nat,acl,wan,ipv6, wireless by mohand
DESCRIPTION
cisco ccna 4TRANSCRIPT
Nat – ACL – WAN –Ipv6Wireless
By: MohandFor: arabhardware
Network Address Translation
To go to the Internet we need to get an public IP address and it is unique all over the world. If each host in the world required a unique public IP address, we would have run out of IP address years ago. But by using Network Address Translation (NAT) we can save tons of IP addresses for later uses. We can understand NAT like this:
“NAT allows a host that does not have a valid registered IP address to communicate with other hosts through the Internet”
For example your computer is assigned a private IP address of 10.0.0.9 and of course this address can not be routed on the internet but you can still access the internet. This is because your router (or modem) translates this address into a public IP address, 123.12.23.1 for example, before routing your data into the internet.
Of course when your router receives a reply packet destined for 123.12.23.1 it will convert back to your private IP 10.0.0.9 before sending that packet to you.
Maybe you will ask “hey, I don’t see any difference of using NAT to save tons of IP addresses because you still need a public IP address for each host to access the Internet and it doesn’t save you anything, why you need to use NAT?”
Ok, you are right :), in the above example we don’t see its usefulness but you now understand the fundamental of NAT!
Let’s take another example!
Suppose your company has 500 employees but your Internet Service Provider (ISP) only gives you 50 public IP addresses. It means that you can only allow 50 hosts to access the internet at the same time. Here NAT comes to save your life!
One thing you should notice that in real life, not all of your employees uses internet at the same time. Say, maybe 50 of them use internet to read newspaper at the morning; 50 others use internet at noon for checking mail… By using NAT you can dynamically assign these 50 public IP addresses to those who really need them at that time. This is called dynamic NAT.
But the above NAT solution does not solve our problem completely because in some days there can be more than 50 people surfing web at the morning. In this case, only the first 50 people can access internet, others must wait to their turns.
Another problem is, in fact, your ISP only gives you much lesser IP addresses than the number 50 because each public IP is very precious now.
To solve the two problems above, another feature of NAT can be used: NAT Overload or sometimes called Port Address Translation (PAT)
PAT permits multiple devices on a local area network (LAN) to be mapped to a single public IP address with different port numbers. Therefore, it’s also known as port address translation (PAT). When using PAT, the router maintains unique source port numbers on the inside global IP address
to distinguish between translations. In the below example, each host is assigned to the same public IP address 123.1.1.1 1 but with different port numbers (from 1000 to 1002).
Note: Cisco uses the term inside local for the private IP addresses and inside global for the public IP addresses replaced by the router.
The outside host IP address can also be changed with NAT. The outside global address represents the outside host with a public IP address that can be used for routing in the public Internet.
The last term, outside local address, is a private address of an external device as it is referred to by devices on its local network. You can understand outside local address as the inside local address of the external device which lies at the other end of the Internet.
Maybe you will ask how many ports can we use for each IP? Well, because the port number field has 16 bits, PAT can support about 216 ports, which is more than 64,000 connections using one public IP address.
Now you has learned all the most useful features of NAT but we should summary all features of NAT:
There are two types of NAT translation: dynamic and static.
Static NAT: Designed to allow one-to-one mapping between local and global addresses. This flavor requires you to have one real Internet IP address for every host on your network.
Dynamic NAT: Designed to map an unregistered IP address to a registered IP address from a pool of registered IP addresses. You don’t have to statically configure your router to map an inside to an outside address as in static NAT, but you do have to have enough real IP addresses for everyone who wants to send packets through the Internet. With dynamic NAT, you can configure the NAT router with more IP addresses in the inside local address list than in the inside global address pool. When being defined in the inside global address pool, the router allocates registered public IP addresses from the pool until all are allocated. If all the public IP addresses are already allocated, the router discards the packet that requires a public IP address.
PAT (NAT Overloading): is also a kind of dynamic NAT that maps multiple private IP addresses to a single public IP address (many-to-one) by using different ports. Static NAT and Dynamic NAT both require a one-to-one mapping from the inside local to the inside global address. By using PAT, you can have thousands of users connect to the Internet using only one real global IP address. PAT is the technology that helps us not run out of public IP address on the Internet. This is the most popular type of NAT.
Besides NAT gives you the option to advertise only a single address for your entire network to the outside world. Doing this effectively hides the internal network from the public world really well, giving you some additional security for your network.
NAT terms:
Inside local address – The IP address assigned to a host on the inside network. The address is usually not an IP address assigned by the Internet Network Information Center (InterNIC) or service provider. This address is likely to be an RFC 1918 private address.* Inside global address – A legitimate IP address assigned by the InterNIC or service provider that represents one or more inside local IP addresses to the outside world.* Outside local address – The IP address of an outside host as it is known to the hosts on the inside network.* Outside global address – The IP address assigned to a host on the outside network. The owner of the host assigns this address.
Access Control List
Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny IP packets from crossing specified interfaces. Just imagine you come to a fair and see the guardian checking tickets. He only allows people with suitable tickets to enter. Well, an access list’s function is same as that guardian.
Access lists filter network traffic by controlling whether packets are forwarded or blocked at the router’s interfaces based on the criteria you specified within the access list.
To use ACLs, the system administrator must first configure ACLs and then apply them to specific interfaces. There are 3 popular types of ACL: Standard, Extended and Named ACLs.
Standard IP Access List
Standard IP lists (1-99) only check source addresses of all IP packets.
Configuration Syntax
access-list access-list-number {permit | deny} source {source-mask}
Apply ACL to an interface
ip access-group access-list-number {in | out}
Example of Standard IP Access List
Configuration:
In this example we will define a standard access list that will only allow network 10.0.0.0/8 to access the server (located on the Fa0/1 interface)
Define which source is allowed to pass:
Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255
(there is always an implicit deny all other traffic at the end of each ACL so we don’t need to define forbidden traffic)
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 1 out
The ACL 1 is applied to permit only packets from 10.0.0.0/8 to go out of Fa0/1 interface while deny all other traffic. So can we apply this ACL to other interface, Fa0/2 for example? Well we can but
shouldn’t do it because users can access to the server from other interface (s0 interface, for example). So we can understand why an standard access list should be applied close to the destination.
Note: The “0.255.255.255″ is the wildcard mask part of network “10.0.0.0″. We will learn how to use wildcard mask later.
Extended IP Access List
Extended IP lists (100-199) check both source and destination addresses, specific UDP/TCP/IP protocols, and destination ports.
Configuration Syntax
access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]
Example of Extended IP Access List
In this example we will create an extended ACL that will deny FTP traffic from network 10.0.0.0/8 but allow other traffic to go through.
Note: FTP uses TCP on port 20 & 21.
Define which protocol, source, destination and port are denied:
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20
Router(config)#access-list 101 permit ip any any
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 101 out
Notice that we have to explicit allow other traffic (access-list 101 permit ip any any) as there is an “deny all” command at the end of each ACL.
As we can see, the destination of above access list is “187.100.1.6 0.0.0.0″ which specifies a host. We can use “host 187.100.1.6″ instead. We will discuss wildcard mask later.
In summary, below is the range of standard and extended access list
Access list type Range
Standard 1-99, 1300-1999
Extended 100-199, 2000-2699
Named IP Access List Configuration Syntax
ip access-list {standard | extended} {name | number}
Example of Named IP Access List
This is an example of the use of a named ACL in order to block all traffic except the Telnet connection from host 10.0.0.1/8 to host 187.100.1.6.
Define the ACL:
Router(config)#ip access-list extended in_to_out permit tcp host 10.0.0.1 host 187.100.1.6 eq telnet
(notice that we can use ‘telnet’ instead of port 23)
Apply this ACL to an interface:
Router(config)#interface Fa0/0
Router(config-if)#ip access-group in_to_out in
Where to place access list?
Standard IP access list should be placed close to destination.
Extended IP access lists should be placed close to the source.
How many access lists can be used?
You can have one access-list per protocol, per direction and per interface. For example, you can not have two access lists on the inbound direction of Fa0/0 interface. However you can have one inbound and one outbound access list applied on Fa0/0.
How to use the wildcard mask?
Wildcard masks are used with access lists to specify a host, network or part of a network.
The zeros and ones in a wildcard determine whether the corresponding bits in the IP address should be checked or ignored for ACL purposes. For example, we want to create a standard ACL which will only allow network 172.23.16.0/28 to pass through. We need to write an ACL, something like this:
access-list 1 permit 172.23.16.0 255.255.240.0
Of course we can’t write subnet mask in an ACL, we must convert it into wildcard mask by converting all bits 0 to 1 & all bits 1 to 0.
255 = 1111 1111 -> convert into 0000 0000
240 = 1111 0000 -> convert into 0000 1111
0 = 0000 0000 -> convert into 1111 1111
Therefore 255.255.240.0 can be written in wildcard mask as 00000000.00000000.00001111.11111111 = 0.0.15.255
Remember, for the wildcard mask, 1′s are I DON’T CARE, and 0′s are I CARE. Now let’s analyze our wildcard mask.
Two first octets are all 0′s meaning that we care about the network 172.23.x.x. The third octet, 15 (0000 1111 in binary), means that we care about first 4 bits but don’t care about last 4 bits so we allow the third octet in the form of 0001xxxx (minimum:00010000 = 16 ; maximum: 0001111 = 31).
The fourth octet is 255 (all 1 bits) that means I don’t care.
Therefore network 172.23.16.0 0.0.15.255 ranges from 172.23.16.0 to 172.23.31.255.
Some additional examples:
+ Block TCP packets on port 30 from any source to any destination:
Router(config)#access-list 101 deny tcp any any eq 30
+ Permit any IP packets in network 192.23.130.128 with subnet mask 255.255.255.248 to any network:
Router(config)#access-list 101 permit ip 192.23.130.128 0.0.0.7 any
Apply the access control list to an interface:
Router(config)#interface fastEthernet0/0
Router(config-if)#ip access-group 101 in
IPv6
Internet has been growing extremely fast so the IPv4 addresses are quickly approaching complete depletion. Although many organizations already use Network Address Translators (NATs) to map multiple private address spaces to a single public IP address but they have to face with other problems from NAT (the use of the same private address, security…). Moreover, many other devices than PC & laptop are requiring an IP address to go to the Internet. To solve these problems in long-term, a new version of the IP protocol – version 6 (IPv6) was created and developed.
IPv6 was created by the Internet Engineering Task Force (IETF), a standards body, as a replacement to IPv4 in 1998. So what happened with IPv5? IP Version 5 was defined for experimental reasons and never was deployed.
While IPv4 uses 32 bits to address the IP (provides approximately 232 = 4,294,967,296 unique addresses – but in fact about 3.7 billion addresses are assignable because the IPv4 addressing system separates the addresses into classes and reserves addresses for multicasting, testing, and other specific uses), IPv6 uses up to 128 bits which provides 2128 addresses or approximately 3.4 * 1038 addresses. Well, maybe we should say it is extremely extremely extremely huge :)
IPv6 Address Types
Address Type Description
Unicast One to One (Global, Link local, Site local)+ An address destined for a single interface.
Multicast One to Many+ An address for a set of interfaces+ Delivered to a group of interfaces identified by that address.+ Replaces IPv4 “broadcast”
Anycast One to Nearest (Allocated from Unicast)+ Delivered to the closest interface as determined by the IGP
A single interface may be assigned multiple IPv6 addresses of any type (unicast, anycast, multicast)
IPv6 address format
Format:
x:x:x:x:x:x:x:x – where x is a 16 bits hexadecimal field and x represents four hexadecimal digits.An example of IPv6:2001:0000:5723:0000:0000:D14E:DBCA:0764
There are:+ 8 groups of 4 hexadecimal digits.+ Each group represents 16 bits (4 hexa digits * 4 bit)+ Separator is “:”+ Hex digits are not case sensitive, so “DBCA” is same as “dbca” or “DBca”…
IPv6 (128-bit) address contains two parts:+ The first 64-bits is known as the prefix. The prefix includes the network and subnet address. Because addresses are allocated based on physical location, the prefix also includes global routing information. The 64-bit prefix is often referred to as the global routing prefix.+ The last 64-bits is the interface ID. This is the unique address assigned to an interface.
