
AACS5324 Advanced Computer Networks

Chapter 1 IP Addressing Services

ACN - 1

Objectives
Upon completion of this chapter, students should be able to understand the following:

Dynamic Host Configuration Protocol (DHCP) (RFC 2131)
IP address assignment
DHCP operations
DHCP relay agent
DHCP common security attacks
DHCP configurations

Network Address Translation (NAT)
Private address space (RFC 1918)
NAT operations and terminology
NAT types
Advantages and disadvantages
NAT configurations

IP Addressing Services

Dynamic Host Configuration Protocol (DHCP)


IP Address Assignments
Before Dynamic Host Configuration Protocol (DHCP):
Hosts were statically assigned a unique IP address that could not be reused.
A large number of addresses was required.
Network changes meant manual reconfiguration of hosts.


IP Address Assignments
Then came Bootstrap Protocol (BOOTP), the predecessor of DHCP:
Designed to configure diskless workstations based on their MAC address.
The BOOTP server is configured with a table of MAC addresses and the corresponding IP addresses.
The same IP address is always handed to a workstation: no versatility, permanent assignment, static mapping.
Only 4 configuration parameters.

IP Address Assignments
Then came DHCP:
Reduces Internet access costs when NAT/PAT is not deployed by allowing dynamic address space allocation and reuse. Static IP addresses are considerably more expensive to purchase than automatically allocated IP addresses.
Minimizes the time and expense of client configuration. Because DHCP is easy to configure, it minimizes the operational overhead and costs associated with device configuration tasks and eases deployment by nontechnical users.


IP Address Assignments
Then came DHCP:
A means of centralized management of IP information. Because the DHCP server maintains configurations for several subnets, an administrator only needs to update a single, central server when configuration parameters change.
Allows a client to be assigned another address when it moves to a different subnet.
Supports up to 20 configuration parameters.
Can be run on a router or a server.


BOOTP vs. DHCP


There are three primary differences between DHCP and BOOTP:
The main difference is that BOOTP was designed for manual preconfiguration of the host information in a server database, while DHCP allows for dynamic allocation of network addresses and configurations to newly attached hosts.

DHCP allows for recovery and reallocation of network addresses through a leasing mechanism. Specifically, DHCP defines mechanisms through which clients can be assigned an IP address for a finite lease period. This lease period allows for reassignment of the IP address to another client later, or for the client to get another assignment if the client moves to another subnet. Clients may also renew leases and keep the same IP address. BOOTP does not use leases.
BOOTP provides a limited amount of information to a host. DHCP provides additional IP configuration parameters, such as WINS and domain name.

Scaling Networks with DHCP


DHCP is not always possible or desirable in these scenarios:
Servers and routers usually require static addresses.
When network administrators want to achieve security and simplicity.
A DHCP server must always be available whenever an address is required.
End users must be prevented from manually configuring network settings and generating conflicts with dynamically assigned addresses.


Dynamic Host Configuration Protocol (DHCP)


Every device that connects to a network needs an IP address. Network administrators assign static IP addresses to routers, servers, and other network devices whose locations (physical and logical) are not likely to change. User computers in an organization often change locations, physically and logically. Desktop clients do not require a static address. A workstation can use any address within a range of addresses. This range is typically within an IP subnet.

Dynamic Host Configuration Protocol (DHCP)


Two modes of installing DHCP services in a network:
Administrators typically prefer a network server to offer DHCP services: scalable and relatively easy to manage.
In a small branch or SOHO location, a Cisco router can be configured to provide DHCP services without the need for an expensive dedicated server.


DHCP Address Allocation Methods


Dynamic allocation: A network administrator assigns a range of IP addresses to DHCP, and each client computer on the LAN is configured to request an IP address from the DHCP server during network initialization. The request-and-grant process uses a lease concept with a controllable time period, allowing the DHCP server to reclaim (and then reallocate) IP addresses that are not renewed.


DHCP Address Allocation Methods


Automatic allocation: The DHCP server permanently assigns a free IP address to a requesting client from the range defined by the administrator. This is like dynamic allocation, but the DHCP server keeps a table of past IP address assignments, so that it can preferentially assign to a client the same IP address that the client previously had.


DHCP Address Allocation Methods


Manual/static allocation:
The DHCP server allocates an IP address based on a table with MAC address/IP address pairs, which are manually filled in (perhaps by a network administrator). Only requesting clients with a MAC address listed in this table will be allocated an IP address. This feature (which is not supported by all DHCP servers) is variously called Static DHCP Assignment (by DD-WRT), fixed-address (by the dhcpd documentation), Address Reservation (by Netgear), DHCP reservation or Static DHCP (by Cisco/Linksys), and IP reservation or MAC/IP binding (by various other router manufacturers). (Wikipedia)

DHCP Address Allocation Methods


Manual Bindings Configuration Example
The following example creates a manual binding for a client named Mars.cisco.com. The MAC address of the client is 02c7.f800.0422 and the IP address of the client is 172.16.2.254.
ip dhcp pool Mars
 host 172.16.2.254 255.255.255.0
 default-router 172.16.2.100
 hardware-address 02c7.f800.0422 ieee802
 client-name Mars
 dns-server 172.16.1.102
 domain-name cisco.com


DHCP Operation Dynamic Allocation


Dynamic Allocation: DHCP works in a client/server mode. When the client connects, the server assigns or leases an IP address to the device. The device connects to the network with that leased IP address until the lease period expires. The host must contact the DHCP server periodically to extend the lease. The leasing of addresses assures that addresses that are no longer used are returned to the address pool for use by other devices.

DHCP Operation Dynamic Allocation


Dynamic Allocation: 4 Step Process. DHCPDISCOVER: The client broadcasts a DHCPDISCOVER message. The DHCPDISCOVER message finds the DHCP server(s) on the network.


DHCP Operation Dynamic Allocation


Dynamic Allocation: 4 Step Process. DHCPOFFER: The server responds with a DHCPOFFER. The DHCPOFFER message is sent as a unicast and contains an available IP address to lease.


Server-side Conflict Detection


By default, the DHCP server pings an IP address twice before offering an IP address to a requesting client. If the ping is not successful, the DHCP server assumes that the address is not in use and assigns the address to the requesting client. If the ping is successful, the server attaches a BAD_ADDRESS value to that IP address and will try to lease the next available address. If the duplicate address is removed from the network, the BAD_ADDRESS value attached to the IP address can be deleted, and the address returned to the pool.


Server-side Conflict Detection (FYI)


To change the number of ping packets sent and/or the timeout wait value:
Router(config)#ip dhcp ping packets number
Router(config)#ip dhcp ping timeout milliseconds


DHCP Operation Dynamic Allocation


Dynamic Allocation: 4 Step Process. DHCPREQUEST: The client responds with a broadcast of a DHCPREQUEST message. When used for obtaining a lease, it serves as an acceptance notice to the selected server and an implicit decline to any other servers. Also used for lease renewal and verification.


DHCP Operation Dynamic Allocation


Dynamic Allocation: 4 Step Process. DHCPACK: The server verifies the lease information and responds with a DHCPACK message. The client logs the information and sends an ARP request to verify that the address is unique.


Client-side Conflict Detection


Upon receiving the DHCPACK message with configuration parameters, the client performs a final check on these parameters by using ARP (ping) and notes the duration of the lease specified in the DHCPACK message. If the ping is not successful, the client is configured with the IP address. If the ping is successful, the client MUST send a DHCPDECLINE message to the server and restart the configuration process. The client SHOULD wait a minimum of ten seconds before restarting the configuration process to avoid excessive network traffic in case of looping (RFC 2131).
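As an added example (not code from the lecture slides), the following Python simulation walks a client through the four-step dynamic allocation above together with both conflict checks: the server pings a candidate address before offering it and marks it BAD_ADDRESS if something answers, and the client probes the acknowledged address with ARP and sends DHCPDECLINE if a host already owns it. The Lan class, the 192.168.10.0/29 pool and the MAC addresses are constructed test data; a host that drops ICMP but still answers ARP is included to show why the client-side check is needed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Lease:
    mac: str
    ip: IPv4Address
    remaining: int  # seconds left before the lease expires


class Lan:
    """Constructed stand-in for the segment: which addresses answer ping and ARP.
    A host that drops ICMP is invisible to the server's ping check but still
    answers ARP, which is exactly the case the client-side check catches."""

    def __init__(self, ping_hosts=(), silent_hosts=()):
        self.ping_hosts = {IPv4Address(a) for a in ping_hosts}
        self.silent_hosts = {IPv4Address(a) for a in silent_hosts}

    def answers_ping(self, ip):
        return ip in self.ping_hosts

    def answers_arp(self, ip):
        return ip in self.ping_hosts or ip in self.silent_hosts


class DhcpServer:
    def __init__(self, lan, pool, excluded=(), lease_time=86400):
        self.lan = lan
        self.lease_time = lease_time
        self.leases = {}          # client MAC -> Lease
        self.offered = {}         # client MAC -> address reserved until DHCPREQUEST
        self.bad_addresses = set()
        skip = {IPv4Address(a) for a in excluded}   # like ip dhcp excluded-address
        self.candidates = [ip for ip in IPv4Network(pool).hosts() if ip not in skip]

    def handle_discover(self, mac):
        """DHCPDISCOVER in, DHCPOFFER out (None when no address is available)."""
        if mac in self.leases:                       # returning client keeps its address
            ip = self.leases[mac].ip
        else:
            taken = {l.ip for l in self.leases.values()} | set(self.offered.values())
            ip = None
            for cand in self.candidates:
                if cand in taken or cand in self.bad_addresses:
                    continue
                if self.lan.answers_ping(cand):      # server-side conflict detection
                    self.bad_addresses.add(cand)     # BAD_ADDRESS: never offer it again
                    continue
                ip = cand
                break
            if ip is None:
                return None
        self.offered[mac] = ip
        return {"type": "DHCPOFFER", "ip": ip, "lease": self.lease_time}

    def handle_request(self, mac, ip):
        """DHCPREQUEST in; DHCPACK commits the lease, DHCPNAK rejects it."""
        expected = self.offered.get(mac)
        if expected is None and mac in self.leases:
            expected = self.leases[mac].ip           # renewal of an existing lease
        self.offered.pop(mac, None)
        if ip != expected or ip in self.bad_addresses:
            return {"type": "DHCPNAK"}
        self.leases[mac] = Lease(mac, ip, self.lease_time)
        return {"type": "DHCPACK", "ip": ip, "lease": self.lease_time}

    def handle_decline(self, mac, ip):
        """DHCPDECLINE: the client found the address in use; quarantine it."""
        self.bad_addresses.add(ip)
        if mac in self.leases and self.leases[mac].ip == ip:
            del self.leases[mac]

    def tick(self, seconds):
        """Advance the clock; leases that were not renewed return to the pool."""
        for mac, lease in list(self.leases.items()):
            lease.remaining -= seconds
            if lease.remaining <= 0:
                del self.leases[mac]


def run_client(server, lan, mac, max_attempts=3):
    """One client's DISCOVER/OFFER/REQUEST/ACK cycle; returns its address or None."""
    for _ in range(max_attempts):
        offer = server.handle_discover(mac)
        if offer is None:
            return None                              # pool exhausted
        reply = server.handle_request(mac, offer["ip"])
        if reply["type"] != "DHCPACK":
            continue
        if lan.answers_arp(reply["ip"]):             # client-side conflict detection (ARP)
            server.handle_decline(mac, reply["ip"])  # RFC 2131: decline, wait >= 10 s, restart
            continue
        return reply["ip"]
    return None


def demo():
    """Constructed scenario: .1 is the router, .2 answers ping, .4 answers only ARP."""
    lan = Lan(ping_hosts=["192.168.10.2"], silent_hosts=["192.168.10.4"])
    srv = DhcpServer(lan, "192.168.10.0/29", excluded=["192.168.10.1"], lease_time=3600)
    a = run_client(srv, lan, "00:11:22:33:44:01")   # .2 becomes BAD_ADDRESS, gets .3
    b = run_client(srv, lan, "00:11:22:33:44:02")   # .4 is ACKed, declined, then gets .5
    return str(a), str(b), sorted(str(ip) for ip in srv.bad_addresses)
```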

DHCP Operation 2 DHCP Servers


DHCP Operation
A DHCP client may receive offers from multiple DHCP servers and can accept any one of the offers; however, the client usually accepts the first offer it receives. Additionally, the offer from the DHCP server is not a guarantee that the IP address will be allocated to the client; however, the server usually reserves the address until the client has had a chance to formally request the address.


DHCP Operation
The client returns a formal request for the offered IP address to the DHCP server in a DHCPREQUEST broadcast message. The formal request for the offered IP address (the DHCPREQUEST message) that is sent by the client is broadcast so that all other DHCP servers that received the DHCPDISCOVER broadcast message from the client can reclaim the IP addresses that they offered to the client. The DHCP server confirms that the IP address has been allocated to the client by returning a DHCPACK unicast message to the client.

DHCP Messages
DHCPDISCOVER: Client broadcast to locate available servers.
DHCPOFFER: Server to client in response to DHCPDISCOVER with an offer of configuration parameters.
DHCPREQUEST: Client message to servers either (a) accepting offered parameters from one server and implicitly declining offers from all others, (b) confirming the correctness of a previously allocated address after, e.g., a system reboot (verification), or (c) extending the lease on a particular network address (renewal).
DHCPACK: Server to client with configuration parameters, including the committed network address.

DHCP Messages
DHCPNAK: Server to client indicating that the client's notion of its network address is incorrect (e.g., the client has moved to a new subnet) or that the client's lease has expired.
DHCPDECLINE: Client to server indicating that the network address is already in use.
DHCPRELEASE: Client to server relinquishing the network address and cancelling the remaining lease.


DHCP Relay

In a complex hierarchical network, enterprise servers are usually contained in a server farm. These servers may provide DHCP, DNS, TFTP, and FTP services for the clients.

DHCP Relay

PC1 either tries to obtain an IP configuration or attempts to renew its address. In addition, other network services use broadcasts to find a TFTP server or an authentication server.

DHCP Relay

The solution is DHCP Relay. Configuring the helper address feature on the intervening routers makes them forward DHCP broadcasts, and other selected broadcasts, to the appropriate server.

DHCP Relay

To configure RTA Fa0/0 (the interface that receives the Host A broadcasts) to relay DHCP broadcasts to the DHCP server, use the following commands:
RTA(config)#interface fa0/0
RTA(config-if)#ip helper-address 172.24.1.9

DHCP Relay
DHCP clients use IP broadcasts to find the DHCP server on the segment. What happens when the DHCP server and the client are not on the same segment and are separated by a router?
Routers, by default, will not forward broadcast packets. Since DHCP client messages use the destination IP address 255.255.255.255 (limited broadcast), DHCP clients will not be able to send requests to a DHCP server on a different subnet.
The router must be configured as a DHCP relay agent in order to allow the DHCP request to go through. This is accomplished by implementing ip helper-address.
The agent forwards DHCP broadcast requests on behalf of the DHCP client as unicasts to the DHCP server.
The DHCP relay agent inserts its own interface IP address into the DHCP messages it forwards to the server (as the source IP address and in the relay agent address field). This allows the DHCP server to respond via unicast to the DHCP relay agent.
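Added example, not code from the slides: a Python model of what the relay agent does to a client's broadcast once ip helper-address 172.24.1.9 is configured on RTA Fa0/0, and how the server uses the relay agent address (giaddr) to choose the right pool and to send its reply by unicast to the relay. RTA's Fa0/0 address 10.1.1.1, the pool names and the packet dictionaries are assumptions; the set of forwarded UDP ports is the IOS default list for ip helper-address.

```python
from ipaddress import IPv4Address, IPv4Network

ZERO = IPv4Address("0.0.0.0")
LIMITED_BROADCAST = IPv4Address("255.255.255.255")
# UDP ports that ip helper-address forwards by default on Cisco IOS
HELPER_PORTS = {37, 49, 53, 67, 68, 69, 137, 138}
BROADCAST_FLAG = 0x8000   # DHCP 'flags' field: client asks for a broadcast reply


def relay_to_server(pkt, relay_if_ip, helper_ip):
    """What RTA Fa0/0 does with a received broadcast after 'ip helper-address'.
    Returns the forwarded packet, or None when the router would simply drop it."""
    if pkt["dst_ip"] != LIMITED_BROADCAST or pkt["dst_port"] not in HELPER_PORTS:
        return None                               # ordinary broadcasts are not forwarded
    fwd = dict(pkt)
    fwd["src_ip"] = IPv4Address(relay_if_ip)      # the relay's own interface address
    fwd["dst_ip"] = IPv4Address(helper_ip)        # now a routable unicast to the server
    if pkt["dst_port"] == 67:                     # DHCP/BOOTP: also fill the relay fields
        if fwd["giaddr"] == ZERO:                 # first relay on the path sets giaddr
            fwd["giaddr"] = IPv4Address(relay_if_ip)
        fwd["hops"] += 1
    return fwd


def select_pool(pkt, receiving_if_ip, pools):
    """Server side: pick the pool for the client's subnet. A relayed request is
    placed by giaddr; one received directly, by the server's receiving interface."""
    origin = pkt["giaddr"] if pkt["giaddr"] != ZERO else IPv4Address(receiving_if_ip)
    for net, pool_name in pools.items():
        if origin in IPv4Network(net):
            return pool_name
    return None


def server_reply(pkt, server_ip, offered_ip):
    """DHCPOFFER: unicast to the relay agent (port 67) when giaddr is set,
    otherwise broadcast on the server's own segment (client port 68)."""
    relayed = pkt["giaddr"] != ZERO
    return {"type": "DHCPOFFER", "src_ip": IPv4Address(server_ip),
            "dst_ip": pkt["giaddr"] if relayed else LIMITED_BROADCAST,
            "dst_port": 67 if relayed else 68,
            "yiaddr": IPv4Address(offered_ip), "giaddr": pkt["giaddr"],
            "chaddr": pkt["chaddr"], "flags": pkt["flags"]}


def relay_to_client(reply):
    """The relay delivers the server's reply on the client's segment (port 68):
    broadcast if the client set the broadcast flag, else unicast to the offered address."""
    out = dict(reply)
    out["dst_ip"] = LIMITED_BROADCAST if reply["flags"] & BROADCAST_FLAG else reply["yiaddr"]
    out["dst_port"] = 68
    return out


def discover(chaddr, flags=BROADCAST_FLAG):
    """Constructed DHCPDISCOVER as it leaves the client's NIC."""
    return {"type": "DHCPDISCOVER", "src_ip": ZERO, "dst_ip": LIMITED_BROADCAST,
            "src_port": 68, "dst_port": 67, "giaddr": ZERO, "hops": 0,
            "chaddr": chaddr, "flags": flags}


def demo():
    """Host A on 10.1.1.0/24 behind RTA; DHCP server 172.24.1.9 in the server farm."""
    pools = {"10.1.1.0/24": "BRANCH-LAN", "172.24.1.0/24": "SERVER-FARM"}
    pkt = relay_to_server(discover("00:11:22:33:44:55"), "10.1.1.1", "172.24.1.9")
    pool = select_pool(pkt, "172.24.1.9", pools)
    reply = server_reply(pkt, "172.24.1.9", "10.1.1.50")
    delivered = relay_to_client(reply)
    return pkt, pool, reply, delivered
```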


DHCP Common Security Attacks


DHCP Spoof Attacks: Man-In-The-Middle Attack
One of the ways an attacker can gain access to network traffic is to spoof responses that would be sent by a valid DHCP server. The DHCP spoofing device replies to client DHCP requests. The legitimate server may reply as well, but if the spoofing device is on the same segment as the client, its reply to the client may arrive first. The intruder's DHCP reply offers an IP address and supporting information that designates the intruder as the default gateway or Domain Name System (DNS) server. In the case of a gateway, the clients will then forward packets to the attacking device, which will in turn send them to the desired destination. It may go entirely undetected as the intruder intercepts the data flow through the network.

DHCP Spoof Attacks: DHCP Starvation Attack


DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. If enough requests are sent, the network attacker can exhaust the address space available to the DHCP servers for a period of time. Subsequently, a legitimate user is denied when requesting a DHCP IP address and thus is not able to access the network. DHCP starvation may be purely a denial of service (DoS) mechanism or may be used in conjunction with a malicious rogue server attack to redirect traffic to a malicious computer ready to intercept traffic.


DHCP Spoof Attacks
(Figure) The client broadcasts: "I need an IP address/mask, default gateway, and DNS server." The rogue server answers first: "Here you go, I might be first!" The client replies "Got it, thanks!" and, when the legitimate server's offer ("Here you go.") arrives later, ignores it: "Already got the info." All default gateway frames and DNS requests are now sent to the rogue, which can forward them on to its operator ("I can now forward these on to my leader.").
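The two attacks above leave distinct traces at the access switch. As an added example (not from the slides), the Python detection logic below runs over a constructed log of DHCP messages seen per switch port (the port names, MAC addresses and log format are assumptions): a server-class message (OFFER/ACK/NAK) arriving on any port other than the trusted uplink indicates a spoofing server, and a burst of DHCPDISCOVERs from many different MACs on one port indicates starvation. This is the same idea switch-side DHCP snooping applies when it drops server messages on untrusted ports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed switch-side DHCP log, "time port client-mac message" (not real device output).
# Gi0/24 is the uplink to the server farm; Gi0/7 hosts a rogue server; Gi0/3 floods DISCOVERs.
SAMPLE_LOG = """\
09:00:00 Gi0/1  00:11:22:33:44:01 DHCPDISCOVER
09:00:00 Gi0/24 00:50:56:aa:bb:01 DHCPOFFER
09:00:01 Gi0/1  00:11:22:33:44:01 DHCPREQUEST
09:00:01 Gi0/24 00:50:56:aa:bb:01 DHCPACK
09:00:05 Gi0/2  00:11:22:33:44:02 DHCPDISCOVER
09:00:05 Gi0/7  de:ad:be:ef:00:01 DHCPOFFER
09:00:05 Gi0/24 00:50:56:aa:bb:01 DHCPOFFER
09:00:06 Gi0/2  00:11:22:33:44:02 DHCPREQUEST
09:00:06 Gi0/7  de:ad:be:ef:00:01 DHCPACK
09:00:10 Gi0/3  02:00:00:00:00:01 DHCPDISCOVER
09:00:10 Gi0/3  02:00:00:00:00:02 DHCPDISCOVER
09:00:10 Gi0/3  02:00:00:00:00:03 DHCPDISCOVER
09:00:11 Gi0/3  02:00:00:00:00:04 DHCPDISCOVER
09:00:11 Gi0/3  02:00:00:00:00:05 DHCPDISCOVER
09:00:11 Gi0/3  02:00:00:00:00:06 DHCPDISCOVER
09:00:12 Gi0/3  02:00:00:00:00:07 DHCPDISCOVER
"""

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def parse_line(line):
    ts, port, mac, msg = line.split()
    return datetime.strptime(ts, "%H:%M:%S"), port, mac.lower(), msg


def detect(lines, trusted_ports, window_s=10, max_macs_per_port=5):
    """Two checks on DHCP traffic seen at the access switch:
    * ROGUE_SERVER: a server-class message (OFFER/ACK/NAK) arriving on a port that
      is not a trusted uplink, the signature of the spoofing attack.
    * STARVATION: more than max_macs_per_port distinct client MACs sending
      DHCPDISCOVER on one port within window_s seconds (an access port normally
      carries very few clients), the signature of the starvation attack.
    Returns a list of (kind, port, detail) tuples."""
    alerts = []
    discovers = defaultdict(list)          # port -> [(time, mac)] inside the window
    flagged = set()                        # ports already reported for starvation
    for line in lines:
        if not line.strip():
            continue
        ts, port, mac, msg = parse_line(line)
        if msg in SERVER_MESSAGES and port not in trusted_ports:
            alerts.append(("ROGUE_SERVER", port, f"{msg} from {mac}"))
        if msg == "DHCPDISCOVER":
            recent = [(t, m) for t, m in discovers[port]
                      if ts - t <= timedelta(seconds=window_s)]
            recent.append((ts, mac))
            discovers[port] = recent
            distinct = {m for _, m in recent}
            if len(distinct) > max_macs_per_port and port not in flagged:
                flagged.add(port)
                alerts.append(("STARVATION", port,
                               f"{len(distinct)} client MACs within {window_s}s"))
    return alerts


def demo():
    return detect(SAMPLE_LOG.splitlines(), trusted_ports={"Gi0/24"})
```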


Configuring a Cisco Router as a DHCP Server


3 Basic Steps:
Step 1: Define a range of addresses that DHCP is not to allocate. Usually static addresses reserved for the router interface, switch management IP address, servers, and local network printers.
Step 2: Create the DHCP pool of addresses using the ip dhcp pool command.
Step 3: Configure the specific DHCP tasks for the pool.

Configuring a Cisco Router as a DHCP Server


The DHCP service is enabled by default on versions of Cisco IOS that support it.
To disable the service: Router(config)#no service dhcp
To enable the service: Router(config)#service dhcp


Configuring a Cisco Router as a DHCP Server


Step 1: Exclude an address or addresses from the pool:
Router(config)#ip dhcp excluded-address low-address [high-address]
Excludes an individual address or a range of addresses when assigning addresses to clients. Used to reserve addresses that are statically assigned to key hosts, for instance the interface address on the router.

Configuring a Cisco Router as a DHCP Server


Step 2: Create the DHCP pool and place the router in DHCP configuration mode.
Router(config)#ip dhcp pool [pool-name]
Router(config-dhcp)#


Configuring a Cisco Router as a DHCP Server


Step 3: Configure the specific DHCP tasks. Define the pool of addresses:
Router(config-dhcp)#network network-number [mask | /prefix]
The network statement enables DHCP on any router interfaces belonging to that network. The router will act as a DHCP server on that interface. It is also the pool of addresses that the DHCP server will use.

Configuring a Cisco Router as a DHCP Server


Step 3: Configure the specific DHCP tasks. Assign the default gateway for the DHCP clients:
Router(config-dhcp)#default-router ip-address [ip-address2]
Only one is required, but up to 8 addresses may be assigned in one command line.


Configuring a Cisco Router as a DHCP Server


Step 3: Configure the specific DHCP tasks. Assign the DNS server(s) for the DHCP clients:
Router(config-dhcp)#dns-server ip-address [ip-address2]
Only one is required, but up to 8 addresses may be assigned in one command line.


Configuring a Cisco Router as a DHCP Server


Step 3: Configure the specific DHCP tasks. Assign the WINS server(s) for the DHCP clients:
Router(config-dhcp)#netbios-name-server ip-address [ip-address2]
Only one is required, but up to 8 addresses may be assigned in one command line.


Configuring a Cisco Router as a DHCP Server


Step 3: Configure the specific DHCP tasks. Assign the domain name for the DHCP clients:
Router(config-dhcp)#domain-name [domain]


Configuring a Cisco Router as a DHCP Server


Step 3: Configure the specific DHCP tasks. Assign the duration of the lease for the DHCP clients:
Router(config-dhcp)#lease {days [hours] [minutes] | infinite}
The default lease time is 1 day.


Configuring a Cisco Router as a DHCP Server


Step 3: Configure the specific DHCP tasks. FYI - other available parameters:
Router(config-dhcp)#netbios-node-type [type]
Router(config-dhcp)#host address [mask | /prefix]
Router(config-dhcp)#hardware-address hardware-address type (or client-identifier unique-identifier)
Router(config-dhcp)#client-name name
Router(config-dhcp)#bootfile filename

Configuring a Cisco Router as a DHCP Server
(Figure: a complete configuration example showing Step 1, Step 2 and Step 3 together.)

Configuring a Cisco Router as a DHCP Server


Verifying DHCP:
Router#show ip dhcp binding
Router#show ip dhcp server statistics
Router#show ip dhcp pool
Router#debug ip dhcp server events

Much more detail in the lab.


Troubleshooting DHCP Configuration


Resolve any IP address conflicts: show ip dhcp conflict
Verify physical connectivity.
Test connectivity by configuring a workstation with a static IP address.
Verify the switch port configuration.
Do DHCP clients obtain an IP address on the same subnet or VLAN where the DHCP server resides?
Verify any DHCP relay configuration.
Verify that the router is receiving DHCP requests:
debug ip dhcp events
debug ip dhcp server
debug ip packet detail

IP Addressing Services

Scaling Networks With Network Address Translation (NAT)


Scaling Networks With NAT


All public Internet addresses must be registered with a Regional Internet Registry (RIR). Organizations can lease public addresses from an ISP. Only the registered holder of a public Internet address can assign that address to a network device.


Scaling Networks With NAT


Private Internet Addresses: These are reserved private Internet addresses drawn from three blocks. These addresses are for private, internal network use only. RFC 1918 specifies that private addresses are not to be routed over the Internet. ISPs configure their border routers to prevent traffic from private addresses from being forwarded to the Internet.


Scaling Networks With NAT


Private Internet Addresses: Benefits:
Eliminates the expense of large pools of routable addresses and conserves public addresses.
Gives enterprises considerable flexibility in network addressing design. This enables operationally and administratively convenient addressing schemes as well as easier growth.
Non-routable and not reserved for anyone: two or more private networks can use the same private addresses.


Scaling Networks With NAT


Private Internet Addresses: Two Issues:
You cannot route private addresses over the Internet.
There are not enough public addresses to allow organizations to provide one to every one of their hosts.
Networks need a mechanism to translate private addresses to public addresses at the edge of their network that works in both directions. Solution: NAT.


What is NAT?
The DHCP server assigns dynamic IP addresses to devices inside the network. NAT-enabled routers retain one or many valid Internet IP addresses outside of the network. When the client sends packets out of the network, NAT translates the internal IP address of the client to an external address. To outside users, all traffic coming to and going from the network has the same IP address or is from the same pool of addresses.

What is NAT?

A NAT enabled device typically operates at the border of a stub network. A stub network is a network that has a single connection to its neighbor network.

What is NAT?


When a host on the inside network wants to access a host on the outside network, the packet is sent to the border gateway router. The border gateway router performs the NAT process, translating the inside private address to an outside public address.

What is NAT?


The translation process uses an internal translation table. The contents of the table will vary depending on the type of network translation being implemented. We will be looking at the use of static NAT, dynamic NAT and Port Address Translation (PAT).

NAT Terminology
Inside Network: Usually an organization's LAN.

Outside Network: Usually the Internet but it can be any network.



NAT Terminology
Local Addresses: How a node on a network is seen by another node on the same network.

NAT Terminology
Global Addresses: How a node on one network is seen by a node on another network.

NAT Terminology
Inside Local Address: An RFC 1918 address assigned to a host on an inside network. Inside Global Address: A valid public address that the host on the inside network is assigned as it exits the router. Outside Global Address: A reachable IP address assigned to a host on the Internet. Outside Local Address: A local address assigned to a host on an outside network. (Use beyond the scope of this course).

How Does NAT Work?
(Figure) R2: "I have a packet for the outside network. I must translate the IP address."
Packet sent by the inside host: SA 192.168.10.10, DA 209.165.201.1.
Packet after translation by R2 (inside global address 209.165.200.226): SA 209.165.200.226, DA 209.165.201.1.


How Does NAT Work?
(Figure) R2: "I have a packet for the inside network. I must translate the IP address."
Packet received from the outside host: SA 209.165.201.1, DA 209.165.200.226.
Packet after translation by R2: SA 209.165.201.1, DA 192.168.10.10.


Dynamic Mapping and Static Mapping
Dynamic Mapping: Mapping of local addresses dynamically to a pool of global addresses. The number of hosts able to use NAT is limited by the number of addresses in the range. If you have allocated 6 public addresses for NAT, any 6 users can use NAT simultaneously. The NAT device dynamically assigns an address when a request is received. When a session ends, the address is returned to the pool for another user.

NAT Table
Inside Local: 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.5, 10.0.0.6, 10.0.0.7, 10.0.0.8
Inside Global (pool): 179.9.8.81 to 179.9.8.86

Dynamic Mapping and Static Mapping


Dynamic Mapping:
Eliminates the requirement for equal numbers of internal and external addresses by creating a pool of IP addresses for translation.
Not usable for mapping an internal server, as it does not allow the assignment of a predefined address between the internal and external networks.
Usually deployed along with static NAT.
Does not guarantee successful translation if the pool is exhausted, hence the need to provide a large enough address pool.


Dynamic Mapping and Static Mapping


Dynamic Mapping:
Most commonly used to provide Internet connectivity for organizations that deployed private addressing on the internal network (RFC 1918).
Requires only a small pool of registered addresses, as not all hosts will need Internet access at the same time, which reduces the expense of maintaining registered addresses for all hosts.
Translation occurs as packets leave the NAT border router (from the inside network to the outside network).
Active only during the conversation or for configurable time periods. The translation is removed after the conversation and the address is returned to the NAT pool.

Dynamic Mapping and Static Mapping


Static Mapping: One-to-one mapping of local and global addresses. The number of hosts able to use NAT is limited by the static assignments in the table.

NAT Table
Inside Local -> Inside Global
10.0.0.1 -> 179.9.8.81
10.0.0.2 -> 179.9.8.82
10.0.0.3 -> 179.9.8.83
10.0.0.4 -> 179.9.8.84
10.0.0.5 -> 179.9.8.85
10.0.0.6 -> 179.9.8.86

If you have allocated 6 public addresses for NAT, only these 6 users can use NAT. No other network users will have access unless you allocate another global address and add it to the table.

Dynamic Mapping and Static Mapping


Static Mapping:
No conservation of IP addresses, because each internal IP address must be mapped to a unique, routable public address.
Usually deployed for access to internal servers from the outside network. This allows the servers to be accessed from within the organization by using the inside local address and from the outside network by using the inside global address.
No packets dropped due to lack of addresses.
Minimizes delay, since no dynamic translation has to be built.
Provides a limited level of security by hiding the internal address. Access to the internal network is only allowed through the inside global address, NOT the inside local address.

NAT Overload
Port Address Translation (PAT): Allows you to use a single Public IP address and assign it up to 65,536 inside hosts (4,000 is more realistic). Modifies the TCP/UDP source port to track inside host addresses. Tracks and translates: Source IP Address. Destination IP Address. TCP/UDP Source Port Number. These uniquely identify each connection for each stream of traffic.


NAT Overload
Port Address Translation (PAT): outbound translation at 209.165.200.226 (figure)
Inside: SA 192.168.10.10:1555, DA 209.165.201.1:80 -> Outside: SA 209.165.200.226:1555, DA 209.165.201.1:80
Inside: SA 192.168.10.11:1331, DA 209.165.202.129:80 -> Outside: SA 209.165.200.226:1331, DA 209.165.202.129:80


NAT Overload
Port Address Translation (PAT): inbound translation at 209.165.200.226 (figure)
Outside: SA 209.165.201.1:80, DA 209.165.200.226:1555 -> Inside: SA 209.165.201.1:80, DA 192.168.10.10:1555
Outside: SA 209.165.202.129:80, DA 209.165.200.226:1331 -> Inside: SA 209.165.202.129:80, DA 192.168.10.11:1331


NAT Overload
Port Address Translation (PAT): NEXT AVAILABLE PORT (figure). Two inside hosts, 192.168.10.11:1444 and 192.168.10.12:1444, use the same source port; PAT cannot keep 1444 for both, so the second is translated to the next available port.


Benefits and Drawbacks


NAT Benefits:
Conserves the legally registered addressing scheme by allowing the privatization of intranets. NAT conserves addresses by applying port-level multiplexing (NAT overload), where internal hosts can share a single public address for all external communications.
Increases the flexibility of connections to the public network.
Provides consistency for internal network addressing schemes. An organization could change ISPs with no need to renumber all the hosts on the existing internal network.
Provides network security. Private networks do not advertise their addresses; they remain reasonably secure when used in conjunction with NAT to gain controlled external access. However, NAT does not replace firewalls.


Benefits and Drawbacks


NAT Drawbacks:
Performance is degraded. NAT increases switching delays because the router must look at every packet to decide whether it needs to be translated.
End-to-end functionality is degraded. NAT prevents applications that depend on end-to-end addressing, such as digital signatures and applications that use physical addresses.
End-to-end traceability is lost. NAT makes troubleshooting challenging: it is much more difficult to trace packets that undergo numerous address changes over multiple NAT hops.
Tunneling is more complicated. NAT complicates the integrity checks done by some tunneling protocols like IPsec, as NAT modifies values in the headers.


Configuring Static NAT


Step 1: Specify static translation between an inside local and inside global address.
ip nat inside source static local-ip global-ip
(Figure) Inside local address 10.1.1.2; inside global address from the ISP 179.23.2.2; ISP routing table: 179.23.2.0 via 192.168.1.1.
RA(config)#ip nat inside source static 10.1.1.2 179.23.2.2



Configuring Static NAT


Step 2: Mark the router interfaces as an inside interface or an outside interface.
RA(config)#interface fa0/0
RA(config-if)#ip address 10.1.1.1 255.255.255.0
RA(config-if)#ip nat inside
RA(config)#interface s0/0/0
RA(config-if)#ip address 192.168.1.1 255.255.255.0
RA(config-if)#ip nat outside
(Figure) ISP routing table: 179.23.2.0 via 192.168.1.1.

Configuring Static NAT


Summary: 10.1.1.2 will always translate to 179.23.2.2


Configuring Dynamic NAT


1. Define a named address pool of outside addresses to be used for translation.
2. Define an access list to specify those inside addresses that are eligible for translation (interesting traffic).
3. Specify dynamic translation between the inside addresses allowed by the access list and the pool of outside addresses.
4. Mark the interfaces as inside or outside.

Configuring Dynamic NAT


Interesting traffic:
It is not necessary to translate all traffic, as this would waste valuable router resources.
Traffic to be translated is termed interesting traffic.
Interesting traffic is selected with the help of an access control list (ACL), which checks the source address on the inside interface.
If the address matches, the traffic is interesting; if there is no match, there is no translation.
A record is maintained in the NAT table.


Configuring Dynamic NAT


Step 1: Define a named address pool of outside addresses to be used for translation.
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
(Figure) Address space from ISP = 179.9.8.0/24; IP address assigned to the interface; ISP routing table: 179.9.8.0 via 192.168.1.1.

Configuring Dynamic NAT


Step 1: Define a named address pool of outside addresses to be used for translation.
ip nat pool NAT-POOL1 179.9.8.80 179.9.8.85 netmask 255.255.255.0
(Name: NAT-POOL1; range: 179.9.8.80 to 179.9.8.85; mask: 255.255.255.0.)
(Figure) Address space from ISP = 179.9.8.0/24; IP address assigned to the interface; ISP routing table: 179.9.8.0 via 192.168.1.1.

Configuring Dynamic NAT


Step 2: Define an access list to specify those inside addresses that are eligible for translation (interesting traffic).
access-list access-list-number permit source [source-wildcard]
(Figure) Address space from ISP = 179.9.8.0/24; IP address assigned to the interface; ISP routing table: 179.9.8.0 via 192.168.1.1.

Configuring Dynamic NAT


Step 2: Define an access list to specify those inside addresses that are eligible for translation.
access-list 1 permit 10.1.0.0 0.0.255.255
Allows ALL inside network addresses to be translated.
(Figure) Address space from ISP = 179.9.8.0/24; IP address assigned to the interface; ISP routing table: 179.9.8.0 via 192.168.1.1.

Configuring Dynamic NAT

Step 3: Specify dynamic translation between the inside addresses allowed by the access list and the pool of outside addresses.
ip nat inside source list access-list-number pool pool-name

Configuring Dynamic NAT

Step 3 (example): Specify dynamic translation between the inside addresses allowed by the access list and the pool of outside addresses.
ip nat inside source list 1 pool NAT-POOL1
(list 1 comes from Step 2; NAT-POOL1 comes from Step 1)

Configuring Dynamic NAT

Step 4: Mark the interfaces as inside or outside.
RA(config)#interface fa0/0
RA(config-if)#ip address 10.1.1.1 255.255.255.0
RA(config-if)#ip nat inside

RA(config)#interface s0/0/0
RA(config-if)#ip address 192.168.1.1 255.255.255.0
RA(config-if)#ip nat outside

Configuring Dynamic NAT

Summary: All inside hosts are eligible for NAT.

Configuring NAT Overload (PAT)

There are two possible ways to configure overloading, depending on how the ISP allocates public IP addresses:
- The ISP allocates one public IP address to the organization.
- The ISP allocates more than one public IP address.
In either case, the configuration includes the overload keyword, which tells the router that Port Address Translation (PAT) is to be used.

Configuring NAT Overload (PAT)

The ISP allocates one public IP address to the organization:
1. Assign the IP address received from the ISP as the IP address of the outside interface.
2. Define a standard access list permitting those addresses to be translated.
3. Establish dynamic translation specifying the access list and the actual interface instead of a pool of addresses, and include the overload keyword.
4. Identify the inside and outside interfaces.
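As an added example (not from the course slides), the following Python model shows the NAT table router RA builds under the Step 1 to 4 dynamic NAT configuration above and under the single-address PAT configuration just described. It assumes the slides' values (access-list 1 permit 10.1.0.0 0.0.255.255, NAT-POOL1 179.9.8.80 to 179.9.8.85, outside interface 192.168.1.1); the inside hosts and ports are constructed, and the port-selection rule is a simplification of what IOS does.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def acl_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn 'access-list N permit address wildcard' into a network object.
    ipaddress accepts a hostmask (wildcard) after the slash, so
    10.1.0.0 with 0.0.255.255 becomes 10.1.0.0/16."""
    return ipaddress.ip_network(f"{address}/{wildcard}")


@dataclass(frozen=True)
class Entry:
    """One row of the NAT table: inside local -> inside global.
    The port fields are only used when overloading (PAT)."""
    inside_local: str
    inside_global: str
    local_port: Optional[int] = None
    global_port: Optional[int] = None


class NatRouter:
    """Models 'ip nat inside source list <acl> pool <pool>' (dynamic NAT) or
    'ip nat inside source list <acl> interface <if> overload' (PAT)."""

    def __init__(self, interesting: ipaddress.IPv4Network,
                 pool: Optional[Tuple[str, str]] = None,
                 overload_address: Optional[str] = None) -> None:
        if (pool is None) == (overload_address is None):
            raise ValueError("configure either a pool (dynamic NAT) or an overload address (PAT)")
        self.interesting = interesting
        self.overload_address = overload_address
        # Free addresses of the pool, as in 'ip nat pool NAT-POOL1 start end'.
        self.free_pool: List[str] = []
        if pool is not None:
            first, last = (int(ipaddress.ip_address(a)) for a in pool)
            self.free_pool = [str(ipaddress.ip_address(n)) for n in range(first, last + 1)]
        self.table: Dict[Tuple[str, Optional[int]], Entry] = {}
        self.used_ports: Set[int] = set()

    def translate(self, src_ip: str, src_port: Optional[int] = None) -> Optional[Entry]:
        """Look up or create the translation for a packet leaving via the inside
        interface. Returns None when the packet is not translated: the ACL did not
        match (not interesting traffic) or every pool address is already in use."""
        if ipaddress.ip_address(src_ip) not in self.interesting:
            return None
        key = (src_ip, src_port if self.overload_address else None)
        if key in self.table:
            return self.table[key]  # the existing NAT table record is reused
        if self.overload_address:
            if src_port is None:
                raise ValueError("PAT needs a transport-layer port to multiplex on")
            entry = self._allocate_pat(src_ip, src_port)
        else:
            if not self.free_pool:
                return None  # pool exhausted: dropped until an entry times out
            entry = Entry(src_ip, self.free_pool.pop(0))
        self.table[key] = entry
        return entry

    def _allocate_pat(self, src_ip: str, src_port: int) -> Entry:
        # Keep the original source port while it is still free on the outside
        # address; otherwise take the next unused port (simplified rule).
        global_port = src_port if src_port not in self.used_ports else self._next_free_port()
        self.used_ports.add(global_port)
        return Entry(src_ip, self.overload_address, src_port, global_port)

    def _next_free_port(self) -> int:
        for port in range(1024, 65536):
            if port not in self.used_ports:
                return port
        raise RuntimeError("no free ports left on the overload address")

    def clear_translations(self) -> None:
        """Like 'clear ip nat translation *': pool addresses go back on the free list."""
        for entry in self.table.values():
            if entry.global_port is None:
                self.free_pool.append(entry.inside_global)
        self.table.clear()
        self.used_ports.clear()

    def show_translations(self) -> List[str]:
        """Rows in the spirit of 'show ip nat translations' (inside global, inside local)."""
        rows = []
        for e in self.table.values():
            if e.global_port is None:
                rows.append(f"{e.inside_global} <- {e.inside_local}")
            else:
                rows.append(f"{e.inside_global}:{e.global_port} <- {e.inside_local}:{e.local_port}")
        return rows


if __name__ == "__main__":
    acl1 = acl_network("10.1.0.0", "0.0.255.255")
    dyn = NatRouter(acl1, pool=("179.9.8.80", "179.9.8.85"))
    for host in range(10, 17):  # seven constructed hosts, only six pool addresses
        print(f"10.1.1.{host} ->", dyn.translate(f"10.1.1.{host}"))
    print("\n".join(dyn.show_translations()))
    pat = NatRouter(acl1, overload_address="192.168.1.1")
    print(pat.translate("10.1.1.10", 40000))
    print(pat.translate("10.1.1.11", 40000))  # same source port: a new global port
```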

Configuring NAT Overload (PAT)

The ISP allocates one public IP address to the organization. (Figure: the outside interface address is assigned by the ISP.)

Configuring NAT Overload (PAT)

The ISP allocates more than one public IP address.

Verifying NAT and NAT Overload

show ip nat translations

Verifying NAT and NAT Overload

show ip nat statistics

Verifying NAT and NAT Overload

clear ip nat translation

Troubleshooting NAT and NAT Overload

show ip nat translations
clear ip nat translation
debug ip nat

AACS5324 Advanced Computer Networks

Chapter 2 Introduction to WANs

Objectives
Upon completion of this chapter, the student should be able to understand the following:
- WAN compared to LAN
- Common WAN devices
- WAN and the OSI model
- WAN physical layer terminology and concepts
- WAN data link layer concepts and encapsulation
- WAN switching concepts: circuit switching and packet switching
- WAN link connection options
- WAN design

Introduction to WAN
LAN (review):
- A high-speed, low-error data network covering a relatively small geographic area, up to a few thousand meters.
- LANs connect workstations, peripherals, terminals, and other devices in a single building or other geographically limited area.
- LANs are typically owned by the company or organization that uses them.
- LANs are usually high-speed connections.
- LANs are usually controlled by a single administrator.
- LAN standards specify cabling and signaling at the physical and data link layers of the OSI model.
- Ethernet and Token Ring are widely used LAN technologies.

What is a WAN?
A WAN is a data communications network that operates beyond the geographic scope of a LAN.

What is a WAN?
A WAN is a data communications network that operates beyond the geographic scope of a LAN.
- WANs connect devices that are separated by a broader geographical area than a LAN; they are concerned with moving data between LANs.
- WANs use carriers such as phone companies, cable companies, and network providers (WAN service providers).
- A WAN might be controlled by multiple organizations; an organization must subscribe to an outside provider to gain access to WAN carrier services.
- WANs use serial connections of various types to provide access over large geographic areas, e.g. V.35, X.21, EIA/TIA-232.
- WANs use different types of WAN technologies and protocols, such as Frame Relay, ATM and DSL.
- WAN bandwidth is usually less than that of a LAN.
- WANs must most often be capable of handling voice, video and data simultaneously.

What is a WAN?
There are other business needs that require communication among remote sites using a WAN:
- People in the branch offices of an organization need to be able to communicate with the central site.
- Organizations often want to share information with other organizations across large distances.
- Employees who travel frequently need to access information that resides on their corporate networks.

In addition, home computer users need to send and receive data across larger distances. It is now common for consumers to communicate with banks, stores, and a variety of providers of goods and services via computers.

The most significant difference between a LAN and a WAN is the technology involved.

WAN Devices

WAN Devices
WANs use numerous types of devices:
- Modem: A voice-band modem converts the digital signals produced by a computer into voice frequencies that can be transmitted over the analog lines of the public telephone network, and reconverts them at the far end. Faster modems, such as cable modems and DSL modems, transmit using higher broadband frequencies.
- CSU/DSU: Digital lines, such as T1 or T3 carrier lines, require a channel service unit (CSU) and a data service unit (DSU). The two are often combined into a single piece of equipment, called the CSU/DSU. The CSU provides termination for the digital signal and ensures connection integrity through error correction and line monitoring, while the DSU converts the T-carrier line frames into frames that the LAN can interpret.

WAN Devices
WANs use numerous types of devices:
- Access server: Concentrates dial-in and dial-out communications. An access server may have a mixture of analog and digital interfaces and support hundreds of simultaneous users.
- WAN switch: A multiport internetworking device used in carrier networks to support Frame Relay, ATM, or X.25; it operates at the data link layer of the OSI model.
- Router: Provides internetworking and WAN access interface ports that are used to connect to the service provider network. These interfaces may be serial connections or other WAN interfaces and may require an external device, such as a CSU/DSU or modem (analog, cable, or DSL), to connect to the service provider.

WAN Devices
WANs use numerous types of devices (cont.):
- Core router: A router that resides within the middle or backbone of the WAN rather than at its periphery. To fulfill this role, a router must be able to support the highest speed in use in the WAN core, and it must be able to forward IP packets at full speed on all of those interfaces.

Modems

External CSU/DSU
(Figure: an external CSU/DSU connected to the T1 circuit on one side and to the router on the other.)

CSU/DSU Interface Card
The CSU/DSU may also be built into the interface card in the router.

WANs and the OSI Model
In relation to the OSI reference model, WAN operations focus on Layer 1 and Layer 2.

WANs and the OSI Model
- The physical layer (OSI Layer 1) protocols describe how to provide electrical, mechanical, operational, and functional connections to the services of a communications service provider.
- The data link layer (OSI Layer 2) protocols define how data is encapsulated for transmission toward a remote location and the mechanisms for transferring the resulting frames. A variety of different technologies are used, such as Frame Relay and ATM. Some of these protocols use the same basic framing mechanism, High-Level Data Link Control (HDLC), an ISO standard, or one of its subsets or variants.

WAN Physical Layer Terminology
The WAN physical layer describes the physical connection between the company network and the service provider network. The physical WAN connection involves:
- Customer Premises Equipment (CPE): The devices and inside wiring located at the premises of the subscriber and connected to a telecommunication channel of a carrier. The subscriber either owns the CPE or leases the CPE from the service provider.
- Data Terminal Equipment (DTE) (Router): The customer devices that pass the data to a device called Data Communications Equipment (DCE) for transmission over the WAN. The DTE connects to the local loop through the DCE.

WAN Physical Layer Terminology
- Data Communications Equipment (DCE) (CSU/DSU): Also called data circuit-terminating equipment. The DCE prepares data and places it on the local loop for transmission to the service provider.
- Demarcation Point: Physically, the demarcation point is the cabling junction box, located on the customer premises, that connects the CPE wiring to the local loop and officially separates the customer equipment from service provider equipment. It is the place where the responsibility for the connection changes from the user to the service provider.

WAN Physical Layer Terminology
The physical WAN connection involves (cont.):
- Local Loop: The copper or fiber cable that connects the CPE at the subscriber site to the CO of the service provider. The local loop is also sometimes called the "last mile".
- Central Office (CO): A local service provider facility where local telephone cables link to long-haul, all-digital, fiber-optic communications lines.

WAN Terminologies
(Figure with callouts 1 to 4: the ABC Sdn. Bhd. site and LAN B; the DTE sends a digital signal to the DCE via a serial cable; the local loop, also labelled "last mile", can carry an analog or digital signal.)

WAN Physical Layer Terminology
Various physical layer protocols establish the code and electrical parameters that the DTE and DCE devices use to communicate.
(Figure: local loop.)
The local loop's data-carrying capacity can vary from 56 kbps to several gigabits per second.

WAN Physical Layer Terminology
SONET: Synchronous Optical NETwork (US version, by ANSI)

WAN Physical Layer Standards

WAN Physical Layer Standards
The WAN physical layer also describes the interface between the DTE and the DCE.
- EIA/TIA-232 - This protocol allows signal speeds of up to 64 kb/s on a 25-pin D-connector over short distances. It was formerly known as RS-232. The ITU-T V.24 specification is effectively the same.
- EIA/TIA-449/530 - This protocol is a faster (up to 2 Mb/s) version of EIA/TIA-232. It uses a 36-pin D-connector and is capable of longer cable runs. There are several versions. This standard is also known as RS-422 and RS-423.
- EIA/TIA-612/613 - This standard describes the High-Speed Serial Interface (HSSI) protocol, which provides access to services up to 52 Mb/s on a 60-pin D-connector.

WAN Physical Layer Standards
The WAN physical layer also describes the interface between the DTE and the DCE.
- V.35 - This is the ITU-T standard for synchronous communications between a network access device and a packet network. Originally specified to support data rates of 48 kb/s, it now supports speeds of up to 2.048 Mb/s using a 34-pin rectangular connector.
- X.21 - This protocol is an ITU-T standard for synchronous digital communications. It uses a 15-pin D-connector.

WAN Data Link Layer Concepts
Data link layer protocols define how data is encapsulated for transmission to remote sites and the mechanisms for transferring the resulting frames. A variety of different technologies, such as ISDN, Frame Relay, or ATM, are used to move the data across the WAN connection. Many of these protocols use the same basic framing mechanism, High-Level Data Link Control (HDLC), which is an ISO standard, or one of its subsets or modifications.

WAN Data Link Layer Concepts
- The most common WAN data-link protocols are HDLC, PPP, Frame Relay and ATM.
- ATM is different from the others because it uses small fixed-size cells of 53 bytes, unlike the other packet-switched technologies, which use variable-sized packets.
- ISDN and X.25 are less frequently used today.

WAN Data Link Layer Concepts
Data link layer protocols define how the data is encapsulated as well as how it is transported between sites.

WAN Data Link Layer Concepts
A number of technologies for the transport of data exist. While the encapsulation will vary with the technology, most use the ISO HDLC standard or a modification of it.

WAN Encapsulation
Data from the network layer is passed to the data link layer for delivery on a physical link, which is normally point-to-point on a WAN connection.

WAN Encapsulation
HDLC was first proposed in 1979 and, for this reason, most framing protocols developed afterwards are based on it. The data link layer builds a frame around the network layer data so that the necessary checks and controls can be applied. To ensure that the correct encapsulation protocol is used, the Layer 2 encapsulation type used for each router serial interface must be configured.

WAN Encapsulation
The choice of encapsulation protocol depends on the WAN technology and the equipment. Most framing is based on the HDLC standard. The data is encapsulated with some form of header information and an FCS field. The entire frame is then encapsulated with Flag fields to indicate the beginning and end of the frame.

Frame layout: FLAG | HEADER | DATA | FCS | FLAG

It is important to note that most vendors (Cisco included) use their own proprietary version of HDLC on HDLC links between their own products.

WAN Encapsulation
Examining the Frame:
The frame always starts and ends with an 8-bit flag field to indicate the beginning and end of the frame. The bit pattern is 01111110 (0x7E).

WAN Encapsulation
Examining the Frame:
The address field may not be needed for WAN links, depending upon the technology. The address may be 1 or 2 bytes long.

WAN Encapsulation
Examining the Frame:
The control field (1 byte) is protocol dependent. It usually indicates whether the content of the data is control information or network layer data.

WAN Encapsulation
Examining the Frame:
The address and control fields form the header information in the standard HDLC frame. Both PPP and Cisco HDLC add the Protocol field to the header to identify the Layer 3 protocol of the encapsulated data.

Cisco HDLC only communicates with Cisco HDLC.
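As an added example (not from the course slides), this Python code builds and parses a frame with the fields examined above: 0x7E flags, address, control, the Protocol field that PPP and Cisco HDLC add, data and FCS. It assumes the PPP FCS-16 of RFC 1662 for the FCS, Cisco HDLC's unicast address 0x0F with control 0x00 and 0x0800 for IPv4, and uses PPP-style byte stuffing so that a 0x7E inside the data cannot be mistaken for a closing flag; the sample payload is constructed.

```python
FLAG = 0x7E            # 01111110 opens and closes every frame
ESCAPE = 0x7D          # PPP-style byte stuffing for 0x7E/0x7D inside the frame
CISCO_UNICAST = 0x0F   # Cisco HDLC address values (assumed, not on the slides)
CISCO_BROADCAST = 0x8F
PROTO_IPV4 = 0x0800    # Protocol field value for IPv4 (assumed, Ethertype-style)


def fcs16(data: bytes) -> int:
    """16-bit FCS as in PPP (RFC 1662): CRC-16 with reflected polynomial 0x8408,
    initial value 0xFFFF, result complemented. Assumed here for the HDLC FCS."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def stuff(raw: bytes) -> bytes:
    """Escape flag and escape bytes so a 0x7E in the data cannot end the frame early."""
    out = bytearray()
    for byte in raw:
        if byte in (FLAG, ESCAPE):
            out += bytes([ESCAPE, byte ^ 0x20])
        else:
            out.append(byte)
    return bytes(out)


def unstuff(stuffed: bytes) -> bytes:
    """Reverse stuff(): an escape byte means 'next byte XOR 0x20'."""
    out = bytearray()
    it = iter(stuffed)
    for byte in it:
        if byte == ESCAPE:
            byte = next(it) ^ 0x20
        out.append(byte)
    return bytes(out)


def build_frame(payload: bytes, address: int = CISCO_UNICAST, control: int = 0x00,
                protocol: int = PROTO_IPV4) -> bytes:
    """FLAG | address (1) | control (1) | protocol (2) | data | FCS (2) | FLAG"""
    body = bytes([address, control]) + protocol.to_bytes(2, "big") + payload
    fcs = fcs16(body).to_bytes(2, "little")  # RFC 1662: FCS least significant octet first
    return bytes([FLAG]) + stuff(body + fcs) + bytes([FLAG])


def parse_frame(frame: bytes) -> dict:
    """Strip the flags, undo stuffing, verify the FCS and split the header fields."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("frame is not delimited by 0x7E flags")
    inner = unstuff(frame[1:-1])
    body, fcs_bytes = inner[:-2], inner[-2:]
    if fcs16(body) != int.from_bytes(fcs_bytes, "little"):
        raise ValueError("FCS mismatch: frame damaged in transit")
    return {
        "address": body[0],
        "control": body[1],
        "protocol": int.from_bytes(body[2:4], "big"),
        "data": body[4:],
    }


def frame_is_valid(frame: bytes) -> bool:
    """True when the frame is well delimited and its FCS checks out."""
    try:
        parse_frame(frame)
        return True
    except (ValueError, StopIteration, IndexError):
        return False


if __name__ == "__main__":
    # Constructed payload that deliberately contains the flag and escape bytes.
    sample = bytes([0x45, 0x00, 0x00, 0x1C, FLAG, ESCAPE, 0x01])
    frame = build_frame(sample)
    print(frame.hex(" "))
    print(parse_frame(frame))
    damaged = bytearray(frame)
    damaged[5] ^= 0x01  # flip one bit in the data: FCS check must fail
    print("damaged frame valid:", frame_is_valid(bytes(damaged)))
```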

WAN Switching Concepts
WAN switched networks fall into two categories:
- Circuit switched: POTS, ISDN
- Packet switched: Frame Relay, ATM, X.25

WAN Switching Concepts: Circuit Switched
When a subscriber makes a telephone call, the dialed number is used to set switches in the exchanges along the route of the call so that there is a continuous circuit from the originating caller to the called party. Because of the switching operation used to establish the circuit, the telephone system is called a circuit-switched network.

WAN Switching Concepts: Circuit Switched
If the telephones are replaced with modems, then the switched circuit is able to carry data. Suppose it is used to access a web page. There will be a burst of activity that uses the entire bandwidth while the page is being downloaded. That will be followed by no activity while the user reads the page, followed again by another burst while another page is accessed.

WAN Switching Concepts: Circuit Switched
If the circuit carries data, it may not be very efficient. The internal path is shared by several conversations. Time Division Multiplexing (TDM) is used to give each conversation a share of the connection in turn. TDM assures that a fixed capacity connection is made available to the subscriber.

WAN Switching Concepts
Circuit Switching and TDM:
- Each device to be multiplexed is assigned a specific time slot in the frame.
- At each time slot, 8 bits are read from each device and a fixed-length frame is built using that data.
- If there is nothing to send for that time slot, 8 null bits are placed in the frame for that device.

WAN Switching Concepts: Packet Switched
Because the subscriber has sole use of the fixed capacity allocation, switched circuits are an expensive way of moving data. An alternative is to allocate the capacity to the traffic only when it is needed and share capacity among many users. If the circuit is to be shared, there must be some mechanism to label the bits so that the system knows where to deliver them. The bits are gathered into groups called cells, frames, or packets.

WAN Switching Concepts: Packet Switched
Each packet must contain the network information in order to be delivered to the correct destination. The packet passes from exchange to exchange for delivery through the provider network. Packet switched describes the type of network in which relatively small units of data called packets are routed through a network based on the destination address contained within each packet.

WAN Switching Concepts: Packet Switched
The circuits only exist while data travels through them. They are termed virtual circuits and are categorized as switched or permanent.
- Switched Virtual Circuit (SVC): Is constructed at the time of the connection and disappears when the user is done.
- Permanent Virtual Circuit (PVC): Is a pre-configured pathway through the provider's network. This path is always available to the user for data transmission.

WAN Switching Concepts: Packet Switched
These networks can also be connectionless or connection-oriented. The Internet is a good example of a connectionless, packet switched network: each packet contains all of the addressing information required for successful packet delivery. Frame Relay is an example of a connection-oriented packet switched network: each packet does not require addressing information and travels a pre-configured path between the source and the destination.

WAN Link Connection Options

WAN Link Connection Options
WAN connections can be either over a private infrastructure or over a public infrastructure, such as the Internet.

Private WAN Connection Options
- Dedicated communication links - When dedicated connections are required, point-to-point lines are used with various capacities that are limited only by the willingness of users to pay for these dedicated lines. Point-to-point lines are usually leased from a carrier and are also called leased lines.
- Switched communication links
  - Circuit-switched communication links - Circuit switching dynamically establishes a dedicated virtual connection for voice or data between a sender and a receiver. Examples of circuit-switched communication links are analog dialup (PSTN) and ISDN.
  - Packet-switched communication links - In packet-switched networks, the data is transmitted in labeled frames. Packet-switched communication links include Frame Relay, ATM, X.25, and Metro Ethernet.

WAN Link Connection Options
WAN connections can be either over a private infrastructure or over a public infrastructure, such as the Internet.

Public WAN Connection Options
Public connections use the global Internet infrastructure. Until recently, the Internet was not a viable networking option for many businesses because of the significant security risks and lack of adequate performance guarantees in an end-to-end Internet connection. With the development of VPN technology, however, the Internet is now an inexpensive and secure option for connecting to teleworkers and remote offices where performance guarantees are not critical. Internet WAN connection links are through broadband services such as DSL, cable modem, and broadband wireless, combined with VPN technology to provide privacy across the Internet.

Dedicated Connection Link: Leased Lines

Dedicated Connection Link: Leased Lines
When permanent dedicated connections are required, a point-to-point link is used to provide a pre-established WAN communications path from the customer premises through the provider network to a remote destination.

Point-to-point lines are usually leased from a carrier and are called leased lines. Leased lines are available in different capacities and are generally priced based on the bandwidth required and the distance between the two connected points. However, there are times when the benefits outweigh the cost of the leased line. The dedicated capacity removes latency or jitter between the endpoints. Constant availability is essential for some applications such as VoIP or Video over IP.

Point-to-point links are usually more expensive than shared services such as Frame Relay.

A router serial port is required for each leased line connection. A CSU/DSU and the actual circuit from the service provider are also required.

Circuit Switched Connection: Analog Dialup
Power limitation: to help prevent crosstalk, the FCC has limited the power a modem is allowed to output over the phone line. This power limitation has the effect of reducing the possible speed to 53 Kbps.

Circuit Switched Connection: Analog Dialup
When intermittent, low-volume data transfers are needed, modems and analog dialed telephone lines provide low capacity and dedicated switched connections.

Traditional telephony uses a copper cable, called the local loop, to connect the telephone handset to the CO. Traditional local loops can transport binary computer data through the voice telephone network using a modem. The modem modulates the binary data into an analog signal at the source and demodulates the analog signal to binary data at the destination. The physical characteristics of the local loop to the PSTN limit the rate of the signal to less than 56 kb/s.

The advantages of modems and analog lines are simplicity, availability, and low implementation cost. The disadvantages are the low data rates and a relatively long connection time. The dedicated circuit has little delay or jitter for point-to-point traffic, but voice or video traffic does not operate adequately at these low bit rates.

Circuit Switched Connection: ISDN

Circuit Switched Connection: ISDN
Integrated Services Digital Network (ISDN) enables the local loop to carry digital signals, resulting in higher capacity connections. ISDN allows two or more bit streams to be transferred as subchannels in one communication channel (TDM).

An ISDN connection uses 64 kb/s bearer (B) channels for carrying voice or data and a signaling delta (D) channel for call setup. Some providers allow the D channel to carry data at low bit rates, such as X.25 connections at 9.6 kb/s.

There are two types of ISDN interfaces:
- Basic Rate Interface (BRI) - BRI is for home and small enterprise use and has two 64 kb/s B channels and a 16 kb/s D channel.
- Primary Rate Interface (PRI) - ISDN is also available for larger installations. PRI delivers 23 B channels of 64 kb/s and one D channel of 64 kb/s in North America, for a total bit rate of up to 1.544 Mb/s. In Europe and other parts of the world, ISDN PRI provides 30 B channels and one D channel, for a total of 2.048 Mb/s. In North America, PRI corresponds to a T1 connection. The rate of international PRI corresponds to an E1 or J1 connection.

Circuit Switched Connection: ISDN
BRI has a call setup time that is less than a second, and the 64 kb/s B channel provides greater capacity than an analog modem link. If greater capacity is required, a second B channel can be activated to provide a total of 128 kb/s. Although inadequate for video, this permits several simultaneous voice conversations in addition to data traffic.

Another common application of ISDN is to provide additional capacity as needed on a leased line connection. The leased line is sized to carry average traffic loads while ISDN is added during peak demand periods.

ISDN is also used as a backup if the leased line fails. With PRI ISDN, multiple B channels can be connected between two endpoints. This allows for videoconferencing and high-bandwidth data connections with no latency or jitter. However, multiple connections can be very expensive over long distances.

Packet Switched: X.25, Frame Relay, ATM

Packet Switched: X.25, Frame Relay, ATM
The packet-switching technologies used in today's WAN networks include Frame Relay, ATM, and legacy X.25.

X.25
X.25 is a legacy network-layer protocol. Typical X.25 applications are point-of-sale card readers. X.25 speeds vary from 2400 b/s up to 2 Mb/s. However, public networks are usually low capacity and rarely exceed 64 kb/s. X.25 networks are now in dramatic decline, although they are still in use in many portions of the developing world.

Frame Relay (network layout similar to X.25)
Frame Relay is a much simpler protocol that works at the data link layer. It implements no error or flow control. The simplified handling of frames leads to reduced latency and reduced jitter. Frame Relay offers data rates up to 4 Mb/s. Frame Relay VCs are uniquely identified by a DLCI. Most Frame Relay connections are PVCs rather than SVCs. The router on the LAN needs only a single interface, even when multiple VCs are used. The short leased line to the Frame Relay network edge allows cost-effective connections between widely scattered LANs.

Packet Switched: X.25, Frame Relay, ATM

Packet Switched: X.25, Frame Relay, ATM
Asynchronous Transfer Mode (ATM)
ATM technology is capable of transferring voice, video, and data through private and public networks. It is built on a cell-based architecture rather than on a frame-based architecture. ATM cells are always a fixed length of 53 bytes: the ATM cell contains a 5-byte ATM header followed by 48 bytes of ATM payload. Video and voice traffic do not have to wait for a larger data packet to be transmitted. The 53-byte ATM cell is less efficient than the bigger frames and packets of Frame Relay and X.25; a typical ATM line needs almost 20 percent greater bandwidth than Frame Relay to carry the same volume of network layer data.

Small, fixed-length cells are well suited for carrying voice and video traffic because this traffic is intolerant of delay.

ATM was designed to be extremely scalable and can support link speeds of T1/E1 to OC-12 (622 Mb/s) and higher. ATM offers both PVCs and SVCs, although PVCs are more common with WANs.

Internet Connection: Broadband Services

Internet Connection: Broadband Services
Broadband connections are used by telecommuting employees to connect to a corporate network over the Internet. These options include cable, DSL, and wireless.

DSL
DSL technology is an always-on connection technology that uses existing telephone lines to transport high-bandwidth data and provides IP services to subscribers. A DSL modem converts an Ethernet signal to a DSL signal, which is transmitted to the central office. Multiple DSL subscriber lines are multiplexed into a single, high-capacity link using a DSL access multiplexer (DSLAM). DSLAMs incorporate TDM technology to aggregate lines into a single medium, generally a T3 (DS3) connection. Current DSL has data rates of up to 8.192 Mb/s. There is a wide variety of DSL types, standards, and emerging standards. DSL is now a popular choice for enterprise IT departments to support home workers.

Internet Connection: Broadband Services
Cable Modem
Cable modems provide an always-on connection and a simple installation. Coaxial cable is widely used in urban areas to distribute television signals. Network access is available from some cable television networks. The local cable TV office, which is called the cable headend, contains the computer system and databases needed to provide Internet access. The most important component located at the headend is the cable modem termination system (CMTS), which sends and receives digital cable modem signals on a cable network and is necessary for providing Internet services to cable subscribers.

All the local subscribers share the same cable bandwidth. As more users join the service, available bandwidth may be below the expected rate.

Internet Connection: Broadband Services

Internet Connection: Broadband Services
Broadband Wireless: Wireless technology uses the unlicensed radio spectrum to send and receive data.
- Municipal WiFi - Many cities have begun setting up municipal wireless networks. Some networks provide high-speed Internet access for free or for substantially less than the price of other broadband services. Others are for city use only, available to police and fire departments and other city employees.
- WiMAX - Worldwide Interoperability for Microwave Access. It is described in the IEEE standard 802.16. WiMAX provides high-speed wireless access with coverage like a cell phone network rather than through WiFi hotspots. To access a WiMAX network, subscribers must subscribe to an ISP with a WiMAX tower within 10 miles of their location.
- Satellite Internet - Typically used by rural users where cable and DSL are not available. A satellite dish provides two-way (upload and download) data communications. The upload speed is about one-tenth of the download speed. To access satellite Internet services, subscribers need a satellite dish, two modems (uplink and downlink), and coaxial cables between the dish and the modem.

Internet Connection: VPN Technology

Internet Connection: VPN Technology
Security risks are incurred when a teleworker uses broadband services to access the corporate network over the Internet. To address security concerns, broadband services provide capabilities for using Virtual Private Network (VPN) connections. A VPN is an encrypted connection between private networks over a public network such as the Internet.

VPN Benefits:
- Cost savings - VPNs enable organizations to use the global Internet to connect remote offices and users to the corporate site, thus eliminating expensive dedicated WAN links.
- Security - VPNs provide security by using encryption and authentication protocols that protect data.
- Scalability - Because VPNs use the Internet infrastructure within ISPs and devices, it is easy to add new users.
- Compatibility with broadband technology - VPN is supported by broadband service providers such as DSL and cable.

Internet Connection: VPN Technology


There are 2 types of VPN access:
Site-to-site VPNs - Site-to-site VPNs connect entire networks to each other; for example, they can connect a branch office network to a company headquarters network.
Each site is equipped with a VPN gateway, such as a router, firewall, VPN concentrator, or security appliance. In the figure, a remote branch office uses a site-to-site VPN to connect with the corporate head office.

Remote-access VPNs - Remote-access VPNs enable individual hosts, such as telecommuters, mobile users, and extranet consumers, to access a company network securely over the Internet.
Each host typically has VPN client software loaded or uses a web-based client.

Internet Connection Options: Metro Ethernet


Metro Ethernet is a rapidly maturing networking technology that broadens Ethernet to the public networks run by telecommunications companies.
By extending Ethernet to the metropolitan area, companies can provide their remote offices with reliable access to applications and data on the corporate headquarters LAN.

Benefits of Metro Ethernet include:
Reduced expenses and administration - Metro Ethernet provides a switched, high-bandwidth Layer 2 network capable of managing data, voice, and video all on the same infrastructure.
Easy integration with existing networks - Metro Ethernet connects easily to existing Ethernet LANs, reducing installation costs and time.
Enhanced business productivity - Metro Ethernet enables businesses to take advantage of productivity-enhancing IP applications that are difficult to implement on TDM or Frame Relay networks, such as hosted IP communications, VoIP, and streaming and broadcast video.

WAN Design
Three-Layer Design Model
As networks grow, star and mesh topologies become impractical:
A network with 10 countries and 5 cities in each requires 1225 links in a full mesh.
The same network in a star topology would require the hub router to have 50 interfaces.
Hierarchical network design advantages:
Scalability
Ease of implementation
Ease of troubleshooting
Predictability
Protocol support
Manageability

WAN Design
Three-Layer Design Model (cont.)
Three-layer hierarchical design:
Similar to the PSTN
LANs in a star topology connect to form areas
Areas are joined to form regions
Regions are linked by core links
Contains the majority of traffic locally
Each LAN provides local services
A central LAN is responsible for area-wide services


WAN Design
Three-Layer Design Model (cont.)
Core Layer of the hierarchical design model:
Used to move traffic between regions
Carries a variety of traffic
Redundant high-speed links are common
No packet manipulation
Usually on ATM or leased-line technology
Distribution Layer of the design model:
Address or area aggregation
Departmental or workgroup access to the core layer
Broadcast/multicast domain definition
Virtual LAN (VLAN) routing
Media transitions
Security
Campus backbone and connection routers
Provides policy-based connectivity
Remote access to the network
Links are usually Frame Relay or ATM

WAN Design
Three-Layer Design Model (cont.)

Access Layer of the design model:
Layer where end users connect
Might use access control lists for users
Connects LANs into the WAN
Isolates broadcast traffic to the workgroup
Can be dialup, leased line, or Frame Relay


WAN Design
Other WAN Design Considerations
Internet traffic must be considered in WAN design:
Each branch might connect to the Internet independently
If traffic is low, the Internet connection can be used for all traffic (no separate WAN)
Server locations should be addressed


Chapter Summary
In this chapter, you should have learned:
WAN compared to LAN
Common WAN devices
WAN and the OSI model
WAN Physical Layer terminologies and concepts
WAN Data Link Layer concepts and encapsulation
WAN switching concepts: circuit switching and packet switching
WAN link connection options


AACS 5324 Advanced Network Communications Chapter 3


Point-to-Point Protocol (PPP)

Objectives
Upon completion of this chapter, students should be able to understand the following:
Overview of serial communication and standards
TDM/STDM
DTE and DCE
HDLC encapsulation
Introduction to PPP and its layered architecture
PPP frame structure
PPP session establishment
PPP authentication: PAP, CHAP
PPP configurations

How Does Serial Communication Work?


Most PCs have both serial and parallel ports. Computers use relatively short parallel connections between interior components, but use a serial bus to convert signals for most external communications.
With a serial connection, information is sent across one wire, one data bit at a time.
The 9-pin serial connector on most PCs uses two loops of wire, one in each direction, for data communication, plus additional wires to control the flow of information.

A parallel connection sends the bits over more wires simultaneously. In the 25-pin parallel port on your PC, there are 8 data wires to carry 8 bits simultaneously.
The parallel link theoretically transfers data eight times faster than a serial connection.

In reality, it is often the case that serial links can be clocked considerably faster than parallel links, and they achieve a higher data rate.
Two factors affect parallel communications: clock skew and crosstalk interference.

Parallel connection: Clock Skew & Interference


Clock Skew
In a parallel connection, it is wrong to assume that the 8 bits leaving the sender at the same time arrive at the receiver at the same time. Some of the bits get there later than others. This is known as clock skew. Overcoming clock skew is not trivial. The receiving end must synchronize itself with the transmitter and then wait until all the bits have arrived. The process of reading and waiting adds time to the transmission. This is not a factor with serial links, because most serial links do not need clocking.

Interference
Parallel wires are physically bundled in a parallel cable. The possibility of crosstalk across the wires requires more processing. Since serial cables have fewer wires, there is less crosstalk, and network devices transmit serial communications at higher, more efficient frequencies.


Serial Communication Standards


In a serial communication process:
Data is encapsulated by the sending router.
The frame is sent on a physical medium to the WAN.
There are various ways to traverse the WAN.
The receiving router uses the same communications protocol to de-encapsulate the frame when it arrives.


Serial Communication Standards


There are three key serial communication standards affecting LAN-to-WAN connections:
RS-232 - Most serial ports on personal computers conform to the RS-232C standards. Both 9-pin and 25-pin connectors are used. It is used for devices including modems, mice, and printers.

V.35 - Used for modem-to-multiplexer communication. V.35 is used by routers and DSUs that connect to T1 carriers.

HSSI - A High-Speed Serial Interface (HSSI) supports transmission rates up to 52 Mb/s. HSSI is used to connect routers on LANs with WANs over high-speed lines such as T3 lines.

Time Division Multiplexing

A process called Time-Division Multiplexing (TDM) is deployed to carry multiple sources of information over one common channel, or signal, and then reconstruct the original streams at the remote end.
TDM divides the media into multiple time slots and interleaves bytes of data from multiple conversations, assigning each conversation one or more time slots.
TDM functions at the physical layer; it has no regard for the type of information it carries.

Time Division Multiplexing


A time slot goes unused if it is assigned to a conversation that has no information to transfer, so valuable bandwidth is wasted.
A modification of TDM, Statistical TDM (STDM), analyzes the bandwidth requirements of each conversation and dynamically reassigns unused time slots to conversations that require additional bandwidth.

DTE-DCE
Serial connections have a data terminal equipment (DTE) device at one end and a data communications equipment (DCE) device at the other end.
DTE:
Usually the customer premises equipment (CPE), often the company's border router that connects to the service provider's network through a leased line.
Uses an external clock, usually provided by the DCE.
Ex. router, Frame Relay access device.
DCE:
Usually the service provider's equipment (SPE).
Converts the data from the DTE into a form acceptable to the service provider's network.
Uses an internal clock.
Ex. modem or CSU/DSU.
The remote DCE device receives the signal and decodes it back into a sequence of bits that is sent to the remote DTE device.

DTE-DCE

If two DTEs must be connected together, like two computers or two routers in the lab, a special cable called a null-modem cable is necessary to eliminate the need for a DCE.
For synchronous connections, where a clock signal is needed, either an external device or one of the DTEs must generate the clock signal. The clock signal aligns the transmitting and receiving ends so that they agree on how data will be transmitted and received.

HDLC Encapsulation
High-level Data Link Control (HDLC):
HDLC is a bit-oriented, synchronous, Data Link layer protocol developed by the International Organization for Standardization (ISO).
Developed from IBM's Synchronous Data Link Control (SDLC) standard proposed in the 1970s.
Provides both connection-oriented and connectionless service.
Defines a Layer 2 framing structure that allows for flow control and error control through the use of acknowledgments.
Uses a frame delimiter, or flag, to mark the beginning and the end of each frame.

HDLC Encapsulation

HDLC is used when connecting two devices manufactured by the same vendor.
HDLC does not support multiple protocols on a single link, as it does not have a way to indicate which protocol is being carried.
Point-to-Point Protocol (PPP) is an open standard encapsulation used in a multivendor environment. PPP uses HDLC as a basis for encapsulating datagrams.

HDLC Encapsulation
Cisco High-level Data Link Control (Cisco HDLC):
Cisco has developed an extension to the HDLC protocol to solve its inability to provide multiprotocol support.
Cisco HDLC is proprietary and is the default encapsulation on a Cisco device WAN port.
Cisco HDLC frames contain a field for identifying the network protocol being encapsulated.


Configuring HDLC

The default encapsulation method used by Cisco devices on synchronous serial lines is Cisco HDLC. Cisco HDLC is a point-to-point protocol that can be used on leased lines between two Cisco devices. When communicating with a non-Cisco device, PPP is a more viable option.


Configuring HDLC
Verify the encapsulation on the serial interface:
R1#show interface serial0/0/0
Serial0/0/0 is up, line protocol is up
  Hardware is GT96K Serial
  Internet address is 10.1.1.1/30
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set


Point-to-Point Protocol (PPP)

PPP
PPP was developed based on the ISO High-Level Data Link Control (HDLC) protocol.
The Point-to-Point Protocol (PPP) is an industry standard method of utilizing point-to-point links to transport multi-protocol datagrams, including AppleTalk, DECnet, IP and IPX.
Note: HDLC is the default serial encapsulation method when you connect two Cisco routers. Cisco HDLC can only work with other Cisco devices. However, when you need to connect to a non-Cisco router, you should use PPP encapsulation.
PPP includes many features not available in HDLC:
The link quality management feature monitors the quality of the link. If too many errors are detected, PPP takes the link down.
PPP supports PAP and CHAP authentication.


PPP
[Figure: PPP layered architecture. Network Layer: IP, IPX, many others. Data Link Layer: Network Control Protocol (NCP), Point-to-Point Protocol (PPP), Link Control Protocol (LCP). Physical Layer: synchronous or asynchronous physical medium.]

PPP is a Data Link Layer protocol that provides a standard method for transporting multiprotocol datagrams over point-to-point links.
PPP can be configured on multiple types of interfaces:
Asynchronous serial
Synchronous serial
High-Speed Serial Interface (HSSI)
Integrated Services Digital Network (ISDN)

PPP Layered Architecture


PPP has a layered architecture:
Link Control Protocol (LCP): To establish, configure and test the connection.
Network Control Protocols (NCPs): A family of protocols to establish and configure Network Layer protocols.

PPP Layered Architecture


PPP contains three main components:
(1) PPP encapsulation method: takes higher-layer messages such as IP packets and encapsulates them for transmission over the underlying physical layer link. PPP defines a special frame format for encapsulating data for transmission, based on the framing used in the HDLC protocol. The PPP frame has been specially designed to be small in size and contain only simple fields, to maximize bandwidth efficiency and speed in processing.


PPP layered architecture


PPP contains three main components:
(2) Link Control Protocol (LCP): The LCP sits on top of the physical layer and has a role in establishing the point-to-point link, and in configuring and testing the data-link connection. The LCP also negotiates and sets up control options on the WAN data link, which are handled by the NCPs. PPP also uses the LCP to agree automatically on options such as authentication, compression, PPP Callback, multilink for load balancing, and link monitoring and error detection as soon as the link is established.

PPP layered architecture


PPP contains three main components:
(2) Link Control Protocol (LCP): The LCP provides automatic configuration of the interfaces at each end, including:
Handling varying limits on packet size
Detecting common misconfiguration errors
Terminating the link
Determining when a link is functioning properly or when it is failing


PPP layered architecture


PPP contains three main components:
(3) Network Control Protocol (NCP): permits multiple network layer protocols to operate on the same communications link (described next).


PPP Layered Architecture


[Figure: PPP layered architecture with NCPs. Network Layer: IP, IPX, many others. Data Link Layer: IPCP, IPXCP and many other NCPs above the Link Control Protocol (LCP). Physical Layer: synchronous or asynchronous physical medium.]

For every network layer protocol used, a separate Network Control Protocol (NCP) is provided. Ex. IP uses the IP Control Protocol (IPCP); IPX uses the Novell IPX Control Protocol (IPXCP). NCPs include functional fields containing standardized codes to indicate the network layer protocol type that PPP encapsulates.

PPP Frame Structure

Notice how the PPP frame has been modeled very closely on the standard HDLC frame. The protocol field contains specific codes.

PPP Frame Structure

Flag: Indicates the beginning or end of a frame and consists of the binary sequence 01111110 (0x7E) to identify a PPP frame. In successive PPP frames, only a single Flag character is used between them.
Address: Consists of the standard broadcast address, which is the binary sequence 11111111 (0xFF). PPP does not assign individual station addresses, because it deals with a direct link between 2 devices.


PPP Frame Structure

Control: Set to 00000011. This provides a connectionless link service that does not require you to establish data links or link stations. On a point-to-point link, the destination node does not need to be addressed; therefore, for PPP, the address field is set to 0xFF, the broadcast address.


PPP Frame Structure

Protocol: Identifies the protocol of the datagram encapsulated in the Data field.


PPP Frame Structure

Data: Zero or more bytes of payload that contains either data or control information, depending on the frame type. For regular PPP data frames the network-layer packet is encapsulated here. For control frames, the control information fields are placed here instead. The default maximum length of the data field is 1500 bytes.
FCS (Frame Check Sequence): A checksum computed over the frame to provide basic protection against errors in transmission. This is a CRC code similar to the one used for other Layer 2 protocol error protection schemes, such as the one used in Ethernet. It can be either 16 bits or 32 bits in size (default is 16 bits).
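The frame layout just described, as an added example that is not part of the course slides: a small Python encoder and decoder for the PPP frame (Flag, Address, Control, Protocol, Data, FCS), with the 16-bit FCS computed the way the reference routine in RFC 1662 does it. Byte stuffing of 0x7E/0x7D inside the frame is left out, and the LCP Configure-Request used as the sample payload is constructed for the demo; the receiver rejects any frame whose FCS does not check.

```python
"""PPP framing with the RFC 1662 16-bit FCS (added example, not course code).

Layout built and checked here, as on the slides:
  Flag 0x7E | Address 0xFF | Control 0x03 | Protocol (2) | Data | FCS (2) | Flag 0x7E
Byte stuffing of 0x7E/0x7D inside the frame is deliberately left out.
"""
import struct

FLAG, ADDRESS, CONTROL = 0x7E, 0xFF, 0x03
PPP_INIT_FCS16 = 0xFFFF   # initial running FCS value (RFC 1662)
PPP_GOOD_FCS16 = 0xF0B8   # residue left when the FCS is run over data + its own FCS
PROTO_IP, PROTO_IPCP, PROTO_LCP = 0x0021, 0x8021, 0xC021   # Protocol field codes


def _make_fcs_table():
    """Reflected CRC-16 table for x^16 + x^12 + x^5 + 1 (0x8408), as in RFC 1662."""
    table = []
    for b in range(256):
        v = b
        for _ in range(8):
            v = (v >> 1) ^ 0x8408 if v & 1 else v >> 1
        table.append(v)
    return table


FCS_TABLE = _make_fcs_table()


def pppfcs16(data: bytes, fcs: int = PPP_INIT_FCS16) -> int:
    """Running FCS over data, mirroring the RFC 1662 pppfcs16() routine."""
    for byte in data:
        fcs = (fcs >> 8) ^ FCS_TABLE[(fcs ^ byte) & 0xFF]
    return fcs


def fcs16(data: bytes) -> int:
    """FCS value actually transmitted: ones complement of the running FCS."""
    return pppfcs16(data) ^ 0xFFFF


def build_frame(protocol: int, payload: bytes) -> bytes:
    """Sender side: the FCS covers Address through Data and goes out low byte first."""
    body = bytes([ADDRESS, CONTROL]) + struct.pack("!H", protocol) + payload
    return bytes([FLAG]) + body + struct.pack("<H", fcs16(body)) + bytes([FLAG])


def parse_frame(frame: bytes):
    """Receiver side: check flags, address/control and FCS; return (protocol, data)."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag or frame too short")
    body = frame[1:-1]                       # Address .. FCS
    if body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("unexpected address/control field")
    # Running the FCS over the body *including* the received FCS must leave
    # the fixed residue 0xF0B8; anything else means a transmission error.
    if pppfcs16(body) != PPP_GOOD_FCS16:
        raise ValueError("FCS check failed")
    (protocol,) = struct.unpack("!H", body[2:4])
    return protocol, body[4:-2]


def frame_is_valid(frame: bytes) -> bool:
    """True when the frame parses and its FCS checks."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample payload: an LCP Configure-Request (code 1, ID 1, length 4, no options).
    sample = build_frame(PROTO_LCP, b"\x01\x01\x00\x04")
    print(sample.hex(), parse_frame(sample))
    damaged = bytearray(sample)
    damaged[6] ^= 0x01                       # flip one payload bit
    print("damaged frame accepted:", frame_is_valid(bytes(damaged)))
```

The receiver does not compare the received FCS against a recomputed one; it runs the FCS over the body with the received FCS appended and checks for the fixed residue 0xF0B8, which is the check RFC 1662 specifies and saves a comparison. Protocol 0xC021 is LCP, 0x8021 is IPCP and 0x0021 is IP, the codes the Protocol field slide refers to.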

PPP Session Establishment


PPP session establishment progresses through three phases:


Establishing a PPP Session


The three phases of establishing a PPP session:
Phase 1: Link establishment and configuration negotiation - The LCP must first open the connection and negotiate configuration options.
Phase 2: Link quality determination (optional) - The LCP tests the link to determine whether the link quality is sufficient to bring up network layer protocols.
Phase 3: Network layer protocol configuration negotiation - The appropriate NCP can separately configure the network layer protocols. The NCP can bring them up and take them down at any time.


Establishing a PPP Session


The link remains configured for communications until explicit LCP or NCP frames close the link, or until some external event occurs. This can happen because of the loss of carrier, authentication failure, link quality failure, the expiration of an idle-period timer, or an administrator closing the link.


Establishing a Link with LCP (summary)

Phase 1 Link Establishment: In this phase each PPP device sends LCP frames to configure and test the data link. LCP frames contain a configuration option field that allows devices to negotiate the use of options such as:
The maximum transmission unit (MTU)
Compression of certain PPP fields
The link-authentication protocol

Establishing a Link with LCP (summary)

If a configuration option is not included in an LCP packet, the default value is assumed. Before any network layer packets can be exchanged, LCP must first open the connection and negotiate the configuration parameters. This phase is complete when a configuration acknowledgment frame has been sent and received.

Establishing a Link with LCP (summary)


Authentication: After the link has been established and the authentication protocol decided on, the peer may be authenticated. Authentication, if used, takes place before the network layer protocol phase is entered.


Establishing a Link with LCP (summary)

As part of this phase, LCP also allows for an optional link-quality determination test. The link is tested to determine whether the link quality is good enough to bring up network layer protocols.

Network Layer Protocol Negotiation (summary)

PPP permits multiple Network layer protocols to operate on the same communications link. For every Network layer protocol used, PPP uses a separate NCP module:
IP uses the IPCP module.
IP Version 6 uses the IPv6CP module.
IPX uses the IPXCP module.

Network Layer Protocol Negotiation (summary)

In this phase the PPP devices send NCP packets to choose and configure one or more network layer protocols (e.g. IP). Once each of the chosen network layer protocols has been configured, packets from each network layer protocol can be sent over the link. If LCP closes the link, it informs the network layer protocols so that they can take appropriate action.

Establishing a Link with LCP (detail)


LCP operation uses three classes of LCP frames to accomplish the work of each of the LCP phases:
Link-establishment frames establish and configure a link (Configure-Request, Configure-Ack, Configure-Nak, and Configure-Reject).
During link establishment, the LCP opens the connection and negotiates the configuration parameters. The Configure-Request frame includes a variable number of configuration options needed to set up the link.

Link-maintenance frames manage and debug a link (Code-Reject, Protocol-Reject, Echo-Request, Echo-Reply, and Discard-Request).
Echo-Request, Echo-Reply, and Discard-Request - These frames can be used for testing the link.

Establishing a Link with LCP (detail)


LCP operation uses three classes of LCP frames to accomplish the work of each of the LCP phases:
Link-termination frames terminate a link (Terminate-Request and Terminate-Ack).
The link remains open until the LCP terminates it. If the LCP terminates the link before the NCP, the NCP session is also terminated. The device initiating the shutdown sends a Terminate-Request message. The other device replies with a Terminate-Ack.

PPP Configuration Options


PPP can be configured to support:
Authentication using either PAP or CHAP
Compression using either Stacker or Predictor
Multilink, which combines two or more channels to increase the WAN bandwidth
To negotiate the use of these PPP options, the LCP link-establishment frames contain Option information in the Data field of the LCP frame. This phase is complete when a configuration acknowledgment frame has been sent and received.
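How a receiver decides between Configure-Ack, Configure-Nak and Configure-Reject for the options carried in the Data field of an LCP Configure-Request, as an added example that is not taken from the slides or from any router implementation. The codes and option types are the RFC 1661 values; the local policy (require CHAP, cap the MRU at 1500, accept a Magic-Number) and the sample request are assumptions constructed for the example. It also illustrates the behaviour the later ppp authentication slide describes, where a peer that proposes the weaker method is steered to the other one: a request for PAP is answered with a Nak carrying CHAP.

```python
"""LCP Configure-Request handling: Ack / Nak / Reject (added example, not course code).

Codes and option types are the RFC 1661 values.  The local policy below
(require CHAP, MRU at most 1500, Magic-Number allowed) is an assumption
made for the example.
"""
import struct

CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4   # LCP codes
OPT_MRU, OPT_AUTH, OPT_MAGIC = 1, 3, 5                # option types used here
AUTH_PAP, AUTH_CHAP, CHAP_MD5 = 0xC023, 0xC223, 5      # Authentication-Protocol values

MAX_MRU = 1500                                         # assumed local policy
CHAP_OPTION = struct.pack("!H", AUTH_CHAP) + bytes([CHAP_MD5])


def pack_options(options):
    """[(type, value bytes)] -> TLV bytes; Length counts the 2-byte header."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in options)


def parse_options(data: bytes):
    """TLV parser that refuses malformed lengths so a bad packet is never acked."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated option header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad option length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def build_lcp(code: int, ident: int, options) -> bytes:
    """Code | Identifier | Length | Data (options)."""
    data = pack_options(options)
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def respond(request: bytes) -> bytes:
    """Reply to a Configure-Request with the same Identifier."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != CONF_REQ or length != len(request):
        raise ValueError("not a well-formed Configure-Request")
    options = parse_options(request[4:])

    rejected, naked = [], []
    for t, v in options:
        if t == OPT_MRU and len(v) == 2:
            (mru,) = struct.unpack("!H", v)
            if mru > MAX_MRU:                       # recognised, value too big: Nak with ours
                naked.append((t, struct.pack("!H", MAX_MRU)))
        elif t == OPT_AUTH:
            # The peer is telling us which protocol to authenticate *with*; PAP would
            # put our password on the wire in clear, so Nak and offer CHAP/MD5 instead.
            if v != CHAP_OPTION:
                naked.append((t, CHAP_OPTION))
        elif t == OPT_MAGIC and len(v) == 4:
            pass                                    # acceptable as sent
        else:
            rejected.append((t, v))                 # unknown type or malformed value

    # RFC 1661 order: unrecognised options are rejected before any value is negotiated,
    # then unacceptable values are Nak'd, and only a fully acceptable request is Ack'd.
    if rejected:
        return build_lcp(CONF_REJ, ident, rejected)
    if naked:
        return build_lcp(CONF_NAK, ident, naked)
    return build_lcp(CONF_ACK, ident, options)


def demo() -> bytes:
    """Constructed peer request: MRU 1500, authenticate with PAP, Magic-Number."""
    req = build_lcp(CONF_REQ, 7, [(OPT_MRU, struct.pack("!H", 1500)),
                                 (OPT_AUTH, struct.pack("!H", AUTH_PAP)),
                                 (OPT_MAGIC, b"\x12\x34\x56\x78")])
    return respond(req)


if __name__ == "__main__":
    reply = demo()
    print("code", reply[0], "id", reply[1], parse_options(reply[4:]))
```

A Nak carries the values the responder would accept, so the peer can re-send its Configure-Request with CHAP and get an Ack; a Reject lists only the options the responder does not recognise, and the peer re-sends without them. Keeping the Identifier from the request is what lets the peer match the reply to the right outstanding request.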

NCP Process (detail)


After the LCP has configured and authenticated the basic link, the appropriate NCP is invoked to complete the specific configuration of the network layer protocol being used (ex. NCPs for IP, IPX, AppleTalk and others).
IPCP Example: After LCP has established the link, the routers exchange IPCP messages, negotiating options specific to the protocol.


NCP Process (detail)


IPCP Example: IPCP negotiates two options:
Compression - Allows devices to negotiate an algorithm to compress TCP and IP headers and save bandwidth.
IP-Address - Allows the initiating device to specify an IP address to use for routing IP over the PPP link, or to request an IP address for the responder. Dialup network links commonly use the IP address option.
When the NCP process is complete, the link goes into the open state and LCP takes over again.

[Figure: show interfaces output annotated with the LCP state (connection made) and the NCP state.]

The show interfaces command reveals the LCP and NCP states under PPP configuration. The PPP link remains configured for communications until LCP or NCP frames close the link or until an inactivity timer expires or a user intervenes.

PPP Configuration Options


PPP may include the following LCP options:
Authentication - Uses PAP or CHAP to create a secure connection between communicating devices (more later). Requires the calling side to enter credentials to verify to the called side that it has permission to make the call.
Compression - Increases the effective throughput on PPP connections by reducing the amount of data in the frame that must travel across the link. Two compression protocols are Stacker and Predictor.
Error detection - Identifies fault conditions such as line quality and loop detection, for each transmitted frame, through the use of a CRC code in each frame. Ex. The Quality and Magic Number options help ensure a reliable, loop-free data link.


PPP Configuration Options


PPP may include the following LCP options:
Multilink - Load balances over multiple interfaces. Similar to how routers load balance across equal-cost paths, except multilink breaks the frame into fragments and then reassembles it at the other end of the link.
PPP Callback - Enhances security. The client makes the initial call, requests that the server call it back, and terminates its initial call.


PPP Authentication Protocols


PPP defines an extensible version of LCP that allows negotiation of an authentication protocol for its peer before allowing network layer protocols to transmit over the link.
The authentication process requires the calling side of the link to enter authentication information.
PPP defines 2 protocols for authentication:
Password Authentication Protocol (PAP)
Challenge Handshake Authentication Protocol (CHAP)


Password Authentication Protocol (PAP)

1. Remote router sends its username and password to Central router.
2. Central router evaluates Remote router's username and password against its local database. If they match, it accepts the connection. If not, it rejects the connection.


1. Establish PPP link.
2. Configuration request for PAP authentication.
3. Configuration ACK.
4. SantaCruz sends the SantaCruz username and SantaCruzpass password configured for the interface.
5. HQ looks up the received name, retrieves the password and compares configured to received.
6. If they are the same, send an ACK and allow access. If they are not the same, send a NACK and terminate the connection.

Password Authentication Protocol (PAP)


PAP provides a simple method for a remote node to establish its identity, using a two-way handshake.
PAP is not interactive. When the ppp authentication pap command is used, a username/password pair is repeatedly sent by the remote node across the link until authentication is acknowledged or the connection is terminated.
Passwords are sent across the link in clear text and there is no protection from playback or repeated trial-and-error attacks. The remote node is in control of the frequency and timing of the login attempts.

Password Authentication Protocol (PAP)


Authenticates only once. After authentication is established, PAP essentially stops working, as it can't reauthenticate during the session.
However, PAP may be used in the following environments:
A large installed base of client applications that do not support CHAP
Incompatibilities between different vendor implementations of CHAP
Situations in which a plain-text password must be available to simulate a login at the remote host

Challenge Handshake Authentication Protocol (CHAP)

[Figure: Central router and Remote router each hold the shared secret password.]

1. Central router sends a CHAP challenge to Remote router.
2. Remote router validates Central router; Remote router sends the response to Central router.
3. Central router validates Remote router; Central router establishes or rejects the link.

PPP Authentication CHAP Challenge

SantaCruz calls HQ and establishes a PPP link. A CHAP challenge packet is built by the HQ router with the following characteristics:
01 = challenge packet type identifier.
ID = sequential number that identifies the challenge.
random = a reasonably random number generated by the router.
HQ = the authentication name of the challenger.

CHAP Challenge

The ID and random values are kept on the HQ router or the called router. The challenge packet is sent to the calling router. A list of outstanding challenges is maintained.


CHAP Challenge
Receive CHAP Challenge

The name HQ is used to look up the password. The ID value, the random value and the password are fed into the MD5 hash generator. The result is the one-way MD5-hashed CHAP challenge that will be sent back in the CHAP response.

CHAP Challenge
CHAP Response

The response packet is assembled and sent.
02 = CHAP response packet type identifier.
ID = copied from the challenge packet.
hash = the output from the MD5 hash generator.
SantaCruz = the hostname of the responding device (from the hostname command or the ppp chap hostname command).

CHAP Challenge
Receive CHAP Response

The ID is used to find the original challenge packet. The name is used to look up the password from a configured name or a security server. The original ID, the original random value and the password are fed into the MD5 hash generator.

CHAP Challenge
Receive CHAP Response

The hash value received in the response packet is then compared to the calculated MD5 hash value. CHAP authentication succeeds if the calculated and the received hash values are equal.


CHAP Challenge
Success OR Failure
If authentication is successful, a CHAP success packet is built from the following components:
03 = CHAP success message type.
ID = copied from the response packet.
Welcome In = simply a text message providing a user-readable explanation.

CHAP Challenge
Success OR Failure
If authentication fails, a CHAP failure packet is built from the following components:
04 = CHAP failure message type.
ID = copied from the response packet.
Authentication Failed = a text message (this or another) providing a user-readable explanation.

Challenge Handshake Authentication Protocol (CHAP)


CHAP provides protection against playback attack through the use of a variable challenge value that is unique and unpredictable. Since the challenge is unique and random, the resulting hash value will also be unique and random. The use of repeated challenges is intended to limit the time of exposure to any single attack. The Central router or a third-party authentication server is in control of the frequency and timing of the challenges.
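The PAP and CHAP exchanges described on the preceding slides, simulated in memory between HQ and SantaCruz as an added example (it is not from the slides and is not a router vendor's implementation). Packet layouts follow RFC 1334 for PAP and RFC 1994 for CHAP; the CHAP response value is MD5 over Identifier, then secret, then Challenge, which is the RFC's definition of the "ID, random value and password fed into the MD5 hash generator" on the slides. The usernames and the shared secret boardwalk are taken from the CHAP configuration slide, and the challenge is drawn from os.urandom. The block shows why the PAP password is readable on the wire, how the authenticator ties a response back to its outstanding challenge by the ID, and why a fresh random challenge defeats a replayed response.

```python
"""PAP and CHAP over PPP (added example, not course code).

HQ is the authenticator and SantaCruz the peer, as on the slides.  Packet
layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP); the shared secret and
user names are the ones from the CHAP configuration slide.
"""
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQ, PAP_AUTH_ACK, PAP_AUTH_NAK = 1, 2, 3               # RFC 1334 codes
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4   # RFC 1994 codes

HQ_USERS = {b"SantaCruz": b"boardwalk"}         # 'username SantaCruz password boardwalk' on HQ
SANTACRUZ_USERS = {b"HQ": b"boardwalk"}         # 'username HQ password boardwalk' on SantaCruz


def pap_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: Code | ID | Length | id-len | Peer-ID | pw-len | Password."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQ, ident, 4 + len(data)) + data


def pap_check(request: bytes, users: dict) -> int:
    """Authenticator side: the password arrives in clear and is compared with the local table."""
    code, _ident, _length = struct.unpack("!BBH", request[:4])
    n = request[4]
    peer_id = request[5:5 + n]
    m = request[5 + n]
    password = request[6 + n:6 + n + m]
    ok = code == PAP_AUTH_REQ and hmac.compare_digest(users.get(peer_id, b""), password)
    return PAP_AUTH_ACK if ok else PAP_AUTH_NAK


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_challenge(ident: int, name: bytes, size: int = 16) -> bytes:
    """Challenge: 01 | ID | Length | value-size | random value | name of the challenger."""
    value = os.urandom(size)                    # fresh, unpredictable value every time
    data = bytes([size]) + value + name
    return struct.pack("!BBH", CHAP_CHALLENGE, ident, 4 + len(data)) + data


def _split(packet: bytes):
    """Common CHAP layout: (code, ident, value, name)."""
    code, ident, _length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    return code, ident, packet[5:5 + size], packet[5 + size:]


def chap_respond(challenge: bytes, secrets: dict, my_name: bytes) -> bytes:
    """Peer side: look up the secret by the challenger's name, hash, send 02 | ID | hash | name."""
    code, ident, value, challenger = _split(challenge)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP challenge")
    digest = chap_hash(ident, secrets[challenger], value)
    data = bytes([len(digest)]) + digest + my_name
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(data)) + data


def chap_verify(challenge: bytes, response: bytes, secrets: dict) -> int:
    """Authenticator side: recompute the hash from the *original* challenge and compare."""
    _, c_ident, value, _ = _split(challenge)
    code, r_ident, received, peer = _split(response)
    if code != CHAP_RESPONSE or r_ident != c_ident:
        return CHAP_FAILURE                     # not a response to this outstanding challenge
    expected = chap_hash(c_ident, secrets.get(peer, b""), value)
    return CHAP_SUCCESS if hmac.compare_digest(expected, received) else CHAP_FAILURE


def run_pap():
    """Returns (result, password_visible_in_packet)."""
    req = pap_request(1, b"SantaCruz", b"boardwalk")
    return pap_check(req, HQ_USERS), b"boardwalk" in req


def run_chap(replay_old_response: bool = False) -> int:
    """One CHAP exchange; optionally present a captured response to a later challenge."""
    first = chap_challenge(1, b"HQ")
    response = chap_respond(first, SANTACRUZ_USERS, b"SantaCruz")
    if not replay_old_response:
        return chap_verify(first, response, HQ_USERS)
    # Same ID reused on purpose: even then the new random value makes the old hash wrong.
    later = chap_challenge(1, b"HQ")
    return chap_verify(later, response, HQ_USERS)


if __name__ == "__main__":
    print("PAP:", run_pap())
    print("CHAP:", run_chap(), "CHAP replayed response:", run_chap(True))
```

The secret itself never appears in a CHAP packet; only the challenge and the hash do, which is why the authenticator must hold the peer's plain-text secret (the username command on the slides) rather than a stored hash. The comparison uses hmac.compare_digest so that a wrong hash takes the same time to reject whatever byte differs.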


Configuring PPP
Router#configure terminal
Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp

Enables PPP encapsulation on serial interface 0/0.


Configuring PPP
Topology: DTE (.2/S0) - 172.25.3.0/24 serial link - DCE (.1/S0)

DTE router:
interface Serial0
 ip address 172.25.3.2 255.255.255.0
 encapsulation ppp

DCE router:
interface Serial0
 ip address 172.25.3.1 255.255.255.0
 encapsulation ppp


Verifying PPP

[Figure: show interfaces output for the PPP link, highlighting the LCP and NCP states.]


Configuring PAP
Rtr(config)# username remote-host password remote-password
This needs to match the ppp pap sent-username on the remote host.

Rtr(config-if)# ppp pap sent-username this-host-username password this-host-password
The passwords do not need to match between the remote and the host. It does not need to be the same as the enable secret password.

Router(config-if)# ppp authentication {chap | chap pap | pap chap | pap}
Two choices: first choice | second choice. If both methods are enabled, then the first method specified will be requested during link negotiation. If the peer suggests using the second method or simply refuses the first method, then the second method will be tried.

Configuring PAP

Topology: DTE (.2/S0) - 172.25.3.0/24 serial link - DCE (.1/S0)

SantaCruz (DTE):
hostname SantaCruz
username HQ password HQpass
interface Serial0
 ip address 172.25.3.2 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username SantaCruz password SantaCruzpass

HQ (DCE):
hostname HQ
username SantaCruz password SantaCruzpass
interface Serial0
 ip address 172.25.3.1 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username HQ password HQpass

Notes: sent-username and password must match the remote router's username and password. Hostnames are not involved.

Configuring CHAP

Topology: DTE (.2/S0) - 172.25.3.0/24 serial link - DCE (.1/S0)

SantaCruz (DTE):
hostname SantaCruz
username HQ password boardwalk
interface Serial0
 ip address 172.25.3.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname SantaCruz (optional)

HQ (DCE):
hostname HQ
username SantaCruz password boardwalk
interface Serial0
 ip address 172.25.3.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname HQ (optional)

Notes: Hostnames are involved, unless the ppp chap hostname command is used, and must match the remote router's username command. Passwords are case-sensitive and must match.

Configuring PPP Multilink (MLP)


Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router(config-if)#ppp multilink

In some environments, it may be necessary to bundle multiple serial links to act as single link with aggregated bandwidth.


Configuring PPP Multilink with ISDN


[Figure: two routers connected BRI0 to BRI0]

PPP Multilink is common with ISDN. Prior to MLP, two or more ISDN B channels could not be used in a standardized way while ensuring sequencing. MLP is most effective when used with ISDN. We will see how this is done when we discuss ISDN.

Configuring Compression
To configure compression over PPP:
Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router(config-if)#compress [predictor|stac|mppc]
Point-to-point software compression can be configured on serial interfaces that use PPP encapsulation. Compression is performed in software and might significantly affect system performance. Compression is not recommended if most of the traffic consists of compressed files.


Error Detection
Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router(config-if)#ppp quality percentage
Link Quality Monitoring (LQM) is available on all serial interfaces running PPP. LQM will monitor the link quality, and if the quality drops below a configured percentage, the link will be taken down. The percentages are calculated for both the incoming and outgoing directions.


Load Balancing
Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router(config-if)#ppp multilink
Multilink PPP provides load balancing over the router interfaces that PPP uses.
Packet fragmentation and sequencing, as specified in RFC 1717, splits the load for PPP and sends fragments over parallel circuits.

In some cases, this bundle of multilink PPP pipes functions as a single logical link, improving throughput and reducing latency between peer routers.
Prior to MLP, two or more ISDN B channels could not be used in a standardized way while ensuring sequencing. MLP is most effective when used with ISDN.

debug ppp negotiation


Router#debug ppp negotiation
PPP protocol negotiation debugging is on
. . .
BR0:1 LCP: State is Open
. . .
PPP: Phase is AUTHENTICATING
. . .
BR0:1 IPCP: State is Open
. . .

The debug ppp negotiation command enables you to view the PPP negotiation transactions, identify the problem or stage when the error occurs, and develop a resolution. During PPP negotiation, the link goes through several phases, as shown. The end result is that PPP is either up or down.


debug ppp authentication

The debug ppp authentication command displays the authentication exchange sequence. With two-way authentication configured, each router authenticates the other. Messages appear for both the authenticating process and the process of being authenticated.

Summary
Upon completion of this chapter, the student should be able to understand the following:
Overview of Serial Communication & Standards
TDM/STDM
DTE & DCE
HDLC Encapsulation
Introduction to PPP & its Layered Architecture
PPP Frame Structure
PPP Session Establishment
PPP Authentication: PAP, CHAP
PPP Configurations

AACS5324 Advanced Computer Networks


Chapter 4 Frame Relay


Objectives
Upon completion of this chapter, the student should be able to understand the following:
Introduction to Frame Relay
Frame Relay Operation and Virtual Circuits
Frame Relay Encapsulation
Frame Relay Topologies
Frame Relay Addressing & Mapping
Frame Relay Configurations
Frame Relay Advanced Concepts: Paying for Frame Relay, Bandwidth & Flow Control, Solving Reachability Issues

Frame Relay

Basic Frame Relay Concepts


Introducing Frame Relay


Frame Relay has become the most widely used WAN technology in the world. Large enterprises, ISPs, and small businesses use Frame Relay, because of its price and flexibility. Price: As corporations grow, so does their dependence on timely, reliable data transport. Leased line facilities become expensive. Flexibility: The pace of change and the global nature of businesses demand a flexible, world-wide solution.

Frame Relay - An Efficient and Flexible Technology


Example: Bandwidth Requirements

Need to consider the MAXIMUM.


Frame Relay - An Efficient and Flexible Technology


Example: Leased Lines Providers Network


Frame Relay - An Efficient and Flexible Technology


Example: Leased Lines T1 = 24 56K channels

Only use 7 of 24


Frame Relay - An Efficient and Flexible Technology


Example: Leased Lines T1 = 24 56K channels

Only use 5 of 24


Frame Relay - An Efficient and Flexible Technology


Example: Frame Relay Allows multiple links over a single network connection.

[Figure: a 256 Kb access link into the provider's network carrying several 56 Kb virtual circuits]

Introducing Frame Relay


Cost Effectiveness: Customers only pay for the local loop, and for the bandwidth they purchase from the network provider. Distance between nodes is not important in FR. With dedicated lines, customers pay for an end-to-end connection. That includes the local loop and the network link. Shared bandwidth across a larger base of customers. Typically, a network provider can service 40 or more 56 kb/s customers over one T1 circuit.


Frame Relay WAN


When you build a WAN, there are always three components: the DTE, the DCE, and the component that sits in the middle, joining the two access points. In the late 1970s and into the early 1990s, the WAN technology typically used was the X.25 protocol, now considered a legacy protocol. X.25 provided a reliable connection over unreliable cabling infrastructures; it included additional error control and flow control.

Frame Relay WAN


Frame Relay has lower overhead than X.25 because it has fewer capabilities. Modern WAN facilities offer more reliable lines and services. Frame Relay does not provide error correction. A Frame Relay node simply drops packets without notification when it detects errors. Any necessary error correction, such as retransmission of data, is left to the endpoints. Frame Relay handles transmission errors through a standard Cyclic Redundancy Check.


Frame Relay Operation


Frame Relay DTE to DCE connection has two components. Physical Layer: Defines the mechanical, electrical, functional, and procedural specifications for the connection. Data Link Layer: Defines the protocol that establishes the connection between the DTE device (router) and the DCE device (provider's switch).


Frame Relay Operation


Connects the DTE to the provider's Frame Relay switch.

Virtual Circuits
The connection through a Frame Relay network between two DTEs is called a virtual circuit (VC). The circuits are virtual because there is no direct electrical connection from end to end: the connection is logical, and data moves from end to end without a direct electrical circuit. Bandwidth is shared among multiple users. Any single site can communicate with any other single site without using multiple dedicated physical lines. Two types: Switched (SVC): Dynamically set up per call and removed when done. Permanent (PVC): Preconfigured by the provider and

Virtual Circuits
Any single site can communicate with any other single site without using multiple dedicated physical lines. [Figure: Toronto, Vancouver and Windsor connected through the provider's network.] Each site only pays for its connection to the provider's DCE.

Virtual Circuits
VCs are identified by DLCIs (Data Link Connection Identifiers). Permanent Virtual Circuit = PVC. Switched Virtual Circuit = SVC. DLCI values are assigned by the Frame Relay service provider. The DLCI is used to route Frame Relay traffic. Frame Relay DLCIs have only local significance: a DLCI simply identifies a VC to the equipment at an endpoint and is only unique on the physical channel where it resides. The DLCI value itself is not unique in the provider's Frame Relay WAN.

Local Significance of DLCIs


A DLCI simply identifies a VC to the equipment at an endpoint and is only unique on the physical channel where it resides.

Identifying Virtual Circuits (VC)


As the frame moves across the network, Frame Relay labels each VC with a DLCI. The DLCI is stored in the address field of every frame to tell the network how the frame should be routed. The Frame Relay service provider assigns DLCI numbers. DLCIs 0 to 15 and 1008 to 1023 are reserved for special purposes. Service providers typically assign DLCIs in the range of 16 to 1007.


Identifying Virtual Circuits (VC)


Switch table (figure):

VC    Port   DLCI
21    0      222
22    1      119
23    2      309
24    3      721
25    4      432

Each Frame Relay switch has a table that is used to build the virtual circuit. As the frame moves through the switch, the DLCI is adjusted to follow the predetermined path through the network.


Identifying Virtual Circuits (VC)


Any single site can communicate with any other single site without using multiple dedicated physical lines. [Figure: Toronto, Windsor and Vancouver connected by PVCs whose DLCIs (102, 119, 432) change hop by hop through the provider's network.]

Multiple Virtual Circuits


Frame Relay is statistically multiplexed. It transmits only one frame at a time, but many logical connections can co-exist on a single physical line. Multiple VCs on a single physical line are distinguished because each VC has its own DLCI. Reduces the equipment and network complexity required to connect multiple devices. Cost-effective replacement for a mesh of access lines. More savings arise as the capacity of the access line is based on the average bandwidth requirement of the VCs, rather than on the maximum bandwidth requirement.

Multiple Virtual Circuits


Example: Frame Relay Capacity based on average bandwidth.

[Figure: a 256 Kb access link into the provider's network sized for the average of its 56 Kb virtual circuits]

Frame Relay Encapsulation


Frame Relay takes data packets from a network layer protocol and encapsulates them as the data portion of a Frame Relay frame.

DLCI spans 2 bytes
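An added example, not part of the course material, that packs and unpacks the 2-byte address field (the 10-bit DLCI split across both octets, plus the C/R, FECN, BECN, DE and EA bits) and shows how a provider switch rewrites the locally significant DLCI from its table while leaving the other bits alone. The switch table is constructed: the 203/302 pair follows the R2-to-R3 mapping example on the slides, DLCI 201 is an assumed value.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# DLCIs the slides list as reserved (0-15 and 1008-1023); LMI uses some of them.
RESERVED_DLCIS = set(range(0, 16)) | set(range(1008, 1024))


@dataclass
class AddressField:
    dlci: int           # 10-bit value, locally significant
    cr: bool = False    # Command/Response bit, not used by Frame Relay itself
    fecn: bool = False  # Forward Explicit Congestion Notification
    becn: bool = False  # Backward Explicit Congestion Notification
    de: bool = False    # Discard Eligibility


def encode_address(a: AddressField) -> bytes:
    """Pack the 2-byte Q.922 address field.
    Octet 1: DLCI bits 9..4 | C/R | EA=0    Octet 2: DLCI bits 3..0 | FECN | BECN | DE | EA=1"""
    if not 0 <= a.dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    octet1 = ((a.dlci >> 4) << 2) | (int(a.cr) << 1)            # EA = 0: another octet follows
    octet2 = (((a.dlci & 0x0F) << 4) | (int(a.fecn) << 3)
              | (int(a.becn) << 2) | (int(a.de) << 1) | 1)      # EA = 1: last address octet
    return bytes([octet1, octet2])


def decode_address(raw: bytes) -> AddressField:
    """Unpack the address field at the start of a frame; reject anything but a 2-octet header."""
    if len(raw) < 2:
        raise ValueError("truncated frame")
    octet1, octet2 = raw[0], raw[1]
    if (octet1 & 1) or not (octet2 & 1):
        raise ValueError("EA bits do not describe a 2-byte address field")
    dlci = ((octet1 >> 2) << 4) | (octet2 >> 4)
    return AddressField(dlci, cr=bool(octet1 & 2), fecn=bool(octet2 & 8),
                        becn=bool(octet2 & 4), de=bool(octet2 & 2))


# Provider switch table, constructed: (ingress port, ingress DLCI) -> (egress port, egress DLCI).
# R2 reaches R3 on DLCI 203 and R3 answers on DLCI 302 (as on the mapping slides);
# R1's DLCI 102 is paired with an assumed DLCI 201 on R2's side.
SWITCH_TABLE: Dict[Tuple[str, int], Tuple[str, int]] = {
    ("R2", 203): ("R3", 302), ("R3", 302): ("R2", 203),
    ("R1", 102): ("R2", 201), ("R2", 201): ("R1", 102),
}


def switch_frame(ingress_port: str, frame: bytes) -> Optional[Tuple[str, bytes]]:
    """Forward one frame across the switch: rewrite the DLCI for the next hop and keep
    FECN/BECN/DE and the payload.  None means there is no PVC for it, so the frame is
    dropped (Frame Relay does not notify the sender)."""
    addr = decode_address(frame)
    if addr.dlci in RESERVED_DLCIS:
        return None  # LMI and other special DLCIs terminate on the switch, they are not forwarded
    hop = SWITCH_TABLE.get((ingress_port, addr.dlci))
    if hop is None:
        return None
    egress_port, egress_dlci = hop
    addr.dlci = egress_dlci
    return egress_port, encode_address(addr) + frame[2:]


if __name__ == "__main__":
    frame = encode_address(AddressField(203, de=True)) + b"IP packet for 10.1.1.3"
    out = switch_frame("R2", frame)
    print(out, decode_address(out[1]))   # egress R3, DLCI now 302, DE still set
```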


Frame Relay Topologies


A topology is the map or visual layout of the network. You need to consider the topology in order to understand the network and the equipment used to build the network. Every network or network segment can be viewed as being one of three topology types: Star (Hub and Spoke) Full Mesh Partial Mesh


Frame Relay Topologies


Star (Hub and Spoke): The simplest WAN topology. A central site acts as a hub and hosts the primary services.

One site with multiple VCs


Frame Relay Topologies


Full Mesh: A full mesh topology connects every site to every other site. Using leased-line interconnections, additional serial interfaces and lines add costs.
Formula: [n(n - 1)]/2

# Sites   # Circuits
2         1
3         3
4         6
5         10
6         15
7         24

Frame Relay Topologies


Full Mesh: Using Frame Relay, a network designer can build multiple connections simply by configuring additional VCs on each existing link.

No additional expense for communication lines or hardware.


Frame Relay Topologies


Partial Mesh: For large networks, a full mesh topology is seldom affordable. The issue is not the cost of the hardware, but the theoretical limit of less than 1,000 VCs per link. In practice, the limit is less than that. For this reason, larger networks are generally configured in a partial mesh topology. With partial mesh, there are more interconnections than required for a star arrangement, but not as many as for a full mesh. The actual pattern is dependent on the data flow requirements.

Frame Relay Address Mapping


Before a router is able to transmit data over Frame Relay, it needs to know which local DLCI maps to the Layer 3 address of the remote destination.


Frame Relay Address Mapping WHY?


Remember: The PVC is a permanently defined path through the provider's network. Remember: The DLCI is only locally significant and identifies the connection to the provider's network.

When R2 has a packet to transmit, it must know which DLCI to put in the header at Layer 2.

Frame Relay Address Mapping - WHY?


1. R2 has a packet to transmit to 10.1.1.3.
2. The routing table says network 10.1.1.0/24 is out the interface S0/0/0.
3. The address-to-DLCI mapping says that to send to 10.1.1.3, use DLCI 203 in the Layer 2 header.
4. When the frame is read by the Frame Relay switch, it will be switched over to the PVC identified by DLCI 302.

Frame Relay Address Mapping


Before a router is able to transmit data over Frame Relay, it needs to know which local DLCI maps to the Layer 3 address of the remote destination. Two Methods: Dynamic Address Mapping. Static Address Mapping.


Frame Relay Address Mapping


Dynamic Address Mapping: Uses Inverse ARP (IARP). ARP: Layer 3 address to obtain Layer 2 address. IARP: Layer 2 address to obtain Layer 3 address. In the case of Frame Relay, IARP uses the Layer 2 DLCI to obtain the Layer 3 address of the router at the other end of the PVC. On Cisco routers, Inverse ARP is enabled by default for only those protocols enabled on the physical interface.


Frame Relay Address Mapping


Static Address Mapping: Overrides dynamic IARP mapping by supplying a manual static mapping from the next hop protocol address to a local DLCI. A static map associates a specified next hop protocol address with a local Frame Relay DLCI. You cannot use Inverse ARP and a map statement for the same DLCI and protocol. WHEN? The router at the other end of the PVC does not support IARP for the protocol you are using, or the network is hub-and-spoke Frame Relay.

Local Management Interface (LMI)


History: When vendors implemented Frame Relay as a separate technology, they decided that there was a need for DTEs to dynamically acquire information about the status of the network. The original design did not include this option. A consortium of Cisco, Digital Equipment Corporation (DEC), Northern Telecom, and StrataCom extended the Frame Relay protocol to provide additional capabilities for complex internetworking environments. These extensions are referred to collectively as the LMI.


Local Management Interface (LMI)


Basically, the LMI is a keepalive mechanism that provides status information about Frame Relay connections between the router (DTE) and the Frame Relay switch (DCE). Every 10 seconds or so, the end device polls the network. If the network does not respond with the requested information, the user device may consider the connection to be down. When the network responds with a FULL STATUS response, it includes status information about DLCIs that are allocated to that line. The end device can use this information to determine whether the logical connections are able to pass data.

Local Management Interface (LMI)


The 10-bit DLCI field supports 1,024 VC identifiers: 0 through 1023. The LMI extensions reserve some of these identifiers, thereby reducing the number of permitted VCs. LMI messages are exchanged between the DTE and DCE using these reserved DLCIs.


Local Management Interface (LMI)


There are several LMI types, each of which is incompatible with the others. Three types of LMI are supported by Cisco routers:
cisco - Original LMI extension
ansi - Corresponding to the ANSI standard T1.617 Annex D
q933a - Corresponding to the ITU standard Q.933 Annex A


Local Management Interface (LMI)


Starting with Cisco IOS software release 11.2, the default LMI autosense feature detects the LMI type supported by the directly connected Frame Relay switch. If it is necessary to set the LMI type, use the interface configuration command: frame-relay lmi-type [cisco | ansi | q933a]. Configuring the LMI type disables the autosense feature.


Local Management Interface (LMI)


For Example: There will be no connection to the Frame Relay network unless the router and the Frame Relay switch are using the same type of LMI.

[Figure: LMI Status Enquiry from the router, LMI Status Response from the switch]


Frame Relay

Configuring Frame Relay


Configuring Basic Frame Relay


1. Set up the IP address on the interface.
2. Configure Frame Relay encapsulation.
   encapsulation frame-relay [cisco | ietf]
   The default encapsulation is Cisco HDLC. Use IETF if connecting to another vendor's router.
3. Set the bandwidth. Use the bandwidth command to set the bandwidth for the OSPF and EIGRP routing protocols.
4. Set the LMI type (optional; the LMI type is auto-detected).
   frame-relay lmi-type [cisco | ansi | q933a]


Configuring Basic Frame Relay

Once the interfaces are enabled with the no shutdown command: The Frame Relay switch and the router exchange LMI status messages that announce the DLCIs to the router. IARP maps the remote Layer 3 address to the local DLCI. Routers can exchange data.

[Figure: LMI, IARP and OSPF/EIGRP exchanges on the Frame Relay link]


Configuring Basic Frame Relay

We used IARP to obtain the DLCI to IP Address mapping.

Remember that IARP only works between point-to-point routers.


[Figure: PVCs in a full mesh]

Configuring Static Frame Relay Maps


To manually map between a next hop protocol address and a DLCI destination address, use the command:

Router(config-if)#frame-relay map protocol protocol-address dlci [broadcast]

protocol: protocol used on the interface (e.g. IP)
protocol-address: remote interface address (e.g. 10.1.1.3)
dlci: local DLCI
broadcast: allow broadcasts

Configuring Static Frame Relay Maps

Frame Relay (like X.25 and ATM) is a non-broadcast multiple access (NBMA) network. It does not support multicast or broadcast traffic. Using the broadcast keyword is a simplified way to forward routing updates: it allows broadcasts and multicasts over the PVC. In effect, it turns the broadcast into a unicast so that the other node gets the routing updates.


Configuring Static Frame Relay Maps


When do we use a static map? Hub-and Spoke Topology. Partial Mesh Topology. If you absolutely need a connection between two sites that are already on your Frame Relay network and there is no PVC.


Configuring Static Frame Relay Maps

No PVC between R1 and R3.


Configuring Static Frame Relay Maps

R1 and R3 know about R2. R1 and R3 don't know about each other.

No PVC between R1 and R3.


Configuring Static Frame Relay Maps


How do we fix it? Either add another PVC to the network (additional expense), or add a static Frame Relay map to both R1 and R3. R1: map the R3 IP address 10.1.1.3 to DLCI 102 on R1; anything for that network should go to the hub. R3: map 10.1.1.1 to DLCI 302.


Frame Relay

Advanced Frame Relay Concepts


Advanced Frame Relay Concepts


Paying for Frame Relay: Customers simply buy Frame Relay services from a service provider. Access rate or port speed - From a customer's point of view, the service provider provides a serial connection to the Frame Relay network over a leased line.
Access rate is the rate at which your access circuits join the Frame Relay network. These are typically at 56 kb/s, T1 (1.536 Mb/s), or Fractional T1 (a multiple of 56 kb/s or 64 kb/s). It is not possible to send data at higher than port speed.


Advanced Frame Relay Concepts


Paying for Frame Relay: Customers simply buy Frame Relay services from a service provider. Committed Information Rate (CIR) - Customers negotiate CIRs with service providers for each PVC.
The service provider guarantees that the customer can send data at the CIR. All frames received at or below the CIR are accepted. A great advantage of Frame Relay is that any network capacity that is being unused is made available or shared with all customers, usually at no extra charge. This allows customers to "burst" over their CIR as a bonus.


Advanced Frame Relay Concepts


Paying for Frame Relay: Access or port speed: The cost of the access line from the DTE to the DCE (customer to service provider). Permanent Virtual Circuit (PVC): This cost component is based on the PVCs. Committed Information Rate (CIR): Customers normally choose a CIR lower than the port speed or access rate (U.S.). This allows them to take advantage of bursts.


Advanced Frame Relay Concepts


Paying for Frame Relay: Oversubscription: Service providers sometimes sell more capacity than they have on the assumption that not everyone will demand their entitled capacity all of the time. Because of oversubscription, there will be instances when the sum of CIRs from multiple PVCs to a given location is higher than the port or access channel rate. This can cause traffic issues, such as congestion and dropped traffic. Be aware that this can happen!

Advanced Frame Relay Concepts


Bursting: Because the physical circuits of the Frame Relay network are shared between subscribers, there will often be time where there is excess bandwidth available. Frame Relay can allow customers to dynamically access this extra bandwidth and "burst" over their CIR for free.


Advanced Frame Relay Concepts


Committed Burst Information Rate (CBIR)
The CBIR is a negotiated rate above the CIR which the customer can use to transmit for short bursts. A device can burst up to the CBIR and still expect the data to get through. If bursts persist, then a higher CIR should be purchased. Frames submitted at this level are marked as Discard Eligible (DE) in the frame header, indicating that they may be dropped if there is congestion or there is not enough capacity in the network. Frames within the negotiated CIR are not eligible for discard (DE = 0).

Excess Burst Size (BE)
The BE is the term used to describe the bandwidth available above the CBIR up to the access rate of the link. Unlike the CBIR, it is not negotiated. Frames may be transmitted at this level but will most likely be dropped.


Advanced Frame Relay Concepts


Frame Relay Discard Eligibility Bit: The frame header also contains a Discard Eligibility (DE) bit, which identifies less important traffic that can be dropped during periods of congestion. DTE devices can set the value of the DE bit to indicate that the frame has lower importance than other frames. The DE bit is automatically set during a burst situation.
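An added example (not from the slides) that models how an access device sorts one measurement interval's frames against the three rates above: within the CIR they leave with DE = 0, between CIR and CBIR they are marked DE = 1, above the CBIR they are sent into the BE region and will most likely be dropped, and nothing can exceed the port speed. The interval Tc, the sample rates and the frame sizes are assumed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PvcContract:
    """What the customer buys for one PVC, in bit/s, in the slides' terms."""
    access_rate: int   # port speed; nothing can be sent faster than this
    cir: int           # Committed Information Rate, guaranteed by the provider
    cbir: int          # Committed Burst Information Rate, negotiated, above the CIR
    tc: float = 1.0    # measurement interval in seconds (assumed value)

    def __post_init__(self) -> None:
        if not 0 < self.cir <= self.cbir <= self.access_rate:
            raise ValueError("need 0 < CIR <= CBIR <= access rate")

    @property
    def committed_bytes(self) -> float:
        return self.cir * self.tc / 8           # carried with DE = 0

    @property
    def burst_bytes(self) -> float:
        return self.cbir * self.tc / 8          # up to here: DE = 1 but still expected to get through

    @property
    def port_bytes(self) -> float:
        return self.access_rate * self.tc / 8   # physical ceiling of the access circuit per Tc


def police_interval(contract: PvcContract, frame_sizes: List[int]) -> List[Tuple[int, str]]:
    """Classify the frames offered during one Tc, in arrival order:
    'committed'  within the CIR, DE = 0
    'burst'      between CIR and CBIR, DE = 1, delivered unless the network is congested
    'excess'     above the CBIR (the BE region), DE = 1, most likely dropped
    'port-full'  the access circuit is already full for this Tc; the frame must wait"""
    sent = 0
    verdicts: List[Tuple[int, str]] = []
    for size in frame_sizes:
        if sent + size > contract.port_bytes:
            verdicts.append((size, "port-full"))
            continue
        sent += size
        if sent <= contract.committed_bytes:
            verdicts.append((size, "committed"))
        elif sent <= contract.burst_bytes:
            verdicts.append((size, "burst"))
        else:
            verdicts.append((size, "excess"))
    return verdicts


def de_bit(verdict: str) -> int:
    """The DE bit the access device writes into the header for a transmitted frame."""
    return 0 if verdict == "committed" else 1


def summarize(verdicts: List[Tuple[int, str]]) -> Dict[str, int]:
    counts = {"committed": 0, "burst": 0, "excess": 0, "port-full": 0}
    for _, verdict in verdicts:
        counts[verdict] += 1
    return counts


def needs_higher_cir(history: List[Dict[str, int]], intervals: int = 3) -> bool:
    """The slide's rule of thumb: if bursting persists over several intervals, buy a higher CIR."""
    recent = history[-intervals:]
    return len(recent) == intervals and all(c["burst"] + c["excess"] > 0 for c in recent)


# Constructed sample: 256 kb/s port, 64 kb/s CIR, 128 kb/s CBIR, Tc = 1 s
SAMPLE = PvcContract(access_rate=256_000, cir=64_000, cbir=128_000)

if __name__ == "__main__":
    # 14 full-size 1500-byte frames offered in one second
    print(summarize(police_interval(SAMPLE, [1500] * 14)))
```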


Advanced Frame Relay Concepts


Frame Relay Flow Control: Frame Relay flow control is a matter of controlling congestion on the frame relay network. There are two bits that are set on the frame header when congestion occurs. Forward Explicit Congestion Notification (FECN) Backward Explicit Congestion Notification (BECN)


Advanced Frame Relay Concepts


Frame Relay Flow Control: Traffic Flow

While Frame Relay Switch A is placing a large frame on interface 1, other frames for this interface are queued.


Advanced Frame Relay Concepts


Frame Relay Flow Control: Traffic Flow

When the queue is sent, down stream devices are warned of the queue by setting the FECN bit in the header of the frame that was received on the congested link.

Advanced Frame Relay Concepts


Frame Relay Flow Control: Traffic Flow

Upstream devices are warned of the queue by setting the BECN bit in the header of any frames sent on the congested link. Each upstream device receives the BECN frame.

Advanced Frame Relay Concepts


Frame Relay Flow Control: Traffic Flow

Even though a device may not have contributed to the congestion, it still receives the BECN frame. Each device that provides input to the switch is instructed to reduce the rate at which it is sending packets.

Solving Reachability Issues


Frame Relay is a Non-Broadcast Multi-Access (NBMA) network. In Ethernet, multiple nodes can access the network and all nodes see all broadcasts or multicasts. However, in a non-broadcast network such as Frame Relay, nodes cannot see broadcasts of other nodes unless they are directly connected by a virtual circuit. This means that Branch A cannot directly see the broadcasts from Branch B, because they are connected using a hub and spoke topology.

Solving Reachability Issues


Multiple-Access (MA): A Frame Relay network is one type of shared network, where many devices are attached to the same network and share the bandwidth. Non-Broadcast (NB): A virtual circuit must be established between two DTEs attached to the Frame Relay network before bidirectional communication can commence. Frames transmitted over the virtual circuit are seen only by these two DTEs, which is why the network is non-broadcast.


Solving Reachability Issues


Split Horizon prohibits routing updates received on an interface from exiting that same interface. Example: The Central router learns about Network X from Branch A. That update is learned via S0/0. The Central router must then send its own update to Branch B and Branch C.

Solving Reachability Issues

One solution is to turn off split horizon for IP:

no ip split-horizon

Of course, with split horizon disabled, the protection it affords against routing loops is lost. Split horizon is only an issue with distance vector routing protocols like RIP and EIGRP. It has no effect on link state routing protocols like OSPF.

Frame Relay Subinterfaces


A better solution is to use Subinterfaces. Subinterfaces are logical subdivisions of a physical interface. In split-horizon routing environments, routing updates received on one subinterface can be sent out on another subinterface. With this configuration, each PVC can be configured as a point-to-point connection and treated as a separate physical interface similar to a single leased line.

Frame Relay Subinterfaces


There are two types of Frame Relay subinterfaces:
Point-to-Point: Acts as a leased line. Separate subnets. How to configure: stay tuned!
Multipoint: Acts as an NBMA network, so it is no solution to split horizon. All on the same subnet.

Frame Relay

Configuring Advanced Frame Relay


Configuring Frame Relay Subinterfaces


1. Configure encapsulation on the interface.
   R1(config)#interface serial-number
   R1(config-if)#encapsulation frame-relay
2. Create the sub-interface with the IP address and any other parameters that apply.
   R1(config-if)#interface serial-number.subinterface-number {multipoint | point-to-point}
3. Use this command to map the DLCI to the IP address, not frame-relay map:
   R1(config-subif)#frame-relay interface-dlci dlci-number

Configuring Frame Relay Subinterfaces


Note that the IP Addressing scheme has changed to provide separate IP subnets for each Frame relay link.

Also note that the DLCI number is used as the sub-interface number.


Configuring Frame Relay Subinterfaces


1. Configure Frame Relay encapsulation on the interface.
2. Create a sub-interface for each DLCI on the connection. Using the DLCI number as the sub-interface number helps in troubleshooting. Configure the IP address. Map the DLCI.
3. Activate the entire interface, not each individual sub-interface.
4. Use the following commands to verify:
   show frame-relay map
   show frame-relay lmi
   show frame-relay pvc [dlci-number]
   debug frame-relay lmi