www.professordkinney.com
08/26/13
Instructional Design-Computer Networking -
Bridges Educational Group
Wide-Area Networks
Lessons Summary:
Understanding WAN Technologies
Configuring Serial Encapsulation
Introducing VPN Solutions
Configuring GRE Tunnels
Understanding WAN Technologies
WANs – The need
Sharing of data
Organization to organization
Remote users
Over large distance
LAN – Falls short
Company Growth
WAN functions in terms of the OSI Reference Model
The physical layer (OSI Layer 1) protocols describe how to provide electrical,
mechanical, operational, and functional connections to the services of a
communications service provider.
The data link layer (OSI Layer 2) protocols define how data is encapsulated for
transmission toward a remote location and the mechanisms for transferring the
resulting frames. A variety of different technologies are used, such as Frame Relay
and ATM. Some of these protocols use the same basic framing mechanism,
High-Level Data Link Control (HDLC), an ISO standard, or one of its subsets or variants.
WAN physical layer concepts for network and Internet communications
• WAN physical-layer protocols describe how to provide electrical, mechanical,
operational, and functional connections for WAN services.
• The WAN physical layer also describes the interface between the DTE and the DCE.
WAN data link layer protocols used in today’s Enterprise WAN networks
Data link layer protocols define how data is encapsulated for transmission to remote
sites and the mechanisms for transferring the resulting frames.
ATM uses small fixed-size cells of 53 bytes (48 bytes for data),
Switching technologies used for WANs in an Enterprise setting
A circuit-switched network is one that establishes a dedicated circuit (or channel)
between nodes and terminals before the users may communicate.
PSTN and ISDN are two types of circuit-switching technology that may be used to
implement a WAN in an enterprise setting.
Packet switching splits traffic data into packets that are routed over a shared
network. Packet-switching networks do not require a circuit to be established, and
they allow many pairs of nodes to communicate over the same channel. Packets are
divided and sent through available connections. There are two approaches to this
link determination, connectionless or connection-oriented.
List the various options for connecting subscribers to the WAN
Enterprises use leased line services to provide a WAN connection
Point-to-point lines are usually leased from a carrier and are called leased lines.
Circuit switching options available to provide a WAN connection
Packet switching options available to provide a WAN connection
List factors to consider when selecting a WAN connection
Configuring Serial Encapsulation
Circuit Switching
Public Switched Telephone Network
PSTN Considerations
Advantages
• Simplicity
• Availability
• Cost
Disadvantages
• Low data rates
• Relatively long connection setup time
Leased Line
Configuring a Serial Interface
Enter global configuration mode:
RouterX#configure terminal
RouterX(config)#
Specify interface:
RouterX(config)#interface serial 0/0/0
RouterX(config-if)#
Set clock rate (on DCE interfaces only):
RouterX(config-if)#clock rate 64000
RouterX(config-if)#
Set bandwidth (recommended):
RouterX(config-if)#bandwidth 64
RouterX(config-if)#exit
RouterX(config)#exit
RouterX#
Point-to-Point Considerations
Advantages
• Simplicity
• Quality
• Availability
Disadvantages
• Cost
• Limited flexibility
PPP Configuration Example
HDLC and Cisco HDLC
Configuring HDLC Encapsulation
RouterX(config-if)# encapsulation hdlc
• Enables Cisco HDLC encapsulation
• Uses the default encapsulation on synchronous serial interfaces.
Enabling PPP Encapsulation and Configuring Authentication
RouterX(config-if)# encapsulation ppp
• Enables PPP encapsulation
RouterX(config)# hostname name
• Assigns a hostname to your router
RouterX(config)# username name password password
• Identifies the username and password of the remote router
RouterX(config-if)# ppp authentication {chap | chap pap | pap chap | pap}
• Enables PAP or CHAP authentication
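What the two options of the ppp authentication command put on the link, as an added example that is not part of the original slides: a PAP Authenticate-Request (RFC 1334) next to a CHAP challenge and response (RFC 1994). RouterY, the shared secret and the challenge bytes are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

SECRET = b"Example-Secret-1"   # constructed shared password (the "username ... password" value)


def _packet(code: int, ident: int, body: bytes) -> bytes:
    # PAP and CHAP share one layout: Code, Identifier, Length (header included), Data.
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    # PAP: Peer-ID and Password travel as length-prefixed plain bytes.
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return _packet(1, ident, body)


def chap_challenge(ident: int, name: bytes, value: bytes = None) -> bytes:
    # CHAP Challenge: a fresh random value plus the authenticator's hostname.
    value = value if value is not None else os.urandom(16)
    return _packet(1, ident, bytes([len(value)]) + value + name)


def _chap_value(pkt: bytes):
    # Return (identifier, value field) of a CHAP Challenge or Response.
    ident, size = pkt[1], pkt[4]
    return ident, pkt[5:5 + size]


def chap_response(challenge: bytes, name: bytes, secret: bytes) -> bytes:
    # Response value = MD5(Identifier || secret || challenge value); the secret is never sent.
    ident, value = _chap_value(challenge)
    digest = hashlib.md5(bytes([ident]) + secret + value).digest()
    return _packet(2, ident, bytes([len(digest)]) + digest + name)


def chap_verify(challenge: bytes, response: bytes, secret: bytes) -> bool:
    # The authenticator recomputes the hash from its own copy of the secret.
    ident, value = _chap_value(challenge)
    resp_ident, digest = _chap_value(response)
    expected = hashlib.md5(bytes([ident]) + secret + value).digest()
    return resp_ident == ident and hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    pap = pap_authenticate_request(1, b"RouterX", SECRET)
    print("PAP request :", pap)                      # password visible in the frame
    challenge = chap_challenge(7, b"RouterY")
    response = chap_response(challenge, b"RouterX", SECRET)
    print("CHAP response:", response.hex())          # only a hash of the password
    print("verified     :", chap_verify(challenge, response, SECRET))
    # A captured response does not satisfy a later challenge.
    print("replay ok    :", chap_verify(chap_challenge(8, b"RouterY"), response, SECRET))
```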
PPP and CHAP Configuration Example
Verifying a Serial Interface Configuration
RouterX# show interface s0/0/0
Serial0/0/0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP
Last input 00:00:05, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
38021 packets input, 5656110 bytes, 0 no buffer
Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
38097 packets output, 2135697 bytes, 0 underruns
0 output errors, 0 collisions, 6045 interface resets
0 output buffer failures, 0 output buffers swapped out
482 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
Verifying the HDLC and PPP Encapsulation Configuration
RouterX# show interface s0/0/0
Serial0/0/0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP
Last input 00:00:05, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
38021 packets input, 5656110 bytes, 0 no buffer
Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
38097 packets output, 2135697 bytes, 0 underruns
0 output errors, 0 collisions, 6045 interface resets
0 output buffer failures, 0 output buffers swapped out
482 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
Verifying PPP Authentication
Introducing VPN Solutions
An academic definition of a VPN is “connectivity deployed on a shared
infrastructure with the same policies and performance as a private network, with
lower total cost of ownership.”
Benefits Of VPN
VPNs offer flexibility as site-to-site and remote-access connections can be set up quickly and
over existing infrastructure. A variety of security policies can be provisioned in a VPN,
enabling flexible interconnection of different security domains.
VPNs also offer scalability over large areas, as IP transport is universally available. This in
turn reduces the number of physical connections and simplifies the underlying structure
of a customer WAN.
Lower cost is one of the main reasons for migrating from traditional connectivity options to
a VPN connection, as customers may reuse existing links and take advantage of
statistical packet multiplexing features of IP networks, used as a VPN transport.
The Cisco hardware and Cisco IOS software provide a full set of VPN tools, not only for
VPNs but also for security, management, and all related needs.
The Cisco remote access line of routers is compatible with the Cisco Secure VPN Client PC
client software. The slide lists some of the IPSec capabilities one would expect (and find)
in such a client. Some of these will be covered in more detail in the next module on
IPSec-based VPNs.
With client IPSec encryption, a public Internet connection can be used as part of a virtual
private dial-up network (VPDN) solution.
VPNs come in a number of flavors.
VPNs are designed based on one of two architectural options—client-initiated or network
access server (NAS)-initiated VPNs.
Client-initiated VPNs—Users establish a tunnel across the Internet service provider (ISP)
shared network to the customer network. The customer manages the client software
that initiates the tunnel. The main advantage of client-initiated VPNs is that they secure
the connection between the client and ISP. However, client-initiated VPNs are not as
scalable and are more complex than NAS-initiated VPNs.
NAS-initiated VPNs—Users dial in to the ISP NAS, which establishes a tunnel to the private
network. Network access server (NAS)-initiated VPNs are more robust than client-
initiated VPNs and do not require the client to maintain the tunnel-creating software.
NAS-initiated VPNs do not encrypt the connection between the client and the ISP, but
this is not a concern for most customers because the Public Switched Telephone
Network (PSTN) is much more secure than the Internet.
VPNs can also run from a remote client PC or remote office router across the Internet or an
IP service provider network to one or more corporate gateway routers. VPNs between a
company’s offices are a company intranet. VPNs to external business partners are
extranets.
Voluntary tunnels are those initiated by the client PC. Voluntary tunnels are where the
client voluntarily starts up the tunnel. Compulsory tunnels take service provider
participation and awareness. Compulsory tunnels leave the client no choice.
The slide shows some of the features of (remote) access VPNs. They can be used with
whatever access is available, and ubiquity is important. This means they should work
with modem, Integrated Services Digital Network (ISDN), xDSL, or cable. They provide
potential operations and infrastructure cost savings because a company can outsource its
dial plant, getting out of the remote access server business.
It is best if VPDN and access VPN connectivity involves only a single ISP. With more than
one ISP involved, no service level agreements are possible.
An extranet is where you also use the Internet or one or two SPs to connect to business
partners. Security policy becomes very important at this point, because you would hate
for a hacker to spoof an order for 1 million widgets from a business partner.
Intranet VPNs extend the basic remote access VPN to other corporate offices with
connectivity across the Internet or across the SP IP backbone. Service levels are likely to
be maintained and enforced within a single SP. With VPNs across the Internet, there are
no performance guarantees—no one is in charge of the Internet.
The main attractions of intranet VPNs are reduced WAN infrastructure needs, lower
ongoing leased line or Frame Relay charges, and operational savings.
Security on shared media (the Internet or SP backbone) is important too.
Tunneling Types
Most VPNs are really tunnels, whereby Point-to-Point Protocol (PPP) frames or IP packets
are tunneled inside some other protocol.
Microsoft Point-to-Point Tunneling Protocol (PPTP) (see the Layer 2 module) is a Layer 2
technique, where IP is used to encapsulate and transport PPP and IP packets to a
corporate gateway or server.
Cisco Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocol (L2TP) are also Layer 2
techniques. They simulate PPP connectivity directly from a client PC to a corporate
gateway router or server.
Multiprotocol Label Switching (MPLS) (see the module), generic routing encapsulation
(GRE), and IPSec are, however, Layer 3 tunnels, where Layer 3 information is
transported directly inside another Layer 3 header across the intervening SP network.
The terms Layer 2 and Layer 3 may be imprecise when applied to VPNs. Some people
consider Frame Relay and ATM to be Layer 2 VPNs. Others consider that to be an
out-of-date usage of the term “VPN.”
The protocols used to transport Layer 2 frames and Layer-3 packets are:
• L2TP – Layer 2 Tunneling Protocol
• GRE – Generic Routing Encapsulation
• PPTP – Point-to-Point Tunneling Protocol
• IPsec – IP security protocols
• MPLS – Multiprotocol Label Switching
Configuring GRE Tunnels
Generic Routing Encapsulation (GRE) is a standardized Layer-3 carrier encapsulation,
designed for generic tunneling of protocols. GRE is described in RFC 1701, and RFC 1702
defines how GRE uses IP as the transport protocol (GRE IP).
In Cisco IOS, GRE tunneling is used to tunnel multiple protocols (IPX, DECnet, AppleTalk,
and others) over an IP network. Also, GRE IP can tunnel IP over IP, which is useful when
building small-scale IP VPN networks that do not require substantial security. GRE has
no built-in security mechanisms, but can be secured by additional mechanisms,
such as IPsec traffic protection or the Cisco Encryption Technology protection.
The GRE protocol is an IP protocol with the protocol number of 47. The GRE header is of
variable length, and at the minimum defines the passenger protocol carried in a GRE
packet. The header is from 4 to 20 bytes long, depending on the GRE options (such as
optional sequencing) used within each packet.
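The variable-length header described above, as an added example that is not part of the original slides: a Python parser for the RFC 1701 GRE header, starting at the first byte after the outer IP header (protocol 47). The sample packet, its addresses and its payload are constructed; the parser also shows that the passenger packet can be read directly, since GRE itself adds no protection.

```python
import ipaddress
import struct

# EtherType values GRE uses to name the passenger protocol.
PASSENGERS = {0x0800: "IPv4", 0x8137: "IPX", 0x86DD: "IPv6"}

# Flag bits in the first 16 bits of the header (RFC 1701).
C_BIT, R_BIT, K_BIT, S_BIT = 0x8000, 0x4000, 0x2000, 0x1000


def parse_gre(buf: bytes) -> dict:
    """Parse a GRE header; return its fields, its length and the payload."""
    def take(off, fmt):
        size = struct.calcsize(fmt)
        if len(buf) < off + size:
            raise ValueError("truncated GRE header")
        return struct.unpack_from(fmt, buf, off), off + size

    (flags, proto), off = take(0, "!HH")
    out = {"version": flags & 0x7, "protocol": proto,
           "passenger": PASSENGERS.get(proto, hex(proto)),
           "checksum": None, "key": None, "sequence": None}
    if flags & (C_BIT | R_BIT):          # Checksum and Offset appear together
        (out["checksum"], _offset), off = take(off, "!HH")
    if flags & K_BIT:                    # optional 32-bit Key
        (out["key"],), off = take(off, "!I")
    if flags & S_BIT:                    # optional 32-bit Sequence Number
        (out["sequence"],), off = take(off, "!I")
    if flags & R_BIT:                    # source route entries, ended by a null entry
        while True:
            (family, _sre_off, sre_len), off = take(off, "!HBB")
            if family == 0 and sre_len == 0:
                break
            off += sre_len
    if off > len(buf):
        raise ValueError("truncated GRE header")
    out["header_len"] = off
    out["payload"] = buf[off:]
    return out


def inner_ipv4(payload: bytes):
    """Return (source, destination, data) of an IPv4 passenger packet."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (payload[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(payload[12:16]))
    dst = str(ipaddress.IPv4Address(payload[16:20]))
    return src, dst, payload[ihl:]


def sample_packet() -> bytes:
    """Constructed GRE packet: Key and Sequence options, IPv4 passenger."""
    data = b"PO qty=1000000"
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 1, 0, 64,
                        253, 0,  # protocol 253 (experimental), checksum left at 0
                        ipaddress.IPv4Address("10.1.1.10").packed,
                        ipaddress.IPv4Address("10.2.2.20").packed) + data
    gre = struct.pack("!HHII", K_BIT | S_BIT, 0x0800, 42, 7)
    return gre + inner


if __name__ == "__main__":
    gre = parse_gre(sample_packet())
    print("header length:", gre["header_len"], "passenger:", gre["passenger"])
    print("key:", gre["key"], "sequence:", gre["sequence"])
    print("inner packet :", inner_ipv4(gre["payload"]))
```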
The benefits of GRE IP tunneling are:
• GRE enables simple and flexible deployment of basic IP VPNs.
• In Cisco IOS, GRE IP can tunnel almost any Layer-3 protocol.
GRE IP tunneling also has some drawbacks:
• Provisioning of tunnels is not very scalable in a full-mesh network (every point-to-point
association has to be defined separately; the Next-Hop Routing Protocol (NHRP)
can be used to achieve some configuration scalability, and point-to-multipoint tunnels
can be used as a remedy in strictly hub-and-spoke networks).
• Packet payload is not protected against snooping and unauthorized changes, and there
is no authentication of sender. IPsec provides all those functions, and can be combined
with GRE IP.
GRE Configuration Example
Within the tunnel interface, the tunnel source and tunnel destination commands
configure the tunnel endpoints. The tunnel source must be a local router’s interface
address, for example a loopback address. The other peer’s tunnel source and
destination must exactly mirror the local peer’s configuration; that is, the tunnel must
be defined between the same IP addresses in both peers’ configurations. The tunnel
mode gre ip command specifies that GRE should be used as the tunnel carrier
encapsulation.
Configuring Multiprotocol GRE Example
The figure shows the configurations of two routers configured for GRE tunneling. Note the
symmetric configuration of tunnel source and destination. IP and IPX are enabled over
the tunnel link, and OSPF provides routing over the tunnel, treating it like a point-to-
point link.
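One way to check the mirrored-endpoint rule described above, as an added example that is not part of the original slides: a Python audit of two routers' Tunnel0 configurations that resolves a named tunnel source to its address, compares the endpoints, and reports tunnels without a tunnel protection ipsec line. The two configurations, their addresses and the profile name used in testing are constructed; only full interface names (not abbreviations) are resolved.

```python
import re

# Constructed sample configurations for two GRE peers.
ROUTER_A = """\
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Tunnel0
 ip address 192.168.100.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.0.0.2
 tunnel mode gre ip
"""

ROUTER_B = """\
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface Tunnel0
 ip address 192.168.100.2 255.255.255.252
 tunnel source 10.0.0.2
 tunnel destination 10.0.0.1
 tunnel mode gre ip
"""

# Same peer with a mistyped destination address.
ROUTER_B_TYPO = ROUTER_B.replace("tunnel destination 10.0.0.1",
                                 "tunnel destination 10.0.0.11")


def interface_blocks(config: str) -> dict:
    """Map each interface name (lower case) to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        head = re.match(r"interface\s+(\S+)", line)
        if head:
            current = blocks.setdefault(head.group(1).lower(), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None
    return blocks


def tunnel_settings(config: str, tunnel: str = "Tunnel0") -> dict:
    """Collect the tunnel commands; resolve a named source to its IP address."""
    blocks = interface_blocks(config)
    t = {"source": None, "destination": None, "mode": None, "protection": None}
    for cmd in blocks.get(tunnel.lower(), []):
        m = re.match(r"tunnel\s+(source|destination|mode|protection)\s+(.+)", cmd)
        if m:
            t[m.group(1)] = m.group(2).strip()
    src = t["source"]
    if src and not re.fullmatch(r"\d+(\.\d+){3}", src):
        t["source"] = None                      # stays None if it cannot be resolved
        for cmd in blocks.get(src.lower(), []):
            m = re.match(r"ip address\s+(\d+(?:\.\d+){3})\s", cmd)
            if m:
                t["source"] = m.group(1)
    return t


def audit_gre_pair(cfg_a: str, cfg_b: str) -> list:
    """Return findings for a pair of peers; an empty list means none."""
    a, b = tunnel_settings(cfg_a), tunnel_settings(cfg_b)
    findings = []
    if None in (a["source"], a["destination"], b["source"], b["destination"]):
        findings.append("tunnel source/destination missing or unresolved")
    elif (a["source"], a["destination"]) != (b["destination"], b["source"]):
        findings.append(f"endpoints not mirrored: A {a['source']}->{a['destination']}, "
                        f"B {b['source']}->{b['destination']}")
    for name, t in (("A", a), ("B", b)):
        # No explicit mode line means the IOS default, which is GRE over IP.
        if t["mode"] not in (None, "gre ip"):
            findings.append(f"{name}: tunnel mode is '{t['mode']}', not gre ip")
        if not (t["protection"] or "").startswith("ipsec"):
            findings.append(f"{name}: no 'tunnel protection ipsec', payload unprotected")
    return findings


if __name__ == "__main__":
    for label, peer in (("matching pair", ROUTER_B), ("typo in peer B", ROUTER_B_TYPO)):
        print(label)
        for finding in audit_gre_pair(ROUTER_A, peer):
            print("  -", finding)
```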
GRE Monitoring and Troubleshooting
The show ip interface brief command can be used to quickly determine the status of the
tunnel interface. The show interface command shows the configured tunnel parameters
and the interface traffic statistics.
Lessons Learned:
WAN technologies.
VPN types.
GRE encapsulation
08/26/13
Instructional Design-Computer Networking -
Bridges Educational Group
Wide-Area Networks

More Related Content

PPT
Vlan configuration in medium sized network
PPT
Network device management
PPT
Building a medium sized network
PPT
Troubleshooting basic networks
PPT
Implementing a scalable ospf based solution
PPT
Presentation 4 for students of professordkinney.com
PPT
Implementing an EGIRP Based Solution
Vlan configuration in medium sized network
Network device management
Building a medium sized network
Troubleshooting basic networks
Implementing a scalable ospf based solution
Presentation 4 for students of professordkinney.com
Implementing an EGIRP Based Solution

What's hot (20)

PDF
Doc6 mpls vpn-ppt
PPTX
Design And Analysis Of MPLS based VPN
PDF
MPLS Presentation
PPTX
Comparison between traditional vpn and mpls vpn
PDF
How to implement mpls
PDF
MPLS L2VPN (VLL) Technology
PPTX
MPLS ppt
PPTX
PDF
Nokia IES Configuration guide
PPTX
VPLS Fundamental
PPT
CCNA PPP and Frame Relay
PPT
Mpls te
PPT
Mpls vpn toi
PDF
Ethernet vs-mpls-tp-in-the-access-presentation
PPT
CCNA Advanced Switching
PDF
Deploying IP/MPLS VPN - Cisco Networkers 2010
PPT
Cisco MPLS
PDF
VXLAN BGP EVPN: Technology Building Blocks
PPT
Doc6 mpls vpn-ppt
Design And Analysis Of MPLS based VPN
MPLS Presentation
Comparison between traditional vpn and mpls vpn
How to implement mpls
MPLS L2VPN (VLL) Technology
MPLS ppt
Nokia IES Configuration guide
VPLS Fundamental
CCNA PPP and Frame Relay
Mpls te
Mpls vpn toi
Ethernet vs-mpls-tp-in-the-access-presentation
CCNA Advanced Switching
Deploying IP/MPLS VPN - Cisco Networkers 2010
Cisco MPLS
VXLAN BGP EVPN: Technology Building Blocks
Ad

Viewers also liked (18)

PPT
Mastering Binary For IPV4
PPTX
CCNA ppt Day 1
PPS
Video Conferencing Services & Solutions by Acma Computers Ltd.
DOCX
Letter asking permission
PPTX
Computer networks
PPT
Internet ppt
PPT
Computer mediated communication (cmc) as a subject
PPTX
Global village
PDF
Top Down Network Design - ebrahma.com
PPT
Networking
PPTX
Communication network .ppt
PPTX
Communication channel
PPT
Communication channels.ppt
PPTX
Channels of communication
DOC
permission letter
PPTX
Types of Networks,Network Design Issues,Design Tools
PPTX
communication channels and types
PPTX
Data communication and network Chapter -1
Mastering Binary For IPV4
CCNA ppt Day 1
Video Conferencing Services & Solutions by Acma Computers Ltd.
Letter asking permission
Computer networks
Internet ppt
Computer mediated communication (cmc) as a subject
Global village
Top Down Network Design - ebrahma.com
Networking
Communication network .ppt
Communication channel
Communication channels.ppt
Channels of communication
permission letter
Types of Networks,Network Design Issues,Design Tools
communication channels and types
Data communication and network Chapter -1
Ad

Similar to Wan networks (20)

PPT
Chapter14ccna
PDF
Lecture 7.pdf
PDF
WAN (wide area network)
DOCX
Chapter 11 Selecting Technologies and Devices for Enterprise Netwo.docx
PPT
CCNA Icnd110 s05l04
PPT
Ce 305 -wa ns
PPT
Chapter14ccna
PPT
Chapter14ccna
PPT
Chapter11
PPTX
Session 2
PDF
White Paper: IP VPN and Ethernet WAN Services
PPTX
Networking
PPT
Ccna day1
PPT
PPT
C C N A Day1
PPT
Ccna day1
PDF
The Evolving Internet Fndtn
PDF
Computer networking (nnm)
PPT
IFD30104 Chapter 1
PDF
CISSP Prep: Ch 5. Communication and Network Security (Part 1)
Chapter14ccna
Lecture 7.pdf
WAN (wide area network)
Chapter 11 Selecting Technologies and Devices for Enterprise Netwo.docx
CCNA Icnd110 s05l04
Ce 305 -wa ns
Chapter14ccna
Chapter14ccna
Chapter11
Session 2
White Paper: IP VPN and Ethernet WAN Services
Networking
Ccna day1
C C N A Day1
Ccna day1
The Evolving Internet Fndtn
Computer networking (nnm)
IFD30104 Chapter 1
CISSP Prep: Ch 5. Communication and Network Security (Part 1)

More from Arnold Derrick Kinney (8)

PPT
Windows 7 configuration
PPT
Basics of unix
PPT
Managing Network Device Security
PPT
Cisco data center
PPT
PPTX
Presentation 3 for Students of professordkinney.com
PPTX
Lesson 2 slideshow
PPT
Lesson 1 slideshow
Windows 7 configuration
Basics of unix
Managing Network Device Security
Cisco data center
Presentation 3 for Students of professordkinney.com
Lesson 2 slideshow
Lesson 1 slideshow

Recently uploaded (20)

PDF
Statistics on Ai - sourced from AIPRM.pdf
PDF
Rapid Prototyping: A lecture on prototyping techniques for interface design
PDF
giants, standing on the shoulders of - by Daniel Stenberg
PDF
Transform-Quality-Engineering-with-AI-A-60-Day-Blueprint-for-Digital-Success.pdf
PDF
Enhancing plagiarism detection using data pre-processing and machine learning...
PDF
Dell Pro Micro: Speed customer interactions, patient processing, and learning...
PDF
Aug23rd - Mulesoft Community Workshop - Hyd, India.pdf
PDF
Transform-Your-Supply-Chain-with-AI-Driven-Quality-Engineering.pdf
PDF
Convolutional neural network based encoder-decoder for efficient real-time ob...
DOCX
Basics of Cloud Computing - Cloud Ecosystem
PDF
The-Future-of-Automotive-Quality-is-Here-AI-Driven-Engineering.pdf
PDF
Advancing precision in air quality forecasting through machine learning integ...
PDF
MENA-ECEONOMIC-CONTEXT-VC MENA-ECEONOMIC
PPTX
Custom Battery Pack Design Considerations for Performance and Safety
PPTX
Internet of Everything -Basic concepts details
PDF
Auditboard EB SOX Playbook 2023 edition.
PDF
INTERSPEECH 2025 「Recent Advances and Future Directions in Voice Conversion」
PDF
IT-ITes Industry bjjbnkmkhkhknbmhkhmjhjkhj
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
PPTX
agenticai-neweraofintelligence-250529192801-1b5e6870.pptx
Statistics on Ai - sourced from AIPRM.pdf
Rapid Prototyping: A lecture on prototyping techniques for interface design
giants, standing on the shoulders of - by Daniel Stenberg
Transform-Quality-Engineering-with-AI-A-60-Day-Blueprint-for-Digital-Success.pdf
Enhancing plagiarism detection using data pre-processing and machine learning...
Dell Pro Micro: Speed customer interactions, patient processing, and learning...
Aug23rd - Mulesoft Community Workshop - Hyd, India.pdf
Transform-Your-Supply-Chain-with-AI-Driven-Quality-Engineering.pdf
Convolutional neural network based encoder-decoder for efficient real-time ob...
Basics of Cloud Computing - Cloud Ecosystem
The-Future-of-Automotive-Quality-is-Here-AI-Driven-Engineering.pdf
Advancing precision in air quality forecasting through machine learning integ...
MENA-ECEONOMIC-CONTEXT-VC MENA-ECEONOMIC
Custom Battery Pack Design Considerations for Performance and Safety
Internet of Everything -Basic concepts details
Auditboard EB SOX Playbook 2023 edition.
INTERSPEECH 2025 「Recent Advances and Future Directions in Voice Conversion」
IT-ITes Industry bjjbnkmkhkhknbmhkhmjhjkhj
Data Virtualization in Action: Scaling APIs and Apps with FME
agenticai-neweraofintelligence-250529192801-1b5e6870.pptx

Wan networks

  • 2. Wide-Area Networks 08/26/13 Instructional Design-Computer Networking - Bridges Educational Group
  • 3. Lessons Summary: Understanding WAN Technologies Configuring Serial Encapsulation Introducing VPN Solutions  Configuring GRE Tunnels 08/26/13 Instructional Design-Computer Networking - Bridges Educational Group Wide-Area Networks
  • 4. Understanding WAN Technologies WAN’s – The need Sharing of data Organization to organization Remote users Over large distance LAN – Falls short Company Growth Wide-Area Networks
  • 5. WAN functions in terms of the OSI Reference Model The physical layer (OSI Layer 1) protocols describe how to provide electrical, mechanical, operational, and functional connections to the services of a communications service provider. The data link layer (OSI Layer 2) protocols define how data is encapsulated for transmission toward a remote location and the mechanisms for transferring the resulting frames. A variety of different technologies are used, such as Frame Relay and ATM. Some of these protocols use the same basic framing mechanism, High-Level Data Link Control (HDLC), an ISO standard, or one of its subsets or variants. Wide-Area Networks
  • 6. WAN physical layer concepts for network and Internet communications Wide-Area Networks
  • 7. •WAN physical-layer protocols describe how to provide electrical, mechanical, operational, and functional connections for WAN services. • The WAN physical layer also describes the interface between the DTE and the DCE. Wide-Area Networks
  • 8. WAN data link layer protocols used in today’s Enterprise WAN networks Data link layer protocols define how data is encapsulated for transmission to remote sites and the mechanisms for transferring the resulting frames. ATM uses small fixed-size cells of 53 bytes (48 bytes for data), Wide-Area Networks
  • 9. Switching technologies used for WANs in an Enterprise setting A circuit-switched network is one that establishes a dedicated circuit (or channel) between nodes and terminals before the users may communicate. PSTN and ISDN are two types of circuit- switching technology that may be used to implement a WAN in an enterprise setting. Packet switching splits traffic data into packets that are routed over a shared network. Packet- switching networks do not require a circuit to be established, and they allow many pairs of nodes to communicate over the same channel. Packets are divided and sent through available connections. There are two approaches to this link determination, connectionless or connection- oriented. Wide-Area Networks
  • 10. List the various options for connecting subscribers to the WAN Wide-Area Networks
  • 11. Enterprises use leased line services to provide a WAN connection Point-to-point lines are usually leased from a carrier and are called leased lines. Wide-Area Networks
  • 12. Circuit switching options available to provide a WAN connection Wide-Area Networks
  • 13. Packet switching options available to provide a WAN connection Wide-Area Networks
  • 14. List factors to consider when selecting a WAN connection Wide-Area Networks
  • 15. Configuring Serial Encapsulation Circuit Switching 08/26/13 Instructional Design-Computer Networking - Bridges Educational Group Wide-Area Networks
  • 16. Public Switched Telephone Network 08/26/13 Instructional Design-Computer Networking - Bridges Educational Group Wide-Area Networks
  • 17. PSTN Considerations Advantages  Simplicity  Availability  Cost Disadvantages  Low data rates  Relatively long connection setup time Leased Line 08/26/13 Instructional Design-Computer Networking - Bridges Educational Group Wide-Area Networks Leased Line
  • 18. Configuring a Serial Interface Enter global configuration mode- RouterX#configure terminal RouterX(config)# Specify interface- RouterX(config)#interface serial 0/0/0 RouterX(config-if)# Set clock rate (on DCE interfaces only)- RouterX(config-if)#clock rate 64000 RouterX(config-if)# Set bandwidth (recommended)- RouterX(config-if)#bandwidth 64 RouterX(config-if)#exit RouterX(config)#exit RouterX# 08/26/13 Instructional Design-Computer Networking - Bridges Educational Group Wide-Area Networks
  • 19. Point-to-Point Considerations Advantages  Simplicity  Quality  Availability Disadvantages  Cost  Limited flexibility 08/26/13 Instructional Design-Computer Networking - Bridges Educational Group Wide-Area Networks PPP Configuration Example
  • 20. HDLC and Cisco HDLC 08/26/13 Instructional Design-Computer Networking - Bridges Educational Group Wide-Area Networks
  • 21. Configuring HDLC Encapsulation RouterX(config-if)# encapsulation hdlc  Enables Cisco HDLC encapsulation  Uses the default encapsulation on synchronous serial interfaces . Enable PPP Encapsulation and Configuring Authentication RouterX(config-if)# encapsulation ppp Enables PPP encapsulation RouterX(config)# hostname name Assigns a hostname to your router RouterX(config)# username name password password Identifies the username and password of remote router RouterX(config-if)# ppp authentication {chap | chap pap | pap chap | pap} Enables PAP or CHAP authentication 08/26/13 Instructional Design-Computer Networking - Bridges Educational Group Wide-Area Networks
  • 22. PPP and CHAP Configuration Example 08/26/13 Instructional Design-Computer Networking - Bridges Educational Group Wide-Area Networks
  • 23. Verifying a Serial Interface Configuration RouterX# show interface s0/0/0 Serial0/0/0 is up, line protocol is up Hardware is HD64570 Internet address is 10.140.1.2/24 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255 Encapsulation PPP, loopback not set, keepalive set (10 sec) LCP Open Open: IPCP, CDPCP Last input 00:00:05, output 00:00:05, output hang never Last clearing of "show interface" counters never Queueing strategy: fifo Output queue 0/40, 0 drops; input queue 0/75, 0 drops 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 38021 packets input, 5656110 bytes, 0 no buffer Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 38097 packets output, 2135697 bytes, 0 underruns 0 output errors, 0 collisions, 6045 interface resets 0 output buffer failures, 0 output buffers swapped out 482 carrier transitions DCD=up DSR=up DTR=up RTS=up CTS=up rial Interface Configuration 08/26/13 Instructional Design-Computer Networking - Bridges Educational Group Wide-Area Networks
  • 24. Verifying the HDLC and PPP Encapsulation Configuration RouterX# show interface s0/0/0 Serial0/0/0 is up, line protocol is up Hardware is HD64570 Internet address is 10.140.1.2/24 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255 Encapsulation PPP, loopback not set, keepalive set (10 sec) LCP Open Open: IPCP, CDPCP Last input 00:00:05, output 00:00:05, output hang never Last clearing of "show interface" counters never Queueing strategy: fifo Output queue 0/40, 0 drops; input queue 0/75, 0 drops 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 38021 packets input, 5656110 bytes, 0 no buffer Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 38097 packets output, 2135697 bytes, 0 underruns 0 output errors, 0 collisions, 6045 interface resets 0 output buffer failures, 0 output buffers swapped out 482 carrier transitions DCD=up DSR=up DTR=up RTS=up CTS=up 08/26/13 Instructional Design-Computer Networking - Bridges Educational Group Wide-Area Networks
  • 25. Verifying PPP Authentication
  • 26. Introducing VPN Solutions An academic definition of a VPN is “connectivity deployed on a shared infrastructure with the same policies and performance as a private network, with lower total cost of ownership.”
  • 27. Benefits Of VPN
  • 28. VPNs offer flexibility, as site-to-site and remote-access connections can be set up quickly and over existing infrastructure. A variety of security policies can be provisioned in a VPN, enabling flexible interconnection of different security domains. VPNs also offer scalability over large areas, as IP transport is universally available. This in turn reduces the number of physical connections and simplifies the underlying structure of a customer WAN. Lower cost is one of the main reasons for migrating from traditional connectivity options to a VPN connection, as customers may reuse existing links and take advantage of the statistical packet multiplexing features of IP networks used as a VPN transport. The Cisco hardware and Cisco IOS software provide a full set of VPN tools, not just for VPNs but for security, management, and all related needs. The Cisco remote access line of routers is compatible with the Cisco Secure VPN Client PC client software. The slide lists some of the IPSec capabilities one would expect (and find) in such a client. Some of these will be covered in more detail in the next module on IPSec-based VPNs. With client IPSec encryption, a public Internet connection can be used as part of a virtual private dial-up network (VPDN) solution.
  • 29. VPNs come in a number of flavors. VPNs are designed based on one of two architectural options—client-initiated or network access server (NAS)-initiated VPNs. Client-initiated VPNs—Users establish a tunnel across the Internet service provider (ISP) shared network to the customer network. The customer manages the client software that initiates the tunnel. The main advantage of client-initiated VPNs is that they secure the connection between the client and ISP. However, client-initiated VPNs are not as scalable and are more complex than NAS-initiated VPNs. NAS-initiated VPNs—Users dial in to the ISP NAS, which establishes a tunnel to the private network. NAS-initiated VPNs are more robust than client-initiated VPNs and do not require the client to maintain the tunnel-creating software. NAS-initiated VPNs do not encrypt the connection between the client and the ISP, but this is not a concern for most customers because the Public Switched Telephone Network (PSTN) is much more secure than the Internet. VPNs can also run from a remote client PC or remote office router across the Internet or an IP service provider network to one or more corporate gateway routers. VPNs between a company’s offices are a company intranet. VPNs to external business partners are extranets.
  • 30. Voluntary tunnels are those initiated by the client PC: the client voluntarily starts up the tunnel. Compulsory tunnels take service provider participation and awareness, and leave the client no choice. The slide shows some of the features of (remote) access VPNs. They can be used with whatever access is available, and ubiquity is important. This means they should work with modem, Integrated Services Digital Network (ISDN), xDSL, or cable. They provide potential operations and infrastructure cost savings because a company can outsource its dial plant, getting out of the remote access server business. It is best if VPDN and access VPN connectivity involves only a single ISP. With more than one ISP involved, no service level agreements are possible.
  • 31. An extranet is where you also use the Internet or one or two SPs to connect to business partners. Security policy becomes very important at this point, because you would hate for a hacker to spoof an order for 1 million widgets from a business partner.
  • 32. Intranet VPNs extend the basic remote access VPN to other corporate offices with connectivity across the Internet or across the SP IP backbone. Service levels are likely to be maintained and enforced within a single SP. With VPNs across the Internet, there are no performance guarantees—no one is in charge of the Internet. The main attractions of intranet VPNs are reduced WAN infrastructure needs, lower ongoing leased line or Frame Relay charges, and operational savings. Security on shared media (the Internet or SP backbone) is important too.
  • 33. Tunneling Types Most VPNs are really tunnels, whereby Point-to-Point Protocol (PPP) frames or IP packets are tunneled inside some other protocol. Microsoft Point-to-Point Tunneling Protocol (PPTP) (see the Layer 2 module) is a Layer 2 technique, where IP is used to encapsulate and transport PPP and IP packets to a corporate gateway or server. Cisco Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocol (L2TP) are also Layer 2 techniques. They simulate PPP connectivity directly from a client PC to a corporate gateway router or server. Multiprotocol Label Switching (MPLS) (see the module), generic routing encapsulation (GRE), and IPSec are, however, Layer 3 tunnels, where Layer 3 information is transported directly inside another Layer 3 header across the intervening SP network. The terms Layer 2 and Layer 3 may be imprecise when applied to VPNs. Some people consider Frame Relay and ATM to be Layer 2 VPNs. Others consider that to be an out-of-date usage of the term “VPN.”
  • 34. The protocols used to transport Layer 2 frames and Layer 3 packets are:
      ▪ L2TP – Layer 2 Tunneling Protocol
      ▪ GRE – Generic Routing Encapsulation
      ▪ PPTP – Point-to-Point Tunneling Protocol
      ▪ IPsec – IP security protocols
      ▪ MPLS – Multiprotocol Label Switching
    Configuring GRE Tunnels
    Generic Routing Encapsulation (GRE) is a standardized Layer 3 carrier encapsulation, designed for generic tunneling of protocols. GRE is described in RFC 1701, and RFC 1702 defines how GRE uses IP as the transport protocol (GRE IP). In Cisco IOS, GRE tunneling is used to tunnel multiple protocols (IPX, DECnet, AppleTalk, and others) over an IP network. GRE IP can also tunnel IP over IP, which is useful when building small-scale IP VPN networks that do not require substantial security. GRE has no built-in security mechanisms, but can be secured by additional mechanisms, such as IPsec traffic protection or the Cisco Encryption Technology protection.
  • 35. The GRE protocol is an IP protocol with the protocol number of 47. The GRE header is of variable length, and at the minimum defines the passenger protocol carried in a GRE packet. The header is from 4 to 20 bytes long, depending on the GRE options (such as optional sequencing) used within each packet.
  • 36. The benefits of GRE IP tunneling are:
      ▪ GRE enables simple and flexible deployment of basic IP VPNs.
      ▪ In Cisco IOS, GRE IP can tunnel almost any Layer 3 protocol.
    GRE IP tunneling also has some drawbacks:
      ▪ Provisioning of tunnels is not very scalable in a full-mesh network (every point-to-point association has to be defined separately; the Next-Hop Routing Protocol (NHRP) can be used to achieve some configuration scalability, and point-to-multipoint tunnels can be used as a remedy in strictly hub-and-spoke networks).
      ▪ Packet payload is not protected against snooping and unauthorized changes, and there is no authentication of sender. IPsec provides all those functions, and can be combined with GRE IP.
  • 37. GRE Configuration Example Within the tunnel interface, the tunnel source and tunnel destination commands configure the tunnel endpoints. The tunnel source must be a local router’s interface address, for example a loopback address. The other peer’s tunnel source and destination must exactly mirror the local peer’s configuration, that is, the tunnel must be defined between the same IP addresses in both peers’ configurations. The tunnel mode gre ip command specifies that GRE should be used as the tunnel carrier encapsulation.
  • 38. Configuring Multiprotocol GRE Example The figure shows the configurations of two routers configured for GRE tunneling. Note the symmetric configuration of tunnel source and destination. IP and IPX are enabled over the tunnel link, and OSPF provides routing over the tunnel, treating it like a point-to-point link.
  • 39. GRE Monitoring and Troubleshooting The show ip interface brief command can be used to quickly determine the status of the tunnel interface. The show interface command shows the configured tunnel parameters and the interface traffic statistics.
  • 40. Lessons Learned: WAN technologies. VPN types. GRE encapsulation
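
Slides 35 and 36 describe a GRE header of 4 to 20 bytes carried as IP protocol 47, with a payload that is neither encrypted nor authenticated. The parser below is an added example, not part of the original slides; it follows the RFC 1701 field layout and shows that anything on the path can read the passenger protocol, key and sequence number directly. The two sample packets are constructed for illustration.

```python
import struct

# EtherType values that identify the passenger protocol in the Protocol Type field.
PASSENGERS = {0x0800: "IPv4", 0x86DD: "IPv6", 0x8137: "IPX"}

def _take(buf, off, fmt):
    """Unpack fmt at off, refusing to read past the end of the buffer."""
    size = struct.calcsize(fmt)
    if off + size > len(buf):
        raise ValueError("truncated GRE header")
    return struct.unpack_from(fmt, buf, off), off + size

def parse_gre(buf):
    """Parse an RFC 1701 GRE header and return its fields and total length."""
    (flags, proto), off = _take(buf, 0, "!HH")
    if flags & 0x0007:                      # low three bits are the version
        raise ValueError("GRE version is not 0")
    has_csum, has_route = bool(flags & 0x8000), bool(flags & 0x4000)
    has_key, has_seq = bool(flags & 0x2000), bool(flags & 0x1000)
    hdr = {"passenger": PASSENGERS.get(proto, hex(proto)),
           "checksum": None, "key": None, "sequence": None}
    if has_csum or has_route:               # Checksum and Offset travel together
        (csum, _offset), off = _take(buf, off, "!HH")
        hdr["checksum"] = csum if has_csum else None
    if has_key:
        (hdr["key"],), off = _take(buf, off, "!I")
    if has_seq:
        (hdr["sequence"],), off = _take(buf, off, "!I")
    while has_route:                        # walk Source Route Entries to the null SRE
        (family, _sre_off, sre_len), off = _take(buf, off, "!HBB")
        if family == 0 and sre_len == 0:
            break
        _, off = _take(buf, off, f"!{sre_len}x")
    hdr["header_len"] = off                 # the passenger packet starts here, in cleartext
    return hdr

# Constructed samples: the 4-byte minimum, and every option set with an empty route list.
MINIMAL = struct.pack("!HH", 0x0000, 0x0800) + b"passenger packet"
FULL = struct.pack("!HHHHIIHBB", 0xF000, 0x8137, 0, 0, 42, 7, 0, 0, 0) + b"passenger packet"
```
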
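
Slides 37 and 38 require each peer's tunnel source and destination to mirror the other's. The check below is an added example, not taken from the slides or from Cisco; it reads two configuration snippets and reports why a pair does not match. The router configurations and addresses are constructed, and the tunnel source is assumed to be given as an IP address rather than an interface name.

```python
import re

# Constructed sample configurations (addresses are illustrative, not from the slides).
ROUTER_A = """
interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 tunnel mode gre ip
"""
ROUTER_B = """
interface Tunnel0
 ip address 10.1.1.2 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 192.0.2.1
 tunnel mode gre ip
"""

def tunnels(config):
    """Return {interface: {setting: value}} for each tunnel interface stanza."""
    found, current = {}, None
    for line in config.splitlines():
        head = re.match(r"interface (Tunnel\d+)\s*$", line)
        if head:
            current = found.setdefault(head.group(1), {})
        elif line.startswith(" ") and current is not None:
            m = re.match(r"\s+tunnel (source|destination|mode) (.+?)\s*$", line)
            if m:
                current[m.group(1)] = m.group(2)
        elif line.strip():
            current = None          # any other top-level line ends the stanza
    return found

def mirror_problems(local, remote):
    """List the reasons two tunnel stanzas do not form a matching GRE pair."""
    problems = []
    for side, stanza in (("local", local), ("remote", remote)):
        for key in ("source", "destination"):
            if key not in stanza:
                problems.append(f"{side} tunnel {key} is missing")
    if local.get("source") != remote.get("destination"):
        problems.append("local source is not the remote destination")
    if local.get("destination") != remote.get("source"):
        problems.append("local destination is not the remote source")
    # Assumption: a stanza with no mode line uses GRE over IP, the IOS default.
    if local.get("mode", "gre ip") != remote.get("mode", "gre ip"):
        problems.append("tunnel modes differ")
    return problems
```
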

Editor's Notes

  • #6: Graphic 1.2.1.1 Only physical & data link is changed ATM – asynchronous transfer mode HDLC – high level data link control – used instead of clock in RT to RT comm before
  • #7: Graphic 1.2.2.1 If space permits add graphics 1.2.2.2 & 1.2.2.3 (if forced to make a choice between the 2 graphic pick 1.2.2.2) PSTN devices – multiplexer (time division and frequency division multiplexing) used in switches
  • #9: Graphic 1.2.3.1 Ppp- rt to rt
  • #10: Graphic 1.2.4.1 Circuit-switching for telephone Packet-switching for computers (SMS and email) We can’t use packet-switching for telephone calls because it divides packets We can use circuit-switching for transmitting packets Alternative graphic can be found at the following URL (not necessary to use – just a thought): http://www.cisco.com/image/jpg/en/us/guest/products/ps6438/c1244/cdccont_0900aecd802c2010_0900aecd802c2010-08.jpg graphic 1.2.4.2 Delays (latency) and variability of delay (jitter) are greater in packet-switched than in circuit-switched networks. This is because the links are shared, and packets must be entirely received at one switch before moving to the next.
  • #11: Graphic 1.3.1.1
  • #12: Graphic 1.3.2.1 Broadband has modulation for transmission to diff. channels Leased line uses dedicated line Telephone lines use analog communication
  • #13: Graphics 1.3.3.1 & 1.3.3.2
  • #14: Graphic 1.3.4.1
  • #15: The objective stated above does not make sense to me. Reword the above objective as follows: List factors to consider when selecting a WAN connection Graphic 1.3.5.4