MN-FNS Series Technical Applications Guide - v3
MN-FNS Series Technical Applications Guide - v3
FCC compliance Class A: This equipment has been tested and found to comply with the limits for a
Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide
reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio frequency energy and, if not
installed and used in accordance with the instruction manual, may cause harmful interference to radio
communications. Operation of this equipment in a residential area is likely to cause harmful interference
in which case the user will be required to correct the interference at his own expense.
ACMA compliance Notice. This is a Class A product. In a domestic environment this product may cause
radio interference in which case the user may be required to take adequate measures.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE
OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. EDWARDS, CISCO AND THE
ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING,
WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE
PRACTICE.
IN NO EVENT SHALL EDWARDS, CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT,
SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION,
LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE
THIS MANUAL, EVEN IF EDWARDS, CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
Background
The Edwards FireWorks® and Emergency Communication Systems/Mass Notification
Systems/Life Safety Systems (ECS/MNS/LSS) all use static IP addressing. This means that
each and every IP device on the Edwards networks must be properly configured to function on
the network or they will not function correctly or at all.
This document is intended to be used by technicians/engineers certified by the Edwards
Learning Center (ELC) on the MN-FNS Series Industrial Ethernet switches and accessories.
These procedures require knowledge of the MN-FNS switches, their components, software,
options, and configuration. Expertise with Microsoft® Windows® 7 or higher operating systems
and computer operations is essential.
• All the released MN-FNS Series Ethernet Switches connect to each other by way of two
optical fiber filaments
• Optical Fiber can be multimode or single mode
o FireWorks® workstations
• Edge devices connect to MN-FNS switches with Cat 5, Cat5e and/or Cat6 cable
(“Ethernet” cable). Usually unshielded, twisted pairs (UTP)
• TFTPd32 and TFTPd64 TFTP, and DHCP Server software version 4.5 by Philippe
Jounin.
o Service Pack 1
Some companies “lock out” USB ports. The MN-FNS Series Ethernet
Switches are seen as a “USB drive” by Windows computer systems.
o 4 GB system RAM
• USB cable (USB A male to USB Mini-b (5-pin) male), at least 6’ long
o In lieu of the USB, you can also use a Cisco 72-3383-01 RJ45 RS232 to DB9
cable and a USB-to-DB9 serial adapter cable
• Small-blade (e.g. “watchmaker”) screwdrivers (for wire connections and switch terminal
removal)
• Anti-static tools
• LAN Base – Robust, full Layer 2 IOS. Supports QoS, port security and static routing
features. Standard on all MN-FNS Series Ethernet Switches.
Numbers
• Maximum switches in a CNA community (Version 6.0): 80
4. When stand-along, single network, cabinet switches will use LAN-base. Rack switches
will use LAN-base
5. When using multiple networks or customer LAN, cabinet switches will use LAN-base.
Rack switches will use Layer 3 and may function as routers.
5. REP configuration
6. Legacy MN-NETSW1 cannot be used in master ring, but can be used in Class B
taps. See Application 7 for connection information
5. REP configuration
2. Layer 3 Lite (LAN Base) class operation and full Layer 3 class operation
3. Encryption required
2. ST to LC multimode fiber patch cables and barrel connectors must be used. Check
on dB loss.
For initial switch configuration, if done prior to installation, the loading of the Configuration Text
file is the most efficient. Once switches are up and running, CNA is usually the best method
for servicing the switches.
o Physical security
o Network/Data security
o Routing
o Class A loop-backs
o Lengths
o Fiber types
o Fiber connectors
o Locations
o Accessibility
o Types
o Quantities
o Use/application
o Power requirement
o Accessibility
o Types
o Quantities
o Use/application
o Power requirement
o Mounting requirements
o Accessibility
• Layout of network
o REP segments
Edge Primary
Edge
Transit
o VLAN requirements
2) By logging into the switch itself and making changes directly until the technician
becomes very comfortable with the use of CLI and CNA, it is recommended that the text
file method be used as this provides an easy visual check of operating parameters of
the switch.
When you are working with CNA and writing to the switch, the CNA program actually converts
what you have entered and loads it into the switch in CLI format.
There are hundreds of possible CLI commands. With the MN-FNS Series Ethernet Switches,
only a few are actually used.
The default Edwards MN-FNS Series Ethernet Switch configuration files set up certain
defaults:
• Trunkport VLAN is 1
o 1
The ! in the file indicates that the switch is to ignore that line or command. This is helpful for
inserting comments or for commenting out a command. Please note that if you comment out a
command – the switch ignores that line and generally does not post a fault.
The following is a breakdown of sections that can be manipulated for the MN-FNS Series
Ethernet Switches. If the item in the example above does not have a CHANGE above it or is
not in this list, to NOT alter it.
1. hostname MySwitchNameGoesHere
a. This is the switch name that posts in CNA and when the switch is accessed.
After the command “hostname” is the switch name. It must start with a letter, end
with a letter or digit and have interior characters of only letters, digits and/or
hyphens WITHOUT spaces (spaces are not allowed). Maximum of 63 characters
2. power-supply dual
a. If the switch will have dual power supplies or risers, uncomment this line (remove
! at beginning of line)
a. If switch is being installed in a location where time does not shift, place a ! at the
beginning of this line
5. rep segment 3
a. If port is part of a REP segment, remove comment from beginning of line and put
in appropriate REP segment NUMBER
6. interface Vlan1
ip address 10.0.0.12 255.255.0.0
a. Change this IPv4 address and subnet to match what your application and design
requires
• config t
• config interface
• copy ru st
Show:
• show ip int br
• show run
2. Using CNA
Must have BOTH cables connected to work with Console & TFTP
1. Load CONFIGURATION file (in examples here, file is called 152CAB8BClass.txt) into a
known directory. In the examples below, the folder is on the E drive, CSFI directory.
a. Note – the screen captures in this example are of the 64 bit version of the TFTP
server – the 32 bit version also works for this application.
10. Once the session opens, click enter. The switch will prompt with a password prompt.
16. When you hit return, the system will prompt with asking you if you want to call the
destination file run, press enter
18. Once the switch has copied the file over, it will return to the EXEC (#) prompt.
23. Click enter and the switch will display the EXEC prompt again
24. Note that the name of the switch in this example has changed from 4PortNoTape to
MySwitchNameGoesHere
a. Note – the screen captures in this example are of the 64 bit version of the TFTP
server – the 32 bit version also works for this application.
10. Click OK
11. The switch will prompt with a credentials screen – use edwards as the username and
sdrawde as the password
12. Click OK
21. If the file already exists, the switch will prompt with confirmation about overwriting the
file. Press enter.
22. The switch will now copy the file and indicate that it has completed the copy command
by returning to the EXEC prompt.
25. The system will ask to confirm the file name. Click Enter.
31. You can use the wr command to verify that the NVRAM was written to.
This procedure can only be used on the MN-FNS4C2F3 and MN-FNS8C2F3 switch. Do
not use this procedure on the MN-FNS8C18F2 switch.
1. Copy the CONFIGURATION file onto 1GB SD Flash card.
3. Console-connect into the switch using the USB or RJ45 (RS232) connection.
5. Password is edwards
6. Type enable
7. Password is sdrawde
15. The switch will ask for confirmation of the file name. Click Enter.
19. The system will prompt with a file name conformation. Press Enter.
21. The switch will show that the command is being saved. Press Enter.
22. The switch will show the command has been completed and return to the prompt.
25. The switch will prompt for a file name confirmation. Press Enter.
27. You can use the wr to verify that the switch has written the file set to NVRAM.
The following example shows the CLI commands to configure an MN-FNS Series
Ethernet switch trunk interfaces for ECS/MNS/LSS Class X Fire using REP.