Note: Addresses are assigned to interfaces (network connections), not to the host. Each interface can have more than one IPv6 address.
Rules for abbreviating IPv6 Addresses:
+ Leading zeros in a field are optional
2001:0DA8:E800:0000:0260:3EFF:FE47:0001 can be written as
2001:DA8:E800:0:260:3EFF:FE47:1
+ Successive fields of 0 are represented as ::, but only once in an address:
2001:0DA8:E800:0000:0000:0000:0000:0001 -> 2001:DA8:E800::1
Other examples:– FF02:0:0:0:0:0:0:1 => FF02::1– 3FFE:0501:0008:0000:0260:97FF:FE40:EFAB = 3FFE:501:8:0:260:97FF:FE40:EFAB = 3FFE:501:8::260:97FF:FE40:EFAB– 0:0:0:0:0:0:0:1 => ::1– 0:0:0:0:0:0:0:0 => ::
IPv6 Addressing In Use
IPv6 uses the “/” notation to denote how many bits in the IPv6 address represent the subnet.
The full syntax of IPv6 is
ipv6-address/prefix-length
Where
+ ipv6-address is the 128-bit IPv6 address+ /prefix-length is a decimal value representing how many of the left most contiguous bits of the address comprise the prefix.
Let’s analyze an example:2001:C:7:ABCD::1/64 is really2001:000C:0007:ABCD:0000:0000:0000:0001/64+ The first 64-bits 2001:000C:0007:ABCD is the address prefix+ The last 64-bits 0000:0000:0000:0001 is the interface ID+ /64 is the prefix length (/64 is well-known and also the prefix length in most cases)
The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for the assignment of IPv6 addresses. ICANN assigns a range of IP addresses to Regional Internet Registry (RIR) organizations. The size of address range assigned to the RIR may vary but with a minimum prefix of /12 and belong to the following range: 2000::/12 to 200F:FFFF:FFFF:FFFF::/64.
Each ISP receives a /32 and provides a /48 for each site-> every ISP can provide 2(48-32) = 65,536 site addresses (note: each network organized by a single entity is often called a site).Each site provides /64 for each LAN -> each site can provide 2(64-48) = 65,536 LAN addresses for use in their private networks.So each LAN can provide 264 interface addresses for hosts.
-> Global routing information is identified within the first 64-bit prefix.Note: The number that represents the range of addresses is called a prefix
Now let’s see an example of IPv6 prefix: 2001:0A3C:5437:ABCD::/64:
In this example, the RIR has been assigned a 12-bit prefix. The ISP has been assigned a 32-bit prefix and the site is assigned a 48-bit site ID. The next 16-bit is the subnet field and it can allow 216, or 65536 subnets. This number is redundant for largest corporations on the world!
The 64-bit left (which is not shown the above example) is the Interface ID or host part and it is much more bigger: 64 bits or 264 hosts per subnet! For example, from the prefix 2001:0A3C:5437:ABCD::/64 an administrator can assign an IPv6 address 2001:0A3C:5437:ABCD:218:34EF:AD34:98D to a host.
IPv6 Address Scopes
Address types have well-defined destination scopes:
IPv6 Address Scopes
Description
Link-local address + only used for communications within the local subnetwork (automatic address configuration, neighbor discovery, router discovery, and by many routing protocols). It is only valid on the current subnet.+ routers do not forward packets with link-local addresses.+ are allocated with the FE80::/64 prefix -> can be easily recognized by the prefix FE80. Some books indicate the range of link-local address is FE80::/10, meaning the first 10 bits are fixed and link-local address can begin with FE80, FE90,FEA0 and FEB0 but in fact the next 54 bits are all 0s so you will only see the prefix FE80 for link-local address.+ same as 169.254.x.x in IPv4, it is assigned when a DHCP server is unavailable and no static addresses have been assigned+ is usually created dynamically using a link-local prefix of FE80::/10 and a 64-bit interface identifier (based on 48-bit MAC address).
Global unicast address
+ unicast packets sent through the public Internet+ globally unique throughout the Internet+ starts with a 2000::/3 prefix (this means any address beginning with 2 or 3). But in the future global unicast address might not have this limitation
Site-local address + allows devices in the same organization, or site, to exchange data.+ starts with the prefix FEC0::/10. They are analogous to IPv4′s private address classes.+ Maybe you will be surprised because Site-local addresses are no longer supported (deprecated) by RFC 3879 so maybe you will not see it in the future.
All nodes must have at least one link-local address, although each interface can have multiple addresses.
However, using them would also mean that NAT would be required and addresses would again not be end-to-end.Site-local addresses are no longer supported (deprecated) by RFC 3879.
Special IPv6 Addresses
IPv6 Address Description
::/0 + All routes and used when specifying a default static route+ Equivalent to the IPv4 quad-zero (0.0.0.0)
::/128 + Unspecified address and is initially assigned to a host when it first resolves its local link address.
::1/128 + Loopback address of local host.+ Equivalent to 127.0.0.1 in IPv4.+ can be used to verify that the TCP/IP protocol stack has been properly installed on the host
FE80::/10 + Link-local unicast address.+ Similar to the Windows auto-configuration IP address of 169.254.x.x.
FF00::/8 + Multicast addresses
All other addresses
+ Global unicast address
Reserved IPv6 Multicast Addresses
Reserved Multicast Address
Description
FF02::1 + All nodes on a link (link-local scope).
FF02::2 + All routers on a link
FF02::9 + All routing information protocol (RIP) routers on a link
FF02::1:FFxx:xxxx + All solicited-node multicast addresses used for host auto-configuration and neighbor discovery (similar to ARP in IPv4)+ The xx:xxxx is the far right 24 bits of the corresponding unicast or anycast address of the node
FF05::101 + All Network Time Protocol (NTP) servers
Wireless In this article we will discuss about Wireless technologies mentioned in CCNA.
