• Network Management
  • OSI and Network Management
  • SNMP and CMIP
  • MIB Structure
  • SNMP Protocol
  • SNMP Configuration
  • RMON
  • Syslog

Network Management

OSI and Network Management

There are 4 parts to the OSI management model:

• Orginizational – describes components of network management and their relationships
• Information – structure and storage of information, representation of objects
• Communication – method for data transfer between the agent and manager
• Functional – Fault, Configuration, Accounting, Performance, Security (FCAPS)

SNMP and CMIP

Simple Network Management Protocol (SNMP):

• made up of a protocol, a database structure, and a set of data objects
• SNMP v2c was released in ‘93, SNMP v3 is current
• TCP/IP adopted SNMP as a protocol in 1989

Common Management Information Protocol (CMIP):

• ISO standard
• made up of a complex set of standards

MIB structure

MIB I includes 114 objects, and the newer MIB II is expanded, with 185 objects defined.

There are objects administered by the Internet Activities Board (IAB), which are standardized. Vendors may also create custom objects, while it is recommended that they release the definitions of their objects, they are not always.

SNMP Protocol

There are three main functions that can be used by the Network Management Station, GetRequest, GetNextRequest, and SetRequest. SNMP v2c added a Bulk function to these, allowing more than one value to be requested at a time.

SNMP Configuration

Basic SNMP Configuration
Router(config) snmp-server community [string (acts as password)] [ro (read only) | rw (read/write)]

Specify the location and main contact of managed device
Router(config) snmp-server location [text]
Router(config) snmp-server contact [text]

RMON

• is an MIB
• based on IETF RFCs
• gets statistics by analyzing all frames on a segment
• RMON1 works on the data link layer
• RMON2 works on the network layer
• has a different group for each type of information it analyzes

Syslog

• based on UNIX syslog utility
• has 8 severity levels, from 0 (most critical) to 7 (least critical):
  • 0 – Emergencies
  • 1 – Alerts
  • 2 – Critical
  • 3 – Errors
  • 4 – Warnings
  • 5 – Notifications
  • 6 – Informational (default on Cisco IOS)
  • 7 – Debugging

Configuration:

Enable logging to all supported destinations:
Router(config)#logging on

Send log messages to a syslog server host:
Router(config)#logging [hostname | ip address]

Set logging severity level
Router(config)#logging trap [level name]

Include timestamp with syslog message:
Router(config)#service timestamps log datetime

• Frame Relay Concepts
  • General Concepts
  • Bandwidth and Flow
  • Address Mapping and Topology
  • LMI
• Frame Relay Configuration
  • Basic Configuration
  • Static Map
  • Subinterfaces

Frame Relay Concepts

General Concepts

• Customer end is the DTE
• Frame Relay switch is the DCE
• The connection between two DTEs is called a Virtual Circuit (VC)
• Dynamic VCs are known as Switched VCs (SVCs)
• Static VCs are known as Permanent VCs (PVCs), which are the most common.
• Frame Relay has no error recovery, corrupt frames are discarded without notification. It is up to the upper layers to detect missing frames and request retransmission
• Several VCs can operate on one physical link
• DLCIs are used locally to identify where a packet is going, and is put in the address field of an outgoing frame.

Bandwidth and flow

• Typical port speed is 64kbps to 4Mbps, though some providers offer up to 45Mbps
• Each VC has a Commited Information Rate (CIR), which is the guaranteed bandwidth.
• As it is unlikely for all VCs to need to transmit at the same time, lines are commonly over-allocated by up to 2-3x the CIR
• Packets that are being sent over the CIR are marked as Discard Eligible, and will be discarded should a link become congested.
• The difference between the port speed and the CIR is the Excess Information Rate (EIR)
• The load average is worked out by dividing the data transferred by the committed time (Tc)
• Idle time can not be saved up for use at a later time of load
• The FECN bits are set on all frames downstream of a congested link
• The BECN bits are set on all frames upstream of a congested link
• When a DTE receives a frame with ECN bits set, it is expected to reduce the amount of traffic it creates

Address Mapping and Topology

• DLCIs are mapped to the IP address of the remote router, either with RARP or statically
• Frame Relay can be used in a full or partial mesh topology, point to point links are possible, but are usually not cost effective
• There can only be <100 VCs per physical interface, so full mesh topologies are not usually cost effective for larger networks

