In this article I will talk about a well known service that can be configured on Cisco devices, DHCP or Dynamic Host Configuration Protocol. This is a network service that automatically configures any device that uses the Internet Protocol with all the elements needed to communicate inside a network. DHCP is a process transparent to the user that has helped network administrators a great deal with managing IP addresses. Before this service became available, every device required a static entry that bound a physical device to a unique IP address. Imagine how hard it was for network administrators to keep up with every change of location and IP address for all devices. DHCP offers an easy way to manage and troubleshoot IP allocation and also provides a scalable service, meaning that it is not affected by network growth. Besides the workstation IP address, DHCP can automatically assign the network mask, default gateway, DNS servers and much more.
Hello dear readers,
Frame Relay operates by using two main elements: the Physical layer and the link layer. The Physical layer is responsible for the electrical and mechanical specifications that must be used during transmission. The link layer specifies the protocol that establishes the WAN connection between the DTE and the DCE. Let’s say information is sent from one node (a DTE device such as a router) to another node in a remote location. The DTE sends the packets to the closest DCE device, in this case a WAN edge device such as a Frame Relay switch. Once the packet reaches the edge switch through the local loop, the client’s responsibility ends. How packets are sent between switches inside the Frame Relay network is the ISP’s responsibility. In the end, the switch closest to the destination network delivers the packets to the client’s DTE device.
As I’ve told you earlier, Frame Relay uses the concept of Virtual Circuits to identify the logical path used to forward packets between two nodes. There are two types of VC that can be established:
Switched Virtual Circuits (SVC) – can change their configuration dynamically according to network changes.
Permanent Virtual Circuits (PVC) – are configured by the carrier before any transmission can be made.
DLCI values are set by the Frame Relay provider and have local significance only. This means that the two DTE devices at the ends of a circuit can use different DLCI numbers when sending data to each other. DLCI numbers can be configured from 16 to 1007, while 0 to 15 and 1008 to 1023 are reserved. Another feature of Frame Relay is that a client’s DTE device can use multiple DLCIs when sending data to different destinations. Let’s take the following example: suppose we have three DTE devices (routers) A, B and C. A uses DLCI 100 for sending data to router B and DLCI 101 when sending data to router C. B uses DLCI 105 for sending packets to router A and 106 for sending data to router C. Remember that these numbers have local significance only. By using multiple DLCIs the cost is significantly reduced, since the same physical devices are used.
Frame Relay receives packets from the network layer and encapsulates them into frames by adding DLCI numbers and a checksum (CRC). Each frame is delimited by the 01111110 flag and then sent to the Physical layer for final delivery. Frame Relay topologies are usually full mesh, partial mesh, star or hub and spoke; we have talked about these kinds of topologies in the networking fundamentals articles. Frame Relay DLCIs are mapped to remote IP addresses: a DLCI is used to forward packets towards a certain network. In Frame Relay networks, inverse ARP is used to obtain the IP address (layer 3) of a remote network from the DLCI number (layer 2). Inverse ARP is enabled by default on all Cisco devices. Remember that Frame Relay can support multiple protocols like IP, AppleTalk or IPX. The address mapping can be done in two ways:
dynamic mapping – the router sends inverse ARP requests over each PVC to obtain the IP address of the device at the other end. The router then uses the responses it receives to populate a local address table (also known as the mapping table) that is used for sending and receiving data.
static mapping – as a network administrator, you can configure static mappings between DLCI numbers and IP addresses. If you assign a static mapping for an IP address, the dynamic mapping obtained through inverse ARP is ignored.
Another aspect that you will need to remember about Frame Relay is that LMI (Local Management Interface) messages are exchanged between the DTE and the DCE equipment to check the status of the Frame Relay connection. You can view the status by typing the show frame-relay lmi command from privileged mode. By default, LMI messages are exchanged every 10 seconds; this interval can be modified using the keepalive command. There are many other aspects of the LMI mechanism, but they are not needed for the CCNA exam. Feel free to add anything you know about LMI or Frame Relay in general in the comments section.
We will continue with the Frame Relay configuration commands. Given the following topology, we will configure Frame Relay on these Cisco routers:
First, we have to enable Frame Relay on an interface. I will enable Frame Relay on interface serial 0/1/0 of router R1:
In this article I will talk about a technology used especially for restricting and securing access throughout a network: ACLs (Access Control Lists). This is one of the most important lessons that you need to learn in order to pass the CCNA exam. As a network administrator you’ll have to know how to create and modify ACLs because you’ll probably use them on a daily basis. You’ve probably used ACLs in different technologies without knowing it, to secure access to a file, computer, application etc. Firewalls are hardware devices that use ACLs to restrict network access based on source and destination IPs, port numbers, protocol, etc. Even permissions on Windows shared folders can be seen as layer 7 ACLs because users are granted or denied access to that resource. I will talk only about ACLs used to restrict network traffic, because you will need to know them very well for your exam.
We will talk about the different types of ACLs, how each one works and how you can use them to make your network more secure. At the base of the network layer sits the IP address, the element which provides the means of communication between devices. Before two devices (remember the client-server model) can start forwarding data between them, a network connection must be established. This means that these devices must first determine the source/destination MAC address, the source/destination IP address and the ports that will provide the communication mechanisms. If you can’t remember or you haven’t studied my networking fundamentals tutorials, take another look at TCP connection establishment and at the TCP/IP network layer. I’ve written earlier that network traffic can be filtered using ACLs; these are nothing more than lists of rules that dictate what traffic is allowed or denied to enter or exit a network. Packet filtering can be based on source and destination IP address, protocol, or source and destination ports. Upon receiving a packet, the router simply checks the ACL from top to bottom and, based on the information gathered from the packet headers, it grants or denies access. As you can see, the logic behind this technology is pretty simple but effective (remember that packet filtering is done at the network layer). ACLs can be applied in the inbound or outbound direction of an interface, and by default routers have no ACL configured. You will have to remember that you can apply one ACL per protocol (IP, TCP, UDP), per direction (the ACL filters traffic only in one direction, inbound or outbound) and per interface (FastEthernet 0/1, Serial 0/0/0).

But how do ACLs work? Each rule or statement from an access-list is tested against the received packet. ACLs are read from top to bottom, line by line, and as soon as a match is made (the packet is denied or permitted by a rule) the rest of the lines are skipped.
Remember that every access-list has an implicit deny all at the end of all statements. This means that if no permit rule is present, all traffic is denied by default (deny any any – you will understand this statement later in this article). For this reason, an ACL must have at least one permit rule. An inbound ACL processes packets before they are routed to the exit interface, while an outbound ACL processes packets after they have been routed to the exit interface. Now let’s talk a little bit about the types of ACLs that can be configured on Cisco routers:
– standard ACL – this type of access-list filters traffic based on the source IP address only. A standard ACL statement is composed of the access-list keyword, the list number, the permit or deny action, the source IP address and the wildcard mask. An example of a standard ACL entry is access-list 20 deny 172.16.0.0 0.0.255.255.
– extended ACL – can filter traffic based on source and destination IP address, source and destination port (TCP or UDP) and protocol. This is how an extended ACL entry looks:
access-list 103 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
These are the two main ACL types used today; there are also special ACL types (reflexive ACLs, dynamic ACLs or time-based ACLs), but we will talk about them later. The number of an ACL is simply used to identify each access-list; newer versions of IOS also support named ACLs (you can assign a name/description to an access-list). To see the available numbers that you can assign to an ACL, type access-list ? from the global configuration mode of a router:
Normally, this command displays many options, but only these are implemented in my version of Packet Tracer. Named ACLs can use letters and numbers, and each entry can be deleted or modified individually. It is recommended that you place ACLs where they have the biggest effect. Based on this rule, place standard ACLs as close as possible to the destination, because they filter only on the source address. Extended ACLs have the best effect when they are configured as close as possible to the source of the traffic being denied.
First, I will show you how to configure a standard ACL on a Cisco router. As I’ve told you earlier, standard ACLs make decisions based on the source IP address; no port, protocol or destination address can be used in a standard ACL. As a best practice, always put the most frequently matched statement at the top of the ACL. This way, you reduce the time needed by the router to check each entry in the ACL.
To configure a standard ACL on a Cisco router, use access-list [number] [permit|deny] [source IP address] [wildcard mask]. To add another statement to the same ACL, use the same number when configuring the new entry. The following image displays a standard ACL configured with two entries:
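The matching logic explained in the last few paragraphs, as an added example (this is not code from the article or from Cisco IOS): a small Python evaluator that parses standard and extended access-list statements in the syntax shown above and runs packets through them top to bottom, falling through to the implicit deny. The `host`, `any` and `eq` keywords are the IOS ones; the sample packets, the `permit any` line of ACL 20 and the second line of ACL 103 are constructed for this example.

```python
"""Cisco-style ACL evaluator, written for this article as an added example.

It is not code from the article or from Cisco: it parses standard and extended
access-list lines in the IOS syntax shown above and evaluates packets the way
the text describes (wildcard masks, top-down first match, implicit deny at the
end). The sample ACLs and packets below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"               # ip, tcp, udp or icmp
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are ignored, bits set to 0 must match (the inverse of a subnet mask)."""
    ignore = int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) | ignore) == (int(ipaddress.IPv4Address(base)) | ignore)


@dataclass
class Entry:
    """One access-list statement; a standard entry matches any destination and any protocol."""
    number: int
    action: str                     # permit or deny
    proto: str                      # "ip" means any IP protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.src_port is not None and p.src_port != self.src_port:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return True


def _address(tokens: List[str], allow_bare: bool) -> Tuple[str, str, List[str]]:
    """Consume `any`, `host A.B.C.D` or `A.B.C.D W.W.W.W`; a bare address (standard ACL) means one host."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if allow_bare and len(tokens) == 1:
        return tokens[0], "0.0.0.0", []
    return tokens[0], tokens[1], tokens[2:]


def _port(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional `eq <port>` operator."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_line(line: str) -> Entry:
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard ACL: source only
        src, src_wc, _ = _address(rest, allow_bare=True)
        return Entry(number, action, "ip", src, src_wc)
    proto, rest = rest[0], rest[1:]                          # extended ACL
    src, src_wc, rest = _address(rest, allow_bare=False)
    src_port, rest = _port(rest)
    dst, dst_wc, rest = _address(rest, allow_bare=False)
    dst_port, _ = _port(rest)
    return Entry(number, action, proto, src, src_wc, dst, dst_wc, src_port, dst_port)


def evaluate(acl: List[Entry], packet: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; ("deny", None) is the implicit deny when no line matched."""
    for index, entry in enumerate(acl):
        if entry.matches(packet):
            return entry.action, index
    return "deny", None


# Constructed sample lists: the article's ACL 20 and ACL 103 lines plus one extra line each.
STANDARD_20 = [parse_line(l) for l in (
    "access-list 20 deny 172.16.0.0 0.0.255.255",
    "access-list 20 permit any",
)]
EXTENDED_103 = [parse_line(l) for l in (
    "access-list 103 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255",
    "access-list 103 permit tcp any host 172.16.2.10 eq 80",
)]   # no final permit ip any any, so everything else hits the implicit deny

if __name__ == "__main__":
    for pkt in (Packet("172.16.5.9", "10.0.0.1"), Packet("192.168.1.1", "10.0.0.1")):
        print("ACL 20:", pkt.src, "->", evaluate(STANDARD_20, pkt))
    for pkt in (Packet("172.16.1.5", "172.16.2.10", "tcp", 40000, 80),
                Packet("10.1.1.1", "172.16.2.10", "tcp", 40000, 443)):
        print("ACL 103:", pkt.src, "->", pkt.dst, pkt.dst_port, evaluate(EXTENDED_103, pkt))
```

The returned index tells you which line matched, which is the same information you read from the matches counters in show access-lists when troubleshooting; a result of ("deny", None) is the implicit deny, the case that catches most people out when they forget a final permit.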
[operator] [port name/number] destination IP address and wildcard [operator] [destination port] [established]
5. Apply the access-list to an interface:
In this article I will talk about the Point-to-Point Protocol (PPP) used in point-to-point communications. PPP is one of the most used WAN technologies in data networks all around the world. This type of serial connection is mostly used to connect LANs to each other or to connect an enterprise network with a service provider. A point-to-point connection between a company and an ISP (Internet Service Provider) is also known as a leased line. PPP offers support for many WAN technologies like Frame Relay or ATM, but also provides a multi-protocol architecture for TCP/IP, AppleTalk or IPX. I will show you how to configure point-to-point connections, how to troubleshoot them and also how to configure the PAP and CHAP authentication modes.
HSSI (High-Speed Serial Interface) – http://en.wikipedia.org/wiki/High-Speed_Serial_Interface
Remember that HDLC is the default encapsulation mode used by Cisco routers. To verify the encapsulation protocol, type show interfaces serial [number]:
The Point-to-Point Protocol is used when you want to connect non-Cisco devices to each other. This is a serial protocol known by all networking devices, and it has some features that cannot be found in HDLC: it can detect the link quality and it supports authentication using the PAP or CHAP protocols (we will talk about these two authentication protocols later in this article). PPP uses HDLC framing to encapsulate IP datagrams over point-to-point connections. PPP includes the LCP (Link Control Protocol), used for configuring and establishing connections and for checking the state of point-to-point links. Another component of PPP is the NCP, or Network Control Protocol. NCPs are used to configure network protocols like IP, IPX or AppleTalk over the serial link.
PPP spans the lowest three OSI layers: physical, data link and network. At the physical layer, PPP can run over many serial interface types, such as synchronous, asynchronous or HSSI. The LCP is used to establish, terminate, configure and test connections. You’ll have to know for the CCNA exam that the LCP layer of PPP is used to negotiate the error detection, compression and authentication mechanisms. The NCP layer is used by PPP to encapsulate different network protocols. When a PPP connection is made, three phases must be completed: connection establishment, link quality determination and network protocol determination. There is much more to say about NCP and LCP operation; check the following link from tcpipguide for further details: http://www.tcpipguide.com/free/t_PPPLinkControlProtocolLCP.htm.
The Point-to-Point protocol offers the following options:
– authentication – PPP provides two authentication mechanisms, PAP and CHAP.
– error detection – by using magic numbers and quality numbers, PPP ensures that the link doesn’t contain errors.
– multilink support – it is a mechanism used to load balance traffic over multiple physical PPP links.
– compression – using the Stacker and Predictor protocols, PPP can reduce the size of frames.
– PPP callback – a security mechanism in which one side must call the other side and by answering, the PPP link is established.
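The two authentication options listed above, as an added example that is not code from the article or from Cisco: a Python simulation of both sides of a CHAP exchange using the algorithm RFC 1994 specifies (the response is MD5 over the identifier, the shared secret and the challenge), placed next to the PAP request, in which the password itself crosses the link. The hostnames R1 and R2, the secret and the injectable `rand` function are constructed for the example; the authenticator keeping one secret per peer hostname mirrors the way a router stores username/password pairs for CHAP.

```python
"""PPP authentication walk-through, added here as an example (not code from the article).

Simulates a CHAP three-way handshake as specified in RFC 1994 next to a PAP
Authenticate-Request (RFC 1334). Hostnames, secrets and challenge bytes are
constructed sample values; the authenticator keeps one secret per peer hostname.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5(Identifier || secret || Challenge Value).

    MD5 is what the RFC mandates for CHAP, not a general recommendation.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


@dataclass
class Challenge:
    identifier: int
    value: bytes
    name: str        # authenticator's hostname


@dataclass
class Response:
    identifier: int
    value: bytes
    name: str        # peer's hostname; the authenticator looks up the secret by this name


class Authenticator:
    """The side that demands authentication (the router configured to require CHAP)."""

    def __init__(self, hostname: str, secrets: Dict[str, bytes],
                 rand: Callable[[int], bytes] = os.urandom):
        self.hostname = hostname
        self.secrets = secrets
        self.rand = rand               # injectable so the exchange is reproducible in tests
        self.next_id = 0
        self.pending: Dict[int, bytes] = {}

    def challenge(self) -> Challenge:
        identifier, self.next_id = self.next_id, (self.next_id + 1) % 256
        value = self.rand(16)          # fresh per attempt, so a captured response is useless later
        self.pending[identifier] = value
        return Challenge(identifier, value, self.hostname)

    def verify(self, resp: Response) -> bool:
        value = self.pending.pop(resp.identifier, None)    # each challenge is usable exactly once
        secret = self.secrets.get(resp.name)
        if value is None or secret is None:
            return False
        expected = chap_response(resp.identifier, secret, value)
        return hmac.compare_digest(expected, resp.value)   # constant-time comparison


class Peer:
    """The side being authenticated; it never sends the secret, only the hash."""

    def __init__(self, hostname: str, secret: bytes):
        self.hostname = hostname
        self.secret = secret

    def answer(self, ch: Challenge) -> Response:
        return Response(ch.identifier, chap_response(ch.identifier, self.secret, ch.value), self.hostname)


def run_chap(auth: Authenticator, peer: Peer) -> bool:
    """Challenge -> Response -> Success/Failure."""
    return auth.verify(peer.answer(auth.challenge()))


def pap_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request payload: Peer-ID length, Peer-ID, password length, password in clear text."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


if __name__ == "__main__":
    r1 = Authenticator("R1", {"R2": b"cisco123"})       # constructed sample secret
    print("CHAP, correct secret:", run_chap(r1, Peer("R2", b"cisco123")))
    print("CHAP, wrong secret:  ", run_chap(r1, Peer("R2", b"wrong")))
    print("PAP payload on the wire:", pap_request(b"R2", b"cisco123"))
```

The comparison worth noticing is in the last two lines of the demo: the PAP payload contains the password byte for byte, while the CHAP response carries only a hash bound to a one-time challenge, which is why the article recommends CHAP over PAP on untrusted links.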
To configure PPP on a Cisco device, first set the encapsulation type to PPP from the interface configuration mode:
In our days, large corporations have multiple branches around a continent or even around the world. You can imagine that a company that spans multiple territories has a large data network. To interconnect multiple branches, WAN connections are used because they are both cost effective and fast. You can imagine an enterprise network as multiple LANs interconnected. In this article I will talk about the main elements that are part of WAN connections, and it will serve as an introduction for the following articles. As you already know, a Local Area Network is a network that interconnects devices like computers, servers, printers etc. and is usually located in a single geographical area. Wide Area Networks span large geographical areas and are basically a collection of multiple interconnected LANs. By leasing connections from ISPs, companies can connect networks that are situated in different territories and countries around the globe. WANs use serial connections to interconnect smaller networks, because this type of communication channel provides the highest amount of bandwidth available (increased speed). The Internet is actually a very large WAN, because multiple networks (ISPs or large enterprises) are interconnected to form one huge network in which devices can communicate with each other. VPN connections and branch or regional offices all rely on WAN connections. Enterprises grow from small companies to large ones over time, so you can imagine that it’s impossible to implement a hierarchical network model from the beginning.
– Connectionless – packets sent over networks include all the information needed to route them (source and destination addresses).
– Connection-oriented – each packet follows a predefined route and each one includes a unique identifier for that particular path. In Frame Relay technology, these identifiers are called DLCIs (Data Link Connection Identifiers). Multiple DLCIs are used to forward packets from one point to another and all together they form a virtual circuit (VC).
That’s it for this article folks, I hope you’ve gained a general idea of WANs. In the following articles we will continue talking about different WAN technologies used today. Have a wonderful day and enjoy IT training.
Hello dear readers,
I will not talk much about these because they are not covered by the CCNA exam. You will have to know that they differ from each other in terms of area coverage, speed and applications. You can read more in this article from Wikipedia: http://en.wikipedia.org/wiki/Wireless_network.
WLAN connections use the RF (radio frequency) spectrum and are defined by the 802.11 wireless LAN standards. RF uses the air as the medium to transmit signals from one point to another. These waves can be sent anywhere and through almost all materials. One big problem with wireless networks is the possibility of interference with other RF signals. Two devices that exchange RF signals must use the same transmission channel. Devices that use wireless connections must have a WNIC (Wireless Network Interface Card) installed. Unlike Ethernet networks, wireless networks communicate through Access Points (APs), which are physical wireless devices. Another aspect of wireless technologies is the use of a collision avoidance mechanism instead of collision detection. I don’t have a table with all the wireless standards; here is a link to Wikipedia where you can see all the wireless standards in use today: http://en.wikipedia.org/wiki/IEEE_802.11. What you have to remember from here is that 802.11a and 802.11g have higher speeds (54 Mbps) than 802.11b (11 Mbps) and also use a different modulation technology: 802.11b uses DSSS (Direct Sequence Spread Spectrum), while 802.11a and 802.11g use OFDM (Orthogonal Frequency Division Multiplexing). Remember that the area of coverage and the channels used differ from one technology to another. The 802.11n standard is a newer and much faster technology that uses a different band and modulation.
But what about the components needed in wireless communications? As I’ve written earlier, wireless NICs are the main hardware component used to transmit RF waves from one point to another. They encode data into RF signals by means of modulation. From mobile phones to laptops and even desktop computers, all use Wireless Network Interface Cards to communicate over the radio frequency spectrum. Usually, devices communicate with each other through Access Points (APs). These are physical devices that convert Ethernet frames (802.3) into the wireless frames (802.11) used in wireless communications. In wireless technologies, users must associate their devices with one AP in order to communicate with other wireless devices. Unlike the Ethernet standard, wireless connections use CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance). The mechanism is pretty simple: devices must first listen to the RF medium before transmitting frames, and if a signal is detected they must wait until the medium is free. Once frames are received by the AP, ACK (acknowledgement) messages are exchanged between the two transmitting nodes. This technology has a problem: wireless signals are affected by attenuation. This means that the farther a wireless device is from the AP, the weaker the signal is. This issue leads to the hidden node problem (from Wikipedia: “In wireless networking, the hidden node problem or hidden terminal problem occurs when a node is visible from a wireless access point (AP), but not from other nodes communicating with said AP” http://en.wikipedia.org/wiki/Hidden_node_problem). To connect one wireless network to another, you can use a classic network router or a wireless router. The latter is nothing more than a physical wireless device that acts as a gateway for the devices behind it.
When configuring a wireless Access Point, you will have to specify the SSID (Service Set Identifier), which is the element that identifies a wireless network. Also, always check that the mode the AP uses (it can be mixed-mode to support multiple standards or single-mode to support only one) is the one that you need (802.11a, b, g or n) and that the channels differ from one AP to another in order to avoid interference. Check this Wikipedia link to see an image with the available channels: en.wikipedia.org/wiki/List_of_WLAN_channels.
In terms of wireless topology, there are three main topologies used today:
Ad hoc – wireless networks that do not use APs. Devices communicate directly with each other (low coverage, or BSA – Basic Service Area).
BSS (Basic Service Set) – a wireless network that uses an AP to provide the wireless communication channel between devices.
ESS (Extended Service Set) – multiple BSSs connected to each other to provide an extended area of wireless coverage (multiple APs are connected to form a larger wireless network).
The association between a wireless device and an AP is made by using the following steps:
APs send beacons which are wireless messages that contain the SSID, speed rates and the authentication method. The beacons are received by wireless devices which will try to establish a connection with the AP. If wireless hosts are already configured for one wireless network, they will send probe messages to establish a wireless connection with an already known SSID. After this step is complete, the authentication is made between the client and the AP using the configured method. We will talk in a moment about authentication methods. If the authentication is successful then the two devices establish an association.
Probably the most important aspect that you need to consider when implementing wireless networks is security. Because RF signals are transmitted through the air, they can be intercepted by malicious users. There are different security methods and technologies used today, which is why you’ll have to ensure that you choose the best one for your needs. Attacks like man-in-the-middle, DoS or DDoS (Denial of Service or Distributed Denial of Service) are a real threat to wireless networks. In the first implementations of wireless networks, two security methods were introduced: open and WEP (Wired Equivalent Privacy). Open meant that there was no security involved: a device would simply ask an AP to authenticate and the AP would simply grant access to the network. The WEP authentication method uses a shared key between an AP and a client. The client sends an authentication request to the AP. The AP receives the request and then sends a challenge text to the client. The client encrypts the text using the shared key and then sends the encrypted message back to the AP. The AP decrypts the message using its own key and, if the text is the same as the one it sent, the client is authenticated. Even though this mechanism introduced a certain level of security, it could be easily cracked because the shared key could be intercepted by an attacker. With the shared key in hand, the attacker could easily authenticate with the AP and gain access to the network resources. A new encryption algorithm, TKIP or Temporal Key Integrity Protocol, was invented to provide better security for the WPA protocol (read more about this protocol in this article from Wikipedia: http://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol). The Wi-Fi Protected Access (WPA) protocol was introduced as a better solution than the WEP protocol. This protocol uses a preshared key (PSK) and the TKIP protocol for encryption.
The most used standard in today’s enterprise networks is 802.11i/WPA2. It uses AES encryption with dynamic key management, and it can authenticate clients against a Remote Authentication Dial In User Service (RADIUS) database. Enterprise networks, besides the normal authentication mechanism, often use a login mechanism backed by an authentication server. The following link from Cisco’s website shows how EAP authentication works: http://www.cisco.com/en/US/i/000001-100000/65001-70000/65001-66000/65583.jpg. Other known security mechanisms are MAC address filtering and disabling the SSID broadcast. These methods are not used as much because they can be easily circumvented.
As a conclusion, remember to always take the necessary steps, from installing the AP and configuring the SSID, band, mode and channels, to implementing wireless network security using the WPA or WPA2 standards (authentication and encryption). Ensure that the APs will not suffer from interference by placing them in the right locations and by selecting the appropriate channel. Ensure that you choose the best hardware devices to set up your wireless network and design a wireless map.
I think that’s it for this article folks, I hope I’ve covered all the elements of wireless networks, please share it to others and rate it. Have a wonderful day and stay tuned because more will come.
This article will focus on explaining the basic principles of inter-VLAN routing. This is a mechanism that provides communication between different VLANs. Because each VLAN has its own broadcast domain, devices from separate VLANs cannot communicate with each other without it. As the name suggests, inter-VLAN routing is done by connecting a router to a switched network. The router acts as the point of contact between two or more VLANs. I will try to explain all the elements that make up inter-VLAN routing and I will also show you how to configure it. What you have to remember so far is that inter-VLAN routing is a mechanism used to forward traffic from one VLAN to another.
Older implementations of inter-VLAN routing required that a router have one physical interface for each VLAN. Newer implementations like “router-on-a-stick” can use one physical interface for all VLANs. “Router-on-a-stick” added a new feature in which a router can have multiple subinterfaces on each physical interface. A router configured with subinterfaces can receive tagged traffic coming from a trunk link. The router must be connected to a switch port set to trunk mode. Subinterfaces are configured in software and act like real interfaces (each one must have an IP address and subnet mask configured). Basically, traffic is sent and received through one physical interface and the router makes its decisions based on the subinterface configuration and the tags of the traffic coming from the trunk link. The router acts somewhat like a switch between subinterfaces. As I’ve told you previously, each subinterface must have an IP address configured that is part of the corresponding VLAN subnet. The subinterface IP address will act as the gateway for the devices that make up a particular VLAN.
If you’ve read all my networking articles you know by now how to configure interfaces on a router. The limitation of the older implementation of inter-VLAN routing was that with each new VLAN added, the router had to provide a dedicated physical interface. Using the new inter-VLAN routing design, a physical interface can carry several VLANs while subinterfaces are assigned separately to each VLAN. A subinterface configuration looks similar to a physical interface configuration: you have to specify an IP address and subnet mask. The physical interface must be connected to a trunk port; this is why, when configuring subinterfaces, you will have to specify the encapsulation type and VLAN for each one. I will show you in a moment how to configure subinterfaces. The benefit of using subinterfaces is visible from the start: cost is reduced because you use only one physical interface for many VLANs. Of course, subinterface configuration is more complex than physical interface configuration, and the speed is reduced since all subinterfaces share the bandwidth of one physical interface.
I will now show you how to configure inter-VLAN routing without using subinterfaces, in order to see the difference between the two approaches. Assuming that you’ve already configured VLANs on the switches connected to the router, I will jump directly to the router configuration (if you haven’t configured VLANs, check out an earlier networking post). Let’s take the following topology: