Remote Access Konfigurasi Rangkaian Meluas (WAN).

Remote AccessKonfigurasi Rangkaian Meluas (WAN)

WAN - Flashback A WAN is a data communications network that operates beyond the

geographic scope of a LAN.

WANs are different from LANs in several ways. While a LAN connects computers, peripherals, and other devices in a single building or other small geographic area, a WAN allows the transmission of data across greater geographic distances.

In addition, an enterprise must subscribe to a WAN service provider to use WAN carrier network services. LANs are typically owned by the company or organization that uses them.

WANs use facilities provided by a service provider, or carrier, such as a telephone or cable company, to connect the locations of an organization to each other, to locations of other organizations, to external services, and to remote users. WANs generally carry a variety of traffic types, such as voice, data, and video.

WAN - Flashback The three major characteristics of WANs:

WANs generally connect devices that are separated by a broader geographical area than can be served by a LAN.

WANs use the services of carriers, such as telephone companies, cable companies, satellite systems, and network providers.

WANs use serial connections of various types to provide access to bandwidth over large geographic areas.

WAN - Flashback

Why Are WANs Necessary? LAN technologies provide both speed and cost-efficiency for

the transmission of data in organizations over relatively small geographic areas.

However, there are other business needs that require communication among remote sites, including the following: People in the regional or branch offices of an organization need

to be able to communicate and share data with the central site.

Organizations often want to share information with other organizations across large distances. For example, software manufacturers routinely communicate product and promotion information to distributors that sell their products to end users.

Employees who travel on company business frequently need to access information that resides on their corporate networks.

WANs and the OSI Model In relation to the OSI reference model, WAN operations focus primarily

on Layer 1 and Layer 2. WAN access standards typically describe both Physical layer delivery methods and Data Link layer requirements, including physical addressing, flow control, and encapsulation. WAN access standards are defined and managed by a number of recognized authorities, including the International Organization for Standardization (ISO), the Telecommunication Industry Association (TIA), and the Electronic Industries Alliance (EIA).

The Physical layer (OSI Layer 1) protocols describe how to provide electrical, mechanical, operational, and functional connections to the services of a communications service provider.

The Data Link layer (OSI Layer 2) protocols define how data is encapsulated for transmission toward a remote location and the mechanisms for transferring the resulting frames. A variety of different technologies are used, such as Frame Relay and ATM. Some of these protocols use the same basic framing mechanism, High-Level Data Link Control (HDLC), an ISO standard, or one of its subsets or variants.

WANs and the OSI Model

WAN Physical Layer Terminology

WAN Physical Layer Terminology

Customer Premises Equipment (CPE)-The devices and inside wiring located at the premises of the subscriber and connected with a telecommunication channel of a carrier. The subscriber either owns the CPE or leases the CPE from the service provider. A subscriber, in this context, is a company that arranges for WAN services from a service provider or carrier.

Data Communications Equipment (DCE)-Also called data circuit-terminating equipment, the DCE consists of devices that put data on the local loop. The DCE primarily provides an interface to connect subscribers to a communication link on the WAN cloud.

Data Terminal Equipment (DTE)-The customer devices that pass the data from a customer network or host computer for transmission over the WAN. The DTE connects to the local loop through the DCE.

WAN Physical Layer Terminology Demarcation Point-A point established in a building or complex to

separate customer equipment from service provider equipment. Physically, the demarcation point is the cabling junction box, located on the customer premises, that connects the CPE wiring to the local loop. It is usually placed for easy access by a technician. The demarcation point is the place where the responsibility for the connection changes from the user to the service provider. This is very important because when problems arise, it is necessary to determine whether the user or the service provider is responsible for troubleshooting or repair.

Local Loop-The copper or fiber telephone cable that connects the CPE at the subscriber site to the CO of the service provider. The local loop is also sometimes called the "last-mile."

Central Office (CO)-A local service provider facility or building where local telephone cables link to long-haul, all-digital, fiber-optic communications lines through a system of switches and other equipment.

WAN Connection Types The Remote Access is concerned

primarily with five types of WAN connections. These are predominately older, more established technologies. Asynchronous dial-up X.25 ISDN Frame Relay Leased lines

WAN Connection Options

Leased lines Typically, these are referred to as a point-to-point

connection or dedicated connection. A leased line is a pre-established WAN communications path from the CPE, through the DCE switch, to the CPE of the remote site, allowing DTE networks to communicate at any time with no setup procedures before transmitting data.