LMI

• Link Management Interface (LMI) is used on Frame Relay to provide status updates
• Some DLCIs are reserved for use by LMI
• There are three types of LMI supported by Cisco routers:
  • Cisco – original LMI extensions
  • ANSI – ANSI standard T1.617 Annex D
  • Q933a – ITU standard Q933 Annex A

Frame Relay Configuration

Basic Configuration

Router(config)# interface [interface]
Router(config-if)# ip address [address] [mask]
Router(config-if)# encapsulation frame-relay [cisco | ietf]

Static Map

Router(config)# frame-relay map [protocol] [address] [dlci] ['broadcast']

Subinterfaces

Router(config) interface [interface].[sub-if no.] [point-to-point | multipoint]
Router(config-if) ip address [address] [mask]
Router(config-if) frame-relay interface-dlci [dlci]

• ISDN Concepts
  • ISDN Benefits
  • ISDN standards and access methods
  • ISDN 3-layer model and related standards
  • ISDN functions
  • ISDN reference points
  • Determining the router ISDN interface
  • ISDN switch types
• ISDN Configuration
  • Configuring ISDN BRI
  • Configuring ISDN PRI
  • Verifying ISDN Configuration
  • Troubleshooting ISDN Configurations
• DDR Configuration
  • DDR Operation
  • Configuring legacy DDR
  • Static Routes
  • Defining interesting traffic
  • Dialer Profiles
  • Debugging DDR configs

ISDN Concepts

ISDN Benefits

Traditional PSTN is based on an analog connection between the local exchange and the customer site. Analog links are limited in the available bandwidth.

ISDN was made possible by telcos upgrading switches to support digital signals over the local loop.

Some of the benefits include:

• Carries several different types of data
• Faster to connect than analog
• B channels offer more bandwidth than dialup
• B channels are able to be used with PPP

The D channel is used to setup calls and signaling, and is either 16 or 64kbps.

Each B channel offers 64kbps of bandwidth.

ISDN standards and access methods

ISDN is made up by three series of protocols:

• E protocols – defines telephone network standards
• I protocols – defines concepts, terminology, and general methods. I.100 includes general ISDN concepts. I.200 defines service aspects. I.300 defines network aspects. I.400 defines how UNI is provided.
• Q protocols – defines how call setup and switching is handled.

Unlike a standard TCP connection, ISDN uses out-of-band signalling, meaning all connections are negotiatied over the D channel, while data goes through the B channels.

B channels can carry digitized speech signals. They use either HDLC or PPP. PPP is more robust as it allows for authentication and negotiation of link and protocol configuration.

The D channel uses Link Access Procedure on the D Channel (LAPD) as its data link layer protocol.

North America and Japan PRI connections are 23B+D (giving T1), and most other countries use 30B+D (giving E1).

ISDN 3-layer model and related standards

BRI and PRI pysical layer specifications are  defined in ITU-T I.430 and I.431

ISDN data link layer is based on LAPD and is specified in ITU-T Q.920, Q.921, Q.922, and Q.923

The network layer is defined by ITU-T Q.930 and Q.931, also known as I.450 and I.451, respectively.

With a BRI connection, a standard phone line local loop is used. Although there is only one physical link, the 3 ISDN channels are multiplexed as to not require any extra physical links.

Each BRI frame on the physical layer has:

• 8 bits from B1
• 8 bits from B2
• 2 bits from D
• 6 bits overhead

4,000 frames are sent per second, giving a total of 192kbps, though 48kb of this is overhead, which makes for 144kbps of throughput.

The overhead bits are used for these purposes:

• Framing – provides synchronization
• Load balancing – changes the average bit value
• Echo of previous D channel bits – used for contention resolution
• Activation bit – activates devices
• Spare bit – unassigned

The ISDN signaling channel uses LAPD for Layer 2. The flag and control fields for LAPD are the same as in HDLC. The address field is 2 bytes long, made up of the following:

• Service Address Point Identifier (SAPI) – identifies the  portal that is providing LAPD services to layer 3. One byte long
• Command/Response (C/R) bit – specifies if the command is a command or response
• Terminal Endpoint Identifier (TEI) – identifies the terminal, ranges between 0 and 63 if static, 64-126 if dynamic, and 127 for a broadcast. 7b long.