Notes:
• Configure all Transit ports before configuring the Edge switch ports in a REP segment.
• CLI commands are shown with authorized operator logged into the switch being
programmed with EXEC privilege.
2. Using CNA
7. Refer to the list (below) of commands for configuring the REP segments for the
MN-FNS8C18F2
To verify REP topology information for the configured REP Segment, execute the command
shown below from a Telnet command window on any switch in the REP Segment. The
following example shows a REP configuration with each switch uniquely named. This is
convenient for identification purposes.
Check to see that all switches in the ring are present, that there is a Primary and a Secondary
Edge, and that all Roles are Open except for one Alternate, as seen below. The Alternate may
move to another switch if the ring is broken and reconnected. This is normal behavior.
ClassroomC_Switch#show rep topology
REP Segment 1
BridgeName PortName Edge Role
---------------- ---------- ---- ----
ClassroomC_3010 Gi0/1 Pri Open
Lab6_Sw1_BOT Gi1/2 Open
Lab6_Sw1_BOT Gi1/1 Open
Lab4_SW1_BOT Gi1/2 Open
Lab4_SW1_BOT Gi1/1 Open
Lab2_Sw1_BOT Gi1/2 Open
Lab2_Sw1_BOT Gi1/1 Open
Lab1_Sw1_BOT Gi1/1 Open
Lab1_Sw1_BOT Gi1/2 Open
Lab3_Sw1_BOT Gi1/2 Open
Lab3_Sw1_BOT Gi1/1 Open
Lab5_Sw1_BOT Gi1/2 Open
Lab5_Sw1_BOT Gi1/1 Open
ClassroomC_3010 Gi0/2 Sec Alt
Note: The MN-FNS Series Ethernet switches configurations do not support multiple IOS
version loads or multiple running-config files. Use only Edwards-released IOS versions and
only one version in the switch and one running-config file.
7. Switch will start loading IOS. This will take a few minutes (usually at least 5, depending
on the computer used and the switch model)
8. Do not interrupt the loading process or use the computer to do anything else until the
system is done extracting the file set. The switch will return to the EXEC prompt once
the extraction has been completed.
9. Load the CONFIGURATION file
10. Test the switch
1. Connect the RJ-45-to-DB-9 adapter cable to the 9-pin serial port on the PC. If PC does
not have 9-pin serial port, use a USB-to-DB9 serial adapter cable. Connect the other
end of the cable to the MN-FNS switch console port.
3. Configure the baud rate and character format of the PC or terminal to match the console
port characteristics:
• 9600 baud
• 8 data bits
• 1 stop bit
• No parity
• None (flow control)
3. This procedure requires a computer reboot – make sure you know the computer
passwords.
22. After the computer reboots, connect the USB cable from the computer to a powered
MN-FNS Series Ethernet switch.
23. The system will install the device driver. This may take a few minutes.
a. Clicking on Start
31. Port is now read to use with HyperTerminal or other terminal emulation software to
access the switch.
32. Note – if you unplug the USB cable from your computer and plug it in a different USB
port in the future, the system may reassign a different COM port to the Cisco Serial
Port.
1. Connect the USB cable to the PC and then the Mini-USB connector to the switch. See
figure below:
b. Click the Hardware tab and choose Device Manager. Expand the Ports section.
The assigned COM port appears in parenthesis at the end of the line with this
entry: Cisco USB System Management Console.
• 9600 baud
• 8 data bits
• 1 stop bit
• No parity
Always examine the cable for marginal damage or failure. A cable might be just good enough
to connect at the physical layer, but it could corrupt packets as a result of subtle damage to
the wiring or connectors. You can identify this problem because the port has many packet
errors or it constantly flaps (loses and regains link).
• Rule out any bad patch panel connections or media convertors between the source
and the destination. If possible, bypass the patch panel, or eliminate media convertors
• (fiber-optic-to-copper).
• Try the cable in another port to see if the problem follows the cable.
• Use either Category 5, Category 5e, or Category 6 UTP for 10/100 Mb/s
connections.
• Verify that you have the correct fiber-optic cable for the distance and port type.
Make sure that the connected device ports match and use the same type encoding,
optical frequency, and fiber type.
Verify that both sides have a link. A broken wire or a shutdown port can cause one side to
show a link even though the other side does not have a link.
A port LED that is on does not guarantee that the cable is functional. It might have encountered
physical stress, causing it to function at a marginal level. If the port LED does not turn on:
• Make sure that both ends of the cable are connected to the correct ports.
• Look for loose connections. Sometimes a cable appears to be seated but is not.
Disconnect the cable, and then reconnect it.
• Verify the status of all ports. See MN-FNS Switch LED section of this document for
descriptions of the LEDs and their meanings.
• Use the show interfaces privileged EXEC command to see if the port is error-
disabled, disabled, or shut down. Re-enable the port, if necessary.
SFP Module
Use only Edwards MN-FSN Series SFP modules. Each module has an internal serial
EEPROM that is encoded with security information. This encoding verifies that the module
meets the requirements for the switch.
• Inspect the SFP module. Exchange the suspect module with a known good module.
• Verify that the module is supported on this platform. (The switch release notes on
Cisco.com list the SFP modules that the switch supports.)
• Make sure that all fiber-optic connections are clean and securely connected.
Interface Settings
Verify that the interface is not disabled or powered off. If an interface is manually shut down
on either side of the link, it does not come up until you re-enable the interface. Use the show
interfaces privileged EXEC command to see if the interface is error-disabled, disabled, or shut
down on either side of the connection. If needed, re-enable the interface.
A unidirectional link can cause loops. It occurs when the traffic sent by the switch is
received by the neighbor, but the traffic from the neighbor is not received by the switch. A
broken cable, other cabling problems, or a port issue can cause this one-way
communication.
You can enable UniDirectional Link Detection (UDLD) on the switch to help identify
unidirectional link problems. For information about enabling UDLD on the switch, see the
“Understanding UDLD” section in the switch software configuration guide on Cisco.com.
Port statistics that show a large amount of alignment errors, frame check sequence (FCS), or
late-collisions errors, might mean a speed or duplex mismatch.
A common issue occurs when duplex and speed settings are mismatched between two
switches, between a switch and a router, or between the switch and a workstation or server.
Mismatches can happen when manually setting the speed and duplex or from
autonegotiation issues between the two devices.
To maximize switch performance and to ensure a link, follow one of these guidelines when
changing the duplex or the speed settings.
• Manually set the speed and duplex parameters for the interfaces on both ends of
the connection.
• If a remote device does not autonegotiate, use the same duplex settings on the two
ports. The speed parameter adjusts itself even if the connected port does not
autonegotiate.
Problems sometimes occur between the switch and third-party network interface cards (NICs).
By default, the switch ports and interfaces autonegotiate. Laptops or other devices are
commonly set to autonegotiate, yet sometimes issues occur.
To troubleshoot autonegotiation problems, try manually setting both sides of the connection.
If this does not solve the problem, there could be a problem with the firmware or software on
the NIC. You can resolve this by upgrading the NIC driver to the latest version.
Cabling Distance
If the port statistics show excessive FCS, late-collision, or alignment errors, verify that the cable
distance from the switch to the connected device meets the recommended guidelines.
These are reasons why you might want to reset the switch to the Cisco factory default
settings:
• You installed the switch in your network and cannot connect to it because you
assigned the wrong IP address.
7 = Relay Common
To connect the MN-FNS8C18F2 alarm port, use an RJ31X cable assembly, such as the
StarTell p/n 91678 (available on the Internet) of Silent Knight SK-7860 cord (available at ADI
and other security wholesalers) and connect that to an MN-TK10 terminal block or the monitor
module.
