Glossary

3DES (Triple DES)

Applies DES three times to each 64-bit block, normally as encrypt-decrypt-encrypt (EDE) with three independent 56-bit keys. Because the three keys total 168 bits you will see 3DES called 168-bit encryption, although a meet-in-the-middle attack reduces its effective strength to about 112 bits. It keeps the small 64-bit DES block and has been deprecated by NIST; prefer AES for new deployments.



AAA (authentication, authorization, and accounting)

The generic term for the framework that secures remote access by verifying who a user is (authentication), what that user may do (authorization), and what the user did (accounting). The protocols that carry AAA between a network device and a server are Terminal Access Controller Access Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS).



accounting

Allows an administrator to keep track of a number of things, such as the duration of a connection, the amount of traffic transmitted, and the commands that were entered on a device.



administrative distance (AD)

The believability of a route, ranked by the source it was learned from; when two sources offer the same prefix, the lower AD wins. The values are customizable, but the defaults rank Enhanced Interior Gateway Routing Protocol (EIGRP) internal routes (90) as more believable than Open Shortest Path First (OSPF) routes (110), which in turn are more believable than Routing Information Protocol (RIP) routes (120).



ADSL (Asymmetric DSL)

The most popular form of DSL technology. The key to ADSL is that the upstream and downstream bandwidth is asymmetric, or uneven. In practice, the bandwidth from the provider to the user (downstream) is the higher speed path. This difference is in part due to the limitation of the telephone cabling system, but it also accommodates the typical Internet usage, where the majority of data is sent to the user downstream. ADSL is rated for distances up to 18,000 feet.



AES (Advanced Encryption Standard)

The symmetric block cipher (128-bit block; 128-, 192-, or 256-bit key) developed to replace DES. In Cisco IPSec terms it is a privacy transform available to both IP Security (IPSec) and Internet Key Exchange (IKE).



aggressive mode

The faster IKE phase 1 exchange: three messages in total instead of main mode's six. The drawback is that the peers' identities and the authentication hash are exchanged before a protected channel is established, so an eavesdropper learns who is negotiating and, with preshared-key authentication, can run an offline dictionary attack against the key. Use main mode unless the initiator has a dynamic address and cannot be identified any other way.



AH (Authentication Header)

IP protocol 51. Provides data-origin authentication, integrity, and optionally antireplay by computing a keyed hash (the integrity check value, ICV) over the entire datagram except for mutable fields. A mutable field is something like time to live (TTL), which every router in the transmission path modifies. AH provides no encryption, and because the ICV covers the source and destination addresses it does not work through network address translation (NAT).



antenna site

The location where antennas and satellite receivers receive broadcast signals.



asynchronous

A serial connection where each device manages its own timing: every character is framed with start and stop bits so that the receiver can synchronize on it. This framing overhead takes away from the bandwidth left for data.



authentication

A process that happens before a user or device is allowed onto the network. It is the ability to verify their identity and determine whether they should be allowed.



authorization

Indicates what a user is allowed to do on a network. You can control protocols, services, commands, and system levels.



backup circuit

Might be always up but is often a dial-on-demand link. The backup comes up when the primary is down or if the primary is congested and the backup is configured to help.



Basic Rate Interface (BRI)

A dial-on-demand form of ISDN. A BRI consists of two 64Kbps B (bearer) channels for data and one 16Kbps D channel for signaling; the B channels are DS0s, the D channel is not.



BECN (Backward Explicit Congestion Notification)

A bit set by the Frame Relay switch in frames traveling back toward a router, indicating that congestion was encountered on the virtual circuit in the direction that router is sending. It does not mean that the router's frames were discarded; it asks the sender to slow down, for example by reducing its traffic-shaping rate toward the CIR.

See also [FECN]


branch office

Remote locations where smaller groups of people work. Users connect through a LAN but require WAN access to reach the central office.



BRI
See [Basic Rate Interface]
broadband

A type of data transmission in which a single medium (wire) can carry several signals at once. Usually, it transmits using frequency division multiplexing (FDM).



burst rate

A measurement in Frame Relay, which has a committed burst (Bc) and an excess burst (Be). Bc is the number of bits the service provider guarantees to carry in each measurement interval; Be is how far the sender may exceed Bc during that interval, with no guarantee that the excess traffic will make it across the cloud (it is marked discard eligible).



CA (certificate authority)

A trusted third party that eases the establishment of secured communications. A CA issues digital certificates that bind a peer's identity to its public key, and IPSec peers can authenticate each other with those certificates instead of a preshared key. Using a CA allows a virtual private network (VPN) infrastructure to scale to many peers without configuring a pairwise secret for each.



callback

A feature in Point-to-Point Protocol (PPP) that you can configure in two ways. The first allows a user to call in with the router returning the call. The second configures the router to only call a single phone number. You can use callback for security or for bill consolidation.



CBC (Cipher Block Chaining)

A mode of operation for block ciphers such as DES, 3DES, and AES. Each plaintext block is XORed with the previous ciphertext block before it is encrypted, and the first block is XORed with an initialization value (IV). The decrypting IPSec peer needs the same IV; with ESP it is carried in the clear at the start of each packet. The IV need not be secret, but it must be unpredictable and never reused with the same key, and CBC by itself offers no integrity protection.
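The following is an added example, not code from the book: CBC chaining written out over 8-byte (DES-sized) blocks, with a toy invertible block function standing in for DES so that the block runs without a crypto library. The toy function, key, IVs, and message are all constructed for illustration and provide no security; what the block shows is what CBC itself does: identical plaintext blocks encrypt differently, a wrong IV damages only the first block, and flipping one ciphertext bit flips the same bit in the next plaintext block, which is exactly why IPSec pairs encryption with an integrity check.

```python
# Added example: CBC mode over a toy 8-byte block function (not DES, not secure).
BLOCK = 8  # DES-sized block


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES: XOR with the key, then an invertible byte map.
    Constructed for illustration only; it gives CBC something to chain."""
    return bytes(((b ^ k) * 5 + 3) & 0xFF for b, k in zip(block, key))


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    # 205 is the inverse of 5 modulo 256 (5 * 205 = 1025 = 4 * 256 + 1).
    return bytes((((c - 3) * 205) & 0xFF) ^ k for c, k in zip(block, key))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding so the length is a multiple of BLOCK."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C[i] = E(P[i] XOR C[i-1]), with C[-1] = IV."""
    prev, out = iv, bytearray()
    for i in range(0, len(plaintext), BLOCK):
        c = toy_block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out += c
        prev = c
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P[i] = D(C[i]) XOR C[i-1], with C[-1] = IV."""
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += xor(toy_block_decrypt(key, c), prev)
        prev = c
    return bytes(out)


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# Constructed key, IVs and message (the message deliberately repeats a block).
KEY = bytes.fromhex("0123456789abcdef")
IV_A = bytes.fromhex("a1a2a3a4a5a6a7a8")
IV_B = bytes.fromhex("b1b2b3b4b5b6b7b8")
MSG = b"ATTACK AT DAWN. ATTACK AT DAWN. "
PT = pad(MSG)


def roundtrip_ok() -> bool:
    return unpad(cbc_decrypt(KEY, IV_A, cbc_encrypt(KEY, IV_A, PT))) == MSG


def repeated_blocks_hidden() -> bool:
    """Plaintext blocks 0 and 2 are equal; the chaining makes the ciphertext blocks differ."""
    p, c = blocks(PT), blocks(cbc_encrypt(KEY, IV_A, PT))
    return p[0] == p[2] and c[0] != c[2]


def iv_changes_ciphertext() -> bool:
    return cbc_encrypt(KEY, IV_A, PT) != cbc_encrypt(KEY, IV_B, PT)


def wrong_iv_damages_first_block_only() -> bool:
    ct = cbc_encrypt(KEY, IV_A, PT)
    got, want = blocks(cbc_decrypt(KEY, IV_B, ct)), blocks(PT)
    return got[0] != want[0] and got[1:] == want[1:]


def bit_flip_is_predictable() -> bool:
    """Flip bit 0 of C[0]: P[0] is garbled, but P[1] gets exactly that bit flipped.
    This malleability is why CBC needs a MAC (AH or ESP authentication)."""
    ct = bytearray(cbc_encrypt(KEY, IV_A, PT))
    ct[0] ^= 0x01
    got, want = blocks(cbc_decrypt(KEY, IV_A, bytes(ct))), blocks(PT)
    return (got[0] != want[0]
            and got[1][0] == want[1][0] ^ 0x01
            and got[1][1:] == want[1][1:]
            and got[2:] == want[2:])


if __name__ == "__main__":
    print("roundtrip", roundtrip_ok(), "bit flip predictable", bit_flip_is_predictable())
```

The last function is the one to study: an attacker who cannot read the traffic can still change chosen bits of a block in transit, so encryption without ESP authentication or AH is not enough on its own.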



CD (Carrier Detect)

Generated by data circuit terminating equipment (DCE), indicates that a DCE-to-DCE connection has been established.



central site

The main office where the majority of a corporation is located, usually the destination point for remote users and branch offices.



channel

A distinct amount of bandwidth, usually allowing 64Kbps but possibly 56Kbps, depending on the line code in use.



CHAP (Challenge Handshake Authentication Protocol)

Used by PPP to authenticate a peer without sending its password across the link. The authenticator sends a random challenge and an identifier; the peer replies with the 128-bit MD5 hash of the identifier, its secret, and the challenge; the authenticator recomputes the hash with its own copy of the secret and compares. Because the secret itself never crosses the wire and each challenge is fresh, a captured response cannot simply be replayed. The price is that both sides must store the secret in cleartext, and a weak secret can be guessed offline from one captured challenge and response.
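The three-way handshake described above, as an added example that is not part of the book: the response is MD5(Identifier || secret || Challenge) as RFC 1994 specifies, and the final function shows what an eavesdropper can do with one captured exchange. The peer name, secret, and wordlist are constructed for illustration.

```python
# Added example: CHAP (RFC 1994) challenge/response, plus the offline-guessing caveat.
import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response = MD5(Identifier || secret || Challenge): 16 bytes (128 bits)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The router side. Note that it must hold each peer's secret in cleartext."""

    def __init__(self, secrets_by_name: dict):
        self.secrets_by_name = secrets_by_name
        self.identifier = 0

    def challenge(self):
        """Message 1: a fresh random challenge and an 8-bit identifier."""
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, secrets.token_bytes(16)

    def verify(self, identifier: int, challenge: bytes, name: bytes, response: bytes) -> bool:
        """Message 3: recompute and compare in constant time (success/failure)."""
        secret = self.secrets_by_name.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def peer_answer(identifier: int, challenge: bytes, name: bytes, secret: bytes):
    """Message 2: the peer's name and hashed response; the secret stays local."""
    return name, chap_response(identifier, secret, challenge)


def run_handshake(auth: Authenticator, name: bytes, secret: bytes):
    """Returns (authenticated?, what an eavesdropper on the link would capture)."""
    ident, chal = auth.challenge()
    name_sent, resp = peer_answer(ident, chal, name, secret)
    return auth.verify(ident, chal, name_sent, resp), (ident, chal, resp)


def offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist):
    """Dictionary attack on a captured exchange: no interaction with the router needed."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed peer database; a real router reads these from its configuration or AAA.
    auth = Authenticator({b"branch1": b"s3cret"})
    ok, (ident, chal, resp) = run_handshake(auth, b"branch1", b"s3cret")
    print("authenticated:", ok)
    print("guessed from capture:", offline_guess(ident, chal, resp, [b"cisco", b"s3cret"]))
```

The replay check in the test below fails because the router issues a new challenge for every attempt; the offline guess succeeds because nothing in the exchange rate-limits an attacker who already holds the capture, which is the reason to use long random CHAP secrets.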



character mode

Often referred to as line mode. The data is destined to the router, specifically to a TTY, VTY, aux, or con port, most likely for configuration and maintenance reasons.



CIR (committed information rate)

The amount of bandwidth that the service provider has guaranteed. Anything in excess of this value may be discarded without breaching any contracts.



circuit switching

The switching system in which a dedicated physical circuit path must exist between the sender and the receiver for the duration of the "call." It is used heavily in the telephone company network. Circuit switching can be contrasted with contention and token passing as a channel-access method and with message switching and packet switching as a switching technique.



CiscoSecure Access Control Server (CSACS)

What provides a Cisco network with AAA capabilities. It is available on UNIX and Windows platforms.



CM (cable modem)

A modulator-demodulator at subscriber locations for use in conveying data packets on a cable television system.



CMTS (cable modem termination system)

A system of devices located in the headend that allows cable providers to offer high-speed Internet access. The CMTS provides many of the same functions provided by the DSL access multiplexer (DSLAM) in a DSL system.



CO (central office)

The local telephone company office to which all local loops in a given area connect and in which circuit switching of subscriber lines occurs.



coaxial cable

A type of wire that consists of a center wire surrounded by insulation and then a grounded shield of braided wire. The shield minimizes electrical and radio frequency interference. Coaxial cable suffers from attenuation, which is the weakening of the signal due to resistance. Coaxial cable is the primary type of cabling used by the cable television industry.



compression

A method of reducing transmitted data by using an algorithm that reduces the number of bits needed to describe a particular data stream, thus reducing bandwidth usage.



cryptosystem

The system that performs encryption, decryption, hashing, authentication, and key management.



CSU/DSU (channel service unit/data service unit)

Basically a conversion device. It sits between the telco's connection, T1, and your network router. It is used to terminate and convert the signal into a usable format by the router. Some routers use an internal CSU/DSU; others require an external device to perform the function.



CTS (Clear to Send)

Generated by DCE, indicates that the DCE has buffers to receive data from the DTE.



custom queuing (CQ)

A mechanism where all queues have the same priority but some can have more traffic removed from them at a time than others. Each queue is serviced in a round-robin fashion.



DCE (data circuit terminating equipment)

The physical equipment on a network that connects to the outside world and the underlying WAN network. This device provides the clocking on a network.



decryption

The process of taking ciphertext and converting it back into cleartext so that authorized users can view it.



dedicated connection

A WAN connection that has guaranteed bandwidth from one point to another. A dedicated connection is analogous to a single Ethernet connection from one branch to another.



DES (Data Encryption Standard)

A symmetric block cipher with a 64-bit block and a 56-bit key, used to encrypt and decrypt packet data. The key is short enough to be found by brute force with modest hardware, so DES should not be used for new deployments.



dial backup

A dial-on-demand circuit configured to dial and connect if a primary link is unavailable.



Diffie-Hellman (D-H)

A public-key cryptography protocol that allows two parties to establish a shared secret key over an insecure communications channel without ever transmitting the secret. IKE negotiates which D-H group to use: group 1 uses a 768-bit modulus, group 2 a 1024-bit modulus, and larger groups exist. Both 768- and 1024-bit moduli are now considered too small, and D-H by itself does not authenticate the peers, which is why IKE combines it with preshared keys or certificates.
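An added example (not from the book) of the exchange with the group 2 parameters: both sides pick a private exponent, trade public values, and arrive at the same secret. The modulus is the 1024-bit Oakley group 2 prime from RFC 2409 transcribed here; the block rechecks that it is a safe prime with Miller-Rabin, the test a practitioner would want before trusting any group, and it rejects the degenerate public values 0, 1, and p-1 that would force a predictable secret. Everything else (the key derivation IKE performs afterwards, the identities) is left out.

```python
# Added example: IKE-style Diffie-Hellman with the RFC 2409 group 2 modulus.
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP), generator 2. Transcribed from the
# RFC; safe_prime_ok() rechecks it so a copying error fails loudly.
P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G_GROUP2 = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; 16 rounds leaves a negligible error."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_ok(p: int = P_GROUP2) -> bool:
    """A safe prime (p and (p-1)/2 both prime) has no small subgroups to be forced into."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def keypair(p: int = P_GROUP2, g: int = G_GROUP2):
    """Private exponent x in [1, p-2] and the public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def shared_secret(private: int, peer_public: int, p: int = P_GROUP2) -> int:
    """Reject 0, 1 and p-1: those peer values pin the result to a value the sender knows."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def ike_style_exchange(p: int = P_GROUP2, g: int = G_GROUP2):
    """Initiator and responder each compute the secret from the other's public value."""
    xi, yi = keypair(p, g)   # initiator: private, public
    xr, yr = keypair(p, g)   # responder: private, public
    return shared_secret(xi, yr, p), shared_secret(xr, yi, p)


def rejects_degenerate(p: int = P_GROUP2) -> bool:
    x, _ = keypair(p)
    try:
        shared_secret(x, p - 1, p)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    ki, kr = ike_style_exchange()
    print("group 2 safe prime:", safe_prime_ok(), "secrets match:", ki == kr)
```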



distribution network

The trunk or backbone made of fiber and coaxial cabling that brings the signal to the subscriber drop.



DLCI (data-link connection identifier)

Identifies the Frame Relay circuit that will go from one device to another.



DOCSIS (Data Over Cable Service Interface Specification)

Defines interface standards for CMs and supporting equipment. Developed by CableLabs and approved by the International Telecommunications Union (ITU) in March 1998, version 1.0 was the first standard and version 1.1 added VoIP capabilities. Version 2.0 is currently in the works and should allow for 30Mbps in the upstream path.



Downstream

The transmission from the headend to a subscriber, also called the forward path.



DSL (digital subscriber line)

Refers collectively to all types of digital subscriber lines. DSL technologies use sophisticated modulation schemes to pack data onto copper wires. They are referred to as last-mile technologies because they are used only for connections from a central office to a home or office.



DSLAM (DSL access multiplexer)

Terminates DSL connections at the CO. DSLAM is a device that connects many lines to a network by multiplexing the DSL traffic onto one or more network trunk lines.



DS0
See [channel]
DSR (Data Set Ready)

Pin 6 of the Electronic Industries Association/Telecommunications Industry Association (EIA/TIA)-232 interface standard. Generated by the DCE, it informs the DTE that it is ready for use.



DTE (data terminal equipment)

A device on the customer side of a carrier network that accepts the clocking or synchronization from the DCE device.



DTR (Data Terminal Ready)

Pin 20 of the EIA/TIA-232 interface standard. Generated by the DTE, it informs the DCE that it is ready to receive an incoming call.



EIA/TIA-232-C

The finalized standard for serial connections. EIA/TIA-232-C standardized on a 25-pin connector.



encryption

The process of taking cleartext and converting it into ciphertext to protect it from unauthorized viewing. There are two types of encryption: symmetric, which uses a single shared secret key, and asymmetric, which uses a public and private key.



error detection and correction

When the modem detects that data has changed since it was sent and requests that the data be retransmitted. Error detection is the realization that data has changed. Error correction is the request for a retransmission of the data.



ESP (Encapsulating Security Payload)

IP protocol 50. Provides confidentiality (encryption) and optionally integrity, data-origin authentication, and antireplay. The E stands for encapsulating: ESP wraps the protected data between an ESP header and trailer, so in tunnel mode the entire original IP packet is encapsulated and in transport mode only the payload is. Because the ESP integrity check does not cover the outer IP header, ESP survives NAT of the addresses; where the NAT device also rewrites ports, NAT traversal (NAT-T), which carries ESP inside UDP port 4500, is needed.



FECN (Forward Explicit Congestion Notification)

A bit set by the Frame Relay switch in frames traveling toward the destination when those frames passed through a congested path. Like BECN it is a warning, not a notice that a frame was discarded; frames become candidates for discard when they exceed the CIR and carry the discard eligible (DE) bit.

See also [BECN]


global address

An address outside the organization. An example is an address on the Internet.



G.SHDSL

Also known as G.991.2, an international standard for Symmetric DSL (SDSL) developed by the ITU. This is the first DSL technology to be developed from the ground up as an international standard; it supports longer distances (28,000 feet) and is predicted to be the most adopted standard in the future.



hashing

Uses a one-way function to convert a message of any length into a fixed-size digest, or hash, that is used to detect tampering. A plain hash protects only against accidental change, because anyone who alters the message can recompute it; for message authentication the hash is keyed (HMAC) with a secret shared by the two peers. The sender computes the keyed hash of the message and sends it along with the message; the recipient recomputes the hash over the received message with the same key and compares the two values. A match shows that the message is intact and came from a holder of the key. Common algorithms include Message Digest 5 (MD5) and Secure Hash Algorithm-1 (SHA-1); both are now broken for collision resistance, although their HMAC forms survive in legacy IPSec configurations.



headend

Similar to a telephone company's CO. This is where the signals are processed and formatted for transmission onto the distribution network.



HDSL (High data rate DSL)

Used as a replacement for T1 or E1 services. The distances are limited to 12,000 feet.



HFC (hybrid fiber coax)

Provides two-way, high-speed data access to the home using a combination of fiber optics and coaxial cable. Each channel, upstream and downstream, gets a 6MHz channel to transmit and receive its signals. Downstream gets 50 to 860MHz, and upstream gets 5 to 42MHz.



HMAC-MD5 (Message Authentication Codes using Hashing-Message Digest 5)

A keyed-hash message authentication code built on MD5: the shared secret key is 128 bits, the digest 128 bits, and AH and ESP carry only the leftmost 96 bits (HMAC-MD5-96). IKE, AH, and ESP can use it for authentication and integrity.



HMAC-SHA-1

A keyed-hash message authentication code built on SHA-1: the shared secret key is 160 bits, the digest 160 bits, and AH and ESP carry only the leftmost 96 bits (HMAC-SHA-1-96). IKE, AH, and ESP can use it for authentication and integrity; prefer it over HMAC-MD5.
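An added example, not from the book, serving the hashing, HMAC-MD5, and HMAC-SHA-1 entries above: it builds HMAC from its definition, H((K xor opad) || H((K xor ipad) || message)), checks the result against Python's library implementation, and then produces and verifies the 96-bit truncated integrity check value (ICV) the way AH and ESP carry it. The keys and the "datagram" are constructed for illustration; the key lengths (16 bytes for MD5, 20 for SHA-1) are the ones the IPSec transforms use.

```python
# Added example: HMAC from its definition, and the HMAC-*-96 ICV used by AH and ESP.
import hashlib
import hmac

ICV_LEN = 12                       # 96 bits, per RFC 2403 (MD5) and RFC 2404 (SHA-1)
KEY_LEN = {"md5": 16, "sha1": 20}  # key sizes the IPSec transforms use


def hmac_manual(hash_name: str, key: bytes, msg: bytes) -> bytes:
    """HMAC = H((K ^ opad) || H((K ^ ipad) || msg)), K zero-padded to the block size."""
    def h(data: bytes = b""):
        return hashlib.new(hash_name, data)
    block = h().block_size          # 64 bytes for both MD5 and SHA-1
    if len(key) > block:
        key = h(key).digest()
    key = key.ljust(block, b"\x00")
    inner = h(bytes(k ^ 0x36 for k in key) + msg).digest()
    return h(bytes(k ^ 0x5C for k in key) + inner).digest()


def icv(hash_name: str, key: bytes, data: bytes) -> bytes:
    """Truncated keyed hash as it appears in an AH header or ESP trailer."""
    if len(key) != KEY_LEN[hash_name]:
        raise ValueError(f"{hash_name} transform expects a {KEY_LEN[hash_name]}-byte key")
    return hmac.new(key, data, hash_name).digest()[:ICV_LEN]


def verify_icv(hash_name: str, key: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time, as the receiving peer does."""
    return hmac.compare_digest(icv(hash_name, key, data), tag)


# Constructed keys and a constructed, human-readable stand-in for a datagram.
KEY_MD5 = bytes(range(16))
KEY_SHA = bytes(range(20))
DATAGRAM = b"SRC=10.1.1.5 DST=10.2.2.8 PAYLOAD=transfer 100"
TAMPERED = DATAGRAM.replace(b"100", b"900")


def manual_matches_library(hash_name: str, key: bytes) -> bool:
    return hmac_manual(hash_name, key, DATAGRAM) == hmac.new(key, DATAGRAM, hash_name).digest()


def plain_hash_is_forgeable() -> bool:
    """Anyone can recompute an unkeyed digest over a modified message, so it proves nothing."""
    forged = hashlib.md5(TAMPERED).digest()
    return forged == hashlib.md5(TAMPERED).digest()   # the "check" passes for the attacker


def tamper_detected(hash_name: str, key: bytes) -> bool:
    tag = icv(hash_name, key, DATAGRAM)
    return verify_icv(hash_name, key, DATAGRAM, tag) and not verify_icv(hash_name, key, TAMPERED, tag)


def wrong_key_detected(hash_name: str, key: bytes) -> bool:
    other = bytes(b ^ 0xFF for b in key)
    return not verify_icv(hash_name, other, DATAGRAM, icv(hash_name, key, DATAGRAM))


if __name__ == "__main__":
    print("HMAC-SHA-1-96 ICV:", icv("sha1", KEY_SHA, DATAGRAM).hex())
    print("tamper detected:", tamper_detected("sha1", KEY_SHA))
```

The two hashes inside HMAC are what make it safe to use with MD5 and SHA-1 despite their collision weaknesses; a bare H(key || message) construction would be open to length-extension, which the nested form prevents.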



home office

A location where a user works out of his or her home, usually using a dial-on-demand connection. Broadband is changing this situation.



IDSL (ISDN DSL)

Uses 2B1Q line coding and the full bandwidth of two 64Kbps bearer channels plus one 16Kbps delta channel. Major benefits of switching to IDSL from ISDN are the always-on connection, no call setup, and flat rate billing instead of per-minute fees. Distances can be 18,000 feet.



IKE (Internet Key Exchange)

A hybrid protocol that combines the ISAKMP framework with the Oakley and SKEME key exchange schemes to authenticate IPSec peers and negotiate security associations. Strictly, ISAKMP defines the message formats and IKE defines how they are used, but Cisco materials (and the IOS crypto isakmp commands) use the two terms interchangeably.



inside global address

A legitimate address on the public or external network, usually provided by your ISP. It is the translated address that the outside world sees and that the NAT device maps back to your inside local address.



inside local address

The IP address assigned to a host on the private or internal network. It is usually based on RFC 1918.



interface

The connection between two systems or devices. The physical ports on a router that the media plugs into, such as serial, Ethernet, ISDN, console, aux, and so on, are examples of interfaces.



Inverse-Address Resolution Protocol (ARP)

A Frame Relay mechanism for discovering the network address of a device on the far end of a link and mapping that network address to a DLCI.



IPSec (IP Security)

A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.



ISAKMP (Internet Security Association and Key Management Protocol)

Provides authentication of IPSec peers, negotiation of IKE and IPSec security associations (SAs), and the establishment of keys for IPSec encryption algorithms.



ISDN (Integrated Services Digital Network)

A WAN technology utilizing a standard single pair of wires from the telephone company to provide a higher bandwidth connection to a fixed location. ISDN basic rate allows for 2 B (bearer) channels at up to 64Kbps each for a maximum throughput of 128Kbps, plus a single 16Kbps D (data, or delta) channel for signaling, call setup, and call disconnection.



IV (initialization value)

Input parameter that sets the starting state of a cryptographic algorithm or mode.



keepalives

Pieces of information that flow between two devices. The purpose is for each device to alert the other that it is still online and available.



key

The information used to set up and possibly change operations of a cryptosystem, usually random binary digits. You can think of it as x (71,399 * x = hash), which is not technically accurate, but you get the point.



key management

The control of keys generated, stored, revoked, transferred, and used.



LMI (Local Management Interface)

The signaling standard between the CPE device and the Frame Relay switch. It is responsible for managing and maintaining the connection. The three LMI types are Cisco, ANSI, and Q933A.



load

A measure of bandwidth usage, often used with a backup configuration to allow the backup connection to come up and help the primary when the primary becomes congested.



local address

An address inside a network using NAT.



low-latency queuing

An add-on to class-based weighted fair queuing. LLQ allows a high level of prioritization for voice traffic as well as bandwidth allocation for nonvoice traffic.



main mode

The recommended mode for IKE phase 1. It is a touch slower than aggressive mode, but more secure: it consists of six messages, three in each direction, and the peers' identities are exchanged only after the Diffie-Hellman secret is in place, so they are not visible to an eavesdropper.



map class

In dial-on-demand routing, configures per-destination parameters such as the idle timeout or the dialer speed; in Frame Relay, a map class carries the traffic-shaping parameters (CIR, Bc, Be) applied to a DLCI.



modemcap database

The internal database built into the Cisco IOS that defines the modems which can be automatically detected by the router. You can modify and add to this database.



multilink

Connecting two or more distinct circuits together to be represented by a single larger virtual circuit.



NAT (network address translation)

Provides a method for address conservation and the ability to translate local addresses for use on the Internet. NAT is typically used to place a network behind a set of nonpublicly routable addresses, such as the RFC 1918 10.0.0.0/8 network. Hiding internal addresses is a side effect, not a security control; NAT does not replace a firewall policy.



negotiation

The process of two devices communicating and sharing what they are capable of, for the purpose of forming a communications connection.



nonbroadcast multi-access (NBMA)

A network that connects more than two devices but does not natively deliver broadcast or multicast traffic to all of them, in contrast to a broadcast medium such as Ethernet. Frame Relay, ATM, and X.25 are NBMA. On a Frame Relay multipoint interface, routing protocol broadcasts are forwarded only to DLCIs whose map entries allow them, either through the broadcast keyword on a manual frame-relay map or through mappings learned by Inverse-ARP.



NTSC (National Television System Committee)

Responsible for setting television and video standards in the United States. It uses a 6MHz modulated signal.



outside global address

Someone else's inside global address, an address of an external host on the public network, or a routable address provided by the ISP.



outside local address

An IP address of an outside host as it appears to the private or internal network. Not necessarily a legitimate address, it is allocated from the inside address space. It is usually based on RFC 1918.



overlapping

A scenario where the same addresses are used on two different networks and the networks are trying to reach each other. You can use NAT to make this scenario possible.



overloading

A NAT scenario where all outbound address translations use the same address. Port numbers are used for uniqueness. It is also referred to as port address translation (PAT) because it uses ports.



oversubscription

Where there is more traffic than there is available bandwidth.



packet mode

Also known as interface mode. The data passes through the router from one network to another through such ports as async, BRI, Primary Rate Interface (PRI), serial, and dialer interfaces.



packet switching

Networking method in which nodes share bandwidth with each other by sending packets. Compare with circuit switching.



PAL (Phase Alternating Line)

The dominant television standard in Europe. It uses a 6MHz, 7MHz, or 8MHz modulated signal, depending on the version.



PAT (port address translation)

Translation method that allows the user to conserve addresses in the global address pool by translating the source ports of TCP connections or User Datagram Protocol (UDP) conversations as well as the addresses. Different local addresses then map to the same global address, with port translation providing the necessary uniqueness; return traffic is matched on the translated port, and inbound packets that match no entry are dropped.
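The translation described under overloading and PAT, as an added example that is not part of the book: a minimal PAT table that rewrites outbound packets to one inside global address, keeps the original source port when it is free and picks another when two inside hosts collide, maps replies back to the inside local host, and drops inbound packets for which no entry exists. The addresses are from the RFC 5737 documentation ranges and the packets are constructed; the port-allocation policy is this example's, not a statement of how any particular router allocates ports.

```python
# Added example: a minimal PAT (NAT overload) translation table.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class PatTranslator:
    """One inside global address shared by every inside host; ports give uniqueness."""

    def __init__(self, inside_global: str, first_port: int = 1024, last_port: int = 65535):
        self.inside_global = inside_global
        self.first_port, self.last_port = first_port, last_port
        self.out_table = {}   # (proto, inside_local, local_port) -> global_port
        self.in_table = {}    # (proto, global_port) -> (inside_local, local_port)

    def _allocate(self, proto: str, wanted: int) -> int:
        # Keep the original source port when nobody else holds it; otherwise take the
        # next free port from the configured range (example policy, an assumption).
        if (proto, wanted) not in self.in_table:
            return wanted
        for port in range(self.first_port, self.last_port + 1):
            if (proto, port) not in self.in_table:
                return port
        raise RuntimeError("translation table full")

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite source address and port, creating an entry if needed."""
        key = (pkt.proto, pkt.src, pkt.sport)
        gport = self.out_table.get(key)
        if gport is None:
            gport = self._allocate(pkt.proto, pkt.sport)
            self.out_table[key] = gport
            self.in_table[(pkt.proto, gport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.inside_global, sport=gport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite destination from an existing entry, else drop (None)."""
        if pkt.dst != self.inside_global:
            return None
        entry = self.in_table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        local_ip, local_port = entry
        return replace(pkt, dst=local_ip, dport=local_port)


def demo():
    """Two inside hosts using the same source port, one reply, one unsolicited packet."""
    nat = PatTranslator("203.0.113.2")
    a = Packet("tcp", "10.1.1.5", 40000, "198.51.100.7", 443)
    b = Packet("tcp", "10.1.1.6", 40000, "198.51.100.7", 443)   # same sport as a
    ta, tb = nat.outbound(a), nat.outbound(b)
    reply_to_b = Packet("tcp", "198.51.100.7", 443, "203.0.113.2", tb.sport)
    back = nat.inbound(reply_to_b)
    unsolicited = nat.inbound(Packet("tcp", "198.51.100.7", 12345, "203.0.113.2", 22))
    return ta, tb, back, unsolicited


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The dropped unsolicited packet is the "hiding" effect people attribute to NAT; note that it hinges on table state, not on policy, so a forwarded port or a stale entry reopens the path.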



PCM (pulse code modulation) encoding

Technique of encoding analog voice into a 64Kbps data stream by sampling with 8-bit resolution at a rate of 8,000 times per second.



port

In IP terminology, a 16-bit field in both the TCP and UDP headers that identifies the sending and receiving service. Ports are numbered 0 through 65535 for each of TCP and UDP, and each number is associated with a specific process or service; port 0 is reserved, and the low-numbered well-known ports are assigned to standard services.



PPP (Point-to-Point Protocol)

An encapsulation protocol that you can use on serial links as well as some Ethernet implementations. PPP provides several functions such as multilink, callback, authentication, and compression.



PPPoA (PPP over Asynchronous Transfer Mode [ATM])

A routed solution by which the CPE routes packets to the aggregation router. No host-based software is required as with PPPoE.



PPPoE (PPP over Ethernet)

A bridged solution covered in RFC 2516. Ethernet frames are bridged over ATM as with RFC 1483/2684, but this time, the Ethernet packets encapsulate PPP. The PPP session is established between the end-user PC and the aggregation router.



preshared key

A shared secret key or password that is usually entered manually on each peer and used to authenticate the peers when setting up an SA. Its security is only as good as its length and randomness and the care taken with the configuration files that hold it.



PRI
See [Primary Rate Interface]
primary

The circuit that the organization wants up most of the time. If the primary is not available, the backup takes over.



Primary Rate Interface (PRI)

A bundle of 64Kbps DS0 channels carried on a T1 (23 B channels plus one 64Kbps D channel) or an E1 (30 B channels plus one D channel).



priority queuing (PQ)

A queuing strategy that places traffic into one of four queues: high, medium, normal, or low. A higher queue must be totally empty before a packet is taken from a lower-ranking queue, so a steady stream of high-priority traffic can starve the lower queues entirely.



profile

The logical component of a dial-on-demand routing (DDR) configuration. You use the profile to separate physical interface configurations from logical components such as encapsulation or phone numbers.



Q.921

The ISDN layer 2 standard (LAPD) that defines signaling between the router and the telco switch.



Q.931

The ISDN layer 3 standard that defines call setup, maintenance, and teardown between an end device and the network.



reference point

Defines for ISDN a set of standards for interconnecting two devices.



rotary group

Used when there is a single phone number and multiple modems that can service calls. All users can dial the same number, and no one gets a busy signal until all the modems are busy.



SA (security association)

The set of security parameters (algorithms, keys, lifetimes) that two peers have negotiated from the available options. The IKE SA is bidirectional and protects the negotiation itself; IPSec SAs are unidirectional, so each protected flow needs one inbound and one outbound SA, and they are protocol specific (AH or ESP), each identified by a security parameter index (SPI).



SDSL (Symmetric DSL)

Designed more for business. The line speed is the same in both directions, allowing for greater upstream speeds than ADSL, and it is generally used as a substitute for T1/E1. SDSL is becoming popular as a way to provide full-duplex symmetric data communication. The greater available bandwidth for upstream communication can handle requests for services hosted at the customer's site. Distances can be up to 12,000 feet.



spectrum reuse

Takes advantage of a "sealed" cable or network. A cable company can place signals on a wire that they could otherwise not use. Because the signal is trapped within, it doesn't conflict with other signals.



subscriber drop

The connection from your television to the distribution network, consisting of the cable, set-top box, grounding, and attachment hardware.



synchronous

A serial connection where the sending and receiving of packets on the network is managed by one single source. All traffic is synchronized based on a clocking signal on the line. When a line uses a standard clock, more bandwidth can be dedicated to the actual transmission of data.



T1/T3

Speed standards utilized in the United States. A T1 has a bandwidth capacity of 1.544Mbps, and a T3 has a capacity of 44.736Mbps (28 T1s).



TACACS+ (Terminal Access Controller Access Control System)

A Cisco proprietary AAA protocol for use with the CSACS. It runs over TCP (port 49), encrypts the entire packet body (only the header is cleartext, whereas RADIUS obscures only the password), separates authentication from authorization so that per-command authorization is possible, and can hand authentication to other methods such as Kerberos.



traffic shaping

Configuring a router to buffer and delay traffic so that it conforms to a configured rate, such as the Frame Relay CIR, smoothing bursts instead of letting the provider discard them. Shaping controls the rate at which traffic leaves an interface or DLCI; deciding which traffic goes first is the job of the queuing mechanisms (PQ, CQ, WFQ, LLQ).



transform sets

Define the combination of IPSec algorithms used to protect a flow. A transform set names the AH transform (such as ah-sha-hmac) and/or the ESP encryption and authentication transforms (such as esp-aes with esp-sha-hmac), plus the mode (tunnel versus transport); the two peers must share at least one matching transform set for the IPSec SA to come up.



transportation network

Often found between the antenna site and headend or the headend and the distribution network. It is used when necessary to maintain the link.



transport mode

Used for end-host-to-end-host communication. Security is applied to the payload (transport layer and above) while the original IP header stays in place, so the addresses are exposed and the original IP address is used to traverse the network. Tunnel mode is more common.



tunnel

A virtual point-to-point connection that carries traffic of one protocol encapsulated in another. In IPSec tunnel mode the whole original IP packet, header included, is protected and placed inside a new IP packet, so the network routes on the new header and only the security gateways need to know that encryption is taking place; the end hosts are unaware of it.



Upstream

The transmission from a subscriber to the headend, also called the return or reverse path.



VDSL (Very high data rate DSL)

Transmits data in the 13Mbps to 55Mbps range over short distances, usually between 1,000 and 4,500 feet. The shorter the distance, the faster the connection rate.



VPN (virtual private network)

Enables IP traffic to travel securely over any network by encrypting traffic from one network to another. VPNs are often associated with tunneling.



WAN (wide-area network)

Makes data connections across a broad geographical area. Much like a LAN but bigger in scope, a WAN uses various broadband and leased connections to provide connectivity.



weighted fair queuing (WFQ)

An extension to first-in, first-out queuing. The router sorts packets by the time their last bit arrives and forwards in that order, which favors small packets and low-volume conversations over large transfers that would otherwise monopolize the link.
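An added example, not from the book, for the custom queuing and priority queuing entries: a small scheduler simulation that drains the same two queues under each discipline with a fixed transmit budget. It shows the starvation that PQ causes when the high queue never empties, and the proportional sharing that CQ's per-queue byte counts give. The packet sizes, byte counts, and budget are constructed; the CQ rule used here (keep sending from a queue until its byte count is used up, letting the last packet overshoot) is the classic behaviour described for Cisco custom queuing and is stated as an assumption.

```python
# Added example: priority queuing versus custom queuing over the same traffic.
from collections import deque


def priority_queuing(queues: dict, budget: int) -> dict:
    """PQ: always serve the highest-ranked non-empty queue (dict order = rank)."""
    sent = {name: 0 for name in queues}
    remaining = budget
    while remaining > 0:
        for name, q in queues.items():
            if q and q[0] <= remaining:
                remaining -= q.popleft()
                sent[name] += 1
                break
        else:
            break          # nothing left that fits in the budget
    return sent


def custom_queuing(queues: dict, byte_counts: dict, budget: int) -> dict:
    """CQ: round-robin; each visit sends from a queue until its byte count is spent.
    The last packet may overshoot the count (assumed classic behaviour)."""
    sent = {name: 0 for name in queues}
    remaining = budget
    while remaining > 0:
        progressed = False
        for name, q in queues.items():
            allowance = byte_counts[name]
            while q and allowance > 0 and q[0] <= remaining:
                size = q.popleft()
                allowance -= size
                remaining -= size
                sent[name] += 1
                progressed = True
        if not progressed:
            break
    return sent


def sample_queues() -> dict:
    """Constructed load: a never-ending high queue and a small low queue, 1000-byte packets."""
    return {"high": deque([1000] * 20), "low": deque([1000] * 5)}


def compare(budget: int = 10000) -> tuple:
    pq = priority_queuing(sample_queues(), budget)
    cq = custom_queuing(sample_queues(), {"high": 3000, "low": 1000}, budget)
    return pq, cq


if __name__ == "__main__":
    pq, cq = compare()
    print("PQ sent:", pq)   # the low queue never gets a turn
    print("CQ sent:", cq)   # roughly 3:1 in favour of high, low still served
```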





CCNP BCRAN Remote Access Exam Cram 2 (Exam Cram 640 - XXX)
Year: 2003
Pages: 183