ISDN functions

The D channel is always up, so that ISDN calls can be started.

The following steps are used to connect an ISDN call:

1. Called number sent to local ISDN switch via D channel
2. The local switch sets up a connection to the remote ISDN switch using the SS7 protocol
3. The remote switch signals the remote site via the D channel
4. The remote site’s NT-1 device sends a call-connect message to the remote switch
5. The remote switch uses SS7 to forward the call-connect message to the local switch
6. The local switch connects one B channel to the remote site, leaving the other free for another conversation or data link, as both channels can be used at the same time.

ISDN reference points

The following devices are used to facilitate ISDN connectivity:

• Terminal Equipment 1 (TE1) – native ISDN device. eg. ISDN router or ISDN phone
• Terminal Equipment 2 (TE2) - non-ISDN device. eg. workstation or router. Requires TA to connect to ISDN service
• Terminal Adapter (TA) – Converts serial link into ISDN BRI
• Network Termination 2 – point at which the ISDN lines at the customer site are aggregated and switched using a customer switching device
• Network Termination 1 – controls the physical/electrical termination at the customer premises. Converts from 4 wire ISDN BRI to 2 line used over local loop

The following are reference points used to identify connections between ISDN devices:

• R – connection between TA and TE2
• S – connection between NT2 and customer premises equipment
• T – electrically identical to the S interface, referencing the outbound connection from the NT2 to the ISDN network or NT1
• U – link between the NT1 and the telco owned ISDN network

As S and T connections are electrically identical, interfaces are often labeled as S/T, meaning they can perform either role.

Determining the router ISDN interface

For North America and Japan, a router should use an ISDN interface with the NT1 built in, as the NT1 is a customer premises device in these countries. These interfaces are labeled with a ‘U’

In other countries, the NT1 is usually provided by the telco, so the interface should not include an NT1. These interfaces are labeled with ‘S/T’

If the router doesn’t have a way to fit an ISDN interface, a TA is required, this will connect to a serial interface on the router.

ISDN switch types

As there are no fixed standards for D channel communication with ISDN switches, it is necessary to specify the type on the router. The type of switch generally varies from country to country, though it can change within a country as well.

With some switches, a service profile identifier (SPID) is required. An SPID sets the line configuration, and allows for voice and data to both be carried over the local loop.

SPIDs are only used in North America and Japan.

Below is a table of the different switch types by country.

ISDN Configuration

Configuring ISDN BRI

To setup a BRI connection, use the following commands:

Router(config)# isdn switch-type [type]

Router(config)# interface bri [number]

If required: Router(config-if)# spid1 [spid-number] [ldn (optional)]

If required: Router(config-if)# spid2 [spid-number] [ldn (optional)]

Router(config-if)# no shutdown

Configuring ISDN PRI

To setup a PRI connection, use the following commands:

Router(config)# controller [t1 | e1]

For T1 lines: Router(config-controller)# framing [sf | esf]

For E1 lines: Router(config-controller)# framing [crc4 | no-crc4] [australia (optional)]

Router(config-controller)# linecode [ami | b8zs | hdb3] -  Nth America usually uses B8ZS, Europe usually uses HDB3.

Router(config-controller)# pri-group [timeslots range (1-24 for T1, 1-31 for E1)]

Router(config)# interface serial [slot/port: | unit:] [23 (T1) | 15 (E1)]

Router(config-if)# isdn switch-type [type]

Verifying ISDN configuration

Router# show isdn status allows the isdn link to the local switch to be checked. When the link is working correctly, the layer 1 status will be ‘ACTIVE’, and the layer 2 status ‘MULTIPLE_FRAME_ESTABLISHED’

Router# show isdn active will give information regarding:

• called number
• time until disconnect
• Advice of Charge (AOC)
• charging units used
• whether AOC is provided during or after calls

Router# show dialer shows the following details:

• current call status
• dial timer config
• dial reason
• remote device that is connected

Router# show interface bri 0/0 will display interface statistics.

