DOCSLIB.ORG

Policy Defined Segmentation with Cisco Trustsec

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Policy Defined Segmentation with Cisco Trustsec Policy Defined Segmentation with Cisco TrustSec Session ID 18PT Rob Bleeker – Consulting System Engineer CCIE #: 2926 Abstract . This session will explain how TrustSec Security Group Tagging can be used to simplify access controls and provide software-defined segmentation. We will cover how to extend context-aware controls from the access layer to data centers in order to reduce operational effort, support compliance initiatives and facilitate BYOD. The session is targeted at network and security architects who want to know more about Secure Access using the TrustSec solution. Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Agenda . TrustSec Overview . Classification . Transport . Enforcement . MACSec Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public . TrustSec Overview . Classification . Transport . Enforcement . MACSec Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public SANS - 20 Critical Security Controls… . Control # 1: Inventory of Authorized and Unauthorized devices Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access . Control # 7: Wireless Access Control The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANS), access points, and wireless client systems. Control # 14: Controlled Access Based on the Need to Know The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification. Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public The challenge with current access controls… . Protected assets are defined by their network connection – Policies are statically and manually configured – Rules are based on network topology (subnets, addresses) – IP Address does not provide user context or meaning . Method does not facilitate key Business / IT requirements like: . Frequent organizational changes . Mobile workforces . Device choice . Virtualization Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public Traditional Segmentation Steps replicated across floors, buildings and sites ACL Aggregation Layer VLAN Addressing DHCP Scope Redundancy Routing Static ACL Access Layer Quarantine Voice Data Suppliers Guest SimpleMore PoliciesSegmentation using morewith 2VLANs VLANs Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public 9 User to Data Center Access Control with TrustSec SGT . Regardless of Data Center Data Center topology or location, Firewall policy (Security Group Tag) stays Campus Core with users, devices and servers Access Layer Employee Tag Supplier Tag Guest Tag Quarantine Tag Voice Voice Employee Suppliers Guest Quarantine Building 3 Main Building WLAN Data VLAN Data VLAN Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public 10 Campus segmentation with TrustSec SGT . Enforcement is Data Center Data Center Firewall based on the Security Group Tag, Campus Core can control communication in same VLAN Access Layer Employee Tag Supplier Tag Guest Tag Quarantine Tag Voice Voice Employee Employee Guest Quarantine Building 3 Main Building Data VLAN (200) Data VLAN (100) Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public 11 High OPEX Security Policy Maintenance NY 10.2.34.0/24 10.2.35.0/24 NY 10.2.36.0/24 PCI 10.3.102.0/24 DC-PCI1 Servers SF 10.3.152.0/24 DC-PCI2 LA 10.4.111.0/24 DC-PCI3 SJC …. DC-RTP (VDI) Traditional ACL/FW Rule Source Destination permit NY to PCI1 for HTTPS deny NY to PCI2 for SQL deny NY to PCI3 for SSH permit SF to PCI1 for HTTPS deny SF to PCI2 for SQL ACL for 3 source objects & 3 destination objects deny SF to PCI3 for SSH permit LA to PCI1 for HTTPS deny LA to PCI2 for SQL deny LA to PCI3 for SSH Permit SJC to PCI1 for HTTPS deny SJC to PCI2 for SQL Adding source Object deny SJC to PCI3 for SSH permit NY to VDI for RDP deny SF to VDI for RDP Adding destination Object deny LA to VDI for RDP deny SJC to VDI for RDP Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public Reduced OPEX in Policy Maintenance NY DC-PCI1 PCI SF DC-PCI2 Servers LA DC-PCI3 Employee SJC DC-RTP (VDI) Security Group Filtering VDI Servers BYOD Source SGT: Destination SGT: Employee (10) PCI-Servers (50) Policy Stays with BYODUsers /(200) Servers regardless VDIof location (201) or topology Permit Employee to PCI-Servers eq HTTPS SimplerPermit AuditingEmployee Process to (Low PCI- ServersOpex Cost)eq SQL SimplerPermit Security Employee Operation to (Resource PCI-Servers Optimization) eq SSH Permit Employee to VDI eq RDP Deny BYOD Clear to ROI PCIin OPEX-Servers Deny BYOD to VDI eq RDP Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public Extensive Policy Enforcement Comprehensive Contextual Identity Comprehensive Secure Access Guest access Profiling Posture Who What Where When How CONTEXT Vicky Sanchez Personal iPad Employee, Marketing Employee Owned Wireless HQ Wireline Francois Didier 3 p.m. Consultant HQ - Strategy Frank Lee Security Camera Gateway Remote Access Guest Agentless Asset 6 p.m. Chicago Branch Wireless 9 a.m. IDENTITY IEEE 802.1X MAB WebAuth Cisco Switches, Routers, and Wireless Access Points Identity (IEEE 802.1X)-Enabled Network Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public Security Group Access . Unique 16 bit (65K) tag assigned to unique role Security Group Tag . Represents privilege of the source user, device, or entity . Tagged at ingress of TrustSec domain . Filtered (SGACL) at egress of TrustSec domain SGSG ACL . No IP address required in ACE (IP address is bound to SGT) . Policy (ACL) is distributed from central policy server (ACS) or configured locally on TrustSec device Customer Benefits . Provides topology independent policy . Flexible and scalable policy based on user role . Centralized Policy Management for Dynamic policy provisioning . Egress filtering results to reduce TCAM impact Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public 15 TrustSec In Action Classification ISE Directory Fin Servers SGT = 4 Enforcement Users, Device SGT:5 HR Servers SGT = 10 Switch Router DC FW DC Switch SGT Transport • TrustSec is a context-based firewall or access control solution: • Classification of systems/users based on context (user role, device, location, access method) • The context-based classification propagates using SGT • SGT used by firewalls, routers and switches to make intelligent forwarding or blocking decisions in the DC Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public . Overview . Classification . Transport . Enforcement . MACSec Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public Classification Identification and Classification Device Type: Apple iPAD User: Mary Classification Result: Group: Employee Personal Asset SGT Corporate Asset: No Along with authentication, ISE Profiling various data is sent to ISE for device profiling ISE (Identity Services Engine) SGT Security Group Policy ID & ID DC Resource Profiling Data Profiling Access Company NetFlow DCHPDNS asset HTTPOUI RADIUSNMAP SNMP AP Wireless LAN Controller Restricted Employee Internet Only Distributed Personal asset Enforcement based on Security Group Propagate Presentation_ID CiscoClassify and/or its affiliates. All rights reserved. EnforceCisco Public Classification How SGT is Assigned (Tagged)? ISE: Endpoint is classified with SGT SVI interface is Physical Server is mapped to SGT mapped to SGT Campus Access Distribution Core DC Core EOR DC Access Enterprise Backbone SRC: 10.1.100.98 Hypervisor SW VLAN is mapped WLC to SGT FW Virtual Machine is ISE: device is mapped to SGT classified with SGT Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public Classification summary Dynamic Classification Static Classification • IP Address • VLANs • Subnets 802.1X Authentication • L2 Interface SGT • L3 Interface Web Authentication • Virtual Port Profile • Layer 2 Port Lookup MAC Auth Bypass Common Classification for End Common Classification for Servers, Devices Topology-based policy, etc. Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public Dynamic Classification Process in Detail Supplicant Switch / WLC ISE Layer 2 Layer 3 00:00:00:AB:CD:EF EAPoL Transaction RADIUS Transaction EAP Transaction Authentication 1 Policy Authorized MAC: Authorization Evaluation SGT 0 00:00:00:AB:CD:EF Authorized SGT = 5 cisco-av-pair=cts:security-group-tag=0005 2 DHCP 3 DHCP Lease: ARP Probe IP Device Binding: 10.1.10.100/24 Tracking 00:00:00:AB:CD:EF = 10.1.10.100/24 SRC: 10.1.10.100 = SGT 5 3560X#show cts role-based sgt-map all details Make sure that IP Active IP-SGT Bindings Information Device Tracking IP Address Security Group Source ============================================= is TURNED ON 10.1.10.1 3:SGA_Device INTERNAL Presentation_ID 10.1.10.100Cisco and/or its affiliates. All rights reserved. 5:Employee Cisco PublicLOCAL Classification ISE as Centralized Policy Manager Employee Access Match Conditions: - Device Status = Registered Asset - SSID = Corporate-WiFi - Certificate-based Authentication
Load more

Recommended publications
  • The Essential Guide to Audio Over IP for Broadcasters 2 5