Wireless LAN (WLAN) is very popular nowadays. Maybe you have ever used some wireless applications on your laptop or cellphone. Wireless LANs enable users to communicate without the need of cable. Below is an example of a simple WLAN:
Each WLAN network needs a wireless Access Point (AP) to transmit and receive data from users. Unlike a wired network which operates at full-duplex (send and receive at the same time), a wireless network operates at half-duplex so sometimes an AP is referred as a Wireless Hub.
The major difference between wired LAN and WLAN is WLAN transmits data by radiating energy waves, called radio waves, instead of transmitting electrical signals over a cable.
Also, WLAN uses CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) instead of CSMA/CD for media access. WLAN can’t use CSMA/CD as a sending device can’t transmit and receive data at the same time. CSMA/CA operates as follows:
+ Listen to ensure the media is free. If it is free, set a random time before sending data+ When the random time has passed, listen again. If the media is free, send the data. If not, set another random time again+ Wait for an acknowledgment that data has been sent successfully+ If no acknowledgment is received, resend the data
IEEE 802.11 standards:
Nowadays there are three organizations influencing WLAN standards. They are:
+ ITU-R: is responsible for allocation of the RF bands+ IEEE: specifies how RF is modulated to transfer data+ Wi-Fi Alliance: improves the interoperability of wireless products among vendors
But the most popular type of wireless LAN today is based on the IEEE 802.11 standard, which is known informally as Wi-Fi.
* 802.11a: operates in the 5.7 GHz ISM band. Maximum transmission speed is 54Mbps and approximate wireless range is 25-75 feet indoors.* 802.11b: operates in the 2.4 GHz ISM band. Maximum transmission speed is 11Mbps and approximate wireless range is 100-200 feet indoors.* 802/11g: operates in the 2.4 GHz ISM band. Maximum transmission speed is 54Mbps and approximate wireless range is 100-200 feet indoors.
ISM Band: The ISM (Industrial, Scientific and Medical) band, which is controlled by the FCC in the US, generally requires licensing for various spectrum use. To accommodate wireless LAN’s, the FCC has set aside bandwidth for unlicensed use including the 2.4Ghz spectrum where many WLAN products operate.
Wi-Fi: stands for Wireless Fidelity and is used to define any of the IEEE 802.11 wireless standards. The term Wi-Fi was created by the Wireless Ethernet Compatibility Alliance (WECA). Products certified as Wi-Fi compliant are interoperable with each other even if they are made by different manufacturers.
Access points can support several or all of the three most popular IEEE WLAN standards including 802.11a, 802.11b and 802.11g.
WLAN Modes:
WLAN has two basic modes of operation:
* Ad-hoc mode: In this mode devices send data directly to each other without an AP.
* Infrastructure mode: Connect to a wired LAN, supports two modes (service sets):
+ Basic Service Set (BSS): uses only a single AP to create a WLAN+ Extended Service Set (ESS): uses more than one AP to create a WLAN, allows roaming in a larger area than a single AP. Usually there is an overlapped area between two APs to support roaming. The overlapped area should be more than 10% (from 10% to 15%) to allow users moving between two APs without losing their connections (called roaming). The two adjacent APs should use non-overlapping channels to avoid interference. The most popular non-overlapping channels are channels 1, 6 and 11 (will be explained later).
Roaming: The ability to use a wireless device and be able to move from one access point’s range to another without losing the connection.
When configuring ESS, each of the APs should be configured with the same Service Set Identifier (SSID) to support roaming function. SSID is the unique name shared among all devices on the same wireless network. In public places, SSID is set on the AP and broadcasts to all the wireless devices in range. SSIDs are case sensitive text strings and have a maximum length of 32 characters. SSID is also the minimum requirement for a WLAN to operate. In most Linksys APs (a product of Cisco), the default SSID is “linksys”.
In the next part we will discuss about Wireless Encoding, popular Wireless Security Standard and some sources of wireless interference.
Wireless Encoding
When a wireless device sends data, there are some ways to encode the radio signal including frequency, amplitude & phase.
Frequency Hopping Spread Spectrum (FHSS): uses all frequencies in the band, hopping to different ones after fixed time intervals. Of course the next frequency must be predetermined by the transmitter and receiver.
The main idea of this method is signals sent on different frequencies will be received at different levels of quality. By hopping to different frequencies, signals will be greatly improved the possibility that most of it will get through. For example, suppose there is another device using the 150-250 kHz range. If our device transmits in this range then the signals will be significantly interfered. By hopping at different frequencies, there is only a small interference while transmitting and it is acceptable.
Direct Sequence Spread Spectrum (DSSS): This method transmits the signal over a wider frequency band than required by multiplying the original user data with a pseudo random spreading code. The result is a wide-band signal which is very “durable” to noise. Even some bits in this signal are damaged during transmission, some statistical techniques can recover the original data without the need for retransmission.
Note: Spread spectrum here means the bandwidth used to transfer data is much wider than the bandwidth needs to transfer that data.
Traditional communication systems use narrowband signal to transfer data because the required bandwidth is minimum but the signal must have high power to cope with noise. Spread Spectrum does the opposite way when transmitting the signal with much lower power level (can transmit below the noise level) but with much wider bandwidth. Even if the noise affects some parts of the signal, the receiver can easily recover the original data with some algorithms.
Now you understand the basic concept of DSSS. Let’s discuss about the use of DSS in the 2.4 GHz unlicensed band.
The 2.4 GHz band has a bandwidth of 82 MHz, with a range from 2.402 GHz to 2.483 GHz. In the USA, this band has 11 different overlapping DSSS channels while in some other countries it can have up to 14 channels. Channels 1, 6 and 11 have least interference with each other so they are preferred over other channels.
