Thursday, 20 March 2014

How 802.1x works

EAP (Extensible Authentication Protocol) is the framework used in 802.1X authentication. It is capable of carrying many different authentication methods (EAP-TLS, PEAP and so on). 802.1X defines three roles:

Supplicant - The client/workstation that needs access to the network.

Authenticator - The device that controls the supplicant's access to the network, e.g. a switch, AP or controller. The authenticator requests the identity of the supplicant and has it verified with the help of the authentication server. It does not interpret the EAP conversation itself: it decapsulates EAP from EAPOL on the supplicant side and re-encapsulates it (typically in RADIUS) towards the authentication server, and the reverse for replies. Until the server says "Success", the port stays in the Unauthorized state and only EAPOL is let through.

Authentication Server - The device that actually verifies the supplicant's credentials (typically a RADIUS server). It notifies the authenticator whether the client may be allowed onto the network.

What is EAPOL ?
EAPOL (EAP over LAN) is the method used to transport EAP packets between a supplicant and an authenticator directly over the LAN MAC service (both wired and wireless), using EtherType 0x888E. There are 5 types of EAPOL message, and not all of them carry EAP; some are used for administrative tasks:

  1. EAPOL-Start: When the supplicant first connects to the LAN it does not know the MAC address of the authenticator (if any). By sending EAPOL-Start to the PAE group MAC address 01:80:C2:00:00:03 (all authenticators on the link are members of this group; the authentication server is not on the link and never sees EAPOL) the supplicant finds out whether an authenticator is present. The authenticator answers with an EAP-Request/Identity.
  2. EAPOL-Key: Using this message type the authenticator sends encryption (and other) keys to the supplicant once it has decided to admit it to the network. On 802.11 this is the frame type that carries the 4-way handshake.
  3. EAPOL-Packet: This EAPOL frame carries an actual EAP message. It is simply a container for sending EAP across the LAN.
  4. EAPOL-Logoff: This message indicates that the supplicant wishes to be disconnected from the network.
  5. EAPOL-Encapsulated-ASF-Alert: This is provided for use by the Alert Standard Forum (ASF) to allow alerts to be forwarded through a port that is in the Unauthorized state.
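To make the framing concrete, here is an added example (not code from the original post) that parses EAPOL frames and the EAP packet an EAPOL-Packet carries. The MAC addresses and the identity string are constructed for illustration; the group address 01:80:C2:00:00:03 and the EtherType 0x888E are the standard 802.1X values.

```python
"""Parse EAPOL frames as seen between a supplicant and an authenticator.
Added example; the frames at the bottom are constructed, not captures."""
import struct

# EAPOL packet types (IEEE 802.1X)
EAPOL_TYPES = {
    0: "EAPOL-Packet",
    1: "EAPOL-Start",
    2: "EAPOL-Logoff",
    3: "EAPOL-Key",
    4: "EAPOL-Encapsulated-ASF-Alert",
}
# EAP codes (RFC 3748)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # all authenticators on the link
ETHERTYPE_EAPOL = 0x888E


def parse_eapol(frame: bytes) -> dict:
    """Parse Ethernet + EAPOL header, and the EAP header if the frame carries one."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPOL frame (ethertype 0x{ethertype:04x})")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("EAPOL body truncated")
    out = {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "eapol_version": version,
        "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
        "to_pae_group": dst == PAE_GROUP_ADDR,
    }
    if ptype == 0:  # EAPOL-Packet: the body is an EAP packet
        out["eap"] = parse_eap(body)
    return out


def parse_eap(pkt: bytes) -> dict:
    """Parse an EAP packet (RFC 3748): code, identifier, length, [type, data]."""
    if len(pkt) < 4:
        raise ValueError("EAP packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length > len(pkt) or length < 4:
        raise ValueError("EAP length field inconsistent with packet")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # Request/Response carry a type byte
        eap["type"] = pkt[4]
        data = pkt[5:length]
        if pkt[4] == EAP_TYPE_IDENTITY:
            # The outer identity is sent in clear text before any tunnel exists,
            # so anyone on the segment can read it.
            eap["identity"] = data.decode("utf-8", errors="replace")
        else:
            eap["data"] = data
    return eap


def build_eapol(dst: bytes, src: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Build an Ethernet frame carrying an EAPOL PDU (protocol version 1)."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body)) + body


def build_eap_identity_response(ident: int, identity: str) -> bytes:
    data = identity.encode()
    return struct.pack("!BBHB", 2, ident, 5 + len(data), EAP_TYPE_IDENTITY) + data


# Constructed sample exchange (not a real capture)
SUPPLICANT = bytes.fromhex("001122334455")
AUTHENTICATOR = bytes.fromhex("66778899aabb")
EAPOL_START = build_eapol(PAE_GROUP_ADDR, SUPPLICANT, 1)
IDENTITY_RESPONSE = build_eapol(AUTHENTICATOR, SUPPLICANT, 0,
                                build_eap_identity_response(1, "alice@example.com"))

if __name__ == "__main__":
    for f in (EAPOL_START, IDENTITY_RESPONSE):
        print(parse_eapol(f))
```

The identity in the EAP-Response/Identity is readable by anyone on the segment: with tunnelled methods such as PEAP or EAP-TTLS the real username is only sent inside the TLS tunnel, so the outer identity should be anonymous where the deployment allows it.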


Wednesday, 19 March 2014

Behind the scenes - While you browse www.google.com from your computer

1. You open the browser and type www.google.com in the address bar.
2. Your laptop already has an IP address and a DNS server address (obtained via DHCP).
3. The computer now needs to resolve www.google.com to an IP address.
4. It uses the DNS server IP it learned during the DHCP process.
5. If the DNS server is not in its own subnet, the query has to go via the default gateway.
6. Suppose the client does not yet know the MAC address of the gateway.
7. The computer sends a Layer 2 broadcast ARP request asking "who has the gateway IP?"
8. The gateway responds "my MAC address is xx:xx:xx:xx:xx:xx". (ARP has no authentication: the client believes whoever answers, which is what ARP spoofing abuses.)
9. The computer sends the DNS query to the gateway (destination MAC = gateway, destination IP = DNS server).
10. The gateway checks its routing table to see whether the DNS server's IP is known to it.
11. If it is not directly connected, it forwards the query to the next hop according to its routing table.
12. The query travels like this until it reaches the DNS server.
13. The DNS server responds with the IP address of www.google.com.
14. The IP address reaches the computer. (Plain DNS over UDP is unauthenticated too; the resolver accepts the first answer whose transaction ID and port match.)
15. The computer checks whether that IP is in its own subnet; if not, it will send the packet to the gateway.
16. Here is the packet the computer forms:

 Source IP address - Computer IP
 Source MAC address - Computer MAC
 Destination IP address - Google IP address
 Destination MAC - Gateway MAC address

17. It reaches the gateway, which checks its routing table as before.
18. Now the gateway rewrites the frame as below:

Source MAC - Gateway MAC
Source IP - Computer IP
Destination MAC - MAC of the next hop from the routing table
Destination IP - Google IP address

19. This process continues along the path.
20. Every router in between changes the source and destination MAC (and decrements the TTL) but keeps the source and destination IP the same.
21. The packet reaches Google.
22. Google responds as below:

Source IP - Google IP address
Source MAC - Google server MAC
Destination IP - Computer IP
Destination MAC - MAC of Google's gateway

23. The same process repeats in the other direction and the packet reaches the computer.

IF NAT IS CONFIGURED
===================
Most probably the NAT will be many-to-one (PAT / overload): many private addresses share one public address and are told apart by port number.

The NAT device keeps track of the private IP and source port the client used and maps them to the public IP, usually with a new source port:
Source port 10, IP address 10.10.10.10 ===>>> mapped to 200.200.200.200 (public port chosen by the NAT device)

When the reply comes back it arrives at that public port, so the NAT device knows which client IP and port were mapped to it and rewrites the destination before forwarding the packet inward. A packet that arrives with no matching entry in the table is dropped, which is why unsolicited inbound connections do not reach clients behind the NAT.
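The steps above as an added, runnable model (this is not code from the original post): a constructed topology of computer, home gateway and ISP router, the MAC rewrite on each link with fixed IP addresses, and a many-to-one NAT table at the gateway. All addresses are illustrative: 10.10.10.10 and 200.200.200.200 are taken from the page's own NAT example, and 198.51.100.7 stands in for the resolved www.google.com address.

```python
"""Model of the forwarding described above: per-hop MAC rewriting with fixed
IP addresses, plus many-to-one NAT (PAT) at the gateway. Added example with a
constructed topology; the addresses are illustrative, not real hosts."""
import ipaddress

COMPUTER = {"ip": "10.10.10.10", "mask": 24, "mac": "aa:aa:aa:00:00:01",
            "gateway": "10.10.10.1"}
# The computer's ARP cache after step 8 (constructed).
LAN_ARP = {"10.10.10.1": "aa:aa:aa:00:00:02", "10.10.10.20": "aa:aa:aa:00:00:03"}
# Router hops beyond the computer: (egress interface MAC, next-hop MAC on that link).
ROUTERS = [("bb:bb:bb:00:00:01", "bb:bb:bb:00:00:02"),   # home gateway -> ISP router
           ("cc:cc:cc:00:00:01", "cc:cc:cc:00:00:02")]   # ISP router -> server
SERVER_IP = "198.51.100.7"      # stands in for the resolved www.google.com address
PUBLIC_IP = "200.200.200.200"   # gateway's public address (the page's NAT example)


def first_hop_mac(host, dst_ip, arp_table):
    """Step 15: on-link destination -> ARP for it; otherwise ARP for the gateway.
    ARP replies are unauthenticated, so a poisoned entry redirects the whole flow."""
    net = ipaddress.ip_network(f"{host['ip']}/{host['mask']}", strict=False)
    target = dst_ip if ipaddress.ip_address(dst_ip) in net else host["gateway"]
    return arp_table[target]


def trace_l2(host, dst_ip, routers, arp_table):
    """Frames on each link (steps 16-20): MACs change per hop, IPs stay fixed."""
    frames = [{"src_mac": host["mac"], "dst_mac": first_hop_mac(host, dst_ip, arp_table),
               "src_ip": host["ip"], "dst_ip": dst_ip}]
    for egress_mac, next_hop_mac in routers:
        frames.append({"src_mac": egress_mac, "dst_mac": next_hop_mac,
                       "src_ip": host["ip"], "dst_ip": dst_ip})
    return frames


class Pat:
    """Many-to-one NAT: private (ip, port) <-> public port, keyed per flow."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.back = {}  # (public port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def outbound(self, pkt):
        """Rewrite source IP/port of a packet leaving the LAN, creating a mapping if new."""
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, pkt["dst_ip"], pkt["dst_port"])] = key[:2]
            self.next_port += 1
        return {**pkt, "src_ip": self.public_ip, "src_port": self.out[key]}

    def inbound(self, pkt):
        """Reply matches on (public port, remote ip, remote port); anything
        without a mapping is dropped, which is why unsolicited inbound fails."""
        key = (pkt["dst_port"], pkt["src_ip"], pkt["src_port"])
        if pkt["dst_ip"] != self.public_ip or key not in self.back:
            return None
        priv_ip, priv_port = self.back[key]
        return {**pkt, "dst_ip": priv_ip, "dst_port": priv_port}


def round_trip(nat, client_port=10):
    """Client -> server -> client through the NAT; returns (outbound on the wire, reply at client)."""
    request = {"src_ip": COMPUTER["ip"], "src_port": client_port,
               "dst_ip": SERVER_IP, "dst_port": 443}
    on_wire = nat.outbound(request)
    # The server only ever sees the public address and swaps the fields to reply.
    reply = {"src_ip": on_wire["dst_ip"], "src_port": on_wire["dst_port"],
             "dst_ip": on_wire["src_ip"], "dst_port": on_wire["src_port"]}
    return on_wire, nat.inbound(reply)


if __name__ == "__main__":
    for f in trace_l2(COMPUTER, SERVER_IP, ROUTERS, LAN_ARP):
        print(f)
    print(round_trip(Pat(PUBLIC_IP)))
```

Running it prints one frame per link, with the MAC pair changing each hop while the IP pair stays constant, followed by the translated request and the reply after it has been mapped back to 10.10.10.10:10.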







Wednesday, 8 January 2014

Basic IPv6 Packet Flow - In Aruba Controllers

This document assumes the reader is familiar with the basics of IPv6, so we go directly into the IPv6 packet flow.
We discuss mainly four packet exchanges between client and router that are fundamental to all IPv6 addressing. The Neighbor Discovery (ND) mechanism consists mainly of these four packet types, all of which are carried in ICMPv6. ICMPv6 must therefore be allowed on the controller for IPv6 to work on an Aruba controller.

1. Router Solicitation
2. Router Advertisement
3. Neighbor Solicitation
4. Neighbor Advertisement



RS (Router Solicitation) :-
If a client is IPv6 capable, one of the first packets it sends is an RS. It is sent to ff02::2 (the all-routers multicast group, i.e. every router capable of providing an RA). An RS is not mandatory in IPv6: the client may well receive an RA before it sends an RS to the network.

RA (Router Advertisement) :-
Sent by the router to ff02::1 (the all-nodes multicast group). An RA serves two purposes:
1.       Providing the prefix from which the client generates its IPv6 address. The RA supplies the first 64 bits of the address; the client generates the remaining 64 bits itself.
2.       Providing the gateway for the client. The client's gateway is always the link-local address of the router (the source address of the RA). Hosts accept an RA from any link-local source by default, so a rogue RA on the same VLAN can redirect client traffic.

Unsolicited RA :- The router can be configured to send an RA periodically. Getting an address by this mechanism is called unsolicited RA. The router does not wait for an RS before sending the RA in this case.

Solicited RA :- In this case the router responds only when it receives an RS from a client.

DHCP v6

With DHCPv6 (the stateful mechanism) we still need the RA, because DHCPv6 has no default-gateway option. The gateway for the client remains the link-local address of the router.

In this case the M (Managed address configuration) flag in the RA is set, which tells the client that the RA will not give it an address but only the gateway. Once the client sees the M flag set it starts the DHCPv6 process. (The O flag, by contrast, only asks the client to fetch other configuration such as DNS servers from DHCPv6, while still forming its address from the RA prefix.)
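The RA handling described in the last two sections, as an added example that is not part of the original post: it parses an ICMPv6 Router Advertisement (the M/O flags in the header, and the Prefix Information and Source Link-Layer Address options) and derives what a client would do with it. The RA bytes are constructed with the helper at the bottom; fe80::1 and 2001:db8:1::/64 are placeholder addresses and the ICMPv6 checksum is left at zero because it is computed over the IPv6 pseudo-header, which this example does not model.

```python
"""Parse an ICMPv6 Router Advertisement and derive the client's behaviour
(SLAAC vs. DHCPv6, default gateway). Added example; the RA bytes are constructed."""
import ipaddress
import struct

ICMPV6_RA = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO = 1, 3


def parse_ra(payload: bytes, src_addr: str) -> dict:
    """payload = ICMPv6 header + RA body; src_addr = IPv6 source of the packet."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA or payload[1] != 0:
        raise ValueError("not a Router Advertisement")
    # RFC 4861 hosts must discard an RA whose source is not link-local.
    if not ipaddress.ip_address(src_addr).is_link_local:
        raise ValueError("RA source is not link-local; a client must discard it")
    hop_limit, flags, lifetime, reachable, retrans = struct.unpack("!BBHII", payload[4:16])
    ra = {"gateway": src_addr,
          "hop_limit": hop_limit,
          "managed": bool(flags & 0x80),   # M: get addresses from DHCPv6
          "other": bool(flags & 0x40),     # O: get other config (DNS...) from DHCPv6
          "router_lifetime": lifetime, "reachable_ms": reachable, "retrans_ms": retrans,
          "prefixes": [], "router_mac": None}
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1] * 8   # length is in 8-octet units
        if olen == 0 or off + olen > len(payload):
            raise ValueError("bad option length")          # a zero length would loop forever
        body = payload[off + 2: off + olen]
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            prefix = ipaddress.IPv6Address(body[14:30])     # 4 reserved bytes precede it
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "on_link": bool(pflags & 0x80),     # L flag
                                   "autonomous": bool(pflags & 0x40),  # A flag: usable for SLAAC
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_SRC_LLADDR and olen == 8:
            ra["router_mac"] = body[:6].hex(":")
        off += olen
    return ra


def client_plan(ra: dict) -> dict:
    """What a host does after accepting this RA."""
    slaac = [p["prefix"] for p in ra["prefixes"] if p["autonomous"] and p["preferred"] > 0]
    return {"default_gateway": ra["gateway"] if ra["router_lifetime"] > 0 else None,
            "slaac_prefixes": slaac,
            "dhcpv6": "stateful" if ra["managed"] else ("stateless" if ra["other"] else None)}


def build_ra(managed=False, other=False, lifetime=1800, prefixes=(), router_mac=None) -> bytes:
    """Build an RA payload; prefixes is a list of (prefix, autonomous_flag)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, lifetime, 0, 0)
    opts = b""
    if router_mac:
        opts += bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(router_mac.replace(":", ""))
    for prefix, autonomous in prefixes:
        net = ipaddress.IPv6Network(prefix)
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                            0x80 | (0x40 if autonomous else 0), 2592000, 604800, 0)
        opts += net.network_address.packed
    return hdr + opts


# Constructed samples (placeholder addresses, not from a real network)
ROUTER_LL = "fe80::1"
SLAAC_RA = build_ra(prefixes=[("2001:db8:1::/64", True)], router_mac="00:11:22:33:44:55")
DHCP_RA = build_ra(managed=True, other=True, prefixes=[("2001:db8:1::/64", False)])

if __name__ == "__main__":
    print(client_plan(parse_ra(SLAAC_RA, ROUTER_LL)))
    print(client_plan(parse_ra(DHCP_RA, ROUTER_LL)))
```

The second constructed RA carries the same prefix with the A flag cleared and the M flag set: the client learns the gateway and that the prefix is on-link, but goes to DHCPv6 for its address, which is exactly the combination described above.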

Neighbour Solicitation (NS) :-
There are mainly 2 kinds of NS, for two purposes:

1.       Duplicate address detection (DAD) – the counterpart of gratuitous ARP in IPv4
2.       Keep-alive / address resolution – the counterpart of ARP in IPv4

Duplicate Address Detection :
The client sends this packet to the solicited-node multicast group ff02::1:ffXX:XXXX, where XX:XXXX are the last 24 bits of the IPv6 address being tested (not of the client's MAC), so ideally no other node has joined that group. Any node that receives it checks the target field against its own addresses to detect a duplicate. The source address of a DAD probe is the unspecified address (::); an NS used for address resolution or keep-alive instead carries the client's link-local or global address as source. In the Aruba case we normally flood this packet over the air, so it reaches all clients. A response comes back only if someone is already using the address.

Keep Alive
Sent to the link-local address of the router. If the router is reachable it responds with an acknowledgement called a "solicited NA". This packet is sent periodically (Neighbor Unreachability Detection) to make sure the router is still alive.

Neighbour Advertisement:-
Comes as a response to an NS, either because the responder owns the target address (a duplicate during DAD) or as the keep-alive / address-resolution reply.

Unsolicited NA:-
Once the client has an IPv6 address it sends an NA to ff02::1 (all nodes); other nodes use it to update their neighbor cache (the IPv6 equivalent of the ARP table). There is no response to this packet. An unsolicited NA is sent for both the link-local address and the global unicast address. Like ARP, these messages are not authenticated, so a spoofed NA can poison the neighbor caches of other nodes on the link.

Duplicate Address
IPv4 does not require duplicate address detection for statically assigned addresses, but IPv6 runs DAD (sends an NS for the address) even for statically assigned addresses. In the case of interface address configuration the controller marks the address as "dupe" in braces if it finds a duplicate address on the network.

EUI-64
EUI-64 is a mechanism IPv6 nodes use to make their interface identifier unique. Aruba controllers support it too. Take an example where 2 nodes are connected: there is always a chance that by mistake the same IPv6 address is configured statically at both ends. To avoid this, add the eui-64 keyword when configuring the IPv6 address on the interface. The controller then generates the IPv6 address automatically from its MAC address: the interface takes only the prefix part of the statically configured address, and the rest is generated the same way a client generates its own address.




Normally, for the link-local address on the controller, the hex form of the VLAN ID is appended to pad the 48-bit MAC address to 64 bits, but for the global address FFFE is inserted in the middle of the MAC address to extend it to 64 bits (the standard modified EUI-64 form also inverts the universal/local bit, the second-lowest bit of the first octet). The statically configured IPv6 address is not displayed anywhere on the controller; only the newly generated address is. The running configuration shows the prefix with eui-64, so the user needs to understand that the interface IP is derived from the MAC address.
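The EUI-64 derivation as an added example, not taken from the original post or from Aruba's code: it builds the modified EUI-64 interface identifier from a MAC (FF:FE inserted, universal/local bit flipped), forms link-local and global addresses from it, and computes the solicited-node group that the DAD probe from the NS section is sent to. The MAC 00:11:22:33:44:55 and prefix 2001:db8:1::/64 are constructed; the standard RFC 4291 link-local derivation is shown, not the controller's VLAN-ID variant mentioned above.

```python
"""Modified EUI-64 interface IDs, the addresses built from them, and the
solicited-node group used for DAD. Added example; MAC and prefix are constructed."""
import ipaddress


def eui64_iid(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64: insert FF:FE in the middle and
    flip the universal/local bit (bit 1 of the first octet, RFC 4291 App. A)."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("expected a 48-bit MAC")
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Prefix must be a /64: the interface ID occupies the low 64 bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def link_local(mac: str) -> ipaddress.IPv6Address:
    return eui64_address("fe80::/64", mac)


def solicited_node(addr) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the *address*."""
    a = ipaddress.IPv6Address(addr).packed
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + a[13:])


def dad_probe(target) -> dict:
    """The NS a node sends before using `target`: unspecified source (::),
    solicited-node destination, the tentative address in the target field."""
    t = ipaddress.IPv6Address(target)
    return {"src": "::", "dst": str(solicited_node(t)), "target": str(t)}


def mac_from_eui64(addr):
    """Reverse mapping. An EUI-64 address leaks the hardware MAC, which is why
    privacy extensions use random interface IDs instead."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    return (bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]).hex(":")


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"   # constructed
    ll, ga = link_local(mac), eui64_address("2001:db8:1::/64", mac)
    print(ll, ga)
    print(dad_probe(ll), dad_probe(ga))
    print(mac_from_eui64(ga))
```

Both addresses of one interface share the same low 24 bits, so they map to the same solicited-node group; that is why a node joins only one such group for all of its EUI-64 addresses.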


Advantages of IPv6 over IPv4

1. No concept of broadcast in IPv6; that communication is done through multicast
2. Introduction of RA, an option for stateless address autoconfiguration (SLAAC)
3. A DHCP server is not mandatory in the network
4. No fragmentation by intermediate nodes; only the sending host fragments, relying on Path MTU Discovery (and TCP MSS negotiation), which results in better throughput in the network
5. The header is much simpler compared to IPv4
6. No options field in the header; extension headers are introduced as a replacement, which results in a fixed 40-byte header

Aruba IPv6 Best Practices

1. Default values work and apply for the majority of use cases.
2. IPv6 should be globally enabled.
3. Ensure the "validuser" session ACL does not block IPv6 traffic.
4. Enable BCMC optimization: the knob under the VLAN interface. It is recommended to keep this enabled most of the time, as it drops a lot of random IPv6 multicast traffic.
5. There must not be any ACLs that drop ICMPv6/DHCPv6 traffic. If the deployment uses only SLAAC, then it is acceptable to drop DHCPv6 traffic.

6. If the controller is used to provide RAs:
         - An IPv6 VLAN interface address must be configured that maps to the prefixes configured.
         - A limit of 3 prefixes is enforced.

7. If an external device provides RAs:
        - It is not recommended to advertise too many prefixes in the RA.
        - The controller supports up to four IPv6 user entries in the user table. If a client uses more than
          four IPv6 addresses at a time, the user table is refreshed with the latest four active entries
          without disrupting the traffic flow. However, this may have some performance impact.





Thursday, 2 January 2014

Experiencing India's North East - Nagaland n Meghalaya

Visiting the North East of India was always a dream for me; reading different blogs, I was always fascinated by life in the North East. I wanted to cover the North East at the earliest, before it becomes too commercialized, but never got the right company to do that. In the 2013 winter I made a rough plan to visit the North East with my wife and started collecting information to execute my plan. Soon I understood from different sources that it is not going to be easy for a first-timer to NE with family, considering the different dimensions of the place. I don't have any friends in NE either, so I dropped the plan to go with family and started looking for a friend with a similar mindset, as the NE trip is more of a cultural experience than visiting places. In the middle of nowhere I found someone who was ready for this fascinating trip, and the interesting part was that he has been sitting next to me in the office for the past one year and I never realized it :)

Where to Go
NE consists of the 7 sister states, so we had to decide where to go. We had only 7 days to spend; this was our judgement on the 7 sisters:

Assam – NO. Safety is a concern in lower Assam, and other parts are very much Indianized.
Manipur – NO. Again safety concerns; protests going on against non-Manipuris. A few blasts were reported in the last week targeting only non-Manipuris.
Tripura – NO. Small state, not much to see as per our research.
Meghalaya – YES. The biggest attraction was visiting the living root bridges; also we wanted to spend a day in Asia's cleanest village, Mawllynong.
Nagaland – YES. The Hornbill festival happening in the first week of December; also we wanted to see the Naga culture, "the real head hunters"!!!!
Mizoram – NO. Same reason as in the case of Tripura.
Arunachal Pradesh – YES/NO. We wanted to visit Tawang but we had only 7 days for the trip, so we kept it as a backup plan in case we didn't get entry to Nagaland. Also the Arunachal culture is equally fascinating as the Nagas', but we rated the Nagas slightly above.

On paper the plan looked fine, as we had 7 days and needed to cover only 2 states: 3 days per state and 1 day in Guwahati to get the feel of Assam. Also we would be travelling across Assam on the way to Nagaland. So all set, and the plan was:

Day 1 – Bangalore – Guwahati by flight. From Guwahati to Shillong and from there to Mawllynong (Stay)
Day 2 – Back to Shillong, roam around Shillong (Stay)
Day 3 – Back to Guwahati and catch the train to Dimapur. Roam around Dimapur (Stay)
Day 4 – Dimapur – Kohima. The Hornbill Festival
Day 5 – Explore other parts of Kohima + Hornbill
Day 6 – Hornbill and getting back to Guwahati
Day 7 – Reaching Guwahati and roaming around Guwahati. Catch the evening flight back to Bangalore

But plans went terribly wrong while executing it :)
Rule No 1 :- Never go to NE with a fixed plan; you need to be flexible with your plans.
So here we start

Day 1
We reached Guwahati on time, but on the way to Mawllynong we got into crazy Shillong traffic and lost 3 hours. We reached Mawllynong around 8 PM and spent the day in a homestay inside the village. On the way we stopped at one of the typical Khasi hotels, run by a lady, to taste the local cuisine. We had a campfire at night in the homestay and got the opportunity to taste the local beer. The homestay owner was very friendly and happy to know that we are from Bangalore.

Day 2
We got the unexpected on the 2nd day: the Khasi people (the tribal people of Meghalaya) declared a general strike in Shillong. Their demand was to impose ILP for outsiders to enter Meghalaya. We had to start early from Mawllynong to Shillong as they had announced a rally by 12 PM. On the way we covered the root bridge in Riwai village and it was stunning. We stopped at Elephant Falls as well and reached Shillong by 1 PM. All non-Khasi shops were closed in Shillong and the CRPF was patrolling everywhere. We roamed through the safe areas of Shillong in the evening, but we made sure we never went out of the vicinity of a policeman/army. Khasi youth were conducting rallies in between... we took that also as an experience. Due to this strike we lost the chance to experience the Shillong night market and other attractions.

Day 3
The plan was to reach Dimapur at the earliest and spend a night there. We wanted to see 2 places mainly: the Dimapur gun market and the Kachori ruins. But we got a lot of negative reviews about Dimapur from Shillong and from our taxi drivers, so we dropped our plan of spending a night in Dimapur. Also our train was late, so we decided to go directly to Kohima after reaching Dimapur. Yes, we took the entry to the land of festivals and managed to find a homestay near the Naga Heritage Village. In Kohima we synced with other groups who came for the Hornbill festival. Enjoyed the home-made Naga food and the famous rice beer at night.

Day 4&5
Hornbill festival: it was exactly as I had imagined. A photographer's dream, I would say. I even felt like this is a festival mainly targeting photographers. At first it makes you too excited: tribal dressing, ornaments, weapons, everything will be new to you. After a few days you may feel it repetitive. As they pushed the festival from 7 days to 10 days, I think the content got diluted. The best part is that it is extremely colourful and gives you a platform to see all the tribes together, but most of the time it makes you feel you are watching something orchestrated. All together worth a visit, even though it is not well organized. We visited other places like the night market, dog market, Keeda market etc.

Day 6   
We spent half a day at Hornbill, but another strike was waiting for us, this time in Dimapur (we needed to cross Dimapur on the way to Guwahati). Luckily it was only till 6 PM. We started from Kohima to Guwahati just after the strike and reached Guwahati the next morning.

Day 7
Went to the famous Khamakya temple and did some shopping in Guwahati before catching our flight back to Bangalore.

Things to keep in mind while travelling to NE, especially Meghalaya and Nagaland


1. Sunset is around 4.30 and sunrise at 5.30, so the day is short (in December)
2. Limited public transport options; you have to depend on share taxis
3. Travelling at night is not advisable
4. There are no banks or ATMs outside the cities, so keep cash with you once you travel outside a city
5. As it is recommended to travel only in the daytime, buffer enough time for that
6. Roads are not in good condition and it is a hilly area, so travel on the road takes much more time compared to other parts of India (average 30 km/h)
7. Don't trust the trains; most of them are not on time due to single lines
8. Locals are friendly, but you need to bargain in most places (taxi, hotel, food etc.)
9. Limited options for veggies, especially in Nagaland. Pork, dog, snail, frog: they eat almost everything.
10. People normally use taxis, so you have to trust the driver; we used to track the car using GPS to make sure he was not cheating us
11. Most of the tourist places close by 4 PM; plan accordingly.
12. Nothing much happens after 8 PM in these areas
13. I am a hard-core non-vegetarian but never adjusted to Nagaland food; it has a strange smell.
14. Most of the souvenirs are expensive in Nagaland/Meghalaya; I would recommend doing some shopping in Guwahati, which was much cheaper.
15. A general strike can be declared any moment in NE and it can go on for a week or more, so don't go to NE with a tight schedule like ours.
16. ILP is required to enter Kohima, but they relaxed the rule for the Hornbill festival, so we managed to get in without ILP
17. The army is everywhere in Nagaland; I would say every 100 metres there is an armed personnel
18. We spent almost 25K for the 1-week trip (Dec 2013), which includes accommodation and flight fare; transportation is expensive due to the lack of public transport.

[Photos: Hornbill; Meghalaya; Living Root Bridge; Tribal Naga Women; Hornbill; Hornbill; With Naga Tribals; Mawllynong]