The is the pin-out of the serial MN-FNS Series Ethernet switch console cable
RJ45 DB9
RTS 1 8 CTS
DTR 2 6 DSR
TXD 3 2 RXD
GND 4 5 GND
GND 5 5 GND
RXD 6 3 TXD
DSR 7 4 DTR
CTS 8 7 RTS
Switch Location:
witch Name:
GBT1 Name:
BT2 Name:
REP Segment:
Switch Type:
Notes:
AAA Authentication, authorization, and accounting. See also TACACS+ and RADIUS.
ABR Area Border Router. In OSPF, a router with interfaces in multiple areas.
ACE Access Control Entry. Information entered into the configuration that lets you specify what
type of traffic to permit or deny on an interface. By default, traffic that is not explicitly
permitted is denied.
Access Modes The security appliance CLI uses several command modes. The commands available in each
mode vary. See also user EXEC mode, privileged EXEC mode, global configuration
mode, command-specific configuration mode.
ACL Access Control List. A collection of ACEs. An ACL lets you specify what type of traffic to
allow on an interface. By default, traffic that is not explicitly permitted is denied. ACLs are
usually applied to the interface which is the source of inbound traffic. See
also rule, outbound ACL.
ActiveX A set of object-oriented programming technologies and tools used to create mobile or
portable programs. An ActiveX program is roughly equivalent to a Java applet.
address The translation of a network address and/or port to another network address/or port. See
translation also IP address, interface PAT, NAT, PAT, Static PAT, xlate.
AES Advanced Encryption Standard. A symmetric block cipher that can encrypt and decrypt
information. The AES algorithm is capable of using cryptographic keys of 128, 192 and 256
bits to encrypt and decrypt data in blocks of 128 bits. See also DES.
AH Authentication Header. An IP protocol (type 51) that can ensure data integrity,
authentication, and replay detection. AH is embedded in the data to be protected (a full IP
datagram, for example). AH can be used either by itself or with ESP. This is an
older IPSec protocol that is less important in most networks than ESP. AH provides
authentication services but does not provide encryption services. It is provided to ensure
compatibility with IPSec peers that do not support ESP, which provides
both authentication and encryption. See also encryption andVPN. Refer to the RFC 2402.
A record "A" stands for address, and refers to name-to-address mapped records in DNS.
address
APCF Application Profile Customization Framework. Lets the security appliance handle non-
standard applications so that they render correctly over a WebVPN connection.
ARP Address Resolution Protocol. A low-level TCP/IP protocol that maps a hardware address, or
MAC address, to an IP address. An example hardware address is 00:00:a6:00:01:ba. The
ASA Adaptive Security Algorithm. Used by the security appliance to perform inspections. ASA
allows one-way (inside to outside) connections without an explicit configuration for each
internal system and application. See also inspection engine.
ASDM Adaptive Security Device Manager. An application for managing and configuring a single
security appliance.
asymmetric Also called public key systems, asymmetric encryption allows anyone to obtain access to the
encryption public key of anyone else. Once the public key is accessed, one can send an encrypted
message to that person using the public key. See also encryption, public key.
authentication Cryptographic protocols and services that verify the identity of users and the integrity of data.
One of the functions of the IPSec framework. Authentication establishes the integrity of
datastream and ensures that it is not tampered with in transit. It also provides confirmation
about the origin of the datastream. See also AAA, encryption, and VPN.
Auto Applet Automatically downloads the WebVPN port-forwarding applet when the user first logs in to
Download WebVPN.
auto-signon This command provides a single sign-on method for WebVPN users. It passes the WebVPN
login credentials (username and password) to internal servers for authentication using NTLM
authentication, basic authentication, or both.
Backup IPSec backup servers let a VPN client connect to the central site when the primary security
Server appliance is unavailable.
BGP Border Gateway Protocol. BGP performs interdomain routing in TCP/IP networks. BGP is an
Exterior Gateway Protocol, which means that it performs routing between multiple autonomous
systems or domains and exchanges routing and access information with other BGP systems. The
security appliance does not support BGP. See also EGP.
BLT Bandwidth Limited Traffic stream. Stream or flow of packets whose bandwidth is constrained.
stream
BOOTP Bootstrap Protocol. Lets diskless workstations boot over the network as is described in RFC 951 and
RFC 1542.
BPDU Bridge Protocol Data Unit. Spanning-Tree Protocol hello packet that is sent out at configurable
intervals to exchange information among bridges in the network. Protocol data unit is the OSI term
for packet.
CBC Cipher Block Chaining. A cryptographic technique that increases the encryption
strength of an algorithm. CBC requires an initialization vector (IV) to start
encryption. The IV is explicitly given in the IPSec packet.
certificate A signed cryptographic object that contains the identity of a user or device and
the public key of the CA that issued the certificate. Certificates have an expiration
date and may also be placed on a CRL if known to be compromised. Certificates
also establish non-repudiation for IKE negotiation, which means that you can
prove to a third party that IKE negotiation was completed with a specific peer.
CLI command line interface. The primary interface for entering configuration and
monitoring commands to the security appliance.
Client update Lets you update revisions of clients to which the update applies; provide a URL
or IP address from which to get the update; and, in the case of Windows clients,
optionally notify users that they should update their VPN client version.
Compression The process of encoding information using fewer bits or other information-
bearing units than an unencoded representation would use. Compression can
reduce the size of transferring packets and increase communication
performance.
Content Interprets and modifies applications so that they render correctly over a WebVPN
Rewriting/Transformation connection.
CRL Certificate Revocation List. A digitally signed message that lists all of the current
but revoked certificates listed by a given CA. This is analogous to a book of
stolen charge card numbers that allow stores to reject bad credit cards. When
certificates are revoked, they are added to a CRL. When you implement
authentication using certificates, you can choose to use CRLs or not. Using
CRLs lets you easily revoke certificates before they expire, but the CRL is
generally only maintained by the CA or an RA. If you are using CRLs and the
connection to the CA or RA is not available when authentication is requested, the
authentication request will fail. See also CA, certificate, public key, RA.
CRV Call Reference Value. Used by H.225.0 to distinguish call legs signaled between
two entities.
cryptography Encryption, authentication, integrity, keys and other services used for secure
communication over networks. See also VPN and IPSec.
crypto map A data structure with a unique name and sequence number that is used for
configuring VPNs on the security appliance. A crypto map selects data flows that
need security processing and defines the policy for these flows and the crypto
peer that traffic needs to go to. A crypto map is applied to an interface. Crypto
maps contain the ACLs, encryption standards, peers, and other parameters
necessary to specify security policies for VPNs using IKE and IPSec. See
alsoVPN.
cut-through proxy Enables the security appliance to provide faster traffic flow after user
authentication. The cut-through proxy challenges a user initially at the application
layer. After the security appliance authenticates the user, it shifts the session flow
and all traffic flows directly and quickly between the source and destination while
maintaining session state information.
data confidentiality Describes any method that manipulates data so that no attacker can read it. This is
commonly achieved by data encryption and keys that are only available to the parties
involved in the communication.
data integrity Describes mechanisms that, through the use of encryption based on secret key or public
keyalgorithms, allow the recipient of a piece of protected data to verify that the data has
not been modified in transit.
data origin A security service where the receiver can verify that protected data could have
authentication originated only from the sender. This service requires a data integrity service plus
a key distribution mechanism, where a secret key is shared only between the sender
and receiver.
decryption Application of a specific algorithm or cipher to encrypted data so as to render the data
comprehensible to those who are authorized to see the information. See also encryption.