Troubleshooting ISDN configurations

Router# debug isdn q921 displays layer 2 information related to the D channel. This command should be used if show isdn status doesn’t show layer 1 as ‘ACTIVE’ and layer 2 as ‘MULTIPLE_FRAME_ESTABLISHED’

Router# debug isdn q931 shows exchanged messages for call setup and teardown

Router# debug ppp authentication displays messages regarding PPP authentication

Router# debug ppp negotiation displays messages related to the PPP link configuration when the connection is started

Router# debug ppp error shows errors relating to PPP.

The debug ppp commands are for use when there are layer 2 issues and show isdn status doesn’t show any problems with the ISDN connection.

DDR Configuration

DDR operation

Dial-on-demand routing (DDR) is used to make a connection when an ‘interesting packet’ needs to cross the link. Packets that are not interesting are forwarded only if the connection is already active. The protocols of which the packets are ‘interesing’ are set with dialer-list.

The following steps are used for an interesting packet to be forwarded using DDR:

1. Router recieves packet, checks there is a valid route to the destination, and identifies the outbound interface
2. If the interface is connected to the next hop router, the packet is forwarded, if the interface is not connected, the packet is identified as interesting.
3. The router connects the the remote site. Now that the link is up, the packet is forwarded.
4. All packets to the remote site, whether interesting or not are forwarded over the link.
5. Once the set time limit has passed without an interesting packet, the call is terminated.

Configuring legacy DDR

Legacy DDR refers to having one connection set per interface.

Follow these steps to set up legacy DDR:

1. Set the static routes
2. Define the interesting traffic
3. Set up the dialer information

Static Routes

Static routes should be used over for connections with DDR, as using a dynamic routing protocol could cause the connection to be dialed more often than it is needed.

Defining interesting traffic

Using dialer-list [no.] protocol ip permit allows all IP traffic, if more control is needed, an ACL can be used. Create the ACL and then use dialer-list [no.] protocol ip list [ACL no.]

Dialer profiles

Dialer profiles allow for a single ISDN interface to connect to different links as required. Several interfaces can also be used, so if, for example, there were three possible connections, but only 2 were ever required at once, the dialer could have 3 profiles in a pool with 2 interfaces.

When configuring dialer interfaces, the dialer pool membership is specified for the physical interface, with the other settings configured for each logical interface.

Debugging DDR configs

debug dialer [events | packets] will help diagnose problems with the DDR configuration.

• Serial Point-to-Point Links
  • TDM
  • Demarcation Point
  • DTE and DCE
  • HDLC
  • Enabling HDLC on an Interface
  • Troubleshooting a serial interface
• PPP Authentication
  • PPP layered architecture
  • Establishing a PPP connection
  • PPP Authentication Protocols
  • PAP
  • CHAP
• Configuring PPP
  • Set up basic PPP encapsulation
  • Set up PPP with compression
  • Set up PPP with error correction
  • Set up PPP with load balancing
  • Configuring PPP athentication
  • Check the PPP encapsulation configuration
  • Debug the PPP configuration

Serial Point-to-Point Links

TDM
Time division multiplexing interleaves data so protocols do not have to wait for another protocol to finish before they can transmit. It is a similar concept to Hyper-Threading in CPUs.
Demarcation Point
The demarcation point or demarc is where the responsibility of the link goes to the customer, rather than the link provider.

In the US, this is before the DCE device (CSU/DSU), where the local loop ends. In most other countries, the DCE is provided by the telco, in the form of an NTU. NTUs allow the telco to manage and troubleshoot the local loop.
DTE and DCE
The DTE is the customer device, which is commonly a router, though there are many other devices it could be, including a computer or fax machine.

The DCE is the device which changes the DTE’s data into a form suitable for the WAN link.

There are 4 main specifications defined in DTE/DCE standards:

• Physical – number of pins and connector form factor
• Electrical – voltage levels
• Functional – assigns functions to different signals
• Procedural – sequence of data transmission

When two DTE devices are connected together, such as in a lab, a null modem cable must be used. For synchronous links, one of the DTEs must have a clock rate set, to emulate a DCE.