    The Essential Guide To Audio OverIP FOR BROADCASTERS Powerful Performance | Powerful Control | Powerful Savings i 1. Why IP for Broadcast Audio? Reasons to Migrate to Audio over IP ..........................................................................................................8 1. Flexibility ..................................................................................................................................................................................8 2. Cost ...........................................................................................................................................................................................8 3. Scalability ................................................................................................................................................................................9 4. Reliability (yes really!) .........................................................................................................................................................9 5. Availability ..............................................................................................................................................................................9 6. Control and Monitoring .....................................................................................................................................................9 7. Network Consolidation ......................................................................................................................................................9
    [Show full text]
  • EDSA-401 ISA Security Compliance Institute – Embedded Device Security Assurance – Testing the Robustness of Implementations of Two Common “Ethernet” Protocols
    EDSA-401 ISA Security Compliance Institute – Embedded Device Security Assurance – Testing the robustness of implementations of two common “Ethernet” protocols Version 2.01 September 2010 Copyright © 2009-2010 ASCI – Automation Standards Compliance Institute, All rights reserved EDSA-401-2.01 A. DISCLAIMER ASCI and all related entities, including the International Society of Automation (collectively, “ASCI”)provide all materials, work products and, information (‘SPECIFICATION’) AS IS, WITHOUT WARRANTY AND WITH ALL FAULTS, and hereby disclaim all warranties and conditions, whether express, implied or statutory, including, but not limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpose, of reliability or availability, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses, and of lack of negligence, all with regard to the SPECIFICATION, and the provision of or failure to provide support or other services, information, software, and related content through the SPECIFICATION or otherwise arising out of the use of the SPECIFICATION. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION, OR NON- INFRINGEMENT WITH REGARD TO THE SPECIFICATION. WITHOUT LIMITING THE FOREGOING, ASCI DISCLAIMS ALL LIABILITY FOR HARM TO PERSONS OR PROPERTY, AND USERS OF THIS SPECIFICATION ASSUME ALL RISKS OF SUCH HARM. IN ISSUING AND MAKING THE SPECIFICATION AVAILABLE, ASCI IS NOT UNDERTAKING TO RENDER PROFESSIONAL OR OTHER SERVICES FOR OR ON BEHALF OF ANY PERSON OR ENTITY, NOR IS ASCI UNDERTAKING TO PERFORM ANY DUTY OWED BY ANY PERSON OR ENTITY TO SOMEONE ELSE. ANYONE USING THIS SPECIFICATION SHOULD RELY ON HIS OR HER OWN INDEPENDENT JUDGMENT OR, AS APPROPRIATE, SEEK THE ADVICE OF A COMPETENT PROFESSIONAL IN DETERMINING THE EXERCISE OF REASONABLE CARE IN ANY GIVEN CIRCUMSTANCES.
    [Show full text]
  • Ethernet Basics Ethernet Basics
    2016-09-24 Ethernet Basics based on Chapter 4 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Ethernet Basics • History • Ethernet Frames • CSMA/CD • Obsolete versions • 10Mbps versions • Segments • Spanning Tree Protocol 1 2016-09-24 Ethernet – Early History • 1970: ALOHAnet, first wireless packet-switched network - Norman Abramson, Univ. of Hawaii - Basis for Ethernet’s CSMA/CD protocol - 1972: first external network connected to ARPANET • 1973: Ethernet prototype developed at Xerox PARC - (Palo Alto Research Center) - 2.94 Mbps initially • 1976: "Ethernet: Distributed Packet Switching for Local Computer Networks" published in Communications of the ACM. - Bob Metcalfe and David Boggs - sometimes considered “the beginning of Ethernet” Ethernet goes Mainstream • 1979: DEC, Intel, Xerox collaborate on a commercial Ethernet specification - Ethernet II, a.k.a. “DIX” Ethernet - (Digital Equipment Corporation) • 1983: IEEE 802.3 specification formally approved - Differs from Ethernet II in the interpretation of the third header field • 1987: alternatives to coaxial cables - IEEE 802.3d: FOIRL, Fiber Optic Inter-Repeater Link - IEEE 802.3e: 1 Mbps over Twisted Pair wires (whoopee!) • 1990: Twisted-Pair wiring takes over - IEEE 802.3i: 10 Mbps over Twisted-Pair – 10Base-TX, 10Base-T4 2 2016-09-24 the Future is Now (next chapter) (and Now is so Yesteryear…) 1995 – Now: speed and cabling improvements • 1995: 100Mbps varieties • 1999: 1Gbps on twisted-pair • 2003-2006: 10Gbps on optical fiber and UTP • 2010: 40Gbps, 100Gbps (802.3ba) - optical fiber or twinaxial cable - point-to-point physical topology; for backbones • 2016, September: 2.5GBase-T, 5GBase-T ? - who knows? What Is Ethernet? • Protocols, standards for Local Area Networks » Ethernet II, IEEE 802.3 • Specifies Physical-layer components - Cabling, signaling properties, etc.
