Posts

Showing posts with the label ONT

E&M-FGD(Feature Group D) vs FGD-EANA(Exchange Access North American)

E&M-FGD
The e&m-fgd setting allows E&M interface connections for PBX trunk lines (tie lines) and telephone equipment to use Feature Group D switched-access service.

FGD-EANA
FGD-EANA is a Feature Group-D (FGD) signaling protocol of type Exchange Access North American (EANA). This provides certain call services, such as emergency (USA-911) calls. FGD can accept ANI and DNIS for inward calls (Network to CPE), but can only provide DNIS for outward calls (CPE to Network). FGD-EANA can also provide ANI and DNIS for outward calls (Network to CPE), but cannot accept ANI for inward calls (CPE to Network). To provide and accept ANI and DNIS at the same time using CAS we can split the T1 into two different ds0 groups. One group is for inbound calls and one group is for outbound calls. This output shows an example:

ds0-group 0 timeslots 1-12 type e&m-fgd
ds0-group 1 timeslots 13-24 type fgd-eana

Cisco Call Manager Express Important Configuration - "create cnf-files"

The following are the most basic commands for registering an IP Phone to Cisco Call Manager Express. One very important command among them is create cnf-files. Without this command, when an IP Phone tries to register to CME, CME will not build the XML files to hand out to the IP Phone. I ran into this problem earlier when trying to connect to the TP Singapore Remote Lab: the VPN was definitely up, but the IP Phone simply could not complete registration. I asked the colleague in Singapore responsible for the Remote Lab to help investigate; he looked for a long time and still could not find the problem. Fortunately Chris Yang helped later, and we finally found that this config was missing on the Remote Lab HQ Router (CME), which solved the problem. Strangely though... several months later, this week I asked the company admin to borrow the CVOICE Remote Lab from Singapore again, and the initial config that had the problem still has it today. Sigh, we are all Chinese, so how can the work attitudes of Chinese in Taiwan and Singapore be so different?

telephony-service
 max-ephones 2
 max-dn 2
 ip source-address 172.16.1.1 port 2000
 create cnf-files
!
!
ephone-dn 1
 number 1001
!
!
ephone 1
 button 1:1

How to Wire a Phone Jack (Voice or Telephone RJ-11 thru RJ-14)

(USOC Wiring Diagram)
Telephone wiring for a phone outlet is typically either 1, 2 or 3 pairs (2, 4, or 6 conductor). Most cable nowadays is UTP (unshielded twisted pair). There may be instances where you need to connect to or transpose from the old "quad" cable. The diagram below provides the transposition between these standards.

Pair 1 (T1 & R1)
Usually the primary dial tone or talk circuit is wired to the center two pins (pins 3 & 4) and is the white/blue and blue/white pair (AKA: T1 & R1 - tip 1 and ring 1). A standard single line phone draws dial tone from these center pins. NOTE: The type of wiring shown here is known as USOC (pronounced U-sock). See background below.

Pair 2 (T2 & R2)
The secondary circuit is wired to the two pins (pins 2 & 5) directly to the side of the center pins and is the white/orange and orange/white pair (AKA: T2 & R2 - tip 2 and ring 2). Depending on the application, the secondary circuit can either be t...

DPNSS Versus QSIG - Can They Coexist?

Many people have heard of QSIG, the standard for interconnection between PBXs, but perhaps fewer have heard of DPNSS. In fact DPNSS is another PBX interconnection standard similar to QSIG, but what exactly are the differences between them, and how did they evolve historically? See the Q&A below: http://www.pqmconsultants.com/coexist.htm

Q. What are DPNSS and QSIG?
DPNSS and QSIG are inter-exchange signalling protocols, primarily intended for the interconnection of nodes in a Corporate telecommunication Network (CN). The interconnection of PABXs using leased circuits is a typical application. Both DPNSS and QSIG are common channel signalling systems based on ISDN technology. They are open standards; that is, they permit signalling between equipment from different vendors.

Q. How did DPNSS come about?
The development of DPNSS commenced in 1981 with the decision by the UK telecomms industry (British Telecom, as was, and a number of PABX manufacturers) to develop a vendor independent private network signalling system. This work resulted in the protocol that is today widely used throughout the UK and elsewhere. The drivers behind DPNSS development are well known. They were...

Wireless AP SSID Cloaking

Remember in Star Trek when the Enterprise was "cloaked" but somehow the Klingons found the ship anyway? Well, there is a way to "cloak" your wireless network. Your SOHO wireless device should have a setting called "Closed Network" or "Broadcast SSID". By either enabling a closed network or disabling the broadcast SSID feature you can hide or cloak your network. The SSID (network name) is transmitted over the air by your device in a broadcast called a "Beacon". Also, many wireless card client utilities transmit empty "Probe Requests" looking for your device. There is a very popular and freely available software program called Network Stumbler that is used by individuals to discover wireless networks. Network Stumbler also sends out blank Probe Requests looking for wireless access points. When you implement a closed network, the SSID is no longer in the Beacon and your wireless gateway will not respond to blank Probe Requests. Ef...

IEEE 802.11b 封包的種類

1. Beacon packets: A typical wireless AP constantly transmits Beacon packets. A Beacon packet contains the SSID, the supported transmission rates, and the MAC address of the AP. The typical Beacon rate is 6~10 Beacon packets/sec. For security, wireless APs now also offer Beacons that do not include the SSID value; the idea behind this SSID cloaking is that a client cannot use the AP unless it already knows the SSID. But clever readers will surely have thought of this: once a client wants to connect, even with WEP, the SSID in use can still be overheard :) (ref: dedicated sniffing) *Alternatively, strong-signal interference on the 802.11b 2.4GHz frequency can be used (see the FCC regulations); when the interference is strong enough that the AP or wireless card needs to re-join, the SSID can be overheard at that moment. The disconnections this method causes can also serve the user as a warning sign of possible probing :)
2. Probe response packets: When a client wants to join the network, based on the Beacon packets it has received it sends a probe response packet, which contains the SSID of the network it wants to join and the transmission rates in use.
3. Data packets: Usually TCP/IP packets encapsulated in 802.11b frames.
4. Ad hoc packets: The same as Data packets, but transmitted card to card without passing through the wireless AP.
BSSID: MAC address of the BSS
SSID: the 32-byte string identifying the BSS
DATA RATE: includes 1Mbps 2Mbps 5.5Mbps 11Mbps
HR/DSSS: High Rate Direct Sequence Spread Spectrum

QoS Bandwidth/Priority Remaining Percent 保留頻寬計算

Many people, when learning QoS LLQ & CBWFQ, feel somewhat unsure when they run into the bandwidth reservation allocation problem, because the Cisco course does not explain in much detail what result different combinations of command parameters produce, so I raise the problem here (thanks to a classmate for asking me this question, which also cleared up this uncertainty). Suppose we have a Serial link on P1R1 with a bandwidth of 512k, and we now want to allocate bandwidth under the following conditions:
Class TEST1 uses LLQ (10%)
Class TEST2 uses CBWFQ with (30%) of the remaining available bandwidth
Class TEST3 uses CBWFQ with (20%) of the remaining available bandwidth
This looks simple, but if you have never paid close attention to it there can be different interpretations: how much reserved bandwidth can TEST3 actually use? The correct answer is:
Class TEST1 LLQ bandwidth ceiling = 512k * 10% = 51.2k
Class TEST2 CBWFQ reserved bandwidth = [(512k * 75%, the default maximum allocatable bandwidth) - 51.2k] * 30%
Class TEST3 CBWFQ reserved bandwidth = [(512k * 75%, the default maximum allocatable bandwidth) - 51.2k] * 20%
In other words, the sum of all bandwidth remaining percent commands must not exceed 100%. Another important point is that "remaining" here does not mean the bandwidth left over from the actual current traffic on the interface; the Cisco QoS commands in MQC are not so clever as to monitor current traffic usage at all times and perform proportional dynamic reservation (maybe in the future). To prove that this is really the case, I ran the following experiment:

P1R1(config)#policy-map TEST
P1R1(config-pmap)#class TEST1
P1R1(config-pmap-c)#priority percent 10
P1R1(config-pmap-c)#class TEST2
P1R1(config-pmap-c)#bandwidth remaining percent 30
P1R1(config-pmap-c)#class TEST3
P1R1(config-pmap-c)#bandwidth remaining percent 80
Sum total of class bandwidths excee...

Management Plane Protection(MPP)

The Management Plane Protection (MPP) feature in Cisco IOS software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces. Device management traffic is permitted to enter a device only through these management interfaces. After MPP is enabled, no interfaces except the designated management interfaces will accept network management traffic destined to the device. Restricting management packets to designated interfaces provides greater control over management of a device, providing more security for that device. Other benefits include improved performance for data packets on nonmanagement interfaces, support for network scalability, the need for fewer access control lists (ACLs) to restrict access to a device, and prevention of management packet floods on switching and routing interfaces from reaching the CPU. I...

The Steps of QoS Preclassification Configuration with IPSec and GRE

The qos pre-classify mechanism allows Cisco routers to make a copy of the inner IP header and to run a QoS classification before encryption based on fields in the inner IP header. Without this feature, the classification engine sees only a single encrypted and tunneled flow, since all packets that traverse the same tunnel have the same tunnel header and receive the same treatment in the event of congestion. If your classification policy matches on the ToS byte, you do not need to use the qos pre-classify command, since the ToS value is copied to the outer header by default. You can create a simple QoS policy which sorts traffic into classes based on IP precedence. However, to differentiate traffic within a class and to separate it into multiple flow-based queues, the qos pre-classify command is required. Note: ToS byte copying is done by the tunneling mechanism and not by the qos pre-classify command. The qos pre-classify command can be applied at various points in yo...

Received Signal Strength Indication(RSSI)

In telecommunications, Received Signal Strength Indication (RSSI) is a measurement of the power present in a received radio signal. RSSI is a generic radio receiver technology metric, which is usually invisible to the user of the device containing the receiver, but is directly known to users of wireless networking of the IEEE 802.11 protocol family. RSSI measurement is often done in the intermediate frequency (IF) stage before the IF amplifier. In zero-IF systems, it is done in the baseband signal chain, before the baseband amplifier. RSSI output is often a DC analog level. It can also be sampled by an internal ADC and the resulting codes made available directly or via a peripheral or internal processor bus.

RSSI in 802.11 implementations
In an IEEE 802.11 system RSSI is the received signal strength in a wireless environment, in arbitrary units. RSSI can be used internally in a wireless networking card to determine when the amount of radio energy in the channel is below a certain threshold, at which point the netwo...

Simple Object Access Protocol(SOAP)

SOAP stands for Simple Object Access Protocol. It is an XML-based communication protocol whose role is to encode the requests or responses a web service needs and then send the encoded messages out over the network; simply put, it is a mechanism for transferring data between an application and its clients. SOAP is a self-contained message that can operate independently on different operating systems and networks, for example under Microsoft Windows or Linux, and can be transported using various communication methods such as SMTP, MIME, or HTTP. Recently the W3C has spared no effort on protocols for building web services; in particular, the work on SOAP version 1.2 is already close to complete. SOAP 1.2 includes a toolkit for simplifying the network, which has many tools that version 1.1 lacked, for example a "processing model" that lets developers build rules for managing SOAP messages, and functions for easily managing large numbers of XML documents. However, because SOAP has not yet reached completion, the W3C currently positions SOAP 1.2 only as a "recommended web service development tool". The SOAP architecture consists of four parts: Envelope, Header, Body, and Fault; its structure is combined with XML syntax, in other words SOAP is written in XML. SOAP can not only operate on different networks but can also be transported between different networks. As shown in Figure 3, SOAP can send a message over HTTP, then over TCP and MSMQ, and finally have the message received by SMTP, passing through four different transport points along the way. From this we can see that SOAP's transparency and practicality make it far more flexible than ordinary communication protocols.

Cipher Block Chaining Message Authentication Code Protocol (CCMP)

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) is an encryption protocol that forms part of the 802.11i standard for wireless local area networks (WLANs), particularly those using WiMax technology. The CCMP algorithm is based on the U.S. federal government's Advanced Encryption Standard (AES). CCMP offers enhanced security compared with similar technologies such as Temporal Key Integrity Protocol (TKIP). CCMP employs 128-bit keys and a 48-bit initialization vector that minimizes vulnerability to replay attacks. The Counter Mode component provides data privacy. The Cipher Block Chaining Message Authentication Code component provides data integrity and authentication. The enhanced privacy and security of CCMP compared with TKIP requires additional processing power, often necessitating new or upgraded hardware. 802.11i is a standard for WLANs that provides encryption for networks that use the 802.11a, 802.11b and 802.11g standards. The AES is an en...

Proactive Key Caching(PKC)

PKC is an IEEE 802.11i extension that allows for the proactive caching (before the client roaming event) of the WPA/WPA2 PMK that is derived during a client IEEE 802.1X/EAP authentication at the AP. If a PMK (for a given WLAN client) is already present at an AP when presented by the associating client, full IEEE 802.1X/EAP authentication is not required. Instead, the WLAN client can simply use the WPA 4-way handshake process to securely derive a new session encryption key for communication with that AP. Note: PKC is an IEEE 802.11i extension and so is supported in WPA2, not WPA.

Basic Service Set(BSS)

The Basic Service Set is a term used to describe the collection of Stations which may communicate together within an 802.11 WLAN (Wireless Local Area Network). The BSS may or may not include an AP (Access Point), which provides a connection onto a fixed distribution system such as an Ethernet network. Two types of BSS exist: IBSS (Independent Basic Service Set) and Infrastructure Basic Service Set.

EAP-TTLS(Extensible Authentication Protocol-Tunneled Transport Layer Security)

EAP-Tunneled Transport Layer Security, or EAP-TTLS, is an EAP protocol that extends TLS. It was co-developed by Funk Software and Certicom. It is widely supported across platforms, although there is no native OS support for this EAP protocol in Microsoft Windows; it requires the installation of small extra programs such as SecureW2. EAP-TTLS offers very good security. The client does not need to be authenticated via a CA-signed PKI certificate to the server, but only the server to the client. This greatly simplifies the setup procedure, as a certificate does not need to be installed on every client. After the server is securely authenticated to the client via its CA certificate, the server can then use the established secure connection ("tunnel") to authenticate the client. It can use an existing and widely deployed authentication protocol and infrastructure, incorporating legacy password mechanisms and authentication databases, while the secure tunnel provides protection from eav...

EAP-MD5(Extensible Authentication Protocol-Message Digest 5)

EAP-MD5, defined in RFC 3748, is the only IETF Standards Track based EAP method. It offers minimal security; the MD5 hash function is vulnerable to dictionary attacks, and does not support key generation, which makes it unsuitable for use with dynamic WEP, or WPA/WPA2 enterprise. EAP-MD5 differs from other EAP methods in that it only provides authentication of the EAP peer to the EAP server but not mutual authentication. By not providing EAP server authentication, this EAP method is vulnerable to man-in-the-middle attacks.

EAP-SIM(Extensible Authentication Protocol-Subscriber Identity Module)

Extensible Authentication Protocol Method for GSM Subscriber Identity, or EAP-SIM, is an Extensible Authentication Protocol (EAP) mechanism for authentication and session key distribution using the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM). EAP-SIM is described in RFC 4186.

Public Key Infrastructure(PKI)

In cryptography, a public key infrastructure (PKI) is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique for each CA. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). For each user, the user identity, the public key, their binding, validity conditions and other attributes are made unforgeable in public key certificates issued by the CA. The term trusted third party (TTP) may also be used for certificate authority (CA). The term PKI is sometimes erroneously used to denote public key algorithms, which do not require the use of a CA.

Protected Access Credentials(PAC)

Protected Access Credentials (PACs) are credentials that are distributed to clients for optimized network authentication. PACs can be used to establish an authentication tunnel between the client and the authentication server (the first phase of authentication as described in the "Two-Phase Tunneled Authentication" section). A PAC consists of, at most, three components: a shared secret, an opaque element, and other information. The shared secret component contains the pre-shared key between the client and authentication server. Called the PAC-Key, this pre-shared key establishes the tunnel in the first phase of authentication. The opaque component is provided to the client and is presented to the authentication server when the client wants to obtain access to network resources. Called the PAC-Opaque, this component is a variable length field that is sent to the authentication server during tunnel establishment. The EAP server interprets the PAC-Opaque to obtain the required i...

Cisco Centralized Key Management(CCKM)

CCKM is a term used in wireless networks. It stands for Cisco Centralized Key Management, which is a form of Fast Roaming. When a wireless LAN is configured for fast reconnection, a LEAP enabled client device can roam from one access point to another without involving the main server. Using Cisco (TM) Centralized Key Management (CCKM), an access point configured to provide Wireless Domain Services (WDS) takes the place of the RADIUS server and authenticates the client without perceptible delay in voice or other time-sensitive applications. In practice, the WDS (which can be run as a service on a Cisco Access Point or on various router modules) caches the user credentials after the initial log-on. The user must authenticate with the RADIUS server the first time; after that, the user can roam between access points using cached credentials. This saves time in the roaming process, which is especially valuable for IP Telephones. The current implementation of CCKM requires Cisco compatible hardware and either LEAP,...