Posted: February 16th, 2010 | Author: charlie | Filed under: Networking | Tags: ccie, ccna, cisco, networks | No Comments »
Let’s talk about TCAM hardware, Cisco SDM templates, and try to answer that elusive question: “why do I have to reboot my router to enable certain features, which in turn disables others?”
First, CAM stands for Content Addressable Memory. A CAM is a special type of memory; some would say the opposite of RAM. With normal computer memory (RAM) the operating system provides an address, and receives the data stored at the supplied address. With a CAM, the operating system supplies the data, and the CAM returns a list of addresses where the data is stored, if it finds any. Furthermore, a CAM searches the entire memory in one operation, so it is considerably faster than RAM.
CAMs are very expensive, so they aren’t normally found in PCs. Even router vendors will sometimes skimp, opting to instead implement advanced software-based searching algorithms to plod through RAM. Most commonly, CAMs and TCAMs are found in network processing devices, including Intel IXP cards and various routers or switches. The most commonly implemented CAMs are called binary CAMs. They search only for ones and zeros; a simple operation. MAC address tables in switches commonly get stored inside binary CAMs. You can bet that any switch capable of forwarding Ethernet frames at line-speed gigabit is using CAMs for lookups. If they were using RAM, the operating system would have to remember the address where everything is stored. With CAMs, the operating system can find what it needs in a single operation. In this case the desired data is the switchport that data should be sent out, based on the given MAC address, i.e. the essence of a MAC table. Some older Cisco switches running CatOS even opted to call this table the cam table, thereby causing great confusion across the land. Bridge table, forwarding table, mac-address table, cam table; it’s all the same.
(Image: A Renesas TCAM)
Finally, a TCAM is a Ternary CAM. This allows the operating system to match a third state, “X.” The X state is a mask, which means you don’t care what it is. This naturally lends itself to networking, since netmasks operate this way. To calculate a subnet address we mask the bits we don’t care about, and then apply the logical AND operation to the rest. Being able to do this in hardware is a great benefit for routers. Additionally, routers can store their entire routing table in these TCAMs, allowing for very quick lookups. A router with routing tables in TCAMs can find the next-hop destination in a single operation every time instead of trying to search through a tree (or other data structure) in RAM.
Hardware can sometimes seem like magic, but it isn’t always transparent. When configuring routers most people will run into a situation where enabling a new feature will require that the Cisco SDM (Switching Database Manager) template be changed. This template is actually a method Cisco uses to assign specific applications to specific TCAM resources.
Some routers will allow you to manually specify how much TCAM space you want to allocate to a specific feature. Others aren’t so nice. They make you choose from a few restrictive templates, which allocate the resources automatically based on a few predetermined settings. For example, on the Cisco 3750, we recently wanted to enable policy-based routing (PBR) to implement a layer 3 jail. The basic idea with template-only routers is that you have to choose where you want most of the optimizations, and compromise on the rest.
For this platform, there are four templates: default, routing, PBR, and VLAN. Each of these tries to allow for a bit more resources allocated to the specified task. For policy routing, we’d have to choose “routing” or “PBR,” which in turn limits the number of unicast MAC addresses that can be held in TCAMs. Likewise, selecting a VLAN template will make PBR impossible, but allow for more VLAN database information to be held in TCAMs. There are always compromises when we need to use more advanced features. Keeping true to the spirit of router operating systems, there are also some mysterious side-effects when a new template is chosen. On our specific router, if the PBR template is chosen, the router will become unable to support VPN routing/forwarding tables (VRF). The next unsightly gotcha is that with the IOS version that supports IPv6, you cannot even enable PBR. There is no template to allow both policy routing and IPv6.
Perhaps the main idea of TCAM allocation still isn’t clear. Just because, for example, 8K is allocated to routing tables, this doesn’t mean that you can only have a routing table of that size. There’s always the fallback of process switching. Process switching means that everything will be done by the processor instead of in hardware (TCAMs). Processor intervention is not desirable, mostly because it is much slower than hardware lookups. Also, the processor is supposed to be used for things like sending logs to a syslog server and controlling SSH sessions. If a router doing process switching gets really busy, it may be unable to service your console access attempts. Generally speaking, the more expensive the router, the less it will use the processor.
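The masked-match lookup and the “TCAM is full, fall back to the processor” behaviour described above, as an added example that is not part of the original post: a small Python model of a ternary CAM holding an IPv4 forwarding table. Every entry stores a value and a care/don’t-care mask; a lookup compares the key against every entry in one pass and keeps the longest matching prefix. The `Router` class, its three-entry hardware capacity, the prefixes and the next-hop names are all constructed for illustration, and the fallback logic (look up both tables, prefer the more specific route, report which table answered) is a simplification, not a description of any particular Cisco platform’s punting behaviour.

```python
from dataclasses import dataclass
from typing import Optional

def ip_to_int(dotted: str) -> int:
    """Dotted-quad text to a 32-bit integer (assumes a well-formed address)."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def prefix_mask(length: int) -> int:
    """Care-mask for a /length prefix; /0 yields all don't-care bits."""
    return (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF

@dataclass(frozen=True)
class Entry:
    value: int       # bits that must match once the key is masked
    mask: int        # 1 = compare this bit, 0 = the ternary "X" (don't care)
    prefix_len: int  # ties are broken by longest prefix
    next_hop: str

def make_entry(prefix: str, next_hop: str) -> Entry:
    """Build a TCAM entry from 'network/len' (hypothetical helper)."""
    net, length = prefix.split("/")
    mask = prefix_mask(int(length))
    return Entry(ip_to_int(net) & mask, mask, int(length), next_hop)

def ternary_match(entries: list, key: int) -> Optional[Entry]:
    """One pass over all entries, like a CAM searching its whole memory at once."""
    best = None
    for e in entries:
        if (key & e.mask) == e.value and (best is None or e.prefix_len > best.prefix_len):
            best = e
    return best

class Router:
    """Hardware table with a fixed capacity plus a software table for the overflow."""

    def __init__(self, tcam_capacity: int):
        self.tcam_capacity = tcam_capacity   # stands in for the SDM allocation
        self.tcam: list = []
        self.software_rib: list = []         # routes the processor must handle

    def add_route(self, prefix: str, next_hop: str) -> str:
        e = make_entry(prefix, next_hop)
        if len(self.tcam) < self.tcam_capacity:
            self.tcam.append(e)
            return "hardware"
        self.software_rib.append(e)          # TCAM full: process switching fallback
        return "software"

    def forward(self, dst: str) -> tuple:
        """Return (next_hop, table) for a destination; the more specific route wins."""
        key = ip_to_int(dst)
        hw = ternary_match(self.tcam, key)
        sw = ternary_match(self.software_rib, key)
        if sw and (hw is None or sw.prefix_len > hw.prefix_len):
            return sw.next_hop, "software"
        if hw:
            return hw.next_hop, "hardware"
        return None, "none"

def demo_router() -> Router:
    """Constructed sample table: only three entries fit in 'hardware'."""
    r = Router(tcam_capacity=3)
    for prefix, nh in [("0.0.0.0/0", "isp"), ("10.0.0.0/8", "core"),
                       ("10.1.0.0/16", "dc1"), ("10.1.2.0/24", "rack7")]:
        r.add_route(prefix, nh)
    return r

if __name__ == "__main__":
    r = demo_router()
    for dst in ("10.1.2.5", "10.1.9.9", "10.7.0.1", "8.8.8.8"):
        print(dst, "->", r.forward(dst))
```

Running it shows `10.1.2.5` answered from the software table because the /24 did not fit, while the other destinations are resolved entirely by the masked compare in the modelled TCAM.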
Hardware is finite, and we always need more. More expensive routers don’t always suffer from the constant struggle for TCAMs because they have enough to support most features that currently exist. Unfortunately, most companies won’t want to purchase the latest and greatest router with seemingly endless hardware resources unless they can justify the added cost by showing a current need for them. So, most of us are stuck having to adjust TCAM allocations.
Further reading: an interesting blog from Plixer.
Posted: February 14th, 2010 | Author: charlie | Filed under: Networking, Security | Tags: ccna, cisco, networks, Security | No Comments »
Another new feature available in IOS (12.3) is Cisco’s Intrusion Prevention System. An IDS has been part of IOS for a long time, but they recently took it a step further. As part of its Self-Defending Network campaign, Cisco realized that an IPS should be integrated into the network fabric. We’ll explain what this means, and show you how to implement it.
Actively preventing the attack makes it an IPS. The standard old IDS solution means that it can detect and alert, but blocking attacks is not normally part of an IDS’s feature set. Thus, if you want to prevent attacks rather than just receive alerts, you need an IPS. Cisco’s IPS works like any other: you get a signature file, called the Signature Definition File (SDF) by Cisco, and if the IPS finds that a packet matches a signature, it’s blocked.
There are appliances, Catalyst switch modules, and router modules, but IPS is also built-in to certain IOS images now. Since Cisco claims IPS features won’t impact router performance (since the latest release), it may be possible to skip the purchase of a dedicated module for IPS.
The catch, of course, is that an IPS is not robust without constant signature updates. Attacks are constantly evolving, and without an update you aren’t protected against the latest and greatest attacks. Something completely new could sneak in, but the idea is that after the first few attacks Cisco will update the SDF and you’ll be notified that it’s time to download a new version. That’s right, you have to manually download and install a new signature file. This requires a subscription service above and beyond what you pay for SMARTnet. Services for IPS, as it’s called, provides SDF updates and the other features (support, warranty) that SMARTnet does as well. Accordingly, your SMARTnet contract is discounted when you purchase a Cisco Services for IPS contract, according to Cisco’s Q&A documentation.
Configuring IPS for Sensor Modules
There are many different cases for configuring IPS depending on your device. First, we’ll show you how to enable it on any IPS sensor module that runs IPS 5.1 or later, then we’ll show you how to take advantage of the IOS built-in default IPS features.
The IDS Device Manager (IDM) is a graphical interface for configuring all IDS (and IPS) functionality. If you prefer that, then refer to the Cisco documentation after reading about how it’s done via the CLI here.
The general idea we’re working with here is called the VLAN pair method. This means that we’ll configure two VLANs in a pair group, and all traffic received by a sensor will be inspected and either forwarded on to the other VLAN, or dropped. Up to 255 VLAN pairs can be configured on most sensors.
First we enter configuration mode, then the service interface, and finally select the physical interface that we wish to configure:
sensor#configure terminal
sensor(config)#service interface
sensor(config-int)#physical-interfaces GigabitEthernet0/1
Next, we must configure the VLAN pair (and give it a meaningful description):
sensor(config-int-phy)#subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)#subinterface 1
sensor(config-int-phy-inl-sub)#vlan1 10
sensor(config-int-phy-inl-sub)#vlan2 11
sensor(config-int-phy-inl-sub)#description vlans 10 and 11
Conceptually, the interface will now be added to a virtual sensor, and once it’s enabled it will monitor traffic. We now need to enable a virtual sensor:
sensor(config)#service analysis-engine
sensor(config-ana)#virtual-sensor vs0
Once that’s completed, we simply add the previously-defined subinterface to the sensor, and we’re done:
sensor(config-ana-vir)#physical-interface GigabitEthernet0/1 subinterface-number 1
Configuring IPS for IOS
You can enable IPS features in IOS using the default SDF. Signatures may be added manually to the SDF, or you can pay Cisco for the latest signatures.
First we need to enable what’s called Security Device Event Exchange notifications:
router(config)#ip ips notify sdee
Then we must configure an IPS rule name that will be used for associating with interfaces.
router(config)# ip ips name MYIPSRULES
The next step is to specify where the SDF file will come from. The following command specifies that the file 256MB.sdf can be found in flash memory. You can also specify tftp or any other protocol your Cisco knows how to handle, but it’s best to use flash memory to ensure no dependencies on other servers.
router(config)# ip ips sdf location flash:256MB.sdf
Finally, we simply enable IPS on the interface (in both directions). It is also a good idea to enable IP reassembly on the interface, so that the IPS rule can evaluate entire IP packets at once.
router(config)#interface fastEthernet 0
router(config-if)#ip ips MYIPSRULES in
router(config-if)#ip ips MYIPSRULES out
router(config-if)#ip virtual-reassembly
Now you have a working IPS, based on the file in your flash called 256MB.sdf. That file must be downloaded from Cisco using your CCO login linked to a valid support contract.
The Power of Community
If you don’t feel like paying Cisco for signature updates, you can update the SDF yourself. When a new attack surfaces, you’ll often find Cisco IPS XML signatures posted to various online forums. You can and should use them.
To view your current SDF version, you can run: sh ip ips signatures
To merge the IPS SDF configuration with new information, you can copy in an XML file. Just like copying in any configuration snippet, the updates will be merged, not replaced. Say we got sigs.xml from a helpful network operator. To enable these signatures, we simply run:
router#copy tftp://server.fqdn/sigs.xml ips-sdf
That’s it! You’ll see that 256MB.sdf on the flash memory is now a bit larger. It’s a good idea (and is recommended by Cisco) to rename 256MB.sdf to avoid confusion, now that you are no longer running a Cisco-sanctioned version.
Enabling IPS on supported routers is quite easy, but can lead to some interesting troubleshooting sessions. Be sure you have a syslog server that your routers all log to: it will save hours of work. Also, search around; you may find a source for XML updates that you wish to trust, and then it’s pretty easy to automate daily merges into your local SDF.
Posted: February 13th, 2010 | Author: charlie | Filed under: Networking 101 | Tags: ccna, cisco, networks | No Comments »
Networks don’t work without addresses: whenever you are sending something, you need to specify where it should go, and where it came from. To be an effective network engineer or administrator, you need to understand IP addresses backwards and forwards: you need to be able to think on your feet. If something breaks, likely as not some address assignment has been screwed up. And spotting the problem quickly is likely to be the difference between being the hero, or the guy who “takes a long time to fix the problem.” Before covering subnetting in the next Networking 101 installment, we’d like to thoroughly explore IP addresses in their primal form. This is crucial to understanding subnets.
IPv4 Addresses and 32-bit Numbers
IP addresses are just 32-bit binary numbers, but they’re important binary numbers: you need to know how to work with them. When working with subnet masks, new network administrators generally get confused with the ones they haven’t memorized. All the subnet mask amounts to is moving the boundary between the part of the address that represents a “network” and the part that represents a “host.” Once you’re comfortable with this method of thinking about IP addresses and masks, you’ve mastered IP addressing.
Binary is quite simple. In binary the only numbers are zeros and ones, and a 32-bit number holds 32 zeros and ones. We’re all used to base-10 numbers, where each place in a number can hold any number from 0-9. In binary each place holds either a zero or a one. Here’s the address 255.255.255.0 in binary:
11111111.11111111.11111111.00000000
For convenience, network engineers typically break IP addresses into four 8-bit blocks, or octets. In an 8-bit number, if all of the bits are set to 1, then the number is equal to 255. In the previous address, 11111111 represents 255 and 00000000 represents zero.
The way binary really works is based on powers of two. Each bit represents a different power-of-two. Starting at the left-hand side, the most significant bit, numbers form in the following manner:
| Power-of-two | 2^32 | ... | 2^7 | 2^6 | 2^5 | 2^4 | 2^3 | 2^2 | 2^1 | 2^0 |
| Decimal | 4,294,967,296 | ... | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
The result is additive, meaning that if all bits are set, you simply add the power-of-two value up for each place. For example, if we have an 8-bit number, 11111111, we simply add: 2^7 + 2^6 + 2^5 + 2^4 + 2^3 + 2^2 + 2^1 + 2^0 = 255
Try a non-trivial example now: 11110000
We can see that four bits are “set” in the above 8-bit number. Summing the power-of-two values in those places yields: 2^7 + 2^6 + 2^5 + 2^4 = 240
It is just that simple. If you can convert a binary number to decimal form, you can easily figure out subnet masks and network addresses, and we’ll show you how in the next issue of Networking 101.
Focusing on 32-bit IPv4 addresses themselves now, there are a few different types that need to be understood. All IP addresses can be in the range 0.0.0.0 to 255.255.255.255, but some have special uses.
Loopback:
Packets that will not leave the host, i.e. they will not traverse an external network interface. Example: 127.0.0.1
Unicast:
Packets that are destined for a single IP address. Example: 2.2.2.2
Multicast:
Packets that will be duplicated by the router, and eventually routed by multicast routing mechanisms. Example: 226.0.0.2
Limited Broadcast:
A broadcast packet, sent to every host, limited to the local subnet. Example: 255.255.255.255
Directed Broadcast:
Packets that are routed to a specific subnet, and then broadcast. Example, assuming we are not on this subnet: 1.1.1.255
There are also some special cases of IP addresses, including private and multicast addresses. Addresses in the range 224.0.0.0 – 239.255.255.255 are reserved for multicast. Everything below that range is fair game on the Internet, excluding addresses reserved by RFC 1918 and a few other special-purpose assignments. These “1918 addresses” are private addresses, meaning Internet routers will not route them. The ranges include:
- 10.0.0.0 – 10.255.255.255
- 172.16.0.0 – 172.31.255.255
- 192.168.0.0 – 192.168.255.255
These IP addresses can be assigned locally to as many computers as you want, but before those computers access the Internet, the addresses must be translated to a globally routable address. This is commonly done via Network Address Translation (NAT). The 1918 addresses aren’t the only reserved spaces, but they are defined to be “site local.” Multicast also has a reserved range of addresses that aren’t designed to escape onto the Internet: 224.0.0.0 – 224.0.0.255 are multicast “link-local” addresses.
To give the necessary background for the next issue of Networking 101, we need to make sure everyone understands the concept of a local subnet. Once we have assigned a valid IP address to a computer, it will be able to speak to the local network, assuming the subnet mask is configured properly. The subnet mask tells the operating system which IP addresses are on the local subnet and which are not. If an IP we wish to talk to is located on the local subnet, then the operating system can speak directly to it without using the router. In other words, it can ARP for the machine, and just start talking.
IP address and subnet mask configuration is fairly straightforward for general /24 networks. The standard 255.255.255.0 mask means that the first three octets are the network address, and the last part is reserved for hosts. For example, a computer assigned the IP of 10.0.0.1 and a mask of 255.255.255.0 (a /24, or 24-bits if you write it out in binary) can talk to anyone inside the range 10.0.0.1-10.0.0.255.
Be sure to digest everything here, because in part two we’ll get to the meat of subnetting with CIDR.
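The binary arithmetic, the address types and the “is this host on my local subnet?” test from this article, as an added example that is not part of the original post: plain Python that renders octets bit by bit, applies the additive power-of-two rule, masks an address to get its network and broadcast, and classifies an address the way the list above does. It goes slightly beyond the text in treating all of 127.0.0.0/8 as loopback (not just 127.0.0.1) and in deciding “directed broadcast” from a supplied mask; the range table `RFC1918` and all sample addresses are constructed for illustration.

```python
def octet_to_binary(n: int) -> str:
    """One octet as eight bits, most significant (2**7) first."""
    return "".join("1" if n & (1 << bit) else "0" for bit in range(7, -1, -1))

def binary_to_int(bits: str) -> int:
    """The additive rule: add 2**position for every bit that is set."""
    return sum(2 ** i for i, b in enumerate(reversed(bits)) if b == "1")

def ip_to_binary(dotted: str) -> str:
    """Dotted quad to the four-octet binary form used in the article."""
    return ".".join(octet_to_binary(int(o)) for o in dotted.split("."))

def ip_to_int(dotted: str) -> int:
    """Pack four octets into one 32-bit integer (assumes well-formed input)."""
    value = 0
    for octet in dotted.split("."):
        value = (value << 8) | int(octet)
    return value

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def network_address(ip: str, mask: str) -> str:
    """Mask the host bits away: the logical AND described for subnet math."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))

def broadcast_address(ip: str, mask: str) -> str:
    """Set every host bit to one."""
    host_bits = ~ip_to_int(mask) & 0xFFFFFFFF
    return int_to_ip(ip_to_int(ip) | host_bits)

def same_subnet(ip: str, mask: str, other: str) -> bool:
    """True when the OS could ARP for 'other' directly instead of using the router."""
    m = ip_to_int(mask)
    return (ip_to_int(ip) & m) == (ip_to_int(other) & m)

# Constructed table of the private ranges listed in the article (RFC 1918).
RFC1918 = [("10.0.0.0", "10.255.255.255"),
           ("172.16.0.0", "172.31.255.255"),
           ("192.168.0.0", "192.168.255.255")]

def _within(value: int, low: str, high: str) -> bool:
    return ip_to_int(low) <= value <= ip_to_int(high)

def classify(ip: str, mask: str = None) -> str:
    """Name the address type; a mask is needed to recognise a directed broadcast."""
    v = ip_to_int(ip)
    if v == 0xFFFFFFFF:
        return "limited broadcast"
    if (v >> 24) == 127:                       # whole 127/8 block, not just 127.0.0.1
        return "loopback"
    if _within(v, "224.0.0.0", "224.0.0.255"):
        return "link-local multicast"
    if _within(v, "224.0.0.0", "239.255.255.255"):
        return "multicast"
    if mask is not None:
        host_bits = ~ip_to_int(mask) & 0xFFFFFFFF
        if host_bits and (v & host_bits) == host_bits:
            return "directed broadcast"
    if any(_within(v, lo, hi) for lo, hi in RFC1918):
        return "private unicast"
    return "unicast"

if __name__ == "__main__":
    print(ip_to_binary("255.255.255.0"), binary_to_int("11110000"))
    print(network_address("10.0.0.1", "255.255.255.0"),
          broadcast_address("10.0.0.1", "255.255.255.0"))
    for addr in ("127.0.0.1", "2.2.2.2", "226.0.0.2", "255.255.255.255"):
        print(addr, classify(addr))
    print("1.1.1.255", classify("1.1.1.255", "255.255.255.0"))
```

`classify` checks the narrower multicast range before the general one so that 224.0.0.x comes back as link-local; for the directed-broadcast test, passing the mask of the subnet in question is what tells the function which bits are host bits.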