    [Show full text]
  • Medium Access Control (MAC)
    1 Medium Access Control 2 Medium Access Control (1) The Network H2 H4 H1 H3 Broadcast networks have possibility of multiple access (MA) to a channel medium access control describes how we resolve the conflict assume only one channel available for communication additional channels would also be the subject of MAC 3 Medium Access Control (2) The Network H2 H4 H1 H3 4 Medium Access Control (3) The Network H2 H4 H1 H3 5 Medium Access Control (4) The Network H2 H4 H1 H3 assume when two frames overlaps at the Rx then both are lost, and thus both must be retransmitted assumption always be true in LANs in broadcast WANs might not be true 6 ALOHA protocol You can do nothing for MAC . The Network The Network The Network The Network H2 H4 H2 H4 H2 H4 H2 H4 H1 H3 H1 H3 H1 H3 H1 H3 ALOHA is contention based: a host may broadcast whenever necessary higher layers spot errors caused by collisions, and do retransmission 7 Performance of ALOHA H n vulnerable period for -1 start (λt) −λt Pn(t)= e t1 + t2 n! H1 To find p from Poisson Equation - t set t = 2T, λ = µG, n = 0: t2 -1 0 (µ 2T ) − H2 p = G e µG2T t1 + t2 - 0! −µG2T vulnerable period for H2 start p = e µ − S = e µG2T Let t1 = t2 = T µG µS successfully sent per second −µG2T µS = µGe µG sent (including failures) per second p is probability frame has no collisions µST frames are delivered in T µ seconds p = S µG −µG2T ρ = µST = µGe T 8 Is ALOHA good? ρ 6 0.4 0.3 0.2 0.1 0.0 - 0.0 0.5 1.0 1.5 2.0 2.5 3.0 µGT load of 50% gives maximum efficiency of 18% not a very satisfactory performance no way of assuring that even this maximum efficiency is reached 9 Improving basic ALOHA 1.
    [Show full text]
  • Ethernet (IEEE 802.3)
    Computer Networking MAC Addresses, Ethernet & Wi-Fi Lecturers: Antonio Carzaniga Silvia Santini Assistants: Ali Fattaholmanan Theodore Jepsen USI Lugano, December 7, 2018 Changelog ▪ V1: December 7, 2018 ▪ V2: March 1, 2017 ▪ Changes to the «tentative schedule» of the lecture 2 Last time, on December 5, 2018… 3 What about today? ▪Link-layer addresses ▪Ethernet (IEEE 802.3) ▪Wi-Fi (IEEE 802.11) 4 Link-layer addresses 5 Image source: https://divansm.co/letter-to-santa-north-pole-address/letter-to-santa-north-pole-address-fresh-day-18-santa-s-letters/ Network adapters (aka: Network interfaces) ▪A network adapter is a piece of hardware that connects a computer to a network ▪Hosts often have multiple network adapters ▪ Type ipconfig /all on a command window to see your computer’s adapters 6 Image source: [Kurose 2013 Network adapters: Examples “A 1990s Ethernet network interface controller that connects to the motherboard via the now-obsolete ISA bus. This combination card features both a BNC connector (left) for use in (now obsolete) 10BASE2 networks and an 8P8C connector (right) for use in 10BASE-T networks.” https://en.wikipedia.org/wiki/Network_interface_controller TL-WN851ND - WLAN PCI card 802.11n/g/b 300Mbps - TP-Link https://tinyurl.com/yamo62z9 7 Network adapters: Addresses ▪Each adapter has an own link-layer address ▪ Usually burned into ROM ▪Hosts with multiple adapters have thus multiple link- layer addresses ▪A link-layer address is often referred to also as physical address, LAN address or, more commonly, MAC address 8 Format of a MAC address ▪There exist different MAC address formats, the one we consider here is the EUI-48, used in Ethernet and Wi-Fi ▪6 bytes, thus 248 possible addresses ▪ i.e., 281’474’976’710’656 ▪ i.e., 281* 1012 (trillions) Image source: By Inductiveload, modified/corrected by Kju - SVG drawing based on PNG uploaded by User:Vtraveller.