DES Data encryption standard. DES was published in 1977 by the National Bureau of
Standards and is a secret key encryption scheme based on the Lucifer algorithm from
IBM. Cisco uses DES in classic crypto (40-bit and 56-bit key lengths), IPSec crypto (56-
bit key), and 3DES (triple DES), which performs encryption three times using a 56-bit
key. 3DES is more secure than DES but requires more processing for encryption and
decryption. See also AES, ESP.
DHCP Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses
to hosts dynamically, so that addresses can be reused when hosts no longer need them
and so that mobile computers, such as laptops, receive an IP address applicable to
the LAN to which it is connected.
Diffie-Hellman A public key cryptography protocol that allows two parties to establish a shared secret
over insecure communications channels. Diffie-Hellman is used within IKE to establish
session keys. Diffie-Hellman is a component of Oakley key exchange.
Diffie-Hellman Diffie-Hellman refers to a type of public key cryptography using asymmetric encryption
Group 1, Group 2, based on large prime numbers to establish both Phase 1 and Phase 2 SAs. Group 1
Group 5, Group 7 provides a smaller prime number than Group 2 but may be the only version supported
by some IPSecpeers. Diffe-Hellman Group 5 uses a 1536-bit prime number, is the most
secure, and is recommended for use with AES. Group 7 has an elliptical curve field size
of 163 bits and is for use with the Movian VPN client, but works with any peer that
supports Group 7 (ECC). See also VPN and encryption.
Note The group 7 command option was deprecated in ASA version 8.0(4).
DN Distinguished Name. Global, authoritative name of an entry in the OSI Directory (X.500).
DNS Domain Name System (or Service). An Internet service that translates domain names
into IP addresses.
DoS Denial of Service. A type of network attack in which the goal is to render a network
service unavailable.
DSP digital signal processor. A DSP segments a voice signal into frames and stores them in
voice packets.
DSS Digital Signature Standard. A digital signature algorithm designed by The US National
Institute of Standards and Technology and based on public-key cryptography. DSS does
not do user datagram encryption. DSS is a component in classic crypto, as well as the
RedcreekIPSec card, but not in IPSec implemented in Cisco IOS software.
Dynamic PAT Dynamic Port Address Translation. Dynamic PAT lets multiple outbound sessions
appear to originate from a single IP address. With PAT enabled, the security appliance
chooses a unique port number from the PAT IP address for each outbound translation
slot ( xlate). This feature is valuable when an ISP cannot allocate enough unique IP
addresses for your outbound connections. The global pool addresses always come first,
before a PAT address is used. See also NAT, Static PAT, and xlate.
EGP Exterior Gateway Protocol. Replaced by BGP. The security appliance does not support EGP. See
also BGP.
EIGRP Enhanced Interior Gateway Routing Protocol. The security appliance does not support EIGRP.
encryption Application of a specific algorithm or cipher to data so as to render the data incomprehensible to
those unauthorized to see the information. See also decryption.
ESMTP Extended SMTP. Extended version of SMTP that includes additional functionality, such as delivery
notification and session delivery. ESMTP is described in RFC 1869, SMTP Service Extensions.
ESP Encapsulating Security Payload. An IPSec protocol, ESP provides authentication and encryption
services for establishing a secure tunnel over an insecure network. For more information, refer to
RFCs 2406 and 1827.
Flash, Flash A nonvolatile storage device used to store the configuration file when the security appliance is
memory powered down.
FQDN/IP Fully qualified domain name/IP address. IPSec parameter that identifies peers that are security
gateways.
FragGuard Provides IP fragment protection and performs full reassembly of all ICMP error messages and
virtual reassembly of the remaining IP fragments that are routed through the security appliance.
FTP File Transfer Protocol. Part of the TCP/IP protocol stack, used for transferring files between
hosts.
GGSN gateway GPRS support node. A wireless gateway that allows mobile cell phone users to
access the public data network or specified private IP networks.
global Global configuration mode lets you to change the security appliance configuration. All user
configuration EXEC, privileged EXEC, and global configuration commands are available in this mode. See
mode also user EXEC mode, privileged EXEC mode, command-specific configuration mode.
GMT Greenwich Mean Time. Replaced by UTC (Coordinated Universal Time) in 1967 as the world
time standard.
GPRS general packet radio service. A service defined and standardized by the European
Telecommunication Standards Institute. GPRS is an IP-packet-based extension
of GSMnetworks and provides mobile, wireless, data communications
GRE Generic Routing Encapsulation described in RFCs 1701 and 1702. GRE is a tunneling
protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels,
creating a virtual point-to-point link to routers at remote points over an IP network. By
connecting multiprotocol subnetworks in a single-protocol backbone environment, IP
tunneling using GRE allows network expansion across a single protocol backbone
environment.
GSM Global System for Mobile Communication. A digital, mobile, radio standard developed for
mobile, wireless, voice communications.
GTP GPRS tunneling protocol. GTP handles the flow of user packet data and signaling information
between the SGSN and GGSN in a GPRS network. GTP is defined on both the Gn and Gp
H.225 A protocol used for TCP signaling in applications such as video conferencing. See
also H.323and inspection engine.
H.225.0 An ITU standard that governs H.225.0 session establishment and packetization. H.225.0
actually describes several different protocols: RAS, use of Q.931, and use of RTP.
H.320 Suite of ITU-T standard specifications for video conferencing over circuit-switched media, such
as ISDN, fractional T-1, and switched-56 lines. Extensions of ITU-T standard H.320 enable
video conferencing over LANs and other packet-switched networks, as well as video over the
Internet.
H.323 Allows dissimilar communication devices to communicate with each other by using a
standardized communication protocol. H.323 defines a common set of CODECs, call setup
and negotiating procedures, and basic data transport methods.
H.323 RAS Registration, admission, and status signaling protocol. Enables devices to perform registration,
admissions, bandwidth changes, and status and disengage procedures between VoIP gateway
and the gatekeeper.
Hash, Hash A hash algorithm is a one way function that operates on a message of arbitrary length to
Algorithm create a fixed-length message digest used by cryptographic services to ensure its data
integrity. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. Cisco
uses both SHA-1 and MD5 hashes within our implementation of the IPSec framework. See
also encryption, HMAC, and VPN.
headend A firewall, concentrator, or other host that serves as the entry point into a private network
forVPN client connections over the public network. See also ISP and VPN.
HMAC A mechanism for message authentication using cryptographic hashes such as SHA-
1 andMD5.
host The name for any device on a TCP/IP network that has an IP address. See
also network andnode.
host/network An IP address and netmask used with other information to identify a single host or network
subnet for security appliance configuration, such as an address translation ( xlate) or ACE.
HTTP Hypertext Transfer Protocol. A protocol used by browsers and web servers to transfer files.
When a user views a web page, the browser can use HTTP to request and receive the files
used by the web page. HTTP transmissions are not encrypted.
IANA Internet Assigned Number Authority. Assigns all port and protocol numbers for use on the
Internet.
ICMP Internet Control Message Protocol. Network-layer Internet protocol that reports errors and
provides other information relevant to IP packet processing.
IDS Intrusion Detection System. A method of detecting malicious network activity by signatures
and then implementing a policy for that signature.
IETF The Internet Engineering Task Force. A technical standards organization that
develops RFCdocuments defining protocols for the Internet.
IGMP Internet Group Management Protocol. IGMP is a protocol used by IPv4 systems to report
IPmulticast memberships to neighboring multicast routers.
IKE Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for
services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each
security appliance must verify the identity of its peer. This can be done by manually entering
preshared keys into both hosts or by a CA service. IKE is a hybrid protocol that uses
partOakley and part of another protocol suite called SKEME inside ISAKMP framework. This
is the protocol formerly known as ISAKMP/Oakley, and is defined in RFC 2409.
