Student Guide Version 08.09.10

Student Guide Version 08.09 - Noodlez.org

Nov 05, 2021

Page 1: Student Guide Version 08.09 - Noodlez.org


Table of Contents

Chapter 1 Equipment Overview and Architecture
Chapter 2 Components and Operations
Chapter 3 Basic Networking
Chapter 4 DMVPN
Chapter 5 TACLANE KG-175 Operations
Chapter 6 Call Manager Express
Chapter 7 SNMPc for JNN and CPNs
Chapter 8 Appendix


Equipment Overview and Architecture


[Figure: Satellite Backbone. Hub Node (Div/Corps) with Ku FDMA and Ku TDMA links; JNN (BCT); BN CPN (Battalion level unit); STEP site; DISN/GIG and DISN/GIG (cable).]

The BnCPN has a single radio link into the JNN network via the TDMA satellite. Permanent or static VPNs are built into the JNNs and Hub Node. Dynamic VPNs are built on demand to other BnCPN systems. The establishment of these demand VPNs is based on user requirements to transfer information between BnCPNs. Establishing VPNs between CPNs on an as-needed basis decreases the amount of satellite resources required to support the network.

The THN is a Division asset that provides connectivity to the Defense Information Systems Network (DISN) and the Global Information Grid (GIG). The THN utilizes both FDMA and TDMA satellite connectivity. The THN also serves as the master hub node for the TDMA mesh networks of the BCTs and their associated BnCPNs.

The JNN is located at the Brigade Combat Team (BCT) element. It serves as both a distribution point for the various systems within the BCT and a provider of direct network services for the Brigade headquarters elements. The JNN can utilize both TDMA and FDMA satellite connectivity and has a single FDMA link that is usually reserved for connectivity to the THN.


The BnCPN provides direct network access to users within a Battalion element. It utilizes only TDMA satellite connectivity. It has permanent links to the THN and JNN and can establish on-demand connections to other CPNs within the BCT.

Regional Hub Node

The RHN is the largest of the four JNN-N Hub Node types, and can provide the following capabilities:

• Provide primary hub node connectivity (FDMA and TDMA) and services for tactical users during reception, staging, onward movement, and integration (RSOI) operations.

• Provide TDMA management support enabling intra-theater Brigade-to-Brigade level routing and network services.

• Provide continuity of operations (COOP) for MRHNs and THNs.

• Provide primary hub node connectivity and services to expeditionary units (e.g., BCT) not deploying with a THN.

• Provide support to Expeditionary Signal Battalions (ESBs)/Integrated Theater Signal Battalion-Joint Network Node (ITSB-J) that are task organized to support Division and below units.

• Provide a server sanctuary supporting the delivery of theater level services and a stable location for Division or Brigade units to host services for their tactical users.

• Provide JNN-N Hub Node connectivity and services for mounted battle command on the move (MBCOTM) users.

• Support up to three JNN-N equipped Divisions, or reconfigurable to support two JNN-N equipped Divisions, four BCTs, and one separate (non-BCT) mission.

• Extend DISN voice, data, and video services to the warfighters.

• Provide assured, low latency reachback to the TNCCs for Top Secret/Sensitive Compartmented Information (TS/SCI) users using JNNs or CPNs as their transport connection to the RHN.

The RHN system is designed to support three separate JNN-enabled Army Divisions and up to four stand-alone BCTs through satellite connectivity to other JNN Network systems: the THN, the JNN, and the BnCPN. The RHN will support both Frequency Division Multiple Access (FDMA) and Time Division Multiple Access (TDMA) satellite links. Equipment is grouped into enclaves within the FHRN facility as shown. Each enclave will operate independently of the others.


[Figure: CPN Network Example. Labels shown: ESB Hub Node; ITSB Heavy Signal Platoon; ITSB Expeditionary Signal Platoon; Signal Platoon Elements; STTs (TSC-85, TSC-93); HCLOS V1, HCLOS V3, SSS V3; Step Site/DISA; Ku Band, X Band, EHF Band; TDMA and FDMA links; LOS Back-Up Link.]

The above figure is an example of an area signal posture and the basic inter-connectivity of signal assets.


BnCPN Transit Cases

The BnCPN is contained in three transit cases:

• Router Case
• VPN Case
• LOS Case

The above diagram shows the interconnectivity between the cases. The Router Case directly supports the SIPR user, data and voice and is connected to the VPN Case via fiber through media converters. The VPN Case provides direct connectivity to the Ku Satellite trailer for connectivity into the TDMA satellite network. The VPN Case can be configured to support NIPR users though this is not part of the standard configuration. The LOS case is intended to provide connectivity for the BnCPN to a legacy system with a TRI-TAC CDI interface such as an MSE LOS system. When using the LOS Case, DMVPN operation is not possible.


BnCPN Router Case

[Figure: BnCPN Router Case, front and rear views.]

The router case contains the following components:

• The COMTECH Turbo IP (Performance Enhancing Proxy) provides a performance enhancement solution that significantly improves TCP/IP performance over wireless and satellite communication networks. By overcoming the inherent limitations of TCP/IP over impaired links (high delay and/or high error), it improves performance of TCP/IP based applications such as web browsing (HTTP), file transfer (FTP), etc.

• The Media Converters (CBFTF1013-100) convert 100 Base FX Fiber Optic to 100 Base TX Copper Ethernet.

• The TACLANE KG-175 provides security over legacy tactical IP networks.

• The NetScreen 5XT Firewall interfaces the trusted world with the untrusted world.

• A console port for connecting to serial terminal emulation programs such as HyperTerminal.

• A modem port is used for remote console sessions using dial-up connections.


• A compact Flash card slot is used for storage of system images, configuration files, keys, and logs.

• Four Ethernet ports connect the Netscreen 5 device to the LAN or local workstation and to the Internet.

• The Cisco 2651XM Access Routers are used as the SIPR voice Gateway and as the VPN Router in the NIPR Case.

• The Cisco Catalyst 3750-24PS switch is used to connect workstations and other network devices, such as servers, routers, and other switches. It terminates IP phones and computers and acts as the connection point for Voice and Data users.

The Battalion Command Post Router Case is intended for use in the SIPR domain to provide connectivity to Data and Voice over IP users. It interfaces to the KU TDMA transmission network via a fiber optic connection to the Battalion Command Post VPN case. Because the KU transmission network is a black network, and because the VPN case is also black, the Ethernet interface from the Router Case is encrypted by a TACLANE within the Router Case. The Router Case contains a Netscreen 5XT firewall for local user protection. Local users connect to the Ethernet switch via an RJ-45 connection block, mounted on the back of the case.


BnCPN VPN Case

Components:
• Media Converters
• Cisco 2651
• Netscreen 5xt
• Cisco 2950
• Signal Entry Panel
• Power Entry Panel

Case Dimensions: 9U, 22.47 W x 19.40 H x 34.50 D
Estimated Case Weight: 130 lbs.
Estimated Power: 419 W

BnCPN LOS Case

[Figure: BnCPN LOS Case, front and rear views.]

Diphase Modem LOS Case

The LOS case is intended to be used in conjunction with either the BnCPN VPN case or the BnCPN Router case. It accepts a serial interface (as from the VPN or Router case router), applies Forward Error Correction (FEC), encrypts via KIV-19, and modulates signals using a CTM-100C diphase modem.

Note: The BnCPN LOS Case is populated to support two LOS links as delivered.


Taclane

The TACLANE provides security over legacy tactical IP networks (MPN) and strategic IP networks (SIPRNET). The SVNs support the logical grouping of users at a common security level in a common community of interest. Although multiple SVNs can operate at different security levels, they can share common transmission and switching elements because they are isolated from each other via cryptography. SVNs encrypt data prior to passing it over the Ku network.

TACLANE versions:

(1) Classic
(2) E100

The base part number of the TACLANE is 0N649470, and the dash variations differentiate between the hardware versions.


TACLANE Capabilities:

(1) TACLANE can communicate at multiple security levels, one level at any given time. The operator selects the security level.

(2) The CIK protects one FIREFLY vector set and up to 48 PPKs, all filled using a DTD. An operator can create two user CIKs, for 3 CIKs, to allow shift operators access to the same key material.

(3) Physical access control is provided by removing the CIK, which locks the TACLANE.

(4) TACLANE is NSA-certified to provide Type 1 encryption and decryption for information classified TOP SECRET codeword and below.

(5) When a valid CIK is inserted, the TACLANE is classified at the highest classification level of the key it contains (but never less than UNCLASSIFIED/CCI).

(6) When the CIK is removed, the TACLANE is UNCLASSIFIED/CCI and the CIK is UNCLASSIFIED.

TACLANE Classic Capabilities:

(1) Supports IP datagram encryption over an Ethernet 10Base-T or Attachment Unit Interface (AUI) physical interface.

(2) 7 Mbps throughput with a user traffic Maximum Transfer Unit (MTU) size of 1400 bytes.

(3) Provides 253 secure IP paths for user traffic (One secure IP path protects all user traffic between a given pair of TACLANEs)

(4) Provides automated peer TACLANE discovery for secure IP paths.

(5) Supports Pre-positioned Key (PPK) or dynamically generated FIREFLY Traffic Encryption Key (TEK) for each secure IP path.

(6) Provides for limited Reverse Address Resolution Protocol (RARP) and Dynamic Host Configuration Protocol (DHCP) bypass for protected hosts to ease integration with existing base network infrastructure.

(7) Supports Broadcast IP datagram traffic encryption.

(8) Supports static multicast with PPK.


E100 Capabilities:

(1) Supports IP datagram encryption over an Ethernet 100Base-TX or 100Base-FX physical interface

(2) 100 Mbps throughput with a user traffic MTU size of 1424 octets in half duplex

(3) 100+ Mbps aggregate throughput with a user traffic MTU size of 1424 octets in full duplex

(4) 253 secure IP paths supported for user traffic (One secure IP path protects all user traffic between a given pair of TACLANEs)

(5) Automated peer TACLANE discovery for secure IP paths

(6) PPK or dynamically generated FIREFLY TEK for each secure IP path

(7) Limited RARP and DHCP bypass supported for protected hosts to ease integration with existing base network infrastructure

(8) Broadcast IP datagram traffic encryption supported

(9) Auto-Negotiating 10Base-T vs. 100Base-T Ethernet interface

(10) Static multicast with PPK

(11) Remote TACLANE static routes


UPS


Technical Characteristics:
Power (VA): 1500 VA
Power (W): 1050 W
Max Backup Time With Full Load: 5 Minutes
Platform: PC
Connectors, Total Number of Outputs: 4 Outlets
Recharge Time: 5 Hours
Surge Suppression
Automatic Shutdown
Audible Alarm
Cable Length: 10 ft


Components and Operations


Setup Procedures

1. Unpack/Inventory.
2. Setup.
3. Install Physical Layer.
4. Configure/Verify Data Configurations.
5. Check Internal Data/Voice Connectivity.
6. Install CME Services.
7. Validate Voice Services.


Power Requirements

• VPN Case/UPS Case: 120 VAC, Single-phase.
• Router Case/UPS Case: 120 VAC, Single-phase.
• LOS Case/UPS Case: 120 VAC, Single-phase.
• Management laptop computer: 120 VAC, Single-phase.
• 2.4 Meter Ku-Band STT: 208-240 VAC, Split-phase.

Router Case SEP

[Figure: Router Case SEP.]

BnCPN Block Diagram

[Figure: BnCPN Block Diagram.]

BnCPN Connectivity

[Figure: BnCPN Connectivity, showing POE and NON POE ports.]

Allocations

[Figure: Allocations.]

TUNNEL SIGNAL FLOW

[Figure: Tunnel Signal Flow between two STTs across the TDMA link. Three tunnels are shown: NIPR Tunnel (NIPR_T2_RTR to NIPR_T2_RTR), Taclane Tunnel (KG-175 Taclane to KG-175 Taclane) and SIPR Tunnel (SIPR_T2_RTR to SIPR_T2_RTR); labels mGRE, SDD, AES.]


Basic Networking


One of the most important concepts of Internetworking.

It is essential you understand how IP Addresses are used in a network.

IP Addressing and Subnet Masks

Internet Scaling Problems

Over the past few years, the Internet has experienced two major scaling issues as it has struggled to provide continuous and uninterrupted growth:

• The eventual exhaustion of the IPv4 address space.
• The ability to route traffic between the ever-increasing numbers of networks that comprise the Internet.

The first problem is concerned with the eventual depletion of the IP address space. The current version of IP, IP version 4 (IPv4), defines a 32-bit address, which means that there are only 2^32 (4,294,967,296) IPv4 addresses available. This might seem like a large number of addresses, but as new markets open and a significant portion of the world's population becomes candidates for IP addresses, the finite number of IP addresses will eventually be exhausted. The address shortage problem is aggravated by the fact that portions of the IP address space have not been efficiently allocated. Also, the traditional model of classful addressing does not allow the address space to be used to its maximum potential. The Address Lifetime Expectancy (ALE) Working Group of the IETF has expressed concerns that if the current address allocation policies are not modified, the Internet will experience a near to medium term exhaustion of its unallocated address pool.


If the Internet's address supply problem is not solved, new users may be unable to connect to the global Internet networks (in the thousands). The second problem is caused by the rapid growth in the size of the Internet routing tables. Internet backbone routers are required to maintain complete routing information for the Internet. Over recent years, routing tables have experienced exponential growth as increasing numbers of organizations connect to the Internet -- in December 1990 there were 2,190 routes; in December 1992 there were 8,500 routes; and in December 1995 there were 30,000+ routes. By the early 2000s, the number had reached 210,000. Unfortunately, the routing problem cannot be solved by simply installing more router memory and increasing the size of the routing tables. Other factors related to the capacity problem include the growing demand for CPU horsepower to compute routing table/topology changes, the increasingly dynamic nature of WWW connections and their effect on router forwarding caches, and the sheer volume of information that needs to be managed by people and machines. If the number of entries in the global routing table is allowed to increase without bounds, core routers will be forced to drop routes and portions of the Internet will become unreachable. The long-term solution to these problems can be found in the anticipated widespread deployment of IP Next Generation (IPng or IPv6). However, while the Internet community waits for IPng, IPv4 will need to be patched and modified so that the Internet can continue to provide the universal connectivity we have come to expect. This patching process may cause a tremendous amount of pain and may alter some of our fundamental concepts about the Internet.


The IP Address

• Is made up of 4 octets.
• Each octet is 8 bits in length.
• Each IP address is 32 bits in length.

148.43.200.1 = 10010100.00101011.11001000.00000001


The IP Address

148.43.200.1

  148        43         200        1
  10010100   00101011   11001000   00000001

Dotted-Decimal Notation - To make Internet addresses easier for human users to read and write, IP addresses are often expressed as four decimal numbers, each separated by a dot. This format is called dotted-decimal notation. Dotted-decimal notation divides the 32-bit Internet address into four 8-bit (byte) fields and specifies the value of each field independently as a decimal number with the fields separated by dots.


The IP Address

• Host: Is essentially anything on the network that is capable of receiving and transmitting IP packets, such as a workstation (computer) or a router. Each host must be supplied with a unique IP address.

• Network: Is the media that is used to interconnect hosts. The network portion of the address designates your location in the overall topology.

• Mask: A mask is applied to the address to define which portion of the address is network specific and which is host specific.

IP addressing is based on the concept of hosts and networks. A host is essentially anything on the network that is capable of receiving and transmitting IP packets, such as a workstation or a router. The hosts are connected together by one or more networks (segments). The IP address of any host consists of its network address plus its own host address on the network. Routers deliver packets to networks, not hosts. A mask is used to determine the network and host portion of an IP address. When applied to an IP address, it quite simply defines a range of addresses. The mask determines which IP addresses reside on a given network or segment. The mask is written in the same dotted decimal notation format as the IP address but it is limited to contiguous binary variations: all ones, then all zeros. All ones in the first octet is the starting point.


Decimal to Binary Conversion

• A decimal number can be represented by a group of binary 1s and 0s.
• Computers do not understand decimal numbers.
• They communicate in 1s and 0s, electrical highs and lows.


Decimal to Binary Conversion

0 1 0 1 0 1 0 1 = 01010101 = 85


Decimal to Binary Conversion

Converting from binary to decimal

Value for each bit:   128  64  32  16   8   4   2   1

                        1   1   1   1   1   1   1   1   = 255
                        0   1   0   0   0   0   0   1   = 0 + 64 + 0 + 0 + 0 + 0 + 0 + 1 = 65


Decimal to Binary Conversion

A decimal 7 is a binary 00000111:

128  64  32  16   8   4   2   1
  0   0   0   0   0   1   1   1


Decimal to Binary Conversion

A decimal 67 is a binary 01000011:

128  64  32  16   8   4   2   1
  0   1   0   0   0   0   1   1
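The place-value method the preceding slides walk through by hand (subtract 128, 64, 32 ... 1 in turn, or add the place value of every 1 bit), written out as an added Python example. This is not code from the Student Guide; the function names and the worksheet layout are my own choices.

```python
# Added example (not from the Student Guide): decimal <-> binary conversion
# for one octet using the 128/64/32/16/8/4/2/1 place values the slides use,
# plus dotted-decimal <-> 32-bit binary for a whole IPv4 address.

PLACE_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)


def octet_to_bits(value: int) -> str:
    """Return the 8-bit binary string for 0..255 by subtracting place values."""
    if not 0 <= value <= 255:
        raise ValueError(f"{value} does not fit in one octet")
    bits = []
    remaining = value
    for place in PLACE_VALUES:
        if remaining >= place:      # the place "fits": write a 1 and subtract it
            bits.append("1")
            remaining -= place
        else:
            bits.append("0")
    return "".join(bits)


def bits_to_octet(bits: str) -> int:
    """Add up the place value of every 1 bit (the '0 + 64 + ... + 1 = 65' slide)."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"{bits!r} is not an 8-bit binary string")
    return sum(place for place, bit in zip(PLACE_VALUES, bits) if bit == "1")


def ip_to_binary(address: str) -> str:
    """'148.43.200.1' -> '10010100.00101011.11001000.00000001'."""
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError(f"{address!r} is not a dotted-decimal IPv4 address")
    return ".".join(octet_to_bits(int(o)) for o in octets)


def binary_to_ip(binary: str) -> str:
    """Inverse of ip_to_binary."""
    return ".".join(str(bits_to_octet(b)) for b in binary.split("."))


def place_value_worksheet(value: int) -> str:
    """Reproduce the slide layout: place values, the bits below them, the sum."""
    bits = octet_to_bits(value)
    terms = " + ".join(str(p if b == "1" else 0) for p, b in zip(PLACE_VALUES, bits))
    return (" ".join(f"{p:>3}" for p in PLACE_VALUES) + "\n"
            + " ".join(f"{b:>3}" for b in bits) + "\n"
            + f"{terms} = {value}")


if __name__ == "__main__":
    for n in (85, 65, 7, 67, 255):
        print(place_value_worksheet(n), end="\n\n")
    print(ip_to_binary("148.43.200.1"))
```

Running the block prints the worksheets for the values used on the slides (85, 65, 7, 67, 255) and the binary form of 148.43.200.1.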


Classful IP Addressing

[Figure: an address split into Network Number ("What network are we in?") and Host Number ("Which user on that network are we?"). Network: 148.43.0.0 /16. Host: 148.43.200.76.]

When IP was first standardized in September 1981, the specification required that each system attached to an IP-based internet be assigned a unique 32-bit Internet address value. Some systems, such as routers, which have interfaces to more than one network, must be assigned a unique IP address for each network interface. The first part of an Internet address identifies the network on which the host resides, while the second part identifies the particular host on the given network. This created the two-level addressing hierarchy.

• Network-Prefix | Host-Number
• Network-Number | Host-Number

In recent years, the network-number field has been referred to as the network-prefix because the leading portion of each IP address identifies the network number. All hosts on a given network share the same network-prefix but must have a unique host-number. Similarly, any two hosts on different networks must have different network-prefixes but may have the same host-number.


Primary Address Classes

Class A:  0     | Network | Host
Class B:  1 0   | Network | Host
Class C:  1 1 0 | Network | Host

In order to provide the flexibility required to support different size networks, the designers decided that the IP address space should be divided into three different address classes - Class A, Class B, and Class C. This is often referred to as classful addressing because the address space is split into three predefined classes, groupings, or categories. Each class fixes the boundary between the network-prefix and the host-number at a different point within the 32-bit address. One of the fundamental features of classful IP addressing is that each address contains a self-encoding key that identifies the dividing point between the network-prefix and the host-number. For example, if the first two bits of an IP address are 1-0, the dividing point falls between the 15th and 16th bits. This simplified the routing system during the early years of the Internet because the original routing protocols did not supply a deciphering key or mask with each route to identify the length of the network-prefix.


Class A (1 – 126) (/8 Prefixes)

First octet:  00000001 (1) through 01111110 (126)
Layout:       0 | 7-bit NETWORK | 24-bit HOST
Lowest:       1.0.0.0          00000001.00000000.00000000.00000000
Highest:      126.255.255.255  01111110.11111111.11111111.11111111
Mask:         255.0.0.0        11111111.00000000.00000000.00000000

Class A Networks (/8 Prefixes)

Each Class A network address has an 8-bit network-prefix with the highest order bit set to 0 and a seven-bit network number, followed by a 24-bit host-number. Today, it is no longer considered modern to refer to a Class A network. Class A networks are now referred to as /8s (pronounced "slash eight" or just "eights") since they have an 8-bit network-prefix. A maximum of 126 (2^7 - 2) /8 networks can be defined. The calculation requires that the 2 is subtracted because the /8 network 0.0.0.0 is reserved for use as the default route and the /8 network 127.0.0.0 (also written 127/8 or 127.0.0.0/8) has been reserved for the "loopback" function. Each /8 supports a maximum of 16,777,214 (2^24 - 2) hosts per network. The host calculation requires that 2 is subtracted because the all-0s (this network) and all-1s (broadcast) host-numbers may not be assigned to individual hosts. Since the /8 address block contains 2^31 (2,147,483,648) individual addresses and the IPv4 address space contains a maximum of 2^32 (4,294,967,296) addresses, the /8 address space is 50% of the total IPv4 unicast address space.


Class B (128 – 191) (/16 Prefixes)

First octet:  10000000 (128) through 10111111 (191)
Layout:       1 0 | 14-bit NETWORK | 16-bit HOST
Lowest:       128.0.0.0        10000000.00000000.00000000.00000000
Highest:      191.255.255.255  10111111.11111111.11111111.11111111
Mask:         255.255.0.0      11111111.11111111.00000000.00000000

Class B Networks (/16 Prefixes)

Each Class B network address has a 16-bit network-prefix with the two highest order bits set to 10 and a 14-bit network number, followed by a 16-bit host-number. Class B networks are now referred to as /16s since they have a 16-bit network-prefix. A maximum of 16,384 (2^14) /16 networks can be defined with up to 65,534 (2^16 - 2) hosts per network. Since the entire /16 address block contains 2^30 (1,073,741,824) addresses, it represents 25% of the total IPv4 unicast address space.


Class C (192 – 223) (/24 Prefixes)

First octet:  11000000 (192) through 11011111 (223)
Layout:       1 1 0 | 21-bit NETWORK | 8-bit HOST
Lowest:       192.0.0.0        11000000.00000000.00000000.00000000
Highest:      223.255.255.255  11011111.11111111.11111111.11111111
Mask:         255.255.255.0    11111111.11111111.11111111.00000000

Class C Networks (/24 Prefixes)

Each Class C network address has a 24-bit network-prefix with the three highest order bits set to 110 and a 21-bit network number, followed by an 8-bit host-number. Class C networks are now referred to as /24s since they have a 24-bit network-prefix. A maximum of 2,097,152 (2^21) /24 networks can be defined with up to 254 (2^8 - 2) hosts per network. Since the entire /24 address block contains 2^29 (536,870,912) addresses, it represents 12.5% (or 1/8th) of the total IPv4 unicast address space.


Other Classes

Class D (IP Multicasting):  leading bits 1110, first octet 224 – 239
Class E (Experimental):     leading bits 1111, first octet 240 – 254

In addition to the three most popular classes, there are two additional classes. Class D addresses have their leading four-bits set to 1110 and are used to support IP Multicasting. Class E addresses have their leading four-bits set to 1111 and are reserved for experimental use.
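The "self-encoding key" idea from the Primary Address Classes page, and the network and host counts quoted for the /8, /16 and /24 classes, as an added Python example (not code from the Student Guide). It reads the high-order bits of the first octet exactly the way the class diagrams do, then derives the classful mask, the network number and the per-class totals; the data-class layout and the dictionary keys are my own naming.

```python
# Added example (not from the Student Guide): decode the leading bits of an
# IPv4 address to find its class, the classful network/host split and the
# network and host counts the chapter quotes (2^7 - 2, 2^24 - 2, and so on).

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AddressClass:
    name: str
    leading_bits: str           # the self-encoding key in the first octet
    prefix_len: Optional[int]   # None for Class D/E: no network/host split
    net_bits: int               # bits left for the network number after the key


CLASSES = (
    AddressClass("A", "0", 8, 7),
    AddressClass("B", "10", 16, 14),
    AddressClass("C", "110", 24, 21),
    AddressClass("D (multicast)", "1110", None, 0),
    AddressClass("E (experimental)", "1111", None, 0),
)


def to_int(address: str) -> int:
    """Dotted decimal -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in address.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"{address!r} is not a valid IPv4 address")
    return int.from_bytes(bytes(octets), "big")


def to_dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def classify(address: str) -> AddressClass:
    """Match the high-order bits of the first octet against each class key."""
    first_octet_bits = format(to_int(address) >> 24, "08b")
    for cls in CLASSES:
        if first_octet_bits.startswith(cls.leading_bits):
            return cls
    raise AssertionError("unreachable: every 4-bit pattern is covered above")


def classful_split(address: str) -> dict:
    """Classful mask, network number and class totals for a Class A/B/C address."""
    cls = classify(address)
    if cls.prefix_len is None:
        raise ValueError(f"{address} is Class {cls.name}: no host field to split")
    host_bits = 32 - cls.prefix_len
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    networks = 2 ** cls.net_bits
    if cls.name == "A":      # 0/8 (default route) and 127/8 (loopback) are reserved
        networks -= 2
    return {
        "class": cls.name,
        "prefix_len": cls.prefix_len,
        "mask": to_dotted(mask),
        "network": to_dotted(to_int(address) & mask),
        "networks_in_class": networks,
        "hosts_per_network": 2 ** host_bits - 2,   # minus all-0s and all-1s
        # fraction of the 2^32 space whose first bits match the class key
        "share_of_address_space": 2 ** (32 - len(cls.leading_bits)) / 2 ** 32,
    }


if __name__ == "__main__":
    for sample in ("10.0.0.1", "148.43.200.76", "192.168.1.20", "224.0.0.5"):
        cls = classify(sample)
        print(sample, "-> Class", cls.name)
        if cls.prefix_len is not None:
            print("   ", classful_split(sample))
```

Exercise 10 in the practical exercise asks for a "Classful Mask" as well as the subnet mask; `classful_split` gives the former, and the share figures it returns (0.5, 0.25, 0.125) are the 50%, 25% and 12.5% quoted on the class pages.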


Subnet Masking

Address:  148.43.200.1    10010100 . 00101011 . 11001000 . 00000001
Mask:     255.255.255.0   11111111 . 11111111 . 11111111 . 00000000
Result:   148.43.200.x    10010100 . 00101011 . 11001000 . xxxxxxxx
                          <--------- Network ----------->   <-Host->

• A bit for bit comparison is conducted between the address & mask.

• The address bits that align with ones in the mask are considered network.

• The address bits that align with zeros in the mask are considered host.

• The point at which the mask changes from ones to zeros divides the address into network and host portions.


Subnet Masking

148.43.200.1/24 or 255.255.255.0

Address:  10010100 . 00101011 . 11001000 . 00000001
Mask:     11111111 . 11111111 . 11111111 . 00000000
Range:    10010100 . 00101011 . 11001000 . 00000000
          10010100 . 00101011 . 11001000 . 11111111
          148 . 43 . 200 . 0-255
          <--------- Network ----------->   <-Host->

You will often see the mask as a slash prefix (/). This represents the number of bits that are on (ones).


Subnet Masking

148.43.200.1/25 or 255.255.255.128

Address:  10010100 . 00101011 . 11001000 . 0|0000001
Mask:     11111111 . 11111111 . 11111111 . 1|0000000
Range:    10010100 . 00101011 . 11001000 . 0|0000000
          10010100 . 00101011 . 11001000 . 0|1111111
          148 . 43 . 200 . 0-127
          <---------- Network ------------>  <-Host->


Subnet Masking

148.43.200.1/27 or 255.255.255.224

Address:  10010100 . 00101011 . 11001000 . 000|00001
Mask:     11111111 . 11111111 . 11111111 . 111|00000
Range:    10010100 . 00101011 . 11001000 . 000|00000
          10010100 . 00101011 . 11001000 . 000|11111
          148 . 43 . 200 . 0-31
          <----------- Network -------------->  <Host>


Subnet Masking

148.43.200.1/28 or 255.255.255.240

Address:  10010100 . 00101011 . 11001000 . 0000|0001
Mask:     11111111 . 11111111 . 11111111 . 1111|0000
Range:    10010100 . 00101011 . 11001000 . 0000|0000
          10010100 . 00101011 . 11001000 . 0000|1111
          148 . 43 . 200 . 0-15
          <------------ Network --------------->  <Host>


Subnet Masking

148.43.200.1/29 or 255.255.255.248

Address:  10010100 . 00101011 . 11001000 . 00000|001
Mask:     11111111 . 11111111 . 11111111 . 11111|000
Range:    10010100 . 00101011 . 11001000 . 00000|000
          10010100 . 00101011 . 11001000 . 00000|111
          148 . 43 . 200 . 0-7
          <------------- Network ---------------->  <Host>


Available Hosts in a Network

148.43.200.0 255.255.255.240

148.43.200.0    Network Address
148.43.200.1    first host     }
...                            } Hosts, or usable IPs
148.43.200.14   last host      }
148.43.200.15   Broadcast Address

Defining Network, Host and Broadcast Addresses

According to Internet practices, the host-number field of an IP address cannot contain all 0-bits or all 1-bits. The all-0s host-number identifies the base network (or sub-network) number, while the all-1s host-number represents the broadcast address for the network (or sub-network). In the above example, there are 4 bits in the host-number field of each subnet address. This means that each subnet represents a block of 16 host addresses (2^4 - 2 = 14; note that the 2 is subtracted because the all-0s and the all-1s host addresses cannot be used). The hosts on this subnet are numbered 1 through 15.


Network Address

• The network address is used by routers to identify and route packets to the correct destination.

• The network address can be identified by having all 0s in the host field.

• The network address cannot be assigned to a computer or host.

Network Address Examples

148.43.200.0     255.255.255.0
148.43.200.128   255.255.255.128
148.43.200.64    255.255.255.192
148.43.200.96    255.255.255.224


Broadcast Address

• The broadcast address is used by routers and hosts to send packets to all computers on a network at one time.

• The broadcast address can be identified by having all 1s in the host field.

• The broadcast address cannot be assigned to a computer or host.

Broadcast Address Examples

148.43.200.255   255.255.255.0
148.43.200.127   255.255.255.128
148.43.200.63    255.255.255.192
148.43.200.95    255.255.255.224


Subnet Masking Template

1. Write down the IP address plus subnet prefix (decimal).
2. Convert the IP address into binary.
3. Convert the subnet mask from the prefix into binary.
4. Where the 1s end and the 0s begin, draw a VERTICAL line of demarcation to represent the division of the network specific bits and host specific bits.
5. All zeroes in the Host Field gives you the Network address. Convert the binary back to dotted decimal; this is your Network IP address.
6. All ones in the Host field gives you the Broadcast Address. Convert the binary back to dotted decimal; this is your Broadcast IP address.
7. Once you have determined the Network and Broadcast IP addresses, everything in between will be usable host addresses.
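The template above, and the /24 through /29 masking pages and the network/broadcast examples before it, as one added Python example (not code from the Student Guide). Given an address in slash notation it builds the mask, marks the line of demarcation in the binary with a "|", and derives the network address, the broadcast address and the usable host range. The function names, the worksheet layout and the clamp for /31 and /32 are my own choices; the guide's rule of "block size minus 2" is what is implemented.

```python
# Added example (not from the Student Guide): the subnet masking template as
# code. Given "address/prefix" it builds the mask, draws the vertical line of
# demarcation in the binary, and derives network, broadcast and usable hosts.

from typing import Dict, Tuple


def parse_cidr(cidr: str) -> Tuple[int, int]:
    """'148.43.200.1/28' -> (address as 32-bit int, prefix length)."""
    address, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    octets = [int(o) for o in address.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets) or not 0 <= prefix <= 32:
        raise ValueError(f"bad slash notation: {cidr!r}")
    return int.from_bytes(bytes(octets), "big"), prefix


def dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def binary(value: int, prefix: int) -> str:
    """32-bit binary with dots between octets and '|' where the mask's 1s end."""
    out = []
    for i, bit in enumerate(format(value, "032b")):
        if i and i % 8 == 0:
            out.append(".")
        if i == prefix:              # the line of demarcation (step 4)
            out.append("|")
        out.append(bit)
    if prefix == 32:
        out.append("|")
    return "".join(out)


def subnet(cidr: str) -> Dict[str, object]:
    addr, prefix = parse_cidr(cidr)
    host_bits = 32 - prefix
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF   # prefix 1s then 0s (step 3)
    network = addr & mask                           # all zeroes in the host field
    broadcast = network | (~mask & 0xFFFFFFFF)      # all ones in the host field
    block = 2 ** host_bits
    # The guide's rule: the block minus the network and broadcast addresses.
    # For /31 (RFC 3021 point-to-point) and /32 that rule yields 0 or -1,
    # so the count is clamped at 0 instead of going negative.
    usable = max(block - 2, 0)
    return {
        "address": dotted(addr),
        "mask": dotted(mask),
        "address_bin": binary(addr, prefix),
        "mask_bin": binary(mask, prefix),
        "network": dotted(network),
        "broadcast": dotted(broadcast),
        "first_host": dotted(network + 1) if usable else None,
        "last_host": dotted(broadcast - 1) if usable else None,
        "usable_hosts": usable,
    }


def worksheet(cidr: str) -> str:
    """Lay the result out in the order of the Subnet Masking Template."""
    s = subnet(cidr)
    hosts = f"{s['first_host']} - {s['last_host']}" if s["usable_hosts"] else "none"
    return "\n".join([
        f"IP address plus subnet prefix : {cidr}",
        f"IP address in binary          : {s['address_bin']}",
        f"Subnet mask in binary         : {s['mask_bin']}",
        f"Subnet Mask                   : {s['mask']}",
        f"Network Address               : {s['network']}",
        f"Broadcast Address             : {s['broadcast']}",
        f"Available Addresses           : {hosts} ({s['usable_hosts']})",
    ])


if __name__ == "__main__":
    for example in ("148.43.200.1/24", "148.43.200.1/28",
                    "148.43.200.16/30", "220.0.0.1/31"):
        print(worksheet(example), end="\n\n")
```

`worksheet` prints the same fields the practical exercise that follows asks for, so it can be used to check an answer after working it by hand; the `/31` case is included because the exercise contains one and it is where the subtract-2 rule stops giving a usable pair.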


Practical Exercise: IP Subnet Masking

1. IP Address 10.0.0.1/16
   Subnet Mask: ____________________________
   Network Address: ____________________________
   Broadcast Address: ____________________________
   Available Addresses: ____________________________

2. IP Address 131.29.1.5/24
   Subnet Mask: ____________________________
   Network Address: ____________________________
   Broadcast Address: ____________________________
   Available Addresses: ____________________________

3. IP Address 148.43.200.128/25
   Subnet Mask: ____________________________
   Network Address: ____________________________
   Broadcast Address: ____________________________
   Available Addresses: ____________________________

4. IP Address 25.205.120.6/9
   Subnet Mask: ____________________________
   Network Address: ____________________________
   Broadcast Address: ____________________________
   Available Addresses: ____________________________

5. IP Address 128.1.0.0/10
   Subnet Mask: ____________________________
   Network Address: ____________________________
   Broadcast Address: ____________________________
   Available Addresses: ____________________________


6. IP Address 148.43.200.16/30
Subnet Mask: ____________________________
Network Address: ____________________________
Broadcast Address: ____________________________
Available Addresses: ____________________________

7. IP Address 220.0.0.1/31
Subnet Mask: ____________________________
Network Address: ____________________________
Broadcast Address: ____________________________
Available Addresses: ____________________________

8. IP Address 55.15.3.9/27
Subnet Mask: ____________________________
Network Address: ____________________________
Broadcast Address: ____________________________
Available Addresses: ____________________________

9. IP Address 148.43.200.12/29
Subnet Mask: ____________________________
Network Address: ____________________________
Broadcast Address: ____________________________
Available Addresses: ____________________________

10. IP Address 125.25.20.6/22
Classful Mask: ____________________________
Subnet Mask: ____________________________
Network Address: ____________________________
Broadcast Address: ____________________________
Available Addresses: ____________________________

11. IP Address 18.121.10.0/14
Subnet Mask: ____________________________
Network Address: ____________________________
Broadcast Address: ____________________________
Available Addresses: ____________________________
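The subnet masking template worked through in code, as an added example that is not part of the student guide: the prefix becomes a mask of leading 1s, the host field set to all 0s gives the network address, all 1s gives the broadcast address, and the count of addresses in between is the usable host count. The 148.43.200.x inputs are the broadcast address examples from the earlier slide; 192.0.2.1/31 is a constructed sample that shows what the "everything in between" rule yields when nothing lies between network and broadcast.

```python
# Added example (not from the student guide): the subnet masking template
# worked through in code. The 148.43.200.x inputs come from the slides;
# 192.0.2.1/31 is a constructed sample for the /31 edge case.


def dotted_to_int(addr: str) -> int:
    """Dotted decimal -> 32-bit integer (the 'binary' column of the template)."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """/n -> n leading 1s followed by (32 - n) 0s."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def with_demarcation(value: int, prefix: int) -> str:
    """Binary string with the vertical line drawn where the 1s of the mask end."""
    bits = format(value, "032b")
    return bits[:prefix] + "|" + bits[prefix:]


def subnet_info(cidr: str) -> dict:
    """Apply the template to 'a.b.c.d/n' and fill every blank on the worksheet."""
    addr, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    ip = dotted_to_int(addr)
    mask = mask_from_prefix(prefix)
    network = ip & mask                          # host field all zeroes
    broadcast = network | (~mask & 0xFFFFFFFF)   # host field all ones
    # "Everything in between" network and broadcast is usable; for /31 and /32
    # there is nothing in between, so the rule yields 0 rather than a negative.
    usable = max(broadcast - network - 1, 0)
    return {
        "subnet_mask": int_to_dotted(mask),
        "network": int_to_dotted(network),
        "broadcast": int_to_dotted(broadcast),
        "available_addresses": usable,
        "first_host": int_to_dotted(network + 1) if usable else None,
        "last_host": int_to_dotted(broadcast - 1) if usable else None,
        "worksheet": [                           # the binary rows, lined up
            "address   " + with_demarcation(ip, prefix),
            "mask      " + with_demarcation(mask, prefix),
            "network   " + with_demarcation(network, prefix),
            "broadcast " + with_demarcation(broadcast, prefix),
        ],
    }


if __name__ == "__main__":
    for sample in ("148.43.200.1/26", "148.43.200.65/27", "192.0.2.1/31"):
        info = subnet_info(sample)
        print(sample)
        print("\n".join(info.pop("worksheet")))
        for field, value in info.items():
            print(f"  {field}: {value}")
```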



Dynamic Multi-Point Virtual Private Networks

(DMVPN)



JNN Network - Satellite Backbone

Diagram: satellite backbone with the Hub Node (Div/Corps) connected to DISN/GIG, STEP and DISN/GIG (cable); the JNN (BCT) reaches the satellite over Ku FDMA and Ku TDMA; the CPNs (Battalion level units) over Ku TDMA only.

The JNN network utilizes a Ku Band commercial satellite network for the backbone interconnectivity of its systems. Both Time Division Multiple Access (TDMA) and Frequency Division Multiple Access (FDMA) are utilized. The JNN network architecture is composed of three primary elements:

1. Unit Hub Node (UHN)

2. Joint Network Node (JNN)

3. Battalion Command Post Node (CPN)

These systems provide communications support to the various elements within an Army Division. The UHN is located at the Division and/or the Corps element. It provides connectivity to the Defense Information Systems Network (DISN) and the Global Information Grid (GIG). The UHN utilizes both FDMA and TDMA satellite connectivity. The JNN is located at the Brigade Combat Team (BCT) element. It serves as both a distribution point for the various systems within the BCT and provides direct network services for the Brigade headquarters elements. The JNN can utilize both TDMA and FDMA satellite connectivity. It has a single FDMA link which is usually reserved for connectivity to the UHN.


The CPN provides direct network access to users within a Battalion element. It utilizes only TDMA satellite connectivity. It has permanent links to the UHN and/or JNN and can establish on demand connections to other CPNs within the BCT.


Why Satellite?

• Allows for beyond line of sight (BLOS) extension.

• Accessible from virtually anywhere on the battlefield.

• No need for extensive “link” planning for installation of ground systems at a new location.

• Scales well for maneuver units.

• Current ground equipment readily transportable.

The use of satellite communications by the JNN network allows for the installation and operation of a very flexible intra-network backbone for its users. Tactical line of sight radio systems (LOS) are normally limited to a maximum range of approximately 40 miles. This limits the area on a battlefield that maneuver units can cover. With satellite, two systems can establish a radio link as long as they are within the earth “footprint” of the satellite coverage. This coverage can be rather large, allowing systems to be hundreds of miles apart. LOS radio link installation requires extensive planning and engineering utilizing complex computer programs to provide a “profile”. It is not always possible to establish an LOS radio link between two locations. Whenever LOS radio systems are moved to a new location, this link planning must be conducted again prior to the installation of the new radio link. Satellite, on the other hand, requires only initial link planning for the installation of radio links. Once this is done, systems can move almost anywhere within the footprint and reestablish the radio link. Also, there are virtually no limits to establishing a satellite link as long as there is a clear line of sight path between the earth system and the satellite. With the flexibility noted above, satellite based systems serve well in meeting the needs of Army combat units. As changes occur on the battlefield and units are required to move, satellite based systems provide them the ability to rapidly terminate and reestablish communications in a minimal amount of time.


FDMA / HUB & JNN

• Users xmit on one carrier frequency and receive on another.

• 2 carriers per full duplex link (point to point).

• Scales poorly - inefficient use of space segment.

• Does not support ad hoc networking.

• Dedicated bandwidth, not shared.

• No delay for link connection.

TDMA / HUB, JNN & CPN

• Users share carrier(s) for both xmit and receive.

• Additional carriers can be defined to support network growth.

• Scales well – efficient use of valuable space resource.

• Supports ad hoc networking well.

• Bandwidth is a shared resource, not dedicated.

• Slight delay in establishing link connection.

• Only source of connectivity for the CPN

Space Segment Usage/Efficiency

* Space segment efficiency directly related to type of modulation/encoding used.

Frequency Division Multiple Access: FDMA is a traditional technique whereby earth stations transmit simultaneously on different pre-assigned frequencies, into a common satellite transponder. In addition, the FDMA carrier is allotted a certain amount of bandwidth. This carrier is constantly being transmitted to the satellite, processed by it, and retransmitted back to earth by it regardless of user traffic. Only the system assigned a certain transmit frequency can use the allocated bandwidth.

Time Division Multiple Access: TDMA is a digital transmission technology that allows a number of users to access a single radio-frequency (RF) carrier without interference by allocating unique time slots to each user within each carrier. The type utilized within JNTC-S is referred to as Multi-Frequency TDMA Demand Assigned Multiple Access. This allows for dynamic allocation of time slots based on user requirements and allows multiple carriers on the satellite within the TDMA network. This forms a “bandwidth pool” for the users.


FDMA/TDMA Satellite Payload-users present

• Above depicts two users communicating via a satellite link - TDMA or FDMA.

• Spectrum analyzer display depicts the radio carrier used between the two systems.

• The carrier has a center frequency plus a certain amount of bandwidth.

• Amount of bandwidth is dependent upon data rate transfer.

The above diagram displays two ground based satellite systems with a radio link established between the two through a satellite. This could be an FDMA or TDMA link. There are two users communicating through this link with laptop computers. Depicted between the two systems is a display from a spectrum analyzer. The “hump” on the screen is a representation of the radio carrier being received by one of the satellite systems. The carrier has a center frequency and a certain amount of bandwidth being utilized on each side of this center frequency. The amount of bandwidth is determined by the data rate being transmitted by the earth systems.


• Above depicts two systems with no user data being transferred.

• Satellite resource utilization remains unchanged on an FDMA link.

• Carrier can only be utilized by systems with the pre-assigned frequency & bandwidth.

• User activity or inactivity has no effect on satellite resource utilization.

FDMA Satellite Payload-no users present

The diagram now shows no user traffic being transmitted through the satellite radio link. From a satellite resource utilization standpoint, there would be no change on an FDMA link (as depicted by the spectrum analyzer display). FDMA systems have pre-assigned frequencies and pre-assigned bandwidth allocation; only the systems allocated these resources can utilize them. User activity or inactivity has no effect on satellite resource utilization.


• Above depicts two systems with no user data being transferred.

• No satellite resources are utilized on a TDMA link.

• Once user data transfer is complete, bandwidth is returned to a pool for use by other systems.

• Bandwidth is allocated on demand - based on user requirements.

• User activity or inactivity has a direct effect on satellite resource utilization.

TDMA Satellite Payload-no users present

The diagram still shows no user traffic being transmitted through the satellite radio link. From a satellite resource utilization standpoint, there would be a change on a TDMA link (as depicted by the spectrum analyzer display). Resources on a TDMA satellite network are allocated based on user requirements. When users communicating through a TDMA satellite link have information to transfer, resources (a carrier, meaning a center frequency and bandwidth) are allocated to support the requirement. Once the transfer of this information is complete, the resources are returned to a pool for use by other systems as needed.


• Internet Engineering Task Force (IETF): A VPN is “An emulation of a private Wide Area Network (WAN) using shared or public IP facilities, such as the Internet or private IP backbones.”

• In simpler terms, a VPN is an extension of a private intranet across a public network (the Internet) that ensures secure and cost-effective connectivity between the two communicating ends.

Diagram: a Headquarters / Home Office and a Branch Office joined across the Internet by a VPN.

Virtual Private Network (VPN)

A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A virtual private network can be contrasted with an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same capabilities, but at a much lower cost. VPNs establish a secure network over insecure or public networks. VPNs can take many different forms and be implemented in various ways. VPNs achieve their security by encrypting the traffic that they transport, preventing eavesdropping or interception. In simplest terms, a VPN is fundamentally a secure tunnel established between two or more endpoints. A VPN can be constructed with or without the knowledge of the network provider, and can span multiple network providers.


Tunneling

Diagram: the original IP packet (IP Hdr, TCP Hdr, Data) is encapsulated with the tunnel protocol as New IP Hdr, Tunnel Hdr, Orig IP Hdr, TCP Hdr, Data, Tunnel Trailer, and carried between CPN 1 and CPN 2.

• VPNs are established with the help of private logical tunnels. Tunneling is the encapsulation of one protocol within another.

• Tunnels enable the two ends to exchange data in a manner that resembles point-to-point communications.

• From a routing protocol standpoint, the two routers depicted above would act as directly connected neighbors through the tunnel even though there may be several other routers physically between them.

The VPNs are established with the help of private logical "tunnels." These tunnels enable the two ends to exchange data in a manner that resembles point-to-point communication. Tunneling technology lies at the core of VPNs. In addition, elaborate security measures and mechanisms can be used to ensure safe passage of sensitive data across an unsecured medium. Tunneling is the technique of encapsulating a data packet in a tunneling protocol, such as IP Security (IPSec), Point-to-Point Tunneling Protocol (PPTP), or Layer 2 Tunneling Protocol (L2TP), and then finally packaging the tunneled packet into an IP packet. The resultant packet is then routed to the destination network using the overlying IP information. Because the original data packet can be of any type, tunneling can support multi-protocol traffic, including IP, ISDN, FR, and ATM.


Tunnel Protocols

• Point-to-Point Tunneling Protocol (PPTP)

• Layer 2 Tunneling Protocol (L2TP)

• Internet Security Protocol (IPSec)*

• Generic Routing Encapsulation (GRE)

• Multi-point Generic Routing Encapsulation (mGRE)*

*utilized within the JNN network architecture

IP Security (IPSec) - Developed by IETF, IPSec is an open standard that ensures transmission security and user authentication over public networks. Unlike other encryption techniques, IPSec operates at the Network layer of the seven-layer Open System Interconnect (OSI) model. Therefore, it can be implemented independently of the applications running over the network. As a result the network can be secured without the need to implement and coordinate security for each individual application.

• Multi-Point Generic Routing Encapsulation (mGRE) - mGRE allows a single GRE tunnel interface to support multiple tunnels (GRE is strictly point to point). This greatly simplifies the tunnel configuration and when used in conjunction with NHRP, tunnels can be established dynamically.


DMVPN

Diagram: JNN, CPN 1 and CPN 2 connected over the commercial TDMA satellite network.

• DMVPN technology is utilized within the JNN network Architecture.

• Permanent VPNs are established between Hub/JNN & Bn CPN systems.

• Connections between CPN systems are established on an as needed basis utilizing DMVPN technology.

• TDMA satellite bandwidth is a shared resource; DMVPNs allow this to be utilized more efficiently.

Tunnel formed between CPN’s as needed

The JNN network utilizes satellite radio links as the backbone to interconnect its IP based systems. There are two types of satellite networks within the JNN architecture: Time Division Multiple Access (TDMA) and Frequency Division Multiple Access (FDMA). For the past several years, legacy tactical communications systems have utilized FDMA satellite networks. Within FDMA, individual satellite systems are assigned a frequency and a certain amount of bandwidth. These two resources can then only be utilized by that system even if there is actually no user communications going through this link. TDMA on the other hand pools satellite bandwidth for use by ground systems on an as needed or demand basis. It is somewhat similar to a radio Ethernet network. For IP based systems to effectively utilize this TDMA network, dynamic multi-point virtual private networks (DMVPN) are established. IP Security (IPSec) is utilized to encrypt and authenticate the DMVPN traffic. DMVPN is composed of two protocols: multi-point generic routing encapsulation (mGRE) and next hop resolution protocol (NHRP).


A DMVPN network is based on a hub/spoke topology. A system acts as the hub and all the others are considered spokes. Each spoke makes a permanent connection to the hub. Initially, when a spoke system has traffic destined for another spoke system, it is routed through the hub. Utilizing NHRP, the hub provides the appropriate information so that a temporary virtual connection can be made between the two spoke systems. Essentially, connections are made on an as needed basis therefore effectively utilizing the satellite resources.


What is a DMVPN?

• DMVPNs allow the dynamic establishment of multiple GRE tunnels through a single tunnel interface.

- based on a hub/spoke network design
- tunnels can be established dynamically (as needed)
- more efficiently utilizes network resources
- minimizes router configuration size
- allows routers to be added or removed from the topology without reconfiguring present routers

• Two protocols are utilized within DMVPNs.

- Multi-point GRE (mGRE)
- Next Hop Resolution Protocol (NHRP)

The idea behind DMVPNs is that tunnels between certain routers can be established on an as needed basis. This has many benefits. The design is based on a hub/spoke topology with all spoke systems having a permanent tunnel to the hub system. Then, as required, the spoke systems dynamically establish tunnels between each other with information provided by the hub. This establishing of tunnels as needed and then terminating them once packet transfer is complete is very efficient in that network resources are only utilized when needed. Permanent VPNs (tunnels) utilize network resources even when there is no user traffic being transferred through the tunnel. When utilizing static tunnels with GRE, a separate tunnel interface and sub-net must be configured between the hub and each spoke. Depending on the number of routers involved, the size of the configuration and the number of IPs required can become quite extensive. DMVPNs by contrast have a simple configuration and the size of the configuration remains the same regardless of the number of routers participating. With DMVPNs, as the network topology changes (adding or removing routers), the configurations of the existing routers do not have to be modified. This makes the scaling of a DMVPN network very flexible. Static tunnels by contrast would require configuration changes to all routers within the network topology.


To establish DMVPNs, three protocols are utilized: Multi-point GRE (mGRE), Next Hop Resolution Protocol (NHRP), and a dynamic routing protocol (OSPF or EIGRP).


Multi-Point Generic Routing Encapsulation

• mGRE — allows a single GRE tunnel interface to support multiple tunnels.

• GRE tunnel configuration consists of:
- ip address & mask
- tunnel source
- tunnel destination
- optional tunnel key

• mGRE tunnel configuration consists of:
- ip address & mask
- tunnel source
- tunnel key

• With mGRE, the tunnel destination is not defined.

• mGRE relies on NHRP to supply the tunnel destination information which it then utilizes to dynamically establish the tunnel.

Tunneling protocols such as IPSec can only support IP unicast traffic. Routing protocols such as OSPF and EIGRP exchange routing information via multi-cast; therefore tunneling protocols such as IPSec cannot support dynamic routing. GRE was created to support multi-protocol traffic (IPX & AppleTalk) and in addition support all types of IP traffic (unicast, broadcast, & multicast). GRE however only supports point to point tunneling in which the source and destination addresses are specified. For each additional tunnel, a separate tunnel interface must be configured with the source and destination specified. mGRE on the other hand allows the establishment of multiple tunnels via a single tunnel interface. It is in a sense a broadcast multi-access tunnel interface. Within the mGRE configuration only the source addressing information is supplied. The destination address is learned dynamically relying on some other protocol such as NHRP.


• Client/server protocol: hub is server & spokes are clients.

• Each client registers with server: tunnel address and associated tunnel source interface address (physical).

• Server maintains an NHRP database of these registrations.

• Clients request next hop information (tunnel to physical address resolution) from server to establish dynamic tunnel to another spoke.

Next Hop Resolution Protocol (NHRP)

Next Hop Resolution Protocol (NHRP) is a client/server protocol that provides the capability for the spoke routers to dynamically learn the exterior physical interface address of other spoke routers within the DMVPN network. Spoke routers are considered the clients and the hub router is the server. NHRP is used by a source station (host or router) connected to a Non-Broadcast, Multi-Access (NBMA) subnetwork to determine the internetworking layer address and NBMA subnetwork addresses of the "NBMA next hop" towards a destination station. If the destination is connected to the NBMA subnetwork, then the NBMA next hop is the destination station itself. Otherwise, the NBMA next hop is the egress router from the NBMA subnetwork that is "nearest" to the destination station. NHRP is intended for use in a multiprotocol internetworking layer environment over NBMA subnetworks. NHRP Resolution Requests traverse one or more hops within an NBMA subnetwork before reaching the station that is expected to generate a response. Each station, including the source station, chooses a neighboring next-hop server (NHS) to which it will forward the NHRP Resolution Request. The NHS selection procedure typically involves applying a destination protocol layer address to the protocol layer routing table which causes a routing decision to be returned.


This routing decision is then used to forward the NHRP Resolution Request to the downstream NHS. The destination protocol layer address previously mentioned is carried within the NHRP Resolution Request packet. Note that even though a protocol layer address was used to acquire a routing decision, NHRP packets are not encapsulated within a protocol layer header but rather are carried at the NBMA layer using the encapsulation described in its own header.


• Hub is the NHRP server, spokes are clients.

• Clients register to server with address mapping information.

• Server replies to clients once registration is complete.

NHRP (1)

Diagram: CPN 1 (tunnel 10.10.10.2/28, f0/1 148.43.200.10/29) and CPN 2 (tunnel 10.10.10.3/28, f0/1 148.43.200.20/29) each send an NHRP Registration to the HUB (tunnel 10.10.10.1/28, f0/1 148.43.200.1/29) over TDMA, CPN 1 registering 10.10.10.2 148.43.200.10 and CPN 2 registering 10.10.10.3 148.43.200.20, and each receives a Registration Reply.

HUB NHRP Database:
10.10.10.2 148.43.200.10
10.10.10.3 148.43.200.20

The registration request is sent from the client (spoke) to the server (hub) in order to identify or register its NHRP information. The destination protocol address field is set to the server’s IP address, or to the address of the client in the event the client is not specifically configured with next-hop server information. If the address field is set with the server’s address or with a client’s address that is within the same subnet as the server, then the server places the client NHRP information in its NHRP database. The server then sends a registration reply to the client informing it that it is now registered with this server. If the destination protocol address field is not set with the server’s address and the client IP is not within the same subnet as the server, then the server forwards the registration to another next-hop server.


NHRP (2)

• Client 1 has packets destined for a network belonging to client 2.

• Client 1 sends request to server for resolution of the next hop tunnel address to physical address of client 2.

Diagram: CPN 1 (tunnel 10.10.10.2/28, f0/1 148.43.200.10/29) sends an NHRP Resolution Request for 10.10.10.3 to the HUB (tunnel 10.10.10.1/28, f0/1 148.43.200.1/29) over TDMA; CPN 2 is tunnel 10.10.10.3/28, f0/1 148.43.200.20/29.

HUB NHRP Database:
10.10.10.2 148.43.200.10
10.10.10.3 148.43.200.20

A resolution request is sent from a client to the server in order to identify the address for the next hop end point in the network. If the requested endpoint belongs to the server that has received the request, then it formulates a reply based on information contained in its database. Otherwise, the request must be forwarded to a next-hop server that supports that endpoint. Within the JNN DMVPN network, the request contains the destination router’s tunnel address and asks for the destination’s associated physical address.


NHRP (3)

• Server replies with the tunnel to physical address resolution.

• Client 1 enters this into its NHRP database.

Diagram: the HUB (tunnel 10.10.10.1/28, f0/1 148.43.200.1/29) returns an NHRP Resolution Reply (10.10.10.3 148.43.200.20) to CPN 1 (tunnel 10.10.10.2/28, f0/1 148.43.200.10/29) over TDMA; CPN 2 is tunnel 10.10.10.3/28, f0/1 148.43.200.20/29.

HUB NHRP Database:
10.10.10.2 148.43.200.10
10.10.10.3 148.43.200.20

CPN 1 NHRP Database:
10.10.10.3 148.43.200.20

A resolution reply is sent from the server to the requesting client. The reply provides a mapping of the requested destination tunnel address to the destination physical address. This information is then entered into the client’s NHRP database. This type of reply is termed an authoritative reply: the server that supports the subnet in question generates the reply. In the case where a resolution request was forwarded by an NHRP server to another server, it is possible for a server to receive a resolution reply. Once it has received the reply, it forwards it to the originating client. It also caches this reply for later use. When the same request is received again, it can use this cached information to reply instead of forwarding the request to the server that actually supports that subnet. This type of reply is termed non-authoritative.


DMVPN

• Client 1 utilizes received NHRP info to establish a dynamic tunnel to client 2.

• Tunnel will be terminated after a predetermined amount of time.
- ip nhrp holdtime

NHRP (4)

Diagram: CPN 1 (tunnel 10.10.10.2/28, f0/1 148.43.200.10/29) now sends tunneled packets over TDMA directly to CPN 2 (tunnel 10.10.10.3/28, f0/1 148.43.200.20/29) rather than through the HUB (tunnel 10.10.10.1/28, f0/1 148.43.200.1/29). The tunneled packet is laid out as: IP Hdr (s – 148.43.200.10, d – 148.43.200.20) | GRE | Tunnel IP Hdr | UDP | Payload.

HUB NHRP Database:
10.10.10.2 148.43.200.10
10.10.10.3 148.43.200.20

CPN 1 NHRP Database:
10.10.10.3 148.43.200.20

Once the client (spoke) has received the reply from the server and has entered it into its NHRP database, it now has the required information to establish a dynamic tunnel to the other spoke. When configuring mGRE tunnels, the information supplied is the IP address & mask of the tunnel and the source physical interface to be utilized by the tunnel. In addition to packets utilizing the tunnel actually exiting the configured physical interface, the tunneled packet also utilizes the IP address assigned to the physical interface as its source address. NHRP is dynamically supplying the destination tunnel address. The tunnel will be terminated after a predetermined amount of time. By default, the tunnel will stay active for 120 minutes. This value can be changed within the tunnel configuration.
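The NHRP exchange of slides (1) through (4) replayed in code, as an added example that is not part of the student guide: spokes register their tunnel-to-physical mapping with the hub, a spoke resolves another spoke's physical address through the hub, the learned mapping supplies the outer IP header of the dynamic tunnel, and the registration lapses once the holdtime has passed. The tunnel and physical addresses are those on the slides; the message classes, the expiry handling and the next-hop-server forwarding chain (authoritative versus cached, non-authoritative replies) are modelled here for illustration and are not a wire-format implementation.

```python
# Added example (not from the student guide): simulation of the NHRP
# registration and resolution exchange between the CPN spokes and the HUB.
# Addresses are the slides' own; message classes and expiry are modelled here.
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_interface

DEFAULT_HOLDTIME = 7200  # seconds: the 120 minute default quoted in the text


@dataclass
class Registration:      # spoke -> server
    tunnel: str          # client's tunnel (protocol) address
    nbma: str            # client's physical (NBMA) address, its f0/1
    dst: str             # destination protocol address field
    holdtime: int = DEFAULT_HOLDTIME


@dataclass
class ResolutionReply:   # server -> spoke
    tunnel: str
    nbma: str
    authoritative: bool


class NextHopServer:
    """The HUB: holds the NHRP database of tunnel -> physical mappings."""

    def __init__(self, tunnel_cidr: str, upstream: NextHopServer | None = None):
        self.iface = ip_interface(tunnel_cidr)
        self.upstream = upstream            # another NHS to forward to, if any
        self.db: dict[str, tuple[str, int]] = {}   # tunnel -> (nbma, expiry)
        self.cache: dict[str, str] = {}     # replies forwarded from upstream

    def on_my_subnet(self, addr: str) -> bool:
        return ip_interface(f"{addr}/{self.iface.network.prefixlen}").network == self.iface.network

    def register(self, reg: Registration, now: int) -> bool:
        """Store the mapping (reply True) if the request is addressed to this
        server or comes from its subnet; otherwise forward to the next NHS."""
        if reg.dst == str(self.iface.ip) or self.on_my_subnet(reg.dst):
            self.db[reg.tunnel] = (reg.nbma, now + reg.holdtime)
            return True
        return self.upstream.register(reg, now) if self.upstream else False

    def resolve(self, dst_tunnel: str, now: int) -> ResolutionReply | None:
        """Authoritative from the database, non-authoritative from the cache or
        a forwarded request, None if the destination is unknown."""
        entry = self.db.get(dst_tunnel)
        if entry is not None and entry[1] > now:      # registration still valid
            return ResolutionReply(dst_tunnel, entry[0], authoritative=True)
        if dst_tunnel in self.cache:
            return ResolutionReply(dst_tunnel, self.cache[dst_tunnel], False)
        if self.upstream is not None:
            reply = self.upstream.resolve(dst_tunnel, now)
            if reply is not None:
                self.cache[dst_tunnel] = reply.nbma    # kept for later requests
                return ResolutionReply(dst_tunnel, reply.nbma, False)
        return None


class Spoke:
    """A CPN: registers with its server and builds dynamic tunnels on demand."""

    def __init__(self, tunnel_cidr: str, nbma: str, server: NextHopServer):
        self.iface = ip_interface(tunnel_cidr)
        self.nbma = nbma
        self.server = server
        self.db: dict[str, str] = {}        # learned tunnel -> physical mappings

    def register(self, now: int, holdtime: int = DEFAULT_HOLDTIME) -> bool:
        reg = Registration(str(self.iface.ip), self.nbma,
                           str(self.server.iface.ip), holdtime)
        return self.server.register(reg, now)

    def gre_endpoints(self, dst_tunnel: str, now: int) -> tuple[str, str] | None:
        """(source physical, destination physical) for the dynamic tunnel's
        outer IP header, resolving through the server on first use."""
        if dst_tunnel not in self.db:
            reply = self.server.resolve(dst_tunnel, now)
            if reply is None:
                return None                  # unresolved: traffic stays via hub
            self.db[dst_tunnel] = reply.nbma
        return self.nbma, self.db[dst_tunnel]


def walk_through(now: int = 0) -> dict:
    """Replay slides NHRP (1) to (4) with the slide addresses."""
    hub = NextHopServer("10.10.10.1/28")
    cpn1 = Spoke("10.10.10.2/28", "148.43.200.10", hub)
    cpn2 = Spoke("10.10.10.3/28", "148.43.200.20", hub)
    registered = cpn1.register(now) and cpn2.register(now)    # NHRP (1)
    endpoints = cpn1.gre_endpoints("10.10.10.3", now)          # NHRP (2)-(4)
    after_holdtime = hub.resolve("10.10.10.3", now + DEFAULT_HOLDTIME)
    return {"registered": registered,
            "hub_db": {t: nbma for t, (nbma, _) in hub.db.items()},
            "outer_header": endpoints, "cpn1_db": dict(cpn1.db),
            "after_holdtime": after_holdtime}
```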


DMVPN and Routing Protocols

• For DMVPN to work properly, a routing protocol must be enabled on the tunnel interface.

• Spokes must advertise their supported networks to the hub & the hub must propagate these to all the other spokes.

• Advertisements received by a spoke router must have the subnet's originating router listed as the next hop.

• The same routing protocol cannot be enabled on the tunnel & physical interfaces or recursive routing may occur.

*JNN network employs static routes along with OSPF

For DMVPNs to work properly, a routing protocol must be utilized within the tunnel network so that the spokes can advertise their supported subnets to the hub. The hub then propagates these so that each spoke has knowledge of the subnets within the DMVPN topology. This is a key piece in the establishment of DMVPNs and can be easily overlooked. It is very common for a routing protocol to also be in operation on the physical network in addition to the tunnel network. It is very important that different routing protocols be utilized inside and outside of the tunnel to prevent recursive routing (routing loops). Recursive routing simply means that the routing table has found that the best path to the tunnel destination is through the tunnel. This means that the router cannot send the tunnel protocol’s TCP packets to the destination device because it thinks that they have to be encapsulated in the tunnel protocol again. This is a loop of sorts and the tunnel will be in a constant state of being torn down and rebuilt (up/down status). The other problem that can occur when using the same routing protocol inside and outside the tunnel is that packets can possibly be routed external to the tunnel. This can cause numerous problems and somewhat defeats the purpose of establishing the tunnel.


Also, if IPSec is being applied to the tunnel, any packets that should be going through the tunnel but are routed externally will not have IPSec applied.


OSPF

• Certain configuration steps must be applied to the tunnel interface when utilizing OSPF (primary protocol used in JNN network)

• OSPF
- configure OSPF network type to broadcast (ip ospf network broadcast)
- configure OSPF priority so hub is always DR (ip ospf priority)
- ensure the IP MTU is set the same on all tunnel interfaces (ip mtu)

Depending on the routing protocol selected, there are certain configuration steps that must be taken for it to work properly within a DMVPN environment. OSPF:

- OSPF considers a tunnel interface point to point and will not allow it to support multiple connections. The tunnel interface must be set to broadcast within OSPF.

- Once the interface is set to broadcast, OSPF treats it as part of a broadcast multi-access network. The hub router must always be the designated router. A good practice would be to set the priority of all the spokes to “0”.

- Ensure that all the ip mtu settings on the tunnel interfaces within the DMVPN topology are set the same. Two OSPF routers cannot form a neighbor relationship if this setting is different.


• By default, OSPF treats a tunnel interface as a point to point network.

• All tunnel interfaces on routers within a DMVPN net are on the same subnet.

• OSPF must operate as if it is enabled on a broadcast multi-access network.

• Tunnel interface must be set to broadcast for proper operation of the DMVPN.

OSPF - Broadcast Network

Diagram: HUB (tunnel 10.10.10.1/28 - broadcast, f0/1 148.43.200.1/29), CPN 1 (tunnel 10.10.10.2/28 - broadcast, f0/1 148.43.200.10/29) and CPN 2 (tunnel 10.10.10.3/28 - broadcast, f0/1 148.43.200.20/29) connected over TDMA.

OSPF considers a tunnel interface as a point-to-point network and will not allow it to support multiple OSPF neighbor connections. For DMVPNs to function properly, the tunnel interface must be set to OSPF broadcast. All tunnel interfaces belonging to routers within the same DMVPN network are configured as part of the same subnet. Configuring the tunnel interface to broadcast will cause all of these routers to function as part of the same OSPF broadcast multi-access network.


• Spoke routers (CPN’s) have permanent connectivity only to the HUB and JNN router.

• Spoke routers (CPN’s) only form an OSPF neighborship with the HUB and JNN.

• The HUB must be elected as the OSPF designated router (DR).

• Set all spoke routers' OSPF priority to 0.

• NOTE: If no priority is set, the router will default to 1; must set a priority…

OSPF & DMVPN - Hub is DR

Diagram: HUB (DR; tunnel 10.10.10.1/28 - priority 1, f0/1 148.43.200.1/29), CPN 1 (DRother; tunnel 10.10.10.2/28 - priority 0, f0/1 148.43.200.10/29) and CPN 2 (DRother; tunnel 10.10.10.3/28 - priority 0, f0/1 148.43.200.20/29) connected over TDMA.

Once the DMVPN topology has been configured to function as an OSPF broadcast multi-access network, the OSPF priority must be configured for the designated router (DR) election. The goal is to have the hub (NHRP server) always be the DR and the spokes (NHRP clients) never be the DR. To accomplish this, all spokes should have their OSPF priority configured as “0”. If there are going to be multiple hubs (servers) within a single DMVPN topology, the priority should be set according to which of these should be the DR and which should be the backup designated router (BDR).
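The election rules on this slide and the adjacency rules on the slides around it, as an added example that is not part of the student guide: a small Python model of the DR/BDR election on a tunnel treated as a broadcast network (highest priority wins, the higher router ID breaks a tie, priority 0 is ineligible) together with a check of the preconditions the guide lists for a spoke's adjacency with the hub. Router names, router IDs and values are constructed; they are not from any real network.

```python
"""OSPF DR/BDR election on a DMVPN tunnel treated as a broadcast network.

Added example, not from the student guide. Rules modelled: highest 'ip ospf
priority' wins, the higher router ID breaks a tie, and priority 0 makes a
router ineligible for DR or BDR. Router names, IDs and values are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class OspfRouter:
    name: str
    router_id: str       # dotted-quad OSPF router ID
    priority: int        # ip ospf priority on the tunnel (0 = never DR/BDR)
    network_type: str    # ip ospf network ... on the tunnel
    ip_mtu: int          # ip mtu on the tunnel


def elect_dr_bdr(routers):
    """Return (DR name, BDR name) for routers that start up together.
    A live OSPF election is non-preemptive, so an already elected DR keeps
    the role; this models the initial election the guide is configuring for."""
    eligible = [r for r in routers if r.priority > 0]
    ranked = sorted(eligible,
                    key=lambda r: (r.priority, IPv4Address(r.router_id)),
                    reverse=True)
    dr = ranked[0].name if ranked else None
    bdr = ranked[1].name if len(ranked) > 1 else None
    return dr, bdr


def hub_always_dr(routers, hub_name):
    """True when the hub wins and no spoke could ever become DR or BDR."""
    dr, _ = elect_dr_bdr(routers)
    spokes = [r for r in routers if r.name != hub_name]
    return dr == hub_name and all(s.priority == 0 for s in spokes)


def adjacency_problems(hub, spoke):
    """Reasons, per the guide's rules, why a spoke's OSPF adjacency with the
    hub over the DMVPN tunnel would fail or misbehave."""
    problems = []
    if hub.ip_mtu != spoke.ip_mtu:
        problems.append(f"ip mtu mismatch: hub {hub.ip_mtu}, {spoke.name} {spoke.ip_mtu}")
    if not (hub.network_type == spoke.network_type == "broadcast"):
        problems.append("both tunnels must be 'ip ospf network broadcast'")
    if spoke.priority != 0:
        problems.append(f"{spoke.name} priority {spoke.priority}: spoke could become DR/BDR")
    if hub.priority == 0:
        problems.append("hub priority 0: hub can never be DR")
    return problems


if __name__ == "__main__":
    hub = OspfRouter("HUB", "10.10.10.1", 1, "broadcast", 1420)
    spoke_ok = OspfRouter("CPN1", "10.10.10.2", 0, "broadcast", 1420)
    spoke_default = OspfRouter("CPN2", "10.10.10.3", 1, "broadcast", 1420)
    # A spoke left at the default priority of 1 ties with a hub at priority 1
    # and wins on router ID, which is why the guide says to set priorities.
    print(elect_dr_bdr([hub, spoke_ok, spoke_default]))
```

The last case in the `__main__` section is the failure mode the slide's NOTE warns about: a spoke left at the default priority of 1 can outrank a hub that is also at 1, because the tie is broken by router ID, not by role.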


OSPF & DMVPN - IP MTU

• Within the JNN network, several tunnels along with IPSec are configured.
• These functions add additional bytes to the packet.
• To limit fragmentation, the MTU setting of the IP packets is reduced.
• For two routers to form an OSPF neighbor relationship, the interfaces providing connectivity for this must have the same IP MTU setting.

[Diagram: HUB with spokes CPN 1 and CPN 2 over TDMA, ip mtu 1420 on every tunnel. Tunnel addresses: HUB 10.10.10.1/28, CPN 1 10.10.10.2/28, CPN 2 10.10.10.3/28. Physical f0/1 addresses: HUB 148.43.200.1/29, CPN 1 148.43.200.10/29, CPN 2 148.43.200.20/29.]

Within the JNN TDMA topology, several tunnels are created and IPSec is applied to these tunnels at various points. This tunnel creation and application of IPSec causes additional overhead to be added to the original IP packet causing the size (bytes) of the packet to increase. Ethernet based networks have a default maximum transmission unit (MTU) of 1500 bytes. Once the packet exceeds this size, packet fragmentation occurs. This can have detrimental effects on the processing of packets and can interfere with the operation of IPSec. To prevent the fragmentation of packets on the interface, the IP MTU size is adjusted on the tunnel interface. The actual setting can be calculated based on the additional overhead added by the above noted processes. For two routers to form an OSPF neighbor relationship, the interfaces being utilized by the routers must have the same MTU setting.
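The calculation the paragraph refers to, carried out in Python as an added example that is not part of the student guide: the function builds the on-the-wire size of a packet that leaves the tunnel after mGRE and IPsec ESP are applied, and from that derives the largest tunnel ip mtu that still fits a 1500-byte Ethernet link. The cipher parameters are assumptions, not values from the page: ESP with a 16-byte IV and 16-byte cipher block (AES-CBC), a 12-byte ICV (HMAC-SHA1-96), and a GRE key present because the guide's tunnels use tunnel key. Header sizes for IPv4, GRE and ESP follow the protocol specifications.

```python
"""Worked MTU calculation for an mGRE tunnel protected by IPsec ESP.

Added example, not from the student guide. Assumed crypto parameters (not on
the page): ESP with a 16-byte IV and 16-byte cipher block (AES-CBC), a 12-byte
ICV (HMAC-SHA1-96), and a GRE key header because 'tunnel key' is configured.
"""

IPV4_HEADER = 20
GRE_BASE = 4          # flags/version + protocol type
GRE_KEY = 4           # present when 'tunnel key' is configured
ESP_SPI_SEQ = 8       # SPI + sequence number


def esp_padding(protected_len, block_size):
    """ESP padding so that payload + padding + pad-length + next-header is a
    multiple of the cipher block size (RFC 4303 trailer layout)."""
    return (-(protected_len + 2)) % block_size


def wire_size(inner_len, ipsec_mode="transport", gre_key=True,
              iv=16, block_size=16, icv=12):
    """Bytes on the physical link for an inner IP packet of inner_len bytes.

    transport mode: outer IP | ESP( GRE | inner packet )
    tunnel mode:    outer IP | ESP( IP | GRE | inner packet )
    """
    gre = GRE_BASE + (GRE_KEY if gre_key else 0)
    if ipsec_mode == "transport":
        protected = gre + inner_len
    elif ipsec_mode == "tunnel":
        protected = IPV4_HEADER + gre + inner_len
    else:
        raise ValueError(f"unknown IPsec mode {ipsec_mode!r}")
    esp = (ESP_SPI_SEQ + iv + protected
           + esp_padding(protected, block_size) + 2 + icv)
    return IPV4_HEADER + esp


def fits_without_fragmentation(inner_len, physical_mtu=1500, **kw):
    """True when a full-size tunnel packet needs no fragmentation on the link."""
    return wire_size(inner_len, **kw) <= physical_mtu


def largest_inner_mtu(physical_mtu=1500, **kw):
    """Largest 'ip mtu' for which the encrypted packet still fits the link.
    wire_size grows monotonically with inner_len, so a downward scan suffices."""
    for inner in range(physical_mtu, 0, -1):
        if wire_size(inner, **kw) <= physical_mtu:
            return inner
    return 0


if __name__ == "__main__":
    # The guide's value of 1420 with the assumed transport-mode parameters
    for mode in ("transport", "tunnel"):
        print(mode, wire_size(1420, ipsec_mode=mode),
              "largest ip mtu:", largest_inner_mtu(ipsec_mode=mode))
```

Under these assumptions a 1420-byte inner packet leaves the tunnel as 1496 bytes in transport mode, so the guide's ip mtu 1420 avoids fragmentation, while the same packet in tunnel mode becomes 1512 bytes and would be fragmented; changing the cipher, hash or mode changes the answer, which is why the guide says to calculate the setting from the overhead actually in use rather than assume one number.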


DMVPN Configuration - Hub

interface Tunnel1
 ip address 172.21.38.1 255.255.255.128
 ip mtu 1420
 ip nhrp authentication 101A6727
 ip nhrp map multicast dynamic
 ip nhrp network-id 6727
 ip nhrp holdtime 600
 ip ospf network broadcast
 ip ospf priority 5
 tunnel source FastEthernet2/0
 tunnel mode gre multipoint
 tunnel key 6727

interface tunnel 1: Configures a tunnel interface.

ip address: Assigns an IP address & mask to the tunnel interface.

ip mtu: Sets the maximum transmission unit size on the tunnel interface. If an IP packet exceeds the MTU set for the interface, the Cisco IOS software will fragment it. All devices on a physical medium must have the same protocol MTU in order to operate. Within the DMVPN network the MTU size for the tunnel interface is set to a smaller size than what is utilized for the physical interface (such as 1500 for Ethernet). This ensures that once the packet is encapsulated with mGRE and IPSec it won’t exceed the physical MTU size and be fragmented once the additional headers & encryption have been applied.

ip nhrp authentication: Configures the authentication string for an interface using the Next Hop Resolution Protocol (NHRP). All routers configured with NHRP within one logical NBMA network must share the same authentication string.

ip nhrp map multicast dynamic: Configures NBMA addresses for use as destinations for broadcast or multicast packets to be sent over a tunnel network. When multiple NBMA addresses are configured, the system replicates the broadcast packet for each address. When utilized with the keyword dynamic, multicast & broadcast packets are sent to all entries within the NHRP database.


This is utilized on the hub so that router neighbor relationships can be established with all spoke systems dynamically.

ip nhrp network-id: Enables the Next Hop Resolution Protocol (NHRP) on an interface. All NHRP stations within one logical NBMA network must be configured with the same network identifier.

ip nhrp holdtime: Changes the number of seconds that NHRP NBMA addresses are advertised as valid in authoritative NHRP responses. The command affects authoritative responses only. The advertised holding time is the length of time the Cisco IOS software tells other routers to keep information that it is providing in authoritative NHRP responses. The cached IP-to-NBMA address mapping entries are discarded after the holding time expires. The NHRP cache can contain static and dynamic entries. The static entries never expire. Dynamic entries expire regardless of whether they are authoritative or non-authoritative.

ip ospf network broadcast: Configures the OSPF network type to a type other than the default for a given medium. By default, the router sees a tunnel interface as part of a point to point network. Using the command with the keyword broadcast causes OSPF to operate in broadcast multi-access mode.

ip ospf priority: Sets the OSPF router priority, which helps determine the designated router for a BMA network. When two routers attached to a network both attempt to become the designated router, the one with the higher router priority takes precedence. If there is a tie, the router with the higher router ID takes precedence. A router with a router priority set to zero is ineligible to become the designated router or backup designated router. In the DMVPN topology, the hub router should always be the designated router and the spokes should never be the DR.

tunnel source: Designates the router physical interface to be utilized as the source for this tunnel. Any traffic originating from the tunnel will be sent through the tunnel source interface. In addition, the IP address assigned to the tunnel source will be utilized as the source address of the tunneled packets.

tunnel mode gre multipoint: Sets the tunnel encapsulation mode to gre multipoint.

tunnel key: Enables an ID key for a tunnel interface. This command currently applies to GRE only. Tunnel ID keys can be used as a form of weak security to prevent improper configuration or injection of packets from a foreign source. When GRE is used, the ID key is carried in each packet. It is not recommended to be used for security purposes. All routers wishing to establish DMVPNs must have the same key.


tunnel protection ipsec profile: Associates a tunnel interface with an IP Security (IPSec) profile. Use the command to specify that IPSec encryption will be performed after the GRE has been added to the tunnel packet. The tunnel protection command can be used with multipoint GRE (mGRE) and point-to-point GRE (p-pGRE) tunnels. With p-pGRE tunnels, the tunnel destination address will be used as the IPSec peer address. With mGRE tunnels, multiple IPSec peers are possible; the corresponding NHRP mapping NBMA destination addresses will be used as the IPSec peer addresses. If you wish to configure two Dynamic Multipoint VPN (DMVPN) mGRE and IPSec tunnels on the same router, you must issue the shared keyword.


DMVPN Configuration - Spoke

interface Tunnel1
 ip address 172.21.38.16 255.255.255.128
 ip mtu 1420
 ip nhrp authentication 101A6727
 ip nhrp map 172.21.38.1 10.37.1.2
 ip nhrp map multicast 10.37.1.2
 ip nhrp network-id 6727
 ip nhrp holdtime 600
 ip nhrp nhs 172.21.38.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 6727

Note: commands that are the same for the hub and spoke will not have the explanation duplicated here.

ip nhrp map: Statically maps the tunnel IP of a distant-end router to its physical IP. This forces a static entry into the NHRP database. It is configured on the spoke and maps the addresses of the hub router.

ip nhrp map multicast: Configures NBMA addresses for use as destinations for broadcast or multicast packets to be sent over a tunnel network. The spokes utilize this command and map the addresses for the hub system. The spokes will only form a router neighbor relationship with the hub.

ip nhrp nhs: Configures the virtual IP (tunnel) address of the NHRP server (hub). This address was previously mapped to a physical interface address in the “ip nhrp map” command.
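A consistency check over hub and spoke tunnel stanzas of the kind shown on these slides, as an added example that is neither part of the student guide nor Cisco tooling. It parses the interface Tunnel commands and applies the rules the guide has stated: the same nhrp authentication string, network-id and tunnel key on every router, identical ip mtu and tunnel mode, ip ospf network broadcast everywhere, priority 0 on spokes and a positive priority on the hub, and an ip nhrp nhs address on each spoke that also has a static ip nhrp map entry. The embedded sample configurations are constructed from the hub and spoke values on the slides; the checker's own names (parse_tunnel, check_dmvpn) are assumptions of this example.

```python
"""Consistency check of DMVPN hub and spoke tunnel interfaces.
Added example, not from the guide or Cisco: parses 'interface Tunnel' stanzas
in the form shown on the slides and applies the guide's rules. The sample
configurations are constructed from the guide's hub and spoke values.
"""
import re

HUB_CONFIG = """\
interface Tunnel1
 ip address 172.21.38.1 255.255.255.128
 ip mtu 1420
 ip nhrp authentication 101A6727
 ip nhrp map multicast dynamic
 ip nhrp network-id 6727
 ip nhrp holdtime 600
 ip ospf network broadcast
 ip ospf priority 5
 tunnel source FastEthernet2/0
 tunnel mode gre multipoint
 tunnel key 6727
"""

SPOKE_CONFIG = """\
interface Tunnel1
 ip address 172.21.38.16 255.255.255.128
 ip mtu 1420
 ip nhrp authentication 101A6727
 ip nhrp map 172.21.38.1 10.37.1.2
 ip nhrp map multicast 10.37.1.2
 ip nhrp network-id 6727
 ip nhrp holdtime 600
 ip nhrp nhs 172.21.38.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 6727
"""

# command pattern -> key under which its argument is stored
PATTERNS = {
    r"ip mtu (\d+)": "ip_mtu",
    r"ip nhrp authentication (\S+)": "nhrp_auth",
    r"ip nhrp network-id (\d+)": "nhrp_network_id",
    r"ip ospf network (\S+)": "ospf_network",
    r"ip ospf priority (\d+)": "ospf_priority",
    r"tunnel key (\d+)": "tunnel_key",
    r"tunnel mode (.+)": "tunnel_mode",
}


def parse_tunnel(config):
    """Return the tunnel settings the checks need; IOS defaults are filled in
    for a missing priority (1) and network type (point-to-point on a tunnel)."""
    t = {"nhrp_maps": {}, "nhs": [], "ospf_priority": "1",
         "ospf_network": "point-to-point"}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"ip nhrp map (\d+\.\d+\.\d+\.\d+) (\S+)", line):
            t["nhrp_maps"][m[1]] = m[2]      # tunnel IP -> NBMA (physical) IP
        elif m := re.fullmatch(r"ip nhrp nhs (\S+)", line):
            t["nhs"].append(m[1])
        else:
            for pat, key in PATTERNS.items():
                if m := re.fullmatch(pat, line):
                    t[key] = m[1]
    return t


def check_dmvpn(hub_config, spoke_configs):
    """List rule violations; an empty list means the topology is consistent."""
    hub = parse_tunnel(hub_config)
    findings = []
    if hub["ospf_priority"] == "0":
        findings.append("hub: priority 0 makes the hub ineligible to be DR")
    if hub["ospf_network"] != "broadcast":
        findings.append("hub: tunnel must be 'ip ospf network broadcast'")
    for i, cfg in enumerate(spoke_configs, 1):
        s, name = parse_tunnel(cfg), f"spoke{i}"
        # these must be identical on every router in the DMVPN
        for key in ("nhrp_auth", "nhrp_network_id", "tunnel_key", "ip_mtu", "tunnel_mode"):
            if s.get(key) != hub.get(key):
                findings.append(f"{name}: {key} {s.get(key)} differs from hub {hub.get(key)}")
        if s["ospf_network"] != "broadcast":
            findings.append(f"{name}: tunnel must be 'ip ospf network broadcast'")
        if s["ospf_priority"] != "0":
            findings.append(f"{name}: ospf priority {s['ospf_priority']} should be 0")
        if not s["nhs"]:
            findings.append(f"{name}: no 'ip nhrp nhs' configured")
        for nhs in s["nhs"]:
            if nhs not in s["nhrp_maps"]:
                findings.append(f"{name}: nhs {nhs} has no static 'ip nhrp map' entry")
    return findings


if __name__ == "__main__":
    print(check_dmvpn(HUB_CONFIG, [SPOKE_CONFIG]) or "consistent")
```

The two mistakes that are easiest to make when a spoke is built from a template, a copied nhs address that was never mapped and a priority line that was simply left out (so the IOS default of 1 applies), both surface as findings; the mismatch-of-shared-values check catches an mtu, key or authentication string that differs from the hub.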


TACLANE Operations


Introduction to the TACLANE

• System Overview – Mission, Description, Capabilities
• Keying and Security Concepts
• HMI Overview – Controls, Screen Format
• Modes - Offline, Secure Comms
• Basic Operation – Startup, Time, Restart, Shutdown
• CIK Management

The introduction to the TACLANE will provide you with the Mission of the TACLANE, procedures required to install the TACLANE, the Human Machine Interface, the mode or state the TACLANE may be in and the importance of setting the TACLANE’s Time.


General Description

• Low cost, key-agile, inline network encryptor (INE) for deployment in DOD tactical and strategic networks.

• Encrypts data prior to passing over the Ku network.

• 2 TACLANE versions:
  • Classic – Battalion CP
  • E100 – JNN & Hub Node shelters

• Base Part Number is 0N649470:
  • -1 is Classic AC
  • -2 is Classic DC
  • -5 is E100 AC
  • -6 is E100 DC

• Front panel provides the configuration controls.



The TACLANE is NSA-certified to provide Type 1 encryption and decryption for information classified TOP SECRET codeword and below. When a valid CIK is inserted, the TACLANE is classified at the highest classification level of the key it contains (but never less than UNCLASSIFIED/CCI). When the CIK is removed, the TACLANE is UNCLASSIFIED/CCI and the CIK is UNCLASSIFIED. The TACLANE E100 can support 100 Mbps throughput with a user traffic MTU size of 1424 octets in half duplex.

Important Notes:

• Use care in turning a CIK (KSD-1) when inserting and removing, especially the first few times a CIK is inserted and removed. Tabs on the CIK may break if the CIK is forced.
• If a CIK is inserted, do not remove the CIK during TACLANE startup (or restart).
• A spare blank KSD-1 CIK is included with the TACLANE. Create a user CIK copy.
• Certain TACLANE HMI screens display fields that are larger than the visible screen area.
• During data entry, entries (e.g., ATM addresses, IP addresses, KMID) are lost if data entry is interrupted by a pop-up TACLANE status message.
• TACLANE HMI screens are not updated dynamically.


TACLANE Capabilities

• TACLANE can communicate at multiple security levels, but only one level at any given time.

• The CIK protects one FIREFLY vector set and up to 48 PPKs, all filled using a DTD. Provides for creating 2 user CIKs, by the System Security Officer (SSO), for a total of 3 CIKs, to allow access by different shifts to the same key material.

• Physical access control is provided by removing the CIK, which locks the TACLANE.

• TACLANE is NSA-certified to provide Type 1 encryption and decryption for information classified TOP SECRET codeword and below.

• When a valid CIK is inserted, the TACLANE is classified at the highest classification level of the key it contains (but never less than UNCLASSIFIED/CCI).

• When the CIK is removed, the TACLANE is UNCLASSIFIED/CCI and the CIK is UNCLASSIFIED.


TACLANE Rear Panels

The above depicts the rear panels of the KG-175 (TACLANE).


TACLANE Keying Concepts


TACLANE Security Concepts


TACLANE HMI

[Figure: TACLANE front panel controls – ON/OFF switch, battery/battery holder, crypto ignition key receptacle, key fill port, status LEDs (4), liquid crystal display, zeroize buttons, keypad, function keys (3).]

Screen Format

[Figure: screen layout – current location, menu choices, item options within a menu, field for display and/or edit, status or error messages, actions required, function keys.]


Important Notes

• Use care in turning a CIK (KSD-1) when inserting and removing, especially the first few times a CIK is inserted and removed. Tabs on the CIK may break if the CIK is forced.

• If a CIK is inserted, do not remove the CIK during TACLANE startup (or restart).

• A spare blank KSD-1 CIK is included with the TACLANE. The SSO will create a user CIK for daily operation. The Master CIK can not be used for daily operation.

• TACLANE HMI screens are not updated dynamically.

Modes of Operation

• Initialized - TACLANE must have valid CIK inserted to allow any input except use of zeroize buttons.

• Offline Mode
  • Allows for configuration of most network parameters.
  • Different options are available depending on whether the security level is selected or not (see menu tree).


Modes of Operation

• Secure Communications (Secure Comms)
  • TACLANE passes user traffic.

• Shutdown in Progress
  • TACLANE is shutting down in response to an operator command (either Restart or Shutdown).

• Lockup
  • Locked mode after manual shutdown or when alarmed. To clear, cycle power to restart TACLANE.

Menu Tree


IP Network Configuration

• Ethernet Protocol Support
  • TACLANE encrypts IP datagrams, encapsulated in Ethernet frames.
  • Ethernet Protocol support is configured while offline. TACLANE will automatically restart.

• Entering/Modifying the TACLANE IP Addresses
  • TACLANE requires two IP addresses, a CT IP address and a PT IP address.
  • To route off-network IP traffic, TACLANE also supports one CT default gateway and one PT default gateway.
  • The operator must manually enter the CT IP address, the PT IP address, the CT default gateway IP address, and the PT default gateway address and Subnet Mask.
  • TACLANE must be offline in order to enter or modify the TACLANE IP addresses.
  • The TACLANE can be configured with its CT and PT IP addresses in the same or in different subnets.
  • The CT and PT IP addresses must be unique such that no host or remote device (e.g., another TACLANE) uses these IP addresses.
  • When any of the IP addresses (CT IP address, PT IP address, CT default gateway IP address, PT default gateway IP address) are entered/modified, the TACLANE automatically sets the CT and PT subnet masks to the default* value. (*based on whether the IP address is of Class A, B, or C)
  • When this command is completed, the TACLANE will restart.


IP Network Configuration

• Entering/Modifying the TACLANE IP Subnet Mask(s)
  • TACLANE must be offline in order to modify a subnet mask.
  • Enter TACLANE IP addresses before the subnet mask.
  • For a TACLANE with interface addresses in separate subnets, the operator may modify the CT mask and the PT mask; based on whether the IP address is of default Class A, B, or C.
  • Restart the TACLANE after changing subnet masks when configuring a unit intended for static routing operation.

The TACLANE automatically generates the default CT and PT IP subnet masks based on the respective CT and PT IP addresses (Class A, B, or C). However, the operator can also manually modify the default IP subnet masks (e.g., in a case where the network is further subnetted). Restart the TACLANE after changing subnet masks when configuring a unit intended for static routing operation. Note that configuring static routes after setting subnet masks may cause the TACLANE to automatically restart. In addition, setting subnet masks after configuring static routes (or downloading them from GEM) may cause a restart. When changes to the subnet masks do not cause the unit to automatically restart, the operator should manually restart the TACLANE. The following notes apply to entering/modifying a TACLANE Subnet Mask:

• TACLANE must be offline in order to modify a subnet mask.
• The PT and CT subnet masks are independent of each other (e.g., the PT subnet mask could be 255.255.255.0 while the CT subnet mask could be 255.255.0.0).
• Enter TACLANE IP addresses before the subnet mask. When any of the IP addresses (CT IP address, PT IP address, CT default gateway IP address, PT default gateway IP address) are entered/modified, the TACLANE automatically sets the CT and PT subnet masks to the default* value. (*based on whether the IP address is of Class A, B, or C).
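The addressing rules of the last three slides, modelled in Python as an added example that is neither part of the student guide nor vendor software: entering an address resets that side's mask to the Class A/B/C default, each mask can then be overridden independently, the mask cannot be set before the address, and the CT and PT addresses must differ from each other and from every other device. The gateway check (each default gateway must lie inside its own interface's subnet) is a general IP routing requirement added here, not a rule quoted from the guide. The class name EncryptorIpConfig and all addresses are constructed for the example.

```python
"""Default classful subnet masks and CT/PT address checks for an inline
network encryptor, modelled on the TACLANE rules in the guide.

Added example, not from the guide or the vendor. Addresses are constructed.
"""
from ipaddress import IPv4Address, IPv4Interface


def default_classful_mask(addr):
    """Class A -> /8, Class B -> /16, Class C -> /24 (the mask the TACLANE
    applies automatically when an address is entered)."""
    first_octet = int(IPv4Address(addr)) >> 24
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    if first_octet < 224:
        return "255.255.255.0"
    raise ValueError(f"{addr} is not a Class A, B or C address")


class EncryptorIpConfig:
    """CT and PT interface configuration of one encryptor (hypothetical model)."""

    def __init__(self):
        self.ct = self.pt = None          # IPv4Interface per side
        self.ct_gw = self.pt_gw = None    # default gateway per side

    def set_address(self, side, addr):
        """Entering an address reverts that side's mask to the classful default."""
        setattr(self, side, IPv4Interface(f"{addr}/{default_classful_mask(addr)}"))

    def set_mask(self, side, mask):
        """Operator override of one side's mask; the address must exist first."""
        iface = getattr(self, side)
        if iface is None:
            raise ValueError("enter the IP address before the subnet mask")
        setattr(self, side, IPv4Interface(f"{iface.ip}/{mask}"))

    def set_gateway(self, side, addr):
        setattr(self, f"{side}_gw", IPv4Address(addr))

    def problems(self, other_devices=()):
        """Configuration faults; other_devices lists addresses already in use
        by hosts or remote encryptors."""
        faults = []
        if self.ct is None or self.pt is None:
            return ["both CT and PT addresses are required"]
        if self.ct.ip == self.pt.ip:
            faults.append("CT and PT addresses must differ")
        for used in map(IPv4Address, other_devices):
            if used in (self.ct.ip, self.pt.ip):
                faults.append(f"{used} is already used by another device")
        for side in ("ct", "pt"):
            iface, gw = getattr(self, side), getattr(self, f"{side}_gw")
            if gw is not None and gw not in iface.network:
                faults.append(f"{side.upper()} gateway {gw} is outside {iface.network}")
        return faults


if __name__ == "__main__":
    unit = EncryptorIpConfig()
    unit.set_address("pt", "148.43.200.2")      # Class B -> 255.255.0.0
    unit.set_mask("pt", "255.255.255.0")        # operator narrows the mask
    unit.set_address("ct", "22.230.40.10")      # Class A -> 255.0.0.0
    unit.set_gateway("ct", "22.230.41.1")
    print(unit.pt, unit.ct, unit.problems())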


IP Network Configuration

• Modifying the TACLANE MTU Size:

• TACLANE MTU size can be modified only when TACLANE is offline, and it takes effect immediately.

• The MTU size is the length, in bytes, of the largest IP datagram the TACLANE sends without fragmenting the IP datagram.

• JNN TACLANE MTU values are:

• for Strategic IP/Ethernet, 1424 bytes

• for Tactical IP/Ethernet, 1007 bytes

• TFS Parameters (Traffic Flow Security).


Setting the TACLANE’s Time

• Set Time:

• All communicating TACLANEs must be synchronized within 55 minutes.

• Time should be set to GMT time zone.

• TACLANE will automatically restart.

• Nominal TACLANE clock drift is approximately 2 min./month. TACLANE date and time should be checked for accuracy at least once every 3 months and adjusted if needed.

Because of the embedded security of the TACLANE, it is crucial that all communicating TACLANEs stay within a 55-minute synchronization window of each other, or 40 minutes when communicating with a FASTLANE. The TACLANE will automatically restart when the time is set or reset, thereby dropping all connections.


Firefly Vector Concepts

• FIREFLY is a public key technique used by the Initiator and Responder TACLANEs to cooperatively generate a unique Traffic Encryption Key (TEK).

• Allows pair-wise TEKs to be dynamically set up (i.e., no pre-assignment) between two TACLANEs.

• Security level of local and remote TACLANE must be identical.

• Local and remote universal edition and partition code must match.
• Partition code allows for segregation of users into communities.
• Classification allows for multiple levels to exist in a network.

Filling the Firefly Vector Set

• The Data Transfer Device (DTD) (AN/CYZ-10(V3)) is the only fill device used at this time to fill TACLANEs with FIREFLY vector sets and PPKs (as of 15-Feb-06).

• Must delete any existing FIREFLY vector set before filling a new one.

• TACLANE must be offline with no security level selected.


Selecting Security Level

• Security Level:

• Filling the FIREFLY vector set must be done with no security level selected because it may be used at more than one security level.

• Preplaced keys (PPK) have a security level associated with them.
  • They must be filled in the correct security level.
  • The TACLANE must be in the right security level BEFORE filling preplaced keys.

• The FIREFLY vector set may only be used to generate TEKs if the security level selected matches one of the security levels allowed by the vector set.

• Certain configuration information entered while in a security level may only be used when in that security level:
  • PPKs and PPK assignments.
  • Network Manager configuration data.


Filling a PPK

• TACLANE must have a security level selected in order to fill a PPK.

• Only the SSO or a privileged user can access this command.

• PPK SDD Security Level must match the Firefly Vector Set classification.

• There are two types of PPKs: User PPKs and the Secure Dynamic Discovery (SDD) PPK.

• When filling a PPK, the operator is prompted to enter the Effective Date of the PPK and the Type of PPK (User vs. SDD).

• The TACLANE in IP mode supports DS-100-1 PPK formats.

• If the Backward Compatibility mode is ON, then the TACLANE will also support the DS-74 PPK format.

PPK Mapping

• Assigning PPK to Multicast address.

• Both the PT & CT must have a multicast address assigned.


Securing IP Paths

• TACLANE must have a valid IP/Ethernet configuration.

• All communicating TACLANEs must be at the same security level.

• If FIREFLY TEKs are used, each communicating TACLANE must have:
  • A unique valid operational FIREFLY vector set, and the FIREFLY vector sets must be valid for the current security level.

• If PPKs are used, all communicating TACLANEs must have:
  • valid PPK assignments
  • with the same PPK filled at the same security level
  • with the same effective date
  • under the same PPK ID.

IP Secure Communication

• TACLANEs support automated peer discovery for secure IP paths. Once a peer TACLANE is identified, a key is selected to secure the path, as follows:
  • PPK Assignments are checked for a match based on the remote TACLANE IP address. If a match is found, that PPK is used to secure the traffic.
  • Existing secure IP paths using FIREFLY TEKs are checked for a match based on the remote TACLANE IP address. If a match is found, that FIREFLY TEK is used to secure the traffic.
  • If no match is found, a new secure IP path is created using FIREFLY.

• Automated peer discovery may be inhibited by assigning the remote TACLANE and the remote host IP addresses to a PPK.
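The key selection order on this slide, together with the preconditions from "Securing IP Paths", as an added Python model that is not part of the student guide and not vendor software: a PPK assignment matching the remote address is tried first, then an existing FIREFLY TEK path to that peer, and otherwise a new FIREFLY path, provided both units are at the same security level and their vector sets are valid for it; an assignment whose PPK the peer does not hold with the same ID, level and effective date blocks the path instead of falling back to FIREFLY, which is the inhibiting effect the last bullet describes. Class and field names, key labels, levels, dates and addresses are all constructed.

```python
"""Key selection for a secure IP path, in the order the guide gives for
automated peer discovery. Added example, not from the guide or the vendor;
keys, levels, dates and addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Ppk:
    ppk_id: str
    security_level: str
    effective_date: str                  # entered when the PPK is filled
    assigned_remote_ips: set = field(default_factory=set)


@dataclass
class Encryptor:
    name: str
    security_level: str                  # level currently selected
    firefly_levels: set = field(default_factory=set)   # levels the vector set allows
    ppks: list = field(default_factory=list)
    tek_paths: dict = field(default_factory=dict)      # remote IP -> FIREFLY TEK label


def matching_ppk(local, peer, remote_ip):
    """A PPK assignment is usable only when the peer holds the same PPK ID,
    filled at the same security level with the same effective date. If the
    address is assigned but the peer's fill differs, discovery is inhibited."""
    for mine in local.ppks:
        if remote_ip not in mine.assigned_remote_ips:
            continue
        for theirs in peer.ppks:
            if (mine.ppk_id, mine.security_level, mine.effective_date) == \
               (theirs.ppk_id, theirs.security_level, theirs.effective_date):
                return mine
        raise RuntimeError(f"{remote_ip}: PPK {mine.ppk_id} assigned but peer fill differs")
    return None


def select_key(local, peer, remote_ip, new_tek=lambda: "TEK-new"):
    """Return ('PPK', id) or ('TEK', label) for the path to remote_ip."""
    if local.security_level != peer.security_level:
        raise RuntimeError("communicating units must be at the same security level")
    if ppk := matching_ppk(local, peer, remote_ip):          # 1. PPK assignment
        return ("PPK", ppk.ppk_id)
    if remote_ip in local.tek_paths:                          # 2. existing FIREFLY path
        return ("TEK", local.tek_paths[remote_ip])
    level = local.security_level                              # 3. new FIREFLY exchange
    if level not in local.firefly_levels or level not in peer.firefly_levels:
        raise RuntimeError("FIREFLY vector set not valid for the selected security level")
    local.tek_paths[remote_ip] = new_tek()
    return ("TEK", local.tek_paths[remote_ip])


if __name__ == "__main__":
    me = Encryptor("A", "SECRET", {"SECRET"},
                   [Ppk("PPK-7", "SECRET", "2010-01-01", {"10.37.1.2"})])
    ppk_peer = Encryptor("B", "SECRET", {"SECRET"}, [Ppk("PPK-7", "SECRET", "2010-01-01")])
    firefly_peer = Encryptor("C", "SECRET", {"SECRET"})
    print(select_key(me, ppk_peer, "10.37.1.2"))       # ('PPK', 'PPK-7')
    print(select_key(me, firefly_peer, "10.37.1.3"))   # ('TEK', 'TEK-new')
    print(select_key(me, firefly_peer, "10.37.1.3"))   # reuses the existing path
```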


TACLANE Maintenance

• Battery Maintenance:

• The battery should be changed yearly or when the Battery Low light illuminates.

• Always remove and replace the battery while the device is powered on.

• Battery removal with the TACLANE powered off (or powering off the TACLANE after removing the battery) tampers the TACLANE.

• TACLANE takes a 3.6 V AA lithium battery (NSN 6135-01-301-8776)

Note: If the battery is inserted backwards, there is a risk that the device will be damaged.

The battery should be changed yearly or when the Battery Low light illuminates. The battery may be changed while the device is plugged in or while the device is not plugged in. It is recommended that the battery be changed while the device is plugged in, because when the device is NOT plugged in there is a 30-second time limit to change the battery. In the unplugged situation, if the battery is not changed within 30 seconds, the TACLANE goes into a tamper condition and data will be lost. Therefore, it is important that the operator have the new 3.6 V lithium battery ready before starting!

Note: It is very important that the new battery be placed in correct polarity. If the battery is inserted backwards, there is a risk that the device will be damaged.


Changing Battery

Always remove and replace the battery while the device is powered on. Battery removal with the TACLANE powered off (or powering off the TACLANE after removing the battery) tampers the TACLANE.

Follow these steps to replace the battery:

1. With the TACLANE powered on, remove the battery cover from the front panel by loosening the two thumbscrews.
2. Pull out the bottom of the battery (positive end) to remove.
3. Install a new battery with the positive end down.
4. Replace the battery cover and tighten the two thumbscrews.
5. To update the battery installed date, select MAINT from the MAIN menu.
6. From the MAINTENANCE menu, select BATTERY. The following screen is displayed:

   ----------BATTERY---------
   BATTERY REPLACED?
   --------------------------
   | YES | NO

7. Select YES to acknowledge battery replacement and return to the MAINTENANCE menu.

Note: This sets the battery installed date to the current date.


Troubleshooting Filling and Managing Keys

The table below describes TACLANE problems with filling and managing keys, their causes, and solutions. Also, see applicable TACLANE Release Notes for the TACLANE software version.


Call Manager Express


CME Functional Requirements

Minimum Requirements

• CME-enabled IOS
• CME-capable platform
• Firmware for phones

Optional Files

• Music on Hold (MOH) file
• CME-GUI files

The only file that is actually needed to run CME on the router is a CME-enabled IOS. The army is currently using:

c2600-advipservicesk9-mz.123-11.T5.bin for the 2600XM-series routers.
c3725-advipservicesk9-mz.123-9.bin for the 3725 routers.
c3745-advipservicesk9-mz.123-9.bin for the 3745 routers.

As can be derived from the above IOS files, the routing platforms commonly found in the JNN network that can support CME are the 2600 and 3700 series of modular access routers. There are a few other Cisco platforms that can also support CME, but none are found in the current military tactical network. The only reason that the phone firmware is needed is in the case where a phone is being used for the first time in a network and is running the wrong version of firmware. For that reason, it is always a good idea to have the firmware files loaded into the flash memory of the CME router. If you wish to make available music on hold for the devices off of the CME router, then an audio file named music-on-hold.au must reside in the flash memory of the router. A default file is provided with the software, but any audio file of type .au or .wav can be used, as long as it is renamed music-on-hold.au.


Besides using the command line interface typically used to configure all Cisco routers, it is possible to administer all the telephony functions of the router via a web GUI interface. It is provided in an archived file of type .tar, and the proper command must be entered into the command line interface in order to properly upload and extract the files into their proper locations on the CME router. This command is:

archive tar /xtract tftp://IP_Addr/filename.tar flash:

The file name will include versioning information that should match the version of IOS being run. For example, on a 2600 router, if c2600-advipservicesk9-mz.123-11.T5.bin is being run as the IOS, then cme-123-11T.tar should be the tar file uploaded using the above command.


CME Call Path in JNN System

[Diagram: CME call paths in the JNN system. A HUB Node connects to the JNNs of UA 1 and UA 2; each JNN serves CP Node 1 and CP Node 2. Paths shown: routes to the Hub and inter-UA; route to the JNN, secondary inter-UA; intra-UA route.]

The CME routers are found exclusively in the battalion nodes of the JNN system. As the name suggests, these are generally designated to be employed at the battalion level. A common misconception for the use of CME on the battalion nodes has been that it is simply there to enable intrasite phone calls during a network outage. There are actually several important reasons to have it – no need to register with a particular JNN, an independent dial plan, minimized downtime during network outages, and localization of the phone’s image file. The only path that a CP Node typically has in the network will be over a highly-latent satellite connection. By having all device registration and management functions, as well as several dial plans with routes to intra-brigade peers the CP Node has little to no reliance on an external call management device.


Cisco Devices – CME/CPN

• 7940, 7940G

• 7960, 7960G

• 7910, 7910+SW

• ATA – 186/188

CME Introduction:

IOS-based call processing software. Can control VOIP and POTS lines and trunks. Runs completely independent of a Call Manager server. Able to perform many of the services that a Call Manager can provide. Centralizes most data and voice functions of the local network to a single platform. Provides a means to ensure efficient use of bandwidth via QoS.

Call Manager

PC server hardware. Microsoft Server based. GUI-only management. Highly scalable. Located at JNN and UHN.

Call Manager Express

Cisco router hardware. Cisco IOS software. CLI or GUI management. Limited number of devices. Located at CP Nodes.


How It Works

[Diagram: IP phones registering with the Call Manager Express router via SCCP.]

Call Manager Express is an IOS-based call control agent.

Several things happen during the registration of each IP phone or device. Once the phones begin power up and have an IP address, they begin to communicate with the call manager. This address is typically given via DHCP as option 150, or if manually assigned, it is entered in the field for the TFTP server. As the device is recognized by the call manager, it verifies that the phone has the correct version of firmware and then checks for an existing configuration file. If it requires firmware, it is downloaded to the phone via TFTP and the device is rebooted automatically. If it does not have a current configuration file, it is downloaded from the call manager. An additional point to remember is that Call Manager Express does not support devices on anything other than its local LAN. It is possible to get a device to register over a WAN connection, but it is not recommended to do so.


Configuration Steps

1. Set IP Address on Telephony Device.
2. DHCP – Automatically set address.
3. Turn on and Configure telephony-service.
4. Create directory numbers.
5. Apply directory numbers to devices.


DHCP Server Settings

ip dhcp pool VOICE
 network 22.230.40.254 255.255.255.192
 default-router 22.230.40.254
 option 150 ip 22.230.40.254

show ip dhcp binding

When any Cisco phone device boots, one of the first things it looks for is a DHCP server with which to get its IP settings and the Cisco Call Manager address. This is especially important to remember when a device has either been booted for the first time or has recently had a factory reset performed on it. In those cases, it is required to have both a DHCP server and a TFTP server available for the devices. The settings above are the minimum settings needed by any Cisco device in order to get it to function. “IP dhcp pool VOICE” creates a DHCP pool called “VOICE”, which is case-sensitive. The network command describes the range of addresses that will be provided to a client. The default-router points to the gateway, which in this case is also the CME router, but doesn’t always have to be the case. Option 150 is a setting utilized by Cisco to identify the address of the TFTP server to the client device. It also will be the address of the Call Manager, but again doesn’t always have to be the case. The device configuration file received via TFTP will actually have the Call Manager address which the device will use to register. The show command: sh ip dhcp binding will list any devices that have received an address from this DHCP server.


Telephony-Service Commands

telephony-service
 load 7910 P00403020214
 load 7960-7940 P00303020214
 max-ephones 8
 max-dn 8
 ip source-address <IP Address> port 2000
 timeouts interdigit 5
 max-conferences 4
 call-forward pattern .T
 moh music-on-hold.au
 transfer-system full-consult
 transfer-pattern .T
 create cnf-files

The above contains the settings used within telephony-service to configure the call management properties of the router.

LOAD command – Specifies the devices expected and their associated firmware files.

MAX-EPHONES – Sets the maximum number of physical devices allowed to be registered off the CME router.

MAX-DN – Sets the maximum number of directory numbers allowed on the CME router.

IP SOURCE-ADDRESS – Specifies which IP address the router should be listening for SCCP traffic on. This is normally the IP address of VLAN 58 in the JNN system.

TIMEOUTS INTERDIGIT – The amount of time, in seconds, that the system waits between dialed digits.

CREATE CNF-FILES – This command is used to automatically create the default device configuration files.

MAX-CONFERENCES –


CALL-FORWARD PATTERN – In the case of the JNN CMEs all calls are forwarded.

MOH – Specifies the name of the music on hold file, stored in the root of the flash: drive. In this case it is music-on-hold.au.

TRANSFER-SYSTEM –

TRANSFER-PATTERN –



Ephone-dn Command

ephone-dn 1 dual-line
 number 6605201
!
ephone-dn 2 dual-line
 number 6605202
!
ephone-dn 3 dual-line
 number 6605203
!

This is the most basic setting available for the ephone-dn command. This command is used to create the actual directory numbers used on the system. At this point they are virtual and are not tied to any specific device. The number directly after “ephone-dn” is the tag number, which is normally sequential. The “dual-line” option is necessary for call waiting, conferencing and transfers to be enabled, as it allows two virtual voice ports to be dedicated to the phone device. The number command sets the 7 digit number.

Additional commands:

• NAME <WORD> – Used to create a free-text name that is shown on the phone and is also passed during call setup as the Caller ID Name.

• DESCRIPTION <display-text> – Unlike most applications of the description command, this is actually used as a header bar display along the top of the phone.

• LABEL <string> – Used to mark the line button on the phone device, rather than the line number.


Ephone Command Example

ephone 1
 mac-address <mac-address>
 type 7960
 button 1:1
!
ephone 2
 mac-address <mac-address>
 type 7960
 button 1:2
!
ephone 3
 mac-address <mac-address>
 type ata
 button 1:3
!

The ephone command is used to associate a physical device (an Ethernet phone) to directory numbers.
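The three blocks above (telephony-service, ephone-dn and ephone) only work when they agree with each other. As an added example, not taken from the guide or from Cisco, the following Python script parses a constructed running-config in the same shape and reports the mismatches an operator would otherwise discover only when a phone fails to register or a line never rings: a button pointing at an undefined ephone-dn, more ephones or dns than max-ephones and max-dn allow, a dn without dual-line, an ephone without a mac-address. The sample config and its MAC addresses are constructed, and accepting any single letter as the button separator is an assumption made for the example.

```python
import re

# Constructed sample in the shape of the guide's telephony-service, ephone-dn
# and ephone blocks. MAC addresses are made-up placeholders. Two defects are
# planted: ephone-dn 3 is single-line and ephone 3 points at a dn that does
# not exist.
SAMPLE_CONFIG = """\
telephony-service
 max-ephones 8
 max-dn 8
 ip source-address 22.230.40.254 port 2000
!
ephone-dn 1 dual-line
 number 6605201
!
ephone-dn 3
 number 6605203
!
ephone 1
 mac-address 0011.2233.4455
 type 7960
 button 1:1
!
ephone 3
 mac-address 0011.2233.4457
 type ata
 button 1:9
!
"""

# button syntax is <line><separator><dn-tag>; ':' is the normal separator.
# Assumption for this example: any single letter is also accepted, since IOS
# uses letters (s, b, f, m, o, ...) for ring and overlay variants.
BUTTON_RE = re.compile(r"^(\d+)[A-Za-z:](\d+)$")


def parse_cme(config):
    """Split a running-config into telephony-service limits, ephone-dns and
    ephones. IOS indents sub-commands by one space, which is what the
    startswith(" ") test relies on."""
    limits, dns, phones = {}, {}, {}
    section = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            section = None
            continue
        parts = line.split()
        if not line.startswith(" "):            # start of a top-level block
            if parts[0] == "telephony-service":
                section = ("ts", None)
            elif parts[0] == "ephone-dn":
                tag = int(parts[1])
                dns[tag] = {"dual_line": "dual-line" in parts, "number": None}
                section = ("dn", tag)
            elif parts[0] == "ephone":
                tag = int(parts[1])
                phones[tag] = {"mac": None, "buttons": {}}
                section = ("ephone", tag)
            else:
                section = None
            continue
        if section is None:
            continue
        kind, tag = section
        if kind == "ts" and parts[0] in ("max-ephones", "max-dn"):
            limits[parts[0]] = int(parts[1])
        elif kind == "dn" and parts[0] == "number":
            dns[tag]["number"] = parts[1]
        elif kind == "ephone" and parts[0] == "mac-address":
            phones[tag]["mac"] = parts[1]
        elif kind == "ephone" and parts[0] == "button":
            for spec in parts[1:]:
                m = BUTTON_RE.match(spec)
                if m:
                    phones[tag]["buttons"][int(m.group(1))] = int(m.group(2))
    return limits, dns, phones


def audit_cme(config):
    """Return a list of findings; an empty list means the three blocks agree."""
    limits, dns, phones = parse_cme(config)
    findings = []
    if len(phones) > limits.get("max-ephones", 0):
        findings.append(f"{len(phones)} ephones exceed max-ephones {limits.get('max-ephones')}")
    if len(dns) > limits.get("max-dn", 0):
        findings.append(f"{len(dns)} ephone-dns exceed max-dn {limits.get('max-dn')}")
    for tag, dn in sorted(dns.items()):
        if dn["number"] is None:
            findings.append(f"ephone-dn {tag} has no number")
        if not dn["dual_line"]:
            findings.append(f"ephone-dn {tag} is not dual-line: no call waiting, conference or transfer")
    for tag, phone in sorted(phones.items()):
        if phone["mac"] is None:
            findings.append(f"ephone {tag} has no mac-address and can never register")
        if not phone["buttons"]:
            findings.append(f"ephone {tag} has no button, so no line will ring on it")
        for button, dn_tag in sorted(phone["buttons"].items()):
            if dn_tag not in dns:
                findings.append(f"ephone {tag} button {button} points at undefined ephone-dn {dn_tag}")
    return findings
```

Running audit_cme(SAMPLE_CONFIG) returns exactly the two planted findings; feeding it the output of "show running-config" from a real CME works the same way because the parser keys only on the one-space indentation IOS uses for sub-commands.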


Call Processing - Internal

(Figure: Phone A calls Phone B on the same CME. Call Setup - SCCP between each phone and the CME; Voice Traffic - RTP between Phone A and Phone B.)

A call sequence within one CME router is quite simple. The phone dials the requested number and the most specific match will be the directory number of the destination device. The same CME router handles the call control for both devices and then hands the call off to the devices. There are two protocols involved:

• SCCP – Skinny Call Control Protocol – Used primarily as the signaling method between a device and its registered call manager or between two call managers. Only used during device registration, call setup and call teardown.

• RTP – Real-Time Transport Protocol – Used as the end-to-end transport mechanism for applications passing real-time data, such as audio or video. Allows for time-stamping and packet sequencing to enable the devices to reassemble the packets in the correct order.


Call Processing CME to CME

(Figure: Phone A, directory number 6605201 at 22.230.40.199, on the BN 2 CME at 22.230.40.254, calls Phone B, directory number 6605301 at 22.230.44.199, on the BN 3 CME at 22.230.44.254. Call Setup - SCCP between each phone and its CME; Call Setup - H.323 between the two CMEs; Voice Traffic - RTP.)

dial-peer voice 66053 voip
 description Primary Route for calls to bn3
 preference 1
 destination-pattern 66053..
 session target ipv4:22.230.44.254
 codec g711ulaw
 no vad

When phone A goes offhook and begins dialing, the BN 2 CME is continually attempting to match the dialed digits with its most specific dial peer or directory number. Once the caller dials the sequence of 67273, the CME has narrowed the possibilities down to the above dial peer. After the final digits are dialed and the requisite pause set by the “interdigit timeout”, the directory number request is immediately sent to the session target, in this case the BN3 CME, for directory resolution. While the call is in progress across the WAN connections, the CMEs act as a sort of proxy for their respective voice devices. The RTP voice data is converted to H.323 signaling to be passed between the CME devices. Once received at the distant CME, the packet IP and UDP headers are rewritten for transmission to the device endpoint. The purpose of this conversion of RTP to H.323 is to take advantage of the QoS features inherent within H.323, such as RSVP and priority queuing.


Dial Peers for JNN System

Standard route to MSE lines via the main UA JNN:

dial-peer voice 5 voip
 description Primary route to MSE to JNN1
 preference 1
 destination-pattern 5......
 session target ipv4:<UA JNN1 CCM IP>
 codec g711ulaw
 no vad
!

Routes 7 digit calls to the HUB:

dial-peer voice 9993 voip
 description All NNXXXXX calls go to HUB
 preference 1
 destination-pattern [2-9][2-9].....
 session target ipv4:148.22.246.29
 codec g711ulaw
 no vad
!

Routes 10 digit calls to the HUB:

dial-peer voice 9994 voip
 description All MYXXXXXXXX calls go to HUB
 preference 1
 destination-pattern [2-8][0-1]........
 session target ipv4:148.22.246.29
 codec g711ulaw
 no vad

These are the two dial peers in the JNN CME systems that are generic to all CMEs. Every BN node directs any non-matched directory numbers to the Cisco Call Manager at the Unit Hub Node. Note that dial peer “9998” does not contain a destination pattern and thus any number dialed will match this peer. Any MSE calls are sent to the primary JNN for the BN node’s parent brigade. If this unit is task organized to another unit that has a JNN node, it would need to be modified to go to its Call Manager. These dial peers and any others, for that matter, merely direct the call to the call management system that most likely contains the directory number dialed. Call completion will still follow the IP route to the actual IP-enabled device for call setup. What this means is that while there may be a second JNN within the brigade which is directly reachable, the call will not go to the UHN and then on to the JNN, only the initial directory lookup will. An additional function that the default dial-peer performs does not involve outbound calls, but inbound. It ensures that the proper codec is used for call setup, which in this case is g.711. If this was not the case, there would be the possibility that an inbound number would not match one of the dial peers and would use the default “dial-peer 0” settings, which includes compression. Dial-peer 0 does not actually appear on the router configuration and cannot be modified, which is why it is always important to include a default dial-peer in your telephony configurations.


Dial Peers (2)

Allows NATO routing up to the HUB CCM:

dial-peer voice 9995 voip
 description All 9YXMYXXXXXXXX calls go to HUB
 preference 1
 destination-pattern 9[0-1].[2-8][0-1]........
 session target ipv4:148.22.246.29
 codec g711ulaw
 no vad
!

Description self-explanatory. There are additional .T dial peers with different preferences (2, 3, 4, etc.) when additional default paths are available:

dial-peer voice 9998 voip
 description All other calls go to hub for routing
 preference 1
 destination-pattern .T
 session target ipv4:<HUB CCM Address>
 codec g711ulaw
 no vad
!

Each CPN now includes this dial-peer, pointing to its own dial plan, in order to prevent misdialed or non-registered phone directory numbers from leaving the local system:

dial-peer voice 66052 voip
 description RingAroundtheRosey prevention
 permission none
 huntstop
 destination-pattern 66052.
 session target ipv4:<yourCME_IP>
!
gateway
 timer receive-rtp 12000

These dial peers enable the CME to directly negotiate with the call control device handling the directory number being called. There is always the possibility that a brigade combat team will be deployed in a stand alone configuration. This ensures that all units normally organized under the brigade will be reachable with no reconfiguration required. During deployments where the BN node is organized under a different UA, additional dial peers may be added to reach the dial peers within that UAed network. It is not recommended to delete the existing dial peers.


Dial Peers (3)

This is one of the two entries needed to go directly to their brigade JNNs:

dial-peer voice 6605 voip
 description Primary Route for calls to UA1
 preference 1
 destination-pattern 6605[0-1]..
 session target ipv4:<UA JNN1 CCM IP>
 codec g711ulaw
 no vad

This entry is typical for routing to another battalion CP node in the same brigade:

dial-peer voice 66053 voip
 description Primary Route for calls to bn3
 preference 1
 destination-pattern 66053..
 session target ipv4:<CME IP of BN3>
 codec g711ulaw
 no vad

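Added example (not the guide's own code, nor Cisco's): a Python model of the dial-peer selection described on the last few pages, using the destination patterns shown in this chapter. It translates each pattern into a regular expression, prefers a local ephone-dn over any peer, picks the most specific matching peer with preference as the tie-breaker, and returns None when nothing matches, which is the case that would otherwise fall through to dial-peer 0. The specificity score is a simplified model assumed for this example, not Cisco's exact algorithm; the session targets in angle brackets are the guide's own placeholders.

```python
import re

# Constructed dial-peer table built from the destination patterns shown in
# this chapter. Targets in angle brackets are the guide's own placeholders.
DIAL_PEERS = [
    # (tag, destination-pattern, preference, session target)
    (5,     "5......",                   1, "<UA JNN1 CCM IP>"),
    (9993,  "[2-9][2-9].....",           1, "148.22.246.29"),
    (9994,  "[2-8][0-1]........",        1, "148.22.246.29"),
    (9995,  "9[0-1].[2-8][0-1]........", 1, "148.22.246.29"),
    (9998,  ".T",                        1, "<HUB CCM Address>"),
    (66052, "66052.",                    1, "<yourCME_IP>"),
    (66053, "66053..",                   1, "22.230.44.254"),
    (6605,  "6605[0-1]..",               1, "<UA JNN1 CCM IP>"),
]

# Directory numbers registered on this CME (the ephone-dn examples).
LOCAL_DNS = {"6605201", "6605202", "6605203"}


def pattern_to_regex(pattern):
    """Translate a Cisco destination-pattern into an anchored regex.
    Covers the forms used in this chapter: literal digits, '.' (exactly one
    digit), 'T' (any further digits, closed by the interdigit timeout) and
    [ranges]. Anything else is rejected rather than silently mis-matched."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == ".":
            out.append(r"\d")
        elif c == "T":
            out.append(r"\d*")
        elif c == "[":
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j
        elif c.isdigit() or c in "*#":
            out.append(re.escape(c))
        else:
            raise ValueError(f"unsupported destination-pattern character {c!r}")
        i += 1
    return re.compile("^" + "".join(out) + "$")


def specificity(pattern):
    """Simplified model of 'most specific match' (an assumption for this
    example, not Cisco's exact algorithm): count the positions that constrain
    a digit, i.e. everything except '.' and 'T'."""
    return sum(1 for c in re.sub(r"\[[^\]]*\]", "X", pattern) if c not in ".T")


def route(dialed, peers=DIAL_PEERS, local_dns=LOCAL_DNS):
    """Return ("local", number) for a directory number on this CME,
    ("peer", tag, session_target) for the best matching dial peer, or None
    when nothing matches (the dial-peer 0 case the guide warns about)."""
    if dialed in local_dns:
        return ("local", dialed)
    candidates = []
    for tag, pattern, preference, target in peers:
        if pattern_to_regex(pattern).match(dialed):
            # most specific first, then lowest preference, then lowest tag
            candidates.append((-specificity(pattern), preference, tag, target))
    if not candidates:
        return None
    _, _, tag, target = min(candidates)
    return ("peer", tag, target)


def has_default_peer(peers=DIAL_PEERS):
    """True if a 'T'-terminated peer exists to catch otherwise-unmatched
    calls, so that no call falls through to the unmodifiable dial-peer 0."""
    return any(pattern.endswith("T") for _, pattern, _, _ in peers)
```

route("6605301") returns ("peer", 66053, "22.230.44.254") because 66053.. constrains five digits and beats both [2-9][2-9]..... and .T; route("911") matches only the .T peer, and with that peer removed the same call returns None, which is exactly why the guide insists on keeping a default dial-peer.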


Show Commands

Command – Description

show ephone – shows detailed information about all registered telephony devices

show ephone summary – shows summary information; useful for getting MAC address info

show telephony-service – shows current CME-related configuration info

show telephony-service all – shows more detailed information related to CME

show dial-peer voice summary – shows all configured dial-peers, to include ephone-dn

show voice call active brief – shows all calls in progress


SNMPc for CPNs


Course Outline

• Introduction to SNMPc

• Start SNMPc

• What to manage

• Build a Map

• Intro to Access-Lists

• Backup Restore Database


Introduction to SNMPc

• Secure Distributed Network Management System

• Proactive Real-time Monitoring

• Ease of Use

SNMPc is a secure distributed network management system.

• Secure – Information cannot be extracted from the SNMPc database without proper password and authority.

• Distributed – The Remote Polling and Manager of Managers features make it distributed.

SNMPc delivers proactive real-time monitoring for your entire network infrastructure.

• Proactive - Alarms and emails can be automatically generated if a trap is received.

• Real-time – SNMPc responds immediately when changes occur in the networks. The real-time feature is dependent on proper setup on the routers and switches.

SNMPc will display network devices, show connectivity between network devices, and display the status of devices with colored icons. Green icons are active, Yellow are marginal and Red are down.


Key SNMPc Features

• Monitors SNMP devices

• Supports SNMP v1, v2 and v3

• Vendor Independent

• Runs as a Windows Service

SNMPv3 is not covered in this course because it is not used in Army networks. SNMPc is vendor independent; it relies on standard SNMP and ICMP protocols to manage and monitor devices. Key network metrics can be monitored using SNMPc. (example: Utilization) Windows Service places SNMPc processes in the Windows Services area.


SNMPc Editions

• SNMPc Workgroup Edition

  • Suitable for small to medium sized networks

  • Used at the Bn CP nodes

• SNMPc Enterprise Edition

  • Distributed polling agent architecture

  • Remote Web based consoles

  • Used at the JNN, Hub Node, DMAIN, DTAC, and ESB Network Operations.

SNMPc Workgroup Edition is an affordable version of SNMPc suitable for a single user and small to medium sized networks.

• It supports all the features of SNMPc except the extra three features listed below.

• The Workgroup Edition is used at the JNN & BnCP Nodes.

SNMPc Enterprise Edition does everything the workgroup version does plus the following extra features.

• Scalable, Distributed Architecture allows for the setup of a remote polling agent. This feature probably doesn’t work well in an Army network because there is no terminal dedicated to only forward network status.

• Live/Standby Servers with automatic failover provide for one SNMPc server as active and one as standby in case the active server goes down. This feature doesn’t work well in an Army network because each network manager is an active monitor. There are no standby servers available.

• Remote Console & JAVA Access allows users to web into the SNMPc server to get a view of the network and use some of the SNMPc tools to monitor the network status. The feature is controlled with a user ID and password.


Starting SNMPc

NO PASSWORD NEEDED, CLICK OK

Procedure: Open SNMPc Locally

1. From the Windows start menu, select Programs, then SNMPc Network Manager, then Configure Tasks, and the SNMPc Task Setup dialog box displays.

2. After verifying all programs are started, select Login. The Remote Login dialog box displays.

3. Login to the local SNMPc workstation using localhost as the Server IP address. (Localhost is preferred over an IP address, because if for some reason the IP was inactive, the program would not start and would appear to not be working).

4. Enter a valid User Name and Password.


SNMPc Management Console

The SNMPc Management Console looks like this when it opens. The following tools and toolbars can be selected for view on the View menu:

• Selection Tool: On the left center of the Management Console. It includes sections labeled Map, MIB, Trend, Event and Menu.

• Event Log Tool: At the bottom of the screen. It includes tabs labeled Current, History and Custom1 thru Custom8.

• Main (Standard) Toolbar: At the top of the user screen below the main menu. It includes shortcuts to commonly used commands from the Edit and View menus.

• Map Edit (Insert Object) Toolbar: Movable toolbar that is normally on the right side of the Management Console screen. It contains commonly used map editing commands from the Insert menu - Insert Device, Submap, GoTo, Link, Bus Network, Ring Network, or Network.

• Status Bar: Along the bottom of the Management Console. It indicates the currently selected object and information about the logged in window.


Main Toolbar

• Find Map Objects: Find items in the SNMPc database.

• Edit Map Objects: Edit properties using the General, Access, Attributes and Dependencies tabs. The item must be selected on the map before the Edit Map Object button can be selected.

• Use Read/Write Mode: Forces SNMPc to always use the Read/Write mode. This only affects console operations such as table and graph displays.

• Show/Hide Event Log Tool: Toggles the Event Log on and off.

• View Object History Events: If no object is selected, all events in the History are displayed. If an object is selected, only events in the History that match the object are displayed.

• View Object Current Events: If no object is selected, all events in the Current database are displayed. If an object is selected, only events in the current database that match the object are displayed.

• Show All Mode: Snaps the active Map to show all objects.

• Zoom to Selected Rectangle: Select the button, then use the left mouse button to draw a box around the area to zoom into in the Map view.

• Normal Zoom Mode: Changes zoom to a ratio of 1:1.

• Zoom In / Zoom Out: Zoom the view in and out respectively.

• Map View Back / Map View Forward: If more than one Map is open, move from one to another.

• Map View Parent: Move from a Submap view to the Submap’s parent map.


• Root Submap Map View: Move from any Submap to the Root Submap.

• Map Object Quick Select: Type in the object name and hit the enter key. The object will move to the center of the screen. This tool is case sensitive.

• MIB Object Quick Select: Type the MIB Object and select Display MIB Table or Graph.

• Display MIB Table: Displays the MIB Object in table form.

• Display MIB Graph: Displays the MIB Object in graph form.

• MIB Browser Tool: Launches the MIB Browser.

• Device Quick Poll: Select any device on the Submap and click Device Quick Poll to start a continuous SNMP poll or ICMP ping.


Insert Object Toolbar

• Insert Device: A Device icon represents SNMP and Ping polled devices.

• Insert Submap: A Subnet icon contains other map layers, including other subnets. Double-click on a subnet icon to open a view window for the next layer down. Use the Parent Window button to go up one layer to the parent subnet view. Use the Root Subnet button to open the top map level view.

• Insert GoTo: A GoTo object displays the map subnet that is named in the address field. To make a GoTo that opens the Root Submap, leave the address field blank.

• Insert Link: A link object represents the link between two objects. Link objects can be polled, so you can optionally set an IP Address and attributes as with the Device Object.

• Insert Network: See the next page.


Console Options

IF THIS BOX IS CHECKED, OBJECTS CAN NOT BE ALTERED

CHECK THIS BOX TO PREVENT CASCADING WINDOWS

Procedure: Configure Console Options

1. From the SNMPc Management Console main menu, select Config, and then Console Options. The Console Options box displays.

2. Checking or unchecking the Local Options allows you to customize some local features.

3. Under Global Options, checking Lock Map Views will prevent users from moving objects.

4. Checking or unchecking the Toolbars changes the toolbars that SNMPc displays.


Local Options:

• Recycle Map Views – When you double-click a SubMap object, SNMPc opens a new window to display the contents of the new SubMap. To reuse a single window and prevent users from having multiple windows open in the background, select Recycle Map Views.

• Floating Tables/Graphs – Use this option to create floating Table/Graph windows. This allows you to move or resize the Table/Graphs as needed and prevents them from being hidden behind submaps.

• Show Grid: Use this option to set Grid Parameters, which is useful when drawing a map manually.

• Event Sounds: Use this option to enable/disable audible alarms on your console.

• Event Alarms: Use this option to enable/disable pop-up alarms and sounds.

• Read/Write Mode: Use this option to force SNMPc to use the Read/Write Access Mode. This only affects console operations such as table and graph displays.

Global Options:

• Lock Map Views – Use this option when the map is complete to prevent icons from being moved.

• Date Format: Sets the date format used by SNMPc for any new event log entries and displayed graphs.

Toolbars: Toggles the view of the following toolbars.

• Standard, Status Bar, Selection Tree, Insert Object, Log View


Default Object Properties

INSERT YOUR UNIT SPECIFIC READ AND READ/WRITE COMMUNITY STRINGS

Procedure: Configure SNMPc Default Object Settings

1. From the SNMPc Management Console main menu, select Config, and then Default Object. The Default Object Properties box displays.

2. Select an item in the Attributes menu and select the >> to display value options.

• Map Icon – the default is auto.ico.

• Exec Program – the default is auto.exe, which pulls up Hubview.exe. If you wish to use putty as your executable program, enter: putty.exe –ssh $xxx.xxx.xxx.xxx (use the ip address of the device)

• Poll Interval – the default value is 30 seconds.

• Poll Timeout – the default value is 2 seconds.

• Poll Retries – the default value is 2 retries.

• Polling Agent – the default value is localhost.

• Read Community – the default value is public. Set to the equipment SNMP value.

• Read/Write Community – the default value is netman. Set to the equipment SNMP value.

• Trap Community – the default value is public.


Create a Sub-Map

Procedure: Create a SubMap

1. From the SNMPc Management Console, select the Root SubMap.

2. Select the Insert SubMap icon on the Insert Object toolbar.

3. The Map Object Properties box displays. On the General tab, enter a descriptive Label or name.

4. The Subnet Type cannot be changed and an IP Address is not needed for a Submap. For Icon, use auto.ico or select a desired icon by clicking the >> option.

5. On the Access, Attributes, or Dependencies tabs, no options are required.

6. Click OK. The newly created SubMap is now listed under the Root Subnet.


The Submap Icon will adopt its status color from the devices contained in the Submap.

• The Submap Icon will be green if all devices and links are green.

• If there are any devices in the Submap that are yellow, the Submap icon will turn yellow.

• If there are any devices in the Submap that are red, the Submap icon will turn red.

• If the red or yellow devices are repaired, the device icons will change to green.

• If a Trap is sent from a device to SNMPc, the device and Submap icon turn magenta. Once the trap is acknowledged, the device and SubMap return to the color assigned by their current status.

A GoTo object is a jump to a submap object. Double click a GoTo icon to open the submap view.

Procedure: Insert a GoTo Symbol

1. Open the desired SubMap.

2. Select Insert GoTo on the Insert Object toolbar. The Map Object Properties box displays.

3. On the General tab, select values for the following:

• Label – the default value is New Object. Change to the SubMap name.

• Address – the default entry is 0.0.0.0. Change to the SubMap name. The Label and Address must be set to the SubMap name for the GoTo symbol to work as a shortcut to the SubMap.

• Type – the default value is GoTo and can’t be changed.

• Icon – the default value is auto.ico.


CPN VIEW

Above is an example of how a CPN team might want to monitor their network.

• The JNN and the HUB will be monitored through OSPF neighborships.

  o The procedure to monitor OSPF is shown on page 20-23.

  o The icons can be whatever the operator chooses; Cisco icon or cloud are recommended.

• The icon labeled AES_RTR is the router located at the STT (Lot_9).

• For Lot_7 the NIPR tier 2 will be monitored.

• The NIPR_CASE will be a Submap:

  o Within the Submap will be the NIPR tier 2 router and NIPR switch.

  o If chosen, the switch can also be a submap, if the team chooses to monitor individual phones and computers.

  o NOTE: monitoring individual phones and computers is not recommended.

• The SIPR network can be monitored much the same, with the exception of the AES or NT2 router. The SIPR tier 2 router will be monitored.


Insert a Device

Procedure: Insert a Device

1. Open the desired Root Subnet or SubMap by double-clicking it.

2. Select Insert Device on the Insert Object toolbar. The Map Object Properties box displays.

3. On the General tab, select values for the following:

• Label – a host name.

• Address – the IP Address of the managed device. Use the Loopback address for a router, use the VLAN address for a switch, and use the NIC address for a Server.

• Type – the default value is Device and can’t be changed.

• Icon – the default value is Auto.ico. Click on >> and select CISCO.ICO.

• Group – select the appropriate group for the device.


4. On the Access tab, select values for the following:

ICMP Option:

• Read Access Mode – the default value is SNMPv1; set it to ICMP Ping.

• Read/Write Access Mode – the default value is SNMPv1.

• Read Community – the default value is public. Enter the managed device RO community string.

• Read/Write Community – the default value is netman. Enter the managed device RW community string.

• Trap Community – the default value is public. Enter the managed device community string.

• V3 options – these are for SNMP version 3, which is not covered in this course.

SNMP option:

• Read Access Mode – the default value is SNMPv1, set to SNMPv2.

• Read/Write Access Mode – the default value is SNMPv1, set to SNMPv2.

• Read Community – the default value is public. Enter the managed device RO community string.

• Read/Write Community – the default value is netman. Enter the managed device RW community string.

• Trap Community – the default value is public. Enter the managed device community string.

5. On the Attributes tab, select values for the following:

• Show Label – the default value is Yes and should not be changed.

• Background Shape – the default value is Square. Routers are circles and Switches are squares.

• Exec Program – the default value is auto.exe.

• Poll Interval – the default value is 30 seconds.

• Poll Timeout – the default value is 2 seconds.

• Poll Retries – the default value is 2 retries.

• Polling Agent – the default value is localhost.

• TCP Services – the default value is null entry and should not be changed.

• Status Variable – the default value is null entry.

• Status Value – the default value is null entry.

• Status OK Exp – the default value is an equal sign.

• Has RMON – the default value is No and should not be changed.

• MAC Address – the default value is 00 00 00 00 00 00. Once SNMPc has queried the device, the actual MAC Address may be displayed.


• SNMP ObjectID – the default value is null entry. Once SNMPc has queried the device, the OID for the Device may be displayed.

6. On the Dependencies tab, no options are required.

7. Select OK to close the Map Object Properties box.

Repeat this process until all network devices are added to the Submap. Note: Using the Copy and Paste functions will allow you to add many devices quickly and then change the IP settings, Access Mode, Community Strings.


MONITORING OSPF

REPRESENTS THE PROTOCOL BEING USED

Procedure: Monitor an icon through OSPF

1. Right click the icon to be monitored and choose Properties; from there, go to the Attributes tab.

2. Highlight the Status Variable field.

3. To the right of the Value drop down window there is a box with two >> symbols on it. Click that box.

4. Select mgmt and click the + box.

5. From there, choose the protocol being used within your network: the JNN network uses ospf. Again, click the + box.


MONITORING OSPF CONT.

SNMPc WILL BASICALLY DO A #show ip ospf neighbor COMMAND FOR YOU TO LOOK FOR A SPECIFIC NEIGHBOR

Procedure: Monitor an icon through OSPF (continued)

1. Once this box is opened, choose ospfNbrTable, and click the + box

2. From there, select ospfNbrState (basically you are having the router perform a #show ip ospf neighbor command).

3. Once this is done, the Browse MIB Tree box will close


MONITORING OSPF CONT.

USE THE TUNNEL ADDRESS OF THE DISTANT END FOR MONITORING

THE DOT X (.0) AT THE END REPRESENTS THE INDEX NUMBER. 0 EQUALS A SPECIFIC IP ADDRESS

Procedure: Monitor an icon through OSPF (continued)

1. The Value drop down window will now show the above.

2. At the end of the statement put a period (.).

3. Now enter the local ip address that ospf forms as a neighbor.

  a. For TDMA that address will be that of the local tunnel.

4. At the end of the ip address, a .0 needs to be entered.

  a. SNMPc has the ability to monitor index numbers within routers, and .0 specifies no specific index number, that an ip address will be monitored.

Status Variable is now set:


MONITORING OSPF CONT.

THIS REPRESENTS THE TYPE OF NEIGHBOR RELATIONSHIP YOU HAVE WITH THE DISTANT END DEVICE. THE #show ip ospf neighbor COMMAND WILL SHOW YOU

Procedure: Monitor an icon through OSPF (continued)

1. At this point, highlight Status Value, and the Value dropdown window will change.

2. Choose the type of neighbor relationship that the router forms with the monitored device; normally full will be chosen.
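The Status Variable built in the steps above is an SNMP instance OID: ospfNbrState from the OSPF-MIB, indexed by the neighbor's IP address followed by the address-less index 0. The Python example below is added for this page (it is not part of SNMPc) to show what the console does with it: build that OID, compare the polled value against the chosen Status Value under the Status OK Exp, and color the icon green or red, including the case where the router no longer lists the neighbor at all. The poll responses and the neighbor addresses 10.0.0.1 to 10.0.0.3 are constructed, and support for a "!=" expression is an assumption.

```python
import ipaddress

# OSPF-MIB (RFC 1850 / RFC 4750): mgmt.ospf.ospfNbrTable.ospfNbrEntry.ospfNbrState
OSPF_NBR_STATE = "1.3.6.1.2.1.14.10.1.6"

# ospfNbrState enumeration; "full" is the value the guide has you enter.
OSPF_NBR_STATES = {1: "down", 2: "attempt", 3: "init", 4: "twoWay",
                   5: "exchangeStart", 6: "exchange", 7: "loading", 8: "full"}


def nbr_state_oid(neighbor_ip, addressless_index=0):
    """Build the instance OID behind the guide's Status Variable:
    ospfNbrState.<neighbor IP>.<ospfNbrAddressLessIndex>. The trailing '.0'
    means the neighbor is identified by its IP address, not by an ifIndex."""
    ip = ipaddress.IPv4Address(neighbor_ip)  # rejects a mistyped address early
    return f"{OSPF_NBR_STATE}.{ip}.{addressless_index}"


def status_color(polled, expected="full", ok_exp="="):
    """Apply Status Variable / Status Value / Status OK Exp the way the map
    icon does: a match gives green, anything else red. A missing instance
    (noSuchInstance: the adjacency has gone) is red. Assumption for this
    example: '!=' is accepted as well as the default '='."""
    if polled is None:
        return "red"
    name = OSPF_NBR_STATES.get(polled, f"unknown({polled})")
    matched = (name == expected) if ok_exp == "=" else (name != expected)
    return "green" if matched else "red"


# Constructed stand-in for three SNMP GET responses keyed by OID; a real
# poller would send these OIDs to the router with the read community string.
SAMPLE_RESPONSES = {
    nbr_state_oid("10.0.0.1"): 8,   # neighbor over the TDMA tunnel: full
    nbr_state_oid("10.0.0.2"): 6,   # stuck in exchange
    # 10.0.0.3 is absent: the router no longer lists that neighbor
}


def neighbor_color(responses, neighbor_ip, expected="full"):
    """Color one map icon from a table of GET responses."""
    return status_color(responses.get(nbr_state_oid(neighbor_ip)), expected)
```

neighbor_color(SAMPLE_RESPONSES, "10.0.0.1") is "green"; the neighbor stuck in exchange and the neighbor that has disappeared from the table are both "red", which is the behavior the icon shows when an adjacency drops.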


Insert a Link

Procedure: Insert a Link

1. Open the desired SubMap.

2. Select two devices that you want to connect with a link.

3. Select Insert Link on the Insert Object toolbar. The Link Map Object Properties box displays.

4. On the General tab, select values for the following:

• Label – the default value is New Link. Enter a new name.

• Address – the IP Address of the managed device on one end of the link.

• Type – the default value is Link and can’t be changed.

• Descr – enter an optional textual description of the link such as hostname and interfaces.


5. On the Access tab, enter values for the following:

• Read Access Mode – the default value is SNMPv1 and should be changed to SNMPv2.

• Read/Write Access Mode – the default value is SNMPv1 and should be changed to SNMPv2.

• Read Community – the default value is public. Enter the managed device Read community string.

• Read/Write Community – the default value is netman. Optional - Set to the device RW community string.

• Trap Community – the default value is public. Enter the managed device community string.

• V3 options – these are for SNMP version 3.

6. On the Attributes tab, enter values for the following:

• Link Thickness – the default value is 1. Set this value to 3.

• Show Label – the default value is Yes. Change to No to make the map less cluttered.

• Exec Program – the default value is auto.exe.

• Poll Interval – the default value is 0 seconds.

• Poll Timeout – the default value is 2 seconds.

• Poll Retries – the default value is 2 retries.

• Polling Agent – the default value is localhost.

• TCP Services – the default value is null entry and should not be changed.

• Status Variable – the default value is null entry. See the next slide.

• Status Value – the default value is null entry. See the next slide.

• Status OK Exp – the default value is an equal sign.

• Has RMON – the default value is No and should not be changed.

• MAC Address – the default value is 00 00 00 00 00 00.

• SNMP ObjectID – the default value is null entry.


Insert a Network

Procedure: Insert a Network

1. Open the desired SubMap.
2. Select Insert Network on the Insert Object toolbar. The Map Object Properties box displays.

3. On the General tab, select values for the following:

• Label – the default value is New Network but enter a Network name.

• Address – enter an IP Address of a device that will reflect Network Status.

• Type – the default value is Network and can’t be changed.
• Desc – enter an optional description of the network.


4. On the Access tab, select values for the following:

• Read Access Mode – the default value is SNMPv1, but managed networks should be set to ICMP Ping.

• Read/Write Access Mode – the default value is SNMPv1.
• Read Community – the default value is public. Enter the device RO community string.
• Read/Write Community – the default value is netman. Enter the managed device RW community string.
• Trap Community – the default value is public. Enter the device community string.
• V3 options – these are for SNMP version 3, which is not covered in this QRG.

5. On the Attributes tab, enter values for the following:

• Show Label – the default value is Yes.
• Poll Interval – the default value is 0 seconds, but must be set to a number.
• Poll Timeout – the default value is 2 seconds.
• Poll Retries – the default value is 2 retries.
• Polling Agent – the default value is localhost.
• TCP Services – the default value is null entry and should not be changed.
• Status Variable – the default value is null entry and should not be changed.
• Status Value – the default value is 0 and should not be changed.
• Status OK Exp – the default value is an equal sign.
• Has RMON – the default value is No and should not be changed.
• MAC Address – the default value is 00 00 00 00 00 00.
• SNMP ObjectID – the default value is null entry.

6. On the Dependencies tab, no options are required. Select OK to close the Map Object Properties box.


Backup a Database

If the local system becomes corrupted or damaged, you must have a copy of your General Dynamics Installation software AND a copy of your network database to restore the Network Management system.

Procedure: Backup SNMPc Database

1. From the SNMPc Management Console main menu, select File, then Backup.

2. Click Setup and the Backup/Restore Setup Tool Box displays.
3. In the Backup Directory section, the default backup directory is displayed, but can be changed. SNMPc always adds a sub-directory to the path you enter on the setup screen. The added sub-directory is called backup.

4. In the Scheduled Backup section, check the selection box to enable automatic backups. Enter the hour of the day for the backup and the number of days to save backups.

5. The Remote Backup Service is not used; this option requires a second SNMPc server for redundancy.

6. Click OK to close the Backup/Restore dialog box.
7. On the Backup Files dialog box, enter a name for the Backup.
8. Click Backup.
9. Click OK to acknowledge the pop-up message.
10. Click Done to close the Backup tool box.


Introduction to Access Lists

access-list 90 remark SNMP READ RESTRICTIONS
access-list 90 permit 22.212.98.245
access-list 90 permit 22.212.98.248
access-list 90 permit 22.212.108.120
access-list 90 permit 22.212.100.123
access-list 90 remark Add any unit unique NetOps IPs/NWs
access-list 90 remark permit host <IP> log
access-list 90 permit 0.0.31.48 0.0.0.15
access-list 90 deny any log

access-list 95 remark SNMP RW & TFTP RESTRICTIONS
access-list 95 permit 22.212.98.245 log
access-list 95 permit 22.212.98.248 log
access-list 95 permit 22.212.108.120 log
access-list 95 permit 22.212.100.123 log
access-list 95 remark Add any unit unique NetOps IPs/NWs
access-list 95 remark permit host <IP> log
access-list 95 permit 0.0.31.48 0.0.0.15
access-list 95 deny any log

access-list 99 remark SSH PROTECTION FOR THE ROUTER
access-list 99 permit 22.212.98.245 log
access-list 99 permit 22.212.98.248 log
access-list 99 permit 22.212.96.2 log
access-list 99 permit 22.212.96.1 log
access-list 99 permit 22.212.108.120 log
access-list 99 permit 22.212.100.123 log
access-list 99 remark Add any unit unique NetOps IPs/NWs
access-list 99 remark permit host <IP> log
access-list 99 permit 0.0.31.48 0.0.0.15
access-list 99 deny any log

Access-list 90 is used in the JNTC network architecture to determine who has the authorization to monitor the devices within a certain network. The SNMP Read community string is used to pull information from a device. The WAN Manager Laptop IP address will be in access-list 90, giving it authorization. At the CPN level, you will see the IP address of the LAN Manager Laptop. Note: above the first line in access-list 90, you will find a line beginning with logging. That IP address should match the management laptop. Access-list 95 is used in the JNTC network architecture to determine who has authority to effect changes within a certain network. Access-list 99 is used to allow management users access to network devices via SSH.
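As an added example (not from the guide or from any Cisco tool), the following Python evaluates the three standard access lists above with the router's first-match semantics, so the on-site administrator can audit which management stations each list actually authorises. The candidate station addresses it tests are constructed.

```python
"""Added example (not from the student guide): evaluate the page's IOS standard
access lists the way the router does, to confirm which management stations may
read SNMP (ACL 90), write SNMP / TFTP (ACL 95) or reach SSH (ACL 99).
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample input: the three access lists copied from the page.
ACL_TEXT = """
access-list 90 remark SNMP READ RESTRICTIONS
access-list 90 permit 22.212.98.245
access-list 90 permit 22.212.98.248
access-list 90 permit 22.212.108.120
access-list 90 permit 22.212.100.123
access-list 90 remark Add any unit unique NetOps IPs/NWs
access-list 90 remark permit host <IP> log
access-list 90 permit 0.0.31.48 0.0.0.15
access-list 90 deny any log
access-list 95 remark SNMP RW & TFTP RESTRICTIONS
access-list 95 permit 22.212.98.245 log
access-list 95 permit 22.212.98.248 log
access-list 95 permit 22.212.108.120 log
access-list 95 permit 22.212.100.123 log
access-list 95 permit 0.0.31.48 0.0.0.15
access-list 95 deny any log
access-list 99 remark SSH PROTECTION FOR THE ROUTER
access-list 99 permit 22.212.98.245 log
access-list 99 permit 22.212.98.248 log
access-list 99 permit 22.212.96.2 log
access-list 99 permit 22.212.96.1 log
access-list 99 permit 22.212.108.120 log
access-list 99 permit 22.212.100.123 log
access-list 99 permit 0.0.31.48 0.0.0.15
access-list 99 deny any log
"""


@dataclass
class Entry:
    action: str     # "permit" or "deny"
    network: int    # source address with the wildcard ("don't care") bits cleared
    wildcard: int   # IOS wildcard mask: a 1 bit means that bit is ignored
    log: bool       # trailing "log" keyword present


def parse_standard_acl(text):
    """Return {acl_number: [Entry, ...]} in configuration order; remarks are skipped."""
    acls = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        number, action, operands = parts[1], parts[2], parts[3:]
        log = operands[-1] == "log"
        if log:
            operands = operands[:-1]
        if operands[0] == "any":
            net, wildcard = 0, 0xFFFFFFFF
        elif operands[0] == "host":
            net, wildcard = int(ipaddress.IPv4Address(operands[1])), 0
        else:
            net = int(ipaddress.IPv4Address(operands[0]))
            # A standard ACL entry without an explicit wildcard means a single host.
            wildcard = int(ipaddress.IPv4Address(operands[1])) if len(operands) > 1 else 0
        acls.setdefault(number, []).append(
            Entry(action, net & ~wildcard & 0xFFFFFFFF, wildcard, log))
    return acls


def evaluate(entries, source):
    """First matching entry wins; no match falls through to IOS's implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for entry in entries:
        if (src & ~entry.wildcard & 0xFFFFFFFF) == entry.network:
            return entry.action
    return "deny"


def permitted_sources(acls, number, candidates):
    """Return the subset of candidate addresses that the given list permits."""
    return [ip for ip in candidates if evaluate(acls[number], ip) == "permit"]


if __name__ == "__main__":
    lists = parse_standard_acl(ACL_TEXT)
    # Constructed candidate stations: two listed hosts, one neighbour, one in the /28.
    stations = ["22.212.98.245", "22.212.98.246", "22.212.96.2", "0.0.31.55"]
    for number in sorted(lists):
        print(f"access-list {number} permits: {permitted_sources(lists, number, stations)}")
```

Running it shows, for instance, that 22.212.96.2 may open SSH (ACL 99) but is denied by ACL 90, which is the kind of mismatch between the three lists that is worth catching before a unit-unique address is added.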


Restore a Database

CHOOSE THE DATABASE YOU WISH TO RESTORE

CAUTION! This process clears all devices, links, networks, map backgrounds, and all user customizations from SNMPc.

Procedure: Restore SNMPc Database

1. From the SNMPc Management Console main menu, select File, and then Restore.

2. The Restore Files box displays. Select the desired backup file.
3. Click Restore. Click Yes.
4. Click OK to acknowledge the pop-up message.
5. Click Done to close the Backup tool box.


Reset a Database

Procedure: Reset Database

1. From the SNMPc Management Console main menu, select File, and then Reset.

2. Click Yes on the Warning dialog box.
3. Click OK on the confirmation dialog box.

NOTE: A Database Reset is not recoverable unless you have a recent backup file. CAUTION! This process clears all devices, links, networks, map backgrounds, and all user customizations from SNMPc. Once the reset is completed, you will have to recreate the SNMPc database using one of these methods:

1. Use the Auto-Discovery process.
2. Use the manual Database creation method to re-build the SNMPc database.
3. Restore the database from a backup file.


TDMA Tunnels

Example of a HUB Tunnel

interface Tunnel7715
 description SUST-7715 mGRE/AES Tunnel
 ip address 172.21.147.1 255.255.255.128
 no ip redirects
 ip mtu 1420
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication 25ID7715
 ip nhrp map multicast dynamic
 ip nhrp map multicast 10.147.8.2
 ip nhrp map 172.21.147.8 10.147.8.2
 ip nhrp nhs 172.21.147.8
 ip nhrp network-id 7715
 ip nhrp holdtime 600
 ip ospf network broadcast
 ip ospf cost 1050
 bandwidth 3072
 ip ospf priority 5
 qos pre-classify
 tunnel source FastEthernet2/0.110
 tunnel mode gre multipoint
 tunnel key 7715
 tunnel protection ipsec profile aesprof
 ip tcp adjust-mss 1332
 ip route-cache flow
 no shutdown

Example of a JNN Tunnel

interface Tunnel7715
 description DMVPN Multipoint Hub to BN Spokes
 ip address 172.21.147.8 255.255.255.128
 no ip redirects
 ip mtu 1420
 ip pim sparse-mode
 ip pim nbma-mode
 ip nhrp authentication 25ID7715
 ip nhrp map multicast dynamic
 ip nhrp map multicast 10.147.1.2
 ip nhrp map 172.21.147.1 10.147.1.2
 ip nhrp network-id 7715
 ip nhrp holdtime 600
 ip nhrp nhs 172.21.147.1
 ip ospf network broadcast
 bandwidth 3072
 ip ospf priority 3
 ip ospf cost 1050
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 7715
 tunnel protection ipsec profile jnn
 ip tcp adjust-mss 1332
 no ip mask-reply
 no ip proxy-arp
 ip route-cache flow
 no shutdown

Example of a CPN Tunnel

interface Tunnel7715
 description DMVPN Tunnel to JNN and-or HUB
 ip address 172.21.147.16 255.255.255.128
 ip pim sparse-mode
 ip pim nbma-mode
 no ip redirects
 ip mtu 1420
 ip nhrp authentication 25ID7715
 ip nhrp map 172.21.147.8 10.147.8.2
 ip nhrp map 172.21.147.1 10.147.1.2
 ip nhrp map multicast 10.147.8.2
 ip nhrp map multicast 10.147.1.2
 ip nhrp network-id 7715
 ip nhrp holdtime 600
 ip nhrp nhs 172.21.147.8
 ip nhrp nhs 172.21.147.1
 ip ospf network broadcast
 bandwidth 2048
 ip ospf priority 0
 ip ospf cost 1050
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 7715
 tunnel protection ipsec profile btn1
 qos pre-classify
 ip tcp adjust-mss 1332
 no ip directed-broadcast
 no ip mask-reply
 no ip proxy-arp
 ip route-cache flow
 no shutdown

The TDMA side of the JNN network is comprised of DMVPN (Dynamic Multipoint Virtual Private Network) Tunnels. The Tunnels in the JNN network do not need to be named the same, but each mesh will have the same name. The MTU size must be the same, as well as the nhrp authentication, and the tunnel key. The HUB will be the controller (master) of the tunnel. The JNN and the CPN will map to the HUB. OSPF priority for the HUB will always be higher than the JNN, the only exception will be during training, and the CPN OSPF priority will always be 0. This will ensure that the HUB will be the DR (Designated Router) and the JNN will be the BDR (Backup Designated Router).
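As an added example (not from the guide or any vendor tool), this Python script parses the HUB, JNN and CPN tunnel snippets above and checks the invariants the paragraph states: identical MTU, NHRP authentication string, tunnel key and NHRP network-id on every member; HUB priority above the JNN's and CPN priority 0; and every NHS and static NHRP map pointing at the tunnel address of a member that exists (a mistyped address is reported). The config strings are the page's tunnel lines trimmed to what the checks need.

```python
"""Added example (not from the student guide): consistency checks for a DMVPN
mesh, run over the HUB / JNN / CPN tunnel snippets shown on the page.
"""
import re

# Constructed sample input: the tunnel lines from the page that the checks need.
MESH_CONFIGS = {
    "HUB": """
interface Tunnel7715
 ip address 172.21.147.1 255.255.255.128
 ip mtu 1420
 ip nhrp authentication 25ID7715
 ip nhrp map 172.21.147.8 10.147.8.2
 ip nhrp nhs 172.21.147.8
 ip nhrp network-id 7715
 ip ospf priority 5
 tunnel key 7715
""",
    "JNN": """
interface Tunnel7715
 ip address 172.21.147.8 255.255.255.128
 ip mtu 1420
 ip nhrp authentication 25ID7715
 ip nhrp map 172.21.147.1 10.147.1.2
 ip nhrp nhs 172.21.147.1
 ip nhrp network-id 7715
 ip ospf priority 3
 tunnel key 7715
""",
    "CPN": """
interface Tunnel7715
 ip address 172.21.147.16 255.255.255.128
 ip mtu 1420
 ip nhrp authentication 25ID7715
 ip nhrp map 172.21.147.8 10.147.8.2
 ip nhrp map 172.21.147.1 10.147.1.2
 ip nhrp nhs 172.21.147.8
 ip nhrp nhs 172.21.147.1
 ip nhrp network-id 7715
 ip ospf priority 0
 tunnel key 7715
""",
}

# Single-valued settings: the first four must match on every mesh member.
SCALARS = {
    "ip mtu": re.compile(r"^\s*ip mtu (\d+)$"),
    "nhrp authentication": re.compile(r"^\s*ip nhrp authentication (\S+)$"),
    "tunnel key": re.compile(r"^\s*tunnel key (\d+)$"),
    "nhrp network-id": re.compile(r"^\s*ip nhrp network-id (\d+)$"),
    "ospf priority": re.compile(r"^\s*ip ospf priority (\d+)$"),
    "address": re.compile(r"^\s*ip address (\S+) \S+$"),
}
NHS_RE = re.compile(r"^\s*ip nhrp nhs (\S+)$")
MAP_RE = re.compile(r"^\s*ip nhrp map (\d+\.\d+\.\d+\.\d+) \S+$")  # skips "map multicast"


def parse_tunnel(config):
    """Extract the settings the checks need from one tunnel interface block."""
    info = {"nhs": [], "maps": []}
    for line in config.splitlines():
        for name, regex in SCALARS.items():
            if match := regex.match(line):
                info[name] = match.group(1)
        if match := NHS_RE.match(line):
            info["nhs"].append(match.group(1))
        if match := MAP_RE.match(line):
            info["maps"].append(match.group(1))
    return info


def check_mesh(configs, hub="HUB", jnn="JNN"):
    """Return a list of findings; an empty list means the mesh is consistent."""
    members = {name: parse_tunnel(cfg) for name, cfg in configs.items()}
    findings = []
    for setting in ("ip mtu", "nhrp authentication", "tunnel key", "nhrp network-id"):
        values = {name: m.get(setting) for name, m in members.items()}
        if len(set(values.values())) != 1:
            findings.append(f"{setting} differs across the mesh: {values}")
    # IOS defaults an unset OSPF priority to 1.
    priority = {name: int(m.get("ospf priority", "1")) for name, m in members.items()}
    if priority[hub] <= priority[jnn]:
        findings.append(f"{hub} priority {priority[hub]} is not above {jnn} priority {priority[jnn]}")
    for name, prio in priority.items():
        if name not in (hub, jnn) and prio != 0:
            findings.append(f"{name}: CPN OSPF priority must be 0, found {prio}")
    # Every NHS and static NHRP map must name the tunnel address of a real member.
    tunnel_addresses = {m.get("address") for m in members.values()}
    for name, m in members.items():
        for target in m["nhs"] + m["maps"]:
            if target not in tunnel_addresses:
                findings.append(f"{name}: {target} is not a tunnel address in this mesh")
    return findings


if __name__ == "__main__":
    for finding in check_mesh(MESH_CONFIGS) or ["mesh is consistent"]:
        print(finding)
```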


JNN TACLANE Procedures

Taclane Configuration Procedures for Secure Dynamic Discovery Tunneling

1. Power on KG-175 Taclane.
2. Insert (Site Security Officer/SSO) Master CIK.

3. Choose Taclane Operation Protocol:

a. Main Menu | Config | Network | Protocol | select Ethernet

4. Configure the Plain Text, Cipher Text and Gateway Addresses:

a. Main Menu | Config | Network | IP Comms | IP Address | using the + and – keys input the proper IP addresses for each item.

5. Configure the Subnet Masks:

a. Main Menu | Config | Network | IP Comms | Subnet Mask | using the + and – keys input the proper subnet mask for the network.

6. Set the MTU Size:

a. Main Menu | Config | Network | IP Comms | MTU | using the + and – keys set the MTU size to 1424 for most JNN/CPN Networks.

7. Set the TFS parameters: (Will change to reflect Unit Network)

a. Main Menu | Config | Security | IP TFS | Fix Packet | Mode | select OFF

b. Main Menu | Config | Security | IP TFS | Bypass | DF BIT | select CLEAR

c. Main Menu | Config | Security | IP TFS | Bypass | DSCP | select ON
d. Main Menu | Config | Security | IP TFS | Bypass | IGMP | select ON
e. Main Menu | Config | Security | IP TFS | Bypass | PMTU | select OFF
f. Main Menu | Config | Security | IP TFS | Packet Seq Check | select OFF
g. Main Menu | Config | Security | IP TFS | ICMP Host | set to 0.0.0.0

8. Set the Date and Time (Must be within 55 minutes of all Taclane in your network):

a. Main Menu | Maint | Date/Time | using the + and – keys input the proper time. [For best accuracy choose time from the JNN GPS clock]


9. Load the Firefly Vector Set into the Taclane.

a. Main Menu | Key Mngt | Fill | Operate [Connect the ANCD to the fill connector on the Taclane] Note: Fill menus and actions will vary on your ANCD, depending on what software set is loaded on your ANCD – See Addendum A for an example.

10. Choose Security Level: (Selected security level MUST match the security level in your network and the Firefly and PPK key security levels)

a. Main Menu | Select Level | choose Unclassified, Confidential, Secret, or Top Secret.

11. Load PPK: (PPK security classification MUST match that of your Network and Firefly Vector Set) [TO SET PPK TYPE as SDD a PPK DS-100 series key must be used]

a. Main Menu | Key Mngt | Fill | PPK | (choose a pre place slot 1-48) | Select TYPE | using the + and – keys select SDD.
b. Connect ANCD to the Taclane fill connector, and follow the load procedures on the ANCD. (See Addendum A for an example)

12. Map the PPK (SDD) key to the network Multicast Address:

a. Main Menu | Config | Security | PPK Assign | IP Slot | choose the PPK you want to map (the previous PPK (SDD) you loaded) | Remote INE | Assign | using the + and – keys input your multicast address in both the PT and CT address areas. PT: 239.255.0.1 CT: 239.255.0.1

TACLANE WILL NOW AUTOMATICALLY RESTART

13. Place the Taclane into SECURE COMMS (online):

a. Insert USER CIK.
b. Main Menu | Operation | Secure Comms

14. Go to: Operation > Call Info > Summary: Check for IP Paths.
15. Ping: CT IP Address on Taclane from the VPN Router.
16. Ping: PT IP Address on Taclane from SIPR T2 Router.
17. Ping: Tunnels on Distant JNNs to verify connectivity.
18. Do: Show IP OSPF Neighbor: To verify Tunnels are routing.


Troubleshooting


CIK Management Duplication

• The TACLANE must not be in a security level to copy/delete a CIK.
• A CIK may not delete itself.
• The Master CIK (CIK #1, also known as the SSO CIK) cannot be deleted.
• Any KSD-1 device that is not an active CIK in the local TACLANE may be reused for a CIK copy. The KSD-1 is erased as part of the CIK copy operation.
• During CIK copy operations, the operator has one minute to complete each CIK replacement step. If the CIK replacement step is not completed within one minute, the TACLANE resets automatically.

Steps for CIK Duplication, All Models

1. From the Offline Main Menu, select Config.
2. From the Configuration Menu, select the Security Menu.
3. To copy a CIK, select CIK Copy from the Configure Security Menu. (Note: only empty CIK slots will be displayed.)
4. Use the Up and Down Arrow Keys to navigate to a particular CIK slot.
5. Select the Select option to choose the CIK slot. (Note: if the CIK is not copied within a minute the TACLANE will automatically restart.)
6. The screen will read Remove CIK. Turn the CIK counter-clockwise to unlock and remove.
7. The screen will read Insert and Turn Blank CIK.
8. Insert and lock a blank CIK; the screen will read Generating CIK.
9. CIK _ of _ will be displayed when the CIK has been successfully created; the screen will also read Remove CIK.
10. Remove the CIK; the screen will now read Insert and Turn Original CIK.
11. Insert and turn clockwise to lock the Original CIK.


Configuring PuTTY

PuTTY lets you make your connection using either SSH protocol or Telnet protocol. From your computer, these connections look identical, but behind the scenes, there is a big difference. SSH makes an encrypted connection to the remote host and that helps protect you against eavesdropping as information is sent over that connection. Because SSH is more secure than Telnet, we recommend that you always use an SSH connection when connecting to a computer system that supports SSH. Most BU computer systems, including ACS, support SSH.

In order for SSH to work properly on the router:
• The router must have a host name.
• The router must be in a domain: from global config mode, ip domain-name xxxxx
• crypto key generate rsa – select the default (512)
• line vty 0 4
• transport input ssh telnet
• login local
• username gdadmin privilege 15 password gd1234$


• Double-click on the PuTTY icon on your desktop, or go to Start->Programs->PuTTY.
• If you do not see any hosts listed in the lower part of the PuTTY configuration window, then type in your hostname (for example, CPN_NT2R) and click on your protocol (for example, SSH), then click Open. We recommend SSH for any system that supports it (ACS does).
• If you see some sessions already listed in the lower part of the PuTTY configuration window, you have a pre-configured version of PuTTY or you have previously saved some sessions. Simply click on one of the CPN_NT2R sessions to connect to ACS. In the example, we chose CPN_NT2R. Then click the Load button.


Saving router and switch configurations:

When you get on site and all services are good: NIPR voice and data, and SIPR voice and data, you should make copies of your configurations (configs) via Solar Winds TFTP server. They should at least be saved to your LAN management laptop.

Preparing to TFTP via Solar Winds:

1. Make sure you can ping your laptop from your router: BCP_XXXXX_NT2R#ping XXX.XXX.XXX.XXX

2. From there you want to open the TFTP server within Solar Winds:

a. Start: All Programs: Solar Winds: Miscellaneous: TFTP server.
b. Verify that the IP address on the bottom right is your laptop IP address.
c. Click File: Configure: now make sure that the TFTP root file is the chosen file. Click OK.

Router commands:

1. Make sure you are in enable mode: >en
2. Copy configuration to TFTP (Solar Winds):

a. BCP_XXXXX_NT2R#copy start tftp
b. Address or name of remote host [ ] ? enter address of laptop.
c. Destination filename [ xxx_xxxxx_xxx-confg ] ? Press enter to accept the name the router gives you.
d. At this point the router will transfer the startup config to the Solar Winds TFTP server. When you see the bang symbols (!!!!!!) the transfer was completed successfully.

CPN TFTP Procedures: switch

As long as you are in system and can ping, make phone calls, and pull web pages, the procedures to TFTP configs from your switch to Solar Winds are exactly the same as for the router. The only difference will be the name of the files. They will be labeled: bcp_xxxxx_nt2s-confg. These procedures are the same for NIPR and SIPR; again the only difference will be the file name: bcp_xxxxx_st2r-confg, bcp_xxxxx_st2s-confg.


CPN TFTP procedures: Router with no config: Lot 7

If you get on site, start your cases and notice there is no config in your router, you will see this message: would you like to enter initial configuration mode? Type no and then press enter key. Now you will see: would you like to terminate auto install? Type yes and then press enter key.

3. You need to plug your LAN management laptop into a Fast Ethernet port in the NIPR case.
4. From the router prompt, go into configure terminal mode: follow the steps below.

a. router>en
b. router#config t
c. router(config)#int faX/X (you are interfacing the FastEthernet port you are plugged into)
d. router(config-if)#ip address XXX.XXX.XXX.XXX 255.255.255.128 (IP address will be one less than your laptop)
e. router(config-if)#no shut (after port comes up; control z)
f. router#ping XXX.XXX.XXX.XXX (your laptop) you want to see !!!!! This could take about 30 seconds. Now you are ready to TFTP your baseline config file from the Solar Winds TFTP Server.
g. router#copy tftp start (from tftp to your start-up configuration)
h. Address or name of remote host [ ] ? enter IP address of laptop
i. Source filename [ ] ? enter name of file from Solar Winds: bcp_xxxxx_nt2r-confg
j. Destination filename [ startup-config ] ? press enter to accept startup
k. At this point Solar Winds will transfer the file from the TFTP server to your router. You will see !!!!!! The transfer was successful.
l. router#copy start run (copies startup config to the running config)
m. router#reload (restarts the router)
n. Once the router reboots, you want to check to make sure all of the ports are up and working properly.
o. router#show ip interface brief to make sure all ports are up/up.


NOTE: For SIPR, you will follow the same steps as NIPR, but the IP address for faX/X will be one less than your SIPR laptop.

CPN TFTP procedures: Switch with no config

If you get on site, start your cases and notice there is no config in your switch, you will see this message: would you like to enter initial configuration mode? Type no and then press enter key. Now you will see: would you like to terminate auto install? Type yes and then press enter key.

5. You should plug your laptop into any available switchport on the SEP.
6. From the switch prompt, go into configure terminal mode: follow the steps below.

a. Switch>en
b. Switch#config t
c. Switch(config)#int vlan 1 (this is the management vlan, used for TFTP)
d. Switch(config-if)#ip address XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX (IP address will be one less than your laptop; subnet should match the laptop's)
e. Switch(config-if)#no shut
f. At this point, try to ping your laptop: if you cannot ping the laptop, go to step g; if you can ping your laptop, go to step k.
g. You will need to interface the switchport your computer is plugged into, and give it switchport access to vlan 1.
h. Switch(config-if)#int g0/12
i. Switch(config-if)#switchport access vlan 1 (now control z) you should now be able to ping your laptop.
j. Switch#ping XXX.XXX.XXX.XXX you want to see !!!!! This could take about 30 seconds. Now you are ready to TFTP a new or baseline config file from the Solar Winds TFTP Server.
k. Switch#copy tftp start
l. Address or name of remote host [ ] ? enter IP address of laptop
m. Source filename [ ] ? enter name of file from Solar Winds: bcp_xxxxx_nt2s-confg
n. Destination filename [ startup-config ] ? press enter to accept startup
o. At this point Solar Winds will transfer the file from the TFTP server to your switch. You will see !!!!!! The transfer was successful.
p. Switch#copy start run (copies start-up config to the running config)
q. At this point you need to exit out of the switch. Once the new config is transferred from startup to running, the switch will not allow you to do any commands; it will tell you that you aren’t authorized.
r. Switch#exit
s. Press the enter key and you will be able to log back into the switch.


NOTE: For SIPR, you will follow the same steps as NIPR, but the IP address for vlan 1 will be one less than your SIPR laptop.


CAT 5E Cabling

Straight-Through Cable Pinout (T568B)

RJ45 Pin #   Wire Color (T568B)   10Base-T / 100Base-TX Signal   1000Base-T Signal
1            White/Orange         Transmit+                      BI_DA+
2            Orange               Transmit-                      BI_DA-
3            White/Green          Receive+                       BI_DB+
4            Blue                 Unused                         BI_DC+
5            White/Blue           Unused                         BI_DC-
6            Green                Receive-                       BI_DB-
7            White/Brown          Unused                         BI_DD+
8            Brown                Unused                         BI_DD-

[Wire Diagram (T568B): image not reproduced]

Crossover Cable Pinout

RJ45 Pin # (End 1)   Wire Color     RJ45 Pin # (End 2)   Wire Color
1                    White/Orange   1                    White/Green
2                    Orange         2                    Green
3                    White/Green    3                    White/Orange
4                    Blue           4                    White/Brown
5                    White/Blue     5                    Brown
6                    Green          6                    Orange
7                    White/Brown    7                    Blue
8                    Brown          8                    White/Blue

[Wire Diagram End #1 / End #2: images not reproduced]


SIMULATED TDMA MESH

[Figure: a switch or hub (ports 1 through 8) with the JNN and CPN1 through CPN6 AES routers each connected from f0/0 (J1) to a switch port; fiber to shelter and fiber to cases on VLAN 6.]

Procedures for Simulated TDMA mesh

1. Place switch at a central location.
2. Plug all AES routers into an un-programmed switch or hub: from F0/0 at the AES to any port in the switch.
3. Access AES router: <Enable>
4. en# sh run | beg router ospf
5. Look for the IP route (example below):
   ip route 10.0.0.0 255.0.0.0 f0/0 10.xxx.xxx.xxx
6. Remove the IP address after f0/0.
7. Make sure the JNN comes up first to ensure Tunnels will form.


CECOM LCMCIT Training - Engineering

Field Support

IT-FSB

CECOM LCMC Logistics Readiness Center

Force Modernization Division

Information Technology Field Services Branch

IT-FSB

Fort Gordon Office Com: 706-791-6150 DSN: 780-6150