A DTE will usually have a DB-60 or smart-serial connection on it, and the cable will have the connection specified by the telco on the other end.
HDLC
HDLC is the main signaling standard used by WAN links. Below is a list of some of the derivatives of HDLC in use:

• Link Access Procedure, Balanced for X.25
• Link Access Procedure on the D channel for ISDN
• Link Access Procedure for Modems and PPP for modems
• Link Access Procedure for Frame Relay

HDLC has three types of frames:

• Information frames – for data
• Supervisory frames – request/response for when piggybacking is not used
• Unnumbered frames – control, such as connection setup

Enabling HDLC on an Interface
Router(config-if)# encapsulation hdlc
Troubleshooting a serial interface
By using show interface [type] [no.], details of the interface will be shown, so the incorrect parameter can be found.

PPP Authentication

PPP layered architecture

PPP is made from two sub-protocols:

• Link Control Protocol – establishes a point-to-point link
• Network Control Protocol – configures the network layer protocols

LCP is used for the following:

• Authentication - authenticates the connection, using either PAP or CHAP
• Compression – sets up compression on the link which is then decompressed when it reaches the other end of the link
• Error detection – recognizing errors
• Multilink – IOS 11.1 and later supports multilink, which provides load balancing
• PPP Callback – increases security by requesting the other device calls back to make the connection

NCP has a different protocol to control each network layer protocol, e.g IPCP is used for IP connections.

PPP uses the following fields:

• Flag – 01111110 is used to mark the beginning and end of a frame
• Address – a broadcast address (11111111) is used, as PPP doesn’t use individual station addresses
• Protocol – specifies the type of data being carried
• Data - between 0 and 1500 bytes of data
• FCS - checksum used to detect errors

Establishing a PPP connection

• Link-establishment phase – LCP frames are used to configure the link. Details such as MTU are confirmed during this phase. The phase is completed with a configuration acknowledgement frame
• Authentication phase (optional) – if configured, the link is authenticated before the network layer link is initialized
• Network layer protocol phase – configures network layer protocols

PPP Authentication Protocols

There are two authentication protocols used by PPP, Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). CHAP is the preferred protocol, as it is more secure.

PAP

PAP sends the username and password repeatedly until the other node acknowledges it as correct or terminates the session. PAP is not very secure as the username and password are sent in plain text.

CHAP

CHAP uses a 3 way handshake, starting off with a challenge from the central site router. The remote router then uses the password and the challenge and sends back the checksum, if the checksum is correct, the connection is allowed, if it fails, the connection is dropped. There is a limit on the number of tries from the remote router, to reduce the risk even further.

To set up the hostname and password for CHAP:

Router(config-if)# ppp chap hostname [hostname]

Router(config-if)# ppp chap password [password]

Configuring PPP

Set up basic PPP encapsulation

Router(config)# interface [interface]

Router(config-if)# encapsulation ppp

Set up PPP with compression

Router(config)# interface [interface]

Router(config-if)# encapsulation ppp

Router(config-if)# compress [predictor | stac]

Set up PPP with error correction

Router(config)# interface [interface]

Router(config-if)# encapsulation ppp

Router(config-if)# ppp quality [percentage]

Set up PPP with load balancing

Router(config)# interface [interface]

Router(config-if)# encapsulation ppp

Router(config-if)# ppp multilink

Configuring PPP athentication

Router(config)# username [name] password [password]

Router(config)# interface [interface]

Router(config-if)# ppp authentication [chap | chap pap | pap chap | pap]

For IOS 11.1 and later: Router(config-if)# ppp pap sent-username [name] password [password]

Check the PPP encapsulation configuration

Router# show interfaces serial [no.]

Debug the PPP configuration

Enable debugging:

Router# debug ppp [authentication | packet | negotiation | error | chap]

Disable debugging:

Router# no debug ppp [authentication | packet | negotiation | error | chap]

Explanations of debug modes:

• packet – display PPP packets being sent and received
• negotiation – display PPP packets used during startup
• error – errors and error statistics
• chap – CHAP packet exchanges

• WAN Technologies Overview
  • WAN devices
  • WAN Standards
  • WAN encapsulation
  • Packet and circuit switching
• WAN Technologies
  • Analog dialup
  • ISDN
  • Leased line
  • X.25
  • Frame Relay
  • ATM
  • DSL
  • Cable modem
• WAN Design
  • WAN communication
  • Steps in WAN design
  • How to identify and select networking capabilities
  • Three-layer design model
  • Other layered design models
  • Other WAN design considerations

WAN Technologies Overview

WAN devices

The customer connects to the WAN with customer premises equipment (CPE), which is usually either a modem or serial interface. The customer end is known as the DTE.