Orthogonal Division Multiplexing (OFDM): encodes a single transmission into multiple sub-carriers to save bandwidth. OFDM selects channels that overlap but do not interfere with each other by selecting the frequencies of the subcarriers so that at each subcarrier frequency, all other subcarriers do not contribute to overall waveform.
In the picture below, notice that only the peaks of each subcarrier carry data. At the peak of each of the subcarriers, the other two subcarriers have zero amplitude.
Below is a summary of the encoding classes which are used popularly in WLAN.
Encoding Used by
FHSS The original 802.11 WLAN standards used FHSS, but the current standards (802.11a, 802.11b, and 802.11g) do not
DSSS 802.11b
OFDM 802.11a, 802.11g, 802.11n
WLAN Security Standards
Security is one of the most concerns of people deploying a WLAN so we should grasp them.
Wired Equivalent Privacy (WEP)
WEP is the original security protocol defined in the 802.11b standard so it is very weak comparing to newer security protocols nowadays.
WEP is based on the RC4 encryption algorithm, with a secret key of 40 bits or 104 bits being combined with a 24-bit Initialisation Vector (IV) to encrypt the data (so sometimes you will hear “64-bit” or “128-bit” WEP key). But RC4 in WEP has been found to have weak keys and can be cracked easily within minutes so it is not popular nowadays.
The weak points of WEP is the IV is too small and the secret key is static (the same key is used for both encryption and decryption in the whole communication and never expires).
Wi-Fi Protected Access (WPA)
In 2003, the Wi-Fi Alliance developed WPA to address WEP’s weaknesses. Perhaps one of the most important improvements of WPA is the Temporal Key Integrity Protocol (TKIP) encryption, which changes the encryption key dynamically for each data transmission. While still utilizing RC4 encryption, TKIP utilizes a temporal encryption key that is regularly renewed, making it more difficult for a key to be stolen. In addition, data integrity was improved through the use of the more robust hashing mechanism, the Michael Message Integrity Check (MMIC).
In general, WPA still uses RC4 encryption which is considered an insecure algorithm so many people viewed WPA as a temporary solution for a new security standard to be released (WPA2).
Wi-Fi Protected Access 2 (WPA2)
In 2004, the Wi-Fi Alliance updated the WPA specification by replacing the RC4 encryption algorithm with Advanced Encryption Standard-Counter with CBC-MAC (AES-CCMP), calling the new standard WPA2. AES is much stronger than the RC4 encryption but it requires modern hardware.
Standard Key Distribution Encryption
WEP Static Pre-Shared Weak
WPA Dynamic TKIP
WPA2 Both (Static & Dynamic) AES
Wireless Interference
The 2.4 GHz & 5 GHz spectrum bands are unlicensed so many applications and devices operate on it, which cause interference. Below is a quick view of the devices operating in these bands:
+ Cordless phones: operate on 3 frequencies, 900 MHz, 2.4 GHz, and 5 GHz. As you can realize, 2.4 GHz and 5 GHz are the frequency bands of 802.11b/g and 802.11a wireless LANs.
Most of the cordless phones nowadays operate in 2.4 GHz band and they use frequency hopping spread spectrum (FHSS) technology. As explained above, FHSS uses all frequencies in the the entire 2.4 GHz spectrum while 802.11b/g uses DSSS which operates in about 1/3 of the 2.4 GHz band (1 channel) so the use of the cordless phones can cause significant interference to your WLAN.
An example of cordless phone
+ Bluetooth: same as cordless phone, Bluetooth devices also operate in the 2.4 GHz band with FHSS technology. Fortunately, Bluetooth does not cause as much trouble as cordless phone because it usually transfers data in a short time (for example you copy some files from your laptop to your cellphone via Bluetooth) within short range. Moreover, from version 1.2 Bluetooth defined the adaptive frequency hopping (AFH) algorithm. This algorithm allows Bluetooth devices to periodically listen and mark channels as good, bad, or unknown so it helps reduce the interference with our WLAN.
+ Microwaves (mostly from oven): do not transmit data but emit high RF power and heating energy. The magnetron tubes used in the microwave ovens radiate a continuous-wave-like at frequencies close to 2.45 GHz (the center burst frequency is around 2.45 – 2.46 GHz) so they can interfere with the WLAN.
+ Antenna: There are a number of 2.4 GHz antennas on the market today so they can interfere with your wireless network.
+ Metal materials or materials that conduct electricity deflect Wi-Fi signals and create blind spots in your coverage. Some of examples are metal siding and decorative metal plates.
+ Game controller, Digital Video Monitor, Wireless Video Camera, Wireless USB may also operate at 2.4 GHz and cause interference too.
Wan
Wan terms definitions Encapsulation method hdlc ppp
WANs use facilities provided by a service provider, or carrier, such as a telephone or cable company. They connect the locations of an organization to each other, to locations of other organizations, to external services, and to remote users. WANs generally carry a variety of traffic types, such as voice, data, and video.
WAN connections are made up of many types of equipment and components.data communications equipment (DCE) terminates a connection between two sites and provides clocking and synchronization for that connection; it connects to data termination equipment (DTE).A DTE is an end-user device, such as a router or PC, which connects to the WAN via the DCE.
Customer premises equipment (CPE) is equipment that's owned by the subscriber and located on the subscriber’s premises.
Demarcation pointThe demarcation point is the precise spot where the service provider’s responsibility ends and the CPE begins. It’s generally a device in a telecommunications closet owned and installed by the telecommunications company (telco). It’s your responsibility to cable (extended demarc) from this box to the CPE, which is usually a connection to a CSU/DSU or ISDN interface.
Local loopThe local loop connects the demarc to the closest switching office, which is called a central office.
Central office (CO)This point connects the customer’s network to the provider’s switching network.
Toll networkThe toll network is a trunk line inside a WAN provider’s network. This network is a collection of switches and facilities owned by the ISP. Definitely familiarize yourself with these terms because they’re crucial to understanding WAN technologies.
