004 by Cisco Systems, Inc. All rights reserved. TECH TIPS & TRAINING
■ Large number of input buffer drops and malloc today. It is supported in most Cisco platforms via failures; could be indicators of an attack induced to ASICs or Cisco IOS and Cisco Catalyst® Operating exhaust resources or cause excessive memory frag- System (CatOS) software, and provides valuable mentation information about traffic characteristics, link usage, and traffic profiling on the network. ■ Unexplained spikes in CPU usage; could be caused by hacker-initiated scans and probes that usually con- NetFlow classifies packets by way of flows. Each flow sume a lot of processing power is defined by its unique seven-key characteristics: the ingress interface, IP protocol type, type-of-service (ToS) ■ A sudden increase in link utilization levels; could be byte, source and destination IP addresses, and source the result of DoS attacks or worm activity that gen- and destination port numbers. This level of flow granu- erates inordinately large volumes of traffic larity allows NetFlow to easily handle large-scale traffic monitoring. The NetFlow seven-tuple provides enough ■ Any other abnormal behavior such as inexplicable data for baseline profiling and determining the “who, syslog entries, large number of threshold breaches, what, when, where, and how” of network traffic. RMON alerts, and so on A network traffic anomaly is an event or condition in Cisco IOS for Threat Detection and Classification the network characterized by a statistical abnormali- Given its ubiquitous presence across communication ty compared to typical traffic patterns gleaned from networks, Cisco IOS Software is the ideal platform to previously collected profiles and baselines. NetFlow launch security policies to thwart attacks and help allows users to identify anomalies by producing defend networks. Following are some ways to proac- detailed accounting of traffic flows. Deviations from tively identify and classify various network attacks the typical traffic patterns are indicative of changing using tools already built into Cisco IOS Software. traffic patterns, an early sign of potential attacks. NetFlow is usually deployed across the edge of a NetFlow with Anomaly Detection service provider’s network to monitor edge and peer Cisco NetFlow is the primary and most widely interfaces, as these are the “typical” ingress points deployed DoS identification and network traffic flow for most attacks. The router maintains a live Cisco analysis technology for IP networks in the industry IOS NetFlow cache to track the current flows.
14 PACKET THIRD QUARTER 2004 CISCO SYSTEMS Reprinted with permission from Packet® magazine (Volume 16, No. 3), copyright © 2004 by Cisco Systems, Inc. All rights reserved. TECH TIPS & TRAINING
The show ip cache flow command can be used to the most common attack vectors, namely ICMP view a snapshot of the high-volume flows stored in flooding, UDP echo attacks, and TCP SYN floods. the router cache (see figure). Now the user can issue the show access-list command to display the access-list packet match statistics and IP flow information can be exported from the Net- diagnose for any potential threats. Flow cache to an external collector for further analy- sis. Flow data from multiple collectors can be mapped Router# show access-list 101 to identify the network nodes under attack and also to Extended IP access list 101 determine the attack characteristics. Analysis of this permit icmp any any echo-reply (2354 matches) exported data is helpful in determining the necessary permit icmp any any echo (1368 matches) threat classification criteria enforced by IOS features permit udp any any eq echo (18 matches) such as ingress access control lists (ACLs), Network- permit udp any eq echo any (7 matches) Based Application Recognition (NBAR), and Unicast permit tcp any any established (100 matches) Reverse Path Forwarding (uRPF). permit tcp any any (25 matches) permit ip any any (1015 matches) There are several freeware tools that can analyze NetFlow data, including cflowd, flow-tools, and The output indicates a large number of incoming autofocus. Vendors such as Arbor, Mazu, and Adlex ICMP echo request and reply packets—an indication provide GUI-based collector application tools for of a potential ICMP flood attack or smurf attack. large-scale data collection from multiple collectors, The log-input keyword is enabled to collect further analysis for DoS/DDoS attack detection, and cen- information on the suspect packet stream such as the tralized reporting. For example, security engineers input interface or source IP address. can detect and prevent DoS attacks by using Cisco NetFlow to collect attack information such as access-list 101 permit icmp any any echo-reply source and destination IP, port number, packet size, log-input and protocol type, and then send the information to access-list 101 permit icmp any any echo log-input a threat detection correlation tool, such as Panoptis, for anomaly detection. IP Source Tracker To effectively block or limit an attack directed toward Access Control Lists with IP Options a host, we must first trace the origin of the threat. Cisco IOS access lists are the most commonly adopt- Source tracking is the process of tracing the source of ed technique to classify and deny access to a router at the attack through the network from the victim back the network edge. An ACL with a series of permit statements is used to filter and characterize traffic flows of interest and trace “spoofed” packet flows show ip cache flow back to their point of origin. Increasing numbers of router_A#sh ip cache flow DoS attacks are associated with various options IP packet size distribution (85435 total packets): being set in the IP header. Cisco IOS ACLs also have 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480 the capability of filtering packets based on various IP .