    [Show full text]
  • Traffic Generation
    WHITEPAPER Joan d’Austria, 112 - Barcelona - SP - 08018 Chalfont St Peter - Bucks - UK - SL9 9TR www.albedotelecom.com Ethernet Traffic Generation One of the key features of Ether.Genius / Ether.Sync / Ether.Giga tester fami- lies is the ability to generate traffic with deterministic and random bandwidth profiles. The traffic generation feature can be used to stress the network, sim- ulate user traffic and, if a suitable payload is configured, to measure critical net- work performance parameters like bit errors, packet loss or latency. The above mentioned Ethernet testers manufactured by ALBEDO, have eight in- dependent full featured traffic generators attached to the main test port (Port A). Each traffic flow may be configured with specific encapsulation and ad- dressing parameters thus providing great versatility in all applications requiring Ethernet and IP traffic generation. 1. GENERATION OF ETHERNET TRAFFIC In Ether.Genius / Ether.Sync / Ether.Giga testers, generation of custom Ether- net frames is available for Port A in Ethernet endpoint mode through the Frame, Bandwith profile and Payload settings for each of the eight available traffic flows. This is a short description of the Ethernet traffic generation menus: Figure 1 ALBEDO Ether.Giga is a field tester for Ethernet equipped with all the features to install and maintain Ethernet infrastructures supporting legacy features such as BER and RFC2544 while new test such as eSAM Y.1564. All rights reserved. No part of this document may be stored, copied or transmitted, by any means,
    [Show full text]
  • Ethernet Explained
    Technical Note TN_157 Ethernet Explained Version 1.0 Issue Date: 2015-03-23 The FTDI FT900 32 bit MCU series, provides for high data rate, computationally intensive data transfers. One of the interfaces used for this high speed communication is Ethernet. This application note discusses some of the key features of an Ethernet link and how the FT900 assists in establishing the link. Use of FTDI devices in life support and/or safety applications is entirely at the user’s risk, and the user agrees to defend, indemnify and hold FTDI harmless from any and all damages, claims, suits or expense resulting from such use. Future Technology Devices International Limited (FTDI) Unit 1, 2 Seaward Place, Glasgow G41 1HH, United Kingdom Tel.: +44 (0) 141 429 2777 Fax: + 44 (0) 141 429 2758 Web Site: http://ftdichip.com Copyright © 2015 Future Technology Devices International Limited Technical Note TN_157 Ethernet Explained Version 1.0 Document Reference No.: FT_001105 Clearance No.: FTDI# 442 Table of Contents 1 Introduction .................................................................................................................................... 3 1.1 Scope ....................................................................................................................................... 3 2 What is Ethernet? ........................................................................................................................... 4 2.1 Speeds ....................................................................................................................................
