Sunday, July 29, 2012

IPSEC - VPN Notes

IPSEC is a framework for security that operates at the Network Layer by extending the IP packet header (using additional protocol numbers, not IP options). This gives it the ability to encrypt any higher-layer protocol, including arbitrary TCP and UDP sessions, so it offers the greatest flexibility of all the existing TCP/IP cryptosystems. Flexibility, however, often comes at the price of complexity, and IPSEC is no exception. Configuring which addresses and ports to encrypt, and with which IPSEC options, soon begins to look like configuring packet filtering; on top of that come the additional complexities of key management. While conceptually simple, setting up IPSEC is much more complex than installing SSH, for example.

What IPsec Does
IPsec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. IPsec can be used to protect one or more "paths" between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.  (The term "security gateway" is used throughout the IPsec documents to refer to an intermediate system that implements IPsec protocols.  For example, a router or a firewall implementing IPsec is a security gateway.)
The set of security services that IPsec can provide includes access control, connectionless integrity, data origin authentication, rejection of replayed packets (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality.  Because these services are provided at the IP layer, they can be used by any higher layer protocol, e.g., TCP, UDP, ICMP, BGP, etc.

How IPsec Works
IPsec uses two protocols to provide traffic security -- Authentication Header (AH) and Encapsulating Security Payload (ESP).
The IP Authentication Header (AH) [KA98a] provides connectionless integrity, data origin authentication, and an optional anti-replay service.
The Encapsulating Security Payload (ESP) protocol [KA98b] may provide confidentiality (encryption), and limited traffic flow confidentiality.  It also may provide connectionless

The Domain of Interpretation (DOI), a term used in IPsec's ISAKMP/IKE, defines payload formats, exchange types, and conventions for naming security-relevant information such as security policies or cryptographic algorithms and modes.
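As an added illustration (not part of the original notes): the AH and ESP headers described above are recognised from the IP protocol number, and the sequence number both headers carry in the clear is what the anti-replay service checks. The Python below parses constructed AH and ESP packets and runs their sequence numbers through a sliding anti-replay window in the style of RFC 4303; the sample packets, SPIs, addresses and window size are constructed for the example.

```python
import struct

IPPROTO_ESP = 50  # IANA protocol numbers carried in the IPv4 "protocol" field;
IPPROTO_AH = 51   # IPsec is selected by these, not by IP options

def parse_ipsec(packet: bytes):
    """Return ("AH"|"ESP", spi, seq) for an IPv4 packet carrying AH or ESP, else None."""
    # SPI and sequence number are in the clear in both headers, which is what lets
    # a gateway (or a passive monitor) pick the Security Association before any crypto.
    body = packet[(packet[0] & 0x0F) * 4:]        # skip the IPv4 header (IHL words)
    if packet[9] == IPPROTO_AH:
        # AH: next header(1) payload len(1) reserved(2) SPI(4) sequence(4) ICV(...)
        _nxt, _plen, _rsv, spi, seq = struct.unpack("!BBHII", body[:12])
        return ("AH", spi, seq)
    if packet[9] == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])  # ESP: SPI(4) sequence(4) ciphertext...
        return ("ESP", spi, seq)
    return None

class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303: right edge plus bitmap."""
    def __init__(self, size=64):
        self.size, self.right, self.bitmap = size, 0, 0   # bit i set => seq right-i seen
    def accept(self, seq: int) -> bool:
        if seq == 0:                        # first packet on a fresh SA is seq 1
            return False
        if seq > self.right:                # newer than anything seen: slide the window
            self.bitmap = ((self.bitmap << (seq - self.right)) | 1) & ((1 << self.size) - 1)
            self.right = seq
            return True
        diff = self.right - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                    # too old, or a replay of an accepted packet
        self.bitmap |= 1 << diff            # late but still inside the window
        return True

def _ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (checksum left 0) for a 10.0.0.1 -> 10.0.0.2 test packet."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

# Constructed samples: ESP with SPI 0x1000, seq 7; AH with next header 6 (TCP) and 12-byte ICV.
SAMPLE_ESP = _ipv4(IPPROTO_ESP, struct.pack("!II", 0x1000, 7) + b"\x00" * 16)
SAMPLE_AH = _ipv4(IPPROTO_AH, struct.pack("!BBHII", 6, 4, 0, 0x2000, 1) + b"\x00" * 12)

def replay_decisions(seqs, size=64):
    """Feed received sequence numbers through one window; True means accepted."""
    win = ReplayWindow(size)
    return [win.accept(s) for s in seqs]
```

A real implementation only advances the window after the ICV has verified, so a forged packet with a high sequence number cannot slide the window and lock out legitimate traffic.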

Great Sites for Study Material

http://blog.ine.com/

http://packetlife.net/

http://tekcert.com/

http://www.youtube.com/user/Keith6783?feature=watch

Monday, July 16, 2012

WS-X6716-10G Performance Mode

Depending on what kind of traffic you plan to push onto a 6716 module, you might need to run one of the port groups in performance mode. You lose three out of the four ports in that port group when you do this, but you gain a bigger buffer. This is great for bursty traffic like multicast, or when you are spanning multiple ports into one.

Implementation:
6509E(config)#no hw-module slot 8 oversubscription port-group 3

Verification:
6509E#show hw-module slot 8 oversubscription
port-group      oversubscription-mode
1               enabled
2               enabled
3               disabled
4               enabled

Verification (interface status):
6509E#show int te 8/10
TenGigabitEthernet8/10 is administratively down, line protocol is down (disabled for performance)
  Hardware is C6k 10000Mb 802.3, address is 001c.f9d7.e400 (bia 001c.f9d7.e400)

Further Reference: