Archive for March, 2010

Spring Break

March 28, 2010 3 comments

Heavy rain is not a good thing when your week-long vacation is about to start. As we start packing, the rain is pounding on the window, and though we’ll be about 400 miles south in the Shenandoah National Park and Blue Ridge Parkway area, it is annoying 😦

So wish me good weather and don’t miss me too much. I’ll be back in a week’s time and hope to bring some new energy and renewed motivation toward completing my ONT exam and CCNP track!

OFF TOPIC – Post-it stop motion

March 27, 2010 1 comment

Amazing senior project at Savannah College of Art and Design:

The making of is even better:

ONT – Layer 3 Marking

March 26, 2010 Leave a comment

Now that I have covered Layer 2 marking, it is time for the more resource-friendly way: Layer 3 marking.

The ToS (Type of Service) byte in the IPv4 header contains a six-bit DSCP (Differentiated Services Code Point) field and a two-bit ECN (Explicit Congestion Notification) field. It is the second byte of the IPv4 header, right after the Version and IHL nibbles.

Layer 3 marking can carry the marking information from router to router across the network, because the IP header travels with the packet end to end. The first use of the ToS byte for marking was IP Precedence, which used only the left-most three bits. The eight IP Precedence values carry the same meaning as the eight CoS values.

DSCP marking:

  • Introduced more usable markings (64 code points instead of 8)
  • Maintained backward compatibility with IP Precedence: the Class Selector code points CS0 to CS7 are the IP Precedence value followed by three zero bits, so an old router that reads only the top three bits still sees the precedence it expects

The eight bits are split as shown:

000 | 000 | 00

Left part (3 bits) is the class, the major class. For AF it is the AF class number (1 to 4), and it occupies the same bits as IP Precedence.
Middle part (3 bits) is the drop precedence, the minor class; it breaks the tie when the left part is equal. Left and middle together form the six-bit DSCP that selects the PHB (Per-Hop Behavior).
Right part (2 bits) is ECN. Routers can signal congestion here instead of dropping, so that the endpoints slow down. It is not part of the DSCP.

The PHB can be one of the following (classes 6 and 7 are reserved for network control traffic such as routing protocols):
Expedited Forwarding (EF, DSCP 46 = 101110, precedence 5)
Assured Forwarding (AF4, AF3, AF2, AF1)
Best Effort (DSCP 0, also called CS0 or Default)

Drop precedence currently uses only the left-most two of its three bits, giving three values for AF:
High drop precedence:   11 (AFx3)
Medium drop precedence: 10 (AFx2)
Low drop precedence:    01 (AFx1)

An AFxy code point is therefore 8x + 2y in decimal; AF31, for example, is 011 010 = 26.

The rules can be confusing: a higher class is better, but a higher drop precedence is worse. When a router has to choose, the class decides first and the drop precedence breaks ties within a class.

As with classification, remember that the level of preference is only a mark; it does not by itself define treatment (queuing, policing or dropping). We mark for flexibility, but a mark has an impact only once a policy that acts on it is applied to an interface.
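To make the bit layout concrete, here is an added example (my own code, not from the original post) that encodes and decodes the ToS byte exactly as described above: AFxy = 8x + 2y, CSx = x followed by three zero bits, EF = 46, and the ECN bits outside the DSCP. The function and constant names are my own, not any library's API; the tie-break helper implements the post's rule that class wins first and lower drop precedence wins within a class.

```python
# Added example: encode/decode the IPv4 ToS byte as DSCP (6 bits) + ECN (2 bits).
# Names here are my own, not a real library's API.

BE = 0            # Best Effort / Default, also CS0
EF = 0b101110     # Expedited Forwarding, decimal 46; top three bits 101 = IP Precedence 5


def af(cls, drop):
    """DSCP value for AF<cls><drop>: class 1-4, drop precedence 1-3 (1 = low)."""
    if cls not in (1, 2, 3, 4) or drop not in (1, 2, 3):
        raise ValueError("AF classes are 1-4 and drop precedences 1-3")
    return (cls << 3) | (drop << 1)          # = 8*cls + 2*drop


def cs(precedence):
    """Class Selector CS<precedence>: the IP Precedence value followed by three zero bits."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP Precedence is 0-7")
    return precedence << 3


def dscp_name(dscp):
    """Map a six-bit DSCP to its standard name, or 'DSCP <n>' if it is not a standard code point."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is six bits")
    if dscp == EF:
        return "EF"
    cls, low = dscp >> 3, dscp & 0b111       # major class / minor class bits
    if low == 0:
        return "BE" if cls == 0 else f"CS{cls}"
    if 1 <= cls <= 4 and low in (0b010, 0b100, 0b110):   # only the top two drop bits are used
        return f"AF{cls}{low >> 1}"
    return f"DSCP {dscp}"


def encode_tos(dscp, ecn=0):
    """Build the ToS byte: DSCP in the top six bits, ECN in the bottom two."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP is six bits, ECN is two bits")
    return (dscp << 2) | ecn


def decode_tos(tos):
    """Split a ToS byte into the fields the post describes, including what an
    IP-Precedence-only router would read from the same byte."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is one byte")
    dscp = tos >> 2
    return {
        "dscp": dscp,
        "name": dscp_name(dscp),
        "class": dscp >> 3,                       # left three bits, the major class
        "drop_precedence": (dscp & 0b111) >> 1,   # middle bits, top two used
        "ip_precedence": tos >> 5,                # same bits as "class", legacy view
        "ecn": tos & 0b11,                        # right two bits, not part of the DSCP
    }


def af_ranks_higher(a, b):
    """The post's rule for two AF code points: higher class wins; within a class,
    the lower drop precedence survives congestion ahead of the higher one."""
    for d in (a, b):
        if not dscp_name(d).startswith("AF"):
            raise ValueError(f"{dscp_name(d)} is not an AF code point")
    class_a, drop_a = a >> 3, (a & 0b111) >> 1
    class_b, drop_b = b >> 3, (b & 0b111) >> 1
    if class_a != class_b:
        return class_a > class_b
    return drop_a < drop_b


if __name__ == "__main__":
    for value in (af(3, 1), af(4, 3), cs(6), EF, BE, 1):
        print(f"{value:06b} = {dscp_name(value)}")
    print(decode_tos(encode_tos(EF)))
```

Note that decode_tos reports both the DSCP view and the IP Precedence view of the same byte; for any CS or AF value the two agree on the class, which is the backward compatibility the post describes.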

ONT – Layer 2 Marking

March 24, 2010 Leave a comment

Following the QoS basics, the next step is Classification and Marking.

Quick definition reminder:

  • Classification – Inspecting one or more aspects of a packet to see what the packet is carrying. This is a local process affecting one router.
  • Marking – Writing information into the packet (or frame) header so it can be identified easily on other network devices. This is a global process: it runs on one router but affects every router on the path.

Whenever possible we should mark, because marking has a big impact on network performance. A good example of the benefit is traffic leaving the LAN and entering the ISP’s cloud. With classification alone the traffic reaches the ISP with no information attached; with marking, the information is passed to the ISP, which can then apply priority and other rules and offer you the service you need. The caveat is that the ISP honors only the marks agreed in your contract; ISPs commonly re-mark anything else at their edge, so check the SLA before relying on it.

Two other terms we should be familiar with (both in the QoS spirit):
CoS = Class of Service => L2 marking used on Ethernet (3 bits)
ToS = Type of Service => L3 marking = 1 byte (8 bits)

Frame Relay DE bit: 0 or 1. A value of 0 means the frame should be kept; a value of 1 means it may be discarded first when the carrier is congested.
DE = Discard Eligible. You can mark which traffic becomes DE.

MPLS EXP bits: 3 bits in the label header, similar to CoS.

Ethernet trunk CoS: 3 bits.
CoS lives in the trunk encapsulation (the 802.1Q tag or the ISL header), so it exists only on trunk connections; an untagged access-port frame has nowhere to carry it.
Ethernet CoS gives 8 levels of service:

000 = best effort
001 = low data -> like web traffic
010 = high data -> apps like Citrix that need a constant connection
011 = voice signaling -> call control (setup and teardown), not the voice itself
100 = video -> video streaming
101 = voice -> top class of user traffic
110 = reserved -> network control such as routing updates
111 = reserved -> network control used by the switch/router itself (e.g. STP)

Summary: L2 marking is stripped at every router, because the router rewrites the L2 header on the way out, so relying on it costs resources at every hop. L3 marking goes all the way: mark on one router and use it all over the network. It is the much more important type of marking and will get its own (next) post.
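The summary above is easy to see in code. The following is an added example (my own, not from the original post): it parses a constructed Ethernet frame, pulls the three CoS bits out of an 802.1Q tag when one is present, and then shows what a routed hop does to the marks: the frame header is rebuilt, so the CoS disappears unless the router re-marks the new tag, while the DSCP inside the IPv4 header comes through untouched. The frames and the helper names are my own constructions; ISL is not modeled, only 802.1Q.

```python
# Added example: 802.1Q CoS versus IPv4 DSCP across a routed hop.
# Frames are constructed by hand; function names are my own.
import struct

ETHERTYPE_DOT1Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

COS_NAMES = ["best effort", "low data", "high data", "voice signaling",
             "video", "voice", "internetwork control", "network control"]


def parse_frame(frame):
    """Return MACs, the 802.1Q fields if the frame is tagged, the inner EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "cos": None, "vlan": None}
    offset = 14
    if etype == ETHERTYPE_DOT1Q:                 # trunk frame: TPID, TCI, then the real EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        info["cos"] = tci >> 13                  # PCP: the three CoS bits
        info["cos_name"] = COS_NAMES[info["cos"]]
        info["dei"] = (tci >> 12) & 1            # drop eligible indicator (formerly CFI)
        info["vlan"] = tci & 0x0FFF
        offset = 18
    info["ethertype"] = etype
    info["payload"] = frame[offset:]
    return info


def ipv4_dscp(payload):
    """DSCP is the top six bits of the second byte of the IPv4 header."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return payload[1] >> 2


def ipv4_packet(dscp, src=bytes([10, 0, 0, 1]), dst=bytes([10, 0, 0, 2])):
    """Minimal 20-byte IPv4 header carrying the given DSCP (checksum left zero; offline example)."""
    tos = dscp << 2
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0, src, dst)


def build_frame(dst, src, payload, cos=None, vlan=None):
    """Untagged frame by default; with cos and vlan given, insert an 802.1Q tag (a trunk frame)."""
    hdr = dst + src
    if cos is not None:
        tci = (cos << 13) | (vlan & 0x0FFF)
        hdr += struct.pack("!HHH", ETHERTYPE_DOT1Q, tci, ETHERTYPE_IPV4)
    else:
        hdr += struct.pack("!H", ETHERTYPE_IPV4)
    return hdr + payload


def route_hop(frame, next_hop_mac, router_mac, trunk_cos=None, vlan=None):
    """What a router does when forwarding: drop the incoming L2 header and build a fresh one.
    The incoming CoS is gone unless the router re-marks the outgoing tag; the IP header is kept."""
    packet = parse_frame(frame)["payload"]
    return build_frame(next_hop_mac, router_mac, packet, cos=trunk_cos, vlan=vlan)


if __name__ == "__main__":
    voice = ipv4_packet(46)                                  # EF-marked packet
    trunk = build_frame(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", voice, cos=5, vlan=100)
    routed = route_hop(trunk, b"\x02" * 6, b"\x03" * 6)      # out an untagged interface
    for name, f in (("trunk", trunk), ("after router", routed)):
        p = parse_frame(f)
        print(f"{name}: CoS={p['cos']} DSCP={ipv4_dscp(p['payload'])}")
```

Run it and the trunk frame shows CoS 5 with DSCP 46, while the routed copy shows no CoS at all but still DSCP 46: the L3 mark is the one that survives the hop.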

Security Alert – H.323 and SIP DoS

March 24, 2010 Leave a comment

After the Feb 17th security alert, which focused on problems in security products, Cisco released another alert on March 24th that focuses on this blog’s current business: voice.

The latest security advisories can be found here. There are a few voice-related alerts, such as DoS for H.323 and DoS for Unified Communications Manager Express.
If voice is part of your network, make sure you read the document Identifying and Mitigating Exploitation of the Cisco Unified Communications Manager Express and Cisco IOS Software H.323 and SIP DoS Vulnerabilities, which covers some of the problems and solutions.

Check the full list here and make sure your products are fully patched. Until you can patch, the usual defense is to disable H.323 and SIP processing on routers that do not need to terminate those calls, and to restrict the signaling ports to your call-control systems.

ONT – QoS basics

March 23, 2010 Leave a comment

Quality of Service. Three words that describe (almost) a full exam.
When a normal person hears these words they think about the supermarket cashier or the drugstore pharmacy. Some people might think of their last call to their utility company, where the automatic message announced that “this call is monitored for quality of service purposes”.

If you read this blog regularly (and you’re not my wife) you are not a normal person. You are twisted, you think only about networks, and you understand that there is no such thing as quality of service; it is called QoS 🙂

What is it good for? There are a few problems that QoS tries to address:

  • Lack of bandwidth – QoS cannot create bandwidth. When the link is full it can only decide which traffic goes first and which waits or is dropped.
  • Packet loss – Voice packet loss affects the quality of the call. Data transfers (web or FTP) are hardly affected, and the user will not notice small hiccups, while voice users notice immediately.
  • Delay – Same issue as with packet loss. Regular data usage will not notice small delays, while voice and video are heavily affected.
  • Jitter = Delay Variation – Delay that is not constant: the difference between the delay of one packet and the delay of the next. The receiver has to buffer packets to smooth it out, which adds to the overall delay.

QoS Tools:

  • Classification – Identify and group the different traffic types, separating important apps from non-critical ones, by matching on what the traffic is. Matching is usually done with ACLs (or deeper inspection), which is very processor intensive.
  • Marking – Tagging the packet so it can be recognized quickly elsewhere on the network. The mark sits in the header, so other routers can act on it cheaply instead of classifying again (and save their own processing resources).
  • FIFO = First In First Out – Whoever came first is forwarded; when the buffer is full, everything that arrives next is dropped (tail drop) without looking at the data.
  • Random Early Detection = RED – When the average queue depth gets close to full, the router starts dropping a random fraction of arriving packets, so TCP senders back off before the queue overflows and everyone is dropped at once.
  • Weighted Random Early Detection = WRED – Cisco’s implementation of RED that weights the drop decision by the packet’s IP Precedence or DSCP, so lower-priority traffic is dropped first. This is RED with some brain.

The following will be covered in future posts, so I’ll mention them but not detail them:

  • Policing -> drop or re-mark packets when the limit is reached
  • Shaping -> queue packets when the limit is reached instead of dropping them
  • Queuing -> methods to prioritize packets
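The difference between tail drop, RED and WRED is clearest when you run all three on the same traffic. Below is an added example (my own code, not from the original post or from Cisco): one output queue that does plain FIFO with tail drop when it has no drop profiles, RED when every packet shares one profile, and WRED when each IP Precedence gets its own thresholds. It implements the textbook RED algorithm (an exponentially weighted moving average of the queue depth, and a drop probability that rises linearly between a minimum and maximum threshold). The thresholds, the traffic mix and the overload ratio are constructed for the demonstration and are not Cisco's defaults.

```python
# Added example: FIFO/tail drop vs RED vs WRED on a single simulated output queue.
# Parameters and traffic are constructed; names are my own.
import random


class RedProfile:
    """One RED drop curve: no drops below min_th, linear up to max_p at max_th, all drops above."""

    def __init__(self, min_th, max_th, max_p):
        if not 0 <= min_th < max_th or not 0 < max_p <= 1:
            raise ValueError("need 0 <= min_th < max_th and 0 < max_p <= 1")
        self.min_th, self.max_th, self.max_p = min_th, max_th, max_p

    def drop_probability(self, avg_depth):
        if avg_depth < self.min_th:
            return 0.0
        if avg_depth >= self.max_th:
            return 1.0
        return self.max_p * (avg_depth - self.min_th) / (self.max_th - self.min_th)


class OutputQueue:
    """No profiles: FIFO with tail drop. One shared profile: RED. One profile per precedence: WRED."""

    def __init__(self, capacity, profiles=None, ewma_weight=0.2, seed=1):
        self.capacity = capacity
        self.profiles = profiles or {}           # IP Precedence -> RedProfile
        self.ewma_weight = ewma_weight
        self.depth = 0
        self.avg_depth = 0.0
        self.rng = random.Random(seed)           # seeded so runs are reproducible
        self.drops = {}                          # IP Precedence -> dropped count

    def enqueue(self, precedence):
        """Accept or drop an arriving packet of the given IP Precedence."""
        # RED decides on a smoothed depth so a short burst is not punished immediately.
        w = self.ewma_weight
        self.avg_depth = (1 - w) * self.avg_depth + w * self.depth
        profile = self.profiles.get(precedence)
        early = profile is not None and self.rng.random() < profile.drop_probability(self.avg_depth)
        if early or self.depth >= self.capacity:  # early (RED/WRED) drop, or tail drop when full
            self.drops[precedence] = self.drops.get(precedence, 0) + 1
            return False
        self.depth += 1
        return True

    def dequeue(self):
        if self.depth:
            self.depth -= 1


def wred_profiles(capacity, max_p=0.5):
    """WRED: the higher the IP Precedence, the deeper the queue must be before that class is dropped."""
    return {p: RedProfile(capacity * (0.2 + 0.1 * p), capacity * (0.55 + 0.06 * p), max_p)
            for p in range(8)}


def run(queue, packets, serve_pattern=(True, True, True, False)):
    """Offer packets (IP Precedence values); by default serve 3 packets per 4 arrivals,
    a 33% overload that has to be dropped somewhere. Returns drops per precedence."""
    for i, prec in enumerate(packets):
        queue.enqueue(prec)
        if serve_pattern[i % len(serve_pattern)]:
            queue.dequeue()
    return dict(queue.drops)


def compare(capacity=50, n=2000, seed=7):
    """Push the same constructed 50/50 mix of precedence 0 and 5 through tail drop and through WRED."""
    rng = random.Random(seed)
    packets = [rng.choice([0, 5]) for _ in range(n)]
    tail = run(OutputQueue(capacity), packets)
    wred = run(OutputQueue(capacity, wred_profiles(capacity)), packets)
    return {"tail_drop": tail, "wred": wred}


if __name__ == "__main__":
    for scheme, drops in compare().items():
        print(scheme, {f"prec {p}": c for p, c in sorted(drops.items())})
```

With tail drop the two precedences lose roughly the same number of packets, because a full FIFO does not look at the data. With WRED the queue settles around the precedence-0 threshold and almost every drop lands on precedence 0, while precedence 5 is rarely touched: the mark has turned into a treatment.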

False Positive on X64 systems with BitDefender

March 22, 2010 Leave a comment

Are you a Windows 64-bit user?
Are you also a BitDefender user?

If you answered YES to both questions you had a rough weekend, realizing that your antivirus software thinks your OS is a trojan.

Due to a recent update for Windows 64-bit systems, it is possible that BitDefender detects several Windows and BitDefender files as infected with Trojan.FakeAlert.5.

BitDefender has released a fix for this. Only time will tell how their (good) reputation will be affected by this fiasco.

Fixes are now available here for Windows Vista, here for Windows 7 and here for Windows XP.