When cost is no object, it’s really the best choice. It uses synchronous serial lines up to 45Mbps. HDLC and PPP encapsulations are frequently used on leased lines.

Circuit switching When you hear the term circuit switching, think phone

call. The big advantage is cost—you only pay for the time you actually use. No data can transfer before an end-to-end connection is established.

Circuit switching uses dial-up modems or ISDN, and is used for low-bandwidth data transfers.

Packet switching This is a WAN switching method that allows you to share

bandwidth with other companies to save money. Packet switching can be thought of as a network that’s

designed to look like a leased line, yet charges you (and costs) more like circuit switching.

There is a downside: If you need to transfer data constantly, forget about this option. Just get yourself a leased line.

Packet switching will only work well if your data transfers are bursty in nature. Frame Relay and X.25 are packet-switching technologies. Speeds can range from 56Kbps to T3 (45Mbps).

DSL and cable modem technologies have greatly enhanced the options available for home users. At present, neither is as flexible and universally available as asynchronous connections are, but both do offer substantial bandwidth at a relatively low cost.

Asynchronous Transfer Mode (ATM) is a cell-based system similar in many respects to Frame Relay, although the use of fixed length cells can make ATM better suited to installations that integrate voice, video, and data.

Wireless technologies include microwave, 802.11 LANs, laser and satellite systems, which typically require a fixed transmitter and receiver, although major strides are being made to add mobility.

Cellular systems are very mobile, but they do not provide substantial bandwidth.

REMOTE ACCESS Remote Access secara umumnya ditakrifkan

sebagai satu perkhidmatan yang digunakan untuk menghubungkan pejabat-pejabat pada kawasan geografi yang luas.

These services are typically encompassed under the guise of a wide area network (WAN).

Secara kebiasaannya, rangkaian kawasan meluas menggunakan pembekal telekomunikasi untuk menghubungkan lokasi jauh; walau bagaimanapun, definisi ini sedang mengalami perubahan yang besar.

REMOTE ACCESS Kebanyakan pembekal mula menawarkan

teknologi Ethernet pada jarak yang jauh, walaupun Ethernet biasanya adalah teknologi rangkaian kawasan setempat (LAN). Tidak seperti LAN, WAN biasanya menggunakan infrastruktur telekomunikasi - satu kumpulan perkhidmatan yang telah disewa daripada pembekal perkhidmatan dan syarikat-syarikat telefon.

REMOTE ACCESS Historically, the most common remote access installations have

involved connectivity between fixed locations and a corporation’s headquarters. Such installations are relatively simple once a design has been selected since the solution used for the first office is applicable to the hundredth.

Designers need only concern themselves with scalability and availability—as long as the bandwidth needs of each office are comparable. In the modern remote access design, the architect needs to focus on multiple solutions to address not only the branch office, but also the sales force (a typically mobile group) and telecommuters working from their homes. Residential installations usually have a different set of needs than office configurations, and T-1 and other high-speed access technologies are usually not available for home use.

Selecting a WAN Protocol The following list is composed of a number of factors

for you to consider when selecting a WAN type: Availability Bandwidth Cost Manageability Applications in use Quality of service Reliability Security

As you can deduce from the list, many of these elements are common to any network design regardless of its WAN or LAN delineation.

WAN Encapsulation The only WAN protocols configured on a

serial interface these days: High-Level Data-Link Control (HDLC) Point-to-point (PPP) Frame Relay

High-Level Data-Link Control Protocol (HDLC) The High-Level Data-Link Control (HDLC) protocol is a

popular ISO-standard, bit-oriented Data Link layer protocol.

It specifies an encapsulation method for data on synchronous serial data links using frame characters and checksums.

HDLC is a point-to-point protocol used on leased lines. No authentication can be used with HDLC.

In byte-oriented protocols, control information is encoded using entire bytes.

On the other hand, bit-oriented protocols may use single bits to represent control information. Bit-oriented protocols include SDLC, LLC, HDLC, TCP, IP, and others.

