
CCNA :: Part 9 - Point-to-Point Lines

WAN BASICS

The following table gives the basic definitions for the three types of WAN services:

  Leased line
      A dedicated, always-on circuit between two endpoints. The service provider just passes a constant-rate bit stream; it does not interpret or make decisions based on the bits sent over the circuit. Generally more expensive than packet switching today.

  Circuit switching/dial
      Provides dedicated bandwidth between two points, but only for the duration of the call. Typically used as a cheaper alternative to leased lines, particularly when connectivity is not needed all the time. Also useful for backup when a leased line or packet-switched service fails.

  Packet switching
      Provides virtual circuits between pairs of sites, with contracted traffic rates for each VC. Each site's physical connectivity consists of a leased line from the site to a device in the provider's network. Generally cheaper than leased lines.

Many options for WAN connectivity are available, including synchronous point-to-point serial links. These synchronous point-to-point links include a cable from a service provider, with the service including the capability to send and receive bits across that cable at a predetermined speed. The physical connection includes a CSU/DSU on each end of the link, as shown in Fig. 34.

Fig. 34

After the CSU/DSUs are configured and the lines are installed, only a small amount of configuration is required on the routers. To get the two routers working so that they can ping each other across the link, you actually only need to configure IP addresses on each router and do a no shutdown command on each interface.

In some cases, two routers are physically close to each other, but they still need a point-to-point WAN link. You can instead do a cabling trick, connecting a DCE cable to a DTE cable to create a point-to-point WAN link. Fig. 35 shows the basic idea behind the cabling with the DCE and DTE cables, which allows the two routers to send and receive bits without a pair of CSU/DSUs and a leased line.

Fig. 35

Using the principle of the above picture, the configurations of both routers are as follows:

    R1(config)#
    R1(config)#int se 1/0
    R1(config-if)#clock rate ?
    With the exception of the following standard values not subject to rounding,
    1200 2400 4800 9600 14400 19200 28800 38400 56000 64000 128000 2015232
    accepted clockrates will be bestfitted (rounded) to the nearest value
    supportable by the hardware.
      <246-8064000>  DCE clock rate (bits per second)

    R1(config-if)#clock rate 64000 ?
      <cr>
    R1(config-if)#clock rate 64000
    R1(config-if)#ip address 10.10.2.1 255.255.255.0
    R1(config-if)#no shu
    R1(config-if)#end
    R1#

    R2(config)#int se1/0
    R2(config-if)#
    R2(config-if)#clock rate 64000
    R2(config-if)#ip address 10.10.2.2 255.255.255.0
    R2(config-if)#no shu
    R2(config-if)#end
    R2#
    R2#ping 10.10.2.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.2.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 16/67/120 ms
    R2#

The clock rate command sets the clock rate on interfaces when a DCE cable has been used. The clock rate 64000 command sets the clock rate to 64 000 bps. If external CSU/DSUs were used, as in Fig. 34, as is typical when you use an actual leased line from a provider, this command is unneeded. In fact, the router wouldn't let you add the command to the configuration if a DTE cable was connected to the interface!

DATA-LINK PROTOCOLS

WAN data-link protocols used on point-to-point serial links provide the basic function of data delivery across that one link. The two most popular WAN data-link protocols are High-Level Data Link Control (HDLC) and PPP. Each of these WAN protocols has the following functions in common:

  - HDLC and PPP provide for the delivery of data across a single point-to-point serial link.
  - HDLC and PPP deliver data on synchronous serial links; PPP also supports asynchronous serial links.

Each synchronous serial data-link protocol uses the concept of framing. Each data-link protocol defines the beginning and end of the frame, the information and format of a header and trailer, and the location of the packet between the header and trailer. In other words, synchronous WAN data-link protocols are frame-oriented, just like LAN data-link protocols.

Synchronous WAN links require the CSU/DSUs on each end of the link to operate at the exact same speed. Essentially, the CSU/DSUs on each side of the WAN link agree to use a certain clock rate, or speed, to send and receive bits. It is expensive to build CSU/DSUs that can truly operate at exactly the same speed, so after they agree to a particular speed, both CSU/DSUs try to operate at that speed. Then one CSU/DSU watches for small differences in clock rates between itself and the other CSU/DSU and makes small adjustments.

Synchronous CSU/DSUs adjust their clocks by noticing when the electrical signal received on the physical line changes. When the routers send data frames across the link, plenty of signal transitions are made, because the transitions are typically used to imply either a 1 or a 0. However, if no traffic were sent across the link, there would be no transitions in the electrical signal, and clock synchronization would be lost. So synchronous data-link protocols send frames continuously, even sending idle frames when there is no end-user data to be sent over the link. By always at least sending frames with no data in them, the routers ensure that there are plenty of electrical signal transitions on the line, allowing the clock adjustments required for synchronization. So HDLC and PPP define idle frames, called "Receiver Ready", implying that the sender has nothing to send other than idle frames to allow for continued synchronization.

Unlike asynchronous links, in which no bits are sent during idle times, synchronous data links define idle frames. These frames do nothing more than provide plenty of signal transitions so that clocks can be adjusted on the receiving end, consequently maintaining synchronization.

HDLC and PPP

Synchronous protocols allow more throughput over a serial link than asynchronous protocols. However, asynchronous protocols require less-expensive hardware, because there is no need to watch transitions and adjust the clock rate. For links between routers, synchronous links are typically desired and used. When you use a PC with a modem to dial up an Internet provider, you use an asynchronous link.

Another comparison criterion is error recovery. Do not confuse error recovery with error detection. Almost all data-link protocols, PPP and HDLC included, perform error detection. All the data-link protocols described here use a field in the trailer, usually called the frame check sequence (FCS), that verifies whether bit errors occurred during transmission of the frame. If so, the frame is discarded. Error recovery is the process that causes retransmission of the lost or errored frame(s). Error recovery can be performed by the data-link protocol or a higher-layer protocol, or it might not be performed at all. Regardless, all WAN data-link protocols perform error detection, which involves noticing the error and discarding the frame.

Fig. 36 shows the framing details of HDLC and PPP, showing the proprietary HDLC Protocol field and the standardized PPP Protocol field.

Fig. 36

The following table lists the important comparison points between HDLC and PPP:

  HDLC
      Error correction: No
      Architected Type field: No
      Other: HDLC serves as Cisco's default on serial links. Cisco uses a proprietary Type field to support multiprotocol traffic. Supports synchronous links only.

  PPP
      Error correction: Supported but not enabled by default
      Architected Type field: Yes
      Other: PPP was meant for multiprotocol interoperability from its inception, unlike HDLC. PPP also supports asynchronous communication.

CONFIGURATION

HDLC and PPP configuration is pretty simple. You just need to be sure to configure the same WAN data-link protocol on each end of the serial link. Otherwise, the routers will misinterpret the incoming frames, because each WAN data-link protocol uses a different frame format. The following table summarizes the configuration commands and EXEC commands used for HDLC and PPP configuration:

  encapsulation {hdlc | ppp}
      Interface subcommand.
  compress [predictor | stac | mppc [ignore-pfc]]
      Interface subcommand.
  show interfaces [type number]
      Lists statistics and details of interface configuration, including the encapsulation type.
  show compress
      Lists compression ratios.
  show processes [cpu]
      Lists processor and task utilization. Useful for watching for increased utilization because of compression.

The following example shows the configuration for PPP, followed by the changed configuration for a migration to HDLC. Assume that Router R1 and Router R2 have a serial link attached to their serial 1/0 interfaces.

Router R1:

    R1(config)#
    R1(config)#int se 1/0
    R1(config-if)#
    R1(config-if)#ip address 10.0.0.1 255.0.0.0
    R1(config-if)#encap
    R1(config-if)#encapsulation ppp
    R1(config-if)#no shu
    R1(config-if)#
    R1(config-if)#end
    R1#
    R1#
    *Mar 1 00:04:23.367: %SYS-5-CONFIG_I: Configured from console by console
    R1#
    *Mar 1 00:04:23.599: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
    R1#

Router R2:

    R2(config)#
    R2(config)#int se 1/0
    R2(config-if)#ip addr 10.0.0.2 255.0.0.0
    R2(config-if)#encap ppp
    R2(config-if)#no shu
    R2(config-if)#end
    R2#
    *Mar 1 00:04:38.623: %SYS-5-CONFIG_I: Configured from console by console
    R2#
    *Mar 1 00:04:39.191: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
    R2#
    *Mar 1 00:04:40.275: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
    R2#
    R2#ping 10.0.0.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/75/124 ms
    R2#

Here are two different ways to switch to HDLC encapsulation.

Router R1:

    R1(config)#int se 1/0
    R1(config-if)#
    R1(config-if)#encap hdlc
    R1(config-if)#end
    R1#
    *Mar 1 00:07:55.255: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
    *Mar 1 00:07:55.479: %SYS-5-CONFIG_I: Configured from console by console
    R1#
    *Mar 1 00:07:57.283: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
    R1#

Router R2:

    R2(config)#int se 1/0
    R2(config-if)#no encap ppp
    R2(config-if)#
    R2(config-if)#end
    R2#
    R2#
    *Mar 1 00:07:53.843: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
    *Mar 1 00:07:54.559: %SYS-5-CONFIG_I: Configured from console by console
    R2#
    *Mar 1 00:07:55.883: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
    R2#
    R2#ping 10.0.0.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 12/79/188 ms
    R2#

Did you see the trick? Yes, because HDLC is the default encapsulation, you can switch from PPP to HDLC by executing the command no encapsulation ppp instead of encapsulation hdlc.

PPP Features

PPP was defined much later than the original HDLC specifications. As a result, the creators of PPP included many additional features that had not been seen in WAN data-link protocols up to that time. As a result, PPP has become the most popular and feature-rich WAN data link layer protocol.

PPP uses a protocol that focuses on the features that apply regardless of the Layer 3 protocol used and another protocol to support each Layer 3 protocol supported on the link. The PPP Link Control Protocol (LCP) provides the core features for PPP. For features related to a specific Layer 3 protocol, PPP uses a series of PPP control protocols, such as IP Control Protocol (IPCP). For example, IPCP provides for IP address assignment; this feature is used extensively with Internet dialup connections today.

PPP uses one LCP per link and one Control Protocol for each Layer 3 protocol defined on the link. If a router is configured for IPX, AppleTalk, and IP on a PPP serial link, the router configured for PPP encapsulation automatically tries to bring up the appropriate control protocols for each Layer 3 protocol (for example, IPCP). Cisco routers also use a PPP CP for supporting CDP traffic, called CDPCP.

LCP provides a variety of optional features for PPP. You should at least be aware of the concepts behind these features. They are summarized in the following table.

  Error detection (LCP feature: Link Quality Monitoring, LQM)
      PPP can take down a link based on the percentage of errors on the link. LQM exchanges statistics about lost packets versus sent packets in each direction. When compared to packets and bytes sent, this yields a percentage of errored traffic. The percentage of loss that causes a link to be taken down is enabled and defined by a configuration setting.

  Looped link detection (LCP feature: Magic number)
      Using different magic numbers, routers send messages to each other. If you receive your own magic number, the link is looped. A configuration setting determines whether the link should be taken down when looped.

  Multilink support (LCP feature: Multilink PPP)
      Fragments of packets are load-balanced across multiple links.

  Authentication (LCP feature: PAP and CHAP)
      Exchanges names and passwords so that each device can verify the identity of the device on the other end of the link.

AUTHENTICATION

Security issues in a WAN can differ compared to security in a LAN. In a LAN, most devices can be under the control of the organization owning the devices. Traffic between devices in the same building might not ever leave the confines of the office space used by that company. However, with WANs, by definition, the traffic leaves one location and travels through some other network owned by the service provider and back into another site.

The term authentication refers to a set of security functions that help one device ensure that it is communicating with the correct other device. For instance, if R1 and R2 are supposed to be communicating over a serial link, R1 might want R2 to somehow prove that it really is R2. Authentication provides a way to prove one's identity. WAN authentication is most often needed when dial lines are used. However, the configuration of the authentication features remains the same whether a leased line or dial line is used.

PAP and CHAP

Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) authenticate the endpoints on either end of a point-to-point serial link. CHAP is the preferred method today because the identifying codes flowing over the link are created using a Message Digest 5 (MD5) one-way hash, which is more secure than the clear-text passwords sent by PAP.

Both PAP and CHAP require the exchange of messages between devices. When a dialed line is used, the dialed-to router expects to receive a username and password from the dialing router with both PAP and CHAP. With a leased line, one router starts the process, and the other responds. Whether leased line or dial, with PAP, the username and password are sent in the first message. With CHAP, the protocol begins with a message called a challenge, which asks the other router to send its username and password. Fig. 37 outlines the different processes in the case where the links are dialed. The process works the same when the link uses a leased line.

Fig. 37

PAP flows are much less secure than CHAP because PAP sends the host name and password in clear text in the message. These can be read easily if someone places a tracing tool in the circuit. CHAP instead uses a one-way hash algorithm, with input to the algorithm being a password and a shared random number. The CHAP challenge states the random number; both routers are preconfigured with the password. The challenged router runs the hash algorithm using the just-learned random number and the secret password and sends the results back to the router that sent the challenge. The router that sent the challenge runs the same algorithm using the random number (sent across the link) and the password (not sent across the link). If the results match, the passwords must match. The most interesting part of the process is that at no time does the password itself ever cross the link. With the random number, the hash value is different every time. So even if someone sees the calculated hash value using a trace tool, the value is meaningless as a way to break in next time. CHAP authentication is difficult to break, even with a tracing tool on the WAN link.

Here follows an example of configuring CHAP between routers R1 and R2, which are connected through serial communication on their serial 1/0 ports.

Router R1:

    R1(config)#int se 1/0
    R1(config-if)#
    R1(config-if)#encap ppp
    R1(config-if)#ppp authentication chap
    R1(config-if)#exi
    R1(config)#
    R1(config)#username R2 password s3cr3t

Router R2:

    R2(config)#int se 1/0
    R2(config-if)#
    R2(config-if)#encap ppp
    R2(config-if)#ppp authentication chap
    R2(config-if)#exi
    R2(config)#
    R2(config)#username R1 password s3cr3t
    R2#ping 10.0.0.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/84/168 ms
    R2#

Notice that each router refers to the other router's host name; each router uses its own host name in CHAP flows unless overridden by configuration. Each side configures the same password.
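The CHAP exchange described above, simulated in Python as an added example (not code from these notes or from Cisco): each router holds the username/password entry from its own configuration, and only the random challenge and the resulting hash cross the simulated link. The host names R1 and R2 and the password s3cr3t are the page's sample values; the packet codes and the MD5(Identifier || secret || Challenge) formula follow RFC 1994.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# 'username <peer> password <secret>' lines from each router, as in the notes above
# (host names and the secret are the page's constructed sample values).
CONFIG_R1 = {"hostname": "R1", "usernames": {"R2": "s3cr3t"}}
CONFIG_R2 = {"hostname": "R2", "usernames": {"R1": "s3cr3t"}}

@dataclass
class ChapPacket:
    """One CHAP message on the link: code 1=Challenge, 2=Response, 3=Success, 4=Failure."""
    code: int
    identifier: int
    value: bytes   # random challenge or MD5 result; empty for Success/Failure
    name: str      # sender's host name; the receiver uses it to pick a password

def chap_hash(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

class ChapPeer:
    def __init__(self, config):
        self.hostname = config["hostname"]
        self.usernames = config["usernames"]
        self.pending = {}  # identifier -> challenge value still awaiting a response

    def challenge(self, identifier: int) -> ChapPacket:
        """Authenticator: send a fresh random number; the password never leaves this router."""
        self.pending[identifier] = os.urandom(16)
        return ChapPacket(1, identifier, self.pending[identifier], self.hostname)

    def respond(self, pkt: ChapPacket) -> ChapPacket:
        """Challenged router: hash the password configured for the challenger's name."""
        secret = self.usernames.get(pkt.name, "")
        digest = chap_hash(pkt.identifier, secret, pkt.value)
        return ChapPacket(2, pkt.identifier, digest, self.hostname)

    def verify(self, pkt: ChapPacket) -> ChapPacket:
        """Authenticator: recompute locally and compare; a challenge is usable only once."""
        challenge = self.pending.pop(pkt.identifier, None)  # a replayed response finds no challenge
        secret = self.usernames.get(pkt.name)
        ok = challenge is not None and secret is not None and hmac.compare_digest(
            chap_hash(pkt.identifier, secret, challenge), pkt.value)
        return ChapPacket(3 if ok else 4, pkt.identifier, b"", self.hostname)

def authenticate(authenticator: ChapPeer, peer: ChapPeer, identifier: int = 1):
    """Run one three-way CHAP exchange; return (succeeded, the packets that crossed the link)."""
    chal = authenticator.challenge(identifier)
    resp = peer.respond(chal)
    result = authenticator.verify(resp)
    return result.code == 3, [chal, resp, result]
```

The protection comes from the secret staying on both routers and from each challenge being fresh and used once, not from MD5 itself; a captured challenge/response pair can still be used to test guesses of a short password offline, so the configured password should be long and random.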
