A
AAA
Authentication, Authorization, and Accounting. Pronounced "triple-A."
AAL5-SNAP
ATM Adaptation Layer 5 Subnetwork Access Protocol.
AAL5-MUX
ATM Adaptation Layer 5 Multiplexing.
access control, access control rule
Information entered into the configuration that specifies what type of traffic to permit or deny on an interface. By default, traffic that is not explicitly permitted is denied. Access control rules are composed of access control entries (ACEs), which are evaluated in order: the first matching entry decides, so the order of entries matters.
ACE
access control entry. An entry in an ACL that specifies a source host or network and whether traffic from that host is permitted or denied. An ACE can also specify a destination host or network and the type of traffic.
ACL
access control list. Information on a device that specifies which entities are permitted to access that device or the networks behind that device. Access control lists consist of one or more access control entries (ACE).
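The first-match and implicit-deny behaviour described in the entries above, as an added example that is not part of this glossary or of Cisco SDM. The rule notation, the Packet and Ace classes and the sample rule set are this example's own hypothetical constructs, not Cisco IOS access-list syntax; the sample rules and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example (not Cisco SDM code). The rule syntax, Packet and Ace
# classes are this example's own, hypothetical constructs.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.IPv4Address(pkt.src) not in self.src:
            return False
        if ipaddress.IPv4Address(pkt.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.dport

def _net(token: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network("0.0.0.0/0" if token == "any" else token, strict=False)

def parse_ace(line: str) -> Ace:
    """Parse one entry written as '<permit|deny> <proto> <src> <dst> [eq <port>]'.

    Source and destination are CIDR prefixes or the word 'any'. This is the
    example's own notation, not Cisco IOS access-list syntax.
    """
    parts = line.split()
    action, proto, src, dst = parts[:4]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    dport = int(parts[5]) if len(parts) == 6 and parts[4] == "eq" else None
    return Ace(action, proto, _net(src), _net(dst), dport)

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt: the first matching ACE decides,
    and a packet that matches no ACE falls through to the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

# Constructed sample rule set: block Telnet to one server but allow other TCP
# to it from the inside LAN, and allow DNS queries to one resolver from anywhere.
SAMPLE_ACL = [parse_ace(l) for l in (
    "deny   tcp 10.0.0.0/24 192.0.2.10/32 eq 23",
    "permit tcp 10.0.0.0/24 192.0.2.10/32",
    "permit udp any 192.0.2.53/32 eq 53",
)]

if __name__ == "__main__":
    for pkt in (Packet("10.0.0.5", "192.0.2.10", "tcp", 23),
                Packet("10.0.0.5", "192.0.2.10", "tcp", 443),
                Packet("203.0.113.9", "192.0.2.54", "udp", 53)):
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
```

Swapping the first two rules makes the Telnet packet match the broader permit first, which is the classic ordering mistake in ACL editing: a specific deny placed after a general permit never fires.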
ACS
address translation
The translation of a network address and/or port to another network address and/or port. See also IP address, NAT, PAT, Static PAT.
ADSL
asymmetric digital subscriber line.
aggressive mode
A mode of establishing ISAKMP SAs that simplifies IKE authentication negotiation (phase 1) between two or more IPSec peers. Aggressive mode completes in fewer messages than main mode and is therefore faster, but it is less secure: the peer identities are sent in the clear, and with preshared-key authentication the hash derived from the key is visible to an eavesdropper, who can run an offline dictionary attack against it. See main mode, quick mode.
AES
Advanced Encryption Standard
AES-CCMP
Advanced Encryption Standard-Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. AES-CCMP is required for Wi-Fi Protected Access 2 (WPA2) and IEEE 802.11i wireless LAN security.
AH
Authentication Header. This is an older IPSec protocol that is less important in most networks than ESP. AH provides authentication and integrity services but does not provide encryption. It is provided to ensure compatibility with IPSec peers that do not support ESP, which provides both authentication and encryption. Because AH also authenticates parts of the outer IP header, it cannot pass through NAT, which is a further reason ESP is generally preferred.
AH-MD5-HMAC
Authentication Header with the MD5 (HMAC variant) hash algorithm.
AH-SHA-HMAC
Authentication Header with the SHA (HMAC variant) hash algorithm.
AHP
Authentication Header Protocol. A protocol that provides source host authentication, and data integrity. AHP does not provide secrecy.
algorithm
A logical sequence of steps for solving a problem. Security algorithms pertain to either data encryption or authentication.
DES and 3DES are two examples of data encryption algorithms.
Encryption-decryption algorithms are built either as block ciphers, used with a mode of operation such as CBC, or as stream ciphers; a null cipher keeps the framing of encryption but provides no confidentiality.
Authentication algorithms include hashes such as MD5 and SHA, normally used in their keyed HMAC form.
AMI
alternate mark inversion.
ARP
Address Resolution Protocol. A low-level TCP/IP protocol that resolves a node's IP address to its hardware address (called a MAC address) on the local network segment.
ASA
Adaptive Security Algorithm. Allows one-way (inside to outside) connections without an explicit configuration for each internal system and application.
asymmetric encryption
Also called public key systems, this approach allows anyone to obtain access to anyone else's public key and therefore send an encrypted message to that person using the public key.
asymmetric keys
A pair of mathematically related cryptographic keys. The public key encrypts information that only the private key can decrypt, and vice versa. Additionally, the private key signs data that only the corresponding public key can verify.
ATM
Asynchronous Transfer Mode. International standard for cell relay in which multiple service types (such as voice, video, and data) are conveyed in fixed-length (53-byte) cells. Fixed-length cells allow cell processing to occur in hardware, thereby reducing transit delays.
authenticate
To establish the truth of an identity.
authentication
In security, the verification of the identity of a person or process. Applied to a data stream, authentication confirms the stream's origin and, together with an integrity check, ensures that it was not tampered with in transit.
B | |
BC | Committed Burst. BC is a QoS policing parameter that specifies in bits (or bytes) per burst how much traffic can be sent within a given unit of time to not create scheduling concerns. |
BE | Excess Burst. BE is a QoS policing parameter that specifies how large traffic bursts can be before all traffic exceeds the rate limit. Traffic that falls between the normal burst size and the excess burst size exceeds the rate limit with a probability that increases as the burst size increases. |
BOOTP | Bootstrap Protocol. The protocol used by a network node to determine the IP address of its Ethernet interfaces in order to effect network booting. |
BSSID | Basic Service Set Identifier. The 48-bit identifier of an 802.11 basic service set, normally the MAC address of the access point radio that serves it. |
burst rate | The number of bytes that a traffic burst must not exceed. |
C | |
C3PL | Cisco Common Classification Policy Language. C3PL is a structured replacement for feature-specific configuration commands and allows configurable functionality to be expressed in terms of an event, a condition, and an action. |
CA | Certification Authority. A trusted third-party entity that issues and/or revokes digital certificates. Sometimes referred to as a notary or a certifying authority. Within a given CA's domain, each device needs only its own certificate and the CA's public key to authenticate every other device in that domain. |
CA certificate | A digital certificate granted to one certification authority (CA) by another certification authority. |
CA server | Certification Authority server. A network host that is used to issue and/or revoke digital certificates. |
cache | A temporary repository of information accumulated from previous task executions that can be reused, decreasing the time required to perform the tasks. |
CBAC | Context-Based Access Control. A Cisco IOS firewall feature that provides internal users with secure, per-application access control for traffic crossing network perimeters. CBAC inspects both source and destination addresses and tracks the state of each application connection, so that only return traffic belonging to a session started from inside is allowed back in. |
CBWFQ | Class-Based Weighted Fair Queuing. CBWFQ provides support for user-defined traffic classes. For CBWFQ, you define traffic classes based on match criteria including protocols, access control lists (ACLs), and input interfaces. |
CDP | Cisco Discovery Protocol. A media- and protocol-independent device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. |
CDP | Certificate Revocation List Distribution Point. A location from which a Certificate Revocation List can be retrieved. A CDP is usually an HTTP or LDAP URL. |
CEP | Certificate Enrollment Protocol. A certificate management protocol, later known as the Simple Certificate Enrollment Protocol (SCEP). CEP is an early implementation of Certificate Request Syntax (CRS), a standard proposed to the Internet Engineering Task Force (IETF). CEP specifies how a device communicates with a CA, including how to retrieve the public key of the CA, how to enroll a device with the CA, and how to retrieve a certificate revocation list (CRL). CEP uses PKCS (Public Key Cryptography Standards) 7 and 10 as key component technologies. The public key infrastructure working group (PKIX) of the IETF is working to standardize a protocol for these functions, either CRS or an equivalent. When an IETF standard is stable, Cisco will add support for it. CEP was jointly developed by Cisco Systems and VeriSign, Inc. |
certificate | See digital certificate. |
certificate identity | An X.509 certificate contains within it information regarding the identity of whichever device or entity possesses that certificate. The identification information is then examined during each subsequent instance of peer verification and authentication. However, certificate identities can be vulnerable to spoofing attacks. |
CET | Cisco Encryption Technology. Proprietary network layer encryption introduced in Cisco IOS Release 11.2. CET provides network data encryption at the IP packet level and implements the following standards: DH, DSS, and 40- and 56-bit DES. |
CHAP | Challenge Handshake Authentication Protocol. Security feature supported on lines using PPP encapsulation. CHAP does not itself prevent unauthorized access; it identifies the remote end through a challenge-response exchange in which the password itself is never sent on the wire. The router or access server then determines whether that user is allowed access. See also PAP. |
chargen | Character Generation. Via TCP, a service that sends a continual stream of characters until stopped by the client. Via UDP, the server sends a random number of characters each time the client sends a datagram. |
checksum | Computational method for checking the integrity of transmitted data, computed from a sequence of octets taken through a series of arithmetic operations. The recipient recomputes the value and compares it for verification. |
Cisco SDM | Cisco Router and Security Device Manager. Cisco SDM is an Internet browser-based software tool designed to configure LAN, WAN, and security features on a router. See Getting Started for more information. |
cipher | An encryption-decryption algorithm. |
ciphertext | Encrypted, unreadable data, prior to its decryption. |
CIR | Committed Information Rate. A configured long-term average committed rate to enforce. |
class map | Used by zone-based firewall policies to specify traffic that is to be handled according to the actions specified in a policy map. A class map can specify a type of traffic, and can also specify an ACL to define the source and destination of the traffic. |
clear channel | A clear channel is one through which non-encrypted traffic can flow. Clear channels place no security restrictions on transmitted data. |
cleartext | Unencrypted text, or text restored by decryption. Also called plaintext. |
CLI | command-line interface. The primary interface for entering configuration and monitoring commands to the router. Refer to the Configuration Guide for the router you are configuring for information on what commands you can enter from the CLI. |
client/server computing | Term used to describe distributed computing (processing) network systems in which transaction responsibilities are divided into two parts: client (front end) and server (back end). Also called distributed computing. See also RPC. |
CM | |
CME | Cisco Call Manager Express. CME provides call-processing services to voice over IP (VoIP) gateways. |
CNS | Cisco Networking Services. A suite of services that support scalable network deployment, configuration, service-assurance monitoring, and service delivery. |
comp-lzs | An IP compression algorithm. |
Configuration, Config, Config File | The file on the router that holds the settings, preferences, and properties you can administer using Cisco SDM. |
content engine | In the context of a WAAS solution, a cache of web content located on the network. |
cookie | A cookie is a web browser feature which stores or retrieves information, such as a user's preferences, to persistent storage. In Netscape and Internet Explorer, cookies are implemented by saving a small text file on your local hard drive. The file can be loaded the next time you run a Java applet or visit a website. In this way information unique to you as a user can be saved between sessions. The maximum size of a cookie is approximately 4KB. |
CPE | customer premises equipment. |
CRL | certificate revocation list. A list maintained and signed by a certificate authority (CA) of all the unexpired but revoked digital certificates. |
cryptography | Mathematical and scientific techniques for keeping data private, authentic, unmodified, and non-repudiated. |
crypto map | In Cisco SDM, crypto maps specify which traffic should be protected by IPSec, where IPSec-protected traffic should be sent, and what IPSec transform sets should be applied to this traffic. |
cTCP | |
D | |
data confidentiality | The result of data encryption that prevents the disclosure of information to unauthorized individuals, entities, or processes. This information can be either data at the application level, or communication parameters. See traffic flow confidentiality or traffic analysis. |
data integrity | The assurance that transmitted data has not been altered in transit, implying the sender's authenticity and the absence of data tampering. |
data origin authentication | Verification that data was actually sent by the claimed sender; one function of a non-repudiation service. In IPSec it is provided by AH and ESP. |
decryption | Reverse application of an encryption algorithm to encrypted data, thereby restoring that data to its original, unencrypted state. |
default gateway | The gateway of last resort. The gateway to which a packet is routed when its destination address does not match any entries in the routing table. |
delta file | A file that Cisco IOS IPS creates to store changes made to signatures. |
DES | Data Encryption Standard. Standard cryptographic algorithm developed and standardized by the U.S. National Institute of Standards and Technology (NIST). Uses a secret 56-bit encryption key. The DES algorithm is included in many encryption standards. |
DHCP | Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses to hosts dynamically, so that addresses can be reused when hosts no longer need them. |
DH, Diffie-Hellman | |
Diffie-Hellman key exchange | A public key cryptography protocol that allows two parties to establish a shared secret over insecure communication channels. Diffie-Hellman is used within Internet Key Exchange (IKE) to establish session keys. Diffie-Hellman is a component of Oakley key exchange. Cisco IOS software supports 768-bit and 1024-bit Diffie-Hellman groups. Those groups (group 1 and group 2) are now considered too weak; where the software supports them, use larger MODP groups of 2048 bits or more, or elliptic-curve groups. |
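Both sides of the exchange described above, as an added example that is not part of this glossary or of Cisco IOS. The parameters P and G are toy values chosen so the arithmetic is easy to follow (P is the Mersenne prime 2^127 - 1); the real IKE groups are not reproduced here, and the session-key derivation is a plain SHA-256 stand-in rather than the IKE PRF construction. Nonces and exponents are generated at run time.

```python
import hashlib
import secrets

# Added example (not Cisco IOS code). Toy parameters: P is the Mersenne
# prime 2**127 - 1 and G = 3. They are far too small for real use; the
# groups IKE uses are defined in RFC 2409 / RFC 3526 and are not reproduced here.
P = 2 ** 127 - 1
G = 3

def dh_keypair(p: int = P, g: int = G):
    """Return (private, public): private is random in [1, p-2], public = g^private mod p."""
    priv = 1 + secrets.randbelow(p - 2)
    return priv, pow(g, priv, p)

def dh_shared_secret(peer_public: int, my_private: int, p: int = P) -> int:
    """Combine the peer's public value with our private exponent.
    Public values 0, 1 and p-1 are rejected: they would force the shared
    secret to a value an attacker can predict without knowing any exponent."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_public, my_private, p)

def derive_session_key(shared: int, nonce_i: bytes, nonce_r: bytes, p: int = P) -> bytes:
    """Session key from the shared secret and both peers' nonces.
    IKE derives SKEYID with a PRF over similar inputs; this is a plain
    SHA-256 stand-in, not the IKE construction."""
    shared_bytes = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(nonce_i + nonce_r + shared_bytes).digest()

def run_exchange():
    """Both sides of the exchange; returns the two independently derived keys."""
    i_priv, i_pub = dh_keypair()            # initiator
    r_priv, r_pub = dh_keypair()            # responder
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    # Only i_pub, r_pub, n_i and n_r cross the wire; the private exponents never do.
    key_i = derive_session_key(dh_shared_secret(r_pub, i_priv), n_i, n_r)
    key_r = derive_session_key(dh_shared_secret(i_pub, r_priv), n_i, n_r)
    return key_i, key_r

if __name__ == "__main__":
    k_i, k_r = run_exchange()
    print("keys match:", k_i == k_r, k_i.hex())
```

The check in dh_shared_secret is the minimum a real implementation performs on a received public value; an eavesdropper sees only the two public values and the nonces, and must solve a discrete logarithm in the group to recover the secret, which is why the group size matters.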
digest | The output of a hash function. |
digital certificate | A cryptographically signed, digital representation of user or device attributes that binds a key to an identity. A unique certificate attached to a public key provides evidence that the key has not been compromised. A certificate is issued and signed by a trusted certification authority, and binds a public key to its owner. Certificates typically include the owner's name, the owner's public key, the certificate's serial number, and the certificate's expiration date. Other information might also be present. See X.509. |
digital signature | An authentication method built on asymmetric keys: the sender signs a digest of the data with a private key, and anyone holding the matching public key can verify the signature. Signatures make forgery of the data easy to detect, prevent the signer from repudiating it, and allow verification that a transmission was received intact. A signed message typically includes a transmission time stamp. |
distributed key | A shared cryptographic key that is divided into pieces, with each piece provided to a different participant. |
DLCI | data-link connection identifier. In Frame Relay connections, the identifier for a particular data link connection between two endpoints. |
DMVPN | Dynamic Multipoint Virtual Private Network. A VPN in which routers are arranged in a logical hub-and-spoke topology: each spoke has a GRE over IPSec tunnel to the hub, and the hub uses a multipoint GRE (mGRE) interface to serve all spokes. DMVPN uses GRE and NHRP to enable the flow of packets to destinations in the network, including dynamically built spoke-to-spoke tunnels. |
single DMVPN | A router with a single DMVPN configuration has a connection to one DMVPN hub, and has one configured GRE tunnel for DMVPN communication. The GRE tunnel addresses for the hub and spokes must be in the same subnet. |
DMZ | demilitarized zone. A DMZ is a buffer zone between the Internet, and your private networks. It can be a public network typically used for Web, FTP and E-Mail servers that are accessed by external clients on the Internet. Placing these public access servers on a separate isolated network provides an extra measure of security for your internal network. |
DN | Distinguished Name. A unique identifier for a Certification Authority customer, included in each of that customer's certificates received from that Certification Authority. The DN typically includes the user's common name, the name of that user's company or organization, the user's two-letter country code, an e-mail address used to contact the user, the user's telephone number, the user's department number, and the city in which the user resides. |
DNS | Domain Name System (or Service). An Internet service that translates domain names, which are composed of letters, into IP addresses, which are composed of numbers. |
domain name | The familiar, easy-to-remember name of a host on the Internet that corresponds to its IP address. |
DPD | dead peer detection. DPD determines if a peer is still active by sending periodic keepalive messages to which the peer is supposed to respond. If the peer does not respond within a specified amount of time, the connection is terminated. |
DRAM | dynamic random access memory. RAM that stores information in capacitors that must be periodically refreshed. |
DSCP | |
DSLAM | digital subscriber line access multiplexer. |
DSS | digital signature standard. Also called digital signature algorithm (DSA), the DSS algorithm is part of many public-key standards for cryptographic signatures. |
DVTI | Dynamic Virtual Tunnel Interface. A DVTI is a routable interface that is able to selectively send traffic to different destinations. DVTIs are not statically mapped to physical interfaces. Thus they are able to send and receive encrypted data over any physical interface. |
dynamic routing | Routing that adjusts automatically to network topology or traffic changes. Also called adaptive routing. |
E | |
E1 | A wide-area digital transmission scheme used predominantly in Europe that carries data at a rate of 2.048 Mbps. |
EAPoUDP | |
EAP-FAST | Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling. A 802.1x EAP type developed by Cisco Systems to enable customers who cannot enforce strong password policies to deploy an 802.1x EAP type that does not require digital certificates. |
Easy VPN | A centralized VPN management solution based on the Cisco Unified Client Framework.A Cisco Easy VPN consists of two components: a Cisco Easy VPN Remote client, and a Cisco Easy VPN server. |
ECHO | |
eDonkey | Also known as eDonkey2000 or ED2K, an extremely large peer-to-peer file sharing network. eDonkey implements the Multisource File Transmission Protocol (MFTP). |
EIGRP | Enhanced Interior Gateway Routing Protocol. Advanced version of IGRP developed by Cisco Systems. Provides superior convergence properties and operating efficiency, and combines the advantages of link state protocols with those of distance vector protocols. |
encapsulation | Wrapping of data in a particular protocol header. For example, Ethernet data is wrapped in a specific Ethernet header before network transit. Also, when bridging dissimilar networks, the entire frame from one network is simply placed in the header used by the data link layer protocol of the other network. |
encrypt | To cryptographically produce ciphertext from plaintext. |
encryption | Application of a specific algorithm to data so as to alter the appearance of the data, making it incomprehensible to those who are not authorized to see the information. |
enrollment proxy host | The proxy server for a certificate enrollment server. |
enrollment URL | The enrollment URL is the HTTP path to a certification authority (CA) that your Cisco IOS router should follow when sending certificate requests. The URL includes either a DNS name or an IP address, and may be followed by a full path to the CA scripts. |
ERR | Event Risk Rating. ERR is used to control the level at which a user chooses to take actions in an effort to minimize false positives. |
ESP | Encapsulating Security Payload. An IPSec protocol that provides confidentiality, data origin authentication, replay detection, connectionless integrity, partial sequence integrity, and limited traffic flow confidentiality. |
ESP_SEAL | ESP with the 160-bit key SEAL (Software Encryption Algorithm) encryption algorithm. This feature was introduced in 12.3(7)T. The router must not have hardware IPSec encryption enabled in order to use this feature. |
esp-3des | ESP (Encapsulating Security Payload) transform with the 168-bit DES encryption algorithm (3DES or Triple DES). |
esp-des | ESP (Encapsulating Security Payload) transform with the 56-bit DES encryption algorithm. |
ESP-MD5-HMAC | ESP (Encapsulating Security Payload) transform using the HMAC-variant MD5 authentication algorithm. |
esp-null | ESP (Encapsulating Security Payload) transform that provides no encryption and no confidentiality. |
ESP-SHA-HMAC | ESP (Encapsulating Security Payload) transform using the HMAC-variant SHA authentication algorithm. |
Ethernet | A widely used LAN protocol invented by Xerox Corporation, and developed by Xerox, Intel, and Digital Equipment Corporation. Ethernet networks use CSMA/CD, and run over a variety of cable types at 10 Mbps, or at 100 Mbps. Ethernet is similar to the IEEE 802.3 series of standards. |
event action override | Event action overrides are used in IOS IPS 5.x. They allow you to change the actions associated with an event based on the risk rating (RR) of that event. |
expiration date | The expiration date within a certificate or key indicates the end of its limited lifetime. The certificate or key is not trusted after its expiration date passes. |
exception list | |
extended rules | A type of access rule. Extended rules can examine a greater variety of packet fields to determine a match: the packet's source and destination IP addresses, the protocol type, the source and destination ports, and other packet fields. |
SDP | Secure Device Provisioning. SDP uses Trusted Transitive Introduction (TTI) to easily deploy public key infrastructure (PKI) between two end devices, such as a Cisco IOS client and a Cisco IOS certificate server. |
I | |
ICMP | Internet Control Message Protocol. Network layer Internet protocol that reports errors and provides other information relevant to IP packet processing. |
Identical Addressing | The ability to reach devices having identical IP addresses over an EasyVPN connection through the use of Network Address Translation. |
IDS | Intrusion Detection System. The Cisco IDS performs real-time analysis of network traffic to find anomalies and misuse, using a library of signatures it can compare traffic against. When it finds unauthorized activity or anomalies, it can terminate the condition, block traffic from attacking hosts, and send alerts to the IDM. |
IDS Sensor | An IDS sensor is the hardware on which the Cisco IDS runs. IDS sensors can be stand-alone devices, or network modules installed on routers. |
IDM | IDS Device Manager. IDM is software used to manage an IDS sensor. |
IEEE | Institute of Electrical and Electronics Engineers. |
IETF | Internet Engineering Task Force. |
IGMP | Internet Group Management Protocol. IGMP is a protocol used by IPv4 systems to report IP multicast memberships to neighboring multicast routers. |
IKE | Internet Key Exchange. IKE is a key management protocol standard used in conjunction with IPSec and other standards. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations. Before any IPSec traffic can be passed, each router/firewall/host must be able to verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a CA service. IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.) |
IKE negotiation | The exchange by which two IKE peers authenticate each other and agree on session keys across an untrusted network. No private key is transmitted; the shared keying material is derived with Diffie-Hellman. |
IKE profile | A group of ISAKMP parameters that can be mapped to different IP Security tunnels. |
IM | Instant Messaging. A real-time communication service in which both parties are online at the same time. Popular IM services include Yahoo! Messenger (YM), Microsoft Networks Messenger, and AOL Instant Messenger (AIM). |
IMAP | Internet Message Access Protocol. A protocol used by clients to communicate with an e-mail server. Defined in RFC 2060, IMAP enables clients to delete, change the status, and otherwise manipulate messages on the e-mail server as well as retrieve them. |
implicit rule | An access rule automatically created by the router based on default rules or as a result of user-defined rules. |
inside global | The IP address of a host inside a network as it appears to devices outside the network. |
inside local | The configured IP address assigned to a host inside the network. |
inspection rule | A CBAC inspection rule allows the router to inspect specified outgoing traffic so that it can allow return traffic of the same type that is associated with a session started on the LAN. If a firewall is in place, incoming traffic that is associated with a session started inside the firewall might be dropped if an inspection rule has not been configured. |
interface | The physical connection between a particular network and the router. The router's LAN interface connects to the local network that the router serves. The router has one or more WAN interfaces that connect to the Internet. |
Internet | The global network which uses IP, Internet protocols. Not a LAN. See also intranet. |
intranet | |
IOS | Cisco IOS software. Cisco system software that provides common functionality, scalability, and security for all products under CiscoFusion architecture. Cisco IOS allows centralized, integrated, and automated installation and management of internetworks, while ensuring support for a wide variety of protocols, media, services and platforms. |
IOS IPS | Cisco IOS Intrusion Prevention System. IOS IPS compares traffic against an extensive database of intrusion signatures, and can drop intruding packets and take other actions based on configuration. Signatures are built in to IOS images supporting this feature, and additional signatures can be stored in local or remote signature files. |
IP | Internet Protocol. The Internet protocols are the world's most popular open-system (nonproprietary) protocol suite because they can be used to communicate across any set of interconnected networks and are equally well suited for LAN and WAN communications. |
IP address | IP version 4 addresses are 32 bits, or 4 bytes, in length. This address "space" is used to designate the network number, the optional subnetwork number, and a host number. The 32 bits are grouped into four octets (8 binary bits), represented by 4 decimal numbers separated by periods or "dots." The part of the address used to specify the network number, the subnetwork number, and the host number is specified by the subnet mask. |
IPSec | A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. |
IPSec policy | In Cisco SDM, an IPSec policy is a named set of crypto maps associated with a VPN connection. |
IPSec rule | A rule used to specify which traffic is protected by IPSec. |
IRB | Integrated Routing and Bridging. IRB allows you to route a given protocol between routed interfaces and bridge groups within a single switch router. |
ISAKMP | The Internet Security Association Key Management Protocol is the basis for IKE. ISAKMP authenticates communicating peers, creates and manages security associations, and defines key generation techniques. |
L | |
L2F Protocol | Layer 2 Forwarding Protocol. Protocol that supports the creation of secure virtual private dial-up networks over the Internet. |
L2TP | Layer 2 Tunneling Protocol. An Internet Engineering Task Force (IETF) standards track protocol defined in RFC 2661 that provides tunneling of PPP. Based upon the best features of L2F and PPTP, L2TP provides an industry-wide interoperable method of implementing VPDN. L2TP itself provides no encryption; it is commonly used together with IPSec (L2TP/IPSec), where IPSec protects the tunnel and L2TP carries the PPP session and its user authentication. |
LAC | L2TP access concentrator. Device terminating calls to remote systems and tunneling PPP sessions between remote systems and the LNS. |
LAN | |
LAPB | Link Access Procedure, Balanced. |
Layer 3 Interface | Layer 3 interfaces support internetwork routing. A VLAN is an example of a logical layer 3 interface. An Ethernet port is an example of a physical layer 3 interface. |
LBO | Line Build Out. |
LEFS | low-end file system. |
life cycle | See expiration date. |
LLQ | Low Latency Queuing (LLQ) allows delay-sensitive data such as voice to be dequeued and sent first (before packets in other queues are dequeued), giving delay-sensitive data preferential treatment over other traffic. |
LNS | L2TP network server. Device able to terminate L2TP tunnels from a LAC and able to terminate PPP sessions to remote systems through L2TP data sessions. |
local subnet | Subnetworks are IP networks arbitrarily segmented by a network administrator (by means of a subnet mask) in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks. The local subnet is the subnet associated with your end of a transmission. |
logical interface | An interface that has been created solely by configuration, and that is not a physical interface on the router. Dialer interfaces and tunnel interfaces are examples of logical interfaces. |
loopback | In a loopback test, signals are sent and then redirected back toward their source from some point along the communications path. Loopback tests are often used to determine network interface usability. |
M | |
MAC | message authentication code. A cryptographic checksum over a message, computed with a secret key, used to verify that the message is authentic and unmodified. Unlike a plain checksum, a MAC cannot be recomputed by a party that does not hold the key. See hash. |
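The difference between the checksum entry and the MAC entry above, shown side by side as an added example that is not part of this glossary or of any Cisco product: an attacker who alters a message can recompute an unkeyed checksum freely, but cannot produce a valid HMAC without the key. The messages and key are constructed for illustration; HMAC-SHA-256 stands in for the HMAC-MD5 and HMAC-SHA variants named elsewhere on this page.

```python
import hashlib
import hmac

# Added example (not Cisco code). Contrasts an unkeyed checksum, which only
# detects accidental corruption, with a keyed MAC, which also detects
# deliberate tampering by anyone who does not hold the key.

def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum as used by IP, TCP and UDP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_ok(data: bytes, cksum: int) -> bool:
    return internet_checksum(data) == cksum

def mac_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256 over data. HMAC-MD5 and HMAC-SHA-1, the variants listed in
    this glossary, use the same construction with a different hash."""
    return hmac.new(key, data, hashlib.sha256).digest()

def mac_ok(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest takes time independent of where the tags first differ,
    # so an attacker cannot recover a valid tag byte by byte from timing.
    return hmac.compare_digest(mac_tag(key, data), tag)

def tamper_demo() -> dict:
    """Attacker rewrites the message and recomputes the checksum; only the MAC catches it."""
    key = b"constructed-shared-secret"          # known to sender and receiver only
    original = b"transfer 100 to alice"          # constructed sample message
    forged = b"transfer 900 to mallory"
    cksum, tag = internet_checksum(original), mac_tag(key, original)
    forged_cksum = internet_checksum(forged)     # needs no secret, so the attacker can do it
    return {
        "checksum_accepts_original": checksum_ok(original, cksum),
        "checksum_accepts_forgery": checksum_ok(forged, forged_cksum),
        "mac_accepts_original": mac_ok(key, original, tag),
        "mac_accepts_forgery": mac_ok(key, forged, tag),
    }

if __name__ == "__main__":
    print(tamper_demo())
```

The checksum is still worth having for detecting accidental corruption, but any integrity claim against an adversary needs the keyed construction; that is why the IPSec transforms on this page pair ESP or AH with an HMAC.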
mask subnet mask netmask network mask | A 32-bit bit mask which specifies how an Internet address is to be divided into network, subnet, and host parts. The net mask has ones (1's) in the bit positions in the 32-bit address that are to be used for the network and subnet parts, and has zeros (0's) for the host part. The mask should contain at least the standard network portion (as determined by the address class), and the subnet field should be contiguous with the network portion. The mask is configured using the decimal equivalent of the binary value. Examples: Decimal: 255.255.255.0 Binary: 11111111 11111111 11111111 00000000 The first 24 bits provide the network and subnetwork address, and the last 8 provide the host address. Decimal: 255.255.255.248 Binary: 11111111 11111111 11111111 11111000 The first 29 bits provide the network and subnetwork address, and the last 3 provide the host address. See also IP Address, TCP/IP, host, host/network. |
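The mask arithmetic from the entry above, worked on the raw 32-bit values so the bit positions are visible, as an added example that is not part of this glossary or of Cisco SDM. It reuses the two masks from the entry (255.255.255.0 and 255.255.255.248) on a constructed address, rejects a non-contiguous mask as the entry requires, and includes a same-subnet check of the kind the DMVPN entry relies on. The function names are this example's own.

```python
import ipaddress

# Added example (not Cisco SDM code): the mask arithmetic described in the
# glossary entry, done on the raw 32-bit values.

def mask_to_prefix(mask: str) -> int:
    """Prefix length of a dotted-decimal mask. Rejects masks whose ones are
    not contiguous (for example 255.255.0.255), which the entry forbids."""
    value = int(ipaddress.IPv4Address(mask))
    prefix = bin(value).count("1")
    expected = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # `prefix` ones, then zeros
    if value != expected:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix

def is_valid_mask(mask: str) -> bool:
    try:
        mask_to_prefix(mask)
        return True
    except ValueError:
        return False

def split_address(addr: str, mask: str) -> dict:
    """Divide addr into its network and host parts using mask."""
    prefix = mask_to_prefix(mask)
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    host_mask = ~m & 0xFFFFFFFF           # ones in the host bit positions
    network = a & m
    host_bits = 32 - prefix
    if host_bits >= 2:
        usable = 2 ** host_bits - 2       # network and broadcast addresses excluded
    else:
        usable = 2 ** host_bits           # /31 point-to-point links and /32 host routes
    return {
        "prefix": prefix,
        "network": str(ipaddress.IPv4Address(network)),
        "broadcast": str(ipaddress.IPv4Address(network | host_mask)),
        "host_number": a & host_mask,
        "usable_hosts": usable,
    }

def same_subnet(addr_a: str, addr_b: str, mask: str) -> bool:
    """True when both addresses share the network part under mask."""
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(addr_a)) & m) == (int(ipaddress.IPv4Address(addr_b)) & m)

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.248"):
        print(mask, split_address("192.168.1.77", mask))   # constructed sample address
```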
message digest | A fixed-length string of bits that represents a larger data block, produced by processing the block's precise content through a hash function (128 bits for MD5, 160 bits for SHA-1). Message digests are used in the generation of digital signatures. See hash. |
MD5 | Message Digest 5. A one-way hashing algorithm that produces a 128-bit hash. Both MD5 and Secure Hash Algorithm (SHA) are variations on MD4 and are designed to strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework. Also used for message authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness. |
mGRE | multipoint GRE. |
MTU | maximum transmission unit. The maximum packet size, in bytes, that an interface can transmit or receive. |
N | |
NAC | Network Admission Control. A method of controlling access to a network in order to prevent the introduction of computer viruses. Using a variety of protocols and software products, NAC assesses the condition of hosts when they attempt to log onto the network, and handles the request based on the host's condition, called its posture. Infected hosts can be placed in quarantine; hosts without up-to-date virus protection software can be directed to obtain updates, and uninfected hosts with up-to-date virus protection can be allowed onto the network. See also ACL, posture, and EAPoUDP. |
NAD | Network Access Device. In a NAC implementation, the device that receives a host's request to log on to the network. A NAD, usually a router, works with posture agent software running on the host, virus protection software, and ACS and posture/remediation servers on the network to control access to the network in order to prevent infection by computer viruses. |
NAS | Network Access Server. Platform that interfaces between the Internet and the public switched telephone network (PSTN). Gateway that connects asynchronous devices to a LAN or WAN through network and terminal emulation software. Performs both synchronous and asynchronous routing of supported protocols. |
NAT, Network Address Translation | Network Address Translation. Mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the Internet by translating those addresses into globally routable address space. |
NBAR | Network-based Application Recognition. A method used to classify traffic for QoS. |
NetFlow | A feature of some routers that allows them to categorize incoming packets into flows. Because packets in a flow often can be treated in the same way, this classification can be used to bypass some of the work of the router and accelerate its switching operation. |
network | A network is a group of computing devices that share part of an IP address space, as opposed to a single host. A network consists of multiple "nodes" or devices with IP addresses, any of which may be referred to as hosts. See also Internet, Intranet, IP, LAN. |
network bits | In a subnet mask, the number of bits set to binary 1. A subnet mask of 255.255.255.0 has 24 network bits, because 24 bits in the mask are set to 1. A subnet mask of 255.255.248 has 17 network bits. |
network module | A network interface card that is installed in the router chassis to add functionality to the router. Examples are Ethernet network modules, and IDS network modules. |
NHRP | Next Hop Resolution Protocol. A client and server protocol used in DMVPN networks, in which the hub router is the server and the spokes are the clients. The hub maintains an NHRP database of the public interface addresses of each spoke. Each spoke registers its real address when it boots and queries the NHRP database for the real addresses of destination spokes in order to build direct tunnels to them. |
non-repudiation service | A third-party security service that stores evidence for possible later retrieval regarding the origin and destination of all data included in a communication, without storing the actual data. This evidence can be used to safeguard all participants in that communication against false denials by any participant of having sent information, as well as false denials by any participant of having received information. |
NTP | Network Time Protocol. A protocol to synchronize the system clocks on network devices. NTP is a UDP protocol. |
NVRAM | Non-volatile random access memory. |
P | |
P2P | See peer-to-peer. |
PAD | packet assembler/disassembler. Device used to connect simple devices (like character-mode terminals) that do not support the full functionality of a particular protocol to a network. PADs buffer data and assemble and disassemble packets sent to such end devices. |
padding | In cryptosystems, padding refers to random characters, blanks, zeros, and nulls added to the beginning and ending of messages, to conceal their actual length or to satisfy the data block size requirements of some ciphers. Padding also obscures the location at which cryptographic coding actually starts. |
PAM | Port to Application Mapping. PAM allows you to customize TCP or UDP port numbers for network services or applications. PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application. |
PAP | Password Authentication Protocol. An authentication protocol that allows peers to authenticate one another. PAP passes the password and hostname or username in unencrypted form. See also CHAP. |
parameter map | Parameter-maps specify inspection behavior for Zone-Policy Firewall, for parameters such as Denial-of-Service Protection, session and connection timers, and logging settings. Parameter-maps are also applied with Layer 7 class- and policy-maps to define application-specific behavior, such as HTTP objects, POP3 and IMAP authentication requirements, and other application-specific information. |
password | A protected and secret character string (or other data source) associated with the identity of a specific user or entity. |
password aging | The ability of a system to notify users that their password has expired, and to provide them with the means to create a new password. |
PAT, Dynamic PAT | Port Address Translation. Dynamic PAT lets multiple outbound sessions appear to originate from a single IP address. With PAT enabled, the router chooses a unique port number from the PAT IP address for each outbound translation slot (xlate). This feature is valuable when an Internet service provider cannot allocate enough unique IP addresses for your outbound connections. The global pool addresses always come first, before a PAT address is used. |
peer | In IKE, peers are routers acting as proxies for the participants in an IKE tunnel. In IPSec, peers are devices or entities that communicate securely either through the exchange of keys or the exchange of digital certificates. |
peer-to-peer | A type of network design where all hosts share roughly equivalent capabilities. Also called P2P, peer-to-peer networking is used by many file sharing networks. |
PEM | Privacy Enhanced Mail format. A format for storing digital certificates. |
PFS | perfect forward secrecy. A property of some asymmetric key agreement protocols that allows for the use of different keys at different times during a session, to ensure that the compromising of any single key will not compromise the session as a whole. |
physical interface | A router interface supported by a network module that is installed in the router chassis, or that is part of the router's basic hardware. |
ping | An ICMP request sent between hosts to determine whether a host is accessible on the network. |
PKCS7 | Public Key Cryptography Standard Number 7. |
PKCS12 | Public Key Cryptography Standard Number 12. A format for storing digital certificate information. See also PEM. |
PKI | public-key infrastructure. A system of certification authorities (CAs) and registration authorities (RAs) that provides support for the use of asymmetric key cryptography in data communication through such functions as certificate management, archive management, key management, and token management. Alternatively, any standard for the exchange of asymmetric keys. This type of exchange allows the recipient of a message to trust the signature in that message, and allows the sender of a message to encrypt it appropriately for the intended recipient. See key management. |
plaintext | Ordinary, unencrypted data. |
police rate | The rate of bits per second that traffic must not exceed. |
policing | Traffic policing propagates bursts. When the traffic rate reaches the configured maximum rate, excess traffic is dropped, or remarked. |
policy map | A policy map consists of configured actions to be taken on traffic. Traffic is defined in a class map. More than one class map can be associated with a policy map. |
POP3 | Post Office Protocol version 3. A protocol used to retrieve e-mail from an e-mail server. |
posture | The condition of a host, as assessed by NAC when the host attempts to log on to the network. See NAC. |
PPP | Point-to-Point Protocol. A protocol that provides router-to-router, and host-to-network connections over synchronous and asynchronous circuits. PPP has built in security mechanisms, such as CHAP and PAP. |
PPPoA | Point-to-Point Protocol over Asynchronous Transfer Mode (ATM). Primarily implemented as part of ADSL, PPPoA relies on RFC1483, operating in either Logical Link Control-Subnetwork Access Protocol (LLC-SNAP) or VC-Mux mode. |
PPPoE | Point-to-Point Protocol over Ethernet. PPP encapsulated in Ethernet frames. PPPoE enables hosts on an Ethernet network to connect to remote hosts through a broadband modem. |
PPTP | Point-to-Point Tunneling Protocol. Creates client-initiated tunnels by encapsulating packets into IP datagrams for transmission over TCP/IP-based networks. Can be used as an alternative to the L2F and L2TP tunneling protocols. Proprietary Microsoft protocol. |
pre-shared key | One of three authentication methods offered in IPSec, with the other two methods being RSA encrypted nonces, and RSA signatures. Pre-shared keys allow for one or more clients to use individual shared secrets to authenticate encrypted tunnels to a gateway using IKE. Pre-shared keys are commonly used in small networks of up to 10 clients. With pre-shared keys, there is no need to involve a CA for security. The Diffie-Hellman key exchange combines public and private keys to create a shared secret to be used for authentication between IPSec peers. The shared secret can be shared between two or more peers. At each participating peer, you would specify a shared secret as part of an IKE policy. Distribution of this pre-shared key usually takes place through a secure out-of-band channel. When using a pre-shared key, if one of the participating peers is not configured with the same pre-shared key, the IKE SA cannot be established. An IKE SA is a prerequisite to an IPSec SA. You must configure the pre-shared key at all peers. Digital certification and wildcard pre-shared keys (which allow for one or more clients to use a shared secret to authenticate encrypted tunnels to a gateway) are alternatives to pre-shared keys. Both digital certification and wildcard pre-shared keys are more scalable than pre-shared keys. |
private key | The key in an asymmetric key pair that is maintained by a single user and shared with no one. See public key encryption, RSA keys. |
pseudo random | An ordered sequence of bits that appears superficially similar to a truly random sequence of the same bits. A key generated from a pseudo random number is called a nonce. |
public key encryption | In public key encryption systems, every user has both a public key and a private key. Each private key is maintained by a single user and shared with no one. The private key is used to generate a unique digital signature and to decrypt information encrypted with the public key. In contrast, a user's public key is available to everyone to encrypt information intended for that user, or to verify that user's digital signature. Sometimes called public key cryptography. |
PVC | permanent virtual circuit (or connection). Virtual circuit that is permanently established. PVCs save bandwidth associated with circuit establishment and tear down in situations where certain virtual circuits must exist all the time. In ATM terminology, called a permanent virtual connection. |
R | |
RA | registration authority. An entity serving as an optional component in PKI systems to record or verify some of the information that certification authorities (CAs) use when issuing certificates or performing other certificate management functions. The CA itself might perform all RA functions, but they are generally kept separate. RA duties vary considerably, but may include assigning distinguished names, distributing tokens, and performing personal authentication functions. |
RADIUS | Remote Authentication Dial-In User Service. An access server authentication and accounting protocol that uses UDP as the transport protocol. See also TACACS+. |
RCP | remote copy protocol. Protocol that allows users to copy files to and from a file system residing on a remote host or server on the network. The rcp protocol uses TCP to ensure the reliable delivery of data. |
remote subnet | Subnetworks are IP networks arbitrarily segmented by a network administrator (by means of a subnet mask) in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks. A "remote subnet" is the subnet that is not associated with your end of a transmission. |
replay-detection | A standard IPSec security feature that combines sequence numbers with authentication, so the receiver of a communication can reject old or duplicate packets in order to prevent replay attacks. |
repudiation | In cryptographic systems, repudiation is the denial by one of the entities involved in a communication of having participated in all or part of that communication. |
revocation password | The password that you provide to a CA when you request that it revoke a router's digital certificate. Sometimes called a challenge password. |
RFC 1483 routing | RFC 1483 describes two different methods for carrying connectionless network interconnect traffic over an ATM network: routed protocol data units (PDUs) and bridged PDUs. Cisco SDM supports the configuration of RFC 1483 routing, and enables you to configure two encapsulation types: AAL5MUX and AAL5SNAP. AAL5MUX encapsulation supports only a single protocol (IP or IPX) per PVC. AAL5SNAP, AAL5 Logical Link Control/Subnetwork Access Protocol (LLC/SNAP) encapsulation, supports Inverse ARP and incorporates the LLC/SNAP header that precedes the protocol datagram. This allows multiple protocols to traverse the same PVC. |
RIP | Routing Information Protocol. A routing protocol that uses the number of routers a packet must pass through to reach the destination, as the routing metric. |
root CA | Ultimate certification authority (CA), which signs the certificates of the subordinate CAs. The root CA has a self-signed certificate that contains its own public key. |
route | A path through an internetwork. |
route map | Route maps enable you to control information that is added to the routing table. Cisco SDM automatically creates route maps to prevent NAT from translating specific source addresses when doing so would prevent packets from matching criteria in an IPSec rule. |
RPC | remote procedure call. RPCs are procedure calls that are built or specified by clients and executed on servers, with the results returned over the network to the clients. See also client/server computing. |
RR | Risk Rating. An RR is a value between 0 and 100 that represents a numerical quantification of the risk associated with a particular event on the network. |
RSA | Rivest, Shamir, and Adleman, the inventors of this cryptographic key exchange technique, which is based on factoring large numbers. RSA is also the name of the technique itself. RSA may be used for encryption and authentication, and is included in many security protocols. |
RSA keys | An RSA asymmetric key pair is a set of matching public and private keys. |
RSA signatures | One of three authentication methods offered in IPSec, with the other two methods being RSA encrypted nonces, and pre-shared keys. Also, one of the three Federal Information Processing Standards (FIPS)-approved algorithms for generating and verifying digital signatures. The other approved algorithms are DSA and Elliptic Curve DSA. |
rule | Information added to the configuration to define your security policy in the form of conditional statements that instruct the router how to react to a particular situation. |
S | |
SA | security association. A set of security parameters agreed upon by two peers to protect a specific session in a particular tunnel. Both IKE and IPSec use SAs, although the two kinds of SA are independent of one another. IPSec SAs are unidirectional and are unique in each security protocol. An IKE SA is used by IKE only, and unlike the IPSec SA, it is bidirectional. IKE negotiates and establishes SAs on behalf of IPSec. A user can also establish IPSec SAs manually. A set of SAs is needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports Encapsulating Security Payload (ESP) between peers, one ESP SA is required for each direction. SAs are uniquely identified by destination (IPSec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI). |
SAID | security association ID. Numeric identifier for the SA of a given link. |
salt | A string of pseudorandom characters used to enhance cryptographic complexity. |
SCCP | Skinny Client Control Protocol. SCCP is a proprietary terminal control protocol owned by Cisco Systems. It is used as a messaging protocol between a skinny client and Cisco CallManager. |
SDEE | Security Device Event Exchange. A message protocol that can be used to report on security events, such as alarms generated when a packet matches the characteristics of a signature. |
SDF | Signature Definition File. A file, usually in XML format, containing signature definitions that can be used to load signatures on a security device. |
SEAF | Signature Event Action Filter. A filter that allows you to subtract actions from an event whose parameters fall within those defined. For example, a SEAF can be created to subtract the action Reset TCP Connection from an event associated with a particular attacker address. |
SEAO | Signature Event Action Override. An SEAO allows you to assign a risk rating (RR) range to an IPS event action type, such as alarm. If an event occurs with an RR in the range you have assigned to the action type, then that action is added to the event. In this case, an alarm would be added to the event. |
SEAP | Signature Event Action Processor. SEAP allows filtering and overrides based on Event Risk Rating (ERR) feedback. |
secret key | See symmetric key. |
security association lifetime | The predetermined length of time in which an SA is in effect. |
security zone | A group of interfaces to which a policy can be applied. Security zones should consist of interfaces that share similar functions or features. For example, on a router, interfaces Ethernet 0/0 and Ethernet 0/1 may be connected to the local LAN. These two interfaces are similar because they represent the internal network, so they can be grouped into a zone for firewall configurations. |
session key | A key that is used only once. |
SFR | Signature Fidelity Rating. A weight associated with how well this signature might perform in the absence of specific knowledge of the target. |
SHA | Secure Hash Algorithm. Some encryption systems use SHA to generate digital signatures, as an alternative to MD5. |
SHA-1 | Secure Hash Algorithm 1. Algorithm that takes a message of less than 2^64 bits in length and produces a 160-bit message digest. The large message digest provides security against brute-force collision and inversion attacks. SHA-1 [NIS94c] is a revision to SHA that was published in 1994. |
shaping | Traffic shaping retains excess packets in a queue and then reschedules the excess for later transmission over increments of time. |
shared key | The secret key that all users share in a symmetric key-based communication session. |
shared secret | A cryptographic key known to all parties in a communication. See shared key, pre-shared key. |
signature | A data element in IOS IPS that detects a specific pattern of misuse on the network. |
signature engine | A signature engine is a component of Cisco IOS IPS designed to support many signatures in a certain category. An engine is composed of a parser and an inspector. Each engine has a set of legal parameters which have allowable ranges or sets of values. |
signing certificate | Used to associate your digital signature with your messages or documents, and to ensure that your messages or files are conveyed without changes. |
SIP | Session Initiation Protocol. Enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with Session Description Protocol (SDP) for call signaling. SDP specifies the ports for the media stream. Using SIP, the router can support any SIP Voice over IP (VoIP) gateways and VoIP proxy servers. |
site-to-site VPN | Typically, a site-to-site VPN is one that connects two networks or subnetworks and that meets several other specific criteria, including the use of static IP addresses on both sides of the tunnel, the absence of VPN client software on user end-stations, and the absence of a central VPN hub (as would exist in hub-and-spoke VPN configurations). Site-to-site VPNs are not intended to replace dial-in access by remote or traveling users. |
SMTP | Simple Mail Transfer Protocol. Internet protocol providing e-mail services. |
SNMP | Simple Network Management Protocol. Network management protocol used almost exclusively in TCP/IP networks. SNMP provides a means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security. |
SPD | Selective Packet Discard. SPD gives priority to routing protocol packets and other important traffic control packets, such as Layer 2 keepalives, during periods of queue congestion. |
Split DNS | Split DNS enables Cisco routers to answer DNS queries using the internal hostname cache specified by a selected virtual DNS name server. Queries that cannot be answered by the information in the hostname cache, are redirected to specified back-end DNS name servers. |
spoke | In a hub-and-spoke or DMVPN network, a router that connects to the central hub router rather than to the other spokes directly. See NHRP. |
spoofing spoof | The act of a packet illegally claiming to be from an address from which it was not actually sent. Spoofing is designed to foil network security mechanisms such as filters and access lists. |
SRB | source-route bridging. Method of bridging originated by IBM and popular in Token Ring networks. In an SRB network, the entire route to a destination is predetermined, in real time, prior to the sending of data to the destination. |
SSH | Secure Shell. An application running on top of a reliable transport layer, such as TCP/IP, that provides strong authentication and encryption capabilities. Up to five SSH clients are allowed simultaneous access to the router console. |
SSID | Service Set Identifier (also referred to as Radio Network Name). A unique identifier used to identify a radio network and which stations must use to be able to communicate with each other or to an access point. The SSID can be any alphanumeric entry up to a maximum of 32 characters. |
SSL | Secure Socket Layer. Encryption technology for the Web used to provide secure transactions, such as the transmission of credit card numbers for e-commerce. |
SSL VPN | Secure Socket Layer Virtual Private Networks. SSL VPN is a feature that enables a supported Cisco router to provide remote clients secure access to network resources by creating an encryption tunnel across the Internet using the broadband or ISP dial connection that the remote client uses. |
SSL VPN context | A WebVPN context provides the resources needed to configure secure access to a corporate intranet and other types of private networks. A WebVPN context must include an associated WebVPN gateway. A WebVPN context can serve one or more WebVPN group policies. |
SSL VPN gateway | A WebVPN gateway provides an IP address and a certificate for a WebVPN context. The |
SSL VPN group policy | WebVPN group policies define the portal page and links for the users included in those policies. A WebVPN group policy is configured under a WebVPN context. |
standard rule | In Cisco SDM, a type of access rule or NAT rule. Standard rules compare a packet's source IP address against their IP address criteria to determine a match. Standard rules use a wildcard mask to determine which portions of the IP address must match. |
state, stateful, stateful inspection | Network protocols maintain certain data, called state information, at each end of a network connection between two hosts. State information is necessary to implement the features of a protocol, such as guaranteed packet delivery, data sequencing, flow control, and transaction or session IDs. Some of the protocol state information is sent in each packet while each protocol is being used. For example, a web browser connected to a web server uses HTTP and the supporting TCP/IP protocols. Each protocol layer maintains state information in the packets it sends and receives. Routers inspect the state information in each packet to verify that it is current and valid for every protocol it contains. This is called stateful inspection and is designed to create a powerful barrier to certain types of computer security threats. |
Static PAT | Static Port Address Translation. A static address maps a local IP address to a global IP address. Static PAT is a static address that also maps a local port to a global port. See also PAT. |
static route | Route that is explicitly configured and entered into the routing table. Static routes take precedence over routes chosen by dynamic routing protocols. |
subnet, subnetwork | In IP networks, a network sharing a particular subnet address. Subnetworks are networks arbitrarily segmented by the network administrator in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks. See also IP address, subnet bits, subnet mask. |
subnet bits, subnet mask | 32-bit address mask used in IP to indicate the bits of an IP address that are being used for the network and optional subnet address. Subnet masks are expressed in decimal. The mask 255.255.255.0 specifies that the first 24 bits of the address Sometimes referred to simply as mask. See also address mask and IP address. |
SUNRPC | SUN Remote Procedure Call. RPC is a protocol that allows clients to run programs or routines on remote servers. SUNRPC is the version of RPC originally distributed in the SUN Open Network Computing (ONC) library. |
symmetric key | A single key that is used both to encrypt information and to decrypt the information it previously encrypted. See also shared key. |
V | |
verification | Identity confirmation of a person or process. |
VCI | virtual channel identifier. A virtual path may carry multiple virtual channels corresponding to individual connections. The VCI identifies the channel being used. The combination of VPI and VCI identifies an ATM connection. |
VFR | Virtual Fragment Reassembly. VFR enables IOS Firewall to dynamically create ACLs to block IP fragments. IP fragments often do not contain enough information for static ACLs to be able to filter them. |
VoIP | Voice over IP. The capability to carry normal telephony-style voice over an IP-based internet with POTS-like functionality, reliability, and voice quality. VoIP enables a router to carry voice traffic (for example, telephone calls and faxes) over an IP network. |
VPI | virtual path identifier. Identifies the virtual path used by an ATM connection. |
VPDN | virtual private dial-up network. A system that permits dial-in networks to exist remotely to home networks, while giving the appearance of being directly connected. VPDNs use L2TP and L2F to terminate the Layer 2 and higher parts of the network connection at the home gateway, instead of the network access server (NAS). |
VPN | Virtual Private Network. Provides the same network connectivity for users over a public infrastructure as they would have over a private network. VPNs enable IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses tunneling to encrypt all information at the IP level. |
VPN connection | A site-to-site VPN. A site-to-site VPN consists of a set of VPN connections between peers, in which the defining attributes of each connection include the following device configuration information: - A connection name - Optionally, an IKE policy and pre-shared key - An IPSec peer - A list of one or more remote subnets or hosts that will be protected by the connection - An IPSec rule that defines which traffic is to be encrypted. - A list of transform sets that define how protected traffic is encrypted - A list of the device network interfaces to which the connection is applied |
VPN mirror policy | A VPN policy on a remote system that contains values that are compatible with a local policy and that enable the remote system to establish a VPN connection to the local system. Some values in a mirror policy must match values in a local policy, and some values, such as the IP address of the peer, must be the reverse of the corresponding values in the local policy. You can create mirror policies for remote administrators to use when you configure site-to-site VPN connections. For information on generating a mirror policy, refer to Generate Mirror.... |
VTI | Virtual Template Interface. |
vty | virtual type terminal. Commonly used as virtual terminal lines. |
W | |
WAN | Wide Area Network. A network that serves users across a broad geographical area, and often uses transmission devices provided by common carriers. See also LAN. |
WAAS | Wide Area Application Services. A Cisco solution that optimizes the performance of TCP-based applications across a wide area network. |
WCCP | Web Cache Communication Protocol. Also known as Web Cache Control Protocol and Web Cache Coordination Protocol. WCCP allows the use of a Content Engine to reduce Web traffic to reduce transmission costs and download time from Web servers. |
WAE | Wide Area Application Engine. The term refers to Cisco network appliances that enable WAN optimization and application acceleration. |
WAE-C | WAE-Core. The core WAE component is installed on a server at the data center. It connects directly to one or more file servers or network-attached storage (NAS) devices. |
WAE-E | WAE-Edge. The edge WAE is installed on clients. It is a file caching device that serves client requests at remote sites and branch offices. |
WFQ | Weighted Fair Queuing. A flow-based queuing algorithm that does two things simultaneously: It schedules interactive traffic to the front of the queue to reduce response time, and it fairly shares the remaining bandwidth between high bandwidth flows. |
wildcard mask | A bit mask used in access rules, IPSec rules, and NAT rules to specify which portions of the packet's IP address must match the IP address in the rule. A wildcard mask contains 32 bits, the same number of bits in an IP address. A wildcard bit value of 0 specifies that the bit in that same position of the packet's IP address must match the bit in the IP address in the rule. A value of 1 specifies that the corresponding bit in the packet's IP address can be either 1 or 0, that is, that the rule "doesn't care" what the value of the bit is. A wildcard mask of 0.0.0.0 specifies that all 32 bits in the packet's IP address must match the IP address in the rule. A wildcard mask of 0.0.255.0 specifies that the first 16 bits, and the last 8 bits must match, but that the third octet can be any value. If the IP address in a rule is 10.28.15.0, and the mask is 0.0.255.0, the IP address 10.28.88.0 would match the IP address in the rule, and the IP address 10.28.15.55 would not match. |
WINS | Windows Internet Naming Service. A Windows system that determines the IP address associated with a particular network computer. |
WMM | Wi-Fi Multimedia. An IEEE 802.11e Quality of Service (QoS) draft standard. WMM compliant equipment is designed to improve the user experience for audio, video, and voice applications over a Wi-Fi wireless connection. |
WRED | Weighted Random Early Detection. A queueing method that ensures that high-precedence traffic has lower loss rates than other traffic during times of congestion. |
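The mask arithmetic described under the mask, network bits and wildcard mask entries, as an added Python example that is not part of the original glossary or of Cisco SDM: it counts network bits, rejects a non-contiguous mask, derives the wildcard mask an access rule would use, and replays the 10.28.15.0 / 0.0.255.0 match from the wildcard mask entry. Function names are the example's own.

```python
"""Subnet-mask and wildcard-mask helpers (added example, standard library only)."""
import ipaddress

ALL_ONES = 0xFFFFFFFF  # a 32-bit mask with every bit set


def mask_to_prefix(mask: str) -> int:
    """Return the number of network bits (1-bits) in a dotted-decimal subnet mask.

    The glossary requires the network and subnet fields to be contiguous, so a
    mask such as 255.255.0.255 is rejected instead of being silently counted.
    """
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    # A contiguous run of `ones` bits is ALL_ONES shifted left by the host bits.
    expected = (ALL_ONES << (32 - ones)) & ALL_ONES
    if value != expected:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def mask_to_wildcard(mask: str) -> str:
    """Invert a subnet mask into the wildcard mask used in access and NAT rules.

    A subnet mask marks the bits that identify the network with 1; a wildcard
    mask marks the bits that must match with 0, so the two are bitwise inverses.
    """
    mask_to_prefix(mask)  # validate contiguity before inverting
    inverted = int(ipaddress.IPv4Address(mask)) ^ ALL_ONES
    return str(ipaddress.IPv4Address(inverted))


def wildcard_match(rule_ip: str, wildcard: str, packet_ip: str) -> bool:
    """Decide whether packet_ip matches rule_ip under a rule's wildcard mask.

    A 0 bit in the wildcard means the packet bit must equal the rule bit; a 1 bit
    means the rule "doesn't care" about that position.
    """
    rule = int(ipaddress.IPv4Address(rule_ip))
    pkt = int(ipaddress.IPv4Address(packet_ip))
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES  # bits that must match
    return (rule & care) == (pkt & care)


if __name__ == "__main__":
    # Worked values from the glossary: 255.255.255.0 has 24 network bits,
    # 255.255.255.248 has 29, and rule 10.28.15.0 with wildcard 0.0.255.0
    # matches 10.28.88.0 but not 10.28.15.55.
    for m in ("255.255.255.0", "255.255.255.248"):
        print(m, "->", mask_to_prefix(m), "network bits, wildcard", mask_to_wildcard(m))
    for candidate in ("10.28.88.0", "10.28.15.55"):
        print(candidate, "matches" if wildcard_match("10.28.15.0", "0.0.255.0", candidate) else "does not match")
```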
Copyright © 2002-2007, Cisco Systems, Inc. All rights reserved.