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 000 options in the packet header. ACL counters are used to determine which flows and protocols are potential 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 threats due to their unexpectedly high volume. After .000 .000 .000 .000 1.00 .000 .000 .000 .000 .000 .000 the suspect flows are identified, permit ACLs with IP Flow Switching Cache, 278544 bytes logging option can be used to capture additional 2728 active, 1368 inactive, 85310 added Source Interface packet characteristics. 463824 ager polls, 0 flow alloc failures Active flows timeout in 30 minutes Flow info Summary Consider the following example: Inactive flows timeout in 15 seconds last clearing of statistics never Protocol Total Flows Packets Bytes Packets Active (Sec) Idle (Sec) access-list 101 permit icmp any any echo-reply ------Flows /Sec /Flow /Pkt /Sec /Flow /Flow access-list 101 permit icmp any any echo TCP-X 2 0.0 1 1440 0.0 0.0 9.5 access-list 101 permit udp any any eq echo TCP-other 82580 11.2 1 1440 11.2 0.0 12.0 access-list 101 permit udp any eq echo any Total: 82582 11.2 0.0 12.0 Flow Details access-list 101 permit tcp any any established access-list 101 permit tcp any any SrcIF SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts access-list 101 permit ip any any Et0/0 132.122.25.60 Se0/0 192.168.1.1 06 9 AEE 0007 1 Et0/0 139.57.220.28 Se0/0 192.168.1.1 06 7 08D 0007 1 Et0/0 165.172.153.65 Se0/0 192.168.1.1 06 C B46 0007 1 interface serial 0/0 ip access-group 101 in
SHOW THE FLOW The show ip cache flow command enables a snapshot of high-volume flows stored in Access-list 101 permits all packets, but the individual the router cache. access list entries (ACEs) can be used to categorize
CISCO SYSTEMS THIRD QUARTER 2004 PACKET 15 Reprinted with permission from Packet® magazine (Volume 16, No. 3), copyright © 2004 by Cisco Systems, Inc. All rights reserved. TECH TIPS & TRAINING
to the attacker. Though ACLs can be leveraged to forwards only packets that have legitimate source traceback attacks, there is a potential performance addresses that are consistent with the IP routing impact when excessive packet filters are inserted into table. If the source IP address is known to be valid an actual production network environment. The Cisco and reachable through the interface on which the IP Source Tracker feature generates all the essential packet was received, the packet is forwarded or else information to trace the ingress point of attack into dropped. Unicast reverse path checks should be the network all the way to the network edge, with deployed at the network edge or the customer edge minimal impact on performance. of an ISP and should not be used in conjunction with asymmetric routing. After a host is diagnosed to be under attack via Net- Flow, users can enable simultaneous tracking of The uRPF feature with ACL logging adds an addi- multiple destination IP addresses on the entire tional diagnostic capability by enabling reverse path router by globally enabling the ip source-track com- forwarding check on an interface in a “pass- mand. Each line card CPU collects data about the through” mode. In this mode, all RPF violations are traffic flow to individual destination IP addresses in logged using the ACL log-input feature. If a packet an easy-to-use format and periodically exports this fails a unicast RPF check, the ACL is checked to data to the router. The show ip source-track com- determine if the packet should be dropped (using a mand can be used to display complete flow infor- deny ACL) or forwarded (using a permit ACL). This mation for each inbound interface on the router feature can be selectively applied to an interface to including detailed statistics of the traffic destined to detect network threats that use spoofed IP address- each IP address. This statistical granularity allows es. The ACL logging counter and match counter sta- users to determine which upstream router to analyze tistics are incremented to reflect statistics for pack- next. By determining the source port of attack on ets with spurious IP addresses. The network each device, a hop-by-hop traceback to the attacker operator can scan the ACL log output and the coun- is possible. This step is repeated on each upstream ters to detect and gather more information on any router until the entry point of attack on a border potential DoS attacks. router is identified. Consider the following example: Following is a sample configuration for IP source tracking on all port adapters in a router to collect int serial0/0 traffic flow statistics to host address 172.10.1.1 for 3 ip address 172.168.100.1 255.255.255.0 minutes, create an internal system log entry, and ip verify unicast reverse-path 101 export packet and flow information for viewing to ! the route processor every 60 seconds. access-list 101 deny ip 172.168.101.0 0.0.0.127 any log-input Router(config)# ip source-track 172.10.1.1 access-list 101 permit ip 172.168.101.128 Router(config)# ip source-track syslog-interval 3 0.0.0.127 any log-input Router(config)# ip source-track export-interval 60 Frames sourced from 172.168.101.75 arriving at To display detailed information of the flow, enter the serial0/0 and failing the uRPF check are logged by the show ip source-track
