
Wan networks

Date post: 14-Dec-2014
Upload: arnold-derrick-kinney
Description:
WAN Networking Lectures for professordkinney.com
www.professordkinney.com 06/07/22 Instructional Design-Computer Networking - Bridges Educational Group
Transcript
Page 1: Wan networks

www.professordkinney.com

04/10/23 Instructional Design-Computer Networking - Bridges Educational Group

Page 2: Wan networks

Wide-Area Networks


Page 3: Wan networks

Lessons Summary:
• Understanding WAN Technologies
• Configuring Serial Encapsulation
• Introducing VPN Solutions
• Configuring GRE Tunnels


Page 4: Wan networks

Understanding WAN Technologies

WANs – The need
• Sharing of data
• Organization to organization
• Remote users
• Over large distance
• LAN – Falls short
• Company growth


Page 5: Wan networks

WAN functions in terms of the OSI Reference Model

The physical layer (OSI Layer 1) protocols describe how to provide electrical, mechanical, operational, and functional connections to the services of a communications service provider.

The data link layer (OSI Layer 2) protocols define how data is encapsulated for transmission toward a remote location and the mechanisms for transferring the resulting frames. A variety of different technologies are used, such as Frame Relay and ATM. Some of these protocols use the same basic framing mechanism, High-Level Data Link Control (HDLC), an ISO standard, or one of its subsets or variants.


Page 6: Wan networks

WAN physical layer concepts for network and Internet communications


Page 7: Wan networks

• WAN physical-layer protocols describe how to provide electrical, mechanical, operational, and functional connections for WAN services.

• The WAN physical layer also describes the interface between the DTE and the DCE.


Page 8: Wan networks

WAN data link layer protocols used in today’s Enterprise WAN networks

Data link layer protocols define how data is encapsulated for transmission to remote sites and the mechanisms for transferring the resulting frames.

ATM uses small fixed-size cells of 53 bytes (48 bytes for data),


Page 9: Wan networks

Switching technologies used for WANs in an Enterprise setting

A circuit-switched network is one that establishes a dedicated circuit (or channel) between nodes and terminals before the users may communicate.

PSTN and ISDN are two types of circuit-switching technology that may be used to implement a WAN in an enterprise setting.

Packet switching splits traffic data into packets that are routed over a shared network. Packet-switching networks do not require a circuit to be established, and they allow many pairs of nodes to communicate over the same channel. Packets are divided and sent through available connections.

There are two approaches to this link determination: connectionless or connection-oriented.


Page 10: Wan networks

List the various options for connecting subscribers to the WAN


Page 11: Wan networks

Enterprises use leased line services to provide a WAN connection

Point-to-point lines are usually leased from a carrier and are called leased lines.


Page 12: Wan networks

Circuit switching options available to provide a WAN connection


Page 13: Wan networks

Packet switching options available to provide a WAN connection


Page 14: Wan networks

List factors to consider when selecting a WAN connection


Page 15: Wan networks

Configuring Serial Encapsulation

Circuit Switching


Page 16: Wan networks

Public Switched Telephone Network


Page 17: Wan networks

PSTN Considerations
Advantages
• Simplicity
• Availability
• Cost
Disadvantages
• Low data rates
• Relatively long connection setup time


Leased Line

Page 18: Wan networks

Configuring a Serial Interface

Enter global configuration mode:
    RouterX# configure terminal
    RouterX(config)#

Specify interface:
    RouterX(config)# interface serial 0/0/0
    RouterX(config-if)#

Set clock rate (on DCE interfaces only):
    RouterX(config-if)# clock rate 64000
    RouterX(config-if)#

Set bandwidth (recommended):
    RouterX(config-if)# bandwidth 64
    RouterX(config-if)# exit
    RouterX(config)# exit
    RouterX#


Page 19: Wan networks

Point-to-Point Considerations
Advantages
• Simplicity
• Quality
• Availability
Disadvantages
• Cost
• Limited flexibility


PPP Configuration Example

Page 20: Wan networks

HDLC and Cisco HDLC


Page 21: Wan networks

Configuring HDLC Encapsulation

    RouterX(config-if)# encapsulation hdlc
• Enables Cisco HDLC encapsulation
• Uses the default encapsulation on synchronous serial interfaces

Enable PPP Encapsulation and Configuring Authentication

    RouterX(config-if)# encapsulation ppp
• Enables PPP encapsulation

    RouterX(config)# hostname name
• Assigns a hostname to your router

    RouterX(config)# username name password password
• Identifies the username and password of remote router

    RouterX(config-if)# ppp authentication {chap | chap pap | pap chap | pap}
• Enables PAP or CHAP authentication
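What the choice between PAP and CHAP in the ppp authentication command means on the wire, as an added example that is not part of the original slides. It assumes CHAP with MD5 as defined in RFC 1994 and the PAP request layout of RFC 1334; the secret, peer name and the simplified negotiated_method model of the method order are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute with its own copy of the secret and compare."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

def pap_request_data(peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 PAP Authenticate-Request data: length-prefixed Peer-ID and Password."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password

def negotiated_method(local_order, peer_accepts):
    """First method in the local 'ppp authentication' order that the peer accepts."""
    return next((m for m in local_order if m in peer_accepts), None)

def demo() -> dict:
    secret = b"constructed-secret"           # the 'username ... password' value on both routers
    c1, c2 = os.urandom(16), os.urandom(16)  # a fresh challenge for every authentication
    r1 = chap_response(1, secret, c1)
    return {
        "chap_ok": chap_verify(1, secret, c1, r1),
        "chap_wrong_secret": chap_verify(1, b"other-secret", c1, r1),
        "chap_replayed": chap_verify(2, secret, c2, r1),  # old response, new challenge
        "secret_on_wire_chap": secret in r1,
        "secret_on_wire_pap": secret in pap_request_data(b"RouterX", secret),
        "chap_pap_with_pap_only_peer": negotiated_method(["chap", "pap"], {"pap"}),
        "chap_with_pap_only_peer": negotiated_method(["chap"], {"pap"}),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With chap pap the link can still come up using PAP, which carries the password itself, so an interface that must never send the password in clear text lists chap alone.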


Page 22: Wan networks

PPP and CHAP Configuration Example


Page 23: Wan networks

Verifying a Serial Interface Configuration

    RouterX# show interface s0/0/0
    Serial0/0/0 is up, line protocol is up
      Hardware is HD64570
      Internet address is 10.140.1.2/24
      MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
      Encapsulation PPP, loopback not set, keepalive set (10 sec)
      LCP Open
      Open: IPCP, CDPCP
      Last input 00:00:05, output 00:00:05, output hang never
      Last clearing of "show interface" counters never
      Queueing strategy: fifo
      Output queue 0/40, 0 drops; input queue 0/75, 0 drops
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         38021 packets input, 5656110 bytes, 0 no buffer
         Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         38097 packets output, 2135697 bytes, 0 underruns
         0 output errors, 0 collisions, 6045 interface resets
         0 output buffer failures, 0 output buffers swapped out
         482 carrier transitions
         DCD=up DSR=up DTR=up RTS=up CTS=up


Page 24: Wan networks

Verifying the HDLC and PPP Encapsulation Configuration

    RouterX# show interface s0/0/0
    Serial0/0/0 is up, line protocol is up
      Hardware is HD64570
      Internet address is 10.140.1.2/24
      MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
      Encapsulation PPP, loopback not set, keepalive set (10 sec)
      LCP Open
      Open: IPCP, CDPCP
      Last input 00:00:05, output 00:00:05, output hang never
      Last clearing of "show interface" counters never
      Queueing strategy: fifo
      Output queue 0/40, 0 drops; input queue 0/75, 0 drops
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         38021 packets input, 5656110 bytes, 0 no buffer
         Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         38097 packets output, 2135697 bytes, 0 underruns
         0 output errors, 0 collisions, 6045 interface resets
         0 output buffer failures, 0 output buffers swapped out
         482 carrier transitions
         DCD=up DSR=up DTR=up RTS=up CTS=up


Page 25: Wan networks

Verifying PPP Authentication


Page 26: Wan networks

Introducing VPN Solutions

An academic definition of a VPN is “connectivity deployed on a shared infrastructure with the same policies and performance as a private network, with lower total cost of ownership.”


Page 27: Wan networks

Benefits Of VPN

Page 28: Wan networks

VPNs offer flexibility, as site-to-site and remote-access connections can be set up quickly and over existing infrastructure. A variety of security policies can be provisioned in a VPN, enabling flexible interconnection of different security domains.

VPNs also offer scalability over large areas, as IP transport is universally available. This in turn reduces the number of physical connections and simplifies the underlying structure of a customer WAN.

Lower cost is one of the main reasons for migrating from traditional connectivity options to a VPN connection, as customers may reuse existing links and take advantage of statistical packet multiplexing features of IP networks, used as a VPN transport.

The Cisco hardware and Cisco IOS software provide a full set of VPN tools, not just for VPNs but also for security, management, and all related needs.

The Cisco remote access line of routers is compatible with the Cisco Secure VPN Client PC client software. The slide lists some of the IPSec capabilities one would expect (and find) in such a client. Some of these will be covered in more detail in the next module on IPSec-based VPNs.

With client IPSec encryption, a public Internet connection can be used as part of a virtual private dial-up network (VPDN) solution.


Page 29: Wan networks

VPNs come in a number of flavors.

VPNs are designed based on one of two architectural options: client-initiated or network access server (NAS)-initiated VPNs.

Client-initiated VPNs: Users establish a tunnel across the Internet service provider (ISP) shared network to the customer network. The customer manages the client software that initiates the tunnel. The main advantage of client-initiated VPNs is that they secure the connection between the client and ISP. However, client-initiated VPNs are not as scalable and are more complex than NAS-initiated VPNs.

NAS-initiated VPNs: Users dial in to the ISP NAS, which establishes a tunnel to the private network. Network access server (NAS)-initiated VPNs are more robust than client-initiated VPNs and do not require the client to maintain the tunnel-creating software. NAS-initiated VPNs do not encrypt the connection between the client and the ISP, but this is not a concern for most customers because the Public Switched Telephone Network (PSTN) is much more secure than the Internet.

VPNs can also run from a remote client PC or remote office router across the Internet or an IP service provider network to one or more corporate gateway routers. VPNs between a company’s offices are a company intranet. VPNs to external business partners are extranets.


Page 30: Wan networks

Voluntary tunnels are those initiated by the client PC. Voluntary tunnels are where the client voluntarily starts up the tunnel. Compulsory tunnels take service provider participation and awareness. Compulsory tunnels leave the client no choice.

The slide shows some of the features of (remote) access VPNs. They can be used with whatever access is available, and ubiquity is important. This means they should work with modem, Integrated Services Digital Network (ISDN), xDSL, or cable. They provide potential operations and infrastructure cost savings because a company can outsource its dial plant, getting out of the remote access server business.

It is best if VPDN and access VPN connectivity involves only a single ISP. With more than one ISP involved, no service level agreements are possible.


Page 31: Wan networks

An extranet is where you also use the Internet or one or two SPs to connect to business partners. Security policy becomes very important at this point, because you would hate for a hacker to spoof an order for 1 million widgets from a business partner.


Page 32: Wan networks

Intranet VPNs extend the basic remote access VPN to other corporate offices with connectivity across the Internet or across the SP IP backbone. Service levels are likely to be maintained and enforced within a single SP. With VPNs across the Internet, there are no performance guarantees—no one is in charge of the Internet.

The main attractions of intranet VPNs are reduced WAN infrastructure needs, lower ongoing leased line or Frame Relay charges, and operational savings.

Security on shared media (the Internet or SP backbone) is important too.


Page 33: Wan networks

Tunneling Types

Most VPNs are really tunnels, whereby Point-to-Point Protocol (PPP) frames or IP packets are tunneled inside some other protocol.

Microsoft Point-to-Point Tunneling Protocol (PPTP) (see the Layer 2 module) is a Layer 2 technique, where IP is used to encapsulate and transport PPP and IP packets to a corporate gateway or server.

Cisco Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocol (L2TP) are also Layer 2 techniques. They simulate PPP connectivity directly from a client PC to a corporate gateway router or server.

Multiprotocol Label Switching (MPLS) (see the module), generic routing encapsulation (GRE), and IPSec are, however, Layer 3 tunnels, where Layer 3 information is transported directly inside another Layer 3 header across the intervening SP network.

The terms Layer 2 and Layer 3 may be imprecise when applied to VPNs. Some people consider Frame Relay and ATM to be Layer 2 VPNs. Others consider that to be an out-of-date usage of the term “VPN.”


Page 34: Wan networks

The protocols used to transport Layer 2 frames and Layer-3 packets are:
• L2TP – Layer 2 Tunneling Protocol
• GRE – Generic Routing Encapsulation
• PPTP – Point-to-Point Tunneling Protocol
• IPsec – IP security protocols
• MPLS – Multiprotocol Label Switching

Configuring GRE Tunnels

Generic Routing Encapsulation (GRE) is a standardized Layer-3 carrier encapsulation, designed for generic tunneling of protocols. GRE is described in RFC 1701, and RFC 1702 defines how GRE uses IP as the transport protocol (GRE IP).

In Cisco IOS, GRE tunneling is used to tunnel multiple protocols (IPX, DECnet, AppleTalk, and others) over an IP network. Also, GRE IP can tunnel IP over IP, which is useful when building small-scale IP VPN networks that do not require substantial security. GRE has no built-in security mechanisms, but can be secured by additional mechanisms, such as IPsec traffic protection or the Cisco Encryption Technology protection.


Page 35: Wan networks

The GRE protocol is an IP protocol with the protocol number of 47. The GRE header is of variable length, and at the minimum defines the passenger protocol carried in a GRE packet. The header is from 4 to 20 bytes long, depending on the GRE options (such as optional sequencing) used within each packet.
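The variable-length header described above, as an added parser that is not part of the original slides. It follows the RFC 1701 field layout (flag bits, then optional Checksum/Offset, Key, Sequence Number and Routing); the packets, addresses and the build_ipv4 helper are constructed for the example.

```python
import struct
GRE_IP_PROTO = 47   # IP protocol number of GRE, as stated above
PASSENGERS = {0x0800: "IPv4", 0x8137: "IPX", 0x86DD: "IPv6"}  # Protocol Type values

def parse_gre(buf: bytes) -> dict:
    """Parse an RFC 1701 GRE header; return its fields, its length and the payload."""
    off = 0
    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(buf):
            raise ValueError("truncated GRE header")
        chunk = buf[off:off + n]
        off += n
        return chunk

    flags, proto = struct.unpack("!HH", take(4))
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    hdr = {"passenger": PASSENGERS.get(proto, hex(proto)),
           "checksum": None, "key": None, "sequence": None}
    if flags & 0xC000:                      # C or R bit: Checksum and Offset
        hdr["checksum"], _offset = struct.unpack("!HH", take(4))
    if flags & 0x2000:                      # K bit: 32-bit Key
        hdr["key"] = struct.unpack("!I", take(4))[0]
    if flags & 0x1000:                      # S bit: 32-bit Sequence Number
        hdr["sequence"] = struct.unpack("!I", take(4))[0]
    if flags & 0x4000:                      # R bit: list of source route entries
        while True:
            family, _sre_offset, sre_len = struct.unpack("!HBB", take(4))
            if family == 0 and sre_len == 0:
                break                       # NULL entry ends the list
            take(sre_len)
    hdr["header_len"] = off
    hdr["payload"] = buf[off:]
    return hdr

def gre_from_ipv4(packet: bytes):
    """Return the parsed GRE header if this IPv4 packet carries GRE, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if packet[9] != GRE_IP_PROTO:
        return None
    return parse_gre(packet[(packet[0] & 0x0F) * 4:])

def build_ipv4(proto: int, body: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left at 0) in front of body."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + body

# Constructed samples: no options, C+K+S options, all options with an empty route list.
INNER = b"passenger-packet"
MINIMAL = build_ipv4(47, struct.pack("!HH", 0x0000, 0x0800) + INNER)
KEYED = build_ipv4(47, struct.pack("!HHHHII", 0xB000, 0x8137, 0, 0, 42, 7) + INNER)
FULL = build_ipv4(47, struct.pack("!HHHHIII", 0xF000, 0x0800, 0, 0, 42, 7, 0) + INNER)

if __name__ == "__main__":
    for name, pkt in (("minimal", MINIMAL), ("keyed", KEYED), ("full", FULL)):
        hdr = gre_from_ipv4(pkt)
        print(name, hdr["header_len"], hdr["passenger"], hdr["key"], hdr["payload"])
```

In every sample the passenger bytes come back unchanged and readable; none of the header fields authenticates the sender or hides the payload.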


Page 36: Wan networks

The benefits of GRE IP tunneling are:
• GRE enables simple and flexible deployment of basic IP VPNs.
• In Cisco IOS, GRE IP can tunnel almost any Layer-3 protocol.

GRE IP tunneling also has some drawbacks:
• Provisioning of tunnels is not very scalable in a full-mesh network (every point-to-point association has to be defined separately; the Next-Hop Routing Protocol (NHRP) can be used to achieve some configuration scalability, and point-to-multipoint tunnels can be used as a remedy in strictly hub-and-spoke networks).
• Packet payload is not protected against snooping and unauthorized changes, and there is no authentication of sender. IPsec provides all those functions, and can be combined with GRE IP.


Page 37: Wan networks

GRE Configuration Example

Within the tunnel interface, the tunnel source and tunnel destination commands configure the tunnel endpoints. The tunnel source must be a local router’s interface address, such as a loopback address. The other peer’s tunnel source and destination must exactly mirror the local peer’s configuration, that is, the tunnel must be defined between the same IP addresses in both peers’ configuration. The tunnel mode gre ip command specifies that GRE should be used as the tunnel carrier encapsulation.

Page 38: Wan networks

Configuring Multiprotocol GRE Example

The figure shows the configurations of two routers configured for GRE tunneling. Note the symmetric configuration of tunnel source and destination. IP and IPX are enabled over the tunnel link, and OSPF provides routing over the tunnel, treating it like a point-to-point link.
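A check for the mirrored tunnel source and destination described in the two GRE configuration slides above, as an added example that is not from the original slides. The router configurations, addresses and interface numbers are constructed; interface names are expected in full (Loopback0, not Lo0).

```python
import re

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
WANTED = re.compile(r"(ip address|tunnel source|tunnel destination|tunnel mode)\s+(.+)")

def parse_interfaces(config: str) -> dict:
    """Map lower-cased interface name -> the settings this check needs."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split(None, 1)[1].strip().lower(), {})
        elif not raw.startswith(" "):
            current = None                      # left the interface block
        elif current is not None and (m := WANTED.match(raw.strip())):
            current[m.group(1)] = m.group(2).strip()
    return interfaces

def tunnel_endpoints(config: str, tunnel: str = "Tunnel0") -> dict:
    """Return the tunnel's source address, destination and mode."""
    ifaces = parse_interfaces(config)
    t = ifaces.get(tunnel.lower(), {})
    source = t.get("tunnel source", "")
    if source and not IPV4.fullmatch(source):   # named interface: use its address
        source = ifaces.get(source.lower(), {}).get("ip address", "").split(" ")[0]
    return {"source": source, "destination": t.get("tunnel destination", ""),
            "mode": t.get("tunnel mode", "gre ip")}  # gre ip is the IOS default

def mirror_findings(config_a: str, config_b: str, tunnel: str = "Tunnel0") -> list:
    """List every way the two peers' tunnel definitions fail to mirror each other."""
    a, b = tunnel_endpoints(config_a, tunnel), tunnel_endpoints(config_b, tunnel)
    findings = []
    for name, ep in (("A", a), ("B", b)):
        if not ep["source"] or not ep["destination"]:
            findings.append(f"{name}: tunnel source or destination missing or unresolved")
    if a["source"] != b["destination"]:
        findings.append(f"A source {a['source']} != B destination {b['destination']}")
    if b["source"] != a["destination"]:
        findings.append(f"B source {b['source']} != A destination {a['destination']}")
    if a["mode"] != b["mode"]:
        findings.append(f"tunnel mode differs: A '{a['mode']}', B '{b['mode']}'")
    return findings

# Constructed configurations (addresses and interface numbers are made up).
TEMPLATE = """\
interface Loopback0
 ip address {loopback} 255.255.255.255
!
interface Tunnel0
 tunnel source Loopback0
 tunnel destination {peer}
 tunnel mode gre ip
"""
ROUTER_A = TEMPLATE.format(loopback="10.255.0.1", peer="10.255.0.2")
ROUTER_B = TEMPLATE.format(loopback="10.255.0.2", peer="10.255.0.1")
ROUTER_B_TYPO = TEMPLATE.format(loopback="10.255.0.2", peer="10.255.0.11")

if __name__ == "__main__":
    print(mirror_findings(ROUTER_A, ROUTER_B))        # mirrored pair
    print(mirror_findings(ROUTER_A, ROUTER_B_TYPO))   # destination typo on router B
```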


Page 39: Wan networks

GRE Monitoring and Troubleshooting

The show ip interface brief command can be used to quickly determine the status of the tunnel interface. The show interface command shows the configured tunnel parameters and the interface traffic statistics.


Page 40: Wan networks

Lessons Learned:
• WAN technologies
• VPN types
• GRE encapsulation