Synchronous V/s asynchronous
Synchronous serial connection allows you to simultaneously send and receive information without having to wait for any signal from the remote side. Nor does a synchronous connection need to indicate when it is beginning to send something or the end of a transmission. These two things, plus how clocking is done, are the three major differences between synchronous and asynchronous connections—asynchronous connections are typically used for dialup connections, such as modems.
Wide-area networking can be broken into three categories:
Leased line
Circuit switched
Packet switched
Leased-Line Connections
In lease line, you get your very own piece of wire from your location to the service provider's network. This is good because no other customer can affect your line, as can be the case with otherWAN services. You have a lot of control over this circuit to do things such as Quality of Service and other traffic management. The downside is that a leased line is expensive and gets a lot more expensive if you need to connect offices that are far apart.
These are usually referred to as a point-to-point or dedicated connection. A leased line is a pre-established WAN communications path that goes from the CPE through the DCE switch, then over to the CPE of the remote site.
The distance between the two sites is small, making them cost-effective.
You have a constant amount of traffic between two sites and need to guarantee bandwidth for certain applications
Circuit-Switched Connections
A circuit-switched WAN uses the phone company as the service provider, either with analog dial-up or digital ISDN connections. With circuit-switching, if you need to connect to the remote LAN, a call is dialed and a circuit is established; the data is sent across the circuit, and the circuit is taken down when it is no longer needed. Circuit-switched connections include the following types:
Asynchronous serial connectionsthese include analog modem dialup connections and the standard telephone system, which is commonly referred to as Plain Old Telephone Service (POTS) by the telephone carriers.
Synchronous serial connectionsthese include digital ISDN BRI and PRI dialup connections; they provide guaranteed bandwidth.
Packet-Switched Connections
Packet-switched WAN services allow you to connect to the provider's network in much the same way as a PC connects to a hub: When connected, your traffic is affected by other customers' and theirs by you. This can be an issue sometimes, but it can be managed. The advantage of this shared-bandwidth technology is that with a single physical connection from your router's serial port, you can establish virtual connections to many other locations around the world. Packet-switched connections use logical circuits to make connections between two sites. These logical circuits are referred to as virtual circuits (VCs). So if you have a lot of branch offices and they are far away from the head office, a packet-switched solution is a good idea.
X.25The oldest of these four technologies is X.25, which is an ITU-T standard. X.25 is a network layer protocol that runs across both synchronous and asynchronous physical circuits, providing a lot of flexibility for your connection options. X.25 was actually developed to run across unreliable medium. It provides error detection and correction, as well as flow control, at both the data link layer (by LAPB) and the network layer (by X.25). In this sense, it performs a function similar to what TCP, at the transport layer, provides for IP. Because of its overhead, X.25 is best delegated to asynchronous, unreliable connections. If you have a synchronous digital connection, another protocol, such as Frame Relay or ATM, is much more efficient.
Frame RelayFrame Relay is a digital packet-switched service that can run only across synchronous digital connections at the data link layer. Because it uses digital connections (which have very few errors), it does not perform any error correction or flow control as X.25 does. Frame Relay will, however, detect errors and drops bad frames. It is up to a higher layer protocol, such as TCP, to resend the dropped information.
ATMATM is also a packet-switched technology that uses digital circuits. Unlike Frame Relay and X.25, however, this service uses fixed-length (53 byte) packets, called cells, to transmit information. Therefore, this service is commonly called a cell-switched service. It has an advantage over Frame
Relay in that it can provide guaranteed throughput and minimal delay for a multitude of services, including voice, video, and data. However, it does cost more than Frame Relay services. ATM (sort of an enhanced Frame Relay) can offer a connection guaranteed bandwidth, limited delay, limited number of errors, Quality of Service (QoS), and more. Frame Relay can provide some minimal guarantees to connections, but not to the degree of precision that ATM can. Whereas Frame Relay is limited to 45 Mbps connections, ATM can scale to very high speeds: OC-192 (SONET), for instance, affords about 10 Gbps of bandwidth.
Encapsulation method
With each WAN solution, there is an encapsulation type. Encapsulations wrap an information envelope around your data that is used to transport your data traffic. If you use leased line as your wide-area networking choice, you can encapsulate your data inside a High-Level Data-Link Control (HDLC) frame, PPP frame, or Serial Line IP (SLIP) frame. For packet-switched networks, you can encapsulate or package your data in X.25 frames, Frame Relay, or Asynchronous Transfer Mode (ATM) frames.
HDLC
Based on ISO standards, the HDLC (High-Level Data Link Control) protocol can be used with synchronous and asynchronous connections and defines the frame type and interaction between two devices at the data link layer. Cisco's HDLC is a proprietary protocol and will not work with other company's router.
PPP
PPP (the Point-to-Point Protocol) is based on an open standard.
PPP has two main components:
LCP (Link Control Protocol)
NCP (Network Control Protocol)
NCP is responsible for supporting multiple Layer 3 protocols. Each protocol has its own NCP, such as the IPCP for IP communication and IPXCP for IPX communication. Think of NCP as the "packager"; it is responsible for packaging, or encapsulating, your packets into a control protocol that is readable by PPP.
The link control protocol is used for establishing the link and negotiating optional settings. These options include
Compression— You can compress your data to conserve bandwidth across your WAN. Options for compression are Stacker and Predictor.
Callback— With callback, you dial into a router using a modem or ISDN and then disconnect. The other router then calls you back at a predefined number. This option is used for centralized billing and security reasons.
Multilink— Multilink allows you to bundle together more than one link to create more bandwidth. (Traffic will load balance across the links.) For example, you can bundle two 64K channels together to get a combined 128K.
Authentication— You can use authentication to verify a router's identity when it is connecting into your router. Options for authentication include CHAP and PAP.
PPP Authentication
PAP goes through a two-way handshake process. In this process, the source sends its username (or hostname) and password, in clear text, to the destination. The destination compares this information with a list of locally stored usernames and passwords. If it finds a match, the destination sends back an accept message. If it doesn't find a match, it sends back a reject message.