Address SrcIF Bytes Pkts Bytes/s Pkts/s FURTHER READING 172.10.1.1 PO1/2 131M 511M 1538 6 ■ Cisco Feature Navigator, for Cisco platform and IOS 172.10.1.1 PO2/0 144G 3134M 6619923 143909 release support cisco.com/go/fn The output indicates interface POS 2/0 as the poten- ■ Cisco NetFlow tial upstream attack path. You can now disable ip cisco.com/packet/163_4c2 source-track on the current router and enable it on ■ IP access lists the upstream router to track the next preceding hop. cisco.com/packet/163_4c3 ■ IP access lists with IP options selective drop Unicast Reverse Path Forwarding cisco.com/packet/163_4c4 A large number of DoS and DDoS attackers employ ■ IP Source Tracker spurious or rapidly altering source IP addresses to cisco.com/packet/163_4c5 navigate around threat detection and filtering ■ IP unicast Reverse Path Forwarding mechanisms. The uRPF feature helps mitigate cisco.com/packet/163_4c6 attacks caused by the introduction of spoofed IP ■ RAW IP Traffic Export addresses into a network by discarding IP packets cisco.com/packet/163_4c7 that lack a verifiable IP source address; uRPF
16 PACKET THIRD QUARTER 2004 CISCO SYSTEMS Reprinted with permission from Packet® magazine (Volume 16, No. 3), copyright © 2004 by Cisco Systems, Inc. All rights reserved. Why Should I Care About IP Multicast? router receiving a multicast join message via a switch will reply Many applications used in modern networks require infor- back to the switch with a CGMP join message. This message
Reprinted with permission from IP Multicast mation (voice, video, or data) to be sent to multiple end sta- allows Layer 2 forwarding decisions to be made. tions. When only a few end stations are targeted, sending At a Glance multiple copies of the same information through the net- Courtesy of Cisco Enterprise Marketing IGMP Snooping improves efficiency by enabling a Layer 2 work (unicast) causes no ill effects. However, as the number switch to look at Layer 3 information (IGMP join/leave mes- of targeted end stations increases, the negative effects of Multicast Distribution Trees sages) sent between hosts and routers. When an IGMP host duplicate packets can rise sharply. Deploying applications Multicast-capable routers create distribution trees that con- report is sent through a switch, the switch adds the port such as streaming video, financial market data, and IP trol the path that IP Multicast traffic takes through the net- number of the host to the associated multicast table entry. telephony-based Music on Hold without enabling network work to deliver traffic to all receivers. The two basic types of When the switch hears the IGMP leave group message from a devices for multicast support can cause severe degradation multicast distribution trees are source trees and shared trees. host, the switch removes the host’s table entry. IGMP to network performance. requires a switch to examine all multicast packets and, there-
Packet Source 1 fore, should only be implemented on high-end switches. Unicast Source 2
® Multicast Forwarding magazine (Volume 16, No.3), copyright ©2004 byCisco Systems, Inc. Allrights reserved. In unicast routing, traffic is routed from the source to the des- Source Receivers AB D F tination host. In multicast forwarding, the source is sending C E traffic to several hosts, represented by a multicast group 4 Copies address. The multicast router must determine which direction Sent 3 Copies Receiver 1 Receiver 2 is upstream (toward the source) and which is downstream Sent (toward the hosts). When there is more than one downstream With source trees (or “shortest path trees”), each source path, the best downstream paths (toward the group address) Multicast sends its data to each receiver using the most efficient path. are chosen. These paths may or may not be the same path that Source trees are optimized for latency but have higher mem- would be chosen for a unicast packet, a process called Reverse ory requirements, as routers must keep track of all sources. Path Forwarding (RPF). RPF is used to create distribution Source Receivers trees that loop free. Source 1
Source 2 Protocol Independent Multicast 1 Copy 1 Copy Protocol Independent Multicast (PIM) can work with Sent Sent AB D F whichever unicast routing protocols are used to populate the What Problems Need to Be Solved? unicast routing table. PIM uses the unicast routing informa- Multicasting requires methods to efficiently deploy and scale C E tion to perform the multicast forwarding function, and it distributed group applications across the network. This is uses the unicast routing table to perform the RPF check accomplished by using protocols that reduce the network Receiver 1 Receiver 2 instead of building up a completely independent multicast load associated with sending the same data to multiple routing table. It includes two different modes of behavior for receivers and alleviate the high host/router processing With shared trees, multicast data is sent to a common point dense and sparse traffic environments. requirements for serving individual connections. in the network (known as the rendezvous point or RP) prior to being sent to each receiver. Shared trees require less mem- In PIM Dense Mode, the multicast router floods traffic mes- Internet Group Membership Protocol ory in routers than source trees, but might not always use sages out all ports (a “push” model). If a router has no hosts Internet Group Membership Protocol (IGMP) allows end sta- the optimal path, which can result in packet delivery latency. or downstream neighbors that are members of the group, a tions to join a multicast group. Joining a multicast group can prune message is sent out telling the router not to flood mes- be likened to subscribing to a session or service where multi- A Layer 2 switch will forward all multicast traffic, which sages on a particular interface. Dense mode uses only source cast is used. IGMP relies on Class D IP addresses for creating reduces network efficiency. Two methods—Cisco Group trees. Because of the flood and prune behavior, dense mode multicast groups. When a multicast session begins, the host Management Protocol (CGMP) and IGMP Snooping—were is not recommended. sends an IGMP message throughout the network to discover developed to mitigate this inefficient switch behavior. which end stations have joined the group. The host then sends PIM Sparse Mode uses an “explicit join” model, where traf- traffic to all members of that multicast group. Routers “lis- CGMP allows Cisco Catalyst® switches to make Layer 2 for- fic is sent only to hosts that explicitly ask to receive it. This ten” to IGMP traffic and periodically send out queries to dis- warding decisions based on IGMP information. When config- is accomplished by sending a join message to the RP. Any- cover which groups are active or inactive on particular LANs. ured on switches and routers, CGMP ensures that IP Multicast cast RP provides load balancing, redundancy, and fault tol- Routers communicate with each other using one or more pro- traffic is delivered only to ports that are attached to interested erance by assigning the same IP address to multiple RPs tocols to build multicast routes for each group. receivers or multicast routers. With CGMP running, any within a PIM Sparse Mode network multicast domain. TECH TIPS & TRAINING Cracking the Code
Insider’s Tips on Earning Your CCIE in Security
By Yusuf Bhaiji
Introduced in 2001, the CCIE® Security certification and choose materials that are approved or provided has evolved into one of the networking industry’s by Cisco and its Authorized Learning Partners. most respected high-level security certifications. To become a CCIE Security expert you must pass both Books: Many Cisco Press and other vendor books are the written qualification exam and hands-on lab available to assist in preparing for CCIE exams. exam security. This article provides tips on Check the current list on the CCIE Website at resources and materials available to help you pre- cisco.com/packet/163_4d3. No single resource con- pare for the exams. tains all the information you need so plan to add multiple books to your collection. Exam Changes The Cisco Certifications program announced changes Trainings: Although training is not a prerequisite to the CCIE Security track this year, including signifi- for CCIE certification, the CCIE Website lists cant changes to the written and lab exams. Blueprints courses that might be helpful to you in studying available on the CCIE Website (cisco.com/go/ccie) subject matter you have less direct experience with. outline the topics covered on the exams, so study For a list of recommended training courses, visit these carefully. cisco.com/packet/163_4d4.
Version 2.0 of the CCIE Security written exam Bootcamps: Many candidates ask me to recommend strengthens coverage of technologies that are critical a security bootcamp. In my opinion, bootcamps are to highly secure enterprise networks. New topics such intended to give an overview of the lab, offer tips and as wireless security, the Cisco Catalyst® 6500 Series tricks for exam taking, and provide mock scenarios security modules, and security applications such as that help you gauge your readiness. To gain the most VPN Management Solution (VMS) test candidates on benefit, study the technologies involved before security technologies and best practices. The complete attending a bootcamp. blueprint for the security written exam is available online at cisco.com/packet/163_4d1. Recent changes Cisco.com Website: Many candidates overlook one are indicated on the blueprint in bold type. of the best resources for useful material and technical information: Cisco.com. A plethora of sample sce- The new revised CCIE Security lab exam preconfig- narios are available on the tech support pages for ures much of the core routing and switching on the each Cisco product and technology. These articles devices, allowing more exam time for security-specif- reflect current trends and demands and include sam- ic technologies. Topics covered more extensively on ple diagrams, configurations, and invaluable IOS® the new exam include: show and debug command outputs.