The DTE from the customer end connects to the DCE, which is the equipment operated by the telco at the other end of the local loop.

WAN Standards

WAN standards focus on OSI layers 1 and 2.

The layer 1 standards cover the connection types, such as EIA/TIA-232 and V.35.

The layer 2 standards cover the different types of HDLC used on WAN links. The common HDLC based standards include:

• Cisco HDLC (Point-to-Point)
• PPP (Point-to-Point)
• LAPB (Point-to-Point)
• X.25 (Packet switched)
• Frame Relay (Packet Switched)
• ISDN (Circuit Switched)

WAN encapsulation

WAN encapsulation standards are based on HDLC. At the beginning and end of each frame, there are flags with the sequence 01111110. After every 5 ‘1′ bits, a ‘0′ is added to prevent false ends.

The address field is not needed for point to point links, but is there regardless.

PPP and Cisco HDLC have an extra field – protocol.

Packet and circuit switching

Packet switching is used by X.25 and Frame Relay. This routes traffic on a packet-by-packet basis, and allows for more than one logical connection over a single physical line. Charges are based on amount of bandwidth used, not hours connected, which can save a significant amount of money depending on how heavily utilized the WAN link is.

Circuit switching creates a end to end connection, similar to an analog telephone. While these connections allow for a fixed connection between to locations, billing based on distance and connection time can cause for unnecessarily high charges if a link is used on a regular basis with little data throughput.

WAN Technologies

Analog dialup

Analog dialup uses the PTSN network to call the remote location and make a connection. There is a maximum of 33kbps, or 56kbps

ISDN

ISDN uses the wiring for a phone line to make a digital connection to the ISDN switch at the central office. There are two standards of ISDN, BRI and PRI. BRI offers 2 64kbps B channels and 1 16kbps D channel for a total of 144kpbs. PRI offers 23B+D or 30B+D depending on the country, in these situations both the B and D channels are 64kbps.

Leased line

Leased lines offer a fixed bandwidth between two locations. Speeds vary from 56kbps to about 2.5Gbps, depending on what is available from the provider. Leased lines are a common choice for interbuilding links. The main disadvantage of a leased line is that the link is bought at a fixed capacity, and the bandwidth requirement on WAN links is almost never constant, causing excessive cost.

X.25

X.25 was created to allow for WAN links that were billed based on actual data throughput, not maximum speed or link distance. X.25 is packet switched, meaning that several virtual links can run on one physical link. The maximum speed is usually 2Mbps, though providers rarely offered more than 64kbps. X.25 is now uncommon, as Frame Relay has taken its place.

Frame Relay

Frame Relay is similar to X.25 in that it is packet switched. The maximum speed is often 4Mbps, with some providers offering higher speeds. The Frame Relay network is usually connected to via a leased line, though some providers offer the ability to dial in via ISDN.

ATM

ATM is used when very high bandwidth, low latency connections are required. The maximum speed is in excess of 155Mbps. ATM uses a fixed 53B cell, with each cell containing 5B of headers, and 48B of information. Because of the small cell size, ATM has a very high overhead, typically about 20%.

DSL

DSL is a broadband technology that uses the copper local loop from the premises to the CO, where a DSLAM (DSL Access Multiplexer) is used to aggregate several ADSL lines on to a single WAN connection, often T3/DS3. There are several types of DSL, all of which fit into either ADSL or SDSL. Some DSL technologies are able to share a line with telephone services, which means only one physical line is needed to use both phone and ADSL at the same time. Because DSL has to go through the ISP, it is uncommon to use it for WAN links, though VPNs can make DSL a plausible option.

Cable modem

Cable internet connections use the same physical link that provides cable TV. A splitter is used to seperate the TV signals from the data. All the users that connect to the same cable share the bandwidth. All data has to go through the ISP, so VPNs are required to make cable a feasible option for WAN links.

WAN Design

WAN communication

WAN links are usually owned by a communications provider, as it is more cost effective for a large system to be run then leased to users than for users to have to maintain their own system.

