
Thursday, 14 May 2015

Building an IPSEC GRE Tunnel

So there is a little bit of confusion on the interwebz when it comes to understanding an IPSEC GRE tunnel. First off, let's look at how it actually works.

GRE works by encapsulating an IP packet inside another IP packet and sending it across the wire to its destination, where it is decapsulated and the inner packet is then routed. GRE is commonly used to bridge two routed domains over a network outside of your administrative control.

When using GRE over the public internet, security is a concern and therefore you would want to encrypt the traffic; this is where IPSEC comes in.

IPSEC GRE tunnels are GRE tunnels that are encapsulated inside of an IPSEC payload and sent across a public network. If you were to capture such traffic using Wireshark you would see only ESP (Encapsulating Security Payload) and not GRE as depicted below;

To get a better understanding of this concept, the following diagram should help;
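To make the two packet shapes concrete, here is a small Python model of the encapsulation, added for this write-up (it is not code from the original post or from Cisco IOS). It builds an inner packet between the two simulated LANs, wraps it in GRE the way the tunnel interface does (outer IPv4 with protocol 47 plus a 4-byte RFC 2784 GRE header), unwraps it again, and prints the one-line summary a packet capture would give for plain GRE versus the same traffic after IPsec protection (outer protocol 50, ESP). The tunnel endpoints and LAN addresses are the lab's; the ICMP payload is constructed, and the ESP "ciphertext" is a constructed placeholder of zeros, because the point is only what an observer on the wire can and cannot see. The SPI reuses the value shown later in the show crypto ipsec sa output.

```python
import socket
import struct

IPPROTO_ICMP, IPPROTO_GRE, IPPROTO_ESP = 1, 47, 50
ETHERTYPE_IPV4 = 0x0800


def checksum(data):
    """RFC 1071 ones-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) after verifying the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:total_len]


def gre_encap(inner_ip, tunnel_src, tunnel_dst):
    """What the tunnel interface does on the way out: prepend a 4-byte RFC 2784 GRE header
    (no checksum/key/sequence fields) and an outer IPv4 header with protocol 47."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner_ip
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre)) + gre


def gre_decap(outer):
    """Receiving side: strip the outer IPv4 and GRE headers, honouring the optional GRE fields."""
    _, _, proto, payload = parse_ipv4(outer)
    if proto != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE (protocol %d)" % proto)
    flags, ptype = struct.unpack("!HH", payload[:4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("inner protocol 0x%04X is not IPv4" % ptype)
    # C (checksum), K (key) and S (sequence) bits each add 4 bytes to the GRE header
    hdr_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return payload[hdr_len:]


def summarize(pkt):
    """Capture-style one-liner: GRE is transparent, ESP is opaque beyond SPI and sequence number."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto == IPPROTO_GRE:
        isrc, idst, iproto, _ = parse_ipv4(gre_decap(pkt))
        return "%s -> %s GRE [inner %s -> %s proto %d]" % (src, dst, isrc, idst, iproto)
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        return "%s -> %s ESP spi=0x%08X seq=%d (payload opaque)" % (src, dst, spi, seq)
    return "%s -> %s proto %d" % (src, dst, proto)


# Constructed sample traffic using the lab addresses: an ICMP echo from NYC's loopback to ATL's.
ICMP_ECHO = b"\x08\x00\x00\x00\x00\x01\x00\x01"  # constructed; ICMP checksum left at zero
INNER = ipv4_header("10.1.0.1", "10.2.0.2", IPPROTO_ICMP, len(ICMP_ECHO)) + ICMP_ECHO
PLAIN_GRE = gre_encap(INNER, "203.0.113.130", "198.51.100.34")
# With tunnel protection the whole GRE packet becomes ESP payload. The zeros stand in for
# ciphertext (constructed placeholder); only SPI and sequence number are visible on the wire.
ESP_BODY = struct.pack("!II", 0xE15A5BAE, 1) + b"\x00" * 48
IPSEC_GRE = ipv4_header("203.0.113.130", "198.51.100.34", IPPROTO_ESP, len(ESP_BODY)) + ESP_BODY

if __name__ == "__main__":
    print(summarize(PLAIN_GRE))
    print(summarize(IPSEC_GRE))
```

Run as a script it prints the GRE line with the inner 10.1.0.1 -> 10.2.0.2 addresses exposed, and the ESP line with nothing but the outer endpoints, SPI and sequence number, which is exactly the difference between the two captures described above.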

Okay so how do I configure it?

Now on to the fun part, configuration. First off lets take a look at the diagram we’ll be using to demonstrate this technology;

The following configuration demonstration was performed on the Stub Lab. If you like, you can also do this configuration on the Stub Lab which is a freely accessible Cisco Lab. All ya gotta do is sign up and reserve lab time!

First off we need to configure the INET router. This router will simulate the internet connectivity between the NYC and ATL routers. The following initial configuration has been provided to make this quickly achievable;

!####################################
!# IPSEC GRE TUNNEL - INET ROUTER #
!####################################
!
enable
configure terminal
!
hostname INET
no ip domain-lookup
!
interface Serial0/0/0
 description Link to R2 Se0/1/0
 ip address 198.51.100.33 255.255.255.252
 no fair-queue
 no cdp enable
 no shut
!
interface Serial0/1/0
 description Link to R1 Se0/0/0
 ip address 203.0.113.129 255.255.255.252
 no cdp enable
 no shut
!
interface FastEthernet0/0
 shutdown
!
interface FastEthernet0/1
 shutdown
!
line con 0
 logging sync
 no exec-timeout
!
end

Now we can go ahead and configure the basics on the NYC and ATL routers. We'll set up a loopback interface on each router to simulate LAN connectivity and then EIGRP to route over the tunnel.

Router con0 is now available

Press RETURN to get started.

Router>enable
Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname NYC
NYC(config)#no ip domain-lookup
NYC(config)#interface Loopback0
NYC(config-if)#description Simulated LAN Connection
NYC(config-if)#ip add 10.1.0.1 255.255.255.0
NYC(config-if)#exit
NYC(config)#interface Serial0/0/0
NYC(config-if)#description Link to Internet
NYC(config-if)#ip address 203.0.113.130 255.255.255.252
NYC(config-if)#exit
NYC(config)#router eigrp 1
NYC(config-router)#no auto-summary
NYC(config-router)#network 10.1.0.1 0.0.0.0
NYC(config-router)#exit
NYC(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.129
NYC(config)#

Router con0 is now available

Press RETURN to get started.

Router>enable
Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname ATL
ATL(config)#no ip domain-lookup
ATL(config)#interface Loopback0
ATL(config-if)#description Simulated LAN Connection
ATL(config-if)#ip add 10.2.0.2 255.255.255.0
ATL(config-if)#exit
ATL(config)#interface Serial0/1/0
ATL(config-if)#description Link to Internet
ATL(config-if)#ip address 198.51.100.34 255.255.255.252
ATL(config-if)#exit
ATL(config)#router eigrp 1
ATL(config-router)#no auto-summary
ATL(config-router)#network 10.2.0.2 0.0.0.0
ATL(config-router)#exit
ATL(config)#ip route 0.0.0.0 0.0.0.0 198.51.100.33
ATL(config)#

Now that the basic config is out of the way we can set up the basic GRE tunnel interface and enable EIGRP routing on it, which should allow the two simulated LAN segments to communicate with each other, unencrypted, over the public internet.

NYC(config)#interface Tunnel0
NYC(config-if)#description IPSEC GRE TUNNEL TO ATLANTA
NYC(config-if)#ip address 10.12.0.1 255.255.255.0
NYC(config-if)#tunnel source Serial0/0/0
NYC(config-if)#tunnel destination 198.51.100.34
NYC(config-if)#exit
NYC(config)#router eigrp 1
NYC(config-router)#network 10.12.0.1 0.0.0.0
NYC(config-router)#exit
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.12.0.2 (Tunnel0) is up: new adjacency
NYC(config)#exit
NYC#
%SYS-5-CONFIG_I: Configured from console by console
NYC#

ATL(config)#interface Tunnel0
ATL(config-if)#description IPSEC GRE TUNNEL TO ATLANTA
ATL(config-if)#ip address 10.12.0.2 255.255.255.0
ATL(config-if)#tunnel source Serial0/1/0
ATL(config-if)#tunnel destination 203.0.113.130
ATL(config-if)#exit
ATL(config)#router eigrp 1
ATL(config-router)#network 10.12.0.2 0.0.0.0
ATL(config-router)#exit
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.12.0.1 (Tunnel0) is up: new adjacency
ATL(config)#exit
ATL#
%SYS-5-CONFIG_I: Configured from console by console
ATL#

Now that a basic GRE tunnel has been established, we can verify the operational status of the tunnel by pinging the other end.

NYC#ping 10.12.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.12.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
NYC(config)#

You should also have noticed that NYC and ATL became EIGRP neighbors, and you should now be able to ping Atlanta's simulated LAN segment from New York, as demonstrated below;

NYC#ping 10.2.0.2 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
NYC#

Now we’re ready to configure the IPSEC portion of the IPSEC GRE tunnel. First you must define an ISAKMP policy. ISAKMP policies are used to define the phase 1 negotiations of an IPSEC tunnel. When it comes to IPSEC GRE, the ISAKMP policy is very simple. The policy must be defined on both routers.

NYC#config terminal
NYC(config)#crypto isakmp policy 10
NYC(config-isakmp)#authentication pre-share
NYC(config-isakmp)#exit
NYC(config)#

ATL#config terminal
ATL(config)#crypto isakmp policy 10
ATL(config-isakmp)#authentication pre-share
ATL(config-isakmp)#exit
ATL(config)#

Next we need to define the pre-shared key on a per-peer basis;

NYC(config)#crypto isakmp key 0 CISCO address 198.51.100.34

ATL(config)#crypto isakmp key 0 CISCO address 203.0.113.130

Then we need to configure the transform-set which will actually be used to encrypt the data. For this demonstration we're going to use AES128 and SHA hashing.

NYC(config)#crypto ipsec transform-set TRANS_IPSEC_GRE esp-aes esp-sha-hmac

ATL(config)#crypto ipsec transform-set TRANS_IPSEC_GRE esp-aes esp-sha-hmac

Next we’ll need to build the ipsec profile that will be applied to the GRE tunnel interface;

NYC(config)#crypto ipsec profile IPSEC_GRE
NYC(ipsec-profile)#set transform-set TRANS_IPSEC_GRE

ATL(config)#crypto ipsec profile IPSEC_GRE
ATL(ipsec-profile)#set transform-set TRANS_IPSEC_GRE

Finally once all the IPSEC configuration is completed we can assign the IPSEC profile to the tunnel interface as shown below;

NYC(ipsec-profile)#interface Tunnel0
NYC(config-if)#tunnel protection ipsec profile IPSEC_GRE
NYC(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
NYC(config-if)#^Z
NYC#

ATL(ipsec-profile)#interface Tunnel0
ATL(config-if)#tunnel protection ipsec profile IPSEC_GRE
ATL(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
ATL(config-if)#^Z
ATL#

And now for the ultimate verification! We’ll ping the Atlanta simulated LAN segment (Loopback0: 10.2.0.2) from the NYC simulated LAN Segment (Loopback0: 10.1.0.1) and verify that the packets are being encrypted and decrypted by viewing the ipsec security-association;

NYC#ping 10.2.0.2 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
NYC#
NYC#show crypto ipsec sa peer 198.51.100.34

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 203.0.113.130

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (203.0.113.130/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.34/255.255.255.255/47/0)
   current_peer 198.51.100.34 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 79, #pkts encrypt: 79, #pkts digest: 79
    #pkts decaps: 79, #pkts decrypt: 79, #pkts verify: 79
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 203.0.113.130, remote crypto endpt.: 198.51.100.34
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0xE15A5BAE(3780795310)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x67D027CC(1741694924)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: NETGX:7, sibling_flags 80000046, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4590179/3282)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE15A5BAE(3780795310)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: NETGX:8, sibling_flags 80000046, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4590178/3282)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
NYC#

We have successfully built an IPSEC GRE tunnel that can route EIGRP between two locations securely over the internet. Post your comments and questions below!


Cisco IOS Radius Authentication with Windows Server 2012 NPS

Configuring Cisco devices to authenticate management users via RADIUS is a great way to maintain a centralized user management base. Traditionally this has been done using the Cisco Access Control Server (ACS) which of course is fairly expensive and is typically out of the price range for most small & medium sized businesses.

If you are like most businesses you may already have an Active Directory infrastructure deployed, and thus you already have the necessary software and licenses required to set up a basic RADIUS server using Network Policy Server (NPS), which can be used to authenticate network administrators on your Cisco IOS equipment for management purposes. The main benefit you get from RADIUS authentication is a centralized management console for user authentication and the ability to control which users have access to the Cisco CLI. So look at it this way: if your company hires or fires an employee, then whatever changes are applied in Active Directory take effect immediately. For example, disabling a user account in AD would result in failed authentication attempts for that username when attempting to log into a Cisco device. Likewise, if you have a new employee, you can easily give their username access to Cisco network devices just by adding them to a Security Group in Active Directory.

This blog will discuss and demonstrate the configuration of Network Policy Server, which is included with Windows Server 2008 and greater; however, this blog will concentrate on Windows Server 2008 R2.

Active Directory Configuration

First there are a few small tasks you must complete in Active Directory. You must create two Security Groups called Network Engineers and Network Support Technicians.

Network Engineers will have level 15 privileges and thus have full read/write permissions to the Cisco Command Line interface after successfully authenticating to Cisco routers and Switches.

Network Support Technicians however will only have Read Only privileges.

Next you will need to assign users to these groups. For the purposes of this blog I have created two users, John Doe and John Smith.

John Doe (Username: jdoe) is a Network Engineer and John Smith (Username: jsmith) is a Network Support Technician. These users will be used to verify the configuration and operational status of NPS.

Once you have completed the basic Active Directory configuration you can move on to the NPS config. Please note that the Security Groups can be named whatever you like.

Windows Network Policy Server Configuration

Prior to configuring NPS it must first be installed and authorized in Active Directory. To install NPS add the “Network Policy and Access Services” role to your server.

After you have authorized NPS in Active Directory you're ready to add the first RADIUS Client. To add the client you must expand the RADIUS Clients and Servers item, right click on RADIUS Clients and click "New".

You'll be prompted to enter the Friendly Name, the Address (IP or DNS) and the Shared Secret. Enter this information as required. For this blog we're using R1, which has the IP address 172.16.22.215 and the secret CISCO, as shown below;

Note that ND_ is used as a prefix to the device friendly name; this will be used later in the configuration of the NPS policy to identify network devices.

Next, click the Advanced tab across the top, select "Cisco" as the vendor name from the drop-down list and click OK;

If you added the client correctly you should see the client friendly name, IP address and other information listed in the RADIUS Clients section;

Now you’re ready to configure the network policy which will authenticate users in the specific active directory groups and grant them access.

To create a new policy you need to expand the Policies item in the left pane, right click on "Network Policies" and click New.

You must enter a name for the policy, in this case we’re going to use “Network Engineers (Cisco LEVEL 15)”

After you have provided a policy name you must then configure the conditions which are required to match in order to successfully authenticate. You will need to create two conditions;

Configure a User Group condition to match the Network Engineers security group and a Client Friendly Name condition to match "ND_?", which denotes that the authenticating device has a friendly name starting with ND_.

Once you’ve successfully added these conditions you should see the following;

Click next and you’ll be prompted to specify the access permission, leave this as the default “Access Granted” and click next.

Cisco only supports the "Unencrypted authentication (PAP, SPAP)" method. Uncheck everything, check "Unencrypted authentication (PAP, SPAP)" as shown below and click next;

After configuring the Authentication Methods you will be prompted to configure the Constraints; you can skip this section and just click next.

When prompted to configure settings, remove the Framed-Protocol and edit the Service-Type and set it to “Login” which is under “Others” as shown below;

Next you will need to add a Vendor Specific Attribute by clicking on "Vendor Specific" under the left-side settings and clicking the Add… button.

Scroll down the list, select "Cisco-AV-Pair" and click Add. You will be prompted to add the Attribute Information; here you click Add… and set the attribute value to shell:priv-lvl=15.

This specifies which privilege level is returned to the authenticating user/device after successful authentication. For Network Engineers this would be shell:priv-lvl=15 and for Network Support Technicians it would be shell:priv-lvl=1.

When added successfully you should see the following;

After you click next you will be presented a summary of the new network policy that you just created as shown below;

Click Finish and you're ready to configure the Cisco routers and switches to authenticate to the NPS RADIUS server. Please note that you will need to create another policy for the Network Support Technicians and for any other privilege levels you wish to use.

Cisco IOS AAA Configuration

The very first thing we need to do prior to configuring AAA is to setup a local user account so that when the RADIUS server has failed, you have the ability to still log into the device. This is done using the username command as demonstrated below;

R1 con0 is now available

Press RETURN to get started.

R1>enable
R1#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username NORAD priv 15 secret R@du3F@1led
R1(config)#

Now we can enable AAA new model and configure the radius server group and default authentication list as demonstrated below;

R1(config)#username NORAD priv 15 secret R@du3F@1led
R1(config)#aaa new-model
R1(config)#aaa group server radius NPS_RADIUS_SERVERS
R1(config-sg-radius)#server-private 172.16.22.228 auth-port 1812 acct-port 1812 key CISCO
R1(config)#aaa authentication login default group NPS_RADIUS_SERVERS local
R1(config)#aaa authorization exec default group NPS_RADIUS_SERVERS local if-authenticated
R1(config)#aaa authorization console

INFO: With the default aaa authentication list defined as group NPS_RADIUS_SERVERS followed by local, users will ONLY fall back to local authentication when the RADIUS servers are unreachable. If you attempt to log into the device using a local account while the RADIUS servers are reachable, the login will be rejected unless the local username also exists in Active Directory and is a member of the Network Engineers or Network Support Technicians security group.

And that's it for the basic Cisco IOS AAA config. You can however get into some more advanced configurations by using named AAA lists, applying a RADIUS authentication list to the VTY lines and local authentication only to the console line.
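To show what the NPS policy settings (PAP, Service-Type Login, Cisco-AV-Pair) and the IOS AAA commands above actually exchange on the wire, here is a Python model of the RADIUS round trip, added for this write-up; it is not code from the original post, from Cisco or from Microsoft. It builds the Access-Request the router sends (User-Name, the PAP-hidden User-Password and Service-Type), answers it the way the two policies would (Service-Type Login plus Cisco-AV-Pair shell:priv-lvl=15 or 1), and has the router side verify the RFC 2865 Response Authenticator before it trusts the privilege level. The usernames jdoe and jsmith and the secret CISCO come from the post; the passwords, the fixed Request Authenticator and the toy user table are constructed for the demo (a real client picks a fresh random authenticator per request).

```python
import hashlib
import struct

# RADIUS codes and attribute types from RFC 2865; Cisco VSA numbers from the Cisco AV-pair dictionary
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE, ATTR_VSA = 1, 2, 6, 26
SERVICE_TYPE_LOGIN = 1             # the "Login" value the NPS policy returns
VENDOR_CISCO, CISCO_AVPAIR = 9, 1  # Vendor-Id 9, vendor type 1 = Cisco-AV-Pair

# Constructed test data: shared secret from the post, accounts and passwords made up for the demo
SECRET = b"CISCO"
USERS = {b"jdoe": (b"Jd0e-pass", 15), b"jsmith": (b"Jsm1th-pass", 1)}


def attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific(26) carrying Vendor-Id 9 and sub-attribute 1 = cisco-avpair."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text
    return attr(ATTR_VSA, struct.pack("!I", VENDOR_CISCO) + sub)


def pap_encode(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def pap_decode(hidden, secret, authenticator):
    """Inverse of pap_encode; anyone holding the shared secret and a capture can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attrs(data):
    """Walk the TLV list and return [(type, value), ...]."""
    attrs = []
    while data:
        length = data[1]
        attrs.append((data[0], data[2:length]))
        data = data[length:]
    return attrs


def access_request(username, password, secret, ident, authenticator):
    """What the IOS router sends for 'aaa authentication login default group ...' (PAP)."""
    body = (attr(ATTR_USER_NAME, username)
            + attr(ATTR_USER_PASSWORD, pap_encode(password, secret, authenticator))
            + attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def nps_respond(request, secret, users):
    """Toy stand-in for the NPS policies: check the PAP password, then return Service-Type=Login
    and Cisco-AV-Pair shell:priv-lvl=<level> on accept, signed with the Response Authenticator."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    user = attrs.get(ATTR_USER_NAME)
    password = pap_decode(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    if user in users and users[user][0] == password:
        code = ACCESS_ACCEPT
        body = (attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
                + cisco_avpair(b"shell:priv-lvl=%d" % users[user][1]))
    else:
        code, body = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def router_parse_response(response, request, secret):
    """Router side: verify the Response Authenticator, then pull the privilege level out of the VSA."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or response[4:20] != expected:
        raise ValueError("Response Authenticator mismatch: forged, tampered, or wrong shared secret")
    priv = None
    for attr_type, value in parse_attrs(response[20:length]):
        if attr_type == ATTR_VSA and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO and value[4] == CISCO_AVPAIR:
            text = value[6:4 + value[5]].decode()  # vendor length at value[5] covers its 2-byte header
            if text.startswith("shell:priv-lvl="):
                priv = int(text.split("=", 1)[1])
    return code, priv


def login(username, password, users=USERS, secret=SECRET, ident=7, authenticator=bytes(range(16))):
    """Full exchange; returns (code, privilege level). The fixed authenticator keeps the demo reproducible."""
    req = access_request(username, password, secret, ident, authenticator)
    return router_parse_response(nps_respond(req, secret, users), req, secret)


if __name__ == "__main__":
    print(login(b"jdoe", b"Jd0e-pass"))      # jdoe lands in privilege 15 (privileged mode)
    print(login(b"jsmith", b"Jsm1th-pass"))  # jsmith lands in privilege 1 (user mode)
    print(login(b"jsmith", b"wrong"))        # Access-Reject, no privilege level
```

Run as a script it prints (2, 15) for jdoe, (2, 1) for jsmith and (3, None) for a bad password. Note what pap_decode demonstrates: "Unencrypted authentication (PAP)" in the NPS wizard means the password is only hidden with an MD5 keystream derived from the shared secret, so anyone holding that secret and a capture of UDP 1812 can recover it. A long random secret and a management network that keeps RADIUS traffic off user-reachable segments matter more than the wizard's wording suggests; CISCO is fine for the lab and nowhere else.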

Verification

Now for the fun part, verification. If you completed all the steps correctly you should be able to log in using the jdoe username and be automatically placed into privileged mode, as demonstrated below;

And also if you configured the second policy for Network Support Technicians, you should be able to authenticate as jsmith and be placed into user mode as shown below;

If you have any questions or suggestions please comment :)


Private Internet Access via L2TP IPSEC Cisco IOS Client

So with the NSA, the CIA and the FBI sucking up every bit they possibly can on the internet at countless locations around the world, you wonder how you could possibly become anonymous on the interwebz. Of course it's not just the United States Government that feels the need that you as an individual should sacrifice your liberty for security; this practice is becoming quite common all around the globe, from the United Kingdom all the way down under in the land of the happy kangaroos (Australia of course). Just for the record I'm sure the kangaroos don't give a shit because they don't feel their privacy is violated.

As the world awakens to the vast over reach of Government around the globe people are looking for new and innovative ways to retain and/or regain their privacy. As a network engineer I wanted to share one of many methods I use to remain anonymous on the internet.

So first lets ask a big question. Why would you want to remain anonymous on the internet? Think about that for a minute.

As a network engineer or an individual aspiring to become a network engineer you will quickly realize or learn that you can easily be singled out on the internet with just an IP address. Your IP Address can be used to locate you geographically speaking.

For example, let's say your computer is infected with a virus and you become an unwilling participant in a hack orchestrated by individuals attempting to gain access to classified computer networks to gather information. You personally would be held responsible; after all, it is your IP address that is doing the hacking. Your IP address, along with the date and time, included in a subpoena sent to your ISP could easily identify you and the home address related to the service. Next thing you know you have the SWAT team busting your door down while you're watching reality TV of SWAT teams busting people's doors down. How is that for irony?

So how do you solve this problem? Through the use of VPN technology. There are several VPN providers on the internet whose sole purpose is to provide anonymity online. You pay for the service and they provide you with the credentials to connect to a VPN. After you've connected, all your internet traffic traverses their network and any internet requests you make are made through the VPN. So now your public IP address is not the one provided by your ISP, which can be used to identify you, but rather the public IP address used by the anonymous VPN service.

While anonymous VPN services can be used to commit crimes such as downloading and distributing copyrighted material, or perhaps even other nefarious actions, Free CCNA Workbook does not promote or endorse any of these actions. With that being said, anything you do on anonymous VPN services is at your own risk.

Beyond the Basics

Traditionally anonymous VPN services are used via dialer interfaces on common operating systems such as Windows and Linux. While this configuration works, it only works for a single PC unless you want to configure a Windows Server with connection sharing, which of course is a huge pain in the @$$.

Using a Cisco IOS router you can then allow multiple PCs to use the VPN service by changing the default gateway on the PCs to the inside interface of the VPN client. You can even go a step further by setting up a separate SSID on your wireless access point(s), so that you have a dedicated wireless SSID which only uses the anonymous VPN service as its connection to the internet.

There are tons of anonymous VPN providers out there; however, this blog is going to demonstrate the configuration of an L2TP IPSEC tunnel using Private Internet Access.

So enough with all the jibber jabber, let's dive into the config, shall we?

The L2TP IPSEC Tunnel Configuration

Well I’m not going to explain every single line of configuration however if you are experienced enough in Cisco IOS and VPN technologies this should all make sense. If you have questions you can post a comment with your question.

Before you get started you're going to need the credentials for your VPN authentication. The credentials you got in your email when you signed up with Private Internet Access are NOT the credentials you'll be using to connect to the VPN. You must log into the Client Support Page and generate new VPN credentials, which will be used instead. Once you have the credentials you'll need the peer IP address which you'll be connecting to.

You can obtain this by pinging the DNS name of the VPN gateway you wish to connect to. In this case we're going to use the East US gateway "us-east.privateinternetaccess.com". At the time of this blog this name resolves to 108.61.152.251. This of course will probably have changed by the time you read this.

Once you have all this information you’re ready to start configuration. Go ahead and configure hostname, ssh, credentials, IP addresses, etc…

You're also going to need a PUBLIC IP address for this configuration; for this blog we're using 73.41.232.21 on FastEthernet0/0.

First up we need to configure Phase 1 of the IPSEC tunnel by defining the ISAKMP policy and the peer pre-shared key.

!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key mysafety address 108.61.152.251
!

Now let's define the first sequence in the crypto map which will be used to build the security association;

!
crypto map PIA_VPN 10 ipsec-isakmp
 set peer 108.61.152.251
 set transform-set ESP-AES256-SHA1
 match address PIA_EAST_US
!

You're going to need to build out the transform set referenced in the crypto map, "ESP-AES256-SHA1";

!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode transport
!

Now you need to configure the ACL referenced in the crypto map, "PIA_EAST_US". In this case the source and destination UDP port is going to be 1701. You'll also need to use the public IP address, which should be static, as the source IP address in the ACL. In this case 73.41.232.21 is the IP address assigned to the outside interface FastEthernet0/0, whereas 108.61.152.251 is the VPN gateway IP address.

!
ip access-list extended PIA_EAST_US
 permit udp host 73.41.232.21 eq 1701 host 108.61.152.251 eq 1701
!

Once the IPSEC configuration has been completed you'll need to assign the crypto map to the public-facing interface, in this case FastEthernet0/0;

!
interface FastEthernet0/0
 crypto map PIA_VPN
!

Before we can configure the L2TP virtual tunnel interface we first need to define the pseudowire class. The encapsulation will be set to l2tpv2 and the local interface should be the public-facing interface;

!
pseudowire-class PIA_L2TP
 encapsulation l2tpv2
 ip local interface FastEthernet0/0
!

Now we can define the virtual tunnel interface; in this case it's going to be a Virtual-PPP interface;

interface Virtual-PPP1
 description Tunnel to PIA EAST US
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 ppp eap refuse
 ppp chap hostname x4108222
 ppp chap password 0 8Mz1wHgZDJ
 ppp ipcp address accept
 no cdp enable
 pseudowire 108.61.152.251 1 pw-class PIA_L2TP

And that's it for the L2TP IPSEC tunnel configuration. You should now be able to verify that Phase I and Phase II have established successfully, as shown below;

PIA-GATEWAY#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
108.61.152.251  73.41.232.21    QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

PIA-GATEWAY#
PIA-GATEWAY#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: PIA_VPN, local addr 73.41.232.21

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (73.41.232.21/255.255.255.255/17/1701)
   remote ident (addr/mask/prot/port): (108.61.152.251/255.255.255.255/17/1701)
   current_peer 108.61.152.251 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 305, #pkts encrypt: 305, #pkts digest: 305
    #pkts decaps: 294, #pkts decrypt: 294, #pkts verify: 294
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 73.41.232.21, remote crypto endpt.: 108.61.152.251
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xC4E6F422(3303470114)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x97AF5057(2544848983)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000006, crypto map: PIA_VPN
        sa timing: remaining key lifetime (k/sec): (4580055/1730)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC4E6F422(3303470114)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000006, crypto map: PIA_VPN
        sa timing: remaining key lifetime (k/sec): (4580054/1730)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
PIA-GATEWAY#

If you are having problems with Phase I or Phase II you can use the debug crypto isakmp and debug crypto ipsec commands to help you better understand why. Google any errors you may receive.

If your configuration is correct thus far, the Virtual-PPP1 interface should be up/up with an IP address, as shown below;

PIA-GATEWAY#show interface virtual-ppp1
Virtual-PPP1 is up, line protocol is up
  Hardware is Virtual PPP interface
  Description: Tunnel to PIA EAST US
  Internet address is 10.10.1.3/32
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 1 seconds on reset
  Last input 00:05:43, output never, output hang never
  Last clearing of "show interface" counters 00:50:30
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     417 packets input, 5892 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     339 packets output, 6217 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
PIA-GATEWAY#

If your Virtual-PPP1 interface is failing to obtain an IP address and shows up/down, then you can use the debug ppp authentication command to check that your credentials are correct.

Routing and NAT Configuration

Before the clients on the inside can access the internet via the L2TP IPSEC VPN you need to setup two static routes and NAT.

The first static route you'll need is a route to the VPN gateway via your ISP default gateway. In this case 108.61.152.251 needs to be routed to 73.41.232.1;

!
ip route 108.61.152.251 255.255.255.255 73.41.232.1
!

Next is the default route for all traffic to reach the internet; send it through the tunnel;

!
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
!

Next up you need to define the inside and outside NAT zones;

!
interface FastEthernet0/1
 ip nat inside
!
interface Virtual-PPP1
 ip nat outside
!

Once the NAT zones have been defined you'll need to define an ACL which will be used by NAT overload to translate multiple inside machines to the IP address of the Virtual-PPP interface. In this case our inside network is 192.168.0.0/24.

!
ip access-list standard NAT
 ! 0.0.0.255 is the wildcard mask for the 192.168.0.0/24 inside network described above
 ! (the original line used 0.0.255.255, which matches all of 192.168.0.0/16)
 permit 192.168.0.0 0.0.0.255
!

Finally we need to define the source NAT statement so that inside hosts matched by the named ACL "NAT" will be overloaded to the Virtual-PPP1 interface;

!
ip nat inside source list NAT interface Virtual-PPP1 overload
!

Now you're golden. To test your NAT configuration you can do a traceroute sourced from your inside interface, in this case FastEthernet0/1, to 4.2.2.2 as demonstrated below;

PIA-GATEWAY#traceroute 4.2.2.2 source FastEthernet0/1 probe 1 numeric
Type escape sequence to abort.
Tracing the route to 4.2.2.2

  1 10.10.1.1 48 msec
  2  *
  3 184.75.211.129 64 msec
  4 38.88.240.133 88 msec
  5 69.31.143.24 60 msec
  6 154.54.3.93 76 msec
  7 4.69.155.208 128 msec
  8 4.2.2.2 112 msec
PIA-GATEWAY#

As you can see from the traceroute above, the next hop IP address is 10.10.1.1, which is the IP address of the VPN gateway.

To allow machines on your network to access the internet via this newly built L2TP IPSEC VPN gateway you just need to change the default gateway on your machines to the inside interface of the newly configured VPN gateway router.

After which you can test your public facing IP address using IP Chicken!


If you have any questions or comments please post a comment below! Enjoy….


Job Advice for Aspiring Network Engineers

Well, I figured I would write a new type of blog regarding a question that I see posted on the Facebook page all the time: what kind of job can you get with the CCNA? Well, in order to answer this question accurately you'll need to provide a little bit more information.

In general, as a CCNA who is new to the networking industry and has limited IT experience, you should not be expecting much, as you will find it hard to get your foot in the door. You'll most likely do countless interviews, and eventually someone will feel that they can trust you (mold you into what they want) enough to offer you a job, in which case they're going to offer you a very low salary.

Yeah, it's nice to get an hourly position, but in America you only see those types of employment with contracting, which would also NOT include benefits such as vacation, health insurance, etc…

Most companies are smart not to pay their engineers hourly because they know it saves them thousands of dollars a year to just pay you salary. As a network engineer you may find yourself working 40-80 hours a week. Why? Because most changes that occur to the network occur after hours and this does not include the time you’re required to be at your cube 8:00AM to 5:00PM.

So let me be blunt: if you're going to become a network engineer, you're most likely going to end up as a cube slave. I say this as an engineer who has been in the field for 12 years, 10 of which have been spent in a cube. The last two years I've worked from home full time. So with this in mind you should embrace your inner cube personality and get some nice decorations, because without an MBA or a management position your chances of getting your own office are very slim in most cases.

What should I expect in pay?

Well, as a newly minted CCNA network engineer who has little to no experience (less than 2 years), you should not expect 75,000 a year. You would get laughed at by the hiring manager as soon as you've walked out of the door from the interview.

Why do I know this? Because I've done this myself on countless occasions. No hiring manager in their right mind would hire a CCNA with 1 year of experience in the USA @ 75k a year with benefits and vacay unless they're extremely desperate or you've managed to “WOW” them in the interview.

Realistically you should expect between 25,000 and 50,000 salary with limited experience. Keep in mind you're only going to get an offer like this if you don't make yourself look like an idiot in the job interview. You're probably thinking in your head, “how would I look like an idiot?”

Well, if you brain dumped the CCNA exam then you're going to get laughed at. If the hiring manager asks you a simple question that any network engineer with the CCNA should know and you answer it with “I don't know”, they're gonna think you're not worth it.

An example question would be, “how is the root bridge elected in spanning tree?”

What type of job should I look for?

Well, as a CCNA your job opportunities are going to be limited, and often times you're going to be limited to larger companies who feel they can “mold” you into what they want you to become. At this stage your chances of getting a startup company position or small business position are slim unless you know someone or you have other skills needed by that company.

In either case a CCNA engineer with less than 3 years' experience is not going to be doing very much engineering. You're gonna start out as a switch tech or triage engineer (level 1 support). As your experience and skills advance you'll work your way up the ladder. How fast you climb is completely up to you!

What type of company should I work for?

Well, this is the million dollar question, and this is the type of question that should be asked before accepting ANY position.

Speaking from experience, at most large companies (publicly traded companies, etc.) your engineering experience will become extremely limited. This is because at large corporate companies you have to learn the politics involved. This includes Change Control, Change Management, Auditing, Approval Processes, documentation, etc. If you've never read Dilbert comic strips I would suggest you start there. Dilbert is a GREAT representation of what happens in most corporate environments on a day to day basis.

Most large corporate companies will often times have “too many Chiefs and not enough Indians.” What I mean by this is that you have too many managers that don't know shit and very few engineers that actually do the work, for which the managers then claim credit. This is typical of corporate environments.

Also, if you accept a corporate environment position then don't expect to work from home too often, as “most” managers and VPs that work in corporate environments are “old school”, which pretty much equates to the “be at your desk at 8:00AM and do not leave before 5:00PM or I'm going to fire your ass” type. This of course is slowly changing as young talent moves up and this way of management is not the most efficient anymore, due to the world becoming so connected with the internet, mobile devices, etc.

There are, however, several benefits to working at large corporations, which include job security and benefits.

As an entry level network engineer you may only get offers from large corporate environments, in which case it is a learning experience. If you want my advice, stay there for a year or two and then find another job.

Why find another job so quickly? Because a 3% raise is nothing compared to doubling your salary in a single move after you have 2-3 years of good experience. You also need to be realistic: most corporate companies are not going to try to keep your talent, but other companies may want what you have to offer and would be willing to offer significantly more pay with better benefits.

For example, you start working at Widgets Inc making $30,000 a year, and after 2 years you're making about $35k a year after raises and bonuses based on performance. Maybe you get paid for on-call as well, who knows. At this point you're 2 years in with your CCNA and you're probably already working on your CCNP, or perhaps you've already passed the 3 CCNP exams (Route, Switch and TShoot), in which case you're ready to make a move, as a CCNP with 2-3 years' experience making 35k a year is not doing yourself any service. If you have the experience and skills to pass the CCNP exams without dumps and can prove those skills in a job interview, then you should not have a hard time finding another job in the 50-70k range in the United States. (This depends on job density and where you live, of course.)

At that point, with a single jump you've effectively doubled your salary. Now you can afford to get rid of that 1995 Honda Accord and buy something decent, as your paychecks should be around $1,800 bi-weekly. Ultimately at this point you should be clearing around $3,500 a month.

Working for the little guys!

As you have evolved your skills and experience and obtained other certifications along your journey, you now have more opportunities and can be picky when it comes to what type of jobs you apply for and potentially get offers from.

Once you have worked in the corporate environment for a year or two you may like it or you may hate it. Most people hate it but must have the job security, as they may have a mortgage, children, etc. If you are flexible and have the ability to take a little bit of risk, then your reward is going to be greater.

I’ve worked in corporate environment(s) for years and after all these years I would never return to the corporate environment. Why? Because I hate playing corporate politics and ultimately I’m an engineer, not a paper pusher.

At smaller companies you have the ability to become more hands-on, whereas at larger corporations over 80% of your work is nothing but paperwork. Again, if you like job security that is great! But if you want to be able to develop your engineering skills then large environments are not the place to be. Keep in mind they only refresh their network every 3-5 years, and when they do it takes an act of congress to get it done because of the “too many Chiefs and not enough Indians” rule. Most managers in corporate environment(s) feel the need to micro-manage that which they have no understanding of. Again, read some Dilbert.

Working for smaller companies often times may pay a little less and you may have a little less job security, but you typically have more flexibility, more freedom and just a better quality of life due to less stress, and you won't feel like just another number to HR. Everyone in the company would know your name.

In my humble opinion as a network architect with the CCIE Routing and Switching certification, working for start-up companies is the best job ever, because you get to do all the engineering and build from the ground up. It is such a rewarding learning experience, and often times rewarding financially if you have stock options and the company goes public. Let's say you've worked for a start-up for 5 years and you have 12,000 shares and the company goes public at $23.00 a share: you've just made $276,000.

However, if you work for a start-up you must be willing to work your ass off, because if you start slacking you'll get laid off real fast. Companies can't afford to keep slackers on the payroll.

Obtaining the CCIE and finding a job!

So if your long term goal is to obtain the CCIE certification and make the big bucks, then there are several things you will learn along the way. One of the more important things to know regarding job opportunity and job security is the ability to set conditions on accepting a job offer(s).

As a CCIE, if you're offered a job by any Partner that wants to use your CCIE number for partnership status (Silver, Gold Partner), then you should ALWAYS include a relinquishment clause in your offer.

In a nutshell, the relinquishment clause will state that in the event of an involuntary termination, the company effectively relinquishes the right to use the CCIE number for partnership purposes as of the effective termination date and time.

If they do not add this to the employment offer, then you are taking a risk by accepting the offer. Why?

Well, ask yourself what is to stop them from hiring you and using you for 90 days just to associate your CCIE number with the company, letting you go shortly after, and still being able to use your CCIE number for partnership status for 12 months? There is a term for this: “CCIE Poaching”.

Now you're a CCIE who cannot associate your CCIE number with another company, thus effectively limiting your job opportunities. Because your CCIE number is in use, other companies may not extend offers to you, because they cannot use your number until a year later.

It is your responsibility to protect your CCIE number from poachers, in which case the relinquishment clause is a “legally binding” agreement upon accepting the offer of employment, stating that if the company involuntarily terminates you for any reason then they relinquish the right to use your CCIE number for partnership use.

Other Questions

If you have any other questions not answered in this blog entry feel free to post a comment and I’ll respond ^_^


Sunday 10 May 2015

CCNA Wireless Chapter 1 and Chapter 2 Exam Answers

1.With radio frequencies, the goal is…
to send as much data as possible
as far as possible
as fast as possible

2.The IEEE wireless standard is…
802.11

3.The FCC defines (4 things)
Unlicensed frequencies
Power at which frequencies can be transmitted
Transmission technologies which can be used
Locations where WLAN devices can be deployed

4.The European equivalent of the FCC is called
ETSI: European Telecommunications Standards Institute

5.To achieve bandwidth from RF, an _____________ method is needed, for example ______________
emission method
example: spread spectrum

6.To place data on RF signals, a __________ method is required
modulation method

7.Modulation is…
The addition of data to a carrier signal

8.As data is placed on a signal, more ______________ aka _________________ is used
frequency spectrum or bandwidth

9.In wireless terminology, bandwidth refers to…
The width of the RF channel

10.Hertz can be described as…
Cycles /second

11.Extremely low frequency range = 3-30hz

12.Super low frequency range = 30-300hz

13.Ultra low frequency range = 300hz-3khz

14.Very low frequency range = 3khz-30khz

15.Low frequency range = 30khz-300khz

16.Medium frequency range = 300khz-3mhz

17.High frequency range = 3mhz-30mhz

18.Very high frequency range = 30mhz-300mhz

19.Ultra high frequency range = 300mhz-3ghz

20.Super high frequency range = 3ghz-30ghz

21.Extremely high frequency range = 30ghz-300ghz

22.The 900mhz band’s range is 902mhz-928mhz

23.The 2.4ghz band is used by which 3 wireless standards?
802.11b,g, and n

24.The 2.4ghz band’s range is
2.400ghz – 2.4835ghz

25.The 2.4ghz band has ____ channels
11

26.The 2.4ghz band’s channels are _____ wide
22mhz

27.Which channels in the 2.4ghz range do not overlap?
1, 6 and 11

28.The 2.4ghz band uses _______ modulation
DSSS: direct sequence spread spectrum modulation

29.What standards use the 5ghz band?
802.11a and n

30.The data rate range of 802.11a is
6-54mbps

31.In the 5ghz band, channels are _____ wide
20mhz

32.The 5ghz band has _______ channels
23

33.The 5ghz band uses _________ modulation
OFDM

34.The data rates available inside the 5ghz band are:
6,9,12,18,24,36,48 and 54mbps

35.Define modulation:
Varying in a signal or a tone called a carrier signal

36.Define encoding:
When data is added to that signal

37.A modulated waveform consists of 3 parts
1) amplitude; strength of signal
2) phase; the timing of signal between peaks
3) frequency; how often signal repeats /sec

38.In DSSS, the transmitted signal is spread
across the entire channel

39.Every data bit in DSSS is sent as a
chip stream

40.How many bits need to change in a chip stream before the bit is miscommunicated
5 or more

41.802.11 1 & 2 mbps use which encoding method?
barker code

42.802.11 5.5 and 11mbps use which encoding method?
cck: complementary code keying

43.How many key words does cck have?
64

44.Each key word in cck communicates how many bits?
up to 6

45.802.11b uses DBPSK and DQPSK modulation, what are these?
These are methods of representing information by changing the phase of the signal

46.What is DBPSK?
Two phases are separated by 180 degrees, DBPSK modulates 1 bit per symbol

47.In DBPSK, a 180 degree phase shift = 1

48.In DBPSK, a zero degree phase shift = 0

49.Is OFDM considered a spread spectrum technology?
no

50.Channels in OFDM are divided into 20mhz, each subcarrier within these channels is 312.5hz wide

51.MIMO is used by
802.11n

52.As distance from AP increases, data rates
decrease

53.What is DRS?
Dynamic rate shifting
The data rate can be dynamically shifted without the connection being dropped

54.CSMA/CD uses a ___________ field to tell other transmitters how long it needs the channel for
duration field

55.The FCC is the federal communications commission

56.Cisco antennae use the __________ connector which stands for
RP-TNC (reverse polarity threaded Neill-Concelman connector)

57.What is the measurement for the power emitted by an antenna?
EIRP: effective isotropic radiated power

58.P2MP rules:
36dbm EIRP max
30dbm transmitter power
6db gain of antenna and cable combined
A 1:1 ratio of power to gain


CCNA Wireless Chapter 3, 4 and 5 Exam Answers

1.Wavelength can be described as…
The distance between successive crests of a wave

2.What is the wavelength of AM radio waves?
400-500M

3.What is the wavelength of satellite waves?
1MM

4.As frequency increases, distance travelled
Decreases

5. 1mhz is 1 million cycles per second

6. 1ghz is 1 billion cycles per second

7. Gain provided by antennae helps to cancel out ___________ from cabling
Loss

8.The EIRP calculation is…
EIRP = transmitter O/P power – cable loss + antenna gain

9.Free path loss is a result of attenuation and not interference

10. As amplitude increases range increases

11.Reduction of amplitude is aka absorption

12.Absorption creates heat

13.The main issue presented by reflection is Multi path interference

14.What is multipath interference?
When two copies of the same signal arrive out of phase with each other, and weaken or cancel each other out

15.What is scattering
When a signal is reflected by objects which are reflective but have jagged edges

16.What is refraction
The changing or bending of a wave as it passes through something of a different density

17.Dryness refracts signals away from earth

18.Humidity refracts signals towards earth

19.RSSI is received signal strength indicator

20.A potential replacement for RSSI is receive channel power indicator

21.What is SNR?
Signal to noise ratio, how much stronger a received signal is than the underlying noise, it is measured in dB

22.What is link budget?
Value which accounts for gains/losses between tx and rx

23.What is the link budget equation?
Received power (dBm) = (tx power + gains – losses)

24.3 types of polarization for antennae are:
1) Vertical
2) Horizontal
3) Circular

25.In an electromagnetic field, the magnetic field is perpendicular to the electric field

26.Cisco antennae all have vertical polarization

27.What is diversity?
The use of two antennae for each radio to increase the odds of a better signal

28.What has to be the same about each antennae in a diversity scenario?
Their orientation

29.Diversity is used to fight…
Multi path interference issues

30. 2 main types of antennae are
1) Directional
2) Omnidirectional

31. The h-plane of an antenna is aka
The azimuth

32.The e-plane shows how a signal would propagate vertically

33.The 2.2 dBi dipole antenna is aka the rubber ducky antenna

34.The loss incurred by a cable is usually referred to as the cable loss specification

35.3 types of antenna connectors are…
1) RP-TNC
2) N-connector
3) SMA (2 types)

36.2 subtypes of SMA connectors are
RP-SMA and SMA-RS

37.Attenuators reduce signal

38.Amplifiers add active gain to compensate for cable loss

39.Active gain means gain is added without focus change

40.What shunts lightning surges before they reach the wired LAN?
Lightning arrestors

41.Do lightning arrestors protect against direct strikes?
no

42.What are used to send a signal in two different directions?
Splitters

43.The range of a WPAN would be..
<5-10m, or 20 feet

44.WPAN’s use the 2.4ghz spectrum

45.Bluetooth is an example of a WPAN

46.Bluetooth uses what for an emission method
FHSS

47.Generally, clients in a WLAN are _______ or less from the access point
100m

48.An example of a WMAN is WiMAX

49.WiMAX could possibly replace T1 AND T3 technologies

50.Is it ideal for a WMAN to use ISM frequencies?
no

51.Do WWAN’s have high data rates?
no

52.The most popular versions of WWAN’s are… (2)
1) GSM
2) CDMA

53.Two original versions of 802.11 topologies:
1) Ad-hoc, no central point
2) Infrastructure, has a central point

54.The coverage area of an AP is called the
BSA

55.The wired network is aka the…
Distribution system

56.2 or more BSA’s make an…
ESA

57.The process of clients moving between AP’s is called…
Roaming

58.An SSID is a combination of what two things
MAC address and network name

59.AP’s can have up to __ SSID’s
16

60.An AP offering more than one NW is called a
MBSSID

61.What is an AWGB
Connects to upstream AP’s and allows wired ethernet clients to connect as non-standard clients

62.What is an UWGB
Allows single wired device to be bridged upstream to an AP as a standard device

63.Overlap needed for a wireless repeater is…
50%

64.Original AP in a repeated wireless network is called…
The root device

65.Outdoor wireless bridges operate at what layer of the OSI model
L2

66.What is used to determine the best path in a wireless mesh network?
AWPP protocol


CCNA Wireless Chapter 6 Exam Answers

802.11e is…
QoS standard for WLANs

802.11h is…
Transmit power management
Changes transmit power to avoid creating interference for other devices

802.11i is…
Security standard

The original 802.11 standard used…
FHSS and DSSS to achieve 1 and 2 mbps

802.11 is a ___________ standard
layer 2 standard

802.11 is focussed on the delivery of…
MSDU’s between peer LLC devices

802.11 defines…
MAC and PHY sublayer characteristics

The 2 lesser used 802.11 standards are…
802.11ac – bonded channel 802.11n
802.11ad – WiGig 60ghz ISM band

LLC sublayer makes 802.11 look like…
every other L2 protocol to other high level protocols

The MAC layer ________, but the LLC layer __________
changes, stays the same

LLC is independent of…
1) topology
2) trans medium
3) MAC techniques used

LLC provides 3 basic services:
1) Unack’d connectionless
2) Ack’d conn-oriented
3) Ack’d connectionless

The 3 purposes of control frames are…
1) Information
2) Supervisory
3) Unnumbered

A 0 in the IG header bit means
individual address

A 1 in the IG header bit means
group address

A 0 in the CR header bit means
command

A 1 in the CR header bit means
response

In control frames, what does 00 signify?
Receive ready

In control frames, what does 01 signify?
Reject

In control frames, what does 10 signify?
Receiver not ready

In control frames, what does 11 signify?
Undefined

STA’s are generally not a _______
Fixed location

STA’s can be ___________ in 802.11, but not 802.3
Hidden from each other

802.11 can handle 2 types of stations…
Mobile and portable

In 802.11 context, mobile means… and portable means….
Mobile means device accesses LAN in motion
Portable means device can move but is stationary upon accessing LAN

The PLCP… (PHY layer definition)
Maps MAC sub layer data units to a framing format

The PMD…(PHY layer definition)
Defines characteristics of tx/rx through wireless medium

The PLME…(PHY layer definition)
Manages local PHY functions with MAC management entity

4 speeds of 802.11b
1,2,5.5 and 11mbps

802.11b uses DSSS and CCK

The chipping rate of 802.11b is…
11mhz

802.11b uses the same PLCP as
The original 802.11

Total number of 802.11b channels…
14

Actual allowed number of channels for 802.11b for each country:
US: 11
ETSI: 13
JAPAN: All 14

Power levels for 802.11b…
US: 36dbm
ETSI: 20dbm

In 802.11b, channels 1, 6 and 11 are referred to as..
Set 1

In 802.11b, channels 2,3,4,5,7,8,9,10 are referred to as…
Set 2

Channels 1, 6, and 11 exact frequencies are…
2412, 2439, and 2462 mhz

802.11a has how many channels
8

802.11a operates at what throughput potentially…
54mbps

Does 802.11a have any backwards compatibility?
No.

OFDM divides…
Communication channel into equally spaced frequency bands

OFDM creates ____ subcarriers each at _____ distance from each other
52, 312.5khz

How many OFDM subcarriers are for data? and for syncing?
48, 4

OFDM is less sensitive to ________ than DSSS
Multipath interference

Four 802.11a modulation techniques…
BPSK
QPSK
16QAM
64QAM

802.11g throughput…
54mbps @ 2.4ghz

What is used for 20mbps+ connections in 802.11g?
OFDM

What is used for speeds under 20mbps in 802.11g?
CCK

What is protection mode?
B clients on a G network are protected from OFDM which causes a significant decrease in throughput of 802.11g

Max possible throughput of 802.11n?
600mbps

802.11n operates at…
2.4 and 5ghz

2 techniques for 802.11n
1) MIMO – uses maximum ratio combining
2) Channel bonding
3) Frame aggregation – multiple LLC’s put into one MAC frame

3 legacy modes of 802.11n…
1) greenfield (HT) – assumes no legacy devices
2) Legacy mode (non-HT) – 20mhz channels only, no channel bonding
3) HT mixed mode – RTS/CTS must be a/g format

802.11h is required by…
ETSI for 5ghz range

2 main features of 802.11h…
1) Dynamic frequency selection to avoid interference
2) Transmit control power – minimizes interference on other systems
