
How to Configure Dynamic NAT in Cisco Router

This tutorial explains Dynamic NAT configuration in detail: creating an access list of the IP addresses that need translation, creating a pool of the available inside global addresses, mapping the access list to the pool, and defining the inside and outside interfaces. Learn how to configure, manage, verify and debug dynamic NAT step by step with Packet Tracer examples.

To explain Dynamic NAT configuration, I will use the Packet Tracer network simulator. You can use any network simulator to follow this guide; there is no difference in output as long as your chosen software supports the commands explained in this tutorial.

Create a practice lab as shown in the following figure, or download this pre-created practice lab and load it in Packet Tracer.

Download NAT Practice LAB with initial IP configuration

If required, you can download the latest as well as earlier versions of Packet Tracer from here.
Download Packet Tracer

[Figure: Dynamic NAT lab setup]

This tutorial is the third part of our article “Learn NAT (Network Address Translation) Step by Step in Easy Language with Examples”. You can read other parts of this article here.

Basic Concepts of NAT Explained in Easy Language

This tutorial is the first part of this article. It explains the basic concepts of static NAT, dynamic NAT, PAT, inside local, outside local, inside global and outside global in detail with examples.

How to Configure Static NAT in Cisco Router

This tutorial is the second part of this article. This tutorial explains how to configure Static NAT (Network Address Translation) in Cisco Router step by step with packet tracer examples.

Configure PAT in Cisco Router with Examples

This tutorial is the last part of this article. This tutorial explains how to configure PAT (Port Address Translation) in Cisco Router step by step with packet tracer examples.



Initial IP Configuration

Device / Interface | IP Address | Connected With
Laptop0 | 10.0.0.10/8 | Fa0/0 of R1
Laptop1 | 10.0.0.20/8 | Fa0/0 of R1
Laptop2 | 10.0.0.30/8 | Fa0/0 of R1
Server0 | 192.168.1.10/24 | Fa0/0 of R2
Serial 0/0/0 of R1 | 100.0.0.1/8 | Serial 0/0/0 of R2
Serial 0/0/0 of R2 | 100.0.0.2/8 | Serial 0/0/0 of R1

If you are following this tutorial on my practice topology, skip this IP configuration section, as that topology is already configured with this initial IP configuration.

To assign an IP address to a laptop, click the laptop, click Desktop, click IP Configuration, select Static and set the IP address as given in the table above.

[Figure: assigning an IP address to a laptop]

Configure the IP address of the server in the same way.

[Figure: assigning an IP address to the server]

To configure IP addresses on Router1, click Router1, select CLI and press the Enter key.

[Figure: accessing the router CLI in Packet Tracer]

Run the following commands to set the hostname and IP addresses.

Router>enable
Router# configure terminal
Router(config)#
Router(config)#hostname R1
R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface Serial0/0/0
R1(config-if)#ip address 100.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#

In the same way, access the command prompt of R2 and run the following commands to set the hostname and IP addresses.

Router>enable
Router#configure terminal
Router(config)#hostname R2
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address 192.168.1.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface Serial0/0/0
R2(config-if)#ip address 100.0.0.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#

That's all the initial IP configuration we need. The topology is now ready for practicing dynamic NAT.

Configure Dynamic NAT



Dynamic NAT configuration requires four steps:

  1. Create an access list of the IP addresses that need translation
  2. Create a pool of the IP addresses that are available for translation
  3. Map the access list to the pool
  4. Define the inside and outside interfaces

In the first step we create a standard access list that defines which inside local addresses are permitted to be mapped to inside global addresses.

To create a standard numbered ACL, the following global configuration mode command is used:

Router(config)# access-list ACL_Identifier_number permit/deny matching-parameters

Let’s understand this command and its options in detail.

Router(config)#

This command prompt indicates that we are in global configuration mode.

access-list

This keyword tells the router that we are creating or accessing an access list.

ACL_Identifier_number

With this parameter we specify the type of access list. There are two types of access list: standard and extended. Each type has its own identifier number ranges. Standard ACLs use the ranges 1 to 99 and 1300 to 1999; picking any number from these ranges tells the router that we are working with a standard ACL. The number groups the conditions under a single ACL and also uniquely identifies that ACL on the router.

permit/deny

An ACL condition has two actions: permit and deny. With the permit keyword, the ACL allows all packets from the source address specified in the next parameter; with the deny keyword, it drops all packets from that source address.

matching-parameters

This parameter allows us to specify the contents of the packet that we want to match. In a standard ACL condition it can be a single source address or a range of addresses. We have three options to specify the source address:

  • any
  • host
  • A.B.C.D

any

The any keyword matches all sources. Every packet compared against this condition is matched.

host

The host keyword matches a specific host. To match a particular host, type the keyword host followed by the IP address of the host.

A.B.C.D

Through this option we can match a single address or a range of addresses. To match a single address, simply type the address. To match a range of addresses, we need to use a wildcard mask.

Wildcard mask

Just like a subnet mask, a wildcard mask draws a boundary within an IP address. Where a subnet mask separates the network portion from the host portion, a wildcard mask separates the bits that must match from the bits that are ignored. A wildcard mask is the bitwise inverse of the subnet mask and can be calculated from it in decimal or in binary.

We have three hosts in the lab. Let's create a standard access list that permits two hosts and denies one.

R1(config)#access-list 1 permit 10.0.0.10 0.0.0.0
R1(config)#access-list 1 permit 10.0.0.20 0.0.0.0
R1(config)#access-list 1 deny any
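The following Python example is added here to illustrate the two ideas above; it is not from the tutorial. It computes wildcard masks from subnet masks and evaluates a standard numbered ACL the way the router does: top to bottom, first match wins, implicit deny at the end. It parses ACL 1 exactly as written above and also a constructed ACL 2 that permits the whole 10.0.0.0/8 range with a single line. The parser and the function names are this example's own.

```python
import ipaddress

# Added example (not from the tutorial): wildcard masks and standard ACL evaluation.
# ACL 1 below is the tutorial's own list; ACL 2 is constructed for illustration.

ALL_ONES = 0xFFFFFFFF


def wildcard_from_subnet(subnet_mask: str) -> str:
    """Wildcard mask = bitwise inverse of the subnet mask (255.0.0.0 -> 0.255.255.255)."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(mask ^ ALL_ONES))


def wildcard_match(address: str, pattern: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must equal the pattern bit; a 1 bit is ignored."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    a = int(ipaddress.IPv4Address(address))
    p = int(ipaddress.IPv4Address(pattern))
    return (a & care) == (p & care)


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny <source>' lines into (action, pattern, wildcard).
    <source> may be 'any', 'host A.B.C.D', 'A.B.C.D' (exact host) or 'A.B.C.D W.W.W.W'."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL line: {line!r}")
        action, source = parts[2], parts[3:]
        if source == ["any"]:
            pattern, wildcard = "0.0.0.0", "255.255.255.255"
        elif source[0] == "host":
            pattern, wildcard = source[1], "0.0.0.0"
        elif len(source) == 1:
            pattern, wildcard = source[0], "0.0.0.0"
        else:
            pattern, wildcard = source[0], source[1]
        entries.append((action, pattern, wildcard))
    return entries


def acl_decision(entries, address: str) -> str:
    """Entries are checked top to bottom; the first match wins.
    If nothing matches, the implicit 'deny any' at the end of every ACL applies."""
    for action, pattern, wildcard in entries:
        if wildcard_match(address, pattern, wildcard):
            return action
    return "deny"


# The tutorial's ACL: two hosts permitted, everything else denied.
ACL_1 = parse_standard_acl([
    "access-list 1 permit 10.0.0.10 0.0.0.0",
    "access-list 1 permit 10.0.0.20 0.0.0.0",
    "access-list 1 deny any",
])

# Constructed ACL: permit all of 10.0.0.0/8 in one line (wildcard derived from 255.0.0.0)
# and rely on the implicit deny for everything else.
ACL_2 = parse_standard_acl([
    "access-list 2 permit 10.0.0.0 " + wildcard_from_subnet("255.0.0.0"),
])

if __name__ == "__main__":
    for host in ("10.0.0.10", "10.0.0.20", "10.0.0.30", "192.168.1.10"):
        print(host, "ACL 1:", acl_decision(ACL_1, host), "ACL 2:", acl_decision(ACL_2, host))
```

Running it shows 10.0.0.30 denied by ACL 1 but permitted by ACL 2, and 192.168.1.10 denied by both, the second time purely through the implicit deny that the router appends to every ACL.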

To learn standard ACLs in detail, you can use the following tutorial.

Standard ACL Configuration Explained

In the second step we define a pool of inside global addresses that are available for translation.

The following command defines the NAT pool.

Router(config)#ip nat pool [Pool Name] [Start IP address] [End IP address] netmask [Subnet mask]

This command takes four arguments: pool name, start IP address, end IP address and subnet mask.

Pool Name: the name of the pool. We can choose any descriptive name here.

Start IP Address: the first IP address of the range that is available for translation.

End IP Address: the last IP address of the range that is available for translation. There is no minimum or maximum size for the range; it can be a single IP address or every IP address in a subnet.

Subnet Mask: the subnet mask of the IP range.

Let's create a pool named ccna with a range of two addresses.

R1(config)#ip nat pool ccna 50.0.0.1 50.0.0.2 netmask 255.0.0.0

This pool consists of two class A IP addresses: 50.0.0.1 and 50.0.0.2.

In the third step we map the access list to the pool. The following command maps the access list to the pool and enables dynamic NAT.

Router(config)#ip nat inside source list [access list name or number] pool [pool name]

This command takes two arguments.

Access list name or number: the name or number of the access list we created in the first step.

Pool Name: the name of the pool we created in the second step.

In the first step we created standard access list number 1, and in the second step we created a pool named ccna. To configure dynamic NAT with these we use the following command.

R1(config)#ip nat inside source list 1 pool ccna

Finally we have to define which interface is connected to the local network and which interface is connected to the global network.

To define the inside local interface we use the following command:

Router(config-if)#ip nat inside

The following command defines the inside global interface:

Router(config-if)#ip nat outside

[Figure: ip nat inside and ip nat outside interfaces]

Let's put all these commands together and configure dynamic NAT.

R1 Dynamic NAT Configuration

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 1 permit 10.0.0.10 0.0.0.0
R1(config)#access-list 1 permit 10.0.0.20 0.0.0.0
R1(config)#access-list 1 deny any
R1(config)#ip nat pool ccna 50.0.0.1 50.0.0.2 netmask 255.0.0.0
R1(config)#ip nat inside source list 1 pool ccna
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface Serial0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#

For testing purposes I configured dynamic translations for two addresses only.

On R2 we can keep the standard configuration, configure dynamic NAT as we just did on R1, or configure static NAT as we learnt in the previous part of this article.

Let's do a quick recap of what we learnt in the previous part and configure static NAT on R2.

R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip nat inside source static 192.168.1.10 200.0.0.10
R2(config)#interface Serial 0/0/0
R2(config-if)#ip nat outside
R2(config-if)#exit
R2(config)#interface FastEthernet 0/0
R2(config-if)#ip nat inside
R2(config-if)#exit
R2(config)#

To understand the above commands in detail, please see the second part of this tutorial.

Before we test this lab we need to configure IP routing. IP routing is the process that allows a router to forward packets between different networks. The following tutorial explains routing in detail with examples.

Routing Protocols Explained in details

Configure static routing on R1

R1(config)#ip route 200.0.0.0 255.255.255.0 100.0.0.2

Configure static routing on R2

R2(config)#ip route 50.0.0.0 255.0.0.0 100.0.0.1

Testing Dynamic NAT Configuration

In this lab we configured dynamic NAT on R1 for 10.0.0.10 and 10.0.0.20, and static NAT on R2 for 192.168.1.10.

Device | Inside Local IP Address | Inside Global IP Address
Laptop0 | 10.0.0.10 | 50.0.0.1
Laptop1 | 10.0.0.20 | 50.0.0.2
Server | 192.168.1.10 | 200.0.0.10

To test this setup, click Laptop0, click Desktop and click Command Prompt.

  • Run the ipconfig command.
  • Run the ping 200.0.0.10 command.
  • Run the ping 192.168.1.10 command.

[Figure: NAT test from Laptop0, success]

The first command verifies that we are testing from the correct NAT device.

The second command checks whether we can reach the remote device. A ping reply confirms that we can connect to the remote device on this IP address.

The third command checks whether we can reach the remote device on its actual IP address. A ping error confirms that we cannot connect to the remote device on this IP address.

Let's do one more test. Close the command prompt, click Web Browser and access 200.0.0.10.

[Figure: web access from Laptop0, success]

The figure above confirms that host 10.0.0.10 can access 200.0.0.10. You can do the same test from Laptop1; the result will be the same.

Now run the ping 200.0.0.10 command from Laptop2.

[Figure: ping from Laptop2 fails]

Close the command prompt and access the web server from this host.

[Figure: web access from Laptop2 fails]

Why are we not able to connect to the remote device from this host?

Because we configured NAT only for two hosts (Laptop0 and Laptop1), whose IP addresses are 10.0.0.10 and 10.0.0.20. So only the hosts 10.0.0.10 and 10.0.0.20 can access the remote device.

If you followed this tutorial step by step, you should get the same test output. Although it is very rare, sometimes you may get different output. To figure out what went wrong, you can use my practice topology with all of the above configuration. Download my practice topology.

Download NAT Practice LAB with Dynamic NAT configuration

We can also verify the translations on the router with the show ip nat translation command.

The following figure shows the translations on router R1.

[Figure: show ip nat translation on R1]

We ran three tests, one from each host, but why are only two translations listed here? Remember that in the first step we created an access list. The access list filters unwanted traffic before it reaches NAT. We can see how many packets were blocked by the ACL with the following command.

R1#show ip access-lists 1

[Figure: show ip access-lists on R1]

Basically it is the access list that filters the traffic. NAT does not filter any traffic; it only translates addresses.

The following figure shows the NAT translations on router R2.
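To make the relationship between the ACL, the pool and the translation table concrete, here is a small Python model of dynamic NAT added for this page; it is not the tutorial's code and does not reproduce IOS in every detail. It replays the lab (ACL 1 permits 10.0.0.10 and 10.0.0.20, pool ccna holds 50.0.0.1 and 50.0.0.2, each laptop sends one packet) and goes one step beyond it with a constructed variant in which all three hosts are permitted but the pool still holds only two addresses, which shows what happens when a dynamic pool runs out and why entries being cleared or timing out matters. The class and function names are this example's own.

```python
from collections import deque
from dataclasses import dataclass, field

# Added example (not from the tutorial): a model of Cisco-style dynamic NAT.
# The ACL decides which inside local addresses may be translated, the pool hands
# out inside global addresses first come first served, and a permitted host that
# arrives when the pool is empty gets no translation at all. Host and pool
# addresses are the tutorial's; the exhausted-pool behaviour is modelled here.


@dataclass
class DynamicNat:
    permitted: frozenset                   # inside local addresses the ACL permits
    pool: deque                            # inside global addresses still free
    table: dict = field(default_factory=dict)                         # inside local -> inside global
    acl_hits: dict = field(default_factory=lambda: {"permit": 0, "deny": 0})
    missed: int = 0                        # permitted packets dropped because the pool was empty

    def outbound(self, src: str, dst: str):
        """Packet leaving through the 'ip nat inside' interface.
        Returns the translated source, or None if the packet gets no translation."""
        if src not in self.permitted:
            self.acl_hits["deny"] += 1     # the ACL filtered it before NAT looked at it
            return None
        self.acl_hits["permit"] += 1
        if src in self.table:
            return self.table[src]         # an existing entry is reused
        if not self.pool:
            self.missed += 1               # pool exhausted: nothing to hand out
            return None
        self.table[src] = self.pool.popleft()
        return self.table[src]

    def inbound(self, dst: str):
        """Reply arriving on the 'ip nat outside' interface: inside global back to inside local."""
        for inside_local, inside_global in self.table.items():
            if inside_global == dst:
                return inside_local
        return None                        # no entry: the reply has nowhere to go

    def clear(self, inside_local: str) -> None:
        """Like 'clear ip nat translation' or an entry timing out: the address returns to the pool."""
        self.pool.append(self.table.pop(inside_local))

    def show_translations(self):
        """Rows as 'show ip nat translation' would list them: (inside global, inside local)."""
        return sorted((g, l) for l, g in self.table.items())


def lab_scenario():
    """The tutorial's lab: ACL 1 permits two hosts, pool ccna holds two addresses,
    three laptops each send one packet to 200.0.0.10."""
    nat = DynamicNat(permitted=frozenset({"10.0.0.10", "10.0.0.20"}),
                     pool=deque(["50.0.0.1", "50.0.0.2"]))
    results = {host: nat.outbound(host, "200.0.0.10")
               for host in ("10.0.0.10", "10.0.0.20", "10.0.0.30")}
    return nat, results


def exhaustion_scenario():
    """Constructed variant: all three laptops permitted, but the pool still has two addresses."""
    nat = DynamicNat(permitted=frozenset({"10.0.0.10", "10.0.0.20", "10.0.0.30"}),
                     pool=deque(["50.0.0.1", "50.0.0.2"]))
    first_try = [nat.outbound(h, "200.0.0.10") for h in ("10.0.0.10", "10.0.0.20", "10.0.0.30")]
    nat.clear("10.0.0.10")                 # the first entry times out or is cleared
    retry = nat.outbound("10.0.0.30", "200.0.0.10")
    return nat, first_try, retry


if __name__ == "__main__":
    nat, results = lab_scenario()
    print(results, nat.show_translations(), nat.acl_hits)
    nat, first_try, retry = exhaustion_scenario()
    print(first_try, retry, nat.missed)
```

In the lab scenario the third packet is counted against the ACL's deny line and never touches the pool, which is why only two rows appear in the translation table. In the constructed variant the third host is permitted but still gets nothing until an earlier entry is released, a quiet failure mode worth remembering when sizing a pool.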

[Figure: show ip nat translation on R2]

That's all for this tutorial. In the next part we will learn NAT overload (PAT) configuration step by step with examples.

Prerequisites for 200-301

200-301 is a single exam, consisting of about 120 questions. It covers a wide range of topics, such as routing and switching, security, wireless networking, and even some programming concepts. As with other Cisco certifications, you can take it at any of the Pearson VUE certification centers.

The recommended training program that can be taken at a Cisco academy is called Implementing and Administering Cisco Solutions (CCNA). The successful completion of a training course will get you a training badge.

Full Version 200-301 Dumps

Try 200-301 Dumps Demo


How to Configure Static NAT in Cisco Router

This tutorial explains Static NAT configuration in detail. Learn how to configure static NAT, map addresses (inside local, outside local, inside global and outside global), and debug and verify static NAT translations step by step with practical examples in Packet Tracer.

In order to configure NAT we have to understand four basic terms: inside local, inside global, outside local and outside global. These terms define which address is mapped to which.

Term | Description
Inside Local IP Address | Source IP address before translation, located inside the local network.
Inside Global IP Address | Source IP address after translation, as seen outside the local network.
Outside Global IP Address | Destination IP address before translation, located outside the remote network.
Outside Local IP Address | Destination IP address after translation, located inside the remote network.

For this tutorial I assume that you are familiar with these basic terms. If you want to learn them in detail, please go through the first part of this article, which explains them in detail with examples.

This tutorial is the second part of our article “Learn NAT (Network Address Translation) Step by Step in Easy Language with Examples”. You can read other parts of this article here.

Basic Concepts of NAT Explained in Easy Language

This tutorial is the first part of this article. It explains the basic concepts of static NAT, dynamic NAT, PAT, inside local, outside local, inside global and outside global in detail with examples.

How to Configure Dynamic NAT in Cisco Router

This tutorial is the third part of this article. This tutorial explains how to configure Dynamic NAT (Network Address Translation) in Cisco Router step by step with packet tracer examples.

Configure PAT in Cisco Router with Examples

This tutorial is the last part of this article. This tutorial explains how to configure PAT (Port Address Translation) in Cisco Router step by step with packet tracer examples.

Static NAT Practice LAB Setup



To explain Static NAT configuration, I will use the Packet Tracer network simulator. You can use any network simulator, or real Cisco devices, to follow this guide. There is no difference in output as long as your chosen software supports the commands explained in this tutorial.

Create a practice lab as shown in the following figure, or download this pre-created practice lab and load it in Packet Tracer.

Download NAT Practice LAB with initial IP configuration

[Figure: Static NAT practice topology]

If required, you can download the latest as well as earlier versions of Packet Tracer from here. Download Packet Tracer

Initial IP Configuration

Device / Interface | IP Address | Connected With
Laptop0 | 10.0.0.10/8 | Fa0/0 of R1
Laptop1 | 10.0.0.20/8 | Fa0/0 of R1
Laptop2 | 10.0.0.30/8 | Fa0/0 of R1
Server0 | 192.168.1.10/24 | Fa0/0 of R2
Serial 0/0/0 of R1 | 100.0.0.1/8 | Serial 0/0/0 of R2
Serial 0/0/0 of R2 | 100.0.0.2/8 | Serial 0/0/0 of R1

If you are following this tutorial on my practice topology, skip this IP configuration section, as that topology is already configured with this initial IP configuration.

To assign an IP address to a laptop, click the laptop, click Desktop, click IP Configuration, select Static and set the IP address as given in the table above.

[Figure: assigning an IP address to a laptop]

Configure the IP address of the server in the same way.

[Figure: assigning an IP address to the server]

To configure IP addresses on Router1, click Router1, select CLI and press the Enter key.

[Figure: accessing the router CLI in Packet Tracer]

Two interfaces of Router1 are used in the topology: FastEthernet0/0 and Serial0/0/0.



By default, router interfaces remain administratively down at start-up. We need to configure an IP address and other parameters on an interface before we can use it for routing. Interface mode is used to assign the IP address and other parameters, and it is entered from global configuration mode. The following commands are used to enter global configuration mode.

Router>enable
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#

Before we configure IP addresses on the interfaces, let's assign a unique descriptive name to the router.

Router(config)#hostname R1
R1(config)#

Now execute the following commands to set the IP address on the FastEthernet 0/0 interface.

R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

The interface FastEthernet 0/0 command enters interface mode.

The ip address 10.0.0.1 255.0.0.0 command assigns an IP address to the interface.

The no shutdown command brings the interface up.

The exit command returns to global configuration mode.

A serial interface needs two additional parameters: clock rate and bandwidth. Every serial cable has two ends, DTE and DCE. These parameters are always configured at the DCE end.

We can use the show controllers command from privileged mode to check which end of the cable is attached.

R1(config)#exit
R1#show controllers serial 0/0/0
Interface Serial0/0/0
Hardware is PowerQUICC MPC860
DCE V.35, clock rate 2000000
[Output omitted]

The fourth line of the output confirms that the DCE end of the serial cable is attached. If you see DTE here instead of DCE, skip these parameters.

Now that we have the necessary information, let's assign an IP address to the serial interface.

R1#configure terminal
R1(config)#interface Serial0/0/0
R1(config-if)#ip address 100.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#

Router#configure terminal enters global configuration mode.

Router(config)#interface serial 0/0/0 enters interface mode.

Router(config-if)#ip address 100.0.0.1 255.0.0.0 assigns an IP address to the interface.

Router(config-if)#clock rate 64000

In a real environment this parameter controls the data flow on the serial link and is set at the service provider's end. In a lab environment we need not worry about this value; any valid rate will do.

Router(config-if)#bandwidth 64

Bandwidth works as an influencer: it affects the metric calculation of EIGRP or any other routing protocol that uses bandwidth in its route selection process.

Router(config-if)#no shutdown brings the interface up.

Router(config-if)#exit returns to global configuration mode.

We will use the same commands to assign IP addresses to the interfaces of Router2. Clock rate and bandwidth are needed only on the DCE side of the serial link. The following commands assign IP addresses to the interfaces of Router2.

Initial IP configuration in R2

Router>enable
Router#configure terminal
Router(config)#hostname R2
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address 192.168.1.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface Serial0/0/0
R2(config-if)#ip address 100.0.0.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#

That's all the initial IP configuration we need. The topology is now ready for practicing static NAT.

Configure Static NAT

Static NAT configuration requires three steps:

  1. Define IP address mapping
  2. Define inside local interface
  3. Define inside global interface

Since static NAT uses manual translation, we have to map each inside local IP address that needs translation to an inside global IP address. The following command maps an inside local IP address to an inside global IP address.

Router(config)#ip nat inside source static [inside local ip address] [inside global IP address]

For example, in our lab Laptop0 is configured with IP address 10.0.0.10. To map it to 50.0.0.10 we use the following command.

Router(config)#ip nat inside source static 10.0.0.10 50.0.0.10

In the second step we have to define which interface is connected to the local network. On both routers, interface Fa0/0 is connected to the local network that needs IP translation.

The following command defines interface Fa0/0 as inside local.

Router(config-if)#ip nat inside

In the third step we have to define which interface is connected to the global network. On both routers, interface Serial0/0/0 is connected to the global network. The following command defines interface Serial0/0/0 as inside global.

Router(config-if)#ip nat outside

The following figure illustrates these terms.

[Figure: inside local and inside global interfaces]

Let's put all these commands together and configure static NAT.

R1 Static NAT Configuration

R1(config)#ip nat inside source static 10.0.0.10 50.0.0.10
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#
R1(config)#interface Serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit

For testing purposes I configured only one static translation. You may use the following commands to configure translations for the remaining addresses.

R1(config)#ip nat inside source static 10.0.0.20 50.0.0.20
R1(config)#ip nat inside source static 10.0.0.30 50.0.0.30

R2 Static NAT Configuration

R2(config)#ip nat inside source static 192.168.1.10 200.0.0.10
R2(config)#interface FastEthernet 0/0
R2(config-if)#ip nat inside
R2(config-if)#exit
R2(config)#
R2(config)#interface Serial 0/0/0
R2(config-if)#ip nat outside
R2(config-if)#exit

Before we test this lab we need to configure IP routing. IP routing is the process that allows a router to forward packets between different networks. The following tutorial explains routing in detail with examples.

Routing concepts Explained with Examples

Configure static routing on R1

R1(config)#ip route 200.0.0.0 255.255.255.0 100.0.0.2

Configure static routing on R2

R2(config)#ip route 50.0.0.0 255.0.0.0 100.0.0.1

Testing Static NAT Configuration

In this lab we configured static NAT on R1 and R2. On R1 we mapped inside local IP address 10.0.0.10 to inside global address 50.0.0.10, while on R2 we mapped inside local IP address 192.168.1.10 to inside global IP address 200.0.0.10.

Device | Inside Local IP Address | Inside Global IP Address
Laptop0 | 10.0.0.10 | 50.0.0.10
Server | 192.168.1.10 | 200.0.0.10

To test this setup, click Laptop0, click Desktop and click Command Prompt.

  • Run the ipconfig command.
  • Run the ping 200.0.0.10 command.
  • Run the ping 192.168.1.10 command.

[Figure: NAT test from Laptop0]

The first command verifies that we are testing from the correct NAT device.

The second command checks whether we can reach the remote device. A ping reply confirms that we can connect to the remote device on this IP address.

The third command checks whether we can reach the remote device on its actual IP address. A ping error confirms that we cannot connect to the remote device on this IP address.

Let's do one more test. Click Laptop0, click Desktop, click Web Browser and access 200.0.0.10.

[Figure: web access from Laptop0, success]

The figure above confirms that host 10.0.0.10 can access 200.0.0.10.

Now run the ping 200.0.0.10 command from Laptop1.

[Figure: ping from Laptop1 fails]

Why are we not able to connect to the remote device from this host?

Because we configured NAT only for one host (Laptop0), whose IP address is 10.0.0.10. So only the host 10.0.0.10 can access the remote device.

To confirm this again, let's try to access the web service from this host.

[Figure: web access from Laptop1 fails]

If you followed this tutorial step by step, you should get the same test output. Although it is very rare, sometimes you may get different output. To figure out what went wrong, you can use my practice topology with all of the above configuration. Download my practice topology.

Download NAT Practice LAB with Static NAT configuration

We can also verify the translations on the router with the show ip nat translation command.

The following figure shows the translations on router R1.

[Figure: show ip nat translation on R1]

The following figure shows the translations on router R2.

[Figure: show ip nat translation on R2]

Pay a little extra attention to the outside local address field. Have you noticed an interesting feature of NAT in the above output? Why is the actual outside local IP address not listed in this field?

The actual IP address is not listed because each router receives packets after translation. From R1's point of view the remote device's IP address is 200.0.0.10, while from R2's point of view the end device's IP address is 50.0.0.10.

In this way, when NAT is enabled we cannot trace the actual end device.
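As an added illustration of this point (example code written for this page, not the tutorial's own), the following Python model traces one request and its reply through both statically translating routers and records the rows each router's translation table would hold. The lab addresses and static routes are the ones configured above; the hop model itself, its function names, and the assumption that a packet without a NAT entry is forwarded untranslated are this example's.

```python
import ipaddress

# Added example (not from the tutorial): a two-router static NAT model that traces
# a request and its reply hop by hop and records what each router's translation
# table would show. Addresses and routes are the tutorial's lab; the rule that a
# packet with no NAT entry is forwarded unchanged is the model's assumption.


def routable(address: str, networks) -> bool:
    """True if the router holds a connected or static route covering the address."""
    ip = ipaddress.IPv4Address(address)
    return any(ip in ipaddress.IPv4Network(n) for n in networks)


class StaticNatRouter:
    def __init__(self, name: str, mappings: dict, reachable):
        self.name = name
        self.local_to_global = dict(mappings)                    # inside local -> inside global
        self.global_to_local = {g: l for l, g in mappings.items()}
        self.reachable = list(reachable)                        # connected plus static routes
        self.translations = []   # (inside global, inside local, outside local, outside global)

    def _record(self, inside_global, inside_local, outside):
        # This router only ever sees the peer's translated address, so outside local
        # and outside global hold the same value in its table.
        row = (inside_global, inside_local, outside, outside)
        if row not in self.translations:
            self.translations.append(row)

    def outbound(self, src: str, dst: str):
        """Inside -> outside: rewrite the source if a static entry exists, then route."""
        if not routable(dst, self.reachable):
            return None                                         # no route: dropped
        new_src = self.local_to_global.get(src, src)            # no entry: forwarded as is
        if new_src != src:
            self._record(new_src, src, dst)
        return (new_src, dst)

    def inbound(self, src: str, dst: str):
        """Outside -> inside: rewrite the destination back to the inside local address."""
        inside_local = self.global_to_local.get(dst)
        if inside_local is None:
            return None                                         # nothing maps to that address
        self._record(dst, inside_local, src)
        return (src, inside_local)


def build_lab():
    r1 = StaticNatRouter("R1", {"10.0.0.10": "50.0.0.10"},
                         ["10.0.0.0/8", "100.0.0.0/8", "200.0.0.0/24"])
    r2 = StaticNatRouter("R2", {"192.168.1.10": "200.0.0.10"},
                         ["192.168.1.0/24", "100.0.0.0/8", "50.0.0.0/8"])
    return r1, r2


def round_trip(r1, r2, src: str, dst: str):
    """Send one packet from the R1 side and return the headers seen at each hop
    plus a status string describing where the exchange ended."""
    hops = []
    pkt = r1.outbound(src, dst)
    if pkt is None:
        return hops, "dropped at R1: no route to destination"
    hops.append(("R1 out", pkt))
    pkt = r2.inbound(*pkt)
    if pkt is None:
        return hops, "dropped at R2: no NAT entry for destination"
    hops.append(("R2 in", pkt))
    pkt = r2.outbound(pkt[1], pkt[0])                           # the server replies
    if pkt is None:
        return hops, "reply dropped at R2: no route back"
    hops.append(("R2 out", pkt))
    pkt = r1.inbound(*pkt)
    if pkt is None:
        return hops, "reply dropped at R1: no NAT entry"
    hops.append(("R1 in", pkt))
    return hops, "reply delivered"


if __name__ == "__main__":
    r1, r2 = build_lab()
    for src, dst in (("10.0.0.10", "200.0.0.10"), ("10.0.0.20", "200.0.0.10"),
                     ("10.0.0.10", "192.168.1.10")):
        print(src, "->", dst, round_trip(r1, r2, src, dst)[1])
    print("R1:", r1.translations)
    print("R2:", r2.translations)
```

After the first exchange, R1's row lists 200.0.0.10 as the outside address and R2's row lists 50.0.0.10, exactly the observation made above: neither router ever sees the other side's real address. The model also reproduces the two failing tests from the lab: Laptop1 reaches the server but the reply has no route back through R2, and a ping to 192.168.1.10 is dropped at R1 because R1 only has a route to 200.0.0.0/24.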

That's all for this tutorial. In the next part we will learn dynamic NAT configuration step by step with examples.


Basic Concepts of NAT Explained in Easy Language

This tutorial explains the basic concepts of NAT (Network Address Translation), the types of NAT (Static NAT, Dynamic NAT, NAT Overload / PAT) and NAT terminology (inside local, outside local, inside global and outside global) in detail. Learn how NAT works step by step with practical examples in Packet Tracer.

Basic overview of NAT

There are several situations where we need address translation: a network that does not have enough public IP addresses wants to connect to the Internet, two networks that use the same IP addresses want to merge, or for security reasons a network wants to hide its internal IP structure from the outside world. NAT (Network Address Translation) is the process that translates IP addresses. NAT can be performed on a firewall, a server or a router. In this tutorial we will understand how it is performed on a Cisco router.

This tutorial is the first part of our article “Learn NAT (Network Address Translation) Step by Step in Easy Language with Examples”. You can read other parts of this article here.

How to Configure Static NAT in Cisco Router

This tutorial is the second part of this article. This tutorial explains how to configure Static NAT (Network Address Translation) in Cisco Router with examples.

How to Configure Dynamic NAT in Cisco Router

This tutorial is the third part of this article. This tutorial explains how to configure Dynamic NAT (Network Address Translation) in Cisco Router step by step with examples.

Configure PAT in Cisco Router with Examples

This tutorial is the last part of this article. This tutorial explains how to configure PAT (Port Address Translation) in Cisco Router step by step with packet tracer examples.

NAT Terminology

Before we understand NAT in detail, let's get familiar with four basic terms used in NAT.

Term | Description
Inside Local IP Address | Source IP address before translation, located inside the local network.
Inside Global IP Address | Source IP address after translation, as seen outside the local network.
Outside Global IP Address | Destination IP address before translation, located outside the remote network.
Outside Local IP Address | Destination IP address after translation, located inside the remote network.



Let's understand these terms with an example. Suppose a user is browsing a website from his home computer. The network that connects his computer to the Internet is the local network for him. Likewise, the network that connects the web server hosting the website to the Internet is the local network for the web server. The network that connects both of them across the Internet is the global network.

[Figure: NAT basic terms]

On a router, the interface connected to the local network is configured with the inside local IP address and the interface connected to the global network is configured with the inside global IP address. Inside and outside depend on where we are standing. For example, in the network above, router R1 is inside and router R2 is outside for the user.

[Figure: inside and outside from the user's point of view]

While for the web server, router R2 is inside and router R1 is outside.

[Figure: inside and outside from the web server's point of view]

Basically, on a NAT-enabled router there are two types of interface: inside local and inside global.



So, what about outside global and outside local? Well… these terms are used to explain the NAT process theoretically. In practice we never configure outside local or outside global as such. Let's discuss the above example once again.

On R1 we configure the inside local address (10.0.0.1) and the inside global address (100.0.0.1), which become the outside local address (10.0.0.1) and the outside global address (100.0.0.1) for R2, respectively.

In the same way, on R2 we configure the inside local address (192.168.1.1) and the inside global address (100.0.0.2), which become the outside local address (192.168.1.1) and the outside global address (100.0.0.2) for R1, respectively.

So in practice we only configure inside local and inside global. What is inside for one side is outside for the other.

[Figure: NAT basic terminology explained]

Types of NAT

There are three types of NAT: Static NAT, Dynamic NAT and PAT. These types define how an inside local IP address is mapped to an inside global IP address.

Static NAT

In this type we manually map each inside local IP address to an inside global IP address. Since this type uses one-to-one mapping, we need exactly the same number of IP addresses on both sides.

Dynamic NAT

In this type we create a pool of inside global IP addresses and let the NAT device map each inside local IP address to an available inside global IP address from the pool automatically.

PAT

In this type a single inside global IP address is mapped to multiple inside local IP addresses using the source port number. This is also known as PAT (Port Address Translation) or NAT overload.

Situations where NAT is used

There are no hard and fast rules about where we should use NAT or where we should not use the NAT. Whether we should use the NAT or not is purely depends on network requirement for example NAT is the best solution in following situations: –

  • Our network is built with private IP addresses and we want to connect it with internet. As we know to connect with internet we require public IP address. In this situation we can use NAT device which will map private IP address with public IP address.
  • Two networks which are using same IP address scheme want to merge. In this situation NAT device is used to avoid IP overlapping issue.
  • We want to connect multiple computers with internet through the single public IP address. In this situation NAT is used to map the multiple IP addresses with single IP address through the port number.

How NAT Works

To understand how NAT works, let's take one more example. In this example a user is accessing a web server. Both the user and the web server are connected through NAT devices, and both use private IP addresses, which are not routable on the internet. Let's see how NAT makes this communication possible.

How NAT works

The user generates a data packet for the web server. This packet has source address 10.0.0.1 and destination address 100.0.0.2.

The source address is the correct address, but why does the packet have destination address 100.0.0.2 instead of the actual destination address 192.168.1.1?

When a system needs to connect to a website, it uses a DNS server to resolve the IP address of the website. The DNS server advertises the global IP address of the website, and outsiders can connect to the website through the advertised IP address only. In our example the global IP address of the web server is 100.0.0.2. For this reason the packet has destination address 100.0.0.2 instead of 192.168.1.1.

This packet reaches R1. Since the packet carries a private IP address in its source field, which is not routable on the internet, R1 has to replace it with a routable public IP address before forwarding the packet.

R1 checks its NAT table for available public IP addresses. Depending on which type of NAT (Static, Dynamic or PAT) is configured, one routable public IP address is picked from the NAT table for this packet.

In our example 100.0.0.1 is picked. R1 replaces 10.0.0.1 with 100.0.0.1 in the source field of the packet and forwards it to R2.

R2 receives this packet and reads the destination IP address. R2 looks in its NAT table to find the actual IP address of the destination. Since the NAT table of R2 has an entry mapping 100.0.0.2 to 192.168.1.1, R2 replaces the destination address 100.0.0.2 with 192.168.1.1 and forwards the packet to the web server.

The web server processes this packet and replies with its own packet. This packet has source address 192.168.1.1 and destination address 100.0.0.1.

Since the web server received the request from 100.0.0.1, it replies to that address instead of 10.0.0.1.

R2 receives this packet. Before forwarding it, R2 replaces the source IP address with the address mapped to it in the NAT table. In this example 192.168.1.1 is replaced with 100.0.0.2.

R1 receives this packet and checks its destination address. R1 queries its NAT table for the IP address associated with this destination address. Since the destination address 100.0.0.1 is mapped to 10.0.0.1, R1 replaces 100.0.0.1 with 10.0.0.1 and forwards the packet to the PC.

From the user's point of view the IP address of the web server is 100.0.0.2, while from the web server's point of view the IP address of the user is 100.0.0.1. This way neither the user nor the web server ever knows with whom it is actually communicating.
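As an added example (not code from the original tutorial), here is the request and reply walk-through above simulated in Python. R1 fills its table from a dynamic pool and R2 holds a static entry, so the same run also illustrates the Static and Dynamic NAT types from the previous section. The NatRouter and Packet names, and the choice of which router uses which NAT type, are assumptions of this example; the addresses are the ones used in the text.

```python
"""Simulation of the NAT walk-through in this tutorial (added example, not
from the original page).  Two NAT routers, R1 and R2, each keep a table that
maps an inside local address to an inside global address.  R1 uses a dynamic
pool and R2 a static entry (an assumption of this example), so the run also
shows how the two NAT types fill the table."""

from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str


class NatRouter:
    """Minimal NAT device: one table of inside-local -> inside-global entries."""

    def __init__(self, name, static=None, pool=None):
        self.name = name
        self.table = dict(static or {})   # inside local -> inside global
        self.pool = list(pool or [])      # free inside global addresses (dynamic NAT)

    def _inside_global_for(self, inside_local):
        """Return the inside global address for a host, allocating one from the
        pool on first use when no static entry exists (dynamic NAT)."""
        if inside_local in self.table:
            return self.table[inside_local]
        if not self.pool:
            raise RuntimeError(f"{self.name}: NAT pool exhausted for {inside_local}")
        inside_global = self.pool.pop(0)
        self.table[inside_local] = inside_global
        return inside_global

    def outbound(self, pkt):
        """Packet leaving the inside network: rewrite the source address."""
        return Packet(self._inside_global_for(pkt.src), pkt.dst)

    def inbound(self, pkt):
        """Packet arriving from outside: rewrite the destination back to the
        inside local address, or drop it (None) when no entry exists."""
        for inside_local, inside_global in self.table.items():
            if inside_global == pkt.dst:
                return Packet(pkt.src, inside_local)
        return None


def walkthrough():
    """Run the request/reply exchange from the text and return every hop."""
    r1 = NatRouter("R1", pool=["100.0.0.1"])                    # dynamic NAT
    r2 = NatRouter("R2", static={"192.168.1.1": "100.0.0.2"})   # static NAT

    request = Packet("10.0.0.1", "100.0.0.2")     # user -> DNS-advertised address
    on_wire = r1.outbound(request)                # R1 swaps source to 100.0.0.1
    at_server = r2.inbound(on_wire)               # R2 swaps destination to 192.168.1.1

    reply = Packet(at_server.dst, at_server.src)  # server answers 100.0.0.1
    reply_wire = r2.outbound(reply)               # R2 swaps source to 100.0.0.2
    at_user = r1.inbound(reply_wire)              # R1 swaps destination to 10.0.0.1
    return {"on_wire": on_wire, "at_server": at_server,
            "reply_wire": reply_wire, "at_user": at_user}


if __name__ == "__main__":
    for hop, pkt in walkthrough().items():
        print(f"{hop:>10}: {pkt.src} -> {pkt.dst}")
```

A packet arriving from outside whose destination has no table entry is dropped (inbound returns None); that is the mechanism behind the "NAT hides internal IP structure" advantage listed below. The RuntimeError shows the flip side for dynamic NAT: once the pool is empty, a new inside host gets no translation and cannot reach the outside at all.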

Advantages and disadvantages of NAT

NAT provides the following advantages:-

  • NAT solves the IP overlapping issue.
  • NAT hides the internal IP structure from the external world.
  • NAT allows us to connect to any network without changing our IP addresses.
  • NAT allows us to connect multiple computers to the internet through a single public IP address.

NAT has the following disadvantages:-

  • NAT adds delay to the network.
  • Several applications are not compatible with NAT.
  • End-to-end IP traceability does not work with NAT.
  • NAT hides the actual end device.

That's all for this article. In the next part of this tutorial we will learn how to configure static NAT and dynamic NAT in a Cisco router.

Prerequisites for 200-301

200-301 is a single exam, consisting of about 120 questions. It covers a wide range of topics, such as routing and switching, security, wireless networking, and even some programming concepts. As with other Cisco certifications, you can take it at any of the Pearson VUE certification centers.

The recommended training program that can be taken at a Cisco academy is called Implementing and Administering Cisco Solutions (CCNA). The successful completion of a training course will get you a training badge.


Basic Concepts of Frame Relay Explained in Easy Language

This tutorial explains the basic concepts of Frame Relay step by step in detail with examples, including Frame Relay fundamentals, the Frame Relay congestion control method and Frame Relay terminology (VC, PVC, SVC, DTE, DCE, DE, access link, LMI types, LMI status enquiry, DLCI numbers, FECN, BECN, access rate and CIR).

Basic concept of Frame Relay

Frame Relay is one of the most popular WAN services deployed over the past decade. Even though several more advanced technologies (such as VPN and ATM) are available today, Frame Relay still rocks and will for the near future, thanks to its features, benefits and lower cost in comparison with other point-to-point WAN services. For example, have a look at the following figure, which illustrates a network with simple point-to-point leased line connections.

Frame Relay network

There are four routers in this network. To connect these routers with each other, six leased lines and three serial interfaces on each router are used. We can use the following formula to figure out how many connections are required:-

(N × (N – 1)) / 2 [Here N is the number of routers]

In our example we have four routers, so we need (4 x (4-1)) / 2 = 6 leased lines.

If we have 100 routers then we need (100 x (100-1)) / 2 = 4950 leased lines and 99 serial interfaces on each router. Forget about low-end routers; even a 7700 series router does not have enough physical interfaces to handle this requirement.

Here comes Frame Relay. Frame Relay turns a physical interface into virtual interfaces. With virtual interfaces Frame Relay can effectively handle this network, or an even bigger network, with a single serial interface. Have a look at the following figure, which illustrates the above network with Frame Relay.

frame relay network example

With Frame Relay, we still need 6 connections to connect all these routers with each other. But instead of physical lines, Frame Relay uses virtual lines to connect all these locations. The biggest benefit of these virtual lines is that we do not need an equal number of physical interfaces on the router to connect them. We can connect multiple virtual lines to a single interface.

Frame Relay access link share

This tutorial is the fourth part of our article "WAN Terminology Explained with Encapsulation Protocols and Methods". You can read the other parts of this article here.

WAN Tutorial – Basic WAN Switching Concept Explained

This tutorial is the first part of the article. This part explains basic WAN concepts including terminology, encapsulation methods, switching concepts and encapsulation protocols in detail with examples.

HDLC Protocol and Encapsulation method Explained

This tutorial is the second part of the article. This part explains the HDLC (High-Level Data Link Control) protocol and encapsulation method in detail with examples, including a step by step configuration guide.

PPP Protocol and Encapsulation method Explained

This tutorial is the third part of the article. This part explains the PPP (Point to Point) protocol and encapsulation method in detail with examples, including a step by step configuration guide.

How to configure Frame Relay Step by Step Guide

This tutorial is the last part of the article. This part provides a step by step guide on how to configure Frame Relay in Cisco routers.

Frame Relay VC, PVC and SVC



In Frame Relay terminology virtual connection lines are known as Virtual Circuits (VCs). There are two types of VCs: PVCs and SVCs.

Differences between Frame Relay PVCs and Frame Relay SVCs

Frame Relay PVCs (Permanent Virtual Circuits) | Frame Relay SVCs (Switched Virtual Circuits)
A PVC is just like a leased line: once configured it stays there until we manually reconfigure it. | An SVC is just like a telephone connection: it is built dynamically whenever we have data to transmit and terminated once the transmission is over.
If we have regular data for transmission then a PVC is the best choice. | If we have periodic data for transmission then an SVC is the right choice.
PVCs need a lot of manual configuration. | SVCs need less configuration in comparison with PVCs.
Once a PVC is built there is no delay before data transmission. | Since an SVC is built each time we send data, a small delay before data transmission is expected.
Whether we use it or not, we have to pay for the entire billing cycle. | We pay only when we actually use it.

SVCs are not tested in any CCNA level exam, so I am not going to include them in the rest of the article. From here on, wherever VC or PVC is referred to, take it to mean PVC only.

Frame Relay Network Type

A Frame Relay network is considered fully meshed when all sites (routers) are connected with each other via direct links. When not all sites have a direct link with each other, it is considered a partially meshed Frame Relay network.

Frame Relay network type

Frame Relay Terminology

Frame Relay uses a lot of terms to describe its components and functions. In this section we will understand these terms in detail. Have a look at the following figure, which illustrates a simple Frame Relay network.

frame relay terminology

DTE

DTE (Data Terminal Equipment) is a device (usually a router or PC) that converts data frames into signals and converts received signals back into data frames. A DTE device communicates with a DCE device.

CSU/DSU

A CSU/DSU (Channel Service Unit/Data Service Unit) is a device that converts data signals between the LAN and the WAN. LAN and WAN use separate communication technologies; a CSU/DSU understands both. DSL and cable modems are examples of CSU/DSUs.

DCE

DCE (Data Circuit-terminating Equipment) is a device (usually a modem, CSU/DSU or Frame Relay switch) that provides clock rate and synchronization.

Access Link

The connection line between the DTE and the DCE.

Frame Relay cloud

The Frame Relay cloud refers to the Telco's internal infrastructure.

VC

A VC is the logical path between two endpoint DTEs.

Access Rate

This is the maximum speed of the purchased connection. The access link should be clocked at this speed. Access rate is the maximum speed at which data can be transmitted.

CIR (Committed Information Rate)

This is the guaranteed bandwidth that we get from the provider for a VC. Even during congestion we can count on this bandwidth. CIR is the maximum bandwidth at which delivery of data is guaranteed.

Let's understand these values with an example. Suppose there are three networks connected to a Frame Relay switch and sharing a single path. Network1 and Network2 purchased a connection with an access rate of 128 Kbps and a CIR of 64 Kbps. Network3 purchased a connection with an access rate of 64 Kbps and a CIR of 64 Kbps.

If the access rate and the CIR are equal then the Frame Relay connection works pretty much like a leased line. Network3 is paying for 64 Kbps and in return gets a guaranteed 64 Kbps from the Frame Relay company. So for Network3 this connection works just like a 64 Kbps leased line, where you get what you pay for.

Instead of fixed bandwidth, Network1 and Network2 opted for a flexible connection where the access rate and the CIR differ. For this connection they have to spend a little extra money. They are charged for 64 Kbps guaranteed (CIR) plus additional bandwidth (if available, under certain terms and conditions). Additional bandwidth is provided on a shared basis. If all other users are transferring data at a particular time, they get the minimum bandwidth of 64 Kbps at that time.

Frame Relay access rate

If no other user is transferring data at a particular time, they get the maximum bandwidth of 128 Kbps at that time. For example, if no other user is transferring data, R1 is allowed to use an additional 64 Kbps of bandwidth at that moment.

frame relay CIR

  • If no other user is transferring data then the maximum (128 Kbps) bandwidth is available.
  • If all other users are transferring data then the minimum (64 Kbps) bandwidth is available.
  • If some users are transferring data then the bandwidth may be anywhere between 64 Kbps and 128 Kbps.

Anything beyond the CIR is marked as burst. There are two types of burst:-

BC (committed burst rate)

A small amount of additional bandwidth that is allowed to handle small bursts in traffic.

BE (excess burst rate)

The remaining amount of bandwidth. If the Telco allows, we can also send at this rate. A connection rarely works at this speed.

Oversubscription

When we add up all the rates (CIR + Bc + Be) and the sum exceeds the access rate, it is considered oversubscription.

Usually oversubscription is not allowed, so any data that falls in the oversubscription category is dropped.

frame relay oversubscription

Frame Relay Congestion Control

Since users share bandwidth, congestion is common in Frame Relay. We should avoid sending additional data while the network is facing congestion. Frame Relay uses three bits to manage congestion:-

Discard Eligibility (DE)

Any frame beyond the CIR is eligible for discard if the Frame Relay network is facing congestion. The DE bit is set in the frame header. During congestion, the Frame Relay switch drops all frames marked with the DE bit (set to on). If there is no congestion, the frame is allowed to cross the Frame Relay network.

Forward Explicit Congestion Notification (FECN)

If there is congestion in the network, the Frame Relay switch sets the FECN bit to on (1) in the data frame header. This way the destination router learns about congestion on the VC.

Backward Explicit Congestion Notification (BECN)

Once frames with the congestion bit on arrive at the destination router (DTE), the destination router sends a frame back in the reverse direction with the BECN bit on in the frame header. Once the source receives this frame, it learns about the congestion and slows down data transmission on that VC.

frame relay congestion control

If the Frame Relay carrier experiences little or no congestion, you get good speed and great service at a competitively low price. If the Frame Relay carrier experiences constant congestion, you get poor service, since most of your frames are dropped.
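The access rate, CIR, Bc and Be rules from the previous section and the DE, FECN and BECN bits described here fit together in one policing decision per frame. The following Python model, added here as an example and not taken from the tutorial, makes that decision explicit. The class names, the per-second accounting, the Bc and Be values and the single congested flag are assumptions of this model; the access rate (128 Kbps) and CIR (64 Kbps) are Network1's contract from the text.

```python
"""Added example, not part of the tutorial: a per-VC policer applying the
access rate, CIR, Bc and Be rules and the DE, FECN and BECN bits described
above.  Rates are bits per second, accounted per one-second interval.  The
class names, the Bc/Be values and the 'congested' flag are assumptions."""

from dataclasses import dataclass


@dataclass
class Frame:
    dlci: int            # VC the frame travels on
    bits: int
    de: bool = False     # Discard Eligibility
    fecn: bool = False   # Forward Explicit Congestion Notification
    becn: bool = False   # Backward Explicit Congestion Notification


@dataclass
class VirtualCircuit:
    dlci: int
    access_rate: int     # clock rate of the access link (bps)
    cir: int             # guaranteed rate (bps)
    bc: int              # committed burst above CIR, accepted but DE-marked (bps)
    be: int              # excess burst, accepted only if the Telco allows it (bps)
    allow_be: bool = True
    sent: int = 0        # bits accepted so far in the current interval

    def oversubscribed(self):
        """CIR + Bc + Be adds up to more than the access link can carry."""
        return self.cir + self.bc + self.be > self.access_rate


class FrameRelaySwitch:
    """Ingress side of the provider switch for one access link."""

    def __init__(self, vcs, congested=False):
        self.vcs = {vc.dlci: vc for vc in vcs}
        self.congested = congested       # set when the cloud reports congestion
        self.becn_pending = set()        # DLCIs whose sender must be told to slow down

    def new_interval(self):
        for vc in self.vcs.values():
            vc.sent = 0

    def police(self, frame):
        """Accept, DE-mark or drop a frame.  Returns the forwarded frame or None."""
        vc = self.vcs[frame.dlci]
        total = vc.sent + frame.bits
        # nothing beyond the contract (or the physical link) is ever accepted
        ceiling = min(vc.access_rate, vc.cir + vc.bc + (vc.be if vc.allow_be else 0))
        if total > ceiling:
            return None
        if total > vc.cir:
            frame.de = True              # burst traffic: eligible for discard
            if self.congested:
                return None              # DE frames are dropped first under congestion
        if self.congested:
            frame.fecn = True            # warn the receiving DTE
            self.becn_pending.add(frame.dlci)
        vc.sent = total
        return frame

    def reverse_frame(self, dlci, bits):
        """A frame heading back to the sender carries BECN if congestion was seen."""
        return Frame(dlci, bits, becn=dlci in self.becn_pending)


def demo(congested=False):
    """Offer five 32 Kbit frames in one second on Network1's contract from the
    text (access rate 128 Kbps, CIR 64 Kbps; Bc = Be = 32 Kbps are constructed)."""
    vc = VirtualCircuit(dlci=100, access_rate=128_000, cir=64_000, bc=32_000, be=32_000)
    switch = FrameRelaySwitch([vc], congested=congested)
    outcome = []
    for _ in range(5):                   # 160 Kbit offered > 128 Kbit access rate
        out = switch.police(Frame(100, 32_000))
        outcome.append("dropped" if out is None else "DE" if out.de else "ok")
    return outcome


if __name__ == "__main__":
    print("no congestion:", demo())
    print("congested:    ", demo(congested=True))
```

Without congestion the first two frames fit inside the CIR, the next two are accepted but DE-marked as burst, and the fifth exceeds the access rate and is dropped as oversubscription. With the congested flag set, every DE frame is dropped at ingress, the CIR frames go through with FECN set, and the reverse frame for that DLCI carries BECN, which is exactly the "you get what you pay for" behaviour of the CIR under load.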

Frame Relay LMI (Local Management Interface) protocol

Before transmitting data, a DTE confirms the status of the remote end; it sends data only if the remote end is up. To learn each other's status, devices exchange keepalive messages. If one end does not receive a keepalive message from the other end within the specified time, it assumes the remote end is down. Keepalive messages are exchanged between directly connected devices. For example, on a leased line, where two devices connect with each other via a direct link, the two devices exchange keepalive messages. In Frame Relay, devices connect with each other via the Frame Relay switches, so they exchange keepalive messages with the Frame Relay switches.

frame relay keepalive LMI message

Frame Relay uses the LMI protocol to exchange keepalive messages between the DTE (connection end point) and the DCE (the last Frame Relay switch, which is directly connected to the end point). The DTE (router) sends LMI status enquiry messages to the connected DCE (Frame Relay switch). If the DCE (Frame Relay switch) is up, it responds with an LMI status reply message. If the DTE gets no response from the DCE, it assumes that either the access link or the Frame Relay switch is down.

Besides the LMI status enquiry, the DTE also asks for full status updates. In response the DCE replies with all information related to the DTE. This information includes the status of the VCs connected to the DTE and their configuration values (CIR, Bc, Be and DLCIs).

lmi status inquiry

LMI status enquiry :- A simple query asking a simple question, "Are you there?". The response to this query is equally simple: "Yes, I am here".

LMI full status enquiry :- A complete query seeking full information, "Tell me everything that is related to me". The response to this query contains all information related to the DTE: "Here is all information which is related to you".

There are three types of LMI: Cisco, ANSI and Q.933A. Each LMI type is slightly different from the other two, therefore they are not compatible with each other. We must use the same LMI option on both ends. In the next part of this article we will learn how to configure the LMI type.

On Job

Unless you configure the LMI type, routers use the autosense feature. With autosense the router automatically figures out which LMI type the Frame Relay switch is using and configures itself accordingly.
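The following Python model of the LMI exchange is an added example, not from the tutorial: a DTE sends a status enquiry every keepalive interval, periodically asks for full status, learns its PVCs from the full status reply, and declares the link down after repeated silence. A DCE that speaks a different LMI dialect simply never answers, which is what "not compatible with each other" looks like on the wire, and the autosense method shows how a router with no LMI type configured recovers from that. The message dictionaries, the "every sixth enquiry is a full status enquiry" cadence, the three-misses-and-down rule and the probe order are assumptions chosen to illustrate the text, not protocol constants.

```python
"""Added example, not from the tutorial: a small model of the LMI keepalive
exchange between a DTE (router) and its DCE (Frame Relay switch).  Message
layout, the full-status cadence, the miss threshold and the autosense probe
order are assumptions of this model, not protocol constants."""

from dataclasses import dataclass

LMI_TYPES = ("cisco", "ansi", "q933a")   # the three dialects; mutually incompatible


@dataclass
class PVCStatus:
    dlci: int
    active: bool


class FrameRelaySwitchLMI:
    """DCE side.  Answers only enquiries written in its own LMI dialect."""

    def __init__(self, lmi_type, pvcs, up=True):
        self.lmi_type = lmi_type
        self.pvcs = pvcs
        self.up = up

    def handle(self, enquiry):
        if not self.up or enquiry["lmi_type"] != self.lmi_type:
            return None                     # silence: wrong dialect or switch down
        reply = {"type": "status", "lmi_type": self.lmi_type, "seq": enquiry["seq"]}
        if enquiry["type"] == "full status enquiry":
            reply["pvcs"] = list(self.pvcs)  # "here is everything related to you"
        return reply


class RouterLMI:
    """DTE side.  Sends one enquiry per keepalive interval."""

    def __init__(self, lmi_type=None, full_every=6, error_threshold=3):
        self.configured_type = lmi_type     # None means autosense
        self.lmi_type = lmi_type or LMI_TYPES[0]
        self.full_every = full_every
        self.error_threshold = error_threshold
        self.seq = 0
        self.missed = 0
        self.link_up = False
        self.pvcs = {}                      # dlci -> active, learned from full status

    def autosense(self, switch):
        """Try each dialect until the switch answers (no LMI type configured)."""
        if self.configured_type:
            return self.lmi_type
        for lmi in LMI_TYPES:
            probe = {"type": "status enquiry", "lmi_type": lmi, "seq": 0}
            if switch.handle(probe) is not None:
                self.lmi_type = lmi
                return lmi
        return None

    def tick(self, switch):
        """One keepalive interval.  Returns True if the switch answered."""
        self.seq += 1
        kind = "full status enquiry" if self.seq % self.full_every == 0 else "status enquiry"
        reply = switch.handle({"type": kind, "lmi_type": self.lmi_type, "seq": self.seq})
        if reply is None:
            self.missed += 1
            if self.missed >= self.error_threshold:
                self.link_up = False        # access link or switch assumed down
            return False
        self.missed = 0
        self.link_up = True
        if "pvcs" in reply:
            self.pvcs = {p.dlci: p.active for p in reply["pvcs"]}
        return True


def run(router, switch, intervals):
    """Drive the exchange for a number of keepalive intervals."""
    return [router.tick(switch) for _ in range(intervals)]


if __name__ == "__main__":
    switch = FrameRelaySwitchLMI("ansi", [PVCStatus(100, True), PVCStatus(101, False)])
    router = RouterLMI()                    # no LMI type configured: autosense
    print("sensed:", router.autosense(switch), "answers:", run(router, switch, 6))
    print("link up:", router.link_up, "pvcs:", router.pvcs)
```

A router configured with the wrong dialect never brings the link up even though the switch is healthy, so an LMI mismatch looks exactly like a dead access link from the router's side; checking the configured LMI type against the provider's is therefore the first troubleshooting step when the interface stays down.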

Frame Relay DLCI (data link connection identifiers) explained

Frame Relay allows us to connect multiple VCs to a single physical access link. In the first example of this tutorial, we connected six VCs to a single physical link (serial interface). Basically we divided a serial interface into six sub-interfaces and assigned one VC to each sub-interface. Frame Relay must know which sub-interface is connected to which VC before it can transmit data. Frame Relay uses the DLCI (data link connection identifier) number to map the interface to the VC.

Since a VC has two ends it needs two DLCI numbers, one for each end. The DLCI values are provided by the Telco. We may get the same or different DLCI numbers for the two ends. A DLCI number needs to be unique only between the Frame Relay switch and the DTE router. If we received different DLCI numbers for the two ends, Frame Relay converts the DLCI number midway.

frame relay dlci
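To make the "converted midway" point concrete, here is a Python model of the provider switch, added as an example and not taken from the tutorial. It forwards by (ingress port, DLCI) and rewrites the DLCI on egress, which is why one VC can have different DLCI numbers at its two ends and why a DLCI only has to be unique on its own access link. The FrameRelayCloud class, the port names and the DLCI values are constructed for this example (the 100/101 pair mirrors the lab values used later in this series).

```python
"""Added example, not from the tutorial: a Frame Relay switch that forwards
by (ingress port, DLCI) and rewrites the DLCI on egress.  Port names and DLCI
values are constructed for the example."""


class FrameRelayCloud:
    """Provider switch: one table entry per direction of every VC."""

    def __init__(self):
        self.table = {}   # (port, dlci) -> (port, dlci)

    def add_vc(self, port_a, dlci_a, port_b, dlci_b):
        """Provision a VC.  Refuses a DLCI already in use on the same access link."""
        for port, dlci in ((port_a, dlci_a), (port_b, dlci_b)):
            if (port, dlci) in self.table:
                raise ValueError(f"DLCI {dlci} already in use on {port}")
        self.table[(port_a, dlci_a)] = (port_b, dlci_b)
        self.table[(port_b, dlci_b)] = (port_a, dlci_a)

    def forward(self, in_port, frame):
        """frame is {'dlci': n, 'payload': ...}.  Returns (out_port, frame) or None."""
        entry = self.table.get((in_port, frame["dlci"]))
        if entry is None:
            return None                          # unknown DLCI on this link: discarded
        out_port, out_dlci = entry
        return out_port, {**frame, "dlci": out_dlci}   # DLCI rewritten midway

    def dlcis_on(self, port):
        """What the DTE on this port learns from an LMI full status reply."""
        return sorted(d for p, d in self.table if p == port)


def build_lab():
    """Three access links: R1 on Serial0, R2 on Serial1, R3 on Serial2 (constructed)."""
    cloud = FrameRelayCloud()
    cloud.add_vc("Serial0", 100, "Serial1", 101)   # R1 <-> R2, different DLCI per end
    cloud.add_vc("Serial0", 101, "Serial2", 100)   # R1 <-> R3; DLCI 100 reused on Serial2
    return cloud


if __name__ == "__main__":
    cloud = build_lab()
    print(cloud.forward("Serial0", {"dlci": 100, "payload": "hello R2"}))
    print(cloud.forward("Serial2", {"dlci": 100, "payload": "hello R1"}))
    print("DLCIs seen by R1:", cloud.dlcis_on("Serial0"))
```

DLCI 100 appears on two different access links and means a different VC on each, while a frame sent on Serial1 with DLCI 100 is discarded because no VC is provisioned under that number on that link. The duplicate-DLCI check in add_vc is the only uniqueness rule the switch needs, which is the "unique only between the Frame Relay switch and the DTE router" statement above.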

That’s all for this part. In next part of this article we will configure Frame Relay in Cisco router.


How to configure Frame Relay Step by Step Guide

This tutorial explains how to configure Frame Relay step by step. Learn how to configure (LMI option, DLCI number, VC and PVC), create (point-to-point and multipoint connections and sub-interfaces), verify and debug a Frame Relay implementation with practical examples in Packet Tracer, including Frame Relay configuration commands.

To explain Frame Relay configuration, I will use the Packet Tracer network simulator software. You can use any network simulator software, or real Cisco devices, to follow this guide. There is no difference in output as long as your selected software supports the commands explained in this tutorial.

Create a practice lab as shown in the following figure or download this pre-created practice lab and load it in Packet Tracer.

Download Frame Relay Practise LAB – Blank

frame relay practice topology

If required, you can download the latest as well as earlier versions of Packet Tracer from here. Download Packet Tracer

We will start with this simple example. Once we understand this example, we will add more terms in the next example. This step-wise approach will help us learn Frame Relay configuration easily.



This tutorial is the last part of our article "WAN Terminology Explained with Encapsulation Protocols and Methods". You can read the other parts of this article here.

WAN Tutorial – Basic WAN Switching Concept Explained

This tutorial is the first part of the article. This part explains basic WAN concepts including terminology, encapsulation methods, switching concepts and encapsulation protocols in detail with examples.

HDLC Protocol and Encapsulation method Explained

This tutorial is the second part of the article. This part explains the HDLC (High-Level Data Link Control) protocol and encapsulation method in detail with examples, including a step by step configuration guide.

PPP Protocol and Encapsulation method Explained

This tutorial is the third part of the article. This part explains the PPP (Point to Point) protocol and encapsulation method in detail with examples, including a step by step configuration guide.

Basic Concepts of Frame Relay Explained in Easy Language

This tutorial is the fourth part of the article. This part explains basic concepts of Frame Relay such as LMI types, DLCI, access rate, CIR, PVC, SVC and network type in easy language.

This example network includes two routers and one Frame Relay cloud. Both routers are connected with each other via the Frame Relay cloud. At this time there is no configuration on any device.

In real life the Frame Relay provider builds the VCs, but in a lab environment we have to take on this responsibility ourselves.

Frame Relay Configuration in Packet Tracer step by step

To simulate VCs in Packet Tracer the following steps are required:-

Click Cloud-PT and click Config. From the left pane select the appropriate interface.

configure frame relay in packet tracer step 1

LMI :- Frame Relay supports three LMI options: ANSI, Cisco and Q933a. Whatever option we choose here, we have to use the same option at the DTE (serial 0/0/0 interface of the router).

DLCI :- The DTE device identifies this VC by its DLCI number. Whatever number (usually 17 to 1000) we use here, we must use the same number at the DTE. The DLCI number must be unique for a Frame Relay interface.

Connection Name :- The connection name is used to map VCs between interfaces.

configure frame relay in packet tracer step 2

On Job

The LMI option and DLCI number are provided by the Frame Relay company.

Follow the same process and configure the LMI and DLCI number for the Serial 1 interface.

configure frame relay in packet tracer step 3

Now it is finally time to link this VC. Select the Frame Relay option from the left pane. In the right window select the interface and connection from the drop-down boxes; this represents one end of the VC. For the other end of the VC we need to select the appropriate connection and interface from the right-hand drop-down boxes.

R1 is connected on Serial 0 and we created a connection named R1toR2. So on the left side we select Serial 0 and R1toR2.

R2 is connected on Serial 1 and we created a connection named R2toR1. So on the right side we select Serial 1 and R2toR1.

Once we are done, click the Add button.

configure frame relay in packet tracer step 1

Frame Relay connects two sites via a VC (Virtual Circuit). The Frame Relay service provider uses its internal infrastructure to build VCs. The end user does not need to know this technology, and the provider does not share this information with users. All the end user needs to know is which VC is connected to which site. For this, Frame Relay assigns two DLCI values to each VC, one for each end. The end user uses this value to identify the other end of the VC. The previous part of this article explains these terms in more detail.

Just like in a real environment, we (acting as the Frame Relay provider) need to share the LMI option and DLCI number with the DTE (customer). In our example these values are as follows:

For R1

LMI option – ANSI

DLCI Number – 100

For R2

LMI option – Cisco

DLCI Number – 101

That's all the settings we need in Packet Tracer to simulate Frame Relay. Now it's time to configure the DTE ends. We need the following essential configuration on both routers to bring this network up.

R1
Router>enable
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#encapsulation frame-relay
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#frame-relay interface-dlci 100
Router(config-if)#frame-relay lmi-type ansi
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#exit
Router#
R2
Router>enable
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#encapsulation frame-relay
Router(config-if)#ip address 192.168.1.2 255.255.255.0
Router(config-if)#frame-relay interface-dlci 101
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#exit
Router#

Let's understand the above configuration step by step. As we know, routers allow us to run different WAN services on different interfaces, so our first logical objective is to identify the correct interface. As the figure shows, interface serial 0/0/0 is assigned to Frame Relay on both routers. To configure Frame Relay on this interface we need to enter interface mode. The first three commands in the above configuration are used for this purpose.

enable :- This command is used to enter privileged exec mode.

configure terminal :- This command is used to enter global configuration mode.

interface serial 0/0/0 :- This command is used to enter interface mode.

In Cisco routers the default encapsulation is HDLC. We cannot use Frame Relay with the default encapsulation. The next command changes this encapsulation.

Router(config-if)#encapsulation frame-relay :- This command changes the default encapsulation method to Frame Relay.

The next command assigns an IP address to the interface.

Router(config-if)#ip address 192.168.1.1 255.255.255.0 :- This command assigns the IP address to Serial 0/0/0 of R1.

Router(config-if)#ip address 192.168.1.2 255.255.255.0 :- This command assigns the IP address to Serial 0/0/0 of R2.

The next command assigns the DLCI value to the interface.

Router(config-if)#frame-relay interface-dlci 100 :- This command assigns DLCI value 100 to the serial interface of R1.

Router(config-if)#frame-relay interface-dlci 101 :- This command assigns DLCI value 101 to the serial interface of R2.

The next command sets the LMI option on the interface. Until we change it with this command, the default LMI option is Cisco (on Cisco routers).

Router(config-if)#frame-relay lmi-type ansi :- This command changes the default LMI option to ANSI.

Have you noticed that we did not run this command on R2? Since the LMI option we got from the provider (Cisco) matches the default setting (Cisco), there is no need to run this command on R2.

By default all interfaces on a router are disabled. We need to enable them before they can communicate with others.

Router(config-if)#no shutdown :- This command enables the serial interface.

The last two commands [exit] are used to return to privileged exec mode.

That's all the configuration we need to do on the routers.

Let's test our implementation with the ping command.

test frame relay

If the ping returns success, move on to the next section. Otherwise check your configuration again. For troubleshooting you can use my configured topology.

Download Frame Relay Practise LAB – Configured

Now we are familiar with basic Frame Relay configuration. In the next section we will understand the advanced configuration options with a more complex example.

Frame Relay configuration example

Create a topology as illustrated in the following figure or download this pre-created topology.

Download Frame Relay Example Practise LAB – Blank

frame relay packet tracer practice lab

Frame Relay supports two types of network: fully meshed and partially meshed.

Fully meshed :- A network where all sites are connected with each other via direct links.

Partially meshed :- A network where not all sites have a direct link with each other.

The previous part of this article explains these types in detail with examples.

To understand a fully meshed network we will connect R1, R2 and R3 via direct links. To get an overview of a partially meshed network we will connect R4 only with R1.

Fully Meshed Network Configuration (Multipoint)

Device | Interface          | IP Address     | DLCI Number | Connected with
R1     | Sub-Serial 0/0/0.1 | 192.168.1.1/24 | 100         | R2
R1     | Sub-Serial 0/0/0.1 | 192.168.1.1/24 | 101         | R3
R2     | Sub-Serial 0/0/0.1 | 192.168.1.2/24 | 100         | R1
R2     | Sub-Serial 0/0/0.1 | 192.168.1.2/24 | 101         | R3
R3     | Sub-Serial 0/0/0.1 | 192.168.1.3/24 | 100         | R1
R3     | Sub-Serial 0/0/0.1 | 192.168.1.3/24 | 101         | R2

Partially Meshed Network Configuration (Point-to-point)

Device | Interface          | IP Address     | DLCI Number | Connected with
R1     | Sub-Serial 0/0/0.2 | 192.168.2.1/24 | 102         | R4
R4     | Serial 0/0/0       | 192.168.2.2/24 | 100         | R1

frame relay example

Following commands will be used to configure the R1.

Router – R1
Router>enable
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#encapsulation frame-relay
Router(config-if)#no shutdown
Router(config-if)#interface serial 0/0/0.1 multipoint
Router(config-subif)#ip address 192.168.1.1 255.255.255.0
Router(config-subif)#frame-relay interface-dlci 100
Router(config-subif)#frame-relay interface-dlci 101
Router(config-subif)#interface serial 0/0/0.2 point-to-point
Router(config-subif)#ip address 192.168.2.1 255.255.255.0
Router(config-subif)#frame-relay interface-dlci 102
Router(config-subif)#exit
Router(config)#exit
Router#

As we know from the previous example, Frame Relay is configured from interface mode. We used the first three commands to reach interface mode. The next command changes the default encapsulation method to Frame Relay. The fifth command enables the interface. These five commands were explained in the previous example.

Okay, let's understand the remaining commands.

As we can see in the figure, R1 is connected with three sites from a single serial interface. To connect multiple sites from a single interface we have to divide it into sub-interfaces.

A sub-interface is a virtual interface defined by the IOS software. It uses the same hardware as the physical interface but works just like a separate interface.

A sub-interface can work in two modes: point-to-point and multipoint.

In point-to-point mode, a sub-interface can connect to a single VC. In this mode each sub-interface requires its own IP subnet, and each sub-interface is mapped to a unique DLCI.

In multipoint mode, a sub-interface can connect to multiple VCs. A single IP address can be mapped to multiple DLCIs. Usually this mode is used in the fully meshed network type, where every router is connected with all the other routers.

Key points

  • Before we create a sub-interface, we first need to set the encapsulation on the physical interface.
  • The physical interface needs to be enabled with the no shutdown command and must remain enabled at all times.
  • If we disable the physical interface, all associated sub-interfaces are disabled.
  • Since sub-interfaces use their own IP configuration, we cannot assign an IP address to the physical interface.

The following command creates a sub-interface from the serial interface.

Router(config-if)#interface serial 0/0/0.1 multipoint :- Since this sub-interface will connect to two sites, multipoint mode is used here.

Router(config-subif)#ip address 192.168.1.1 255.255.255.0 :- This command sets a common IP address for all VCs that we connect from this interface. As we know, in multipoint mode we are allowed to use a single IP subnet for multiple VCs. We use this IP address to connect with both sites (VCs).

The Frame Relay provider gives us the LMI option and the DLCI numbers. The LMI option is used to exchange management messages between the router and the Frame Relay switch, while the DLCI number is used to identify the other end of the VC. In our example the VC with DLCI number 100 is connected to R2 and the VC with DLCI number 101 is connected to R3. The router automatically maps each DLCI number to the correct VC; we only need to provide the DLCI numbers associated with the interface. The following commands do this job for this sub-interface.

Router(config-subif)#frame-relay interface-dlci 100

AND

Router(config-subif)#frame-relay interface-dlci 101

Since the default LMI type (Cisco) is used in this example, we need not configure it here.

On Job

If a Cisco router is running IOS version 11.2 or later, the interface will automatically detect the corresponding LMI type.

R1 has one more point-to-point connection. For that connection we need a separate sub-interface.
The following command creates another sub-interface, this time in point-to-point mode.

Router(config-subif)#interface serial 0/0/0.2 point-to-point

The following command assigns an IP address to the sub-interface.

Router(config-subif)#ip address 192.168.2.1 255.255.255.0

The next command assigns the associated DLCI number to it.

Router(config-subif)#frame-relay interface-dlci 102

Exam Tip

A point-to-point sub-interface maps a single DLCI and uses a separate IP subnet. It also avoids the split horizon issue.

That's all the configuration we need on this router. We can use the exit command to return
to global configuration mode, or to privileged exec mode (from global configuration mode).

We will configure R2 and R3 the same way.

Router – R2
Router>enable
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#encapsulation frame-relay
Router(config-if)#no shutdown
Router(config-if)#interface serial 0/0/0.1 multipoint
Router(config-subif)#ip address 192.168.1.2 255.255.255.0
Router(config-subif)#frame-relay interface-dlci 100
Router(config-subif)#frame-relay interface-dlci 101
Router(config-subif)#exit
Router(config)#exit
Router#
Router – R3
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface serial 0/0/0
Router(config-if)#encapsulation frame-relay
Router(config-if)#no shutdown
Router(config-if)#interface serial 0/0/0.1 multipoint
Router(config-subif)#ip address 192.168.1.3 255.255.255.0
Router(config-subif)#frame-relay interface-dlci 100
Router(config-subif)#frame-relay interface-dlci 101
Router(config-subif)#exit
Router(config)#exit
Router#

Router R4 has only one point-to-point link with R1. Since there is only one connection,
we can configure it on the physical interface or create a sub-interface as explained above; the choice is ours.

Router – R4
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 192.168.2.2 255.255.255.0
Router(config-if)#encapsulation frame-relay
Router(config-if)#frame-relay interface-dlci 100
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#exit
Router#

That's all the configuration we need to bring this Frame Relay network up.
We can test our implementation with the ping command. If everything is fine,
the routers should be able to reach the connected sites.

frame relay test implementation

You can use my configured topology to cross-check your work.

Download Frame Relay Example Practise LAB – Configured

Frame Relay configuration command sheet

Command :- Description
Router(config-if)#encapsulation frame-relay :- Enables Frame Relay encapsulation on the interface.
Router(config-if)#encapsulation frame-relay ietf :- Enables Frame Relay IETF encapsulation on the interface. Used when connecting with a non-Cisco router.
Router(config-if)#frame-relay lmi-type {ansi | cisco | q933a} :- Sets the LMI type. If the router is running Cisco IOS 11.2 or later this command is optional, as the router automatically detects the correct LMI type.
Router(config-if)#frame-relay interface-dlci 100 :- Assigns DLCI number 100 to the interface.
Router(config-if)#frame-relay map ip 192.168.100.1 110 broadcast :- Statically maps a remote IP address to a local DLCI. Without this command the mapping is done automatically by Inverse ARP. By default Frame Relay does not forward broadcast packets over a VC, so any routing protocol that depends on broadcasts will not work over Frame Relay; the broadcast keyword enables broadcast forwarding on this VC.
Router(config-if)#no frame-relay inverse-arp :- Turns off Inverse ARP. If Inverse ARP is turned off, remote IP addresses and local DLCIs must be mapped statically.
Router(config-if)#interface serial 0/0/0.1 point-to-point :- Creates a point-to-point sub-interface numbered 1.
Router#show frame-relay map :- Displays the IP/DLCI map entries.
Router#show frame-relay pvc :- Displays the status of all configured PVCs.
Router#show frame-relay lmi :- Displays LMI statistics, including the LMI type and exchanged messages.
Router#clear frame-relay counters :- Clears all Frame Relay counters.
Router#clear frame-relay inarp :- Resets the map table and clears all Inverse ARP entries.
Router#debug frame-relay lmi :- Enables debugging of LMI.
Router#no debug frame-relay lmi :- Disables debugging of LMI.

Prerequisites for 200-301

200-301 is a single exam, consisting of about 120 questions. It covers a wide range of topics, such as routing and switching, security, wireless networking, and even some programming concepts. As with other Cisco certifications, you can take it at any of the Pearson VUE certification centers.

The recommended training program that can be taken at a Cisco academy is called Implementing and Administering Cisco Solutions (CCNA). The successful completion of a training course will get you a training badge.


PPP Protocol and Encapsulation method Explained

This tutorial explains the basic concepts of PPP, PPP encapsulation, PPP authentication with PAP and CHAP, and how to configure PPP on a Cisco router step by step.

Overview of PPP Protocol

  • PPP was built in 1990 as an open standard protocol.
  • Since it is based on an open standard, it works with equipment from all vendors.
  • It works over asynchronous serial connections, synchronous serial connections, High-Speed Serial Interfaces (HSSI) and ISDN interfaces (BRI and PRI).
  • It provides dynamic addressing, authentication, callback and compression.
  • It can encapsulate multiple network layer protocols over the same link.
  • It can perform error detection, correction and link quality checking.
  • It can build a single logical connection over multiple physical connections.

This tutorial is the third part of our article "WAN Terminology Explained with Encapsulation Protocols and Methods". You can read the other parts of this article here.

WAN Tutorial – Basic WAN Switching Concept Explained

This tutorial is the first part of the article. This part explains basic WAN concepts, including terminology, encapsulation methods, switching concepts and encapsulation protocols, in detail with examples.

HDLC Protocol and Encapsulation method Explained

This tutorial is the second part of the article. This part explains HDLC (High-Level Data Link Control) protocol and encapsulation method in detail with examples including step by step configuration guide.

Basic Concepts of Frame Relay Explained in Easy Language

This tutorial is the fourth part of the article. This part explains basic concepts of Frame Relay such as LMI Types, DLCI, Access Rate, CIR rate, PVC, SVC and network type in easy language.

How to configure Frame Relay Step by Step Guide

This tutorial is the last part of the article. This part provides a step by step guide on how to configure Frame Relay on Cisco routers.

Basic concepts of PPP Protocol



PPP is built from three components: framing, LCP and NCP. In this section we will take a closer look at these components.

PPP Framing (Encapsulation)

PPP framing defines how network layer packets are encapsulated in a PPP frame. As we know, PPP can carry multiple layer 3 protocols
over a single link. To support multiple network layer protocols, PPP uses a Protocol Type field in its header. The following figure illustrates PPP framing.

ppp framing

LCP (Link Control Protocol)

This is the second component of PPP. PPP uses it to build and maintain data-link connections. It provides the following options:

Authentication:- LCP provides two types of authentication, PAP and CHAP (explained in the next section).

Compression:- Through compression LCP increases the overall data transmission speed while saving bandwidth at the same time. It compresses data at the sending end and decompresses it at the receiving end.

Error Detection:- LCP uses LQM (Link Quality Monitoring) to detect an interface that exceeds a threshold error percentage. Once a faulty interface is identified, LCP disables that interface and the traffic is rerouted over a better route.

Looped Link Detection:- LCP uses a magic number to detect a looped link. Once a looped link is detected, LCP disables that interface and the traffic is rerouted over the working link.

Multilink:- In this option multiple physical links are combined into a single logical connection at layer three. For example, if we have two 64 Kbps lines, this option can combine them so that they appear as a single 128 Kbps connection at layer 3.

Call Back:- In this option the remote router calls the calling router back. For example, suppose we have two routers, R1 and R2, with callback enabled. R1 connects with R2 and authenticates itself. Once the authentication process is complete, R2 terminates the connection and then re-initiates it from its side. This way R1 is charged only for the data used during the authentication process, while R2 is charged for the remaining data transmission.

NCP (Network Control Protocol)

This is the third component of PPP. PPP uses NCP (Network Control Protocol) to allow multiple network layer protocols (such as IPv4, IPv6 and IPX) to be used over a single point-to-point connection.

PPP is specified at the physical and data link layers only. Don't be confused by the NCP component: it is only used to carry multiple network layer protocols simultaneously across the single point-to-point link. PPP is neither specified as a layer 3 protocol nor does it work as a layer 3 (network layer) protocol.

PPP Authentication



PPP authentication is the method of identifying the remote device. Through authentication we can find out whether the remote party is genuine or an impostor. For example, suppose two routers (R1 and R2) are communicating over a serial link, and R1 has some data for R2. Before sending this data, R1 wants to be sure that the remote device claiming to be R2 is the real R2. In this case R1 initiates the authentication process, during which R2 proves its identity. PPP supports two authentication protocols: PAP and CHAP.

PAP (Password Authentication Protocol)

In this protocol the password is sent in clear text, which makes it less secure than CHAP. PAP authentication is a two-step process. In step one, the router that wants to be authenticated sends its username and password to the router that will authenticate it. In step two, if the username and password match, the remote router authenticates the originating router; otherwise the authentication process fails. The following figure illustrates this process in detail.

PPP PAP Authentication

In step one, R1 sends its username and password in clear text to R2, which will authenticate R1.

In step two, R2 matches the received username and password against the locally stored username and password. If both credentials match, R2 assumes that R1 is the real R1. R2 sends back an acknowledgment to R1 stating that it has passed the authentication process and that R2 is ready for data transmission.

PAP authentication is only performed upon initial link establishment. Once the link is established, no further authentication is done for that session. PAP sends the username and password in clear text. Username and password are case sensitive.

CHAP (Challenge Handshake Authentication Protocol)

CHAP is used at initial startup and, once the link is established, repeated authentications are performed to make sure that the router is still communicating with the same host. If any of these repeated authentications fails, the connection is terminated immediately. CHAP authentication is a three-step process.

Step 1

In the first step R1 (source) sends its username (without password) to R2 (destination).

Step 2

  • Routers running CHAP need to maintain a local authentication database. This database contains a list of all allowed hosts with their login credentials.
  • R2 scans this database to find out whether R1 is allowed to connect with it or not.
  • If no entry for a particular host is found in the database, that host is not allowed to connect, and the connection is terminated at this point.
  • A database entry for R1 (with password) confirms that R1 is allowed to connect. R1's password is picked up for the next step.
  • At this moment a random key is generated.
  • This random key, together with the password, is passed to the MD5 hashing function.
  • The MD5 hashing function produces a hashed value from the given input (random key + password).
  • This hashed value is known as the Challenge.
  • R2 sends this Challenge along with the random key back to R1.

Step 3

  • R1 receives the hashed value (Challenge) and the random key.
  • R1 passes the received random key and its locally stored password to the MD5 hashing function.
  • The MD5 hashing function produces a hashed value from the given input (random key + password).
  • R1 now compares this locally generated hashed value with the hashed value received from R2.
  • If the two hashed values do not match, the process is terminated and the connection is rejected.
  • If the two hashed values (locally generated and received) match, R1 concludes that the password used by the remote router (R2) must be the same as its own. Thus R2 is the real R2 and permission for this connection can be granted.
  • R1 informs R2 of the authentication result with an Accepted or Rejected acknowledgement.

ppp authentication chap example

CHAP uses a one-way hash algorithm (MD5) to generate the hashed value. This hashed value is valid only once, so a copy of it taken from the wire cannot be replayed later. In CHAP authentication the actual password is never sent across the link, so anybody tapping the wire cannot reverse the hash to learn the original password.

CHAP uses a three-way handshake to perform the authentication. The actual password is never sent across the link. CHAP authenticates with a hashed value generated by the MD5 hash function from the locally stored password and a random key, and this hashed value is valid only once.
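As an added example (not code from this tutorial), the CHAP exchange described above modelled in Python, with a PAP request for contrast. It follows the RFC 1994 message layout, in which the peer (R1) returns MD5 over the CHAP identifier, the shared secret and the random challenge, and the challenging router (R2) verifies it against its local username database; the hostnames, the secret test and the 16-byte challenge length are constructed values chosen to match this page's example.

```python
import hashlib
import hmac
import secrets

# Constructed demo values: each router in the page's example is configured with
# "username <remote hostname> password test", so R2's local database maps R1 -> test.
R2_LOCAL_DB = {"R1": b"test"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: MD5 over (identifier || secret || challenge), as RFC 1994 defines.

    Only this 16-byte digest crosses the link; the secret itself never does.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Models R2, the side that sends the CHALLENGE and verifies the RESPONSE."""

    def __init__(self, local_db: dict):
        self.local_db = local_db      # remote hostname -> shared secret (case sensitive)
        self.identifier = 0           # one-byte CHAP identifier, changes per challenge
        self.outstanding = {}         # identifier -> challenge still awaiting a response

    def challenge(self) -> tuple:
        """Issue a fresh random challenge; the new identifier ties the response to it."""
        self.identifier = (self.identifier + 1) % 256
        value = secrets.token_bytes(16)          # constructed 16-byte challenge
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def check(self, identifier: int, peer_name: str, response: bytes) -> str:
        """Verify a RESPONSE; returns "SUCCESS" or "FAILURE" like the CHAP packets."""
        challenge = self.outstanding.pop(identifier, None)   # each challenge is usable once
        secret = self.local_db.get(peer_name)                # unknown hostname -> no entry
        if challenge is None or secret is None:
            return "FAILURE"
        expected = chap_response(identifier, secret, challenge)
        # Constant-time comparison so timing does not leak digest bytes.
        return "SUCCESS" if hmac.compare_digest(expected, response) else "FAILURE"


def run_handshake(authenticator: ChapAuthenticator, peer_name: str, peer_secret: bytes) -> str:
    """Full three-way exchange: CHALLENGE -> RESPONSE -> SUCCESS/FAILURE."""
    identifier, challenge = authenticator.challenge()                 # R2 -> R1
    response = chap_response(identifier, peer_secret, challenge)      # R1 -> R2
    return authenticator.check(identifier, peer_name, response)       # R2 -> R1


def pap_request(peer_id: str, password: str) -> bytes:
    """For contrast: the body of a PAP Authenticate-Request (RFC 1334) is the
    length-prefixed peer id followed by the length-prefixed password, in clear."""
    pid, pwd = peer_id.encode(), password.encode()
    return bytes([len(pid)]) + pid + bytes([len(pwd)]) + pwd


if __name__ == "__main__":
    r2 = ChapAuthenticator(R2_LOCAL_DB)
    print("correct secret :", run_handshake(r2, "R1", b"test"))   # SUCCESS
    print("wrong case     :", run_handshake(r2, "R1", b"Test"))   # FAILURE (case sensitive)
    print("unknown peer   :", run_handshake(r2, "R3", b"test"))   # FAILURE (no database entry)
    print("PAP on the wire:", pap_request("R1", "test"))          # password visible in clear
```

Replaying a captured RESPONSE against a later CHALLENGE fails, because the challenge and identifier differ each time; that is the one-time property the text describes.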

Differences between PAP and CHAP authentication protocols

  • Steps: PAP performs authentication in two steps; CHAP performs it in three steps.
  • What crosses the link: with PAP both the username and the password are sent across the link; with CHAP only the username is sent.
  • Password exposure: PAP sends the actual password; CHAP never sends the actual password across the link.
  • Password format: PAP sends the password in clear text; CHAP sends a hash of the password and a random key produced by the MD5 hash function.
  • Security: PAP is the less secure protocol, since anyone tapping the wire can learn the password. CHAP is the more secure one; since the actual password never crosses the wire, it cannot be learned by wire-tapping.
  • When performed: PAP authentication is performed only at initial link establishment. CHAP authentication is performed at initial startup and, if required, at any time during the session.

Configure PPP Protocol on Cisco Router

Configuring PPP encapsulation is simple and straightforward. The following command is used to configure PPP encapsulation.

Router(config-if)# encapsulation ppp

Let’s understand this process in detail with following example.

wan ppp protocol example

In the above network two routers are connected with each other via a serial link. The serial interfaces on both routers have the following basic configuration.

R1
Router>enable
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.252
Router(config-if)#clock rate 64000
Router(config-if)#bandwidth 64
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#
R2
Router>enable
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 192.168.1.2 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#

At this time both routers are running the default encapsulation on their serial interfaces. HDLC is the default encapsulation protocol on Cisco routers. I have already explained HDLC in detail with an example in the second part of this article.

Okay, let's change the default encapsulation to PPP with the following commands.

R1
Router(config)#interface serial 0/0/0
Router(config-if)# encapsulation ppp
Router(config-if)#exit
Router(config)#
R2
Router(config)#interface serial 0/0/0
Router(config-if)# encapsulation ppp
Router(config-if)#exit
Router(config)#

Router(config)#interface serial 0/0/0 :- This command enters serial interface configuration mode. Encapsulation is interface specific: we can use different encapsulation protocols on different interfaces. For example, we can use PPP on serial 0/0/0 and HDLC on serial 0/0/1.

Router(config-if)# encapsulation ppp :- This command sets the encapsulation protocol to PPP.

Router(config-if)#exit :- This command returns to global configuration mode.

Router(config)# :- This prompt indicates that we are in global configuration mode.

Configure PPP Authentication

PPP authentication requires two essential parameters:

  1. Unique hostname of local router
  2. Username and password of remote router

Hostname of local router

To set the hostname we use the hostname global configuration command. Let's assign a unique hostname to each of our routers.

R1
Router(config)#hostname R1
R1(config)#
R2
Router(config)#hostname R2
R2(config)#

Username and password of remote router

To set the username and password for the remote router, the following global configuration mode command is used:

Router(config)# username remote_hostname password matching_password

The username is the hostname of the remote router that will connect with this router.
Hostname and password are case sensitive. The router stores the password in clear text, where it can be viewed with the
show running-config command.

WAN PPP authentication

Let's set the username and password in our example.

R1
R1(config)#username R2 password test
R1(config)#
R2
R2(config)#username R1 password test
R2(config)#

Passwords assigned through the username [hostname of remote device] password [password]
command are saved in the running configuration in clear text and can be viewed
with the show run command. To obscure them, use the service password-encryption command from global configuration mode; note that this applies only the reversible type 7 encoding, so it hides the password from casual viewing but does not protect it from anyone who can read the configuration.
Username and password are case sensitive. The username is the hostname of the remote router that will connect with this router.
The remote router must also be configured with a username and password, and the password must be the same on both routers.

PPP Protocol PAP Authentication

To configure PAP authentication, use the following commands on both routers.

R1
R1(config)#interface serial 0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication pap
R1(config-if)#exit
R1(config)#
R2
R2(config)#interface serial 0/0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication pap
R2(config-if)#exit
R2(config)#

PPP Protocol CHAP Authentication

To configure CHAP authentication, use the following commands on both routers.

R1
R1(config)#interface serial 0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication chap
R1(config-if)#exit
R1(config)#
R2
R2(config)#interface serial 0/0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication chap
R2(config-if)#exit
R2(config)#

Configure Both CHAP and PAP in same link

To configure both CHAP and PAP on the same link, use the following commands on both routers.

R1
R1(config)#interface serial 0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication chap pap
R1(config-if)#exit
R1(config)#
R2
R2(config)#interface serial 0/0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication chap pap
R2(config-if)#exit
R2(config)#

If we use both methods on the same link as shown above, only the first listed method is used in the authentication process.
The second method is used only if the first method fails, so it works as a backup method.

Verifying PPP Protocol implementation

We can use the show interface [interface] command to verify the PPP implementation.

R1#show interface serial 0/0/0
Serial0/0/0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 192.168.1.1/30
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set, keepalive set
[Output omitted]

As the output indicates, encapsulation is set to PPP on this interface.

Troubleshooting / Debugging PPP Authentication

In this last section I will discuss some essential troubleshooting steps for PPP. When something goes wrong,
we should start debugging from the output of the show interface [interface] command.

The first line of the output provides some clues about the possible issue.

Line status / Protocol status :- Possible reason :- Possible solution
Administratively down / Down :- The interface is shut down. :- Use the no shutdown command in interface configuration mode.
Down / Down :- Physical layer issue. :- Check the cable, connector and other connecting devices.
Up / Down :- Data link layer issue. :- Check the configuration.

ppp lcp closed

In the above example it is "Serial 0/0/0 is up, line protocol is down", which indicates that the physical
layer is working properly but there is some issue in the data link layer configuration.

Next, notice the states of LCP, IPCP and CDPCP. A Closed state for these indicates that something is wrong with the LCP setup process, causing the data link layer to fail. In the rest of this tutorial I will explain some common causes of data link failure.

Mismatched WAN Encapsulation

On a point-to-point link the encapsulation method at both ends must be the same, otherwise the link will never come up.
This problem is easy to find and fix: the show interfaces [interface] command lists the encapsulation type.

mismatched wan encapsulation

Once you identify the problem it can be fixed easily: simply reconfigure one end's interface to match the other end's encapsulation method.

Mismatched IP configuration

This problem is not directly associated with PPP configuration, but it can be a tricky exam question.
This problem cannot be spotted from the show interface [interface] command, as the output of this
command shows "Serial 0/0/0 is up, line protocol is up", which makes you assume that everything is
fine and operational at the interface level. But when you try to ping the remote router, the ping fails.
This is because PPP, HDLC and Frame Relay are layer 2 protocols and they don't care about the layer 3 configuration
(IP configuration). So even though the link is up, you cannot transfer IP packets.

mismatched ip configuration

To fix this problem, configure IP addresses at both ends from the same subnet.

Debug PPP Authentication

To determine whether the issue is related to PPP authentication or not, we can use the debug ppp authentication command.
If PPP encapsulation and authentication are set up correctly, this command displays output like this:

R1# debug ppp authentication
PPP authentication debugging is on
R1#
R1: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
R1: Se0/0/0 PPP: Using default call direction
R1: Se0/0/0 PPP: Treating connection as a dedicated line
R1: Se0/0/0 PPP: Session handle[45004] Session id[12]
R1: Se0/0/0 CHAP: O CHALLENGE id 5 len 23 from "R1"
R1: Se0/0/0 CHAP: I CHALLENGE id 5 len 23 from "R2"
R1: Se0/0/0 PPP: Sent CHAP SENDAUTH Request
R1: Se0/0/0 CHAP: I RESPONSE id 5 len 23 from "R2"
R1: Se0/0/0 PPP: Received SENDAUTH Response PASS
R1: Se0/0/0 CHAP: Using hostname from configured hostname
R1: Se0/0/0 CHAP: Using password from AAA
R1: Se0/0/0 CHAP: O RESPONSE id 5 len 23 from "R1"
R1: Se0/0/0 PPP: Sent CHAP LOGIN Request
R1: Se0/0/0 PPP: Received LOGIN Response PASS
R1: Se0/0/0 CHAP: O SUCCESS id 5 len 4
R1: Se0/0/0 CHAP: I SUCCESS id 5 len 4

But if something goes wrong during the authentication process, the output looks like this:

R1# debug ppp authentication
PPP authentication debugging is on
! Lines omitted for brevity
R1: Se0/0/0 CHAP: O CHALLENGE id 1 len 23 from "R1"
R1: Se0/0/0 CHAP: I RESPONSE id 1 len 23 from "R2"
R1: Se0/0/0 CHAP: O FAILURE id 1 len 25 msg is "Authentication failed"

If the username and password are not configured exactly as they should be, authentication fails.

ppp username password configuration

To fix this problem, configure the username and password correctly. Remember that both are case sensitive.

Another thing you should check is the authentication type, which must be the same at both ends. If you configure one end to use PAP and the other end to use CHAP, the link will never work.

ppp authentication wrong protocol

To fix this problem change authentication type in one end to match with other end.
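As an added example (not part of the original tutorial), the checks from this troubleshooting section expressed as a small Python classifier. The show interfaces and debug ppp authentication text is constructed to match the excerpts on this page, and the classifier applies the line-status table above plus the encapsulation, IP subnet and authentication checks to both ends of a link.

```python
import ipaddress
import re

# Constructed sample outputs, modelled on the show interfaces and
# debug ppp authentication excerpts on this page (not real captures).
R1_SHOW_INT = """Serial0/0/0 is up, line protocol is down
  Hardware is HD64570
  Internet address is 192.168.1.1/30
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec,
  Encapsulation PPP, loopback not set, keepalive set"""

R2_SHOW_INT = """Serial0/0/0 is up, line protocol is down
  Hardware is HD64570
  Internet address is 192.168.1.2/30
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)"""

R1_DEBUG_AUTH = (
    'R1: Se0/0/0 CHAP: O CHALLENGE id 1 len 23 from "R1"\n'
    'R1: Se0/0/0 CHAP: I RESPONSE id 1 len 23 from "R2"\n'
    'R1: Se0/0/0 CHAP: O FAILURE id 1 len 25 msg is "Authentication failed"\n'
)

# First line of show interfaces: "<intf> is <line status>, line protocol is <status>"
STATUS_RE = re.compile(
    r"^(?P<intf>\S+) is (?P<line>administratively down|up|down), "
    r"line protocol is (?P<proto>up|down)"
)


def parse_show_interface(text: str) -> dict:
    """Extract the fields the troubleshooting table above relies on."""
    lines = text.strip().splitlines()
    m = STATUS_RE.match(lines[0])
    if m is None:
        raise ValueError("unrecognised status line: " + lines[0])
    info = {"interface": m["intf"], "line": m["line"], "protocol": m["proto"],
            "ip": None, "encapsulation": None}
    for line in lines[1:]:
        line = line.strip()
        if line.startswith("Internet address is "):
            info["ip"] = line.split()[-1]                         # e.g. 192.168.1.1/30
        elif line.startswith("Encapsulation "):
            info["encapsulation"] = line.split()[1].rstrip(",")   # e.g. PPP
    return info


def classify_status(info: dict) -> str:
    """Map the first line of show interfaces to the layer the table blames."""
    if info["line"] == "administratively down":
        return "shutdown: issue no shutdown in interface configuration mode"
    if info["line"] == "down":
        return "physical layer: check cable, connector and connected devices"
    if info["protocol"] == "down":
        return "data link layer: check encapsulation and authentication"
    return "up/up: if ping still fails, check the layer 3 (IP) configuration"


def diagnose_link(local_text: str, remote_text: str, debug_text: str = "") -> list:
    """Compare both ends of a point-to-point link and list the likely causes."""
    local = parse_show_interface(local_text)
    remote = parse_show_interface(remote_text)
    findings = [classify_status(local)]
    # Mismatched WAN encapsulation: both ends must run the same layer 2 protocol.
    if (local["encapsulation"] and remote["encapsulation"]
            and local["encapsulation"] != remote["encapsulation"]):
        findings.append("encapsulation mismatch: %s vs %s"
                        % (local["encapsulation"], remote["encapsulation"]))
    # Mismatched IP configuration: link may be up/up yet ping fails across subnets.
    if local["ip"] and remote["ip"]:
        a = ipaddress.ip_interface(local["ip"])
        b = ipaddress.ip_interface(remote["ip"])
        if a.network != b.network:
            findings.append("ip subnet mismatch: %s vs %s" % (a.network, b.network))
    # Authentication failure as reported by debug ppp authentication.
    if re.search(r'O FAILURE .*"Authentication failed"', debug_text):
        findings.append("authentication failed: check username/password (case sensitive) "
                        "and that both ends use the same method (PAP or CHAP)")
    return findings


if __name__ == "__main__":
    for finding in diagnose_link(R1_SHOW_INT, R2_SHOW_INT, R1_DEBUG_AUTH):
        print("-", finding)
```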

That's all for this part. In the next part I will explain the basic concepts of Frame Relay in detail with examples.


HDLC Protocol and Encapsulation method Explained

This tutorial explains how to configure, verify and troubleshoot the HDLC protocol step by step with examples. Learn the fundamental concepts of HDLC encapsulation, how the HDLC protocol works, the HDLC frame and the types of HDLC protocol (ISO HDLC and Cisco HDLC) in detail.

Basic of HDLC

HDLC is a layer two protocol that provides an encapsulation method for serial links. Serial links and Ethernet links use different encapsulation methods for data transmission: a serial link cannot carry a frame formatted with Ethernet encapsulation, and an Ethernet link cannot carry a frame formatted with serial encapsulation. Ethernet encapsulation methods and protocols are specified in LAN technology, while serial protocols and encapsulation methods are primarily described in WAN technology. A router is used to connect the two technologies. HDLC is an encapsulation method for serial links.

How HDLC Protocol works

Let's understand this process with a simple example.

  • Suppose PC0 has some data for PC1, so it generates a data packet.
  • Since PC1 is not connected to the local LAN segment, the network layer of PC0 encapsulates the data packet using the default gateway's IP address.
  • The data link layer of PC0 wraps this IP packet in an 802.3 header and trailer. Once wrapped, it becomes a frame.
  • The physical layer of PC0 puts this frame on the wire.
  • Through the switch this frame is received by router R0.
  • The router de-encapsulates the frame into a packet to find the layer 3 destination address.
  • Since the destination address is reachable via the serial link, the router forwards this packet to the serial interface.
  • The serial interface re-encapsulates the packet with the serial encapsulation protocol; in our example it is HDLC.
  • After re-encapsulation this frame is forwarded out of the serial interface.
  • This frame is received on the serial interface of router R1.
  • R1 de-encapsulates the frame into a packet to find the layer 3 destination address.
  • Since the destination address is reachable via FastEthernet, it forwards this packet to the FastEthernet interface.
  • The FastEthernet interface re-encapsulates the packet in an Ethernet frame.
  • After re-encapsulation this frame is forwarded out of the FastEthernet interface.
  • Through the switch this frame is received by PC1.
  • PC1 receives this frame in exactly the same format as it was packed by PC0, without knowing how it made its way there.



The following figure illustrates the above process.

WAN HDLC Encapsulation Example

This tutorial is the second part of our article "WAN Terminology Explained with Encapsulation Protocols and Methods". You can read the other parts of this article here.

WAN Tutorial – Basic WAN Switching Concept Explained

This tutorial is the first part of the article. This part explains basic WAN concepts, including terminology, encapsulation methods, switching concepts and encapsulation protocols, in detail with examples.

PPP Protocol and Encapsulation method Explained

This tutorial is the third part of the article. This part explains PPP (Point to Point) protocol and encapsulation method in detail with examples including step by step configuration guide.

Basic Concepts of Frame Relay Explained in Easy Language

This tutorial is the fourth part of the article. This part explains basic concepts of Frame Relay such as LMI Types, DLCI, Access Rate, CIR rate, PVC, SVC and network type in easy language.

How to configure Frame Relay Step by Step Guide

This tutorial is the last part of the article. This part provides a step by step guide on how to configure Frame Relay on Cisco routers.

Types of HDLC Protocol



The HDLC protocol was developed by ISO (International Organization for Standardization), the same organization that developed the OSI model. It specifies a data encapsulation method for serial links using frame characters and checksums.

It was basically developed for point-to-point leased lines, where only two points exist: one sending and one receiving. Once an HDLC frame leaves the sending point it has only one place to go, the other end of the link (the receiving point).

WAN HDLC Protocol

When we have only a point-to-point connection between source and destination, there is no need to attach network layer information to the frame header every time; frames will go where they should go. This way the network can save a lot of time and resources. HDLC was built on this concept: it has no field for network layer information in its header.

WAN IOS HDLC Frame

Since it has no separate field for network layer protocol information, it cannot carry multiple network layer protocols across the link; it can carry only a single network layer protocol. So basically you can use ISO HDLC on a point-to-point link where only a single network layer protocol is used to transport the data.

A Type field is used to carry information about multiple network layer protocols. If we need to carry multiple network layer protocols, we have to insert a Type field in the frame header. For this reason every vendor that wanted to use HDLC in a multi-protocol environment had to insert a Type field in the frame header. Due to this modification HDLC became a vendor-proprietary protocol, which means one vendor's HDLC will not work with another's. By the same logic, Cisco's HDLC will not work with other vendors' HDLC. So if you want to use Cisco's HDLC, buy all devices from Cisco, or use an open standard encapsulation method such as PPP.

Configure HDLC in Cisco Router

HDLC is the default encapsulation method on Cisco routers. Unless we have changed it to another encapsulation method, there is no need to configure it; it is already configured. Suppose we have changed the default encapsulation method to another one, such as PPP, and now want to use HDLC again. Then we have to go through the following two steps.

Access serial interface

Protocols and encapsulation methods are interface specific. We can use different protocols and encapsulation methods on different interfaces. For example, if we have two serial interfaces, we can use HDLC on one and PPP on the other. So our first logical step is to access the correct serial interface.

Suppose we want to change the encapsulation method of serial interface Serial 0/0/0. We will use the following commands to access the serial interface:

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface serial 0/0/0
Router(config-if)#

Set encapsulation

Now that we are in serial interface configuration mode, use the following command to set the encapsulation method to HDLC:

Router(config-if)#encapsulation hdlc
Router(config-if)#exit
Router(config)#

That's all we need to do. HDLC encapsulation is now enabled on serial interface Serial 0/0/0.

How to verify HDLC encapsulation

Since HDLC is the default encapsulation method for serial interfaces on Cisco routers, it will not be listed in the running configuration. This means we cannot use the show running-config command to verify HDLC encapsulation. We have to use the show interfaces [Interface] command to view the encapsulation type of an interface.

Router#show interfaces serial 0/0/0
Serial0/0/0 is administratively down, line protocol is down (disabled)
  Hardware is HD64570
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never

As the output indicates, the encapsulation type is HDLC.

Troubleshooting HDLC encapsulation

We can use the show ip interface brief and show interfaces [interface] commands to view the status of a serial interface.

show ip interface brief

If there is some issue with the HDLC implementation, the protocol status will be down. There are three possible reasons:

  1. The remote side router is a non-Cisco router.
  2. The remote side is using another protocol such as PPP.
  3. The DCE device is not providing a clock rate to the DTE device.

Key points
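
The check described above can be automated. The following Python script is an added example, not part of the original tutorial: it parses the output of show ip interface brief and show interfaces (the sample outputs below are constructed for this example, not captured from the lab on this page), reports the encapsulation configured on each serial interface, and flags the symptom the three reasons above share, namely a serial interface whose status is up while its line protocol is down.

```python
"""Added example: flag serial interfaces whose line protocol is down and
report the encapsulation in use, from IOS show-command output.
The sample outputs are constructed for this example (not from the page's lab)."""
import re

# Constructed sample of "show ip interface brief" (not from the page's lab)
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.0.0.1        YES manual up                    up
Serial0/0/0            192.168.1.1     YES manual up                    down
Serial0/0/1            192.168.2.1     YES manual administratively down down
"""

# Constructed sample of "show interfaces" (not from the page's lab)
SHOW_INTERFACES = """\
Serial0/0/0 is up, line protocol is down
  Hardware is HD64570
  Internet address is 192.168.1.1/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
Serial0/0/1 is administratively down, line protocol is down
  Hardware is HD64570
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
"""


def parse_ip_int_brief(text):
    """Return {interface: (status, protocol)} from 'show ip interface brief'.

    The Status column may contain spaces ("administratively down"), so the
    protocol is taken as the last word and status as whatever sits between
    the Method column and that last word."""
    result = {}
    for line in text.splitlines()[1:]:          # skip the header row
        if not line.strip():
            continue
        m = re.match(r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(\S+)$", line)
        if m:
            result[m.group(1)] = (m.group(5).strip(), m.group(6))
    return result


def parse_encapsulation(text):
    """Return {interface: encapsulation} from 'show interfaces' output.

    An interface block starts with a line such as 'Serial0/0/0 is up, ...';
    the 'Encapsulation XXX,' line inside the block gives the method."""
    result = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^(\S+) is ", line)      # block header (no indentation)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*Encapsulation (\S+),", line)
        if m and current:
            result[current] = m.group(1)
    return result


def serial_links_with_protocol_down(brief, encaps):
    """Serial interfaces that are physically up but whose line protocol is
    down: the symptom the tutorial attributes to a non-Cisco peer, a
    mismatched encapsulation, or a missing clock rate on the DCE side.
    Returns a list of (interface, encapsulation) pairs."""
    findings = []
    for name, (status, proto) in brief.items():
        if name.startswith("Serial") and status == "up" and proto == "down":
            findings.append((name, encaps.get(name, "unknown")))
    return findings


if __name__ == "__main__":
    brief = parse_ip_int_brief(SHOW_IP_INT_BRIEF)
    encaps = parse_encapsulation(SHOW_INTERFACES)
    for name, enc in serial_links_with_protocol_down(brief, encaps):
        print(f"{name}: line protocol down, encapsulation {enc}; "
              "check peer encapsulation, vendor and DCE clock rate")
```

Administratively down interfaces are deliberately not reported, since a line protocol that is down because the interface is shut down says nothing about HDLC. In the constructed sample only Serial0/0/0 is flagged, and its PPP encapsulation is the first thing to compare with the remote side.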
  • HDLC does not provide any kind of authentication.
  • HDLC is a byte oriented protocol. In byte oriented protocols, control information is encoded using entire bytes.
  • The HDLC protocol was developed by ISO for point-to-point links where a single network layer protocol is used to transport the data.
  • ISO's HDLC does not have a Type field in its header.
  • ISO's HDLC supports only a single network layer protocol.
  • The Type field is used to carry multiple network layer protocols.
  • Vendors need to insert a Type field in the HDLC frame header.
  • Once a Type field is inserted, HDLC becomes a proprietary protocol.
  • A proprietary HDLC protocol will not work with another vendor's HDLC.
  • HDLC is the default encapsulation method on Cisco routers.

That's all for this part. In the next part I will explain the PPP protocol and encapsulation method in detail with examples.

Prerequisites for 200-301

200-301 is a single exam, consisting of about 120 questions. It covers a wide range of topics, such as routing and switching, security, wireless networking, and even some programming concepts. As with other Cisco certifications, you can take it at any of the Pearson VUE certification centers.

The recommended training program that can be taken at a Cisco academy is called Implementing and Administering Cisco Solutions (CCNA). The successful completion of a training course will get you a training badge.

Full Version 200-301 Dumps

Try 200-301 Dumps Demo


Types of Wireless Network Explained with Standards

This tutorial explains Wireless Network types (WLANS, WPANS, WMANS and WWANS) and Wireless network terminology (Ad hoc mode, Infrastructure mode, BSS, ESS, BSA, SSID, WEP, EAP, WPA, WPA2, Infrared, Bluetooth, FHSS, DSSS, OFDM, MIMO, RF, Omni directional, 802.11g, 802.11a and 802.11h) in detail.

A wireless network enables people to communicate and access applications and information without wires. This provides freedom of movement and the ability to extend applications to different parts of a building, city, or nearly anywhere in the world. Wireless networks allow people to interact with e-mail or browse the Internet from a location that they prefer.

Many types of wireless communication systems exist, but a distinguishing attribute of a wireless network is that communication takes place between computer devices. These devices include personal digital assistants (PDAs), laptops, personal computers (PCs), servers, and printers. Computer devices have processors, memory, and a means of interfacing with a particular type of network. Traditional cell phones don't fall within the definition of a computer device; however, newer phones and even audio headsets are beginning to incorporate computing power and network adapters. Eventually, most electronics will offer wireless network connections.

As with networks based on wire or optical fiber, wireless networks convey information between computer devices. The information can take the form of e-mail messages, web pages, database records, streaming video or voice. In most cases, wireless networks transfer data such as e-mail messages and files, but advancements in the performance of wireless networks are enabling support for video and voice communications as well.

Types of Wireless Networks

WLANS: Wireless Local Area Networks

WLANS allow users in a local area, such as a university campus or library, to form a network or gain access to the internet. A temporary network can be formed by a small number of users without the need for an access point, provided that they do not need access to network resources.

WPANS: Wireless Personal Area Networks

The two current technologies for wireless personal area networks are Infra Red (IR) and Bluetooth (IEEE 802.15). These allow the connectivity of personal devices within an area of about 30 feet. However, IR requires a direct line of sight and its range is shorter.

WMANS: Wireless Metropolitan Area Networks

This technology allows the connection of multiple networks in a metropolitan area such as different buildings in a city, which can be an alternative or backup to laying copper or fiber cabling.

WWANS: Wireless Wide Area Networks

These types of networks can be maintained over large areas, such as cities or countries, via multiple satellite systems or antenna sites looked after by an ISP. These types of systems are referred to as 2G (2nd Generation) systems.

Comparison of Wireless Network Types

Type | Coverage | Performance | Standards | Applications
Wireless PAN | Within reach of a person | Moderate | Bluetooth, IEEE 802.15, and IrDa | Cable replacement for peripherals
Wireless LAN | Within a building or campus | High | IEEE 802.11, Wi-Fi, and HiperLAN | Mobile extension of wired networks
Wireless MAN | Within a city | High | Proprietary, IEEE 802.16, and WIMAX | Fixed wireless between homes and businesses and the Internet
Wireless WAN | Worldwide | Low | CDPD and Cellular 2G, 2.5G, and 3G | Mobile access to the Internet from outdoor areas

Wireless Networking

Wireless networking is the new face of networking. Wireless networking has been around for many years. Cell phones are also a type of wireless communication and are popular today for people talking to each other worldwide.
Wireless networks are not only less expensive than traditional wired networks but also much easier to install. An important goal of this site is to provide you with adequate knowledge for installing a wireless network and for getting certified in wireless networks as well.

Wireless Networking

Perhaps you are already using wireless networking in your local coffee shop, at the airport, or in hotel lobbies, and you want to set up a small office or home network. You already know how great wireless networking is, so you want to enjoy the benefits where you live and work. It is truly transformational to one's lifestyle to decouple computing from the wires! If you are looking to set up a wireless network, you've come to the right place. We will show you the best way to set up a wireless network easily. Many people are looking to find out how to use wireless networking at home.

In this wireless networking section we provide an Absolute Beginner's Guide in the perfect format for easily learning what you need to know to get up to speed with wireless networks without wasting a lot of time.
The organization of this site, and the special elements that we have described in this section, will help you get the information you need quickly, accurately, and with clarity. In this section you will find inspiration as well as practical information. We believe that wireless networking is a modest technology that has the power to have a huge and positive impact. This is wonderful material, and it's lots of fun! So what are you waiting for? It's time to go for wireless networking.

Wireless Basic



Radio Frequency Transmission Factors

Radio frequencies (RF) are generated by antennas that propagate the waves into the air. Antennas fall under two different categories: directional and omni-directional.

Directional antennas are commonly used in point-to-point configurations (connecting two distant buildings), and sometimes point-to-multipoint (connecting two WLANs). An example of a directional antenna is a Yagi antenna: this antenna allows you to adjust the direction and focus of the signal to intensify your range/reach.

Omni-directional antennas are used in point-to-multipoint configurations, where they distribute the wireless signal to other computers or devices in your WLAN. An access point would use an omni-directional antenna. These antennas can also be used for point-to-point connections, but they lack the distance that directional antennas supply.

Three main factors influence signal distortion:

  • Absorption: objects that absorb the RF waves, such as walls, ceilings, and floors
  • Scattering: objects that disperse the RF waves, such as rough plaster on a wall, carpet on the floor, or drop-down ceiling tiles
  • Reflection: objects that reflect the RF waves, such as metal and glass

Responsible body

The International Telecommunication Union-Radio Communication Sector (ITU-R) is responsible for managing the radio frequency (RF) spectrum and satellite orbits for wireless communications: its main purpose is to provide for cooperation and coexistence of standards and implementations across country boundaries.

Two standards bodies are primarily responsible for implementing WLANs:

  • IEEE defines the mechanical process of how WLANs are implemented in the 802.11 standards so that vendors can create compatible products.
  • The Wi-Fi Alliance basically certifies companies by ensuring that their products follow the 802.11 standards, thus allowing customers to buy WLAN products from different vendors without having to be concerned about compatibility issues.

Frequency bands

WLANs use three unlicensed bands:

  • 900 MHz: used by older cordless phones
  • 2.4 GHz: used by newer cordless phones, WLANs, Bluetooth, microwaves, and other devices
  • 5 GHz: used by the newest models of cordless phones and WLAN devices

The 900 MHz and 2.4 GHz frequencies are referred to as the Industrial, Scientific, and Medical (ISM) bands; the 5 GHz frequency is the Unlicensed National Information Infrastructure (UNII) band. Unlicensed bands are still regulated by governments, which might define restrictions on their usage.

A hertz (Hz) is a unit of frequency that measures the change in a state or cycle in a wave (sound or radio) or alternating current (electricity) during 1 second.

Transmission Method

Direct Sequence Spread Spectrum (DSSS) uses one channel to send data across all frequencies within that channel. Complementary Code Keying (CCK) is a method for encoding transmissions for higher data rates, such as 5.5 and 11 Mbps, but it still allows backward compatibility with the original 802.11 standard, which supports only 1 and 2 Mbps speeds. 802.11b and 802.11g support this transmission method.

OFDM (Orthogonal Frequency Division Multiplexing) increases data rates by using spread-spectrum modulation. 802.11a and 802.11g support this transmission method.

MIMO (Multiple Input Multiple Output) is a transmission method that uses DSSS and/or OFDM, spreading its signal across 14 overlapping channels at 5 MHz intervals. 802.11n uses it. Use of 802.11n requires multiple antennas.

WLAN Standards

Standard | 802.11a | 802.11b | 802.11g | 802.11n
Data Rate | 54 Mbps | 11 Mbps | 54 Mbps | 248 Mbps (with 2×2 antennas)
Throughput | 23 Mbps | 4.3 Mbps | 19 Mbps | 74 Mbps
Frequency | 5 GHz | 2.4 GHz | 2.4 GHz | 2.4 and/or 5 GHz
Compatibility | None | With 802.11g and the original 802.11 | With 802.11b | 802.11a, b, and g
Range (meters) | 35–120 | 38–140 | 38–140 | 70–250
Number of Channels | 3 | Up to 23 | 3 | 14
Transmission | OFDM | DSSS | DSSS/OFDM | MIMO

Two 802.11 access modes can be used in a WLAN:

  • Ad hoc mode
  • Infrastructure mode

Ad hoc mode is based on the Independent Basic Service Set (IBSS). In an IBSS, clients set up connections directly to other clients without an intermediate AP. This allows you to set up peer-to-peer network connections and is sometimes used in a SOHO. The main problem with ad hoc mode is that it is difficult to secure, since each device you need to connect to will require authentication. This problem, in turn, creates scalability issues.

Infrastructure mode was designed to deal with security and scalability issues. In infrastructure mode, wireless clients can communicate with each other, albeit via an AP. Two infrastructure mode implementations are in use:

  • Basic Service Set (BSS)
  • Extended Service Set (ESS)

In BSS mode, clients connect to an AP, which allows them to communicate with other clients or LAN-based resources. The WLAN is identified by a single SSID; however, each AP requires a unique ID, called a Basic Service Set Identifier (BSSID), which is the MAC address of the AP's wireless card. This mode is commonly used for wireless clients that don't roam, such as PCs.

In ESS mode, two or more BSSs are interconnected to allow for larger roaming distances. To make this as transparent as possible to the clients, such as PDAs, laptops, or mobile phones, a single SSID is used among all of the APs. Each AP, however, will have a unique BSSID.

Coverage Areas

A WLAN coverage area includes the physical area in which the RF signal can be sent and received. Two types of WLAN coverage are based on the two infrastructure mode implementations:

  • Basic Service Area (BSA)
  • Extended Service Area (ESA)

The terms BSS and BSA, and ESS and ESA, can be confusing. BSS and ESS refer to the building topology, whereas BSA and ESA refer to the actual signal coverage.

BSA: With a BSA, a single area called a cell is used to provide coverage for the WLAN clients and AP.

ESA: With an ESA, multiple cells are used to provide additional coverage over larger distances or to overcome areas that have signal interference or degradation. When using an ESA, remember that each cell should use a different radio channel.

How an end user client with a WLAN NIC accesses a LAN

  • To allow clients to find the AP easily, the AP periodically broadcasts beacons, announcing its Service Set Identifier (SSID), data rates, and other WLAN information.
  • The SSID is a naming scheme for WLANs that allows an administrator to group WLAN devices together.
  • To discover APs, clients scan all channels and listen for the beacons from the AP(s). By default, the client will associate itself with the AP that has the strongest signal.
  • When the client associates itself with the AP, it sends the SSID, its MAC address, and any other security information that the AP might require based on the authentication method configured on the two devices.
  • Once connected, the client periodically monitors the signal strength of the AP to which it is connected.
  • If the signal strength becomes too low, the client repeats the scanning process to discover an AP with a stronger signal. This process is commonly called roaming.

SSID and MAC Address Filtering

When implementing SSIDs, the AP and client must use the same SSID value to authenticate. By default, the access point broadcasts the SSID value, advertising its presence and basically allowing anyone access to the AP. Originally, to prevent rogue devices from accessing the AP, the administrator would turn off the SSID broadcast function on the AP, commonly called SSID cloaking. To allow a client to learn the SSID value of the AP, the client would send a null string value in the SSID field of the 802.11 frame and the AP would respond; of course, this defeats the security measure, since a rogue device could repeat the same query process and learn the SSID value.

Therefore, APs were commonly configured to filter traffic based on MAC addresses. The administrator would configure a list of MAC addresses in a security table on the AP, listing those devices allowed access; however, the problem with this solution is that MAC addresses can be seen in clear text over the air. A rogue device can easily sniff the airwaves, see the valid MAC addresses, and change its MAC address to match one of the valid ones. This is called MAC address spoofing.

WEP

WEP (Wired Equivalent Privacy) was the first security solution for WLANs that employed encryption. WEP uses a static 64-bit key, where the key is 40 bits long and a 24-bit initialization vector (IV) is used. The IV is sent in clear text. Because WEP uses RC4 as its encryption algorithm and the IV is sent in clear text, WEP can be broken. To alleviate this problem, the key was extended to 104 bits plus the IV value. However, either variation can easily be broken in minutes on the laptops and computers produced today.

802.1x EAP

The Extensible Authentication Protocol (EAP) is a layer 2 process that allows a wireless client to authenticate to the network. There are two varieties of EAP: one for wireless and one for LAN connections, commonly called EAP over LAN (EAPoL).

One of the concerns in wireless is allowing a WLAN client to communicate with devices behind an AP. Three standards define this process: EAP, 802.1x, and Remote Authentication Dial In User Service (RADIUS). EAP defines a standard way of encapsulating authentication information, such as a username and password or a digital certificate, that the AP can use to authenticate the user. 802.1x and RADIUS define how to packetize the EAP information to move it across the network.

WPA

Wi-Fi Protected Access (WPA) was designed by the Wi-Fi Alliance as a temporary security solution to provide for the use of 802.1x and enhancements to WEP until the 802.11i standard was ratified. WPA can operate in two modes: personal and enterprise mode. Personal mode was designed for home or SOHO usage. A pre-shared key is used for authentication, requiring you to configure the same key on the clients and the AP. With this mode, no authentication server is necessary, as it is in the official 802.1x standard. Enterprise mode is meant for large companies, where an authentication server centralizes the authentication credentials of the clients.

WPA2

WPA2 is the Wi-Fi Alliance's implementation of IEEE 802.11i. Instead of WEP, which uses the weak RC4 encryption algorithm, the much more secure Advanced Encryption Standard (AES) in Counter Mode with CBC-MAC Protocol (CCMP) is used.

Infrared

Infrared (IR) radiation is electromagnetic radiation of a wavelength longer than that of visible light, but shorter than that of microwave radiation. The name means "below red" (from the Latin infra, "below"), red being the color of visible light of longest wavelength.

Bluetooth

Bluetooth is an industrial specification for wireless personal area networks (PANs). Bluetooth provides a way to connect and exchange information between devices like personal digital assistants (PDAs), mobile phones, laptops, PCs, printers and digital cameras via a secure, low-cost, globally available short range radio frequency.

FHSS

Frequency-hopping spread spectrum is a spread-spectrum method of transmitting radio signals by rapidly switching a carrier among many frequency channels, using a pseudorandom sequence known to both transmitter and receiver. Spread-spectrum transmission offers these advantages over a fixed-frequency transmission:

  • Highly resistant to noise and interference.
  • Signals are difficult to intercept. A frequency-hop spread-spectrum signal sounds like a momentary noise burst, or simply an increase in the background noise for short frequency-hop codes, on any narrowband receiver except a frequency-hop spread-spectrum receiver using the exact same channel sequence as was used by the transmitter.
  • Transmissions can share a frequency band with many types of conventional transmissions with minimal interference. As a result, bandwidth can be utilized more efficiently.

DSSS

Direct-sequence spread spectrum is a modulation technique where the transmitted signal takes up more bandwidth than the information signal that is being modulated, which is the reason it is called spread spectrum. Direct Sequence Spread Spectrum (DSSS) uses one channel to send data across all frequencies within that channel. Complementary Code Keying (CCK) is a method for encoding transmissions at higher data rates, such as 5.5 and 11 Mbps, that still allows backward compatibility with the original 802.11 standard, which supports only 1 and 2 Mbps speeds. 802.11b and 802.11g support this transmission method.

Comparison of DSSS and Frequency Hopped SS

DSSS
  • Flexible support of variable data rates
  • High capacity is possible with enhancements (interference cancellation, adaptive antennas, etc.)
  • Suffers from the near-far effect

FHSS
  • Suitable for ad hoc networks (no near-far problem)
  • Robust to interference
  • Limited data rate

OFDM

Orthogonal frequency-division multiplexing, also called discrete multitone modulation (DMT), is a transmission technique based upon the idea of frequency-division multiplexing (FDM). OFDM (Orthogonal Frequency Division Multiplexing) increases data rates by using spread-spectrum modulation. 802.11a and 802.11g support this transmission method.

  • Used in some wireless LAN applications, including WiMAX and IEEE 802.11a/g
  • Used in many communications systems such as ADSL, wireless LAN and digital audio broadcasting

MIMO (Multiple Input Multiple Output)

MIMO (Multiple Input Multiple Output) is a transmission method that uses DSSS and/or OFDM, spreading its signal across 14 overlapping channels at 5 MHz intervals. 802.11n uses it. Use of 802.11n requires multiple antennas.


802.11g

Suffers from the same interference as 802.11b in the already crowded 2.4 GHz range. Devices operating in this range include microwave ovens, Bluetooth devices, and cordless telephones. Since the 2.4 GHz band is heavily used, using the 5 GHz band gives 802.11a the advantage of less interference. However, this high carrier frequency also brings disadvantages. It restricts the use of 802.11a to almost line of sight, necessitating the use of more access points; it also means that 802.11a cannot penetrate as far as 802.11b since it is absorbed more readily, other things (such as power) being equal.

802.11a

Transmits radio signals in the frequency range above 5 GHz. This range is "regulated," meaning that 802.11a gear utilizes frequencies not used by other commercial wireless products like cordless phones. In contrast, 802.11b utilizes frequencies in the unregulated 2.4 GHz range and encounters much more radio interference from other devices.

IEEE 802.11a / IEEE 802.11h

This is also a physical layer enhancement. IEEE 802.11a provides significantly higher performance than 802.11b, at 54 Mbps. Unlike 802.11b, the 802.11a standard operates within the frequency range of 5.47 to 5.725 GHz and is not subject to the same interference from other commercial electronic products. This higher frequency band allows significantly higher speeds of communication over the 2.4 GHz range.

802.11g APs are backward compatible with 802.11b APs. This backward compatibility with 802.11b is handled through the MAC layer, not the physical layer. On the negative side, because 802.11g operates at the same frequency as 802.11b, it is subject to the same interferences from electronic devices such as cordless phones. Since the standard’s approval in June 2003, 802.11g products are gaining momentum and will most likely become as widespread as 802.11b products. Table II-1 displays basic 802.11b/a/g characteristics.

The common range of operation for 802.11b is 150 feet for a floor divided into individual offices by concrete or sheet-rock, about 300 feet in semi-open indoor spaces such as offices partitioned into individual workspaces, and about 1000 feet in large open indoor areas. Disadvantages of 802.11b include interference from electronic products such as cordless phones and microwave ovens.

Range

The layout of your building can reduce the range.

  • A lot of concrete walls can reduce your range.
  • The size of the antenna and its placement greatly affect the range of its signal.
  • The weather and the amount of water vapor in the air can affect your signal strength.

Speed

  • The layout of your building can reduce the speed.
  • The size of the antenna and its signal can affect your speed.
  • The weather and the amount of water vapor can weaken the signal and affect your speed.


WAN Tutorial – Basic WAN Switching Concept Explained

This tutorial explains basic concepts of WAN Networking including WAN Switching (Circuit, Cell and Packet) and WAN Terminology (CPE, DP, Local Loop, CO, Toll network, CSU, DSU, DTE, DCE, HDLC, PPP, PPPoE, ISDN, LAPD, LAPB, Frame Relay, MPLS, ATM, DSL, Cable, Synchronous and Asynchronous connection) in detail.

What is WAN?

WAN is the term used to refer to all the technology and hardware involved in connecting multiple network segments together. These network segments can be located far apart. WAN is the abbreviated form of Wide Area Network.

Difference between LAN and WAN

A LAN (Local Area Network) represents a small segment of a network that spans a limited geographical area, such as your home network, a university campus, a cyber café or an office building.

A WAN represents a large part of a network that is not bounded by geographical location. It can span several locations. Basically, a WAN is made up of multiple LANs.

For example, a company with an office in Delhi has 50 computers all connected together. This would be considered a LAN. Now suppose the company expands and opens a new office in Jaipur. The network in the Jaipur office would also be considered a LAN until we connect it with the Delhi office in order to share information and data. Once both offices (LANs) are connected with each other, they would be considered a WAN.

Another major difference between a LAN and a WAN is that we own the LAN, but we lease the WAN. In a LAN we have our own space, so we can install cables, switches, routers and other connecting devices as the connections require. But in a WAN, connections physically pass through other people's property, where we have no right to put our cables and other networking devices. So what options are left for us?

We need to lease or rent a connection from a cable company. Let's understand this another way. Suppose you are in Delhi and you want to go to Jaipur by car. Will you build your own road for the trip?

No, you do not build your own road. You simply use the road built by the government and pay a toll for its use. The same mechanism works behind the cable network. A cable network company builds its network and we use it; the cable network company charges for the use of its network. There are several cable network companies available in the market. Think about your ISP: it is also a cable network company. In short, how a cable network company connects two LANs is what WAN describes.

This tutorial is the first part of our article “WAN Terminology Explained with Encapsulation Protocols and Methods”. You can read other parts of this article here.

HDLC Protocol and Encapsulation method Explained

This tutorial is the second part of the article. This part explains HDLC (High-Level Data Link Control) protocol and encapsulation method in detail with examples including step by step configuration guide.

PPP Protocol and Encapsulation method Explained

This tutorial is the third part of the article. This part explains PPP (Point to Point) protocol and encapsulation method in detail with examples including step by step configuration guide.

Basic Concepts of Frame Relay Explained in Easy Language

This tutorial is the fourth part of the article. This part explains basic concepts of Frame Relay such as LMI Types, DLCI, Access Rate, CIR rate, PVC, SVC and network type in easy language.

How to configure Frame Relay Step by Step Guide

This tutorial is the last part of the article. This part provides a step by step guide on how to configure Frame Relay in Cisco routers.

Basic WAN Terminology

Before we understand WAN networking concepts in detail, let’s be familiar with some basic WAN Network terminology.



CPE

CPE (Customer premises equipment) is the equipment located on the subscriber’s premises, such as modems, switches, a CSU/DSU, a DTE router and an NT1.

Demarcation point

DP (Demarcation point) is the spot where the responsibility of the customer and that of the cable network company divide. Usually it is a device installed by the telecommunication (cable network) company. In simple terms, it’s the delivery point where the LAN delivers data packets to, or receives them from, the telecommunication company.

[Figure: WAN Terminology]

Local Loop

Local loop is the connection between DP and CO (central office).

Central office

This is the nearest office of the telecommunication company. Your connection is delivered from this office.

Toll network

Toll network is the internal infrastructure of Telecommunication Company for transporting your data.

A Telco (Telecommunication Company) uses several thousand kilometers of network cables and specialized networking devices to create its own network. This network provides a service that works like a crossover cable between two demarcation points but physically hidden from customer. Based on its network and customer requirement a Telco provides several types of WAN connections.

CSU/DSU

A CSU/DSU (Channel Service Unit/Data Service Unit) is a device that converts data signals between the LAN and the WAN. LAN and WAN use separate communication technologies; a CSU/DSU understands both. DSL and cable modems are examples of a CSU/DSU.

DTE

DTE (Data Terminal Equipment) is a device (usually a router or PC) that converts data frames into signals and converts received signals back into data frames. A DTE device communicates with a DCE device.

DCE

DCE (Data circuit terminating equipment) is a device (usually modem or CSU/DSU) that provides clock rate and synchronization.

WAN Connection Types



Nearly all WAN connections fall under one of following four categories:-

  1. Leased Line Connection
  2. Circuit Switched Connection
  3. Packet Switched Connection
  4. Cell Switched Connection

Leased Line Connection

A leased line connection is a dedicated connection between two LANs. It simulates a single Ethernet crossover cable between the local LAN and the remote LAN. Just like an Ethernet connection, you can transmit data at any time without any setup procedure. It’s an always-on connection that provides guaranteed bandwidth and minimal delay. With all these goodies, a leased line has the following disadvantages:-

  • Usually it is available for shorter distance.
  • This is the most expensive WAN solution.
  • Whether you use it or not, you will be charged for entire time.
  • Each line requires a separate interface on your router.

[Figure: synchronous serial connection]

Leased line is also known as point to point or dedicated connection. Leased line uses HDLC and PPP data link layer encapsulation protocol.

Circuit Switched Connection

A circuit switched connection is just like a phone call. Whenever you have data to transmit, you open the circuit, transmit the data and close the circuit. On the positive side, you only need to pay when you actually use it. On the negative side, you have to establish an end to end connection every time you have data to transmit. Circuit switched connections are available in two types:-

Asynchronous serial connection

It uses an analog modem and the standard telephone system to establish a dial-up connection. This is the cheapest WAN service. On the other hand, it is the most unreliable and the slowest WAN service. In this service the top connection speed in the USA is 53Kbps.

Synchronous serial connection

It uses digital ISDN line, BRI (Basic Rate Interface) and PRI (Primary Rate Interface) for dial-up connection. It’s an expensive service that provides guaranteed bandwidth.

[Figure: Circuit Switched connection]

Typically, circuit switched connections are used as a secondary backup solution in offices, as well as for temporary low speed connections in home networks. As it charges per minute, it’s not suitable for a primary connection: the more data we have to transmit, the more time it takes, and the more money it costs.

Packet Switched Connection

A packet switched connection is the cost effective alternative to a leased line connection. People who cannot afford a leased line can use this. It allows us to share bandwidth with others to save money. It looks like a leased line but charges like a circuit switched line.

Yep, you read it right; it looks like a leased line, it does not act like a leased line. After all, it’s a shared line: you will get the full bandwidth if nobody else is sending data at that time. But if others are also sending data at the same time, then you will get congested bandwidth. A packet switched connection is best suited for bursty data transmission. It is not suitable for constant data transmission.

Both leased line and circuit switched connections use a physical circuit path to connect two sites. While a leased line uses the same circuit path every time, a circuit switched connection builds the path every time a data call is made. You may get the same or a new path for every data call in a circuit switched network.

Packet switched connections use a different approach, instead of physical path, it builds logical path over the physical path and uses that to connect two sites. These logical circuits are called virtual circuits (VCs). VCs are not tied up with any specific physical circuit. They can be built from any available physical connection. We can create multiple logical circuits over the same physical circuit. Therefore we can use single router interface to connect multiple sites.

[Figure: WAN Frame Relay Connection]

Cell Switched Connection

This is the enhanced version of the packet switched connection. It can provide guaranteed bandwidth, minimal delay, a limited number of errors and Quality of Service. This service uses fixed length (53 byte) packets known as cells to transmit the data. If you want to connect multiple remote sites with a single router interface, then packet switched or cell switched connections are the best options.

Based on data transmission technology, the above WAN connections can be divided into two types:-

Asynchronous connection

An asynchronous connection is one way communication. The sender does not need to coordinate with the receiver before sending data. The sender system simply sends data. The receiver system has to look at the incoming data to work out the decoding method and coordinate.

Synchronous connection

A synchronous connection is two way communication. The sender and receiver synchronize the connection before sending any user data. Once the connection is established, the sender system sends separate signals with every data packet regarding the transmission settings (decoding method, clock rate, coordination etc.). The receiver system also updates the sender, with its own signals, about what has been received so far.

Now that we have a basic understanding of WAN terms, in the remaining part of this tutorial we will have a quick look at the most popular WAN solutions.

WAN Protocols, services and encapsulation methods

HDLC

HDLC (High-Level Data-Link Control) protocol works at the Data Link layer. In comparison with other WAN protocols it creates very little overhead. It is derived from the SDLC (Synchronous Data Link Control) protocol. The HDLC header doesn’t carry any network layer protocol information. For this reason any vendor who wants to use HDLC has to implement its own method to identify the Network Layer protocol, and this method may not work with other vendors. Thus if we want to use HDLC, we have to buy all devices from the same vendor.

PPP

PPP (Point to Point) protocol is a widely used data link layer protocol. It has a field for Network Layer protocol information in its header. For this reason vendors need not change anything; they can use it as it is. If you have equipment from different vendors, use this protocol to create point to point links.

PPPoE

PPPoE (Point-to-Point Protocol over Ethernet) is the Ethernet solution of the PPP protocol. When used with ADSL service it provides a direct connection to the Ethernet interface while supporting DSL as well. On the upside it provides authentication, encryption, and compression. On the downside it has a lower MTU (maximum transmission unit) than standard Ethernet has.

ISDN

ISDN (Integrated Services Digital Network) uses circuit switched connection technology. It uses existing phone lines for voice and data transmission. Usually it is used for secondary backup connection. It provides a cost effective upgrade option for users who require a higher speed connection than analog modem connection.

LAPD

LAPD (Link Access Procedure, D-Channel) protocol was developed for ISDN. It is used to satisfy the signaling requirement of ISDN connection.

LAPB

LAPB (Link Access Procedure, Balanced) was created for X.25 as connection oriented protocol at Data Link Layer. It can also be used for simple data link transportation. Due to its windowing and strict time out techniques it creates a lot of overhead.

Frame Relay

Frame Relay uses packet-switched connection technology. It can provide bandwidth of 64Kbps up to 45Mbps. It builds logical circuit over physical circuit to transmit the data. With logical circuit we can connect multiple remote sites from single interface. Beside this it also provides dynamic bandwidth and congestion control features.

MPLS

MPLS (Multi-Protocol Label Switching) is the frame relay based data forwarding technology. Just like frame relay it also uses some features of circuit switched network over the packet switched network. It uses labels (numbers) to forward the packets. Labels are assigned in the edge of MPLS network. Core routers forward packets based on these labels that make forwarding process faster. Gradually companies are moving to MPLS from frame relay.

ATM

ATM (Asynchronous Transfer Mode) is the enhanced version of frame relay. Beside all goodies of frame relay it also provides simultaneous transmission for video, voice and data. ATM uses fixed length (53 bytes) cells for data forwarding. For faster data forwarding it supports external clocking.

DSL

In DSL (Digital Subscriber Line) service, a connection is set up between the CPE (usually a modem) and the DSLAM (Digital Subscriber Line Access Multiplexer). The DSLAM is a device that concentrates connections from multiple DSL lines. It is located at the CO (Central Office of the Telco). It uses twisted pair copper telephone wires for connectivity; it is the same phone line that is used to connect your phone with the CO. On the CPE side it uses a DSL modem that follows DSL physical and data link layer standards to transmit data to and from the Telco. The following figure illustrates a simple DSL service network.

[Figure: WAN DSL Connection]

DSL service provides asymmetric speed. In asymmetric speed downloading speed is much faster than uploading speed.

Cable

This service uses the existing cable TV network for Internet. It can provide up to 27Mbps download and 2.5Mbps upload bandwidth. In this service, the users connected to a certain cable network segment share its bandwidth. For this reason the actual bandwidth a user may get is 256Kbps to 6Mbps.

[Figure: WAN Cable Connection]

Key points of DSL and Cable services

  • Both services use existing network. DSL uses phone line while Cable uses CATV (Cable TV) cable.
  • Both services provide asymmetric speeds where downloading speed is much faster than uploading speed.
  • Both services work in always on mode where user can access Internet without taking any action to start Internet connection.
  • Both services are used to connect CPE with CO.
  • DSL service uses twisted pair cable while Cable service uses coaxial cable.
  • In customer side DSL service uses DSL modem while Cable service uses cable modem.
  • In company side DSL uses DSLAM device to filter voice and data while Cable service uses router to split data and videos.

Serial WAN Encapsulation method and protocol

Not all of the protocols and methods introduced above are available for a serial interface. The options available for a serial interface can be listed with the “encapsulation ?” command from serial interface configuration mode. For example, the following figure illustrates the available options for a serial interface on a router.

[Figure: WAN Encapsulation]

Output may be different on different series routers. You may get more options such as atm-dxi, lapb, smds and x25 in real Cisco router. This output is taken from a virtual router running in packet tracer network simulator software.

As output shows we have three encapsulation methods:-

  1. HDLC
  2. PPP
  3. Frame-Relay

That’s all for this part. In next parts of this article I will explain these protocols in details with examples.

Prerequisites for 200-301

200-301 is a single exam, consisting of about 120 questions. It covers a wide range of topics, such as routing and switching, security, wireless networking, and even some programming concepts. As with other Cisco certifications, you can take it at any of the Pearson VUE certification centers.

The recommended training program that can be taken at a Cisco academy is called Implementing and Administering Cisco Solutions (CCNA). The successful completion of a training course will get you a training badge.


Configure Extended Access Control List Step by Step Guide

This tutorial explains how to configure and manage Extended Access Control List step by step in detail. Learn how to create, enable, edit, verify, update, remove (individual or all) and delete Extended ACL statements and conditions in easy language with packet tracer examples.

For demonstration purposes I will use packet tracer network simulator software. You can use it or any other network simulator software such as Boson, NetSim, GNS etc.

If required, you can download the latest as well as earlier versions of Packet Tracer from here. Download Packet Tracer

Create a topology as illustrated in the following figure.

[Figure: Extended ACL Example]

or download this pre-configured practice lab and load it in packet tracer.

Download practice topology for Extended ACL configuration

In this lab: –

  • IP address is assigned on all end devices.
  • IP addresses are configured on all used interfaces (in both routers).
  • RIPv2 (or any other routing protocol) is configured

For detailed information about this topology please see the third part of this article. This is the same network topology which I used to explain Standard ACL. For this article I assume that you have the above network topology in your network simulator software with the above essential configurations.

In this network, at this moment all sections are connected with each other. Users are able to access all resources from other sections as well as their own. You are hired to secure this network.

This network has following security requirements.

  • Company has three servers. Assign one server for each section; Server0 for development section, Server1 for production section and Server2 for management section. Sections should be able to access only their own server. They are not allowed to access each other’s server.
  • Development section should be able to access production section. It should not be able to access management section.
  • Production section should be able to access development section. It should not be able to access management section.
  • Users from development are not allowed to ping their server (Server0). But they are allowed to access all services running on their server.
  • One user (PC0) from development section should not be able to access anything except its own section.
  • One user (PC2) is allowed to access only web server from server.
  • One user (PC3) from production section should also be able to access management section.
  • One user (laptop0) from management section should be able to access only Server section not the development section and production section. He is allowed to access only ftp and web service from server.



This tutorial is the last part of our article “Cisco IP ACL Configuration Guide”. You can read other parts of this article here:-

Access Control List Explained with Examples

This tutorial is the first part of this article. In this part I provided a brief introduction to Cisco IP ACLs such as what is ACL and how it works including ACLs direction and locations.

Standard ACL Configuration Commands Explained

This tutorial is the second part of this article. In this part I explained Standard Access Control List configuration commands and its parameters in detail with examples.

Configure Standard Access Control List Step by Step Guide

This tutorial is the third part of this article. In this part I provided a step by step configuration guide for Standard Access Control List.

Extended ACL Configuration Commands Explained

This tutorial is the fourth part of this article. In this part I explained Extended Access Control List configuration commands and its parameters in detail with examples.

For above requirements we need to secure three locations. For each location we need a separate ACL.

[Figure: Extended ACL location and direction]

As you know we can create an extended ACL in three ways:-

  1. Classic Numbered
  2. Modern Numbered
  3. Modern Named

To get a better overview of these methods we will use all of them in our example.

ACL Number / Name   ACL Type           ACL Direction   Applied Interface
110                 Classic Numbered   Inbound         R1’s Fa0/0
120                 Modern Numbered    Inbound         R1’s Fa0/1
SecureManagement    Modern Named       Inbound         R2’s Fa0/0

Understanding ACL Location and requirements



Unlike a standard ACL, where we are limited to the source address, in an extended ACL we have a lot more options to match the packet. Because of these options we should always place an extended ACL near the source address. This way an unwanted packet is filtered as soon as it enters the network. As I explained in the third part of this article, we should always write ACL conditions on paper before entering them in the router. This way we can edit/update/reorder/delete ACL conditions without messing up a live network. Once satisfied, we can migrate them to the router easily.

ACL-110

This will be our first ACL. We will create this ACL in router R1 and enable it on interface Fa0/0. It will filter traffic in the inbound direction. This ACL will be used to fulfill the following requirements:-

Development section should be able to access production section. It should not be able to access management section.

For this requirement we need two statements; one permit statement for production section and another deny statement for management section.

  • permit ip 200.0.0.0 0.0.0.127 200.0.0.128 0.0.0.63
  • deny ip 200.0.0.0 0.0.0.127 200.0.0.192 0.0.0.31

Our statement starts with the action (permit or deny). When a match is found, what action should the router take? It is defined by this keyword. With the permit keyword we tell the router that if a match is found, let the packet go. With the deny keyword we tell the router that when a match is found, discard the packet immediately.

After the action we need to specify the level of filtering. An extended ACL allows us to filter a packet based on its address or its application. In this requirement we are asked to filter all packets regardless of what application data they are carrying. For this requirement we have to use the ip keyword. With the ip keyword we tell the router to match all IP packets, no matter which IP application is sending or receiving the data.

Next we need to provide the source address and destination address with wildcard masks. To match a network range, we need to use the network ID. In this requirement we are filtering traffic that originates from the development section (Network ID 200.0.0.0) and goes to the production section (Network ID 200.0.0.128) and the management section (Network ID 200.0.0.192).

Along with the network ID we need to provide a wildcard mask. The wildcard mask controls the range of addresses which will be matched. Wildcard masks are explained in detail with examples in the second part of this article.

Sections should be able to access only their own server. They are not allowed to access each other’s server.

We need two conditions for this requirement. First, a permit condition which allows the development section to access its own server. Second, a deny condition which blocks it from accessing the other servers in the server section.

  • permit ip 200.0.0.0 0.0.0.127 host 200.0.0.226
  • deny ip 200.0.0.0 0.0.0.127 200.0.0.224 0.0.0.15

Users from development are not allowed to ping their server (Server0). But they are allowed to access all services running on their server.

For this requirement we need to create a deny statement.

deny icmp 200.0.0.0 0.0.0.127 host 200.0.0.226 echo

In this statement:-

  • deny keyword specifies the action.
  • icmp keyword tells router that we want to match a packet based on ICMP protocol.
  • 200.0.0.0 is the network ID of development section (Source).
  • 0.0.0.127 is the wildcard mask of source address.
  • host keyword tells router that we want to match a single host.
  • 200.0.0.226 is the IP address of server (Destination).
  • echo keyword is used to specify the type of message (ping) which we want match.

One user (PC0) from development section should not be able to access anything except its own section.

For this requirement we need following deny statement.

deny ip host 200.0.0.2 any

In this statement :-

  • deny is the action which say drop the packet that match with this criteria.
  • ip is the base line for filter which say match all IP traffics regardless which IP application it carry
  • host keyword is used to match a single host.
  • 200.0.0.2 is the source IP address.
  • any keyword is used to match all addresses. It says match all packets.

We can also use wildcard masks instead of the host and any keywords. For the host keyword the wildcard mask 0.0.0.0 is used. For the any keyword the address 0.0.0.0 and the wildcard mask 255.255.255.255 are used. With this approach the above condition would be

deny ip 200.0.0.2 0.0.0.0 0.0.0.0 255.255.255.255

Both methods work exactly the same. It’s only a matter of which method you prefer.

Okay let’s have a quick look on our requirements and statement once again

Development section (200.0.0.0 0.0.0.127) should be able to access production section (200.0.0.128 0.0.0.63). It (200.0.0.0 0.0.0.127) should not be able to access management section (200.0.0.192 0.0.0.31).

Development section (200.0.0.0 0.0.0.127) should be able to access only its own server (200.0.0.226). Development section (200.0.0.0 0.0.0.127) is not allowed to access any other sever from server section (200.0.0.224 0.0.0.15).

Users from development section (200.0.0.0 0.0.0.127) are not allowed to ping their server (200.0.0.226).

One user (200.0.0.2) from development section should not be able to access anything except its own section.

Statements for above requirements

  • permit ip 200.0.0.0 0.0.0.127 200.0.0.128 0.0.0.63
  • deny ip 200.0.0.0 0.0.0.127 200.0.0.192 0.0.0.31
  • permit ip 200.0.0.0 0.0.0.127 host 200.0.0.226
  • deny ip 200.0.0.0 0.0.0.127 200.0.0.224 0.0.0.15
  • deny icmp 200.0.0.0 0.0.0.127 host 200.0.0.226 echo
  • deny ip host 200.0.0.2 any

Can we create statements in the above order? Technically yes, the router will accept statements in any order. It does not have a brain to understand our requirements; it will do what we tell it to do. So it’s our responsibility to give it the statements in the correct sequence. As we know, ACL statements are matched from top to bottom without skipping any condition. Once a match is found, the next condition is never checked for that packet.

If we create statements in the above order, the last two statements will never match any packet. Statement five says drop an ICMP packet if it originates from the 200.0.0.0/25 network and is going to host 200.0.0.226. But statement three says allow all IP packets if they originate from network 200.0.0.0/25 and are going to host 200.0.0.226.

Just like this, statement six says deny a packet if it is coming from host 200.0.0.2, while statement one says allow packets if they are coming from 200.0.0.0/25 and going to 200.0.0.128/26.

Thus statement five is overruled by statement three, and statement six is overridden by statement one.

For more detail about how ACLs are processed please see the first part of this article which explains this process in detail with example.

Okay let’s arrange conditions in correct order

  • deny ip host 200.0.0.2 any
  • permit ip 200.0.0.0 0.0.0.127 200.0.0.128 0.0.0.63
  • deny ip 200.0.0.0 0.0.0.127 200.0.0.192 0.0.0.31
  • deny icmp 200.0.0.0 0.0.0.127 host 200.0.0.226 echo
  • permit ip 200.0.0.0 0.0.0.127 host 200.0.0.226
  • deny ip 200.0.0.0 0.0.0.127 200.0.0.224 0.0.0.15

I have explained how ACL are processed in detail with example in first part of this article.

ACL-120

ACL-120 will filter incoming traffic from the production section on R1’s Fa0/1. The production section has the following requirements:-

Sections should be able to access only their own server. They are not allowed to access each other’s server.

For this requirement we need two statements. First statement will allow production department to access its server Server1.
Second statement will block production section from accessing other resources from server section.

  • permit ip 200.0.0.128 0.0.0.63 host 200.0.0.227
  • deny ip 200.0.0.128 0.0.0.63 200.0.0.224 0.0.0.15

Production section should be able to access development section. It should not be able to access management section.

This requirement needs two conditions. The first condition allows the production section to access the development section. The second condition blocks the production section from accessing the management section.

  • permit ip 200.0.0.128 0.0.0.63 200.0.0.0 0.0.0.127
  • deny ip 200.0.0.128 0.0.0.63 200.0.0.192 0.0.0.31

One user (PC2) is allowed to access only web server from server.

For this requirement we need two statements. The first statement allows host 200.0.0.130 to access the web server in the server section. The second condition blocks this host from accessing anything else on that server.

  • permit tcp host 200.0.0.130 host 200.0.0.227 eq 80
  • deny ip host 200.0.0.130 host 200.0.0.227

eq is the operator which stands for equal.

80 is the port number of the web server. We can also use the keyword www here instead of the port number. Collectively, eq 80 says “match a packet which is going to the web server”. If you are asked to match a secure web server, use port number 443. For more detail about port numbers and operators please check the previous part of this article.

One user (PC3) from production section should also be able to access management section.

We need one permit condition for this requirement.

permit ip host 200.0.0.131 200.0.0.192 0.0.0.31

Okay let’s arrange above conditions in proper order.

  • permit ip 200.0.0.128 0.0.0.63 200.0.0.0 0.0.0.127
  • permit ip host 200.0.0.131 200.0.0.192 0.0.0.31
  • deny ip 200.0.0.128 0.0.0.63 200.0.0.192 0.0.0.31
  • permit tcp host 200.0.0.130 host 200.0.0.227 eq 80
  • deny ip host 200.0.0.130 host 200.0.0.227
  • permit ip 200.0.0.128 0.0.0.63 host 200.0.0.227
  • deny ip 200.0.0.128 0.0.0.63 200.0.0.224 0.0.0.15

ACL-SecureManagement

This ACL will filter incoming traffic from the management section on router R2’s Fa0/0. The management section has the following requirements:

Sections should be able to access only their own server. They are not allowed to access each other’s server.

  • permit ip 200.0.0.192 0.0.0.31 host 200.0.0.228
  • deny ip 200.0.0.192 0.0.0.31 200.0.0.224 0.0.0.15

One user (laptop0) from the management section should be able to access only the server section, not the development section or the production section. He is allowed to access only the ftp and web services from the server.

For this requirement we need three statements. The first statement allows the user to access the ftp service on the server. The second statement allows the user to access the web service. The last statement blocks it from accessing anything else on the server.

  • permit tcp host 200.0.0.194 host 200.0.0.228 eq 21
  • permit tcp host 200.0.0.194 host 200.0.0.228 eq 80
  • deny ip host 200.0.0.194 host 200.0.0.228

We need to add one more permit statement in this ACL for following requirement

One user (PC3) from production section should also be able to access management section.

permit ip 200.0.0.192 0.0.0.31 host 200.0.0.131

We have already allowed this user in ACL-120, so why do we need the above permit statement for this user in this ACL? Any guesses…..

To understand this statement we need to have a quick look at how the data flows:-

  • PC3 (200.0.0.131) generates a packet with destination Laptop1 (200.0.0.195).
  • PC3 sends this packet to router R1.
  • R1 receives this packet on interface FastEthernet 0/1.
  • Interface FastEthernet 0/1 has an inbound ACL (numbered ACL-120).
  • ACL-120 compares this packet and lets it in, as it has a permit statement for this situation.
  • R1 forwards this packet out of its Serial 0/0/0.
  • R2 receives this packet on its Serial 0/0/0.
  • R2 forwards this packet out of Fa0/0.
  • This packet is received by Laptop1 (200.0.0.195).
  • Laptop1 (source 200.0.0.195) responds to PC3 (destination 200.0.0.131).
  • R2 receives the return packet on FastEthernet 0/0.
  • This interface has an inbound ACL (named ACL-SecureManagement).
  • This ACL has no statement for this packet.
  • Every ACL has a default implicit deny statement at its end. This statement uses the any (source) any (destination) keywords in its matching criteria, which means it does not care where a packet is coming from or where it is going. It matches every packet that is compared with it. If a packet does not match any condition in the ACL, it is matched by the implicit deny statement.
  • Since there is no defined condition for our packet, it is matched by the default implicit deny statement.
  • Our packet is dropped as soon as it meets the implicit deny statement.
  • This way the source PC never receives a response from the destination PC.

[Figure: extended acl data flow example]

To allow return traffic from the management section we need a permit statement for PC3.

Here I have question for you “How ACLs are processed and what is implicit deny?”

If you know the answer, great keep going. If you don’t know the answer, I would suggest you to take a pause here and go through the first part of this article.

First part of this article covers essential features of ACL in detail such as Implicit deny, ACL types, how ACL statements are processed and data flow directions.

Okay, let’s arrange the statements in proper order for ACL-SecureManagement

  • permit tcp host 200.0.0.194 host 200.0.0.228 eq 21
  • permit tcp host 200.0.0.194 host 200.0.0.228 eq 80
  • deny ip host 200.0.0.194 host 200.0.0.228
  • permit ip 200.0.0.192 0.0.0.31 host 200.0.0.228
  • deny ip 200.0.0.192 0.0.0.31 200.0.0.224 0.0.0.15
  • permit ip 200.0.0.192 0.0.0.31 host 200.0.0.131

That’s all the paper work we need to do before creating the real ACLs. Well… you may be a little annoyed by all of the above preparation. But believe me, friends; it will save a lot of time and effort in Cisco exams as well as in your job.

Create Extended ACL

An extended ACL can be created in two ways:-

  1. Classic numbered method
  2. Modern numbered or named method

The classic numbered method uses the following global configuration mode command

Router(config)#access-list ACL_Identifier_number permit|deny IP_protocol source_address source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log]

The modern numbered or named method uses the following global configuration mode commands

Router(config)#ip access-list extended ACL_name_number
Router(config-ext-nacl)#permit|deny IP_protocol source_IP_address wildcard_mask [protocol_information] destination_IP_address wildcard_mask [protocol_information] [log]

I have already explained the above commands and parameters in detail with examples in the previous part of this article. For this part I assume that you are familiar with them.

In our example we will create two ACLs (110 and 120) on Router1 and one ACL (SecureManagement) on Router2.

Okay, let’s create them one by one

ACL-110 (Configuration style – Classical Numbered)

Access the CLI prompt of Router1 and enter global configuration mode

[Figure: accessing the router CLI in Packet Tracer]

Enter the following commands

Router(config)#access-list 110 deny ip host 200.0.0.2 any
Router(config)#access-list 110 permit ip 200.0.0.0 0.0.0.127 200.0.0.128 0.0.0.63
Router(config)#access-list 110 deny ip 200.0.0.0 0.0.0.127 200.0.0.192 0.0.0.31
Router(config)#access-list 110 deny icmp 200.0.0.0 0.0.0.127 host 200.0.0.226 echo
Router(config)#access-list 110 permit ip 200.0.0.0 0.0.0.127  host 200.0.0.226
Router(config)#access-list 110 deny ip 200.0.0.0 0.0.0.127 200.0.0.224 0.0.0.15

Great job, we have just created our first ACL with the classic numbered method. Now let’s create our second ACL, but this time using the modern numbered method.

ACL-120 (Configuration style – Modern Numbered)

Router(config)#ip access-list extended 120
Router(config-ext-nacl)#permit ip 200.0.0.128 0.0.0.63 200.0.0.0 0.0.0.127
Router(config-ext-nacl)#permit ip host 200.0.0.131 200.0.0.192 0.0.0.31
Router(config-ext-nacl)#deny ip 200.0.0.128 0.0.0.63 200.0.0.192 0.0.0.31
Router(config-ext-nacl)#permit tcp host 200.0.0.130 host 200.0.0.227 eq 80
Router(config-ext-nacl)#deny ip host 200.0.0.130 host 200.0.0.227
Router(config-ext-nacl)#permit ip 200.0.0.128 0.0.0.63 host 200.0.0.227
Router(config-ext-nacl)#deny ip 200.0.0.128 0.0.0.63 200.0.0.224 0.0.0.15
Router(config-ext-nacl)#exit
Router(config)#

Good going, we have finished our ACL creation task for router R1. Now access the global configuration mode of router R2 and enter the following commands to create ACL-SecureManagement

ACL-SecureManagement (Configuration style – Modern Named)

Router(config)#ip access-list extended SecureManagement
Router(config-ext-nacl)#permit tcp host 200.0.0.194 host 200.0.0.228 eq 21
Router(config-ext-nacl)#permit tcp host 200.0.0.194 host 200.0.0.228 eq 80
Router(config-ext-nacl)#deny ip host 200.0.0.194 host 200.0.0.228
Router(config-ext-nacl)#permit ip 200.0.0.192 0.0.0.31 host 200.0.0.228
Router(config-ext-nacl)#deny ip 200.0.0.192 0.0.0.31 200.0.0.224 0.0.0.15
Router(config-ext-nacl)#permit ip 200.0.0.192 0.0.0.31 host 200.0.0.131
Router(config-ext-nacl)#exit
Router(config)#

Assign Extended ACLs to interfaces

No matter how we created the ACLs, assigning them to interfaces is the same two-step process:-

Router(config)#interface type [slot_#] port_#
Router(config-if)#ip access-group ACL_Number_or_Name in|out

These commands and parameters are explained in the previous part of this article. In this part we will use them to assign the ACLs.

Let’s assign our ACLs to their respective interfaces

ACL-110 (R1’s Fa0/0 interface, Inbound direction)

Router(config)#interface fastethernet 0/0
Router(config-if)#ip access-group 110 in
Router(config-if)#exit
Router(config)#

ACL-120 (R1’s Fa0/1 interface, Inbound direction)

Router(config)#interface fastethernet 0/1
Router(config-if)#ip access-group 120 in
Router(config-if)#exit
Router(config)#

ACL-SecureManagement (R2’s Fa0/0 interface, Inbound direction)

Router(config)#interface Fa0/0
Router(config-if)#ip access-group SecureManagement in
Router(config-if)#exit
Router(config)#

Testing Extended ACLs

Packet Tracer includes several tools to verify our implementation, such as the ping command, which can be used to test connectivity. We can use the FTP client and the Web Browser to test application-level filtering.

Let’s test the implementation from PC0.

As per the requirements, PC0 is allowed to access only its own section. It is not allowed to access anything outside it.

[Figure: extended ACL testing from PC0]

Let’s do one more test from PC2. As per the requirements, PC2 is allowed to access the development section and only the web service from the server.

[Figure: extended ACL testing from PC2]

Now it’s your turn to test the remaining conditions. If you have followed all the above steps, the requirements should be fulfilled.
If you are missing any requirement or not getting the expected result, use my practice topology to cross-check.

Download configured topology for Extended ACL configuration

Verifying Extended Access List configuration

Once the ACLs are created and activated, we can verify them with the following privileged exec mode commands.

To see which ACLs are activated on which interfaces and in which direction, use the show ip interface command

[Figure: show ip interface command output]

From the output we can see that ACL-110 is applied in the inbound direction on FastEthernet0/0. By default the above command lists all interfaces. To view a single interface, specify it as a command line option. For example, to view only FastEthernet 0/1, use the show ip interface FastEthernet 0/1 command.

[Figure: show ip interface fast ethernet 0 output]

To view the conditions in an ACL, we have two commands

Router#show access-lists ACL_Number_or_Name (Optional, used to see a specific ACL)

[Figure: show access-lists command output]

Router#show ip access-list ACL_Number_or_Name (Optional, used to see a specific ACL)

[Figure: show ip access-list command output]

Have you noticed any difference between the outputs? The second command provides more detailed information about modern-style ACLs. It lists the sequence number of each condition in the ACL. Sequence numbers are used to edit or delete a condition in the ACL. Sequence numbers are available only when you create the ACL in the modern style.

The router keeps a count of matches for every condition. To reset these counters, use the clear access-list counters command.

[Figure: clear access-list counters]

We can also view the entire running configuration, including the ACLs, with the show running-config command.

[Figure: show running-config output]

Editing / Updating Extended ACLs

We can edit or update an extended ACL only if it was created in the modern configuration style. If it was created in the classic configuration style we cannot edit or update it; we can only append to it (with the classic syntax, no access-list 110 followed by a statement removes the whole list, not just that line).

How will I know which ACL was created in which style?

ACLs created the modern way have sequence numbers. We can use the show ip access-list command to find out whether a specific ACL was created in the classic style or the modern style. If the output of this command shows sequence numbers in front of the conditions, that ACL was created in the modern style. For example, the following figure illustrates the output of the show ip access-list command from router R2.

[Figure: show ip access-list command output on R2]

As we can see in the output, ACL-SecureManagement has sequence numbers, so it was created in the modern named style.

Now suppose we want to give host 200.0.0.194 full permission on the server 200.0.0.228.

Okay, let’s update this ACL step by step.

Verify current status

Router#show ip access-list SecureManagement
Extended IP access list SecureManagement
    10 permit tcp host 200.0.0.194 host 200.0.0.228 eq ftp
    20 permit tcp host 200.0.0.194 host 200.0.0.228 eq www
    30 deny ip host 200.0.0.194 host 200.0.0.228
    40 permit ip 200.0.0.192 0.0.0.31 host 200.0.0.228
    50 deny ip 200.0.0.192 0.0.0.31 200.0.0.224 0.0.0.15
    60 permit ip any host 200.0.0.131

Currently host 200.0.0.194 is allowed to access only the FTP and web services on the server. To grant it full permission we need to remove the three statements 10, 20 and 30. Since the host belongs to network 200.0.0.192/27 (wildcard 0.0.0.31), which has full permission on the server (statement 40), the host gets full permission automatically once the deny statement (30) is removed; statements 10 and 20 then become redundant, because statement 40 already covers FTP and web.

Remove old permission

Router(config)#ip access-list extended SecureManagement
Router(config-ext-nacl)#no 10
Router(config-ext-nacl)#no 20
Router(config-ext-nacl)#no 30
Router(config-ext-nacl)#exit
Router(config)#exit
Router#

Confirm removal

Router#show ip access-list SecureManagement
Extended IP access list SecureManagement
    40 permit ip 200.0.0.192 0.0.0.31 host 200.0.0.228
    50 deny ip 200.0.0.192 0.0.0.31 200.0.0.224 0.0.0.15
    60 permit ip any host 200.0.0.131
Router#

Insert new condition in extended ACL

Now suppose we want to allow host 200.0.0.195 to access only the TFTP service on the server. Currently this host has full permission on the server (see statement 40 in the output above). For this requirement we need to permit the TFTP service first and then deny all other services for this host, with both statements placed before the network statement that grants full permission; the freed sequence numbers 10 and 20 are reused for this.

Router(config)#ip access-list extended SecureManagement
Router(config-ext-nacl)#10 permit udp host 200.0.0.195 host 200.0.0.228 eq 69
Router(config-ext-nacl)#20 deny ip host 200.0.0.195 host 200.0.0.228
Router(config-ext-nacl)#exit
Router(config)#exit
Router#

Verify update

Router#show ip access-lists SecureManagement
Extended IP access list SecureManagement
    10 permit udp host 200.0.0.195 host 200.0.0.228 eq 69
    20 deny ip host 200.0.0.195 host 200.0.0.228
    40 permit ip 200.0.0.192 0.0.0.31 host 200.0.0.228
    50 deny ip 200.0.0.192 0.0.0.31 200.0.0.224 0.0.0.15
    60 permit ip any host 200.0.0.131
Router#
How to delete an Extended ACL

We have two commands to delete an extended ACL.

Router(config)#no access-list [ACL_Number]
Router(config)#no ip access-list extended [ACL_Number_or_Name]

The first command deletes a numbered ACL, while the second command deletes both numbered and named ACLs. Note that an interface whose ip access-group still references an ACL that no longer exists passes all traffic, so remove the access-group binding from the interface first if that interface should stay filtered. Let’s have an example of both commands.

Delete ACL-110 from router R1 (numbered form) and ACL-SecureManagement from router R2 (named form).

Router(config)#no access-list 110
Router(config)#no ip access-list extended SecureManagement
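To make the processing order concrete, here is an added Python model of how an extended ACL is evaluated: entries are tried in sequence-number order, the first match decides, and a packet that matches nothing hits the implicit deny. It replays the data-flow walkthrough above (Laptop1's reply to PC3 being dropped until the permit for host 200.0.0.131 is added), the sequence-number edits of ACL-SecureManagement, and the deletion caveat (an interface still bound to an ACL that no longer exists passes everything). This is example code written for this page, not IOS code or Packet Tracer output; the ACL statements are the page's own, while the Packet record, the Entry and ExtendedACL classes, the port-name table and the sample packets (including the constructed port 1025 and 22 packets) are assumptions made for the example.

```python
"""Model of IOS extended-ACL processing: first match wins, implicit deny last. Constructed for this page."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"ftp": 21, "www": 80, "tftp": 69}   # names IOS prints for these ports
# Constructed packet record: proto is tcp/udp/icmp, dport the destination port, icmp_type e.g. "echo".
Packet = namedtuple("Packet", "proto src dst dport icmp_type", defaults=(None, None))

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(t, i):
    """Read 'host A', 'any' or 'A WILDCARD' at t[i]; return (base, wildcard, next index)."""
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    return _ip(t[i]), _ip(t[i + 1]), i + 2

def _wc_match(addr, base, wildcard):
    # Wildcard bit 1 = don't care, 0 = must match (the inverse of a subnet mask).
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

class Entry:
    """One statement in the page's syntax, e.g. 'permit tcp host 200.0.0.194 host 200.0.0.228 eq 21'."""
    def __init__(self, seq, text):
        t = text.split()
        self.seq, self.action, self.proto = seq, t[0], t[1]
        self.src, self.src_wc, i = _parse_addr(t, 2)
        self.dst, self.dst_wc, i = _parse_addr(t, i)
        self.dport, self.icmp_type, rest = None, None, t[i:]
        if rest[:1] == ["eq"]:      # destination port, by number or IOS name
            self.dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        elif rest and self.proto == "icmp":
            self.icmp_type = rest[0]  # e.g. 'echo'

    def matches(self, p):
        return ((self.proto == "ip" or self.proto == p.proto)
                and _wc_match(_ip(p.src), self.src, self.src_wc)
                and _wc_match(_ip(p.dst), self.dst, self.dst_wc)
                and (self.dport is None or p.dport == self.dport)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type))

class ExtendedACL:
    """Modern-style extended ACL: entries keyed by sequence number, evaluated in order."""
    def __init__(self, name):
        self.name, self.entries = name, {}

    def add(self, text, seq=None):
        if seq is None:                       # IOS appends at highest + 10, first entry 10
            seq = max(self.entries, default=0) + 10
        self.entries[seq] = Entry(seq, text)
        return seq

    def remove(self, seq):                    # the 'no <seq>' form shown on the page
        del self.entries[seq]

    def evaluate(self, packet):
        """(action, seq) of the first match; ('deny', None) is the implicit deny."""
        for seq in sorted(self.entries):
            if self.entries[seq].matches(packet):
                return self.entries[seq].action, seq
        return "deny", None

def interface_decision(acls, bound_name, packet):
    """Result on an interface with 'ip access-group <bound_name> in'; IOS passes all if the ACL is gone."""
    return acls[bound_name].evaluate(packet) if bound_name in acls else ("permit", None)

def replay_page_examples():
    """Replay the tutorial's data-flow and editing steps; return every decision."""
    acl = ExtendedACL("SecureManagement")
    for line in ("permit tcp host 200.0.0.194 host 200.0.0.228 eq 21",
                 "permit tcp host 200.0.0.194 host 200.0.0.228 eq 80",
                 "deny ip host 200.0.0.194 host 200.0.0.228",
                 "permit ip 200.0.0.192 0.0.0.31 host 200.0.0.228",
                 "deny ip 200.0.0.192 0.0.0.31 200.0.0.224 0.0.0.15"):
        acl.add(line)
    r = {}
    reply = Packet("tcp", "200.0.0.195", "200.0.0.131", 1025)  # Laptop1 answering PC3 (constructed)
    r["reply_before"] = acl.evaluate(reply)                     # nothing matches: implicit deny
    acl.add("permit ip 200.0.0.192 0.0.0.31 host 200.0.0.131")  # becomes seq 60
    r["reply_after"] = acl.evaluate(reply)
    web = Packet("tcp", "200.0.0.194", "200.0.0.228", 80)
    ssh = Packet("tcp", "200.0.0.194", "200.0.0.228", 22)
    r["194_web"], r["194_ssh"] = acl.evaluate(web), acl.evaluate(ssh)
    for seq in (10, 20, 30):                                    # full access for .194 via seq 40
        acl.remove(seq)
    r["194_ssh_after"] = acl.evaluate(ssh)
    acl.add("permit udp host 200.0.0.195 host 200.0.0.228 eq 69", seq=10)
    acl.add("deny ip host 200.0.0.195 host 200.0.0.228", seq=20)
    r["195_tftp"] = acl.evaluate(Packet("udp", "200.0.0.195", "200.0.0.228", 69))
    r["195_web"] = acl.evaluate(Packet("tcp", "200.0.0.195", "200.0.0.228", 80))
    r["final_order"] = sorted(acl.entries)
    r["dangling"] = interface_decision({}, "SecureManagement", ssh)  # ACL deleted, binding left
    return r

if __name__ == "__main__":
    for name, decision in replay_page_examples().items():
        print(f"{name:15} {decision}")
```

Each decision is a pair (action, sequence number), with ('deny', None) marking the implicit deny at the end of the list. Running the script shows the reply being dropped before statement 60 exists, host 200.0.0.194 moving from statement 30 (deny) to statement 40 (permit) once 10, 20 and 30 are removed, and the reused sequence numbers 10 and 20 taking effect ahead of 40 for host 200.0.0.195.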

That’s all for this tutorial.

Prerequisites for 200-301

200-301 is a single exam, consisting of about 120 questions. It covers a wide range of topics, such as routing and switching, security, wireless networking, and even some programming concepts. As with other Cisco certifications, you can take it at any of the Pearson VUE certification centers.

The recommended training program that can be taken at a Cisco academy is called Implementing and Administering Cisco Solutions (CCNA). The successful completion of a training course will get you a training badge.