High-Level Data-Link Control Protocol (HDLC)

HDLC is the default encapsulation used by Cisco routers over synchronous serial links. Cisco’s HDLC is proprietary—it won’t communicate with any other vendor’s HDLC implementation.

But don’t give Cisco grief for it—everyone’s HDLC implementation is proprietary.

The reason that every vendor has a proprietary HDLC encapsulation method is that each vendor has a different way for the HDLC protocol to encapsulate multiple Network layer protocols.

If the vendors didn’t have a way for HDLC to communicate the different layer 3 protocols, then HDLC would only be able to carry one protocol. This proprietary header is placed in the data field of the HDLC encapsulation.

Point-to-Point Protocol (PPP) The Point-to-Point Protocol (PPP) is one of the serial

encapsulations that administrators find useful for remote access solutions.

PPP operates over a wide range of media and was designed to simplify the transport of multiple protocols over serial links.

Though the protocol does operate over other media, this chapter will focus solely on remote access solutions.

With the intense demand for connectivity by salespeople, remote staff, and telecommuters, it becomes clear that consistent remote access solutions are required.

Point-to-Point Protocol (PPP) The benefits of using PPP are that it is universal and

efficient. PPP on Windows should be able to communicate

with PPP on any access server, and the configuration demands on the client side are extremely small, thus resulting in fewer support issues.

While HDLC, SLIP, and Frame Relay encapsulations are also somewhat standardized, the benefits of PPP and its low overhead, along with virtually universal media support, makes it an excellent choice for remote access.

Point-to-Point Protocol (PPP) Since HDLC is the default serial encapsulation on Cisco

serial links and it works great, when would you choose to use PPP?

The basic purpose of PPP is to transport layer 3 packets across a Data Link layer point-to-point link.

It is non-proprietary, which means that if you don’t have all Cisco routers, PPP would be needed on your serial interfaces—the HDLC encapsulation would not work because it is Cisco proprietary.

In addition, since PPP can encapsulate several layer 3 routed protocols and provide authentication, dynamic addressing, and callback, this may be the encapsulation solution of choice for you over HDLC.

Point-to-Point Protocol stack PPP contains four main components: EIA/TIA-232-C, V.24, V.35, and ISDN - A Physical layer

international standard for serial communication. HDLC - A method for encapsulating datagrams over serial

links. LCP -Satu kaedah menubuhkan, mengkonfigurasi,

mengekalkan, dan menamatkan sambungan point-to-point. NCP - Satu kaedah untuk menubuhkan dan

mengkonfigurasi protokol Lapisan Rangkaian yang berbeza. NCP direka untuk membenarkan penggunaan serentak pelbagai protokol Lapisan Rangkaian. Beberapa contoh protokol di sini adalah IPCP (Internet Protocol Control Protocol) dan IPXCP (Internetwork Packet Exchange Control Protocol).

It is important to understand that the PPP protocol stack is specified at the Physical and Data Link layers only. NCP is used to allow communication of multiple Network layer protocols by encapsulating the protocols across a PPP data link.

Link Control Protocol (LCP) offers different PPP encapsulation options, including the following:

Authentication This option tells the calling side of the link to send

information that can identify the user. The two methods are PAP and CHAP.

Compression This is used to increase the throughput of PPP

connections by compressing the data or payload prior to transmission. PPP decompresses the data frame on the receiving end.

Error detection PPP uses Quality and Magic Number options to

ensure a reliable, loop-free data link. Multilink Starting in IOS version 11.1, multilink is supported

on PPP links with Cisco routers.

This option allows several separate physical paths to appear to be one logical path at layer 3. For example, two T1s running multilink PPP would appear as a single 3Mbps path to a layer 3 routing protocol.

PPP callback PPP can be configured to call back after successful

authentication. PPP callback can be a good thing for you because you can keep track of usage based upon access charges, for accounting records, or a variety of other reasons.

With callback enabled, a calling router (client) will contact a remote router (server) and authenticate as described in the previous section.

Both routers must be configured for the callback feature. Once authentication is completed, the remote router will terminate the connection and then re-initiate a connection to the calling router from the remote router.

PPP Session Establishment Link-establishment phase - LCP packets are sent by each

PPP device to configure and test the link. These packets contain a field called the Configuration Option that allows each device to see the size of the data, compression, and authentication. If no Configuration Option field is present, then the default configurations are used.