CHAP uses a three-way handshake process to perform the authentication. The source sends its username (not its password) to the destination. The destination sends back a challenge, which is a random value generated by the destination. used by the source to find the appropriate password to use for authentication Both sides then take the source's username, the matching password, and the challenge and run them through the MD5 hashing function. The source then takes the result of thisfunction and sends it to the destination. The destination compares this value to the hashed output that it generated—if the two values match, then the password used by the source must have been the same as was used by the destination, and thus the destination will permit the connection.
Frame Relay
Let’s start this article with the question: Why do we need Frame Relay?
Let’s take a simple example. Suppose you are working in a big company and your company has just expanded to two new locations. The main site is connected to two branch offices, named Branch 1 & Branch 2 and your boss wants these two branches can communicate with the main site. The most simple solution is to connect them directly (called a leased line) as shown below:
To connect to these two branches, the main site router, HeadQuarter, requires two serial interfaces which a router can provide. But what happens when the company expands to 10 branches, 50 branches? For each point-to-point line, HeadQuarter needs a separate physical serial interface (and maybe a separate CSU/DSU if it is not integrated into the WAN card). As you can imagine, it will need many routers with many interfaces and lots of rack space for the routers and CSU/DSUs. Maybe we should use another solution for this problem? Luckily, Frame Relay can do it!
By using Frame Relay we only need one serial interface at the HeadQuarter to connect to all branches. This is also true when we expand to 10 or 50 branches. Moreover, the cost is much lesser than using leased-lines.
Frame Relay is a high-performance WAN protocol that operates at the physical and data link layers of the OSI reference model. It offers lower-cost data transfer when compared to typical point-to-point applications, by using virtual connections within the frame relay network and by combining those connections into a single physical connection at each location. Frame relay providers use a frame relay switch to route the data on each virtual circuit to the appropriate destination.
Maybe these terminologies of Frame Relay are difficult to understand so we will explain them in more detail in this article.
DCE & DTE
The first concept in Frame Relay you must grasp is about DTE & DCE:
+ Data terminal equipment (DTE), which is actually the user device and the logical Frame-relay end-system+ Data communication equipment (DCE, also called data circuit-terminating equipment), which consists of modem and packet switch
In general, the routers are considered DTE, and the Frame Relay switches are DCE. The purpose of DCE equipment is to provide clocking and switching services in a network. In our example, HeadQuarter, Branch 1 & Branch 2 are DTEs while Frame Relay switches are DCEs.
Virtual Circuits
The logical connection through the Frame Relay network between two DTEs is called a virtual circuit (VC). The term “virtual” here means that the two DTEs are not connected directly but through a network. For example, the HeadQuarter & Branch 1 (or Branch 2) can communicate with each other as if they were directly connected but in fact they are connected through a Frame Relay network with many Frame Relay switches between them.
There are two types of VCs+ switched virtual circuits (SVCs): are temporary connections that are only used when there is sporadic data transfer between DTE devices across the Frame Relay network. SVC is set up dynamically when needed. SVC connections require call setup and termination for each connection.+ permanent virtual circuits (PVCs): A predefined VC. A PVC can be equated to a leased line in concept.
Nowadays most service providers offer PVC service only to save additional costs for signaling and billing procedures.
In this part we will continue to discuss about other important Frame Relay parameters
DLCI
Although the above picture shows two VCs from the HeadQuarter but do you remember that the HeadQuarter only has only one serial interface? So how can it know which branch it should send the frame to?
Frame-relay uses data-link connection identifiers (DLCIs) to build up logical circuits. The identifiers have local meaning only, that means that their values are unique per router, but not necessarily in the other routers. For example, there is only one DLCI of 23 representing for the connection from HeadQuarter to Branch 1 and only one DLCI of 51 from HeadQuarter to Branch 2. Branch 1 can use the same DLCI of 23 to represent the connection from it to HeadQuarter. Of course it can use other DLCIs as well because DLCIs are just local significant.
By including a DLCI number in the Frame Relay header, HeadQuarter can communicate with both Branch 1 and Branch 2 over the same physical circuit.
DLCI values typically are assigned by the Frame Relay service provider (for example, the telephone company). In Frame Relay, DLCI is a 10-bit field.
Before DLCI can be used to route traffic, it must be associated with the IP address of its remote router. For example, suppose that:
+ HeadQuarter’s IP address is 9.9.9.9+ Branch 1′s IP address is 1.1.1.1+ Branch 2′s IP address is 2.2.2.2
Then the HeadQuarter will need to map Branch 1 IP address to DLCI 23 & map Branch 2 IP address to DLCI 51. After that it can encapsulate data inside a Frame Relay frame with an appropriate DLCI number and send to the destination. The mapping of DLCIs to Layer 3 addresses can be handled manually or dynamically.
* Manually (static): the administrators can statically assign a DLCI to the remote IP address by the following statement:
Router(config-if)#frame-relay map protocol dlci [broadcast]
For example HeadQuarter can assign DLCIs of 23 & 51 to Branch 1 & Branch 2 with these commands:
HeadQuarter(config-if)#frame-relay map ip 1.1.1.1 23 broadcastHeadQuarter(config-if)#frame-relay map ip 2.2.2.2 51 broadcast
We should use the “broadcast” keyword here because by default split-horizon will prevent routing updates from being sent back on the same interface it received. For example, if Branch 1 sends an update to HeadQuarter then HeadQuarter can’t send that update to Branch 2 because they are received and sent on the same interface. By using the “broadcast” keyword, we are telling the HeadQuarter to send a copy of any broadcast or multicast packet received on that interface to the virtual circuit specified by the DLCI value in the “frame-relay map” statement. In fact the copied packet will be sent via unicast (not broadcast) so sometimes it is called “pseudo-broadcast”.
Note: “frame-relay interface-dlci” command can be used to statically assign (bind) a DLCI number to a physical interface.
Note: In fact, we need to run a routing protocol (like OSPF, EIGRP or RIP…) to make different networks see each other
* Dynamic: the router can send an Inverse ARP request to the other end of the PVC for its Layer 2 address. In short, Inverse ARP will attempt to learn its neighboring devices IP addresses and automatically create a dynamic map table. By default, physical interfaces have Inverse ARP enabled.
