
WANs connect devices that are separated by a broader geographical area than a LAN. WANs use the services of carriers, such as phone companies, cable companies, and network providers, and use serial connections of various types to provide access over large geographic areas.
The Hierarchical Network Model: Access layer (grants user access to network devices), Distribution layer (policy-based connectivity), Core layer (the backbone).
CSU/DSU (Channel Service Unit/Data Service Unit) provides the clocking for T1 or T3.
The Demarc refers to the point of last responsibility for the service provider. The Local Loop (Last Mile) refers to the physical line connecting the Customer Premises Equipment (CPE) to the provider's nearest Central Office (CO).
By default, a serial interface uses HDLC for encapsulation. Other supported encapsulation types: SDLC, PPP, LAPB, Frame Relay, X.25, ATM. The encapsulation must be identical on both sides of a point-to-point link.
High-Level Data Link Control (HDLC) is a WAN encapsulation protocol used on dedicated point-to-point serial lines. HDLC provides no authentication.
PPP Encapsulation
Point-to-Point Protocol (PPP) is an encapsulation protocol that can be used on dedicated point-to-point serial lines, asynchronous dial-up links, and ISDN.
PPP has four components:
Physical: standards for the physical serial interface.
HDLC: encapsulates packets into frames over serial lines.
LCP: establishes, maintains, and terminates point-to-point links.
NCP: allows multiple Layer-3 protocols (such as IP and IPX) to be encapsulated into frames.
Circuit switching establishes a dedicated circuit between nodes before users communicate. If the circuit carries computer data, the usage may not be efficient. Examples: PPP, ISDN. The advantages of modem and analog lines are simplicity, availability, and low cost.
Packet switching splits traffic data into packets that are routed over a shared network. Frame Relay has no error or flow control. The simplified handling of frames leads to reduced latency and reduced jitter.
Leased line (HDLC, PPP): a permanent dedicated connection. The point-to-point link is used to provide a pre-established WAN communications path from the CPE through the provider network.
Cell relay: Asynchronous Transfer Mode (ATM).
Serial links can be clocked considerably faster than parallel links, and achieve a higher data rate, because of two factors that affect parallel communications: clock skew and crosstalk.
TDM shares the available transmission time on a medium by assigning time slots to users. TDM divides the bandwidth of a single link into separate channels or time slots, and transmits two or more channels over the same link by allocating a different time slot for the transmission of each channel. In effect, the channels take turns using the link. Statistical time-division multiplexing (STDM) uses a variable time slot length, allowing channels to compete for any free slot space.
PPP supports several features that HDLC does not:
Authentication: forces the sender and receiver to identify themselves with a username and password. PPP supports PAP and CHAP.
Compression: efficiency on slow links. PPP supports Stac and Predictor.
Multilink: allows multiple channels to be trunked together to combine their bandwidth. The bundled channels are treated as one logical channel.
Callback: provides security and billing services. Allows a client to first dial a PPP server, disconnect, and then have the PPP server call the client back.
Error Control.
PAP (Password Authentication Protocol) sends passwords in clear text in a two-way handshake. The sent username and password must match the remote username and password. The calling host is in control of the frequency and timing of login requests. This is undesirable, because the access server must respond to all login requests, even the repeated attempts of a hacker (brute-force attacks).
CHAP (Challenge Handshake Authentication Protocol) uses an MD5 hash. The username configured must be the hostname of the remote router, and the password must be the same on both routers.
PPP callback sequence:
1. The client initiates the call, requesting callback by using the callback option during the PPP LCP negotiation phase.
2. The callback server acknowledges the callback request if its configuration shows that callback is enabled.
3. The callback client and server participate in authentication via CHAP or PAP; this is required for callback.
4. The callback server identifies the callback dial string based on an LCP option field or the username of the authenticated host matched to a dialer map statement.
5. The initial call is disconnected if the server is configured for callback AND any one of the following is true: the callback string is found, or callback secure is configured.
6. The callback server uses the dial string to initiate the callback. If the return call fails, no additional calls are attempted. (Callback is not negotiated on the return call.)
7. User authentication is repeated once the return call connects.
8. The connection is established and data exchange proceeds.
Note that the answering router will maintain the initial call if: the server is not configured to accept a callback, OR callback is not being enforced and the user is not properly configured for callback (e.g. callback string not found).
Multilink PPP (MLP) is an LCP option that provides load balancing over multiple interfaces including ISDN, synchronous, and asynchronous. MLP works by splitting packets into fragments, not by load balancing complete packets to a destination.
Two ATM interface types exist: The Network-to-Network Interface (NNI) is used to describe how Frame Relay networks from different providers connect to each other. The DTE-DCE connection at the local loop, between the CPE and the CO, is known as the User-to-Network Interface (UNI). Virtual channels can be permanent (PVC) or switched (SVC), and are one-way.
Frame Relay circuits can be either permanent (PVC) or switched (SVC). A permanent virtual circuit is always kept active, and is the most common virtual circuit. A switched virtual circuit is created only when traffic needs to be sent, and is torn down when communication is complete. Virtual circuits are identified with Data Link Connection Identifiers (DLCIs). Frame Relay switches make forwarding decisions based on DLCIs, whereas Ethernet switches make decisions based on MAC addresses.
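PAP and CHAP, from the PPP authentication notes above, differ in what actually crosses the serial link. The following Python model is an added example, not from these notes or from Cisco IOS; the router names, the shared secret and the frame layout are constructed for the demo, and CHAP's MD5 over identifier, secret and challenge follows RFC 1994.

```python
import hashlib
import hmac
import os

# Constructed demo data (not from the notes): with CHAP the username on each
# router is the remote router's hostname, and the password is identical on both.
SECRETS = {"R1": b"s3cr3t", "R2": b"s3cr3t"}

def pap_request(username, password):
    """PAP Authenticate-Request (two-way handshake): the password itself is the
    payload, so anyone capturing the link reads it directly."""
    return {"code": "Authenticate-Request", "peer_id": username, "password": password}

def pap_verify(request, db):
    """Authenticator side: the sent username/password must match the local entry."""
    return db.get(request["peer_id"]) == request["password"]

def chap_challenge(identifier=None, value=None):
    """Authenticator -> peer: Challenge with an identifier and a random value.
    Fixed arguments exist only so a caller can reproduce a known exchange."""
    identifier = os.urandom(1)[0] if identifier is None else identifier
    value = os.urandom(16) if value is None else value
    return {"code": "Challenge", "id": identifier, "value": value}

def chap_hash(identifier, secret, value):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + value).digest()

def chap_response(challenge, name, secret):
    """Peer -> authenticator: Response carrying the digest and the peer's name.
    The secret never crosses the link, only the MD5 digest does."""
    return {"code": "Response", "id": challenge["id"], "name": name,
            "value": chap_hash(challenge["id"], secret, challenge["value"])}

def chap_verify(challenge, response, db):
    """Authenticator recomputes the digest with its own copy of the secret.
    A response captured earlier fails against a new challenge because the
    identifier and challenge value differ (three-way handshake, no replay)."""
    secret = db.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = chap_hash(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])

def link_exposes_password(frame):
    """What a capture of the authentication frame reveals: the clear-text
    password for PAP, only a digest for CHAP."""
    return "password" in frame
```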
Frame Relay CIR: Bandwidth is provided on a best-effort basis in Frame Relay. The Frame Relay provider and customer agree on a Committed Information Rate (CIR), which is not always a guarantee of bandwidth. The provider will give a best effort to meet the CIR, which is measured in bits per second. At times, bandwidth speeds can burst (Be) above the CIR. Speeds above the CIR are certainly not guaranteed, and if the Frame Relay network becomes congested, any data exceeding the CIR becomes Discard Eligible (DE) and is at risk of being dropped.
The broadcast keyword is commonly used with the frame-relay map command to allow broadcast forwarding and simplify OSPF configuration for nonbroadcast networks over Frame Relay.
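The CIR and burst behaviour described above can be modelled as the policing a Frame Relay switch applies per measurement interval. This Python model is an added example, not from these notes; the interval Tc and the committed burst Bc = CIR * Tc are standard Frame Relay terms the notes do not mention, and the traffic figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class FrameRelayPolicer:
    """Models how a Frame Relay switch treats traffic on one virtual circuit
    per measurement interval Tc (seconds):
      up to Bc = CIR * Tc bits   -> forwarded, within the committed rate
      the next Be bits           -> forwarded but marked Discard Eligible (DE)
      anything above Bc + Be     -> dropped at ingress
    Assumptions (not from the notes): Tc = 1 s by default, and a frame falls
    wholly into one band (no splitting of a frame across bands)."""
    cir_bps: int
    be_bits: int
    tc_seconds: float = 1.0

    @property
    def bc_bits(self):
        return int(self.cir_bps * self.tc_seconds)

    def police_interval(self, frame_sizes_bytes):
        """Classify the frames sent during one Tc interval, in arrival order.
        Returns byte totals per outcome plus the per-frame outcome list."""
        sent_bits = 0
        outcome = {"committed": 0, "de": 0, "dropped": 0, "frames": []}
        for size in frame_sizes_bytes:
            bits = size * 8
            if sent_bits + bits <= self.bc_bits:
                tag = "committed"
            elif sent_bits + bits <= self.bc_bits + self.be_bits:
                tag = "de"          # delivered only if the network is not congested
            else:
                tag = "dropped"
            if tag != "dropped":
                sent_bits += bits   # dropped frames do not consume the allowance
            outcome[tag] += size
            outcome["frames"].append(tag)
        return outcome

def bytes_at_risk(outcome):
    """Bytes discarded first if the provider network becomes congested:
    the DE-marked traffic; the committed traffic is the provider's best effort."""
    return outcome["de"]

# Constructed example: a 64 kbps CIR with Be = 16 kbit, and eight 1500-byte
# frames offered within one second, i.e. faster than the committed rate.
if __name__ == "__main__":
    policer = FrameRelayPolicer(cir_bps=64_000, be_bits=16_000)
    print(policer.police_interval([1500] * 8)["frames"])
```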
Frame Relay is a Non-Broadcast Multiple Access (NBMA) network.
Physical interfaces: With a hub-and-spoke topology, Split Horizon will prevent the hub router from propagating routes learned from one spoke router to another spoke router.
Point-to-point subinterfaces: Each subinterface is on its own subnet, so broadcast propagation and Split Horizon rules are not a problem.
Multipoint subinterfaces: All participating subinterfaces would be in the same subnet. Broadcasts and routing updates are also subject to the Split Horizon rule and may pose a problem.
Frame-Relay Encapsulation Types
On Cisco routers, two possible Frame Relay encapsulations can be configured on the router's serial ports:
Cisco: the default, proprietary Frame Relay encapsulation.
IETF: the standardized Frame Relay encapsulation.
Frame-Relay Local Management Interface (LMI)
LMI is the type of signaling used between your router and your provider's Frame Relay switch. LMI provides status updates of virtual circuits between the Frame Relay switch and the router. LMI types: Cisco, ANSI, Q.933a. The LMI type is auto-sensed on Cisco routers, but can be manually set if desired. LMI is responsible for managing the connection and maintaining the status between devices. LMI includes:
A keepalive mechanism, to verify the health of the link.
A multicast mechanism, which provides one-to-many delivery.
Addressing extensions, which can tie DLCIs to devices, thereby giving them global, rather than local, significance (uncommon).
A status mechanism, which provides an ongoing status of the DLCIs known to the switch.
DLCI ranges: 0-15 and 1008-1023 are reserved for special purposes, including LMI (Local Management Interface) signaling; 16-1007 are available for user virtual circuits.
PVC status values reported by LMI:
0x0 - added/inactive
0x2 - added/active
0x4 - deleted (not on the Frame Relay switch)
Active: the circuit is active, and routers can exchange data.
Inactive: the local connection to the Frame Relay switch is working, but the remote router's connection to the Frame Relay switch is not.
Deleted: no LMI is being received from the Frame Relay switch, or there is no service between the CPE and the Frame Relay switch.
Inverse ARP asks the remote station for its Layer 3 address; the reply is then used to build a Frame Relay map. The broadcast option allows broadcasts and multicasts to be forwarded to that address, so that routing protocols such as OSPF can form neighbor relationships.
Step 1. Perform footprint analysis (reconnaissance)
Step 2. Enumerate information.
Step 3. Manipulate users to gain access.
Step 4. Escalate privileges.
Step 5. Gather additional passwords and secrets
Step 6. Install backdoors
Step 7. Leverage the compromised system.
The overall security challenge facing network administrators is balancing two important needs:
keep networks open to support business requirements
protect private, personal, and business information.
A security policy meets these goals:
Informs users, staff, and managers of their requirements for protecting information assets
Specifies the mechanisms through which these requirements can be met
Provides a baseline from which to acquire, configure, and audit computer systems for compliance
When discussing network security, the 3 factors are vulnerability, threat, and attack.
Vulnerability: the degree of weakness which is inherent in every network and device: routers, switches, desktops, and servers.
Threats: the people interested in taking advantage of each security weakness.
Attack: the threats use a variety of tools and programs to launch attacks against networks.
There are 3 primary vulnerabilities: Technological, Configuration, Security policy.
The four classes of physical threats are: Hardware, Electrical, Maintenance, Environmental.
There are 4 primary classes of threats to networks: Unstructured, Structured, Internal, External.
There are four primary classes of attacks: Reconnaissance, Access, DoS, and Worms, Viruses, and Trojan Horses.
ACLs: 1. Enhance security (limit host access, restrict certain areas of the network), 2. Manage bandwidth, 3. Restrict services. The any keyword equals a wildcard mask of all 1s (0.0.0.0 255.255.255.255); the host keyword equals a wildcard mask of all 0s (0.0.0.0).
Dynamic ACLs: reduce the opportunity for network break-ins by network hackers, and create dynamic user access through a firewall without compromising other configured security restrictions. Network administrators use reflexive ACLs to allow IP traffic for sessions originating from their network while denying IP traffic for sessions originating outside the network.
Standard ACL: identified by numbers 1-99 and 1300-1999; filters traffic based on source IP address.
Extended ACL: identified by numbers 100-199 and 2000-2699; filters traffic based on source IP, destination IP, protocol, and port number.
Teleworker connectivity:
1. Traditional private WAN Layer 2 technologies, including Frame Relay, ATM, and leased lines, provide many remote connection solutions.
2. IPsec Virtual Private Networks (VPNs) offer flexible and scalable connectivity. Site-to-site connections can provide a secure, fast, and reliable remote connection to teleworkers. This is the most common option for teleworkers, combined with remote access over broadband, to establish a secure VPN over the public Internet. (A less reliable means of connectivity using the Internet is a dialup connection.)
3. The term broadband refers to advanced communications systems capable of providing high-speed transmission of services, such as data, voice, and video, over the Internet and other networks.
Dialup access: Dialup is the slowest option, and is typically used by mobile workers in areas where high-speed connections are not available.
DSL: DSL also uses telephone lines. DSL uses a special modem that separates the DSL signal from the telephone signal and provides an Ethernet connection to a host computer or LAN.
Cable modem: The Internet signal is carried on the same coaxial cable that delivers cable TV. A special cable modem separates the Internet signal from the other signals and provides an Ethernet connection to a host computer or LAN.
Satellite: The computer connects to a satellite modem that transmits radio signals to the nearest point of presence within the satellite network.
DSL vs Cable: The advantage that DSL has over cable technology is that DSL is not a shared medium. Each user has a separate direct connection to the DSLAM. Adding users does not impede performance unless the DSLAM Internet connection on the other side becomes saturated.
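Returning to the ACL notes above (the any and host wildcard masks, standard versus extended numbering, and the deny that ends every list), here is a small evaluator written for this page as an added example; it is not IOS code, and the ACL entries and packets are constructed.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # 'any': wildcard of all 1s, no bit must match

def host(addr):
    return (addr, "0.0.0.0")           # 'host A': wildcard of all 0s, every bit must match

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_kind(number):
    """Standard lists filter on source only; extended lists on source,
    destination, protocol and port. Ranges as given in the notes."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not a numbered IP ACL")

def evaluate(number, entries, packet):
    """Entries are checked top-down and the first match decides; a packet
    matching no entry hits the implicit 'deny any' at the end of the list."""
    kind = acl_kind(number)
    for entry in entries:
        if not wildcard_match(packet["src"], *entry["src"]):
            continue
        if kind == "extended":
            if entry["proto"] != "ip" and entry["proto"] != packet["proto"]:
                continue
            if not wildcard_match(packet["dst"], *entry["dst"]):
                continue
            if entry.get("dport") is not None and entry["dport"] != packet.get("dport"):
                continue
        return entry["action"]
    return "deny"

# Constructed extended ACL 101: web traffic from the 192.168.1.0/24 LAN to one
# server is permitted; the explicit final deny only makes the implicit one visible.
ACL_101 = [
    {"action": "permit", "proto": "tcp", "src": ("192.168.1.0", "0.0.0.255"),
     "dst": host("10.0.0.5"), "dport": 80},
    {"action": "deny", "proto": "ip", "src": ANY, "dst": ANY},
]
# Constructed standard ACL 10: only the source address is examined.
ACL_10 = [{"action": "permit", "src": ("192.168.1.0", "0.0.0.255")}]
```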
A VPN creates a private network over a public network infrastructure while maintaining confidentiality and security. VPNs use cryptographic tunneling protocols to provide protection against packet sniffing, sender authentication, and message integrity.
Cost savings: Organizations can use Internet infrastructure to connect remote offices and users to the main corporate site.
Security: Advanced encryption and authentication protocols protect data from unauthorized access.
Scalability: Organizations, big and small, are able to add large amounts of capacity without adding significant infrastructure.
The 3 foundations of a secure VPN are the following:
Data confidentiality: A common security concern is protecting data from eavesdroppers or unauthorized sources.
Data integrity: Data integrity guarantees that no tampering or alterations occur to data while it travels between the source and destination.
Authentication: Authentication ensures that a message comes from an authentic source and goes to an authentic destination.
VPN Tunneling: PPP carries the message to the VPN device, where the message is encapsulated within a Generic Routing Encapsulation (GRE) packet.
NAT address terminology:
Local address: any address that is used on, and appears within, our internal network.
Global address: any address that is used and appears on an external public network.
Inside address: associated with a native network host.
Outside address: associated with a foreign network host.
Inside local: address assigned to a host on our native network. The address is likely not a publicly routable IP address (i.e. not part of the registered address space).
Inside global: address that represents one or more native hosts (i.e. inside local IP addresses) to the outside world (i.e. on foreign networks).
Outside local: address of a foreign host as it appears on our native network. Not necessarily a legitimate address; it is allocated from an address space routable within our internal network.
Outside global: address of a foreign host as it appears on foreign networks. This address is necessarily a publicly routable one. NOTE: In most cases, the "outside local" and "outside global" addresses are identical.
NAT Benefits
Eliminates readdressing overhead. Conserves addresses through application port-level multiplexing. Protects network security.
NAT Drawbacks
NAT increases delay due to translation of every packet going out to or in from the public network. Loss of functionality, particularly with any protocol or application that involves sending IP address information as part of its payload.
3 types of NAT are currently available: Static NAT translation, Dynamic NAT translation, and Overloading NAT or Port Address Translation (PAT).
Static NAT is designed to allow one-to-one mapping of local and global addresses: mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device (usually a server) needs to be accessible from outside the network.
Dynamic NAT is designed to map a private IP address to a public address: it maps an unregistered IP address to a registered IP address from a pool of registered IP addresses.
PAT Features: PAT uses unique source port numbers on the inside global IP address to distinguish between translations. PAT / Overloading is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. Also known as PAT (Port Address Translation), single-address NAT, or port-level multiplexed NAT.
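The port-level multiplexing that PAT relies on, as an added Python model that is not from these notes or from IOS; the inside global address, the inside hosts and the port allocation policy (keep the original source port when free, otherwise the lowest unused port in a range) are constructed assumptions.

```python
class PatTranslator:
    """Overloading / PAT: every inside local address is rewritten to the one
    inside global address, and the source port is made unique so replies can
    be mapped back. The translation table is keyed on (inside local, port)."""

    def __init__(self, inside_global, first_port=1024, last_port=65535):
        self.inside_global = inside_global
        self.first_port, self.last_port = first_port, last_port
        self.out = {}    # (inside_local, local_port) -> inside global port
        self.back = {}   # inside global port -> (inside_local, local_port)

    def _allocate(self, wanted):
        """Assumed policy: keep the original source port if it is free,
        otherwise hand out the lowest unused port in the configured range."""
        if wanted not in self.back:
            return wanted
        for port in range(self.first_port, self.last_port + 1):
            if port not in self.back:
                return port
        raise RuntimeError("translation table full")

    def outbound(self, inside_local, src_port, dst_ip, dst_port):
        """Inside -> outside: returns the header as seen on the outside."""
        key = (inside_local, src_port)
        if key not in self.out:
            gport = self._allocate(src_port)
            self.out[key] = gport
            self.back[gport] = key
        return (self.inside_global, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Outside -> inside: only a packet for an existing translation is
        forwarded; unsolicited inbound traffic has no entry and is dropped
        (the 'protects network security' benefit listed in the notes)."""
        entry = self.back.get(dst_port)
        if entry is None:
            return None
        inside_local, local_port = entry
        return (src_ip, src_port, inside_local, local_port)

    def active_translations(self):
        """Rough equivalent of 'show ip nat translations' for this model."""
        return {f"{il}:{lp}": f"{self.inside_global}:{gp}"
                for (il, lp), gp in self.out.items()}
```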

NAT Implementation Overview
Define NAT inside and outside interfaces.
Define what you're trying to accomplish with NAT.
Configure NAT in order to accomplish what you defined above.
Determine which of the following features you need to use: Static NAT, Dynamic NAT, Overloading.
There are two main mechanisms for dynamic configuration of IP parameters:
RARP - Reverse Address Resolution Protocol
DHCP - Dynamic Host Configuration Protocol
Major DHCP Features: Auto Allocation, Manual Allocation, Dynamic Allocation. Server(s) are configured to provide IP information to clients on locally connected subnets: IP address pool(s) plus exclusions and reservations, subnet mask, default gateway, IP of DNS server, IP of WINS server, domain suffix. Clients lease IP information for a configured period; clients attempt to renew once half the lease time has expired; allocation can be done automatically, manually, or dynamically.
IPv6 Advanced Features
Larger address space: global reachability and flexibility
Plug-and-play
Simpler header
A simpler and more efficient header means:
64-bit aligned fields and fewer fields
Hardware-based, efficient processing
Improved forwarding rate with better scalability
IPv6 address format: x:x:x:x:x:x:x:x, where x is a 16-bit hexadecimal field, e.g. 2031:0:130F:0:0:9C0:876A:130B
Unicast: one to one
Global
Link local (FE80::/10)