WANs carry many types of data, limited only by the capacity of the connections. WANs do not have any services directly connected, as they are for connection of geographically separated LANs.

Steps in WAN design

How to identify and select networking capabilities

The two main considerations to be made when deciding topology are where the traffic is going most and how much traffic. From these considerations, work out which locations need to be interconnected, and how much bandwidth these links will need.

Three-layer design model

The three layer design groups the link into regions, with links to the central office. This reduces the overall number of links that have to connect to the central office.

Other layered design models

Smaller WANs may need need a topology as complex as the three layer model, a two layer model could be used, along with others. Even if the network is small, the three layer model should be considered, as it offers flexible expansion should the network ever need to grow.

Other WAN design considerations

It is possible to use the internet as a way of linking offices in multiple locations, though it is a lot more difficult to keep the network secure with multiple points of entry from the internet, as opposed to having one central connection to the internet. If the traffic volumes are small, the saving of not having to pay for dedicated WAN links could pay for the security required, so it should still be considered as an option.

• NAT
  • NAT Concepts
  • Configuring NAT
  • Debugging NAT
• PAT
  • PAT Concepts
  • Configuring PAT
• DHCP
  • DHCP Concepts
  • Configuring DHCP

NAT

NAT Concepts

Network Address Translation (NAT) is used to allocate public IP addresses to hosts, regardless of the logical topology (hosts in different subnets can be allocated public addresses in the same subnet). As the topology of the network is hidden,  it is more secure than using public IP addresses for internal addressing.

The addresses can be assigned manually for each host, which is necessary for servers that offer external services, as domain names are set to go to a fixed IP. Hosts that do not need to always be assigned the same external IP address can have the addresses assigned dynamically as they are required.

Configuring NAT

Set IP address pool

Router(config)# ip nat pool [name] [start address] [end address] netmask [subnet mask]

Set the ACL for allowed internal hosts

Router(config)# access-list [no.] permit [network address] [wildcard mask]

Enable NAT and assign ACL

Router(config)# ip nat inside source list [no.] pool [name]

Set interfaces as inside or outside

Router(config-if)# ip nat [inside | outside]

Set a static NAT assignment

Router(config)# ip nat inside source static [inside address] [outside address]

Debugging NAT

Router# debug ip nat

PAT

PAT Concepts

Port Address Translation (PAT) is used when there are more hosts that need external addresses than external addresses available. When the there are no longer enough addresses to go around, the router will assign individual ports to hosts, as they are required. The port number is the same as the external destination port, provided it is available. If the destination port is in use, the router will assign the next available port (eg, if 7777 was the destination and was already assigned to another host, 7778 would be used, provided it is free).

PAT can allow for a significant reduction in the number of public IP addresses needed, reducing cost and extending the life of IPv4, which is running out of free addresses.

Configuring PAT

Set the ACL for allowed internal hosts

Router(config)# access-list [no.] permit [network address] [wildcard mask]

Enable PAT and assign ACL

Router(config)# ip nat inside source list [no.] interface [interface] overload

Set interfaces as inside or outside

Router(config-if)# ip nat [inside | outside]

DHCP

DHCP Concepts

Dynamic Host Configuration Protocol (DHCP) allows for host settings such as IP address, subnet mask, default gateway, and DNS server address, to be set remotely.

DHCP is based on BOOTP, which required that all hosts were allocated their IP addresses manually on the BOOTP server. DHCP doesn’t have this limitation.

DHCP requests are sent using UDP with port 68. DHCP reponses are sent back with UDP on port 67.

Configuring DHCP

Basic DHCP config with IP address and default gateway

Router(config)# ip dhcp pool [pool-name]

Router(dhcp-config)# network [network address] [subnet mask | CIDR]

Router(dhcp-config)# default-router [router address]

Other attributes

Router(dhcp-config)# dns-server [server address]

Router(dhcp-config)# domain-name [domain]

Router(dhcp-config)# netbios-name-server [server address]

Forward packets to DHCP server

On LAN interface: Router(config-if)# ip helper-address [DHCP server address]

Exclude IP addresses from DHCP pool

Router(config)# ip dhcp excluded-address [start address] [end address (optional)]