IKE Extended IKE Extended Authenticate (Xauth) is implemented per the IETF draft-ietf-ipsec-isakmp-
Authentication xauth-04.txt ("extended authentication" draft). This protocol provides the capability of
authenticating a user within IKE using TACACS+ or RADIUS.
IKE Mode IKE Mode Configuration is implemented per the IETF draft-ietf-ipsec-isakmp-mode-cfg-04.txt.
Configuration IKE Mode Configuration provides a method for a security gateway to download an IP
address (and other network level configuration) to the VPN client as part of an IKE
negotiation.
ILS Internet Locator Service. ILS is based on LDAP and is ILSv2 compliant. ILS was developed
by Microsoft for use with its NetMeeting, SiteServer, and Active Directory products.
IMAP Internet Message Access Protocol. Method of accessing e-mail or bulletin board messages
kept on a mail server that can be shared. IMAP permits client e-mail applications to access
remote message stores as if they were local without actually transferring the message.
implicit rule An access rule automatically created by the security appliance based on default rules or as a
result of user-defined rules.
IMSI International Mobile Subscriber Identity. One of two components of a GTP tunnel ID, the
other being the NSAPI. See also NSAPI.
inside The first interface, usually port 1, that connects your internal, "trusted" network protected by
the security appliance. See also interface, interface names.
interface The physical connection between a particular network and a security appliance.
interface The IP address of a security appliance network interface. Each interface IP address must be
ip_address unique. Two or more interfaces must not be given the same IP address or IP addresses that
are on the same IP network.
interface names Human readable name assigned to a security appliance network interface. The inside
interface default name is "inside" and the outside interface default name is "outside." Any
perimeter interface default names are "intf n", such as intf2 for the first perimeter interface,
intf3 for the second perimeter interface, and so on to the last interface. The numbers in the
intf string corresponds to the position of the interface card in the security appliance. You can
use the default names or, if you are an experienced user, give each interface a more
meaningful name. See also inside, intfn, outside.
intf n Any interface, usually beginning with port 2, that connects to a subset network of your design
that you can custom name and configure.
interface PAT The use of PAT where the PAT IP address is also the IP address of the outside interface.
SeeDynamic PAT, Static PAT.
Internet The global network that uses IP. Not a LAN. See also intranet.
intranet Intranetwork. A LAN that uses IP. See also network and Internet.
IP Internet Protocol. IP protocols are the most popular nonproprietary protocols because they
can be used to communicate across any set of interconnected networks and are equally well
suited for LAN and WAN communications.
IPS Intrusion Prevention Service. An in-line, deep-packet inspection-based solution that helps
mitigate a wide range of network attacks.
IP pool A range of local IP addresses specified by a name, and a range with a starting IP address
and an ending address. IP Pools are used by DHCP and VPNs to assign local IP addresses
to clients on the inside interface.
IPSec IP Security. A framework of open standards that provides data confidentiality, data integrity,
and data authentication between participating peers. IPSec provides these security services
at the IP layer. IPSec uses IKE to handle the negotiation of protocols and algorithms based
on local policy and to generate the encryption and authentication keys to be used by IPSec.
IPSec can protect one or more data flows between a pair of hosts, between a pair of security
IPSec Phase 1 The first phase of negotiating IPSec, includes the key exchange and the ISAKMP portions
ofIPSec.
IPSec Phase 2 The second phase of negotiating IPSec. Phase two determines the type of encryption rules
used for payload, the source and destination that will be used for encryption, the definition of
interesting traffic according to access lists, and the IPSec peer. IPSec is applied to the
interface in Phase 2.
IPSec transform A transform set specifies the IPSec protocol, encryption algorithm, and hash algorithm to use
set on traffic matching the IPSec policy. A transform describes a security protocol ( AH or ESP)
with its corresponding algorithms. The IPSec protocol used in almost all transform sets
isESP with the DES algorithm and HMAC-SHA for authentication.
ISAKMP Internet Security Association and Key Management Protocol. A protocol framework that
defines payload formats, the mechanics of implementing a key exchange protocol, and the
negotiation of a security association. See IKE.
ISP Internet Service Provider. An organization that provides connection to the Internet via their
services, such as modem dial in over telephone voice lines or DSL.
JTAPI Java Telephony Application Programming Interface. A Java-based API supporting telephony functions.
See also TAPI.
LAN Local area network. A network residing in one location, such as a single building or campus. See
also Internet, intranet, and network.
layer, Networking models implement layers with which different protocols are associated. The most common
layers networking model is the OSI model, which consists of the following 7 layers, in order: physical, data
link, network, transport, session, presentation, and application.
MAC Address A media access control address (MAC address) is a unique identifier assigned to network
interfaces for communications on the physical network segment. MAC addresses are used as a
network address for most IEEE 802 network technologies, including Ethernet.
mask A 32-bit mask that shows how an Internet address is divided into network, subnet, and host
parts. The mask has ones in the bit positions to be used for the network and subnet parts, and
zeros for the host part. The mask should contain at least the standard network portion, and the
subnet field should be contiguous with the network portion.
MC router Multicast (MC) routers route multicast data transmissions to the hosts on each LAN in an
internetwork that are registered to receive specific multimedia or other broadcasts. See
alsomulticast.
MD5 Message Digest 5. A one-way hashing algorithm that produces a 128-bit hash. Both MD5
andSHA-1 are variations on MD4 and are designed to strengthen the security of the MD4
hashing algorithm. SHA-1 is more secure than MD4 and MD5. Cisco uses hashes for
authentication within the IPSec framework. Also used for message authentication in SNMP v.2.
MD5 verifies the integrity of the communication, authenticates the origin, and checks for
timeliness. MD5 has a smaller digest and is considered to be slightly faster than SHA-1.
Message A message digest is created by a hash algorithm, such as MD5 or SHA-1, that is used for
Digest ensuring message integrity.
MGCP Media Gateway Control Protocol. Media Gateway Control Protocol is a protocol for the control
of VoIP calls by external call-control elements known as media gateway controllers or call
agents. MGCP merges the IPDC and SGCP protocols.
Modular Modular Policy Framework. A means of configuring security appliance features in a manner to
Policy similar to Cisco IOS software Modular QoS CLI.
Framework
MS mobile station. Refers generically to any mobile device, such as a mobile handset or computer,
that is used to access network services. GPRS networks support three classes of MS, which
describe the type of operation supported within the GPRS and the GSM mobile wireless
MTU Maximum transmission unit, the maximum number of bytes in a packet that can flow efficiently
across the network with best response time. For Ethernet, the default MTU is 1500 bytes, but
each network can have different values, with serial connections having the smallest values. The
MTU is described in RFC 1191.
multicast Multicast refers to a network addressing method in which the source transmits a packet to
multiple destinations, a multicast group, simultaneously. See also PIM, SMR.
N2H2 A third-party, policy-oriented filtering application that works with the security appliance to
control user web access. N2H2 can filter HTTP requests based on destination host name,
destination IP address, and username and password. The N2H2 corporation was acquired by
Secure Computing in October, 2003.
NAT Network Address Translation. Mechanism for reducing the need for globally unique IP
addresses. NAT allows an organization with addresses that are not globally unique to connect
to the Internet by translating those addresses into a globally routable address space.
NEM Network Extension Mode. Lets VPN hardware clients present a single, routable network to the
remote private network over the VPN tunnel.