    [Show full text]
  • 10/100 Mb/S Ethernet Frame Processor Agilent Technologies Broadband Series Test System
    10/100 Mb/s Ethernet Frame Processor Agilent Technologies Broadband Series Test System E6282A Product Features • Dual port 10/100 Ethernet module for the BSTS • Enables LAN-LAN, LAN-ATM and LAN-WAN interworking • Comprehensive real-time analysis and filtering • IP CoS stimulus/response testing • Functional and performance IP testing • More than 100 protocols supported • Error injection and the ability to transmit non-conforming streams • Over 200 real-time measurements • Full and half duplex configuration support • Network Services including RIP, Ping and full Main control dialog for the dual port E6282A Ethernet Frame Processor showing key operational modes ARP implementation and interface type, duplex and rate. The Agilent Technologies E6282A This module works seamlessly with Key Benefits 10/100 Mb/s Ethernet Frame Processor other BSTS ATM or frame relay brings LAN interworking and native modules to form the foundation of a Interworking with BSTS ATM and Frame Ethernet testing to the BSTS. As with functional interworking test. Relay modules all BSTS modules, the Ethernet Frame Important test connection modes The Ethernet Frame Processor is a Processor has a rich set of test features supported include: fully integrated BSTS module. It can tailored for equipment design and be used as a stimulus/response tester network test applications. • Dual Channel Emulation and debugging tool for native LAN, • Transmit Monitor You can create LAN Protocol Data WAN and ATM when used in • Active Monitor Units (PDUs) such as IP, send them conjunction with E4209B Cell individually or use the capabilities Physical layer support includes a Protocol Processor, E4206A T1/E1 provided by the traffic generator to choice of RJ45 or Media Independent Frame Processor, or E4207A create complex traffic streams.
    [Show full text]
  • Ethernet Theory of Operation
    AN1120 Ethernet Theory of Operation Author: M. Simmons However, with ubiquitous deployment, internet Microchip Technology Inc. connectivity, high data rates and limitless range expansibility, Ethernet can accommodate nearly all wired communications requirements. Potential INTRODUCTION applications include: This document specifies the theory and operation of • Remote sensing and monitoring the Ethernet technology found in PIC® MCUs with • Remote command, control and firmware updating integrated Ethernet and in stand-alone Ethernet • Bulk data transfer controllers. • Live streaming audio, video and media • Public data acquisition (date/time, stock quotes, Ethernet technology contains acronyms and terms news releases, etc.) defined in Table 1. THEORY OF OPERATION APPLICATIONS Ethernet is a data link and physical layer protocol Ethernet is an asynchronous Carrier Sense Multiple defined by the IEEE 802.3™ specification. It comes in Access with Collision Detect (CSMA/CD) many flavors, defined by maximum bit rate, mode of protocol/interface, with a payload size of 46-1500 octets. transmission and physical transmission medium. With data rates of tens to hundreds of megabits/second, it is generally not well suited for low-power applications. • Maximum Bit Rate (Mbits/s): 10, 100, 1000, etc. • Mode of Transmission: Broadband, Baseband • Physical Transmission Medium: Coax, Fiber, UTP, etc. TABLE 1: ETHERNET GLOSSARY Term Definition CRC Cyclic Redundancy Check: Type of checksum algorithm used when computing the FCS for all Ethernet frames and the hash table key for hash table filtering of receive packets. DA Destination Address: The 6-octet destination address field of an Ethernet frame. ESD End-of-Stream Delimiter: In 100 Mb/s operation, the ESD is transmitted after the FCS (during the inter-frame gap) to denote the end of the frame.
    [Show full text]
  • Gigabit Ethernet (802.3Z)
    Ethernet Computer Networks Lecture 4 The History of Ethernet Originally: DIX Ethernet (DEC-Intel-Xerox, Ethernet II) - 10Mbps. No LLC sublayer Later standardized as: IEEE 802.3 Frame format has changed: (type/length field interpretation). Both frame formats are being used today even on the same medium 2 Naming of Ethernet Family Members According to IEEE 802.3 Today, Ethernet is a whole technology suite with a common frame format (both LAN and WAN technologies) {Mbps|GbpsG}{Base|Broad}{seg_len/100[m]|-medium} Medium: T/TX – Twisted Pair, F/LX/SX/… – Fiber optic, … Examples: 10Base5,10Base5, 10Base-T,10Base-T, 100Base-LX10,100Base-LX10, 10GBase-T10GBase-T 3 Half-duplex Ethernet MAC Access Protocol: CSMA/CD p-persistant Maximum signal delay in the Ethernet network is defined to be 51,2 microseconds 2x maximum time of signal propagation + delays incured by repeaters/hubs Corresponds to 512 bit intervals (64B) at 10Mb/s Implies the maximum network reach and maximum number of repeaters/hubs with a standardized maximum signal delay (5-4-3 rule) A station that detects collision sends a jam signal which helps other stations to detect the collision to limit the duration of a collision Exponential backoff is applied after a collision 4 Half-duplex and Full-duplex Ethernet Half duplex – colission envirnment (CSMA/CD) In half-duplex mode we have to adhere CSMA/CD timing that implies the maximum cable lengths Full duplex – colission-free (switched) environment For compatibility with half-duplex NICs, P2P links may also operate in half-duplex mode 5 Duplex and Speed Autonegotiation Stations may automatically negotiate duplex mode and speed (10/100/1000 Mb/s).
