Wednesday, February 11, 2015

OFDM

What is OFDM

OFDM is an ingenious technique that works around the limitations of conventional FDM discussed in the sections below (guard bands, pulse shaping and inter-symbol interference):
  • The popularity of OFDM stems from its ability to transform a wideband frequency-selective channel to a set of parallel flat fading narrowband channels, which substantially simplifies the channel equalization problem.
  • It directly modulates the incoming symbol sequence onto the sub-carriers without pulse shaping. Since rectangular pulses (in the time domain) have a sinc response (in the frequency domain), and a sinc response has spectral nulls at fc + k/Ts for every non-zero integer k, the sub-carriers can be placed exactly 1/Ts apart, effectively squeezing the carriers together.
  • Instead of separate modulators, the outgoing waveform is created by executing a high-speed inverse DFT on the block of modulated symbols (one per sub-carrier), which produces the time-domain samples of the transmitted data. The output of the IDFT can be directly up-converted onto the outgoing carrier, without requiring any other components.
The BER performance of an OFDM signal in a fading channel is much better than that of FDM. The advantage comes from the frequency diversity of the multicarrier signal: a fade affects only a small subset of the sub-carriers. Because of the time-frequency granularity it offers, OFDM is a natural solution when the available spectrum is not contiguous, for overlay systems, and for coping with issues such as narrowband jamming (only the jammed sub-carriers are lost). In the multiuser context, this granularity also accommodates variable quality-of-service (QoS) requirements and bursty data.

1. Frequency Division Multiplexing

Frequency division multiplexing (FDM) involves the allocation of each channel to a unique frequency range. This frequency range prescribes both the center frequency and the channel width (bandwidth). Because these channels are non-overlapping, multiple users can operate concurrently simply by using different channels in the frequency domain. Below, we illustrate the frequency domain of an FDM system. Note from the diagram that each channel operates at a different carrier frequency and that these channels are bandlimited to operate within a defined bandwidth.


While we will not discuss pulse-shaping filters in depth, it is important to note that the implementation of a pulse-shaping filter is what allows each channel to be bandlimited to a specific frequency range.

2. FDM Applications in Industry


FDM is commonly used in a variety of communications systems, including Bluetooth and cellular systems such as GSM and CDMA (GSM combines FDM with TDMA within each carrier). Bluetooth, a digital communications protocol used by cell phones, laptops and PDAs, is one example. It operates in the 2.4 GHz unlicensed band and implements FDM by defining 79 channels from 2.402 GHz to 2.480 GHz, spaced 1 MHz apart. Each channel is bandlimited through the implementation of a Gaussian filter.

A second common implementation of FDM is in the Global System for Mobile Communications (GSM) protocol, a 2G cellular communication standard. In the original 900 MHz GSM band, the frequency range is divided into uplink channels from 890 - 915 MHz and downlink channels from 935 - 960 MHz. These bands are further divided into 124 channels spaced at 200 kHz intervals. Again, the bandwidth of each channel is limited through the implementation of a pulse-shaping filter (in GSM's case a Gaussian filter, since GSM uses GMSK).

3. Limiting Channel Bandwidth with Pulse-Shaping


Because digital modulation involves changing characteristics of a carrier sinusoid to transmit information, filtering is an important mechanism for limiting the rate at which these characteristics are altered. Sharp transitions in a modulated sinusoid produce spectral sidelobes far from the carrier frequency. This causes severe difficulty in a communications system for two reasons. First, the power spent on those sidelobes is wasted. Second, an unfiltered channel spills substantial power into adjacent channels and causes interference. We illustrate this concept by showing the frequency domain of a test channel in a simulated physical environment. In this system, the channels are spaced 100 MHz apart and each is 80 MHz wide. In the diagram below, the test channel is the white plot and the simulated physical channel is the red plot. Note that the test channel, centered at 1.0 GHz, shows only -20 dB of attenuation in the adjacent channel spectrum at 1.1 GHz.



As the image above illustrates, the lack of a pulse-shaping filter creates significant interference between adjacent channels. Thus, it is important to limit the bandwidth of each channel through the implementation of a pulse-shaping filter. By applying this filter, the symbol transitions are smoothed and the sidelobes are suppressed. Below, we show the frequency domain of the same physical system after a pulse-shaping filter has been applied to each channel. As the image illustrates, the adjacent channel power on each channel is significantly reduced.



Note in the diagram above that the application of filtering reduces spectral leakage into adjacent channel bands. As the image above illustrates, the interference from the test channel (1.0 GHz) has now been reduced to -70 dB after a pulse-shaping filter has been applied. Note that the bandwidth of each channel is determined by the symbol rate; for the null-to-null main lobe of an unfiltered (rectangular) pulse:
Bandwidth (Bw) = 2 x Symbol Rate (Rs)
while a raised-cosine pulse-shaping filter with roll-off factor a (between 0 and 1) narrows this to Bw = (1 + a) x Rs.

Thus, by applying a pulse-shaping filter, we are able to bandlimit each channel to implement a multi-channel communications systems.

4. Reducing Inter-Symbol Interference (ISI)


Not only can pulse-shaping filters be used to eliminate interference from adjacent channels in the frequency domain, they can also be used to eliminate interference between successive symbols on the same channel. Inter-symbol interference (ISI) can be caused by multi-path fading as signals are transmitted over long distances and through various mediums. More specifically, this characteristic of the physical environment causes some symbols to be spread beyond their given time interval. As a result, they can interfere with the following or preceding transmitted symbols.

One solution to this problem is the application of a Nyquist pulse-shaping filter (a raised cosine, for instance). Applying this filter to each generated symbol attenuates the beginning and ending portions of the symbol and, more importantly, places the zero crossings of each pulse exactly at the sampling instants of the neighbouring symbols. Below, we illustrate the implementation of a pulse-shaping filter on each symbol that is generated. As the image illustrates, the maximum amplitude of the shaped pulse occurs in the middle of the symbol period.



As illustrated in the graph above, the peak of each symbol coincides with a zero crossing of every other symbol's pulse, so sampling at the symbol centre picks up no energy from its neighbours. In addition, the beginning and ending portions of the symbol period are attenuated, which provides a pseudo-guard interval against multi-path reflections. As a result, inter-symbol interference (ISI) is reduced while each channel is still limited to a specified bandwidth.
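To make the zero-crossing argument concrete, here is an added example (it is not code from the original page) in Python: it builds a raised-cosine pulse, superposes one pulse per symbol and samples the sum at the symbol instants. The symbol period, roll-off factor and BPSK data are assumptions chosen for the illustration; the last function shows that the ISI-free property holds only at the exact sampling instants, which is why symbol-timing recovery in the receiver matters as much as the filter itself.

```python
"""Nyquist pulse shaping, as an added example (not from the original page).
A raised-cosine pulse p(t) is 1 at t = 0 and exactly 0 at every other symbol
instant t = k*T, so overlapping pulses do not disturb each other's samples.
The symbol period, roll-off and test symbols below are assumptions."""
import math


def raised_cosine(t, t_sym, beta):
    """Raised-cosine pulse with symbol period t_sym and roll-off beta (0..1)."""
    if abs(t) < 1e-12:
        return 1.0
    x = t / t_sym
    sinc = math.sin(math.pi * x) / (math.pi * x)
    denom = 1.0 - (2.0 * beta * x) ** 2
    if abs(denom) < 1e-12:
        # removable singularity at t = +-t_sym / (2*beta)
        return (math.pi / 4.0) * sinc
    return sinc * math.cos(math.pi * beta * x) / denom


def sample_at_symbol_instants(symbols, t_sym, beta, timing_error=0.0):
    """Superpose one pulse per symbol (amplitude = symbol value) and sample the
    sum at t = k*t_sym + timing_error.  With zero timing error the samples
    equal the transmitted symbols: no ISI."""
    out = []
    for k in range(len(symbols)):
        t = k * t_sym + timing_error
        out.append(sum(a * raised_cosine(t - m * t_sym, t_sym, beta)
                       for m, a in enumerate(symbols)))
    return out


def peak_isi(t_sym, beta, timing_error=0.0, span=8):
    """Largest contribution a neighbouring symbol makes at a sampling instant
    offset by timing_error from the ideal one (0 for perfect timing)."""
    return max(abs(raised_cosine(timing_error - m * t_sym, t_sym, beta))
               for m in range(-span, span + 1) if m != 0)


if __name__ == "__main__":
    T, BETA = 1.0, 0.35
    data = [1, -1, 1, 1, -1, -1, 1]          # constructed BPSK symbols
    print("ideal timing   :", [round(v, 6) for v in sample_at_symbol_instants(data, T, BETA)])
    print("peak ISI, ideal:", peak_isi(T, BETA))
    print("peak ISI, +T/4 :", round(peak_isi(T, BETA, 0.25 * T), 3))
```

With perfect timing the recovered samples reproduce the symbols to floating-point precision; a quarter-symbol timing error lets the neighbouring pulse contribute roughly 0.28 of its amplitude, which is the ISI the filter was supposed to remove.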

5. Orthogonal Frequency Division Multiplexing (OFDM)


OFDM is a special case of frequency division multiplexing in which a single channel is carried on multiple sub-carriers at adjacent frequencies. In addition, the sub-carriers in an OFDM system overlap in order to maximize spectral efficiency. Ordinarily, overlapping adjacent channels interfere with one another. However, the sub-carriers in an OFDM system are precisely orthogonal to one another, so they can overlap without interfering. As a result, OFDM systems maximize spectral efficiency without causing adjacent-carrier interference. The frequency domain of an OFDM system is represented in the diagram below.



Notice above that there are seven sub-carriers for each individual channel. Because the sub-carriers overlap, more of them (and hence more symbols per second in aggregate) fit into a given channel bandwidth, so this implementation allows for greater data throughput than an FDM system using the same bandwidth.

Orthogonality of Sub-Channel Carriers
OFDM communications systems are able to utilize the frequency spectrum more effectively through overlapping sub-carriers. The sub-carriers can partially overlap without interfering because the peak of each sub-carrier's spectrum falls exactly on a spectral null of every adjacent sub-carrier. Below, we illustrate the frequency domain of an OFDM system graphically. As you can see from the figure, each sub-carrier is represented by a different peak, and the peak of each sub-carrier coincides with a zero crossing of all the other sub-carriers.



Note that OFDM channels differ from bandlimited FDM channels in how the pulse shape is applied. In an FDM system, a raised-cosine (sinc-like) pulse is applied in the time domain to shape each individual symbol and prevent ISI. In an OFDM system, each sub-carrier carries an unshaped rectangular pulse in the time domain, so its spectrum is a sinc in the frequency domain; with the sub-carriers spaced by the reciprocal of the symbol period, each sub-carrier's peak lands on the nulls of the others and they remain orthogonal.
Transmitter/Receiver Implementation: (Signal Generation):
In order to use multiple sub-carriers to transmit an individual channel, an OFDM communications system must perform several steps.  These steps are described in the figure shown below.



Serial to Parallel Conversion
In an OFDM system, each channel is broken into a number of sub-carriers. The use of sub-carriers makes optimal use of the frequency spectrum but also requires additional processing by the transmitter and receiver. This processing converts a serial bitstream into several parallel bitstreams to be divided among the individual sub-carriers. Once the bitstream has been divided, each sub-carrier is modulated as if it were an individual channel before all sub-carriers are combined and transmitted as a whole. The receiver performs the reverse process: it separates the incoming signal into the individual sub-carriers, demodulates each one, and then reconstructs the original bitstream.

Modulation with the Inverse FFT
The modulation of data into a complex waveform occurs at the Inverse Fast Fourier Transform (IFFT) stage of the transmitter. The constellation used on the sub-carriers is chosen independently of the IFFT itself, based on the channel requirements; in fact, it is possible for each individual sub-carrier to use a different modulation scheme. The role of the IFFT is to place each sub-channel's symbol on the appropriate sub-carrier, producing the time-domain samples of one OFDM symbol.



Cyclic Prefix Insertion
Because wireless communications systems are susceptible to multi-path channel reflections, a cyclic prefix is added to reduce ISI. A cyclic prefix is a copy of the last section of a symbol that is prepended to the beginning of that symbol. It is important for two reasons: delayed multi-path copies of the previous symbol die out inside the prefix, so they do not interfere with the symbol that follows, and the prefix makes the channel's effect on the symbol a circular convolution, which is what allows the receiver to equalize each sub-carrier with a single complex division after the FFT.



Parallel to Serial Conversion
Once the cyclic prefix has been added to the sub-carrier channels, they must be transmitted as one signal. Thus, the parallel to serial conversion stage is the process of summing all sub-carriers and combining them into one signal. As a result, all sub-carriers are generated perfectly simultaneously.
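The whole chain described in the sections above (orthogonal sub-carriers, IFFT modulation, cyclic prefix, serialisation, and the receiver's reverse path) as an added example in Python; this is not code from the original page. It uses a plain O(N^2) DFT so that nothing beyond the standard library is needed. The DFT size, the three-tap multipath channel and the bit pattern are assumptions. The `crosstalk` function checks the orthogonality claim directly (sub-carriers spaced 1/Ts apart have zero inner product over one symbol period), and running the link with and without a cyclic prefix shows why the prefix is not optional once the channel has memory.

```python
"""OFDM transmit/receive chain in pure Python, as an added example (not from
the original page): QPSK symbols -> IDFT -> cyclic prefix -> multipath channel
-> strip prefix -> DFT -> one-tap equaliser, plus a check that sub-carriers
spaced 1/Ts apart are orthogonal.  DFT size, channel taps and the bit
pattern are assumptions chosen for illustration."""
import cmath
import math


def dft(x):
    """Forward DFT, X[k] = sum_n x[n] e^(-j2pi kn/N).  O(N^2); fine for small N."""
    n_pts = len(x)
    return [sum(x[n] * cmath.exp(-2j * math.pi * k * n / n_pts) for n in range(n_pts))
            for k in range(n_pts)]


def idft(big_x):
    """Inverse DFT with 1/N normalisation: this is the OFDM modulator."""
    n_pts = len(big_x)
    return [sum(big_x[k] * cmath.exp(2j * math.pi * k * n / n_pts) for k in range(n_pts)) / n_pts
            for n in range(n_pts)]


def crosstalk(k, l, n_pts):
    """Normalised inner product of sub-carriers k and l over one symbol period:
    1 for k == l and 0 otherwise, i.e. the sub-carriers are orthogonal."""
    acc = sum(cmath.exp(2j * math.pi * (k - l) * n / n_pts) for n in range(n_pts))
    return abs(acc) / n_pts


# Gray-coded QPSK constellation (unit magnitude)
QPSK = {(0, 0): cmath.exp(1j * math.pi / 4), (0, 1): cmath.exp(3j * math.pi / 4),
        (1, 1): cmath.exp(5j * math.pi / 4), (1, 0): cmath.exp(7j * math.pi / 4)}


def qpsk_map(bits):
    return [QPSK[(bits[i], bits[i + 1])] for i in range(0, len(bits), 2)]


def qpsk_demap(symbols):
    """Nearest-constellation-point decision."""
    out = []
    for s in symbols:
        out.extend(min(QPSK, key=lambda p: abs(QPSK[p] - s)))
    return out


def ofdm_modulate(symbol_blocks, cp_len):
    """Each block of N symbols -> N time samples with the LAST cp_len samples
    copied in front (cyclic prefix); blocks are concatenated (parallel-to-serial)."""
    out = []
    for block in symbol_blocks:
        x = idft(block)
        out.extend(x[len(x) - cp_len:] + x)   # x[-0:] would copy the whole block
    return out


def multipath(tx, taps):
    """Linear convolution: direct path plus delayed, attenuated echoes."""
    out = [0j] * (len(tx) + len(taps) - 1)
    for n, s in enumerate(tx):
        for d, h in enumerate(taps):
            out[n + d] += h * s
    return out


def ofdm_demodulate(rx, n_pts, cp_len, n_blocks, taps):
    """Strip the prefix, DFT each block and divide by the channel response H[k].
    The division is only exact if the prefix covered the whole channel delay."""
    big_h = dft(list(taps) + [0j] * (n_pts - len(taps)))
    blocks = []
    for b in range(n_blocks):
        start = b * (n_pts + cp_len) + cp_len
        big_y = dft(rx[start:start + n_pts])
        blocks.append([big_y[k] / big_h[k] for k in range(n_pts)])
    return blocks


def evm(sent_blocks, recovered_blocks):
    """RMS error vector magnitude over all symbols (0 = perfect recovery)."""
    err = [abs(r - s) ** 2 for sb, rb in zip(sent_blocks, recovered_blocks)
           for s, r in zip(sb, rb)]
    return math.sqrt(sum(err) / len(err))


def run_chain(symbol_blocks, cp_len, taps):
    """Symbols in, (recovered symbols, EVM) out."""
    n_pts = len(symbol_blocks[0])
    rx = multipath(ofdm_modulate(symbol_blocks, cp_len), taps)
    rec = ofdm_demodulate(rx, n_pts, cp_len, len(symbol_blocks), taps)
    return rec, evm(symbol_blocks, rec)


def ofdm_link(bits, n_pts, cp_len, taps):
    """Bits in, (recovered bits, EVM) out; len(bits) must be a multiple of 2*n_pts."""
    blocks = [qpsk_map(bits[i:i + 2 * n_pts]) for i in range(0, len(bits), 2 * n_pts)]
    rec, err = run_chain(blocks, cp_len, taps)
    return [b for blk in rec for b in qpsk_demap(blk)], err


if __name__ == "__main__":
    N, CP, TAPS = 8, 2, [1.0, 0.6j, -0.3]       # assumed 3-tap channel; CP >= 2 covers it
    seed, bits = 1, []
    for _ in range(2 * N * 4):                   # constructed pseudo-random data
        seed = (seed * 1103515245 + 12345) % 2 ** 31
        bits.append((seed >> 16) & 1)
    print("crosstalk k=3,l=5 :", round(crosstalk(3, 5, N), 12))
    print("bit errors with CP:", sum(a != b for a, b in zip(bits, ofdm_link(bits, N, CP, TAPS)[0])))
    print("EVM with CP       :", ofdm_link(bits, N, CP, TAPS)[1])
    print("EVM without CP    :", ofdm_link(bits, N, 0, TAPS)[1])
```

With a prefix at least as long as the channel memory the received block equals the circular convolution of the symbol with the channel, so dividing by H[k] recovers every QPSK symbol exactly; with no prefix the tail of one symbol lands on the first samples of the next and the EVM becomes large. Real receivers must also estimate H[k] from pilots rather than knowing the taps, which is the part this example deliberately leaves out.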

6. Advantages of OFDM


Orthogonal frequency division multiplexing is commonly implemented in many emerging communications protocols because it provides several advantages over the traditional FDM approach. More specifically, OFDM systems allow for greater spectral efficiency, reduced inter-symbol interference (ISI), and resilience to multi-path distortion.

Spectral Efficiency
In a traditional FDM system, each channel is spaced by about 25% of the channel width. This is done to ensure that adjacent channels do not interfere. This is illustrated in the diagram below, which shows the guard bands between individual channels.



Because of the requirement for guard bands, the symbol rate on each channel must be kept low enough for the channel's spectrum to fit inside its allocation with a guard band on either side. In general, the allowed channel bandwidth (Bw) is about 2 x Rs. As a result, the channels are adequately separated.

In an OFDM system, on the other hand, the sub-carriers actually overlap. As a result, it is possible to maximize the symbol rate, and thus the throughput, for a given bandwidth. In the image below, we illustrate overlapping sub-carriers in an OFDM system. In this scenario, the bandwidth per sub-carrier (Bw) approaches Rs. Thus, as the number of sub-carriers approaches infinity, OFDM systems allow for nearly double the spectral efficiency.



Note that with an OFDM system, it is still required to have a guard band between each individual channel. However, the effective symbol rate for the combined sub-carriers is greater than if a single carrier were used instead.



Note that the effect of using overlapping orthogonal sub-carriers also requires the use of a cyclic prefix to prevent intersymbol interference (ISI). Thus, some of the advantages gained through overlapping sub-carriers are compromised. However, the spectral efficiency advantage is great enough such that greater throughput is available in an OFDM system.

Reduced Inter Symbol Interference (ISI)
In single-carrier systems, inter-symbol interference is often caused by the multi-path characteristics of a wireless channel. Note that when transmitting an electromagnetic wave over a long distance, the signal passes through a variety of physical mediums. As a result, the actual received signal contains the direct-path signal overlaid with reflections of smaller amplitude. The diagram below illustrates how, at high symbol rates, reflected signals can interfere with subsequent symbols.

In wireless systems, this creates difficulty because the received signal can be slightly distorted. In this scenario, the direct path signal arrives as expected, but slightly attenuated reflections arrive later in time. These reflections create a challenge because they interfere with subsequent symbols transmitted along the direct path. These signal reflections are typically mitigated through a pulse-shaping filter, which attenuates both the starting and ending sections of the symbol period. However, as the figure above illustrates, this problem becomes much more significant at high symbol rates. Because the reflections make up a significant percentage of the symbol period, ISI will also be substantial.



OFDM systems mitigate this problem by utilizing a comparatively long symbol period. In addition, they do this without sacrificing throughput by utilizing multiple sub-carriers per channel. Below, we illustrate the time domain of OFDM symbols. Note that in an OFDM system, the symbol rate can be reduced while still achieving similar or even higher throughput.



Note from the illustration above that the time required for the reflections to fully attenuate is the same as before. However, with a lower symbol rate, the reflections occupy only a small percentage of the total symbol period. Thus, it is possible to simply add a guard interval to remove interference from reflections without significantly decreasing system throughput.

7. Commercial Applications of OFDM


Several common commercial protocols, such as digital video broadcast (DVB), asymmetric digital subscriber line (ADSL) and wireless LAN (Wi-Fi), implement OFDM. With Wi-Fi, the IEEE 802.11a and IEEE 802.11g physical layers specifically use OFDM. With IEEE 802.11g, each channel occupies 16.25 MHz of bandwidth in the 2.4 GHz band (within a 20 MHz channel spacing). Each channel is divided into 52 used sub-carriers spaced 312.5 kHz apart (48 carry data, 4 are pilots), which together fill the 16.25 MHz dedicated to the channel. The constellation on the data sub-carriers, BPSK, QPSK, 16-QAM or 64-QAM, is chosen per packet according to the characteristics of the physical channel (802.11a/g use the same constellation on all data sub-carriers of a packet; the per-sub-carrier bit loading mentioned earlier is what ADSL does). One of the newest wireless internet protocols, WiMAX, also uses OFDM technology.

Tuesday, February 10, 2015

WiFi Association Process

WPA-PSK(TKIP)

1.      Beacon frames are transmitted periodically to announce the presence of a wireless network and contain all information about it (data rates, channels, security ciphers, key management, etc.):

WPA-PSK-TKIP-Beacon.png


2.     Probe request is sent by the STA to obtain information from the AP:
WPA-PSK-TKIP-Probe-req.png




3.      Probe response: the AP responds with a probe response frame, containing capability information, supported data rates, etc., after it receives a probe request frame from the STA:
WPA-PSK-TKIP-Probe-res.png

4.      802.11 authentication is a process whereby the access point either accepts or rejects the identity of a radio NIC. The NIC begins the process by sending an authentication frame containing its identity to the access point. With open system authentication (the default), the radio NIC sends only one authentication frame, and the access point responds with an authentication frame indicating acceptance (or rejection). Note that open system authentication proves nothing about the client; the real proof of key possession happens later, in the 4-way handshake (or the 802.1X exchange that precedes it):
a.       Dot11 authentication request:

WPA-PSK-TKIP-Auth-req.png

b.      Dot11 authentication response:

WPA-PSK-TKIP-Auth-res.png


5.      802.11 association enables the access point to allocate resources for and synchronize with a radio NIC. A NIC begins the association process by sending an association request to an access point. This frame carries information about the NIC (e.g., supported data rates) and the SSID of the network it wishes to associate with.
a.       Dot11 association request:

WPA-PSK-TKIP-Assos-req.png
After receiving the association request, the access point considers associating with the NIC, and (if accepted) reserves memory space and establishes an association ID for the NIC.
b.      Dot11 association response:
WPA-PSK-TKIP-Assos-res.png


6.      4-way handshake: during this phase the PTK is created; the PSK is used as the PMK from which those values are derived:
a.       AP sends an EAPOL-Key (802.1X) frame with the ANonce; the STA now has all the information it needs to construct the PTK:

WPA-PSK-TKIP-Key-1.png


b.      STA responds with an EAPOL-Key frame carrying the SNonce and a MIC computed with the KCK portion of the freshly derived PTK; a valid MIC proves to the AP that the STA knows the PMK:

WPA-PSK-TKIP-Key-2.png
c.       AP sends an EAPOL-Key frame with a new MIC and the GTK (encrypted with the KEK) together with its sequence number (RSC). This sequence number will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection:
WPA-PSK-TKIP-Key-3.png

d.      STA sends the fourth EAPOL-Key frame to acknowledge; both sides then install the PTK:

WPA-PSK-TKIP-Key-4.png
From that point all data is sent encrypted.

WPA2-PSK(AES/TKIP)


The process is largely the same as in the previous section; I'll highlight only the information that differs.

1.      WPA2 AP management frames include an RSN element that carries the unicast (pairwise) cipher suite, the AKM information and the group (GTK) cipher suite. If both AES and TKIP are enabled, the weaker method (TKIP) is used for the GTK, because every associated STA must be able to decrypt group traffic.
image012.png

2.      During the 4-way handshake the EAPOL-Key frames carry the WPA2 (RSN) key descriptor type and version in their "Type" and key information fields.
image013.png



Note: you can decrypt WEP, WPA-PSK and WPA2-PSK wireless traffic in a trace if the key is known. For WPA/WPA2-PSK the EAPOL-Key frames of the 4-way handshake must also be present in the trace, because the per-session PTK is derived from the nonces they carry; WEP needs only the static key.

In order to decrypt wireless traffic in Wireshark, open Preferences -> Protocols -> IEEE 802.11, provide the key(s) and tick "Enable decryption".

To decrypt WPA/WPA2 traffic specify the key in one of these formats (passphrase plus SSID, or the raw 256-bit PMK as 64 hex digits):
wpa-pwd:passphrase:SSID
wpa-psk:<64 hex digits>
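What Wireshark (and every handshake-cracking tool) does with the passphrase, the SSID and the captured EAPOL-Key frames is shown here as an added example in Python; this is not code from the original post. It derives the PMK from the passphrase with PBKDF2, expands it into the PTK using the two MAC addresses and the two nonces from messages 1 and 2 of the 4-way handshake, and then verifies the MIC on message 2 with the KCK. The AP and STA MAC addresses, the nonces and the message-2 frame are constructed for the example; the passphrase/SSID test vector ("password"/"IEEE") is the one published in IEEE 802.11i Annex H.

```python
"""WPA/WPA2-PSK key derivation and 4-way handshake MIC check, as an added
example (not from the original post): this is what Wireshark does with the
passphrase/SSID and the captured EAPOL-Key frames before it can decrypt.
MAC addresses, nonces and the message-2 frame below are constructed."""
import hashlib
import hmac


def derive_pmk(passphrase, ssid):
    """PSK -> PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || i), concatenated."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, nbytes=48):
    """PTK = PRF(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    48 bytes for CCMP (KCK|KEK|TK), 64 for TKIP (adds the two Michael keys)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


MIC_OFFSET = 4 + 77   # EAPOL header (4) + key descriptor fields before the MIC


def eapol_mic(kck, eapol_frame, descriptor_version):
    """MIC over the whole EAPOL frame with its MIC field zeroed.
    Version 1 (TKIP) = HMAC-MD5, version 2 (CCMP) = HMAC-SHA1 truncated to 16."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    if descriptor_version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce, mic=b"\x00" * 16, key_info=0x010A, key_data=b""):
    """Constructed EAPOL-Key message 2 (RSN descriptor, pairwise, MIC bit, version 2)."""
    body = (b"\x02" + key_info.to_bytes(2, "big") + b"\x00\x00"   # type, key info, key length
            + (1).to_bytes(8, "big") + snonce                      # replay counter, SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8             # key IV, RSC, key ID
            + mic + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body       # EAPOL v1, type Key


def verify_msg2(passphrase, ssid, aa, spa, anonce, eapol_msg2):
    """Recompute the PTK from a candidate passphrase and check message 2's MIC.
    This is exactly the test a dictionary attack on a captured handshake performs."""
    snonce = eapol_msg2[4 + 13:4 + 13 + 32]
    version = int.from_bytes(eapol_msg2[5:7], "big") & 0x0007
    kck = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    expected = eapol_mic(kck, eapol_msg2, version)
    return hmac.compare_digest(expected, eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16])


def demo(passphrase="password", ssid="IEEE"):
    """Build the inputs a capture would give us: AP MAC, STA MAC, ANonce and a
    message 2 whose MIC was computed by a STA that knows the passphrase."""
    aa = bytes.fromhex("00112233aabb")      # constructed AP MAC
    spa = bytes.fromhex("66778899ccdd")     # constructed STA MAC
    anonce = bytes(range(32))               # constructed nonces
    snonce = bytes(range(32, 64))
    kck = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    msg2 = build_msg2(snonce, mic=eapol_mic(kck, build_msg2(snonce), 2))
    return aa, spa, anonce, msg2


if __name__ == "__main__":
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
    aa, spa, anonce, msg2 = demo()
    print("MIC valid with 'password':", verify_msg2("password", "IEEE", aa, spa, anonce, msg2))
    print("MIC valid with 'Password':", verify_msg2("Password", "IEEE", aa, spa, anonce, msg2))
```

Two things follow from the code. Wireshark needs messages 1 and 2 (for the nonces) before it can derive the PTK, which is why a capture started after association cannot be decrypted without a re-association. And because the PMK depends only on passphrase and SSID, while the MIC check costs one PBKDF2 run per guess, a captured handshake is an offline oracle for the passphrase; passphrase strength is the only thing standing between a capture and plaintext.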


Note: in order to filter WLAN traffic from a specific STA in Wireshark you can use the WLAN statistics.
Go to Statistics -> WLAN Traffic, select from the list of SSIDs the one the STA is associated with, and apply a filter based on the STA.
image014.jpg




WPA/WPA2 Enterprise
1)     WPA(TKIP)/WPA2(AES) with dot1x (PEAP)
This process follows the same steps as the previous ones, except for the AKM method, the way the PTK/GTK are derived, and the attributes the AP advertises in 802.11 management frames.
a.       In this example the AP advertises WPA(TKIP)/WPA2(AES) with dot1x authentication: both the RSN and WPA tag attributes carry the AKM value "WPA" (802.1X), whereas in the case of PSK authentication this field contains "PSK". Also in this example TKIP is used for WPA and AES for WPA2.
dot1x.png

b.      STA selects one of the authentication methods and cipher suites advertised by the AP. In this case WPA2 with AES was selected, as can be seen in the RSN IE parameters.
WPA2PEAP.png
c.       After successful dot11 association, dot1x authentication takes place; during this process we can see which EAP method the STA uses for authentication and the certificate exchange between supplicant and AAA server.
dot1x-PEAP-1.png
d.      After successful dot1x authentication the PMK is transmitted to the AP in the "Access-Accept" message from the AAA server (carried in the MS-MPPE-Recv-Key RADIUS attribute) and the same PMK is derived on the client; next the 4-way handshake takes place to establish the PTK and GTK.
Radius exchange between WLC and AAA server:
image018.jpg
General flow diagram:
image019.jpg

WPA(TKIP)/WPA2(AES) with dot1x (EAP-TLS)
The difference from the previous method is that the client presents its own certificate (in the TLS Certificate message, after the server's CertificateRequest), so mutual authentication between client and AAA server is performed with certificates on both sides rather than with a password inside the tunnel.
EAP exchange between STA and WLC:
image020.jpg
Radius exchange between WLC and AAA server:
image021.jpg
General flow diagram:
image022.jpg
2)     WPA(TKIP)/WPA2(AES) with dot1x (FAST)
Only the dot1x authentication stage differs from the previous example. After successful dot11 association, dot1x authentication takes place: the AP sends a dot1x identity request to the STA and the STA provides an identity response. What follows depends on which PAC provisioning is in use (in-band PAC provisioning, phase 0, or out-of-band PAC provisioning). In the case of in-band provisioning the PAC is sent to the client by the AAA server; once the client has a PAC it proceeds to EAP-FAST phase 1, where the TLS tunnel is established. Note that anonymous in-band provisioning runs over an unauthenticated TLS tunnel, so an attacker impersonating the AAA server can hand the client a rogue PAC; authenticated provisioning (server certificate) or out-of-band provisioning avoids this.
image023.jpg
After the TLS tunnel is established, the inner authentication method (phase 2) runs inside the encrypted tunnel. On successful authentication the PMK is sent to the AP in the "Access-Accept" message from the AAA server, and the same key is derived on the STA from the dot1x exchange. This key (PMK) is used to calculate the PTK during the 4-way handshake, which secures the communication between STA and AP.
General flow diagram:
image024.jpg

Thursday, February 5, 2015

Proxy Arp

Experimenting with Proxy-ARP

After reading a little about proxy ARP, I wanted to experiment with it. Proxy ARP is enabled by default on Cisco IOS router interfaces. The idea is that it allows devices on 2 different subnets to talk to each other without configuring a default gateway!
LAB
This lab was setup on GNS3.  R1 and R3 are routers, however, we are going to emulate them as hosts by disabling ip routing.  So envision this as 2 hosts (R1 & R3) connecting to 1 router (R2).

Let’s set this up ready for testing.
R1#
!
no ip routing
!
interface FastEthernet0/0
 ip address 192.168.0.2 255.255.255.0
!
R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.2             -   cc00.0e1c.0000  ARPA   FastEthernet0/0
!
//notice we haven't configured a default gateway for this host
R2#
interface FastEthernet0/0
description connections to R1
ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/1
description connections to R3
ip address 10.10.10.1 255.255.255.0
!
R2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1             -   cc01.0e1c.0001  ARPA   FastEthernet0/1
Internet  192.168.0.1            -   cc01.0e1c.0000  ARPA   FastEthernet0/0
R3#
no ip routing
interface FastEthernet0/1
ip address 10.10.10.2 255.255.255.0
!
R3#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.2             -   cc02.116c.0001  ARPA   FastEthernet0/1

//notice we haven't configured a default gateway for this host
So let’s try and ping from R1 to R3 without a default gateway configured either side.
R1#ping 10.10.10.2

.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/32/40 ms
!
R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.2              -   cc01.0e1c.0000  ARPA   FastEthernet0/0
Internet  192.168.0.2             -   cc00.0e1c.0000  ARPA   FastEthernet0/0
The MAC address for 10.10.10.2 is actually the MAC address of our router R2’s fa0/0 interface (as opposed to the MAC of our host R3). Let’s verify this by checking the MAC for R2’s fa0/0 interface.
R2#sh int fa0/0 | i bia
  Hardware is AmdFE, address is cc01.0e1c.0000 (bia cc01.0e1c.0000)
Cool.  This means our ping from R1 to R3 was actually proxy-ARP'd by R2: when R1 broadcast an ARP request for 10.10.10.2 on the 192.168.0.0/24 segment, R2 answered with its own fa0/0 MAC because it has a route to that address through another interface (10.10.10.0/24 is directly connected on fa0/1). R1 then sent its frames to R2, and R2 ARP'd R3 and forwarded the packets itself. So if we disable proxy ARP on R2, the ping from R1 to R3 should be unsuccessful!  At this point I've cleared the ARP cache with #clear arp on each of the three devices so that we don't use any old ARP entries.
R2(config)#interface FastEthernet0/1
R2(config-if)#no ip proxy-arp

R2(config)#interface FastEthernet0/0
R2(config-if)#no ip proxy-arp
R2#ping 10.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.2 0 Incomplete ARPA
Internet 192.168.0.2 – cc00.0e1c.0000 ARPA FastEthernet0/0
Good.  The incomplete ARP entry indicates that we didn’t manage to receive a response from the destination of 10.10.10.2.  Because we removed proxy-arp we now need to add a default gateway on both R1 & R3 in order for this to work!
R3(config)#ip default-gateway 10.10.10.1
R1(config)#ip default-gateway 192.168.0.1

R1#ping 10.10.10.2

.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/32/40 ms
!
R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.1             0   cc01.0e1c.0000  ARPA   FastEthernet0/0
Internet  192.168.0.2             -   cc00.0e1c.0000  ARPA   FastEthernet0/0
Now we see the config as it should work without proxy ARP.  When we ping an address on another subnet, our host (R1) knows it needs to use its default gateway.  It sends a broadcast ARP to find the MAC of the gateway so that it can hand the frame to R2.  R2 looks up its routing table and sees that 10.10.10.0/24 is directly connected via fa0/1.  It then broadcast-ARPs for the MAC of 10.10.10.2 and forwards the frame to R3. Because of the route lookup, we are working at layer 3 on the router, and no device answers ARP on behalf of a host in another subnet. That is also why Cisco's hardening guidance recommends no ip proxy-arp on interfaces: with proxy ARP on, a host with no (or a wrong) gateway still reaches every subnet the router has a route to, which hides misconfigured hosts and makes the segment's reachability depend on the router's routing table rather than on the host's configuration.
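The decision R2 made in the lab above, and the decision a gateway-less IOS host makes when it ARPs, modelled in Python as an added example (this is not code from the original post, and the model covers only connected routes). The interface addresses and MACs are the lab's; the `Router` and `host_arp_target` logic are assumptions written for the illustration, following the rule that Cisco IOS replies on behalf of a target only when the target is reachable through an interface other than the one the request came in on and proxy ARP is enabled on that ingress interface.

```python
"""Proxy ARP and host ARP behaviour from the lab above, modelled in Python
(added example, not from the original post).  The router replies to an ARP
request with its OWN interface MAC when the target IP is reachable through a
different interface and proxy ARP is enabled on the ingress interface.
Interface addresses and MACs are the lab's; the code itself is an assumption."""
import ipaddress


class Router:
    def __init__(self):
        self.interfaces = {}      # name -> (ip_interface, mac, proxy_arp enabled)

    def add_interface(self, name, cidr, mac, proxy_arp=True):
        """proxy_arp=True is the IOS default; False models 'no ip proxy-arp'."""
        self.interfaces[name] = (ipaddress.ip_interface(cidr), mac, proxy_arp)

    def route_lookup(self, dst):
        """Longest-prefix match over the connected networks only."""
        best = None
        for name, (iface, _mac, _proxy) in self.interfaces.items():
            if dst in iface.network and (best is None or iface.network.prefixlen > best[1]):
                best = (name, iface.network.prefixlen)
        return best[0] if best else None

    def handle_arp_request(self, ingress, target_ip):
        """Return the MAC the router puts in its ARP reply, or None if it stays silent."""
        iface, mac, proxy = self.interfaces[ingress]
        target = ipaddress.ip_address(target_ip)
        if target == iface.ip:
            return mac                      # our own address: a normal ARP reply
        if target in iface.network:
            return None                     # a host on this segment answers for itself
        if not proxy:
            return None                     # 'no ip proxy-arp': the request goes unanswered
        egress = self.route_lookup(target)
        return mac if egress and egress != ingress else None


def host_arp_target(host_cidr, gateway, dst):
    """Which IP an IOS 'no ip routing' host ARPs for when sending to dst."""
    host = ipaddress.ip_interface(host_cidr)
    dst = ipaddress.ip_address(dst)
    if dst in host.network or gateway is None:
        return str(dst)       # on-link, or no gateway at all: ARP for the destination itself
    return gateway            # off-link with a gateway: ARP for the gateway


def router_answers(router, host_cidr, host_ingress, gateway, dst):
    """True if the router answers the host's first-hop ARP (the R1 -> R3 cases above)."""
    target = host_arp_target(host_cidr, gateway, dst)
    return router.handle_arp_request(host_ingress, target) is not None


if __name__ == "__main__":
    r2 = Router()
    r2.add_interface("fa0/0", "192.168.0.1/24", "cc01.0e1c.0000")
    r2.add_interface("fa0/1", "10.10.10.1/24", "cc01.0e1c.0001")
    print("proxy on, no gateway :", router_answers(r2, "192.168.0.2/24", "fa0/0", None, "10.10.10.2"))
    r2.add_interface("fa0/0", "192.168.0.1/24", "cc01.0e1c.0000", proxy_arp=False)
    print("proxy off, no gateway:", router_answers(r2, "192.168.0.2/24", "fa0/0", None, "10.10.10.2"))
    print("proxy off, gateway   :", router_answers(r2, "192.168.0.2/24", "fa0/0", "192.168.0.1", "10.10.10.2"))
```

The three printed cases reproduce the three ping results in the lab: with proxy ARP on, R1's ARP for 10.10.10.2 gets R2's fa0/0 MAC; with it off the ARP entry stays incomplete; with a default gateway configured the host ARPs for 192.168.0.1 instead, which the router answers as its own address whatever the proxy setting.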

Native VLAN

Native VLAN

The native VLAN has two main functions:
  1. Untagged frames received on a trunk link are placed in the native VLAN (the switch treats them as if they carried the native VLAN's tag).
  2. Frames belonging to the VLAN that is configured as the native VLAN are sent out of the trunk untagged.
Let me elaborate on this a little bit with aid of the diagram shown below.
Native VLAN
A normal design would use the same native VLAN on both sides of the trunk, but to understand the native VLAN properly I've designed it this way instead.  Going back to the bullet points above (specifically bullet point 2): when the switchport connecting to Host A is configured with the same access VLAN (VLAN 50) that is used as the native VLAN on the trunk, the data sent from Host A leaves Switch 1 towards Switch 2 untagged.  That brings us to bullet point 1: Switch 2 now receives an untagged frame (a frame without a VLAN tag on it) and will always place such a frame in the native VLAN configured on its trunk, in this case VLAN 60. So this actually leaks VLAN 50 into VLAN 60's broadcast domain.

I’ll now configure this to demonstrate that it actually works. Below is the current configuration (notice I’ve not configured the native VLAN yet).

s1#
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/20
 switchport access vlan 50

s2#
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/20
 switchport access vlan 60

Now to configure the native vlan.
s2(config)#int fa0/23
s2(config-if)#switchport trunk native vlan 60
####### now i quickly switched over to switch1 ########

s1(config)#int fa0/23
s1(config-if)#switchport trunk native vlan 50
s1(config-if)#
*Mar  1 00:53:14.851: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 60 on FastEthernet0/23 VLAN50.
*Mar  1 00:53:14.851: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/23 on VLAN0050. Inconsistent local vlan.
s1(config)#
*Mar  1 00:53:44.119: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/23 (50), with s2 FastEthernet0/23 (60).
s1(config-if)#end
So what's happened here is that spanning-tree is not happy about the native VLAN mismatch we've just configured and has put the port into the inconsistent state, as shown below.
s1#sh span int fa0/23

Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Desg FWD 19        128.25   P2p 
VLAN0050            Desg BKN*19        128.25   P2p *PVID_Inc
What this means is that the port is in the blocking state, which in spanning-tree means BPDUs can still be sent/received but MAC addresses are not learned (i.e. the data plane does not work). So by default a native VLAN mismatch causes spanning-tree to block the port. If we disable spanning-tree for VLANs 50 and 60, we should find that the port becomes usable in the data plane and allows host A (192.168.1.1) to ping host B (192.168.4.1) even though they are on different subnets/broadcast domains and don't have a gateway configured.
S1(config)#no spanning-tree vlan 50
S2(config)#no spanning-tree vlan 60
Now to send some pings from host A to Host B.
HostA#ping 192.168.4.1               

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
So now the data plane is working, and we are learning MAC addresses on VLAN 50.  Notice that Host B appears as being in VLAN 50 on Switch 1, even though on Switch 2 I put it in access VLAN 60.  This is because Switch 1 placed the untagged frame arriving on its trunk port in its native VLAN (VLAN 50). This is the same mechanism that VLAN-hopping attacks abuse: any frame that crosses a trunk untagged is silently re-homed into whatever the receiving side's native VLAN happens to be, which is why hardening guides keep the native VLAN on an unused VLAN that no access port belongs to.
s1#sh mac address-table int fa0/23
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0023.0443.0c99    DYNAMIC     Fa0/23
  50    0016.4661.a4c1    DYNAMIC     Fa0/23 (this is Host B)
  50    0023.0443.0c99    DYNAMIC     Fa0/23 (This is Switch 2)
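The two native-VLAN rules from the top of the post, and the leak they produce when the trunk ends disagree, as an added example in Python (this is not code from the original post). A frame is a dict with an optional VLAN tag; each switch applies rule 2 on trunk egress and rule 1 on trunk ingress. The `tag_native` flag is an assumption added for contrast: it models Cisco's global `vlan dot1q tag native` command, with which native-VLAN frames leave the trunk tagged and untagged frames arriving on the trunk are dropped.

```python
"""Native-VLAN handling on an 802.1Q trunk, modelled after the two rules
above (added example, not from the original post).  A frame is a dict with
an optional 'vlan' tag; each switch applies rule 2 on egress and rule 1 on
ingress.  The tag_native flag models the 'vlan dot1q tag native' global
command, an assumption added here for contrast with the default behaviour."""


class Switch:
    def __init__(self, name, native_vlan, tag_native=False):
        self.name = name
        self.native_vlan = native_vlan
        self.tag_native = tag_native
        self.mac_table = {}       # (vlan, mac) -> port, like 'show mac address-table'

    def trunk_egress(self, vlan, payload):
        """Rule 2: a frame in the native VLAN leaves the trunk untagged
        (unless native tagging is forced)."""
        if vlan == self.native_vlan and not self.tag_native:
            return {"vlan": None, "payload": payload}
        return {"vlan": vlan, "payload": payload}

    def trunk_ingress(self, frame, port, src_mac):
        """Rule 1: an untagged frame arriving on the trunk is placed in the
        native VLAN; with native tagging enforced, untagged frames are dropped.
        Returns the VLAN the frame was plac ed in, or None if dropped."""
        vlan = frame["vlan"]
        if vlan is None:
            if self.tag_native:
                return None
            vlan = self.native_vlan
        self.mac_table[(vlan, src_mac)] = port      # learn the source, as s1 did for Host B
        return vlan


def send_over_trunk(sw_from, sw_to, access_vlan, src_mac, payload="ARP who-has"):
    """A host in access_vlan on sw_from sends a frame across the trunk to sw_to.
    Returns the VLAN the frame ends up in on sw_to, or None if it is dropped."""
    frame = sw_from.trunk_egress(access_vlan, payload)
    return sw_to.trunk_ingress(frame, "Fa0/23", src_mac)


if __name__ == "__main__":
    s1, s2 = Switch("s1", native_vlan=50), Switch("s2", native_vlan=60)
    print("Host A (VLAN 50 on s1) lands in VLAN", send_over_trunk(s1, s2, 50, "0016.4661.a4c0"), "on s2")
    print("Host B (VLAN 60 on s2) lands in VLAN", send_over_trunk(s2, s1, 60, "0016.4661.a4c1"), "on s1")
    print("s1 MAC table:", s1.mac_table)
    t1, t2 = Switch("s1", 50, tag_native=True), Switch("s2", 60, tag_native=True)
    print("with native tagging, Host A lands in VLAN", send_over_trunk(t1, t2, 50, "0016.4661.a4c0"), "on s2")
```

With the lab's mismatch, Host B's MAC is learned on s1 in VLAN 50, which is exactly the `show mac address-table` output above. With matching native VLANs the frame stays where it started, and with native tagging enforced the mismatch no longer merges the two broadcast domains, because nothing crosses the trunk untagged any more.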
 
 
Other Discussion 
“allow host A (192.168.1.1) to ping host B (192.168.4.1) even though they are on different subnets/broadcast domains and don’t have a gateway configured.”
How is it possible? For me, 2 hosts in 2 subnets can’t speak without a router.
 
You are right in the fact that when you send a ping to another subnet, the device ARPs for its gateway, and the gateway does the rest. If this wasn’t the case, then you’d have an ARP entry for every device on the internet :). However!!!! If you do not configure a default gateway on the host machine, and you send a ping to an IP in a different subnet, an ARP is still sent to the destination MAC of FFFF.FFFF.FFFF, but you are ARPing for the original destination IP (as opposed to the gateway). Now, since layer 2 broadcast domains are controlled by VLANs, this ARP is allowed to go from Host A in VLAN 50 and over the trunk. Now because the Native VLAN is also 50 on Sw1, the packet loses its VLAN tag, and it gets tagged with VLAN 60 as it arrives on Switch2 (Sw2’s native VLAN), and therefore allows the ARP to flood the VLAN 60 domain, which encompasses Host B.
As an update to this, I tested this using two methods. I tried using a switch with #no ip routing configured for both Host A and Host B, and it worked. However, on a Windows machine, you just get a “PING: transmit failed. General failure” message. So it looks like Windows prevents you from sending ARPs like this if you don’t have your gateway configured. I bet in Linux it would let you do this, though I haven’t tested it on my Raspberry Pi.

So you mean to say that if we configure the gateway on a Windows PC, it should be able to communicate with another PC in a different VLAN. But to my understanding the gateway is the IP address of the router or any layer 3 device, in which case it should work. But as far as layer 2 is concerned there is no concept of gateway configuration, and the communication between two devices on two different VLANs configured on separate switches will not work. Disabling Spanning Tree Protocol means you are broadcasting the two domains (or VLANs), in which case the communication should work regardless of the VLAN tags.
 
Page Courtesy : http://ccieblog.co.uk/spanning-tree/native-vlan 

Wednesday, February 4, 2015

WiFi 802.1x EAP-TLS Setup

Setting Up SSL Certificates and Keys for EAP-TLS

This section demonstrates how to set up SSL certificate and key files for use by AAA servers and WiFi clients. The first example shows a simplified procedure such as you might use from the command line. The second example describes how to set up the SSL files on Windows.
Important
Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL. A typical error in this case is:
ERROR 2026 (HY000): SSL connection error:
error:00000001:lib(0):func(0):reason(1)

Example 1: Creating SSL Files from the Command Line on Unix
The following example shows a set of commands to create AAA server and client certificate and key files. You will need to respond to several prompts by the openssl commands. To generate test files, you can press Enter to all prompts. To generate files for production use, you should provide nonempty responses.
# Create clean environment
shell> rm -rf newcerts
shell> mkdir newcerts && cd newcerts

# Create CA certificate (self-signed; its Common Name must differ from the
# server and client Common Names, see the Important note above)
shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 3600 \
         -key ca-key.pem -out ca-cert.pem

# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
# (-nodes already leaves the key unencrypted; the openssl rsa step only
# matters if a passphrase was set on the key)
shell> openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout server-key.pem -out server-req.pem
shell> openssl rsa -in server-key.pem -out server-key.pem
shell> openssl x509 -req -in server-req.pem -days 3600 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Create client certificate, remove passphrase, and sign it
# client-cert.pem = public key, client-key.pem = private key
# Use a different serial (02) from the server certificate: two certificates
# issued by the same CA must not share a serial number
shell> openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout client-key.pem -out client-req.pem
shell> openssl rsa -in client-key.pem -out client-key.pem
shell> openssl x509 -req -in client-req.pem -days 3600 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
After generating the certificates, verify them:
shell> openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK 
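The following is an added example, not code from the original page or from the MySQL manual it quotes: it rebuilds the Example 1 file set non-interactively (using -subj instead of answering prompts), gives the server and client distinct serial numbers, and then checks the rule from the Important note above, that neither the server nor the client Common Name may equal the CA Common Name. It assumes the openssl CLI is on PATH; the directory and Common Name values are constructed sample values.

```shell
# Added example, not from the original page or the MySQL manual it quotes.
# Assumes the openssl CLI is on PATH; all CNs are constructed sample values.
set -eu

# Print the subject CN of a PEM certificate, e.g. "eap-ca".
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# make_eap_tls_files DIR CA_CN SERVER_CN CLIENT_CN
# Writes ca-*, server-* and client-* PEM files into DIR. Serial 01 goes to
# the server and 02 to the client, so the CA never issues two certificates
# that share a serial number.
make_eap_tls_files() {
    dir=$1 ca_cn=$2 srv_cn=$3 cli_cn=$4
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3600 -subj "/CN=$ca_cn" \
        -key "$dir/ca-key.pem" -out "$dir/ca-cert.pem"
    serial=1
    for side in server client; do
        if [ "$side" = server ]; then cn=$srv_cn; else cn=$cli_cn; fi
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$dir/$side-key.pem" -out "$dir/$side-req.pem" 2>/dev/null
        openssl x509 -req -in "$dir/$side-req.pem" -days 3600 \
            -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
            -set_serial "$serial" -out "$dir/$side-cert.pem" 2>/dev/null
        serial=$((serial + 1))
    done
}

# check_eap_tls_files DIR
# Returns 0 only if both leaf certificates verify against ca-cert.pem and
# neither reuses the CA's Common Name; reports each problem on stderr.
check_eap_tls_files() {
    dir=$1 rc=0
    ca_cn=$(cert_cn "$dir/ca-cert.pem")
    for leaf in server client; do
        if [ "$(cert_cn "$dir/$leaf-cert.pem")" = "$ca_cn" ]; then
            echo "$leaf-cert.pem: CN '$ca_cn' is the same as the CA CN" >&2
            rc=1
        fi
        openssl verify -CAfile "$dir/ca-cert.pem" "$dir/$leaf-cert.pem" \
            >/dev/null 2>&1 || { echo "$leaf-cert.pem: chain check failed" >&2; rc=1; }
    done
    return "$rc"
}
```

Run `make_eap_tls_files /tmp/newcerts eap-ca eap-server eap-client && check_eap_tls_files /tmp/newcerts` to produce and validate a set; a CA and leaf that share a CN make the check fail.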
 
Example 2: Creating SSL Files on Windows
Download OpenSSL for Windows if it is not installed on your system. An overview of available packages can be seen here:
http://www.slproweb.com/products/Win32OpenSSL.html Choose the Win32 OpenSSL Light or Win64 OpenSSL Light package, depending on your architecture (32-bit or 64-bit). The default installation location will be C:\OpenSSL-Win32 or C:\OpenSSL-Win64, depending on which package you downloaded. The following instructions assume a default location of C:\OpenSSL-Win32. Modify this as necessary if you are using the 64-bit package.
If a message occurs during setup indicating '...critical component is missing: Microsoft Visual C++ 2008 Redistributables', cancel the setup and download one of the following packages as well, again depending on your architecture (32-bit or 64-bit):
After installing the additional package, restart the OpenSSL setup procedure.
During installation, leave the default C:\OpenSSL-Win32 as the install path, and also leave the default option 'Copy OpenSSL DLL files to the Windows system directory' selected.
When the installation has finished, add C:\OpenSSL-Win32\bin to the Windows System Path variable of your server:
  1. On the Windows desktop, right-click the My Computer icon, and select Properties.
  2. Select the Advanced tab from the System Properties menu that appears, and click the Environment Variables button.
  3. Under System Variables, select Path, then click the Edit button. The Edit System Variable dialogue should appear.
  4. Add ';C:\OpenSSL-Win32\bin' to the end (notice the semicolon).
  5. Press OK 3 times.
  6. Check that OpenSSL was correctly integrated into the Path variable by opening a new command console (Start>Run>cmd.exe) and verifying that OpenSSL is available:
    Microsoft Windows [Version ...]
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.
    
    C:\Windows\system32>cd \
    
    C:\>openssl
    OpenSSL> exit <<< If you see the OpenSSL prompt, installation was successful.
    
    C:\>
    
Depending on your version of Windows, the preceding path-setting instructions might differ slightly.
After OpenSSL has been installed, use instructions similar to those from Example 1 (shown earlier in this section), with the following changes:
  • Change the following Unix commands:
    # Create clean environment
    shell> rm -rf newcerts
    shell> mkdir newcerts && cd newcerts
    
    On Windows, use these commands instead:
    # Create clean environment
    shell> md c:\newcerts
    shell> cd c:\newcerts
     
      
The above content is taken from http://dev.mysql.com/doc/refman/5.0/en/creating-ssl-certs.html.
 

Thursday, January 23, 2014

Assam Arunachal diary

Although I have blogged before, I am trying to write in Tamil on this new site, having decided that I should write in Tamil. It is also a fresh start because I did not like the name of the old site. What to write about? The one art I have mastered is travel. So I will write about travels. Thulasidalam is also an inspiration.


A first attempt, about travels to Assam and Arunachal Pradesh. Assam, for as long as I can remember, is the state that comes first in alphabetical order among the Indian states. That was all I knew of it. For some years I had also been curious to see what the Kamakhya temple is like. The place where Sati's yoni fell. An important one among the Shakti Peethas.

Flew from Bengaluru on IndiGo. As on other trips, having hurriedly packed clothes and other things at the last minute, I fell asleep as soon as I boarded the flight. And that day there was a bandh in Guwahati. To be continued.....