NetBIOS Network Basic Input/Output System. A Microsoft protocol that supports Windows host name
registration, session management, and data transfer. The security appliance supports
NetBIOS by performing NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138.
network In the context of security appliance configuration, a network is a group of computing devices
that share part of an IP address space and not a single host. A network consists of multiple
nodes or hosts. See also host, Internet, intranet, IP, LAN, and node.
NMS network management system. System responsible for managing at least part of a network. An
NMS is generally a reasonably powerful and well-equipped computer, such as an engineering
workstation. NMSs communicate with agents to help keep track of network statistics and
resources.
node Devices such as routers and printers that would not normally be called hosts. See
also host,network.
nonvolatile Storage or memory that, unlike RAM, retains its contents without power. Data in a nonvolatile
storage, storage device survives a power-off, power-on cycle or reboot.
memory
NSAPI Network service access point identifier. One of two components of a GTP tunnel ID, the other
component being the IMSI. See also IMSI.
Oakley A key exchange protocol that defines how to acquire authenticated keying material. The basic
mechanism for Oakley is the Diffie-Hellman key exchange algorithm. Oakley is defined in RFC
2412.
object Simplifies access control by letting you apply access control statements to groups of network
grouping objects, such as protocol, services, hosts, and networks.
OSPF Open Shortest Path First. OSPF is a routing protocol for IP networks. OSPF is a routing protocol
widely deployed in large networks because of its efficient use of network bandwidth and its rapid
convergence after changes in topology. The security appliance supports OSPF.
outbound Refers to traffic whose destination is on an interface with lower security than the source interface.
outside The first interface, usually port 0, that connects to other "untrusted" networks outside the security
appliance; the Internet. See also interface, interface names, outbound.
PAC PPTP Access Concentrator. A device attached to one or more PSTN or ISDN lines capable
ofPPP operation and of handling the PPTP protocol. The PAC need only implement TCP/IP to
pass traffic to one or more PNSs. It may also tunnel non-IP protocols.
Perfmon The security appliance feature that gathers and reports a wide variety of feature statistics, such
as connections/second, xlates/second, etc.
PFS Perfect Forwarding Secrecy. PFS enhances security by using different security key for
PIM Protocol Independent Multicast. PIM provides a scalable method for determining the best paths
for distributing a specific multicast transmission to a group of hosts. Each host has registered
using IGMP to receive the transmission. See also PIM-SM.
PIM-SM Protocol Independent Multicast-Sparse Mode. With PIM-SM, which is the default for Cisco
routers, when the source of a multicast transmission begins broadcasting, the traffic is forwarded
from one MC router to the next, until the packets reach every registered host. See also PIM.
PIX Private Internet eXchange. The Cisco PIX 500-series security appliances range from compact,
plug-and-play desktop models for small/home offices to carrier-class gigabit models for the most
demanding enterprise and service provider environments. Cisco PIX security appliances provide
robust, enterprise-class integrated network security services to create a strong multilayered
defense for fast changing network environments.
PKCS12 A standard for the transfer of PKI-related data, such as private keys, certificates, and other data.
Devices supporting this standard let administrators maintain a single set of personal identity
information.
Policy NAT Lets you identify local traffic for address translation by specifying the source and destination
addresses (or ports) in an access list.
POP Post Office Protocol. Protocol that client e-mail applications use to retrieve mail from a mail
server.
Port A field in the packet headers of TCP and UDP protocols that identifies the higher level service
which is the source or destination of the packet.
PPP Point-to-Point Protocol. Developed for dial-up ISP access using analog phone lines and
modems.
PPTP Point-to-Point Tunneling Protocol. PPTP was introduced by Microsoft to provide secure remote
access to Windows networks; however, because it is vulnerable to attack, PPTP is commonly
used only when stronger security methods are not available or are not required. PPTP Ports are
pptp, 1723/tcp, 1723/udp, and pptp. For more information about PPTP, see RFC 2637. See
PPTP GRE A tunnel defined by a PNS- PAC pair. The tunnel protocol is defined by a modified version
tunnel of GRE. The tunnel carries PPP datagrams between the PAC and the PNS. Many sessions are
multiplexed on a single tunnel. A control connection operating over TCP controls the
establishment, release, and maintenance of sessions and of the tunnel itself.
PPTP PPTP is connection-oriented. The PNS and PAC maintain state for each user that is attached to
session aPAC. A session is created when end-to-end PPP connection is attempted between a dial user
and the PNS. The datagrams related to a session are sent over the tunnel between
the PAC andPNS.
PPTP TCP Standard TCP session over which PPTP call control and management information is passed.
The control session is logically associated with, but separate from, the sessions being tunneled
through a PPTP tunnel.
preshared A preshared key provides a method of IKE authentication that is suitable for networks with a
key limited, static number of IPSec peers. This method is limited in scalability because the key must
be configured for each pair of IPSec peers. When a new IPSec peer is added to the network, the
preshared key must be configured for every IPSec peer with which it communicates.
Usingcertificates and CAs provides a more scalable method of IKE authentication.
primary, The security appliance normally operating when two units, a primary and secondary, are
primary unit operating in failover mode.
privileged Privileged EXEC mode lets you to change current settings. Any user EXEC mode command will
EXEC mode work in privileged EXEC mode. See also command-specific configuration mode, global
configuration mode, user EXEC mode.
protocol, A standard that defines the exchange of packets between network nodes for communication.
protocol Protocols work together in layers. Protocols are specified in a security appliance configuration as
literals part of defining a security policy by their literal values or port numbers. Possible security
appliance protocol literal values are ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, ipsec, nos,
ospf, pcp, snp, tcp, and udp.
Proxy-ARP Enables the security appliance to reply to an ARP request for IP addresses in the global pool.
See also ARP.
public key A public key is one of a pair of keys that are generated by devices involved in public key
infrastructure. Data encrypted with a public key can only be decrypted using the associated
private key. When a private key is used to produce a digital signature, the receiver can use the
public key of the sender to verify that the message was signed by the sender. These
characteristics of key pairs provide a scalable and secure method of authentication over an
insecure media, such as the Internet.
QoS quality of service. Measure of performance for a transmission system that reflects its transmission quality
and service availability.
RA Registration Authority. An authorized proxy for a CA. RAs can perform certificate enrollment
and can issue CRLs. See also CA, certificate, public key.
RADIUS Remote Authentication Dial-In User Service. RADIUS is a distributed client/server system that
secures networks against unauthorized access. RFC 2058 and RFC 2059 define the RADIUS
protocol standard. See also AAA and TACACS+.
Refresh Retrieve the running configuration from the security appliance and update the screen. The icon
and the button perform the same function.
replay- A security service where the receiver can reject old or duplicate packets to defeat replay
detection attacks. Replay attacks rely on the attacker sending out older or duplicate packets to the
receiver and the receiver thinking that the bogus traffic is legitimate. Replay-detection is done
by using sequence numbers combined with authentication, and is a standard feature ofIPSec.
RFC Request for Comments. RFC documents define protocols and standards for communications
over the Internet. RFCs are developed and published by IETF.
RIP Routing Information Protocol. Interior gateway protocol (IGP) supplied with UNIX BSD
systems. The most common IGP in the Internet. RIP uses hop count as a routing metric.
RLLA Reserved Link Local Address. Multicast addresses range from 224.0.0.0 to 239.255.255.255,
however only the range 224.0.1.0 to 239.255.255.255 is available to us. The first part of the
multicast address range, 224.0.0.0 to 224.0.0.255, is reserved and referred to as the RLLA.
These addresses are unavailable. We can exclude the RLLA range by specifying: 224.0.1.0 to
239.255.255.255. 224.0.0.0 to 239.255.255.255 excluding 224.0.0.0 to 224.0.0.255. This is the
same as specifying: 224.0.1.0 to 239.255.255.255.
routed firewall In routed firewall mode, the security appliance is counted as a router hop in the network. It
mode performs NAT between connected networks and can use OSPF or RIP. See also transparent
firewall mode.
