AACS5324 Advanced Computer Networks: Chapter 1, IP Addressing Services (lecture slide transcript, CCNA 4 based; the slide footer "Chapter 1 ACN - N" gives the slide number)

Slide 1

AACS5324 Advanced Computer Networks
Chapter 1
IP Addressing Services

Slide 2

Objectives

Upon completion of this chapter, students should be able to understand the following:

• Dynamic Host Configuration Protocol (DHCP) (RFC 2131)
  • IP address assignment
  • DHCP operations
  • DHCP relay agent
  • DHCP common security attacks
  • DHCP configurations

• Network Address Translation (NAT)
  • Private address space (RFC 1918)
  • NAT operations and terminology
  • NAT types
  • Advantages and disadvantages
  • NAT configurations

Slide 3

IP Addressing Services

Dynamic Host Configuration Protocol (DHCP)

Slide 4

IP Address Assignments

• Before Dynamic Host Configuration Protocol (DHCP):
  • Hosts were statically assigned a unique IP address that could not be reused.
  • Required a large number of addresses.
  • Network changes meant manual reconfiguration of hosts.

Slide 5

IP Address Assignments

• Then came Bootstrap Protocol (BOOTP):
  • Predecessor of DHCP.
  • Designed to configure diskless workstations based on their MAC address.
  • The BOOTP server is configured with a table of MAC addresses and the corresponding IP addresses.
  • The same IP address is always handed to a given workstation.
  • No versatility:
    • Permanent assignment.
    • Static mapping.
    • Only 4 configuration parameters.

Slide 6

IP Address Assignments

• Then came DHCP:
  • Reduces Internet access costs when NAT/PAT is not deployed by allowing dynamic address space allocation and reuse. Static IP addresses are considerably more expensive to purchase than automatically allocated IP addresses.
  • Minimizes the time and expense of client configuration. Because DHCP is easy to configure, it minimizes the operational overhead and costs associated with device configuration tasks and eases deployment by non-technical users.

Slide 7

IP Address Assignments

• Then came DHCP:
  • Provides a means of centralized management of IP information. Because the DHCP server maintains configurations for several subnets, an administrator only needs to update a single, central server when configuration parameters change.
  • Allows a client to be assigned another address when it moves to a different subnet.
  • Supports up to 20 configuration parameters.
  • Can run on a router or a server.

Slide 8

BOOTP vs. DHCP

There are three primary differences between DHCP and BOOTP:

• The main difference is that BOOTP was designed for manual pre-configuration of the host information in a server database, while DHCP allows for dynamic allocation of network addresses and configurations to newly attached hosts.

• DHCP allows for recovery and reallocation of network addresses through a leasing mechanism. Specifically, DHCP defines mechanisms through which clients can be assigned an IP address for a finite lease period. This lease period allows for reassignment of the IP address to another client later, or for the client to get another assignment if the client moves to another subnet. Clients may also renew leases and keep the same IP address. BOOTP does not use leases.

• BOOTP provides a limited amount of information to a host. DHCP provides additional IP configuration parameters, such as WINS and domain name.

Slide 9

Scaling Networks with DHCP

• DHCP is not always possible or desirable, for example in these scenarios:
  • Servers and routers usually require static addresses.
  • When network administrators want to achieve security and simplicity.
  • The DHCP server must always be available whenever an address is required.
  • End users must be prevented from manually configuring network settings and generating conflicts with dynamically assigned addresses.

Slide 10

Dynamic Host Configuration Protocol (DHCP)

• Every device that connects to a network needs an IP address.
• Network administrators assign static IP addresses to routers, servers, and other network devices whose locations (physical and logical) are not likely to change.
• User computers in an organization often change locations, physically and logically.
  • Desktop clients do not require a static address.
  • A workstation can use any address within a range of addresses.
  • This range is typically within an IP subnet.

Slide 11

Dynamic Host Configuration Protocol (DHCP)

• Two modes of installing DHCP services in a network:
  • Administrators typically prefer a network server to offer DHCP services.
    • Scalable.
    • Relatively easy to manage.
  • In a small branch or SOHO location, a Cisco router can be configured to provide DHCP services without the need for an expensive dedicated server.

Slide 12

DHCP Address Allocation Methods

• Dynamic allocation:
  • A network administrator assigns a range of IP addresses to DHCP, and each client computer on the LAN is configured to request an IP address from the DHCP server during network initialization.
  • The request-and-grant process uses a lease concept with a controllable time period, allowing the DHCP server to reclaim (and then reallocate) IP addresses that are not renewed.

Slide 13

DHCP Address Allocation Methods

• Automatic allocation:
  • The DHCP server permanently assigns a free IP address to a requesting client from the range defined by the administrator.
  • This is like dynamic allocation, but the DHCP server keeps a table of past IP address assignments, so that it can preferentially assign to a client the same IP address that the client previously had.

Slide 14

DHCP Address Allocation Methods

• Manual/static allocation (configuration example on the next slide):
  • The DHCP server allocates an IP address based on a table of MAC address/IP address pairs, which are manually filled in (perhaps by a network administrator).
  • Only requesting clients with a MAC address listed in this table will be allocated an IP address.
  • This feature (which is not supported by all DHCP servers) is variously called, for example:
    • Static DHCP Assignment (by DD-WRT),
    • fixed-address (by the dhcpd documentation),
    • Address Reservation (by Netgear),
    • DHCP reservation or Static DHCP (by Cisco/Linksys), and
    • IP reservation or MAC/IP binding (by various other router manufacturers).
  (Source: Wikipedia)

Slide 15

DHCP Address Allocation Methods

Manual Bindings Configuration Example
• The following example creates a manual binding for a client named Mars.cisco.com. The MAC address of the client is 02c7.f800.0422 and the IP address of the client is 172.16.2.254.

  ip dhcp pool Mars
   host 172.16.2.254 255.255.255.0
   default-router 172.16.2.100
   hardware-address 02c7.f800.0422 ieee802
   client-name Mars
   dns-server 172.16.1.102
   domain-name cisco.com

Slide 16

DHCP Operation – Dynamic Allocation

• Dynamic Allocation:
  • DHCP works in a client/server mode.
  • When the client connects, the server assigns or leases an IP address to the device.
  • The device connects to the network with that leased IP address until the lease period expires.
  • The host must contact the DHCP server periodically to extend the lease.
  • The leasing of addresses assures that addresses that are no longer used are returned to the address pool for use by other devices.

Slide 17

DHCP Operation – Dynamic Allocation

• Dynamic Allocation: 4 Step Process.
  • DHCPDISCOVER:
    • The client broadcasts a DHCPDISCOVER message.
    • The DHCPDISCOVER message finds the DHCP server(s) on the network.

Slide 18

DHCP Operation – Dynamic Allocation

• Dynamic Allocation: 4 Step Process.
  • DHCPOFFER (server-side conflict detection on the next slide):
    • The server responds with a DHCPOFFER.
    • The DHCPOFFER message is sent as a unicast and contains an available IP address to lease.

Slide 19

Server-side Conflict Detection

• By default, the DHCP server pings an IP address twice before offering an IP address to a requesting client.

• If the ping is not successful, the DHCP server assumes that the address is not in use and assigns the address to the requesting client.

• If the ping is successful, the server attaches a BAD_ADDRESS value to that IP address and will try to lease the next available address.

• If the duplicate address is removed from the network, the BAD_ADDRESS value attached to the IP address can be deleted, and the address returned to the pool.

Slide 20

Server-side Conflict Detection (FYI)

• To change the number of ping packets sent and/or the timeout wait value:

  Router(config)#ip dhcp ping packets number
  Router(config)#ip dhcp ping timeout milliseconds

Slide 21

DHCP Operation – Dynamic Allocation

• Dynamic Allocation: 4 Step Process.
  • DHCPREQUEST:
    • The client responds with a broadcast of a DHCPREQUEST message.
    • When used for obtaining a lease, it serves as an acceptance notice to the selected server and an implicit decline to any other servers.
    • Also used for lease renewal and verification.

Slide 22

DHCP Operation – Dynamic Allocation

• Dynamic Allocation: 4 Step Process.
  • DHCPACK:
    • The server verifies the lease information and responds with a DHCPACK message.
    • The client logs the information and sends an ARP request to verify that the address is unique (client-side conflict detection on the next slide).

Slide 23

Client-side Conflict Detection

• Upon receiving the DHCPACK message with configuration parameters, the client performs a final check on these parameters by using ARP (ping) and notes the duration of the lease specified in the DHCPACK message.
• If the ping is not successful, the client is configured with the IP address.
• If the ping is successful, the client MUST send a DHCPDECLINE message to the server and restart the configuration process.
• The client SHOULD wait a minimum of ten seconds before restarting the configuration process to avoid excessive network traffic in case of looping (RFC 2131).

Slide 24

DHCP Operation – 2 DHCP Servers (diagram)

Slide 25

DHCP Operation – 2 DHCP Servers (diagram)

Slide 26

DHCP Operation

• A DHCP client may receive offers from multiple DHCP servers and can accept any one of the offers; however, the client usually accepts the first offer it receives.

• Additionally, the offer from the DHCP server is not a guarantee that the IP address will be allocated to the client; however, the server usually reserves the address until the client has had a chance to formally request the address.

Slide 27

DHCP Operation

• The client returns a formal request for the offered IP address to the DHCP server in a DHCPREQUEST broadcast message.

• The formal request for the offered IP address (the DHCPREQUEST message) that is sent by the client is broadcast so that all other DHCP servers that received the DHCPDISCOVER broadcast message from the client can reclaim the IP addresses that they offered to the client.

• The DHCP server confirms that the IP address has been allocated to the client by returning a DHCPACK unicast message to the client.
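Slides 17 to 27 describe the exchange step by step; the following Python simulation, added here and not part of the course material, runs it end to end with two servers: the server-side ping before an offer (BAD_ADDRESS), the broadcast DHCPREQUEST that lets the unselected server reclaim its offer, a DHCPNAK when the requested address does not match what was offered, and the client-side ARP check that ends in a DHCPDECLINE and a restart. The server names, pool addresses and the two sets that stand in for ping and ARP replies are constructed.

```python
"""Simulation of the DHCP four-step exchange (DHCPDISCOVER, DHCPOFFER,
DHCPREQUEST, DHCPACK) with two servers, including the server-side ping
check that flags BAD_ADDRESS, the reclaiming of unselected offers when the
DHCPREQUEST is broadcast, and the client-side ARP check that ends in a
DHCPDECLINE. Added example, not from the slides. The two sets below stand
in for ping/ARP replies (constructed)."""
from dataclasses import dataclass, field

SERVER_PING_REPLIES = {"10.0.0.11"}   # constructed: answers the server's pre-offer ping
CLIENT_ARP_REPLIES = {"10.0.0.12"}    # constructed: answers the client's post-ACK ARP probe


@dataclass
class Server:
    name: str
    pool: list                                   # free addresses, allocation order
    offered: dict = field(default_factory=dict)  # xid -> address held for that client
    bound: dict = field(default_factory=dict)    # chaddr -> leased address
    bad: set = field(default_factory=set)        # addresses flagged BAD_ADDRESS

    def on_discover(self, xid, chaddr):
        """Offer the first free address that does not answer ping; hold it."""
        while self.pool:
            cand = self.pool.pop(0)
            if cand in SERVER_PING_REPLIES:      # slide 19: ping answered -> BAD_ADDRESS
                self.bad.add(cand)
                continue
            self.offered[xid] = cand
            return ("DHCPOFFER", self.name, cand)
        return None                              # pool exhausted: no offer at all

    def on_request(self, xid, chaddr, server_name, addr):
        """DHCPREQUEST is broadcast: the selected server ACKs, the rest reclaim."""
        held = self.offered.pop(xid, None)
        if server_name != self.name:
            if held is not None:
                self.pool.insert(0, held)        # implicit decline: back to the pool
            return None
        if held != addr:
            return ("DHCPNAK", self.name, None)  # client's notion of the address is wrong
        self.bound[chaddr] = addr
        return ("DHCPACK", self.name, addr)

    def on_decline(self, chaddr, addr):
        """DHCPDECLINE: the client found the address in use; flag it."""
        self.bound.pop(chaddr, None)
        self.bad.add(addr)

    def clear_bad(self, addr):
        """Operator removed the duplicate host: the address returns to the pool."""
        self.bad.discard(addr)
        self.pool.append(addr)


def client_obtains_lease(chaddr, servers, xid=0x1234, attempts=2):
    """Run the exchange; return (server name, address) or None. On an ARP
    conflict the client declines and restarts (slide 23), up to `attempts`."""
    for _ in range(attempts):
        offers = []
        for s in servers:
            o = s.on_discover(xid, chaddr)
            if o:
                offers.append(o)
        if not offers:
            return None
        _, chosen, addr = offers[0]              # slide 26: the first offer usually wins
        acks = [r for r in (s.on_request(xid, chaddr, chosen, addr) for s in servers)
                if r and r[0] == "DHCPACK"]
        if not acks:
            return None
        if addr in CLIENT_ARP_REPLIES:           # slide 23: ARP answered -> decline
            next(s for s in servers if s.name == chosen).on_decline(chaddr, addr)
            xid += 1
            continue
        return chosen, addr
    return None


def demo():
    """Two servers; srv1's first address is in use, its second answers the client's ARP."""
    s1 = Server("srv1", ["10.0.0.11", "10.0.0.12", "10.0.0.13"])
    s2 = Server("srv2", ["10.0.0.20"])
    lease = client_obtains_lease("aa:bb:cc:00:00:01", [s1, s2])
    return lease, sorted(s1.bad), s2.pool


if __name__ == "__main__":
    print(demo())
```

In the demo the client ends up with 10.0.0.13 from srv1: 10.0.0.11 was flagged by the server's ping, 10.0.0.12 by the client's ARP probe, and srv2's 10.0.0.20 went back into its pool both times the client chose srv1.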

Slide 28

DHCP Messages

• DHCPDISCOVER - Client broadcast to locate available servers.
• DHCPOFFER - Server to client in response to DHCPDISCOVER with offer of configuration parameters.
• DHCPREQUEST - Client message to servers either
  • accepting offered parameters from one server and implicitly declining offers from all others,
  • confirming correctness of a previously allocated address after, e.g., system reboot (verification), or
  • extending the lease on a particular network address (renewal).
• DHCPACK - Server to client with configuration parameters, including committed network address.

Slide 29

DHCP Messages

• DHCPNAK - Server to client indicating the client's notion of network address is incorrect (e.g., client has moved to a new subnet) or the client's lease has expired.
• DHCPDECLINE - Client to server indicating the network address is already in use.
• DHCPRELEASE - Client to server relinquishing the network address and cancelling the remaining lease.

Slide 30

DHCP Relay

• In a complex hierarchical network, enterprise servers are usually contained in a server farm.

• These servers may provide DHCP, DNS, TFTP, and FTP services for the clients.

Slide 31

DHCP Relay

• PC1 either tries to obtain an IP configuration or attempts to renew its address.
• In addition, other network services use broadcasts to find a TFTP server or an authentication server.

(diagram: the client's broadcasts stop at the router)

Slide 32

DHCP Relay

• The solution is DHCP Relay.
• By configuring the helper address feature, intervening routers will forward DHCP broadcasts, and others, to the appropriate server.

(diagram: broadcasts relayed through the router to the server farm)

Slide 33

DHCP Relay

• To configure RTA Fa0/0 (the interface that receives the Host A broadcasts) to relay DHCP broadcasts to the DHCP server, use the following commands:

  RTA(config)#interface fa0/0
  RTA(config-if)#ip helper-address 172.24.1.9

(diagram: broadcast from Host A relayed by RTA)

Slide 34

DHCP Relay

• DHCP clients use IP broadcasts to find the DHCP server on the segment. What happens when the DHCP server and the client are not on the same segment and are separated by a router?
• Routers, by default, will not forward broadcast packets.
• Since DHCP client messages use the destination IP address 255.255.255.255 (limited broadcast), DHCP clients will not be able to send requests to a DHCP server on a different subnet.
• The router must be configured as a DHCP relay agent in order to allow the DHCP request to go through.
• Accomplished by implementing 'ip helper-address'.
  • The agent will forward DHCP broadcast requests on behalf of the DHCP client and unicast them to the DHCP server.
  • The DHCP Relay Agent will append its own IP address to the source IP address of the DHCP frames going to the DHCP server.
  • This allows the DHCP server to respond via unicast to the DHCP Relay Agent.
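The relay behaviour described above, as an added Python example that is not from the slides. It works on the RFC 2131 fixed header: a client BOOTREQUEST arriving on the relay interface gets the relay's own interface address written into the giaddr field (the field the DHCP server reads to pick the right scope and to unicast its reply back to the relay), the hops counter is incremented, and the packet is forwarded as unicast to the helper address; a server BOOTREPLY is accepted only if its giaddr is the relay's own address. The helper address 172.24.1.9 is the slide's; the relay interface address, the client MAC and the packets themselves are constructed.

```python
"""DHCP relay agent logic on the RFC 2131 fixed header: parse a client
broadcast, set giaddr to the relay's interface address (if not already set),
increment hops, and forward as unicast to the helper address. Added example,
not from the slides; the packets below are constructed."""
import struct

HELPER_ADDRESS = "172.24.1.9"        # from slide 33: ip helper-address 172.24.1.9
RELAY_INTERFACE_IP = "172.24.2.1"    # constructed: address of RTA Fa0/0
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16)
FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s")   # 44 bytes; sname(64), file(128), options follow


def ip2b(s):
    return bytes(int(x) for x in s.split("."))


def b2ip(b):
    return ".".join(str(x) for x in b)


def _chaddr(mac):
    return bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")


def build_discover(xid, mac):
    """Constructed client DHCPDISCOVER: BOOTREQUEST, Ethernet, broadcast flag, giaddr 0."""
    hdr = FIXED.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                     b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, _chaddr(mac))
    return hdr + b"\0" * 192 + MAGIC_COOKIE + b"\x35\x01\x01\xff"   # option 53 = DISCOVER


def build_offer(xid, mac, yiaddr, giaddr, broadcast=True):
    """Constructed server DHCPOFFER addressed back through the relay at giaddr."""
    hdr = FIXED.pack(BOOTREPLY, 1, 6, 0, xid, 0, 0x8000 if broadcast else 0,
                     b"\0" * 4, ip2b(yiaddr), b"\0" * 4, ip2b(giaddr), _chaddr(mac))
    return hdr + b"\0" * 192 + MAGIC_COOKIE + b"\x35\x01\x02\xff"   # option 53 = OFFER


def parse(pkt):
    f = FIXED.unpack_from(pkt)
    return {"op": f[0], "hops": f[3], "xid": f[4], "ciaddr": b2ip(f[7]),
            "yiaddr": b2ip(f[8]), "giaddr": b2ip(f[10]), "chaddr": f[11][:f[2]].hex(":")}


def relay_to_server(pkt, relay_ip=RELAY_INTERFACE_IP, helper=HELPER_ADDRESS, max_hops=16):
    """Client -> server direction. Returns (unicast destination, new packet),
    or None when the packet is not a client request or has been relayed too often."""
    op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi, ch = FIXED.unpack_from(pkt)
    if op != BOOTREQUEST or hops >= max_hops:
        return None
    if gi == b"\0" * 4:
        gi = ip2b(relay_ip)              # first relay on the path records the client's subnet
    new = FIXED.pack(op, htype, hlen, hops + 1, xid, secs, flags, ci, yi, si, gi, ch)
    return helper, new + pkt[FIXED.size:]


def relay_to_client(pkt, relay_ip=RELAY_INTERFACE_IP):
    """Server -> client direction: accept only replies whose giaddr is ours, then
    deliver on the client segment (broadcast if the client set the broadcast flag)."""
    f = FIXED.unpack_from(pkt)
    if f[0] != BOOTREPLY or b2ip(f[10]) != relay_ip:
        return None
    dst = "255.255.255.255" if f[6] & 0x8000 else b2ip(f[8])
    return dst, pkt
```

A second relay on the path leaves giaddr untouched and only bumps hops, which is why the server always replies to the relay nearest the client; the hop limit is what stops a forwarding loop between misconfigured helper addresses.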

Slide 35

DHCP Common Security Attacks

DHCP Spoof Attacks:
• Man-In-The-Middle Attack
  • One of the ways an attacker can gain access to network traffic is to spoof responses that would be sent by a valid DHCP server.
  • The DHCP spoofing device replies to client DHCP requests.
  • The legitimate server may reply as well, but if the spoofing device is on the same segment as the client, its reply to the client may arrive first.
  • The intruder's DHCP reply offers an IP address and supporting information that designates the intruder as the default gateway or Domain Name System (DNS) server.
  • In the case of a gateway, the clients will then forward packets to the attacking device, which will in turn send them to the desired destination.
  • It may go entirely undetected as the intruder intercepts the data flow through the network.

Slide 36

DHCP Spoof Attacks:
• DHCP Starvation Attack
  • A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses.
  • If enough requests are sent, the network attacker can exhaust the address space available to the DHCP servers for a period of time.
  • Subsequently, a legitimate user is denied when requesting a DHCP IP address and thus is not able to access the network.
  • DHCP starvation may be purely a denial of service (DoS) mechanism or may be used in conjunction with a malicious rogue server attack to redirect traffic to a malicious computer ready to intercept traffic.

Slide 37

DHCP Spoof Attacks (diagram)

Client: "I need an IP address/mask, default gateway, and DNS server."
Rogue: "Here you go, I might be first!"
Legitimate: "Here you go."
Client (to the rogue): "Got it, thanks!"
Client (to the legitimate server): "Already got the info."
All default gateway frames and DNS requests are sent to the rogue.
Rogue: "I can now forward these on to my leader."
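A defender's view of the two attacks on slides 35 to 37, as an added Python example that is not from the slides: given DHCP message events as a DHCP-snooping switch or a packet capture on the segment would report them, it flags any DHCPOFFER or DHCPACK whose source is not a trusted server address (rogue server) and any switch port that sources an unusual number of distinct client MAC addresses within a short window (starvation). The trusted server address is taken from slide 33; the events, the per-port threshold and the window are constructed assumptions.

```python
"""Detection logic for the DHCP attacks on the slides, run over constructed
event records in the shape a DHCP-snooping-capable switch or a capture would
yield. Added example, not from the slides; thresholds are assumptions."""
from collections import defaultdict

TRUSTED_SERVERS = {"172.24.1.9"}    # the legitimate DHCP server (slide 33)
STARVE_MACS_PER_PORT = 20           # assumed: distinct client MACs per port per window
WINDOW_SECS = 60                    # assumed: sliding window for the starvation count


def detect(events):
    """events: dicts with ts (seconds), port, msg, chaddr and, for server
    messages, src_ip. Returns a list of (kind, detail) alerts in time order."""
    alerts = []
    discovers = defaultdict(list)   # port -> [(ts, chaddr)] inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["msg"] in ("DHCPOFFER", "DHCPACK") and e["src_ip"] not in TRUSTED_SERVERS:
            alerts.append(("rogue_server",
                           f'{e["msg"]} from {e["src_ip"]} on {e["port"]}'))
        if e["msg"] == "DHCPDISCOVER":
            win = discovers[e["port"]]
            win.append((e["ts"], e["chaddr"]))
            win[:] = [x for x in win if x[0] > e["ts"] - WINDOW_SECS]
            macs = {m for _, m in win}          # a retrying client counts once
            if len(macs) >= STARVE_MACS_PER_PORT:
                alerts.append(("starvation",
                               f'{len(macs)} client MACs on {e["port"]} in {WINDOW_SECS}s'))
                win.clear()                     # one alert per burst
    return alerts


def sample_events():
    """Constructed: one normal client on Fa0/1 answered by the trusted server
    on Fa0/2, a rogue OFFER on Fa0/7, and a burst of spoofed MACs on Fa0/5."""
    ev = [{"ts": 0, "port": "Fa0/1", "msg": "DHCPDISCOVER",
           "chaddr": "00:11:22:33:44:01", "src_ip": None},
          {"ts": 1, "port": "Fa0/2", "msg": "DHCPOFFER",
           "chaddr": "00:11:22:33:44:01", "src_ip": "172.24.1.9"},
          {"ts": 1, "port": "Fa0/7", "msg": "DHCPOFFER",
           "chaddr": "00:11:22:33:44:01", "src_ip": "192.168.1.250"}]
    ev += [{"ts": 10 + i, "port": "Fa0/5", "msg": "DHCPDISCOVER",
            "chaddr": f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", "src_ip": None}
           for i in range(25)]
    return ev


if __name__ == "__main__":
    for kind, detail in detect(sample_events()):
        print(kind, detail)
```

Counting distinct MAC addresses rather than raw DISCOVER messages keeps a single client that is retrying from looking like a starvation attempt; the rogue-server check is the same decision a switch makes when DHCP snooping is enabled with only the uplink to the real server marked trusted.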

Slide 38

Configuring a Cisco Router as a DHCP Server

• 3 Basic Steps:
  • Step 1:
    • Define a range of addresses that DHCP is not to allocate.
    • Usually static addresses reserved for the router interface, switch management IP address, servers, and local network printers.
  • Step 2:
    • Create the DHCP pool of addresses using the ip dhcp pool command.
  • Step 3:
    • Configure the specific DHCP tasks for the pool.

Slide 39

Configuring a Cisco Router as a DHCP Server

• The DHCP service is enabled by default on versions of Cisco IOS that support it.
• To disable the service:

  Router(config)#no service dhcp

• To enable the service:

  Router(config)#service dhcp

Slide 40

Configuring a Cisco Router as a DHCP Server

• Step 1:
  • Exclude an address or addresses from the pool:

  Router(config)#ip dhcp excluded-address low-address [high-address]

  • Exclude an individual address or a range of addresses when assigning addresses to clients.
  • Used to reserve addresses that are statically assigned to key hosts, for instance the interface address on the router.

Slide 41

Configuring a Cisco Router as a DHCP Server

• Step 2:
  • Create the DHCP pool and place the router in DHCP configuration mode.

  Router(config)#ip dhcp pool [pool-name]
  Router(config-dhcp)#

Slide 42

Configuring a Cisco Router as a DHCP Server

• Step 3:
  • Configure the specific DHCP tasks.
  • Define the pool of addresses:

  Router(config-dhcp)#network network-number [mask | /prefix]

  • The network statement enables DHCP on any router interfaces belonging to that network.
  • The router will act as a DHCP server on that interface.
  • It is also the pool of addresses that the DHCP server will use.

Slide 43

Configuring a Cisco Router as a DHCP Server

• Step 3:
  • Configure the specific DHCP tasks.
  • Assign the default gateway for the DHCP clients:

  Router(config-dhcp)#default-router ip-address [ip-address2 ...]

  • Only one is required, but up to 8 addresses may be assigned in one command line.

Slide 44

Configuring a Cisco Router as a DHCP Server

• Step 3:
  • Configure the specific DHCP tasks.
  • Assign the DNS server(s) for the DHCP clients:

  Router(config-dhcp)#dns-server ip-address [ip-address2 ...]

  • Only one is required, but up to 8 addresses may be assigned in one command line.

Slide 45

Configuring a Cisco Router as a DHCP Server

• Step 3:
  • Configure the specific DHCP tasks.
  • Assign the WINS server(s) for the DHCP clients:

  Router(config-dhcp)#netbios-name-server ip-address [ip-address2 ...]

  • Only one is required, but up to 8 addresses may be assigned in one command line.

Slide 46

Configuring a Cisco Router as a DHCP Server

• Step 3:
  • Configure the specific DHCP tasks.
  • Assign the domain name for the DHCP clients:

  Router(config-dhcp)#domain-name [domain]

Slide 47

Configuring a Cisco Router as a DHCP Server

• Step 3:
  • Configure the specific DHCP tasks.
  • Assign the duration of the lease for the DHCP clients:

  Router(config-dhcp)#lease {days [hours] [minutes] | infinite}

  • The default lease time is 1 day.

Slide 48

Configuring a Cisco Router as a DHCP Server

• Step 3:
  • Configure the specific DHCP tasks.
  • FYI - Other available parameters:

  Router(config-dhcp)#netbios-node-type [type]
  Router(config-dhcp)#host address [mask | /prefix]
  Router(config-dhcp)#hardware-address hardware-address-type
    or client-identifier unique-identifier
  Router(config-dhcp)#client-name name
  Router(config-dhcp)#bootfile filename

Slide 49

Configuring a Cisco Router as a DHCP Server

(diagram: a sample router configuration with Step 1, Step 2 and Step 3 highlighted)
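The three steps on slides 38 to 48 combined, as an added Python example that is not from the slides: it generates the IOS lines for the exclusions, the pool and its parameters from a few inputs and enforces the constraints the slides state (1 to 8 addresses on a default-router, dns-server or netbios-name-server line, the default router inside the pool's network, and the router's own address excluded so the server never leases it), then reports how many addresses the pool can actually hand out. The pool name, network and addresses used in the demo are constructed.

```python
"""Builds the three-step Cisco IOS DHCP server configuration from the slides
(Step 1 exclusions, Step 2 pool, Step 3 pool parameters) and checks the
constraints the slides state before emitting it. Added example, not from the
slides; every address used below is constructed."""
from ipaddress import ip_address, ip_network

MAX_PER_LINE = 8     # "up to 8 addresses may be assigned in one command line"


def dhcp_server_config(pool_name, network, default_routers, excluded,
                       dns_servers=(), wins_servers=(), domain=None, lease=(1,)):
    """Return (config text, number of leasable addresses).
    excluded is a list of (low, high) pairs; high may be None for a single address."""
    net = ip_network(network, strict=True)
    if not 1 <= len(default_routers) <= MAX_PER_LINE:
        raise ValueError("default-router takes 1 to 8 addresses")
    for lst, name in ((dns_servers, "dns-server"), (wins_servers, "netbios-name-server")):
        if len(lst) > MAX_PER_LINE:
            raise ValueError(f"{name} takes at most 8 addresses")
    for gw in default_routers:
        if ip_address(gw) not in net:
            raise ValueError(f"default-router {gw} is not in {net}")
    excluded_set = set()
    for lo, hi in excluded:
        a, b = int(ip_address(lo)), int(ip_address(hi or lo))
        excluded_set.update(ip_address(i) for i in range(a, b + 1))
    for gw in default_routers:
        if ip_address(gw) not in excluded_set:
            raise ValueError(f"router interface {gw} must be excluded from the pool")

    lines = ["service dhcp"]
    # Step 1: addresses DHCP must not allocate
    lines += [f"ip dhcp excluded-address {lo}" + (f" {hi}" if hi else "") for lo, hi in excluded]
    # Step 2: the pool
    lines.append(f"ip dhcp pool {pool_name}")
    # Step 3: pool parameters
    lines.append(f" network {net.network_address} {net.netmask}")
    lines.append(" default-router " + " ".join(default_routers))
    if dns_servers:
        lines.append(" dns-server " + " ".join(dns_servers))
    if wins_servers:
        lines.append(" netbios-name-server " + " ".join(wins_servers))
    if domain:
        lines.append(f" domain-name {domain}")
    lines.append(" lease " + " ".join(str(x) for x in lease))

    leasable = [h for h in net.hosts() if h not in excluded_set]
    return "\n".join(lines), len(leasable)


def demo():
    """Constructed LAN: router at .1, statics .1-.10, printer at .254."""
    return dhcp_server_config(
        "LAN", "192.168.10.0/24", ["192.168.10.1"],
        [("192.168.10.1", "192.168.10.10"), ("192.168.10.254", None)],
        dns_servers=["192.168.10.5"], domain="example.test", lease=(0, 12))


if __name__ == "__main__":
    cfg, n = demo()
    print(cfg)
    print(f"! {n} leasable addresses")
```

The leasable count is the one to watch on a small /24 with many statics: it is what a starvation attack on slide 36 has to exhaust, and a pool that is already nearly full gives a legitimate client much less headroom.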

Slide 50

Configuring a Cisco Router as a DHCP Server

• Verifying DHCP:

  Router#show ip dhcp binding
  Router#show ip dhcp server statistics
  Router#show ip dhcp pool
  Router#debug ip dhcp server events

Much more detail in the lab...

Slide 51

Troubleshooting DHCP Configuration

• Resolve any IP address conflicts.
  show ip dhcp conflict
• Verify physical connectivity.
• Test connectivity by configuring a workstation with a static IP address.
• Verify switch port configuration.
• Do DHCP clients obtain an IP address on the same subnet or VLAN where the DHCP server resides?
• Verify any DHCP relay configuration.
• Verify that the router is receiving DHCP requests.
  debug ip dhcp events
  debug ip dhcp server
  debug ip packet detail

Slide 52

IP Addressing Services

Scaling Networks With Network Address Translation (NAT)

Slide 53

Scaling Networks With NAT

• All public Internet addresses must be registered with a Regional Internet Registry (RIR).
• Organizations can lease public addresses from an ISP.
• Only the registered holder of a public Internet address can assign that address to a network device.

Slide 54

Scaling Networks With NAT

• Private Internet Addresses:
  • These are reserved private Internet addresses drawn from three blocks.
  • These addresses are for private, internal network use only.
  • RFC 1918 specifies that private addresses are not to be routed over the Internet. ISPs configure their border routers to prevent private address traffic from being forwarded to the Internet.

Slide 55

Scaling Networks With NAT

• Private Internet Addresses:
  • Benefits:
    • Eliminates the expense of large pools of routable addresses; conserves public addresses.
    • Gives enterprises considerable flexibility in network addressing design. This enables operationally and administratively convenient addressing schemes as well as easier growth.
    • Non-routable and not reserved for anyone; two or more private networks can use the same private addresses.

Slide 56

Scaling Networks With NAT

• Private Internet Addresses:
  • Two issues:
    • You cannot route private addresses over the Internet.
    • There are not enough public addresses to allow organizations to provide one to every one of their hosts.
  • Networks need a mechanism to translate private addresses to public addresses at the edge of their network that works in both directions.
  • Solution: NAT.

Slide 57

What is NAT?

• The DHCP server assigns dynamic IP addresses to devices inside the network.
• NAT-enabled routers retain one or many valid Internet IP addresses outside of the network.
• When the client sends packets out of the network, NAT translates the internal IP address of the client to an external address.
• To outside users, all traffic coming to and going from the network has the same IP address or is from the same pool of addresses.

(diagram: Private Address | NAT | Public Address)

Slide 58

What is NAT?

• A NAT enabled device typically operates at the border of a stub network.

• A stub network is a network that has a single connection to its neighbor network.

Slide 59

What is NAT?

• When a host on the inside network wants to access a host on the outside network, the packet is sent to the border gateway router.
• The border gateway router performs the NAT process, translating the inside private address to an outside public address.

(diagram: Inside Private network behind the border gateway router)

Slide 60

What is NAT?

• The translation process uses an internal translation table.
• The contents of the table will vary depending on the type of network translation being implemented.
• We will be looking at the use of static NAT, dynamic NAT and Port Address Translation (PAT).

(diagram: Inside Private network behind the border gateway router)

Slide 61

NAT Terminology

Inside Network: Usually an organization's LAN.
Outside Network: Usually the Internet, but it can be any network.

Slide 62

NAT Terminology

(diagram: inside hosts 10.0.0.2 and 10.0.0.3; outside hosts 128.23.2.2 and 128.23.3.3)

Local Addresses: How a node on a network is seen by another node on the same network.

Slide 63

NAT Terminology

(diagram: inside hosts 10.0.0.2 and 10.0.0.3; outside hosts 128.23.2.2 and 128.23.3.3)

Global Addresses: How a node on one network is seen by a node on another network.

Slide 64

NAT Terminology

• Inside Local Address:
  • An RFC 1918 address assigned to a host on an inside network.
• Inside Global Address:
  • A valid public address that the host on the inside network is assigned as it exits the router.
• Outside Global Address:
  • A reachable IP address assigned to a host on the Internet.
• Outside Local Address:
  • A local address assigned to a host on an outside network.
  • (Use beyond the scope of this course.)

Slide 65

How Does NAT Work?

(diagram: outbound packet; the inside global address is 209.165.200.226)

Send, before translation: DA 209.165.201.1, SA 192.168.10.10
R2: "I have a packet for the outside network. I must translate the IP address."
Send, after translation: DA 209.165.201.1, SA 209.165.200.226

Slide 66

How Does NAT Work?

(diagram: inbound packet; the inside global address is 209.165.200.226)

Receive, before translation: DA 209.165.200.226, SA 209.165.201.1
R2: "I have a packet for the inside network. I must translate the IP address."
Receive, after translation: DA 192.168.10.10, SA 209.165.201.1

Slide 67

Dynamic Mapping and Static Mapping

• Dynamic Mapping:
  • Mapping of local addresses dynamically to a pool of global addresses.
  • The hosts able to use NAT are limited by the number of addresses in the range.
  • If you have allocated 6 public addresses for NAT, any 6 users can use NAT simultaneously.
  • The NAT device dynamically assigns an address when a request is received. When a session ends, the address is returned to the pool for another user.

NAT Table
Inside Local   Inside Global
10.0.0.1       179.9.8.81
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.5
10.0.0.6
10.0.0.7
10.0.0.8       179.9.8.86

Slide 68

Dynamic Mapping and Static Mapping

• Dynamic Mapping:
  • Eliminates the requirement for equal numbers of internal and external addresses by creating a pool of IP addresses for translation.
  • Not usable for mapping an internal server, as it does not allow the assignment of a predefined address between the internal and external networks.
  • Usually deployed along with static NAT.
  • Does not guarantee successful translation if the pool is exhausted, hence the need to provide a large enough address pool.

Slide 69

Dynamic Mapping and Static Mapping

• Dynamic Mapping:
  • Most commonly used to provide Internet connectivity for organizations that deployed private addressing on the internal network (RFC 1918).
  • Requires only a small pool of registered addresses, as not all hosts will need Internet access at the same time; this reduces the expense of maintaining registered addresses for all hosts.
  • Translation occurs as packets leave the NAT border router (from inside network to outside network).
  • Active only during the conversation or for configurable time periods.
  • The translation is released after the conversation and the address returned to the NAT pool.

Slide 70

Dynamic Mapping and Static Mapping

• Static Mapping:
  • One-to-one mapping of local and global addresses.
  • The hosts able to use NAT are limited by the static assignments in the table.
  • If you have allocated 6 public addresses for NAT, only these 6 users can use NAT.
  • No other network users will have access unless you allocate another global address and add it to the table.

NAT Table
Inside Local   Inside Global
10.0.0.1       179.9.8.81
10.0.0.2       179.9.8.82
10.0.0.3       179.9.8.83
10.0.0.4       179.9.8.84
10.0.0.5       179.9.8.85
10.0.0.6       179.9.8.86

Slide 71

Dynamic Mapping and Static Mapping

• Static Mapping:
  • No conservation of IP addresses, because each internal IP address must be mapped to a unique, routable public address.
  • Usually deployed for access to internal servers from the outside network. This allows the servers to be accessed from within the organization by using the inside local address and from the outside network by using the inside global address.
  • No packets dropped due to lack of addresses.
  • Minimizes delay due to building a dynamic translation.
  • Provides a limited level of security by hiding the internal address. Access to the internal network is only allowed through the inside global address, NOT the inside local address.

Slide 72

NAT Overload

• Port Address Translation (PAT):
  • Allows you to use a single public IP address and assign it to up to 65,536 inside hosts (4,000 is more realistic).
  • Modifies the TCP/UDP source port to track inside host addresses.
  • Tracks and translates:
    • Source IP address.
    • Destination IP address.
    • TCP/UDP source port number.
  • These uniquely identify each connection for each stream of traffic.

Slide 73

NAT Overload

• Port Address Translation (PAT): outbound, inside global address 209.165.200.226

(diagram)
Inside:  SA 192.168.10.10:1555    DA 209.165.201.1:80
Outside: SA 209.165.200.226:1555  DA 209.165.201.1:80

Inside:  SA 192.168.10.11:1331    DA 209.165.202.129:80
Outside: SA 209.165.200.226:1331  DA 209.165.202.129:80

Slide 74

NAT Overload

• Port Address Translation (PAT): inbound, inside global address 209.165.200.226

(diagram)
Outside: SA 209.165.201.1:80    DA 209.165.200.226:1555
Inside:  SA 209.165.201.1:80    DA 192.168.10.10:1555

Outside: SA 209.165.202.129:80  DA 209.165.200.226:1331
Inside:  SA 209.165.202.129:80  DA 192.168.10.11:1331

NAT Overload

• Port Address Translation (PAT): next available port.
  • Two inside hosts may pick the same source port, for example 192.168.10.11:1444 and 192.168.10.12:1444.
  • The first connection keeps port 1444 on the inside global address; the second is translated to the next available port, so that each return packet still maps to exactly one inside host.
  • A packet arriving from outside for a port that has no table entry matches nothing and is dropped, which is why unsolicited inbound connections to a host behind PAT fail.
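The following is an added example, not code from the original slides: a small PAT simulator in Python that reproduces the two outbound flows and their replies from the figures above, then the next-available-port case, and finally an unsolicited inbound packet that is dropped. Port selection is simplified (keep the inside host's port if it is free on the inside global address, otherwise the next free port); the port-range grouping IOS applies is left out.

```python
"""Port Address Translation (NAT overload) simulated in Python (added example)."""


class PAT:
    """One inside global address shared by many inside hosts."""

    def __init__(self, inside_global, port_range=(1024, 65535)):
        self.inside_global = inside_global
        self.lo, self.hi = port_range
        # outbound key: (proto, inside_local, local_port, outside, outside_port) -> global port
        self._out = {}
        # inbound key: (proto, global_port, outside, outside_port) -> (inside_local, local_port)
        self._in = {}
        self._ports_in_use = set()
        self.dropped_inbound = 0

    def _pick_port(self, preferred):
        """Keep the inside host's port if it is free; otherwise the next free port, wrapping."""
        if self.lo <= preferred <= self.hi and preferred not in self._ports_in_use:
            return preferred
        start = preferred + 1 if self.lo <= preferred < self.hi else self.lo
        for port in list(range(start, self.hi + 1)) + list(range(self.lo, start)):
            if port not in self._ports_in_use:
                return port
        raise RuntimeError(f"{self.inside_global} has no free ports left")

    def outbound(self, proto, src, sport, dst, dport):
        """Translate an inside -> outside packet; returns the rewritten 5-tuple."""
        key = (proto, src, sport, dst, dport)
        if key not in self._out:
            gport = self._pick_port(sport)
            self._ports_in_use.add(gport)
            self._out[key] = gport
            self._in[(proto, gport, dst, dport)] = (src, sport)
        return (proto, self.inside_global, self._out[key], dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Translate an outside -> inside packet, or return None when it is dropped."""
        entry = None
        if dst == self.inside_global:
            entry = self._in.get((proto, dport, src, sport))
        if entry is None:
            self.dropped_inbound += 1      # no table entry: unsolicited, dropped
            return None
        local, lport = entry
        return (proto, src, sport, local, lport)

    def translations(self):
        """Rows in the style of 'show ip nat translations' (proto, inside global, inside local, outside)."""
        return [(proto, f"{self.inside_global}:{gport}", f"{src}:{sport}", f"{dst}:{dport}")
                for (proto, src, sport, dst, dport), gport in self._out.items()]


if __name__ == "__main__":
    pat = PAT("209.165.200.226")
    pat.outbound("tcp", "192.168.10.10", 1555, "209.165.201.1", 80)
    pat.outbound("tcp", "192.168.10.11", 1444, "209.165.201.1", 80)
    pat.outbound("tcp", "192.168.10.12", 1444, "209.165.201.1", 80)   # collides: gets 1445
    for row in pat.translations():
        print(*row)
```

Each row of translations() corresponds to one line of the router's translation table; the second 1444 connection shows up with inside global port 1445, and a probe from an outside host to port 22 on the inside global address never reaches an inside host.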

Benefits and Drawbacks

• NAT Benefits:
  • Conserves the legally registered address space by allowing intranets to use private addresses. With NAT overload, port-level multiplexing lets internal hosts share a single public address for all external communications.
  • Increases the flexibility of connections to the public network.
  • Provides consistency for internal network addressing schemes. An organization can change ISPs without renumbering the hosts on its internal network.
  • Provides some network security. Private networks do not advertise their addresses, so they remain reasonably hidden when NAT is used to gain controlled external access. However, NAT does not replace a firewall: it hides topology, but it does not inspect or filter the traffic it translates.

Benefits and Drawbacks

• NAT Drawbacks:
  • Performance is degraded. NAT increases forwarding delay because the router must examine every packet to decide whether it needs to be translated, and must rewrite the IP header (and, for PAT, the TCP/UDP header) and recompute checksums on the packets it does translate.
  • End-to-end functionality is degraded. NAT breaks applications that depend on end-to-end addressing, such as protocols that carry or sign IP addresses inside their payload.
  • End-to-end traceability is lost, which makes troubleshooting harder. It is much more difficult to trace packets that undergo several address changes over multiple NAT hops.
  • Tunneling is more complicated. NAT modifies header fields that some tunneling protocols protect: IPsec AH authenticates the IP header and therefore fails through NAT, and IPsec ESP needs NAT traversal (UDP encapsulation) to survive a PAT device.

Configuring Static NAT

• Step 1: Specify the static translation between an inside local and an inside global address.

  ip nat inside source static local-ip global-ip

  179.23.2.2 – Inside Global address from the ISP.
  ISP routing table: 179.23.2.0 via 192.168.1.1

  RA(config)# ip nat inside source static 10.1.1.2 179.23.2.2

Configuring Static NAT

• Step 2: Mark the router interfaces as inside or outside.

  ISP routing table: 179.23.2.0 via 192.168.1.1

  RA(config)# interface fa0/0
  RA(config-if)# ip address 10.1.1.1 255.255.255.0
  RA(config-if)# ip nat inside

  The interface facing the ISP (the one holding 192.168.1.1 in this topology) must be marked with ip nat outside in the same way; without both markings no translation takes place.

Configuring Static NAT

• Summary: 10.1.1.2 will always translate to 179.23.2.2, in both directions, for as long as the static entry is configured.

Configuring Dynamic NAT

1. Define a named address pool of outside addresses to be used for translation.
2. Define an access list to specify the inside addresses that are eligible for translation (the "interesting traffic").
3. Specify the dynamic translation between the inside addresses allowed by the access list and the pool of outside addresses.
4. Mark the interfaces as inside or outside.

Configuring Dynamic NAT

• Interesting traffic:
  • It is not necessary to translate all traffic; doing so would waste router resources.
  • Traffic that is to be translated is termed interesting traffic.
  • Interesting traffic is selected with an access control list (ACL).
  • The router checks the source address of packets arriving on the inside interface against the ACL.
  • If the address matches a permit entry, the packet is translated and a record of the translation is kept in the NAT table; if there is no match, the packet is forwarded without translation.

Configuring Dynamic NAT

• Step 1: Define a named address pool of outside addresses to be used for translation.

  ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

  Address space from ISP = 179.9.8.0/24

  ip nat pool NAT-POOL1 179.9.8.80 179.9.8.85 netmask 255.255.255.0

  Name: NAT-POOL1. Range: 179.9.8.80 to 179.9.8.85 (six addresses). Mask: 255.255.255.0.

Configuring Dynamic NAT

• Step 2: Define an access list to specify the inside addresses that are eligible for translation (interesting traffic).

  access-list access-list-number permit source [source-wildcard]

  Address space from ISP = 179.9.8.0/24

  access-list 1 permit 10.1.0.0 0.0.255.255

  This allows all inside network addresses in 10.1.0.0/16 to be translated. Keep the ACL as narrow as the address plan allows; Cisco warns against a permit any entry on a NAT ACL, because it can make NAT consume excessive router resources.

Configuring Dynamic NAT

• Step 3: Specify the dynamic translation between the inside addresses allowed by the access list and the pool of outside addresses.

  ip nat inside source list access-list-number pool pool-name

  Address space from ISP = 179.9.8.0/24

  ip nat inside source list 1 pool NAT-POOL1

  "list 1" refers to the access list from Step 2; "pool NAT-POOL1" refers to the pool from Step 1.

Configuring Dynamic NAT

• Step 4: Mark the interfaces as inside or outside.

  RA(config)# interface fa0/0
  RA(config-if)# ip address 10.1.1.1 255.255.255.0
  RA(config-if)# ip nat inside

  The ISP-facing interface is marked with ip nat outside in the same way.

• Summary: all inside hosts in 10.1.0.0/16 are eligible for NAT. The four steps together give:

  ip nat pool NAT-POOL1 179.9.8.80 179.9.8.85 netmask 255.255.255.0
  access-list 1 permit 10.1.0.0 0.0.255.255
  ip nat inside source list 1 pool NAT-POOL1
  interface fa0/0
   ip address 10.1.1.1 255.255.255.0
   ip nat inside

  Because the pool holds only six addresses, a seventh inside host that tries to go out while all six translations are active gets no translation and its packets are dropped until an entry times out or is cleared; overload, covered next, removes that limit.
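The following is an added example, not code from the original slides: a Python model of the four steps above. A wildcard-mask ACL decides which inside sources are interesting, a pool hands out one inside global address per inside host, a non-interesting source is forwarded untranslated, and an eligible host that finds the pool empty is dropped. The pool 179.9.8.80 to 179.9.8.85 and the ACL entry 10.1.0.0 0.0.255.255 are the values from the slides; entry timeout and clear ip nat translation are reduced to an explicit release() call.

```python
"""Dynamic NAT with an interesting-traffic ACL and an address pool (added example)."""
import ipaddress


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard means that bit must match."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)


class StandardAcl:
    """Ordered (action, network, wildcard) entries with the implicit deny at the end."""

    def __init__(self, entries):
        self.entries = list(entries)

    def permits(self, src):
        for action, network, wildcard in self.entries:
            if wildcard_match(src, network, wildcard):
                return action == "permit"
        return False


class DynamicNat:
    def __init__(self, acl, pool_start, pool_end):
        self.acl = acl
        self.free = [str(ipaddress.IPv4Address(i))
                     for i in range(_ip(pool_start), _ip(pool_end) + 1)]
        self.table = {}          # inside local -> inside global
        self.dropped = 0

    def outbound(self, src):
        """Source address to put on the outgoing packet, or None if the packet is dropped."""
        if not self.acl.permits(src):
            return src           # not interesting traffic: forwarded untranslated
        if src in self.table:
            return self.table[src]
        if not self.free:
            self.dropped += 1    # pool exhausted: the packet is dropped
            return None
        inside_global = self.free.pop(0)
        self.table[src] = inside_global
        return inside_global

    def release(self, src):
        """Entry timed out or cleared: return the inside global address to the pool."""
        self.free.append(self.table.pop(src))

    def translations(self):
        return sorted(self.table.items())


if __name__ == "__main__":
    nat = DynamicNat(StandardAcl([("permit", "10.1.0.0", "0.0.255.255")]),
                     "179.9.8.80", "179.9.8.85")
    for host in ["10.1.1.2", "10.1.1.3", "10.1.1.4", "10.1.1.5", "10.1.1.6", "10.1.1.7", "10.1.1.8"]:
        print(host, "->", nat.outbound(host))      # the seventh host prints None
    print("dropped:", nat.dropped)
```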

Configuring NAT Overload (PAT)

• There are two possible ways to configure overloading, depending on how the ISP allocates public IP addresses:
  • The ISP allocates one public IP address to the organization.
  • The ISP allocates more than one public IP address.
• In either case, the configuration includes the overload keyword, which tells the router that Port Address Translation (PAT) is to be used.

• The ISP allocates one public IP address to the organization:
  1. Assign the IP address received from the ISP as the IP address of the outside interface.
  2. Define a standard access list permitting the inside addresses to be translated.
  3. Establish the dynamic translation by specifying the access list and, in place of the pool, the outside interface itself (the interface keyword followed by the interface name), and include the overload keyword.
  4. Identify the inside and outside interfaces.

  (Figure: the single address assigned by the ISP is configured on the outside interface.)

• The ISP allocates more than one public IP address: define a pool exactly as for dynamic NAT and append the overload keyword to the translation command, so that the addresses in the pool are shared by port rather than handed out one per host.

Verifying NAT and NAT Overload

• show ip nat translations – displays the active translation table (protocol, inside global, inside local, outside local, outside global); with overload, each address carries its port number.
• show ip nat statistics – displays totals of active translations, hits and misses, the interfaces marked inside and outside, and the pool and access list in use.
• clear ip nat translation – removes dynamic entries from the table (clear ip nat translation * removes all of them) so that a changed configuration takes effect immediately; static entries are not affected.

Troubleshooting NAT and NAT Overload

• show ip nat translations
• clear ip nat translation
• debug ip nat – prints one line per translated packet; use it only briefly on a production router and turn it off afterwards with undebug all.

AACS5324 Advanced Computer Networks

Chapter 2

Introduction to WANs

Objectives

Upon completion of this chapter, students should be able to understand the following:

• WAN as compared to LAN
• Common WAN Devices
• WAN and the OSI Model
• WAN Physical Layer Terminologies & Concepts
• WAN Data Link Layer Concepts & Encapsulation
• WAN Switching Concepts
• Circuit Switching and Packet Switching
• WAN Link Connection Options
• WAN Design

Introduction to WAN

• LAN (Review):
  • A high-speed, low-error data network covering a relatively small geographic area, up to a few thousand meters.
  • LANs connect workstations, peripherals, terminals, and other devices in a single building or other geographically limited area.
  • LANs are typically owned by the company or organization that uses them.
  • LANs are usually high-speed connections.
  • LANs are usually controlled by a single administrator.
  • LAN standards specify cabling and signaling at the physical and data link layers of the OSI model.
  • Ethernet and Token Ring are widely used LAN technologies.

What is a WAN?

• A WAN is a data communications network that operates beyond the geographic scope of a LAN.
• WANs connect devices that are separated by a broader geographical area than a LAN.
• WANs are concerned with moving data between LANs.
• WANs use carriers such as phone companies, cable companies, and network providers (WAN service providers).
• A WAN may be controlled by multiple organizations. An organization must subscribe to an outside provider to gain access to WAN carrier services.
• WANs use serial connections of various types to provide access over large geographic areas, e.g. V.35, X.21, EIA/TIA-232.
• WANs use different WAN technologies and protocols, such as Frame Relay, ATM and DSL.
• WAN bandwidth is usually less than that of a LAN.
• WANs must most often be capable of handling voice, video and data simultaneously.

What is a WAN?

• There are other business needs that require communication among remote sites using a WAN:
  • People in the branch offices of an organization need to be able to communicate with the central site.
  • Organizations often want to share information with other organizations across large distances.
  • Employees who travel frequently need to access information that resides on their corporate networks.
  • In addition, home computer users need to send and receive data across larger distances.
  • It is now common for consumers to communicate with banks, stores, and a variety of providers of goods and services via computers.

The most significant difference between a LAN and a WAN is the technology involved.

WAN Devices

• WANs use numerous types of devices:
  • Modem
    • A voice-band modem converts the digital signals produced by a computer into voice frequencies that can be transmitted over the analog lines of the public telephone network, and converts them back at the far end.
    • Faster modems, such as cable modems and DSL modems, transmit using higher broadband frequencies.
  • CSU/DSU
    • Digital lines, such as T1 or T3 carrier lines, require a channel service unit (CSU) and a data service unit (DSU).
    • The two are often combined into a single piece of equipment, called the CSU/DSU.
    • The CSU provides termination for the digital signal and ensures connection integrity through error correction and line monitoring, while the DSU converts the T-carrier line frames into frames that the LAN can interpret.

WAN Devices

• WANs use numerous types of devices (cont'd):
  • Access server
    • Concentrates dial-in and dial-out communications.
    • An access server may have a mixture of analog and digital interfaces and support hundreds of simultaneous users.
  • WAN switch
    • A multiport internetworking device used in carrier networks to support Frame Relay, ATM, or X.25; it operates at the data link layer of the OSI model.
  • Router
    • Provides internetworking and WAN access interface ports that are used to connect to the service provider network.
    • These interfaces may be serial connections or other WAN interfaces and may require an external device, such as a CSU/DSU or modem (analog, cable, or DSL), to connect to the service provider.

WAN Devices

• WANs use numerous types of devices (cont'd):
  • Core router
    • A router that resides within the middle or backbone of the WAN rather than at its periphery.
    • To fulfill this role, a router must be able to support the highest speed in use in the WAN core, and it must be able to forward IP packets at full speed on all of those interfaces.

Modems

(Figure: examples of WAN modems.)

External CSU/DSU

(Figure: an external CSU/DSU, connected to the T1 circuit on one side and to the router on the other.)

CSU/DSU Interface Card

• The CSU/DSU may also be built into the interface card in the router.

WANs and the OSI Model

In relation to the OSI reference model, WAN operations focus on Layer 1 and Layer 2.

• The physical layer (OSI Layer 1) protocols describe how to provide electrical, mechanical, operational, and functional connections to the services of a communications service provider.
• The data link layer (OSI Layer 2) protocols define how data is encapsulated for transmission toward a remote location and the mechanisms for transferring the resulting frames.
  • A variety of different technologies are used, such as Frame Relay and ATM.
  • Some of these protocols use the same basic framing mechanism, High-Level Data Link Control (HDLC), an ISO standard, or one of its subsets or variants.

WAN Physical Layer Terminology

• The WAN physical layer describes the physical connection between the company network and the service provider network.
• The physical WAN connection includes:
  • Customer Premises Equipment (CPE)
    • The devices and inside wiring located at the premises of the subscriber and connected to a telecommunication channel of a carrier.
    • The subscriber either owns the CPE or leases it from the service provider.
  • Data Terminal Equipment (DTE) (e.g. the router)
    • The customer devices that pass the data to a device called Data Communications Equipment (DCE) for transmission over the WAN. The DTE connects to the local loop through the DCE.
  • Data Communications Equipment (DCE) (e.g. the CSU/DSU)
    • Also called data circuit-terminating equipment.
    • The DCE prepares data and places it on the local loop for transmission to the service provider.
  • Demarcation Point
    • Physically, the demarcation point is the cabling junction box, located on the customer premises, that connects the CPE wiring to the local loop and officially separates the customer equipment from the service provider equipment.
    • It is the place where responsibility for the connection changes from the user to the service provider.

WAN Physical Layer Terminology

• The physical WAN connection includes (cont'd):
  • Local Loop
    • The copper or fiber cable that connects the CPE at the subscriber site to the CO of the service provider.
    • The local loop is also sometimes called the "last mile".
  • Central Office (CO)
    • A local service provider facility where local telephone cables link to long-haul, all-digital, fiber-optic communications lines.

WAN Terminologies

(Figure: the LAN at site A sends a digital signal from the DTE to the DCE over a serial cable; the local loop, the "last mile", carries an analog or digital signal to the provider, and sites B and C are reached the same way. Numbered callouts 1 to 4 mark the points defined above.)

(Figure: the same four numbered points shown for the customer ABC Sdn. Bhd.)

WAN Physical Layer Terminology

Various physical layer protocols establish the code and electrical parameters that the DTE and DCE devices use to communicate.

The local loop's data-carrying capacity can vary from 56 kb/s to several gigabits per second.

(Figure: the local loop.)

WAN Physical Layer Terminology

SONET: Synchronous Optical NETwork (US version, standardized by ANSI).

(Figure: WAN physical layer standards.)

WAN Physical Layer Standards

• The WAN physical layer also describes the interface between the DTE and the DCE.
  • EIA/TIA-232 – Allows signal speeds of up to 64 kb/s on a 25-pin D-connector over short distances. It was formerly known as RS-232. The ITU-T V.24 specification is effectively the same.
  • EIA/TIA-449/530 – A faster (up to 2 Mb/s) version of EIA/TIA-232. It uses a 36-pin D-connector and is capable of longer cable runs. There are several versions. This standard is also known as RS-422 and RS-423.
  • EIA/TIA-612/613 – Describes the High-Speed Serial Interface (HSSI) protocol, which provides access to services at up to 52 Mb/s on a 60-pin D-connector.
  • V.35 – The ITU-T standard for synchronous communications between a network access device and a packet network. Originally specified to support data rates of 48 kb/s, it now supports speeds of up to 2.048 Mb/s using a 34-pin rectangular connector.
  • X.21 – An ITU-T standard for synchronous digital communications. It uses a 15-pin D-connector.

WAN Data Link Layer Concepts

• Data link layer protocols define how data is encapsulated for transmission to remote sites and the mechanisms for transferring the resulting frames.
• A variety of different technologies, such as ISDN, Frame Relay, or ATM, are used to move the data across the WAN connection.
• Many of these protocols use the same basic framing mechanism, High-Level Data Link Control (HDLC), which is an ISO standard, or one of its subsets or modifications.
• The most common WAN data-link protocols are HDLC, PPP, Frame Relay and ATM.
• ATM is different from the others because it uses small fixed-size cells of 53 bytes, unlike the other packet-switched technologies, which use variable-sized packets.
• ISDN and X.25 are less frequently used today.
• Data link layer protocols define how the data is encapsulated as well as how it is transported between sites.

(Figure: WAN data link protocols. A number of technologies for the transport of data exist; while the encapsulation varies with the technology, most use the ISO HDLC standard or a modification of it.)

WAN Encapsulation

Data from the network layer is passed to the data link layer for delivery on a physical link, which is normally point-to-point on a WAN connection.

WAN Encapsulation

• HDLC was first proposed in 1979, and for this reason most framing protocols developed afterwards are based on it.
• The data link layer builds a frame around the network layer data so that the necessary checks and controls can be applied.
• To ensure that the correct encapsulation protocol is used, the Layer 2 encapsulation type must be configured for each router serial interface.
• The choice of encapsulation protocol depends on the WAN technology and the equipment.
• Most framing is based on the HDLC standard.
  • The data is encapsulated with some form of header information and an FCS field.
  • The entire frame is then delimited by Flag fields that indicate the beginning and end of the frame.

  FLAG | HEADER | DATA | FCS | FLAG

It is important to note that most vendors (Cisco included) use their own proprietary version of HDLC on HDLC links between their own products.

WAN Encapsulation

• Examining the Frame:
  • Flag: the frame always starts and ends with an 8-bit flag field that marks the beginning and end of the frame. The bit pattern is 01111110 (0x7E). To keep this pattern from appearing inside the frame, the sender inserts a 0 after any five consecutive 1 bits in the body (bit stuffing) and the receiver removes it again.
  • Address: the address field may not be needed for WAN links, depending on the technology. The address may be 1 or 2 bytes long.
  • Control: the control field is protocol dependent. It usually indicates whether the content of the data field is control information or network layer data (1 byte).
  • FCS: the frame check sequence is a CRC computed over the address, control and data fields; a receiver discards a frame whose FCS does not match. It detects transmission errors only, not deliberate tampering, since anyone able to alter the bits can recompute the CRC.
  • The address and control fields form the header information in the standard HDLC frame.
  • Both PPP and Cisco HDLC add a Protocol field to the header to identify the Layer 3 protocol of the encapsulated data.
  • Cisco HDLC only communicates with Cisco HDLC: both ends of the link must use the same encapsulation.
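The following is an added example, not code from the original slides: an HDLC-style framer in Python. build_frame() wraps a payload in the frame described above (address, control, a 2-byte Cisco HDLC protocol field, the payload and a 16-bit FCS) and delimits it with 0x7E flags after bit stuffing; parse_frame() reverses that and rejects a frame whose FCS does not match. The FCS is the CRC-16 used by X.25/HDLC (polynomial 0x1021 reflected, initial 0xFFFF, final XOR 0xFFFF); address 0x0F, control 0x00 and protocol 0x0800 (IP) are the values Cisco HDLC places on a unicast IP frame. The payload used in the demo is constructed to contain 0xFF and 0x7E bytes so that stuffing actually happens.

```python
"""HDLC-style framing: flags, bit stuffing and FCS (added example)."""

FLAG = [0, 1, 1, 1, 1, 1, 1, 0]   # 0x7E, transmitted LSB first


def fcs16(data):
    """CRC-16/X-25, the HDLC frame check sequence."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def to_bits(data):
    """Serialize bytes least-significant bit first, as HDLC does."""
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def from_bits(bits):
    return bytes(sum(bit << i for i, bit in enumerate(bits[j:j + 8]))
                 for j in range(0, len(bits) - len(bits) % 8, 8))


def bit_stuff(bits):
    """Insert a 0 after five consecutive 1s so 01111110 can never occur in the body."""
    out, ones = [], 0
    for bit in bits:
        out.append(bit)
        ones = ones + 1 if bit else 0
        if ones == 5:
            out.append(0)
            ones = 0
    return out


def bit_unstuff(bits):
    out, ones, drop_next = [], 0, False
    for bit in bits:
        if drop_next:
            drop_next = False
            if bit:
                raise ValueError("six 1s inside frame body: abort sequence")
            continue
        out.append(bit)
        ones = ones + 1 if bit else 0
        if ones == 5:
            drop_next, ones = True, 0
    return out


def build_frame(payload, address=0x0F, control=0x00, protocol=0x0800):
    body = bytes([address, control]) + protocol.to_bytes(2, "big") + payload
    body += fcs16(body).to_bytes(2, "little")     # FCS goes on the wire LSB first
    return FLAG + bit_stuff(to_bits(body)) + FLAG


def parse_frame(bits):
    """Return the frame fields, or raise ValueError if the frame is damaged."""
    if bits[:8] != FLAG:
        raise ValueError("missing opening flag")
    end = next((i for i in range(8, len(bits) - 7) if bits[i:i + 8] == FLAG), None)
    if end is None:
        raise ValueError("missing closing flag")
    body = from_bits(bit_unstuff(bits[8:end]))
    if len(body) < 6:
        raise ValueError("frame too short")
    fields, fcs = body[:-2], int.from_bytes(body[-2:], "little")
    if fcs16(fields) != fcs:
        raise ValueError("FCS mismatch")
    return {"address": fields[0], "control": fields[1],
            "protocol": int.from_bytes(fields[2:4], "big"), "payload": fields[4:]}


def frame_is_valid(bits):
    try:
        parse_frame(bits)
        return True
    except ValueError:
        return False


def longest_run_of_ones(bits):
    best = run = 0
    for bit in bits:
        run = run + 1 if bit else 0
        best = max(best, run)
    return best


if __name__ == "__main__":
    frame = build_frame(b"\xff\xff\x7e\x00")      # constructed payload that needs stuffing
    print("bits on the wire:", "".join(map(str, frame)))
    print(parse_frame(frame))
```

Flipping any single bit between the flags makes frame_is_valid() return False, which is the whole of the protection the FCS gives: the receiver drops the damaged frame and leaves retransmission to a higher layer.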

WAN Switching Concepts

• WAN switched networks fall into two categories:
  • Circuit switched: POTS, ISDN.
  • Packet switched: Frame Relay, ATM, X.25.

WAN Switching Concepts – Circuit Switched

• When a subscriber makes a telephone call, the dialed number is used to set switches in the exchanges along the route of the call so that there is a continuous circuit from the originating caller to the called party.
• Because of the switching operation used to establish the circuit, the telephone system is called a circuit-switched network.
• If the telephones are replaced with modems, the switched circuit is able to carry data.
• Suppose it is used to access a web page. There will be a burst of activity that uses the entire bandwidth while the page is being downloaded, followed by no activity while the user reads the page, and then another burst while another page is accessed.
• If the circuit carries data, it may therefore not be very efficient.
• The internal path is shared by several conversations.
• Time Division Multiplexing (TDM) is used to give each conversation a share of the connection in turn.
• TDM assures that a fixed-capacity connection is made available to the subscriber.

WAN Switching Concepts

• Circuit Switching and TDM:
  • Each device to be multiplexed is assigned a specific time slot in the frame.
  • At each time slot, 8 bits are read from each device and a fixed-length frame is built from that data.
  • If a device has nothing to send for its time slot, 8 null bits are placed in the frame for that device, so the idle capacity cannot be used by anyone else.
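The following is an added example, not code from the original slides: a Python TDM multiplexer that builds fixed-length frames with one 8-bit slot per device, fills an idle device's slot with a null byte as described above, and measures how much of the fixed capacity carried real data. The device inputs are constructed sample data; the utilization figure is the cost that packet switching, covered next, is meant to avoid.

```python
"""Time-division multiplexing of byte streams, with utilization (added example)."""

NULL = 0x00   # the 8 null bits placed in an idle slot


def tdm_mux(streams):
    """streams: one bytes object per device, in slot order.

    Returns (frames, utilization): every frame carries exactly one byte per
    device, and utilization is the fraction of slots that held real data.
    """
    frame_count = max((len(s) for s in streams), default=0)
    frames, busy = [], 0
    for n in range(frame_count):
        slots = bytearray()
        for stream in streams:
            if n < len(stream):
                slots.append(stream[n])
                busy += 1
            else:
                slots.append(NULL)          # device idle this slot: capacity wasted
        frames.append(bytes(slots))
    total = frame_count * len(streams)
    return frames, (busy / total if total else 0.0)


def tdm_demux(frames, lengths):
    """Reassemble each device's stream from its slot.

    lengths gives how many bytes each device really sent, because on the wire
    a null slot is indistinguishable from a data byte 0x00.
    """
    return [bytes(frame[slot] for frame in frames)[:length]
            for slot, length in enumerate(lengths)]


if __name__ == "__main__":
    streams = [b"HELLO", b"hi", b""]          # constructed: a busy, a brief and an idle device
    frames, util = tdm_mux(streams)
    for frame in frames:
        print(frame)
    print(f"utilization: {util:.0%}")
```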

WAN Switching Concepts – Packet Switched

• Because the subscriber has sole use of the fixed capacity allocation, switched circuits are an expensive way of moving data.
• An alternative is to allocate capacity to the traffic only when it is needed and share the capacity among many users.
• If the circuit is to be shared, there must be some mechanism to label the bits so that the system knows where to deliver them.
• The bits are gathered into groups called cells, frames, or packets.
• Each packet must contain the network information needed to deliver it to the correct destination.
• The packet passes from exchange to exchange for delivery through the provider network.
• Packet switched describes the type of network in which relatively small units of data called packets are routed through a network based on the destination address contained within each packet.
• The circuits only exist while data travels through them. They are termed virtual circuits and are categorized as switched or permanent:
  • Switched Virtual Circuit (SVC): constructed at the time of the connection and torn down when the user is done.
  • Permanent Virtual Circuit (PVC): a pre-configured pathway through the provider's network. This path is always available to the user for data transmission.
• These networks can also be connectionless or connection-oriented:
  • The Internet is a good example of a connectionless, packet-switched network. Each packet contains all of the addressing information required for successful delivery.
  • Frame Relay is an example of a connection-oriented, packet-switched network. Each packet carries only a circuit identifier rather than full addressing information and travels a pre-configured path between the source and the destination.

WAN Link Connection Options

• WAN connections can be either over a private infrastructure or over a public infrastructure, such as the Internet.
• Private WAN Connection Options:
  • Dedicated communication links
    • When dedicated connections are required, point-to-point lines are used with various capacities that are limited only by the willingness of users to pay for these dedicated lines.
    • Point-to-point lines are usually leased from a carrier and are also called leased lines.
  • Switched communication links
    • Circuit-switched communication links: circuit switching dynamically establishes a dedicated virtual connection for voice or data between a sender and a receiver. Examples are analog dialup (PSTN) and ISDN.
    • Packet-switched communication links: in packet-switched networks, the data is transmitted in labeled frames. Examples include Frame Relay, ATM, X.25, and Metro Ethernet.
• Public WAN Connection Options:
  • Public connections use the global Internet infrastructure.
  • Until recently, the Internet was not a viable networking option for many businesses because of the significant security risks and the lack of adequate performance guarantees in an end-to-end Internet connection.
  • With the development of VPN technology, however, the Internet is now an inexpensive and secure option for connecting teleworkers and remote offices where performance guarantees are not critical. The security comes from the VPN, not from the Internet path: the tunnel must authenticate both endpoints and encrypt the traffic, and the VPN gateway itself becomes an Internet-exposed device that needs the same hardening as any other.
  • Internet WAN connection links use broadband services such as DSL, cable modem, and broadband wireless, combined with VPN technology to provide privacy across the Internet.

Dedicated Connection Link: Leased Lines

• When permanent dedicated connections are required, a point-to-point link is used to provide a pre-established WAN communications path from the customer premises through the provider network to a remote destination.
• Point-to-point lines are usually leased from a carrier and are called leased lines.
• Leased lines are available in different capacities and are generally priced based on the bandwidth required and the distance between the two connected points.
• Point-to-point links are usually more expensive than shared services such as Frame Relay.
• However, there are times when the benefits outweigh the cost of the leased line:
  • The dedicated capacity removes latency or jitter between the endpoints.
  • Constant availability is essential for some applications, such as VoIP or video over IP.
• A router serial port is required for each leased line connection. A CSU/DSU and the actual circuit from the service provider are also required.

Circuit Switched Connection: Analog Dialup

(Figure caption: To help prevent crosstalk, the FCC has limited the power a modem is allowed to output over the phone line. This power limitation has the effect of reducing the possible speed to 53 kb/s.)

• When intermittent, low-volume data transfers are needed, modems and analog dialed telephone lines provide low-capacity, dedicated switched connections.
• Traditional telephony uses a copper cable, called the local loop, to connect the telephone handset to the CO.
• Traditional local loops can transport binary computer data through the voice telephone network using a modem.
• The modem modulates the binary data into an analog signal at the source and demodulates the analog signal back to binary data at the destination.
• The physical characteristics of the local loop to the PSTN limit the rate of the signal to less than 56 kb/s.
• The advantages of modems and analog lines are simplicity, availability, and low implementation cost.
• The disadvantages are the low data rates and a relatively long connection time.
• The dedicated circuit has little delay or jitter for point-to-point traffic, but voice or video traffic does not operate adequately at these low bit rates.

Circuit Switched Connection: ISDN

• Integrated Services Digital Network (ISDN) enables the local loop to carry digital signals, resulting in higher-capacity connections.
• ISDN allows two or more bit streams to be transferred as subchannels in one communication channel (TDM).
• ISDN connections use 64 kb/s bearer (B) channels for carrying voice or data and a signaling, or delta (D), channel for call setup.
• Some providers allow the D channel to carry data at low bit rates, such as X.25 connections at 9.6 kb/s.
• There are two types of ISDN interfaces:
  • Basic Rate Interface (BRI): for home and small enterprise use; has two 64 kb/s B channels and one 16 kb/s D channel.
  • Primary Rate Interface (PRI): for larger installations. In North America, PRI delivers 23 B channels at 64 kb/s and one D channel at 64 kb/s, for a total bit rate of up to 1.544 Mb/s.
• In Europe and other parts of the world, ISDN PRI provides 30 B channels and one D channel, for a total of 2.048 Mb/s.
• In North America, PRI corresponds to a T1 connection. The rate of international PRI corresponds to an E1 or J1 connection.

• BRI has a call setup time of less than a second, and a 64 kb/s B channel provides greater capacity than an analog modem link.
• If greater capacity is required, a second B channel can be activated to provide a total of 128 kb/s.
• Although inadequate for video, this permits several simultaneous voice conversations in addition to data traffic.
• Another common application of ISDN is to provide additional capacity as needed on a leased line connection.
• The leased line is sized to carry average traffic loads, while ISDN is added during peak demand periods.
• ISDN is also used as a backup if the leased line fails.
• With PRI ISDN, multiple B channels can be connected between two endpoints.
• This allows for videoconferencing and high-bandwidth data connections with very little latency or jitter. However, multiple connections can be very expensive over long distances.

Packet Switched: X.25, Frame Relay, ATM

• The packet-switching technologies used in today's WAN networks include Frame Relay, ATM, and legacy X.25.
• X.25
  • X.25 is a legacy network-layer protocol.
  • Typical X.25 applications are point-of-sale card readers.
  • X.25 speeds vary from 2400 b/s up to 2 Mb/s. However, public networks are usually low capacity, rarely exceeding 64 kb/s.
  • X.25 networks are now in dramatic decline, although they are still in use in many portions of the developing world.
• Frame Relay (the network layout is similar to X.25)
  • Frame Relay is a much simpler protocol that works at the data link layer.
  • Frame Relay implements no error or flow control. The simplified handling of frames leads to reduced latency and reduced jitter.
  • Frame Relay offers data rates up to 4 Mb/s.
  • Frame Relay virtual circuits (VCs) are uniquely identified by a data-link connection identifier (DLCI).
  • Most Frame Relay connections are PVCs rather than SVCs.
  • The router on the LAN needs only a single interface, even when multiple VCs are used.
  • The short leased line to the Frame Relay network edge allows cost-effective connections between widely scattered LANs.

• Asynchronous Transfer Mode (ATM)
  • ATM technology is capable of transferring voice, video, and data through private and public networks.
  • It is built on a cell-based architecture rather than on a frame-based architecture.
  • ATM cells are always a fixed length of 53 bytes: a 5-byte ATM header followed by 48 bytes of ATM payload.
  • Small, fixed-length cells are well suited for carrying voice and video traffic because this traffic is intolerant of delay. Video and voice traffic do not have to wait for a larger data packet to be transmitted.
  • The 53-byte ATM cell is less efficient than the bigger frames and packets of Frame Relay and X.25. A typical ATM line needs almost 20 percent greater bandwidth than Frame Relay to carry the same volume of network layer data.
  • ATM was designed to be extremely scalable and can support link speeds of T1/E1 to OC-12 (622 Mb/s) and higher.
  • ATM offers both PVCs and SVCs, although PVCs are more common with WANs.

Internet Connection: Broadband Services

• Broadband connections are used by telecommuting employees to connect to the corporate network over the Internet. These options include cable, DSL, and wireless.
• DSL
  • DSL technology is an always-on connection technology that uses existing telephone lines to transport high-bandwidth data and provides IP services to subscribers.
  • A DSL modem converts an Ethernet signal to a DSL signal, which is transmitted to the central office.
  • Multiple DSL subscriber lines are multiplexed into a single, high-capacity link using a DSL access multiplexer (DSLAM).
  • DSLAMs incorporate TDM technology to aggregate lines into a single medium, generally a T3 (DS3) connection.
  • Current DSL has data rates of up to 8.192 Mb/s.
  • There is a wide variety of DSL types, standards, and emerging standards.
  • DSL is now a popular choice for enterprise IT departments to support home workers.

• Cable Modem
  • Cable modems provide an always-on connection and a simple installation.
  • Coaxial cable is widely used in urban areas to distribute television signals.
  • Network access is available from some cable television networks.
  • The local cable TV office, which is called the cable headend, contains the computer systems and databases needed to provide Internet access.
  • The most important component located at the headend is the cable modem termination system (CMTS), which sends and receives digital cable modem signals on a cable network and is necessary for providing Internet services to cable subscribers.
  • All the local subscribers share the same cable bandwidth. As more users join the service, the available bandwidth may fall below the expected rate.

• Broadband Wireless: wireless technology uses radio spectrum (unlicensed bands in the case of WiFi) to send and receive data.
  • Municipal WiFi: many cities have begun setting up municipal wireless networks. Some networks provide high-speed Internet access for free or for substantially less than the price of other broadband services. Others are for city use only, allowing police and fire departments and other city employees to access the network.
  • WiMAX (Worldwide Interoperability for Microwave Access): described in the IEEE 802.16 standard. WiMAX provides high-speed wireless access with coverage like a cell phone network rather than through WiFi hotspots. To access a WiMAX network, subscribers must subscribe to an ISP with a WiMAX tower within 10 miles of their location.
  • Satellite Internet: typically used by rural users where cable and DSL are not available. A satellite dish provides two-way (upload and download) data communications. The upload speed is about one-tenth of the download speed. To access satellite Internet services, subscribers need a satellite dish, two modems (uplink and downlink), and coaxial cables between the dish and the modems.

Internet Connection: VPN Technology

• Security risks are incurred when a teleworker uses broadband services to access the corporate network over the Internet: the traffic crosses networks the organization does not control.
• To address these security concerns, the broadband connection is used to carry a Virtual Private Network (VPN) connection.
• A VPN is an encrypted connection between private networks over a public network such as the Internet.
• VPN benefits:
  • Cost savings: VPNs enable organizations to use the global Internet to connect remote offices and users to the corporate site, thus eliminating expensive dedicated WAN links.
  • Security: VPNs use encryption and authentication protocols that protect data from disclosure and tampering in transit and verify the identity of the peer.
  • Scalability: because VPNs use the Internet infrastructure within ISPs and devices, it is easy to add new users.
  • Compatibility with broadband technology: VPNs are supported over broadband services such as DSL and cable.

• There are two types of VPN access:
  • Site-to-site VPNs connect entire networks to each other; for example, they can connect a branch office network to a company headquarters network. Each site is equipped with a VPN gateway, such as a router, firewall, VPN concentrator, or security appliance. In the figure, a remote branch office uses a site-to-site VPN to connect with the corporate head office.
  • Remote-access VPNs enable individual hosts, such as telecommuters, mobile users, and extranet consumers, to access a company network securely over the Internet. Each host typically has VPN client software loaded or uses a web-based client.

Internet Connection Options: Metro Ethernet

• Metro Ethernet is a rapidly maturing networking technology that broadens Ethernet to the public networks run by telecommunications companies.
• By extending Ethernet to the metropolitan area, companies can provide their remote offices with reliable access to applications and data on the corporate headquarters LAN.
• Benefits of Metro Ethernet include:
  • Reduced expenses and administration: Metro Ethernet provides a switched, high-bandwidth Layer 2 network capable of managing data, voice, and video all on the same infrastructure.
  • Easy integration with existing networks: Metro Ethernet connects easily to existing Ethernet LANs, reducing installation costs and time.
  • Enhanced business productivity: Metro Ethernet enables businesses to take advantage of productivity-enhancing IP applications that are difficult to implement on TDM or Frame Relay networks, such as hosted IP communications, VoIP, and streaming and broadcast video.

WAN Design: Three-Layer Design Model

• As networks grow, star and mesh topologies become impractical.
• A network with 10 countries and 5 cities in each (50 sites) requires 1225 links in a full mesh.
• The same network in a star topology would require the hub router to have 50 interfaces.
• Hierarchical network design advantages:
  • Scalability
  • Ease of implementation
  • Ease of troubleshooting
  • Predictability
  • Protocol support
  • Manageability

WAN Design: Three-Layer Design Model (cont.)

• Three-layer hierarchical design
  • Similar to the PSTN
  • LANs in a star topology connect to form areas
  • Areas are joined to form regions
  • Regions are linked by core links
  • Keeps the majority of traffic local
  • Each LAN provides local services
  • A central LAN is responsible for area-wide services

WAN Design: Three-Layer Design Model (cont.)

• Core layer of the hierarchical design model
  • Used to move traffic between regions
  • Carries a variety of traffic
  • Redundant high-speed links are common
  • No packet manipulation
  • Usually on ATM or leased-line technology
• Distribution layer of the design model
  • Address or area aggregation
  • Departmental or workgroup access to the core layer
  • Broadcast/multicast domain definition
  • Virtual LAN (VLAN) routing
  • Media transitions
  • Security
  • Campus backbone and connection routers
  • Provides policy-based connectivity
  • Remote access to the network
  • Links are usually Frame Relay or ATM

WAN Design: Three-Layer Design Model (cont.)

• Access Layer of design model

• Layer where end users connect

• Might use access control lists for users

• Connects LANs into the WAN

• Isolates broadcast traffic to the workgroup

• Can be dialup, leased line, or Frame Relay

WAN Design: Other WAN Design Considerations

• Internet traffic must be considered in WAN design
  • Each branch might connect to the Internet independently
  • If traffic is low, the Internet connection can be used for all traffic (no separate WAN)
• Server locations should be addressed

Chapter Summary

In this chapter, you should have learned:
• WAN compared to LAN
• Common WAN devices
• WAN and the OSI model
• WAN physical layer terminology and concepts
• WAN data link layer concepts and encapsulation
• WAN switching concepts: circuit switching and packet switching
• WAN link connection options

AACS 5324 Advanced Network Communications

Chapter 3: Point-to-Point Protocol (PPP)

Objectives

• Upon completion of this chapter, students should be able to understand the following:
  • Overview of serial communication and standards
  • TDM/STDM
  • DTE and DCE
  • HDLC encapsulation
  • Introduction to PPP and its layered architecture
  • PPP frame structure
  • PPP session establishment
  • PPP authentication: PAP, CHAP
  • PPP configuration

How Does Serial Communication Work?

• Most PCs have both serial and parallel ports.
• Computers use relatively short parallel connections between internal components, but use a serial bus to convert signals for most external communications.
• With a serial connection, information is sent across one wire, one data bit at a time.
• The 9-pin serial connector on most PCs uses two loops of wire, one in each direction, for data communication, plus additional wires to control the flow of information.
• A parallel connection sends the bits over more wires simultaneously. In the 25-pin parallel port on a PC, there are 8 data wires to carry 8 bits simultaneously.
• The parallel link theoretically transfers data eight times faster than a serial connection.
• In reality, serial links can often be clocked considerably faster than parallel links, and they achieve a higher data rate.
• Two factors limit parallel communications: clock skew and crosstalk interference.

Parallel connection: Clock Skew & Interference

• In a parallel connection, it is wrong to assume that the 8 bits leaving the sender at the same time arrive at the receiver at the same time.
• Clock skew
  • Some of the bits get there later than others. This is known as clock skew.
  • Overcoming clock skew is not trivial. The receiving end must synchronize itself with the transmitter and then wait until all the bits have arrived. The process of reading and waiting adds time to the transmission.
  • This is not a factor with serial links, because a single data line has no skew between bits to reconcile.
• Interference
  • Parallel wires are physically bundled in a parallel cable. The possibility of crosstalk across the wires requires more processing.
  • Since serial cables have fewer wires, there is less crosstalk, and network devices can transmit serial communications at higher, more efficient frequencies.

Serial Communication Standards

• In a serial communication process:
  • Data is encapsulated by the sending router.
  • The frame is sent on a physical medium to the WAN.
  • There are various ways to traverse the WAN.
  • The receiving router uses the same communications protocol to de-encapsulate the frame when it arrives.

• There are three key serial communication standards affecting LAN-to-WAN connections:
  • RS-232: most serial ports on personal computers conform to the RS-232C standard. Both 9-pin and 25-pin connectors are used. It is used for devices including modems, mice, and printers.
  • V.35: used for modem-to-multiplexer communication. V.35 is used by routers and DSUs that connect to T1 carriers.
  • HSSI: the High-Speed Serial Interface supports transmission rates up to 52 Mb/s. HSSI is used to connect routers on LANs to WANs over high-speed lines such as T3 lines.

Time Division Multiplexing

• Time-Division Multiplexing (TDM) is a process used to carry multiple sources of information over one common channel, or signal, and then reconstruct the original streams at the remote end.
• TDM divides the media into multiple time slots and interleaves bytes of data from multiple conversations, assigning each conversation one or more time slots.
• TDM functions at the physical layer; it has no regard for the type of information it carries.

• A time slot goes unused if it is assigned to a conversation that has no information to transfer, so valuable bandwidth is wasted.
• A modification of TDM, Statistical TDM (STDM), analyzes the bandwidth requirements of each conversation and dynamically reassigns unused time slots to conversations that require additional bandwidth.
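As an added illustration of the two multiplexing schemes described above (example code written for this page, not from the slides), here is a byte-interleaved TDM mux and demux next to a statistical TDM version, counting the idle slots that fixed TDM wastes. The slot layout, the idle filler byte, the one-byte STDM channel tag, and the four sample conversations are constructed assumptions.

```python
# Added example, not from the slides: byte-interleaved TDM versus
# statistical TDM (STDM) over one shared channel. The slot order, the
# idle filler byte and the one-byte STDM channel tag are illustrative
# assumptions; the four "conversations" below are constructed input.

IDLE = 0x00  # filler a fixed TDM mux transmits when the slot owner is silent (assumed)


def tdm_mux(sources, rounds):
    """Fixed TDM: each round emits one slot per source, in a fixed order.
    Returns (channel_bytes, idle_slots). A source that has run out of data
    still consumes its slot, which is the waste the slides describe."""
    channel, idle = bytearray(), 0
    for i in range(rounds):
        for src in sources:
            if i < len(src):
                channel.append(src[i])
            else:
                channel.append(IDLE)
                idle += 1
    return bytes(channel), idle


def tdm_demux(channel, nsources):
    """Recover the conversations from slot position alone; no tag is needed,
    but idle filler is indistinguishable from a real 0x00 data byte."""
    streams = [bytearray() for _ in range(nsources)]
    for pos, b in enumerate(channel):
        streams[pos % nsources].append(b)
    return [bytes(s) for s in streams]


def stdm_mux(sources, rounds):
    """Statistical TDM: a slot is emitted only for sources that have data in
    this round, so each unit must carry a channel tag plus the data byte."""
    channel = bytearray()
    for i in range(rounds):
        for ch, src in enumerate(sources):
            if i < len(src):
                channel += bytes([ch, src[i]])
    return bytes(channel)


def stdm_demux(channel, nsources):
    """Recover the conversations from the tags; a tag outside the configured
    channel range is rejected instead of indexing past the stream table."""
    if len(channel) % 2:
        raise ValueError("odd-length STDM channel")
    streams = [bytearray() for _ in range(nsources)]
    for k in range(0, len(channel), 2):
        ch, b = channel[k], channel[k + 1]
        if ch >= nsources:
            raise ValueError(f"bad channel tag {ch}")
        streams[ch].append(b)
    return [bytes(s) for s in streams]


def compare(sources, rounds):
    """Bytes on the wire and wasted slots for both schemes on the same input."""
    tdm_channel, idle = tdm_mux(sources, rounds)
    stdm_channel = stdm_mux(sources, rounds)
    return {"tdm_bytes": len(tdm_channel), "tdm_idle_slots": idle,
            "stdm_bytes": len(stdm_channel)}


if __name__ == "__main__":
    # Constructed input: one chatty source, two bursty ones, one silent one.
    convs = [b"HELLO", b"x", b"", b"DATA"]
    print(compare(convs, rounds=5))
```

On the constructed bursty input, fixed TDM sends 20 bytes of which 10 slots are idle, while STDM sends the same 20 bytes with no idle slot because half of every unit is the channel tag; STDM only pays off when sources are silent more often than the tag overhead costs. The STDM demux also shows why the tag must be validated: an out-of-range tag from a faulty or hostile sender is refused rather than used as an index.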

DTE-DCE

• Serial connections have a data terminal equipment (DTE) device at one end and a data communications equipment (DCE) device at the other end.
• DTE
  • Is usually the customer premises equipment (CPE).
  • Is often the company's border router that connects to the service provider's network through a leased line.
  • Uses an external clock, usually provided by the DCE.
  • Examples: router, Frame Relay access device.
• DCE
  • Is usually the service provider's equipment (SPE).
  • Converts the data from the DTE into a form acceptable to the service provider's network.
  • Uses an internal clock.
  • Examples: modem or CSU/DSU.
• The remote DCE device receives the signal and decodes it back into a sequence of bits that is sent to the remote DTE device.

• If two DTEs must be connected together, like two computers or two routers in the lab, a special cable called a null-modem cable is necessary to eliminate the need for a DCE.

• For synchronous connections, where a clock signal is needed, either an external device or one of the DTEs must generate the clock signal.

• The clock signal is to align the transmitting and receiving ends so that they agree on how data will be transmitted and received.

HDLC Encapsulation

• High-level Data Link Control (HDLC):
  • HDLC is a bit-oriented, synchronous, data link layer protocol developed by the International Organization for Standardization (ISO).
  • Developed from IBM's Synchronous Data Link Control (SDLC) standard proposed in the 1970s.
  • Provides both connection-oriented and connectionless service.
  • Defines a Layer 2 framing structure that allows for flow control and error control through the use of acknowledgments.
  • Uses a frame delimiter, or flag, to mark the beginning and the end of each frame.

• HDLC is used when connecting two devices manufactured by the same vendor.

• HDLC does not support multiple protocols on a single link, as it does not have a way to indicate which protocol is being carried.

• Point-to-point Protocol (PPP) is an open standard encapsulation used in a multivendor environment

• PPP uses HDLC as a basis for encapsulating datagrams.

• Cisco High-level Data Link Control (Cisco HDLC):
  • Cisco has developed an extension to the HDLC protocol to solve its inability to provide multiprotocol support.
  • Cisco HDLC is proprietary and is the default encapsulation on a Cisco device WAN serial port.
  • Cisco HDLC frames contain a field for identifying the network protocol being encapsulated.

Configuring HDLC

• The default encapsulation method used by Cisco devices on synchronous serial lines is Cisco HDLC.

• Cisco HDLC is a point-to-point protocol that can be used on leased lines between two Cisco devices.

• When communicating with a non-Cisco device, PPP is a more viable option.

Verify the encapsulation on the serial interface:

R1#show interface serial0/0/0
Serial0/0/0 is up, line protocol is up
  Hardware is GT96K Serial
  Internet address is 10.1.1.1/30
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set

Point-to-Point Protocol (PPP)

PPP

• PPP was developed based on the ISO High-Level Data Link Control (HDLC) protocol.
• The Point-to-Point Protocol (PPP) is an industry-standard method of using point-to-point links to transport multiprotocol datagrams, including AppleTalk, DECnet, IP, and IPX.
• Note: HDLC is the default serial encapsulation method when you connect two Cisco routers. Cisco HDLC can only work with other Cisco devices.
• However, when you need to connect to a non-Cisco router, you should use PPP encapsulation.
• PPP includes many features not available in HDLC:
  • The link quality management feature monitors the quality of the link. If too many errors are detected, PPP takes the link down.
  • PPP supports PAP and CHAP authentication.

• PPP is a data link layer protocol that provides a standard method for transporting multiprotocol datagrams over point-to-point links.
• PPP can be configured on multiple types of interfaces:
  • Asynchronous serial
  • Synchronous serial
  • High-Speed Serial Interface (HSSI)
  • Integrated Services Digital Network (ISDN)

[Figure: PPP layered architecture. Network layer: IP, IPX, many others. Data link layer (PPP): Network Control Protocol (NCP) above the Link Control Protocol (LCP). Physical layer: synchronous or asynchronous physical medium.]

PPP Layered Architecture

• PPP has a layered architecture:
  • Link Control Protocol (LCP): to establish, configure, and test the connection.
  • Network Control Protocols (NCPs): a family of protocols to establish and configure network layer protocols.

• PPP contains three main components:
(1) PPP encapsulation method
  • Takes higher-layer messages such as IP packets and encapsulates them for transmission over the underlying physical layer link.
  • PPP defines a special frame format for encapsulating data for transmission, based on the framing used in the HDLC protocol.
  • The PPP frame has been specially designed to be small in size and contain only simple fields, to maximize bandwidth efficiency and speed of processing.

• PPP contains three main components:
(2) Link Control Protocol (LCP)
  • The LCP sits on top of the physical layer and has a role in establishing the point-to-point link and in configuring and testing the data link connection.
  • The LCP also negotiates and sets up control options on the WAN data link; the network layer options are then handled by the NCPs.
  • PPP also uses the LCP to negotiate link options such as authentication, compression, PPP callback, multilink for load balancing, and link monitoring and error detection as soon as the link is established.

• PPP contains three main components:
(2) Link Control Protocol (LCP), continued
  • The LCP provides automatic configuration of the interfaces at each end, including:
    • Handling varying limits on packet size
    • Detecting common misconfiguration errors
    • Terminating the link
    • Determining when a link is functioning properly or when it is failing

• PPP contains three main components:
(3) Network Control Protocol (NCP)
  • Permits multiple network layer protocols to operate on the same communications link (see next).

PPP Layered Architecture

[Figure: PPP layered architecture with NCPs. Network layer: IP, IPX, many others. Data link layer (PPP): IPCP, IPXCP and many other NCPs above the Link Control Protocol (LCP). Physical layer: synchronous or asynchronous physical medium.]

• For every network layer protocol used, a separate Network Control Protocol (NCP) is provided. For example, IP uses the IP Control Protocol (IPCP), and IPX uses the Novell IPX Control Protocol (IPXCP).
• NCPs include functional fields containing standardized codes to indicate the network layer protocol type that PPP encapsulates.

PPP Frame Structure

• Notice how the PPP frame has been modeled very closely on the standard HDLC frame.

• The protocol field contains specific codes.

• Flag: indicates the beginning or end of a frame. The value is 0x7E (binary 01111110) and marks the start and end of a PPP frame. In successive PPP frames, only a single Flag character is used between frames: the closing flag of one frame serves as the opening flag of the next.
• Address: consists of the standard broadcast address, which is the binary sequence 11111111 (0xFF). PPP does not assign individual station addresses, because it deals with a direct link between two devices.

• Control: set to 00000011 (0x03), the HDLC unnumbered information code. This provides a connectionless link service that does not require establishing data links or link stations. On a point-to-point link, the destination node does not need to be addressed; therefore, for PPP, the Address field is set to 0xFF, the broadcast address.

• Protocol: identifies the protocol of the datagram encapsulated in the Data field (for example, 0x0021 for IP and 0xC021 for LCP).

• Data: zero or more bytes of payload that contain either data or control information, depending on the frame type. For regular PPP data frames, the network layer packet is encapsulated here. For control frames (LCP, NCP), the control information fields are placed here instead. The default maximum length of the Data field is 1500 bytes.
• FCS (Frame Check Sequence): a cyclic redundancy check (CRC) computed over the Address, Control, Protocol, and Data fields to provide basic protection against transmission errors. It is similar to the CRC used by other Layer 2 protocols such as Ethernet, and can be either 16 or 32 bits in size (the default is 16 bits). Note that the FCS detects accidental corruption only: anyone who can modify the frame can recompute the FCS, so it offers no protection against deliberate tampering. Integrity against an attacker requires an authenticated protocol above PPP, such as a VPN.
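To make the field layout concrete, here is an added example (written for this page, not code from the slides or from any PPP implementation) that builds a PPP frame from the fields above, byte-stuffs it, and parses it back while verifying the FCS. The FCS-16 algorithm and the 0x7D escape are assumed from RFC 1662, which the slides do not cite; the payload bytes are constructed, and the protocol numbers 0x0021 (IP) and 0xC021 (LCP) are the standard assignments.

```python
# Added example, not from the slides: build and parse a PPP frame with the
# fields described above (Flag 0x7E, Address 0xFF, Control 0x03, 2-byte
# Protocol, Data, 16-bit FCS, Flag). The FCS-16 algorithm and the 0x7D
# byte-stuffing are assumed from RFC 1662 (PPP in HDLC-like framing on
# asynchronous links); the slides do not specify either. The payload is
# constructed.
import struct

FLAG, ESC, ADDR, CTRL = 0x7E, 0x7D, 0xFF, 0x03
PROTO_IP, PROTO_LCP = 0x0021, 0xC021
PPP_GOOD_FCS16 = 0xF0B8  # residual of the FCS run over body + transmitted FCS


def fcs16(data, fcs=0xFFFF):
    """RFC 1662 FCS-16 (CRC-16/X-25), bit-serial form, reflected polynomial 0x8408."""
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def stuff(raw):
    """Escape Flag and Escape bytes so neither can occur inside the frame body."""
    out = bytearray()
    for b in raw:
        if b in (FLAG, ESC):
            out += bytes([ESC, b ^ 0x20])
        else:
            out.append(b)
    return bytes(out)


def unstuff(raw):
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == ESC:
            if i + 1 >= len(raw):
                raise ValueError("dangling escape byte")
            out.append(raw[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


def build_frame(protocol, payload):
    body = bytes([ADDR, CTRL]) + struct.pack(">H", protocol) + payload
    fcs = fcs16(body) ^ 0xFFFF            # transmitted FCS is the ones complement
    body += struct.pack("<H", fcs)        # and goes on the wire least-significant byte first
    return bytes([FLAG]) + stuff(body) + bytes([FLAG])


def parse_frame(frame):
    """Return (protocol, payload) or raise ValueError for a malformed or
    corrupted frame. Every length is checked before a field is sliced."""
    if len(frame) < 2 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag")
    body = unstuff(frame[1:-1])
    if len(body) < 6:                     # addr + ctrl + proto + fcs
        raise ValueError("frame too short")
    if fcs16(body) != PPP_GOOD_FCS16:
        raise ValueError("bad FCS")
    if body[0] != ADDR or body[1] != CTRL:
        raise ValueError("unexpected address/control")
    protocol = struct.unpack(">H", body[2:4])[0]
    return protocol, body[4:-2]


def tamper(frame, new_payload):
    """What an on-path attacker can do: rewrite the payload and recompute the
    FCS. The result passes parse_frame, which is why the FCS is an error
    check and not an integrity check; that job belongs to a layer above PPP."""
    protocol, _ = parse_frame(frame)
    return build_frame(protocol, new_payload)


if __name__ == "__main__":
    f = build_frame(PROTO_IP, b"\x45\x00\x7e\x7d constructed payload")
    print(f.hex())
    print(parse_frame(f))
    print(parse_frame(tamper(f, b"attacker payload")))
```

The parser checks the flags, the unstuffed length, the FCS residual and the Address/Control bytes in that order, so a truncated or bit-flipped frame is refused before any field is interpreted; tamper() shows that a rebuilt frame with a fresh FCS is accepted just the same.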

PPP Session Establishment

• PPP session establishment progresses through three phases:

Establishing a PPP Session

The three phases of establishing a PPP session:
• Phase 1: Link establishment and configuration negotiation
  • The LCP must first open the connection and negotiate configuration options.
• Phase 2: Link quality determination (optional)
  • The LCP tests the link to determine whether the link quality is sufficient to bring up network layer protocols.
• Phase 3: Network layer protocol configuration negotiation
  • The appropriate NCP can separately configure the network layer protocols.
  • The NCP can bring them up and take them down at any time.

• The link remains configured for communications until explicit LCP or NCP frames close the link, or until some external event occurs.
• This can happen because of loss of carrier, authentication failure, link quality failure, expiration of an idle-period timer, or an administrator closing the link.

Establishing a Link with LCP (summary)

• Phase 1: Link establishment
  • In this phase, each PPP device sends LCP frames to configure and test the data link.
  • LCP frames contain a configuration option field that allows devices to negotiate the use of options such as:
    • The maximum transmission unit (MTU)
    • Compression of certain PPP fields
    • The link authentication protocol

• If a configuration option is not included in an LCP packet, the default value is assumed.
• Before any network layer packets can be exchanged, LCP must first open the connection and negotiate the configuration parameters.
• This phase is complete when a configuration acknowledgment frame has been sent and received.

• Authentication:
  • After the link has been established and the authentication protocol decided on, the peer may be authenticated.
  • Authentication, if used, takes place before the network layer protocol phase is entered.

• As part of this phase, LCP also allows for an optional link quality determination test.
  • The link is tested to determine whether the link quality is good enough to bring up network layer protocols.

Network Layer Protocol Negotiation (summary)

• PPP permits multiple network layer protocols to operate on the same communications link.
  • For every network layer protocol used, PPP uses a separate NCP module.
  • IP uses the IPCP module.
  • IP version 6 uses the IPv6CP module.
  • IPX uses the IPXCP module.

• In this phase the PPP devices send NCP packets to choose and configure one or more network layer protocols (e.g. IP).

• Once each of the chosen network layer protocols has been configured, packets from each network layer protocol can be sent over the link.

• If LCP closes the link, it informs the network layer protocols so that they can take appropriate action.

Establishing a Link with LCP (detail)

• LCP operation uses three classes of LCP frames to accomplish the work of each of the LCP phases:
• Link-establishment frames establish and configure a link (Configure-Request, Configure-Ack, Configure-Nak, and Configure-Reject).
• During link establishment, the LCP opens the connection and negotiates the configuration parameters.
• The Configure-Request frame includes a variable number of configuration options needed to set up the link.
• Link-maintenance frames manage and debug a link (Code-Reject, Protocol-Reject, Echo-Request, Echo-Reply, and Discard-Request).
• Echo-Request, Echo-Reply, and Discard-Request frames can be used for testing the link.


• Link-termination frames terminate a link (Terminate-Request and Terminate-Ack).
• The link remains open until the LCP terminates it. If the LCP terminates the link before the NCP, the NCP session is also terminated.
• The device initiating the shutdown sends a Terminate-Request message. The other device replies with a Terminate-Ack.


PPP Configuration Options

• PPP can be configured to support:

• Authentication using either PAP or CHAP
• Compression using either Stacker or Predictor
• Multilink, which combines two or more channels to increase the WAN bandwidth

• To negotiate the use of these PPP options, the LCP link-establishment frames contain Option information in the Data field of the LCP frame.

• This phase is complete when a configuration acknowledgment frame has been sent and received.
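The Configure-Request / Configure-Ack / Configure-Nak / Configure-Reject exchange described above, together with the "first method, then second method" fallback that the later ppp authentication slides describe, as an added Python example. It is not part of the course material and does not model Cisco IOS code: a responder answers a Configure-Request according to its own policy (unknown option: Reject; known but unacceptable value: Nak with the value it would accept; otherwise Ack), and the requester adopts a Nak'ed authentication protocol only if it is on its own allowed list. Packet layouts and option codes are the RFC 1661 / RFC 1994 ones; the policy dictionaries, MRU values, magic number and router roles are assumptions made for the illustration.

```python
import struct

# LCP packet codes and option types (RFC 1661); the CHAP algorithm byte is from RFC 1994
CONFIGURE_REQUEST, CONFIGURE_ACK, CONFIGURE_NAK, CONFIGURE_REJECT = 1, 2, 3, 4
OPT_MRU, OPT_AUTH_PROTOCOL, OPT_MAGIC_NUMBER = 1, 3, 5
PROTO_PAP, PROTO_CHAP, CHAP_MD5 = 0xC023, 0xC223, 5


def encode_option(opt_type, data):
    return bytes([opt_type, 2 + len(data)]) + data   # Type, Length (incl. header), Data


def mru_option(mru):
    return encode_option(OPT_MRU, struct.pack("!H", mru))


def auth_option(protocol):
    data = struct.pack("!H", protocol)
    if protocol == PROTO_CHAP:
        data += bytes([CHAP_MD5])                     # CHAP option carries an algorithm byte
    return encode_option(OPT_AUTH_PROTOCOL, data)


def encode_lcp(code, ident, options):
    body = b"".join(options)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body   # Code, ID, Length, Options


def decode_lcp(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("LCP Length field does not match packet size")
    options, pos = [], 4
    while pos < length:
        opt_type, opt_len = packet[pos], packet[pos + 1]
        if opt_len < 2 or pos + opt_len > length:
            raise ValueError("malformed LCP option")
        options.append((opt_type, packet[pos + 2:pos + opt_len]))
        pos += opt_len
    return code, ident, options


def respond(request, policy):
    """Answer one Configure-Request. policy = {"min_mru": int, "auth": [protocols this
    peer is willing to authenticate itself with, preferred first]} (assumed shape).
    Unknown options -> Configure-Reject; known but unacceptable -> Configure-Nak carrying
    the value we would accept; otherwise Configure-Ack echoing the request's options."""
    code, ident, options = decode_lcp(request)
    if code != CONFIGURE_REQUEST:
        raise ValueError("not a Configure-Request")
    rejected, naked, acked = [], [], []
    for opt_type, data in options:
        if opt_type == OPT_MRU:
            (mru,) = struct.unpack("!H", data)
            if mru < policy["min_mru"]:
                naked.append(mru_option(policy["min_mru"]))
            else:
                acked.append(encode_option(opt_type, data))
        elif opt_type == OPT_AUTH_PROTOCOL:
            (proto,) = struct.unpack("!H", data[:2])
            if proto in policy["auth"]:
                acked.append(encode_option(opt_type, data))
            else:
                naked.append(auth_option(policy["auth"][0]))
        elif opt_type == OPT_MAGIC_NUMBER:
            acked.append(encode_option(opt_type, data))
        else:
            rejected.append(encode_option(opt_type, data))
    if rejected:                          # Reject outranks Nak, Nak outranks Ack
        return encode_lcp(CONFIGURE_REJECT, ident, rejected)
    if naked:
        return encode_lcp(CONFIGURE_NAK, ident, naked)
    return encode_lcp(CONFIGURE_ACK, ident, acked)


def next_request(reply, sent, allowed_auth):
    """Requester side. `sent` holds the options of the last Configure-Request. Returns the
    options for the next request, or None once the peer has Acked. Rejected options are
    dropped, a Nak'ed value is adopted, but a Nak'ed authentication protocol is adopted
    only if it is in allowed_auth (the 'ppp authentication chap pap' fallback), and a
    peer that Rejects authentication outright is refused rather than accommodated."""
    code, _, options = decode_lcp(reply)
    if code == CONFIGURE_ACK:
        return None
    kept = list(sent)
    for opt_type, data in options:
        if code == CONFIGURE_REJECT and opt_type == OPT_AUTH_PROTOCOL:
            raise ValueError("peer rejects authentication outright; do not bring the link up")
        kept = [o for o in kept if o[0] != opt_type]          # o[0] is the option Type byte
        if code == CONFIGURE_NAK:
            if opt_type == OPT_AUTH_PROTOCOL:
                (proto,) = struct.unpack("!H", data[:2])
                if proto not in allowed_auth:
                    raise ValueError("peer refuses every permitted authentication protocol")
                kept.append(auth_option(proto))
            else:
                kept.append(encode_option(opt_type, data))
    return kept


def negotiate(requester_opts, allowed_auth, responder_policy, max_rounds=5):
    """Run Configure-Request rounds until an Ack; returns (rounds, agreed options)."""
    opts = list(requester_opts)
    for ident in range(1, max_rounds + 1):
        reply = respond(encode_lcp(CONFIGURE_REQUEST, ident, opts), responder_policy)
        nxt = next_request(reply, opts, allowed_auth)
        if nxt is None:
            return ident, decode_lcp(reply)[2]
        opts = nxt
    raise RuntimeError("LCP negotiation did not converge")
```

With a requester configured for CHAP-then-PAP and a peer that only speaks PAP, the first round ends in a Nak carrying PAP and the second round is Acked; a requester allowed only CHAP against that same peer stops with an error instead of silently downgrading, which is the behaviour to check for when an authentication downgrade is a concern.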


NCP Process (detail)

• After the LCP has configured and authenticated the basic link, the appropriate NCP is invoked to complete the specific configuration of the network layer protocol being used (for example, the NCPs for IP, IPX, AppleTalk and others).

• IPCP Example: after LCP has established the link, the routers exchange IPCP messages, negotiating options specific to the protocol.


• IPCP Example: IPCP negotiates two options:
• Compression - Allows devices to negotiate an algorithm to compress TCP and IP headers and save bandwidth.
• IP-Address - Allows the initiating device to specify an IP address to use for routing IP over the PPP link, or to request an IP address for the responder. Dialup network links commonly use the IP address option.

• When the NCP process is complete, the link goes into the open state and LCP takes over again.


• The show interfaces command reveals the LCP and NCP states under PPP configuration.

• The PPP link remains configured for communications until LCP or NCP frames close the link or until an inactivity timer expires or a user intervenes.

(Figure: show interfaces output; "LCP Open" = connection made, with the NCP (IPCP) state listed beneath it.)


PPP Configuration Options

• PPP may include the following LCP options:
• Authentication - Uses PAP or CHAP to create a secure connection between communicating devices (more later). Requires the calling side to enter credentials to verify to the called side that it has permission to make the call.
• Compression - Increases the effective throughput on PPP connections by reducing the amount of data in the frame that must travel across the link. Two compression options are Stacker and Predictor.
• Error detection - Identifies fault conditions such as poor line quality and looped links, and checks each transmitted frame through the CRC carried in the frame's Frame Check Sequence (FCS) field. For example, the Quality and Magic Number options help ensure a reliable, loop-free data link.


• PPP may include the following LCP options:
• Multilink - Load balance over multiple interfaces. Similar to routers load balancing across equal-cost paths, except multilink breaks the frame into fragments and then reassembles it at the other end of the link.
• PPP Callback - To enhance security. The client makes the initial call, requests that the server call it back, and terminates its initial call.


PPP Authentication Protocols

• PPP defines an extensible version of LCP that allows negotiation of an authentication protocol for its peer before allowing network layer protocols to transmit over the link.
• The authentication process requires the calling side of the link to enter authentication information.
• Defines 2 protocols for authentication:
• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)


Password Authentication Protocol (PAP)

1. Remote router sends its username and password to Central router.
2. Central router evaluates Remote router's username and password against its local database. If they match, it accepts the connection; if not, it rejects the connection.


(Figure: PAP exchange between SantaCruz, the calling router, and HQ, the called router.)

1. Establish PPP link.
2. Configuration request for PAP authentication.
3. Configuration ACK.
4. SantaCruz sends the SantaCruz username and SantaCruzpass password configured for the interface.
5. HQ looks up the received name, retrieves the password and compares configured to received.
6. If they are the same, send an ACK and allow access. If they are not the same, send a NACK and terminate the connection.


Password Authentication Protocol (PAP)

• PAP provides a simple method for a remote node to establish its identity, using a two-way handshake.

• PAP is not interactive. When the "ppp authentication pap" command is used, a username/password pair is repeatedly sent by the remote node across the link until authentication is acknowledged or the connection is terminated.
• Passwords are sent across the link in clear text and there is no protection from playback or repeated trial-and-error attacks.
• The remote node is in control of the frequency and timing of the login attempts.


• Authenticates only once. After authentication is established, PAP essentially stops working, as it can't reauthenticate during the session.
• However, PAP may be used in the following environments:
• A large installed base of client applications that do not support CHAP
• Incompatibilities between different vendor implementations of CHAP
• Situations in which a plain-text password must be available to simulate a login at the remote host


Challenge Handshake Authentication Protocol (CHAP)

1. Central router sends a CHAP challenge to Remote router.
2. Remote router computes the MD5 hash of the challenge and the shared secret and sends the response to Central router (with two-way CHAP, Remote router challenges and validates Central router in the same way).
3. Central router validates Remote router's response and establishes or rejects the link.

(Figure: both routers are configured with the same shared secret password.)


PPP Authentication – CHAP Challenge

• SantaCruz calls HQ and establishes a PPP link.
• A CHAP challenge packet is built by the HQ router with the following characteristics:
• 01 = challenge packet type identifier.
• ID = sequential number that identifies the challenge.
• random = a reasonably random number generated by the router.
• HQ = the authentication name of the challenger.


CHAP Challenge

• The ID and random values are kept on the HQ router (the called router).
• The challenge packet is sent to the calling router.
• A list of outstanding challenges is maintained.


(Figure: SantaCruz receives the CHAP challenge.)

• The name HQ is used to look up the password.
• The ID value, the random value and the password are fed into the MD5 hash generator.
• The result is the one-way MD5-hashed CHAP challenge that will be sent back in the CHAP response.


• The response packet is assembled and sent:
• 02 = CHAP response packet type identifier.
• ID = copied from the challenge packet.
• hash = the output from the MD5 hash generator.
• SantaCruz = the hostname of the responding device (from the hostname command or the ppp chap hostname command).

(Figure: CHAP response sent from SantaCruz to HQ.)


(Figure: HQ receives the CHAP response.)

• The ID is used to find the original challenge packet.
• The name is used to look up the password from a configured name or a security server.
• The original ID, the original random value and the password are fed into the MD5 hash generator.


• The hash value received in the response packet is then compared to the calculated MD5 hash value.
• CHAP authentication succeeds if the calculated and the received hash values are equal.


• If authentication is successful, a CHAP success packet is built from the following components:
• 03 = CHAP success message type.
• ID = copied from the response packet.
• "Welcome In" is simply a text message providing a user-readable explanation.

(Figure: success packet  03 | ID | Welcome In)


• If authentication fails, a CHAP failure packet is built from the following components:
• 04 = CHAP failure message type.
• ID = copied from the response packet.
• "Authentication failure" or other text message, providing a user-readable explanation.

(Figure: failure packet  04 | ID | Authentication Failed)


Challenge Handshake Authentication Protocol (CHAP)

• CHAP provides protection against playback attack through the use of a variable challenge value that is unique and unpredictable.

• Since the challenge is unique and random, the resulting hash value will also be unique and unpredictable to anyone observing the link, so a captured response is useless against the next challenge.

• The use of repeated challenges is intended to limit the time of exposure to any single attack.

• The Central router or a third-party authentication server is in control of the frequency and timing of the challenges.
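The challenge, response, verification and success/failure steps on the preceding slides, as an added Python example. It is not part of the original course material and is not Cisco's implementation: the hash is MD5(ID || secret || challenge value) and the packet layout follows RFC 1994; the router names, the shared secret "boardwalk" and the in-memory username table are assumptions taken from the CHAP configuration slides that follow. The outstanding-challenge list is consumed on use, which is what makes a replayed response fail.

```python
import hashlib
import secrets

# CHAP packet codes (RFC 1994): 01 Challenge, 02 Response, 03 Success, 04 Failure
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_hash(ident, secret, challenge):
    # RFC 1994: Value in the Response = MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def encode(code, ident, value, name_or_message):
    # Challenge/Response: Code(1) ID(1) Length(2) Value-Size(1) Value Name
    # Success/Failure:    Code(1) ID(1) Length(2) Message
    if code in (CHALLENGE, RESPONSE):
        body = bytes([len(value)]) + value + name_or_message
    else:
        body = name_or_message
    return bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body


def decode(packet):
    code, ident = packet[0], packet[1]
    if int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("CHAP Length field does not match packet size")
    if code in (CHALLENGE, RESPONSE):
        size = packet[4]
        return code, ident, packet[5:5 + size], packet[5 + size:]
    return code, ident, b"", packet[4:]


class Authenticator:
    """The called router (HQ): issues challenges, keeps the list of outstanding
    challenges keyed by ID, and holds the username -> secret table (assumed shape)."""

    def __init__(self, name, secrets_db):
        self.name, self.db = name, secrets_db
        self.outstanding, self.next_id = {}, 0

    def challenge(self):
        self.next_id = (self.next_id + 1) % 256
        value = secrets.token_bytes(16)       # fresh and unpredictable for every challenge
        self.outstanding[self.next_id] = value
        return encode(CHALLENGE, self.next_id, value, self.name)

    def verify(self, response):
        code, ident, received, peer_name = decode(response)
        if code != RESPONSE:
            raise ValueError("expected a CHAP Response")
        value = self.outstanding.pop(ident, None)   # one use per challenge: replays fail
        secret = self.db.get(peer_name)
        if value is None or secret is None:
            return encode(FAILURE, ident, b"", b"Authentication failure")
        if secrets.compare_digest(chap_hash(ident, secret, value), received):
            return encode(SUCCESS, ident, b"", b"Welcome In")
        return encode(FAILURE, ident, b"", b"Authentication failure")


def respond(challenge_packet, my_name, secrets_db):
    """The calling router (SantaCruz): look up the challenger's name, hash, answer."""
    code, ident, value, challenger = decode(challenge_packet)
    if code != CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    secret = secrets_db[challenger]            # e.g. 'username HQ password boardwalk'
    return encode(RESPONSE, ident, chap_hash(ident, secret, value), my_name)


def run_exchange(authenticator, peer_name, peer_db):
    """One complete handshake; returns SUCCESS (3) or FAILURE (4)."""
    chal = authenticator.challenge()
    resp = respond(chal, peer_name, peer_db)
    return decode(authenticator.verify(resp))[0]
```

Note what the example does not do: MD5 here is the RFC's one-way function, not a defence against an attacker who captures a challenge/response pair and brute-forces the shared secret offline, which is why the secret's strength still matters with CHAP.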


Configuring PPP

• Enables PPP encapsulation on serial interface 0/0:

Router#configure terminal
Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp


(Figure: two routers connected back-to-back on Serial0 across 172.25.3.0/24, .1 at one end and .2 at the other; one end is the DCE, the other the DTE.)

Router with the .2 address:
interface Serial0
 ip address 172.25.3.2 255.255.255.0
 encapsulation ppp

Router with the .1 address:
interface Serial0
 ip address 172.25.3.1 255.255.255.0
 encapsulation ppp


Verifying PPP

(Figure: show interfaces serial output; the LCP state and the NCP (IPCP) state are listed under the PPP encapsulation line.)


Configuring PAP

Rtr(config)# username remote-host password remote-password

• This needs to match the ppp pap sent-username and password configured on the remote host.

Rtr(config-if)# ppp pap sent-username this-host-username password this-host-password

• The passwords do not need to match between the remote and the host; each side's sent-username/password is checked against the username entry configured on the other side.
• It need not be the same as the enable secret password.

Router(config-if)#ppp authentication {chap | chap pap | pap chap | pap}

• Two choices: first choice | second choice.
• If both methods are enabled, then the first method specified will be requested during link negotiation.
• If the peer suggests using the second method or simply refuses the first method, then the second method will be tried.


Configuring PAP

Notes: sent-username and password must match the remote router's username and password. Hostnames are not involved.

(Figure: SantaCruz S0 172.25.3.2 and HQ S0 172.25.3.1 on 172.25.3.0/24; one end DCE, the other DTE.)

SantaCruz:
hostname SantaCruz
username HQ password HQpass
interface Serial0
 ip address 172.25.3.2 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username SantaCruz password SantaCruzpass

HQ:
hostname HQ
username SantaCruz password SantaCruzpass
interface Serial0
 ip address 172.25.3.1 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username HQ password HQpass


Configuring CHAP

Notes: Hostnames are involved, unless the ppp chap hostname command is used, and must match the remote router's username command. Passwords are case-sensitive and must match.

(Figure: SantaCruz S0 172.25.3.2 and HQ S0 172.25.3.1 on 172.25.3.0/24; one end DCE, the other DTE.)

SantaCruz:
hostname SantaCruz
username HQ password boardwalk
interface Serial0
 ip address 172.25.3.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname SantaCruz   (optional)

HQ:
hostname HQ
username SantaCruz password boardwalk
interface Serial0
 ip address 172.25.3.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname HQ   (optional)


Configuring PPP Multilink (MLP)

• In some environments, it may be necessary to bundle multiple serial links to act as a single link with aggregated bandwidth.

Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router(config-if)#ppp multilink


Configuring PPP Multilink with ISDN

• PPP Multilink is common with ISDN.
• Prior to MLP, two or more ISDN B channels could not be used in a standardized way while ensuring sequencing. MLP is most effective when used with ISDN.
• We will see how this is done when we discuss ISDN.

(Figure: two routers bundling the B channels of their BRI0 interfaces.)


Configuring Compression

• Point-to-point software compression can be configured on serial interfaces that use PPP encapsulation.

• Compression is performed in software and might significantly affect system performance.

• Compression is not recommended if most of the traffic consists of compressed files.

• To configure compression over PPP:

Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router(config-if)#compress [predictor | stac | mppc]


Error Detection

• Link Quality Monitoring (LQM) is available on all serial interfaces running PPP.

• LQM will monitor the link quality, and if the quality drops below a configured percentage, the link will be taken down.

• The percentages are calculated for both the incoming and outgoing directions.

Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router(config-if)#ppp quality percentage


Load Balancing

• Multilink PPP provides load balancing over the router interfaces that PPP uses.

• Packet fragmentation and sequencing, as specified in RFC 1717 (since superseded by RFC 1990), splits the load for PPP and sends fragments over parallel circuits.

• In some cases, this “bundle” of multilink PPP pipes functions as a single logical link, improving throughput and reducing latency between peer routers.

• Prior to MLP, two or more ISDN B channels could not be used in a standardized way while ensuring sequencing. MLP is most effective when used with ISDN.

Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router(config-if)#ppp multilink


debug ppp negotiation

• The debug ppp negotiation command enables you to view the PPP negotiation transactions, identify the problem or stage when the error occurs, and develop a resolution.

• During PPP negotiation, the link goes through several phases, as shown. • The end result is that PPP is either up or down.

Router#debug ppp negotiation
PPP protocol negotiation debugging is on
. . .
BR0:1 LCP: State is Open
. . .
PPP: Phase is AUTHENTICATING
. . .
BR0:1 IPCP: State is Open
. . .


debug ppp authentication

• The debug ppp authentication command displays the authentication exchange sequence.

• With two-way authentication configured, each router authenticates the other.

• Messages appear for both the authenticating process and the process of being authenticated.


Summary

• Upon completion of this chapter, student should be able to understand the following:
• Overview of Serial Communication & Standards
• TDM/STDM
• DTE & DCE
• HDLC Encapsulation
• Introduction to PPP & its Layered Architecture
• PPP Frame Structure
• PPP Session Establishment
• PPP Authentication: PAP, CHAP
• PPP Configurations


AACS5324 Advanced Computer Networks

Chapter 4

Frame Relay


Objectives

• Upon completion of this chapter, student should be able to understand the following:
• Introduction to Frame Relay
• Frame Relay Operation and Virtual Circuits
• Frame Relay Encapsulation
• Frame Relay Topologies
• Frame Relay Addressing & Mapping
• Frame Relay Configurations
• Frame Relay Advanced Concepts
• Paying for Frame Relay
• Bandwidth & Flow Control
• Solving Reachability Issues


Frame Relay

Basic Frame Relay Concepts


Introducing Frame Relay

• Frame Relay became the most widely used WAN technology in the world (at the time this course was written; it has since been largely displaced by MPLS and IP VPN services).
• Large enterprises, ISPs, and small businesses use Frame Relay because of its price and flexibility.
• Price: as corporations grow, so does their dependence on timely, reliable data transport. Leased line facilities become expensive.
• Flexibility: the pace of change and the global nature of businesses demand a flexible, world-wide solution.


Frame Relay - An Efficient and Flexible Technology

• Example: Bandwidth Requirements

(Figure: with a leased line, capacity has to be sized for the MAXIMUM bandwidth requirement of the site.)


• Example: Leased Lines

(Figure: each site has its own dedicated leased line into the provider's network.)


• Example: Leased Lines

(Figure: a T1 counted as 24 channels of 56 kb/s; this site only uses 7 of the 24.)


• Example: Leased Lines

(Figure: a T1 counted as 24 channels of 56 kb/s; this site only uses 5 of the 24.)


• Example: Frame Relay

(Figure: Frame Relay allows multiple links (virtual circuits) over a single 56 kb/s network connection.)


Introducing Frame Relay

• Cost Effectiveness:
• Customers only pay for the local loop, and for the bandwidth they purchase from the network provider.
• Distance between nodes is not important in FR.
• With dedicated lines, customers pay for an end-to-end connection. That includes the local loop and the network link.
• Shared bandwidth across a larger base of customers. Typically, a network provider can service 40 or more 56 kb/s customers over one T1 circuit.


Frame Relay WAN

• When you build a WAN, there are always 3 components:
• DTE
• DCE
• The component that sits in the middle, joining the 2 access points.
• In the late 1970s and into the early 1990s, the WAN technology typically used was the X.25 protocol. It is now considered a legacy protocol.
• X.25 provided a reliable connection over unreliable cabling infrastructures. It included additional error control and flow control.


• Frame Relay has lower overhead than X.25 because it has fewer capabilities.
• Modern WAN facilities offer more reliable lines and services.
• Frame Relay does not provide error correction.
• A Frame Relay node simply drops frames without notification when it detects errors.
• Any necessary error correction, such as retransmission of data, is left to the endpoints (for example, to TCP).
• Frame Relay detects transmission errors through a standard Cyclic Redundancy Check (the FCS carried in each frame).


Frame Relay Operation

• The Frame Relay DTE to DCE connection has two components:
• Physical Layer: defines the mechanical, electrical, functional, and procedural specifications for the connection.
• Data Link Layer: defines the protocol that establishes the connection between the DTE device (router) and the DCE device (provider's switch).


Virtual Circuits

• The connection through a Frame Relay network between two DTEs is called a virtual circuit (VC).
• The circuits are virtual because there is no direct electrical connection from end to end.
• The connection is logical: data moves from end to end without a direct electrical circuit.
• Bandwidth is shared among multiple users. Any single site can communicate with any other single site without using multiple dedicated physical lines.
• Two types:
• Switched (SVC): dynamic call set up; disappears when done.
• Permanent (PVC): preconfigured by the provider and always present.


• Any single site can communicate with any other single site without using multiple dedicated physical lines.

(Figure: Windsor, Toronto and Vancouver each connect to the provider's Frame Relay cloud. Each site only pays for its connection to the provider's DCE.)


• VCs are identified by DLCIs (or, in English, Virtual Circuits are identified by Data Link Connection Identifiers).
• Permanent Virtual Circuit = PVC.
• Switched Virtual Circuit = SVC.
• DLCI values are assigned by the Frame Relay service provider.
• The DLCI is used to route Frame Relay traffic.
• Frame Relay DLCIs only have local significance. A DLCI simply identifies a VC to the equipment at an endpoint and is only unique on the physical channel where it resides.
• The DLCI value itself is not unique in the provider's Frame Relay WAN.


Local Significance of DLCIs

• A DLCI simply identifies a VC to the equipment at an endpoint and is only unique on the physical channel where it resides.


Identifying Virtual Circuits (VC)

• As the frame moves across the network, Frame Relay labels each VC with a DLCI.
• The DLCI is stored in the address field of every frame to tell the network how the frame should be routed.
• The Frame Relay service provider assigns DLCI numbers.
• DLCIs 0 to 15 and 1008 to 1023 are reserved for special purposes.
• Service providers typically assign DLCIs in the range of 16 to 1007.


(Figure: each Frame Relay switch has a table that is used to build the virtual circuit. As the frame moves through the switch, the DLCI is adjusted to follow the predetermined path through the network.)

VC   Port   DLCI
21   0      222
22   1      119
23   2      309
24   3      721
25   4      432


• Any single site can communicate with any other single site without using multiple dedicated physical lines.

(Figure: Windsor, Toronto and Vancouver on the provider's cloud, with the DLCI pairs drawn for each site: Windsor 102-119 and 102-432; Toronto 119-102 and 119-432; Vancouver 432-102 and 432-119.)


Multiple Virtual Circuits

• Frame Relay is statistically multiplexed. It transmits only one frame at a time, but many logical connections can co-exist on a single physical line.
• Multiple VCs on a single physical line are distinguished because each VC has its own DLCI.
• Reduces the equipment and network complexity required to connect multiple devices.
• Cost-effective replacement for a mesh of access lines.
• More savings arise as the capacity of the access line is based on the average bandwidth requirement of the VCs, rather than on the maximum bandwidth requirement.


• Example: Frame Relay

(Figure: access-line capacity based on the average bandwidth of the VCs.)


Frame Relay Encapsulation

• Frame Relay takes data packets from a network layer protocol and encapsulates them as the data portion of a Frame Relay frame.

(Figure: Frame Relay frame format; the address field that carries the DLCI spans 2 bytes.)


Frame Relay Topologies

• A topology is the map or visual layout of the network.
• You need to consider the topology in order to understand the network and the equipment used to build the network.
• Every network or network segment can be viewed as being one of three topology types:
• Star (Hub and Spoke)
• Full Mesh
• Partial Mesh


• Star (Hub and Spoke):
• The simplest WAN topology.
• A central site that acts as a hub and hosts the primary services.

(Figure: one site with multiple VCs.)


• Full Mesh:
• A full mesh topology connects every site to every other site. Using leased-line interconnections, additional serial interfaces and lines add costs.

Formula: [n(n - 1)]/2

# Sites   # Circuits
2         1
3         3
4         6
5         10
6         15
7         21


• Full Mesh:
• Using Frame Relay, a network designer can build multiple connections simply by configuring additional VCs on each existing link.
• No additional expense for communication lines or hardware.


• Partial Mesh:
• For large networks, a full mesh topology is seldom affordable.
• The issue is not with the cost of the hardware, but because there is a theoretical limit of less than 1,000 VCs per link. In practice, the limit is less than that.
• For this reason, larger networks are generally configured in a partial mesh topology.
• With partial mesh, there are more interconnections than required for a star arrangement, but not as many as for a full mesh. The actual pattern is dependent on the data flow requirements.


Frame Relay Address Mapping

• Before a router is able to transmit data over Frame Relay, it needs to know which local DLCI maps to the Layer 3 address of the remote destination.


Frame Relay Address Mapping – WHY?

(Figure: when R2 has a packet to transmit, it must know which DLCI to put in the Layer 2 header.)


(Figure, step 1: R2 has a packet to transmit to 10.1.1.3.)


• Two methods:
• Dynamic Address Mapping.
• Static Address Mapping.


• Dynamic Address Mapping:
• Uses Inverse ARP (IARP).
• ARP: Layer 3 address to obtain Layer 2 address.
• IARP: Layer 2 address to obtain Layer 3 address.
• In the case of Frame Relay, IARP uses the Layer 2 DLCI to obtain the Layer 3 address of the router at the other end of the PVC.
• On Cisco routers, Inverse ARP is enabled by default for only those protocols enabled on the physical interface.

Page 289: Ccna 4

• Static address mapping:
  • Overrides dynamic IARP mapping by supplying a manual static mapping of the next-hop protocol address to a local DLCI.
  • A static map associates a specified next-hop protocol address with a local Frame Relay DLCI.
  • You cannot use Inverse ARP and a map statement for the same DLCI and protocol: configuring a static map for a DLCI disables Inverse ARP on it.
  • WHEN?
    • The router at the other end of the PVC does not support IARP for the protocol you are using.
    • Hub-and-spoke Frame Relay.

Frame Relay Address Mapping

Page 290: Ccna 4

• History:
  • When vendors implemented Frame Relay as a separate technology, they decided that there was a need for DTEs to dynamically acquire information about the status of the network.
  • The original design did not include this option.
  • A consortium of Cisco, Digital Equipment Corporation (DEC), Northern Telecom, and StrataCom extended the Frame Relay protocol to provide additional capabilities for complex internetworking environments.
  • These extensions are referred to collectively as the LMI.

Local Management Interface (LMI)

Page 291: Ccna 4

• Basically, the LMI is a keepalive mechanism that provides status information about Frame Relay connections between the router (DTE) and the Frame Relay switch (DCE).

• Every 10 seconds or so, the end device polls the network.

• If the network does not respond with the requested information, the user device may consider the connection to be down.

• When the network responds with a FULL STATUS response, it includes status information about DLCIs that are allocated to that line.

• The end device can use this information to determine whether the logical connections are able to pass data.

Local Management Interface (LMI)

Page 292: Ccna 4

• The 10-bit DLCI field supports 1,024 VC identifiers: 0 through 1023.

• The LMI extensions reserve some of these identifiers, thereby reducing the number of permitted VCs.

• LMI messages are exchanged between the DTE and DCE using these reserved DLCIs.

Local Management Interface (LMI)

Page 293: Ccna 4

• There are several LMI types, each of which is incompatible with the others.

• Three types of LMI are supported by Cisco routers:
  • cisco - the original LMI extension
  • ansi - corresponding to the ANSI standard T1.617 Annex D
  • q933a - corresponding to the ITU-T standard Q.933 Annex A

Local Management Interface (LMI)

Page 294: Ccna 4

• Starting with Cisco IOS software release 11.2, the default LMI autosense feature detects the LMI type supported by the directly connected Frame Relay switch.

• If it is necessary to set the LMI type, use the interface configuration command:

frame-relay lmi-type [cisco | ansi | q933a]

• Configuring the LMI type disables the autosense feature.

Local Management Interface (LMI)

Page 295: Ccna 4

• For example:

Local Management Interface (LMI)

There will be no connection to the Frame Relay network unless the router and the Frame Relay switch are using the same type of LMI.

Page 296: Ccna 4

Frame Relay

Configuring Frame Relay

Page 297: Ccna 4

1. Set up the IP address on the interface.

2. Configure Frame Relay encapsulation.

encapsulation frame-relay [cisco | ietf]

• The default Frame Relay encapsulation is cisco (without Frame Relay, a Cisco serial interface defaults to HDLC). Use ietf when connecting to another vendor's router.

3. Set the bandwidth.
• Use the bandwidth command to set the interface bandwidth (in kb/s) that OSPF and EIGRP use in their metric calculations; it does not change the actual rate of the circuit.

4. Set the LMI type (optional). Autosense detects the LMI type by default.

frame-relay lmi-type [cisco | ansi | q933a]

Configuring Basic Frame Relay

Page 298: Ccna 4

Configuring Basic Frame Relay

Page 299: Ccna 4

Configuring Basic Frame Relay

• Once the interfaces are enabled with the no shutdown command:
  • The Frame Relay switch and the router exchange LMI status messages that announce the DLCIs to the router.
  • IARP maps the remote Layer 3 address to the local DLCI.
  • Routers can exchange data.

Page 300: Ccna 4

Configuring Basic Frame Relay

Page 301: Ccna 4

Configuring Basic Frame Relay

Page 302: Ccna 4

Configuring Basic Frame Relay

We used IARP to obtain the DLCI-to-IP-address mapping.

Remember that IARP only resolves the address of the router at the far end of each PVC, so it only works between routers that are directly connected by a PVC.

Page 303: Ccna 4

Configuring Basic Frame Relay

Figure: full mesh of PVCs.

Page 304: Ccna 4

• To manually map between a next-hop protocol address and a DLCI destination address, use the frame-relay map command. Its first argument is the protocol used on the interface (e.g. IP), followed by the next-hop protocol address and the local DLCI.

Configuring Static Frame Relay Maps

Page 305: Ccna 4

• Frame Relay (like X.25 and ATM) is a non-broadcast multi-access (NBMA) network.
  • It does not natively support multicast or broadcast traffic.
  • Adding the broadcast keyword to a map statement is a simple way to get routing updates forwarded.
  • It allows broadcasts and multicasts to be sent over the PVC.
  • In effect, the router turns each broadcast into a unicast on that PVC, so that the node at the other end gets the routing updates.

Configuring Static Frame Relay Maps

Page 306: Ccna 4

• When do we use a static map?
  • Hub-and-spoke topology.
  • Partial mesh topology.
  • If you absolutely need a connection between two sites that are already on your Frame Relay network and there is no PVC between them.

Configuring Static Frame Relay Maps

Page 307: Ccna 4

Configuring Static Frame Relay Maps

No PVC between R1 and R3.

Page 308: Ccna 4

Configuring Static Frame Relay Maps

No PVC between R1 and R3.

R1 and R3 know about R2. R1 and R3 don't know about each other.

Page 309: Ccna 4

• How do we fix it?
  • Add another PVC to the network: additional expense.
  • Add a static Frame Relay map to both R1 and R3.
    • R1: map the R3 IP address 10.1.1.3 to DLCI 102 on R1. Anything for that network should go to the hub.
    • R3: map 10.1.1.1 to DLCI 302.

Configuring Static Frame Relay Maps

Page 310: Ccna 4

Configuring Static Frame Relay Maps

Page 311: Ccna 4

Configuring Static Frame Relay Maps

Page 312: Ccna 4

Frame Relay

Configuring Advanced Frame Relay

Page 313: Ccna 4

Advanced Frame Relay Concepts

• Paying for Frame Relay:
  • Customers simply buy Frame Relay services from a service provider.
  • Access rate or port speed - from a customer's point of view, the service provider provides a serial connection to the Frame Relay network over a leased line.
  • Access rate is the rate at which your access circuits join the Frame Relay network.
  • These are typically at 56 kb/s, T1 (1.536 Mb/s), or fractional T1 (a multiple of 56 kb/s or 64 kb/s).
  • It is not possible to send data at higher than port speed.

Page 314: Ccna 4

Advanced Frame Relay Concepts

• Paying for Frame Relay:
  • Customers simply buy Frame Relay services from a service provider.
  • Committed Information Rate (CIR) - customers negotiate a CIR with the service provider for each PVC.
  • The service provider guarantees that the customer can send data at the CIR.
  • All frames received at or below the CIR are accepted.
  • A great advantage of Frame Relay is that any network capacity that is unused is made available to, or shared with, all customers, usually at no extra charge.
  • This allows customers to "burst" over their CIR as a bonus.

Page 315: Ccna 4

Advanced Frame Relay Concepts

• Paying for Frame Relay:
  • Access or port speed: the cost of the access line from the DTE to the DCE (customer to service provider).
  • Permanent Virtual Circuit (PVC): this cost component is based on the number of PVCs.
  • Committed Information Rate (CIR): customers normally choose a CIR lower than the port speed or access rate (U.S.). This allows them to take advantage of bursts.

Page 316: Ccna 4

Advanced Frame Relay Concepts

• Paying for Frame Relay:
  • Oversubscription:

• Service providers sometimes sell more capacity than they have on the assumption that not everyone will demand their entitled capacity all of the time.

• Because of oversubscription, there will be instances when the sum of CIRs from multiple PVCs to a given location is higher than the port or access channel rate.

• This can cause traffic issues, such as congestion and dropped traffic.

• Be aware that this can happen!

Page 317: Ccna 4

Advanced Frame Relay Concepts

• Bursting:
  • Because the physical circuits of the Frame Relay network are shared between subscribers, there will often be times when there is excess bandwidth available.
  • Frame Relay can allow customers to dynamically access this extra bandwidth and "burst" over their CIR for free.

Page 318: Ccna 4

Advanced Frame Relay Concepts

• Committed Burst Information Rate (CBIR)
  • The CBIR is a negotiated rate above the CIR which the customer can use to transmit for short bursts.
  • A device can burst up to the CBIR and still expect the data to get through.
  • If bursts persist, then a higher CIR should be purchased.
  • Frames submitted above the CIR but within the CBIR are marked as Discard Eligible (DE) in the frame header, indicating that they may be dropped if there is congestion or not enough capacity in the network.
  • Frames within the negotiated CIR are not eligible for discard (DE = 0).

• Excess Burst Size (BE)
  • The BE is the term used to describe the bandwidth available above the CBIR up to the access rate of the link. Unlike the CBIR, it is not negotiated.
  • Frames may be transmitted at this level but will most likely be dropped.
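As an added illustration that is not part of the original slides, the following Python models how a provider-edge policer sorts one PVC's frames into the bands described above: within the CIR (forwarded, DE = 0), between the CIR and the CBIR (forwarded, DE = 1), above the CBIR but within the access rate (DE = 1 and dropped when the network is congested), and above the port speed (cannot be sent at all). The rates, the one-second measurement interval and the 1500-byte frames are constructed example values, not figures from the page.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class FrPolicer:
    """Admission control for one PVC, measured over intervals of tc seconds.

    cir, cbir and access_rate are in bits per second. Assumed figures for the
    example: real values are whatever the contract with the provider says.
    """
    cir: int            # committed information rate: guaranteed, DE = 0
    cbir: int           # committed burst rate: forwarded but marked DE = 1
    access_rate: int    # port speed: nothing can be sent faster than this
    tc: float = 1.0     # measurement interval in seconds
    _interval: int = field(default=-1, init=False)
    _bits_in_interval: int = field(default=0, init=False)

    def offer(self, t: float, size_bytes: int, congested: bool = False) -> Tuple[str, bool, bool]:
        """Classify a frame of size_bytes offered at time t.

        Returns (band, de_bit, forwarded). Only forwarded frames count
        against the interval's budget.
        """
        interval = int(t // self.tc)
        if interval != self._interval:          # new interval: budget starts over
            self._interval, self._bits_in_interval = interval, 0
        total = self._bits_in_interval + size_bytes * 8
        bc = self.cir * self.tc                 # bits guaranteed per interval
        cb = self.cbir * self.tc                # bits allowed as a DE-marked burst
        port = self.access_rate * self.tc       # physical ceiling of the access circuit
        if total <= bc:
            band, de, forwarded = "committed", False, True
        elif total <= cb:
            band, de, forwarded = "burst", True, True
        elif total <= port:
            # BE region: the frame goes out DE-marked, and is the first to be
            # discarded when the network is congested.
            band, de, forwarded = "excess", True, not congested
        else:
            band, de, forwarded = "over_port", True, False
        if forwarded:
            self._bits_in_interval = total
        return band, de, forwarded


def example_bands(congested: bool = False) -> List[Tuple[str, bool, bool]]:
    """Constructed example: CIR 64 kb/s, CBIR 96 kb/s, 128 kb/s port,
    eleven 1500-byte frames offered within one interval."""
    policer = FrPolicer(cir=64_000, cbir=96_000, access_rate=128_000)
    return [policer.offer(i * 0.05, 1500, congested) for i in range(11)]


if __name__ == "__main__":
    for congested in (False, True):
        print(f"congested={congested}")
        for n, (band, de, fwd) in enumerate(example_bands(congested), start=1):
            print(f"  frame {n:2d}: {band:9s} DE={int(de)} forwarded={fwd}")
```

With these numbers the first five frames (60,000 bits) fit inside the CIR, frames six to eight use the burst allowance and go out with DE set, frames nine and ten fall in the BE region, and the eleventh would exceed the port speed for the interval. Under congestion the BE frames are dropped instead, which is the behaviour the slides describe as "will most likely be dropped".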

Page 319: Ccna 4

Advanced Frame Relay Concepts

• Frame Relay Discard Eligibility bit:
  • The frame header also contains a Discard Eligibility (DE) bit, which identifies less important traffic that can be dropped during periods of congestion.

• DTE devices can set the value of the DE bit to indicate that the frame has lower importance than other frames.

• The DE bit is automatically set during a “burst” situation.

Page 320: Ccna 4

Advanced Frame Relay Concepts

• Frame Relay flow control:
  • Frame Relay flow control is a matter of controlling congestion on the Frame Relay network.
  • There are two bits that are set in the frame header when congestion occurs:
    • Forward Explicit Congestion Notification (FECN)
    • Backward Explicit Congestion Notification (BECN)

Page 321: Ccna 4

Advanced Frame Relay Concepts

• Frame Relay Flow Control:

• While Frame Relay Switch A is placing a large frame on interface 1, other frames for this interface are queued.

Traffic Flow

Page 322: Ccna 4

Advanced Frame Relay Concepts

• Frame Relay Flow Control:

• When the queue is sent, downstream devices are warned of the queue by setting the FECN bit in the header of the frames that were received on the congested link.

Traffic Flow

Page 323: Ccna 4

• Frame Relay Flow Control:

• Upstream devices are warned of the queue by setting the BECN bit in the header of any frames sent on the congested link.

• Each upstream device receives the BECN frame.

Advanced Frame Relay Concepts

Traffic Flow

Page 324: Ccna 4

• Frame Relay Flow Control:

• Even though a device may not have contributed to the congestion, it still receives the BECN frame.

• Each device that provides input to the switch is instructed to reduce the rate at which it is sending packets.

Advanced Frame Relay Concepts
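The following Python, added here as an example and not part of the original slides, encodes and decodes the two-byte Frame Relay address field in which the 10-bit DLCI, the FECN, BECN and DE bits and the EA (address extension) bits discussed on the preceding slides live, and shows what a congested switch does when it sets FECN or BECN on a frame. The LMI DLCI values (1023 for the Cisco LMI, 0 for ANSI Annex D and Q.933 Annex A) are the standard values and are not stated on the page; the frames are constructed inline.

```python
from dataclasses import dataclass

# DLCIs that the LMI extensions reserve for their own messages (standard values,
# not from the slides). Other reserved ranges are not modelled here.
LMI_DLCI = {"cisco": 1023, "ansi": 0, "q933a": 0}


@dataclass
class FrAddress:
    dlci: int           # 10-bit virtual circuit identifier, 0..1023
    cr: bool = False    # Command/Response bit, carried transparently by the network
    fecn: bool = False  # Forward Explicit Congestion Notification
    becn: bool = False  # Backward Explicit Congestion Notification
    de: bool = False    # Discard Eligibility


def encode(a: FrAddress) -> bytes:
    """Build the 2-byte address field.

    Byte 0: DLCI bits 9..4 | C/R | EA=0 (another address byte follows).
    Byte 1: DLCI bits 3..0 | FECN | BECN | DE | EA=1 (last address byte).
    """
    if not 0 <= a.dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((a.dlci >> 4) << 2) | (int(a.cr) << 1)
    b1 = ((a.dlci & 0xF) << 4) | (int(a.fecn) << 3) | (int(a.becn) << 2) | (int(a.de) << 1) | 1
    return bytes([b0, b1])


def decode(frame: bytes) -> FrAddress:
    """Parse the address field at the start of a frame (2-byte addresses only)."""
    if len(frame) < 2:
        raise ValueError("truncated address field")
    b0, b1 = frame[0], frame[1]
    if (b0 & 1) or not (b1 & 1):
        raise ValueError("EA bits do not describe a 2-byte address")
    return FrAddress(
        dlci=((b0 >> 2) << 4) | (b1 >> 4),
        cr=bool(b0 & 0x02),
        fecn=bool(b1 & 0x08),
        becn=bool(b1 & 0x04),
        de=bool(b1 & 0x02),
    )


def mark_congestion(frame: bytes, fecn: bool = False, becn: bool = False) -> bytes:
    """What a congested switch does: set FECN on frames heading towards the
    congested queue, BECN on frames travelling back towards the senders.
    The rest of the frame is passed through unchanged."""
    a = decode(frame)
    a.fecn = a.fecn or fecn
    a.becn = a.becn or becn
    return encode(a) + frame[2:]


def classify(frame: bytes, lmi_type: str) -> str:
    """'lmi' if the frame is on the LMI DLCI for this LMI type, else 'data'."""
    return "lmi" if decode(frame).dlci == LMI_DLCI[lmi_type] else "data"


if __name__ == "__main__":
    # Constructed frame on DLCI 102 (the R1-to-R2 DLCI used on the slides).
    frame = encode(FrAddress(dlci=102)) + b"payload"
    print(frame[:2].hex(), decode(frame))
    print(decode(mark_congestion(frame, becn=True)))
    print(classify(encode(FrAddress(dlci=1023)), "cisco"), classify(encode(FrAddress(dlci=1023)), "ansi"))
```

The DLCI is split across the two bytes, which is why a mismatched LMI type is invisible in the user data but shows up immediately in which DLCI the keepalives arrive on: a router expecting Cisco LMI on DLCI 1023 treats the switch's ANSI messages on DLCI 0 as traffic for an unknown circuit.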

Traffic Flow

Page 325: Ccna 4

Solving Reachability Issues

• Frame Relay is a Non-Broadcast Multi-Access (NBMA) network.

• In Ethernet, multiple nodes can access the network and all nodes see all broadcasts or multicasts.

• However, in a non-broadcast network such as Frame Relay, nodes cannot see broadcasts of other nodes unless they are directly connected by a virtual circuit.

• This means that Branch A cannot directly see the broadcasts from Branch B, because they are connected using a hub-and-spoke topology.

Page 326: Ccna 4

Solving Reachability Issues

Multiple-Access (MA)
• A Frame Relay network is a type of shared network in which many devices are attached to the same network and share its bandwidth.

Non-Broadcast (NB)
• A virtual circuit must be established between two DTEs attached to the Frame Relay network before bidirectional communication can begin. Frames transmitted over the virtual circuit are seen only by those two DTEs, which is what makes the network non-broadcast.

Page 327: Ccna 4

Solving Reachability Issues

• Example:
  • The Central router learns about Network X from Branch A.
  • That update is learned via S0/0.
  • The Central router must then send its own update to Branch B and Branch C.

Split horizon prohibits routing updates received on an interface from exiting that same interface.

Page 328: Ccna 4

Solving Reachability Issues

• One solution is to turn off split horizon for IP.

• Of course, with split horizon disabled, the protection it affords against routing loops is lost.

• Split horizon is only an issue with distance vector routing protocols like RIP and EIGRP.

• It has no effect on link state routing protocols like OSPF.

no ip split-horizon

Page 329: Ccna 4

Frame Relay Subinterfaces

• A better solution is to use subinterfaces.

• Subinterfaces are logical subdivisions of a physical interface.

• In split-horizon routing environments, routing updates received on one subinterface can be sent out on another subinterface.

• With this configuration, each PVC can be configured as a point-to-point connection and treated as a separate physical interface, similar to a single leased line.
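The hub-and-spoke problems from the static-map slides and from the split-horizon slides, worked in Python as an added example (not code from the original page): a spoke's map table with and without a static entry for the far spoke, and the routes a hub advertises to one spoke after learning them from another, with split horizon on a single physical interface versus point-to-point subinterfaces. R1 (10.1.1.1, DLCI 102) and R3 (10.1.1.3, DLCI 302) come from the slides; R2's address 10.1.1.2, its local DLCIs 201 and 203, the subinterface names and network X's prefix 10.10.1.0/24 are assumed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Pvc:
    dlci: int       # local DLCI of this PVC
    peer_ip: str    # Layer 3 address of the router at the far end (what IARP learns)
    iface: str      # physical interface, or point-to-point subinterface, the PVC is tied to


@dataclass
class FrRouter:
    name: str
    pvcs: List[Pvc]
    static_maps: Dict[str, int] = field(default_factory=dict)  # next-hop IP -> local DLCI
    routes: Dict[str, str] = field(default_factory=dict)       # prefix -> interface it was learned on

    def map_table(self) -> Dict[str, int]:
        """What `show frame-relay map` would list."""
        # IARP yields one dynamic entry per PVC: the far-end IP seen on that DLCI.
        table = {p.peer_ip: p.dlci for p in self.pvcs}
        # Static maps cover destinations that have no PVC of their own.
        table.update(self.static_maps)
        return table

    def resolve(self, next_hop: str) -> Optional[int]:
        """DLCI to put in the Layer 2 header for this next hop, or None if unmapped."""
        return self.map_table().get(next_hop)

    def receive_update(self, iface: str, prefixes: Set[str]) -> None:
        for prefix in prefixes:
            self.routes.setdefault(prefix, iface)

    def update_out(self, iface: str, split_horizon: bool = True) -> Set[str]:
        """Prefixes advertised out `iface`; split horizon drops those learned on that same interface."""
        return {p for p, learned_on in self.routes.items()
                if not (split_horizon and learned_on == iface)}


NETWORK_X = "10.10.1.0/24"   # assumed: a network behind R1


def spoke_r1(with_static_map: bool) -> FrRouter:
    """R1 has a single PVC to the hub R2 (assumed 10.1.1.2) on DLCI 102."""
    r1 = FrRouter("R1", [Pvc(102, "10.1.1.2", "S0/0")])
    if with_static_map:
        # equivalent of: frame-relay map ip 10.1.1.3 102 broadcast
        r1.static_maps["10.1.1.3"] = 102
    return r1


def routes_r3_learns(point_to_point: bool, split_horizon: bool = True) -> Set[str]:
    """Routes hub R2 advertises towards R3 after learning network X from R1."""
    if point_to_point:
        pvcs = [Pvc(201, "10.1.1.1", "S0/0.201"), Pvc(203, "10.1.1.3", "S0/0.203")]
    else:
        pvcs = [Pvc(201, "10.1.1.1", "S0/0"), Pvc(203, "10.1.1.3", "S0/0")]
    r2 = FrRouter("R2", pvcs)
    to_r1 = next(p for p in pvcs if p.peer_ip == "10.1.1.1")
    to_r3 = next(p for p in pvcs if p.peer_ip == "10.1.1.3")
    r2.receive_update(to_r1.iface, {NETWORK_X})
    return r2.update_out(to_r3.iface, split_horizon)


if __name__ == "__main__":
    print("R1 -> 10.1.1.3, no static map:  ", spoke_r1(False).resolve("10.1.1.3"))
    print("R1 -> 10.1.1.3, with static map:", spoke_r1(True).resolve("10.1.1.3"))
    print("R3 learns, one physical interface, split horizon:", routes_r3_learns(False))
    print("R3 learns, one physical interface, no split horizon:", routes_r3_learns(False, False))
    print("R3 learns, point-to-point subinterfaces:", routes_r3_learns(True))
```

Without the static map R1 has no DLCI for 10.1.1.3 and the packet cannot be framed at all; with it, traffic for R3 is sent to the hub on DLCI 102. On the hub, both PVCs terminating on S0/0 means network X was learned on the very interface it would have to be advertised out of, so split horizon suppresses it; giving each PVC its own point-to-point subinterface makes the inbound and outbound interfaces differ and the update goes through with split horizon still enabled.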

Page 330: Ccna 4

Frame Relay Subinterfaces

• There are two types of Frame Relay subinterfaces:
  • Point-to-point: acts as a leased line; each PVC is on a separate subnet.
  • Multipoint: acts as an NBMA network, so it is no solution to split horizon; all PVCs are on the same subnet.

How to configure – stay tuned!

Page 331: Ccna 4

Frame Relay

Configuring Advanced Frame Relay

Page 332: Ccna 4

Configuring Frame Relay Subinterfaces

R1(config)# interface serial-number

R1(config-if)# encapsulation frame-relay

R1(config-if)# interface serial-number.subinterface-number {multipoint | point-to-point}

R1(config-subif)# frame-relay interface-dlci dlci-number

1. Configure encapsulation on the physical interface.

2. Create the sub-interface with the IP address and any other parameters that apply.

3. Use frame-relay interface-dlci to assign the DLCI to the sub-interface. On a point-to-point sub-interface this is the whole mapping, so frame-relay map is not used here.

Page 333: Ccna 4

Configuring Frame Relay Subinterfaces

Note that the IP addressing scheme has changed to provide separate IP subnets for each Frame Relay link.

Also note that the DLCI number is used as the sub-interface number.

Page 334: Ccna 4

Configuring Frame Relay Subinterfaces

Page 335: Ccna 4

Configuring Frame Relay Subinterfaces

Page 336: Ccna 4

Configuring Frame Relay Subinterfaces

1. Configure Frame Relay encapsulation on the physical interface.

2. Create a sub-interface for each DLCI on the connection.
  • Use the DLCI number as the sub-interface number; it helps in troubleshooting.
  • Configure the IP address.
  • Assign the DLCI with frame-relay interface-dlci.

3. Activate the entire physical interface with no shutdown; the sub-interfaces come up with it and are not activated individually.

4. Use the following commands to verify:
  • show frame-relay map
  • show frame-relay lmi
  • show frame-relay pvc [dlci-number]
  • debug frame-relay lmi