    [Show full text]
  • 10-Gbps Ethernet Reference Design User Guide
    10-Gbps Ethernet Reference Design User Guide c The IP described in this document is scheduled for product obsolescence and discontinued support as described in PDN1207. Therefore, Altera® does not recommend use of this IP in new designs. For more information about Altera’s current IP offering, refer to Altera’s Intellectual Property website. 101 Innovation Drive IP Core Version: 11.0 San Jose, CA 95134 Document Date: December 2011 www.altera.com i–2 © December 2011 Altera Corporation 10-Gbps Ethernet Reference Design User Guide UG-01076-5.0 1. 10-Gbps Ethernet IP Datasheet This datasheet describes the Altera® 10-Gbps Ethernet IP core which implements the IEEE 802.3 2005 and 802.1Q Ethernet standards. You can use the Quartus® II software to parameterize and implement this IP core in your design. The 10-Gbps Ethernet IP core is highly configurable. It includes an Ethernet Media Access Controller (MAC) with an Avalon® Streaming (Avalon-ST) interface on the client side, and a XAUI or a standard XGMII interface on the network side. The XAUI interface is implemented as hard IP in an Altera FPGA transceiver or as soft logic, which results in a soft 10GBASE-X XAUI PCS. Alternatively, you can choose to implement a 10-Gbps Ethernet IP core that includes only the MAC or the soft XAUI PCS. Figure 1–1 illustrates the top-level modules of this IP core. 1 Altera categorizes this IP core as a reference design, described on the Altera website on the 10-Gbps Ethernet Reference Design web page. Figure 1–1.
    [Show full text]
  • Synchronized Real Time Audio Streaming Over Ethernet in Embedded Systems
    Synchronized real time audio streaming over ethernet in embedded systems A thesis submitted for the degree Master of Science in Information Technology submitted by Indumathi Duraipandian 926286 Fachbereich Informatik und Elektrotechnik Fachhochschule Kiel January 2018 Declaration of Authorship I, Indumathi Duraipandian, declare that this thesis titled, `SYNCHRONIZED REAL TIME AUDIO STREAMING OVER ETHERNET IN EMBEDDED SYSTEMS' and the work presented in it are my own. I confirm that: This work was done wholly or mainly while in candidature for a research degree at this University. Where any part of this thesis has previously been submitted for a degree or any other qualification at this University or any other institution, this has been clearly stated. Where I have consulted the published work of others, this is always clearly at- tributed. Where I have quoted from the work of others, the source is always given. With the exception of such quotations, this thesis is entirely my own work. I have acknowledged all main sources of help. Where the thesis is based on work done by myself jointly with others, I have made clear exactly what was done by others and what I have contributed myself. Signed: Date: i Abstract In any complex audio video networks such as professional audio recording studios, au- tomotive or in-flight infotainment systems, concert avenues or even home entertainment systems, the connection between the various audio/ video sources and sinks are mostly analog, point to point and serve a single purpose. This leads to tonnes of confusing cables, each cable serving a specific data exchange. Even the digital solutions such as I2S, S/PDIF, AES3 for short distance connections, most for automotive applications and Firewire (IEEE 1394), HDMI or audio over USB for high bandwidth applications, still require purpose built cables and proprietary software to work correctly and still they lack interoperability.
    [Show full text]