RPC Remote Procedure Call. RPCs are procedure calls that are built or specified by clients and
executed on servers, with the results returned over the network to the clients.
RSA A public key cryptographic algorithm (named after its inventors, Rivest, Shamir, and Adelman)
with a variable key length. The main weakness of RSA is that it is significantly slow to compute
compared to popular secret-key algorithms, such as DES. The Cisco implementation
of IKEuses a Diffie-Hellman exchange to get the secret keys. This exchange can be
authenticated with RSA (or preshared keys). With the Diffie-Hellman exchange, the DES key
never crosses the network (not even in encrypted form), which is not the case with the RSA
encrypt and sign technique. RSA is not public domain, and must be licensed from RSA Data
Security.
RTCP RTP Control Protocol. Protocol that monitors the QoS of an IPv6 RTP connection and conveys
information about the on-going session. See also RTP.
RTP Real-Time Transport Protocol. Commonly used with IP networks. RTP is designed to provide
end-to-end network transport functions for applications transmitting real-time data, such as
audio, video, or simulation data, over multicast or unicast network services. RTP provides
such services as payload type identification, sequence numbering, timestamping, and delivery
monitoring to real-time applications.
RTSP Real Time Streaming Protocol. Enables the controlled delivery of real-time data, such as audio
and video. RTSP is designed to work with established protocols, such as RTP andHTTP.
rule Conditional statements added to the security appliance configuration to define security policy
for a particular situation. See also ACE, ACL, NAT.
running The configuration currently running in RAM on the security appliance. The configuration that
configuration determines the operational characteristics of the security appliance.
SA security association. An instance of security policy and keying material applied to a data flow.
SAs are established in pairs by IPSec peers during both phases of IPSec. SAs specify the
encryption algorithms and other security parameters used to create a secure tunnel. Phase 1
SAs ( IKE SAs) establish a secure tunnel for negotiating Phase 2 SAs. Phase 2 SAs
( IPSecSAs) establish the secure tunnel used for sending user data. Both IKE and IPSec use
SAs, although SAs are independent of one another. IPSec SAs are unidirectional and they are
unique in each security protocol. A set of SAs are needed for a protected data pipe, one per
direction per protocol. For example, if you have a pipe that supports ESP between peers,
oneESP SA is required for each direction. SAs are uniquely identified by destination
( IPSecendpoint) address, security protocol ( AH or ESP), and Security Parameter
Index. IKEnegotiates and establishes SAs on behalf of IPSec. A user can also
establish IPSec SAs manually. An IKE SA is used by IKE only, and unlike the IPSec SA, it is
bidirectional.
SCCP Skinny Client Control Protocol. A Cisco-proprietary protocol used between Cisco Call Manager
and Cisco VoIP phones.
SCEP Simple Certificate Enrollment Protocol. A method of requesting and receiving (also known as
enrolling) certificates from CAs.
SDP Session Definition Protocol. An IETF protocol for the definition of Multimedia Services. SDP
messages can be part of SGCP and MGCP messages.
secondary The backup security appliance when two are operating in failover mode.
unit
security You can partition a single security appliance into multiple virtual firewalls, known as security
context contexts. Each context is an independent firewall, with its own security policy, interfaces, and
administrators. Multiple contexts are similar to having multiple stand-alone firewalls.
serial A method of data transmission in which the bits of a data character are transmitted sequentially
transmission over a single channel.
SGCP Simple Gateway Control Protocol. Controls VoIP gateways by an external call control element
(called a call-agent).
SGSN Serving GPRS Support Node. The SGSN ensures mobility management, session management
and packet relaying functions.
SHA-1 Secure Hash Algorithm 1. SHA-1 [NIS94c] is a revision to SHA that was published in 1994.
SHA is closely modeled after MD4 and produces a 160-bit digest. Because SHA produces a
160-bit digest, it is more resistant to brute-force attacks than 128-bit hashes (such as MD5), but
it is slower. Secure Hash Algorithm 1 is a joint creation of the National Institute of Standards
and Technology and the National Security Agency. This algorithm, like other hash algorithms, is
used to generate a hash value, also known as a message digest, that acts like a CRC used in
lower-layer protocols to ensure that message contents are not changed during transmission.
SHA-1 is generally considered more secure than MD5.
SIP Session Initiation Protocol. Enables call handling sessions, particularly two-party audio
conferences, or "calls." SIP works with SDP for call signaling. SDP specifies the ports for the
media stream. Using SIP, the security appliance can support any SIP VoIP gateways
and VoIPproxy servers.
site-to-site A site-to-site VPN is established between two IPSec peers that connect remote networks into a
VPN single VPN. In this type of VPN, neither IPSec peer is the destination or source of user traffic.
Instead, each IPSec peer provides encryption and authentication services for hosts on theLANs
connected to each IPSec peer. The hosts on each LAN send and receive data through the
secure tunnel established by the pair of IPSec peers.
SKEME A key exchange protocol that defines how to derive authenticated keying material, with rapid
key refreshment.
SMR Stub Multicast Routing. SMR allows the security appliance to function as a "stub router." A stub
router is a device that acts as an IGMP proxy agent. IGMP is used to dynamically register
specific hosts in a multicast group on a particular LAN with a multicast router. Multicast routers
route multicast data transmissions to hosts that are registered to receive specific multimedia or
other broadcasts. A stub router forwards IGMP messages between hosts and MC routers.
SMTP Simple Mail Transfer Protocol. SMTP is an Internet protocol that supports email services.
SNMP Simple Network Management Protocol. A standard method for managing network devices
using data structures called Management Information Bases.
split Allows a remote VPN client simultaneous encrypted access to a private network and clear
tunneling unencrypted access to the Internet. If you do not enable split tunneling, all traffic between the
VPN client and the security appliance is sent through an IPSec tunnel. All traffic originating
from the VPN client is sent to the outside interface through a tunnel, and client access to the
spoofing A type of attack designed to foil network security mechanisms such as filters and access lists. A
spoofing attack sends a packet that claims to be from an address from which it was not actually
sent.
SQL*Net Structured Query Language Protocol. An Oracle protocol used to communicate between client
and server processes.
SSH Secure Shell. An application running on top of a reliable transport layer, such as TCP/IP, that
provides strong authentication and encryption capabilities.
SSL Secure Sockets Layer. A protocol that resides between the application layer and TCP/IP to
provide transparent encryption of data traffic.
stateful Network protocols maintain certain data, called state information, at each end of a network
inspection connection between two hosts. State information is necessary to implement the features of a
protocol, such as guaranteed packet delivery, data sequencing, flow control, and transaction or
session IDs. Some of the protocol state information is sent in each packet while each protocol
is being used. For example, a browser connected to a web server uses HTTP and supporting
TCP/IP protocols. Each protocol layer maintains state information in the packets it sends and
receives. The security appliance and some other firewalls inspect the state information in each
packet to verify that it is current and valid for every protocol it contains. This is called stateful
inspection and is designed to create a powerful barrier to certain types of computer security
threats.
Static PAT Static Port Address Translation. Static PAT is a static address that also maps a local port to a
global port. See also Dynamic PAT, NAT.
TACACS+ Terminal Access Controller Access Control System Plus. A client-server protocol that supports
AAA services, including command authorization. See also AAA, RADIUS.
TCP Transmission Control Protocol. Connection-oriented transport layer protocol that provides
reliable full-duplex data transmission.