Authentication phase - If required, either CHAP or PAP can be used to authenticate a link. Authentication takes place before Network layer protocol information is read. It is possible that link-quality determination may occur at this same time.

Network layer protocol phase - PPP uses the Network Control Protocol (NCP) to allow multiple Network layer protocols to be encapsulated and sent over a PPP data link. Each Network layer protocol (e.g., IP, IPX, AppleTalk, which are routed protocols) establishes a service with NCP.

PPP Authentication Methods

There are two methods of authentication that can be used with PPP links:

Password Authentication Protocol (PAP) The Password Authentication Protocol (PAP)

is the less secure of the two methods. Passwords are sent in clear text, and PAP is only performed upon the initial link establishment.

When the PPP link is first established, the remote node sends back to the originating router the username and password until authentication is acknowledged.

Initiating PAP

PAP provides a simple method for a remote node to establish its identity using a two-way handshake. PAP is not interactive.

When the ppp authentication pap command is used, the username and password are sent as one LCP data package, rather than the server sending a login prompt and waiting for a response.

The figure shows that after PPP completes the link establishment phase, the remote node repeatedly sends a username-password pair across the link until the sending node acknowledges it or terminates the connection.

Completing PAP At the receiving node, the username-password is checked by an

authentication server that either allows or denies the connection. An accept or reject message is returned to the requester.

PAP is not a strong authentication protocol. Using PAP, you send passwords across the link in clear text and there is no protection from playback or repeated trial-and-error attacks. The remote node is in control of the frequency and timing of the login attempts.

Nonetheless, there are times when using PAP can be justified. For example, despite its shortcomings, PAP may be used in the following environments: A large installed base of client applications that do not support CHAP Incompatibilities between different vendor implementations of CHAP Situations where a plaintext password must be available to simulate a

login at the remote host

PPP Authentication Methods

Challenge Handshake Authentication Protocol (CHAP)

The Challenge Handshake Authentication Protocol (CHAP) is used at the initial startup of a link and at periodic checkups on the link to make sure the router is still communicating with the same host.

After PPP finishes its initial link-establishment phase, the local router sends a challenge request to the remote device. The remote device sends a value calculated using a one-way hash function called MD5.

The local router checks this hash value to make sure it matches. If the values don’t match, the link is immediately terminated.

Initiating CHAP Once authentication is established with PAP, it

essentially stops working. This leaves the network vulnerable to attack. Unlike PAP, which only authenticates once, CHAP conducts periodic challenges to make sure that the remote node still has a valid password value.

After the PPP link establishment phase is complete, the local router sends a challenge message to the remote node.

Initiating CHAP

Responding CHAP The remote node responds with a value

calculated using a one-way hash function, which is typically Message Digest 5 (MD5) based on the password and challenge message.

Responding CHAP

Completing CHAP The local router checks the response against its own

calculation of the expected hash value. If the values match, the initiating node acknowledges the authentication. Otherwise, it immediately terminates the connection.

CHAP provides protection against playback attack by using a variable challenge value that is unique and unpredictable. Because the challenge is unique and random, the resulting hash value is also unique and random. The use of repeated challenges limits the time of exposure to any single attack. The local router or a third-party authentication server is in control of the frequency and timing of the challenges.

Completing CHAP

Configuring PPP Encapsulation

Configuring PPP encapsulation on an interface is a fairly straightforward process. To configure it, follow these router commands: Router#config t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#int s0 Router(config-if)#encapsulation ppp Router(config-if)#^Z Router#

Of course, PPP encapsulation must be enabled on both interfaces connected to a serial line to work, and there are several additional configuration options available by using the help command.

Configuring PPP Authentication After you configure your serial interface to support PPP encapsulation,

you can configure authentication using PPP between routers. First set the hostname of the router if it’s not already set. Then set the

username and password for the remote router connecting to your router.

Here is an example: Router#config t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#hostname RouterA RouterA(config)#username RouterB password cisco

When using the hostname command, remember that the username is the hostname of the remote router connecting to your router. And it’s case sensitive. Also, the password on both routers must be the same. It’s a plain-text password that you can see with a show run command.