We will take an example of how Inverse ARP works with the topology above. At the beginning, all routers are not configured with static mapping and HeadQuarter has not learned the IP addresses of
Branch 1 & 2 yet. It only has 2 DLCI values on s0/0 interface (23 & 51). Now it needs to find out who are attached to these DLCIs so it sends an Inverse ARP Request on s0/0 interface. Notice that the router will send Inverse ARP Request out on every DLCI associated with the interface.
In the Inverse ARP Request, HeadQuarter also includes its IP 9.9.9.9. When Branch 1 & 2 receive this request, they send back an Inverse ARP Reply with their own IP addresses.
Now all the routers have a pair of DLCI & IP address of the router at the other end so data can be forwarded to the right destination.
In this example you can see that each router has a DLCI first (Layer 2) and it needs to find out the IP address (Layer 3). This process is opposite of the ARP process (ARP translates Layer 3 address to Layer 2 address) so it is called Inverse ARP.
After the Inverse ARP process completes, we can use the “show frame-relay map” to check. The word “dynamic” indicates the mapping was learned through Inverse ARP (the output below is not related to the above topology):
By default, routers send Inverse ARP messages on all active DLCIs every 60 seconds.
Another thing you should notice is when you supply a static map (via “frame-relay map” command), Inverse ARP is automatically disabled for the specified protocol on the specified DLCI.
In the last part we will mainly learn about LMI, which is the signaling protocol of Frame Relay
LMI
Local Management Interface (LMI) is a signaling standard protocol used between your router (DTE) and the first Frame Relay switch. The LMI is responsible for managing the connection and maintaining the status of your PVC.
LMI includes:+ A keepalive mechanism, which verifies that data is flowing+ A multicast mechanism, which provides the network server (router) with its local DLCI.+ A status mechanism, which provides PVC statuses on the DLCIs known to the switch
In our example, when HeadQuarter is configured with Frame Relay, it sends an LMI Status Inquiry message to the DCE. The response from the DCE might be a small Hello message or a full status report about the PVCs in use containing details of all the VCs configured (DLCI 23 & 51). By default, LMI messages are sent out every 10 seconds.
The four possible PVC states are as follows:+ Active state: Indicates that the connection is active and that routers can exchange data.+ Inactive state: Indicates that the local connection to the Frame Relay switch is working, but the remote router connection to the Frame Relay switch is not working.+ Deleted state: Indicates that no LMI is being received from the Frame Relay switch, or that there is no service between the customer router and Frame Relay switch.+ Static state: the Local Management Interface (LMI) mechanism on the interface is disabled (by using the “no keepalive” command). This status is rarely seen so it is ignored in some books.
We can use the “show frame-relay lmi” to display LMI statistics of Frame Relay on enabled interfaces of the router. The output shows the LMI type used by the Frame Relay interface and the counters for the LMI status exchange sequence, including errors such as LMI timeouts.
Cisco routers support the following three LMI types:* Cisco: LMI type de?ned jointly by Cisco, StrataCom, Northern Telecom (Nortel), and Digital Equipment Corporation* ANSI: ANSI T1.617 Annex D* Q.933A: ITU-T Q.933 Annex A
Notice that three types of LMI are not compatible with each others so the LMI type must match between the provider Frame Relay switch and the customer DTE device.
From Cisco IOS Release 11.2, the router attempts to automatically detect the type of LMI used by the provider switch.
Note: LMI is required for Inverse ARP to function because it needs to know that the PVC is up before sending out Inverse ARP Request.
Now you learn most of Frame Relay mentioned in CCNA, some other Frame Relay’s characteristics you should know are mentioned below.
Other Frame Relay characteristics
+ Frame Relay provides no error recovery mechanism. It only provides CRC error detection.+ Unlike with LANs, you cannot send a data link layer broadcast over Frame Relay. Therefore, Frame Relay networks are callednonbroadcast multiaccess (NBMA) networks.+ Depending on the bandwidth needed for each virtual connection, the customer can order a circuit with a guaranteed amount of bandwidth. This amount is the Committed Information Rate (CIR). CIR defines how much bandwidth the customer is “guaranteed” during normal network operation.+ Any data transmitted above this purchased rate (CIR) is available for discard by the network if the network doesn’t have available bandwidth.+ If the Frame relay switch begins to experience congestion, it sends the upstream site (to the source) a Backward explicit congestion notification (BECN) and the downstream site (to the destination) a Forward explicit congestion notification(FECN).
+ There are two Frame Relay encapsulation types: the Cisco encapsulation and the IETF Frame Relay encapsulation, which is in conformance with RFC 1490 and RFC 2427. The former is often used to connect two Cisco routers while the latter is used to connect a Cisco router to a non-Cisco router.
+ Frame Relay does not define the way the data is transmitted within the service provider’s network once the traffic reaches the provider’s switch. So the providers can use Frame Relay, ATM or PPP… inside their networks.
Layer 2 Encapsulation Protocols
Besides Frame Relay there are other Layer 2 Encapsulation Protocols that you can implement instead:
High-Level Data Link Control (HDLC): The default encapsulation type for Cisco routers on point-to-point dedicated links and circuit-switched connections. HDLC is a Cisco proprietary protocol.
Point-to-Point Protocol (PPP): Provides connections between devices over several types of physical interfaces, such as asynchronous serial, High-Speed Serial Interface (HSS1), ISDN, and synchronous. PPP works with many network layer protocols, including IP and IPX. PPP can use either Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) for authentication.X.25/Link Access Procedure, Balanced (LAPB): Defines connections between DTE and DCE for remote terminal access. LAPB is a data link layer protocol specified by X.25.Asynchronous Transfer Mode (ATM): International standard for cell relay using fixed-length (53-byte) cells for multiple service types. Fixed-length cells allow hardware processing, which greatly reduces transit delays. ATM takes advantage of high-speed transmission media such as E3, T3, and Synchronous Optical Network (SONET)