TCP Intercept With the TCP intercept feature, once the optional embryonic connection limit is reached, and
until the embryonic connection count falls below this threshold, every SYN bound for the
effected server is intercepted. For each SYN, the security appliance responds on behalf of the
server with an empty SYN/ACK segment. The security appliance retains pertinent state
information, drops the packet, and waits for the client acknowledgment. If the ACK is received,
then a copy of the client SYN segment is sent to the server and the TCP three-way handshake
is performed between the security appliance and the server. If this three-way handshake
completes, may the connection resume as normal. If the client does not respond during any
TDP Tag Distribution Protocol. TDP is used by tag switching devices to distribute, request, and
release tag binding information for multiple network layer protocols in a tag switching network.
TDP does not replace routing protocols. Instead, it uses information learned from routing
protocols to create tag bindings. TDP is also used to open, monitor, and close TDP sessions
and to indicate errors that occur during those sessions. TDP operates over a connection-
oriented transport layer protocol with guaranteed sequential delivery (such as TCP). The use of
TDP does not preclude the use of other mechanisms to distribute tag binding information, such
as piggybacking information on other protocols.
Telnet A terminal emulation protocol for TCP/IP networks such as the Internet. Telnet is a common
way to control web servers remotely; however, its security vulnerabilities have led to its
replacement by SSH.
TFTP Trivial File Transfer Protocol. TFTP is a simple protocol used to transfer files. It runs on UDP
and is explained in depth in RFC 1350.
traffic The traffic policing feature ensures that no traffic exceeds the maximum rate (bits per second)
policing that you configure, thus ensuring that no one traffic flow can take over the entire resource.
transparent A mode in which the security appliance is not a router hop. You can use transparent firewall
firewall mode mode to simplify your network configuration or to make the security appliance invisible to
attackers. You can also use transparent firewall mode to allow traffic through that would
otherwise be blocked in routed firewall mode. See also routed firewall mode.
transport An IPSec encryption mode that encrypts only the data portion (payload) of each packet, but
mode leaves the header untouched. Transport mode is less secure than tunnel mode.
tunnel mode An IPSec encryption mode that encrypts both the header and data portion (payload) of each
packet. Tunnel mode is more secure than transport mode.
tunnel A method of transporting data in one protocol by encapsulating it in another protocol. Tunneling
is used for reasons of incompatibility, implementation simplification, or security. For example, a
tunnel lets a remote VPN client have encrypted access to a private network.
Turbo ACL Increases ACL lookup speeds by compiling them into a set of lookup tables. Packet headers
are used to access the tables in a small, fixed number of lookups, independent of the existing
number of ACL entries.
UDP User Datagram Protocol. A connectionless transport layer protocol in the IP protocol stack. UDP is
a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery,
which requires other protocols to handle error processing and retransmission. UDP is defined in
RFC 768.
UMTS Universal Mobile Telecommunication System. An extension of GPRS networks that moves toward
an all-IP network by delivering broadband information, including commerce and entertainment
services, to mobile users via fixed, wireless, and satellite networks
Unicast Unicast Reverse Path Forwarding. Unicast RPF guards against spoofing by ensuring that packets
RPF have a source IP address that matches the correct source interface according to the routing table.
URL Uniform Resource Locator. A standardized addressing scheme for accessing hypertext documents
and other services using a browser. For example, http://www.cisco.com.
user User EXEC mode lets you to see the security appliance settings. The user EXEC mode prompt
EXEC appears as follows when you first access the security appliance. See also command-specific
mode configuration mode, global configuration mode, and privileged EXEC mode.
UTC Coordinated Universal Time. The time zone at zero degrees longitude, previously called Greenwich
Mean Time (GMT) and Zulu time. UTC replaced GMT in 1967 as the world time standard. UTC is
based on an atomic time scale rather than an astronomical time scale.
UTRAN Universal Terrestrial Radio Access Network. Networking protocol used for implementing wireless
networks in UMTS. GTP allows multi-protocol packets to be tunneled through a UMTS/GPRS
backbone between a GGSN, an SGSN and the UTRAN.
UUIE User-User Information Element. An element of an H.225 packet that identifies the users implicated
in the message.
VLAN Virtual LAN. A group of devices on one or more LANs that are configured (using management
software) so that they can communicate as if they were attached to the same physical network cable,
when in fact they are located on a number of different LAN segments. Because VLANs are based on
logical instead of physical connections, they are extremely flexible.
VoIP Voice over IP. VoIP carries normal voice traffic, such as telephone calls and faxes, over an IP-based
network. DSP segments the voice signal into frames, which then are coupled in groups of two and
stored in voice packets. These voice packets are transported using IP in compliance with ITU-T
specification H.323.
VPN Virtual Private Network. A network connection between two peers over the public network that is
made private by strict authentication of users and the encryption of all data traffic. You can establish
VPNs between clients, such as PCs, or a headend, such as the security appliance.
VSA Vendor-specific attribute. An attribute in a RADIUS packet that is defined by a vendor rather than
byRADIUS RFCs. The RADIUS protocol uses IANA-assigned vendor numbers to help identify VSAs.
This lets different vendors have VSAs of the same number. The combination of a vendor number and
a VSA number makes a VSA unique. For example, the cisco-av-pair VSA is attribute 1 in the set of
VSAs related to vendor number 9. Each vendor can define up to 256 VSAs. A RADIUS packet
contains any VSAs attribute 26, named Vendor-specific. VSAs are sometimes referred to as
subattributes.
WAN wide-area network. Data communications network that serves users across a broad geographic
area and often uses transmission devices provided by common carriers.
WCCP Web Cache Communication Protocol. Transparently redirects selected types of traffic to a group of
web cache engines to optimize resource usage and lower response times.
Websense A content filtering solution that manages employee access to the Internet. Websense uses a policy
engine and a URL database to control user access to websites.
WEP Wired Equivalent Privacy. A security protocol for wireless LANs, defined in the IEEE 802.11b
standard.
WINS Windows Internet Naming Service. A Windows system that determines the IP address associated
with a particular network device, also known as "name resolution." WINS uses a distributed
database that is automatically updated with the NetBIOS names of network devices currently
available and the IP address assigned to each one.WINS provides a distributed database for
registering and querying dynamic NetBIOS names to IP address mapping in a routed network
environment. It is the best choice for NetBIOS name resolution in such a routed network because it
is designed to solve the problems that occur with name resolution in complex networks.
X.509 A widely used standard for defining digital certificates. X.509 is actually an ITU recommendation, which
means that it has not yet been officially defined or approved for standardized usage.
xlate An xlate, also referred to as a translation entry, represents the mapping of one IP address to another, or
the mapping of one IP address/port pair to another.
Q When I pass the EST Institute class on the MN-FNS Series, does that mean I
have Cisco certification?
A No – The MN-FNS Series certification applies only to the solutions offered through
EST. The training is a great start to a Cisco certification, such as a CCNA, but it
does not in itself, provide this certification.
Q Why can the copper wire (“Cat 5”) cable from a standard Ethernet switch be
run over 300 feet, but I can only run it 20 feet on an MN-FNS switch?
A This is due to UL restrictions. Current UL standards require that if a circuit does not
have ground-fault detection (which Ethernet circuits do not), it cannot be run more
than 20 feet, must be in the same room and must be mechanically protected.
Q The MN-FNS8C18F2 switch has RJ45 ports labeled POE, what EST modules
are POE?
A While the switch is labeled for POE use, it is not listed for, nor can it be used for that
purpose. There are no current EST modules that are POE powered.
Q Are identical Cisco switches from other sources than EST also UL 864/2572
listed?
A No. The listing only applies to products purchased through EST and labeled as
such.