Configuring PPP Authentication And you can encrypt the password by using the command

service password-encryption. You must have a username and password configured for each remote system you plan to connect to. The remote routers must also be configured with usernames and passwords.

After you set the hostname, usernames, and passwords, choose the authentication type, either CHAP or PAP: RouterA#config t Enter configuration commands, one per line. End with CNTL/Z. RouterA(config)#int s0 RouterA(config-if)#ppp authentication chap pap RouterA(config-if)#^Z RouterA#

If both methods are configured on the same line as is shown here, then only the first method will be used during link negotiation—the second is a backup in case the first method fails.

Verifying PPP Encapsulation

Show interface command: (Figure A) Pod1R1#sh int s0/0 Serial0/0 is up, line protocol is up Hardware is PowerQUICC Serial Internet address is 10.0.1.1/24 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, reliability 239/255, txload 1/255, rxload 1/255 Encapsulation PPP loopback not set Keepalive set (10 sec) LCP Open Open: IPCP, CDPCP

Sixth line lists encapsulation as PPP Eighth line shows that the LCP is open, which means that it has

negotiated the session establishment and is good! Ninth line tells us the NCP is listening for the protocols IP and

CDP.

A

B

PPP Authentication Failed Figure B :

Pod1R1#sh int s0/0 Serial0/0 is up, line protocol is down Hardware is PowerQUICC Serial Internet address is 10.0.1.1/24 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, reliability 243/255, txload 1/255, rxload 1/255 Encapsulation PPP, loopback not set Keepalive set (10 sec) LCP Closed Closed: IPCP, CDPCP

First line of output that serial0/0 is up, line protocol is down. This is because there are no keepalives coming from the

remote router. Next, notice that the LCP is closed because the authentication

failed.

Debug PPP Authentication To display the CHAP authentication process as it occurs

between two routers in the network, use the command debug ppp authentication.

If your PPP encapsulation and authentication are set up correctly on both routers, and your usernames and passwords are correct, then the debug ppp authentication command will have an output like this: d16h: Se0/0 PPP: Using default call direction 1d16h: Se0/0 PPP: Treating connection as a dedicated line 1d16h: Se0/0 CHAP: O CHALLENGE id 219 len 27 from

"Pod1R1" 1d16h: Se0/0 CHAP: I CHALLENGE id 208 len 27 from

"Pod1R2" 1d16h: Se0/0 CHAP: O RESPONSE id 208 len 27 from

"Pod1R1"

1d16h: Se0/0 CHAP: I RESPONSE id 219 len 27 from "Pod1R2" 1d16h: Se0/0 CHAP: O SUCCESS id 219 len 4 1d16h: Se0/0 CHAP: I SUCCESS id 208 len 4

However, if you have the username wrong, as in our previous PPP authentication failure, then the output would look something like this: 1d16h: Se0/0 PPP: Using default call direction 1d16h: Se0/0 PPP: Treating connection as a dedicated line 1d16h: %SYS-5-CONFIG_I: Configured from console by console 1d16h: Se0/0 CHAP: O CHALLENGE id 220 len 27 from "Pod1R1" 1d16h: Se0/0 CHAP: I CHALLENGE id 209 len 27 from "Pod1R2" 1d16h: Se0/0 CHAP: O RESPONSE id 209 len 27 from "Pod1R1" 1d16h: Se0/0 CHAP: I RESPONSE id 220 len 27 from "Pod1R2" 1d16h: Se0/0 CHAP: O FAILURE id 220 len 25 msg is "MD/DES

compare failed" PPP with CHAP authentication is a three-way authentication and if

the username and passwords are not configured exactly the way they should be, then the authentication will fail and the link will be down.

Mismatched WAN Encapsulations If you have a point-to-point link and the encapsulations are

not the same, then the link will never come up. Even though the usernames are configured and they are

wrong, it doesn’t matter; the command ppp authentication chap is not used under the serial interface configuration, so the username command is not used in this example.

Mismatched IP Addresses If the IP addresses are wrong between the routers, the link

looks like it is working fine. This is because PPP, like HDLC and Frame Relay, is a layer 2

WAN encapsulation and doesn’t care about IP addresses. So yes, the link is up; however, you cannot use IP across

this link since it is misconfigured.