BCRAN Exam Cram 2 (642-821)
Eric Quinn
Fred Glauser

Copyright © 2004 by Que Publishing

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

International Standard Book Number: 0-789-73020-0
Library of Congress Catalog Card Number: 2003109278
Printed in the United States of America
First Printing: November 2003
06 05 04 03 4 3 2 1

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Que Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author(s) and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.

Bulk Sales
Que Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact U.S. Corporate and Government Sales, 1-800-382-3419, [email protected]
For sales outside of the U.S., please contact International Sales, +1-317-428-3341, [email protected]

Publisher: Paul Boger
Executive Editor: Jeff Riley
Acquisitions Editor: Carol Ackerman
Development Editor: Michael Watson
Managing Editor: Charlotte Clapp
Project Editor: Elizabeth Finney
Copy Editor: Kris Simmons
Indexer: Erika Millen
Proofreader: Tracy Donhardt
Technical Editors: Matthew Miller, Jeremy Cioara, Michelle Plumb, Claudia Vautz
Team Coordinator: Pamalee Nelson
Multimedia Developer: Dan Scherf
Interior Designer: Gary Adair
Cover Designer: Anne Jones
Page Layout: Julie Parks

Que Certification • 800 East 96th Street • Indianapolis, Indiana 46240
A Note from Series Editor Ed Tittel

You know better than to trust your certification preparation to just anybody. That’s why you, and more than two million others, have purchased an Exam Cram book. As Series Editor for the new and improved Exam Cram 2 series, I have worked with the staff at Que Certification to ensure you won’t be disappointed. That’s why we’ve taken the world’s best-selling certification product—a finalist for “Best Study Guide” in a CertCities reader poll in 2002—and made it even better.

As a “Favorite Study Guide Author” finalist in a 2002 poll of CertCities readers, I know the value of good books. You’ll be impressed with Que Certification’s stringent review process, which ensures the books are high-quality, relevant, and technically accurate. Rest assured that at least a dozen industry experts—including the panel of certification experts at CramSession—have reviewed this material, helping us deliver an excellent solution to your exam preparation needs. We’ve also added a preview edition of PrepLogic’s powerful, full-featured test engine, which is trusted by certification students throughout the world.

As a 20-year-plus veteran of the computing industry and the original creator and editor of the Exam Cram series, I’ve brought my IT experience to bear on these books. During my tenure at Novell from 1989 to 1994, I worked with and around its excellent education and certification department. This experience helped push my writing and teaching activities heavily in the certification direction. Since then, I’ve worked on more than 70 certification-related books, and I write about certification topics for numerous Web sites and for Certification magazine.

In 1996, while studying for various MCP exams, I became frustrated with the huge, unwieldy study guides that were the only preparation tools available. As an experienced IT professional and former instructor, I wanted “nothing but the facts” necessary to prepare for the exams. From this impetus, Exam Cram emerged in 1997. It quickly became the best-selling computer book series since “…For Dummies,” and the best-selling certification book series ever. By maintaining an intense focus on subject matter, tracking errata and updates quickly, and following the certification market closely, Exam Cram was able to establish the dominant position in cert prep books.

You will not be disappointed in your decision to purchase this book. If you are, please contact me at [email protected]. All suggestions, ideas, input, or constructive criticism are welcome!
The Smartest Way To Study for Your CCNP Certification!

Exam Cram 2 offers the concise, focused coverage you need to pass your CCNP exams. These books are designed to be used as a refresher on important concepts, as well as a guide to exam topics and objectives. Each book offers:

• CD that includes a PrepLogic Practice Exam
• Two text-based practice exams with detailed answers
• Tear-out Cram Sheet that condenses the important information into a handy two-page study aid
• Key terms and concepts for the topic, notes, exam alerts and tips

Check out these other CCNP Exam Cram 2 titles:

• CCNP BSCI Exam Cram 2, Exam 642-801 (ISBN: 0789730170, $29.99)
• CCNP BCMSN Exam Cram 2, Exam 642-811 (ISBN: 0789729911, $29.99)
• CCNP CIT Exam Cram 2, Exam 642-831 (ISBN: 0789730219, $29.99)
Buy the pack and SAVE! Get all four CCNP Exam Cram 2 titles with CDs for just $99.99! ISBN: 0789730979
Books are available online or at your favorite bookstore.
www.examcram2.com
No dedication would be complete without thanking my family for their support and patience during the writing process. Carolann and Lee are given my biggest thanks for being there. —Eric Quinn

❧

I would like to dedicate my half of this book to the two most precious people in my life, Angela and Kallin. I could never ask for a better wife, companion, or partner, Angela; I love you, and it’s as simple as that. Kallin, you make my life such a joy; thanks for letting me teach you the OSI model at age two. Now it’s time to read you some of your books. Thank you both not only for helping me to reach the end of the rainbow, but also for pointing out the rainbow along the way. I would also like to thank my parents for helping me become the man that I am. I would like to think that I turned out all right, and they were a great part of that. Thanks. —Fred Glauser

❧
About the Authors

Eric Quinn (CCNP and voice and security specializations) currently supports the network infrastructure for the U.S. Department of State. Eric has four years of experience teaching Cisco routers, switches, and security devices, as well as teaching concepts and standards-based protocols both in person and over the Internet. Eric pioneered the first version of the Cisco 6500 series switch class, teaching more than 150 Cisco engineers. Eric also has 10 years of experience in various administration, management, and consulting roles, supporting routers, switches, firewalls, and VPN devices. He has supplied design and implementation guidance to banks, airports, media, and finance organizations, among others. Eric co-authored the original Remote Access Exam Cram from The Coriolis Group and has coauthored three other books on LAN switching and security with Sybex. Eric currently is based in Athens, Greece.

Fred Glauser (CCNP, CSS1, CCSP, CCDA, CCNA, MCSA, MCSE, MCT, CNE, MCNE, CNI, MCNI, CISSP, INFOSEC) has more than 14 years of networking experience supporting Cisco, Microsoft, and Novell. He has spent several years as a network operations manager. For the last four years, Fred has operated a consulting and training company with clients across the country. Clients include the federal government, FBI, DOJ, INS, Air Force, Army, and various state and local governments. You can often find Fred in the Colorado mountains, running Cisco CCNP and CCSP bootcamps for Acrew.net. Fred is currently pursuing his CCIE for both routing/switching and security.
About the Technical Editors

Jeremy Cioara has focused on network technologies for more than a decade. During this time, he has achieved many certifications, including CCIE, MCSE, and CNE. Some of his field work includes network design and consulting at MicroAge, Qwest, and Terminal Processing Systems. He is currently focusing on technical instruction and authoring on such topics as Cisco IP telephony, routing, and switching.

Matthew J. Miller is a senior network engineer with Derive Technologies, LLC, in New York. He is a CCDP with 10 years of experience designing, implementing, and troubleshooting LAN/WAN solutions in corporate environments. You can reach Matthew at [email protected].

Michelle Plumb is a full-time instructor focusing on Cisco and the Cisco IP telephony track with 15 years in the field as an IT and telephony specialist. Michelle maintains a high level of Cisco and Microsoft certifications, including CCNP, Cisco IP Telephony Support Specialist, Unity, MCSE NT/2000, and MCT. Michelle has technically reviewed numerous books for the Cisco CCNP track and Microsoft 2000.

Claudia Vautz holds a Bachelor of Science degree and many industry certifications, including MCSE (NT4 & W2K), Novell CNA, CCNP, CCDP, and CompTIA Network+ and Server+. For the past 5 years Claudia has worked in an educational role, creating and delivering training for Microsoft and Cisco certifications concentrating in MCSE, CCNP, and CCDP subject matter.
Acknowledgments

There are many people that I owe thanks to, for enabling me to get where I am today. Trace and Bob were the first people to allow me to go as far as I could within their organization, and their contacts led me to much bigger and better opportunities. I thank Rick Gardner for my first taste of a big infrastructure, where I was bitten by the Cisco bug. I must owe my greatest professional gratitude to Vick Tagawa, for taking a chance on someone who was good technically but inexperienced as an instructor, and later Ted Hernandez, for taking the teaching techie and making a professional presenter. Dian Schaffhauser has been both a friend and a mentor, introducing me to the writing trade. You three have given me skills that, unlike technical ability, will not fade. Most recently, I thank the “71st Specialist class,” for putting up with my occasional ramblings as well as sometimes an inability to socialize because “I must get a chapter done.” You are an amazingly talented group of people. Although there isn’t a single one of you that I wouldn’t gladly serve with, let’s make it at a modern tropical place. I’d like to specifically ask Dan Cook to come out of the village and join us there. —Eric Quinn

I thank David Waldron for his work in the async and WAN connection chapters, helping me build my CCIE lab and getting Cavlon Consulting up and running. Brian Quinn and Linda Frampton, thanks for helping put me on this path so many years ago, building up the consulting and training team, and of course being my friends. “It’s all about networking.” A thank you goes out to all my editors at Que Publishing, for their patience, flexible deadlines, and understanding. —Fred Glauser
We Want to Hear from You!

As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we’re doing right, what we could do better, what areas you’d like to see us publish in, and any other words of wisdom you’re willing to pass our way. As an executive editor for Que Publishing, I welcome your comments. You can email or write me directly to let me know what you did or didn’t like about this book—as well as what we can do to make our books better. Please note that I cannot help you with technical problems related to the topic of this book. We do have a User Services group, however, where I will forward specific technical questions related to the book. When you write, please be sure to include this book’s title and author as well as your name, email address, and phone number. I will carefully review your comments and share them with the author and editors who worked on the book.

Email: [email protected]
Mail: Jeff Riley, Executive Editor, Que Publishing, 800 East 96th Street, Indianapolis, IN 46240 USA
For more information about this book or another Que Certification title, visit our Web site at www.examcram2.com. Type the ISBN (excluding hyphens) or the title of a book in the Search field to find the page you’re looking for.
Contents at a Glance

Introduction xxi
Self Assessment xxx
Chapter 1 CCNP Certification Exams 1

Part I WAN Services
Chapter 2 WAN Technologies and Components 17
Chapter 3 Securing the Network with AAA 35
Chapter 4 PPP Authentication with PAP and CHAP 51
Chapter 5 Using Network Address Translation 77

Part II WAN Access
Chapter 6 Modems and Asynchronous Connections 95
Chapter 7 Using ISDN 113
Chapter 8 Dial-on-Demand Routing 139
Chapter 9 Using Frame Relay 157
Chapter 10 Introduction to Broadband 185

Part III WAN Options
Chapter 11 Enabling a Backup Connection 207
Chapter 12 Traffic Management 221
Chapter 13 Securing the Network with VPNs 245
Chapter 14 Practice Exam 1 271
Chapter 15 Answer Key 1 295
Chapter 16 Practice Exam 2 315
Chapter 17 Answer Key 2 335

Part IV Appendixes
Appendix A What’s on the CD-ROM 359
Appendix B Using the PrepLogic Practice Exams, Preview Edition Software 361
Glossary 369
Index 383
Table of Contents

Introduction .....................................................................xxi
Self-Assessment...............................................................xxx

Chapter 1 CCNP Certification Exams .....................................................1
    Assessing Exam Readiness 2
    The Test Objectives 3
    The Testing Situation 4
    Test Layout and Design 5
    Using the Test Software Effectively 8
    Taking Testing Seriously 9
    Question-Handling Strategies 9
    Mastering the Inner Game 11
    Additional Resources 12

Part I WAN Services ...................................................15

Chapter 2 WAN Technologies and Components .......................................17
    WAN Connection Types 18
    Dedicated 18
    Circuit Switched 19
    Packet Switched 19
    WAN Encapsulation Protocols 20
    PPP 20
    HDLC 21
    Frame Relay 21
    Additional Encapsulations 22
    WAN Connection Determination 22
    Key Decision Factors 23
    Site Requirements 24
    Hardware Selection 26
    Exam Prep Questions 28
    Need to Know More? 33

Chapter 3 Securing the Network with AAA .............................................35
    The Cisco Security Options 36
    CiscoSecure ACS and AAA 36
    Authentication 36
    Authorization 36
    Accounting 37
    ACS Components 37
    ACS Protocols 37
    Router Access Modes 38
    AAA Operation 38
    AAA Authentication Commands 39
    AAA Authorization Commands 41
    AAA Accounting Commands 42
    Exam Prep Questions 45
    Need to Know More? 49

Chapter 4 PPP Authentication with PAP and CHAP ...................................51
    Remote Access 52
    Connectivity 52
    Authentication 55
    Hashing 56
    Configuring PPP for CHAP Authentication 57
    Basic PPP Configuration Commands 57
    Configuring CHAP 59
    Protecting Configuration Contents 60
    Additional PPP Settings 60
    PPP Callback 60
    Compressed PPP 63
    Multilink PPP 64
    Login Banners 66
    Link Quality Monitoring 67
    Troubleshooting PPP 68
    debug ppp negotiation 69
    debug ppp authentication 70
    Exam Prep Questions 71
    Need to Know More? 75

Chapter 5 Using Network Address Translation ........................................77
    NAT Overview 78
    NAT Considerations 78
    NAT Terminology 80
    NAT in Operation 81
    Static NAT 81
    Dynamic NAT 82
    Overloading NAT 84
    Overlapping NAT 84
    Configuring Load Sharing 85
    NAT Troubleshooting 86
    Exam Prep Questions 88
    Need to Know More? 92

Part II WAN Access ....................................................93

Chapter 6 Modems and Asynchronous Connections ..................................95
    Modems 96
    Modem Technologies 96
    Modem Standards 97
    Configuring the Router 98
    Logical Router Configuration 98
    Physical Interface Configuration 99
    Attaching the Modem 100
    Using the Modem 101
    Configuring the Modem 102
    Manually Configuring the Modem 102
    Manipulating the Modemcap Database 103
    Automatically Configuring a Known Modem Type 105
    Automatically Configuring an Unknown Modem Type 105
    Troubleshooting 106
    Debugging Modem Autoconfiguration 106
    Additional Troubleshooting 107
    Exam Prep Questions 108
    Need to Know More? 112

Chapter 7 Using ISDN ....................................................................113
    ISDN 114
    BRI 114
    PRI 115
    ISDN Usage 116
    Equipment 116
    Geographical Concerns 117
    Reference Points 117
    Call Progress 118
    Call Setup 118
    Call Teardown 119
    ISDN BRI Configuration 120
    ISDN Switch Type 120
    Configuring Interesting Traffic 121
    Interface Configuration 121
    Routing 123
    Bandwidth Usage 123
    Additional BRI Options 124
    ISDN PRI Configuration 125
    Configuring the Controller 125
    Configuring Timeslots 126
    Layer 1 Communication 126
    Configuring the Interface 128
    ISDN Troubleshooting 129
    Q.921 129
    Q.931 130
    ISDN show Commands 130
    Debugging ISDN 132
    Exam Prep Questions 134
    Need to Know More? 138

Chapter 8 Dial-on-Demand Routing ...................................................139
    Introduction to Dial-on-Demand Routing 140
    Interesting Traffic 140
    Uninteresting Traffic 141
    Snapshot Routing 141
    Access Lists 142
    Dialer Profiles 143
    Dialer Interface 143
    Dialer Pools 146
    Map Classes 146
    Incoming Calls with Rotary Groups 147
    Configuring Rotary Groups 148
    Configuration Example and Explanation 148
    Exam Prep Questions 152
    Need to Know More? 156

Chapter 9 Using Frame Relay ..........................................................157
    Frame Relay Concepts 158
    Maximum Burst Rate 158
    CIR 158
    Oversubscription 159
    Frame Relay Components 160
    DLCI 160
    LMI 160
    Encapsulation 161
    Mapping 161
    Frame Relay Configuration 161
    Connecting a Single Interface to Multiple Locations 163
    Network Design Types 163
    Frame Relay and Multiple Sites 164
    Configuring Subinterfaces 166
    Frame Relay Traffic Shaping 169
    BECNs and FECNs 169
    Configuring Traffic Shaping 170
    Traffic Shaping Commands 171
    Frame Relay Fragmentation 173
    Per-Interface Priority Queuing 174
    Configuring PIPQ 175
    EIGRP over Frame Relay 175
    Monitoring and Troubleshooting Frame Relay Operation 176
    Configuration Troubleshooting 176
    Troubleshooting a Previously Configured Connection 176
    Exam Prep Questions 178
    Need to Know More? 184

Chapter 10 Introduction to Broadband ..................................................185
    Cable 186
    Terminology 187
    Provisioning 189
    DSL 189
    ADSL 191
    Configuring the PPPoE Client 192
    Configuring DSL for PPPoA 195
    Troubleshooting DSL 196
    Exam Prep Questions 197
    Need to Know More? 203

Part III WAN Options .................................................205

Chapter 11 Enabling a Backup Connection .............................................207
    Dial Backup 208
    Configuring Dial Backup for Primary Link Failure 208
    Floating Static Routes 210
    Activating Dial Backup to Support a Primary Link 212
    Using Dial Backup with Dialer Profiles 213
    Load Sharing and Dial Backup 213
    Verifying a Dial Backup Configuration 215
    Exam Prep Questions 216

Chapter 12 Traffic Management .........................................................221
    Introduction 222
    Understanding Basic Queuing 222
    Determining the Necessary Queuing Strategy 223
    WFQ 223
    PQ 225
    CQ 228
    Advanced Queuing 232
    PQ-WFQ 232
    Class-based WFQ 233
    Low-Latency Queuing 235
    Case Study 235
    Data Compression 236
    Link Compression 237
    Payload Compression 238
    Header Compression 238
    Modem Compression 239
    CPU Cycles Versus Memory 239
    Exam Prep Questions 240
    Need to Know More? 244

Chapter 13 Securing the Network with VPNs ..........................................245
    VPN Overview 246
    Types of VPNs 247
    VPN and IPSec Terminology 247
    The Five Steps of IPSec 250
    Step 1: Defining Interesting Traffic 250
    Step 2: IKE Phase 1 250
    Step 3: IKE Phase 2 251
    Step 4: IPSec Encrypted Tunnel 251
    Step 5: Tunnel Termination 251
    Configuring IPSec 252
    Task 1: Preparing for IKE and IPSec 252
    Task 2: Configuring IKE 254
    Task 3: Configuring IPSec 257
    Task 4: Testing and Verifying IPSec 261
    Exam Prep Questions 264
    Need to Know More? 269

Chapter 14 Practice Exam 1 ..............................................................271
    Sample Test 271
    Questions, Questions, Questions 271
    Picking Proper Answers 272
    Decoding Ambiguity 273
    Working Within the Framework 273
    Deciding What to Memorize 274
    Preparing for the Test 275
    Taking the Test 275

Chapter 15 Answer Key 1 .................................................................295

Chapter 16 Practice Exam 2 ..............................................................315

Chapter 17 Answer Key 2 .................................................................335

Part IV Appendixes ...................................................357

Appendix A What’s on the CD-ROM ......................................................359
    The PrepLogic Practice Exams, Preview Edition Software 359
    An Exclusive Electronic Version of the Text 360

Appendix B Using the PrepLogic Practice Exams, Preview Edition Software .....361
    The Exam Simulation 361
    Question Quality 362
    The Interface Design 362
    The Effective Learning Environment 362
    Software Requirements 362
    Installing PrepLogic Practice Exams, Preview Edition 363
    Removing PrepLogic Practice Exams, Preview Edition from Your Computer 363
    How to Use the Software 364
    Starting a Practice Exam Mode Session 364
    Starting a Flash Review Mode Session 365
    Standard PrepLogic Practice Exams, Preview Edition Options 365
    Seeing Time Remaining 366
    Getting Your Examination Score Report 366
    Reviewing Your Exam 366
    Contacting PrepLogic 367
    Customer Service 367
    Product Suggestions and Comments 367
    License Agreement 367

Glossary .......................................................................369

Index ............................................................................383
Introduction

Welcome to the BCRAN Exam Cram 2! Whether this book is your first or your fifteenth Exam Cram 2 series book, you’ll find information here that will help ensure your success as you pursue knowledge, experience, and certification. This introduction explains Cisco’s certification programs in general and talks about how the Exam Cram 2 series can help you prepare for the Cisco Certified Network Professional exams. Chapter 1 discusses the basics of Cisco certification exams, including a description of the testing environment and a discussion of test-taking strategies. Chapters 2 through 13 are designed to remind you of everything you need to know to take—and pass—the 642-821 Cisco BCRAN certification exam. The two sample tests at the end of the book should give you a reasonably accurate assessment of your knowledge—and, yes, we’ve provided the answers and their explanations. Read the book and understand the material, and you’ll stand a very good chance of passing the test.

Exam Cram 2 books help you understand and appreciate the subjects and materials you need to pass Cisco certification exams. Exam Cram 2 books are aimed strictly at test preparation and review. They do not teach you everything you need to know about a topic. Instead, we present and dissect the questions and problems we’ve found that you’re likely to encounter on a test. We’ve worked to bring together as much information as possible about Cisco certification exams. Nevertheless, to completely prepare yourself for any Cisco test, we recommend that you begin by taking the “Self Assessment” that is included in this book, immediately following this introduction. The self-assessment tool helps you evaluate your knowledge base against the requirements for a Cisco Certified Network Professional (CCNP) under both ideal and real circumstances.

Based on what you learn from the “Self Assessment,” you might decide to begin your studies with some classroom training, some practice with the IOS, or some background reading. On the other hand, you might decide to pick up and read one of the many study guides available from Cisco or third-party vendors on certain topics. We also recommend that you supplement your study program with visits to http://www.examcram2.com to receive additional practice questions, get advice, and track the CCNP program. We also strongly recommend that you configure and play around with the software that you’ll be tested on because nothing beats hands-on experience and familiarity when it comes to understanding the questions you’re likely to encounter on a certification test. Book learning is essential, but without a doubt, hands-on experience is the best teacher of all!

The CD also includes the PrepLogic Practice Exams, Preview Edition exam-simulation software. The Preview Edition exhibits most of the full functionality of the Premium Edition but offers only enough questions for one practice exam. To get the complete set of practice questions and exam functionality, visit http://www.preplogic.com.
Taking a Certification Exam

After you’ve prepared for your exam, you need to register with a testing center. Each computer-based Cisco exam costs $125, and if you don’t pass, you can retest for an additional $125 for each additional try. In the United States and Canada, tests are administered by Prometric and by VUE. Here’s how you can contact them:

➤ Prometric—You can sign up for a test through the company’s Web site, http://www.prometric.com. Within the United States and Canada, you can register by phone at 800-829-6387. If you live outside this region, you should check the Prometric Web site for the appropriate phone number.

➤ VUE—You can sign up for a test or get the phone numbers for local testing centers through the Web at http://www.vue.com/cisco.

To sign up for a test, you must possess a valid credit card or contact either Prometric or VUE for mailing instructions to send a check (in the United States). Only when payment is verified or your check has cleared can you actually register for the test. To schedule an exam, you need to call the number or visit either of the Web pages at least one day in advance. To cancel or reschedule an exam, you must call before 7 p.m. Pacific standard time the day before the scheduled test time (or you might be charged, even if you don’t show up to take the test). When you want to schedule a test, you should have the following information ready:

➤ Your name, organization, and mailing address.

➤ Your Cisco test ID. (Inside the United States, testing organizations have been getting away from using Social Security numbers; citizens of other nations should call ahead to find out what type of identification number is required to register for a test.)

➤ The name and number of the exam you want to take.

➤ A method of payment. (As mentioned previously, a credit card is the most convenient method, but alternate means can be arranged in advance, if necessary.)

After you sign up for a test, you are told when and where the test is scheduled. You should arrive at least 15 minutes early. You must supply two forms of identification—one of which must be a photo ID—and sign a nondisclosure agreement to be admitted into the testing room. All Cisco exams are completely closed book. In fact, you are not permitted to take anything with you into the testing area, but you are given a blank sheet of paper and a pen (or in some cases an erasable plastic sheet and an erasable pen). We suggest that you immediately write down on that sheet of paper all the information you’ve memorized for the test. In Exam Cram 2 books, this information appears on a tear-out sheet inside the front cover of each book. You are given some time to compose yourself, record this information, and take a sample orientation exam before you begin the real thing. We suggest that you take the orientation test before taking your first exam, but because all the certification exams are more or less identical in layout, behavior, and controls, you probably don’t need to do so more than once.

When you complete a Cisco certification exam, the software tells you immediately whether you’ve passed or failed. If you need to retake an exam, you have to schedule a new test with Prometric or VUE and pay another $125. The first time you fail a test, you can retake the test as soon as the next day. However, if you fail a second time, you must wait 14 days before retaking that test. The 14-day waiting period remains in effect for all retakes after the second failure.
Tracking Certification Status

As soon as you pass any Cisco exam, Cisco generates transcripts that indicate which exams you have passed. You can view a copy of your transcript at any time by going to the Certification Tracking System secured site and selecting Test History and Certification Progress. These tools enable you to print a copy of your current transcript and confirm your certification status. After you pass the necessary set of exams, you are certified. Official certification is normally granted after three to six weeks, so you shouldn’t expect to get your credentials overnight. The package for official certification that arrives includes a Welcome Kit that contains a number of elements (see the Cisco Web site for other benefits of specific certifications):

➤ A certificate that is suitable for framing, along with a wallet card.

➤ A license to use the applicable logo, which means you can use the logo in advertisements, promotions, and documents and on letterhead, business cards, and so on. Along with the license comes a logo sheet, which includes camera-ready artwork. (Note that before you use any of the artwork, you must sign and return a licensing agreement that indicates you’ll abide by its terms and conditions.)

Many people believe that the benefits of CCNP certification go well beyond the perks that Cisco provides to newly anointed members of this elite group. We’re starting to see more job listings that request or require applicants have CCNA, CCNP, and other certifications, and many individuals who complete Cisco certification programs can qualify for increases in pay and responsibility. As an official recognition of hard work and broad knowledge, one of the Cisco credentials is a badge of honor in many IT organizations.
How to Prepare for an Exam Preparing for any Cisco-related test (including Exam 642-821) requires that you obtain and study materials designed to provide comprehensive information about the product and its capabilities that will appear on the specific exam for which you are preparing. The following materials can help you study and prepare: ➤ The exam-preparation advice, practice tests, questions of the day, and
discussion groups on the http://www.examcram2.com e-learning and certification destination Web site. In addition, you might find any or all of the following materials useful in your quest for Cisco expertise: ➤ Cisco training kits—Cisco Press offers a training kit that specifically tar-
gets Exam 642-821. For more information, visit http://www.ciscopress. com. This training kit contains information that you will find useful in preparing for the test.
➤ Internet Protocol Journal—This quarterly magazine is published by Cisco
and covers new and emerging technologies as well as real-life scenarios and implementation stories. More information appears at http://www. cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_ journal.html.
➤ Packet Magazine—This quarterly magazine provides more of a product
focus than the IPJ does. Packet provides a lot of information about new and up-and-coming technologies, the Cisco implementation of them, and how they can fit into your network. Subscribe to Packet at http:// www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html. ➤ Classroom training—Cisco-authorized training partners, online partners,
and third-party training companies all offer classroom training on BCRAN. These companies aim to help you prepare to pass Exam 642-821 (or other exams). Although such training runs upward of $350 per day in class, most of the individuals lucky enough to partake find this training to be worthwhile. ➤ Other publications—There’s no shortage of materials available about
remote access. The “Need to Know More?” resource sections at the end of each chapter in this book give you an idea of where we think you should look for further discussion. This set of required and recommended materials represents an unparalleled collection of sources and resources about Cisco remote access and related topics. We hope you’ll find that this book belongs in this company.
What This Book Will Not Do This book will not teach you everything you need to know about computers or even about a given topic. Nor is this book an introduction to computer technology. If you’re new to Cisco networking and looking for an initial preparation guide, check out http://www.quepublishing.com, where you will find a whole section dedicated to the Cisco certifications. This book reviews what you need to know before you take the test, with the fundamental purpose dedicated to reviewing the information needed on the Cisco 642-821 certification exam. This book uses a variety of teaching and memorization techniques to analyze the exam-related topics and to provide you with ways to input, index, and retrieve everything you need to know to pass the test. Once again, it is not an introduction to Cisco networking.
What This Book Is Designed to Do This book is designed to be read as a pointer to the areas of knowledge you will be tested on. In other words, you might want to read the book one time, just to get an insight into how comprehensive your knowledge of the subject is. The book is also designed to be read shortly before you go for the actual test and to give you a distillation of the entire topic in as few pages as possible. We think that you can use this book to get a sense of the underlying context of any topic in the chapters—or to skim-read for Exam Alerts, bulleted points, summaries, and topic headings. We’ve drawn on material from the Cisco list of knowledge requirements, from other preparation guides, and from the exams themselves. We’ve also drawn from a battery of third-party test-preparation tools and technical Web sites, as well as from our own experience with the topic and the exam. Our aim is to walk you through the knowledge you need—looking over your shoulder, so to speak—and point out those things that are important for the exam (Exam Alerts, practice questions, and so on). The 642-821 exam makes a basic assumption that you already have a strong background of experience with routing and switching technologies, the Cisco IOS, and related terminologies. On the other hand, because the IOS is so complex, no one can be a complete expert. We’ve tried to demystify the jargon, acronyms, terms, and concepts. Also, wherever we think you’re likely to blur past an important concept, we’ve defined the assumptions and premises behind that concept.
About This Book In case you’re preparing for the 642-821 certification exam for the first time, we’ve structured the topics in this book to build upon one another. Therefore, the topics covered in later chapters might refer to previous discussions in earlier chapters. We suggest you read this book from front to back. You won’t be wasting your time because nothing we’ve written is a guess about an unknown exam. We’ve had to explain certain underlying information on such a regular basis that we’ve included those explanations here. Once you’ve read the book, you can brush up on a certain area by using the index or the table of contents to go straight to the topics and questions you want to reexamine. We’ve used the headings and subheadings to provide outline information about each given topic. After you’ve been certified, we think you’ll find this book useful as a tightly focused reference and an essential foundation of IOS understanding.
Chapter Formats Each Exam Cram 2 chapter follows a regular structure, along with graphical cues about especially important or useful material. The structure of a typical chapter is as follows: ➤ Opening hotlists—Each chapter begins with lists of the terms you’ll need
to understand and the concepts you’ll need to master before you can be fully conversant with the chapter’s subject matter. We follow the hotlists with a few introductory paragraphs, setting the stage for the rest of the chapter. ➤ Topical coverage—After the opening hotlists, each chapter covers the top-
ics related to the chapter’s subject. ➤ Exam Alerts—Throughout the topical coverage section, we highlight
material most likely to appear on the exam by using a special Exam Alert layout that looks like this: This is what an Exam Alert looks like. An Exam Alert stresses concepts, terms, software, or activities that will most likely appear in one or more certification exam questions. For that reason, we think any information offset in Exam Alert format is worthy of unusual attentiveness on your part.
Even if material isn’t flagged as an Exam Alert, all the content in this book is associated in some way with test-related material. What appears in the chapter content is critical knowledge. ➤ Notes—This book is an overall examination of networking. As such, we
dip into many aspects of networks. Where a body of knowledge is deeper than the scope of the book, we use notes to indicate areas of concern or specialty training. Cramming for an exam will get you through a test, but it won’t make you a competent IT professional. Although you can memorize just the facts you need to become certified, your daily work in the field will rapidly put you in water over your head if you don’t know the underlying principles of networking.
➤ Tips—We provide tips that will help you build a better foundation of
knowledge or focus your attention on an important concept that will reappear later in the book. Tips provide a helpful way to remind you of the context surrounding a particular area of a topic under discussion.
You should also read Chapter 1, “CCNP Certification Exams,” for helpful strategies for taking a test. The introduction to “Practice Exam 1” in Chapter 14 contains additional tips on how to figure out the correct response to a question and what to do if you draw a complete blank.
➤ Practice questions—This section presents a short list of test questions
related to the specific chapter topic. Each question has an explanation of both correct and incorrect answers. The practice questions highlight the areas we found to be most important on the exam. ➤ Need to Know More?—Every chapter ends with a section titled “Need to
Know More?” This section provides pointers to resources that we found to be helpful in offering further details on the chapter’s subject matter. If you find a resource you like in this collection, use it, but don’t feel compelled to use them all. We use this section to recommend resources that we have used on a regular basis, so none of the recommendations will be a waste of your time or money. These resources might go out of print or be taken down (in the case of Web sites), so we’ve tried to reference widely accepted resources. The bulk of the book follows this chapter structure, but we would like to point out a few other elements: ➤ Practice Exams—The practice exams, which appear in Chapters 14 and
16 (with answer keys in Chapters 15 and 17), are very close approximations of the types of questions you are likely to see on the current 642-821 exam. ➤ Answer keys—These keys provide the answers to the sample tests, com-
plete with explanations of both the correct responses and the incorrect responses. ➤ Glossary—This chapter is an extensive glossary of important terms used
in this book. ➤ The Cram Sheet—This sheet appears as a tear-away sheet inside the front
cover of this Exam Cram 2 book. It is a valuable tool that represents a collection of the most difficult-to-remember facts and numbers we think you should memorize before taking the test. Remember, you can dump this information out of your head onto a piece of paper as soon as you enter the testing room. These items are usually facts that we’ve found require brute-force memorization. You only need to remember this information long enough to write it down when you walk into the test room. Be advised that you will be asked to surrender all personal belongings before you enter the exam room itself.
You might want to look at the Cram Sheet in your car or in the lobby of the testing center just before you walk into the testing center. The Cram Sheet is divided under headings, so you can review the appropriate parts just before each test. ➤ The CD—The CD includes many helpful code samples that demonstrate
all the topics on the exam. If you work through the samples on the CD, you’ll understand the techniques that you’re likely to be tested on. The CD also contains the PrepLogic Practice Exams, Preview Edition exam-simulation software. The Preview Edition exhibits most of the full functionality of the Premium Edition but offers only enough questions for one practice exam. To get the complete set of practice questions and exam functionality, visit http://www.preplogic.com.
Code and Commands The limitations of printed pages, many times, required us to write output with smaller margins than you might see in practice. In some cases, the margins forced us to introduce line continuations into output that’s automatically generated by a Cisco device, even though you won’t see those continuations when you recreate the output on your own device.
Contacting the Author We’ve tried to create a real-world tool that you can use to prepare for and pass the 642-821 BCRAN certification exam. We’re interested in any feedback you would care to share about the book, especially if you have ideas about how we can improve it for future test-takers. We’ll consider everything you say carefully and respond to all reasonable suggestions and comments. You can reach us via email through the publisher at
[email protected]. Let us know whether you found this book to be helpful in your preparation efforts. We’d also like to know how you felt about your chances of passing the exam before you read the book and then after you read the book. Of course, we’d love to hear that you passed the exam—and even if you just want to share your triumph, we’d be happy to hear from you. Thanks for choosing us as your personal trainers, and enjoy the book. We would wish you luck on the exam, but we know that if you read through all the chapters and work with the product, you won’t need luck; you’ll pass the test on the strength of real knowledge!
Self Assessment
We’ve included a “Self Assessment” in this Exam Cram 2 to help you evaluate your readiness to tackle Cisco Certified Network Professional (CCNP) certification. It should also help you understand what you need to master the topic of this book—namely, Exam 642-821, “Building Cisco Remote Access Networks.” Before you tackle this “Self Assessment,” however, we talk about the concerns you might face when pursuing Cisco CCNP certification and what an ideal candidate might look like.
Cisco System Administrators in the Real World In the next section, we describe an ideal CCNP system administrator candidate, knowing full well that only a few actual candidates meet this ideal. In fact, our description of that ideal candidate might seem downright scary. But take heart: Although the requirements to obtain a CCNP certification might seem formidable, they are by no means impossible to meet. However, you should be keenly aware that it does take time, requires some expense, and calls for a substantial effort. You can get all the real-world motivation you need from knowing that many others have gone before you. You can follow in their footsteps. If you’re willing to tackle the process seriously and do what it takes to gain the necessary experience and knowledge, you can take—and pass—the certification tests. In fact, the Exam Cram 2s and, as available per topic, the companion Training Guides are designed to make it as easy as possible for you to prepare for these exams, but prepare you must! The same, of course, is true for other Cisco certifications, including the following: ➤ Building Scalable Cisco Internetworks (BSCI), which concentrates on
the routing aspects. Topics covered include Variable Length Subnet Masking (VLSM), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP).
➤ Building Cisco Multilayer Switched Networks (BCMSN), which covers
multilayer LAN switching topics. This exam tests your knowledge of different types of switches and their functions, as well as switching standards and features. ➤ Cisco Internetwork Troubleshooting (CIT), which is the troubleshoot-
ing component of the CCNP. It tests your troubleshooting ability across the board with Cisco products. This exam expands on all the troubleshooting components in the other CCNP exams.
The Ideal CCNP Candidate Just to give you some idea of what an ideal CCNP candidate is like, here are some relevant statistics about the background and experience such an individual might have. Don’t worry if you don’t meet these qualifications (or, indeed, if you don’t even come close), because this world is far from ideal, and where you fall short is simply where you’ll have more work to do. The ideal candidate has the following: ➤ Academic or professional training in Cisco IOS, the operating system
that runs Cisco routers. This hands-on experience might be with real networking devices or with simulator applications. ➤ Two-plus years of professional system administration experience, includ-
ing experience installing, monitoring, and troubleshooting systems and network problems. You should have a solid understanding of business demands on a network. We believe that well under half of all certification candidates meet these requirements. In fact, most probably meet less than half of these requirements (that is, at least when they begin the certification process). However, because all those who have their certifications already survived this ordeal, you can survive it, too—especially if you heed what this “Self Assessment” can tell you about what you already know and what you need to learn.
Put Yourself to the Test The following series of questions and observations is designed to help you figure out how much work you will face in pursuing Cisco certification and what kinds of resources you can consult on your quest. Be absolutely honest in your answers, or you’ll end up wasting money on exams you’re not ready to take. There are no right or wrong answers, only steps along the path to certification. Only you can decide where you really belong in the broad spectrum of aspiring candidates.
Two things should be clear from the outset, however: ➤ Even a modest background in computer science is helpful. ➤ Hands-on experience with Cisco IOS and routing and switching tech-
nologies is an essential ingredient for certification success.
Educational Background 1. Have you ever taken any computer-related classes? (Yes or No)
If yes, proceed to question 2; if no, proceed to question 4. 2. Have you taken any classes or passed previous exams on Cisco routers?
(Yes or No) If yes, you will probably be able to handle the discussions relating to the IOS and system administration. If the answer is no, consider some basic reading in this area or starting with the CCNA certification. We strongly recommend a good Cisco system administration book, such as the CCNA Certification Library from Cisco Press. 3. Have you taken any networking concepts or technologies classes? (Yes
or No) If yes, you will probably be able to handle the networking terminology, concepts, and technologies (but brace yourself for frequent departures from normal usage). If you’re rusty, brush up on basic networking concepts and terminology. If your answer is no, you might want to check out some titles on Transmission Control Protocol/Internet Protocol (TCP/IP). 4. Have you done any reading on networks? (Yes or No)
If yes, review the requirements from questions 2 and 3. If you meet them, move to the next section, “Hands-On Experience.” If you answered no, consult the recommended reading for both topics. This kind of strong background is a great help in preparing for the Cisco exams.
Hands-On Experience Another important key to success on all the Cisco tests is hands-on experience. If we leave you with only one realization after taking this “Self Assessment,” it should be that there’s no substitute for time spent designing, configuring, and using the various Cisco commands and tools on which you’ll be tested repeatedly and in depth.
5. Have you installed, configured, and worked with Cisco IOS? (Yes or
No) If yes, make sure you understand the basic concepts covered in Exam 642-821. If you haven’t worked with Cisco IOS, you might consider purchasing a used router or two, as well as using simulator software. Then, learn about the installation and administration. You can obtain the exam objectives, practice questions, and other information about Cisco exams from Cisco’s Training and Certification page on the Web at http://www.cisco.com/en/US/learning/le3/le2/le37/le10/learning_certification_ type_home.html.
Before you even think about taking any Cisco exam, make sure you’ve spent enough time with the IOS to understand how it can be installed and configured, how to maintain such an installation, and how to troubleshoot that software when things go wrong. It will help you in the exam—as well as in real life. If you have the funds or your employer will pay your way, consider taking a class at a Cisco training partner.
Testing Your Exam Readiness Whether you attend a formal class on a specific topic to get ready for an exam or use written materials to study on your own, some preparation for the Cisco certification exams is essential. At $125 a try, pass or fail, you want to do everything you can to pass on your first try. That’s where studying comes in. We include in this book several exam prep questions for each chapter and practice exams, so if you don’t score well on the chapter questions, you can study more and then tackle the practice exams. If you don’t earn a score of at least 70% on each practice exam, you’ll want to investigate the other practice-test resources available via the Web. (Locate them by using your favorite search engine.) For any given subject, consider taking a class if you’ve tackled self-study materials, taken the test, and failed anyway. If you can afford the privilege, the opportunity to interact with an instructor and fellow students can make
all the difference in the world. For information about Cisco classes, visit the Certification Program page at http://www.cisco.com/pcgi-bin/front.x/ wwtraining/CELC/index.cgi?action=IncSearchForm. If you have more time than money, you might consider attending a Cisco Network Academy. Typically offered at established education institutions such as a college, the classes tend to run at a more leisurely pace and cost less. Find out more at http://cisco.netacad.net/public/gln/overview/index.html.
6. Have you taken a practice exam on your chosen test subject? (Yes or
No) If yes—and you scored 70% or better—you’re probably ready to tackle the real thing. If your score isn’t above that crucial threshold, keep at it until you break that barrier. If you answered no, obtain all the free and low-budget practice tests you can find (or afford) and get to work. Keep at it until you can comfortably break the passing threshold. There is no better way to assess your test readiness than to take a good-quality practice exam and pass with a score of 70% or better. When we’re preparing, we shoot for 80+%, just to leave room for the “weirdness factor” that sometimes shows up on Cisco exams.
Assessing Your Readiness for Exam 642-821 In addition to the general exam-readiness information in the previous section, other resources are available to help you prepare for the exams. Three Web sites come to mind: http://www.groupstudy.com, http://www.tcpmag.com, and http://www.williamson.cx. Also, the Usenet newsgroups alt.certification.cisco and comp.dcom.sys.cisco are available via news services or http://google.com. The groups at http://groups.google.com are great places to ask questions about topics you are having trouble understanding and to get good answers or simply to observe the questions others ask (along with the answers, of course). We’d also like to recommend that you check out these books as you prepare to take the exam:
➤ Cisco Press. Internetworking Technologies Handbook. Indianapolis, Indiana:
Cisco Systems, 2003. ➤ Stallings, William. Data and Computer Communications. Upper Saddle
River, New Jersey: Prentice Hall, 2003. One last note: We hope it makes sense to stress the importance of hands-on experience in the context of the exams. As you review the material for Cisco exams, you’ll realize that hands-on experience with Cisco commands, tools, and utilities is invaluable.
Onward, Through the Fog! After you’ve assessed your readiness, undertaken the right background studies, obtained the hands-on experience that will help you understand the products and technologies at work, and reviewed the many sources of information to help you prepare for a test, you’ll be ready to take a round of practice tests. When your scores come back positive enough to get you through the exam, you’re ready to go after the real thing. If you follow our assessment regimen, you’ll not only know what you need to study, but also know when you’re ready to make a test date at Prometric or VUE. Good luck!
1 CCNP Certification Exams
Terms you’ll need to understand:
✓ Multiple-choice question formats
✓ Radio button
✓ Check box
✓ Exhibit
✓ Drag and drop
✓ Fill in the blank (free choice)
✓ Careful reading
✓ Process of elimination
Techniques you’ll need to master:
✓ Assessing your exam readiness
✓ Preparing to take a certification exam
✓ Practicing (to make perfect)
✓ Making the best use of the testing software
✓ Budgeting your time
✓ Saving the hardest questions until last
✓ Guessing (as a last resort)
As experiences go, test-taking is not something most people anticipate eagerly, no matter how well they’re prepared. In most cases, familiarity helps reduce test anxiety. In plain English, this means you probably won’t be as nervous when you take your fourth or fifth certification exam as when you take your first one. Whether it’s your first test or your tenth, understanding the exam-taking particulars (how much time to spend on questions, the setting you’ll be in, and so on) and the testing software will help you concentrate on the material rather than on the environment. Likewise, mastering a few basic test-taking skills should help you recognize—and perhaps even outfox—some of the tricks and gotchas you’re bound to find in some of the test questions. In this chapter, we explain the testing environment and software and describe some proven test-taking strategies that you should be able to use to your advantage.
Assessing Exam Readiness Before you take any Cisco exam, we strongly recommend that you read through and take the “Self Assessment” included with this book. It will help you compare your knowledge base to the requirements for obtaining the CCNP certification and help you identify parts of your background or experience that might need improvement, enhancement, or further learning. If you get the right set of basics under your belt, obtaining Cisco certification is that much easier. After you’ve gone through the “Self Assessment,” you can remedy those topical areas where your background or experience might not measure up to that of an ideal certification candidate. You can also tackle subject matter for individual tests at the same time, so you can continue making progress while you’re catching up in some areas. After you work through this Exam Cram 2, read the supplementary materials, and take the practice exams in Chapters 14 and 16, you’ll have a pretty clear idea of when you should be ready to take the real exam. Although we strongly recommend that you keep practicing until your scores top the 70% mark, a goal of 75% would give you some margin for error in a real exam situation (where stress plays more of a role than in practice situations). When you hit that point, you should be ready to go. If you get through the practice exams in this book without attaining that score, however, you should keep taking practice exams and studying the materials until you get there. You’ll
find more information about other practice materials in the “Self Assessment,” along with even more pointers on how to study and prepare. But now, on to the exam itself!
The Test Objectives The test objectives for Cisco exams are posted on the Cisco Web site at http://www.cisco.com/en/US/learning/le3/le2/le37/le10/learning_ certification_type_home.html.
Tables 1.1 through 1.4 provide a quick chapter-to-test objective cross-reference.

Table 1.1 Chapter–to–Exam Test Objectives for General Knowledge
Chapter   Test Objective
All       Describe how you can use different WAN technologies to provide remote access to a network, including asynchronous dial-in, Frame Relay, ISDN, cable modem, and DSL
11        Describe traffic-control methods used to manage traffic flow on WAN links
3, 4      Explain the operation of remote network access-control methods
4         Identify PPP components and explain the use of PPP as an access and encapsulation method
13        Describe the structure and operation of virtual private network (VPN) technologies
5         Describe the process of network address translation (NAT)

Table 1.2 Chapter–to–Exam Test Objectives for Implementation and Operation
Chapter   Test Objective
6         Configure asynchronous modems and router interfaces to provide network access
7         Configure an ISDN solution for remote access
9         Configure Frame Relay operation and traffic control on WAN links
3, 4      Configure access control to manage and limit remote access
10        Configure DSL operation using Cisco IOS
13        Configure VPN operation using Cisco IOS
5         Configure NAT

Table 1.3 Chapter–to–Exam Test Objectives for Planning and Design
Chapter   Test Objective
6         Design a Cisco remote access solution using asynchronous dial-up technology
7, 11     Plan a Cisco ISDN solution for remote access or primary link backup
9         Design a Cisco Frame Relay infrastructure to provide access between remote network components
9         Design a solution of access control to meet required specifications
9, 11     Plan traffic shaping to meet required quality of service (QoS) on access links

Table 1.4 Chapter–to–Exam Test Objectives for Troubleshooting
Chapter   Test Objective
All       Troubleshoot nonfunctional remote access systems
13        Troubleshoot a VPN system
12        Troubleshoot traffic control problems on a WAN link
The Testing Situation When you arrive at the testing center where you scheduled your test, you need to sign in with a test coordinator. He or she will ask you to produce two forms of identification, one of which must be a photo ID. After you’ve signed in and your time slot arrives, you’ll be asked to leave any books, bags, or other items you brought with you, and you’ll be escorted into a closed room. Typically, that room will be furnished with anywhere from one to half a dozen computers, and each workstation will be separated from the others by dividers designed to keep you from seeing what’s happening on someone else’s computer. You’ll be furnished with a pen or pencil and a blank sheet of paper or, in some cases, an erasable plastic sheet and an erasable felt-tip pen. You’re allowed to write down any information you want on this sheet, and you can write on both sides of the page. We suggest you memorize as much as possible of the material on the “Cram Sheet” (on this book’s inside front cover) and then write that information on the blank sheet as soon as you sit down in front of the test machine. You can refer to the sheet any time you like during the test, but you’ll have to surrender it when you leave the room. Most test rooms feature a wall with a large window, which allows the test coordinator to monitor the room, prevent test-takers from talking to one another, and observe anything out of the ordinary that might be going on.
The test coordinator will have preloaded the Cisco certification exam you’ve signed up for, and you’ll be permitted to start as soon as you’re seated in front of the machine. Each Cisco certification exam permits you to take up to 75 minutes to complete the test. (The test itself maintains an onscreen counter/clock so that you can check the time remaining whenever you like.) The passing score varies for each exam, and Cisco has been known to change the passing score after an exam has been available for a while. All Cisco certification exams are computer generated and use a multiple-choice, drag-and-drop, or fill-in-the-blank format. Although this setup might sound easy, the questions are constructed not just to check your mastery of basic Cisco system administration, but also to require you to evaluate one or more sets of circumstances or requirements. Often, you’ll be asked to give more than one answer to a question; likewise, you might be asked to select the best or most effective solution to a problem from a range of choices, all of which technically are correct. The tests are quite an adventure, and they involve real thinking. This book shows you what to expect and how to deal with the problems, puzzles, and predicaments you’re likely to find on the exams.
Test Layout and Design
Question 1 depicts a typical test question. It’s a multiple-choice question that requires you to select a single correct answer. Following the question is a brief summary of each potential answer and why it was either right or wrong.
Question 1
Which of the following is the addressing protocol of the Internet?
❍ A. AppleTalk
❍ B. TCP/IP
❍ C. IPX
❍ D. DNS
❍ E. BGP
Answer B is correct. TCP/IP is the protocol suite that provides the addressing that the Internet uses to connect devices. Domain Name System (DNS) and Border Gateway Protocol (BGP) operate in conjunction with TCP/IP to provide some services. AppleTalk and Internetwork Packet Exchange (IPX) are two other network addressing protocols but are not used for Internet addressing.
This sample question corresponds closely to those you’ll see on Cisco certification exams. To select the correct answer during the test, you position the cursor over the radio button next to Answer B and click the mouse to select that particular choice. The only difference between the questions on the certification exams and questions such as this one is that the real questions are not immediately followed by the answers. In the following question, one or more answers are possible. This type of question provides check boxes rather than radio buttons for marking all the correct selections.
Question 2
Which of the following are WAN protocols? (Select all that apply.)
❑ A. Frame Relay
❑ B. Token Ring
❑ C. ISDN
❑ D. FDDI
Answers A and C are correct. Answers B and D are LAN protocols. For this type of question, you must select one or more answers to answer the question correctly. For Question 2, you have to position the cursor over the check boxes next to items A and C and click on both to get credit for a correct answer.
These two types of questions can appear in many forms and constitute the foundation on which most Cisco certification exam questions rest. More complex questions might include so-called exhibits, which are usually tables or data-content layouts of one form or another. You’ll be expected to use the information displayed in the exhibit to guide your answer to the question. Other questions involving exhibits might use charts or diagrams to help document a workplace scenario that you’ll be asked to troubleshoot or configure. Paying careful attention to exhibits is the key to success; be prepared to toggle between the picture and the question as you work. Often, both are complex enough that you might not be able to remember all of either one.
Some questions are fill in the blank. This format involves entering the name of a command, filename, command-line argument, or Cisco-related terminology. A typical fill-in-the-blank question appears in Question 3. This question provides a box in which to enter the answer.
Question 3
Enter the command to see the active TCP/IP routing table on a Cisco router.
The correct answer is show ip route.
Be sure to read this type of question very carefully. Without having any answers in front of you, there is nothing to jog your memory and it makes guessing almost impossible. A question that asks for the command to be placed in a text box will want the full command, no abbreviations. In a simulator question, you usually can use abbreviations because the simulator is measuring whether the task gets accomplished, as opposed to how precise the command entry was. In some simulator questions, you are even able to use the question mark (?) if you need help. Be as specific as possible when answering the core question, however. Cisco also includes drag-and-drop questions that are very similar to matching questions.
Question 4
Arrange the layers of the OSI model from Layer 7 to Layer 1:
❍ A. Transport layer
❍ B. Data link layer
❍ C. Application layer
❍ D. Session layer
❍ E. Physical layer
❍ F. Presentation layer
❍ G. Network layer
The correct order is C, F, D, A, G, B, E. This type of question usually has a set of boxes on one side of the screen and a set of items on the other side that need to be dragged into the boxes. The question might require a specific order, as this one did, or it might involve matching terms to definitions. The drag-and-drop questions aren’t new to the Cisco exams, but they are fairly new to many of the CCNP exams. They provide a table consisting of two columns of data, such as technical terms and their definitions. All terms have to be positioned (using the mouse) in front of their respective definitions to be correct. To drag a term, position the mouse over the term and press the left mouse button. Then move the mouse to drag the term to the correct location. Release the mouse button to drop the term in front of its definition.
Using the Test Software Effectively
A well-known test-taking principle is to read over the entire test from start to finish first but to answer only those questions that you feel absolutely sure of on the first pass. On subsequent passes, you can dive into more complex questions, knowing how many such questions you have to deal with. Although this process is not possible with this specific Cisco exam, it is still a valid approach for preparation. Fortunately, the test software makes this approach easy to implement. At the bottom of each question, you’ll find a check box that permits you to mark that question for a later visit. (Note that marking questions makes review easier, but you can return to any question by clicking the Forward and Back buttons repeatedly until you get to the question.) As you read each question, if you answer only those you’re sure of and mark for review those that you’re not, you can keep going through a decreasing list of open questions as you knock off the trickier ones in order. Remember that you won’t be able to mark questions and return to them when taking this Cisco exam.
Keep working on the questions until you’re absolutely sure of all your answers or until you know you’ll run out of time. If unanswered questions remain, you should zip through them and guess. No answer guarantees that no credit will be given for a question, and a guess has at least a chance of being correct. (Blank answers and incorrect answers are scored as equally wrong.) You’re better off guessing than leaving questions blank or unanswered.
Taking Testing Seriously
The most important advice we can give you about taking any test is this: Read each question carefully. Some questions are deliberately ambiguous, some use double negatives, and others use terminology in incredibly precise ways. We’ve taken numerous practice tests and real tests, and in nearly every test, we’ve missed at least one question because we didn’t read it closely or carefully enough. Here are some suggestions on how to deal with the tendency to jump to an answer too quickly:
➤ Make sure you read every word in the question. If you find yourself jumping ahead impatiently, go back and start over.
➤ As you read, restate the question in your own terms. If you can do it, you should be able to pick the correct answers more easily.
➤ When returning to a question after your initial read-through, reread every word again; otherwise, your mind can fall quickly into a rut. Sometimes, seeing a question afresh after turning your attention elsewhere lets you see something you missed, but the strong tendency is to see what you’ve seen before. Avoid that tendency at all costs.
➤ If you reread a question more than twice, articulate to yourself what you don’t understand about the question, why the answers don’t appear to make sense, or what appears to be missing. If you chew on the subject for a while, your subconscious might provide the details that are lacking or you might notice a “trick” that points to the right answer.
Above all, deal with each question by thinking through what you know about being a Cisco administrator—commands, characteristics, behaviors, facts, and figures. By reviewing what you know (and what you’ve written down on your information sheet), you can often recall or understand things sufficiently to determine the answer to the question.
Question-Handling Strategies
Based on the tests we’ve taken, a couple of interesting trends in the answers have become apparent. For those questions that take only a single answer, usually two or three of the answers are obviously incorrect, and two of the answers are plausible. Of course, only one can be correct. Unless the answer leaps out at you (and if it does, reread the question to look for a trick; sometimes they are the ones you’re most likely to get wrong), begin the process of answering by eliminating answers that are obviously wrong.
Things to look for in the “obviously wrong” category include spurious command choices or filenames, nonexistent software or command options, and terminology you’ve never seen before. If you’ve done your homework for a test, no valid information should be completely new to you. In that case, unfamiliar or bizarre terminology probably indicates a totally bogus answer. As long as you’re sure what’s right, it’s easy to eliminate what’s wrong. Numerous questions assume that the default behavior of a particular Cisco command is in effect. It’s essential to know and understand the default settings for the various commands. If you know the defaults and understand what they mean, this knowledge will help you cut through many Gordian knots. Likewise, when dealing with questions requiring multiple answers, you must know and select all the correct options to get credit. This style, too, qualifies as an example of why careful reading is so important.
As you work your way through the test, another counter the exam provides will come in handy: the number of questions completed and questions outstanding. Budget your time by making sure you’ve completed one fourth of the questions one quarter of the way through the test period. Check again three quarters of the way through. Most Cisco exams have approximately 65 questions, other than CCIE written or beta exams; you won’t see an exam with too many more or less. Keeping to a pace of a question per minute will make sure you have the necessary time to deal with the couple of complex scenario questions that will crop up.
Cisco Exam Scoring
Most Cisco exams are scored from 300 to 1000 with a passing mark that has varied from as low as 580 to as high as the low 900s. Something that often confuses people is what percentage of correct questions the passing score is. A passing score of 800 is not 80%. A range of 300 to 1000 is a range of 700, so 300 to 1000 is the same as 1 to 700 or 500 to 1200. Some of these ranges have “bonus” points that you get just for knowing your testing ID number, but they are all ranges of 700 points. The first step to figuring out the percentage is to figure out how many bonus points are being awarded. With a range of 300 to 1000, 300 bonus points are being awarded. Using a passing score of 800 as an example, we need to remove the bonus points to get an accurate percentage. Subtracting 300 from 800 leaves 500 earned points to pass the exam, out of 700 total earned points. To get the passing score percentage, dividing 700 into 500 gives us a passing score of 71.4%. Once you realize you can earn only 700 points, you see that 70 points is 10%. If the passing score is 930, the passing percentage is 90%. If the passing score is 895, the passing percentage is 85%.
If you’re not through after 80 minutes, use the last 10 minutes to guess your way through the remaining questions. Remember, guesses are more valuable than blank answers because blanks are always wrong, but a guess might turn out to be right. If you haven’t a clue about any of the remaining questions, pick answers at random or choose all As, Bs, and so on. The important thing is to submit a test for scoring that has an answer for every question.
Mastering the Inner Game
In the final analysis, knowledge breeds confidence, and confidence breeds success. If you study the materials in this book carefully and review all the questions at the end of each chapter, you should be aware of those areas requiring additional studying. Next, follow up by reading some or all of the materials recommended in the “Need to Know More?” section at the end of each chapter. The idea is to become familiar enough with the concepts and situations you find in the sample questions to be able to reason your way through similar situations on a real test. If you know the material, you have every right to be confident that you can pass the test. As you work your way through the book, test your knowledge with the exam prep questions. After you work your way through the book, take the practice exams. The tests provide a reality check and help you identify areas that you need to study further. Make sure you follow up and review materials related to the questions you miss before scheduling the real tests. Only when you cover all the ground and feel comfortable with the whole scope of the practice tests should you take the real tests. If you do not score at least 80% on the practice exam, you will want to study further.
Armed with the information in this book and the determination to augment your knowledge, you should be able to pass the certification exam. If you don’t work at it, however, you’ll spend the test fee more than once before you finally do pass. If you prepare seriously, the exam should go flawlessly. Good luck!
Additional Resources
By far, the best source of information about Cisco certification exams comes from Cisco itself. Because its products and technologies—and the tests that go with them—change frequently, the best place to go for exam-related information is online. If you haven’t already visited the Cisco certification pages, do so right now. As we’re writing this chapter, the certification home page resides at http://www.cisco.com/en/US/learning/le3/learning_career_certifications_and_learning_paths_home.html.
The certification home page might not be at the same URL by the time you read this, or it might have been replaced by something new and different because the Cisco site changes regularly. Should this happen, please read the sidebar “Coping with Change on the Web” later in this chapter.
This Web page points to additional information in the certification pages. Here’s what to check out:
➤ Overview—An overview of the certification process and exams
➤ Supporting courseware—Classroom courses and self-paced computer-based training offered by Cisco that cover the information listed in the exam objectives
➤ Exam objectives—A detailed list of the topics that will be covered on the exams
➤ Sample questions—A limited number of sample questions and answers
➤ Registration—Information on purchasing a Cisco voucher and registering with Prometric or VUE to schedule the exams
➤ FAQs—Frequently asked questions; yours might get answered here
As you browse through the certification pages—and we strongly recommend that you do—you’ll probably find other items we didn’t mention here that are every bit as interesting and compelling.
Coping with Change on the Web
Sooner or later, all the specifics we’ve shared with you about the Cisco certification pages, and all the other Web-based resources we mention throughout the rest of this book, will go stale or be replaced by newer information. In some cases, the URLs you find here might lead you to their replacements; in other cases, the URLs will go nowhere, leaving you with the dreaded “404 file not found” error message.
When that happens, please don’t give up. There’s always a way to find what you want on the Web—if you’re willing to invest some time and energy. To begin with, most large or complex Web sites—and the Cisco site qualifies on both counts—offer a search engine. As long as you can get to the Cisco home page (and we’re sure it will stay at http://www.cisco.com for a long while yet), you can use this tool to help you find what you need. The more focused you can make a search request, the more likely it is that the results will include information you can use. For example, you can search for the string “training and certification” to produce a lot of data about the subject in general, but if you’re looking for the details on the Cisco Certified System Administrator tests, you’ll be more likely to get there quickly if you use a search string such as this:
“Administrator” AND “certification”
Likewise, if you want to find the training and certification downloads, try a search string such as this:
“training and certification” AND “download page”
Finally, don’t be afraid to use general search tools such as http://www.search.com, http://www.altavista.com, or http://www.excite.com to search for related information. Even though Cisco offers information about its certification exams online, there are plenty of third-party sources of information, training, and assistance in this area that do not have to follow a party line, as Cisco does. The bottom line is this: If you can’t find something where the book says it lives, start looking around.
PART I WAN Services
2 WAN Technologies and Components
3 Securing the Network with AAA
4 PPP Authentication with PAP and CHAP
5 Using Network Address Translation
2 WAN Technologies and Components
Terms you’ll need to understand:
✓ WAN
✓ Dedicated connection
✓ Circuit switching
✓ Packet switching
✓ Synchronous and asynchronous
✓ Central site
✓ Branch office
✓ Home office
Techniques you’ll need to master:
✓ Selecting hardware
✓ Determining bandwidth requirements
✓ Selecting a WAN connection
✓ Selecting a backup connection
✓ Choosing and configuring WAN encapsulations
Designing and deploying a wide-area network (WAN), regardless of its size, is an essential skill for the network professional. One of the steps of this task involves configuring remote access. The ability to work efficiently and effectively from a remote location—whether it’s a branch office, small office/home office (SOHO), or a mobile location—is critical to virtually every industry and company. Knowing what technologies are available, how they can interact, and how to manage those technologies is a key component of any professional’s skill set.
WAN Connection Types
Meeting the connection requirements in an enterprise WAN takes careful planning and is an ongoing process. To successfully deploy and manage your WAN environment, you must be comfortable with the technology involved. WAN connections fall into three major categories: dedicated, packet switched, and circuit switched. It is important to know the benefits and drawbacks of each, why you would use one over another, and how to configure and troubleshoot each.
Dedicated
Dedicated WAN connections, also sometimes referred to as point-to-point or leased lines, are the pinnacles of the WAN hierarchy. A dedicated WAN connection, in a nutshell, is a private line, dedicated to your private use, from one point to another. It is the WAN equivalent of an Ethernet cable from the central site to the branch office. Table 2.1 lists some of the pros and cons of the dedicated connection.
Table 2.1 Dedicated Connections
Pros:
➤ The bandwidth you purchase is dedicated to your exclusive use.
➤ The connection is already established and ready to use at all times.
➤ Typically, it allows for higher connection speeds, even greater than T3.
Cons:
➤ You pay for your bandwidth, regardless of whether you use it.
➤ Because the provider cannot “oversubscribe” your line, it is usually more expensive.
➤ It is only cost-effective with long connection times or critical data and short distances.
Circuit Switched
A circuit-switched WAN connection uses a dedicated circuit through the underlying network, typically the phone company, for the duration of the session. Circuit-switched technologies include asynchronous modem connections and ISDN. As Table 2.2 shows, circuit-switched connections have some distinct advantages as well as some major disadvantages.
Table 2.2 Circuit-Switched Connections
Advantages:
➤ Circuit-switched connections are readily available almost anywhere.
➤ Connections are established on an “as-needed” basis, instead of remaining on.
➤ Circuit-switched connections are inexpensive to set up and maintain.
Disadvantages:
➤ Circuit-switched connections are usually not as fast as other WAN technologies.
➤ Suboptimal path selection can result in poor performance for the duration of the call.
➤ The more data that needs to be transmitted, the longer the connection is active.
The single biggest advantage of a circuit-switched WAN connection is that it is typically available wherever there is a phone line. The speed limitation of the circuit-switched connection, which is a result of its wide availability and the underlying technology, is its biggest drawback. The exception to the availability rule is ISDN. Although ISDN is digital, it is still circuit-switched, and it is not necessarily available everywhere that phone service is available. ISDN still needs a dedicated line run from the CO.
Packet Switched
Packet-switched network connections share a lot of the benefits of both dedicated and circuit-switched networks while minimizing the drawbacks. Like a circuit-switched network, the packet-switched network uses a public, readily available backbone, usually the phone company, for network connectivity. Unlike the circuit-switched network, each packet is switched independently of the others. If the network encounters a problem, resulting in the loss of one or more packets, it can route the rest of the transmission around the problem. As with a dedicated circuit, a packet-switched circuit makes greater speeds available to you, typically T1 or better. Packet-switched connections have one major advantage over dedicated circuits, however, and that is cost. Because you are sharing the “backbone” connection with other subscribers, the cost is usually a fraction of what a dedicated connection would be.
WAN Encapsulation Protocols
You need to be familiar with three main WAN encapsulation protocols. Each protocol usually accompanies a certain connection type, although it is certainly not a 1:1 relationship. The main encapsulation protocols you need to know are Point-to-Point Protocol (PPP), High-Level Data Link Control (HDLC), and Frame Relay. Additional encapsulations you might encounter are Asynchronous Transfer Mode (ATM), X.25, and Serial Line Internet Protocol (SLIP). To configure an encapsulation on an interface, issue the following command in interface configuration mode:
encapsulation {ppp,hdlc,frame-relay}
Router(config-if)# encapsulation ppp
PPP
PPP is most commonly associated with dial-up or ISDN connections to the Internet. Although PPP is well suited for this task, it is certainly not limited to dial-up. Many of the benefits of PPP do, however, have specific relevance to dial-up, as mentioned in the following list. You can use PPP over dedicated connections, circuit-switched connections, and, in some cases, packet-switched connections. Packet-switched connections typically don’t use PPP because there are more robust protocols available for that type of connection.
The major features and benefits of PPP follow:
➤ Multilink—PPP offers the ability to aggregate multiple connections together for more bandwidth. Multilink is sometimes referred to as MP for multilink protocol.
➤ Compression—PPP allows for packets to be compressed before transmission. PPP supports all hardware and software compression standards and uses the Compression Control Protocol to manage compression on both the sending and receiving ends.
➤ Callback—PPP supports both dynamic and fixed callback. Callback allows the remote access server to call back the initiating party. You can use callback as a security mechanism by limiting where a user can request callback to. Callback can also be a means of controlling the cost of remote connections by centralizing billing.
➤ Encrypted authentication—Instead of sending the username and password in cleartext, PPP supports a number of methods that protect usernames and passwords during authentication.
PPP encapsulation is only the beginning; you can expect to see ISDN and other configuration questions on encryption, callback, and multilink using PPP.
HDLC
HDLC is typically used only on dedicated connections. It is the default encapsulation on Cisco router serial interfaces. This version of HDLC, however, is not an industry standard. The two types of HDLC are Cisco HDLC and IEEE HDLC, and they are not compatible. The HDLC that a Cisco router speaks is the Cisco proprietary version. If you are not communicating with a Cisco device at the other end, it is suggested that you use PPP as the encapsulation for the connection.
Frame Relay
Frame Relay is more or less the standard for high-speed, nonconsumer networks and Internet connectivity. Frame Relay provides access rates up to T3 in a packet-switched environment. Frame Relay is typically used as an internetwork connection protocol over reliable WAN connections. Frame Relay has lower overhead than other encapsulations because it leaves the error checking and correction to the higher-layer protocols. As with just about any encapsulation, you can have more than one type on a router, but only one type per interface. The “addressing” of a Frame Relay interface is called the data-link circuit identifier (DLCI). The DLCI is locally significant, meaning that you are the only one who cares what your end of the connection is called. Most service providers instruct you to use DLCI 16 on your side of the Frame Relay connection. As long as you only have one Frame Relay connection, you can use DLCI 16, but if you have more than one connection, you have to use unique numbers for each DLCI. Think of a DLCI as a doorway out of the router, and each doorway must have a unique name to go with its unique destination.
With Frame Relay, you should be aware of your committed information rate (CIR). The CIR is what determines the guaranteed speed of your connection to the network. The CIR becomes important when working with central sites and branch offices. Typically, a central site has substantially more bandwidth than a branch or home office does, and CIR becomes an important variable when setting up and tuning those connections. Frame Relay is tested very heavily on this exam because it is the most widely implemented packet-switched network technology. Be comfortable with the commands to configure, debug, and troubleshoot Frame Relay as well as the terminology.
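The following IOS configuration is an added example, not from the book or from Cisco, that puts the PPP features and the Frame Relay DLCI and CIR discussed above onto one central-site router: a leased line whose default HDLC encapsulation is replaced by PPP with CHAP authentication, multilink, and compression, beside a Frame Relay access circuit using the provider-assigned DLCI 16 with traffic shaping keyed to the CIR. The hostnames CENTRAL and BRANCH, the interface numbers, the IP addresses, the 512 Kbps CIR, and the shared-secret placeholder are assumptions made for this example.

```cisco
! Added example (not from the book): central-site router, assumed hostname CENTRAL
hostname CENTRAL
!
! CHAP looks up the peer's hostname (assumed: BRANCH) in the local user table.
! The password is a placeholder; replace it with the real shared secret.
username BRANCH password 0 REPLACE-WITH-SHARED-SECRET
!
! --- Dedicated (leased) line: Cisco HDLC is the default, PPP replaces it ---
interface Serial0/0
 description Leased line to BRANCH (assumed interface and addressing)
 ip address 10.1.1.1 255.255.255.252
 encapsulation ppp
 ! Encrypted authentication: CHAP never sends the password in cleartext
 ppp authentication chap
 ! Multilink lets a second parallel serial link join this bundle later
 ppp multilink
 ! Stacker compression, negotiated through the Compression Control Protocol
 compress stac
!
! --- Packet-switched line: Frame Relay with locally significant DLCI 16 ---
! Shaping to the CIR (assumed 512 Kbps) keeps this router from sending
! faster than the provider guarantees on the PVC.
map-class frame-relay BRANCH-CIR
 frame-relay cir 512000
!
interface Serial0/1
 description Frame Relay access circuit (assumed interface)
 no ip address
 encapsulation frame-relay
 frame-relay traffic-shaping
!
! One point-to-point subinterface per PVC; each PVC needs its own DLCI
interface Serial0/1.16 point-to-point
 description PVC to BRANCH (assumed addressing)
 ip address 10.1.2.1 255.255.255.252
 frame-relay interface-dlci 16
  class BRANCH-CIR
```

After applying it, show interfaces Serial0/0 should report PPP encapsulation with LCP open once the branch router (configured with the matching username entry for CENTRAL) authenticates, and show frame-relay pvc lists DLCI 16 and its status as learned from the provider switch. Callback is left out of this example because it applies to dial-in interfaces (async and ISDN), not to a leased line.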
Additional Encapsulations
You should also know that Cisco routers support SLIP, X.25, and ATM as encapsulation methods. X.25 is falling out of favor because it is a slower technology. It has substantially more overhead than Frame Relay because it has its own error checking and correction. SLIP can only use IP and has been replaced by PPP. ATM is still a viable choice but its full use is beyond the scope of this book.
WAN Connection Determination
Once you determine that you need a WAN, you need to choose the technologies you will implement. The bulk of your design decisions rest on several key factors. Cisco specifically uses seven different key factors: availability, bandwidth, cost, ease of management, application traffic, quality of service (QoS) and reliability, and access control. It is up to you to decide what weight you assign to each factor. You need to choose your connection type based on the requirements of the location. The major locations that you should consider when designing your network are the central site, branch office, and SOHO.
Key Decision Factors
The seven different factors you consider fall into two major areas. Availability, bandwidth, and cost typically have physical components associated with them and are less subject to your direct control. Ease of management, application traffic, QoS/reliability, and access control are more logical in nature and more subject to your control.
Availability
Availability is probably one of the biggest considerations you need to make. Not all physical WAN implementations are available everywhere. Newer technologies and higher speeds require updates at the phone company’s central office (CO). The current demand might not warrant the expense.
Bandwidth
Bandwidth, in conjunction with cost, is the next most important consideration. Usually bandwidth and cost are directly proportionate: the higher the bandwidth, the more it is going to cost. Different technologies for faster speeds, such as ATM, have different hardware requirements as well.
Cost
In the end, it always comes down to cost, doesn’t it? You want the biggest bang for the buck. Typically, it comes as a tried and true technology, such as Frame Relay, but as newer, faster WAN types emerge, the prices on all of them typically decrease. As important as price is, however, don’t let it be the overriding factor. Cutting too many corners to lower the cost can have a far-reaching negative impact on the overall performance of the network and its capabilities.
Ease of Management
As part of your “total cost of ownership,” you need to consider how easy this WAN environment will be to manage. Will you or someone on your team need additional training? Will you have to deploy new hardware or software, and how expensive will it be to bring in a consultant if necessary?
Application Traffic
Your WAN connection requirement is also based, at least partially, on what you are going to use it for. Voice traffic, for example, requires a large amount of bandwidth that needs to be readily available at all times. Web browsing, on the other hand, requires less bandwidth and can usually be accommodated by a connection that isn’t as reliable.
QoS/Reliability
The type of traffic you are expecting also has an impact on the QoS and reliability of a connection. Again, voice traffic needs a very reliable connection with a high QoS, such as Frame Relay or ATM. You can support Web browsing with something less reliable, such as cable or DSL, with less guaranteed bandwidth allocated to a specific type of traffic.
Access Control
The last consideration, but certainly not the least, is access control. Restricting access to parts of the network or specific Web sites is the least of these controls. You also need to consider restricting types of traffic and the directions you allow traffic to flow. Examples include restricting Telnet but allowing Secure Shell (SSH). Make sure that the router platform you choose can support the types of access control you require. Different access-control mechanisms, ranging from simple access lists to complex firewall filtering, require different amounts of processing power and memory.
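As an added example of the simplest mechanism named above, a named extended access list (this is not the book's own configuration): it restricts Telnet while allowing SSH in one direction, inbound from the branch on the WAN subinterface, and also limits the router's own virtual terminal lines to SSH. The interface name, the subnets, the management host address, the domain name, and the administrator account are assumptions made for this example.

```cisco
! Added example (not from the book): branch-facing access control on a
! central-site router. Interface, addresses, and account name are assumed.
!
! Named extended ACL, evaluated top-down with an implicit deny at the end:
!  - SSH (TCP/22) from the assumed branch subnet to the assumed management host
!  - Telnet (TCP/23) refused everywhere and logged, since it carries cleartext credentials
!  - everything else allowed so routine branch traffic is not affected
ip access-list extended BRANCH-IN
 remark Allow encrypted management sessions only
 permit tcp 10.2.0.0 0.0.255.255 host 10.1.0.10 eq 22
 remark Telnet sends usernames and passwords in cleartext
 deny tcp any any eq 23 log
 permit ip any any
!
! Direction matters: "in" filters what arrives from the branch on this PVC
interface Serial0/1.16 point-to-point
 description PVC from BRANCH (assumed)
 ip access-group BRANCH-IN in
!
! The router's own management plane: SSH only on the vty lines, no Telnet.
! RSA key generation needs a hostname and domain name first.
hostname CENTRAL
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
username admin secret REPLACE-WITH-STRONG-PASSWORD
line vty 0 4
 login local
 transport input ssh
```

The log keyword on the Telnet entry makes denied attempts visible in show logging and in syslog, which is the check a practitioner wants after the list goes live; show access-lists BRANCH-IN shows the per-entry match counters. The catch-all permit at the end is what keeps this a Telnet restriction rather than a full firewall policy; a tighter central site would replace it with explicit permits for the application traffic the branch actually needs.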
Site Requirements
The sites in your WAN and the connection requirements of each site will dictate the connection types you choose. Each site falls into one of three categories: central site, remote office/branch office (ROBO), or SOHO. Higher bandwidth requirements and different types of application traffic require a more robust, faster, and more reliable connection. Infrequent, less critical traffic can be accommodated by slower, less reliable connections. Be sure you know which router platforms Cisco suggests for each company site.
Central Site
The central site is, well, central to your network. You typically have the greatest need for bandwidth, reliability, and flexibility at this location. The central site needs to accept connections from asynchronous users, slow-speed packet-switched networks, and virtual private network (VPN) connections. Additionally, the central site needs to be able to service several connections at once. The central site should allow for the most concurrent connections possible while keeping cost to a minimum. Another requirement at the central site is controlling access to secure information. You can implement access control both to protect information and to guarantee the best QoS for the applications that need access to the connection. The central site should also have backup and redundancy built into its network design. There should always be more than one way “out” of the central site.
Central site routers are typically one or more of the following:
➤ 2600 Series
➤ 3600/3700 Series
➤ 4000 Series
➤ 7200/7500 Series
These routers provide flexibility in design by allowing you to customize the interfaces available on the router. They also have the processing power to deal with multiple simultaneous connections and the expandability necessary for most planned growth.
Branch Office
The branch office has far fewer considerations when it comes to deciding what hardware and connection types to use. Typically, a branch office needs a fast, reliable connection to the central site but isn’t supporting incoming connections. The branch office supports fewer users as well. The branch office will usually take advantage of a leased line, ISDN, Frame Relay, or broadband service as its primary connection to the central site. The branch office should also have a backup connection that is less expensive but still fairly reliable. Don’t spend too much time on the backup connection, however; a lot of money spent on a connection that doesn’t get used often is a waste of money. It’s not a good idea, unless absolutely necessary, to back up a 512Kbps Frame Relay connection with another 512Kbps Frame Relay connection. The money spent on the backup in this case would be overkill.
Branch-office hardware doesn’t need to be as fast or as robust as that for its central-site cousin. Typically, branch-office equipment is one of the following:
➤ 1600 Series
➤ 1700 Series
➤ 2500 Series
➤ 2600 Series
The routers at the branch office are usually modular, but several fixed-configuration 2500 series routers can do a fine job at the branch office.
SOHO
The site with the lightest hardware and connection requirements is the SOHO. The SOHO is characterized by a small staff with very light data-transfer requirements. By supporting fewer people and leveraging local resources, the SOHO can get by with the lower-end equipment on the Cisco scale and use a less expensive WAN connection. It is not uncommon to see ISDN or DSL as the main connection with an asynchronous modem backup connection into the central site. Hardware at the SOHO is usually one of the following:
➤ 800 Series
➤ 1000 Series
➤ 1700 Series
The routers at the SOHO can be modular, and both the main connection and the backup connection can be managed by a single router.
Hardware Selection
You should know some basics about a few of the hardware platforms Cisco offers for remote access. Specifically, you need to know the information in Table 2.3 for the Cisco 800, 1600, 1700, 2500, 2600, 3600, 3700, AS5000, and 7200. Knowing how many and which interface types are available on each hardware platform will help you select the correct router for each of the different environments.
Table 2.3 General Router Platforms and Capabilities

Router      Capabilities
800         ISDN Basic Rate Interface (BRI), serial, Public Switched Telephone Network (PSTN), and broadband ports with Cisco IOS software
1600        ISDN BRI, 1 WAN slot, and 1 LAN port
1700        2 WAN slots, as many as 2 voice interface card (VIC) slots, and 1 or 2 LAN ports
2500        2 high-speed serial ports (up to T1), up to 8 low-speed serial ports (up to 64Kbps), 1 or 2 10Mbps LAN interfaces, and up to 1 ISDN BRI
2600        1 or 2 fixed LAN ports (10 or 10/100Mbps), 2 WAN slots, and 1 network module slot
3600/3700   2 (36/3720), 4 (36/3740), or 6 (36/3760) network module slots, with no fixed interfaces on the 3x20 and 3x40 and 2 fixed Fast Ethernet LAN interfaces on the 3x60
AS5000      Access server with support for multiple T1/E1 interfaces and digital, internal modems
7200        Wide range of WAN connectivity options and high port density for maximum scalability
Exam Prep Questions

Question 1
What is the default encapsulation method on a Cisco router serial interface?
❍ A. PPP
❍ B. SDLC
❍ C. HDLC
❍ D. Frame Relay
Answer C is correct; on serial interfaces, Cisco routers use the Cisco version of HDLC as their default encapsulation type. Answer A is incorrect; to enable PPP encapsulation on a serial interface, issue the encapsulation ppp command in interface configuration mode. Answer B is incorrect; if the router supports it (and not all Cisco routers do), the command to enable SDLC on a serial interface is encapsulation sdlc in interface config mode. Answer D is incorrect; to enable Frame Relay, from interface config mode, type encapsulation frame-relay.
Question 2
Which of the following would provide connectivity between a branch office and the central site, assuming that the branch office supports a group of salespeople who need regular access to email and file servers at the central site at no more than 256Kbps?
❑ A. Dedicated
❑ B. ISDN
❑ C. Asynchronous modem
❑ D. Frame Relay
Answers B and D are correct. ISDN supports up to 128Kbps and is considered the slowest connection that is usable between branch and central sites. Frame Relay is the standard primary connection from most branches to the central site. Answer A is incorrect; a dedicated connection is probably overkill in this scenario. Answer C is incorrect; an asynchronous modem would be too slow to support multiple concurrent users connecting to remote servers.
Question 3
Which of the following can be considered either branch-office or central-site equipment?
❍ A. 1700 Series router
❍ B. 2600 Series router
❍ C. 3600 Series router
❍ D. 7200 Series router
Answer B is correct; the 2600 Series router is considered the highest you would use at a branch office and the slowest router for a central site. Answer A is incorrect; the 1700 is considered too slow and does not provide sufficient scalability for the central site. Answer C is incorrect; the 3600 Series router is a central-site router and considered overkill for a branch office. Answer D is incorrect; the 7200 Series router is a high-end router suitable for incredibly high speeds. A branch office would never fully utilize the 7200.
Question 4
Which of the following would be considered a backup connection for a SOHO?
❍ A. Dedicated connection
❍ B. Frame Relay
❍ C. DSL
❍ D. Asynchronous modem
Answer D is correct; a SOHO typically requires no more than DSL, cable, or ISDN as its primary connection. The asynchronous modem is slower than any of these primary connections and is suitable for backup. Answer A is incorrect; a dedicated connection would be a primary connection if used at all in a SOHO environment. Answer B is incorrect; like a dedicated connection, if Frame Relay were used, it would be the primary connection at a SOHO. Answer C is incorrect; DSL is usually considered a primary connection and would therefore not be a secondary or backup connection.
Question 5
Assuming all the following technologies are available, which of the following would be the best choice for a telecommuter who uploads a large amount of data once a day?
❍ A. ISDN/PRI
❍ B. ISDN/BRI
❍ C. Frame Relay
❍ D. Asynchronous modem
Answer B is correct; telecommuters are typically in the SOHO environment. ISDN, like an asynchronous modem, is a dial-on-demand connection but has greater bandwidth potential. BRI is much less expensive than PRI. Answer A is incorrect; an ISDN/PRI would be the equivalent of a T1, which is overkill for a SOHO. Answer C is incorrect; like an ISDN/PRI, Frame Relay would be overkill at a SOHO. Answer D is incorrect; a large amount of data would take too long over an asynchronous modem connection.
Question 6
Which of the following would be a dial-on-demand technology?
❍ A. Dedicated connection
❍ B. ISDN
❍ C. ATM
❍ D. Frame Relay
Answer B is correct; ISDN can be “dialed up” as needed. Answer A is incorrect; a dedicated connection is already established and therefore not brought up “on-demand.” Answer C is incorrect; like a dedicated connection, ATM is already connected all the time. Answer D is incorrect; most service providers do not allow for switched virtual circuits (SVCs). As such, Frame Relay connections are always connected.
Question 7
Why are broadband connections not used more frequently as a WAN connection mechanism?
❍ A. Cost
❍ B. Reliability
❍ C. Availability
❍ D. Difficult to manage
Answer C is correct; the main reason broadband connections are not more frequently utilized is that their availability is much lower in comparison to other, older technologies. Answer A is incorrect; for the most part, broadband connections are cheaper than their nonbroadband counterparts. Answer B is incorrect; the reliability of broadband connections is nearing the reliability of the other WAN technologies. Answer D is incorrect; broadband connections are easy to set up and manage.
Question 8
Which of the following would help you decide to use a leased line as opposed to a Frame Relay circuit? (Choose all that apply.)
❑ A. Short connect times
❑ B. Long connect times
❑ C. Short distances
❑ D. Long distances
Answers B and C are correct; if you will be connecting for long periods of time over short distances, it can be cost-effective, in some circumstances, to have a leased, dedicated line. The leased, dedicated line ensures that you will not be sharing the bandwidth with any other entity. Answer A is incorrect; short connect times typically don’t warrant a dedicated connection. Answer D is incorrect; long distances are usually cost-prohibitive when considering a leased, dedicated line.
Question 9
Which of the following are circuit-switched connections? (Choose all that apply.)
❑ A. ISDN
❑ B. Frame Relay
❑ C. DSL
❑ D. Asynchronous modem
Answers A and D are correct. ISDN uses the same underlying framework as a typical modem. The key to a circuit-switched connection is that once the connection is established, you must break the connection and reconnect to get a different and better signal. Asynchronous modems use the PSTN to make and receive calls. The PSTN is based, even if only in theory in newer environments, on individual electronic circuits opening and closing for the duration of a call, from point A to point B. Answer B is incorrect; Frame Relay is a packet-switched technology. Answer C is incorrect; DSL is an ATM technology that uses cell switching, not circuit switching. Cell switching is similar in concept to packet switching.
Question 10
Which of the following would allow you to accept ISDN/BRI calls at the central site? (Choose all that apply.)
❑ A. Frame Relay
❑ B. ISDN/PRI
❑ C. Asynchronous modem
❑ D. ISDN/BRI
Answers B and D are correct. An ISDN/PRI can accept connections from as many as 23 BRI clients if each client uses only 1 B channel. The minimum requirement to accept a BRI phone call would be a BRI. Answer A is incorrect; Frame Relay circuits cannot, natively, accept a BRI phone call. Answer C is incorrect; an asynchronous modem cannot accept an ISDN/BRI connection.
Need to Know More?
To find out more about Frame Relay, visit the Cisco Web site at http://www.cisco.com/en/US/tech/tk713/tk237/tech_protocols_list.html. For additional information about ISDN, the Cisco Web site has both configuration examples and tech notes at http://www.cisco.com/en/US/tech/tk801/tk379/tech_technical_documentation.html. You can find a wealth of additional technical information on the Cisco Web site, http://www.cisco.com, by searching on WAN, ISDN, Frame Relay, configuration examples, tech notes, and combinations of these terms.
3 Securing the Network with AAA

Terms you’ll need to understand:
✓ CiscoSecure Access Control Server (ACS)
✓ Authentication, authorization, and accounting (AAA)
✓ Terminal Access Controller Access Control System (TACACS)
✓ Remote Authentication Dial-In User Service (RADIUS)
✓ Packet mode
✓ Character mode

Techniques you’ll need to master:
✓ Starting the AAA process on a router
✓ Configuring AAA addresses and passwords
✓ Enabling authentication
✓ Enabling authorization
✓ Enabling accounting
✓ Understanding the AAA commands
The Cisco Security Options
Cisco provides IOS options and hardware products to help secure your network and make securing the network easier. The router IOS now has a number of security options, such as virtual private network (VPN) capabilities and integration with intrusion detection system (IDS) sensors and the firewall feature set. Each of the different security options is also available as a separate security appliance; typically, an appliance is another piece of hardware designed for a specific task. Some of the different appliances follow:
➤ VPN concentrators and hardware clients—An appliance designed specifically for encryption and decryption to offload the work from routers, servers, workstations, and other infrastructure devices.
➤ IDSs—Available to examine traffic passing along the wire looking for known signatures of attacks as well as other anomalies. IDS options include an add-on card for the 6500 Catalyst switch, a separate appliance, and, for critical servers, a host-based IDS.
➤ PIX Firewall—The PIX Firewall uses its own proprietary operating system, featuring a stateful packet-inspecting system based on the Adaptive Security Algorithm (ASA), cut-through proxy, hot standby, and failover capabilities.
CiscoSecure ACS and AAA
The feature and product this chapter discusses most is the CiscoSecure ACS. It is available on UNIX and Windows platforms, and is what provides a Cisco network with AAA capabilities. The CiscoSecure ACS has a graphical user interface (GUI) accessible from a Web browser. It is a highly scalable Web-based Java tool that allows multiple administrators to work with it simultaneously. Let’s examine the three different AAA services in detail.
Authentication
Authentication happens before a user is permitted onto the network. It is the ability to identify the user and determine whether he should be allowed.
Authorization
Authorization is what a user is allowed to do on a network. You can control which protocols and services are permitted. You can also control what system levels and configuration modes the user can reach and what commands are available at that point.
Accounting
Accounting allows an administrator to keep track of a number of things: the duration of a connection, the amount of traffic transmitted, and the commands entered on a device.
ACS Components
The CiscoSecure ACS has three components:
➤ AAA clients—Make requests and communicate with the AAA server, sending usernames and other parameters.
➤ AAA server—Receives authentication requests from the clients, compares them to a database, authorizes the client, and begins accounting tasks.
➤ User or accounts database—Can be Open Database Connectivity (ODBC), Lightweight Directory Access Protocol (LDAP), Novell Directory Services (NDS), or Windows NT, 2000, or 2003. It allows an administrator to easily manage users and groups with different levels of permissions.
ACS Protocols
The two most common AAA protocols are TACACS+ and RADIUS. When a Cisco router communicates with an AAA server, it uses either TACACS+ or RADIUS:
➤ TACACS+ is a Cisco proprietary protocol for use with the CiscoSecure ACS. It uses TCP/IP, encrypts all data, allows multiple levels of authorization, and can use other methods of authentication, such as Kerberos.
➤ RADIUS is an open Internet Engineering Task Force (IETF) standard; it uses User Datagram Protocol (UDP) and encrypts only passwords. It also combines authentication and authorization as a single service; they are not separated as they are in TACACS+.
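To make the “encrypts only passwords” point concrete, here is an added Python illustration (not from the book or from Cisco) of the RFC 2865 User-Password hiding that RADIUS applies inside an Access-Request: the User-Name attribute travels in cleartext, while the password is XORed with an MD5 stream keyed by the shared secret and the request authenticator. The shared secret, authenticator, username and password below are constructed sample values.

```python
"""RADIUS User-Password hiding (RFC 2865, section 5.2), as an added illustration.

Only the User-Password attribute is protected; every other attribute in an
Access-Request, User-Name included, is sent in cleartext over UDP.
"""
import hashlib
import struct

ACCESS_REQUEST = 1        # RADIUS Code for Access-Request
ATTR_USER_NAME = 1        # attribute type 1
ATTR_USER_PASSWORD = 2    # attribute type 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad the password with NULs to a multiple of 16 octets, then XOR each
    16-octet block with MD5(secret + previous block); the first 'previous
    block' is the 16-octet Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        hidden += block
        prev = block            # chaining: the hidden block feeds the next MD5
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server. Trailing
    NUL padding is stripped (a password ending in NUL is indistinguishable)."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ b for c, b in zip(block, pad))
        prev = block
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes,
                         username: bytes, password: bytes, secret: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute_type: value} for the attributes after the 20-octet header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:          # malformed attribute; stop rather than loop forever
            break
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


# Constructed sample values. A real client draws a fresh random authenticator
# for every request; a fixed one is used here so the output is reproducible.
SECRET = b"MyPassWord"
AUTHENTICATOR = bytes(range(16))

if __name__ == "__main__":
    pkt = build_access_request(7, AUTHENTICATOR, b"alice", b"s3cret!", SECRET)
    print("User-Name visible in packet:", b"alice" in pkt)      # True
    print("password visible in packet: ", b"s3cret!" in pkt)    # False
    recovered = reveal_password(parse_attributes(pkt)[ATTR_USER_PASSWORD], SECRET, AUTHENTICATOR)
    print("server recovers:", recovered)                         # b's3cret!'
```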
Router Access Modes
It is important to understand that you can put in place AAA controls for traffic passing through a router or traffic destined for the router. Traffic passing through the router is defined as a packet moving from one network to another. Traffic destined for the router is a Telnet session to the router itself.

AAA environments are usually in place for two reasons: first, as a method to authenticate dial-in or remote users, and second, as a means to manage an IT team. It is common to find elaborate and complex AAA configurations that only regulate the IT staff. With AAA in place, you no longer need to give an administrator the enable password to any device. She connects to a router, the router prompts her for a username and password, and they are sent to the AAA server. Based on her profile, the administrator obtains access to the device at the appropriate system or configuration levels, and AAA logs a record of everything she does.

Based on the two uses, dialing in and managing, the router supports two modes: packet mode and character mode. In packet mode, also known as interface mode, the data passes through the router from one network to another through ports, such as asynchronous, Basic Rate Interface (BRI), Primary Rate Interface (PRI), serial, and dialer interfaces. The format of the packet requesting AAA services dictates the type. Packet mode is expressed as Service-Type = Framed-User and Framed-Type.
In character mode or line mode, the data is destined to the router to a TTY, VTY, AUX, or CON port, most likely for configuration and maintenance reasons. The format of a packet for character mode is Service-Type = Exec-User
AAA Operation
To enable AAA on the router, go to configuration mode and simply enter
Router(config)#aaa new-model
Specify the protocol and location of the AAA server with one of the following lines:
tacacs-server host ip-address [single-connection]
radius-server host ip-address
The host ip-address specifies the IP address of the AAA TACACS or RADIUS server, and the single-connection option, available only with TACACS, specifies that the router maintain a single open connection for confirmation from an AAA/TACACS+ server (CiscoSecure Release 1.0.1 or later). The single-connection option does give better performance, but it is not the default. The last command to get AAA up and running configures the shared password between the router and the AAA server. The passwords are case-sensitive:
tacacs-server key key
radius-server key key
A complete example looks something like this:
Router(config)#aaa new-model
Router(config)#tacacs-server host 192.168.1.100 single-connection
Router(config)#tacacs-server key MyPassWord
AAA Authentication Commands
The aaa authentication login command specifies that you want to use authentication. You need to give the authentication parameters a list name, either default or some other name you define:
aaa authentication login {default | list-name} group {group-name | radius | tacacs+} [method 2...3...4]
Using the name default means its settings are applied to all lines (console, VTY, TTY, and so on) and interfaces (async, serial, Ethernet, and so on) unless you define and use another name. A unique list name overrides the default and its settings when applied to a specific line or interface. The group parameter has three options: a group-name, radius, or tacacs+. If you use either tacacs+ or radius, the router uses all the servers of that type that you configured with the tacacs-server host or radius-server host ip-address command; alternatively, you can build a custom group and call it by its group name. Each additional method is tried only if the method before it returns an error. One method of special note is none: if it is reached because all the others have failed, you are authenticated without any check. All the different authentication methods appear in Table 3.1.
Table 3.1 AAA Authentication Methods

Method              Explanation
enable              Uses the router’s enable password
krb5                Uses Kerberos Version 5
group radius        Uses the list of all RADIUS servers for authentication
group tacacs+       Uses the list of all TACACS+ servers for authentication
group group-name    Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group command
line                Uses the line password for authentication
local               Uses the local username database for authentication
local-case          Uses case-sensitive local username authentication
none                Uses no authentication
Here is a working example of two different authentication settings:
Router(config)#aaa authentication login default group tacacs+ local
Router(config)#aaa authentication login fallback group tacacs+ enable
Router(config)#line vty 0 4
Router(config-line)#login authentication fallback
The first command builds the default list. It tries to authenticate to all TACACS servers configured, and if it receives no response, it uses the next configured setting for authentication—in this example, the local username database. The second command creates a list called fallback. It checks the TACACS servers, and if it receives no response, it uses the enable password. The third and fourth commands apply the fallback list to the five VTY lines, 0 through 4. A trick question here is to ask what authentication settings are in use for Line Console 0; the answer is the default list. Remember that once a default list is built, it applies to all interfaces and lines unless overridden by an explicit assignment as you saw on the VTY ports.
Another feature worth pointing out is that when you turn on authentication using the default list, it is applied to all lines and interfaces. You will find yourself locked out of the router if you have not finished setting up your authentication sources and you log out or your session times out.
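As an added example (not from the book or from Cisco), the following Python model parses aaa authentication login lists and login authentication assignments from a configuration excerpt, answers the “which list protects con 0” question, walks a method list with the IOS fall-through rule (only an error moves on to the next method), and flags lists that have no method usable while the servers are unreachable, which is the lockout described above. The configuration text and the per-method outcomes are constructed; only the login command and the line/login authentication form are modelled.

```python
"""Model of Cisco IOS 'aaa authentication login' method lists.

Added example, not from the book. Only two command forms are modelled:
  aaa authentication login <list> <method> [<method> ...]
  line <type> <first> [<last>]  /  login authentication <list>
Method outcomes are supplied by the caller, so no server is ever contacted.
"""
import re

REMOTE_METHODS = {"group radius", "group tacacs+"}                   # need a reachable server
OFFLINE_METHODS = {"local", "local-case", "enable", "line", "none"}  # work without one


def tokenize_methods(text):
    """'group tacacs+ local' -> ['group tacacs+', 'local']; 'group X' is one method."""
    toks = text.split()
    methods, i = [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            methods.append("group " + toks[i + 1])
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return methods


def parse_aaa_config(config):
    """Return (lists, assignments).

    lists:       {list_name: [method, ...]}             from 'aaa authentication login'
    assignments: {(line_type, first, last): list_name}  from 'login authentication'
    """
    lists, assignments, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            lists[m.group(1)] = tokenize_methods(m.group(2))
            continue
        m = re.match(r"line (\w+) (\d+)(?: (\d+))?$", line)
        if m:
            first = int(m.group(2))
            last = int(m.group(3)) if m.group(3) else first
            current = (m.group(1), first, last)
            continue
        m = re.match(r"login authentication (\S+)$", line)
        if m and current:
            assignments[current] = m.group(1)
    return lists, assignments


def list_for_line(lists, assignments, line_type, number):
    """Which list protects, say, con 0? An explicit 'login authentication' on
    that line wins; otherwise the default list applies, if one exists."""
    for (ltype, first, last), name in assignments.items():
        if ltype == line_type and first <= number <= last:
            return name
    return "default" if "default" in lists else None


def authenticate(methods, outcomes):
    """Walk a method list the way IOS does. Each method yields 'accept',
    'reject' or 'error' (for example, no server response). Only 'error' falls
    through to the next method; 'none' always accepts. Returns (decision, method)."""
    for m in methods:
        result = "accept" if m == "none" else outcomes.get(m, "error")
        if result in ("accept", "reject"):
            return result, m
    return "reject", None          # every method errored: access is denied


def lint(lists):
    """Flag two classic mistakes: a list that cannot authenticate anyone while
    the servers are unreachable (the lockout described in the text) and a list
    that falls back to 'none'."""
    findings = []
    for name, methods in lists.items():
        uses_remote = any(m in REMOTE_METHODS for m in methods)
        has_offline = any(m in OFFLINE_METHODS for m in methods)
        if uses_remote and not has_offline:
            findings.append((name, "lockout-risk"))
        if "none" in methods:
            findings.append((name, "none-fallback"))
    return findings


# The text's example configuration, with a constructed 'line con 0' added so
# that an unassigned line is present.
BOOK_EXAMPLE = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login fallback group tacacs+ enable
line con 0
line vty 0 4
 login authentication fallback
"""

if __name__ == "__main__":
    lists, assignments = parse_aaa_config(BOOK_EXAMPLE)
    print("con 0 uses:", list_for_line(lists, assignments, "con", 0))   # default
    print("vty 3 uses:", list_for_line(lists, assignments, "vty", 3))   # fallback
    print(authenticate(lists["default"], {"group tacacs+": "error", "local": "accept"}))
    print(lint({"default": ["group tacacs+"], "open": ["group radius", "none"]}))
```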
AAA Authorization Commands
Once a user is authenticated, you can set parameters that restrict the user’s access on the network using the aaa authorization command. The authorization commands have the same look and feel as the authentication command:
aaa authorization {network | exec | commands level | reverse-access} {default | list-name} [method 2...3...4]
Table 3.2 lists the four areas of control where you can grant specific authorization.

Table 3.2 AAA Authorization Command

Keyword          Explanation
network          Starts authorization for all network-related service such as Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP)
exec             Starts authorization to determine whether the user is allowed to run an EXEC shell
commands level   Starts authorization for all commands at the specified privilege level (0 to 15)
reverse-access   For reverse access connections, such as reverse Telnet
Remember that default and list-name are simply the identifiers for the AAA parameters. You use default, or specify other non-default parameters by using list-name. There are a number of ways in which authorization can be performed; Table 3.3 lists the method options for the aaa authorization command.

Table 3.3 AAA Authorization Methods

Method              Explanation
group radius        Uses the list of all RADIUS servers for authentication.
group tacacs+       Uses the list of all TACACS+ servers for authentication.
group group-name    Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group command.
if-authenticated    Allows the user to access the requested function if the user is authenticated.
local               Uses the local username database for authentication.
none                No authorization is performed.
For authorization, let’s take a look at two different examples: one for character mode and the other for packet mode. Remember, in character mode, you are usually securing the router itself:
Router(config)#aaa authorization exec default group tacacs+ none
In this example, a user must be authorized by a TACACS+ server before he can gain access to an EXEC shell or prompt. If the TACACS+ servers are unreachable, then the user is automatically granted access because of the none option at the end. This method is used mainly for administrators who still have physical access to the device. Let’s examine a packet-level example:
Router(config)#aaa authorization network checkem group tacacs+ if-authenticated
Router(config)#int serial 0
Router(config-if)#ppp authorization checkem
The first command determines whether a user is allowed to make a packet-level connection. It built a list called checkem that looks to the TACACS+ servers first; if the servers are down, it allows access if the user has been authenticated. The last command applies the checkem list to PPP services on Serial 0.
AAA Accounting Commands
Accounting allows you to track individual and group usage of network resources. When AAA accounting is activated, the router logs user activity to the TACACS+ or RADIUS server. You can then analyze this data for network management, client billing, security, or auditing. The accounting command looks like this:
aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method 2...3...4]
The aaa accounting command is unlike the authorization and authentication commands that have two halves. Accounting has three parts: what service or services you want to audit (see Table 3.4), which events trigger it, and where to send the information.
Table 3.4 AAA Accounting Command

Keyword          Explanation
system           Performs accounting for all system-level events not associated with users, such as reloads
network          Runs accounting for all network-related services such as SLIP and PPP
exec             Runs accounting for an EXEC shell session
connection       Keeps information about all outbound connections made from the router, such as Telnet and rlogin
commands level   Runs accounting for all commands at the specified privilege level (0 to 15)
Remember that default and list-name are simply the identifiers for the AAA parameters. You use default, or specify other non-default parameters by using list-name. Also worth mentioning is that the aaa accounting system command is the only command that doesn’t apply to packet or character mode. The different events that you can use for accounting appear in Table 3.5.

Table 3.5 AAA Accounting Events

Keyword      Explanation
start-stop   Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The user’s process begins regardless.
wait-start   Same as start-stop except the process doesn’t begin until the accounting service request is acknowledged from the AAA server.
stop-only    Sends a stop accounting notice at the end of a requested user process.
none         Disables accounting services on this line or interface.
Then, the accounting command indicates for which server groups the information is recorded and logged. Table 3.6 lists accounting methods for server groups.

Table 3.6 AAA Accounting Methods

Method              Explanation
group radius        Uses the list of all RADIUS servers for authentication
group tacacs+       Uses the list of all TACACS+ servers for authentication
group group-name    Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group command
Let’s look at an example of the aaa accounting command. Here we use the command twice to set up accounting for two different events:
Router(config)#aaa accounting connection default start-stop group tacacs+
Router(config)#aaa accounting commands 15 default start-stop group tacacs+
The first command monitors any Telnet, rlogin, or other outbound connections, such as when they start and stop, and logs the information to the AAA servers configured under TACACS+. The second command turns on accounting for privilege Level 15 commands, which is enable mode, and logs their use to the TACACS servers. You can also use Level 1 for user mode access.
Exam Prep Questions

Question 1
What are the three components of the CiscoSecure ACS?
❑ A. AAA server
❑ B. User database
❑ C. VPN
❑ D. AAA client
Answers A, B, and D are correct. The three components are the AAA server, typically a TACACS+ or RADIUS server; the AAA client, such as a router or switch; and the user database, which is typically housed on the AAA server. Answer C is incorrect because VPN is not part of the CiscoSecure ACS.
Question 2
What does AAA stand for?
❑ A. Authority
❑ B. Authorization
❑ C. Auditing
❑ D. Authentication
❑ E. Accounting
Answers B, D, and E are correct. AAA stands for authentication, authorization, and accounting. Answers A and C are not part of AAA.
Question 3
Which command starts AAA on a Cisco router?
❍ A. aaa-server
❍ B. aaa new-model
❍ C. tacacs
❍ D. aaa tacacs-server
Answer B is correct. Answer A, aaa-server, starts the AAA process, but it does so on a PIX Firewall, so it is incorrect. The aaa new-model is not the most intuitive command, but it starts AAA on a router. Answers C and D are incorrect and do not work.
Question 4
What are the two most common AAA protocols?
❑ A. TCP/IP
❑ B. RADIUS
❑ C. TACACS+
❑ D. PPP
Answers B and C are correct. Answer A, TCP/IP, is certainly a well-used protocol, and is in fact used by TACACS+, but it is not an AAA protocol. Answer D is not an AAA protocol.
Question 5
What are three characteristics of RADIUS?
❑ A. Proprietary
❑ B. Developed by the IETF
❑ C. Encrypts passwords only
❑ D. Uses TCP/IP
❑ E. Uses UDP/IP
Answers B, C, and E are correct. RADIUS is an open standard developed by the IETF; it uses UDP/IP and is only able to encrypt passwords. Answers A and D describe TACACS+; it is Cisco proprietary, uses TCP/IP, and encrypts all the data.
Question 6
Which ports are used in character mode? (Choose three.)
❑ A. Serial 2/0
❑ B. AUX
❑ C. BRI
❑ D. CON 0
❑ E. VTY
Answers B, D, and E are correct. Character mode is for data destined to the router. Serial 2/0, Answer A, and BRI, Answer C, represent interfaces; packets would travel into, out of, and through those interfaces. VTY, AUX, CON, and TTY typically represent character-mode ports.
Question 7
Which aaa accounting keyword monitors outbound Telnet traffic?
❍ A. connection
❍ B. start-stop
❍ C. network
❍ D. telnet
Answer A is correct. You use the keyword connection for all outbound connections. You use Answer B, start-stop, to record when a service or connection starts and stops, not just Telnet. Answer C is incorrect; network is for auditing service requests such as SLIP and PPP. There is no telnet keyword with accounting, so Answer D is wrong.
Question 8
How do you set an encryption key of CISCO for your RADIUS server?
❍ A. tacacs-server key CISCO
❍ B. aaa-server CISCO
❍ C. username RADIUS password CISCO
❍ D. radius-server key CISCO
Answer D is correct. Answer A would be valid if the question was about a TACACS server. Answer B is made up and is incorrect. Answer C would create a local account called RADIUS with a password of CISCO, so it is also a wrong answer.
Question 9
What command would you enter to set up authentication on your router to query the TACACS servers and, if unable to communicate to the servers, authenticate from the enable password?
❍ A. aaa authentication login default group radius enable
❍ B. aaa authentication login default group tacacs+ local
❍ C. aaa authentication login default group tacacs+ enable
❍ D. aaa authentication login default group tacacs+ none
Answer C is correct; it tries TACACS first and then uses the enable password. All four of the commands are valid in some circumstances. Answer A is wrong because it goes to a RADIUS server. Answer B uses the local database if the TACACS server is down, so it is incorrect. Answer D is incorrect because it allows access if the TACACS server is unavailable because of the none option.
Question 10
If you enable aaa authentication login default and do nothing else, what happens?
❍ A. The TACACS server will use a guest account.
❍ B. Nothing, because authentication has not been applied anywhere yet.
❍ C. When your session times out, you are locked out from the router.
❍ D. You need to set up authorization and accounting before any settings go into effect.
Answer C is correct. Remember that when authentication is configured with the default option, it is applied everywhere. When you disconnect or your session times out, you cannot log in to your router. The router wants to authenticate you before allowing you access, and there is no way configured for the router to do that. You will be locked out. Answer A is incorrect because it does not use a guest account by default. Answer B is the exact opposite of the right answer; it is applied everywhere as soon as authentication is enabled. Answer D is wrong because each of the services is independent of the other.
Need to Know More?
There is a huge amount of material on the Cisco Web site about AAA and the CiscoSecure ACS. The online documentation has a number of examples and different configurations. The Cisco IOS Security Configuration Guide discusses AAA at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/index.htm.
The Cisco IOS Security Command Reference discusses AAA at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/faaacr/index.htm.
4 PPP Authentication with PAP and CHAP
Terms you’ll need to understand
✓ Point-to-Point Protocol (PPP)
✓ Negotiation
✓ Authentication
✓ Challenge Handshake Authentication Protocol (CHAP)
✓ Hashing
✓ Callback
✓ Compression
✓ Multilink
Techniques you’ll need to master
✓ Configuring PPP
✓ Link quality monitoring
✓ Troubleshooting
✓ Analyzing debug output
Remote Access
Today’s corporate environments contain more telecommuters than ever before. As a result, dial-in access is an important part of network connectivity. Although users need to have several computer components, including a Layer 3 protocol and necessary applications, this chapter primarily covers the login process using PPP. PPP is not the only dial-in type supported; Cisco routers support Serial Line Internet Protocol (SLIP) by default. The biggest problem with SLIP is that it only works with Transmission Control Protocol/Internet Protocol (TCP/IP). For users who need to send Internetwork Packet Exchange (IPX) or AppleTalk traffic, PPP is the protocol of choice. You can configure a router to automatically accept a certain type of connection when a user dials in. Go into line configuration mode for the appropriate line and enter the following command:
Router(config-line)#autoselect <arap | ppp | slip | during-login>
The PPP option for autoselect looks for frames that contain the hexadecimal value 7E, 01111110 in binary, in the flag field. during-login causes a username/password prompt to appear, allowing the user to immediately enter the username and password without pressing any keys to bring the prompt up. The user needs to configure PPP on a Windows machine to open a terminal window after dial-in.
Connectivity
Table 4.1 shows how PPP compares to the Open Systems Interconnect (OSI) model. PPP spans from the connection to Layer 1 to the connection to Layer 3. The Link Control Protocol (LCP) controls everything related to call setup. All sorts of authentication, compression, and so on are handled here. LCP is responsible for everything that is negotiated during call setup. On the other end of PPP are the Network Control Protocol (NCP) plug-ins. The NCP plug-ins are the plug-ins that encapsulate a useful protocol in the PPP format. Cisco uses both “Control Protocol” and “Control Program” for defining the “CP” part of the NCP abbreviation.
Not every protocol here is strictly a network-layer protocol. If you look on a router after setting it up, you see a Cisco Discovery Protocol (CDP) control protocol (CP).

Table 4.1 OSI Model and PPP Chart

IP        IPX       Additional Protocols                                                    Layer
IP        IPX       Other protocols                                                         Layer 3
IPCP      IPXCP     Other CPs                                                               Layer 3
NCP (directly connected to the specific NCP above)                                          Layer 2
LCP                                                                                         Layer 2
Standards-based high-level data link control (HDLC, but not the Cisco version)             Layer 2
Physical connectivity, including cables (EIA/TIA 232, V.35, and so on)                     Layer 1
PPP consists of several types of CPs that do a variety of things:
➤ HDLC—This control is not the Cisco encapsulation across serial lines; instead, it is based on ISO standards. PPP is more than an encapsulation type and needs something to do other than just encapsulation.
➤ LCP—This protocol handles the connectivity part beyond the HDLC portion. The LCP is responsible for hello packets, authentication, and so on. It is one of the primary items to observe via debug commands if you have a problem connecting.
➤ NCP—A base form of NCP has several extensions, much like a fork. Each tine of the fork, each protocol-specific CP, allows that protocol to transport data across a PPP connection. This portion sets PPP apart from SLIP.

As mentioned earlier, the LCP is responsible for authentication, among other things. You have two choices for authentication, Password Authentication Protocol (PAP) and CHAP. As with any type of authentication, a username and password are required. In addition to authentication, the LCP allows for callback, compression, and multilink:
➤ Callback—A setting that allows the router that the user called to turn around and call the user back. If you remember the days of the bulletin board system (BBS), some BBSs wouldn’t allow a user to dial in and do whatever. Instead, the BBS software would hang up and call the user back to make sure that the user was who he said he was by calling the number in the user’s record. Cisco bills callback as a method to provide “billing consolidation,” but it also increases security. Callback was first supported with IOS 11.0(3).
➤ Compression—Allows more data to cross WAN links than the link natively supports. Several different types of compression are supported, with different resource-utilization levels. They are covered in more detail later in this chapter. Compression was first supported in IOS 10.3.
➤ Multilink—Allows multiple data circuits to be logically bound together to increase throughput. Frames are broken up and transmitted across the series of channels at the same time and then recombined at the destination. Multilink was first supported in IOS 11.0(3).

Because PPP is an encapsulation protocol, it normally only travels across part of the network. Figure 4.1 shows how you can use PPP in a remote access setting.

[Figure 4.1 A PPP connection. Elements shown: Remote PC, Access server, PC servers, UNIX server; the label “PPP Occurs Here” marks the link between the remote PC and the access server.]
A user dials up a remote network and needs to connect with servers on that network or maybe beyond. From the user’s computer to the access server, data is encapsulated in a format suitable for a serial connection. PPP is one of the potential formats, but other serial connection methods include Frame Relay, HDLC, SLIP, and others. PPP is used here because it supports the features that we need. Because we don’t necessarily know where the other end of the connection is when a user dials up and wants access to our network, it makes sense to provide for authentication control. Because mobile users often use low-speed circuits, a form of compression might also be useful. Neither of these features is supported in the Frame Relay or HDLC standards, but they are with PPP.
Authentication
PAP and CHAP are the two types of router-based authentication supported under PPP. In addition to local authentication, PPP supports sending a request to an authentication server, such as Terminal Access Controller Access Control System Plus (TACACS+) or Remote Authentication Dial-In User Service (RADIUS).

PAP’s one major problem is passwords that cross the line in clear text. The user sends a request to the router saying, “Let me in; this is my username and this is my password.” The router then permits or denies the user based on that information. The user controls the connection and authentication attempt. From user to router, the authentication is one way. The router attempts to authenticate the user and that’s it. With a router-to-router connection, each router authenticates the other.

CHAP is a bit more secure. The called router doesn’t just accept whatever information is given to it; it makes sure the remote device is not spoofing by sending a challenge to the remote device. Next, the calling router sends its password in a hash generated with an MD5 (Message Digest 5) hashing function. The called router compares the received hash against its copy to validate. This process prevents anyone sniffing the circuit from easily seeing the password. Finally, CHAP has a third feature that makes it more desirable than PAP: the use of repeated challenges. Every two minutes, the called device generates a challenge that the remote device must respond to. Because all these challenges contain a random part, an attacker can’t analyze the circuit and play back the hash to gain access.

Cisco maintained for several versions of older IOS that CHAP automatically generated authentication requests when, in fact, it did not. This feature had also been testable in previous versions of this exam.
The following steps outline the CHAP authentication process:
1. The user dials into the CHAP authenticating device.
2. The called device generates a challenge. This challenge has a challenge identifier (a type 01), a sequencing ID, a random value, and the authentication name of the challenger.
3. The calling device responds to the challenge by providing its username and password, the sequencing ID, and the random value. The password, ID, and random number are hashed and put into a packet with a response ID (a type 02), the sequencing ID, and the calling device’s username.
4. When the authenticating device receives the response, it looks at the sequencing ID to find the original challenge packet for the random value. Then, it places the ID, the random value, and the password the called device has for the calling device into the hashing program and generates a hash. The two hashes are compared.
5. One of two things now happens. If the authentication is successful, then a message is sent authorizing access. This message uses a type 03 CHAP message. If the comparison of hashes fails, then access is denied with a type 04 message.
Hashing
Just what is a hash? Hashing is the process of performing an irreversible encryption. Two popular methods for hashing are MD5, which uses 128-bit keys, and Secure Hash Algorithm (SHA), which uses 160-bit keys. The information gets encrypted, then the hashing process truncates or pads as necessary to have a 96-bit hash value. Every CHAP hash is the same length, 96 bits. Once the hashing algorithm is done, it should be nearly impossible to reliably regenerate the original message.

Hashes are used in many applications but are normally used in two ways. The first is to hash a value and send both across the network. You use this type of transmission if you don’t care whether anyone sees the data; you’re concerned about it being changed. An example is a routing update. It probably isn’t too important if someone sees a routing update for 10.1.2.0, but if the update got changed, you would have problems. This method is useful if the target doesn’t know what the data is supposed to be. Another way of using a hash involves sending just the hashed value, which is what CHAP does. Both sides must know what the value is supposed to be, so when the hashed value arrives, it’s what the recipient was expecting.

Suppose 98765 is the value that we want to send. For us to send it hashed, we need to apply the hash process to this value. Let’s say the hashing algorithm says that we must reverse the number and multiply by 543; then, it says we have to send four digits:
98765 becomes 56789
56789 * 543 = 30836427
Because 30836427 is more than four digits, we must truncate. If we had only three digits of output, we would pad the hash by adding a digit. In this case, 30836427 becomes 3083.

So if our password is 98765, our router runs the password through the hashing process and comes up with 3083. Once it reaches the far side with the authentication request, the remote router takes the password it has for the user in question, hashes the password, and compares the hash with the one from the initiating router. If the hashes match, the password is good and the user is allowed access.
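The book’s toy hash, written out as an added Python example (not the book’s or Cisco’s code) so both branches are visible: the truncate case the text walks through and the pad case it only mentions. The text does not say which side a short result is padded on, so padding with trailing zeros is our assumption; the function names are ours as well.

```python
def toy_hash(value, digits=4, multiplier=543):
    """The chapter's illustrative hash: reverse the decimal digits of value,
    multiply by 543, then force the result to exactly `digits` digits.
    Padding with trailing zeros is an assumption; the text only says a
    short result is padded."""
    reversed_digits = int(str(value)[::-1])       # 98765 -> 56789
    product = str(reversed_digits * multiplier)   # 56789 * 543 -> "30836427"
    if len(product) > digits:
        return product[:digits]                    # truncate: "3083"
    return product.ljust(digits, "0")              # pad a result that is too short


def verify_password(stored_password, received_hash):
    """What the far-side router does: hash its own copy of the password and
    compare it with the hash that arrived. The password itself never crosses."""
    return toy_hash(stored_password) == received_hash
```

Only four digits survive, so many different passwords share a hash; a real hash function keeps its full output precisely so that matching the hash is as good as knowing the password.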
Configuring PPP for CHAP Authentication
Before we move on to options for PPP, you should know how to configure the basics. Any true geek should be champing at the bit by this point to get going. If you’re not champing, then we still have a ways to go to fully convert you.
Basic PPP Configuration Commands
The first thing you need to do is set up PPP on a serial interface using Router(config-if)#encapsulation <ppp | slip>. You also need to specify whether the user has a choice about how she wants to access the router. Use the command Router(config-if)#async mode dedicated if you want the user to only access the internal network via this method. If you want the user to be able to run PPP, SLIP, or EXEC tasks, you need to use Router(config-if)#async mode interactive. If you are configuring the async interface for user access only, then you should use the async mode dedicated command. If you need to connect to configure the router, use the async mode interactive command. Although you have the option of setting up either PPP or SLIP, SLIP isn’t a protocol that is being rolled out en masse. You need to know that you can implement SLIP, but most of the knowledge required for the exam is about PPP.
Chances are that the user is using IP, so we discuss the commands necessary for addressing. The Router(config-if)#peer default ip address command specifies how the user gets an address generated by one of your devices. The pool name option also requires the command Router(config)#ip local pool pool-name starting-address ending-address. If you want the user to specify an address, use Router(config-if)#async dynamic address. You use this command when the user has a static address, and the called interface must be in interactive mode. Finally, you can also use IP unnumbered. Table 4.2 explains the commands line by line.

Table 4.2 PPP Configuration Commands

Router(config-if)#encapsulation <ppp | slip>
    This command sets PPP or SLIP encapsulation on the interface. Remember, SLIP is IP only.
Router(config-if)#async mode dedicated
    This command places the interface into dedicated SLIP or PPP access mode with no EXEC capability.
Router(config-if)#async mode interactive
    This mode is required for either SLIP or PPP to access EXEC on the router.
Router(config-if)#peer default ip address <ip-address | dhcp | pool pool-name>
    This command says what IP address the client will receive. You can specify an address or a pool of addresses, or that the client should use DHCP. Using DHCP might require additional DHCP configuration, depending on your network.
Router(config-if)#async dynamic address
    This command allows the client to specify his own IP address with a static configuration. The dial-in interface must be in interactive mode for it to work.
Router(config-if)#ip unnumbered interface-type interface-number
    Because an unnumbered interface does not have an IP address, it uses the address of the specified interface. Use only on point-to-point connections.
Router(config)#ip local pool pool-name starting-address ending-address
    To use a pool of addresses, you actually have to configure a pool. The command ip local pool XYZCorp 10.1.1.1 10.1.1.254 establishes a set of 254 addresses for dial-up use.
Router(config)#ip address-pool dhcp-proxy-client
    This command tells the router to act as a proxy client for DHCP addressing. For it to work, it’s helpful to also have the command Router(config)#ip dhcp-server because otherwise, the router doesn’t know where to get an address.
Configuring CHAP
Once PPP and addressing are established, it only takes a couple more lines to set up CHAP authentication on two routers. Table 4.3 is a side-by-side comparison. It omits the other configuration information to avoid confusing the issue. Each configuration starts in global configuration mode, with each line explained in the bullet list after the configuration.

Table 4.3 CHAP Configuration Comparison

Router “One”                        Router “Two”
hostname One                        hostname Two
username Two password Cisco         username One password Cisco
interface serial1                   interface serial1
encapsulation ppp                   encapsulation ppp
ppp authentication chap             ppp authentication chap

➤ The first line tells the router what its name is. It is the username that actually gets sent when authenticating.
➤ The second line says, “When authenticating with this device, use this password.” So when device One wants to call device Two, it sends its hostname and the listed password. Both the username and password are case sensitive.
➤ The third line just tells the router we are about to configure interface Serial 1.
➤ The fourth line tells the router to use PPP encapsulation on this interface.
➤ The last line tells the router to use CHAP authentication.
Protecting Configuration Contents
Hiding the password as it crosses the circuit is only half the battle; you need to make sure that the password can’t be viewed by anyone who isn’t supposed to view it. If you’re sitting at a console, logged into a router, and viewing the contents of the configuration file when someone walks up behind you, there is a chance that person could view username and password pairs. Passwords are not scrambled by default, but it is easy to make them scrambled when viewing the configuration file. You can use the command service password-encryption to scramble passwords associated with Telnet, console, usernames in all forms, and so on. Enabling this command is a one-way process for a password. If there is a password on the system when the command is enabled, the password gets scrambled. If the command is reversed, the scrambled passwords do not become clear text again, but any new passwords remain in clear-text mode in the configuration file. It is not necessary to enable this command to use CHAP. The service password-encryption command only protects passwords as they are stored; CHAP only protects passwords as they cross the WAN.
Additional PPP Settings
As mentioned earlier, PPP has a couple of other settings that can be useful in a corporate environment. This section discusses PPP callback, compression, and multilink, plus a couple of new options in link quality monitoring and login banners.
PPP Callback
Callback is designed by Cisco to aid in bill consolidation. Instead of having numerous telecommuting employees pay long-distance fees that they have to expense, the router calls them back after the person is authenticated. Although Cisco does not officially market callback as a security feature, many organizations use it as such. It allows the organization to control the phone numbers that the router will connect with.
When a user dials in, PPP still communicates and sets up the connection and the user authenticates, but then the call is disconnected. The remote device calls the user back and the connection proceeds normally. The following list outlines the PPP callback steps:
1. The user/callback client calls the remote router/callback server. If the user is configured to request callback, callback may occur. This request is sent during the LCP negotiation phase.
2. The callback server checks its own configuration to verify it can perform callback services.
3. Authentication takes place as normal with PPP.
4. Once the callback client is authenticated, the callback server checks its configuration to find the callback string for this specific client. The router uses the username of the client to find this information.
5. The call is disconnected.
6. The callback server uses the specified client dial string to call the client back. Only one attempt is made, so if something interferes with the callback process, the client needs to call the server again.
7. Once a connection is made when the server calls back the client, another round of authentication happens. If successful, there is an active connection.

What can prevent the second phase of callback from completing? Anything that can interrupt a phone line can disrupt the process. Such an interruption would be someone else calling or a household member picking up the phone; on the callback-server side, traffic using the last modem can prevent the return connection from happening. You can configure callback for both plain old telephone system (POTS) and ISDN lines. Table 4.4 lists the commands necessary to configure callback.

Table 4.4 Callback Configuration Commands

Router(config-if)#ppp callback request
    This command tells the client to request callback from the callback server it is dialing. This command is placed in the dialing interface.
Router(config-if)#dialer hold-queue timeout seconds
    This command tells the client to wait the specified number of seconds for callback to take place. The router holds packets going to the destination for this period. This command is optional and can also be used on the callback server.
Router(config-if)#dialer hold-queue packets
    This command indicates how many packets the hold queue may contain. The range is 0 through 100. This command is helpful if the dialer hold-queue timeout command has been configured, because otherwise, the router drops packets while it waits for callback.
Router(config-if)#ppp callback accept
    This command tells the router to accept callback requests that arrive on this interface. It is a callback server command.
Router(config-if)#ppp callback initiate
    This command is another callback server command. (The rest of the commands are too.) It allows the router to start a callback session to a remote device capable of auto-answering.
Router(config-line)#callback forced-wait <seconds>
    Used on a line, this command tells the router to wait so many seconds before beginning callback.
Router(config-line)#script callback script-name
    This command gives specific AT commands the modem should use for this callback session.
Router(config)#username name password password <callback options>
    Options to the usual username name password password configuration for CHAP authentication include options for callback. They are defined individually next.
    callback-dialstring phone-number
        This line indicates what phone number the callback server dials to reach this device.
    callback-line line-number
        Use this line to specify a line to be used when calling this device.
    callback-rotary rotary-group
        Rather than specify a particular line, you can specify a group of dial-out devices by using the callback-rotary command.
Compressed PPP
You can configure a router interface to compress the data that passes through it. PPP supports four main types of compression:
➤ Stacker—Stacker compression uses a Lempel-Ziv (LZ) compression algorithm to compress data. Stacker maps where data appears in a stream and only sends each type once. Stacker is more CPU intensive than Predictor because it compresses everything, including traffic that is already compressed.
➤ Predictor—Predictor examines data to see whether it is already compressed. If the data is not compressed, Predictor compresses and then forwards the data. If it is compressed, Predictor does not compress the data. Predictor is more memory intensive, due to all the checking it does, than either Stacker or Microsoft Point-to-Point Compression (MPPC) protocol. Predictor is the preferred method if your router has a lot of CPU-intensive tasks but not many memory-intensive ones.
➤ MPPC—MPPC enables a user with a Microsoft workstation to connect to a Cisco router and compress the data that flows between them. MPPC is also an LZ algorithm. MPPC is more CPU intensive than Predictor for the same reason that Stacker is.
➤ TCP Header—TCP Header compression does not do any compression on the data portion of the packet; instead, it compresses only the TCP headers.

The following list provides examples of when you use each method, and Table 4.5 illustrates the commands used:
➤ Stacker—You use Stacker compression when you know the majority of your data is not already compressed. Compressing already compressed data can lead to an increase in file size, but always results in wasted CPU cycles.
➤ Predictor—You use Predictor compression in the opposite scenario given for Stacker: when you have quite a bit of compressed data crossing a WAN link and you don’t want to use the processing cycles needed to compress already compressed data.
➤ MPPC—This one is easy. Just remember what the M is for, Microsoft. Use this type of compression when connecting Microsoft operating-system clients to a routed interface. It operates under the same assumption that the Stacker version does: that most of the traffic can be compressed.
➤ TCP Header—You always want to compress the largest part of a packet that you can, so if you are sending packets where the TCP headers take up more bandwidth on average than the data portion, you use this type of compression. An example of appropriate use is if an organization has a lot of Telnet traffic crossing a WAN link.

Table 4.5 PPP Compression Commands

Router(config-if)#compress stac
    Use this command at the appropriate interface to enable Stacker compression.
Router(config-if)#compress predictor
    This command enables Predictor compression.
Router(config-if)#compress mppc
    This command enables MPPC compression.
Router(config-if)#ip tcp header-compression <passive>
    This command enables TCP Header compression on an interface. The passive keyword is optional and tells the interface to compress only if it receives compressed headers from the other side of the WAN.
Multilink PPP
Multilink allows for bundling data circuits into a larger virtual pipe. For example, ISDN has two data channels that each support up to 64Kbps. You can use each channel separately, or you can bind them together to form a virtual 128Kbps pipe. Multilink accomplishes this by load-balancing across the circuits. Multilink ensures that packets do not arrive out of order by fragmenting the packets and then shooting the fragments across the multilinked bundle. Figure 4.2 shows two routers connected via a two-channel Basic Rate Interface (BRI) circuit. The circuits are logically bundled together to give the appearance of a single link, and like other PPP options, Multilink is negotiated during the LCP phase.

[Figure 4.2 Channel bundling: two routers connected by BRI 1 and BRI 2, bundled as a single logical link.]

In addition to the normal commands that you need to make a remote connection possible, Multilink needs two other commands. You issue both commands in interface configuration mode. The first command, ppp multilink, establishes an interface as a member of a Multilink bundle with other interfaces that have been configured with the command. The other command indicates when circuits should be brought up in support of the bundle. It might not be desirable to dial all multilink circuits at the beginning of a connection if the bandwidth isn’t needed and charges are made based on the number of calls or on the length of a call. You can use the dialer load-threshold command to activate additional circuits. This command and its options are explained in more detail in Chapter 8, “Dial-on-Demand Routing.”

Multilink PPP (MLP) is supported by multiple vendors under RFC 1990, an update to RFC 1717. You do not have to have Cisco equipment on both sides of the WAN to multilink. A router uses the Maximum Received Reconstructed Unit (MRRU) during LCP negotiation to tell the device on the far side that it is capable of forming a multilink bundle. Multilink is best used in environments where bandwidth requirements are dynamic. Cisco targets Multilink usage to telecommuters and the small office/home office (SOHO) market. Multilink adds headers to the packet fragments so that the fragments can be reconstructed. These headers may be 2, 4, or 8 bytes, and they are used for sequencing. The Cisco 700 series ISDN devices use 2-byte headers, whereas Cisco IOS uses 4-byte headers.

Cisco routers also support a feature called multilink fragment interleaving. This feature is desired when there are both large data frames and small time-sensitive packets, such as those carrying voice traffic. Interleaving, shown in Figure 4.3, allows the voice to get mixed in with the fragmented data, allowing the voice to arrive at the far side quicker than it might have otherwise.
Chapter 4
Figure 4.3 Interleaving fragments (data fragments and voice packets alternating on the link).
Figure 4.3 shows that traffic can enter the router from two different interfaces, and even though the streams are both headed across the WAN, prioritization can be given to one type over another. More on prioritization appears in Chapter 12, “Traffic Management.” Although the full topic is beyond the scope of this book, no discussion of MLP would be complete without taking the design to the extreme. Regular Multilink works well when all the connections terminate at a single access server, but environments that might have several hundred or more circuits coming in probably won’t terminate them all at the same device (if for no other reason than redundancy). It’s possible for your load threshold command to bring a secondary circuit up in support of the primary and for both to be attached to different devices! Needless to say, you end up with two separate connections rather than a single logical connection. Multichassis multilink fixes this problem. All access server devices are placed into a pool called a stack group. When the user calls up, a member of the pool is assigned to the connection based on a process called bidding. Bidding can take into account processing capabilities, but it’s usually based on which device has the most lines free. If the user calls up with a second connection utilizing a multilink process, the device handling the initial connection gets a bonus to its bid. Typically, as long as the device handling the original connection can handle the additional load, it gets the new connection, even if it would have lost the bid otherwise. In this fashion, we can ensure that the same device terminates both circuits.
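As an added example (not from the book), the following Python fragments a frame with the 4-byte long-sequence-number Multilink header that Cisco IOS uses (RFC 1990 layout: B and E flag bits followed by a 24-bit sequence number), stripes the fragments over a two-channel bundle, and reassembles them in order on the far side even when the channels deliver out of order. The packet contents and the delivery order of the two channels are constructed for the demo.

```python
# Added example (not from the book): Multilink PPP fragmentation with the
# 4-byte "long sequence number" header that Cisco IOS uses (RFC 1990 layout:
# B|E|000000 followed by a 24-bit sequence number), striped across a two-channel
# bundle and reassembled in order on the far side.  Packet contents and the
# order in which the two channels deliver are constructed for the demo.
from typing import Dict, List, Tuple

B_FLAG = 0x80  # beginning fragment of a packet
E_FLAG = 0x40  # ending fragment of a packet
SEQ_MASK = 0xFFFFFF


def build_header(seq: int, first: bool, last: bool) -> bytes:
    """Encode the 4-byte MP header for one fragment."""
    flags = (B_FLAG if first else 0) | (E_FLAG if last else 0)
    return bytes([flags]) + (seq & SEQ_MASK).to_bytes(3, "big")


def parse_header(frag: bytes) -> Tuple[bool, bool, int, bytes]:
    """Return (first, last, seq, payload) for one received fragment."""
    if len(frag) < 4:
        raise ValueError("fragment shorter than the 4-byte MP header")
    return (bool(frag[0] & B_FLAG), bool(frag[0] & E_FLAG),
            int.from_bytes(frag[1:4], "big"), frag[4:])


def fragment(packet: bytes, seq_start: int, frag_size: int) -> List[bytes]:
    """Split one packet into fragments carrying consecutive sequence numbers."""
    pieces = [packet[i:i + frag_size] for i in range(0, len(packet), frag_size)] or [b""]
    return [build_header(seq_start + i, i == 0, i == len(pieces) - 1) + p
            for i, p in enumerate(pieces)]


class Reassembler:
    """Holds fragments by sequence number and releases whole packets in order."""

    def __init__(self, next_seq: int = 0) -> None:
        self.next_seq = next_seq                       # lowest sequence not yet consumed
        self.pending: Dict[int, Tuple[bool, bool, bytes]] = {}

    def receive(self, frag: bytes) -> List[bytes]:
        first, last, seq, payload = parse_header(frag)
        self.pending[seq] = (first, last, payload)
        return self._drain()

    def _drain(self) -> List[bytes]:
        """Release every packet whose fragments from B to E are all present."""
        done: List[bytes] = []
        while True:
            seq = self.next_seq
            if seq not in self.pending or not self.pending[seq][0]:
                return done                            # still waiting for the B fragment
            parts = []
            while seq in self.pending:
                _, last, payload = self.pending[seq]
                parts.append(payload)
                if last:
                    break
                seq += 1
            else:
                return done                            # a middle or E fragment is missing
            for s in range(self.next_seq, seq + 1):
                del self.pending[s]
            self.next_seq = seq + 1
            done.append(b"".join(parts))


def demo_two_channel_bundle() -> List[bytes]:
    """Constructed scenario: two packets striped over BRI channels 1 and 2; channel 2 is faster."""
    data_packet = b"DATA-" * 20                        # 100 bytes -> 3 fragments of 40/40/20
    voice_packet = b"voice"                            # small, fits in one fragment
    frags = fragment(data_packet, 0, 40) + fragment(voice_packet, 3, 40)
    channel1, channel2 = frags[0::2], frags[1::2]     # alternate fragments over the bundle
    received: List[bytes] = []
    reassembler = Reassembler()
    for frag in channel2 + channel1:                   # channel 2's fragments arrive first
        received.extend(reassembler.receive(frag))
    return received
```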
PPP Authentication with PAP and CHAP
Login Banners
With the emphasis on security and making sure that a company is legally covered, it is often a good idea to provide a means of letting intruders know that they aren’t welcome in the system. A strongly worded warning against unauthorized access is hard for an intruder to argue against in a court of law, but a weak notice might be considered ambiguous or even inviting! A banner is available on all of the major login/authentication systems on the market today, and Cisco provides one with an IOS router, such as an AS5300 acting as a remote access server. The format of the banner operates the same way as a message-of-the-day banner does in the IOS. You enter global configuration mode and use the command banner slip-ppp ? <message> ?. The question marks stand for the delimiting character: you use the same character in both positions, and it marks the beginning and end of the message. You’re the administrator of a Cisco remote access router and you want to provide a login banner that says “Authorized Access Only, Press “Enter” and Then Log In to Proceed.” It’s important to ensure that users take a positive action, reducing the chance someone can claim he got into the network “by mistake.” Let’s take a look at two examples of how you can configure this command. In the first example, you enter the command
banner slip-ppp “Authorized Access Only, Press “Enter” and Then Log In to Proceed.”
The intent is to use a quote mark (“) to indicate the beginning and end of the text. The router displays all text after the first delimiting character until it sees that character a second time. It’s normally a bad idea to use any letter as a delimiting character, and you have to be careful with symbols as well. In the preceding example, the output is “Authorized Access Only, Press” because that is where the second quote, the one that ends the banner, appears. A better example of the same banner is
banner slip-ppp ^Authorized Access Only, Press “Enter” and Then Log In to Proceed.^
The first caret starts the banner, and the router displays all text until it encounters the second caret. Symbols make better delimiting characters because most aren’t used very often. Be careful: That @ symbol is fine until you list an email address in the banner.
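The delimiter behaviour described above, as an added example in Python (not from the book): the parser takes the first character after the keyword as the delimiter and stops at its next occurrence, which is exactly what truncates the quote-delimited banner. The pick_delimiter helper and its candidate list are my additions, not an IOS feature, and the messages use straight quotes where the book's typesetting shows curly ones.

```python
# Added example (not from the book): how a "banner slip-ppp" line is cut up by
# its delimiter.  The first character after the keyword is the delimiter and the
# banner text runs to the next occurrence of that character, so a quote mark
# inside the message ends the banner early.  pick_delimiter() and its candidate
# list are my additions, not an IOS feature.
from typing import Tuple

KEYWORD = "banner slip-ppp"
CANDIDATES = "^#$%&~|@"   # symbols tried in order when choosing a delimiter


def parse_banner(config_line: str) -> Tuple[str, str, str]:
    """Return (delimiter, banner_text, leftover_after_closing_delimiter)."""
    if not config_line.startswith(KEYWORD):
        raise ValueError("not a banner slip-ppp command")
    rest = config_line[len(KEYWORD):].lstrip()
    if not rest:
        raise ValueError("missing delimiting character")
    delim = rest[0]
    end = rest.find(delim, 1)                    # the second occurrence closes the banner
    if end == -1:
        raise ValueError("closing delimiter not found")
    return delim, rest[1:end], rest[end + 1:]


def delimiter_is_safe(delim: str, message: str) -> bool:
    """A usable delimiter is a single symbol that never appears in the message itself."""
    return len(delim) == 1 and not delim.isalnum() and delim not in message


def pick_delimiter(message: str) -> str:
    """First candidate symbol that does not occur in the message."""
    for candidate in CANDIDATES:
        if delimiter_is_safe(candidate, message):
            return candidate
    raise ValueError("every candidate symbol appears in the message")


def build_banner(message: str) -> str:
    """Emit a banner slip-ppp line whose delimiter cannot truncate the message."""
    delim = pick_delimiter(message)
    return f"{KEYWORD} {delim}{message}{delim}"
```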
Link Quality Monitoring
Devices using PPP send keepalive packets to each other to ensure that both sides stay awake. If one side stops receiving keepalives, it assumes that something has happened to the circuit, and the link is normally terminated. One exception to this rule is when link quality monitoring (LQM) is used. LQM uses link quality reports (LQRs) instead of keepalives. On one level, the purpose is the same: to show that both sides exist on an active link. But an LQR is also a report of how many packets and bytes have been sent out by the device in question. If a router is configured for LQM, it is configured to shut down the link if the circuit degrades past a certain point. If router A and router B are attached via a dialup link and each is configured with an LQM level of 75%, each wants to see 75% of the sent packets and bytes arrive at the router on the far side. If more than 25% of the traffic gets lost, the detecting side shuts down the circuit. It is assumed that the circuit would be reestablished through normal means and that there is a good chance that the new connection would not suffer from the problems the old one did. You configure LQM in interface configuration mode with the ppp quality percentage command. Enter a numerical value for the LQM percentage; if that percentage is not maintained, the link is disconnected. Don’t set the level too high or you risk never having a stable link because of constant disconnects, but if you set it too low, a degraded circuit stays up and the underlying problem never gets fixed. This command normally requires monitoring and tweaking to find the best value. LQM is defined in RFC 1989 but is typically used only on network hardware, as opposed to client PCs.
Troubleshooting PPP
Table 4.6 shows several commands you can use to troubleshoot a PPP connection.
Table 4.6 PPP Troubleshooting Commands
show dialer: This command gives basic information about calls, including successes and attempts for a particular phone number, as well as current status and, if up, what brought a link up.
show ppp multilink: This command gives the current status and configuration of multilink bundles.
debug ppp negotiation: This command shows what PPP interaction is happening during the negotiation phase. To debug successfully, it is best to turn on debugging before bringing up the link.
debug ppp authentication: This debug only shows PAP and CHAP authentication information.
debug ppp packet: This command shows what PPP-oriented packets are being sent.
debug ppp multilink: This command gives packet fragmentation information regarding a multilink bundle. Because the information is almost real time and a link often has traffic, this command is not a command to use frequently in a production environment. Consider CPU utilization before debugging multilink.
debug ppp multilink negotiation: This command gives information about the status of a forming multilink bundle.
debug ppp negotiation
Listing 4.1 is output from a router negotiating link establishment. Notice that when the interface is started, PPP becomes active and the LCP process begins negotiation. The last part of the LCP is authentication, where you can see the names of the devices that are trying to talk. Once the devices authenticate, they need to figure out which control programs to use. At the bottom of the display, you’ll notice that IP and CDP are the protocols that can be used between the routers.
Listing 4.1 Debugging PPP negotiation
0:06:37: %LINK-3-UPDOWN: Interface Serial1/1, changed state to up
00:06:37: Se1/1 PPP: Treating connection as a dedicated line
00:06:37: Se1/1 PPP: Phase is ESTABLISHING, Active Open
00:06:37: Se1/1 LCP: O CONFREQ [Closed] id 5 len 15
00:06:37: Se1/1 LCP: AuthProto CHAP (0x0305C22305)
00:06:37: Se1/1 LCP: MagicNumber 0x505AB72C (0x0506505AB72C)
00:06:37: Se1/1 LCP: I CONFREQ [REQsent] id 39 len 15
00:06:37: Se1/1 LCP: AuthProto CHAP (0x0305C22305)
00:06:37: Se1/1 LCP: MagicNumber 0x5056251B (0x05065056251B)
00:06:37: Se1/1 LCP: O CONFACK [REQsent] id 39 len 15
00:06:37: Se1/1 LCP: AuthProto CHAP (0x0305C22305)
00:06:37: Se1/1 LCP: MagicNumber 0x5056251B (0x05065056251B)
00:06:37: Se1/1 LCP: I CONFACK [ACKsent] id 5 len 15
00:06:37: Se1/1 LCP: AuthProto CHAP (0x0305C22305)
00:06:37: Se1/1 LCP: MagicNumber 0x505AB72C (0x0506505AB72C)
00:06:37: Se1/1 LCP: State is Open
00:06:37: Se1/1 PPP: Phase is AUTHENTICATING, by both
00:06:37: Se1/1 CHAP: O CHALLENGE id 2 len 25 from “p1r2”
00:06:37: Se1/1 CHAP: I CHALLENGE id 3 len 25 from “p1r3”
00:06:37: Se1/1 CHAP: O RESPONSE id 3 len 25 from “p1r2”
00:06:37: Se1/1 CHAP: I RESPONSE id 2 len 25 from “p1r3”
00:06:37: Se1/1 CHAP: O SUCCESS id 2 len 4
00:06:37: Se1/1 CHAP: I SUCCESS id 3 len 4
00:06:37: Se1/1 PPP: Phase is UP
00:06:37: Se1/1 CDPCP: O CONFREQ [Closed] id 3 len 4
00:06:37: Se1/1 IPCP: I CONFREQ [Not negotiated] id 3 len 10
00:06:37: Se1/1 IPCP: Address 192.168.1.2 (0x0306C0A80102)
00:06:37: Se1/1 LCP: O PROTREJ [Open] id 6 len 16 protocol IPCP (0x80210103000A0306C0A80102)
00:06:37: Se1/1 CDPCP: I CONFREQ [REQsent] id 3 len 4
00:06:37: Se1/1 CDPCP: O CONFACK [REQsent] id 3 len 4
00:06:37: Se1/1 CDPCP: I CONFACK [ACKsent] id 3 len 4
00:06:37: Se1/1 CDPCP: State is Open
00:06:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up
debug ppp authentication
The debug ppp authentication command provides a subset of the data shown in debug ppp negotiation. Only the authentication phase is shown when you use this command. Compare the output in Listing 4.2 to the preceding output.
Listing 4.2 Debugging PPP authentication
00:08:19: %LINK-3-UPDOWN: Interface Serial1/1, changed state to up
00:08:19: Se1/1 PPP: Treating connection as a dedicated line
00:08:21: Se1/1 PPP: Phase is AUTHENTICATING, by both
00:08:21: Se1/1 CHAP: O CHALLENGE id 3 len 25 from “p1r2”
00:08:21: Se1/1 CHAP: I CHALLENGE id 4 len 25 from “p1r3”
00:08:21: Se1/1 CHAP: O RESPONSE id 4 len 25 from “p1r2”
00:08:21: Se1/1 CHAP: I RESPONSE id 3 len 25 from “p1r3”
00:08:21: Se1/1 CHAP: O SUCCESS id 3 len 4
00:08:21: Se1/1 CHAP: I SUCCESS id 4 len 4
00:08:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up
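Both listings can be reduced to the facts you check first when a link will not come up. The following parser is an added example (not from the book): it reads lines in the format of Listings 4.1 and 4.2 and reports the phases reached, the authentication protocol negotiated and the names exchanged in the CHAP challenges, whether SUCCESS was seen in both directions, and which NCPs opened or were answered with a protocol reject. The sample lines are constructed in the listings' format, with straight quotes around the router names.

```python
# Added example (not from the book): reduce "debug ppp negotiation" and
# "debug ppp authentication" output of the kind shown in Listings 4.1 and 4.2
# to the facts checked first: phases reached, authentication protocol, peer
# names, CHAP success in both directions, and which NCPs opened or were
# protocol-rejected.  The sample is constructed in the listings' format.
import re
from typing import Any, Dict

SAMPLE = """\
00:06:37: %LINK-3-UPDOWN: Interface Serial1/1, changed state to up
00:06:37: Se1/1 PPP: Treating connection as a dedicated line
00:06:37: Se1/1 PPP: Phase is ESTABLISHING, Active Open
00:06:37: Se1/1 LCP: O CONFREQ [Closed] id 5 len 15
00:06:37: Se1/1 LCP:    AuthProto CHAP (0x0305C22305)
00:06:37: Se1/1 LCP: I CONFREQ [REQsent] id 39 len 15
00:06:37: Se1/1 LCP:    AuthProto CHAP (0x0305C22305)
00:06:37: Se1/1 LCP: O CONFACK [REQsent] id 39 len 15
00:06:37: Se1/1 LCP: I CONFACK [ACKsent] id 5 len 15
00:06:37: Se1/1 LCP: State is Open
00:06:37: Se1/1 PPP: Phase is AUTHENTICATING, by both
00:06:37: Se1/1 CHAP: O CHALLENGE id 2 len 25 from "p1r2"
00:06:37: Se1/1 CHAP: I CHALLENGE id 3 len 25 from "p1r3"
00:06:37: Se1/1 CHAP: O RESPONSE id 3 len 25 from "p1r2"
00:06:37: Se1/1 CHAP: I RESPONSE id 2 len 25 from "p1r3"
00:06:37: Se1/1 CHAP: O SUCCESS id 2 len 4
00:06:37: Se1/1 CHAP: I SUCCESS id 3 len 4
00:06:37: Se1/1 PPP: Phase is UP
00:06:37: Se1/1 CDPCP: O CONFREQ [Closed] id 3 len 4
00:06:37: Se1/1 IPCP: I CONFREQ [Not negotiated] id 3 len 10
00:06:37: Se1/1 LCP: O PROTREJ [Open] id 6 len 16 protocol IPCP (0x80210103000A0306C0A80102)
00:06:37: Se1/1 CDPCP: I CONFREQ [REQsent] id 3 len 4
00:06:37: Se1/1 CDPCP: O CONFACK [REQsent] id 3 len 4
00:06:37: Se1/1 CDPCP: I CONFACK [ACKsent] id 3 len 4
00:06:37: Se1/1 CDPCP: State is Open
"""

# timestamp, interface, protocol tag (PPP/LCP/CHAP/IPCP/CDPCP), then the message
LINE_RE = re.compile(r"^\S+: (?P<intf>\S+) (?P<proto>\w+):\s+(?P<rest>.*)$")


def summarize(debug_text: str) -> Dict[str, Any]:
    s: Dict[str, Any] = {
        "phases": [], "lcp_open": False, "auth_proto": None,
        "local_name": None, "peer_name": None,
        "auth_ok_out": False, "auth_ok_in": False,
        "ncp_open": [], "ncp_rejected": [],
    }
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # syslog lines such as %LINK-3-UPDOWN
        proto, rest = m.group("proto"), m.group("rest")
        if proto == "PPP" and rest.startswith("Phase is "):
            s["phases"].append(rest[len("Phase is "):].split(",")[0])
        elif proto == "LCP":
            if rest.startswith("AuthProto "):
                s["auth_proto"] = rest.split()[1]      # "AuthProto CHAP (...)" -> CHAP
            elif rest == "State is Open":
                s["lcp_open"] = True
            elif "PROTREJ" in rest:
                pm = re.search(r"protocol (\w+)", rest)
                if pm:
                    s["ncp_rejected"].append(pm.group(1))
        elif proto == "CHAP":
            nm = re.search(r'from "([^"]+)"', rest)
            if rest.startswith("O CHALLENGE") and nm:
                s["local_name"] = nm.group(1)          # O = sent by this router
            elif rest.startswith("I CHALLENGE") and nm:
                s["peer_name"] = nm.group(1)           # I = received from the peer
            elif rest.startswith("O SUCCESS"):
                s["auth_ok_out"] = True                # this router accepted the peer
            elif rest.startswith("I SUCCESS"):
                s["auth_ok_in"] = True                 # the peer accepted this router
        elif proto.endswith("CP") and rest == "State is Open":
            s["ncp_open"].append(proto)                # a network control protocol is up
    return s


def link_usable(summary: Dict[str, Any]) -> bool:
    """LCP open, CHAP passed in both directions, and at least one NCP open."""
    return bool(summary["lcp_open"] and summary["auth_ok_in"]
                and summary["auth_ok_out"] and summary["ncp_open"])
```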
Exam Prep Questions
Question 1
The best compression type to use when connecting to a Microsoft client is
❍ A. Stacker
❍ B. Predictor
❍ C. MPPC
❍ D. TCP Header
Answer C is correct. In most cases, the best type of compression for a client using a Microsoft operating system is MPPC because most clients do not have the necessary application software to activate the other types of compression. Therefore, Answers A, B, and D are not correct. MPPC is the only one that comes with the Windows operating system.
Question 2
The best compression type to use with primarily Telnet traffic is
❍ A. Stacker
❍ B. Predictor
❍ C. MPPC
❍ D. TCP Header
Answer D is correct. You should use TCP Header compression when the TCP headers are larger than the data portion of the packet. You shouldn’t use Answers A and B, Stacker and Predictor, because they will just slow down the router without a measurable increase in compression. You shouldn’t use Answer C, MPPC, because a Microsoft client wasn’t mentioned, and even if it had been, MPPC would give the same result as Stacker.
Question 3
The best compression type to use with traffic that contains a lot of compressed data is
❍ A. Stacker
❍ B. Predictor
❍ C. MPPC
❍ D. TCP Header
Answer B is correct. Predictor examines packets to see whether they are already compressed and, if so, won’t compress them again. This process saves a small amount of bandwidth, as well as CPU cycles on the receiving device. Answers A, C, and D don’t examine packets to see whether it will be a waste of time compressing them.
Question 4
Which dial-up encapsulations support compression?
❍ A. PPP
❍ B. HDLC
❍ C. Frame Relay
❍ D. SLIP
Answer A is correct. Answer C, Frame Relay, isn’t what we would call a dialup encapsulation type, and of the remaining choices, only Answer A, PPP, natively supports compression.
Question 5
What hashing algorithms are used with CHAP?
❍ A. MD-4
❍ B. MD-5
❍ C. SHA
❍ D. IKE
Answer B is correct. When protecting a password with CHAP, the router uses MD-5 to hash the text before sending it across the WAN. MD-4 is an ancestor of both MD-5 and SHA that provides a weak hashing algorithm, whereas SHA provides greater security than MD-5 but is not used by CHAP. Internet Key Exchange (IKE) is a process used in IPSec encryption.
Question 6
Which ways can CHAP send passwords? (Choose two.)
❑ A. Encrypted using the Dijkstra algorithm
❑ B. Plain text
❑ C. MD5 encrypted hash
❑ D. Dijkstra-encrypted hash
Answers B and C are correct. CHAP can send passwords either in plain text (not a good idea) or by using the MD5 format to create an encrypted hash. The Dijkstra algorithm is used with link-state routing protocols, not authentication. Therefore, Answers A and D are not correct.
Question 7
Which issues prevent a device from calling back the device that called it when using callback? (Choose two.)
❑ A. Authentication failure
❑ B. Another call being made or received that uses the last available interface
❑ C. Authentication success
❑ D. Interesting traffic arriving
Answers A and B are correct. Success in authenticating continues the process but doesn’t prevent the return call. If interesting traffic uses the last available dial-out interface, it prevents the call, but interesting traffic itself doesn’t stop the process. Authentication success normally continues the process, so Answer C is not correct. Although Answer D, interesting traffic arriving, can stop the process if it uses the last available interface, the traffic arriving doesn’t necessarily cause a problem.
Question 8
The command to enable Stacker compression is
❍ A. compression stac
❍ B. compression stacker
❍ C. compress stac
❍ D. compress stacker
Answer C is correct. You use the command compress stac to enable Stacker compression. Answers A, B, and D are just incorrect.
Question 9
Which option for the command ip tcp header-compression tells the interface to compress TCP headers only if the destination device sends packets with compressed TCP headers?
❍ A. active
❍ B. passive
❍ C. receive
❍ D. transmit
Answer B is correct. The command ip tcp header-compression passive tells the router to compress TCP headers only if it receives a compressed header from the other device. Answers A, C, and D don’t exist.
Question 10
Cisco IOS uses which size headers on multilink packets?
❍ A. 2 byte
❍ B. 4 byte
❍ C. 8 byte
❍ D. 16 byte
Answer B is correct. The IOS uses 4-byte headers when sending packets across multilinked lines. The 700 series ISDN devices, which don’t use IOS, use 2-byte headers, the specification allows for 8-byte headers, and 16-byte headers are not allowed. Therefore, Answers A, C, and D are not correct.
Need to Know More?
Most of the PPP RFCs are in the 1900s, but many of the important specifications are outside this range. You can find details about MLP in RFC 1990, LCPs in RFC 1661, Microsoft CHAP in RFC 2433, and CHAP itself in RFC 1994 at http://www.faqs.org/rfcs/. Cisco hosts a number of design and implementation white papers on the topic of PPP at http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:PPP. The Internet Engineering Task Force (IETF) forms working groups to recommend specifications on technologies. The PPP extensions working group appears at http://www.ietf.org/html.charters/pppext-charter.html.
5 Using Network Address Translation
Terms you’ll need to understand:
✓ Network address translation (NAT)
✓ Port address translation (PAT)
✓ Inside
✓ Outside
✓ Local
✓ Global
✓ Overloading
✓ Overlapping
Techniques you’ll need to master:
✓ Configuring static NAT
✓ Configuring dynamic NAT
✓ Configuring overloaded NAT
✓ Configuring overlapped NAT
✓ Understanding how to verify and troubleshoot NAT
NAT Overview
NAT is a powerful tool in connecting networks. One of the biggest challenges in networking is addressing, and the challenge only becomes bigger as networks scale and grow connected. NAT gives us great flexibility in our use of addresses. With NAT, we can use a variety of different or similar address schemes. Simply put, NAT gives us the ability to convert one address to another. However, it is an oversimplification to say that NAT only translates addresses; NAT is a solution for a number of problems:
➤ With the depletion of public addresses on the Internet, NAT has come to the rescue. For companies that do not have enough valid unique addresses to connect all their hosts to the Internet, NAT can be configured on a router bordering the Internet and convert an organization’s addresses that are on the inside of the network to legitimate addresses on the public network. The translation or mapping can be one to one, many to one, or ranges, as we discuss later.
➤ NAT can also be used in the migration from one Internet service provider (ISP) to another, where you receive a new IP addressing scheme. Typically, when using NAT, you only need to change a few public addresses as opposed to renumbering your entire private IP network.
➤ NAT can also be useful for merging networks. Suppose two companies that are using the same address range merge. We can use NAT to convert between the two networks, presenting each side with an address that is unique within the range they are using.
➤ NAT can even be used for destination-based load balancing. NAT can take incoming server requests destined for a single address and disperse them in a round-robin fashion to multiple servers, each with its own unique addresses.
NAT is defined in RFC 1631, and Cisco has supported NAT on its routers since IOS release 11.2.
NAT Considerations
As with most things, NAT has both advantages and disadvantages. You will want to understand the implications of using NAT on your network. Let’s start with the advantages:
➤ Conservation—Using NAT, you save on the number of addresses needed to connect to the Internet. You can use a handful of public addresses to represent thousands of private addresses.
➤ Flexibility—Changing service providers requires only minor changes to your NAT configuration. The only addresses that you need to change are public addresses; NAT allows you to keep your private addressing intact.
➤ Overlapping networks—You can use the same address range in multiple locations and use NAT to connect them.
➤ Ease IP renumbering—As networks expand and you need new addressing schemes, you can roll out the changes gradually. Existing address schemes can remain unchanged.
➤ Security—The actual IP addresses of your hosts are hidden from the outside world. In many instances, the only thing that appears to the Internet is a single IP address doing a lot of surfing.
For the exam, remember all the advantages and disadvantages of using NAT.
Some of the disadvantages of using NAT follow:
➤ Latency—Translating an address takes time. To further complicate things, some protocols also have the address in the payload of the packet, adding more time because two instances of the address need to change.
➤ Functionality—Some applications simply do not work with NAT. Often, NAT cannot find and accurately convert a second address in the payload. Cisco regularly updates NAT’s functionality with IOS updates.
➤ Traceability—With multiple NAT translations, it becomes increasingly difficult to trace packets. Sometimes considered a good thing for privacy, it does make troubleshooting your network harder.
➤ Resource use—Translation requires extra CPU cycles to process packets, especially packets with an additional address in the payload. Also, the router consumes additional memory to maintain the translation table.
NAT Terminology
One of the biggest challenges to learning and understanding NAT is the terms that are used to describe the different concepts and configurations. The terms that cause the most confusion are associated with the addressing: inside, outside, local, and global. More than one of these terms can apply to an address, depending on your perspective:
➤ Inside or outside—Specifies the physical location of a host based on the device performing NAT.
➤ Local or global—Specifies the client’s point of view based on the NAT device.
Inside and local refer to the same side of the NAT device, typically called the private or internal network. Outside and global refer to the other side of the NAT device, known as the public or external network. The four possible combinations are described in Table 5.1.
Table 5.1 NAT Terminology
Inside local address: The IP address assigned to a host on the private or internal network. Usually based on RFC 1918.
Inside global address: A legitimate address on the public or external network. Usually provided by your ISP. This is the translated address that the outside world sees; it maps back to your inside local address.
Outside global address: Someone else’s inside global address. An address of an external host on the public network. A routable address provided by the ISP.
Outside local address: An IP address of an outside host as it appears to the private or internal network. Not necessarily a legitimate address, it is allocated from the inside address space. Usually based on RFC 1918.
RFC 1918 sets aside network ranges to be used for private networks:
➤ 10.0.0.0 to 10.255.255.255
➤ 172.16.0.0 to 172.31.255.255
➤ 192.168.0.0 to 192.168.255.255
NAT in Operation NAT can handle a variety of situations and configurations based on the needs of the network; some translations need to be strictly defined, whereas others can vary. You can use NAT to connect everyone to the Internet with just one address or use it to connect two companies that happen to choose the same addressing scheme. Next, we examine the different scenarios and their configurations.
Static NAT
A static mapping is usually used to help make available a shared resource (Web, email, FTP server, and so on) on the private side of your network to the outside. The issue is that the address on the internal resource is not valid for the outside, so what needs to be configured is a connection between a valid outside address and your internal resource’s private address. You enter the following command in global configuration mode:
ip nat inside source static local-ip global-ip
local-ip is the address of the resource on the inside, and global-ip is the address that will be visible on the public network.
Remember that static mapping is usually used to make a shared resource on the private side of your network available to the outside.
Table 5.2 describes the basic IP NAT command.
Table 5.2 ip nat inside source static
local-ip: The IP address of the local inside host to be translated
global-ip: The IP address on the global outside network that represents the inside host
(A disclaimer about the addresses in this chapter: All the addresses that the examples use are based on RFC 1918, “Address Allocation for Private Internets.” We understand that it makes no sense to convert from one of these addresses to another; however, in the interest of not using a real address visible on the Internet, we decided to use addresses conforming to RFC 1918. The network of 172.30.0.0 is the network used to represent the public space.)
Let’s look at a working example:
Router(config)#ip nat inside source static 192.168.1.10 172.30.0.20
Based on this example, requests destined for 172.30.0.20 are converted and redirected to the address of 192.168.1.10. To be a little more complex, we can use the static command to redirect requests sent to one public address to multiple private addresses based on ports. To do this, use the following command:
ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port
Notice that we added a protocol designator for Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) and then a port assignment for each address:
Router(config)#ip nat inside source static tcp 192.168.1.10 80 172.30.0.20 80
Router(config)#ip nat inside source static udp 192.168.1.25 69 172.30.0.20 69
The first line will take incoming requests using TCP port 80 (HTTP) destined for the public address of 172.30.0.20 and send them to the Web server at 192.168.1.10. The second line will take requests using UDP port 69 (Trivial File Transfer Protocol [TFTP]) going to the same public address, but will redirect them to a different private address, 192.168.1.25. This setup makes for a simple way to distribute load across multiple servers. For NAT and all the preceding translations to be successful, you need to specify which interfaces will be used in NAT and which role they will play. You enter the command to do so in interface configuration mode. The ip nat inside command, entered at the interface configuration level, tells the router to use this interface as the inside of NAT translations:
Router(config-if)#ip nat inside
Then, using the ip nat outside command on another interface sets up the pairing for the translation to occur. Each direction is now defined:
Router(config-if)#ip nat outside
Besides using the static NAT command to translate private addresses to public addresses, you can replace the inside keyword with outside and work the translation in the opposite direction.
Dynamic NAT
With static NAT, we configure a one-to-one mapping. Using dynamic NAT, we can convert our inside addresses to a range of outside addresses. This range gives us more flexibility and the ability to support more clients. To configure dynamic NAT, we need to use a standard access list to specify those addresses that we want converted (inside or private) and a nat pool command to specify the range of translated addresses (outside or public).
Remember that dynamic NAT converts inside addresses to a range of outside addresses.
The nat pool command looks like this:
ip nat pool pool-name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]
Table 5.3 explains the command.
Table 5.3 ip nat pool
pool-name: The name of the pool
start-ip: The beginning of the address range to be used in the global pool
end-ip: The end of the address range to be used in the global pool
netmask netmask: The subnet mask of the address pool range
prefix-length prefix-length: A bit count or classless interdomain routing (CIDR) notation describing the number of 1s in the netmask
type rotary: (Optional) Used for TCP load distribution among real inside hosts
Table 5.4 explains the options for the following command:
ip nat inside source list {access-list-number | name} pool name
Table 5.4 ip nat inside source for Dynamic NAT
list access-list-number: A standard IP access list number. Packets that match the access list will be dynamically translated to the global addresses in the pool.
list name: A named standard IP access list. Packets that match the access list will be dynamically translated to the global addresses in the pool.
pool name: The name of the pool defined by the ip nat pool command.
An example of the two commands used together looks something like this:
Router(config)#ip nat pool small-range 172.30.1.5 172.30.1.25 netmask 255.255.255.0
Router(config)#ip nat inside source list my-access-list pool small-range
The first command will build a pool named small-range that represents the numbers between 172.30.1.5 and 172.30.1.25 to be used as global outside addresses. The second command specifies that any source address that matches the addresses in the named access list will be converted to the global addresses defined in the pool small-range. It is possible to combine static and dynamic NAT. To do so, make sure the access list in dynamic NAT has a deny statement for any address used with the static NAT configuration.
Overloading NAT
Most organizations do not have a range of legal public addresses at their disposal; many have only an address or two to use. With NAT overloading, you specify that you want all private inside translations to be represented by a single outside global address. All you need to do is add the keyword overload to the end of the ip nat inside source command:
Router(config)#ip nat inside source list 10 interface serial 0 overload
This command will translate packets that match the source addresses specified in access list 10 to the IP address of the serial 0 interface. The keyword overload at the end tells the router that it will need to use TCP and UDP ports to track the individual conversations because all outbound conversations will have the same address. When NAT uses ports to track separate conversations, we often refer to it as port address translation (PAT). PAT is a form or subset of NAT; translation still occurs, but because of the limit of available outside addresses, port numbers identify the separate conversations.
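The three forms of inside source translation covered so far (static, dynamic pool, and overload) can be modelled as one translation table. The following Python is an added example, not from the book and not Cisco code: the standard access list is stood in for by an ipaddress network, static entries take precedence over dynamic ones, a dynamic pool that runs dry drops the packet, and overload keeps the original source port when it is free on the global address and picks another one on a collision. Addresses follow the chapter's convention, with 172.30.0.0 standing in for public space.

```python
# Added example (not from the book): a small model of Cisco-style inside source
# translation covering static one-to-one entries, a dynamic pool, and overload
# (PAT) on a single global address.  The standard access list is stood in for
# by an ipaddress network; addresses follow the chapter's convention.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Translation:
    global_ip: str
    global_port: int
    kind: str          # "static", "dynamic", "pat" or "none" (forwarded untranslated)


class InsideSourceNat:
    def __init__(self, inside_acl: str) -> None:
        self.acl = ipaddress.ip_network(inside_acl)      # stands in for "access-list 10 permit ..."
        self.static: Dict[str, str] = {}                  # inside local -> inside global
        self.free: List[str] = []                         # unused pool addresses
        self.dynamic: Dict[str, str] = {}                 # inside local -> pool address in use
        self.overload = False
        self.pat: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (local, port) -> (global, port)

    def add_static(self, local_ip: str, global_ip: str) -> None:
        """ip nat inside source static local-ip global-ip"""
        self.static[local_ip] = global_ip

    def configure_pool(self, start_ip: str, end_ip: str) -> None:
        """ip nat pool ... start-ip end-ip, used by ip nat inside source list ... pool ..."""
        first, last = int(ipaddress.ip_address(start_ip)), int(ipaddress.ip_address(end_ip))
        self.free = [str(ipaddress.ip_address(n)) for n in range(first, last + 1)]

    def configure_interface_overload(self, interface_ip: str) -> None:
        """ip nat inside source list ... interface serial 0 overload"""
        self.free = [interface_ip]
        self.overload = True

    def _free_port(self, global_ip: str, wanted: int) -> int:
        """Keep the source port when unused on this global address, else pick another."""
        used = {port for ip, port in self.pat.values() if ip == global_ip}
        if wanted not in used:
            return wanted
        port = 1024
        while port in used:
            port += 1
        return port

    def translate(self, src_ip: str, src_port: int) -> Optional[Translation]:
        """Translate one outbound packet; None means the packet is dropped."""
        if src_ip in self.static:                          # static entries win
            return Translation(self.static[src_ip], src_port, "static")
        if ipaddress.ip_address(src_ip) not in self.acl:   # access list miss: forwarded as-is
            return Translation(src_ip, src_port, "none")
        if self.overload:                                  # PAT: one address, many ports
            key = (src_ip, src_port)
            if key not in self.pat:
                global_ip = self.free[0]
                self.pat[key] = (global_ip, self._free_port(global_ip, src_port))
            return Translation(*self.pat[key], "pat")
        if src_ip not in self.dynamic:                     # dynamic: one pool address per host
            if not self.free:
                return None                                # pool exhausted and no overload
            self.dynamic[src_ip] = self.free.pop(0)
        return Translation(self.dynamic[src_ip], src_port, "dynamic")


def overload_demo() -> List[Optional[Translation]]:
    """Constructed scenario: one static server entry plus PAT on the serial interface."""
    nat = InsideSourceNat("192.168.1.0/24")
    nat.add_static("192.168.1.10", "172.30.0.20")
    nat.configure_interface_overload("172.30.0.1")
    return [
        nat.translate("192.168.1.10", 80),     # static web server entry
        nat.translate("192.168.1.50", 40000),  # first client keeps its source port
        nat.translate("192.168.1.51", 40000),  # same port already in use: gets 1024
        nat.translate("192.168.1.50", 40000),  # existing conversation reuses its entry
        nat.translate("10.9.9.9", 53),         # not in the access list
    ]


def pool_demo() -> List[Optional[Translation]]:
    """Constructed scenario: a two-address dynamic pool that runs dry."""
    nat = InsideSourceNat("192.168.1.0/24")
    nat.configure_pool("172.30.1.5", "172.30.1.6")
    return [nat.translate("192.168.1.%d" % host, 5000) for host in (1, 2, 3, 1)]
```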
Overlapping NAT
When a company needs to connect two networks that are using the same address range, you normally would have a problem; however, NAT once again comes to the rescue. The solution to the problem is rather simple: You NAT in both directions. You set up a translation to go from the inside to the outside as in the preceding examples. Then, you set up a translation in the opposite direction—that is, from the outside to the inside. This type of translation is best as a temporary fix; you would rather not have an overlapped network. Most overlapped networks are the result of company mergers or branch offices being connected when designers never thought they would be. The overall problem solved by NAT is that you are trying to reach a location that is outside your network. However, the address of that outside location is an address that appears on the inside of your network.
Configuring Load Sharing
Load sharing is the process of sharing the load between multiple destinations. It is possible to configure a router so that if a packet comes in destined for a particular address, the NAT process assigns it a new destination from its configured pool, in a round-robin fashion. If there are four addresses in the pool, each of the first four separate packet streams is assigned a different IP address. Of course, each IP address must have the ability to process the requests, or else you have additional issues to deal with. The following commands deal with implementing load sharing. Applying the NAT statements to the interfaces operates just as it did in the previous examples, so those lines have been omitted. The first thing you need to do is identify the IP addresses that will be used for load sharing. In this case, four devices will be receiving packets:
Router(config)#ip nat pool load-share 10.1.2.11 10.1.2.14 netmask 255.255.255.0
The following command links the pool name to the access list that will be used to identify the IP address being matched:
Router(config)#ip nat outside destination list 1 pool load-share rotary
There are two important changes here, compared to the way this command was used with regular NAT. The first is that instead of the option source, we use the option destination. It tells the router which field in the IP header it needs to manipulate, the destination IP address. The second important component is the addition of the command rotary at the end. This command tells the router to do load sharing. Without this command, four packet streams would be translated and no other conversations could get through. The access-list statement tells the router what destination IP address it’s looking for:
Router(config)#access-list 1 permit 10.1.2.10 0.0.0.0
All the packet streams that want to be serviced use 10.1.2.10 as their destination. The router examines the IP header, replaces the destination address with one of the four from the pool, and forwards the packet to the appropriate device. No caching occurs.
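The round-robin behaviour of the rotary pool is easy to misjudge, so here is an added model of it (example code, not from the book and not IOS): the virtual address 10.1.2.10 and the pool 10.1.2.11 to 10.1.2.14 come from the configuration above, the client addresses and ports are constructed, and the one design assumption is that each conversation (identified by its 5-tuple) stays on the real server it was first given, while every new conversation takes the next pool address. As with the router, nothing here checks whether a pool member is actually able to serve requests.

```python
"""Simulated rotary (load-sharing) destination NAT.

Added example, not Cisco IOS code: models what the
'ip nat outside destination list 1 pool load-share rotary' configuration
does to matching packets. Virtual address and pool are taken from the
chapter; client flows are constructed.
"""
from ipaddress import IPv4Address
from itertools import cycle
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


class RotaryNat:
    def __init__(self, virtual: str, pool_start: str, pool_end: str) -> None:
        # access-list 1 permit 10.1.2.10 0.0.0.0: only this destination matches
        self.virtual = virtual
        first, last = int(IPv4Address(pool_start)), int(IPv4Address(pool_end))
        self.pool: List[str] = [str(IPv4Address(n)) for n in range(first, last + 1)]
        self._next = cycle(self.pool)          # round-robin pointer over the pool
        self.table: Dict[Flow, str] = {}       # conversation -> real server

    def translate(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        """Return the destination address the packet is forwarded to.
        Non-matching destinations pass through untouched; a new matching
        conversation takes the next pool address, and later packets of the
        same conversation keep it (assumption of this model)."""
        if dst != self.virtual:
            return dst
        key: Flow = (proto, src, sport, dst, dport)
        if key not in self.table:
            self.table[key] = next(self._next)
        return self.table[key]

    def distribution(self) -> Dict[str, int]:
        """How many conversations each real server currently holds."""
        counts = {addr: 0 for addr in self.pool}
        for real in self.table.values():
            counts[real] += 1
        return counts


if __name__ == "__main__":
    nat = RotaryNat("10.1.2.10", "10.1.2.11", "10.1.2.14")
    for i in range(1, 7):
        client = f"192.168.1.{i}"
        print(client, "->", nat.translate("tcp", client, 40000 + i, "10.1.2.10", 80))
    print(nat.distribution())
```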
NAT Troubleshooting
A few commands can be very useful in troubleshooting and verifying NAT. One of the more common commands is show ip nat translation. With it, you can verify one-to-one mappings as well as port address translation (PAT). If your translations are one-to-one, you only see inside global to inside local mappings. If you use PAT or overloading, you see additional details, such as protocol, ports, and outside addresses. The following example shows the command in use with basic NAT:
router#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 172.30.0.10        192.168.1.20       ---                ---
--- 172.30.0.11        192.168.1.24       ---                ---
Next is an example with PAT or overloading. Notice that the inside local addresses are different, but the inside global remains the same. The port numbers are used to track the different conversations:
router#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.30.0.10:917    192.168.1.20:917   10.1.1.2:23        10.1.1.2:23
tcp 172.30.0.10:713    192.168.1.25:713   10.1.1.3:23        10.1.1.3:23
The next command is show ip nat statistics, which displays the number and type of active translations. The key word there is active; as translations are added or terminated, the statistics increment or decrement appropriately. It also shows you the number of times a translation appears in the table (a hit) or whether a new entry needs to be built (a miss). Here is a sample output from the show ip nat statistics command:
router#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces: Ethernet0, Serial2.5
Inside interfaces: Ethernet1
Hits: 5  Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 1 pool small-range refcount 0
 pool small-range: netmask 255.255.255.0
        start 172.30.1.5 end 172.30.1.25
        type generic, total addresses 2, allocated 0 (0%), misses 0
You can use the clear ip nat translation command in a number of different ways: with a * to clear all translations, or with inside or outside to clear all translations to a specific inside or outside address. You can be as granular as you need by going all the way down to the protocol and port level using the protocol and port options. Being specific allows you to leave current translations active while dropping the ones you want. There is also a debug command that has one option: debug ip nat or debug ip nat detailed. With the detailed option, you get additional information about active NAT sessions, such as protocols and ports. Without detailed, you only see basic translation entries being built. As with most debugging commands, you only want to use them for troubleshooting and verification; turn them off as soon as possible so you don’t affect the performance of the router. Here is the output of the debug ip nat command during two ping packets and their responses:
NAT: s=192.168.1.1->172.30.1.1, d=172.30.1.10 [0]
NAT: s=172.30.1.10, d=172.30.1.1->192.168.1.1 [0]
NAT: s=192.168.1.1->172.30.1.1, d=172.30.1.10 [1]
NAT: s=172.30.1.10, d=172.30.1.1->192.168.1.1 [1]
Exam Prep Questions
Question 1
What are three disadvantages of NAT?
❑ A. The loss of end-to-end IP traceability.
❑ B. The wasting of public addresses.
❑ C. Additional load on the router’s CPU and memory.
❑ D. Some programs cannot work with NAT.
Answers A, C, and D are correct. All three are disadvantages; additionally, your network can experience delays during translation. Answer B is the opposite of what NAT does; it helps preserve the public address space.
Question 2
What is the name of a public address that represents a translated internal host to the outside world?
❍ A. Outside global IP address
❍ B. Inside global IP address
❍ C. Outside local IP address
❍ D. Inside local IP address
The answer is B. The address that represents a host on the Internet which has been translated is the inside global IP address. Remember that the terminology changes based on the perspective of the router performing NAT. An outside global address represents everyone else on the Internet but your machines, so Answer A is wrong. Answer C is incorrect; it is the address of an outside host as it appears to your inside machines. Answer D is also wrong because it is the address of local machines without NAT occurring.
Question 3
What is the name of an address that is configured on your host machines?
❍ A. Outside global IP address
❍ B. Inside global IP address
❍ C. Outside local IP address
❍ D. Inside local IP address
Answer D is correct; it is the address of your internal hosts. An outside global address represents everyone else on the Internet but your machines, so Answer A is wrong. Answer B is the translated address, so it’s wrong. Answer C is incorrect; it is the address of an outside host as it appears to your inside machines.
Question 4
NAT can help with which two things?
❑ A. Security
❑ B. Performance
❑ C. Address conservation
❑ D. Authentication
Answers A and C are correct. Answer A, security, is a benefit of NAT because it hides the internal address space. Answer C, address conservation, is why NAT was created: to convert private addresses to public addresses. Answer B is incorrect because NAT usually causes a slight delay, and Answer D is also wrong because NAT has nothing to do with authentication.
Question 5
What type of NAT uses TCP and UDP ports for multiple inside hosts, translated to a single outside address?
❍ A. Overlapping
❍ B. Static
❍ C. Dynamic
❍ D. Overloading
Answer D is correct; overloading translates many inside addresses to a single outside address, and ports differentiate clients. This is sometimes referred to as PAT. Answer A is incorrect; overlapping NAT connects similarly numbered networks. Answer B is also incorrect; static NAT is for one-to-one mappings. Answer C is wrong because dynamic NAT converts to a range of addresses.
Question 6
You can use static and dynamic NAT simultaneously.
❍ A. True
❍ B. False
Answer A is true; you can use static and dynamic NAT at the same time. In your configuration, you need to make sure that the addresses for each configuration don’t overlap. This is a common configuration to have; you use static mappings to allow connectivity to your shared resources and dynamic NAT to service your clients.
Question 7
What command would you use to always take a host (10.1.1.5) on the inside network and convert it to an outside address of 172.30.3.3?
❍ A. ip nat outside source static 10.1.1.5 172.30.3.3
❍ B. ip nat inside source static 172.30.3.3 10.1.1.5
❍ C. ip nat inside static address 10.1.1.5 172.30.3.3
❍ D. ip nat inside source static 10.1.1.5 172.30.3.3
Answer D is correct. ip nat inside source static 10.1.1.5 172.30.3.3 sets up a static mapping for the inside host 10.1.1.5 to the outside address of 172.30.3.3. Answers A and C have incorrect syntax. Answer B is correct except it is in the opposite direction.
Question 8
If you want NAT to use only one address for all of its translations, what command would you use?
❍ A. ip nat inside source list 1 interface serial 0 overload
❍ B. ip nat inside source list 1 interface serial 0 overbooking
❍ C. ip pat inside source list 1 interface serial 0
❍ D. ip pat inside source list 1 interface serial 0 overload
Answer A is correct. There is no overbooking option, so Answer B is incorrect. Answers C and D are also incorrect because there is no pat option either.
Question 9
What command would you use to clear all NAT entries?
❍ A. flush nat all
❍ B. flush nat *
❍ C. clear xlate
❍ D. clear ip nat translations *
Answer D is correct; clear ip nat translations * would erase all translations. Answers A and B are fake commands and wrong. Answer C would be correct if you were working on a PIX Firewall.
Question 10
To verify NAT, you use what command?
❍ A. show ip nat statistics
❍ B. show ip nat config
❍ C. show nat translations
❍ D. show port-mapping nat
Answer A is correct; it allows you to view current stats. Answers B and D do not exist and are therefore wrong. Answer C is almost correct, but the command is show ip nat translations.
Need to Know More?
One of the better resources on the Web for understanding NAT is http://www.cisco.com/warp/public/556/nat-cisco.shtml. You can find a good troubleshooting document and a number of examples at http://www.cisco.com/en/US/tech/tk648/tk361/tk438/tech_protocol_home.html. The two RFCs mentioned in this chapter appear at http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1631.html and http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1918.html.
PART II WAN Access
6 Modems and Asynchronous Connections
7 Using ISDN
8 Dial-on-Demand Routing
9 Using Frame Relay
10 Introduction to Broadband
6 Modems and Asynchronous Connections
Terms you’ll need to understand:
✓ Data Terminal Equipment (DTE) and Data Communications Equipment (DCE)
✓ Recommended Standard (RS)-232 and Electronic Industries Association/Telecommunications Industry Association (EIA/TIA)-232-C
✓ Request to Send (RTS), Clear to Send (CTS), Data Terminal Ready (DTR), Carrier Detect (CD), and Data Set Ready (DSR)
✓ Pulse code modulation (PCM) encoding
✓ Error detection and correction
✓ Compression
✓ Reverse Telnet
✓ Autoconfiguration
✓ Modemcap database
Techniques you’ll need to master:
✓ Configuring an asynchronous line
✓ Selecting cables and adapters
✓ Setting up modem autoconfiguration
✓ Configuring modems manually
✓ Maintaining the modemcap database
✓ Debugging modem autoconfiguration
Asynchronous connections via modem have been and will continue to be an integral part of any wide-area network (WAN) implementation. Although it has been relegated to “backup” status in most cases, the asynchronous connection still has many things going for it, not the least of which are its ready availability and low cost. Regardless of the nature of the asynchronous connection you are using, you need to be able to correctly choose and deploy the proper cabling and master the configuration of the router, its resources, and the modems attached to the router. Cisco and the computer industry as a whole have done an admirable job of streamlining and simplifying this process.
Modems
Although the term “modem” is almost universally understood in concept, the actual operation of the modem is usually not. Outside of knowing that a modem is a device that modulates and demodulates digital signals into analog sounds, understanding how a modem does what it does is essential. You must understand the modem process to fully use and optimize it.
Modem Technologies
All devices you connect a modem to are called DTE. DTE devices can communicate with each other directly, but typically employ DCE, such as a modem, to manage the connection. The current standard used to make a DTE/DCE connection is EIA/TIA-232-C. EIA/TIA-232 replaced RS-232 as the connection standard. You will be glad to know that RS-232 was approved and that all our computers, modems, and other devices aren’t obsolete. All traffic through the Public Switched Telephone Network (PSTN) is digitally encoded through a process of PCM encoding. The DTE and DCE devices control their communication through five main signals sent between devices. The signals are of two types: hardware flow control, shown in Table 6.1, and modem control, detailed in Table 6.2.
Table 6.1 Hardware Flow Control Signals
Signal  Purpose
RTS     Request to Send. Generated by DTE, indicates that the DTE has buffers to receive data from the DCE.
CTS     Clear to Send. Generated by DCE, indicates that the DCE has buffers to receive data from the DTE.

Table 6.2 Modem Control Signals
Signal  Purpose
DTR     Data Terminal Ready. Generated by DTE, informs the DCE that it is ready to receive an incoming call.
CD      Carrier Detect. Generated by DCE, indicates that DCE-to-DCE communication has been established.
DSR     Data Set Ready. Generated by DCE, informs the DTE that it is ready for use.
Modem Standards
Modem connections are governed by several standards that were developed to provide faster communication and higher levels of data integrity. There are a number of standards for error detection/correction and compression. As important as it is to know the standards, it is equally important to know that they only define the mechanism by which a specific task is to be accomplished. Compression standards, for example, can only define how compression works and the maximum compression that can be realized. They do not guarantee that all data will be, or even can be, compressed. Error detection/correction standards fall into two groups, Microcom Networking Protocol (MNP) and Consultative Committee for International Telegraph and Telephone (CCITT). The CCITT changed its name to ITU-T (International Telecommunication Union Telecommunication Standardization Sector) in March 1993. The MNP standards are MNP 2-4 (for use in the public domain) and MNP 10 (for use with cellular technologies). The CCITT standard is also sometimes referred to as Link Access Procedure for Modems (LAP-M). The main compression standards in use today are MNP 5, which provides a 2:1 ratio, V.42bis (4:1), and V.44 (6:1). The general rule is that any compression mechanism can be paired with any error detection/correction mechanism.
Configuring the Router
To use the modem, the router must be properly configured to access it. There are two phases of configuration necessary when preparing the router to use the modem. The first is the logical configuration of the asynchronous interface. The second phase is the configuration of the physical characteristics of the asynchronous line. Once you prepare the router to physically see the modem, you must configure it to use the specific modem attached to it. This final phase can be manual, automatic, or a combination of the two.
Logical Router Configuration
Much confusion stems from the two separate phases of asynchronous configuration on a router. Simply put, the asynchronous interface configuration of the router is the logical information about a connection, such as the IP address, encapsulation mechanism, and authentication. Before the logical configuration can begin, however, you must have access to at least one asynchronous interface. Depending on the router, you might have to put a serial interface into asynchronous mode. The command to place a serial interface into asynchronous mode is physical-layer {sync | async} issued from interface configuration mode:
Router(config-if)#physical-layer async
This command configures the interface to interact with the asynchronous modem, as opposed to waiting for or providing clocking for a synchronous connection. To verify that an interface is in asynchronous mode, display the current status of the router’s lines from privileged exec mode, using the show line command:
Router#show line
   Tty Typ     Tx/Rx      A Modem  Roty AccO AccI   Uses   Noise  Overruns
*    0 CTY                -    -      -    -    -      0       0     0/0
     1 TTY 115200/115200  - inout    -    -    -      0       0     0/0
    65 AUX     9600/9600  -    -      -    -    -      0       0     0/0
*   66 VTY                -    -      -    -    -      8       0     0/0
    67 VTY                -    -      -    -    -      3       0     0/0
    68 VTY                -    -      -    -    -      1       0     0/0
    69 VTY                -    -      -    -    -      0       0     0/0
    70 VTY                -    -      -    -    -      0       0     0/0
You must have at least one line showing as TTY to successfully configure a modem.
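That check (at least one TTY line, and a modem command on it) is easy to automate when you collect show line from many routers. The following is an added example, not from the book and not IOS: a small parser for the column layout of the output above, plus the check itself. SAMPLE is a constructed copy of that layout; the Tx/Rx column is blank for CTY and VTY lines, so the parser reads the eight right-hand columns from the end of each row. Only the modem-column values the chapter names (inout and dialin) are treated as modem-capable.

```python
"""Parse show line output and confirm a modem-capable TTY exists.

Added example, not Cisco IOS code. SAMPLE is a constructed copy of the
show line layout shown in the chapter.
"""
from typing import Dict, List

SAMPLE = """\
Router#show line
   Tty Typ     Tx/Rx      A Modem  Roty AccO AccI   Uses   Noise  Overruns
*    0 CTY                -    -      -    -    -      0       0     0/0
     1 TTY 115200/115200  - inout    -    -    -      0       0     0/0
    65 AUX     9600/9600  -    -      -    -    -      0       0     0/0
*   66 VTY                -    -      -    -    -      8       0     0/0
    67 VTY                -    -      -    -    -      3       0     0/0
"""

# The eight columns that are always present, right to left from "Overruns".
TRAILING = ("a", "modem", "roty", "acco", "acci", "uses", "noise", "overruns")


def parse_show_line(text: str) -> List[Dict[str, object]]:
    """Return one dict per line row. A leading '*' marks an active line.
    Rows have 10 tokens when Tx/Rx is blank and 11 when a speed is shown."""
    rows: List[Dict[str, object]] = []
    for raw in text.splitlines():
        body = raw.lstrip("* ").rstrip()
        if not body or body.startswith("Router#") or body.startswith("Tty"):
            continue                       # prompt, header or blank line
        tokens = body.split()
        if len(tokens) < 10:
            continue                       # not a line row
        row: Dict[str, object] = {
            "active": raw.startswith("*"),
            "tty": int(tokens[0]),
            "typ": tokens[1],
            "txrx": tokens[2] if len(tokens) == 11 else "",
        }
        for name, value in zip(TRAILING, tokens[-8:]):
            row[name] = value
        row["uses"] = int(row["uses"])
        rows.append(row)
    return rows


def modem_lines(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """TTY lines that already carry one of the modem commands."""
    return [r for r in rows if r["typ"] == "TTY" and r["modem"] in ("inout", "dialin")]


def ready_for_modem(text: str) -> bool:
    """True when at least one TTY line is configured for a modem."""
    return bool(modem_lines(parse_show_line(text)))


if __name__ == "__main__":
    for line in modem_lines(parse_show_line(SAMPLE)):
        print("tty", line["tty"], line["txrx"], line["modem"])
    print("ready:", ready_for_modem(SAMPLE))
```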
One important aspect of the logical configuration is the encapsulation. You configure encapsulation with the encapsulation {slip | ppp} command:
Router(config-if)#encapsulation ppp
The command configures the router to attempt either Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP) encapsulation. Cisco routers support only SLIP or PPP encapsulation. The logical configuration is the same you use with ISDN and dial-on-demand routing (DDR). The importance of putting the serial interface into asynchronous mode cannot be stressed enough. If the serial interface is not in asynchronous mode, it will not be configurable as a line and will be unavailable for use with a modem.
Physical Interface Configuration
The physical configuration of the router interface, which you perform in line config mode, consists of the physical characteristics of the connection. At this point, we define the speed of the connection, flow control, whether the modem is to be used for incoming only or incoming and outgoing calls, and where the database for authentication resides:
login {local | tacacs}
flowcontrol {none | software | hardware}
speed {0-4294967295}
modem {dialin | inout}
A basic physical configuration would be as follows:
Router(config-line)#login local
Router(config-line)#flowcontrol hardware
Router(config-line)#speed 115200
Router(config-line)#modem inout
The first line, login local, specifies that the local router database will be used for authentication, as opposed to a Terminal Access Controller Access Control System + (TACACS+) server. Flowcontrol hardware tells the port that the flow control mechanism will be built-in hardware, as opposed to software. The speed 115200 command determines the speed at which the router will send data to the modem. The last command, modem inout, establishes that the modem can be used for both incoming and outgoing calls. In addition, you can define data bits, stop bits, parity, and which protocols will be passed through the line.
Know the minimum configuration requirements for configuring access to a modem. It must be in asynchronous mode, and it must have one of the modem commands (inout or dialin).
Attaching the Modem
This entire configuration process does us absolutely no good unless the modem is attached to the router. Although it might seem a rather simple task, it is important to know which mechanisms are available to make the connection between devices. Depending on the interfaces available to you, you can use several cable sets and combinations of cable and adapter to connect the modem and router. The simplest connection uses a serial cable, with the appropriate connector on one end for the router and a 25-pin EIA/TIA-232 male connector on the other end. The male connector attaches to the 25-pin female port on the modem. This configuration works well when you have a small number of modems (one or two) to attach to a single router. Routers that are explicitly designed to connect to multiple modems are called access servers, and they employ one of two techniques to attach the modems. When attaching more than two modems to a router, you typically use an 8-port “octal” or “octopus” cable. An octal cable has a wide connector, similar to an SCSI-3 interface, which plugs into the corresponding port on the router. The other end of the cable has eight RJ-45 connectors that you can either connect directly to specialized modems or adapt with an RJ-45-to-DB-25 male adapter. The alternative to an octal cable and external modems is a bank of internal modems, referred to as modem ISDN channel aggregation (MICA) modems. Knowing that MICA modems exist should be sufficient to answer most questions relating to them on the exam.
You can make the final connection between a router and modem through the aux port. When connecting the modem through the aux port, you plug a console cable (rollover cable) directly into the aux port. You plug the other end of the cable directly into the modem or into an RJ-45-to-DB-25 male adapter that you plug into the modem.
Although the majority of modems use a 25-pin connector, only 8 pins are used to communicate between the DTE and DCE devices. Table 6.3 shows the pins used on either end of the connection and what each is used for. The arrow gives the signal direction, which follows the generating device listed in Tables 6.1 and 6.2.
Table 6.3 Modem Signaling Pinout
DTE Device       Pin   Signal Direction   Pin   DCE Device
TxD (Transmit)    2          ->            2    TxD
RxD (Receive)     3          <-            3    RxD
RTS               4          ->            4    RTS
CTS               5          <-            5    CTS
DTR              20          ->           20    DTR
CD                8          <-            8    CD
<modem-script script-name> <system-script script-name>
The dialer map command is a fairly complex animal but allows for a lot of flexibility with dialer interfaces. The original dialer string command only lets you call one location, but the dialer map command lets you call multiple locations per interface. The protocol configuration wants a Layer 3 protocol followed by the address of the device you are connecting to. Every other command is optional. If you want to dial out, you also need to put in the remote device’s phone number. The ISDN subaddress is also optional. This command must be last in the dialer-map statement.
PPP multilink
Establishes this interface as a member of a multilink relationship with other circuits.
PPP authentication <pap | chap | ms-chap>
States that when calling this location, the specified authentication type is used.
Some components of the dialer map are required, depending on the circumstances. You use the name option with PPP authentication. Use speed when selecting between 56Kbps and 64Kbps ISDN channels. You need the broadcast option to send broadcast packets, such as RIP routing updates, across the wire. The modem-script and system-script commands let you use custom scripts per connection.
Remember that you can place multiple dialer maps on an interface, but they need to be pointing to different destinations. For example, you can use the same interface to make a connection to get information to the 20.0.0.0 network and call a number for the 30.0.0.0 network. These numbers can be the same; the router is only looking at the network in question. Once it figures out which network it needs to forward traffic to, it looks at the number linked to it and dials. A sample dialer interface configuration follows:
interface dialer 1
 ip address 192.168.4.9 255.255.255.252
 encapsulation ppp
 dialer remote-name corporate
 ppp authentication chap
 dialer-group 5
 dialer pool 3
 dialer string 5551212
 dialer hold-queue 20
Dialer Pools
A dialer pool is a group of physical interfaces. You need to configure each physical interface you want to be a member of the pool with a pool ID and priority information. Once an interface is a member of a pool, a dialer interface that uses the pool will use the physical interface that has the highest priority for an outgoing call. Use the dialer pool number priority priority command to configure it in interface configuration mode. An interface may belong to multiple pools. If a pool contains multiple interfaces, you need to configure a priority level for the physical interface. When a router needs to make a call, it uses the highest priority available interface in the pool to make the next call. Just remember that physical interfaces are grouped into pools and may be part of more than one. A dialer interface uses a pool to decide which physical interface to use to make a call.
Listing 8.1 shows two Basic Rate Interfaces (BRIs) that are each configured to be members of two dialer pools. Pool membership on a physical interface is configured with dialer pool-member.
Listing 8.1 Configuring pool membership
Router(config)#interface BRI 0
Router(config-if)#dialer pool-member 1 priority 200
Router(config-if)#dialer pool-member 2 priority 150
Router(config)#interface BRI 1
Router(config-if)#dialer pool-member 1 priority 150
Router(config-if)#dialer pool-member 2 priority 200
Map Classes
A map class is a useful part of a dialer profile. Although they are optional components, you can use them to specify different Layer 1 characteristics for a call. The commands in Table 8.2 tend to revolve around connection characteristics.
Table 8.2 Map Class Commands
Command  Explanation
map-class dialer class-name
    This command creates a map class with the specified unique name and puts you in map class configuration mode.
dialer idle-timeout seconds
    When a call is in progress but no interesting traffic is crossing the line, this command tells the router when to kill the link. By default, the router drops the line 120 seconds after the last piece of interesting traffic crosses.
dialer fast-idle seconds
    If no interesting traffic is crossing a link and there are packets waiting to use the interface to call a different destination, the dialer fast idle timer kicks in. Rather than wait 2 minutes for the idle-timeout timer to expire, the fast idle timer only activates when there is contention for an interface, and it expires much quicker. The default value of the timer is 20 seconds.
dialer wait-for-carrier-time seconds
    This command is useful on analog lines because it tells the router how long to wait for a carrier signal. When used in conjunction with an asynchronous interface, the timer includes the time needed for the chat script to run. The default is 30 seconds, but Cisco recommends 60 seconds on asynchronous interfaces.
dialer isdn speed speed
    This command gives you a choice between 56Kbps and 64Kbps when making a connection via ISDN. Check with your service provider to make sure it supports 64Kbps ISDN channels.
Incoming Calls with Rotary Groups
When you have multiple lines and only one phone number for incoming calls, you need to use a roll-over or hunt group. This concept is the same one a lot of companies use for customer service. Call one number and the next available person picks up the phone. We use the same concept here except for data calls. You can use this technique if you have a lot of people calling from outside your organization, for example, if you are with an Internet service provider (ISP). Give your customers one number that can reach a large number of modems, and the next available one answers. You can also use rotary groups for outgoing calls, but they have largely been replaced by dialer profiles, which provide greater flexibility. With incoming calls, however, we have a little more predictability because most low-speed traffic comes across analog lines and we can often dictate settings to the people calling in. We don’t have to worry much about the different switch types and speeds ISDN uses because this technique is most often used for analog dial-up.
Configuring Rotary Groups
When configuring a rotary group, we need to specify a dialer interface and tell the router which physical interfaces will participate in the hunt group. We do so with the interface dialer number command and the dialer rotary-group number command shown in Table 8.3.
Table 8.3 Rotary Group Commands
Command  Explanation
Router(config-if)#dialer rotary-group number
    This command tells a physical interface that it is going to participate in the hunt group defined by the dialer interface with the specified number.
Router(config)#interface dialer number
    From global configuration mode, this command sets up a dialer interface of the specified number. The number of the rotary group and the dialer interface need to be the same. The number range is 0 through 255.
When configuring a rotary group for outgoing calls, you need to configure dialer strings on the dialer interface. Don’t forget to put the dialer inband command on interfaces with modems to turn on DDR.
Configuration Example and Explanation
This next section illustrates how to configure a router for DDR. We’ve broken each applicable section of a router configuration into manageable chunks with explanations. We start with Listing 8.2 with static routes and authentication.
Listing 8.2 Sample configuration
dialer-list 1 protocol ip permit
ip route 20.1.1.0 255.255.255.0 10.1.2.1
ip route 20.1.2.0 255.255.255.0 10.1.3.1
ip route 21.1.2.0 255.255.255.0 11.1.2.1
ip route 21.1.3.0 255.255.255.0 11.1.3.1
ip route 22.1.2.0 255.255.255.0 12.1.2.1
ip route 22.1.3.0 255.255.255.0 12.1.3.1
username router1 password cisco
username router2 password cisco
username router3 password cisco
username router4 password cisco
username router5 password cisco
username router6 password cisco
The dialer-list command tells the router what traffic is considered interesting. In this case, all IP traffic is interesting and will bring up a link pointing to dialer list 1. You can also specify an access list to get more granular. The ip route statements tell the router that to get to the specified network, it needs to send packets to the specified IP address. This address is a remote address. The username and password statements indicate that when the router calls a remote device with a hostname equal to the username, it needs to use the associated password. The following code adds dynamic routing to the router and includes the static routes in our routing updates through the redistribute static command:
router rip
 network 10.0.0.0
 network 11.0.0.0
 network 12.0.0.0
 redistribute static
This setup allows other RIP devices to know where to send packets to us, if they need to get packets to the remote networks. Next, we configure the physical interfaces:
interface bri 0
 encapsulation ppp
 dialer pool-member 1 priority 200
 ppp multilink
You must configure encapsulation, pool membership, and multilink here, whereas you configure everything else on the dialer interfaces. The dialer pool-member statement tells the router that this interface is a member of dialer pool 1, and because it has a higher priority than the other interface in pool 1, this interface is used first for dial out.
The next code performs the same task as earlier on this interface, but this interface is a member of two pools:
interface bri 1
 encapsulation ppp
 dialer pool-member 1 priority 150
 dialer pool-member 2 priority 200
 ppp multilink
It has a high priority on one pool and a medium on the other. The way we are configuring the pools means that this interface is the primary for pool 2 and the secondary for pool 1. We need to configure a couple more interfaces and set them into the appropriate pools. Then, the dialer interfaces must be able to use the pools to decide which physical interface to make the call with.
interface bri 2
 encapsulation ppp
 dialer pool-member 2 priority 200
 dialer pool-member 3 priority 150
 ppp multilink
interface bri 3
 encapsulation ppp
 dialer pool-member 3 priority 200
 ppp multilink
Next, the dialer interfaces get most of the configuration information. We need to configure IP addressing on this interface, and we can either configure the interface so that the network overlaps with both destinations or configure two IP addresses and specify one as a secondary address:
interface dialer 1
 ip address 10.1.1.1 255.255.0.0
 ppp authentication chap
 dialer map ip 10.1.2.1 name router1 5551212
 dialer map ip 10.1.3.1 name router2 5551313
 dialer-group 1
 dialer pool 1
We set up Challenge Handshake Authentication Protocol (CHAP) authentication, specified that this interface will use physical interfaces that are members of dialer pool 1 to make our calls, and specified dialer group 1 to determine interesting traffic. (See dialer list 1 earlier.) The dialer map statements allow us to call multiple sites from one interface by specifying a remote IP address; the remote router name, which is used for authentication; and the phone number we need to call to get there.
The following sample configuration shows how multiple dialer interfaces use dialer pools. When a dialer interface needs to forward a packet, it checks what interfaces are available by referring to the dialer pool that has been configured. Dialer interface 2 will only use physical interfaces that are members of dialer pool 2, whereas dialer interface 3 will only use physical interfaces that are members of pool 3:
A single interface may be a member of more than one pool.
interface dialer 2
 ip address 11.1.1.1 255.255.0.0
 ppp authentication chap
 dialer map ip 11.1.2.1 name router3 5551414
 dialer map ip 11.1.3.1 name router4 5551515
 dialer-group 1
 dialer pool 2
interface dialer 3
 ip address 12.1.1.1 255.255.0.0
 ppp authentication chap
 dialer map ip 12.1.2.1 name router5 5551616
 dialer map ip 12.1.3.1 name router6 5551717
 dialer-group 1
 dialer pool 3
Exam Prep Questions
Question 1
When configuring a rotary group, you need to specify an interface and interface number that other interfaces will be members of. What type of interface collects the multiple interfaces?
❍ A. serial
❍ B. dialer
❍ C. rotary
❍ D. BRI
Answer B is correct. A dialer interface is responsible for collecting all physical interfaces that the rotary group will use. Answer C is incorrect because rotary is used with a group of physical interfaces for incoming calls. Answers A and D are incorrect because they are physical interfaces.
Question 2
The maximum value for a dialer group number is
❍ A. 2
❍ B. 16
❍ C. 64
❍ D. 255
The correct answer is D. The range goes up to 255. Answers A, B, and C are incorrect because they don’t go to 255.
Question 3
What command enables DDR on a serial interface?
❍ A. dialer inband
❍ B. dialer async
❍ C. dialer outband
❍ D. dialer inout
Answer A is correct. You must place the dialer inband statement on synchronous and asynchronous serial interfaces to tell the interface it needs to interact with an external device. The commands in Answers B, C, and D don’t exist as shown.
Question 4
When an interface is in use and a packet stream needs to make a call, it waits until an interface times out. What command speeds up the timeout value when there is contention for an interface?
❍ A. dialer wait-for-carrier
❍ B. dialer fast-idle
❍ C. dialer idle-timeout
❍ D. None of the above
Answer B is correct. The dialer fast-idle command tells the router to use a different timeout value when there is contention for an interface. Answer A doesn’t exist, Answer C controls the normal timeout value, and Answer D is incorrect because B is the correct answer.
Question 5
Dialer profiles consist of up to three major elements. These elements are
❑ A. Map class
❑ B. Dialer interface
❑ C. Dialer pool
❑ D. Dialer string
The correct answers are A, B, and C, which are elements of a dialer profile. Answer D is incorrect because the dialer string is a part of the dialer interface and specifies the phone number to be dialed.
Question 6
Dialer profiles accept what types of encapsulation?
❍ A. SDLC
❍ B. PPP
❍ C. X25
❍ D. Frame Relay
❍ E. HDLC
Answers B and E are correct. Cisco HDLC and PPP are supported encapsulation types for dialer profiles. Answers A, C, and D are incorrect; SDLC, X.25, and Frame Relay are all valid encapsulations on a Cisco router but not on a dialer interface.
Question 7
What command do you use to make an interface participate in a dialer pool?
❍ A. dialer pool-member (at the interface)
❍ B. dialer pool (at the interface)
❍ C. dialer interface (at the pool)
❍ D. dialer priority (at the pool)
Answer A is correct. You configure the dialer pool-member command at the interface to tell the interface to participate in a pool. Answer B indicates which pool the dialer interface should use to make the call, whereas Answers C and D can’t be configured as shown. Dialer priority sets the priority of an interface, and dialer interface enters configuration mode for the virtual interface.
Question 8
While a conversation is waiting for an interface, the packets need to be buffered. What command sets up the holding area for the packets?
❍ A. dialer buffer
❍ B. dialer queue
❍ C. dialer fast-idle queue
❍ D. dialer hold-queue
Answer D is correct. The dialer hold-queue command tells the router how much buffer space to set aside for waiting packets. Answers A, B, and C don’t exist.
Question 9
The maximum number of packets that can be queued is what?
❍ A. 25
❍ B. 50
❍ C. 64
❍ D. 100
❍ E. 128
❍ F. 255
Answer D is correct. You may store up to 100 waiting packets if the router is so configured. Answers A, B, and C are options but not the maximum, and Answers E and F are too high to be valid.
Question 10
The default value for the fast-idle timer is
❍ A. 10 seconds
❍ B. 20 seconds
❍ C. 30 seconds
❍ D. 60 seconds
Answer B is correct. The default is 20 seconds. Answers A, C, and D are not the default values for the fast-idle.
Need to Know More?
The persistent DDR circuit was introduced in IOS version 12.2. You can find more information on this feature at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t11/ftdperst.htm.
The complete Dial Technologies Configuration Guide appears at http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/dial_vcg.htm.
9 Using Frame Relay
Terms you’ll need to understand:
✓ Data-link Connection Identifier (DLCI)
✓ Backward Explicit Congestion Notification (BECN)
✓ Forward Explicit Congestion Notification (FECN)
✓ Committed Information Rate (CIR)
✓ Local Management Interface (LMI)
✓ Inverse Address Resolution Protocol (Inverse-ARP)
✓ Traffic shaping
✓ Burst rate
✓ Oversubscription
Techniques you’ll need to master:
✓ Ordering correct line speeds
✓ Configuring interfaces for Frame Relay
✓ Monitoring Frame Relay operation
Frame Relay Concepts
Frame Relay is a standard supported by both the American National Standards Institute (ANSI) and the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) that originated from X.25. Unlike X.25, Frame Relay does not provide for error correction. The Frame Relay standard defines the encapsulation from the customer premises equipment (CPE) to the data circuit-terminating equipment (DCE) at the regional provider’s switch. Once at the provider, Frame Relay stops, and something else, usually Asynchronous Transfer Mode (ATM), takes over.
Frame Relay is normally used as a way to connect to remote sites. It’s cheaper than a leased line and provides more bandwidth than a Basic Rate Interface (BRI) ISDN line. DSL is currently giving it a run for its money in the ultra-value market, but Frame Relay is still the preferred choice in the mid- to large-sized corporate segment.
Frame Relay uses two types of circuits, the permanent virtual circuit (PVC) and switched virtual circuit (SVC). A PVC is a permanent connection to the service provider, like a T1. An SVC is more like an ISDN line in that it only connects when data needs to be transferred. With the adoption of ANSI standard T1.617 and ITU-T Q.933 and Q.922, the Cisco IOS supports SVCs on Frame Relay as of version 11.2, but many service providers do not offer the service. Because the majority of circuits are PVCs and because Cisco will not test on it, this chapter does not discuss SVCs in more detail.
The concept of Frame Relay revolves around a couple of different threshold levels on an individual link. The first is what you contract for.
Maximum Burst Rate When you need a new line, you need to figure out what is the maximum amount of data that you need to transfer per second. You call a service provider and ask for a Frame Relay link of this size. This size is the maximum that your line can handle, and it is your maximum burst rate.
CIR The next thing you need to know, which is just as important as your maximum line rate but often overlooked, is the CIR. The CIR is the guaranteed rate you receive. Now, isn’t this rate the same as the maximum burst rate? No, which leads us to the next section.
Oversubscription
Service providers oversell their lines on the assumption that not everyone will use their full throughput at the same time. This process is not illegal, but many people are confused by all the acronyms and just sign the contract without asking questions. Later, they find out that the bandwidth they thought they bought really isn’t a T1 equivalent at all. A service provider adds up all the CIRs of its customers on a given wire, and as long as the total does not exceed the maximum throughput of the line in question, they’re fine.
Let’s consider an example. Arctic Bell has a 1.5Mbps Frame Relay circuit running into an office park where several subscribers do business. It can handle a maximum of 1.5Mbps of data at any one time. Subscriber A wants a 1.5Mbps Frame circuit with a CIR of 256Kbps, subscriber B wants a 768Kbps Frame circuit with a CIR of 384Kbps, and subscriber C wants a 384Kbps Frame circuit with a CIR of 128Kbps. Arctic Bell has total contract rates of one and three-fourth times its available bandwidth. What it has actually guaranteed each customer so far, however, is one-half of its available bandwidth. The end result is that if each customer stays within its CIR, its packets will always be handled. Problems start occurring when customers begin to send more data than they have CIR for. If A, B, and C all start sending data at their maximum burst rates, Arctic Bell’s circuit will not be able to handle the traffic. This situation results in packets getting lost.
At this time, you’re probably wondering, “Why would anyone buy Frame Relay?” Not everyone is going to be maxing out its WAN link at the same time. A WAN connection bandwidth usage chart is filled with peaks and valleys, and Arctic Bell plans to fill in the valleys in subscriber A’s traffic with the peaks from subscribers B and C. Because Frame Relay doesn’t normally guarantee the full bandwidth, it’s usually a cheaper option than a leased line.
Frame Relay also has a number of management and traffic-shaping options that aren’t available on a leased line, giving you greater control over a Frame Relay circuit.
When you pay careful consideration to the CIR requirements of your business, Frame Relay is a cost-effective method of WAN access. Be on the lookout, however, for service providers who try to sell you a 0Kbps (zero) CIR. None of your packets are guaranteed to get through! By selling a 0Kbps CIR, they can oversubscribe to their heart’s content and not be in breach of contract. Their only limit is how many businesses are in the area. Overall, a good rule of thumb is that your CIR should equal one-fourth of your maximum burst rate. It’s always a good idea to ask about the number of packets dropped due to network congestion.
Frame Relay Components After ordering your line, you waited your 60 days; you sacrificed a couple of old ISA network cards to the circuit gods; and lo and behold, your circuit is ready a few days early. Now that you have a line, what do you need to know to talk to another location?
DLCI
You need a DLCI to talk to the service provider’s switch. A DLCI is basically a pointer for the switch telling it where this particular packet needs to go. Each switch at the service provider’s central office (CO) has a configuration the switch can access. This configuration is like the address on an envelope. The DLCI says, “This packet needs to go to port 8, switch 32, at CO 68 for service provider 3,” or wherever your other end is. As the packet moves through the service provider’s WAN cloud, the intervening switches just need to look at the service provider information and pass the packet along. Once the packet is at the target service provider, the switches forward the packet to the correct CO. This description is an oversimplification, but this book is not designed to discuss the Stratacom switch, the Cisco telco line of products, or methods of operation. You get the DLCI from the service provider. How you use it depends on how you configure your router, which is discussed later.
LMI LMI is a signaling standard between your router and the CO switch. LMI is responsible for making sure both devices know the other is there. In addition to acting as keepalives, LMI also acts as a form of Cisco Discovery Protocol (CDP). LMI can provide the router with its DLCI number and IP information regarding the device on the other side of the cloud. Keepalives are packets that each device on a wire generates to verify connectivity. The packets “keep alive” a connection.
IOS version 11.2 enabled routers to autosense the LMI type the Frame Relay switch is using. With versions prior to 11.2, you have to configure the LMI type. There are three options, and the thing to remember is that you want to use the LMI type used by the Frame Relay switch:
➤ Cisco—An LMI type developed by “the Gang of Four”: Cisco, Stratacom, Northern Telecom, and Digital Equipment Corporation
➤ Ansi—Annex D, a standard defined in ANSI standard T1.617
➤ Q933a—An ITU-T standard for Annex A
Encapsulation You need to specify Frame Relay encapsulation on the interface, but there are two types, Cisco and IETF. If you do not specify, the router defaults to Cisco encapsulation. This default causes problems if you are not connecting to a Cisco router on the other side of the service provider’s cloud. If you are connecting to a non-Cisco router, make sure you specify IETF.
Mapping The router must understand that if it needs to send packets to a given destination, it needs to use the Frame Relay connection. You convey this understanding by mapping a Layer 3 address to the DLCI. Think of where a static route says, “To get to network www.xxx.yyy.zzz, I need to send packets out interface serial 1.” The mapping works the same way, except it says, “To get to device www.xxx.yyy.zzz, I need to use Frame Relay DLCI xxx.” You can establish mappings manually or automatically. Both ways require you to tell the interface what DLCI it is connected to, but Inverse-ARP is enabled by default. It takes the LMI information and sends a query across the service provider cloud to find out the address of the device on the other end, and then it creates a mapping.
Frame Relay Configuration
You can use several commands to establish Frame Relay. Dynamic address mapping is enabled by default. If, for some reason, you need to, you can manually configure the map with the following commands. Table 9.1 explains each part of the commands:
➤ Router(config-if)#encapsulation frame-relay {cisco | ietf}
➤ Router(config-if)#frame-relay lmi-type {ansi | cisco | q933a}
➤ Router(config-if)#frame-relay map protocol protocol-address DLCI other options
Table 9.1 Frame Relay Map Options (each command element, followed by its explanation)
protocol: The Layer 3 protocol you are mapping to a DLCI. You must map the link for each Layer 3 protocol via Inverse-ARP or manually.
protocol-address: The Layer 3 address of the interface on the other side of the cloud.
DLCI: What DLCI the router uses to talk to the interface across the cloud.
broadcast: An optional command that allows broadcast messages to be sent across the Frame Relay link. Extremely useful if you want routing updates to cross.
ietf | cisco: What encapsulation will be used on this particular configuration. Also optional. Cisco is the default, but only use it when both ends are Cisco devices.
payload-compress packet-by-packet: The command that establishes compression on the data or payload portion of the packet using the Cisco proprietary STAC compression method. Rather resource-intensive but often useful for slow WAN links.
Suppose a company has two routers it wants to connect via Frame Relay, router A and router B. Router A’s IP address on its Frame Relay interface is 10.1.2.1, and it connects to the local CO switch with DLCI 100. Router B’s IP address is 10.1.2.2 using DLCI 200. The company wants to use static mappings and provide for routing updates and for compression. The following line is the router A example:
frame-relay map ip 10.1.2.2 100 broadcast payload-compress packet-by-packet
The next line is the router B example:
frame-relay map ip 10.1.2.1 200 broadcast payload-compress packet-by-packet
What you must remember is that the DLCI is a local identifier between the router and the telco switch. Because the DLCI is local, both routers can be using the same DLCI—something that people often don’t realize. The other thing to remember is that you need to map the remote interface address to the local DLCI.
Connecting a Single Interface to Multiple Locations What we have discussed so far is good for small Frame Relay connections, but what about the needs of large organizations? If you have to connect a couple of central routers to hundreds or thousands of remote locations, you don’t want to pay for multiple installations, more interface cards for the routers, more CSUs, and more serial cables. Now the subinterface comes in handy. By using subinterfaces, you can logically connect dozens of Frame Relay connections to a single physical interface.
Network Design Types
Frame Relay networks have a few popular designs. In addition to point-to-point connections, they have the full-mesh, partial-mesh, and hub and spoke (also called star) designs, as described in Table 9.2.
Table 9.2 Frame Relay Network Design Types (each type, followed by its description)
Full mesh: The full-mesh design is where each router is connected to every other router in the network. This method costs more than either of the other two methods, but when properly implemented, it results in faster data access and terrific reliability.
Partial mesh: This design combines full mesh and point-to-point. Some routers have full-mesh connections between them, whereas other routers have connections only to other specific routers. An example is a company that has several data centers with a full-mesh design between them and each data center responsible for connection to remote sites within a limited geographic area.
Hub and spoke (star): In this design, every site is only connected to one central router or set of routers. For remote site A to talk to remote site B, it must send packets via the corporate office routers. This design is cost efficient but does not provide any method of routing around down links. If you use this method, keep backhoes away from your property.
Frame Relay and Multiple Sites
Before we jump into how subinterfaces can solve all your problems, we need to look at why you use them. Primarily, we are concerned with reachability, which involves two different connection types: point-to-point and multipoint. With a point-to-point configuration, think of a leased line. With a leased line, you have a starting point, a single possible ending point, and nothing to be concerned about in between. A router at either end of a single serial cable is an example of a point-to-point configuration. Figure 9.1 shows a three-router Frame Relay network where there are separate IP networks between the router on the left and each router on the right. The router on the left has a single interface that is logically divided into two. This setup is called a subinterface, which is explained later in the chapter.
Figure 9.1 A point-to-point network (interface labels in the figure: 10.1.1.1, 10.1.1.2, 10.2.2.1, 10.2.2.2).
With a multipoint configuration, think of some type of shared media, such as Ethernet. You can have more than two devices connected to the same wire segment. As shown in Figure 9.2, Ethernet, Token Ring, and Fiber Distributed Data Interface (FDDI) are all examples of multipoint configurations.
Figure 9.2 A multipoint network (interface labels in the figure: 10.3.3.1, 10.3.3.2, 10.3.3.3).
Why do you care about the two different ways that you can configure Frame Relay? Think back to what you know about distance-vector routing and routing loops. One method that distance-vector routing uses to prevent loops is split horizon. Split horizon tells the router not to send information about a route out the interface that the update arrived on. In a true multipoint environment, such as Ethernet, this restriction is not a problem. All routers send either broadcasts or multicasts, and each router on that segment receives and processes the update.
Because of DLCIs, Frame Relay networks do not follow this process. Without using subinterfaces, you would need to configure an interface as multipoint to connect a single router interface to multiple sites. If a router receives a routing update through a physical interface, the router assumes that every device it can reach through that interface also received the update. With routers accessed via multiple DLCIs, that might not be the case. Split horizon was designed to prevent a router from advertising a route out the interface it learned the information from, to prevent routing loops.
Figure 9.3 shows a router connected to two others via point-to-point subinterfaces. If router B sends a routing update to router A, split horizon tells router A not to forward it out the same physical interface the update arrived on. This means that router C won’t receive the update. Split horizon should be off by default on Frame Relay interfaces, but it can be turned on and is on by default for some routing protocols. If your routers have trouble pinging beyond the hub in a hub and spoke network, consider that split horizon might be the problem.
Figure 9.3 Point-to-point subinterfaces (labels in the figure: routers A, B, and C; interfaces 10.1.1.1, 10.1.1.2, 10.2.2.1, 10.2.2.2).
Configuring Subinterfaces
A subinterface is logically a slice of a physical interface. Let’s assume we have a Frame Relay link connecting to physical interface serial 1. The router we are configuring needs to be able to talk to three remote sites via the single physical link:
1. Identify the physical interface that the Frame Relay link is connected to. Because we know it is serial 1, we need to set Frame Relay encapsulation on interface serial 1: Router(config-if)#encapsulation frame-relay {cisco | ietf}
2. Identify how many connections are needed via this link. For our purposes, we need three. We then create them by typing interface serial 1.x, where x is a number. Here, we use serial 1.1, 1.2, and 1.3. You need to specify whether a subinterface is supposed to be point-to-point or multipoint. Typing the preceding command dynamically creates the logical interface in much the same way that typing interface loopback 0 activates the loopback 0 interface.
3. Make sure that no Layer 3 address exists on the physical interface configuration. This step is very important because otherwise, the router gets confused. You can use the no protocol address interface command to remove a Layer 3 address without needing to look up the specific address.
4. Specify on each subinterface what DLCI it is connected to by using the command Router(config-subif)#frame-relay interface-dlci DLCI.
5. Apply Layer 3 addresses to each subinterface.
Figure 9.4 shows a close-up of the router with the subinterfaces. Interface serial 1 is logically divided into circuits 1.1, 1.2, and 1.3.
Figure 9.4 Subinterfaces illustrated (Serial 1 divided into S1.1, S1.2, and S1.3).
Table 9.3 contains an example of configuring the router.
Table 9.3 Sample Walkthrough (each command, followed by its explanation)
Router(config)#interface serial 1
This command moves the router into interface configuration mode for serial 1.
Router(config-if)#no ip address
This command removes any IP address that exists on interface serial 1.
Router(config-if)#encapsulation frame-relay
This command establishes Frame Relay encapsulation for physical interface serial 1. All subinterfaces will now use Frame Relay encapsulation.
Router(config)#interface serial 1.1 point-to-point
This command creates the serial 1.1 subinterface, establishes it as a point-to-point interface, and moves the router into subinterface configuration mode.
Router(config-subif)#ip address 10.1.1.1 255.255.255.0
This command puts an IP address in subinterface serial 1.1. Remember that the device on the other side of the Frame Relay cloud needs to have a Layer 3 address that is a member of the same network.
Router(config-subif)#frame-relay interface-dlci 100
This command tells the router that to talk to other devices on network 10.1.1.0 (one device in this case, because we specified a point-to-point connection), the router needs to send information via Frame Relay DLCI 100.
Router(config-subif)#bandwidth 256
This command changes the interface bandwidth value from the default of a T1 (1.544Mbps) to the actual value, 256Kbps in this instance.
Router(config)#interface serial 1.2 point-to-point
This command creates the serial 1.2 subinterface, establishes it as a point-to-point interface, and moves the router into subinterface configuration mode.
Router(config-subif)#ip address 10.2.2.1 255.255.255.0
This command puts an IP address in subinterface serial 1.2.
Router(config-subif)#frame-relay interface-dlci 200
This command tells the router that to talk to other devices on network 10.2.2.0 (one device in this case, because we specified a point-to-point connection), the router needs to send information via Frame Relay DLCI 200.
Router(config-subif)#bandwidth 384
This command changes the interface bandwidth value from the default of a T1 (1.544Mbps) to the actual value, 384Kbps in this instance.
Router(config)#interface serial 1.3 multipoint
This command creates the serial 1.3 subinterface, establishes it as a multipoint interface, and moves the router into subinterface configuration mode.
Router(config-subif)#ip address 10.3.3.1 255.255.255.0
This command adds an IP address to subinterface serial 1.3.
Router(config-subif)#frame-relay map ip 10.3.3.2 300 broadcast
Router(config-subif)#frame-relay map ip 10.3.3.3 400 broadcast
Frame Relay map statements tell the router which DLCI to use to get to a specific IP address because interface routing can’t be relied on in a multipoint environment.
Router(config-subif)#bandwidth 768
This command changes the interface bandwidth value from the default of a T1 (1.544Mbps) to the actual value, 768Kbps in this instance.
By using subinterfaces, we are able to connect a single Frame Relay line to a single physical interface and connect to multiple remote locations. Point-to-point subinterfaces allow for routing information to come in from remote location A on a subinterface and get forwarded out to remote location B via a different subinterface. This setup allows routing information to get sent out while not sacrificing protection from routing loops.
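The five configuration steps and the Table 9.3 walkthrough above amount to a checklist that a running-config can be audited against. The following is an added example, not code from the book or from Cisco: a small parser for IOS-style interface stanzas plus checks for the rules the steps state (Frame Relay encapsulation on the physical interface, no Layer 3 address there, a declared point-to-point or multipoint type, exactly one DLCI per point-to-point subinterface, an address on every subinterface, and no DLCI reused on the same physical link). Both configurations are constructed; the second deliberately contains mistakes.

```python
"""Audit an IOS-style Frame Relay configuration against the subinterface
rules in the steps above. Constructed example; not Cisco code."""
import re
from collections import defaultdict
from typing import Dict, List

IFACE_RE = re.compile(
    r"^interface\s+(?P<type>[A-Za-z]+)\s*(?P<num>\d+(?:\.\d+)?)"
    r"(?:\s+(?P<mode>point-to-point|multipoint))?\s*$")

# The Table 9.3 walkthrough as it would appear in a running-config (constructed).
SAMPLE_CONFIG = """\
interface serial 1
 no ip address
 encapsulation frame-relay
interface serial 1.1 point-to-point
 ip address 10.1.1.1 255.255.255.0
 frame-relay interface-dlci 100
interface serial 1.2 point-to-point
 ip address 10.2.2.1 255.255.255.0
 frame-relay interface-dlci 200
interface serial 1.3 multipoint
 ip address 10.3.3.1 255.255.255.0
 frame-relay map ip 10.3.3.2 300 broadcast
 frame-relay map ip 10.3.3.3 400 broadcast
"""

# Constructed mistakes: address left on serial 1, DLCI 100 reused, no type on 1.3.
BAD_CONFIG = """\
interface serial 1
 ip address 10.9.9.1 255.255.255.0
 encapsulation frame-relay
interface serial 1.1 point-to-point
 ip address 10.1.1.1 255.255.255.0
 frame-relay interface-dlci 100
interface serial 1.2 point-to-point
 ip address 10.2.2.1 255.255.255.0
 frame-relay interface-dlci 100
interface serial 1.3
 ip address 10.3.3.1 255.255.255.0
 frame-relay map ip 10.3.3.2 300 broadcast
"""


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Group config lines by interface: {"serial 1.1": {"mode": ..., "lines": [...]}}."""
    stanzas: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = IFACE_RE.match(line)
        if m:
            name = f"{m.group('type').lower()} {m.group('num')}"
            current = stanzas.setdefault(name, {"mode": None, "lines": []})
            if m.group("mode"):
                current["mode"] = m.group("mode")
            continue
        if current is not None:
            current["lines"].append(line)
    return stanzas


def audit_frame_relay(config: str) -> List[str]:
    """Return findings; an empty list means the walkthrough's rules are met."""
    stanzas = parse_interfaces(config)
    findings: List[str] = []
    fr_physical = {name for name, s in stanzas.items() if "." not in name
                   and any(l.startswith("encapsulation frame-relay") for l in s["lines"])}
    dlci_owner: Dict[str, Dict[int, str]] = defaultdict(dict)  # physical -> {dlci: subif}
    for name, s in stanzas.items():
        lines = s["lines"]
        has_ip = any(re.match(r"ip address \d", l) for l in lines)
        if name in fr_physical:
            if has_ip:  # step 3: no Layer 3 address on the physical interface
                findings.append(f"{name}: Layer 3 address on the physical Frame Relay interface")
            continue
        if "." not in name:
            continue  # not a subinterface
        parent = name.split(".")[0]
        if parent not in fr_physical:  # step 1
            findings.append(f"{name}: parent {parent} has no Frame Relay encapsulation")
            continue
        if s["mode"] is None:  # step 2
            findings.append(f"{name}: not declared point-to-point or multipoint")
        if not has_ip:  # step 5
            findings.append(f"{name}: no Layer 3 address")
        dlcis = [int(m.group(1)) for l in lines
                 for m in [re.match(r"frame-relay interface-dlci (\d+)", l)] if m]
        mapped = [int(m.group(1)) for l in lines
                  for m in [re.match(r"frame-relay map \S+ \S+ (\d+)", l)] if m]
        if s["mode"] == "point-to-point" and len(dlcis) != 1:  # step 4
            findings.append(f"{name}: point-to-point subinterface needs exactly one "
                            f"interface-dlci, found {len(dlcis)}")
        if s["mode"] == "multipoint" and not (dlcis or mapped):
            findings.append(f"{name}: multipoint subinterface has no DLCI or map statements")
        for dlci in dlcis + mapped:
            # A DLCI is local to the physical link, so two subinterfaces of the
            # same link must not claim the same one.
            prev = dlci_owner[parent].get(dlci)
            if prev is not None and prev != name:
                findings.append(f"{name}: DLCI {dlci} already used by {prev}")
            dlci_owner[parent][dlci] = name
    return findings


if __name__ == "__main__":
    for label, cfg in (("walkthrough", SAMPLE_CONFIG), ("broken", BAD_CONFIG)):
        print(label, audit_frame_relay(cfg) or "no findings")
```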
Frame Relay Traffic Shaping In one form, traffic shaping is just a fancy term for adjusting the speed on the link. If you have a T1 talking to a 56Kbps link, sometimes the T1 is able to send at full speed. If it does, it overwhelms the 56Kbps device. When it happens, the Frame Relay switches notify the T1 device to stop sending so many packets. Traffic shaping can involve more than just adjusting the apparent link speed, such as the prioritization of the frames on a DLCI-by-DLCI basis. Finally, traffic shaping can also involve tweaking transmission times to allow for time-sensitive frames such as Voice over Frame Relay.
BECNs and FECNs
BECN and FECN packets are how Frame Relay devices tell other Frame Relay devices, “Hey! You’re sending me too many packets. Slow down.” Frame Relay switches in the service provider cloud normally generate them, which is why they go both directions. When a Frame Relay device becomes congested and BECNs and FECNs get generated, this situation creates problems for you. If the router does not throttle back how many packets it is sending out per second, packets over the CIR value are dropped.
Suppose a router is connected to a Frame Relay cloud with a T1 connection with a CIR of 256Kbps. If devices within the cloud become congested, they tell the router to slow down. The router slows down its data throughput to 256Kbps. If it does not slow down, then devices within the cloud begin dropping packets over the 256Kbps mark.
A second example leads to major problems. Suppose you have two devices, router A connected to the Frame Relay cloud via a T1 with a 256Kbps CIR, and router B connected to the cloud via a 56Kbps line with a 32Kbps CIR. Router A starts sending data and overwhelms the 56Kbps router. Router A receives BECNs and slows down to 256Kbps. It continues to overwhelm Router B. Packets constantly get dropped and have to be resent.
Traffic can be prioritized inside the router based on the DLCI that is being used. If a company has a physical cable that has two Frame Relay circuits attached, one to its ISP and the other to a remote office, which circuit carries the most important traffic? Is Web browsing traffic more important than the database replies going to the remote office? Only you know for sure, but rather than treat traffic in a weighted fair queuing (WFQ) fashion, you can tell the router that one DLCI is more important than another. If the interface gets congested, the router forwards the traffic for the important DLCI before forwarding traffic for the less important DLCI.
170 Chapter 9
Configuring Traffic Shaping

To determine what traffic is more important than other types, you can use queuing to prioritize certain types of traffic. When the router starts to throttle back the amount of data it sends, the more important types of traffic have a better chance of not being delayed. Figure 9.5 shows a sample circuit with data flowing down it. At various times, the amount of data is either below the CIR or above it.

[Figure 9.5 Circuit usage. Plot of Rate against Time, with horizontal reference lines for the Port Speed and the CIR.]
It’s important to remember the following equation: excessive burst + committed burst = maximum circuit speed. The amount of data above the CIR is called excessive burst (Be), and the maximum amount of data in a given time period offered to the network for which the provider has guaranteed delivery is the committed burst (Bc). If a circuit has a maximum burst of 1.5Mbps and a CIR of 128Kbps, then the first 128Kbps of data can be marked as nondiscard eligible, and everything else over 128Kbps gets the discard eligible (DE) bit set. 128Kbps would be the Bc, and 1.5Mbps would be the Be. If congestion is later encountered, the frame with the DE bit set is more likely to be discarded than a frame without it.

Bc, DE, and CIR are the three primary values that you need to configure with traffic shaping. You measure CIR in bits per second, and you average it over a period of time, referred to as the committed time interval or Tc. Bc and Be are displayed in bits and compared against a time shown in Tc. A lot of confusion results because Bc is usually the same as the CIR, but over the operation of the circuit, the values might not be the same.

If an interface is configured to respond to congestion frames, the primary CIR can be lowered, which results in bursting to the point of the old CIR, with DE bits being set. You can set a mincir value to limit how far responding to BECNs reduces the CIR.
Traffic Shaping Commands

The first thing that you need to define when configuring traffic shaping is a map class. A map class is the go-between for the interface and the queuing configuration. You need to type the following command:

Router(config)#map-class frame-relay map-class-name

It puts the router into map class configuration mode. Next, you specify the average rate the interface or subinterface should send at, as well as the maximum:

Router(config-map-class)#frame-relay traffic-rate average maximum

Although the maximum value is optional, the average field normally matches the CIR of the circuit, and the maximum value is equal to the Be. If you want the router to respond to BECNs and modify the amount of data it sends based on that information, use the following command:

Router(config-map-class)#frame-relay adaptive-shaping becn

Once you decide what type of queuing to use (see Chapter 12, “Traffic Management,” for more information), you need to link the queue configuration to the map class. Use the following command:

Router(config-map-class)#frame-relay {custom-queue-list | priority-group} list-number

Once you build the queuing policy, you need to enable traffic shaping on the appropriate interface:

Router(config-if)#frame-relay traffic-shaping

To link the map class to all the virtual circuits on a physical interface, use the following command:

Router(config-if)#frame-relay class map-class-name

It forces all subinterfaces on the physical interface to use the same map class configuration. A sample configuration, assuming Frame Relay is already configured, and minus the queuing configuration, appears in Table 9.4.
Table 9.4 Traffic-Shaping Example

Each traffic-shaping command is followed by its explanation.

Router(config)#map-class frame-relay map-class-name
    This line puts the router into map class configuration mode, allowing you to configure the map class.

Router(config-map-class)#frame-relay traffic-rate 128000 384000
    This command tells the router that the average traffic rate is 128,000 bits per second with a maximum value of 384,000.

Router(config-map-class)#frame-relay custom-queue-list queue-list-number
    This command tells the router to use a certain queue configuration in determining what traffic is more important than other types of traffic.

Router(config-map-class)#frame-relay priority-group list-number
    This line links an access list to a map class configuration. The list number must match the access list number used to define the important traffic.

Router(config-map-class)#frame-relay {cir | bc | be} [in | out] value
    This command establishes the different rates for the circuit. Optionally, you can also specify the direction.

Router(config-if)#frame-relay traffic-shaping
    This line tells the router to be prepared to throttle back sending data if necessary.

Router(config-if)#frame-relay class map-class-name
    This command tells the router, for a specific interface, to use the traffic-shaping configuration found within the map-class-name configuration.
The following sample configuration shows how you can configure a map class for an interface that has 1.5Mbps coming in with a 56Kbps CIR outgoing:

map-class frame-relay phoenix
 frame-relay cir in 1500000
 frame-relay cir out 56000
If traffic shaping is configured on a physical interface but the CIR on a subinterface is not set via a map class, the CIR is automatically set to 56000.
Frame Relay Fragmentation

Fragmentation is the process of breaking a packet or frame into two or more pieces. It creates smaller pieces for the purpose of allowing the traffic across a link that doesn’t allow large frames or to allow more important packets to be interleaved in the stream. When a full-sized Ethernet frame hits a router and wants to continue across an ATM interface, there’s a problem. The Ethernet frame is a bit more than 1500 bytes long, and ATM can handle 48 bytes of payload per cell. The solution is for the router to break the Ethernet frame into pieces small enough to be transported by the ATM cells. Frame Relay doesn’t have the same size limits that ATM does (although the same thing would need to happen with Token Ring traffic), but Frame Relay gives you the ability to manually fragment frames. A fragment size is configured on the Frame Relay interface, and frames are broken down to that size on exiting the interface.

Suppose that time-sensitive traffic is crossing the circuit along with slow data traffic, and as each data frame hits the router interface, the time-sensitive traffic gets delayed due to the time needed to forward the larger frames. Sports cars can get on and off the freeway fairly quickly, but if a truck hauling three flatbeds of goods is on the entrance ramp as the sports car gets to it, the car will be delayed. Fragmentation is where the truck’s payload is broken up; each flatbed is hauled by a different truck, and cars can maneuver in between the trucks. Although there is still some delay, it isn’t as significant as it otherwise would have been.

The delay experienced is a function of both the frame size and the bandwidth of the interface. Table 9.5 shows some frame sizes and bandwidth values. Each number is in milliseconds (ms) except where the value is marked as microseconds.

Table 9.5 Frame Relay Transmission Delay

Link Speed   Frame Size in Bytes
             1          64         128    256    512    1024   1500
56Kbps       143 micro  9          18     36     72     144    214
256Kbps      31 micro   2          4      8      16     32     46
768Kbps      10 micro   640 micro  1.3    2.6    5.1    10.2   15
As you can see, sending a large data frame out a slow interface can cause significant delay. It might not be too noticeable if someone is just surfing the Web, but if a Voice over IP call is trying to access a 56Kbps circuit at the same time that 1500-byte data frames are using it, there will be quality issues. Total one-way delay for a voice call should be in the 150 to 200ms range; that’s being used up before the voice traffic even exits the building! You can use fragmentation to break up those large data frames by setting a maximum size for frame transmission on the appropriate interface. To do so, you need to create a map class:

Frame(config)# map-class frame-relay fragment
Frame(config-map-class)# frame-relay fragment 512
Frame(config-map-class)# interface s0/0.40
Frame(config-subif)# frame-relay interface-dlci 40
Frame(config-fr-dlci)# class fragment
Each subinterface could receive the same configuration information if you enter the class fragment command while in the correct configuration mode. You can use the command on different DLCIs to apply the configuration multiple times. Specifying the DLCI is important because a multipoint configuration contains multiple DLCIs on the same subinterface.
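The arithmetic behind Table 9.5 and the fragment-size decision it motivates, as an added Python example (not code from the book). It assumes a 10 ms per-hop serialization budget for a voice frame; that target is an assumption, not a value from the text.

```python
"""Serialization delay and fragment sizing for Frame Relay links.

Added example: delay = bits on the wire / link speed, as in Table 9.5, turned
into a fragment-size choice. Not code from the book. VOICE_TARGET_MS is an
assumed per-hop budget for a voice frame waiting behind one data fragment.
"""
from typing import Dict, List, Sequence

VOICE_TARGET_MS = 10.0   # assumed serialization budget per hop for voice


def serialization_delay_ms(frame_bytes: int, link_bps: int) -> float:
    """Time to clock one frame onto the wire, in milliseconds."""
    return frame_bytes * 8 * 1000.0 / link_bps


def delay_table(speeds_bps: Sequence[int],
                sizes: Sequence[int]) -> Dict[int, List[float]]:
    """Rebuild Table 9.5: one row per link speed, one column per frame size."""
    return {s: [serialization_delay_ms(b, s) for b in sizes] for s in speeds_bps}


def max_fragment_bytes(link_bps: int, target_ms: float = VOICE_TARGET_MS) -> int:
    """Largest fragment whose serialization delay stays within the target."""
    return int(link_bps * target_ms / 8000)


def fragment_plan(frame_bytes: int, link_bps: int,
                  fragment_bytes: int) -> Dict[str, float]:
    """How a data frame is split and what a voice frame can wait behind it.

    Unfragmented, a voice frame may queue behind the whole data frame; with
    fragmentation it waits for at most one fragment (the 'truck' from the text
    split across several trucks, with cars merging between them).
    """
    pieces = -(-frame_bytes // fragment_bytes)   # ceiling division
    return {
        "fragments": pieces,
        "worst_wait_unfragmented_ms": serialization_delay_ms(frame_bytes, link_bps),
        "worst_wait_fragmented_ms":
            serialization_delay_ms(min(fragment_bytes, frame_bytes), link_bps),
    }


def format_table(speeds_bps: Sequence[int], sizes: Sequence[int]) -> str:
    """Render the delay table the way the book prints it (ms, micro for <1 ms)."""
    rows = ["Link Speed  " + "".join(f"{b:>10}" for b in sizes)]
    for speed, delays in delay_table(speeds_bps, sizes).items():
        cells = [f"{d * 1000:.0f} micro" if d < 1 else f"{d:.1f}" for d in delays]
        rows.append(f"{speed // 1000:>7}Kbps " + "".join(f"{c:>10}" for c in cells))
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_table([56000, 256000, 768000], [1, 64, 128, 256, 512, 1024, 1500]))
    for bps in (56000, 64000, 256000):
        print(f"{bps} bps: fragment <= {max_fragment_bytes(bps)} bytes for "
              f"{VOICE_TARGET_MS} ms; 512-byte fragments would still cost "
              f"{serialization_delay_ms(512, bps):.1f} ms")
    print(fragment_plan(1500, 56000, max_fragment_bytes(56000)))
```

On the 56Kbps circuit from the text, the configured 512-byte fragment still serializes in about 73 ms, so the fragment size has to be chosen against the link speed, not picked once for all interfaces.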
Per-Interface Priority Queuing

Because Frame Relay uses logical circuit IDs, it becomes possible to prioritize traffic based on the circuit it wants to access. This process is called per-interface priority queuing (PIPQ). PIPQ is beneficial when certain types of traffic use only particular PVCs. If all voice traffic from Phoenix to Wichita uses the PVC marked with DLCI 105, and all data traffic from Phoenix to Wichita uses the PVC marked with DLCI 110, prioritization becomes a simple matter of giving all DLCI 105 traffic a higher preference. You can divide frames based on the prioritization they receive. The following levels are available:
➤ High
➤ Medium
➤ Normal
➤ Low
As you can see, these are the same types of queues used by priority queuing. The only difference is that rather than sort by address or protocol, prioritization is based on the outgoing DLCI. Although PIPQ is a nice tool for use on DLCIs that don’t carry mixed voice and data, it isn’t very effective on DLCIs that do carry mixed voice and data. For those circuits, you want a different type of queuing.
Configuring PIPQ

Configuring PIPQ is a simple extension of the map classes that you have used for fragmentation and traffic shaping. There is a single command with four options:

Router(config-map-class)#frame-relay interface-queue priority <priority>

The priority value can be high, medium, normal, or low. As traffic exits the router on two different DLCIs, the router looks to see which should be sent out first. It sees that traffic on DLCI 34 has a higher priority than traffic on DLCI 56, and sends the DLCI 34 traffic first. It’s important to remember that PIPQ only makes decisions based on the DLCI the traffic wants access to. Other types of queuing determine traffic importance based on the type of traffic, as you’ll see in Chapter 12. PIPQ’s strength is quick decision-making as opposed to protocol and application flexibility.
EIGRP over Frame Relay

Enhanced Interior Gateway Routing Protocol (EIGRP) is a routing protocol developed by Cisco. Cisco calls it a hybrid because it is a distance-vector protocol that has some properties of a link-state protocol. EIGRP is proprietary to Cisco equipment. An in-depth discussion of EIGRP appears in CCNP BSCI Exam Cram 2, but one feature of EIGRP interests us here. A poorly designed network, and occasionally a well-designed one, can suffer from routing protocol updates taking up most or all of a slow WAN link, leaving little room for data. If you are using EIGRP, you can tell it not to use more than a certain percentage of the total bandwidth for routing protocol traffic. This ability makes it very important to set the interface bandwidth to a correct value:

Router(config-if)#ip bandwidth-percent eigrp autonomous-system-number bandwidth-percentage
The autonomous-system-number is the one that EIGRP is using on that interface, and the bandwidth-percentage is the percentage of bandwidth you want to allow EIGRP to consume in a worst-case scenario. This command is also available for Internetwork Packet Exchange (IPX) and AppleTalk.
Monitoring and Troubleshooting Frame Relay Operation

The two types of troubleshooting commands involve troubleshooting a configuration and troubleshooting a previously configured connection. Remember that you must execute all show commands in privileged EXEC mode.

Configuration Troubleshooting

Using the following command displays configuration information about serial devices:

Router#show interfaces serial

You will be able to tell what encapsulation is set, what DLCIs are being used, and so on. Using the next command shows configuration information regarding both static and dynamic Frame Relay mappings:

Router#show frame-relay map
It displays Layer 3 information, DLCIs, and the status of the link. This command is also useful for troubleshooting a previously working connection. If you get configuration information via Inverse-ARP and someone at the telco messes up a configuration, it could change how your router views mappings.
Troubleshooting a Previously Configured Connection

The following command displays LMI information for a specific interface:

Router#show frame-relay lmi [interface-type interface-number]
The interface information is optional, so you can get information regarding all interfaces.
The next command displays statistics about a specific DLCI on a specific interface:

Router#show frame-relay pvc [interface-type interface-number] [dlci]

The DLCI and interface are optional, so you can get all PVC information as well. The status is active if the circuit is ready for use, inactive if there is a problem reaching the remote router, and disabled if there is a problem reaching the telco switch. The following output shows PVC information from Serial 1/0:

PVC Statistics for interface S1/0 (Frame Relay NNI)

DLCI = 76, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE
  input pkts 0             output pkts 0            in bytes 0
  out bytes 0              dropped pkts 0           in FECN pkts 0
  in BECN pkts 0           out FECN pkts 0          out BECN pkts 0
  in DE pkts 0             out DE pkts 0
  outbcast pkts 0          outbcast bytes 0
  pvc create time 0:00:01  last time pvc status changed 0:00:01
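A monitoring script that reads this output and maps the counters onto the symptoms described above (status not active, BECNs arriving, packets dropped), as an added Python example that is not code from the book or from Cisco. The sample output is constructed in the layout of `show frame-relay pvc` with made-up values, and the 1% BECN ratio is an assumed alerting threshold.

```python
"""Parse `show frame-relay pvc` output and flag PVCs that need attention.

Added monitoring example, not code from the book or from Cisco. The sample
below is constructed in the command's output layout with made-up counters;
BECN_RATIO is an assumed threshold for raising a congestion finding.
"""
import re
from typing import Dict, List, Tuple

BECN_RATIO = 0.01   # assumed: flag a PVC when >= 1% of output pkts drew a BECN

SAMPLE_PVC_OUTPUT = """\
PVC Statistics for interface Serial1/0 (Frame Relay DTE)

DLCI = 105, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1/0.1

  input pkts 18210         output pkts 20455        in bytes 2911200
  out bytes 3890112        dropped pkts 0           in FECN pkts 0
  in BECN pkts 0           out FECN pkts 0          out BECN pkts 0
  in DE pkts 0             out DE pkts 0
  out bcast pkts 355       out bcast bytes 71000
  pvc create time 2d03h, last time pvc status changed 2d03h

DLCI = 110, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1/0.2

  input pkts 90211         output pkts 133870       in bytes 14431011
  out bytes 180240000      dropped pkts 412         in FECN pkts 0
  in BECN pkts 2310        out FECN pkts 0          out BECN pkts 0
  in DE pkts 0             out DE pkts 5122
  out bcast pkts 352       out bcast bytes 70400
  pvc create time 2d03h, last time pvc status changed 00:04:12

DLCI = 115, DLCI USAGE = LOCAL, PVC STATUS = INACTIVE, INTERFACE = Serial1/0.3

  input pkts 0             output pkts 0            in bytes 0
  out bytes 0              dropped pkts 0           in FECN pkts 0
  in BECN pkts 0           out FECN pkts 0          out BECN pkts 0
  in DE pkts 0             out DE pkts 0
  out bcast pkts 0         out bcast bytes 0
  pvc create time 2d03h, last time pvc status changed 00:00:31
"""

HEADER_RE = re.compile(r"^(\d+), DLCI USAGE = (\w+), PVC STATUS = (\w+)")
# Counter lines: "in BECN pkts 2310", "out bcast bytes 70400", "dropped pkts 412".
# 'outbcast' covers the one-word spelling shown in the book's sample output.
COUNTER_RE = re.compile(
    r"\b((?:input|output|outbcast|in|out|dropped)(?: [A-Za-z]+)*? (?:pkts|bytes)) (\d+)")


def parse_show_frame_relay_pvc(text: str) -> Dict[int, Dict[str, object]]:
    """Return {dlci: {'usage': ..., 'status': ..., '<counter name>': int, ...}}."""
    pvcs: Dict[int, Dict[str, object]] = {}
    for block in re.split(r"(?m)^DLCI = ", text)[1:]:
        header = HEADER_RE.match(block)
        if not header:
            continue
        entry: Dict[str, object] = {"usage": header.group(2), "status": header.group(3)}
        for name, value in COUNTER_RE.findall(block):
            entry[name] = int(value)
        pvcs[int(header.group(1))] = entry
    return pvcs


def assess_pvcs(pvcs: Dict[int, Dict[str, object]],
                becn_ratio: float = BECN_RATIO) -> List[Tuple[int, str]]:
    """Map counters and status onto the symptoms the text describes."""
    findings: List[Tuple[int, str]] = []
    for dlci, p in sorted(pvcs.items()):
        status = str(p["status"])
        if status != "ACTIVE":
            # Per the text: inactive = remote router unreachable; otherwise the telco switch.
            why = "remote router unreachable" if status == "INACTIVE" else "telco switch unreachable"
            findings.append((dlci, f"status {status}: {why}"))
            continue
        out_pkts = int(p.get("output pkts", 0))
        becn = int(p.get("in BECN pkts", 0))
        if out_pkts and becn / out_pkts >= becn_ratio:
            findings.append((dlci, f"congestion: {becn} BECNs received against {out_pkts} output pkts"))
        dropped = int(p.get("dropped pkts", 0))
        if dropped:
            findings.append((dlci, f"{dropped} packets dropped"))
    return findings


def counter_deltas(before: Dict[int, Dict[str, object]], after: Dict[int, Dict[str, object]],
                   counter: str = "in BECN pkts") -> Dict[int, int]:
    """Counters accumulate until cleared, so growth between two snapshots is what matters."""
    return {d: int(after[d].get(counter, 0)) - int(before.get(d, {}).get(counter, 0))
            for d in after}


if __name__ == "__main__":
    parsed = parse_show_frame_relay_pvc(SAMPLE_PVC_OUTPUT)
    for dlci, finding in assess_pvcs(parsed):
        print(f"DLCI {dlci}: {finding}")
```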
The following command gives global Frame Relay traffic statistics since the last time the router was rebooted or the statistics cleared:

Router#show frame-relay traffic

The next command gives header compression statistics for TCP/IP traffic. It requires that header compression be established:

Router#show frame-relay ip tcp header-compression

The interface status itself can give a lot of information regarding troubleshooting. If the interface is up but the line protocol is down, the problem is often related to receiving LMI packets from the switch. The wrong encapsulation or LMI type might be set, or there might be other issues. The next command generates output specific to LMI reception and transmission:

Router#debug frame-relay lmi
You might also receive a message similar to “Encapsulation failed, no map entry link.” In this case, the problem is that the router doesn’t know where to forward the traffic. You might have an IP route, but the router doesn’t have a link mapping the IP address to the DLCI. This problem occurs when you initially establish new manually configured routes, and with map statements configured via Inverse-ARP where the connection has failed.
Exam Prep Questions

Question 1

If two routers are connected via Frame Relay and router A is connecting to DLCI 100, what DLCIs can router B use?
❍ A. 100
❍ B. 101
❍ C. 150
❍ D. 200
❍ E. 201
❍ F. All of the above
❍ G. None of the above
Answer F is correct. The DLCI is a local configuration between the router and the CO switch. On the other side of the cloud, it makes absolutely no difference what DLCI is being used, except in relation to devices connected to that switch. Any valid connection will work no matter the numbering. Answers A, B, C, D, and E are incorrect because there is no single correct answer, and Answer G is incorrect because any of those values will work if the service provider sets it up.
Question 2

What do BECNs do?
❍ A. Share a route
❍ B. Tell the router what configuration to use when talking to a switch
❍ C. Tell the switch to send more data
❍ D. Tell the router to send less data
Answer D is correct. A BECN tells the router that a device between the two routers can’t handle it sending so much data and that if it continues to do so, packets will be dropped. Answer B refers to a DLCI, and Answers A and C aren’t options. Therefore, Answers A, B, and C are incorrect.
Question 3

Which ANSI standard supports SVCs for Frame Relay?
❍ A. Q.933
❍ B. T1.617
❍ C. 232
❍ D. Q.922
Answer B is correct. Q.933 and Q.922 are ITU-T standards for SVCs over Frame Relay, and 232 is a cable standard, so Answers A, C, and D are incorrect.
Question 4

CIR stands for
❍ A. Carry interface ratio
❍ B. Carry interface rate
❍ C. Committed information ratio
❍ D. Committed information rate
Answer D is correct. CIR stands for committed information rate, which is the guaranteed portion of the virtual circuit. Answers A, B, and C are incorrect.
Question 5

Which is not an option for LMI type selection?
❍ A. Cisco
❍ B. ANSI
❍ C. IETF
❍ D. Q933a
Answer C is correct. All the others are valid LMI type selections, making Answers A, B, and D incorrect.
Question 6

Which two are valid selections for a Frame Relay encapsulation type? (Choose two.)
❍ A. Cisco
❍ B. ANSI
❍ C. IETF
❍ D. Q933a
Answers A and C are correct. Cisco is the default encapsulation type, whereas you use IETF encapsulation if the router on the other side of the cloud isn’t a Cisco router. Answers B and D are incorrect.
Question 7

What is wrong with the following configuration? (Choose two.)

Interface serial 1:
  encapsulation frame-relay
  ip address 10.1.0.1 255.255.0.0
Interface serial 1.1 point-to-point:
  ip address 10.2.0.1 255.255.0.0
  frame-relay interface-dlci 101
  bandwidth 128
  frame-relay cir 64
Interface serial 1.2 point-to-point:
  ip address 10.3.0.1 255.255.0.0
  frame-relay interface-dlci 201
  bandwidth 256
  frame-relay cir 64

❍ A. The frame-relay interface-dlci statements should be frame-relay local-dlci.
❍ B. The CIR values should be one quarter of the available bandwidth.
❍ C. There should not be an IP address on the physical interface.
❍ D. Each subinterface needs the command encapsulation frame-relay placed on it.
❍ E. The frame-relay cir command goes in a map class configuration.
Answers C and E are correct. When using subinterfaces, you should not place a Layer 3 address on the primary interface, and CIR is specified in a map class. Answer A is incorrect because you use frame-relay local-dlci to specify a DLCI on a physical interface. You can use this command if the circuit is up but the router can’t receive LMI. Answer B is wrong because there is no such rule. It’s a good rule of thumb, though. Answer D is just wrong.
Question 8

At least which Cisco IOS version do you need to autosense LMI type?
❍ A. 10.3
❍ B. 11.2
❍ C. 12.0
❍ D. 11.1
❍ E. 11.3
Answer B is correct. Cisco added autosensing to the IOS beginning with version 11.2. All other IOS versions in A, C, D, and E are incorrect.
Question 9

Subinterfaces are used in a routed environment because of what?
❍ A. Split horizon
❍ B. Poison reverse
❍ C. Hold-down timers
❍ D. Routing loops
Answer A is correct. Split horizon tells the router not to send routing updates out the interface it learned that route from. A remote site could send a routing update and our central site router would not forward it out the same interface to other remote sites. Using subinterfaces solves this problem. Answers B and C, although dealing with ways to prevent routing loops as split horizon does, have no bearing on Frame Relay. Answer D is why we use the other three. Answers B, C, and D are incorrect.
Question 10

Two types of Frame Relay connections are
❍ A. Contention-based
❍ B. Point-to-point
❍ C. Packet-based
❍ D. Multipoint
Answers B and D are correct. These designs reflect how many Frame Relay routers exist on the subnet. There are two in a point-to-point scenario and an unspecified number in a multipoint scenario. Answers A and C don’t exist.
Question 11

Frame Relay was based on what technology?
❍ A. X.25
❍ B. ISDN
❍ C. ATM
❍ D. Token Ring
Answer A is correct. X.25 is the precursor to Frame Relay. Answers B, C, and D are not the precursors to Frame Relay, so those answers are incorrect.
Question 12

What does DLCI stand for?
❍ A. Dynamic-link connection identifier
❍ B. Dynamic-link control identifier
❍ C. Data-link control identifier
❍ D. Data-link connection identifier
Answer D is correct. DLCI is the abbreviation for data-link connection identifier. Because Answers A, B, and C are not valid definitions for DLCI, they are incorrect.
Question 13

Always-up circuits are called
❍ A. PVCs
❍ B. AVCs
❍ C. NVCs
❍ D. SVCs
Answer A is correct. Always-up circuits are called PVCs or permanent virtual circuits. Answer D stands for switched virtual circuit, a non-always up circuit. Answers B and C don’t exist.
Question 14

In what ways can a router get a DLCI for a circuit? (Choose two.)
❍ A. Inverse-ARP
❍ B. DHCP
❍ C. An ARP request
❍ D. Manual configuration
Answers A and D are correct. A router can learn the DLCI for a circuit via both Inverse-ARP and manual configuration. Multiple circuits on a single physical interface need to be manually configured. Answers B and C refer to IP processes and are incorrect.
Need to Know More?

One of the best all-purpose Web sites about Frame Relay is the Frame Relay Forum, an association of organizations interested in Frame Relay and Frame Relay standards. Visit its site at http://www.frforum.com.

Documentation regarding Frame Relay implementation on Cisco routers appears at http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a0080080fdc.html.

An in-depth explanation on PIPQ with examples appears at http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a008007fe83.html#1015437.

More information on Frame Relay fragmentation appears at http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a008008038b.html.
10 Introduction to Broadband
Terms you’ll need to understand:
✓ Broadband
✓ Headend
✓ Hybrid fiber coax (HFC)
✓ Radio frequency (RF)
✓ Downstream
✓ Upstream
✓ Data Over Cable Service Interface Specification (DOCSIS)
✓ Cable modem termination system (CMTS)
✓ Cable modem (CM)
✓ Digital subscriber line (DSL)
✓ Asymmetric DSL (ADSL)
✓ Symmetric DSL (SDSL)
✓ G.SHDSL
✓ ISDN DSL (IDSL)
✓ Very high data-rate DSL (VDSL)
✓ High data-rate DSL (HDSL)
✓ DSL access multiplexer (DSLAM)
✓ Point-to-Point Protocol over Asynchronous Transfer Mode (PPPoA)
✓ PPP over Ethernet (PPPoE)

Techniques you’ll need to master:
✓ Describing broadband
✓ Describing cable modems
✓ Describing a cable modem infrastructure
✓ Describing DSL
✓ Describing the different DSL types
✓ Describing ADSL
✓ Describing PPPoE and PPPoA
✓ Configuring PPPoE and PPPoA
✓ Troubleshooting DSL configurations
186 Chapter 10
With the advent and availability of broadband access to the Internet, companies big and small have a whole new world of options. Broadband in this instance is defined as sustained rates above 128Kbps. In this chapter we examine four broadband technologies. We take a cursory look at direct broadcast satellite (DBS) and fixed wireless providers, then we spend a little more time on cable modems, and last we take an exhaustive look at DSL. Broadband enables a remote user to be productive on a network where traditional dial-up falls short. It is further defined as always on, high-speed access supporting voice and video services.

Satellite services can deliver downstream services in bursts up to 400Kbps and upstream speeds reaching 125Kbps. A typical DBS system requires a 1.2 meter (m) or smaller satellite dish, often referred to as a pizza. Workstations are usually connected via an Ethernet cable or universal serial bus (USB) port; the connection usually remains on, allowing you to skip logins for faster access. Geostationary orbit (GSO) satellites are approximately 22,300 miles away; because of this distance and the asymmetric communications, some applications such as Voice over IP (VoIP) do not perform well because of the high latency.

The wireless options discussed are based on line of sight, known as wireless bridges, not a wireless access point that you would typically have inside a home or business. You can obtain 2Mbps throughput at distances up to 25 miles. There are four wireless segments: local multipoint distribution service (LMDS); multichannel multipoint distribution service (MMDS); industrial, scientific, and medical (ISM); and unlicensed national information infrastructure (U-NII) bands. Based on need, distance, and budget, the newer technologies reach speeds from 128Kbps to 53Mbps.
Cable

Cable is currently the most common broadband service. It is readily available and has constant connectivity and high-speed asymmetric access. Its biggest disadvantage is that the bandwidth is shared among all users in a particular area; during high utilization, users can see a decrease in performance. Originally called community antenna television (CATV), cable refers to the use of coaxial cable for transmitting signals. Many of today’s cable networks have moved from an all-coaxial network to extensive use of fiber, which allows for longer runs and a reduced number of amplifiers. Cable can be very cost-effective and can offer a variety of services such as virtual private network (VPN), interactive television, and voice and data capabilities.
Terminology

Before we examine how a cable system works, it would be best to cover some of the terminology. The terms are discussed in order of use, starting at the cable company and ending in your home:

➤ Antenna site—This location is where antennas and satellite receivers receive broadcast signals.
➤ Headend—Similar to a telephone company’s central office (CO), the headend is where the signals are processed and formatted for transmission onto the distribution network.
➤ Distribution network—The trunk or backbone made of fiber and coaxial cabling brings the signal to the subscriber drop.
➤ Subscriber drop—This connection from your television to the distribution network consists of the cable, set-top box, grounding, and attachment hardware.
➤ Transportation network—Transportation networks often appear between the antenna site and headend or the headend and the distribution network. They are used when necessary to maintain the link.

Now that you have a basic understanding of the different sections in the transmission path, let’s look at some additional terms and definitions of cable technology:

➤ Broadband—A type of data transmission in which a single medium (a wire) can carry several signals at once. Usually, the transmission involves frequency division multiplexing (FDM).
➤ Hybrid Fiber Coax (HFC)—Provides two-way, high-speed data access to the home using a combination of fiber optics and coaxial cable. Each channel, upstream and downstream, gets a 6MHz channel to transmit and receive its signals. Downstream gets a 50 to 860MHz range, and upstream gets a 5 to 42MHz range.
➤ Radio Frequency (RF)—Any frequency within the electromagnetic spectrum associated with radio wave propagation.
➤ Coaxial cable—A type of wire that consists of a center wire surrounded by insulation and a grounded shield of braided wire. Coaxial cable suffers from attenuation, which is the weakening of the signal due to resistance.
➤ Downstream—The transmission from the headend to a subscriber, also called the forward path.
➤ Upstream—The transmission from a subscriber to the headend, also called the return or reverse path.
➤ Data Over Cable Service Interface Specification (DOCSIS)—Developed by CableLabs and approved by the International Telecommunication Union (ITU) in March 1998. DOCSIS defines interface standards for cable modems and supporting equipment. Version 1.0 was the first standard, 1.1 added VoIP capabilities, and Version 2.0 is currently in the works and should allow for 30Mbps in the upstream path.
➤ Cable Modem Termination System (CMTS)—A system of devices located in the headend that allows cable providers to offer high-speed Internet access. The CMTS provides many of the same functions provided by the DSLAM in a DSL system.
➤ Cable Modem (CM)—A modulator-demodulator at subscriber locations for use in conveying data packets on a cable television system.
➤ Spectrum reuse—Takes advantage of a “sealed” cable or network. A cable company can place signals on a wire that it could otherwise not use. The fact that the signal is trapped within means that it doesn’t conflict with other signals.
➤ National Television System Committee (NTSC)—Responsible for setting television and video standards in the United States, which use a 6MHz modulated signal.
➤ Phase Alternating Line (PAL)—The dominant television standard in Europe, which uses a 6MHz, 7MHz, or 8MHz modulated signal, depending on the version.

Now that you have a good understanding of the terms, you should already have an idea of the interaction between the different devices and components. Internet capabilities are added to the headend and sent out over the distribution network. The signal that eventually enters the CM is an RF signal. The CM tunes into the signal and demodulates it into digital data ready for the PC. That covers the trip downstream; now check out the trip back. The CM takes the digital data signal from the PC, converts it into an RF signal at the appropriate frequency, and sends it on up. The signal is eventually received at the headend by the CMTS, where it is converted back to a digital data signal and routed to the Internet. It is worth noting that two cable modems in neighboring houses can never communicate directly; the CMTS must act as a go-between during the “conversation.”
Provisioning

The last thing to examine is the process of provisioning the CM, which follows a number of steps:
1. On powering up, the CM scans for the RF channel used for the downstream.
2. Next, it examines maintenance messages in the downstream path on how to use the upstream path.
3. Layer 1 and 2 communications are established with the CMTS.
4. The CM requests an IP address through Dynamic Host Configuration Protocol (DHCP). The DHCP server must be RFC-2131–compliant.
5. Now that it has an address, the CM downloads a DOCSIS configuration file from a Trivial File Transfer Protocol (TFTP) server. The TFTP server must be RFC-1350–compliant.
6. The CM registers with the CMTS and negotiates any quality of service (QoS) parameters.

The CM is now ready for use, and workstations can request their own address and begin using the Internet. Cable modems receive IP addresses from DHCP and DOCSIS configuration files via TFTP.
DSL
DSL takes advantage of unused bandwidth on traditional phone lines, working at a higher frequency than a voice conversation. It allows you to use the high-speed access at the same time a voice conversation is occurring. Typically, a DSL connection is always on; however, some service providers have adopted techniques much like PPP. In fact, they are PPPoE or PPPoA, which we discuss later. Some of the challenges with DSL are the distance requirement (no greater than 18,000 feet), the possibility that your CO does not support DSL, and the fact that any fiber lines in use will severely limit DSL options. DSL operates between the customer premises equipment (CPE), such as a Cisco 827 router, and the DSLAM. The DSLAM terminates DSL connections at the CO.

DSL has a number of different flavors or variants, each designed for a different reason, such as the level of service, speed, and distance. ADSL, for example, can coexist with the plain old telephone system (POTS), whereas SDSL cannot. There are a variety of DSL technologies, ranging from those designed for the home user to those for large corporations. DSL technologies are anything but static; there is a large amount of research and development for the betterment of DSL. Some of the varying xDSL specifications follow:
➤ ADSL—Designed for residential use, it is the most popular form of DSL technology. The key to ADSL is that the upstream and downstream bandwidth is asymmetric, or uneven. In practice, the bandwidth from the provider to the user (downstream) will be the higher speed path. This difference is in part due to the limitation of the telephone cabling system, but it also accommodates typical Internet usage, where the majority of data is sent to the user downstream. ADSL is rated for distances up to 18,000 feet and lets you place traditional phone calls while a DSL connection is active.
➤ SDSL—Designed more for business, the line speed is the same in both directions. SDSL allows for greater upstream speeds than ADSL; because of the greater available bandwidth for upstream communication, services can be hosted at the customer’s site. Distances can be up to 12,000 feet.
➤ G.SHDSL—Also known as G.991.2, G.SHDSL is an international standard for SDSL developed by the ITU. This technology is the first DSL technology to be developed from the ground up as an international standard; it supports longer distances (28,000 feet) and is predicted to be the most adopted standard in the future.
➤ IDSL—IDSL uses 2B1Q line coding and can be configured to use the full bandwidth of two 64Kbps bearer channels plus one 16Kbps delta channel. ISDN lines and the routers’ ISDN U interfaces are used for connectivity. Major benefits of switching to IDSL from ISDN are the always-on connection, no call setup, and flat-rate billing instead of per-minute fees. Distances can be up to 18,000 feet.
➤ VDSL—VDSL transmits data in the 13Mbps to 55Mbps range over short distances, usually between 1,000 and 4,500 feet. The shorter the distance, the faster the connection rate.
➤ HDSL—Used as a replacement for T1 or E1 services, this service is limited to 12,000 feet, whereas a traditional T1 requires repeaters every 6,000 feet.
The typical tradeoff for DSL is speed versus reach (distance). The longer the loop, the lower the speed. A number of other conditions can also slow down a DSL connection: distance, thickness of the wire (gauge), bridge taps, crosstalk, and AM radio.
ADSL
As mentioned before, ADSL is a great solution for residential markets. It has fast download speeds, up to 8Mbps, and adequate upload speeds, close to 1Mbps. One of the biggest selling points is that it can coexist with POTS. Consumers can use the same line as their regular phone line and, more importantly, use them both at the same time. The three modulation techniques are carrierless amplitude and phase (CAP), discrete multitone (DMT), and consumer/mass-market DMT (G.lite). G.lite is the most used standard and supports only 1.5Mbps downstream and 640Kbps upstream.
DSL is a Layer 1 transmission protocol. ATM is the Layer 2 protocol used on top of DSL. The purpose of both is to move IP data packets, and there are three methods for doing that:
➤ RFC 1483/2684 Bridged—You can use two methods here, bridged or routed. We are only concerned with bridged. Ethernet frames are bridged to a router over ATM. There are a number of advantages to bridging: it is simple to use, easy to install, and involves less sophisticated devices, which are ideal for a single user. Some of the disadvantages are that bridging involves heavy use of broadcasts, it is insecure, and both broadcast attacks and IP address hijacking are possible.
➤ PPPoE—Covered in RFC 2516, PPPoE is a bridged solution. Ethernet frames are bridged over ATM, as with RFC 1483, but this time, the Ethernet packets encapsulate PPP inside. Because PPP is in use, we have all the advantages of PPP, such as IP negotiation, authentication, and AAA server support. Also, because of the encapsulation, the maximum receive unit (MRU) must be negotiated at 1492 bytes or less so that with the additional headers, we do not exceed 1500 bytes. PPPoE goes through four steps in the discovery stage:
  1. The PPPoE client broadcasts a PPPoE active discovery initiation (PADI) packet.
  2. The PPPoE server responds with a PPPoE active discovery offer (PADO) packet.
  3. The client switches to unicast and sends a PPPoE active discovery request (PADR) packet back to the server.
  4. The server responds with a PPPoE active discovery session-confirmation (PADS) packet to finish the process.
  At this point, PPP can then negotiate its parameters to establish connectivity. After a successful conversation, when the devices are ready to terminate the session, either the client or the server sends a PPPoE active discovery terminate (PADT) packet.
➤ PPPoA—This solution is a routed solution. No host-based software is required as with PPPoE; the CPE routes packets to the aggregation router. The steps are much simpler because it is able to jump right to PPP negotiation. You need hostnames and passwords for Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP). The aggregation router sends an IP address negotiated through IP Control Protocol (IPCP). The CPE performs NAT to give host workstations connectivity out.
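To make the four discovery steps concrete, here is an added Python example (it is not code from the book or from Cisco) that builds and parses RFC 2516 discovery packets and runs a client and an access concentrator (AC) through PADI, PADO, PADR and PADS in-process, with the client checking that the offer echoes its own Host-Uniq tag before it answers; it also derives the 1492-byte MTU from the header sizes. The service name, AC name and session ID are constructed sample values, and the Ethernet framing around the packets is left out.

```python
"""Added example (not from the book): RFC 2516 PPPoE discovery packets.
Builds and parses the 6-byte PPPoE header plus TLV tags, runs a client and an
access concentrator (AC) through PADI/PADO/PADR/PADS in-process, and derives the
1492-byte MTU.  Service name, AC name and session ID are constructed values."""
from __future__ import annotations
import os
import struct

# CODE field values for the discovery stage (RFC 2516, section 5)
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
# TAG_TYPE values used here (RFC 2516, appendix A)
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0000, 0x0101, 0x0102, 0x0103
VER_TYPE = 0x11        # VER = 1 and TYPE = 1 packed into one byte
HEADER_LEN = 6         # VER/TYPE(1) CODE(1) SESSION_ID(2) LENGTH(2)
ETHERNET_PAYLOAD = 1500
PPP_PROTOCOL_LEN = 2   # PPP protocol ID that follows the header in the session stage


def build(code: int, session_id: int, tags: list[tuple[int, bytes]]) -> bytes:
    """Serialise a discovery packet: header, then TAG_TYPE/TAG_LENGTH/TAG_VALUE triples."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(payload)) + payload


def parse(pkt: bytes) -> tuple[int, int, dict[int, bytes]]:
    """Return (code, session_id, {tag_type: value}); reject inconsistent lengths."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("truncated PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", pkt[:HEADER_LEN])
    if ver_type != VER_TYPE or length != len(pkt) - HEADER_LEN:
        raise ValueError("bad PPPoE header")
    tags, off = {}, HEADER_LEN
    while off < len(pkt):
        if off + 4 > len(pkt):
            raise ValueError("truncated tag header")
        t, l = struct.unpack("!HH", pkt[off:off + 4])
        if off + 4 + l > len(pkt):
            raise ValueError("tag runs past end of packet")
        tags[t] = pkt[off + 4:off + 4 + l]
        off += 4 + l
        if t == TAG_END:
            break
    return code, session_id, tags


def discovery_exchange(service: bytes = b"dsl-isp", ac_name: bytes = b"ac-1") -> dict:
    """Run the four discovery steps between an in-process client and AC."""
    host_uniq = os.urandom(8)   # lets the client tell replies to its own PADI apart
    # 1. client broadcasts PADI; SESSION_ID is 0 throughout discovery
    padi = build(PADI, 0, [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)])
    # 2. AC answers with PADO: echoes Host-Uniq, names itself and the service
    _, _, req = parse(padi)
    pado = build(PADO, 0, [(TAG_SERVICE_NAME, req[TAG_SERVICE_NAME]),
                           (TAG_AC_NAME, ac_name), (TAG_HOST_UNIQ, req[TAG_HOST_UNIQ])])
    # 3. client accepts only an offer that answers its own request, then sends PADR (unicast)
    code, _, offer = parse(pado)
    if code != PADO or offer.get(TAG_HOST_UNIQ) != host_uniq or offer.get(TAG_SERVICE_NAME) != service:
        raise ValueError("PADO does not match our PADI; ignore it")
    padr = build(PADR, 0, [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)])
    # 4. AC confirms with PADS carrying a non-zero session ID; PPP (LCP) starts after this
    _, _, req = parse(padr)
    session_id = 0x0001   # constructed; a real AC allocates it
    pads = build(PADS, session_id, [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, req[TAG_HOST_UNIQ])])
    code, sid, _ = parse(pads)
    return {"code": code, "session_id": sid, "packets": [padi, pado, padr, pads]}


def padt(session_id: int) -> bytes:
    """Either side ends the session with a PADT carrying the session ID and no tags."""
    return build(PADT, session_id, [])


def pppoe_mtu() -> int:
    """Why the dialer is set to ip mtu 1492: 1500 minus the 6-byte PPPoE header and 2-byte PPP protocol ID."""
    return ETHERNET_PAYLOAD - HEADER_LEN - PPP_PROTOCOL_LEN
```

The Host-Uniq check in step 3 is the part worth copying: a client that accepts any PADO it hears will happily attach to whichever concentrator answers first on the shared segment, so matching the offer against the request it actually sent is the minimum sanity check before moving to PADR.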
Configuring the PPPoE Client
Cisco IOS 12.1(3)XG introduced a PPPoE client feature for the Cisco 827 router. It lets the router, rather than the workstation, handle the PPPoE functionality. Now, multiple PCs can be behind the router and their traffic is sent via the PPPoE session. It can be encrypted and filtered and run by NAT. There are six steps to configuring the CPE as a PPPoE client. We examine just the basics, enough to get the router up and running:
1. The first group of commands configures a PPPoE virtual private dialup network (VPDN) group. The first thing to do is enable VPDN with
   Router(config)#vpdn enable
   Then, you can build the group with the vpdn-group name command:
   Router(config)#vpdn-group dsl-isp
   Router(config-vpdn)#
   Notice that the configuration mode has shifted to config-vpdn. Any commands entered at this point are specific to that group. You then specify request-dialin, which creates a subgroup inside your VPDN. In the subgroup, you define which protocols are going to be supported by entering protocol pppoe. The code would look something like Listing 10.1.

Listing 10.1 Configuring a VPDN group
Router(config)#vpdn enable
Router(config)#vpdn-group dsl-isp
Router(config-vpdn)#request-dialin
Router(config-vpdn-req-in)#protocol pppoe
Router(config-vpdn-req-in)#exit
Router(config-vpdn)#exit
2. After the VPDN group is built, you need to configure the ATM interface. You specify which ATM interface you are using with the interface atm number command. Next, you identify the permanent virtual circuit (PVC) by its virtual path identifier (VPI) and virtual circuit identifier (VCI) with pvc vpi/vci. That command moves the router into the atm-vc config mode, where you specify the dialer-pool number, which binds the dialer interface and configures PPPoE client encapsulation:
   Router(config)#interface atm 0
   Router(config-if)#pvc 9/8
   Router(config-if-atm-vc)#pppoe-client dial-pool-number 7
3. Now you are ready to build the dialer interface that was referenced in the preceding step. The dialer-interface configuration is the same as any configuration you used earlier; however, you need to check a few items. You need to allow for dynamic IP address assignments through IPCP, which you do with ip address negotiated. Another key parameter is that the packet sizes should not exceed 1492 bytes so that when the PPPoE headers are added, you stay at or below 1500 bytes. To define the packet size, use the ip mtu 1492 command. The rest of the commands are ones that you should know already. One interesting item is that we call a dialer list with the dialer-group command; remember, the purpose of the dialer list is to specify interesting traffic. Because DSL is an always-on technology, you should not need a dialer list, but it does show up in most configurations and examples (better safe than sorry). Listing 10.2 builds a dialer interface and configures it for PPPoE.

Listing 10.2 Dialer interface configured for PPPoE
Router(config)#int dialer 0
Router(config-if)#ip address negotiated
Router(config-if)#encapsulation ppp
Router(config-if)#dialer pool 7
Router(config-if)#dialer-group 1
Router(config-if)#ip mtu 1492
Router(config-if)#ppp chap hostname [email protected]
Router(config-if)#ppp chap password abc123
Router(config-if)#exit
Router(config)#
The maximum packet size must be 1492 bytes or smaller so that with the additional 8 bytes from the PPPoE header, the packet stays at or below the 1500 byte total.
4. NAT overloading or port address translation (PAT) gives your inside hosts a valid address to the outside. With PPPoE, you negotiate or receive just one address, and you most likely want to allow all the inside machines access out. You must configure NAT for overloading and define an access list for the addresses allowed to be translated. Refer to Chapter 5, “Using Network Address Translation,” for detailed explanations of the commands, but it would look something like this:
   Router(config)#ip nat inside source list 100 interface dialer0 overload
   Router(config)#access-list 100 permit ip any any
5. Next, you need to configure a DHCP server; fortunately, the Cisco IOS DHCP server has all the features you need. We could spend an entire chapter on configuring the DHCP server with different options and scenarios, but here we are only interested in a quick working solution. The first command is to build a DHCP pool: enter ip dhcp pool name to build a pool and enter its configuration mode. Next, enter import all, which tells this DHCP server to get additional information from a central DHCP server. Next, you specify the network of the pool with network network-address subnet-mask, and the final step is to specify the default gateway/router with a default-router host-address command. In Listing 10.3, you can see the steps combined to configure the DHCP pool.

Listing 10.3 DHCP configuration example
Router(config)#ip dhcp pool home
Router(dhcp-config)#import all
Router(dhcp-config)#network 192.168.1.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.1.1
Router(dhcp-config)#exit
Router(config)#

6. The last step in the process is to configure a default route that will direct all traffic out the dialer interface, which is configured for PPPoE:
   Router(config)# ip route 0.0.0.0 0.0.0.0 dialer0
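As an added check that is not part of the book's procedure, the following Python script reads a running-config style copy of the six steps above (the sample config is constructed; the CHAP hostname and password are placeholders) and reports the mistakes that most often leave a PPPoE session stuck: a dial-pool-number under the PVC that does not match the dialer pool on the dialer interface, a missing or oversized ip mtu, and a NAT statement or default route that does not reference the dialer. The ip nat outside check on the dialer is an IOS NAT requirement that this chapter's listings do not show.

```python
"""Added example (not from the book): a consistency checker for the PPPoE-client
configuration built in steps 1 to 6.  The sample running-config below is
constructed; the CHAP hostname and password are placeholders."""
from __future__ import annotations
import re

SAMPLE_CONFIG = """\
vpdn enable
!
vpdn-group dsl-isp
 request-dialin
  protocol pppoe
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface ATM0
 no ip address
 pvc 9/8
  pppoe-client dial-pool-number 7
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 7
 dialer-group 1
 ppp chap hostname user@isp.example
 ppp chap password abc123
!
ip nat inside source list 100 interface Dialer0 overload
access-list 100 permit ip any any
ip route 0.0.0.0 0.0.0.0 Dialer0
"""


def sections(config: str) -> dict[str, list[str]]:
    """Map each top-level config line to the indented lines under it (nesting flattened)."""
    out: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            current = raw.strip()
            out.setdefault(current, [])
        elif current is not None:
            out[current].append(raw.strip())
    return out


def check_pppoe_client(config: str) -> list[str]:
    """Return a list of problems; an empty list means the six steps hang together."""
    sec = sections(config)
    problems: list[str] = []
    if "vpdn enable" not in sec:
        problems.append("vpdn enable is missing")
    if not any(k.startswith("vpdn-group") and "protocol pppoe" in v for k, v in sec.items()):
        problems.append("no vpdn-group with request-dialin / protocol pppoe")
    atm = {k: v for k, v in sec.items() if k.lower().startswith("interface atm")}
    # dial-pool-number values configured under ATM PVCs (step 2)
    pools = [m.group(1) for v in atm.values() for l in v
             if (m := re.match(r"pppoe-client dial-pool-number (\d+)", l))]
    if not pools:
        problems.append("no pppoe-client dial-pool-number under an ATM PVC")
    dialers = {k: v for k, v in sec.items() if k.lower().startswith("interface dialer")}
    if not dialers:
        problems.append("no dialer interface")
    for name, lines in dialers.items():
        short = name.split()[1]                      # e.g. "Dialer0"
        pool = next((m.group(1) for l in lines if (m := re.match(r"dialer pool (\d+)", l))), None)
        if pool not in pools:                        # step 3 must bind to the pool from step 2
            problems.append(f"{name}: dialer pool {pool} does not match ATM dial-pool-number {pools}")
        if "ip address negotiated" not in lines:
            problems.append(f"{name}: ip address negotiated is missing")
        if "encapsulation ppp" not in lines:
            problems.append(f"{name}: encapsulation ppp is missing")
        mtu = next((int(m.group(1)) for l in lines if (m := re.match(r"ip mtu (\d+)", l))), None)
        if mtu is None or mtu > 1492:                # 8 bytes of PPPoE/PPP overhead on a 1500-byte frame
            problems.append(f"{name}: ip mtu is {mtu}; PPPoE needs 1492 or less")
        if "ip nat outside" not in lines:            # IOS NAT requirement, not shown in this chapter
            problems.append(f"{name}: ip nat outside is missing")
        if not any(k.startswith("ip nat inside source") and short.lower() in k.lower()
                   and "overload" in k for k in sec):
            problems.append(f"{name}: no ip nat inside source ... interface {short} overload (step 4)")
        if not any(k.lower().startswith("ip route 0.0.0.0 0.0.0.0") and short.lower() in k.lower()
                   for k in sec):
            problems.append(f"{name}: default route does not point at {short} (step 6)")
    return problems
```

Run it against a config saved from show running-config; the pool-number mismatch is worth singling out because the router accepts both halves without complaint and the only symptom is a dialer that never negotiates.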
Configuring DSL for PPPoA
There are five steps to configuring the CPE for PPPoA. The process is almost the same as that for PPPoE, but there are a few differences and they all occur in the first step, the configuration of the ATM interface:
1. To configure the ATM interface for PPPoA, you need to set the line mode. The Cisco 827 ADSL interface is in auto-detect mode by default and will auto-detect the line encoding. If you need to change it, you use the dsl operating-mode command. Some of the other options are shown as well:
   Router(config)#interface atm 0
   Router(config-if)#dsl operating-mode ?
     ansi-dmt      ANSI full rate mode
     auto          auto detect mode
     itu-dmt       ITU full rate mode
     splitterless  G.lite mode
   The other unique part is to set encapsulation for ATM with the encapsulation aal5mux ppp dialer command and to associate it with the appropriate dialer interface with the dialer pool-member number command:
   Router(config)#interface atm 0
   Router(config-if)#pvc 9/17
   Router(config-if-atm-vc)#encapsulation aal5mux ppp dialer
   Router(config-if-atm-vc)#dialer pool-member 1

The remainder of the steps are identical to those of PPPoE with the exception of the numbering.
2. Configure a dialer interface.
3. Configure PAT.
4. Configure a DHCP server.
5. Configure a default route.
Troubleshooting DSL
DSL connectivity is a multilayer process, which helps in troubleshooting because we can break it down on a per-layer basis.

To troubleshoot at Layer 1, the show dsl interface atm 0 command can check whether the router has trained to the DSLAM. If you receive a screen full of statistics, chances are that Layer 1 is good; if the display indicates that the line is not activated, then you need to troubleshoot at Layer 1. One item to check is the carrier-detect light. If it is on, then Layer 1 is not the issue; if it is off, then the next thing to check is your DSLAM modulation with your provider. Also check, of course, the obvious things such as the plug. The 827 uses a different power supply from other 800 series routers. Check whether the DSL router is cabled to the wall jack. A 6-pin cable uses pins 3 (Tip) and 4 (Ring); a 4-pin cable uses pins 2 (Tip) and 3 (Ring).

You usually track down Layer 2 issues with debug commands. debug atm events shows you whether there is any activity. Some of the traffic should indicate the VPIs and VCIs that are in use. There should be some ATM maintenance traffic flowing at regular intervals; if no output is detected, you should contact your provider. As with any debug commands, you should use them sparingly because they can have an adverse effect on performance. Use the undebug all or no debug all command to disable debugging. You can also execute a show int atm0 command to see that input and output packet counters are increasing.

At this point, look at PPP and make sure it is negotiating properly. You can use debug ppp authentication to see just the authentication process or debug ppp negotiation to see the entire setup and initialization steps. Refer to Chapter 4, “PPP Authentication with PAP and CHAP,” for additional help.
Exam Prep Questions

Question 1
Broadband provides sustained speeds above?
❍ A. 64Kbps
❍ B. 96Kbps
❍ C. 128Kbps
❍ D. 256Kbps
Answer C is correct; sustained speeds above 128Kbps or 128,000bps are defined as broadband. Answers A and B are incorrect because they are not fast enough. Answer D is wrong; it is a broadband speed, but other speeds slower than that are classified as broadband.
Question 2
The cable distribution network starts at what point?
❍ A. Headend
❍ B. Subscriber drop
❍ C. DSLAM
❍ D. CO
Answer A is correct; the distribution network starts at the headend. Answer B is wrong because that is the end of the distribution network. Answer C is incorrect because that is the equipment at a DSL CO. Answer D is also incorrect because it is a term usually reserved for the phone company, not a cable company.
Question 3
What is the name of the device located at the headend that communicates with the CMs?
❍ A. DSLAM
❍ B. Another CM
❍ C. Backend
❍ D. CMTS
Answer D is correct; the CMTS handles all the communication to the CMs. Answer A is wrong; a DSLAM is used for DSL but is equivalent to the CMTS. Answer B is incorrect because CMs cannot talk to each other directly, and backend is a made-up term, so Answer C is wrong.
Question 4
A CM should follow what standard?
❍ A. DOCSIS
❍ B. NTSC
❍ C. PAL
❍ D. HDTV
Answer A is correct; DOCSIS is the standard that should be used for CM equipment. Answers B, C, and D are incorrect because they are all television-signaling standards, not CM standards.
Question 5
What TV standard is most used in the United States?
❍ A. PAL
❍ B. NTSC
❍ C. DOCSIS
❍ D. DSLAM
Answer B is correct; NTSC or the North American TV technical standard is used most in the United States. Answer A is wrong; it is the most used in Europe. Answer C is a little tricky but wrong; it is the most used CM standard in the United States but not a television standard. Answer D is incorrect because it has to do with DSL.
Question 6
A CM uses what service to get its configuration files?
❍ A. FTP
❍ B. HTTP
❍ C. SSL
❍ D. TFTP
Answer D is correct; the CM after provisioning communicates with a TFTP server to get the appropriate configuration files. Answers A, B, and C are incorrect; they are not used by the CM for configuration.
Question 7
What is the maximum transmission unit (MTU) size that you should select with PPPoE?
❍ A. 1492 bytes
❍ B. 1518 bytes
❍ C. 1500 bytes
❍ D. 1942 bytes
Answer A is correct; 1492 bytes leaves room for the additional 8 bytes of headers for a total no bigger than 1500 bytes. Answers B, C, and D are wrong because the sizes are incorrect.
Question 8
What are three conditions that can affect DSL speeds? (Choose three.)
❑ A. Distance to the CO
❑ B. FM radio
❑ C. Bridge taps
❑ D. Crosstalk
Answers A, C, and D are correct; distances, bridge taps, and crosstalk can all slow down the speeds of DSL. Answer B is close but still wrong because it is AM radio that causes interference which can reduce speeds.
Question 9
What are two characteristics of G.lite standard? (Choose two.)
❑ A. Defines valid DOCSIS encoding
❑ B. Supports 1.5Mbps downstream and 640Kbps upstream
❑ C. Is the most common ADSL modulation
❑ D. Cannot be used with PPPoE
Answers B and C are correct; it supports only 1.5Mbps downstream and 640Kbps upstream and is the most used consumer/mass-market DMT. Answer A is incorrect because it has nothing to do with cable modems, and Answer D is also wrong because it can be used with PPPoE.
Question 10
What is the PPP protocol that negotiates IP addresses?
❍ A. LCP
❍ B. DHCP
❍ C. IPCP
❍ D. CDP
Answer C is correct; PPP uses IPCP to negotiate the IP address. Answer A, LCP, is wrong; it is used by PPP but not for IP addresses. Answer B is incorrect; it might seem like a good choice because DHCP assigns addresses, but not within PPP and not without IPCP. Answer D is also wrong because Cisco Discovery Protocol does not negotiate addresses.
Question 11
What is the command that defines the maximum payload size of 1492 bytes?
❍ A. mtu 1492
❍ B. max-packet 1492
❍ C. ip mtu 1492
❍ D. frame-size mtu 1492
Answer C is correct; it is the only valid command and it does set the MTU to 1492 bytes. Answers A, B, and D are all incorrect because the commands do not exist.
Question 12
What is the ATM command to configure the VPI and VCI as provided by the service provider?
❍ A. vpi/vci 9/7
❍ B. encapsulation vpi/vci 9/7
❍ C. encoding vpi/vci 9/7
❍ D. pvc 9/7
Answer D is correct; pvc 9/7 sets both the VPI and VCI. Answers A, B, and C are all incorrect because the commands do not exist.
Question 13
What is the command to let a DSL router detect and set its modulation?
❍ A. dsl modulation auto
❍ B. dsl modulation discover
❍ C. dsl modulation dynamic
❍ D. modulation dsl encapsulation discover
Answer A is correct; dsl modulation auto allows the router to dynamically discover the modulation type. It is on by default. Answers B, C, and D are incorrect because the commands do not exist.
Question 14
What command in ATM interface configuration mode sets the encapsulation for PPPoA?
❍ A. encapsulation auto ppp dialer
❍ B. encapsulation pppoa client dialer
❍ C. encapsulation dialer aal5mux
❍ D. encapsulation aal5mux ppp dialer
Answer D is correct; encapsulation aal5mux ppp dialer configures the ATM interface for PPPoA. Answers A, B, and C are incorrect because the commands do not exist.
Question 15
On a Cisco 827 router, what pins do you use with a 4-pin RJ-11 connector?
❍ A. 1 and 2
❍ B. 2 and 3
❍ C. 3 and 4
❍ D. 1 and 4
Answer B is correct; you use pins 2 and 3 with a 4-pin connector. You use pins 3 and 4 in a 6-pin connector. Remember, you always use the middle pair for each pinout. Answers A, C, and D are wrong because you do not use those pins.
Question 16
What three things can you use to verify whether Layer 1 is functioning? (Choose three.)
❑ A. show dsl interface atm 0
❑ B. show interface atm 0
❑ C. The DSL connect LED is on.
❑ D. The CD LED is on.
Answers A, B, and D are correct; they can all help verify whether Layer 1 is up and functioning. Answer C is incorrect because there is no DSL connect LED.
Need to Know More?
There are a number of resources available on the web about broadband technology. One of our favorites for an end user as well as an enthusiast is the DSL reports at http://www.dslreports.com. The Cisco technology home page is a great place to start. Just look for links about CMs and DSL, or whatever strikes your fancy, when you visit http://www.cisco.com/en/US/tech/index.html. For CMs, try http://www.cablelabs.com. For DSL information, go to http://www.dslforum.org. For PPPoE information, look at RFC 2516 at http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2516.html.

Read about old multiprotocol encapsulation over ATM adaptation Layer 5 at http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1483.html. Check out new multiprotocol encapsulation over ATM adaptation Layer 5 at http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2684.html.
PART III WAN Options
11 Enabling a Backup Connection
12 Traffic Management
13 Securing the Network with VPNs
14 Practice Exam 1
15 Answer Key 1
16 Practice Exam 2
17 Answer Key 2

11 Enabling a Backup Connection

Terms you’ll need to understand
✓ Dial backup
✓ Primary
✓ Backup
✓ Link
✓ Interface
✓ Load
✓ Keepalives
✓ Carrier detect
✓ Administrative distance (AD)

Techniques you’ll need to master
✓ Using the backup load command
✓ Determining routing protocol preferences
✓ Calculating backup delay
Dial Backup
Having a second connection that can move data in the event the primary connection fails is a wise move for today’s corporate environment. You can back up a permanent connection or use dial backup, as it’s usually called, in several ways to both alleviate congested conditions and provide an alternate route in the event of a link failure.

Dial backup should not be confused with load sharing. Load sharing uses multiple paths to the same destination to send packets. Although dial backup can do this, this feature is usually secondary to making sure that data has a means to get to its destination. Because of this need, dial backup is usually performed on much slower links than load sharing is.

Dial backup can use several different types of interfaces. It’s normally configured for an ISDN Basic Rate Interface (BRI) or an analog modem attached to an asynchronous interface, but in advanced setups it might be configured to use a dialer pool or another serial interface. In addition to backing up a primary link in the event it goes down, a backup interface can also be configured to support a primary line in the event of congestion. The administrator can establish that the backup interface begins to transport data when a given bandwidth threshold on the primary is reached or exceeded.
Configuring Dial Backup for Primary Link Failure
To configure a dial backup link to take over data transport in the event a primary link goes down, you have to do several things. See Listing 11.1 for an example.

Listing 11.1 Dial backup configuration example
Router(config)# interface serial 0/0
Router(config-if)# backup interface bri0/0
Router(config-if)# backup delay ?
  Seconds
  never  Never activate the backup line
Router(config-if)# backup delay 20 ?
  Seconds
  never  Never activate the backup line
Router(config-if)# backup delay 20 20
The tasks can be broken down as follows:
➤ Identify the primary link, the link currently carrying traffic that you want to back up.
➤ Identify the dialup link that will back up the primary.
➤ Configure the primary link (if you haven’t already done so) to support the necessary encapsulation, routed protocols, and routing protocols.
➤ Place the backup interface interface-type number command in the interface configuration for the primary interface.
➤ Configure how long the backup interface should delay coming up when the primary fails and how long it should wait before dropping when the primary comes back up by using the command:
   backup delay {enable-delay | never} {disable-delay | never}
The backup interface command options are as follows:
➤ interface-type number—Which interface will back up the primary interface? Remember that interface values vary depending on the router you’re configuring. Some routers use the format interface serial 1, whereas a modular router uses the format interface serial 1/1, specifying both the slot and port numbers.
➤ enable-delay—How many seconds must pass before the backup interface takes over for the primary? This setting is a good way to make sure that the primary won’t return immediately.
➤ disable-delay—How many seconds must pass before the backup link goes down, once the primary returns? This setting is a good way to make sure that the primary won’t drop off again.
➤ never—This keyword prevents the backup line from being enabled or disabled. It is not recommended that you use it for both enable and disable in the same command.

The enable-delay and disable-delay values are the number of seconds you want the interface to wait before coming up or going down. These values can be useful in the event your primary line has a tendency to bounce or go down for just a few seconds occasionally. Although the disable-delay never option has its uses, you’ll use the enable-delay never option very few times in a production environment.
Once you configure both the primary and backup interfaces, you place the backup interface in a standby mode. The standby mode simulates a down interface until needed. No traffic passes through the backup interface, and traffic doesn’t use the properly configured routes through the interface.
The router with the backup interface configured monitors the status of keepalives, small packets that networking devices send to each other. If carrier isn’t detected on the primary link or if keepalives don’t arrive from the neighbor router on a regular basis, then your router assumes the primary link has failed and activates the backup.
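The interaction of enable-delay, disable-delay and a flapping primary is easiest to see in a model. The following Python is an added example, not from the book, that steps through a constructed second-by-second timeline of the primary link and reports when the backup interface would leave and re-enter standby for a given backup delay setting; it reduces the router's keepalive and carrier-detect logic to a single up/down state per second.

```python
"""Added example (not from the book): a second-by-second model of
backup delay {enable-delay | never} {disable-delay | never}.
The primary-link timeline below is constructed; the router's real decision is
driven by carrier detect and keepalives, which this model collapses to a flag."""
from __future__ import annotations

NEVER = "never"


def simulate_backup(primary_up: list[bool], enable_delay, disable_delay) -> list[tuple[int, str]]:
    """primary_up[t] is the primary's state during second t.  Returns the backup
    interface's transitions as (second, 'up' | 'down').  Each delay is a number of
    seconds or NEVER, exactly as the command accepts it."""
    backup_up = False
    transitions: list[tuple[int, str]] = []
    down_since = up_since = None        # when the primary entered its current state
    for t, up in enumerate(primary_up):
        if not up:
            up_since = None
            down_since = t if down_since is None else down_since
            # enable-delay: the primary must stay down this long before the backup comes up
            if not backup_up and enable_delay != NEVER and t - down_since >= enable_delay:
                backup_up = True
                transitions.append((t, "up"))
        else:
            down_since = None
            up_since = t if up_since is None else up_since
            # disable-delay: the primary must stay up this long before the backup is dropped
            if backup_up and disable_delay != NEVER and t - up_since >= disable_delay:
                backup_up = False
                transitions.append((t, "down"))
    return transitions


def timeline(segments: list[tuple[bool, int]]) -> list[bool]:
    """Expand [(state, seconds), ...] into one entry per second."""
    return [state for state, seconds in segments for _ in range(seconds)]


# Constructed scenario: a 5 s flap, a 60 s outage, a 5 s false recovery, 30 s more
# outage, then the primary stays up.  Total length 160 s.
SCENARIO = timeline([(True, 10), (False, 5), (True, 10), (False, 60),
                     (True, 5), (False, 30), (True, 40)])
```

With backup delay 20 20 the 5-second flap at t=10 and the 5-second recovery at t=85 are both ignored, so the backup comes up once at t=45 and goes down once at t=140; with backup delay 0 0 the same timeline produces six transitions, which on an ISDN backup means four chargeable calls for one outage.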
Floating Static Routes
A static route is a route that someone has manually configured. It tells the router that to reach a certain network you must send data out this interface. Here are two examples of static routes:
Router(config)#ip route 192.168.4.0 255.255.255.0 BRI0/0
Router(config)#ip route 192.168.5.0 255.255.255.0 172.16.4.1
The first route points all data that wants to go to the 192.168.4.0/24 network out local interface BRI0/0. Whatever this interface is connected to will be able to forward the data to the destination network. The second instance tells the router to forward all data going to the 192.168.5.0/24 network to a specific remote host, 172.16.4.1. This host might be a device the router is directly connected to or it might be a few hops away. In any case, the router must have a route to this device to forward traffic to it. Because a router must have a way to determine the best route, it prefers certain routing protocols to others. Cisco routers believe the information provided by static routes is extremely accurate and prefer those routes instead of routes learned via dynamic routing protocols. Table 11.1 shows the relative importance of some routing processes.

Table 11.1 Some Popular Routing Protocols and Their ADs
Routing Protocol                                      AD
Directly connected                                     0
Static route reflecting a local interface              0
Static route reflecting a remote device                1
Enhanced Interior Gateway Routing Protocol (EIGRP)    90
Interior Gateway Routing Protocol (IGRP)             100
Open Shortest Path First (OSPF)                      110
Routing Information Protocol (RIP)                   120
This preference leads to a problem. If you’re running a dynamic routing protocol across the primary link on your router, you need to establish a static route to the other networks via the dial backup interface. But if you do so, then the router will prefer to use the dial backup interface rather than the (probably faster) primary interface. A solution exists in the form of a floating static route. In a floating static route, like the one shown in the next line of code, the AD for a static route is changed from 0 or 1 to something higher than the AD for the dynamic routing protocol you’re using across the primary:
Router(config)#ip route 192.168.4.0 255.255.255.0 172.16.4.1 130

This example shows an alternate route to the 192.168.4.0/24 network. The primary method of getting to the destination network is through BRI0/0, but this command has added a less desirable but still valid option. The router compares the AD of the two routes and uses the one pointing to BRI0/0 first because it has the lower AD; 0 is lower than 130. If the BRI interface is ever inactive, the router begins looking for alternatives and uses this route if it has the best AD of those available. If you have a router running OSPF, the AD is 110. If you set up a static route pointing to an IP network that OSPF already knows about, then the router will prefer to use the path specified by the static route. You can fool the router by changing the AD the static route uses to something higher than the value your routing protocol uses. If you establish a static route and tell the router that the AD for this route is 130, then the router will prefer to use OSPF routes if they are available. This technique allows you to run a dynamic routing protocol across the primary link but have an alternate route via the backup link. The command follows:
ip route <destination-network> <destination-network mask> {local-interface | remote device address} [AD]
The ip route command’s options follow:
➤ destination-network—The remote network that this static route refers to. To get to the network, we send packets to the location specified by the rest of the command.
➤ destination-network mask—Generally an IP subnet mask. Helps the router choose between subsets of the same classful IP network number.
➤ local-interface—The local interface by which data needs to leave the router if you want the data sent to this network. This option has an AD of 0. The route stays in the routing table only while that interface is up, which is what removes it when a backup link drops.
➤ remote device address—Much the same as local-interface. Specifies the remote device address you need to send data to if you want the data sent to this network. This option has an AD of 1. The router must already have a route to that address (normally a directly connected neighbor) before it installs this static route.
➤ AD—The AD for the route you’re creating. The AD should be higher than that of your regular routing protocol. The value 130 is good because it’s higher than the AD of the four primary routing protocols (EIGRP 90, IGRP 100, OSPF 110, RIP 120) and, thus, will be used only when the dynamic routing protocol doesn’t have an active route.
An example is ip route 10.1.2.0 255.255.255.0 BRI0 130. This command tells the router that to reach network 10.1.2.0, it should send packets out interface BRI0. By adding the AD of 130, you make the router compare this route to its existing routing table. In the event of multiple paths to the 10.1.2.0 network, the router uses the active route with the lowest AD. The command ip route 10.1.2.0 255.255.255.0 192.168.1.4 130 also makes the router check its routing table, but instead of sending packets out of the BRI0 interface, the router forwards packets to the device 192.168.1.4. To keep things simple, that next hop should be a directly connected neighbor, because the router must be able to resolve a route to the next hop before it can use this static route.
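To see the AD comparison the text describes in action, the following Python script is an added example (it is not from the book or from Cisco IOS). It parses ip route commands in the form shown above, keeps the AD values the chapter lists, and installs for each prefix only the lowest-AD candidate that is still active. The prefixes, next hops, interface names, and the Route, parse_ip_route, and best_route helpers are this example’s own assumptions.

```python
from dataclasses import dataclass, replace

# ADs quoted in the chapter: static to an interface 0, static to a next hop 1,
# EIGRP 90, IGRP 100, OSPF 110, RIP 120. 130 is the floating static value used in the text.
AD = {"static-interface": 0, "static-nexthop": 1,
      "eigrp": 90, "igrp": 100, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str          # "192.168.4.0/24"
    via: str             # next-hop address or exit interface
    source: str          # key into AD
    ad: int              # administrative distance
    active: bool = True  # False once the source withdraws it (link down, neighbor lost)


def parse_ip_route(cmd):
    """Parse 'ip route <net> <mask> {interface | next-hop} [AD]' (hypothetical parser,
    handling only the form the chapter shows)."""
    parts = cmd.split()
    if parts[:2] != ["ip", "route"] or len(parts) not in (5, 6):
        raise ValueError("expected: ip route <net> <mask> <intf|next-hop> [AD]")
    net, mask, via = parts[2], parts[3], parts[4]
    prefix_len = sum(bin(int(octet)).count("1") for octet in mask.split("."))
    # An interface name starts with a letter (BRI0, Serial0/0); a next hop is dotted decimal.
    source = "static-interface" if via[0].isalpha() else "static-nexthop"
    ad = int(parts[5]) if len(parts) == 6 else AD[source]
    return Route(f"{net}/{prefix_len}", via, source, ad)


def best_route(candidates):
    """The route the RIB installs: lowest AD among active candidates (first wins a tie),
    or None when nothing usable is left."""
    return min((r for r in candidates if r.active), key=lambda r: r.ad, default=None)


def naive_static():
    """The problem the text describes: a plain static route (AD 1) beats OSPF (AD 110),
    so traffic leaves via the backup even while the primary is fine."""
    ospf = Route("192.168.4.0/24", "Serial0/0", "ospf", AD["ospf"])
    static = parse_ip_route("ip route 192.168.4.0 255.255.255.0 172.16.4.1")
    return best_route([ospf, static]).via


def floating_static():
    """The fix: AD 130 keeps the static route out of the table while OSPF has a route
    and brings it in when the OSPF route is withdrawn. Returns (via before, via after)."""
    ospf = Route("192.168.4.0/24", "Serial0/0", "ospf", AD["ospf"])
    floating = parse_ip_route("ip route 192.168.4.0 255.255.255.0 172.16.4.1 130")
    before = best_route([ospf, floating]).via
    after = best_route([replace(ospf, active=False), floating]).via
    return before, after


if __name__ == "__main__":
    print("plain static, primary healthy ->", naive_static())      # 172.16.4.1 (wrong link)
    print("floating static, before/after ->", floating_static())   # ('Serial0/0', '172.16.4.1')
```

The model deliberately ignores prefix length and metric, because the chapter’s point is only the AD tie-break between routing sources for the same prefix.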
Activating Dial Backup to Support a Primary Link You can configure dial backup to activate an interface when the amount of traffic on the primary link reaches or exceeds a certain threshold. Once you select and configure the primary link interface, you need to add this command: backup load {enable-threshold | never} {disable-threshold | never}
Listing 11.2 shows the console output of a router as this command is being entered.
Listing 11.2 Configuring the backup load
Router(config)# interface serial 0/0
Router(config-if)# backup load ?
  <0-100>  Percentage
  never    Never activate the backup line
Router(config-if)# backup load 70 ?
  <0-100>  Percentage
  never    Never activate the backup line
Router(config-if)# backup load 70 40
The backup load command’s threshold options follow:
➤ enable-threshold—Percentage of use on the primary link at which the backup link will be enabled and start load sharing traffic
➤ disable-threshold—Percentage of use on the primary link at which the backup link will be disabled
➤ never—Prevents the backup link from being enabled or disabled
Unlike many Cisco interface references, the backup load command doesn’t use a portion of 255 in the command. The value referenced is a straight percentage of the link’s capability.
Do not use values of 0 or 100 in this command, and keep the disable threshold below the enable threshold so the backup link does not flap. Both values are compared against a floating five-minute average of the primary’s load: an enable threshold of 0 brings the backup up as soon as there is any traffic, a disable threshold of 0 never lets it drop, and an enable threshold of 100 is unlikely ever to be reached.
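The hysteresis the two thresholds create is easier to see in a simulation. The following Python script is an added example, not from the book: it feeds a constructed trace of primary-link utilization samples through a moving average and applies the enable and disable thresholds the way the text describes. The 30-second sampling interval (so ten samples make up the five-minute average), the utilization trace, and the function names are this example’s assumptions.

```python
from collections import deque

SAMPLES_PER_5_MIN = 10   # assumed 30-second sampling interval behind the five-minute average


def validate_backup_load(enable, disable):
    """Return the list of problems with a 'backup load <enable> <disable>' pair:
    values are straight percentages 0-100 or the keyword never; 0 and 100 are
    degenerate; the disable threshold must sit below the enable threshold."""
    problems = []
    for name, value in (("enable-threshold", enable), ("disable-threshold", disable)):
        if value == "never":
            continue
        if not isinstance(value, int) or not 0 <= value <= 100:
            problems.append(f"{name} must be 0-100 or never, got {value!r}")
        elif value in (0, 100):
            problems.append(f"{name} of {value} makes the backup always or never active")
    if isinstance(enable, int) and isinstance(disable, int) and disable >= enable:
        problems.append("disable-threshold should be below enable-threshold")
    return problems


def simulate_backup_load(utilization, enable, disable, window=SAMPLES_PER_5_MIN):
    """Run a trace of primary-link utilization percentages through the moving average
    and the two thresholds. Returns [(sample index, 'kickin'|'kickout', average), ...]."""
    recent = deque(maxlen=window)
    backup_up = False
    events = []
    for i, pct in enumerate(utilization):
        recent.append(pct)
        avg = sum(recent) / len(recent)
        if not backup_up and enable != "never" and avg >= enable:
            backup_up = True                      # load reached the kickin threshold
            events.append((i, "kickin", round(avg)))
        elif backup_up and disable != "never" and avg <= disable:
            backup_up = False                     # load fell to the kickout threshold
            events.append((i, "kickout", round(avg)))
    return events


if __name__ == "__main__":
    # Constructed trace: 10 minutes quiet, a 7.5-minute burst at 90%, then quiet again.
    trace = [20] * 20 + [90] * 15 + [20] * 20
    print(simulate_backup_load(trace, 70, 40))   # [(27, 'kickin', 76), (42, 'kickout', 34)]
    print(simulate_backup_load(trace, 0, 40))    # flaps from the first sample onward
    print(validate_backup_load(0, 100))
```

Because the average lags the raw load, the backup comes up several samples after the burst starts and drops several samples after it ends; that delay is the point of averaging, and the gap between the two thresholds is what keeps the link from bouncing around a single value.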
Using Dial Backup with Dialer Profiles A physical interface can be either an active interface or a dial backup interface. This limitation led to customers wanting to fully utilize all of the interfaces they were purchasing. The solution was to allow a backup interface command to map to a dialer pool. Because a dialer pool is attached to a virtual interface called a dialer interface, and a physical interface can be a member of multiple dialer pools, this arrangement lets you use a physical interface in the normal course of business even though it might someday be called on to serve as a backup to a primary interface. You need to configure a dialer interface as shown in Chapter 7, “Using ISDN.” Once you finish that, go into interface configuration mode for the primary link and enter the following command: backup interface dialer number
This command tells the primary link to use the named dialer interface, and therefore its dialer pool, as the backup. When the primary link goes down, the router takes a free physical interface that is a member of the specified dialer pool and uses it as the backup link.
Load Sharing and Dial Backup Using the backup load command enables you to activate one link and help out the primary link. Routing protocols, however, tend to have their own ideas about what paths traffic should take. For example, if you previously configured a router to bring up an ISDN connection to help out a T1 when the T1 had a certain load, a routing protocol such as OSPF isn’t going to make use of the ISDN line without a little bit of help. OSPF determines the best path by looking at the bandwidth of the link, and it load-shares only across paths of equal cost. Because a T1 has greater bandwidth than ISDN, OSPF will prefer to send all data across the T1 and ignore the ISDN line. You use load sharing with dial backup on an OSPF routed network by using the following command in interface configuration mode for the dial backup interface, giving it the same cost as the primary: ip ospf cost cost
Doing so tricks OSPF into thinking that a 128Kbps ISDN line is really a 10Mbps Ethernet link, or whatever you need to simulate; once the ISDN interface carries the same cost as the T1, OSPF will load-share data across both lines. IGRP and EIGRP aren’t as difficult to work with. They both support load sharing across links of different speeds, although with a few additional commands. The problem most people have with load sharing with IGRP and EIGRP is the number of factors these protocols take into account when determining the best path. Assume that you want to back up a T1 with an ISDN connection. A T1 has a bandwidth of 1.544Mbps, whereas a BRI line has two B channels with a combined bandwidth of 128Kbps. It would take roughly 12 ISDN lines to equal one T1, which suggests a variance of 12. Using the following command in routing protocol configuration mode tells the router to use the ISDN line even though it isn’t nearly as fast as the T1: variance multiplier
Variance only decides which routes are eligible. If the router were to split traffic equally across both lines, either the ISDN line would become saturated or the T1 would be underutilized. How traffic is divided among the eligible routes is controlled by the following command, which you also configure in routing protocol configuration mode: traffic-share {balanced | min}
The balanced option in this command, which is the default, tells the router to share traffic in proportion to the route metrics, so for roughly every packet sent across the ISDN line, it sends 12 across the T1. The load-sharing options for the commands discussed in this section follow:
➤ cost—In OSPF, 100 million divided by the wire’s bandwidth in bits per second. Thus, a 10Mbps Ethernet link has a cost of 10. The cost command tricks the OSPF protocol into thinking that the link is a different speed from what it really is.
➤ multiplier—Determines the range of wires that may be used for load sharing. Each load-sharing link must have a metric between x and y, where x is the metric of the best route and y is x multiplied by the variance value.
➤ balanced—Tells the router to load-share in proportion to each route’s metric, so a better route carries more of the traffic.
➤ min—Tells the router to divide traffic only among routes with the best metric.
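The following Python script is an added example (not from the book) that carries the section’s three calculations through: the OSPF cost a link gets by default and the ip ospf cost value that makes the backup look like an equal-cost path, the variance needed to admit a slower route and the feasibility test it implies, and how traffic-share balanced and min divide traffic. Metrics here are plain numbers in the 12:1 bandwidth ratio the text uses; real IGRP/EIGRP metrics fold in delay as well, and the function names are this example’s own. Note that 1.544Mbps divided by 128Kbps is 12.06, so on a pure bandwidth metric a variance of 12 would just miss the ISDN route and 13 is the safe value.

```python
from fractions import Fraction
from math import ceil

OSPF_REFERENCE_BW = 100_000_000   # 10^8 bps, the reference bandwidth the text describes


def ospf_cost(bandwidth_bps):
    """Default OSPF interface cost: reference bandwidth / link bandwidth, minimum 1."""
    return max(1, OSPF_REFERENCE_BW // bandwidth_bps)


def ospf_cost_to_equalize(primary_bps, backup_bps):
    """Value to put in 'ip ospf cost' on the backup interface so OSPF sees two
    equal-cost paths (OSPF only load-shares across equal-cost routes)."""
    return ospf_cost(primary_bps)


def variance_needed(best_metric, worst_metric):
    """Smallest integer variance that still admits a route with worst_metric."""
    return ceil(Fraction(worst_metric, best_metric))


def feasible_paths(paths, variance):
    """paths: {name: metric}. Keep every route whose metric <= variance * best metric."""
    best = min(paths.values())
    return {name: m for name, m in paths.items() if m <= variance * best}


def traffic_share(paths, mode="balanced"):
    """Fraction of traffic sent over each route.
    balanced: inversely proportional to metric (the default);
    min: only the best-metric routes, split evenly."""
    if mode == "min":
        best = min(paths.values())
        chosen = [name for name, m in paths.items() if m == best]
        return {name: Fraction(1, len(chosen)) for name in chosen}
    weights = {name: Fraction(1, m) for name, m in paths.items()}
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


if __name__ == "__main__":
    t1, isdn = 1_544_000, 128_000
    print("OSPF cost T1 / ISDN:", ospf_cost(t1), ospf_cost(isdn))          # 64 781
    print("ip ospf cost on ISDN:", ospf_cost_to_equalize(t1, isdn))          # 64
    print("variance for T1:ISDN by raw bandwidth:", variance_needed(isdn, t1))  # 13
    links = {"T1": 1, "ISDN": 12}
    print("variance 12 admits:", feasible_paths(links, 12))
    print("balanced:", traffic_share(links), "min:", traffic_share(links, "min"))
```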
Verifying a Dial Backup Configuration The following command displays the status of the configured interface: show interface type number
You see information on which device is serving as a backup, the delay before the backup is enabled, and the delay before the backup is disabled once the primary is restored. The section in question appears at the beginning of the interface status and looks like this: Backup interface Serial0/0, failure delay 0 sec, secondary disable delay 0 sec, kickin load 60%, kickout load 40%
The kickin and kickout load values determine when the backup circuit activates and deactivates. Note that this information is displayed by show interface; there is no show backup command, although many people expect one.
Exam Prep Questions Question 1 To create a floating static route when you’re running the RIP routing protocol, what AD would work best? ❍ A. 120 ❍ B. 100 ❍ C. 140 ❍ D. 80 ❍ E. 1
Answer C is correct. When creating a floating static route, you need to make sure that the specified AD is higher than that of the routing protocol you’re using. This way, the router only uses this route when it doesn’t have a route to the specified network in its routing table. Because RIP has an AD of 120, you need an AD that is higher than 120. Therefore, answers A, B, D, and E are incorrect.
Question 2 What command allows IGRP to load share across links of unequal bandwidth? ❍ A. split ❍ B. variance ❍ C. load-share ❍ D. None of the above
Answer B is correct. The variance command tells IGRP and EIGRP to use a specified value in determining what links are available for load sharing. Answers A and C are not valid options, thus incorrect; because a valid answer exists, answer D is also incorrect.
Question 3 What type of configuration allows an interface to both back up another link and be used on a regular basis? ❍ A. Dialer pool ❍ B. Dialer interface ❍ C. Serial interface ❍ D. BRI interface
Answer A is correct. A dialer pool acts as a go-between for a physical interface and a dialer interface. Answer B, the dialer interface, is referenced in the backup interface command; when needed, it selects a physical interface out of those available in the pool. Answers C and D are physical interfaces. Answers B, C, and D are all incorrect.
Question 4 In the command backup delay 20 30, when the primary link drops, how long does it take before the backup link is activated? ❍ A. 30 seconds ❍ B. 20 seconds ❍ C. 30 minutes ❍ D. 20 minutes
Answer B is correct. The first number in the command states how long the interface waits before becoming active. Therefore, answers A, C, and D are not correct. This value is in seconds.
Question 5 The maximum value for the disable-threshold portion of the backup load command is ❍ A. 1000 ❍ B. 255 ❍ C. 128 ❍ D. 100
Answer D is correct. The values in the backup load command are percentages of the capacity of the primary link. Thus, the maximum value is 100. Therefore, answers A, B, and C are not correct. However, using 100 is not recommended because the load sharing will be removed very quickly in most cases.
Question 6 The AD for OSPF is ❍ A. 90 ❍ B. 100 ❍ C. 110 ❍ D. 120
Answer C is correct. The AD for OSPF is 110. Answers A, B, and D are the ADs for, in order, EIGRP, IGRP, and RIP.
Question 7 In the command backup delay 10 50, how many seconds after the primary comes back online does the backup link wait before dropping? ❍ A. 10 seconds ❍ B. 40 seconds ❍ C. 50 seconds ❍ D. 60 seconds ❍ E. None of the above
Answer C is correct. The delay value being referenced is the second value, which says “When the primary comes back online, wait 50 seconds before dropping the backup link.” Therefore, answers A, B, D, and E are not correct. You use the delay to make sure that the primary is going to remain online.
Question 8 In the command ip ospf cost cost, what does the cost variable refer to? ❍ A. The cost of the link in dollars. We use expensive links more often to get our money’s worth. ❍ B. The cost of the link in bandwidth. We can trick OSPF routing with this command. ❍ C. The cost of the link in bandwidth. We can trick OSPF spanning tree with this command. ❍ D. The additional cost of this link to take into account additional processing overhead from another process, such as route redistribution.
Answer B is correct. This command tells OSPF to ignore the bandwidth values it knows for this link and instead substitute the given value. Therefore, answers A, C, and D are incorrect. This command can really mess up a routing table if you use it incorrectly.
Question 9 Which routing protocols can easily load-share across links of different bandwidth sizes? ❑ A. RIP ❑ B. IGRP ❑ C. OSPF ❑ D. EIGRP ❑ E. BGP
Answers B and D are correct. The Cisco protocols IGRP and EIGRP have a variance option that allows the protocols to load-balance across links of unequal bandwidth. Although OSPF and RIP also do this with varying amounts of configuration to trick the routing protocols, only IGRP and EIGRP can do it with one command.
Question 10 What is a valid value for the backup load threshold command? ❍ A. 7 ❍ B. 56 ❍ C. 134 ❍ D. 218 ❍ E. All of the above ❍ F. Only A and B
Answer F is the correct answer. The backup load threshold command uses values from 0 through 100 and because the numbers 7 and 56 are the only ones in that range, they are the only correct answers.
12 Traffic Management
Terms you’ll need to understand
✓ Weighted fair queuing
✓ Priority queuing
✓ Custom queuing
✓ Low-latency queuing
✓ Queue limits
✓ Compression
Techniques you’ll need to master
✓ Basic queuing
✓ Advanced queuing
✓ Traffic importance
✓ Compression
Introduction The router performs queuing to handle arriving traffic in such a way that it benefits the organization more than the default configuration does. Queuing can place certain types of traffic ahead of other types when the router decides what packet to route next. This process can be useful when an organization uses protocols that are more sensitive to delay than other protocols. This chapter covers when to use each of the three types of queuing, how to configure the router for each type, and the potential pitfalls. Queuing is most effective on slow “bursty” links. Generally, these links are WAN serial lines. If a link experiences a small amount of congestion, then traffic queuing might be an option to improve the user’s perception of increased traffic throughput. If a link does not ever get congested or is always congested, then it is unlikely that traffic queuing will be of much benefit. A router can establish separate bandwidth allocations for each of the many protocols and types of traffic.
Understanding Basic Queuing Cisco routers offer three basic queuing strategies: ➤ Weighted fair queuing (WFQ) ➤ Priority queuing (PQ) ➤ Custom queuing (CQ)
WFQ raises the priority level of packets that are smaller above the priority level of large packets. This process tends to benefit traffic generated by applications where the user would notice a lag. An example is Telnet traffic. Telnet sends small TCP packets containing a single character. Once the packet is returned to the user, the character is placed on the screen. A user notices the delay if this placement does not happen quickly, and in many cases, productivity suffers. As of Cisco IOS version 11.3, WFQ is the default on serial interfaces up to 2.048Mbps, assuming the interface supports it. PQ places traffic in groups according to the configured priority of the traffic in question. It is possible to place Internetwork Packet Exchange (IPX) traffic in a higher priority group than IP and vice versa. CQ is an extension of PQ. The administrator has more options available and can differentiate to a greater degree than with PQ.
Determining the Necessary Queuing Strategy The first thing to determine when it comes to traffic queuing is what type of traffic deserves priority. This decision depends on the needs of the organization. Typically, any traffic generated by some sort of terminal or terminal emulator is a prime candidate to benefit from traffic queuing. These applications are susceptible to perceived delays from the user. In other cases, the administrator might decide that all IPX traffic has priority because it is mission-critical, whereas IP is not. What type of traffic the administrator determines is important has a big impact on the appropriate selection of a queuing strategy. To determine which type of queuing is appropriate, administrators should ask themselves the following questions:
1. Are the links congested? If not, no queuing strategy is necessary because traffic is not being delayed by bandwidth. If there is a delay, but the links are not congested, then the problem might be caused by upstream or downstream links. A router that isn’t robust enough for the job at hand could also be the cause.
2. Does the administrator require strict control over the order of traffic? If not, WFQ is the answer in most cases.
3. Can all traffic handle a delay? If not, refer to the section on PQ. If so, see the section on CQ.
The following three sections describe each type of queuing in detail and provide an example.
WFQ WFQ follows a modified “first in, first out” (FIFO) strategy. Normally, a router routes traffic based on the standard definition of FIFO, except on slow serial links. Unfortunately, this process often means that a router spends its time waiting for a large packet to finish arriving when a small packet is sitting there waiting its turn.
WFQ Concepts The modified FIFO strategy tells the router to route the first packet that arrives completely. When a small packet and a large one head toward the router and they start arriving at close to the same time, the small packet finishes arriving long before the large packet. Rather than wait for the large
packet to finish arriving, the router routes the small packet. Figure 12.1 shows an example.
Figure 12.1 WFQ
WFQ also breaks up streams of packets into conversations. Because packet streams can hog the available bandwidth, the router breaks up the stream and inserts other packets that need to be routed. An example of a packet stream is an FTP transfer. WFQ breaks up the megabytes associated with the download and allows time-sensitive traffic to be routed. The router can break up streams into several different types of conversations, including the following: ➤ Source or destination MAC address ➤ Source or destination network address ➤ Source or destination port or socket address ➤ Frame Relay data-link connection identifier (DLCI) ➤ Quality-of-service (QoS) values
WFQ is enabled by default on all physical interfaces that have a bandwidth of 2.048Mbps or less and that do not use Synchronous Data Link Control (SDLC) Protocol; Point-to-Point Protocol (PPP) with compression; X.25; or Link Access Procedure, Balanced (LAPB) encapsulation. WFQ is not available on interfaces that have these items configured.
WFQ Configuration You use the fair-queue command to establish WFQ on an interface. In addition, this command sets a congestive-discard-threshold value. This value controls how many packets in a given conversation are queued before the router discards new packets. This setting is what helps alleviate the effects of packet streams. The following code illustrates how to configure WFQ, as well as provides a sample configuration statement:
Router(config-if)#fair-queue congestive-discard-threshold-number dynamic-queues reservable-queues
Router(config-if)#fair-queue 128 256 0
If the congestive-discard-threshold-number is set to 128, up to 128 packets are placed in the queue for a given conversation. Once the 128-packet limit is reached, the router discards packets arriving for that conversation until the number of packets queued for that conversation falls below one-fourth of the value, in this case 32. The default value for the congestive-discard-threshold-number is 64. Its range is 1 through 512, inclusive. The number of dynamic queues determines the number of ongoing conversations that don’t require any special resource reservations. The minimum number is 16, with allowed values doubling up to a maximum of 4096. The default is a function of the bandwidth configured on the interface: a 64Kbps interface has a default of 16, and a 512Kbps interface has 256 queues by default. The reservable queues are used for conversations that have some sort of bandwidth reservation attached to them, such as a Resource Reservation Protocol (RSVP) conversation. The available range is 0 through 1000 with a default of 0. If you are using RSVP but haven’t specifically configured it on a WFQ interface, normal queues are used for reserved-bandwidth traffic.
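To make the discard behaviour concrete, the following Python script is an added example (not from the book). It models a single WFQ conversation queue with the congestive discard threshold semantics the text describes: arrivals are accepted until the queue holds the threshold number of packets, then dropped until the queue drains below one-fourth of the threshold. The ConversationQueue class, the run helper, and its ‘a’/‘d’ event script are this example’s assumptions.

```python
from collections import deque


class ConversationQueue:
    """One WFQ conversation (flow) queue with a congestive discard threshold (CDT)."""

    def __init__(self, cdt=64):
        if not 1 <= cdt <= 512:                       # range the text gives; default 64
            raise ValueError("congestive-discard-threshold must be 1-512")
        self.cdt = cdt
        self.reopen_at = cdt // 4                     # accept again once depth is below this
        self.q = deque()
        self.discarding = False
        self.dropped = 0

    def arrive(self, pkt):
        """Enqueue pkt; return False if it is discarded."""
        if self.discarding:
            if len(self.q) >= self.reopen_at:         # still draining: keep dropping
                self.dropped += 1
                return False
            self.discarding = False                   # fell below one-fourth of CDT
        if len(self.q) >= self.cdt:                   # threshold hit: enter discard state
            self.discarding = True
            self.dropped += 1
            return False
        self.q.append(pkt)
        return True

    def depart(self):
        """The scheduler takes one packet from this conversation (None if empty)."""
        return self.q.popleft() if self.q else None


def run(cdt, script):
    """Drive one conversation with a constructed event script: 'a' = packet arrives,
    'd' = scheduler sends one packet. Returns (accepted, dropped, final depth)."""
    cq = ConversationQueue(cdt)
    accepted = 0
    for n, event in enumerate(script):
        if event == "a":
            accepted += cq.arrive(n)
        elif event == "d":
            cq.depart()
        else:
            raise ValueError(f"unknown event {event!r}")
    return accepted, cq.dropped, len(cq.q)


if __name__ == "__main__":
    # 130 back-to-back arrivals with CDT 128: 128 queued, then the burst is cut off.
    print(run(128, "a" * 130))                          # (128, 2, 128)
    # Draining to 32 is not enough (not below one-fourth); 31 reopens the queue.
    print(run(128, "a" * 130 + "d" * 96 + "a"))         # (128, 3, 32)
    print(run(128, "a" * 130 + "d" * 97 + "a"))         # (129, 2, 32)
```

The gap between the threshold and the reopen point is what stops a single greedy stream from re-filling its queue the instant one packet leaves; the other conversations get served in the meantime.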
PQ PQ allows the administrator to tell the router to send all packets of a certain type before moving on to other packets. For example, an administrator can configure PQ to send all Telnet traffic before sending any other type.
PQ Concepts PQ consists of four queues where packets can be placed while waiting to be routed, as shown in Figure 12.2. These queues and their default sizes (in packets) are
High 20 packets
Medium 40 packets
Normal 60 packets
Low 80 packets
The more important queues don’t require as large a buffer because the router always services them first. Each time it has a packet to send, the router starts at the High queue and takes the first packet it finds working down the list, so a lower queue is served only while every queue above it is empty (a packet whose time-to-live (TTL) has expired while waiting is discarded rather than forwarded). If the High queue is kept busy, there is a real risk that the router never services the lower-level queues; the queue limits do nothing to prevent that starvation.
Figure 12.2 PQs (the High, Medium, Normal, and Low queues)
PQ Configuration Once you decide to use PQ, you must decide what protocols go to what queues. More than one protocol may inhabit a queue, and you must assign a default queue to capture any traffic not specified. You do so via a priority list. You can configure a priority list by both interface and protocol: a single list might state that all TCP/IP traffic goes to the High queue, and all traffic coming in interface Ethernet 2 goes to the Medium queue. The following command strings, in order, show how to configure a priority list by protocol and by interface, followed by syntax explanations in Table 12.1 and value descriptions in Table 12.2: Router(config)#priority-list list-number protocol protocol-name (high | medium | normal | low) queue-keyword keyword-value Router(config)#priority-list list-number interface interface-type interface-number (high | medium | normal | low)
Table 12.1 PQ Configuration
Parameter                        Explanation
list-number                      In IOS versions 11.2 and higher, any value from 1 to 16 inclusive. In IOS versions 11.1 and earlier, 1 through 10, inclusive.
protocol-name                    aarp, arp, apollo, appletalk, bridge (transparent), clns, clns_es, clns_is, compressedtcp, cmns, decnet, decnet_node, decnet_router-l1, decnet_router-l2, ip, ipx, pad, rsrb, stun, vines, xns, or x25. Please note that with the decnet-router types, the last character is a number and the character preceding the number is a lowercase L.
queue-keyword and keyword-value  See Table 12.2.
interface-type                   The type of interface, such as Ethernet or serial.
interface-number                 The number of the specified interface.
Table 12.2 Queue Keywords and Values
Queue Keyword     Keyword Value
byte-count        gt (greater than) or lt (less than)
list              An access list number
(tcp | udp) port  A port number or name
fragments         An IP-only option; assigns a queue to fragmented IP packets
The following commands, in order, show how to specify which queue is the default, change the queue sizes, and attach the priority list to an interface. Each command is then explained in Table 12.3: Router(config)#priority-list list-number default (high | medium | normal | ➥low) Router(config)#priority-list list-number queue-limit high-queue-limit medium-queue-limit normal-queue-limit low-queue-limit Router(config-if)#priority-group list-number
Table 12.3 Queue Sizes
Queue               Size
high-queue-limit    Number of datagrams you can store in the High queue. The default is 20.
medium-queue-limit  Number of datagrams you can store in the Medium queue. The default is 40.
normal-queue-limit  Number of datagrams you can store in the Normal queue. The default is 60.
low-queue-limit     Number of datagrams you can store in the Low queue. The default is 80.
Cisco put a lot of effort into making the default queue values efficient. Think carefully before changing the values. A change might leave lower queues not serviced as often or at all.
A PQ Example The following is an example of a PQ configuration and interface application. The following command places all Telnet traffic into the High queue: Router(config)#priority-list 1 protocol ip high tcp 23
The next command places all IP traffic allowed by access list 1 into the High queue: Router(config)#priority-list 1 protocol ip high list 1
This command places all other IP traffic into the Medium queue: Router(config)#priority-list 1 protocol ip medium
The next command places all non-IP traffic arriving from Serial 1 into the Normal queue. Previous statements already placed any IP traffic into queues: Router(config)#priority-list 1 interface serial 1 normal
This command places all AppleTalk traffic into the Low queue: Router(config)#priority-list 1 protocol appletalk low
The following line places all IPX traffic into the Low queue: Router(config)#priority-list 1 protocol ipx low
The next line establishes the Low queue as the queue where all nonspecified traffic will go: Router(config)#priority-list 1 default low
The next line changes the default settings for how many packets each queue can hold from 20 for the High, 40 for the Medium, 60 for the Normal, and 80 for the Low to 20 for the High, 50 for the Medium, 60 for the Normal, and 80 for the Low: Router(config)#priority-list 1 queue-limit 20 50 60 80
This line is the access list referenced earlier: Router(config)#access-list 1 permit 192.168.72.6
The following command moves from global configuration mode to interface configuration mode for Ethernet 0: Router(config)#interface Ethernet 0
The next command applies the priority group to interface Ethernet 0: Router(config-if)#priority-group 1
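The following Python script is an added example (not from the book) that models the priority list just built: entries are checked in the order they were entered and the first match assigns the queue, unmatched traffic goes to the default queue, each queue tail-drops when it reaches its packet limit, and the scheduler always sends from the highest non-empty queue. Packets are plain dictionaries constructed here (proto, in_if, src, sport and dport fields), and the PriorityList class and helper names are this example’s assumptions; IOS matches a tcp port against either the source or the destination port, which the model follows.

```python
from collections import deque

QUEUES = ("high", "medium", "normal", "low")            # strict order of service
DEFAULT_LIMITS = {"high": 20, "medium": 40, "normal": 60, "low": 80}


class PriorityList:
    """One priority-list: ordered match entries, a default queue, four bounded queues."""

    def __init__(self, default="normal", limits=None):
        self.entries = []                                      # (match_fn, queue), config order
        self.default = default
        self.limits = dict(DEFAULT_LIMITS, **(limits or {}))   # priority-list N queue-limit ...
        self.queues = {q: deque() for q in QUEUES}
        self.tail_drops = {q: 0 for q in QUEUES}

    def protocol(self, proto, queue, tcp_port=None, acl=None):
        """priority-list N protocol <proto> <queue> [tcp <port>] [list <acl>]"""
        def match(p):
            if p["proto"] != proto:
                return False
            if tcp_port is not None and tcp_port not in (p.get("sport"), p.get("dport")):
                return False
            return acl is None or acl(p)
        self.entries.append((match, queue))

    def interface(self, ifname, queue):
        """priority-list N interface <ifname> <queue>"""
        self.entries.append((lambda p: p["in_if"] == ifname, queue))

    def classify(self, p):
        for match, queue in self.entries:                      # first match wins
            if match(p):
                return queue
        return self.default

    def enqueue(self, p):
        q = self.classify(p)
        if len(self.queues[q]) >= self.limits[q]:
            self.tail_drops[q] += 1
            return None
        self.queues[q].append(p)
        return q

    def dequeue(self):
        """Each send restarts at the High queue: strict priority, lower queues can starve."""
        for q in QUEUES:
            if self.queues[q]:
                return q, self.queues[q].popleft()
        return None


def build_chapter_list():
    """The chapter's priority-list 1, entry by entry, in the same order."""
    pl = PriorityList(default="low", limits={"medium": 50})    # default low; queue-limit 20 50 60 80
    acl_1 = lambda p: p["src"] == "192.168.72.6"               # access-list 1 permit 192.168.72.6
    pl.protocol("ip", "high", tcp_port=23)                     # protocol ip high tcp 23
    pl.protocol("ip", "high", acl=acl_1)                       # protocol ip high list 1
    pl.protocol("ip", "medium")                                # protocol ip medium
    pl.interface("Serial1", "normal")                          # interface serial 1 normal
    pl.protocol("appletalk", "low")                            # protocol appletalk low
    pl.protocol("ipx", "low")                                  # protocol ipx low
    return pl


def service_all(pl, packets):
    """Enqueue a burst, then drain; returns the queue each transmitted packet came from."""
    for p in packets:
        pl.enqueue(p)
    order = []
    while (item := pl.dequeue()) is not None:
        order.append(item[0])
    return order
```

Two things the model makes visible: an IP packet arriving on Serial 1 lands in Medium, not Normal, because the protocol ip medium entry precedes the interface entry; and a burst of 25 Telnet packets loses five to the High queue’s limit of 20 while the IPX packets behind them wait.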
CQ CQ allows the administrator to prioritize traffic so that important traffic is serviced more frequently. At the same time, this queuing strategy does not ignore certain protocols because it is too busy handling others. Whereas PQ handles all traffic in an upper queue before moving to a lower queue, CQ handles a certain amount of data in a given queue and then moves on to the next queue.
CQ Concepts CQ allocates traffic to up to 16 queues via a queue list, 10 queues if using an IOS version prior to 11.0. The list chooses a queue for a packet according to the protocol, the interface the packet arrived from, the TCP/IP application the packet is for, and other characteristics. When the router begins handling queued packets, it looks in the first queue available. The first queue, queue 0, handles router system traffic such as keepalives. Once the first queue is empty, certain rules take over. The first rule is that traffic is handled in a “round robin” fashion. Once the router is finished with a given queue, it moves on to the next. The CQ router does not start at the beginning as it does with PQ. The second rule is that the router is finished servicing a queue once it pulls a certain number of packets or a certain number of bytes out of that queue, regardless of whether more packets are waiting to be serviced.
CQ Configuration The following commands show how to configure custom queuing based on protocol and interface; the details appear in Table 12.4:
Router(config)#queue-list list-number protocol protocol-name queue-number queue-keyword keyword-value
Router(config)#queue-list list-number interface interface-type interface-number queue-number
Table 12.4 CQ Parameters
Parameter                   Value
list-number                 The number of the queue list from 1 to 16, as in PQ.
protocol-name               The name of the protocol, as in PQ.
queue-number                The number of the custom queue from 1 to 16. You do not have to configure them in any specific order, and you can leave gaps between queues.
queue-keyword keyword-value gt (greater than), lt (less than), list, tcp or udp, and a port value.
interface-type              The name of the interface.
interface-number            The number of the interface.
The administrator must also assign a default queue for packets that are not covered by the queue list. The administrator can change the number of packets each queue will hold. Those commands follow, with explanations in Table 12.5:
Router(config)#queue-list list-number default queue-number
Router(config)#queue-list list-number queue queue-number limit limit-number
Table 12.5 CQ Numbering and Sizes
Parameter     Value
list-number   The number of the queue list from 1 to 16.
queue-number  The number of the custom queue from 1 to 16.
limit-number  The maximum number of packets that a queue may hold at any one time. Values range from 0 through 32,767, inclusive, with a default value of 20.
The administrator can specify how long the router keeps forwarding packets from any one queue by configuring how many bytes it may send before moving on to the next queue. If a queue holds more than the router is configured to forward in one visit, the router forwards packets until it reaches the configured byte count, finishing the packet that carries it over the limit, and then moves on to the next queue. When choosing the byte count, pay attention to the packet size on the topology. If you configure the first queue for 2000 bytes and all remaining queues for 1500 bytes, full-size Ethernet frames in the first queue get twice the attention of those in any other queue: a full Ethernet frame is slightly larger than 1500 bytes (1500 bytes of payload plus header and trailer), so the router forwards one frame from each 1500-byte queue but two from the 2000-byte queue. Following is the command to configure how many bytes are transferred from each queue every time the router accesses that queue and the command to set the queue list on an interface. Table 12.6 explains the options that you can use here:
Router(config)#queue-list list-number queue queue-number byte-count byte-count-number
Router(config-if)#custom-queue-list list
Table 12.6 CQ Throughput and Interface Application
Parameter          Value
list-number        The number of the queue list from 1 to 16.
queue-number       The number of the CQ from 1 to 16.
byte-count-number  The minimum number of bytes the router is to forward from a specific queue. The default for all queues is 1500 bytes.
list               The queue list number created to place packets in queues.
A CQ Example
This example shows how you can give Telnet traffic the highest priority, followed by other IP traffic and anything entering the router via interface Serial 1; AppleTalk, IPX, and all other traffic is considered less critical. It is important to note that when a packet fits more than one queue, it is placed in the queue with the higher priority.

The first command puts all Telnet (TCP port 23) traffic in queue 1:
Router(config)#queue-list 1 protocol ip 1 tcp 23

The next command places all other IP traffic in queue 2:
Router(config)#queue-list 1 protocol ip 2

This command puts all traffic that is not IP traffic, but is traffic arriving from Serial 0/1, in queue 3:
Router(config)#queue-list 1 interface s0/1 3

The following command puts all AppleTalk traffic in queue 4:
Router(config)#queue-list 1 protocol appletalk 4

This line puts all IPX traffic in queue 5:
Router(config)#queue-list 1 protocol ipx 5

The next line creates a default queue for all other traffic that the router might be configured to support:
Router(config)#queue-list 1 default 6

This command raises the number of packets that queue 1 can store from 20 to 40:
Router(config)#queue-list 1 queue 1 limit 40

The next command raises the number of bytes that the router can forward when handling queue 1 from 1,500 to 3,000:
Router(config)#queue-list 1 queue 1 byte-count 3000

The following line reduces the number of bytes that the router will forward for AppleTalk traffic in queue 5 from 1500 to 500. This setting can be useful if you do not want the router to spend much time forwarding many small packets for network informational purposes:
Router(config)#queue-list 1 queue 5 byte-count 500

The next line is a duplicate of the preceding line, affecting IPX packets in queue 6:
Router(config)#queue-list 1 queue 6 byte-count 500

The following line moves from global configuration mode to interface configuration mode for Ethernet 0/0:
Router(config)#interface Ethernet 0/0

This command applies the list to interface Ethernet 0/0:
Router(config-if)#custom-queue-list 1
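The byte-count behaviour described above (the router keeps forwarding from a queue until the byte budget is reached, and the packet that crosses the budget still goes whole) and the per-queue depth limit can be watched in a small simulation. This is an added example written for this page, not IOS code or a Cisco tool: the CustomQueue class, the service_once and round_robin functions, and the 1514-byte Ethernet frame size are constructed assumptions used only for illustration.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field


@dataclass
class CustomQueue:
    """One custom queue: a depth limit (queue-list ... limit) and a
    per-visit byte budget (queue-list ... byte-count). Defaults follow
    the text: 20 packets deep, 1500 bytes per visit."""
    number: int
    limit: int = 20
    byte_count: int = 1500
    packets: deque = field(default_factory=deque)   # sizes in bytes, FIFO
    dropped: int = 0

    def enqueue(self, size: int) -> bool:
        # Tail-drop once the queue already holds 'limit' packets.
        if len(self.packets) >= self.limit:
            self.dropped += 1
            return False
        self.packets.append(size)
        return True


def service_once(q: CustomQueue) -> list:
    """Forward packets from q until byte_count is reached. The packet that
    crosses the threshold is still sent whole, so a 1500-byte budget with
    1514-byte frames forwards one frame and a 3000-byte budget forwards two."""
    sent, total = [], 0
    while q.packets and total < q.byte_count:
        size = q.packets.popleft()
        sent.append(size)
        total += size
    return sent


def round_robin(queues: list, rounds: int) -> dict:
    """Visit every queue in order for 'rounds' cycles; return packets sent per queue."""
    forwarded = {q.number: 0 for q in queues}
    for _ in range(rounds):
        for q in queues:
            forwarded[q.number] += len(service_once(q))
    return forwarded


def demo() -> dict:
    # Constructed scenario: queue 1 gets limit 40 and byte-count 3000 as in the
    # example above; queues 2 and 3 keep the defaults. Every queue is offered
    # 40 Ethernet frames of 1514 bytes, then the scheduler runs ten rounds.
    queues = [CustomQueue(1, limit=40, byte_count=3000), CustomQueue(2), CustomQueue(3)]
    for q in queues:
        for _ in range(40):
            q.enqueue(1514)
    forwarded = round_robin(queues, rounds=10)
    return {"forwarded": forwarded, "dropped": {q.number: q.dropped for q in queues}}


if __name__ == "__main__":
    print(demo())
```

With queue 1 at byte-count 3000 and the others at the 1500-byte default, each round forwards two 1514-byte frames from queue 1 and one from each other queue, which is the "twice the attention" effect the text describes; the queues left at the default depth of 20 also tail-drop the frames offered beyond that limit, so raising limit on a queue that carries bursty traffic matters as much as raising its byte-count.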
Advanced Queuing
Advanced queuing concepts typically combine one or more of the queuing methods previously discussed with new data-transfer techniques.

PQ-WFQ
PQ and WFQ have traditionally been the most popular ways to prioritize traffic (until the Voice over IP boom, that is). The problem is that voice is highly time-sensitive, and although a router can examine various parts of a packet against an access list to see whether it is a voice packet, such a process takes time. PQ-WFQ is designed to add a priority function to a WFQ process, as shown in Figure 12.3. Essentially, it gives the router two WFQ systems, one for normal traffic and another for voice. The high-priority traffic is always serviced before the lower-priority traffic, but otherwise, there is no other prioritization. Everything is treated in a fair-queue fashion.

Figure 12.3 PQ-WFQ (figure: a high-priority queue for voice serviced ahead of a weighted-fair queue for data)
You use the following command in interface configuration mode to tell the router to look for Real-Time Transport Protocol (RTP) packets and assign them priority:
Router(config-if)#ip rtp priority starting-rtp-port-number port-number-range bandwidth

The port number is the port that the voice application will begin using, and the range indicates how many ports can be used. The router first looks in the User Datagram Protocol (UDP) header to see whether it’s a voice packet before digging deeper for the actual RTP header. If it doesn’t see a port in the appropriate UDP port range, it treats the packet as any other traffic. The bandwidth option indicates how much bandwidth in Kbps can be used for the priority traffic.
Class-based WFQ
You would use class-based WFQ (CB-WFQ) for reasons similar to why you would use PQ-WFQ; the primary difference is the way traffic is handled. It too uses WFQ on different classes of traffic, but at the core of CB-WFQ lies the token bucket, which controls the rate at which data can cross the circuit, no matter how much bandwidth is available. When configured, a token bucket collects tokens that represent an amount of data transferred in a given time. Before data can be transferred, the sender needs to collect tokens out of the bucket, allowing it to send the data. This process ensures that the data being sent fits the prescribed bandwidth available. It can also be linked to a moving target, such as a Frame Relay committed information rate (CIR).
CB-WFQ Steps
You need to take only a few steps when configuring CB-WFQ. First, you define the traffic that will apply. You typically do so by creating a map class and using an access list to strictly define the traffic. Another way is to match on protocol. Next, you provide the traffic-specific information, such as average and peak bandwidth bit rates. You do so in a policy map. The policy map also contains the configured map class information. It’s important to note that there can be several classes defined inside a single policy. Last, you apply the whole thing to an interface. Before traffic of the specific type can leave the interface, the router needs to pull tokens out of the token bucket, representing how much data is crossing within a certain time frame.
Although you can configure CB-WFQ on serial, Asynchronous Transfer Mode (ATM), and Ethernet interfaces, among others, you cannot configure CB-WFQ on Ethernet subinterfaces, such as those routing virtual LAN (VLAN) information.
Configuring CB-WFQ
This section shows the commands that you can use to configure CB-WFQ and describes what each one is doing. The first line configures a map class called demo on the router and places the router into map class configuration mode:
Router(config)#class-map demo

The next command says that access list 102 will define the traffic that is interesting to this bandwidth segment:
Router(config-cmap)#match access-group 102

The following line defines a policy map on the router called circuit and places the router into policy map configuration mode:
Router(config)#policy-map circuit

The next command attaches the configured map class to the policy:
Router(config-pmap)#class demo

This line keeps the maximum bandwidth used at the CIR of 384,000 bits per second:
Router(config-pmap-c)#shape average 384000

The following command indicates how much bandwidth in Kbps is available for the traffic that matches the access list in the map class defined by demo:
Router(config-pmap-c)#bandwidth 256

The next command defines a second class called class-default. Not requiring a specific configuration, this class defines what to do with all other traffic that doesn’t match an access list entry:
Router(config-pmap-c)#class class-default

The next command indicates that unclassified flows should be treated in a fashion consistent with WFQ:
Router(config-pmap-c)#fair-queue
The following line places the router into interface configuration mode for Serial 0/0:
Router(config)#interface serial 0/0

This command applies the policy to the interface. You can apply policies toward traffic either arriving or leaving:
Router(config-if)#service-policy output circuit

You can configure a number of other options as well. For example, you might want to define the precedence tag in the IP header for traffic that matches the access list entry. You could do so in the policy for the specific map class through the set ip precedence command and define an input policy on the interface instead of an output.
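The token bucket behind the shape average 384000 line in the policy above can be made concrete with a simulation: tokens are credited at the configured rate, a packet leaves only when the bucket holds enough tokens, and anything offered faster than the rate is delayed rather than dropped. This is an added example, not code from the book or from IOS; the TokenBucketShaper class, the shape_flow driver, the burst size, and the offered traffic (1500-byte packets every 10 ms) are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucketShaper:
    """Traffic shaper built on a token bucket. Tokens are bits credited at the
    configured average rate; a packet may leave only when the bucket holds at
    least its size in bits, otherwise it waits (shaping delays, it does not
    drop) until the deficit has been earned. burst_bits is the assumed
    committed burst (Bc) the bucket can hold."""
    rate_bps: float
    burst_bits: float
    tokens: float = field(init=False)
    last: float = 0.0            # time of the last bucket update, seconds

    def __post_init__(self):
        self.tokens = self.burst_bits   # bucket starts full

    def _refill(self, now: float) -> None:
        self.tokens = min(self.burst_bits,
                          self.tokens + (now - self.last) * self.rate_bps)
        self.last = now

    def departure_time(self, now: float, size_bytes: int) -> float:
        """Return the time at which a packet offered at 'now' may be sent."""
        bits = size_bytes * 8
        self._refill(now)
        if self.tokens >= bits:
            self.tokens -= bits
            return now
        depart = now + (bits - self.tokens) / self.rate_bps
        self.tokens = 0.0          # exactly the deficit has been earned at 'depart'
        self.last = depart
        return depart


def shape_flow(shaper: TokenBucketShaper, packet_bytes: int,
               n_packets: int, arrival_interval: float) -> list:
    """Offer n_packets of packet_bytes every arrival_interval seconds through
    a FIFO shaping queue and return the list of departure times."""
    departures, last_departure = [], 0.0
    for i in range(n_packets):
        arrival = i * arrival_interval
        # A packet cannot leave before the one queued ahead of it.
        depart = shaper.departure_time(max(arrival, last_departure), packet_bytes)
        departures.append(depart)
        last_departure = depart
    return departures


def achieved_rate_bps(departures: list, packet_bytes: int) -> float:
    """Average rate between the first and last departure, in bits per second."""
    span = departures[-1] - departures[0]
    return (len(departures) - 1) * packet_bytes * 8 / span


def demo() -> dict:
    # Constructed scenario: CIR 384,000 bps, a 12,000-bit (one 1500-byte packet)
    # burst, and 100 packets of 1500 bytes arriving every 10 ms (about 1.2 Mbps
    # offered, three times the CIR).
    shaper = TokenBucketShaper(rate_bps=384_000, burst_bits=12_000)
    departures = shape_flow(shaper, packet_bytes=1500, n_packets=100, arrival_interval=0.01)
    delays = [d - i * 0.01 for i, d in enumerate(departures)]
    return {"rate_bps": achieved_rate_bps(departures, 1500),
            "max_delay_s": max(delays),
            "last_departure_s": departures[-1]}


if __name__ == "__main__":
    print(demo())
```

The first packet leaves at once because the bucket starts full; every later packet is spaced 12,000 / 384,000 = 31.25 ms apart, so the output settles at exactly the CIR while the backlog (and the queuing delay, over two seconds by the last packet) grows. That is the trade-off of shaping: it keeps the circuit within the CIR but buys it with latency, which is why the separate bandwidth 256 guarantee and, later, a strict-priority class matter for interactive traffic.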
Low-Latency Queuing
The primary component missing from CB-WFQ is that of prioritization. There’s no way to say that this one type of traffic always goes first without giving it a high amount of bandwidth. Prioritization with CB-WFQ directly depends on how much bandwidth you assign. Designed for time-sensitive interactive traffic such as audio, low-latency queuing is a simple add-on to CB-WFQ. When complete, it allows the router to examine the IP packet, looking for RTP information inside. If it finds an RTP packet, the router puts the packet in the priority queue, allowing it to be forwarded before any other traffic. The following command gives strict priority to a class within a policy map, and you use it with commands from CB-WFQ. The bandwidth is the amount in Kbps (that will be reserved for the high-priority traffic). Any amount beyond it will spill into the lower-priority queues, possibly down to the undefined traffic queues:
Router(config-pmap-c)# priority bandwidth
Case Study
Acme Corporation is a large organization with offices throughout the Southwest. Its major client is Desert Predators, Inc. Due to the large volume of orders that Desert Predators generates, it has a leased line connection direct to Acme’s network. Since Acme set up its Internet connectivity, the traffic generated by employees using the Internet for business purposes has caused some unacceptable delays in filling orders from Desert Predators, as well as from other customers. Desert Predators accesses the Acme network via a TCP/IP Telnet connection. Orders are placed on a server on the Acme network, which then converts the information into a format that the Acme backend systems can process. Acme’s problem is that customers entering data often experience many short delays in seeing data on their screens. To ensure that data is entered correctly, the order-entry people often wait several seconds to make sure the system is accepting their information. Acme wants to correct this problem. Acme management wants all customer traffic to receive top priority and wants to ensure the least amount of delay possible. They look at Internet access as a convenience to their employees, and as such, performance may be permitted to suffer if it makes their customers happier:
➤ Customer order entry times are unacceptable.
➤ While the Internet is used, it is regarded as less important than customer data.
➤ Acme uses protocols beyond TCP/IP.

The goal of the exercise is to determine what type of traffic-management configuration you should use in what fashion.
Data Compression
In addition to the queuing methods mentioned previously, Cisco routers also support several forms of compression. Compression increases the efficiency of WAN links by making packets smaller, reducing the amount of bandwidth they use. This compression comes at a cost of increased processor usage on the routers on either side of the WAN link. The supported types of compression are
➤ Link compression (also known as per-interface compression)
➤ Payload compression (also known as per-virtual circuit compression)
➤ TCP header compression
➤ Microsoft Point-to-Point Compression (MPPC)
In addition, a hardware compression card is available on some Cisco devices. The exam does not cover hardware-compression features.
Link Compression
Link compression, also called per-interface compression, involves compressing both the header portion and the data portion of the packet. Although link compression is Layer 3 protocol independent, it is not encapsulation independent. You may use link compression when using PPP or LAPB encapsulation utilizing either Predictor or STAC compression, which are explained later in this chapter. If using High-Level Data Link Control (HDLC) encapsulation, you may only use STAC compression. The best time to use link compression is on slow, point-to-point WAN links. 56Kbps Frame Relay or ISDN lines are good examples.

Predictor
Predictor compression attempts to predict a sequence of characters by examining a sequence in a dictionary. Predictor then looks at the next string of bits in the data portion to see whether there is a match. If there is a match, then the new character sequence replaces the old. If it does not match, Predictor starts the process again with the next set of characters.

STAC
An offshoot of one of the first desktop compression algorithms, STAC was developed by STAC Electronics, and is a Lempel-Ziv compression algorithm. STAC examines data strings for redundant characters and replaces them with a smaller token. For example, if a data string contains the characters 2345678 several times, STAC can replace that string with the notation @3. This notation, being smaller than the original string, reduces bandwidth usage. The notation is converted back to the original string on the other side of the WAN.

MPPC
The MPPC protocol allows Cisco routers to communicate with Microsoft clients using a compressed data stream. When enabled on an access server interface, this protocol allows the client to gain increased bandwidth. This type of compression is highly recommended for corporate dial-in customers where the clients must dial an 800 number and are using a Microsoft operating system.
Use the following command to configure point-to-point software compression for an LAPB, PPP, or HDLC link:
Router(config-if)#compress < predictor | stac | mppc >

Using a lossless compression algorithm, an algorithm that exactly recreates the original data streams without degradation, routers can reliably transport data across a WAN. If you are using PPP encapsulation across a point-to-point link, you can use the following interface configuration command instead of the compress command:
Router(config-if)#ppp compress < predictor | stac >
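The Lempel-Ziv idea behind STAC (replace a string that already appeared with a short token pointing back at it) and the lossless property mentioned above can both be seen in a small LZ77-style coder with its decoder. This is an added example for this page, not STAC, Predictor, or any Cisco implementation: the token layout (offset, length, next byte), the 255-byte window, and the sample input built from the 2345678 string in the text are constructed for the demonstration.

```python
def lz77_compress(data: bytes, window: int = 255, max_match: int = 255) -> list:
    """Return a list of tokens. A literal is (0, 0, byte); a back-reference
    (offset, length, next_byte) means 'copy length bytes starting offset bytes
    back, then emit next_byte'. Back-references are the smaller token that
    replaces a repeated string."""
    i, out = 0, []
    while i < len(data):
        best_len, best_off = 0, 0
        for j in range(max(0, i - window), i):
            length = 0
            # The match may run past i (overlap); that is allowed because the
            # decoder copies byte by byte. Stop one byte early so that a
            # next_byte always exists after the match.
            while (length < max_match and i + length < len(data) - 1
                   and data[j + length] == data[i + length]):
                length += 1
            if length > best_len:
                best_len, best_off = length, i - j
        if best_len >= 3:                       # shorter matches cost more than a literal
            out.append((best_off, best_len, data[i + best_len]))
            i += best_len + 1
        else:
            out.append((0, 0, data[i]))
            i += 1
    return out


def lz77_decompress(tokens: list) -> bytes:
    """Rebuild the exact original bytes from the token list."""
    out = bytearray()
    for offset, length, next_byte in tokens:
        start = len(out) - offset
        for k in range(length):                 # byte by byte so overlapping copies work
            out.append(out[start + k])
        out.append(next_byte)
    return bytes(out)


def encoded_size(tokens: list) -> int:
    # Each token is serialised as 3 bytes (1-byte offset, 1-byte length,
    # 1 literal byte); offset and length fit in a byte because the window and
    # max_match are both limited to 255.
    return 3 * len(tokens)


# Constructed input: the repeated string from the text, plus a non-repeating tail.
SAMPLE = b"2345678 " * 8 + b"tail"


def ratio_demo(data: bytes = SAMPLE) -> tuple:
    """Return (original length, encoded length, round trip exact?)."""
    tokens = lz77_compress(data)
    return len(data), encoded_size(tokens), lz77_decompress(tokens) == data


if __name__ == "__main__":
    print(ratio_demo())                   # repetitive input shrinks
    print(ratio_demo(bytes(range(40))))   # input with no repeats grows
```

The repetitive sample shrinks from 68 to 36 bytes and comes back bit for bit, which is what "lossless" means in the text; the second call shows the flip side, input with no repeated strings grows by a factor of three. That is why compressing data that is already compressed or encrypted only burns router CPU, and why the earlier note that WFQ is unavailable on compressed PPP is worth remembering when you plan both features on one link.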
Payload Compression
Sometimes known as per-virtual circuit compression, payload compression compresses only the data portion of the data stream, leaving the header intact. This process, which keeps the header readable to all devices, is primarily used in networks that can’t guarantee that a packet will always cross a particular point-to-point link. Payload compression is well suited for switched and cell-based networking topologies, such as Frame Relay, X.25, Switched Multimegabit Data Service (SMDS), and ATM. You can use the frame-relay payload-compress command to enable STAC compression on a Frame Relay point-to-point interface or subinterface. Payload compression is also effective with packets where the data portion is at least 80% of the entire packet and the packet is crossing slow links.

Header Compression
Header compression is primarily used in situations where the payload of the packet is much smaller than the header. TCP/IP header compression only works on the TCP/IP protocol, and the primary usage is on packets with small payloads, such as Telnet, while crossing slow WAN links. TCP/IP header compression leaves the Layer 2 portion of the packet uncompressed; it compresses only the TCP/IP headers. Use the following command:
Router(config-if)# ip tcp header-compression <passive>

If you use the passive option, the router only compresses outgoing packets when it receives an incoming packet that is compressed.
Modem Compression
In dial environments, compression can occur in the modem. If you decide to allow the modem to handle compression, then do not enable compression on the router interface. Two common modem compression standards are Microcom Networking Protocol 5 (MNP5) and the International Telecommunication Union Telecommunication Standardization (ITU-T) V.42bis. MNP5 and V.42bis offer up to two times and four times compression, respectively. The two specifications are not compatible. The modems at both ends of the connection negotiate the standard to use.

CPU Cycles Versus Memory
The amount of memory that a router needs depends on a number of factors. How many circuits are attached? How many and what kinds of access lists are running? Even when running a single Layer 3 protocol, the memory and CPU usage can vary widely, especially if more than one routing protocol is running. Thus, it is almost impossible to say how much of a hit a router will receive if you run compression on an interface. You will find that, in general, Predictor uses more memory than STAC does and that payload compression uses more memory than link compression. The flip side is that link compression uses more CPU time than payload compression does. In general, the most important factor for determining how compression will affect your router is how many packets are being compressed. The more packets you have that are being compressed and decompressed, the larger the performance hit your router will take.
Exam Prep Questions

Question 1
What transport protocol will not support WFQ? (Choose the most correct answer.)
❍ A. Frame Relay
❍ B. PPP
❍ C. ISDN
❍ D. AppleTalk

Answer B is the most correct. WFQ will not operate with X.25 or compressed PPP. It will operate with other serial protocols, including Frame Relay, ISDN, and AppleTalk, as long as those protocols aren’t using X.25 or compressed PPP and they operate at 2.048Mbps or slower. Therefore, Answers A, C, and D are incorrect.

Question 2
The default number of packets that the normal queue in PQ can hold is
❍ A. 20
❍ B. 40
❍ C. 60
❍ D. 80

Answer C is correct. The normal queue can hold 60 packets by default. Therefore, Answers A, B, and D are incorrect.

Question 3
The default data-transfer rate in bytes per queue with CQ is
❍ A. 4,500
❍ B. 4,000
❍ C. 3,000
❍ D. 1,500
❍ E. 500
Answer D is correct. The default transfer rate in bytes per queue is 1,500. Therefore, Answers A, B, C, and E are incorrect.

Question 4
Payload compression is best suited to what type of traffic?
❍ A. Telnet
❍ B. FTP
❍ C. ATM
❍ D. ISDN

Answer B is correct. Payload compression works well with packets where the data portion is large compared to the header portion: for example, FTP traffic. The header portion of Telnet traffic is larger than the payload. Therefore, Answer A is incorrect. ATM cells are a fixed size, and the amount of payload available depends on the AAL in use. Although the data might be compressed, ATM cells themselves might not be, so Answer C is incorrect. Just because a link is slow doesn’t mean you should use payload compression. Look at the type of traffic first. ISDN is slow, but that alone isn’t a valid reason for payload compression. Therefore, Answer D is incorrect.

Question 5
The compression option that allows compression for Microsoft operating-system clients is
❍ A. mppc
❍ B. msppc
❍ C. ppc
❍ D. mpc

Answer A is correct. The compress mppc command provides compression to Microsoft clients. Answers B, C, and D don’t exist as options for compression.
Question 6
How many queues are supported with PQ-WFQ?
❍ A. 2
❍ B. 4
❍ C. 8
❍ D. 16

Answer A is correct. PQ-WFQ supports two queues, a high-priority queue and a second queue that treats all remaining traffic in a weighted-fair fashion. Answers B, C, and D are incorrect.

Question 7
The default congestive discard threshold value for WFQ is
❍ A. 16
❍ B. 32
❍ C. 64
❍ D. 128
❍ E. 256

Answer C is correct. The default congestive discard threshold value for WFQ is 64 packets. The other values are valid settings but must be manually configured. Therefore, Answers A, B, D, and E are incorrect.

Question 8
What Layer 3 protocol supports header compression?
❍ A. AppleTalk
❍ B. IPX
❍ C. Systems Network Architecture (SNA)
❍ D. TCP/IP

Answer D is correct. Only TCP/IP supports header compression. You can use header compression when tunneling IP packets across an X.25 network. The other protocols don’t include TCP headers to compress. Therefore, Answers A, B, and C are incorrect.
Question 9
The compress command has three options you can use. Which of these are not options? (Choose three.)
❑ A. stac
❑ B. stacker
❑ C. predict
❑ D. predictor
❑ E. mpc
❑ F. mppc

Answers B, C, and E are correct. The options available with the compress command are stac, predictor, and mppc. Therefore, Answers A, D, and F are incorrect. The stacker option exists, but with the command ppp compress stacker, not the compress command. The IOS and Cisco exams can be finicky.

Question 10
What is the default number of packets that a CQ can hold?
❍ A. 20
❍ B. 40
❍ C. 60
❍ D. 64
❍ E. 80

Answer A is correct. The default number of packets that a CQ can hold is 20, with a range of 0 through 32,767. Therefore, Answers B, C, D, and E are incorrect.
Need to Know More?
More information about basic queuing commands appears in the Congestion Management section of the documentation area of the Cisco Web site at http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_book09186a00800b6bd4.html. More information about class-based traffic shaping and the many permutations available appears at http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800bd8ed.html#15609.

The Lempel-Ziv compression algorithm has quite a bit of controversy relating to its use on software. To learn more about the LZ algorithm, check out the Indiana University Knowledge Base at http://kb.indiana.edu/data/aghf.html. Information regarding the MPPC compression scheme appears in RFC 2118, information about the Predictor compression scheme appears in RFC 1978, and information on the Stacker compression scheme appears in RFC 1967 at http://www.faqs.org/rfcs/.
13 Securing the Network with VPNs

Terms you’ll need to understand:
✓ Virtual private network (VPN)
✓ Tunnel
✓ Transport
✓ Encryption
✓ Decryption
✓ Data Encryption Standard (DES)
✓ Triple DES (3DES)
✓ Cipher block chaining (CBC)
✓ Initialization value (IV)
✓ Hashing
✓ Hashed Message Authentication Codes Message Digest 5 (HMAC-MD5)
✓ HMAC Secure Hash Algorithm 1 (HMAC-SHA-1)
✓ Key management
✓ Certificate authority (CA)
✓ Cryptosystem
✓ Diffie-Hellman (D-H)
✓ Rivest, Shamir, and Adleman (RSA) digital signatures
✓ RSA nonces
✓ IP Security (IPSec)
✓ Authentication Header (AH)
✓ Encapsulating Security Payload (ESP)
✓ Internet Key Exchange (IKE)
✓ Internet Security Association and Key Management Protocol (ISAKMP)
✓ Security association (SA)
✓ Transform sets

Techniques you’ll need to master:
✓ Defining VPN and listing its advantages
✓ Describing tunneling and encryption
✓ Identifying different VPN scenarios and solutions
✓ Describing the components in cryptography
✓ Describing the five steps of IPSec
✓ Defining AH and ESP
✓ Describing how IKE works
✓ Describing how an SA is built and used
✓ Preparing for IKE and IPSec
✓ Configuring IKE
✓ Configuring IPSec
✓ Testing and verifying IPSec
VPN Overview
With the availability of so many high-speed and affordable WAN connections, it’s no wonder that companies large and small have embraced VPN technology. The key to the popularity of VPNs is that they can replace traditionally high-priced dedicated WAN connections for a fraction of the cost. Some of the key advantages of a VPN over a traditional leased line are
➤ Lower costs
➤ Flexibility
➤ Simplified management

It might seem obvious, but make sure you can describe what a VPN offers and how it compares to leased lines.
VPNs provide three critical functions: confidentiality, integrity, and authentication (CIA):
➤ Confidentiality or encryption—A sender of a packet can encrypt the packet before it is transmitted across the network, thereby preventing anyone eavesdropping on a conversation from being able to read the data.
➤ Data integrity—The receiver of the packet can verify that it has not been altered or changed.
➤ Origin authentication—The receiver can also verify the source of the packet as the sender of the data.

Some of the VPN technologies are Generic Routing Encapsulation (GRE), Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), and IPSec. The types of packets you will be sending dictate what VPN options you will use, such as the level of encryption and whether it is unicast, multicast, or a protocol besides IP. One thing to point out is that neither L2TP nor GRE supports data encryption by itself; you need to combine them with an encryption protocol. IPSec is the focus of this chapter. Traffic that is IP unicast should only use IPSec. If you need to send multiple protocols or multicast traffic, use GRE or L2TP. IPSec doesn’t support multicast or any protocol other than IP.
Whenever you hear of VPNs, you normally think of a tunnel. A tunnel is a virtual point-to-point connection; it carries one protocol inside of another, takes clear text and encrypts it, then the other end of the tunnel decrypts the data back to cleartext. The encrypted data is known as ciphertext. There are four major VPN topologies:
➤ Router to router
➤ Router to many routers
➤ PC to a router or concentrator
➤ Router to firewall and PC to firewall
Types of VPNs
Cisco organizes VPN solutions into two categories:
➤ Remote access VPNs—Connect remote users to the enterprise. Remote access clients are usually routers and VPN clients, and there are two types:
  ➤ Client initiated—Remote users use VPN clients to establish the secure tunnel to the enterprise. They are an extension to dial-in networks. The client VPN is usually terminated at a router, firewall, or concentrator.
  ➤ Network access server (NAS) initiated—A remote user connects to the Internet service provider (ISP), and the ISP builds a secure tunnel to the enterprise.
➤ Site-to-site VPNs—Connect entire networks to an enterprise network. They are an extension to the classic WAN network. They can be built by routers, firewalls, and concentrators, and there are two types:
  ➤ Intranet VPNs—Connect your remote and branch offices to the enterprise
  ➤ Extranet VPNs—Connect third-party organizations to your enterprise
VPN and IPSec Terminology
One of the biggest challenges to learning about VPNs and IPSec is the tremendous amount of terms, acronyms, and definitions. We discuss a great majority of them here and then use them throughout the chapter. Following is a list of VPN and IPSec terms:
248 Chapter 13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ➤ Tunnel—A tunnel is a virtual point-to-point connection that carries traf-
fic from one protocol encapsulated in another. Security is provided for the original IP packet, and the encrypted packet is placed inside another packet, which amounts to ciphertext inside a new IP packet. The IP address of the new packet is used to traverse the network. In tunnel mode, the hosts are not aware that encryption is taking place. ➤ Transport—Security is provided at the transport layer and above. It pro-
tects the data of the packet but exposes the IP address. The original IP address is used to traverse the network. Transport mode is used for endhost-to-end-host communication. Tunnel mode is more common. ➤ Encryption—Encryption is the process of taking cleartext and converting
it into ciphertext to protect it from unauthorized viewing. The two types of encryption are symmetric, which uses a single shared secret key, and asymmetric, which uses a public and private key. ➤ Decryption—Decryption is the process of taking ciphertext and convert-
ing it back into cleartext so that authorized users can view it. ➤ DES—Single DES encryption uses a 56-bit key to encrypt and decrypt
packet data. ➤ 3DES—3DES repeats the encryption with a different 56-bit key three
times. You will see 3DES called 168-bit encryption as well. ➤ CBC—One of several methods of implementing DES, CBC requires
that an IV is the same for both IPSec peers before encryption can take place. ➤ Advanced Encryption Standard (AES)—AES is a privacy transform for
IPSec and IKE. It was developed to replace DES, and it uses a 128-, 192-, or 256-bit key. ➤ Hashing—Hashing uses an algorithm or formula to convert data and a
key into a hash. The hash ensures that the transmitted message has not been tampered with. The sender generates a hash of the message and key, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. The recalculated hash verifies that the message and the key are intact. ➤ HMAC-MD5—This hashing algorithm uses a 128-bit shared secret key.
IKE, AH, and ESP can use MD5 for authentication. ➤ HMAC-SHA-1—This hashing algorithm uses a 160-bit shared secret
key. SHA stands for Secure Hash Algorithm. IKE, AH, and ESP can use SHA-1 for authentication.
249 Securing the Network with VPNs

➤ Key—Usually random binary digits, a key is the information used to set up and possibly change the operations of a cryptosystem. You can think of it as x (71399 × x = hash); although it’s not technically accurate, you get the point.
➤ Preshared key—This type of key is a shared secret key or password that is usually entered manually on each peer for use in setting up an SA. It is used for authentication.
➤ Key management—Key management is the control of keys generated, stored, revoked, transferred, and used.
➤ CA—A trusted third-party service that assists in establishing secured communications, a CA produces digital certificates. The digital certificates can be used for key material in establishing a VPN. CAs allow tremendous scalability in a VPN infrastructure.
➤ Cryptosystem—The system that performs the encryption, decryption, hashing, authentication, and key management.
➤ D-H—D-H is a public-key cryptography protocol that allows two parties to establish a shared secret key over an insecure communications channel. We look at two groups of D-H, group 1 at 768 bits and group 2 at 1024 bits.
➤ RSA Digital Signatures—This public-key cryptographic system is used for authentication. A CA provides RSA digital certificates, which can be used to produce a digital signature and allow for authentication without operator intervention. A D-H exchange can be authenticated with RSA signatures.
➤ RSA encrypted nonces—A nonce is a pseudo-random number. Peers do not exchange public keys with this form of authentication.
➤ AH—AH provides data authentication, integrity, and optionally antireplay. The AH process is applied to an entire datagram except mutable fields. A mutable field would be something like TTL (time to live), which gets modified by every router in the transmission path. AH provides no encryption and does not work with network address translation (NAT).
➤ ESP—ESP provides encryption, integrity, and optionally authentication and antireplay. With ESP, the entire IP packet is encapsulated. ESP does work with NAT.
➤ IKE—IKE is a hybrid protocol of the Oakley key exchange and Skeme key exchange. IKE is synonymous with ISAKMP; you will see both terms used and referenced throughout Cisco materials.
250 Chapter 13

➤ ISAKMP—ISAKMP provides the authentication of IPSec peers, the negotiation of IKE and IPSec SAs, and the establishment of keys for IPSec encryption algorithms.
➤ SA—An SA is built between two or more peers and describes the security services that have been set up or negotiated. SAs are unidirectional and protocol specific. If two peers are communicating securely with both AH and ESP, each host builds a separate SA for each protocol, inbound and outbound, so there would be four SAs per peer. We discuss SAs further, but it is worth noting here that there is an SA for IKE and an SA for IPSec.
➤ Transform sets—Transform sets define the combinations of IPSec algorithms for encryption and authentication. A transform set describes authentication (such as AH), encryption (such as ESP), and mode (tunnel versus transport).
The Five Steps of IPSec

IPSec, which is described in RFC 2401, is responsible for protecting your data with the necessary security protocols and algorithms. It is important to remember that IPSec is not a protocol; it is a framework of open standard protocol suites designed to give you CIA. If we look at the IPSec process, we can identify five high-level steps:

Step 1: Defining Interesting Traffic

Interesting traffic causes the IPSec process to start. Interesting traffic is usually defined by an access list referenced from a crypto map. A permit means to encrypt, whereas a deny means to send it in cleartext. The list does nothing to restrict the flow of traffic; it only indicates what is encrypted or expected to be encrypted. Crypto maps are symmetrical, meaning that if you send the data encrypted, the other side needs to expect it to arrive that way, and vice versa.
Step 2: IKE Phase 1

IKE Phase 1 authenticates the IPSec peers, negotiates a matching IKE SA policy to protect the IKE exchange, performs an authenticated D-H exchange to produce matching shared secret keys, and then establishes a secure tunnel to negotiate Phase 2. In IKE Phase 1, IKE SAs are established. There are two modes in which Phase 1 is negotiated:

➤ Main mode—The recommended mode for IKE. It is a touch slower than aggressive mode but more secure and reliable. It consists of six message exchanges, three in each direction.
➤ Aggressive mode—Faster than main mode because it sends a total of three messages. The drawback is that information is exchanged before a secure channel is established.

IKE is used to dynamically build a secure channel in which the IPSec parameters are negotiated.
Step 3: IKE Phase 2

The purpose of IKE Phase 2 is to set up IPSec SAs. IKE negotiates IPSec SA parameters inside the secure channel built in Phase 1, establishes an SA through matching IPSec parameters, periodically renegotiates the SAs, and optionally performs additional D-H exchanges, called Perfect Forward Secrecy (PFS), to refresh the keying material for greater security.

Step 4: IPSec Encrypted Tunnel

After Phase 2 occurs, you have a secure VPN tunnel set up to transmit your data. The VPN tunnel’s security parameters were negotiated during IKE Phase 2.

Step 5: Tunnel Termination

After the interesting data is transmitted, the SAs end by being deleted or timing out. An SA has a lifetime measured either in seconds or in bytes: the amount of time an SA has been up or the total data that has been transferred. If you exceed your limits but you still need to transfer data, the keying material is refreshed dynamically and transparently, and the SA lifetimes start over. The IKE tunnel protects the SA negotiation and the IPSec tunnel protects the data. Remember that each step is dependent upon the preceding step being completed and successful. This dependency actually makes troubleshooting easier because you can take a complicated process and break it down into smaller steps.
Cisco has been spearheading the IETF in a revision of IKE known as IKEv2. In fact, Cisco chairs the committee on IPSec and has been instrumental in producing a number of enhancements; one in particular is the ability to assign addresses remotely, which allows a gateway to download an IP address to the client as part of an IKE negotiation. IKEv2 was in final call (finished specification) in June 2003.

Configuring IPSec

The process of setting up a VPN can seem daunting; in fact, it is probably the most complex task you will perform in achieving your CCNP certification. The reason is that there are about as many commands and options to use as terms and definitions we just discussed. The trick is to break it down into manageable chunks. The four major tasks are preparing for IKE and IPSec, configuring IKE, configuring IPSec, and testing and verification. As we begin to look at the IPSec commands, it is important to note that we will not examine all the different options available. We focus on the most used and tested choices.

Task 1: Preparing for IKE and IPSec

Configuring IKE and IPSec can be complicated, but you can resolve a number of issues before the deployment with careful planning. You need to design the different policies to be used, ensure that current configurations work, and ensure that they will be compatible in the future.
Step 1: Determining IKE (IKE Phase 1) Policy

One of the most important steps is planning. A properly planned out policy helps eliminate needless troubleshooting and frustration. The goal is to minimize or eliminate misconfiguration. There are a number of items to examine:

➤ Determine the key distribution method—How your keys are distributed is usually decided by the number and locations of your IPSec peers. With small networks, using manually configured preshared keys might be easiest; for a large number of peers, using a CA is the best choice because it scales more easily and is easier to manage.
➤ Determine the authentication method—Your authentication method is based on your key-distribution choice. You use preshared keys for a manual environment but RSA signatures or nonces in a CA configuration. Preshared keys are covered on the exam and throughout this text.
➤ Identify the IPSec peers’ IP addresses and host names—You need to identify, either through hostnames or IP addresses, all the peers and the preshared keys that will be in use.
➤ Determine ISAKMP policies for peers—An ISAKMP policy is a combination of all the security parameters in IKE negotiation. You should determine the policies ahead of time. Any one device can have a number of policies, but you can only build a secure channel if there is a match. We examine the policies in Task 2, Step 2.
Step 2: Determining IPSec (IKE Phase 2) Policy

Once again, a key step is planning. This time, however, you are planning for IPSec. Properly planned, it helps in configuring and troubleshooting. The goal is still to minimize or eliminate configuration errors. There are a number of steps:

➤ Determine the IPSec algorithms—Determine the type of security that will be applied to the protected data. You might need to choose it based on performance, strength, and laws.
➤ Select transforms and transform sets—The IPSec algorithms are known as transforms and transform sets. These are your AH and ESP choices. AH is rarely used because it is not compatible with NAT or port address translation (PAT), and its functionality has been added to some of the ESP transforms. We look at the options in Task 3, Step 1.
➤ Identify IPSec peer details—Identify the hostnames or IP addresses of all the peers.
➤ Identify the traffic to protect—Identify which networks, hosts, and applications should be protected between the local and remote peers.
➤ Choose manual or IKE-built SAs—You can use either manually created SAs or IKE-established SAs. The preferred and covered method is the IKE SAs.
Step 3: Checking the Current Configuration

You need to examine the routers’ current configurations to see whether there has been a previous IPSec deployment. The idea is that you don’t want to reinvent the wheel if you don’t need to. You can save time if you can use previously configured IKE and IPSec policies. At the least, you need to know that they exist so you can plan accordingly. Some of the commands you use are show running-config, show crypto isakmp policy, show crypto map, and show crypto ipsec transform-set. We look at these commands later in the “Verifying IKE Configuration” and “Verifying IPSec Configuration” sections.
Step 4: Ensuring That the Network Works Without Encryption

This step might sound like an obvious guideline, but you would be surprised how many people wonder whether they were able to reach the intended network before encryption was set up. It is important to see whether you can ping, Telnet, log in, and so on before you set up IPSec. If it worked before and it doesn’t now, you know where to start troubleshooting. If it doesn’t work now and you don’t know whether it did before, where should you start to look for a cause?

Step 5: Ensuring That Access Control Lists Are Compatible with IPSec

IKE and IPSec use different ports and protocols to work. You need to make sure any access control lists (ACLs) allow those specific settings through. Specifically, ISAKMP uses UDP port 500, ESP uses IP protocol number 50, and AH uses IP protocol number 51.

Task 2: Configuring IKE

At this point, we are ready to start the configuration of the router; specifically, we start with setting up IKE. This task includes enabling ISAKMP and configuring policies, preshared keys, and verification.

Step 1: Enabling or Disabling IKE

The first step to configuring IKE is to enable it. ISAKMP or IKE is enabled from global config mode, and the command is simply crypto isakmp enable. To disable it, add no in front of the command:

RouterA(config)#crypto isakmp enable
On newer releases of IOS, ISAKMP is enabled by default so it does not show up in your configuration files unless it is disabled.
Step 2: Creating IKE Policies

The next thing is to configure an IKE policy. Remember, you need to have matching policies on each peer. From config mode, you enter crypto isakmp policy priority to go into a sub-config mode (config-isakmp), as shown in Listing 13.1.

Listing 13.1 IKE policy configuration example

RouterA(config)#crypto isakmp policy 50
RouterA(config-isakmp)#encryption des
RouterA(config-isakmp)#hash md5
RouterA(config-isakmp)#authentication pre-share
RouterA(config-isakmp)#group 2
RouterA(config-isakmp)#lifetime 86400
RouterA(config-isakmp)#exit
RouterA(config)#

The priority setting is configurable between 1 and 10,000. Now that you have seen the command, let’s examine the different policy settings in Table 13.1.

Table 13.1 IKE Policy Parameters

Parameter | Choice | Keyword | Default
Encryption algorithm | DES, 3DES | des, 3des | DES
Hash algorithm | MD5, SHA-1 | md5, sha | SHA-1
Authentication method | Preshared keys, RSA nonces, RSA signatures | pre-share, rsa-encr, rsa-sig | RSA signatures
Key exchange (D-H) | 768-bit D-H, 1024-bit D-H | 1, 2 | 768-bit D-H
IKE SA lifetime | 60 to 86,400 seconds (sec) | # | 86,400 sec (1 day)
If you have not specified any ISAKMP policies, the default settings from the table are used. If you create a policy and only define some settings, the default settings are used for the undeclared values. Earlier, we mentioned that each peer must negotiate with the other peer to find a matching policy. Policies have a number, and the lower-numbered policies are tried first until there is a match. Take the time to plan out the policies and their numbers so you get the desired results.
Step 3: Configuring ISAKMP Identity

During IKE negotiations, peers authenticate each other using the preshared key and the ISAKMP identity. The identity can be either an IP address or a hostname; the IP address is the default. If you use hostnames, you either need to have DNS set up or a host entry configured on your router. The command to set the identity is crypto isakmp identity {address | hostname}:

RouterA(config)#crypto isakmp identity address
Once again, because address is the default, it is not displayed in configuration files. If you use hostname, however, you can see it.
Step 4: Configuring Preshared Keys

You now need to configure the preshared keys that IKE will use for authentication. The command has two options, based on address or hostname. Also, the preshared key must be identical on each peer. The command is crypto isakmp key keystring address peer-address or crypto isakmp key keystring hostname peer-hostname:

RouterA(config)#crypto isakmp key secret123 address 172.16.1.5
RouterA(config)#crypto isakmp key passwd58 hostname RouterC

The preshared keys are used only if the negotiated IKE policy declares their use. It is recommended as a security precaution to use different passwords for different peers, but remember that each side’s password needs to match. Preshared keys might be the easiest, but they don’t scale nearly as well as a CA.
Step 5: Verifying IKE Configuration

The easiest step in the process, verification, is the last one, assuming everything is correct. You can only verify some of your settings by viewing your running-config because defaults do not appear. You can, however, view your policies in their entirety by typing show crypto isakmp policy:

RouterA#show crypto isakmp policy
Protection suite of priority 50
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
RouterA#
Notice that you see the policy you configured, number 50, and the default. If you had set up a number of other policies, they would be listed as well. Remember that IKE negotiates using the lowest-numbered policy first and then continues higher. If no policies match, then the default policy is attempted. If it doesn’t match, an IKE SA is not built, and that was the whole purpose. Make sure you can describe some of the features and benefits of IKE/ISAKMP.
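The negotiation order just described (lowest-numbered policy first, IOS defaults for any attribute you did not declare, the default suite as the last resort) as a small Python model. This is an added illustration, not code from the book or from Cisco IOS; the policy dictionaries, the ROUTER_* names and the negotiate() function are constructed for it. ROUTER_A is the policy from Listing 13.1, and when lifetimes differ the model takes the shorter of the two.

```python
# Added example (not Cisco's code or the book's): a model of how IKE Phase 1
# picks an ISAKMP policy. Policies are tried lowest number first, attributes
# the operator did not set take the IOS defaults from Table 13.1, and the
# implicit default protection suite is tried last on both sides.

# IOS defaults for an ISAKMP policy (Table 13.1).
DEFAULT_POLICY = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": 1,
    "lifetime": 86400,
}

# Attributes that must be identical for two policies to match.  Lifetime is
# not one of them: the peers settle on the shorter of the two values.
NEGOTIATED = ("encryption", "hash", "authentication", "group")


def complete(policy):
    """Return a policy with IOS defaults filled in for undeclared attributes."""
    return {**DEFAULT_POLICY, **policy}


def policies_match(a, b):
    """True when every negotiated attribute agrees after defaults are applied."""
    a, b = complete(a), complete(b)
    return all(a[k] == b[k] for k in NEGOTIATED)


def negotiate(initiator, responder):
    """Pick the policy pair that IKE would agree on.

    initiator and responder map priority number -> partial policy dict.
    Returns (initiator_priority, responder_priority, agreed_policy); a
    priority of None means the implicit default suite was the one that
    matched.  Returns None when nothing matches, i.e. no IKE SA is built.
    """
    init_order = sorted(initiator) + [None]   # None = default suite, tried last
    resp_order = sorted(responder) + [None]
    for ip in init_order:
        offer = complete(initiator[ip]) if ip is not None else dict(DEFAULT_POLICY)
        for rp in resp_order:
            mine = complete(responder[rp]) if rp is not None else dict(DEFAULT_POLICY)
            if policies_match(offer, mine):
                agreed = dict(offer)
                agreed["lifetime"] = min(offer["lifetime"], mine["lifetime"])
                return ip, rp, agreed
    return None


# Constructed sample policies.  ROUTER_A is Listing 13.1; the others are
# hypothetical peers showing a match with a lifetime trim, and a fallthrough.
ROUTER_A = {50: {"encryption": "des", "hash": "md5",
                 "authentication": "pre-share", "group": 2, "lifetime": 86400}}
ROUTER_B = {10: {"encryption": "3des", "hash": "sha",
                 "authentication": "pre-share", "group": 2},
            20: {"encryption": "des", "hash": "md5",
                 "authentication": "pre-share", "group": 2, "lifetime": 3600}}
ROUTER_C = {10: {"encryption": "3des", "hash": "sha",
                 "authentication": "pre-share", "group": 2}}

if __name__ == "__main__":
    print(negotiate(ROUTER_A, ROUTER_B))   # (50, 20, {... 'lifetime': 3600})
    print(negotiate(ROUTER_A, ROUTER_C))   # (None, None, {... the defaults ...})
```

Against ROUTER_B the initiator's policy 50 fails against policy 10 (3DES) and matches policy 20, with the lifetime trimmed to 3600 seconds. Against ROUTER_C nothing configured matches, and both sides fall through to the default suite; note that the default suite authenticates with RSA signatures, so on real routers that match only yields a usable SA if both peers hold certificates.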
Task 3: Configuring IPSec

The next major task is to configure the IPSec parameters that were defined in the planning stages. These settings include the transform sets, SA lifetimes, access lists, and crypto maps. After you define and configure them, you then apply them to an interface.

Step 1: Configuring Transform Sets

A transform set defines the combinations of IPSec algorithms for encryption and authentication. Transform sets work like IKE policies in that you need to have matched sets on each peer. Transform sets are negotiated in IKE Phase 2. A transform set describes authentication (such as AH), encryption (such as ESP), and mode (tunnel versus transport). The syntax for creating a transform set is crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]. It is quite common to have a transform set with only one transform defined:

RouterA(config)#crypto ipsec transform-set secure esp-3des esp-sha-hmac
RouterA(cfg-crypto-trans)#exit
Remember from earlier discussions that AH is not used very often because AH functionality was added to some of the ESP transforms. Table 13.2 lists the different options. You can specify up to one AH, one ESP encryption, and one ESP authentication transform.

Table 13.2 Supported Transforms

Transform | Explanation
ah-md5-hmac | AH transform; authentication based on MD5.
ah-sha-hmac | AH transform; authentication based on SHA.
esp-des | ESP transform; encryption based on a 56-bit cipher.
esp-3des | ESP transform; encryption based on a 168-bit cipher.
esp-md5-hmac | ESP transform; authentication based on MD5. Must be used with esp-des or esp-3des.
esp-sha-hmac | ESP transform; authentication based on SHA. Must be used with esp-des or esp-3des.
esp-null | ESP transform; specifies that there is no encryption. Not recommended for a production environment.
Step 2: Configuring Global IPSec Lifetimes

The lifetime of an SA is governed by the command crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}. The seconds value can be anywhere from 120 to 86,400; the default is 3600 sec. The kilobytes value can be anywhere from 2560 to 536,870,912; the default is 4608. The settings allow the SAs to be refreshed at regular, controlled intervals. The longer an SA is established, or the more data that passes through it, the more vulnerable it is. With the defaults, the keying material is recalculated at those intervals and you are more secure. Cisco recommends that you use the defaults.
Step 3: Creating Crypto ACLs

The purpose of a crypto access list is to specify what traffic should be protected and what traffic is allowed in the clear. With crypto access lists, a permit means encrypt and a deny means do not encrypt. The lists are symmetrical, so you need a mirrored ACL on each router. The syntax is the same as that for a traditional access list. You usually employ extended access lists for greater control over the encryption:

RouterA(config)#access-list 100 permit tcp host 192.168.1.5 host 192.168.2.10
Later when the ACL is applied, it specifies that all traffic between the two hosts using TCP needs to be encrypted. ACLs used for crypto maps specify what should or shouldn’t be encrypted. They do nothing about restricting traffic, with the exception of denying received traffic that should’ve been encrypted. Remember, they are symmetrical with the VPN peer.
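A check for that symmetry requirement, written as an added Python example (not code from the book or from Cisco): it parses the crypto access list out of each peer's configuration and reports any entry whose mirror image is missing on the other side. The ROUTER_*_CFG strings are constructed for the example; the first entry is the access-list 100 line above, and only the host, any and network/wildcard address forms are handled, without port qualifiers.

```python
# Added example (not the book's or Cisco's code): parse the crypto access
# lists from two peers' configurations and check that they mirror each other,
# which is what "symmetrical" means in the text.  Only the ACE forms used in
# this chapter are handled: host X, any, and network + wildcard, no ports.
from dataclasses import dataclass


@dataclass(frozen=True)
class CryptoAce:
    action: str   # permit = encrypt, deny = send in the clear
    proto: str
    src: str
    dst: str

    def mirrored(self):
        """The entry the remote peer must hold: same action, src and dst swapped."""
        return CryptoAce(self.action, self.proto, self.dst, self.src)

    def __str__(self):
        return f"{self.action} {self.proto} {self.src} {self.dst}"


def _take_spec(tokens):
    """Consume one IOS address specification and return (normalised, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]     # network wildcard


def parse_crypto_acl(config_text, number):
    """Return the entries of access-list <number> from IOS config text, in order."""
    aces = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number):
            continue
        src, rest = _take_spec(t[4:])
        dst, rest = _take_spec(rest)
        if rest:
            raise ValueError(f"unsupported ACE options: {line.strip()!r}")
        aces.append(CryptoAce(action=t[2], proto=t[3], src=src, dst=dst))
    return aces


def mirror_problems(local, remote):
    """List the ways the remote crypto ACL fails to mirror the local one."""
    expected = {a.mirrored() for a in local}
    actual = set(remote)
    problems = [f"remote is missing: {a}" for a in sorted(expected - actual, key=str)]
    problems += [f"remote has no local counterpart for: {a}"
                 for a in sorted(actual - expected, key=str)]
    return problems


# Constructed configurations.  The first ACE is the chapter's example; the
# second adds a network-to-network entry.  ROUTER_B_BAD_CFG has a typo in
# the mirrored host address, the kind of mistake this check is for.
ROUTER_A_CFG = """
access-list 100 permit tcp host 192.168.1.5 host 192.168.2.10
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
ROUTER_B_CFG = """
access-list 100 permit tcp host 192.168.2.10 host 192.168.1.5
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
ROUTER_B_BAD_CFG = """
access-list 100 permit tcp host 192.168.2.10 host 192.168.1.6
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

if __name__ == "__main__":
    local = parse_crypto_acl(ROUTER_A_CFG, 100)
    print(mirror_problems(local, parse_crypto_acl(ROUTER_B_CFG, 100)))     # []
    for problem in mirror_problems(local, parse_crypto_acl(ROUTER_B_BAD_CFG, 100)):
        print(problem)
```

Run against the good pair the check returns an empty list; against the bad pair it reports both the entry the remote should have had and the stray entry it has instead, which is the situation that later shows up as traffic arriving in the clear on one side and being dropped on the other.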
Step 4: Creating Crypto Maps

Crypto maps are the glue for putting together all the various IPSec configurations. Just like the ISAKMP policies configured to build the IKE SAs, the crypto map defines the IPSec SAs. You specify a number of things, such as the method of SA establishment, the type of transform sets applied, the type of traffic to be encrypted or not, the identity of the peer and where the traffic should be sent, the local address to be used for the IPSec traffic, and any other parameters that might be necessary in defining an IPSec SA. You can have only one crypto map per interface, which should not be a problem; inside each crypto map, you can define groups of settings that are applicable to different peers. The different groups are defined by sequence numbers, and once again, lower sequence numbers are negotiated first. We examine first the crypto map command and its three main options and then its sub-config mode. The command looks like crypto map map-name seq-num [cisco | ipsec-manual | ipsec-isakmp]. Table 13.3 describes the parts of the command.

Table 13.3 The crypto map Command

Parameter | Explanation
map-name | The name you assign the crypto map.
seq-num | The number assigned to the crypto map entry. Remember that the number is used as a grouping and that lower numbers are negotiated first.
cisco | Indicates that Cisco Encryption Technology (CET) should be used instead of IPSec, which is the default. Newer IOS releases have removed this keyword from the command; CET encryption is now end-of-life, with IPSec as its replacement.
ipsec-manual | Specifies that IKE will not establish the IPSec SAs.
ipsec-isakmp | Specifies that IKE will establish the IPSec SAs.
dynamic | Specifies that a preexisting crypto map be used. If you use this option, no additional configuration is necessary because the parameters are pulled from the referenced crypto map.
dynamic-map-name | The name of the crypto map to be used as a template.
Once you enter the crypto map command, the router prompt changes and places you in config-crypto-map mode, as shown in the example. Following the example, we cover the options in this new mode:

RouterA(config)#crypto map myfirstmap 10 ipsec-isakmp
RouterA(config-crypto-map)#
Now that you have seen the beginnings of the crypto map command, you need to look at how the command works and its syntax. Table 13.4 shows just that. Note the match and set options.
Table 13.4 The config-crypto-map Commands

Command | Explanation
match address [access-list number | name] | Specifies the access list that defines the traffic which should be encrypted. It is the access list you built in the preceding step. You can call it by a number or name, depending on how it was built.
set | Used to define the peer, PFS, SA lifetime, and transform set.
  peer [address | hostname] | Defines the peer to be used by IPSec.
  pfs [group1 | group2] | Specifies D-H group 1 or group 2.
  security-association lifetime | Sets the lifetime in sec or KB.
  transform-set [set-name(s)] | Defines the transform set that will be used to protect your data. (You can have up to six sets.)
no | Used to remove any set or match commands.
exit | Exits the crypto map configuration mode.
Now that you have seen the parameters that you can control inside the crypto map command, let’s examine a working example from start to finish, as shown in Listing 13.2. Notice that each configuration line starts with either the set or match keyword. Also, you can use the no option to remove a setting.

Listing 13.2 Crypto map example

RouterA(config)#crypto map myfirstmap 10 ipsec-isakmp
RouterA(config-crypto-map)#match address 100
RouterA(config-crypto-map)#set peer 172.16.1.5
RouterA(config-crypto-map)#set pfs group2
RouterA(config-crypto-map)#set security-association lifetime seconds 86400
RouterA(config-crypto-map)#set transform-set secure
RouterA(config-crypto-map)#exit
RouterA(config)#

In the section “Testing and Verifying IPSec,” you can see the show crypto map command used to verify the settings.
Step 5: Configuring IPSec Crypto Maps

Once again, the last step is one of the easiest. Now that you have built your crypto maps, you need to apply them. Enter interface configuration mode and enter the command crypto map map-name:

RouterA(config)#int serial 2/1
RouterA(config-if)#crypto map myfirstmap

That’s it. You should now have a crypto map applied to the correct interface, and at this point, you should be ready to test your shiny brand new IPSec VPN.
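Tasks 2 and 3 together, checked by an added Python linter that is not part of the book or of IOS. It reads the kind of statements shown in Listings 13.1 and 13.2, the transform-set, access-list and crypto isakmp key commands, and the interface binding; it applies the composition rules of Table 13.2 to each transform set and verifies that every crypto map entry references an existing ACL and transform set, names a peer that has a crypto isakmp key, and is applied to an interface. GOOD_CONFIG is the chapter's own statements stitched together; BAD_CONFIG is a constructed branch configuration with the usual mistakes; the function names are mine.

```python
# Added example (not the book's or Cisco's code): a linter for the IOS IPSec
# statements this chapter configures.  It applies the transform-set rules of
# Table 13.2 and checks the cross-references a crypto map depends on.
AH_TRANSFORMS = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_CIPHERS = {"esp-des", "esp-3des", "esp-null"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}

def check_transform_set(name, transforms):
    """Apply the composition rules in Table 13.2 to one transform set."""
    issues, chosen = [], set(transforms)
    for label, group in (("AH", AH_TRANSFORMS), ("ESP encryption", ESP_CIPHERS),
                         ("ESP authentication", ESP_AUTH)):
        if len(chosen & group) > 1:
            issues.append(f"transform-set {name}: more than one {label} transform")
    if chosen & ESP_AUTH and not chosen & {"esp-des", "esp-3des"}:
        issues.append(f"transform-set {name}: esp-*-hmac must be used with esp-des or esp-3des")
    if "esp-null" in chosen:
        issues.append(f"transform-set {name}: esp-null provides no encryption")
    return issues

def parse_config(text):
    """Collect the IPSec-relevant statements of an IOS config into one dict."""
    cfg = {"keys": {}, "tsets": {}, "acls": set(), "maps": {}, "applied": {}}
    block = None  # the sub-config mode that indented lines belong to
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if not line.startswith(" "):  # global configuration mode
            block = None
            if t[:3] == ["crypto", "isakmp", "key"]:
                cfg["keys"][t[5]] = t[3]  # keystring, indexed by peer address or hostname
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["tsets"][t[3]] = t[4:]
            elif t[0] == "access-list":
                cfg["acls"].add(t[1])
            elif t[:2] == ["crypto", "map"] and len(t) >= 5:
                block = ("map", t[2], t[3])
                cfg["maps"].setdefault(t[2], {})[t[3]] = {"type": t[4], "match": None, "set": {}}
            elif t[0] == "interface":
                block = ("if", t[1])
        elif block and block[0] == "map":
            entry = cfg["maps"][block[1]][block[2]]
            if t[:2] == ["match", "address"]:
                entry["match"] = t[2]
            elif t[0] == "set":
                entry["set"][t[1]] = t[2:]
        elif block and block[0] == "if" and t[:2] == ["crypto", "map"]:
            cfg["applied"].setdefault(t[2], []).append(block[1])
    return cfg

def lint(text):
    """Return findings for one router's config; an empty list means it is consistent."""
    cfg, issues = parse_config(text), []
    for name, transforms in cfg["tsets"].items():
        issues += check_transform_set(name, transforms)
    for mname, entries in cfg["maps"].items():
        if mname not in cfg["applied"]:
            issues.append(f"crypto map {mname}: not applied to any interface")
        for seq, e in entries.items():
            where = f"crypto map {mname} {seq}"
            if e["match"] is None:
                issues.append(f"{where}: no match address")
            elif e["match"] not in cfg["acls"]:
                issues.append(f"{where}: access-list {e['match']} is not defined")
            peer = e["set"].get("peer")
            if not peer:
                issues.append(f"{where}: no set peer")
            elif e["type"] == "ipsec-isakmp" and peer[0] not in cfg["keys"]:
                issues.append(f"{where}: no crypto isakmp key for peer {peer[0]} (needed with pre-share)")
            tsets = e["set"].get("transform-set") or []
            if not tsets:
                issues.append(f"{where}: no set transform-set")
            issues += [f"{where}: transform-set {ts} is not defined" for ts in tsets if ts not in cfg["tsets"]]
    return issues

# Constructed samples: the chapter's own statements stitched together (GOOD)
# and a deliberately inconsistent branch configuration (BAD).
GOOD_CONFIG = """\
crypto isakmp key secret123 address 172.16.1.5
crypto ipsec transform-set secure esp-3des esp-sha-hmac
access-list 100 permit tcp host 192.168.1.5 host 192.168.2.10
crypto map myfirstmap 10 ipsec-isakmp
 match address 100
 set peer 172.16.1.5
 set transform-set secure
interface Serial2/1
 crypto map myfirstmap
"""
BAD_CONFIG = """\
crypto ipsec transform-set weak esp-null esp-sha-hmac
crypto map branch 10 ipsec-isakmp
 set peer 172.16.20.5
 set transform-set weak
crypto map branch 20 ipsec-isakmp
 match address 120
 set peer 172.16.30.5
 set transform-set missing
"""
```

lint(GOOD_CONFIG) returns an empty list. lint(BAD_CONFIG) returns eight findings: the esp-null plus esp-sha-hmac combination that Table 13.2 disallows (and esp-null itself), a map that was never applied to an interface, an entry with no match address, two peers with no crypto isakmp key, a reference to access-list 120 that does not exist, and a reference to an undefined transform set. Each of these would otherwise surface only as a failed negotiation during Task 4.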
Task 4: Testing and Verifying IPSec

You can use a number of commands to test and verify that IPSec is up and running. We have looked at a few to get to this point and have a few more to discuss. The fact that you are able to communicate with a peer doesn’t mean that all is secure; how do you know that the conversation you are having is encrypted? We review a couple of commands and introduce you to a few others, not only for troubleshooting a broken VPN, but also to verify that one is working as it should. We hope that you tested that you had connectivity before you set up encryption. If you didn’t, you’re on your own. Remember that IPSec doesn’t happen all at once and that it is a multistep process. That aids us in troubleshooting. The first step is to examine the IKE policies with show crypto isakmp policy. You need to check that you have matching options on each peer:

RouterA#show crypto isakmp policy
Protection suite of priority 50
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
RouterA#
ISAKMP policies are negotiated by priority number, from lowest to highest. If a match isn’t found, the default policy is tried.
Next, check whether an ISAKMP SA has been established, using the command show crypto isakmp sa:

RouterA#show crypto isakmp sa
dst             src             state          conn-id    slot
172.16.1.5      172.16.1.1      QM_IDLE             47       5
RouterA#
From the output, you can see that you have an SA for IKE; QM_IDLE indicates that it is built and waiting. The next thing to check is that you have matching transform sets on each peer. To view your configured transform sets, enter show crypto ipsec transform-set. You will see something similar to the following, depending on the transforms you have configured:

RouterA#show crypto ipsec transform-set
Transform set secure: { esp-des esp-sha-hmac  }
   will negotiate = { Tunnel,  },
RouterA#
If you verified that you have matching transforms, you should check whether an IPSec SA has been established. Type show crypto ipsec sa. The command output has been truncated, but the important pieces are at the top, specifically the crypto map in use and the IP addresses for the peers. You can also see a packet counter for the number of packets encrypted and decrypted:

Router#show crypto ipsec sa
interface: Ethernet0
    crypto map tag: router-alice, local addr. 172.16.1.1
   local  ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.5/255.255.255.255/0/0)
   current_peer: 172.16.1.5
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.1.5
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
The next command to use verifies your crypto maps. Earlier, we mentioned that you can have only a single map per interface but that a map can have multiple entries. In the example produced by the show crypto map command, you can see that we have a map called myfirstmap and that it has two sets of parameters. The first one, number 10, connects to the 172.16.1.5 address with its specific parameters. The second entry goes to a different address with slightly different security parameters:

RouterA#show crypto map
Crypto Map "myfirstmap" 10 ipsec-isakmp
        Peer = 172.16.1.5
        Extended IP access list 100
            access-list 100 permit tcp host 192.168.1.5 host 192.168.2.10
        Current peer: 172.16.1.5
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={ secure, }
        Interfaces using crypto map myfirstmap:

Crypto Map "myfirstmap" 20 ipsec-isakmp
        Peer = 172.16.20.5
        Extended IP access list 110
            access-list 110 permit tcp host 192.168.1.5 host 192.168.7.10
        Current peer: 172.16.20.5
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group1
        Transform sets={ secure, }
        Interfaces using crypto map myfirstmap:
RouterA#
A command that is not covered or tested but is quite interesting is show crypto engine connections active. It gives you a packet counter for encrypted packets as well as the algorithms that are in use. If you’re still unable to get your VPN up and working, it must be time for the debug commands. The two debug commands that are covered are debug crypto isakmp and debug crypto ipsec. Each shows you the different steps that happen during negotiations. They produce pages of output, so remember that debug commands can have an adverse effect on your network and should only be used appropriately. After issuing the debug commands, you will most likely want to force the SAs to be reestablished. Enter the clear crypto sa command, which disrupts anyone using the VPN tunnel until it is reconnected but causes the SAs to be reestablished.

ISAKMP Error Messages

There are two common messages that you might receive if ISAKMP is having problems:

%CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange ... SA is not authenticated!

This message indicates that the other side tried to negotiate ISAKMP without being authenticated. You need to examine the peer router. The next error message follows:

%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute ... not offered or changed.

This message indicates that you were unable to negotiate a matching ISAKMP policy and that the other side responded with a policy not requested.
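Task 4's checks, driven from captured command output, as an added Python example that is not the book's or Cisco's code: it parses show crypto isakmp sa and the counters in show crypto ipsec sa, decides whether the tunnel to a given peer is healthy in the order the chapter suggests (Phase 1 SA first, then protected traffic flowing in both directions), and picks the two ISAKMP error messages above out of a syslog stream. The sample output and log lines are constructed to match the chapter's examples; the function names are mine.

```python
# Added example (not the book's or Cisco's code): parse the verification
# output discussed in Task 4 and the two ISAKMP syslog messages, and turn
# them into a pass/fail health check for one peer.
import re

# Constructed after the 'show crypto isakmp sa' output quoted in the chapter.
ISAKMP_SA_OUTPUT = """\
dst             src             state          conn-id    slot
172.16.1.5      172.16.1.1      QM_IDLE             47       5
"""

# Constructed after the (truncated) 'show crypto ipsec sa' output in the chapter.
IPSEC_SA_OUTPUT = """\
interface: Ethernet0
    crypto map tag: router-alice, local addr. 172.16.1.1
   local  ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.5/255.255.255.255/0/0)
   current_peer: 172.16.1.5
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 0, #recv errors 0
"""

# Constructed log lines; the two %CRYPTO messages follow the forms quoted above.
SYSLOG_LINES = [
    "%CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange ... SA is not authenticated!",
    "%SYS-5-CONFIG_I: Configured from console by console",
    "%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer 172.16.1.5 responded with attribute ... not offered or changed.",
]

COUNTER_RE = re.compile(
    r"#(pkts (?:encaps|decaps|encrypt|decrypt|digest|verify)|send errors|recv errors):?\s+(\d+)")

# What each ISAKMP error means, per the chapter, and where to look next.
ISAKMP_ERRORS = {
    "IKMP_SA_NOT_AUTH": "peer started Quick Mode without an authenticated Phase 1 SA; examine the peer router",
    "IKMP_SA_NOT_OFFERED": "peer answered with an attribute we never proposed; no matching ISAKMP policy",
}


def parse_isakmp_sa(text):
    """Rows of 'show crypto isakmp sa' as dicts (the header line is skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        t = line.split()
        if len(t) >= 5:
            rows.append({"dst": t[0], "src": t[1], "state": t[2],
                         "conn_id": int(t[3]), "slot": int(t[4])})
    return rows


def parse_ipsec_counters(text):
    """Packet and error counters from 'show crypto ipsec sa', keyed by name."""
    return {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(text)}


def tunnel_health(isakmp_text, ipsec_text, peer):
    """Return (ok, findings) for the tunnel to <peer>: Phase 1 SA first, then
    whether traffic is actually being protected in both directions."""
    findings = []
    ike = [r for r in parse_isakmp_sa(isakmp_text) if peer in (r["dst"], r["src"])]
    if not ike:
        findings.append(f"no IKE SA with {peer}: check ISAKMP policies and the preshared key")
    elif ike[0]["state"] != "QM_IDLE":
        findings.append(f"IKE SA with {peer} is in state {ike[0]['state']}, not QM_IDLE")
    c = parse_ipsec_counters(ipsec_text)
    if c.get("pkts encaps", 0) == 0:
        findings.append("nothing encapsulated: interesting traffic is not matching the crypto ACL")
    if c.get("pkts decaps", 0) == 0:
        findings.append("nothing decapsulated: the peer is not sending protected traffic back")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        findings.append(f"send/recv errors: {c.get('send errors', 0)}/{c.get('recv errors', 0)}")
    return not findings, findings


def classify_syslog(lines):
    """Pick out the ISAKMP error messages and pair each with its meaning."""
    hits = []
    for line in lines:
        m = re.search(r"%CRYPTO-\d-(\w+):", line)
        if m and m.group(1) in ISAKMP_ERRORS:
            hits.append((m.group(1), ISAKMP_ERRORS[m.group(1)]))
    return hits


if __name__ == "__main__":
    print(tunnel_health(ISAKMP_SA_OUTPUT, IPSEC_SA_OUTPUT, "172.16.1.5"))   # (True, [])
    for code, meaning in classify_syslog(SYSLOG_LINES):
        print(code, "->", meaning)
```

With the sample output the check passes for 172.16.1.5. Asking about a peer that has no IKE SA, or feeding it output where the decaps counter stays at zero, returns the matching finding, which is the one-sided condition (traffic leaves encrypted but nothing comes back protected) that a mirrored crypto ACL mistake produces.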
Exam Prep Questions

Question 1

What type of device can you use to terminate a VPN? (Choose the best answer.)
❍ A. Concentrator
❍ B. Firewall
❍ C. Router
❍ D. All of the above
Answer D is correct; each of the devices can be the termination point for a VPN. Answers A, B, and C are correct but not the most correct; each one individually is not the best answer because you can use all of them to terminate a VPN.
Question 2

What is the number of bits used with a 3DES encryption key?
❍ A. 128
❍ B. 56
❍ C. 168
❍ D. 158
Answer C is correct; 3DES uses three 56-bit keys for a total of 168 bits. Answer B is single DES, so it is wrong. Answers A and D are the incorrect values.
Question 3

ISAKMP or IKE uses which of the following?
❍ A. TCP 500
❍ B. UDP 500
❍ C. IP 500
❍ D. ICMP 500
Answer B is correct; ISAKMP uses UDP port 500. Answers A, C, and D are incorrect; they have the right value but the wrong protocols.
Question 4

What IP port does ESP use?
❍ A. 50
❍ B. 23
❍ C. 51
❍ D. 500
Answer A is correct; ESP uses port 50. Answer C is incorrect because it is used by AH. Answers B and D are the wrong IP port numbers.
Question 5

What IP port does AH use?
❍ A. 23
❍ B. 50
❍ C. 51
❍ D. 500
Answer C is correct; AH uses port 51. Answer B is incorrect because it is used by ESP. Answers A and D are the wrong IP port numbers.
Question 7

Which ISAKMP mode is faster?
❍ A. Main mode
❍ B. Aggressive mode
❍ C. Fast mode
❍ D. Ala mode
Answer B is correct; it is faster than main mode but not as secure. Answer A is incorrect; it is the slower but more secure of the two modes. Answer C is wrong because there is no such mode, and Answer D is incorrect because it’s how I like my pie for dessert.
Question 8

Which is the strongest keying algorithm?
❍ A. D-H
❍ B. DES
❍ C. 3DES
❍ D. 5DES
Answer A is correct, but this question is definitely a trick question. D-H uses either 768 or 1024 bits. Answer B is wrong because it uses only 56 bits. Answer C is incorrect because it uses 168 bits, and Answer D is wrong because there is no 5DES.
Question 9 What is the digest size of HMAC-SHA-1? ❍ A. 56 bits ❍ B. 64 bits ❍ C. 128 bits ❍ D. 160 bits
Answer D is correct; SHA-1 produces a 160-bit digest (IPSec sends only the first 96 bits as the authenticator, which is why you will also see it written as HMAC-SHA-1-96). Answer C, 128, is wrong because that is the MD5 digest size used by HMAC-MD5. Answers A and B are not the correct bit counts.
Question 10 What are three things that IKE does? ❑ A. Specifies the encryption algorithms ❑ B. Specifies what traffic to encrypt ❑ C. Negotiates ISAKMP SAs ❑ D. Defines the lifetime of an SA
Answers A, C, and D are correct. IKE negotiates the encryption algorithm, authenticates the peer, builds the ISAKMP SA, and sets the lifetime of that SA. It does not, however, decide which traffic to encrypt; you do that with an access list referenced by a crypto map, so Answer B is wrong.
Question 11 What command starts the IKE process? ❍ A. enable ike ❍ B. enable isakmp ❍ C. crypto isakmp enable ❍ D. crypto ike enable
Answer C is correct; crypto isakmp enable is all that you need to start IKE or ISAKMP. Remember that IOS and the exam use the two names interchangeably: IKE is the key-exchange protocol built on the ISAKMP framework. Also, it is a global configuration command, not a per-interface one. Answers A, B, and D are all made-up commands and are therefore wrong.
Question 12 What happens if there is a duplicate ISAKMP policy set up on peers? ❍ A. That policy will be skipped and different ones chosen. ❍ B. The peers will build a tunnel and function normally. ❍ C. The peers will build a tunnel, but intermittent errors might occur. ❍ D. You will receive a duplicate policy message.
Answer B is correct; that is the whole point. IKE compares the initiator's policies against the responder's, in priority order, until it finds a match, so identical policies on both peers are exactly what you want. Answers A, C, and D are all wrong because a matching policy causes no error of any kind; the policies are supposed to match.
Question 13 At what point are transform sets negotiated? ❍ A. During IKE Phase 1 ❍ B. During IKE Phase 2 ❍ C. During IPSec Phase 1 ❍ D. During IPSec Phase 2
Answer B is correct; the IPSec parameters carried in transform sets are negotiated during IKE Phase 2 (quick mode), which runs inside the protected channel that Phase 1 built. Answer A is wrong because Phase 1's job is to authenticate the peers and build the ISAKMP SA that Phase 2 uses. Answers C and D are wrong because there are no IPSec phases.
Question 14 Crypto maps do what three things? ❑ A. Specify the traffic to be encrypted ❑ B. Specify how peers will be authenticated ❑ C. Specify the local address used for IPSec traffic ❑ D. Specify the destination of protected IPSec traffic
Answers A, C, and D are all correct. A crypto map ties together the access list that selects the traffic to be encrypted, the transform set, the local address used for the tunnel (set with the local-address keyword when the router has more than one candidate), and the peer address that is the destination of the protected traffic. Answer B, how peers authenticate, is covered by the ISAKMP policy, so it is incorrect.
Question 15 What two commands allow you to view information about the transform sets? ❑ A. show crypto isakmp policy ❑ B. show crypto ipsec transform-set ❑ C. show crypto map ❑ D. show transform-set
Answers B and C are correct; show crypto ipsec transform-set shows the defined transform sets and show crypto map lets you see the transform set associated with a crypto map. Answer A is incorrect because it shows ISAKMP policies, and Answer D is wrong because there is no such command.
Question 16 Which two debug commands do you use to troubleshoot your VPNs? ❑ A. debug crypto ipsec ❑ B. debug ipsec ❑ C. debug crypto negotiation ❑ D. debug crypto isakmp
Answers A and D are correct; both produce a large amount of output that you can use to solve VPN problems (they are also CPU-intensive, so use them sparingly on a busy router). Answers B and C are incorrect because those commands do not exist.
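The commands that the answers to Questions 3 through 5 and 11 through 16 refer to fit together as follows. This is an added example written for this page, not a configuration from the book or from Cisco; the addresses (203.0.113.x, 10.1.1.0/24, 10.2.2.0/24), access-list numbers, map and transform-set names, and the pre-shared key are made up, and the peer router needs the mirror image (addresses and access lists reversed, same pre-shared key, same ISAKMP policy and transform set).

```cisco
! Added example; hypothetical addresses, names and key.
! This router: 203.0.113.1, inside network 10.1.1.0/24
! Peer router:  203.0.113.2, inside network 10.2.2.0/24
!
! Question 11: IKE/ISAKMP is enabled globally, not per interface
crypto isakmp enable
!
! IKE Phase 1 policy; the peer must hold a matching one (Question 12)
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Pre-shared key for this peer (identical string on the other side)
crypto isakmp key S3cr3tPSK address 203.0.113.2
!
! IKE Phase 2 transform set: ESP with 3DES and HMAC-SHA-1-96 (Question 13)
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
! Interesting traffic: what to protect. This access list, not IKE,
! decides which packets are encrypted (Question 10)
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto map: traffic selector, peer (destination of protected traffic),
! transform set, optional PFS and SA lifetime (Question 14)
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set STRONG
 set pfs group2
 set security-association lifetime seconds 3600
 match address 110
!
! Inbound filter on the outside interface: IKE is UDP 500 (Question 3),
! ESP is IP protocol 50 (Question 4), AH is IP protocol 51 (Question 5).
! IOS of this era also checks the inbound filter against the packet
! after decryption, so the clear-text traffic is permitted too.
access-list 120 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
access-list 120 permit esp host 203.0.113.2 host 203.0.113.1
access-list 120 permit ahp host 203.0.113.2 host 203.0.113.1
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Apply the filter and the crypto map to the outside interface
interface Serial0
 ip address 203.0.113.1 255.255.255.252
 ip access-group 120 in
 crypto map SITE2SITE
!
! Verification (Questions 15 and 16):
!   show crypto isakmp policy          ISAKMP policies as configured
!   show crypto ipsec transform-set    defined transform sets
!   show crypto map                    map, peer, ACL and transform set
!   show crypto isakmp sa              Phase 1 SA state after traffic starts
!   show crypto ipsec sa               Phase 2 SAs, packet counters, SPIs
!   debug crypto isakmp                Phase 1 negotiation detail
!   debug crypto ipsec                 Phase 2 negotiation detail
```

Phase 1 succeeds only if the peer offers a policy whose encryption, hash, authentication method, and Diffie-Hellman group match one of yours; Phase 2 then needs the transform set and peer address to agree and the two access lists to be mirror images. Check the three show commands before sending traffic, then the two SA displays after the first interesting packet; if nothing comes up, the two debugs show which phase is failing and why.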
Need to Know More? There are a number of resources available for IPSec, and as you noticed, there are a lot of terms and definitions. The Cisco Internetworking Terms and Acronyms page is a good place to start at http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/. A good and definitive source of information is always the RFCs, even if they aren't much of a read. See the IPSec architecture RFC (RFC 2401) at http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2401.html.
Read the RFC for AH (RFC 2402) at http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2402.html.
Read the RFC for ESP (RFC 2406) at http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2406.html.
Read the RFC for ISAKMP (RFC 2408) at http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2408.html.
Read the RFC for IKE (RFC 2409) at http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2409.html.
The IETF, as you would expect, has a large amount of information on IPSec (there is no charge) at http://www.ietf.org/html.charters/ipsec-charter.html.
Of course, you can do a search on the Cisco site to get all sorts of Cisco-specific examples, configurations, and solutions; visit http://www.cisco.com.
14 Practice Exam 1
Sample Test In this chapter, we provide pointers to help you develop a successful test-taking strategy, including how to choose proper answers, how to decode ambiguity, how to work within the Cisco testing framework, how to decide what you need to memorize, and how to prepare for the test. At the end of the chapter, we include 65 questions on subject matter pertinent to Cisco Exam 642-821, Building Cisco Remote Access Networks v2.0 (BCRAN). In the next chapter, you'll find the answer key to this test. Good luck!
Questions, Questions, Questions There should be no doubt in your mind that you are facing a test full of specific and pointed questions. The version of the exam that you take is fixed-length, will include 60 to 70 questions, and you will be allotted 75 to 90 minutes to complete it. You will not be able to mark questions or go back to prior questions on the exam. The exam questions will belong to one of three basic types:
➤ Multiple choice with a single answer
➤ Multiple choice with multiple answers
➤ Simulations whereby you access the IOS of multiple routers and configure or troubleshoot the given scenario
You should always take the time to read a question at least twice before selecting an answer, and you should always look for an Exhibit button as you examine each question. Exhibits include graphics information related to a question. An exhibit is usually a screen capture of program output or GUI information that you must examine to analyze the question’s contents and formulate an answer. The Exhibit button displays graphics and charts used to help explain a question, provide additional data, or illustrate page layout or program behavior. Not every question has only one answer; many questions require multiple answers. Therefore, you should read each question carefully, determine how many answers are necessary or possible, and look for additional hints or instructions when selecting answers. Such instructions often appear in brackets immediately following the question itself (for multiple-answer questions).
Picking Proper Answers Obviously, the only way to pass any exam is to select enough of the right answers to obtain a passing score. However, Cisco's exams are not standardized like the SAT and GRE exams; they are far more diabolical and convoluted. In some cases, questions are strangely worded, and deciphering them can be a real challenge. In those cases, you may need to rely on answer-elimination skills. Almost always, at least one answer out of the possible choices for a question can be eliminated immediately because it matches one of these conditions:
➤ The answer does not apply to the situation.
➤ The answer describes a nonexistent issue, an invalid option, or an imaginary state.
➤ The answer may be eliminated because of information in the question itself.
After you eliminate all answers that are obviously wrong, you can apply your retained knowledge to eliminate further answers. Look for items that sound correct but refer to actions, commands, or features that are not present or not available in the situation that the question describes. If you're still faced with a blind guess among two or more potentially correct answers, reread the question. Try to picture how each of the possible remaining answers would alter the situation. Be especially sensitive to terminology; sometimes the choice of words ("remove" instead of "disable") can make the difference between a right answer and a wrong one.
Only when you’ve exhausted your ability to eliminate answers but remain unclear about which of the remaining possibilities is correct should you guess at an answer. An unanswered question offers you no points, but guessing gives you at least some chance of getting a question right; just don’t be too hasty when making a blind guess.
Decoding Ambiguity Cisco exams have a reputation for including questions that can be difficult to interpret, confusing, or ambiguous. In our experience with numerous exams, we consider this reputation to be completely justified. The Cisco exams are tough, and they're deliberately made that way. The only way to beat Cisco at its own game is to be prepared.
You'll discover that many exam questions test your knowledge of things that are not directly related to the issue raised by a question. This means that the answers you must choose from, even incorrect ones, are just as much a part of the skill assessment as the question itself. If you don't know something about most aspects of remote access topics and IOS configuration, you may not be able to eliminate answers that are wrong because they relate to an area of Cisco technology other than the one addressed by the question at hand. In other words, the more you know about routing and remote access, the easier it will be for you to tell right from wrong.
Questions often give away their answers, but you have to be Sherlock Holmes to see the clues. Often, subtle hints appear in the question text in such a way that they seem almost irrelevant to the situation. You must realize that each question is a test unto itself and that you need to inspect and successfully navigate each question to pass the exam.
Another common difficulty with certification exams is vocabulary. Cisco has an uncanny knack for spelling out acronyms in some questions and leaving them in their abbreviated form in others. Be sure to brush up on the key terms presented at the beginning of each chapter of this book. You may also want to read the glossary at the end of this book the day before you take the test.
Working Within the Framework When you're taking a Cisco exam and you see something in a question or in one of the answers that jogs your memory on a topic, or that you feel you should record in case the topic appears in another question, write it down on your piece of scratch paper. Just because you can't go back to a question in an exam doesn't mean you can't take notes on what you see early in the test, in hopes that it might help you later in the test. For Cisco exams, don't be afraid to take notes on what you see in various questions. Sometimes, what you record from one question can help you on other questions later on, especially if the topic is not as familiar as it should be or it reminds you of the name or use of some utility or interface detail.
Deciding What to Memorize The amount of memorization you must undertake for an exam depends on how well you remember what you've read and how well you know the software by heart. If you're a visual thinker and can see the command-line interface in your head, you won't need to memorize as much as someone who's less visually oriented. However, the exam will stretch your abilities to memorize the theory behind routing and remote access with topics such as quality of service (QoS), remote access network design, and traffic shaping configuration. At a minimum, you'll want to memorize the following kinds of information:
➤ WAN connection types and criteria
➤ Remote access cabling pins and types
➤ Modem configuration commands
➤ ISDN and PPP configuration commands
➤ Dialer profile functionality
➤ Frame Relay traffic shaping terminology
➤ Dialer backup configuration
➤ Quality of Service (QoS) tools and uses
➤ DSL and cable terminology
If you work your way through this book while accessing the IOS interface, as well as diagramming network topologies as they’re discussed throughout, you should have little or no difficulty mastering this material. Also, don’t forget that The Cram Sheet at the front of the book is designed to capture the material that’s most important to memorize; use this to guide your studies as well.
Preparing for the Test The best way to prepare for the test—after you’ve studied—is to take at least one practice exam. I’ve included one here in this chapter for that reason; the test questions are located in the pages that follow. (Unlike the questions in the preceding chapters in this book, the answers don’t follow the questions immediately; you’ll have to flip to the next chapter to review the answers separately.) Give yourself 105 minutes to take the exam, and keep yourself on the honor system—don’t look at earlier text in the book or jump ahead to the answer key. When your time is up or you’ve finished the questions, you can check your work in the next chapter. Pay special attention to the explanations for the incorrect answers; these can also help to reinforce your knowledge of the material. Knowing how to recognize correct answers is good, but understanding why incorrect answers are wrong can be equally valuable.
Taking the Test Relax. Once you’re sitting in front of the testing computer, there’s nothing more you can do to increase your knowledge or preparation. Take a deep breath, stretch, and start reading that first question. You don’t need to rush, either. You have plenty of time to complete each question. Both easy and difficult questions are intermixed throughout the test in random order. Don’t cheat yourself by spending too much time on a hard question early in the test, thereby depriving yourself of the time you need to answer the questions at the end of the test. Set a maximum time limit for questions, and watch your time on long or complex questions. If you hit your limit, it’s time to guess and move on. Don’t deprive yourself of the opportunity to see more questions by taking too long to puzzle over questions, unless you think you can figure out the answer. Otherwise, you’re limiting your opportunities to pass. That’s it for pointers. Here are some questions for you to practice on. Good luck!
Question 1 What function does the channel service unit/data service unit (CSU/DSU) have? ❍ A. It identifies interesting traffic patterns. ❍ B. It translates between data signaling methods. ❍ C. It encapsulates network protocol packets. ❍ D. It modulates digital signals to analog signals.
Question 2 Standards that define the data terminal equipment-to-data communications equipment (DTE-to-DCE) interface and signaling include the following: (Choose three.) ❑ A. RS-232 ❑ B. V.90 ❑ C. V.35 ❑ D. HSSI
Question 3 The RTS and CTS signals in an EIA/TIA-232 standard cable are used for what function? ❍ A. Hardware flow control ❍ B. Modem control ❍ C. Data transfer ❍ D. Rate Selection
Question 4 Which modem modulation standard provides a transfer rate of 56Kbps? ❍ A. v.22 ❍ B. v.32bis ❍ C. v.34 ❍ D. v.90 ❍ E. v.34bis
Question 5 Which of the following compression algorithms do high-speed modems commonly use? (Choose two.) ❑ A. v.42bis ❑ B. v.42 ❑ C. Microcom Networking Protocol 5 (MNP5) ❑ D. Microcom Networking Protocol 4 (MNP4) ❑ E. v.32bis ❑ F. Link Access Procedure for Modems (LAPM)
Question 6 You connect to an access server and you need to make a configuration change to an attached modem. What action do you take? ❍ A. Reverse Telnet to the modem. ❍ B. Telnet to the attached modem. ❍ C. Access interface configuration mode. ❍ D. Attach to the modem console port.
Question 7 What must you do to allow an asynchronous line to support Dial-on-Demand Routing (DDR)? ❍ A. Use the dialer in-band command. ❍ B. Use the physical-layer async command. ❍ C. Use the async mode dedicated command. ❍ D. You cannot use an asynchronous line for DDR.
Question 8 Which of the following can you configure for asynchronous operation for a modem to use? ❍ A. TTY ❍ B. AUX ❍ C. Console port ❍ D. VTY
Question 9 Which of the following statements are true about a dialer list? ❍ A. Defines traffic that will initiate a call ❍ B. Must be configured when implementing DDR ❍ C. Contains the phone numbers of remote dial-up hosts ❍ D. Links to a configured dialer group
Question 10 A technician will be connecting a new usr_sportster modem to the access server in the evening. You want to configure the access server now so that it automatically configures the modem with the necessary initialization strings when the technician connects the modem in the evening. Which two options can you use to configure this modem? ❑ A. Reverse Telnet ❑ B. Auto discovery by router ❑ C. Console port ❑ D. Predefined initialization string
Question 11 When configuring a modem connected to a TTY line, what is an important reason for completing the line configuration before proceeding to configure the modem-specific parameters? ❍ A. You cannot set line parameters once the modem is initialized. ❍ B. To enable reverse telnet support to the attached modem. ❍ C. You cannot initialize the modem until line parameters are set. ❍ D. To configure the modem autoconfigure type command.
Question 12 Which of the following are true about queuing as supported by Cisco IOS version 12.0 or later? (Choose two.) ❑ A. A serial E1 interface uses FIFO queuing by default. ❑ B. Prioritization is especially useful on WAN links with a constant traffic flow. ❑ C. There are four supported methods of queuing. ❑ D. You can apply only one type of queuing per interface.
Question 13 Your branch office uses a relatively slow WAN link to the central office. The traffic that is exchanged is not particularly sensitive to delay, but sometimes the link becomes congested due to larger file transfers or bandwidth-hogging applications. You want to prioritize traffic in such a way that the lower-volume traffic flows will have priority over large traffic flows, such as the file transfers with the least amount of configuration. What do you configure? ❍ A. Weighted fair queuing (WFQ) ❍ B. Custom queuing (CQ) ❍ C. Priority queuing (PQ) ❍ D. FIFO queuing
Question 14 If a traffic queuing method requires the traffic flows to be reordered, which of the following must you use? ❍ A. WFQ ❍ B. CQ ❍ C. PQ ❍ D. FIFO queuing
Question 15 What command do you use to enable WFQ? ❍ A. router(config)#fair-queue 256 ❍ B. router(config)#weighted-fair-queue 256 ❍ C. router(config-if)#weighted-fair-queue 256 ❍ D. router(config-if)#fair-queue 256
Question 16 An interface using priority queuing ❍ A. Uses low-, normal-, medium-, and high-priority output queues ❍ B. Should be implemented on interfaces of E1 (2.048Mbps) or greater ❍ C. Ensures all queues are serviced even when an interface receives a large volume of higher-priority traffic ❍ D. Empties queues in order from high to low priority
Question 17 Priority queuing can be based on which of the following criteria? ❍ A. Access list ❍ B. Protocol type ❍ C. Packet size ❍ D. Incoming interface
Question 18 Which of the following security protocols are supported by the Cisco IOS? ❍ A. Terminal Access Controller Access Control System Plus (TACACS+) ❍ B. Kerberos ❍ C. Authentication, authorization, and accounting (AAA) ❍ D. Remote Authentication Dial-In User Service (RADIUS)
Question 19 What type of scenario would require the use of Kerberos over TACACS+ or RADIUS with AAA? ❍ A. If centralized user validation is required ❍ B. If a client/system must be used for AAA ❍ C. If authentication must use the Data Encryption Standard (DES) algorithm ❍ D. If the user database is stored on a UNIX system
Question 20 Which of the Cisco IOS supported AAA security protocols does not provide the authorization or accounting component of AAA? ❍ A. Kerberos ❍ B. RADIUS ❍ C. TACACS+ ❍ D. They all provide authorization and accounting.
Question 21 Which of the following characteristics is true regarding the TACACS+ security protocol? ❍ A. Uses secret-key authentication ❍ B. Is a Cisco-proprietary protocol ❍ C. Makes use of User Datagram Protocol (UDP) ❍ D. Supports all AAA features
Question 22 What command do you use to enable AAA on a Cisco access server? ❍ A. aaa enable ❍ B. aaa new-model ❍ C. aaa authentication ❍ D. aaa client
Question 23 Which of the following include authentication types handled by AAA? ❍ A. Console terminal access ❍ B. PPP authentication requests ❍ C. Virtual terminal line login ❍ D. Privileged EXEC mode access
Question 24 Network address translation (NAT) has which of the following characteristics? ❍ A. Decreases the packet forwarding delay ❍ B. Modifies the addresses in IP packet headers ❍ C. Allows the use of private addressing schemes ❍ D. Adds to the depletion of the IP address supply
Question 25 The process of manually mapping a specific inside local address to a predetermined outside global address is best described as ❍ A. Dynamic translation ❍ B. Static translation ❍ C. Port address translation (PAT) ❍ D. Fixed translation
Question 26 PAT is often referred to as ❍ A. One-to-one NAT ❍ B. Many-to-one NAT ❍ C. One-to-many NAT ❍ D. Many-to-many NAT
Question 27 Ethernet 0/0 connects the NAT router to the internal network. What must you do to have this interface participate in NAT operation? ❍ A. Issue the ip nat inside source list command. ❍ B. Issue the ip nat inside command. ❍ C. Issue the ip nat pool command. ❍ D. Issue the ip nat outside command.
Question 28 You need to clear all mappings in the translation table of your router running dynamic NAT. What command would you use? ❍ A. clear nat table ❍ B. clear ip nat translation all ❍ C. clear ip nat translation * ❍ D. clear nat translation table
Question 29 Which of the options provided is not a characteristic of Frame Relay? ❍ A. Provides a very high level of reliability ❍ B. Lacks sequencing and windowing mechanisms ❍ C. Ranges from 56Kbps to 2Mbps in throughput ❍ D. Uses packet-switching technology
Question 30 The Frame Relay WAN consists of two main categories of devices. Which category of device is generally found on the customer’s premises? ❍ A. DLCI ❍ B. DCE ❍ C. CPE ❍ D. DTE
Question 31 Which of the following commands configures Frame Relay subinterface number 15 on your router’s Serial 2 interface? ❍ A. Router(config)#subinterface s2.15 point-to-point ❍ B. Router(config-if)#interface s2.15 multipoint ❍ C. Router(config-if)#interface s2.15 point-to-multipoint ❍ D. Router(config-subif)#interface s2.15
Question 32 Which is not a valid state of a Frame Relay permanent virtual circuit (PVC)? ❍ A. Deleted ❍ B. Active ❍ C. Inactive ❍ D. Standby
Question 33 The signaling standard used between the customer’s equipment and the service provider’s Frame Relay switch is the Local Management Interface (LMI). What are the three Frame Relay LMI types? ❍ A. ansi ❍ B. ietf ❍ C. cisco ❍ D. q933a
Question 34 Which of the following events initiates dial backup? ❍ A. The primary line interface receives interesting traffic. ❍ B. The traffic load on the primary link exceeds a set limit. ❍ C. The interface of the primary link is detected to be down. ❍ D. Priority queuing is configured on the secondary link.
Question 35 Which command do you use to set the amount of time the router waits before bringing up a backup interface? ❍ A. backup timer ❍ B. backup delay ❍ C. dialer backup delay ❍ D. backup interface delay
Question 36 You issue the show interface dialer command on a router that uses a primary Frame Relay serial link and a dial backup interface that is currently not activated. What appears in the backup interface output? ❍ A. Dialer0 is inactive mode, line protocol is down. ❍ B. Dialer0 is standby mode, line protocol is down. ❍ C. Dialer0 is standby mode, line protocol is up. ❍ D. Dialer0 is inactive mode, line protocol is up.
Question 37 The primary use of a backup interface is for ❍ A. Increased bandwidth ❍ B. Multilink bundling ❍ C. Link redundancy ❍ D. Load sharing
Question 38 Which of the following is commonly used for backup links? ❍ A. ISDN Basic Rate Interface (BRI) ❍ B. Modem ❍ C. T3 line ❍ D. Frame Relay
Question 39 Which of the following primary lines can experience failure without initiating the backup link? ❍ A. ISDN BRI ❍ B. Async lines ❍ C. Multipoint Frame Relay interface ❍ D. Point-to-point Frame Relay subinterfaces
Question 40 You have configured a dialer list, which references a predefined access list. How do you configure the appropriate interface to use this dialer list for initiating DDR calls? ❍ A. Using the dialer pool command ❍ B. Using the dialer-list command ❍ C. Using the dialer-group command ❍ D. Using the dialer map command
Question 41 The main purpose of DDR is to establish a connection on an as-needed basis. Once all of the information is exchanged, the connection is again dropped. What event triggers DDR to establish a connection? ❍ A. Routing protocol updates ❍ B. Router keepalive messages ❍ C. Predefined interesting traffic ❍ D. Time-sensitive protocols
Question 42 How do you define when a DDR connection is brought down once there is no more interesting traffic? ❍ A. dialer idle-timeout ❍ B. dialer load-threshold ❍ C. dialer fast-idle ❍ D. dialer idle-timer
Question 43 What happens to uninteresting traffic that is received on a DDR dialer interface that is already connected? ❍ A. The traffic causes the connection to be brought down. ❍ B. The traffic is dropped at the dialer interface. ❍ C. The traffic is sent and the idle timer is reset. ❍ D. The traffic is transmitted across the DDR connection.
Question 44 An IP RIP site uses DDR to establish an ISDN connection to a remote site. Routes learned by RIP frequently disappear from the routing table. What can you use to maintain dynamic routing table entries while minimizing the use of the DDR link by routing updates? ❍ A. Static route entries ❍ B. Snapshot routing ❍ C. Keepalive spoofing ❍ D. Bandwidth-on-demand
Question 45 Multilink PPP (MLP) provides load balancing over multiple connections. Which of the following statements is false regarding MLP? ❍ A. Multiple links are brought up in response to a defined load threshold. ❍ B. You configure load thresholds using the dialer load-threshold command. ❍ C. The load value is expressed as a link utilization percentage ranging from 1 to 100. ❍ D. Load thresholds can be determined for inbound, outbound, or either direction.
Question 46 ISDN services can be in the form of a BRI or Primary Rate Interface (PRI). Identify the statement that is not a characteristic of ISDN service. ❍ A. ISDN PRI E1 offers 30 B-channels. ❍ B. ISDN BRI B-channels operate at 64Kbps. ❍ C. ISDN PRI D-channels operate at 16Kbps. ❍ D. ISDN PRI T1 offers 1.544Mbps throughput.
Question 47 You can view ISDN BRI call setup and network connection teardown messages using which command? ❍ A. debug dialer ❍ B. debug isdn q921 ❍ C. debug isdn q931 ❍ D. debug isdn events
Question 48 The ISDN BRI consists of a number of components and reference points. What is the abbreviation for the interface between an NT2 device and subscriber equipment TA devices? ❍ A. U ❍ B. R ❍ C. S ❍ D. T
Question 49 Which of the following commands is unique in that you can apply it at both the global and ISDN interface configuration mode? ❍ A. encapsulation ppp ❍ B. isdn switch-type ❍ C. isdn spid1 ❍ D. dialer map
Question 50 A Cisco router is configured with a serial point-to-point link to a remote office. If the default encapsulation was used, what protocol is being used on this serial interface? ❍ A. High-Level Data Link Control (HDLC) ❍ B. Point-to-Point Protocol (PPP) ❍ C. Link Access Procedure, Balanced (LAPB) ❍ D. Serial Line Internet Protocol (SLIP)
Question 51 Which Cisco IOS feature can you use to replace the static configuration of physical interfaces, such as the mapping of a remote host to a destination IP address and ISDN number? ❍ A. Dialer map ❍ B. DDR ❍ C. Rotary groups ❍ D. Dialer profiles
Question 52 What responsibility does the PPP Network Control Protocol (NCP) handle? ❍ A. Establishes and configures the link ❍ B. Negotiates the PPP link options ❍ C. Configures network-layer protocols ❍ D. Sets authentication mechanism
Question 53 What is the effect of the ppp callback accept command? ❍ A. Configures an interface to request PPP callback ❍ B. Configures an interface to accept PPP callback requests ❍ C. Configures an interface as a dialer map class member ❍ D. Configures an interface to use callback security
Question 54 You can verify a successful Challenge Handshake Authentication Protocol (CHAP) authentication event using which command? ❍ A. debug ppp negotiation ❍ B. show dialer ❍ C. debug ppp packet ❍ D. show caller
Question 55 Which of the following are characteristics of MLP? ❍ A. Allows the bundling of multiple physical links ❍ B. Transmits fragments over multiple parallel links ❍ C. Reassembles packets at the opposite end of the link ❍ D. Improves throughput and decreases latency
Question 56 You want to allow PPP users to automatically start a PPP session when dialing in on a line. What Cisco IOS command do you use to allow it to take place? ❍ A. modem dialin ❍ B. ppp session-default ❍ C. autoselect ppp ❍ D. ppp authentication chap dialins
Question 57
Virtual private network (VPN) connectivity provides
❍ A. Faster transmission of traffic
❍ B. Tunneling for multiple protocols
❍ C. Increased network complexity
❍ D. Access to a corporate extranet

Question 58
Of the Cisco IOS supported VPN encapsulation protocols, which are predominantly used for remote-access VPNs and rely on PPP?
❍ A. IPSec
❍ B. PPTP
❍ C. GRE
❍ D. L2TP

Question 59
Which of the VPN tunneling protocols do not provide data encryption for the secure tunnel? (Choose two.)
❍ A. IPSec
❍ B. GRE
❍ C. L2TP
❍ D. PPTP

Question 60
Which of the following statements are true about an IPSec tunnel that uses Internet Key Exchange (IKE)? (Choose two.)
❍ A. Transfers interesting traffic as it is received
❍ B. Negotiates a set of security associations (SAs)
❍ C. Uses authenticated key exchange technology
❍ D. Uses authentication but not encryption
Question 61
DSL uses Asynchronous Transfer Mode (ATM) as its Layer 2 protocol. Which of the following are valid encapsulation methods used to carry IP packets over the DSL/ATM connection? (Choose all correct answers.)
❍ A. Point-to-Point Protocol over Ethernet (PPPoE)
❍ B. Point-to-Point Protocol over ATM (PPPoA)
❍ C. RFC 1483 bridging
❍ D. Voice over IP (VoIP)

Question 62
Asymmetric Digital Subscriber Line (ADSL) and Plain Old Telephone Service (POTS) are able to coexist for which of the following reasons? (Choose two.)
❍ A. The implementation of bridge taps at the central office (CO)
❍ B. The use of microfilters at the customer site
❍ C. The use of frequency ranges that do not overlap
❍ D. The separation of the signal by the DSL Access Multiplexer (DSLAM)

Question 63
You are using a DSL modem and have a downstream rate of 6.1Mbps and an upstream bandwidth of 640Kbps. What type of DSL are you subscribed to?
❍ A. ADSL
❍ B. High-data-rate DSL (HDSL)
❍ C. Single-line DSL (SDSL)
❍ D. Very-high-data-rate DSL (VDSL)

Question 64
Which characteristic do HDSL and SDSL have in common?
❍ A. The use of two copper twisted pairs
❍ B. Equal upstream and downstream capacity
❍ C. Used as alternative to T1 or E1 connections
❍ D. Deliver more downstream than upstream capacity
Question 65
A telecommuter must connect to the corporate network once a day for a couple of hours to transfer several large files. What connection method would you recommend for the remote user?
❍ A. Dial-up modem
❍ B. ISDN PRI
❍ C. ISDN BRI
❍ D. Leased T1 line
15 Answer Key 1

1. B
2. A, C, D
3. A
4. D
5. A, C
6. A
7. A
8. A, B, C, D
9. A, B, D
10. B, D
11. B
12. C, D
13. A
14. A, B, C
15. D
16. A, D
17. A, B, D
18. A, B, D
19. C
20. A
21. B, D
22. B
23. A, B, C, D
24. B, C
25. B
26. B
27. B
28. C
29. A
30. D
31. B
32. D
33. A, C, D
34. B, C
35. B
36. B
37. C
38. A, B
39. D
40. C
41. C
42. A
43. D
44. B
45. C
46. C
47. C
48. C
49. B
50. A
51. D
52. C
53. B
54. A
55. A, B, C, D
56. C
57. B, D
58. A, B, D
59. B, C
60. B, C
61. A, B, C
62. B, C
63. A
64. B
65. C
Question 1 The correct answer is B. The primary function of the channel service unit/data service unit (CSU/DSU) is to translate the signaling method on the Local Area Network (LAN) to a signal on the Wide Area Network (WAN) and vice versa. Furthermore, it is a component that provides loopback and diagnostic functionality. A CSU/DSU can be an external component attached to a router or can be an internal WAN interface card. The CSU/DSU does not identify interesting traffic or perform an encapsulation function; therefore, Answers A and C are incorrect. Answer D is incorrect; modulation and demodulation of digital to analog signals are performed by a modem.
Question 2 The correct answers are A, C, and D. There are various data terminal equipment-to-data communications equipment (DTE-to-DCE) signaling standards, including RS-232 (also known as EIA/TIA-232), V.35, and High-Speed Serial Interface (HSSI). The type of signaling standard, interfaces, and cabling will vary depending on the type of DCE or DTE being used. Answer B is incorrect because V.90 is a modem modulation standard, not a DTE-to-DCE signaling standard.
Question 3 The correct answer is A. The EIA/TIA-232 standard cable groups its pins according to function. Pin 4 handles the DTE-controlled Request To Send (RTS) signal, and Pin 5 handles the Clear To Send (CTS) signal, which tells the DTE that it can proceed with data transfer. These two functions are referred to as hardware flow control. Answers B and C are incorrect; the RTS and CTS signals are not involved in modem control or data transfer. Rate selection is not a valid functional group, making Answer D incorrect.
Question 4 The correct answer is D. The V.90 modem modulation standard offers a 56Kbps transmission speed. Answers A, B, C, and E are incorrect because they do not provide a transfer rate of 56Kbps. V.22, V.32bis, V.34, and V.34bis modems provide modulation at up to 1200bps, 14.4Kbps, 28.8Kbps, and 33.6Kbps, respectively.
Question 5 The correct answers are A and C. Two compression algorithms commonly used by modems are V.42bis and Microcom Networking Protocol 5 (MNP5) compression. Compression features are generally combined with error-correction mechanisms, of which Microcom Networking Protocol 4 (MNP4), V.42, and Link Access Procedure for Modems (LAPM) are examples; therefore, Answers B, D, and F are incorrect. The V.32bis protocol provides error correction and compression but applies to slow-speed modems of 14.4Kbps and less, making Answer E incorrect.
Question 6 The correct answer is A. A modem connected to a line on an access server can be configured in one of two ways: automatically by the access server or manually by entering the appropriate commands directly through a modem connection. Answer B is incorrect; because the modem is attached to a line on the access server, you need to establish a reverse Telnet, rather than a forward Telnet, session to the modem to configure it. You cannot configure the modem directly through interface configuration mode, nor is the modem configured using a modem console port; therefore, Answers C and D are incorrect.
Question 7 The correct answer is A. To use an asynchronous dial-up line for Dial-on-Demand Routing (DDR), you must issue the dialer in-band command in interface configuration mode. Answer B is incorrect; you use the physical-layer async command to specify that a slow-speed serial interface operate in asynchronous mode. Answer C is incorrect because you use the async mode dedicated command to place a line into dedicated asynchronous Serial Line Internet Protocol (SLIP) or Point-to-Point Protocol (PPP) mode. The statement in Answer D is incorrect; you can use asynchronous lines for DDR.
Question 8 The correct answers are A, B, C, and D. You can configure all these ports and interface types to operate in asynchronous mode for use with a modem. TTY lines correspond to asynchronous ports (for example, serial interfaces) on the access server or router. VTY lines are virtual terminal lines that are dynamically assigned to a device’s synchronous interfaces.
Question 9 The correct answers are A, B, and D. One of the core configuration steps for DDR is the specification of a dialer list, which defines the traffic that will trigger a call on a DDR interface. The dialer-list command makes reference to a number, which represents the dialer group of interfaces that will be used to make the call. A dialer list does not specify the phone numbers of remote hosts, making Answer C incorrect.
Question 10 The correct answers are B and D. A modem that uses automatic configuration will obtain its configuration information in one of two ways: through either modem autodiscovery or modem autoconfiguration. The modem autodiscovery feature involves a process where the router runs through all initialization strings in its modemcap database until it finds one that initializes the modem. The modem autoconfiguration feature involves the preconfiguration of a specific initialization string to use on a line; this option is often used when the modem type is known. Reverse Telnet is not an option because the modem is to be automatically configured; therefore, Answer A is incorrect. Answer C is incorrect because using the console port is not a viable configuration solution.
Question 11 The correct answer is B. Although it is recommended that you configure line parameters, especially the line speed, before you initialize the modem, you can configure both line and modem parameters before or after initialization. The main reason to configure the line first, however, is to enable the transport input command, which you need to establish a reverse Telnet connection to the modem. Answers A, C, and D are all incorrect because you can configure line and modem parameters before or after modem initialization.
Question 12 The correct answers are C and D. Cisco IOS supports four different types of queuing, including FIFO (first-in first-out) queuing, WFQ (weighted fair queuing), priority queuing (PQ), and custom queuing (CQ). You can configure only one type of queuing on a particular interface. By default, serial interfaces at E1 (2.048Mbps) speeds and lower use flow-based WFQ, making Answer A incorrect. The other types of queuing, which function by prioritizing traffic patterns, are most useful on WAN links that exhibit periods of congestion due to low data rates and bursty traffic. Answer B is incorrect because WAN links with a constant traffic flow do not require queuing.
Question 13 The correct answer is A. You can configure the prioritization of traffic using WFQ, CQ, or PQ, but based on the outlined scenario, it would be most suitable to use WFQ. WFQ is designed to give low-traffic flows priority over high-traffic flows so that a packet or a small number of packets does not have to wait in the device’s output buffer. PQ gives priority to queues rated high, normal, medium, and low in order from highest to lowest. It does not give preference to low-traffic flows; therefore, Answer C is incorrect. CQ assigns a percentage of the bandwidth to specific protocols and does not necessarily give low-traffic flows priority over large transfers; therefore, Answer B is incorrect. Both CQ and PQ can also be complicated to configure, particularly compared to WFQ. Answer D is incorrect because FIFO queuing does not prioritize traffic.
Question 14 The correct answers are A, B, and C. Aside from serial interfaces of E1 bandwidth speeds (2.048Mbps) and lower, which use WFQ, the default queuing method on interfaces is FIFO. FIFO queuing transmits packets in the order in which they are received by the outgoing buffer without reordering, making Answer D incorrect. All other queuing methods (WFQ, CQ, and PQ) reorder the packets before transmitting them.
Question 15 The correct answer is D. You enable WFQ on an interface basis using the fair-queue {congestive-discard-threshold} command. The congestive-discard threshold parameter represents the maximum number of packets belonging to a conversation that will be held in the queue before further packets will be discarded. This number can have a value from 1 to 512 and uses a default value of 64. Answers A, B, and C are all incorrect because they do not provide the proper command syntax.
Question 16 The correct answers are A and D. PQ categorizes traffic into four types, each having a different priority. The four output queues are low, normal, medium, and high. Priority lists define what type of traffic is assigned to the different queues, which are then emptied in the order of high priority to low priority. This means that the lower-priority queues might not get serviced until higher-priority queues are emptied; therefore, Answer C is incorrect. Answer B is incorrect because packet prioritization using PQ is generally used on low-speed WAN links of T1 speeds (1.544Mbps) or less.
Question 17 The correct answers are A, B, and D. The priority-list command has a number of variations and can define traffic to be queued based on an access list, protocol, and even an incoming interface. Answer C is incorrect because packet size is not one of the command options available.
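The queuing commands covered in Questions 12 through 17 fit together in one router configuration. The following is an added example, not a configuration taken from the book; the interface names, the access-list number and the queue assignments are assumed for illustration:

```cisco
! Added example (not from the book). Interface names, the access-list
! number and the queue assignments are assumed for illustration.
!
! Priority queuing (Q16, Q17): traffic is classified into the high,
! medium, normal and low queues by access list, by protocol and by
! inbound interface. Packet size is not an available criterion.
access-list 101 permit tcp any any eq 22
priority-list 1 protocol ip high list 101
priority-list 1 interface Ethernet0 medium
priority-list 1 protocol ip normal
priority-list 1 default low
!
! Apply the priority list to a low-speed WAN link (T1 or slower).
! Only one queuing method can be active on a given interface (Q12).
interface Serial0
 priority-group 1
!
! Weighted fair queuing (Q13, Q15) on a second link, with the
! congestive-discard threshold set explicitly to its default of 64
! (valid range 1 to 512).
interface Serial1
 fair-queue 64
```

The queuing strategy in effect on each interface appears in the output of show interfaces, and show queueing lists the configured priority and fair-queue parameters. Note that the high queue is always emptied first, so an access list that matches too much traffic can starve the lower queues on a congested link (Q16, Answer C).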
Question 18 The correct answers are A, B, and D. Security protocols are used by hosts, such as an access server, to communicate with a central security server, which is responsible for maintaining username and password, authorization, and accounting information for the network. You can configure Cisco IOS to use Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), and Kerberos as security protocols. Answer C is incorrect because AAA is not a security protocol. AAA uses security protocols to provide a system for the authentication and authorization of users and the accounting of computer resources accessed by users.
Question 19 The correct answer is C. On a device running Cisco IOS, you can configure authentication, authorization, and accounting (AAA) to support one of three security protocols: TACACS+, RADIUS, or Kerberos. Kerberos is an authentication protocol that uses secret-key technology and the Data Encryption Standard (DES) cryptographic algorithm to encrypt information exchanged during authentication. The use of a UNIX database or a client/server system is not a reason to use Kerberos over TACACS+ and RADIUS, making Answers B and D incorrect. TACACS+ generally provides centralized user validation using a UNIX database, whereas RADIUS provides a client/server system to ensure authorized access. Answer A is incorrect because the need for central user validation is not a requirement unique to Kerberos.
Question 20 The correct answer is A. Kerberos is supported for use with an AAA configuration and provides a very secure authentication process because the passwords are not sent over the medium. However, Kerberos does not provide authorization or accounting capabilities. You must use RADIUS and TACACS+ to provide support for the authorization and accounting features of AAA. Answers B and C are incorrect options because they do provide the authorization and accounting components of AAA. Answer D is incorrect because only RADIUS and TACACS+ provide authorization and accounting.
Question 21 The correct answers are B and D. TACACS+ is a Cisco-proprietary security protocol that supports the authentication, authorization, and accounting features of AAA and uses TCP for communication between clients and server. Answer A is incorrect because it is Kerberos that uses a secret-key authentication process. Answer C is incorrect because TACACS+ uses TCP for communication.
Question 22 The correct answer is B. You globally enable AAA using the aaa new-model command. Answers A and D are incorrect because aaa client and aaa enable are not valid commands to enable AAA on the router. You use the aaa authentication command to configure the method of authentication used with AAA, making Answer C incorrect.
Question 23 The correct answers are A, B, C, and D. You can configure all of these actions for AAA authentication, which is configured using the aaa authentication type command. Keywords available for the type of authentication include arap, enable, login, nasi, and ppp.
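Questions 18 through 23 describe the pieces of an AAA configuration one command at a time. The following added example (it is not from the book) shows them together on one router; the server addresses, shared keys, the local account and the interface name are placeholders chosen for this example:

```cisco
! Added example (not from the book). Server addresses, keys, the local
! account and the interface name are placeholders.
!
! Enable the AAA access-control model (Q22). Until this is set, the
! aaa authentication commands are not accepted.
aaa new-model
!
! Security servers the router talks to (Q18, Q21): TACACS+ over TCP,
! RADIUS over UDP. Each needs a shared key that matches the server.
tacacs-server host 10.10.10.5 key EXAMPLE-TACACS-KEY
radius-server host 10.10.10.6 auth-port 1645 acct-port 1646 key EXAMPLE-RADIUS-KEY
!
! Authentication method lists (Q23). The server group is tried first;
! the local database is the fallback so the router stays manageable
! when the server is unreachable. Keywords such as login, enable and
! ppp select what the list applies to.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group radius local
!
! Authorization and accounting (Q20): only TACACS+ and RADIUS can
! supply these; Kerberos authenticates only.
aaa authorization exec default group tacacs+ local
aaa authorization network default group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group radius
!
! Local fallback account, used only when the servers do not answer.
username admin privilege 15 secret EXAMPLE-LOCAL-SECRET
!
! Apply the lists: the vty lines use the login list, a dial-in
! async line uses the ppp list for CHAP.
line vty 0 4
 login authentication default
 transport input ssh
!
interface Async1
 ppp authentication chap default
```

Two points worth checking in a real deployment: the local fallback means the local username and secret need the same care as the server credentials, and accounting with start-stop records gives the security team a per-session log of who connected, from where and for how long.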
Question 24 The correct answers are B and C. You use network address translation (NAT) to hide the true identity of internal network hosts and allow network clients using private addressing to access the Internet. NAT functions by altering the source address or destination address in the IP headers of packets. It replaces overlapping, private, or confidential IP addresses with addresses from a pool of public addresses. Answer D is incorrect because this mechanism conserves the number of public addresses that need to be assigned to a company while preserving the ability of internal clients to access the Internet. The implementation of features that process and modify packets generally does not decrease and might actually add to the packet forwarding delay, making Answer A incorrect.
Question 25 The correct answer is B. NAT generally uses dynamic translation, where addresses are allocated from a pool of reusable public addresses. However, these mappings are only temporary and they are lost after a preconfigured period of time, after which they are available for a different mapping. In contrast, static translation configures specific internal to public address mappings in a lookup table. This method of translation, although it hides the identity of internal host addresses, does not conserve IP addresses. Answers A, C, and D are incorrect because they are not the proper terms used to describe the process of mapping inside local addresses to predetermined outside global addresses.
Question 26 The correct answer is B. Port address translation (PAT) is a subset of NAT, which effectively allows several internal addresses to be mapped to a single outside public address. This many-to-one mapping is possible because the NAT router keeps track of traffic translations by maintaining the TCP and UDP port number mappings in a translation table. Answers A, C, and D are incorrect because these options do not properly describe the process of PAT.
Question 27 The correct answer is B. When you configure NAT, one of the steps is to enable NAT on the interfaces that will be participating in address translation. Only packets that are received on an interface that has been enabled for NAT are translated. You enable the interface receiving NAT traffic from the internal network using the ip nat inside command. Similarly, you enable interfaces that will be interfacing with the external network (such as the Internet) using the ip nat outside command, making Answer D incorrect. Answer C is incorrect; you use the ip nat pool command to configure the pool of global addresses to be used by dynamic NAT. Answer A is incorrect; you use the ip nat inside source list command to perform either static or dynamic NAT translation of inside source addresses.
Question 28 The correct answer is C. You can delete all NAT entries recorded in the device’s translation table using the clear ip nat translation * command. You can also clear certain entries containing inside translations, outside translations, or both by using variations of the clear ip nat translation command. Answers A, B, and D are incorrect because they are not valid commands to clear NAT translation entries.
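The NAT commands explained in Questions 24 through 28 are easier to keep straight when seen as one configuration. The following is an added example, not a configuration from the book; the interface names, addresses (RFC 1918 space inside, documentation space 203.0.113.0/24 outside) and pool name are assumed:

```cisco
! Added example (not from the book). Interface names, addresses and
! the pool name are assumed for illustration.
!
! Mark the interfaces (Q27): only packets arriving on an interface
! configured as inside or outside are translated.
interface FastEthernet0/0
 description Internal LAN, private addressing
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description Link to the Internet service provider
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
!
! Pool of public addresses for dynamic translation (Q25).
ip nat pool PUBLIC-POOL 203.0.113.10 203.0.113.14 netmask 255.255.255.240
!
! Inside source addresses eligible for translation.
access-list 1 permit 10.1.1.0 0.0.0.255
!
! Dynamic NAT draws one pool address per inside host and releases it
! when the translation times out. The overload keyword turns this into
! PAT (Q26): many inside hosts share the pool, distinguished by the
! TCP/UDP port numbers kept in the translation table.
ip nat inside source list 1 pool PUBLIC-POOL overload
!
! Static translation (Q25): a fixed inside-local to inside-global
! mapping, typically for a server reached from outside. It hides the
! internal address but does not conserve public addresses.
ip nat inside source static 10.1.1.50 203.0.113.20
!
! Verification and cleanup (Q28), entered from privileged EXEC mode:
!   show ip nat translations
!   show ip nat statistics
!   clear ip nat translation *
```

As Question 24 notes, NAT hides internal addresses but adds work per packet; it is also not an access control. The static mapping above exposes 10.1.1.50 to any outside host that can reach 203.0.113.20, so an inbound access list on Serial0/0 is still needed to limit which ports and sources may reach it.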
Question 29 The correct answer is A. Frame Relay is a packet-switching technology that defines the interface between the customer and the service provider’s equipment. Due to newer digital transmission facilities that have moved from copper to fiber optic links, Frame Relay has replaced the once popular X.25 protocol. Contrary to X.25, Frame Relay does not provide extensive error checking, which results in much lower overhead and provides transmission speeds ranging from 56Kbps to 2Mbps. Answers B, C, and D are all incorrect because they are valid characteristics of the Frame Relay technology.
Question 30 The correct answer is D. Frame Relay devices are classified in two main categories: data communications equipment (DCE) and data terminal equipment (DTE). The devices at the customer’s premises that connect to the Frame Relay service provider’s equipment are DTEs. An example of a DTE is the customer’s router. Answer B is incorrect because DCE refers to devices owned by the service provider, which are usually packet switches. DCEs are the devices that are located at the edge of the Frame Relay WAN cloud and that handle the actual transmission of data into the WAN network. Answer C is not correct because it is not one of the two main categories of Frame Relay devices. Answer A is incorrect; DLCI stands for data-link connection identifier, which is not a Frame Relay device type.
Question 31 The correct answer is B. Once you configure a physical interface for Frame Relay encapsulation, you use the interface serial number.subinterface-number {multipoint | point-to-point} command to define logical subinterfaces. You can configure subinterfaces from either interface or global configuration mode, and the subinterface number can range from 1 to 4,294,967,295. Answers A, C, and D are incorrect because they do not provide the proper command syntax.
Question 32 The correct answer is D. Frame Relay supports both permanent virtual circuits (PVCs) and switched virtual circuits (SVCs). As the name implies, PVCs are permanently established connections, which are used by customers who have frequent data traffic traveling across the Frame Relay network. Answers A, B, and C are incorrect options because they are valid PVC states. Possible PVC states include active, inactive, deleted, or static. You can verify PVC status with the show frame-relay pvc command. An active state indicates that the link between two sites is up. An inactive state appears if the data-link connection identifier (DLCI) configured is provider-assigned but is currently not being used by the router. A deleted state is the result of no DLCI having been configured or of an invalid DLCI number that has not been assigned by the service provider. A static PVC status indicates that no keepalive has been configured on the router interface.
Question 33 The correct answers are A, C, and D. The three Local Management Interface (LMI) types are ansi, cisco, and q933a. LMI provides keepalive, status, and multicast mechanisms. It also provides the ability to use global addressing, giving DLCIs global instead of just local significance. This in effect identifies an interface to the whole Frame Relay network. Answer B is incorrect because it is not a proper LMI type.
Question 34 The correct answers are B and C. Dial backup interfaces provide a secondary WAN connection should the primary link fail. You can also configure the primary link to activate the secondary backup link in response to a specified traffic load. If the traffic load exceeds the configured threshold value, the dial-up line is used for transfer of traffic. You use the backup load command to set when the backup interface should be enabled or disabled. Neither a specific queuing method nor interesting traffic on the primary link are factors that initiate a backup link, making Answers A and D incorrect.
Question 35 The correct answer is B. Once a primary router interface has been detected to be down, the backup interface must be triggered. The device waits a specified amount of time before bringing up the backup interface. You configure this delay on the backup interface using the backup delay command. The time parameters specified with this command are in seconds. All other options are not valid IOS commands to configure the backup delay; therefore, Answers A, C, and D are incorrect.
Question 36 The correct answer is B. You use the show interface dialer command to verify the backup interface configuration. If the line is properly configured and is not currently in use, the first line of the output indicates that the dialer interface is in standby mode and that the line protocol is down. The backup interface remains in a standby state until the primary interface or subinterface fails. Answers A, C, and D do not provide the correct line syntax shown in the show interface dialer command output.
Question 37 The correct answer is C. The primary purpose of a backup interface is redundancy in case the primary link fails. Backup interfaces are not specifically implemented to provide increased bandwidth, but they can be configured to activate if the primary link reaches a defined load threshold, thereby providing a secondary link that provides additional bandwidth. Answers A, B, and D are incorrect because they do not represent the primary purpose of the backup interface.
Question 38 The correct answers are A and B. Dial backup links commonly use modems or ISDN Basic Rate Interface (BRI). These technologies are suitable for backup connections because they can be configured to place a call when necessary and disconnected when they are no longer required. Answers C and D are incorrect because, unlike dedicated serial connections (such as Frame Relay or a T3 line), dial-up lines are only charged for the connection time used.
Question 39 The correct answer is D. You associate primary interfaces with a backup interface using the backup interface command. This command specifies the dialer interface that will be initiated in the event that the primary connection is lost, which means that it depends on the failure of the primary interface. The problem with multipoint Frame Relay interfaces is that the failure of one of the PVCs might not be detected, resulting in a failure to initiate the backup connection. Answers A, B, and C are incorrect because failure of any of the other types of interfaces is properly detected by the dial backup configuration.
Question 40 The correct answer is C. The dialer list uses the access control list (ACL) to define interesting traffic that initiates a DDR call. You must assign the dialer list to the interface that is responsible for making the call using the dialer-group command. You use the dialer pool command to specify the dialer pool used by a dialer interface, making Answer A incorrect. You create the dialer list using the dialer-list command, making Answer B incorrect. Answer D is incorrect because you use the dialer map command to configure an interface with the parameters needed to place a call to a destination.
Question 41 The correct answer is C. DDR is built around the premise that “interesting traffic” is defined and responsible for initiating a call to establish the WAN connection. You define traffic that is considered interesting using a dialer list, which can also be refined by referring to an access list. The second component is the dialer interface, which you must configure to make the call once traffic that needs to be transmitted is received. Answers A, B, and D are incorrect because they are not factors that trigger the establishment of a DDR connection.
Question 42 The correct answer is A. A line that has been brought up by DDR uses an idle timer to keep track of how much time has passed since the interface has received and forwarded interesting traffic, causing the link to be idle. This parameter is set to 120 seconds by default, but can be modified using the dialer idle-timeout command. Answer C is incorrect; the dialer fast-idle command specifies how long a line that is needed for another call can remain idle before being disconnected to be used by the contending call. Answer B is incorrect; you use the dialer load-threshold command to set the interface load, which triggers the dialer to place another call to the destination. Answer D is incorrect because dialer idle-timer is not a valid Cisco IOS command to set the idle timeout.
Question 43 The correct answer is D. A DDR call is only placed and a connection established when interesting traffic is received on the dialer interface. Once the connection is established and the idle timeout has not expired, both uninteresting and interesting traffic is transmitted across the link. Answer C is incorrect; only interesting traffic resets the idle-timeout timer, meaning that uninteresting traffic is still transmitted but the timer continues to count down to the configured value. Answers A and B are incorrect because uninteresting traffic is not dropped nor does it bring down the connection.
Question 44 The correct answer is B. Snapshot routing is a mechanism specifically designed to address the exchange of routing updates across a DDR connection. Updates sent by distance-vector protocols, such as RIP, could keep a DDR link up for a costly amount of time. Snapshot routing allows DDR environments to continue to use dynamic routing entries in their tables by implementing an active period and quiet period. This way, routing updates can be exchanged and they initiate a DDR call during the active period. During the quiet period, no updates are sent and the routing table is placed in a frozen state, preventing the loss of dynamic routing updates. Answers A, C, and D are incorrect because these options do not help to conserve dynamic routing information while minimizing the use of the DDR link.
Question 45 The correct answer is C. You configure the load threshold that triggers an additional link to be brought up when using bandwidth-on-demand with the dialer load-threshold command. However, the value used for the load parameter of this command is a link utilization percentage in the range of 1 to 255, where 255 signifies 100%. The dialer load-threshold command also provides the ability to specify whether the load calculation is based on inbound, outbound, or either direction of traffic flow. Answers A, B, and D are incorrect because they are all true statements regarding Multilink PPP (MLP).
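Questions 34 through 45 walk through dial backup and legacy DDR command by command; the following added example (not a configuration from the book) puts them on one router so the relationships are visible. The interface names, DLCI, addresses, phone number, peer name, SPIDs and CHAP secret are placeholders assumed for the example, and the switch type is the one the ISDN provider would assign (Q49):

```cisco
! Added example (not from the book). Interface names, DLCI, addresses,
! phone number, peer name, SPIDs and the CHAP secret are placeholders.
!
! ISDN switch type (Q49), set globally for all ISDN interfaces. Use the
! isdn switch-type command under an interface only when that interface
! needs a type different from the global one.
isdn switch-type basic-ni
!
! Interesting traffic (Q9, Q40, Q41, Q43). The dialer list refers to an
! access list so that routing updates never bring the link up or reset
! the idle timer; everything else is interesting.
access-list 101 deny   udp any any eq rip
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
! Primary Frame Relay link. A point-to-point subinterface is used so
! that the loss of its PVC is detected and the backup is triggered;
! on a multipoint interface it might not be (Q39).
interface Serial0/0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 ip address 10.2.2.1 255.255.255.252
 frame-relay interface-dlci 100
 ! Backup interface (Q39), its activation delay (Q35: 10 s after
 ! failure, torn down 60 s after recovery) and the load thresholds
 ! (Q34: enable at 75% utilisation, disable when it falls to 5%).
 backup interface BRI0
 backup delay 10 60
 backup load 75 5
!
! The BRI stays in standby (Q36) until Serial0/0.1 fails. Legacy DDR
! configuration with a dialer map (Q40, Q51):
interface BRI0
 ip address 10.3.3.1 255.255.255.252
 encapsulation ppp
 isdn spid1 5551000000
 isdn spid2 5551000001
 dialer map ip 10.3.3.2 name REMOTE broadcast 5551212
 dialer-group 1
 ! Idle timeout (Q42): 300 s instead of the 120 s default.
 dialer idle-timeout 300
 ! Fast idle (Q42): release a line a contending call needs after 30 s.
 dialer fast-idle 30
 ! Bandwidth on demand (Q45): 128/255 is about 50% outbound load, at
 ! which point MLP brings up the second B-channel.
 dialer load-threshold 128 outbound
 ppp multilink
 ppp authentication chap
!
! Peer credentials for CHAP. Stored encrypted in the running config.
service password-encryption
username REMOTE password 0 EXAMPLE-CHAP-SECRET
!
! Verification, from privileged EXEC mode:
!   show interfaces bri0     (standby mode while the primary is up, Q36)
!   show dialer              (idle timers and call reasons)
!   show isdn status         (Layer 1 and Layer 2 state)
!   debug isdn q931          (Layer 3 call setup and teardown, Q47)
```

Because the backup line is billed by connection time (Q38), the access list that defines interesting traffic is the main cost and availability control here: anything it permits can keep the ISDN line up until the idle timeout expires, so a periodic protocol left in it (the RIP deny above is the classic case) turns into a line that never drops.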
Question 46 The correct answer is C. The ISDN PRI D-channel actually operates at a rate of 64Kbps. ISDN BRI, which uses two 64Kbps B-channels and one 16Kbps D-channel, provides a maximum total speed of 192Kbps. ISDN PRI T1 (23 B-channels) and E1 (30 B-channels) provide total speeds of 1.544Mbps and 2.048Mbps, respectively. Answers A, B, and D are incorrect because they are all valid characteristics of ISDN service.
Question 47 The correct answer is C. Call setup and connection teardown occurs on the D-channel at the network layer or Layer 3. The debug command that displays information messages dealing with Layer 3 is debug isdn q931. Answer B is incorrect; to view information on signaling taking place between the ISDN switch and the router at Layer 2, you can use the debug isdn q921 command. Answers A and D are incorrect; you use the debug dialer command to view debugging information about packets being received on the ISDN dialer interface, and you use the debug isdn events command to display information on ISDN events taking place on an ISDN interface.
Question 48 The correct answer is C. The interface between an NT2 device and a TA (converter for non-ISDN device) or TE1 (ISDN device) is the S reference point. The interface between an NT1 and NT2 is called the T reference point, making Answer D incorrect. Answer B is incorrect because the R reference point describes the interface between a non-ISDN TE2 device and the TA. Answer A is incorrect because the U reference point refers to the interface between the local loop terminating NT1 and the ISDN local exchange (LE). The BRI S and T interfaces have the exact same characteristics, which is why the interface between a TE1 or TA and an NT1 device is often combined and referred to as the S/T interface.
Question 49 The correct answer is B. The configuration of the ISDN switch type is very important because the type used by the router and the service-provider switch must match. The switch type is configured at the global level, which automatically assigns that switch type to all ISDN interfaces. However, in certain scenarios an interface requires a configuration different from the globally assigned switch type. In these cases, you also use the isdn switch-type command at the interface level. The encapsulation ppp, isdn spid1, and dialer map commands are all configured at the interface level, making Answers A, C, and D incorrect.
Question 50 The correct answer is A. The default encapsulation for ISDN and serial interfaces on a Cisco router is High-Level Data Link Control (HDLC). Answers B, C, and D are incorrect because they are not the default encapsulation protocols used on serial interfaces.
Question 51 The correct answer is D. The static configuration that associates a remote host with a destination IP address and ISDN number is called a dialer map. You can replace this step and other legacy ISDN interface configuration steps by using dialer profiles. Dialer profiles separate physical and logical configurations of the ISDN interface, allowing the interface to dynamically use different characteristics, depending on the particular call. For example, dialer profiles can define different encapsulations or ACLs to be used for different incoming or outgoing calls. Answers A, B, and C are incorrect because they are not Cisco IOS features that can replace the use of static configurations of physical interfaces.
Question 52 The correct answer is C. The Network Control Protocol (NCP) is responsible for the configuration of different network-layer protocols that are used on the link. Supported protocols include IP, Internetwork Packet Exchange (IPX), and AppleTalk. Answers A, B, and D are incorrect because it is the Link Control Protocol (LCP) that handles the establishment and configuration of data-link connections, including PPP options.
Question 53 The correct answer is B. For dialer interfaces to function as callback clients or servers, they need to be configured with the ppp callback command. A callback client requests callback, and you configure it with the ppp callback request command. A callback server accepts callback requests, and you configure it with the ppp callback accept command. Answers A, C, and D are incorrect because they do not describe the effect of configuring the ppp callback accept command.
Question 54 The correct answer is A. You can use the debug ppp negotiation command to verify aspects of PPP operation, including packets exchanged during the negotiation of PPP options such as Challenge Handshake Authentication Protocol (CHAP) authentication. None of the other show and debug commands provided display information on the specific PPP negotiation events such as CHAP authentication; therefore, Answers B, C, and D are incorrect.
Question 55 The correct answers are A, B, C, and D. All these features are provided by Multilink PPP (MLP). MLP is an option negotiated by the LCP during the establishment of a PPP connection. By bundling multiple links, MLP provides faster throughput and decreased latency when the traffic load becomes high or simply load-balances among the available connections to avoid congestion. Packets are split into fragments and transmitted over parallel links to the destination, where they are reassembled.
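The following configuration ties together the commands discussed in Questions 45, 49, 50, 51, 53, and 55 on a single BRI interface. It is an added example, not a configuration taken from the book: the hostnames, addresses, SPIDs, phone numbers, and CHAP password are placeholders, and the callback map-class and the interesting-traffic access list are assumptions included to show a complete legacy DDR setup rather than anything the questions specify.

```cisco
! Added example (not from the book): legacy DDR on a BRI that combines the
! commands from Questions 45, 49, 50, 51, 53 and 55. Hostnames, addresses,
! SPIDs, phone numbers and the CHAP password are placeholders.
hostname RouterA
!
! CHAP peer credentials; the password must match on both routers.
username RouterB password 0 s3cretB
!
! A switch type set globally applies to every ISDN interface (Question 49)...
isdn switch-type basic-5ess
!
interface BRI0
 ! ...and is overridden here because this line is provisioned as NI-1,
 ! which also requires SPIDs.
 isdn switch-type basic-ni
 isdn spid1 51255512340101 5551234
 isdn spid2 51255512350101 5551235
 ip address 10.1.1.1 255.255.255.252
 ! Default encapsulation is HDLC (Question 50); PPP is required for CHAP,
 ! callback and Multilink PPP.
 encapsulation ppp
 ppp authentication chap
 ! Static dialer map (Question 51); the class links the peer to its
 ! callback settings below.
 dialer map ip 10.1.1.2 name RouterB class cb-routerb 5551234
 ! Callback server side (Question 53); RouterB uses "ppp callback request".
 ! dialer callback-secure drops callers that are not configured for callback.
 ppp callback accept
 dialer callback-secure
 ! Bring up the second B-channel when load in either direction exceeds
 ! 128/255 (about 50%) and bundle the channels with MLP (Questions 45, 55).
 ppp multilink
 dialer load-threshold 128 either
 dialer idle-timeout 120
 dialer-group 1
!
map-class dialer cb-routerb
 dialer callback-server username
!
! Only "interesting" traffic may place or hold up a call: keep chatty
! management protocols from dialing the metered link.
access-list 101 deny   udp any any eq snmp
access-list 101 deny   udp any any eq ntp
access-list 101 permit ip  any any
dialer-list 1 protocol ip list 101
```

Note that dialer load-threshold 128 either raises the second B-channel at roughly half utilization in either direction; a value of 255 would wait until the first channel is saturated. The access list keeps SNMP and NTP from placing calls, which matters for both cost and exposure on a metered ISDN link, and CHAP rather than PAP means the shared secret never crosses the line in clear text.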
Question 56 The correct answer is C. Depending on the line configuration, remote dial-in users have the option to start an EXEC session or a PPP session. Configuring the autoselect ppp command on dial-in lines allows a PPP session to start automatically. Answer A is incorrect; the modem dialin command configures a line to set an attached modem to accept incoming calls only. Answer D is incorrect because you use the ppp authentication chap dialins command to specify the method of authentication to use on a line. The ppp session-default command is not a valid Cisco IOS command; therefore, Answer B is incorrect.
Question 57 The correct answers are B and D. Virtual private networks (VPNs) provide a number of useful functions and benefits, of which confidentiality through encryption, authentication capabilities, and data integrity are the most important for most companies. Answer C is incorrect; rather than requiring a complicated remote-access infrastructure, a VPN lets you create secure virtual tunnels to the corporate network from telecommuters, remote offices, and even customer sites. VPNs are not created to provide faster transmission of traffic; therefore, Answer A is incorrect.
Question 58 The correct answers are A, B, and D. VPNs continue to be a popular choice for the low-cost deployment of secure networks over an intermediary public network. There are two main types of VPN solutions at this time: LAN-to-LAN connection mechanisms and remote-access scenarios. Tunneling methods commonly used for remote-access VPNs include IP Security (IPSec), Point-to-Point Tunneling Protocol (PPTP), and Layer 2 Tunneling Protocol (L2TP); PPTP and L2TP both carry PPP sessions. Site-to-site configurations often use Generic Routing Encapsulation (GRE) for the tunnel encapsulation process; therefore, Answer C is incorrect. GRE encapsulates all traffic, providing tunneling for multiple protocols, including routing protocols.
Question 59 The correct answers are B and C. The GRE and L2TP protocols do not themselves provide data encryption or data integrity. If the VPN tunnel must provide one or both of these features, you can combine GRE or L2TP with IPSec, which provides encryption and authentication using Internet Key Exchange (IKE). Answers A and D are incorrect because these protocols do provide data encryption.
Question 60 The correct answers are B and C. The use of IKE enhances the capabilities of an IPSec secure tunnel. IKE implements authenticated key exchange processes using security associations (SAs). Router peers at each end of the IPSec tunnel must first be authenticated and must have a set of SAs negotiated by IKE before interesting traffic is encrypted and transmitted across the tunnel to the peer router; therefore, Answer A is incorrect. Answer D is incorrect because an IPSec tunnel using IKE provides both authentication and encryption capabilities.
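The combination described in Questions 59 and 60, GRE for multiprotocol tunneling with IPSec and IKE supplying authentication and encryption, looks like the following on a Cisco router. This is an added example, not configuration from the book; the peer addresses, tunnel addresses, and preshared key are placeholders, and the AES and Diffie-Hellman group 14 settings assume an IOS release that supports them (the book's era commonly used DES or 3DES with group 1 or 2, which are no longer considered adequate).

```cisco
! Added example (not from the book): GRE tunnel protected by IPSec with IKE.
! Addresses and the preshared key are placeholders; "aes 256" and "group 14"
! assume an IOS release that supports them.
!
! IKE (ISAKMP) phase 1: how the peers authenticate each other and protect
! the key exchange. A preshared key is the simplest method (Question 60).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key Gr3-T0-Brnch address 203.0.113.2
!
! IPSec phase 2 transform: ESP provides both encryption and integrity
! (Question 59). Transport mode is enough because GRE already supplies
! the outer IP header.
crypto ipsec transform-set GRE-SET esp-aes 256 esp-sha-hmac
 mode transport
!
! The crypto map ties the peer, the transform set and the traffic to
! protect together.
crypto map GRE-VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-SET
 match address 110
!
! Only the GRE traffic between the two tunnel endpoints is encrypted.
access-list 110 permit gre host 203.0.113.1 host 203.0.113.2
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
!
! The crypto map goes on the physical interface the GRE packets leave by.
interface Serial0
 ip address 203.0.113.1 255.255.255.252
 crypto map GRE-VPN
```

Routing protocols and non-IP traffic ride inside Tunnel0 and are encrypted by IPSec as the GRE packets leave Serial0. The IKE security associations must be established before any interesting traffic is protected, so "show crypto isakmp sa" followed by "show crypto ipsec sa" is the order in which to verify the tunnel. The peer router mirrors this configuration with the addresses swapped.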
Question 61 The correct answers are A, B, and C. Three major encapsulation methods can transfer IP over the Asynchronous Transfer Mode (ATM)-based DSL connection: RFC 1483 bridging, Point-to-Point Protocol over Ethernet (PPPoE), and Point-to-Point Protocol over ATM (PPPoA). The bridging approach is considered to be the easiest to implement; however, PPPoE and PPPoA provide more flexibility to service providers because they offer an authentication and connection feature all in one. VoIP is not an encapsulation method used to carry IP packets over the DSL/ATM connection; therefore, Answer D is incorrect.
Question 62 The correct answers are B and C. Asymmetric Digital Subscriber Line (ADSL) uses a different frequency range from Plain Old Telephone Service (POTS) voice service and can therefore use the same wire as voice traffic. You do need to split the voice and data traffic, which you do using a POTS splitter at the central office (CO) and a POTS splitter or microfilter at the customer site. The POTS splitter at the CO separates the two types of traffic, sending POTS signals on to a voice switch and data traffic to the DSL Access Multiplexer (DSLAM). Answers A and D are incorrect because bridge taps and the DSLAM are not responsible for splitting the voice and data signals.
Question 63 The correct answer is A. ADSL provides a downstream rate ranging from 1.5 to 9Mbps and an uplink capacity ranging from 16 to 640Kbps. However, as with other DSL technologies, the rate experienced by the customer might be lower, depending on various factors, including the distance from the CO. Answers B, C, and D are incorrect; HDSL and SDSL provide 1.544Mbps of bandwidth in both directions, and VDSL delivers high rates ranging from 13 to 52Mbps downstream and 1.5 to 2.3Mbps upstream.
Question 64 The correct answer is B. High-data-rate DSL (HDSL) provides equal upstream and downstream rates of 1.544Mbps and uses two copper twisted pairs. Because it offers T1 speeds in both directions, this DSL technology is often used as a T1 or E1 replacement; therefore, Answer C is incorrect. Symmetric DSL (SDSL) also provides equal upstream and downstream speeds of 1.544Mbps but uses one copper twisted pair, making Answer A incorrect. Answer D is incorrect because both technologies provide equal upstream and downstream rates.
Question 65 The correct answer is C. The most suitable technology to recommend for the telecommuter is an ISDN BRI connection. Answers A and D are incorrect; a permanent connection would be excessive, and a regular analog dialup link would not provide a reasonable transfer rate for the large documents. The capacity provided by an ISDN PRI connection would also be excessive and would not be used for this telecommuter scenario; therefore, Answer B is incorrect.
Chapter 16: Practice Exam 2

Question 1
You are connected to an access server and you need to establish a session with a modem attached to an asynchronous line. Which of the following statements are correct? (Choose three.)
❍ A. You can connect to the modem using a reverse Telnet session.
❍ B. You specify a TCP port of 2000 + n as part of the command parameters.
❍ C. You need to know the line to which the modem is attached.
❍ D. You need to set the modem inout command in global configuration mode.

Question 2
You attempt to establish a reverse Telnet connection to a modem attached to a line on the access server but are unable to do so. What should you do? (Choose two.)
❍ A. Verify the transport input command has been set on the line.
❍ B. Configure the rlogin command on the access server line.
❍ C. Issue the show users EXEC command to verify that the line is not in use.
❍ D. Configure the modem dialin command on the access server line.

Question 3
Which of the following configuration commands are set under the logical interface (interface async 7)?
❍ A. encapsulation ppp
❍ B. modem inout
❍ C. speed 115200
❍ D. autoselect ppp
❍ E. ppp authentication chap
Question 4
Which command do you use to create a logical asynchronous interface for a group of multiple asynchronous lines?
❍ A. transport input all
❍ B. interface async
❍ C. dialer-group
❍ D. interface group-async

Question 5
Indicate the command used to restrict a line on an access server to allow a modem to accept incoming calls only.
❍ A. modem accept
❍ B. modem dialin
❍ C. modem callout
❍ D. modem inout

Question 6
You want to view the contents of a specific modemcap database entry. Which of the following will provide the desired information?
❍ A. show modemcap
❍ B. show modemcap usr_sportster
❍ C. show modemcap entry usr_sportster
❍ D. show modemcap entry

Question 7
If the attached modem type is known, modem autoconfiguration is preferred over modem discovery as an automatic modem configuration method.
❍ A. True
❍ B. False
Question 8
Which two tasks can you perform using the modemcap edit command?
❍ A. View the contents of a modemcap entry
❍ B. Add attributes to an existing modemcap entry
❍ C. Remove a modem entry from the modemcap
❍ D. Create a new entry in the modemcap database

Question 9
Which of the following commands can you use to verify the physical modem and line parameters on a virtual terminal line?
❍ A. show vty
❍ B. show interface
❍ C. show modem
❍ D. show line

Question 10
Which of the following standard modem commands loads the factory defaults?
❍ A. AT&0
❍ B. AT&F
❍ C. ATS0=n
❍ D. AT\Q3

Question 11
Priority list configurations have been set on a router to assign packets to queues according to an access list. Which of the following is true about traffic that does not match any of the rules defined in the priority list?
❍ A. You can assign all undefined traffic to a queue using the priority-list default command.
❍ B. All undefined traffic is automatically placed in the low-priority queue.
❍ C. All undefined traffic must be discarded.
❍ D. All undefined traffic is automatically placed in the high-priority queue.
Question 12
Which of the following characteristics most accurately describe custom queuing (CQ)? (Choose two.)
❍ A. Causes unfavorable delays in the transmission of low-importance traffic
❍ B. Transmits sequentially a configured percentage of traffic from each queue
❍ C. Allows the assignment of a portion of the bandwidth to each queue
❍ D. Can only prioritize traffic based on the protocol type

Question 13
You need to configure the size of queue number 2. What is the correct command to make this change?
❍ A. queue-list queue limit
❍ B. priority-list queue limit
❍ C. queue-list queue byte-count
❍ D. priority-list queue byte-count

Question 14
You can optimize traffic flow on a WAN link through the use of compression. Per-interface (or link) compression on a point-to-point connection between Cisco devices
❍ A. Is protocol independent
❍ B. Compresses the header
❍ C. Compresses the payload
❍ D. Can use the Predictor algorithm
❍ E. Can use the STAC algorithm
❍ F. All of the above
Question 15
You use congestion-avoidance techniques to reduce the likelihood of congestion on the network. Which is the default packet-dropping mechanism used by the Cisco IOS quality-of-service (QoS) features?
❍ A. Random Early Detection (RED)
❍ B. Weighted Random Early Detection (WRED)
❍ C. Tail drop
❍ D. Spoofing

Question 16
Identify which of the following statements is not true regarding WRED:
❍ A. You can use the WRED mechanism to avoid tail drops.
❍ B. It combines RED algorithm features with IP precedence.
❍ C. It is a Cisco IOS QoS feature for congestion avoidance.
❍ D. It is more likely to drop packets of high IP precedence.

Question 17
Indicate the command that specifies the IP address of the CiscoSecure Access Control Server (ACS) to be used for authentication, authorization, and accounting (AAA) services:
❍ A. aaa new-model
❍ B. radius-server host
❍ C. aaa authentication
❍ D. tacacs-server key

Question 18
Which of the following is not one of the core components of CiscoSecure?
❍ A. AAA client
❍ B. AAA ACS
❍ C. Firewall
❍ D. Database
Question 19
Which AAA component is responsible for the identification of a user requesting access to network resources?
❍ A. Authorization
❍ B. Accounting
❍ C. Authentication
❍ D. Association

Question 20
Which AAA command do you use to define the local method list for login authentication?
❍ A. login authentication
❍ B. aaa new-model
❍ C. aaa authentication login
❍ D. ppp authentication

Question 21
You want to audit all system-level events on a CiscoSecure ACS. What command do you use to enable auditing of this information?
❍ A. aaa accounting connection
❍ B. aaa accounting events
❍ C. aaa accounting command
❍ D. aaa accounting system

Question 22
Which of the following Frame Relay traffic-shaping terms refers to the rate at which a Frame Relay switch agrees to transfer data traffic?
❍ A. Bc
❍ B. Be
❍ C. CIR
❍ D. BECN
Question 23
You have set the Frame Relay encapsulation on an interface. Which command do you now use to enable Frame Relay traffic shaping on the interface?
❍ A. encapsulation frame-relay
❍ B. map-class frame-relay
❍ C. frame-relay traffic-shaping
❍ D. frame-relay class

Question 24
You have enabled traffic shaping on your Frame Relay interface and you have defined a map class. You now want to associate that map class with specific multipoint subinterfaces. What command do you use?
❍ A. frame-relay map
❍ B. map-class frame-relay
❍ C. frame-relay class
❍ D. frame-relay map-class

Question 25
You need to avoid reachability problems caused by split horizon on your hub-and-spoke Frame Relay network. Which of the following configuration tasks is commonly used to address the issues caused by split horizon?
❍ A. Configuring Frame Relay map statements
❍ B. Implementing Frame Relay subinterfaces
❍ C. Disabling the forwarding of broadcasts
❍ D. Configuring a loopback interface

Question 26
What do you use the frame-relay adaptive-shaping command for?
❍ A. To set virtual circuit (VC) rate adjustment to be based on backward explicit congestion notification (BECN) messages
❍ B. To set the committed information rate (CIR) for a virtual circuit
❍ C. To specify the excess burst (Be) size for outgoing traffic
❍ D. To enable Frame Relay traffic shaping and per-virtual circuit queuing on an interface
Question 27
Which command do you use to configure traffic-shaping rate enforcement when defining Frame Relay map class parameters?
❍ A. map-class frame-relay
❍ B. frame-relay interface-dlci
❍ C. frame-relay traffic-rate
❍ D. frame-relay class

Question 28
You would like to display packets sent on a particular Frame Relay interface, including the destination address, size, and type of the packet. Which command do you use?
❍ A. debug events
❍ B. debug frame-relay packet
❍ C. debug frame-relay
❍ D. debug frame-relay out

Question 29
In which situation must you set service profile identifiers (SPIDs) during the ISDN Basic Rate Interface (BRI) configuration process?
❍ A. You must never configure SPIDs for an ISDN BRI.
❍ B. You must always configure SPIDs for an ISDN BRI.
❍ C. You must set SPIDs to use the D-channel for data transmission.
❍ D. You must configure SPIDs when required by the service provider.

Question 30
A Frame Relay router has a data-link connection identifier (DLCI) to IP address mapping table that it uses to route outgoing traffic to the appropriate virtual circuit. There are two methods by which DLCI numbers are mapped to IP addresses. What are they? (Choose two.)
❍ A. Dynamically using Address Resolution Protocol (ARP)
❍ B. Dynamically using inverse ARP
❍ C. Statically using the frame-relay address command
❍ D. Statically using the frame-relay map command

Question 31
Which statements best describe a floating static route? (Choose two.)
❍ A. A static alternative route used only when a dynamic route to a network is lost
❍ B. A static route to a network that is preferred over an available dynamic route
❍ C. Routes with a smaller administrative distance than dynamic routing protocols
❍ D. Routes with a greater administrative distance than dynamic routing protocols

Question 32
Which of the following commands used to verify Frame Relay traffic shaping provides information on traffic-shaping parameters and the queuing algorithm in use?
❍ A. show frame-relay pvc
❍ B. show frame-relay lmi
❍ C. show frame-relay map
❍ D. show frame-relay traffic
Question 33
You can use Point-to-Point Protocol (PPP) encapsulation on which of the following WAN connection types? (Choose all that apply.)
❍ A. Synchronous serial
❍ B. Asynchronous serial
❍ C. Broadband
❍ D. ISDN

Question 34
Which of the following choices of WAN technologies provides the fastest connection speed?
❍ A. Cable
❍ B. DSL
❍ C. ISDN Primary Rate Interface (PRI)
❍ D. T3 line

Question 35
The router's dial backup configuration includes the following command:

backup load 75 5

Which statements are true regarding this configuration command? (Choose all that apply.)
❍ A. The backup link is brought down when it drops to 5% capacity.
❍ B. The backup link comes up when the primary line is at 75% capacity.
❍ C. The backup link is brought down when the aggregate load on backup and primary is 5% of primary's capacity.
❍ D. Seventy-five is the backup line enable threshold represented by a percentage of the primary line's available bandwidth.
Question 36
You must configure the router with the necessary information to dial a destination router. What do you use?
❍ A. dialer-script
❍ B. dialer map
❍ C. dialer-group
❍ D. dialer host

Question 37
Which of the following dial-on-demand routing (DDR) commands do you use to determine how long a line can remain idle before it is disconnected for use by a contending call?
❍ A. dialer idle-timeout
❍ B. dialer load-threshold
❍ C. dialer release-timer
❍ D. dialer fast-idle

Question 38
What does the 40 signify in the backup delay 30 40 command?
❍ A. The primary link capacity at which the backup link is brought up
❍ B. The amount of time delay before the backup link is brought down
❍ C. The amount of time delay before the backup link is brought up
❍ D. The primary link capacity at which the backup link is brought down

Question 39
Which command do you use on the backup interface to enable dialer watch?
❍ A. dialer watch
❍ B. dialer watch-group
❍ C. dialer watch-list
❍ D. dialer watch-enable
Question 40
You are configuring a point-to-point connection to be used for DDR. Part of the configuration will include PPP callback. You want to make sure interesting packets received on the interface while the connection is being established will be buffered rather than dropped. What command can you use to enable the storing of packets until the dialer interface is ready for packet transfer?
❍ A. dialer-queue
❍ B. dialer hold-queue
❍ C. dialer enable-timeout
❍ D. dialer hold-time

Question 41
What command do you use to assign a physical interface to a dialer pool?
❍ A. dialer string
❍ B. dialer pool
❍ C. dialer-group
❍ D. dialer pool-member

Question 42
Which of the following DDR backup features monitors the status of a certain list of routes instead of relying entirely on interesting traffic to trigger calls on a secondary link?
❍ A. Floating static routes
❍ B. Spoofing
❍ C. Dialer watch
❍ D. Dialer profiles
Question 43
A router with a native BRI interface is what type of device?
❍ A. TE2
❍ B. TE1
❍ C. NT1
❍ D. NT2

Question 44
ISDN rate adaptation is used for what?
❍ A. To evenly load-balance between ISDN B-channels
❍ B. To allow a TE1 device to connect to the ISDN network
❍ C. To deal with congestion on the ISDN connection
❍ D. To allow the ISDN channel to adjust to a lower speed

Question 45
Part of your DDR configuration includes the command passive-interface dialer0. What is the purpose of this command?
❍ A. It specifies the backup interface.
❍ B. It configures the interface for outgoing calls only.
❍ C. It prevents routing updates from initiating DDR calls.
❍ D. It prevents interesting traffic from initiating DDR calls.

Question 46
An access server is using 42 asynchronous interfaces for point-to-point connections between remote users and the corporate IP network. You need to assign IP addresses to all the interfaces. Which command do you use to conserve the number of IP addresses for the asynchronous interfaces?
❍ A. ip address
❍ B. peer default ip address
❍ C. ip unnumbered
❍ D. ip local-pool dialin
Question 47
What effect does the dialer load-threshold 128 command have? (Choose two.)
❍ A. It brings up a backup link if the primary link fails.
❍ B. It brings up subsequent links using Multilink PPP (MLP).
❍ C. It comes into effect when the link speed reaches 128Kbps.
❍ D. It comes into effect once 50% of the bandwidth is used.

Question 48
Which of the following are reasons why you would use Password Authentication Protocol (PAP) for authentication? (Choose two.)
❍ A. Security is not a concern.
❍ B. Hashed passwords must be exchanged.
❍ C. Hosts are running legacy PPP software.
❍ D. A leased point-to-point connection is used.

Question 49
Which of the following commands configures the router to screen incoming ISDN calls to verify that they have been initiated from an allowed number?
❍ A. isdn caller-id
❍ B. isdn caller
❍ C. isdn answer
❍ D. isdn dialin

Question 50
Which command do you use to set a slow-speed serial interface to operate in asynchronous mode?
❍ A. autoselect ppp
❍ B. async mode dedicated
❍ C. interface async
❍ D. physical-layer async
Question 51
Examples of a remote-access virtual private network (VPN) scenario include which of the following? (Choose two.)
❍ A. A secure tunnel is established between a network access server and the corporate network.
❍ B. A secure tunnel is created between the branch office network and the corporate network.
❍ C. A customer site connects to corporate network resources through a secure tunnel.
❍ D. A client connects to its Internet service provider (ISP) and establishes a secure tunnel to the corporate network.

Question 52
You can apply IP Security (IPSec) security protocols in two different modes. Which of the statements best describe the transport mode? (Choose two.)
❍ A. Encrypts the entire IP packet
❍ B. Requires IPSec to be implemented on the end hosts
❍ C. Provides security for the upper protocol layers
❍ D. Requires no involvement by the end hosts

Question 53
You are in the process of configuring network address translation on your router and you enter the ip nat pool command. What do you use this command for?
❍ A. To define the inside network that will participate in address translation
❍ B. To define the range of global IP addresses that are used for dynamic network address translation (NAT)
❍ C. To define the range of local IP addresses participating in address translation
❍ D. To define the pool of global IP addresses to be used for static NAT mappings
Question 54
Which of the following security protocols are used for IPSec encapsulation? (Choose two.)
❍ A. Encapsulating Security Payload
❍ B. Encryption Security Protocol
❍ C. Authentication Header
❍ D. Advanced Hashing

Question 55
PAT, or port address translation, is a form of network address translation that is also referred to as
❍ A. Static translation
❍ B. Address overlapping
❍ C. Address overloading
❍ D. Advanced NAT

Question 56
You are troubleshooting NAT on your router and want to view information on packet translations taking place and possible translation errors. Which command provides this type of information?
❍ A. debug ip nat statistics
❍ B. debug ip nat translations
❍ C. debug ip nat detailed
❍ D. debug ip nat entries

Question 57
Two methods used by IPSec to determine the keys that will be used by security algorithms include
❍ A. Message Digest 5 (MD5)
❍ B. Internet Key Exchange (IKE)
❍ C. Security associations (SAs)
❍ D. Preshared keys
Question 58
Which of the following terms is also used to describe public-key encryption?
❍ A. Asymmetric encryption
❍ B. Symmetric encryption
❍ C. Secret-key encryption
❍ D. Hashing

Question 59
Which of the following statements are true regarding the following PRI configuration command? (Choose two.)

interface serial 1/0:15

❍ A. This is an E1 PRI line.
❍ B. D-channel signaling uses serial subinterface 15.
❍ C. The channelized controller is located on Port 1 of Slot 0.
❍ D. This command accesses configuration mode for the PRI B channels.

Question 60
How do you configure binary 8-zero substitution line-coding for a T1 PRI connection?
❍ A. framing command
❍ B. linecode command
❍ C. binary-coding command
❍ D. clock-source command

Question 61
Which of the following International Telecommunications Union (ITU) categories of ISDN protocols addresses how ISDN signaling and switching should operate?
❍ A. Protocols beginning with E
❍ B. Protocols beginning with Q
❍ C. Protocols beginning with S
❍ D. Protocols beginning with I
Question 62
Consider the following partial configuration on RouterA:

interface bri0
 ip address 192.168.5.1 255.255.0.0
 encapsulation ppp
 ppp authentication chap
 dialer idle-timeout 180
 dialer map ip 192.168.5.2 name routerb 2055551234
 dialer-group 1
!
access-list 100 deny tcp any any eq telnet
access-list 100 deny icmp any any
access-list 100 deny udp any any eq snmp
access-list 100 permit ip any any
dialer-list 1 protocol ip list 100

Which conclusions can you draw about this ISDN BRI interface based on the information provided?
❍ A. BRI0 is used for DDR.
❍ B. BRI0 is used for MLP.
❍ C. Ping traffic will trigger an ISDN call.
❍ D. Simple Network Management Protocol (SNMP) traffic will not trigger an ISDN call.
❍ E. The dialer-list references an extended access list.
❍ F. The dialer-list references a standard access list.

Question 63
Consider the following configuration excerpt:

vpdn enable
vpdn-group 1
 accept dialin
  protocol pppoe
  virtual-template 1
!
interface atm 2/0.2 multipoint
 pvc 0/32
  encapsulation aal5snap
  protocol pppoe
!
interface virtual-template 1
 ip address 10.10.2.2 255.255.255.0
 mtu 1492

What is being configured on this router?
❍ A. PPP over Asynchronous Transfer Mode (ATM) (PPPoA)
❍ B. PPP over Ethernet (PPPoE)
❍ C. PPPoE over ATM
❍ D. PPPoE over ISDN

Question 64
What is the most suitable backup technology that will allow the use of DDR between a branch office and central site that is currently using Frame Relay as its primary WAN connectivity?
❍ A. Asynchronous dialup
❍ B. ISDN
❍ C. T1 line
❍ D. DSL

Question 65
A customer requires a recommendation for the company's new WAN connection. You must connect two geographically dispersed regional offices. The offices need a connection suitable for high link utilization and long connection times at the lowest cost. What type of WAN connection do you recommend to connect these two large offices?
❍ A. Asynchronous circuit-switched connection
❍ B. On-demand circuit-switched connection
❍ C. Packet-switched connection
❍ D. Dedicated circuit-switched connection
Chapter 17: Answer Key 2

1. A, B, C
2. A, C
3. A, E
4. D
5. B
6. B
7. A
8. B, D
9. D
10. B
11. A
12. B, C
13. A
14. F
15. C
16. D
17. B
18. C
19. C
20. C
21. D
22. C
23. C
24. C
25. B
26. A
27. C
28. B
29. D
30. B, D
31. A, D
32. A
33. A, B, C, D
34. D
35. B, C, D
36. B
37. D
38. B
39. B
40. B
41. D
42. C
43. B
44. D
45. C
46. C
47. B, D
48. A, C
49. B
50. D
51. A, D
52. B, C
53. B
54. A, C
55. C
56. C
57. B, D
58. A
59. A, B
60. B
61. B
62. A, D, E
63. C
64. B
65. C
Question 1 The correct answers are A, B, and C. To establish a session from the access server to a modem that is attached to an asynchronous line, you must use reverse Telnet. You use the telnet command to make this reverse connection. It uses the IP address of an up interface, such as a LAN or loopback interface, followed by port number 2000 + n, where n represents the number of the asynchronous line to which the modem is attached. Answer D is incorrect; you issue the modem inout command in line configuration mode.
Question 2 The correct answers are A and C. The transport input command specifies protocols allowed for incoming connections on a line. Session establishment might be unsuccessful because the Telnet protocol was not allowed. Connection establishment might also fail if the line is already in use; you can check it using the show users EXEC command, which displays all current active users. Answers B and D are incorrect because neither the rlogin nor the modem dialin command helps establish a successful reverse Telnet session. rlogin is an EXEC command used to establish an rlogin connection to a host, and the modem dialin command specifies that the modem be used for incoming calls only.
Question 3 The correct answers are A and E. When configuring an asynchronous port, you configure logical aspects using the interface async command and physical aspects using the line command. The logical configuration includes protocol parameters such as encapsulation and authentication. Answers B, C, and D are incorrect because the modem inout, speed, and autoselect ppp commands are physical settings configured for the line.
Question 4 The correct answer is D. You create a logical asynchronous interface using the interface group-async command, which provides parameters to the associated physical lines. You assign the physical lines that are members of this interface group using the group-range command. Answers A, B, and C are not used to create a logical asynchronous interface; therefore, these options are incorrect.
Question 5 The correct answer is B. You can configure a line attaching a modem to an access server or router with the modem dialin line configuration command to specify that the modem accept incoming calls only. Answers C and D are incorrect; the modem callout command configures a line for reverse connections, and the modem inout command configures a line to support both incoming and outgoing calls. The modem accept command is not a valid Cisco IOS command; therefore, Answer A is incorrect.
Question 6 The correct answer is B. You can use the show modemcap command to view the current modemcap entries. To view the attribute values configured for a specific entry, use the show modemcap command followed by the modem-name. Answer A is incorrect because this option displays all modemcap entries. Answers C and D are incorrect because they do not provide the proper syntax to display the contents of a specific modemcap entry.
Question 7 The correct answer is A. The router can automatically configure modems using two methods: through modem autoconfiguration or through modem autodiscovery. Configuring the modem type using the modem autoconfigure type modem_name command is preferred over the discovery option whenever possible; therefore, Answer B is incorrect. With modem discovery, the router attempts to determine the modem type based on the response that is returned to AT commands sent to the modem. This process can create more overhead than autoconfiguration because it tries modem types in the modemcap database until it receives a desired response. It also occasionally results in a modem type assignment that is not the best match for the attached modem. You configure autodiscovery using the modem autoconfigure discovery command.
Question 8 The correct answers are B and D. You can use the modemcap edit command to add new attributes to an existing modemcap entry or to create a new modemcap entry for the database. You remove current modemcap entries or attributes in an existing entry with the no modemcap entry command; therefore, Answer C is incorrect. You use the show modemcap modem-name command to view the contents of a specific modemcap entry, making Answer A an incorrect option.
Question 9 The correct answer is D. The show line command provides information on the physical and, to a certain extent, logical state of a line. To view the parameters of a particular line, use the syntax show line line-number. Information displayed includes settings such as the transmit and receive rate, modem type and state, types of modem signals configured on the line, and statistics about the use of the line. Answers A, B, and C are incorrect because they do not provide information on the physical and logical state of a line.
Question 10 The correct answer is B. A number of modem commands for settings such as hardware flow control, compression, and error correction are nonstandardized and differ from one type of modem to another. Other commands are common to different modem types, including the AT&F command, which you use to load the factory default settings. The other AT commands provided do not reload the modem default settings; therefore, Answers A, C, and D are incorrect.
Question 11 The correct answer is A. You can use the command priority-list list-number default {high | medium | normal | low} to assign packets that do not match any rules in the priority list to a specific default queue. Answer B is incorrect because undefined traffic is not automatically placed in the low-priority queue. Answer C is incorrect because undefined traffic does not need to be discarded. Answer D is incorrect because undefined traffic is not automatically placed in the high-priority queue.
Question 12 The correct answers are B and C. Custom queuing (CQ) is particularly suitable for environments that require a minimal level of services for a number of different protocols. Queues are processed sequentially, and you can configure each queue with a different percentage of traffic that will be transmitted before the next queue is serviced. With this type of queuing, you can assign time-sensitive traffic a large portion of the available bandwidth while reserving a portion of bandwidth for lower-priority traffic. Answers A and D are incorrect because they do not describe characteristics of CQ methods.
Question 13 The correct answer is A. CQ uses numbered queues. You can configure the size of a particular queue using the queue-list list-number queue queue-number limit limit-number command, where limit-number represents the maximum number of packets that the queue can contain. Answer C is incorrect; you use the queue-list list-number queue queue-number byte-count byte-count-number command to specify the minimum number of bytes to be transferred at a time from a particular custom queue. Answers B and D are incorrect because you use them to configure priority queuing (PQ).
Question 14 The correct answer is F, indicating that each possible answer is correct. Per-interface (or link) compression is often used on point-to-point lines such as an ISDN connection or leased line. This type of compression is protocol independent and effectively compresses the entire data stream transmitted over the WAN link. The per-interface algorithm can use STAC or Predictor to compress the complete packet, including the header and data payload.
Question 15 The correct answer is C. The Cisco IOS quality-of-service (QoS) features provide tail drop and Weighted Random Early Detection (WRED) as congestion-avoidance mechanisms. Answer B is incorrect because the default mechanism used if WRED is not configured is tail drop. Tail drop does not differentiate between types of traffic; if the network experiences congestion and queues reach their maximum capacity, tail drop causes packets to be dropped until congestion subsides and there is once again room in the queue. Cisco IOS QoS does not use Random Early Detection (RED) as its packet-dropping mechanism; therefore, Answer A is incorrect. Answer D is incorrect because it is not a packet-dropping mechanism.
Question 16 The correct answer is D. WRED is the Cisco IOS QoS implementation of the Random Early Detection (RED) congestion-avoidance mechanism. WRED is based on the RED algorithm’s features but also adds IP precedence recognition, allowing traffic handling to consider the IP priority of a packet. This way, lower-precedence packets are more likely to be dropped than high-precedence packets. WRED works to anticipate congestion and can discard packets before congestion occurs and before queues become full; this process avoids the occurrence of tail drops, where all packets are dropped once the queue reaches its capacity. Answers A, B, and C are all valid characteristics of WRED; therefore, they are incorrect options.
Question 17 The correct answer is B. When using authentication, authorization, and accounting (AAA) and CiscoSecure, the basic network-access server configuration includes steps such as enabling AAA, specifying the CiscoSecure ACS, and setting the encryption key. You globally enable AAA on the access server using the aaa new-model command; therefore, Answer A is not the correct option. You specify the CiscoSecure ACS by IP address or hostname using the radius-server host command (or tacacs-server host with a TACACS+ server). You then use the radius-server key (or tacacs-server key) command to configure the shared secret encryption key to be used for encrypting data between the network access server and the CiscoSecure ACS, making Answer D an incorrect answer. Answer C is incorrect because it is not used in the CiscoSecure ACS AAA configuration.
Question 18 The correct answer is C. The three main components of CiscoSecure are the AAA ACS, the AAA clients, and some type of user database. Authentication information is collected from the AAA-configured clients by the ACS, which then verifies it against the user database. Clients are then permitted or denied access based on the information stored in the database. Answers A, B, and D are incorrect options because they represent the three core components of CiscoSecure.
Question 19 The correct answer is C. AAA provides three components: authentication, authorization, and accounting. Authentication is the process of identifying users before they are permitted access to the network and its services. Answer A is incorrect; authorization determines what users are permitted to do once they are authenticated. Answer B is incorrect; accounting is responsible for tracking what services users are accessing for auditing, reporting, or billing purposes. Answer D is incorrect because it is not a valid AAA component.
Question 20 The correct answer is C. When configuring a router or access server for AAA authentication, one of the tasks includes defining the method or list of methods that are used for the authentication process during login. To set the login authentication method, use the aaa authentication login command, which has the following syntax: aaa authentication login {default | list-name} method1 [method2...]. Answer A is incorrect because it is not a valid AAA configuration command. Answer B is incorrect because you use this command to globally enable AAA. Answer D is incorrect because you use this command to set the PPP authentication method.
Question 21 The correct answer is D. Aside from its access control function, CiscoSecure provides a central location for the storage of AAA accounting information. You enable accounting using the aaa accounting command, which presents a variety of auditing options. Some examples include auditing system-level commands using the system keyword, auditing commands at a specified privilege level using the command level option, and auditing outbound connections using the connection keyword. Answers A, B, and C are incorrect because they do not enable auditing for system events.
Question 22 The correct answer is C. Committed information rate (CIR) is the rate in bits per second that the Frame Relay switch commits to transfer data. This rate is generally calculated as an average over a period of time. This period of time is called the Tc or committed rate measurement interval. The bit number for the CIR comes from a value called committed burst, or Bc, which is the maximum number of data bits that the switch agrees to transfer over a period of time. Therefore, the relationship between these three values is CIR = burst size divided by time interval, or CIR = Bc/Tc. Answers A, B, and D are incorrect; they do not include the term used to represent the rate at which a switch agrees to transfer traffic.
Question 23 The correct answer is C. Traffic shaping allows the router to control the output rate of virtual circuits. When configuring an interface for Frame Relay Traffic Shaping (FRTS), you must first enable Frame Relay encapsulation on the interface. You then use the frame-relay traffic-shaping interface configuration command to enable traffic shaping for the interface. Performing these configuration tasks enables both traffic shaping and per-VC (virtual circuit) queuing for all the interface’s VCs. Answers A, B, and D are not valid commands used to enable Frame Relay traffic shaping on an interface.
Question 24 The correct answer is C. The map-class frame-relay command specifies a map class name and enters map-class configuration mode to allow the configuration of traffic-shaping parameters for that map class. Once defined, the map class is associated with VCs on the Frame Relay interface using the frame-relay class command. You can apply map classes either to the interface (all VCs) or to specific subinterfaces (individual VCs). Answers A, B, and D are incorrect because they are not commands used to associate a map class with logical subinterfaces.
Question 25 The correct answer is B. Split horizon enforces that routing updates received on one interface cannot be forwarded out the same interface. A hub router that uses one interface to connect to multiple spokes on the Frame Relay network cannot forward updates received from one spoke onto another because it is equivalent to sending updates received on one interface back out the same interface. However, if you configure the interface with separate virtual connections to each spoke router using subinterfaces, you overcome the split-horizon rule and updates can be forwarded to different spoke routers on the network. Answers A, C, and D are incorrect; you cannot alleviate issues caused by split horizon by configuring Frame Relay map statements, disabling the forwarding of broadcasts, or configuring a loopback address.
Question 26 The correct answer is A. You use the frame-relay adaptive-shaping command to configure the adjustment of sending rates for VCs, which can be based on backward explicit congestion notification (BECN) messages. Although BECN is common, you can also adapt sending rates based on ForeSight notification messages as well as interface congestion. ForeSight is a Cisco proprietary technology, which means that you can implement adaptive-shaping based on this type of notification message only between Cisco IOS devices. Answers B, C, and D are incorrect; you do not use this command to set the CIR, set the excess burst rate, or enable FRTS and per-virtual circuit queuing.
Question 27 The correct answer is C. You can configure the traffic-shaping characteristics of VCs using the frame-relay traffic-rate command. Its syntax is frame-relay traffic-rate average [peak], where the average value is generally equivalent to the CIR. You can also specify a peak rate, which is generally the average rate plus the Excess Information Rate (EIR); however, if no peak is defined, the average rate is used as the peak rate. Answers A, B, and D are incorrect because they are not valid commands used to configure traffic-shaping rate enforcement when defining map class parameters.
Question 28 The correct answer is B. To display and analyze Frame Relay packets sent on an interface, use the debug frame-relay packet command. To limit the output of packets that are sent, you can indicate a specific interface or data-link connection identifier (DLCI) value. The information displayed includes the destination protocol address of the packet, the decimal value of the DLCI, the type of packet, and the size of the packet. Answer C is incorrect; to view information for packets that are received on a Frame Relay interface, use the debug frame-relay command. Answers A and D are incorrect because they are not valid debug commands used to monitor packet transfer on a Frame Relay interface.
Question 29 The correct answer is D. When ordering ISDN service for your router, the service provider might assign one or two service profile identifiers (SPIDs). Some service providers require SPIDs, whereas others do not use them at all or consider them optional; therefore, Answers A and B are incorrect. SPIDs identify devices that are using the ISDN service. If your ISDN provider does require SPIDs, you should configure them using the isdn spid1 (and isdn spid2) commands because the ISDN device cannot receive or place calls until valid SPIDs are provided to the ISDN switch. SPIDs are not set to use the ISDN D-channel for data transmission; therefore, Answer C is incorrect.
Question 30 The correct answers are B and D. DLCI to IP address mapping can happen statically or dynamically. You use Frame Relay Inverse Address Resolution Protocol (Inverse ARP) for dynamic mapping of a network layer address to the DLCI number of the virtual connections. Destination network protocol addresses are statically mapped to DLCIs using the frame-relay map command, which uses the syntax frame-relay map protocol protocol-address dlci [broadcast][ietf | cisco]. Answer A is incorrect because you use Inverse ARP for dynamic mapping. Answer C is incorrect because you create static mappings using the frame-relay map command.
Question 31 The correct answers are A and D. Static routes are manually entered into the routing table and are by default assigned a low administrative distance parameter, which makes them preferred over routes obtained through a dynamic routing protocol (dynamic routes). Floating static routes are assigned an administrative distance parameter greater than that of the dynamic routing protocols. The purpose of the floating static route is to act as an alternative route to dynamic routes that are only used if the route provided through the dynamic routing protocol is lost. Answers B and C are incorrect because they are not valid characteristics of floating static routes.
Question 32 The correct answer is A. You use the show frame-relay pvc command to obtain statistics on Frame Relay permanent virtual circuits (PVCs). Its syntax is show frame-relay pvc [interface interface][dlci]. Use the command without parameters to view statistics on all PVCs, or specify an interface to view only information for all PVCs on that interface. To view detailed information for PVCs, specify the DLCI number with the command. It will provide such information as the policy map configuration, the priority of the PVC, and the congestion-management configuration for PVCs using traffic shaping. Answers B, C, and D are incorrect because they do not display the required information.
Question 33 The correct answers are A, B, C, and D. As a standard (RFC 1331) encapsulation protocol, Point-to-Point Protocol (PPP) can encapsulate upper-layer protocols for transmission over a range of connection types, including asynchronous and synchronous serial links, ISDN connections, and even broadband technologies. PPP uses the NCP (Network Control Protocol) component to encapsulate multiple protocols and LCP (Link Control Protocol) to negotiate the link options such as compression, an authentication method, and the multilink feature.
Question 34 The correct answer is D. Each WAN technology has a maximum theoretical connection speed. These characteristic WAN speeds might or might not be reached, depending on the technology and the factors that result in lower than theoretical speeds. However, from the technologies listed, a T3 connection provides a DS3 rate of 44.736Mbps and is the fastest connection. Answers A and B are incorrect; cable and DSL technologies can generally offer around 4Mbps and 1Mbps, respectively. Finally, ISDN Primary Rate Interface (PRI) has a theoretical speed comparable to a T1 connection, which is 1.544Mbps, making Answer C an incorrect option.
Question 35 The correct answers are B, C, and D. You can configure dial backup to activate the secondary line based on the primary line’s traffic load using the backup-load {enable-threshold | never}{disable-threshold | never} command. The enable-threshold, which is set to 75 in this case, is the percentage of the primary line’s available bandwidth. Once 75% of the primary line’s bandwidth is used, the secondary line is activated. The disable-threshold specifies when the secondary line is brought down again. This percentage value is the aggregate load of the primary and secondary lines. Therefore, once the aggregate load is equal to, in this example, 5% of the primary line’s available bandwidth, the secondary line is brought down. Answer A is incorrect because it is not a true statement about the command provided.
Question 36 The correct answer is B. Once a dial-on-demand routing (DDR) interface is configured to initiate a call, the router must be provided with the information needed to dial the remote host. You provide these dialing parameters using the dialer map command, which maps the next-hop protocol address to a dial-string or phone number. The dialer map command provides a number of parameters, such as name for the remote system’s hostname, speed for the speed to be used on the line, and broadcast to specify whether broadcasts are to be forwarded to this destination address. There are also a number of optional parameters, depending on the particular configuration needs. Answers A, C, and D do not provide the correct commands used to configure a router to dial a destination router.
Question 37 The correct answer is D. One of the parameters that you can configure on a DDR interface is the fast-idle timer, which you do using the dialer fast-idle command followed by a time value in seconds. This timer specifies how long the current call should remain idle before it is disconnected when there is another call waiting to use the line. Answers A, B, and C are not used to set the timer that determines how long a line is to remain idle before it is disconnected.
Question 38 The correct answer is B. You use the backup delay command to set two delay times in response to a status change in the primary line: one that is started once the primary line goes down and the other that is started once the primary line comes back up. Therefore, the first number in the backup delay {enable-delay| never} {disable-delay| never} command signifies how much time in seconds should elapse after the primary line goes down until the backup line is brought up. The second number represents the amount of time that should elapse before the backup line is brought back down after the primary line is functional again. Answers A, C, and D are all incorrect statements regarding the backup delay command.
Question 39 The correct answer is B. Dialer watch is a feature that brings up a backup connection in response to primary link failure. A basic dialer-watch configuration includes defining which IP addresses or IP networks are to be placed on the watch list using the dialer watch-list command and enabling the dialer-watch feature on the interface that will serve as the backup link using the dialer watch-group command. As with other backup link configurations, you can optionally configure a delay timer using the dialer watch-disable command, which specifies a delay time in seconds; therefore, Answers A, C, and D are incorrect.
Question 40 The correct answer is B. You can define the dialer hold-queue packets command as part of the callback configuration to create a hold queue that will store a predefined number of packets while the connection is being established. The command specifies a number of packets ranging from 0 to 100. Answer C is incorrect because it is not the command you use to enable queuing of packets until the dialer interface is ready. Answers A and D are not valid Cisco IOS DDR commands.
Question 41 The correct answer is D. A dialer pool is part of the dialer-interface configuration, which is linked to a physical interface. Once you create a dialer pool, you can assign asynchronous, synchronous, or ISDN interfaces to the dialer profile’s dialing pool using the dialer pool-member command. The general syntax of the command is dialer pool-member number [priority priority]. The number parameter references the dialer pool, to which you can give a number ranging from 1 to 255. You can also assign the pool member a priority ranging from lowest (0) to highest (255); higher-priority members in the dialer pool are selected first for dialing. Answers A, B, and C are incorrect because they are not commands to assign a physical interface to a dialer pool.
Question 42 The correct answer is C. DDR backup features bring up a secondary link in case the primary WAN connection is lost. A router can use different approaches to initiate a backup connection. It may use a backup interface, which stays in standby mode until the line protocol of the primary interface is detected as down. It can also use floating static routes, which are assigned a higher administrative distance than dynamic routes maintained in the routing table. Should the dynamic route be lost, static floating routes can take over to provide an alternate path using the backup link. Finally, the router can use the dialer watch feature, which combines dial backup with routing capabilities. Using dialer watch, the router configures a set of “watched routes” that define the primary interface. Should a watched route no longer be present according to the routing protocol, the primary interface is considered down and the router starts dialing the backup link. Therefore, interesting traffic is not necessary to trigger a call because dialer watch places a call if there are no longer any viable routes to a destination using the primary interface. Answer A is incorrect because floating static routes do not monitor a list of routes. Answers B and D are incorrect because they are not backup features involved in triggering a call.
Question 43 The correct answer is B. A Cisco router can be one of two types of ISDN end devices: a TE1 (Terminal Equipment type 1) or a TE2 (Terminal Equipment type 2). A TE1 device has a built-in ISDN Basic Rate Interface (BRI). A TE2 is a non-ISDN device, which needs a TA (terminal adapter) to connect to the ISDN network; therefore, Answer A is incorrect. Answers C and D are not used to refer to this ISDN network router component.
Question 44 The correct answer is D. Rate adaptation allows an ISDN channel to adjust to a lower speed. In some cases, the destination device might not use or support the full ISDN channel rate of 64Kbps. You can then use rate adaptation to pass the slower rate data stream over the higher-rate ISDN link. Two rate adaptation methods commonly used over ISDN are the V.110 and V.120 International Telecommunications Union (ITU) standards. Answers A, B, and C are incorrect; rate adaptation is not used for load-balancing or needed for a TE1 device to connect to the ISDN network, and it does not address congestion on the ISDN link.
Question 45 The correct answer is C. You can use the passive-interface command to prevent dynamic routing updates on the dialer interface to keep the updates from bringing up a DDR link. Answers A, B, and D are incorrect because they do not describe the purpose of the passive-interface command.
Question 46 The correct answer is C. In situations where you need a large number of IP addresses, as with an access server with many asynchronous interfaces, you can conserve IP addresses by using the ip unnumbered command. Asynchronous point-to-point connections on an access server are not generally all used at the same time, which makes assigning individual IP addresses a waste of the address pool. When you use the ip unnumbered command, the asynchronous interface is not assigned an actual IP address; instead, the interface borrows another interface’s address as the source address when transferring packets on the point-to-point connection. The remote host also needs an IP address to participate on the TCP/IP network. Answers B and D are incorrect because you use commands such as peer default ip address and ip local-pool dialin to assign dial-in hosts IP addresses. Answer A is incorrect; you use this command to assign an interface an IP address, but it does not help to conserve IP addresses.
Question 47 The correct answers are B and D. The dialer load-threshold command specifies a load value for the link at which the dialer rotary group brings up additional links to add to the Multilink PPP (MLP) bundle. The load value is a fraction of 255, meaning that 255 represents 100%. Therefore, with a load threshold of 128, additional links are brought up and added to the bundle when the bandwidth utilization reaches 50%. This command can also specify whether the threshold applies to outbound, inbound, or either direction of traffic. Answers A and C are incorrect because they are not effects of configuring the dialer load-threshold command.
Question 48 The correct answers are A and C. PPP provides authentication using the Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Both protocols use username and password pairs for authentication purposes, but PAP has the disadvantage of sending password information in cleartext, making it a less secure authentication method. It is also less secure because, although it uses two-way authentication between routers, it uses a one-way process between a host and a router. For that reason, PAP is generally only used where security is not highly important or where hosts are running legacy software that does not support CHAP. CHAP uses a two-way method; it uses a challenge and response method and hash function between the router and remote host and does not send the actual username and password information across the link. PPP connections established across a leased point-to-point connection do not usually require any authentication process; therefore, Answer D is incorrect. Answer B is incorrect because PAP does not exchange hashed passwords.
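As an added example (not code from the book or from Cisco IOS), the following Python contrasts what PAP and CHAP place on the PPP link: PAP carries the password itself, whereas CHAP carries only an MD5 hash over the identifier, the shared secret and a fresh challenge, as RFC 1994 specifies. The router names, secrets and the two-way exchange are constructed, and the credential store models the routers' username/password entries.

```python
# Added example for Question 48 (not from the book or Cisco IOS): a model of what
# PAP and CHAP put on the link. The CHAP response follows RFC 1994,
# MD5(identifier || secret || challenge); names and secrets are constructed.
import hashlib
import hmac
import os

# Constructed credential store on the authenticating router
# (the equivalent of its "username <name> password <secret>" entry for the peer).
SECRETS = {"RouterB": b"s3cret-pass"}


def pap_request(peer_id: str, password: bytes) -> dict:
    """PAP Authenticate-Request: the password itself travels in cleartext."""
    return {"code": "Authenticate-Request", "peer_id": peer_id, "password": password}


def chap_challenge(identifier: int, authenticator_name: str) -> dict:
    """CHAP Challenge: a fresh random value plus the authenticator's name."""
    return {"code": "Challenge", "id": identifier,
            "value": os.urandom(16), "name": authenticator_name}


def chap_response_value(identifier: int, secret: bytes, challenge_value: bytes) -> bytes:
    """RFC 1994 response value: MD5 over identifier || secret || challenge value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge_value).digest()


def chap_response(challenge: dict, peer_name: str, secret: bytes) -> dict:
    """CHAP Response: the hash and the peer's name; the secret never leaves the host."""
    return {"code": "Response", "id": challenge["id"],
            "value": chap_response_value(challenge["id"], secret, challenge["value"]),
            "name": peer_name}


def chap_verify(challenge: dict, response: dict, secrets: dict = SECRETS) -> bool:
    """Authenticator side: recompute the hash from its own copy of the secret."""
    secret = secrets.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = chap_response_value(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def secret_on_wire(messages: list, secret: bytes) -> bool:
    """True if the secret appears verbatim in any field of the captured messages."""
    return any(isinstance(f, bytes) and secret in f
               for m in messages for f in m.values())


def chap_session(peer_name: str, peer_secret: bytes, identifier: int = 1):
    """One-way CHAP of a peer by RouterA: returns (authenticated?, messages on the link)."""
    challenge = chap_challenge(identifier, "RouterA")
    response = chap_response(challenge, peer_name, peer_secret)
    return chap_verify(challenge, response), [challenge, response]


def mutual_chap(store_a: dict, name_a: str, store_b: dict, name_b: str) -> bool:
    """Two-way CHAP between routers: each side challenges the other.

    Each router answers with the secret it holds for its peer and verifies the
    peer's response with that same entry, as IOS does with username entries.
    """
    ch_a = chap_challenge(1, name_a)                           # A challenges B
    rsp_b = chap_response(ch_a, name_b, store_b[name_a])
    ch_b = chap_challenge(2, name_b)                           # B challenges A
    rsp_a = chap_response(ch_b, name_a, store_a[name_b])
    return chap_verify(ch_a, rsp_b, store_a) and chap_verify(ch_b, rsp_a, store_b)


if __name__ == "__main__":
    print("PAP exposes secret:", secret_on_wire([pap_request("RouterB", b"s3cret-pass")],
                                                b"s3cret-pass"))
    ok, seen = chap_session("RouterB", b"s3cret-pass")
    print("CHAP authenticated:", ok, "| secret on wire:", secret_on_wire(seen, b"s3cret-pass"))
```

Because every challenge value is random, a captured CHAP response is useless against a later challenge, which is the property PAP's static cleartext password lacks.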
Answer Key 2
Question 49 The correct answer is B. Screening the identification of the caller can provide a measure of security. You can use the isdn caller number command to configure one or more allowed caller numbers on an interface. With caller ID screening enabled, the router checks the calling number delivered by the ISDN network and accepts only calls from numbers that have been configured with the isdn caller command. Because the calling number is supplied by the network and is not cryptographically verified, caller ID screening should supplement PPP authentication (CHAP) rather than replace it. Answers A, C, and D are incorrect because they are not valid Cisco IOS commands.
Question 50 The correct answer is D. You can set slow-speed serial interfaces to operate in either synchronous or asynchronous mode using the physical-layer {sync | async} command. The default mode is synchronous, so for a low-speed serial interface to support interface configuration commands that apply to high-speed asynchronous serial interfaces, it must first be set to operate in asynchronous mode. Answer A is incorrect because you use this command to configure a line to automatically start a PPP session. Answer B is incorrect because you use this command to place a line in a dedicated asynchronous mode. Answer C is incorrect because you use this command to access configuration mode for an async interface.
Question 51 The correct answers are A and D. Virtual private network (VPN) tunnels can be two types: remote-access connections or site-to-site connections. Remote-access VPNs are secure tunnels established with the corporate network by a remote client such as a telecommuter or mobile user. The remote user first connects to the local ISP to access the public network (for example, the Internet) and then initiates a secure connection with the corporate LAN. Another option is to use a Network Access Server (NAS). In this scenario, the users first connect to the public network and then use a secure tunnel that has been established between the NAS and the corporate network. Answers B and C do not describe valid remote-access scenarios; therefore, they are incorrect.
Question 52 The correct answers are B and C. You can use IPSec protocols in two different modes: transport and tunnel. The basic differences between the modes are where IPSec is implemented and which portion of the IP packet is protected. In transport mode, IPSec encapsulation takes place on the end hosts and protection is provided for the transport layer and above; the original IP header stays in the clear. In tunnel mode, end hosts are unaware of the IPSec encapsulation because it is implemented on the gateway devices. Tunnel mode protects the whole original IP packet by encapsulating it (and, with ESP, encrypting it) inside a new IP packet. Answers A and D are incorrect because these statements refer to tunnel-mode operation.
Question 53 The correct answer is B. Using dynamic network address translation (NAT), a pool of public IP addresses is configured to be available for the translation process. You enter the command to define this pool of addresses in global configuration mode, and it has the following syntax: ip nat pool pool-name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]. Answers A, C, and D are incorrect because they are not valid uses of the ip nat pool command.
Question 54 The correct answers are A and C. IPSec uses Encapsulating Security Payload (ESP) and Authentication Header (AH) as its security protocols. Tunnels based on AH offer authentication, integrity, and replay protection. In tunnel mode, AH encapsulates the IP packet in another packet; the new packet consists of a new IP header, an AH header, followed by the original IP header and data payload. The data portion is not encrypted, meaning that AH does not provide data confidentiality. ESP, on the other hand, offers authentication, integrity, replay protection, and data confidentiality because it encrypts the original IP packet and then adds a new header and trailer. The result is a packet that is partially encrypted (the original packet plus the ESP padding, pad length, and next-header fields) and partially cleartext (the outer IP header, the ESP header with its SPI and sequence number, and the ESP authentication data). Answers B and D are incorrect because they are not valid security protocols.
Question 55 The correct answer is C. NAT in which multiple inside unregistered IP addresses are mapped to a single registered IP address is called overloading or port address translation (PAT). As the name suggests, many inside local addresses are associated with one inside global (public) address by using a different translated source port for each session. Answer B is incorrect; the NAT process referred to as address overlapping is used when the internal network uses addresses that are also in use on the outside network (for example, registered addresses that belong to another organization). With overlapping address spaces, the NAT router maintains a lookup table of the overlapping IPs and replaces them with unique public addresses on the way to the outside, and also translates external addresses to unique addresses when passing packets to the internal network. Answers A and D are incorrect; they are not valid terms used to refer to types of address translation.
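To make the PAT mapping concrete, here is an added Python model of an overload translation table; it is illustrative code, not Cisco IOS behaviour copied from the book. It keeps the inside-local-to-inside-global mapping per protocol, tries to preserve the original source port and otherwise picks the lowest free one (an assumption about port allocation, labelled as such in the code), and shows why an unsolicited inbound packet with no table entry goes nowhere. The addresses 203.0.113.2 and 10.1.1.x are constructed sample values.

```python
from typing import Dict, List, Optional, Tuple


class PatTable:
    """NAT overload / PAT: many inside local (private) addresses share one inside
    global (registered) address and are told apart by the translated source port."""

    def __init__(self, inside_global: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.inside_global = inside_global
        self.lo, self.hi = port_range
        # (proto, inside_local, local_port) -> translated global port
        self._out: Dict[Tuple[str, str, int], int] = {}
        # (proto, global_port) -> (inside_local, local_port)
        self._in: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _allocate(self, proto: str, wanted: int) -> int:
        # Assumption for this example: keep the original source port when it is free,
        # otherwise hand out the lowest free port in the range for that protocol.
        if self.lo <= wanted <= self.hi and (proto, wanted) not in self._in:
            return wanted
        for port in range(self.lo, self.hi + 1):
            if (proto, port) not in self._in:
                return port
        raise RuntimeError(f"PAT port range exhausted for {proto}")

    def translate_out(self, proto: str, inside_local: str, local_port: int) -> Tuple[str, int]:
        """Outbound packet: reuse the existing entry or create one."""
        key = (proto, inside_local, local_port)
        if key not in self._out:
            global_port = self._allocate(proto, local_port)
            self._out[key] = global_port
            self._in[(proto, global_port)] = (inside_local, local_port)
        return self.inside_global, self._out[key]

    def translate_in(self, proto: str, global_port: int) -> Optional[Tuple[str, int]]:
        """Inbound packet: None means no translation exists, so the router drops it.
        This is why hosts behind PAT are not reachable for unsolicited connections."""
        return self._in.get((proto, global_port))

    def entries(self) -> List[Tuple[str, str, str]]:
        """Rows in the spirit of 'show ip nat translations': proto, inside global, inside local."""
        return sorted(
            (proto, f"{self.inside_global}:{gport}", f"{local}:{lport}")
            for (proto, local, lport), gport in self._out.items()
        )


def demo():
    pat = PatTable("203.0.113.2")
    a = pat.translate_out("tcp", "10.1.1.10", 1024)
    b = pat.translate_out("tcp", "10.1.1.11", 1024)  # same local port: needs a new global port
    c = pat.translate_out("udp", "10.1.1.11", 1024)  # other protocol: port 1024 is free again
    return pat, a, b, c


if __name__ == "__main__":
    table, *_ = demo()
    for row in table.entries():
        print(row)
    print("inbound tcp/1025 ->", table.translate_in("tcp", 1025))
    print("inbound tcp/4000 ->", table.translate_in("tcp", 4000))
```

The two TCP sessions from different inside hosts both start on local port 1024; the second one is rewritten to 1025 so the reply can be steered back to the right host, which is exactly the port-level detail that debug ip nat detailed shows.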
Question 56 The correct answer is C. To view the NAT translations taking place for packets arriving on the inside and outside interfaces of the NAT-configured router, use the debug ip nat [list | detailed] command. This command is useful for troubleshooting because the output might provide information on translation errors. With the detailed option, debug ip nat not only provides the source, translated, and destination addresses, it also displays the protocol and port numbers for the inbound and outbound translations. Answers A, B, and D are incorrect because they are not valid variations of the debug ip nat command for viewing this information.
Question 57 The correct answers are B and D. IPSec provides authentication, integrity, and confidentiality using several keyed hash and encryption algorithms. For integrity and authentication, AH and ESP use Hash-based Message Authentication Codes with Message Digest 5 (HMAC-MD5) or with the Secure Hash Algorithm (HMAC-SHA); for confidentiality, ESP uses encryption algorithms such as the Data Encryption Standard (DES) and Triple DES (3DES). The keys used by IPSec algorithms can be determined in two ways: through manual, preshared keys and through the Internet Key Exchange (IKE). When using preshared keys, tunnel peers are manually configured with the keys prior to the creation of the tunnel. With IKE, tunnel peers negotiate the keys and algorithms for the tunnel in preparation for its creation. Answers A and C are incorrect because the two methods used by IPSec are Answers B and D.
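The following Python script is an added example that serves both Question 54 (what AH does and does not protect) and Question 57 (HMAC-MD5 as the integrity algorithm); it is not code from the book or from any Cisco product. It builds a transport-mode AH packet with an HMAC-MD5-96 ICV (RFC 2402/2403), zeroing the mutable IPv4 fields before hashing, and then shows on a receiving peer that a router decrementing the TTL leaves the packet valid, that a NAT device rewriting the source address breaks it, and that a replayed sequence number is refused. The preshared key, SPI, and addresses are constructed sample values, and the replay check uses a plain set of seen sequence numbers in place of the sliding window a real implementation keeps.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AH_PROTOCOL = 51
UDP = 17
ICV_LEN = 12  # HMAC-MD5-96 (RFC 2403): the 128-bit MAC is truncated to 96 bits


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header; the checksum is left zero since it is mutable anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """RFC 2402 3.3.3.1: TOS, flags/fragment offset, TTL and header checksum may change
    in transit and are zeroed for the ICV. Source and destination addresses are covered,
    which is why NAT and AH do not mix."""
    b = bytearray(ip_hdr)
    b[1] = 0                 # TOS / DSCP
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    # Authenticated data: immutable IP header fields + AH header (ICV field zeroed) + payload.
    data = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.md5).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, payload: bytes, spi: int, seq: int) -> bytes:
    ah_len = 12 + ICV_LEN  # 24 bytes = 6 words; the Payload Len field is words minus 2
    ah_fixed = struct.pack("!BBHII", UDP, ah_len // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTOCOL, ah_len + len(payload))
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


class AhReceiver:
    """Receiving peer for one SA: checks SPI, rejects replayed sequence numbers,
    then verifies the ICV in constant time."""

    def __init__(self, key: bytes, spi: int):
        self.key, self.spi, self.seen = key, spi, set()

    def accept(self, pkt: bytes) -> bool:
        ip_hdr, ah_fixed = pkt[:20], pkt[20:32]
        icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
        _, _, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
        if spi != self.spi or seq in self.seen:
            return False
        if not hmac.compare_digest(icv, compute_icv(self.key, ip_hdr, ah_fixed, payload)):
            return False
        self.seen.add(seq)
        return True


def router_decrements_ttl(pkt: bytes) -> bytes:
    b = bytearray(pkt)
    b[8] -= 1
    return bytes(b)


def nat_rewrites_source(pkt: bytes, new_src: str) -> bytes:
    b = bytearray(pkt)
    b[12:16] = IPv4Address(new_src).packed
    return bytes(b)


# Constructed sample: one preshared key and one packet from a branch to the central site.
KEY = b"constructed-preshared-key"
SPI = 0x100


def demo() -> dict:
    rx = AhReceiver(KEY, SPI)
    pkt = build_ah_packet(KEY, "10.1.1.1", "192.0.2.1", b"payload", SPI, 1)
    return {
        "routed_ok": rx.accept(router_decrements_ttl(pkt)),            # TTL is mutable: still valid
        "replay_rejected": not rx.accept(router_decrements_ttl(pkt)),  # same sequence number again
        "nat_breaks_ah": not AhReceiver(KEY, SPI).accept(nat_rewrites_source(pkt, "203.0.113.5")),
        "wrong_key_rejected": not AhReceiver(b"other-key", SPI).accept(pkt),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

All four checks print True. The payload is plainly readable in every packet the script builds, which is the other half of the Question 54 point: AH authenticates, it does not hide.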
Question 58 The correct answer is A. Asymmetric encryption is also referred to as public-key encryption. It uses a public key and a private key and can use the same or different (yet complementary) algorithms to encrypt and decrypt data. Both communicating parties need to generate their own private and public key pairs. The private key is known only to its owner, whereas the public key and its distribution are not secret. In symmetric encryption, cleartext is encrypted and later decrypted at the destination using a shared secret key known to the two parties. Answers B, C, and D are not terms used to describe public-key encryption; therefore, these answers are incorrect.
Question 59 The correct answers are A and B. Aside from configuring the physical PRI controller, ISDN PRI B channels and the D channel interface must also be configured with the necessary parameters. Among these configuration steps is the use of the interface serial {slot/port | unit:}{23 | 15} command, which represents the serial interface for the PRI D channel. The values of 23 or 15 represent the serial port subinterface that is used by the signaling channel; 23 is used for a T1 and 15 for an E1 signaling channel. The numbers 15 and 23 represent PRI channels 16 and 24 because the numbering of serial interfaces on the Cisco router starts at 0. Answer C is incorrect because the command uses slot/port syntax, meaning that the controller is located on port 0 of slot 1. Answer D is incorrect because you do not use this command to access configuration mode for an ISDN B channel.
Question 60 The correct answer is B. You must configure T1 controller parameters to match the digital facility of the provider. One of these parameters is the line coding used on the line, which you set with the linecode command. The syntax of this command provides the following line-coding types: linecode {ami | b8zs | hdb3}, b8zs being binary 8-zero substitution, which is commonly used in T1 PRI configurations (hdb3 is used on E1). You use the framing {sf | esf | crc4 | no-crc4} command to set the frame type used by the service provider and clock source {line | internal} to set the T1/E1 clock source on the router. Answers A, C, and D are incorrect because you cannot use them to set the line-coding type of a PRI connection.
Question 61 The correct answer is B. The ITU groups ISDN protocols into three series: the Q series, the E series, and the I series. Protocols that begin with the letter Q cover switching and signaling processes; protocols beginning with E deal with ISDN telephone network standards; and protocols beginning with I relate to methods, concepts, and terminology; therefore, Answers A and D are incorrect. Answer C is incorrect because there are no S-series ISDN protocols.
Question 62 The correct answers are A, D, and E. This ISDN interface is configured for DDR using a legacy dialer map and a dialer-list that defines interesting traffic. The dialer-list command references an extended access list that considers Telnet, Internet Control Message Protocol (ICMP), and Simple Network Management Protocol (SNMP) traffic as uninteresting and all other IP traffic as interesting. When it receives interesting traffic, the ISDN BRI places a call to the destination router after which traffic is transmitted over the link. Answer B is incorrect; it is not a Multilink PPP (MLP) configuration excerpt. Answer C is incorrect; ping uses ICMP, which is considered uninteresting traffic.
Question 63 The correct answer is C. Branch offices using DSL connections are multiplexed at a DSL access device, which provides access to the Asynchronous Transfer Mode (ATM) network. You can configure PPP over Ethernet (PPPoE) to allow PPPoE clients to establish a connection with the central office peer router over the ATM network. The configuration excerpt provided is an example of a router being configured for PPPoE over ATM. You configure the PPPoE sessions using the vpdn enable, vpdn-group, accept-dialin, protocol pppoe, and pppoe limit per-vc commands, and link them to a predefined virtual template interface with the virtual-template command. Also shown are the pvc, encapsulation aal5snap, and protocol pppoe commands, which you use to configure the ATM PVC for PPPoE. Answers A, B, and D are incorrect because this configuration specifies parameters for PPPoE over ATM.
Question 64 The correct answer is B. ISDN would provide the most suitable on-demand backup solution for this branch to central site connection. You can monitor the primary Frame Relay connection using the Cisco IOS DDR features and the backup connection initiated in case primary connectivity is lost. You can also use ISDN in a bandwidth-on-demand scenario, where the backup link is brought up when the primary link capacity is approaching a maximum. Answer A is incorrect because a dialup link would not provide adequate bandwidth for a connection to the central site. Answers C and D are incorrect because they are not suitable technologies to be used with DDR.
Question 65 The correct answer is C. A packet-switched connection is the best solution for this customer. The two regional offices' traffic needs a link that provides high utilization and long connection times. Therefore, an on-demand connection is not as suitable as a permanent link, making Answer B an incorrect option. Packet-switched service is generally available at a lower cost, and the offices are separated by a considerable distance, making a dedicated connection such as a leased line less suitable; therefore, Answer D is incorrect. Answer A is incorrect because an asynchronous connection would not provide the necessary bandwidth.
PART IV Appendixes
A What's on the CD-ROM
B Using the PrepLogic Practice Exams, Preview Edition Software

A What's on the CD-ROM
This appendix provides a brief summary of what you’ll find on the CD-ROM that accompanies this book. For a more detailed description of the PrepLogic Practice Exams, Preview Edition exam simulation software, see Appendix B, “Using the PrepLogic Practice Exams, Preview Edition Software.” In addition to the PrepLogic Practice Exams, Preview Edition software, the CD-ROM includes an electronic version of the book, in Portable Document Format (PDF), and the source code used in the book.
The PrepLogic Practice Exams, Preview Edition Software PrepLogic is a leading provider of certification training tools. Trusted by certification students worldwide, PrepLogic is the best practice-exam software available. In addition to providing a means for evaluating your knowledge of this book’s material, PrepLogic Practice Exams, Preview Edition features several innovations that help you improve your mastery of the subject matter. For example, the practice exams allow you to check your score by exam area or domain to determine which topics you need to study further. Another feature allows you to obtain immediate feedback on your responses in the form of explanations for the correct and incorrect answers. PrepLogic Practice Exams, Preview Edition exhibits all the full-test simulation functionality of the Premium Edition but offers only a fraction of the total questions. To get the complete set of practice questions, visit http://www.preplogic.com and order the Premium Edition for this and other exam training guides.
For a more detailed description of the features of the PrepLogic Practice Exams, Preview Edition software, see Appendix B.
An Exclusive Electronic Version of the Text As mentioned previously, the CD-ROM that accompanies this book also contains an electronic PDF version of this book. This electronic version comes complete with all figures as they appear in the book. You can use Acrobat’s handy search capability for study and review purposes.
B Using the PrepLogic Practice Exams, Preview Edition Software
This book includes a special version of the PrepLogic Practice Exams software, a revolutionary test engine designed to give you the best in certification-exam preparation. PrepLogic offers sample and practice exams for many of today’s most in-demand and challenging technical certifications. A special Preview Edition of the PrepLogic Practice Exams software is included with this book as a tool to use in assessing your knowledge of the training-guide material, while also providing you with the experience of taking an electronic exam. This appendix describes in detail what PrepLogic Practice Exams, Preview Edition is, how it works, and what it can do to help you prepare for the exam. Note that although the Preview Edition includes all the test-simulation functions of the complete retail version, it contains only a single practice test. The Premium Edition, available at http://www.preplogic.com, contains a complete set of challenging practice exams designed to optimize your learning experience.
The Exam Simulation One of the main functions of PrepLogic Practice Exams, Preview Edition is exam simulation. To prepare you to take the actual vendor certification exam, PrepLogic is designed to offer the most effective exam simulation available.
Question Quality The questions provided in PrepLogic Practice Exams, Preview Edition are written to the highest standards of technical accuracy. The questions tap the content of this book’s chapters and help you review and assess your knowledge before you take the actual exam.
The Interface Design The PrepLogic Practice Exams, Preview Edition exam-simulation interface provides you with the experience of taking an electronic exam. It enables you to effectively prepare to take the actual exam by making the test experience familiar. Using this test simulation can help eliminate the sense of surprise or anxiety you might experience in the testing center because you will already be acquainted with computerized testing.
The Effective Learning Environment The PrepLogic Practice Exams, Preview Edition interface provides a learning environment that not only tests you through the computer, but also teaches the material you need to know to pass the certification exam. Each question includes a detailed explanation of the correct answer, and most of these explanations provide reasons why the other answers are incorrect. This information helps reinforce the knowledge you already have and also provides practical information you can use on the job.
Software Requirements PrepLogic Practice Exams requires a computer with the following:
➤ Microsoft Windows 98, Windows Me, Windows NT 4.0, Windows 2000, or Windows XP
➤ A 166MHz or faster processor
➤ A minimum of 32MB of RAM
➤ 10MB of hard-drive space
As with any Windows application, the more memory, the better the performance.
Installing PrepLogic Practice Exams, Preview Edition You install PrepLogic Practice Exams, Preview Edition by following these steps:
1. Insert the CD-ROM that accompanies this book into your CD-ROM drive. The Autorun feature of Windows should launch the software. If you have Autorun disabled, select Start, Run. Go to the root directory of the CD-ROM and select setup.exe. Click Open, and then click OK.
2. The Installation Wizard copies the PrepLogic Practice Exams, Preview Edition files to your hard drive. It then adds PrepLogic Practice Exams, Preview Edition to your desktop and the Program menu. Finally, it installs test-engine components to the appropriate system folders.
Removing PrepLogic Practice Exams, Preview Edition from Your Computer If you elect to remove PrepLogic Practice Exams, Preview Edition, you can use the included uninstallation process to ensure that it is removed from your system safely and completely. Follow these instructions to remove the software from your computer:
1. Select Start, Settings, Control Panel.
2. Double-click the Add/Remove Programs icon. You see a list of software installed on your computer.
3. Select the PrepLogic Practice Exams, Preview Edition title you want to remove. Click the Add/Remove button. The software is removed from your computer.
How to Use the Software PrepLogic is designed to be user friendly and intuitive. Because the software has a smooth learning curve, your time is maximized because you start practicing with it almost immediately. PrepLogic Practice Exams, Preview Edition has two major modes of study: Practice Exam and Flash Review. Using Practice Exam mode, you can develop your test-taking abilities as well as your knowledge through the use of the Show Answer option. While you are taking the test, you can expose the answers, along with detailed explanations of why answers are right or wrong. This helps you better understand the material presented. Flash Review mode is designed to reinforce exam topics rather than quiz you. In this mode, you are shown a series of questions but no answer choices. You can click a button that reveals the correct answer to each question and a full explanation for that answer.
Starting a Practice Exam Mode Session Practice Exam mode enables you to control the exam experience in ways that actual certification exams do not allow. To begin studying in Practice Exam mode, you click the Practice Exam radio button from the main exam customization screen. It enables the following options:
➤ The Enable Show Answer button—Clicking this button activates the Show Answer button, which allows you to view the correct answers and full explanation for each question during the exam. When this option is not enabled, you must wait until after your exam has been graded to view the correct answers and explanation for each question.
➤ The Enable Item Review button—Clicking this button activates the Item Review button, which allows you to view your answer choices. This option also facilitates navigation between questions.
➤ The Randomize Choices option—You can randomize answer choices from one exam session to the next. This process makes memorizing question choices more difficult, thereby keeping questions fresh and challenging longer.
On the left side of the main exam customization screen, you are presented with the option of selecting the preconfigured practice test or creating your own custom test. The preconfigured test has a fixed time limit and number of questions. Custom tests allow you to configure the time limit and the number of questions in your exam.
The Preview Edition on this book’s CD-ROM includes a single preconfigured practice test. You can get the complete set of challenging PrepLogic Practice Exams at http://www.preplogic.com to make certain you’re ready for the big exam. You click the Begin Exam button to begin your exam.
Starting a Flash Review Mode Session Flash Review mode provides an easy way to reinforce topics covered in the practice questions. To begin studying in Flash Review mode, you click the Flash Review radio button from the main exam customization screen. Then, you select either the preconfigured practice test or create your own custom test. You click the Begin Exam button to begin a Flash Review mode session.
Standard PrepLogic Practice Exams, Preview Edition Options The following list describes the function of each of the buttons you see across the bottom of the screen. Depending on the options, some of the buttons will be grayed out and inaccessible, or they might be missing completely. Buttons that are appropriate are active.
➤ Exhibit—This button is visible if an exhibit is provided to support the question. An exhibit is an image that provides supplemental information that is necessary to answer a question.
➤ Item Review—This button leaves the question window and opens the Item Review screen, from which you can see all questions, your answers, and your marked items. You can also see correct answers listed here, when appropriate.
➤ Show Answer—This option displays the correct answer, with an explanation about why it is correct. If you select this option, the current question is not scored.
➤ Mark Item—You can check this box to flag a question that you need to review further. You can view and navigate your marked items by clicking the Item Review button (if it is enabled). When your exam is being graded, you are notified if you have any marked items remaining.
➤ Previous Item—You can use this option to view the previous question.
➤ Next Item—You can use this option to view the next question.
➤ Grade Exam—When you finish your exam, you can click Grade Exam to end your exam and view your detailed score report. If you have unanswered or marked items remaining, you are asked whether you want to continue taking your exam or view the exam report.
Seeing Time Remaining If your practice test is timed, the time remaining appears on the upper-right corner of the application screen. It counts down the minutes and seconds remaining to complete the test. If you run out of time, you are asked whether you want to continue taking the test or end your exam.
Getting Your Examination Score Report The Examination Score Report screen appears when the Practice Exam mode ends—as a result of time expiration, completion of all questions, or your decision to terminate early. This screen provides a graphical display of your test score with a breakdown of scores by topic domain. The graphical display at the top of the screen compares your overall score with the PrepLogic Exam Competency Score. The PrepLogic Exam Competency Score reflects the level of subject competency required to pass the particular vendor’s exam. Although this score does not directly translate to a passing score, consistently matching or exceeding this score does suggest that you possess the knowledge needed to pass the actual vendor exam.
Reviewing Your Exam From the Your Score Report screen, you can review the exam that you just finished by clicking the View Items button. You can navigate through the items, viewing the questions, your answers, the correct answers, and the explanations for those questions. You can return to your score report by clicking the View Items button.
Contacting PrepLogic If you want to contact PrepLogic for any reason, including to get information about its extensive line of certification practice tests, you can do so online at http://www.preplogic.com.
Customer Service If you have a damaged product and need to contact customer service, please call 800-858-7674.
Product Suggestions and Comments PrepLogic values your input! Please email your suggestions and comments to [email protected].
License Agreement YOU AGREE TO THE TERMS AND CONDITIONS OUTLINED IN THE END USER LICENSE AGREEMENT ("EULA") PRESENTED TO YOU DURING THE INSTALLATION PROCESS. IF YOU DO NOT AGREE TO THESE TERMS, DO NOT INSTALL THE SOFTWARE.
Glossary
3DES (Triple DES) The same algorithm as DES, applied three times (encrypt, decrypt, encrypt) with up to three different 56-bit keys. You will see 3DES called 168-bit encryption as well, although meet-in-the-middle attacks reduce its effective strength to about 112 bits.
AAA (authentication, authorization, and accounting) The generic reference to applications that provide security for remote access, such as Terminal Access Controller Access Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS).
accounting Allows an administrator to keep track of a number of things, such as the duration of a connection, the amount of traffic transmitted, and the commands that were entered on a device.
administrative distance (AD) The believability level of knowledge gained via a routing protocol; the lower the value, the more trusted the source. Although customizable, the defaults indicate that Routing Information Protocol (RIP) routes (AD 120) are less believable than Open Shortest Path First (OSPF) learned routes (AD 110), and that internal Enhanced Interior Gateway Routing Protocol (EIGRP) routes (AD 90) are more reliable than either.
ADSL (Asymmetric DSL) The most popular form of DSL technology. The key to ADSL is that the upstream and downstream bandwidth is asymmetric, or uneven. In practice, the bandwidth from the provider to the user (downstream) is the higher speed path. This difference is in part due to the limitation of the telephone cabling system, but it also accommodates the typical Internet usage, where the majority of data is sent to the user downstream. ADSL is rated for distances up to 18,000 feet.
AES (Advanced Encryption Standard) A privacy transform for IP Security (IPSec) and Internet Key Exchange (IKE) that was developed to replace DES. It uses a 128-, 192-, or 256-bit key.
aggressive mode An IKE phase 1 exchange that is faster than main mode because it sends a total of three messages instead of six. The drawback is that identity information is exchanged before a secure channel is established, so the peers' identities are visible to anyone watching the negotiation.
AH (Authentication Header) Provides data authentication, integrity, and optionally antireplay. The AH integrity check is applied to the entire datagram except for mutable fields. A mutable field is something like time to live (TTL), which is modified by every router in the transmission path. AH provides no encryption, and because the source and destination addresses are covered by its integrity check, it does not work through network address translation (NAT).
antenna site The location where antennas and satellite receivers receive broadcast signals.
asynchronous A serial connection where the transmission of data, and the way in which it should be interpreted, is managed by each device on the network. Each packet has “decoding” information built into it, taking away from the usable bandwidth of the connection for data.
authentication A process that happens before a user or device is allowed onto the network. It is the ability to verify their identity and determine whether they should be allowed.
authorization Indicates what a user is allowed to do on a network. You can control protocols, services, commands, and system levels.
backup circuit Might be always up but is often a dial-on-demand link. The backup comes up when the primary is down or if the primary is congested and the backup is configured to help.
Basic Rate Interface (BRI) A dial-on-demand form of ISDN. A BRI consists of two 64Kbps B channels for data and one 16Kbps D channel for signaling.
BECN (Backward Explicit Congestion Notification) A bit set by the Frame Relay network in frames traveling back toward the router whose traffic is causing congestion, indicating that frames in the other direction are experiencing congestion and may be discarded, and that the sender should reduce its rate. See also FECN.
branch office Remote locations where smaller groups of people work. Users connect through a LAN but require WAN access to reach the central office.
BRI See Basic Rate Interface.
broadband A type of data transmission in which a single medium (wire) can carry several signals at once. Usually, it transmits using frequency division multiplexing (FDM).
burst rate A measurement in Frame Relay, which has a committed burst rate and an excess burst rate. The committed burst is the amount that the service provider has guaranteed to carry. The excess burst rate is the additional amount above the committed burst that the network will attempt to carry, typically marked discard eligible, without a guarantee that the traffic will make it across the cloud.
CA (certificate authority) A trusted third-party service that eases the establishment of secured communications. A CA issues digital certificates, which can be used to authenticate peers and establish key material for a virtual private network (VPN). Using a CA allows for tremendous scalability in a VPN infrastructure.
callback A feature in Point-to-Point Protocol (PPP) that you can configure in two ways. The first allows a user to call in with the router returning the call. The second configures the router to only call a single phone number. You can use callback for security or for bill consolidation.
CBC (Cipher Block Chaining) One of several methods of implementing DES. CBC requires that an initialization value (IV) be the same for both IPSec peers before encryption can take place.
CD (Carrier Detect) Generated by data circuit–terminating equipment (DCE), indicates that DCE-to-DCE communications has been established.
central site The main office where the majority of a corporation is located, usually the destination point for remote users and branch offices.
channel A distinct amount of bandwidth, usually allowing 64Kbps but possibly 56Kbps, depending on the line code in use.
CHAP (Challenge Handshake Authentication Protocol) Used by PPP to hide passwords as they cross the network. Hashing encrypts the password and then possibly pads or truncates the result to achieve a 96-bit payload.
character mode Often referred to as line mode. The data is destined to the router, specifically to a TTY, VTY, aux, or con port, most likely for configuration and maintenance reasons.
CIR (committed information rate) The amount of bandwidth that the service provider has guaranteed. Anything in excess of this value may be discarded without breaching any contracts.
circuit switching The switching system in which a dedicated physical circuit path must exist between the sender and the receiver for the duration of the “call.” It is used heavily in the telephone company network. Circuit switching can be contrasted with contention and token passing as a channel-access method and with message switching and packet switching as a switching technique.
CiscoSecure Access Control Server (CSACS) What provides a Cisco network with AAA capabilities. It is available on UNIX and Windows platforms.
CM (cable modem) A modulator-demodulator at subscriber locations for use in conveying data packets on a cable television system.
CMTS (cable modem termination system) A system of devices located in the headend that allows cable providers to offer high-speed Internet access. The CMTS provides many of the same functions provided by the DSL access multiplexer (DSLAM) in a DSL system.
CO (central office) The local telephone company office to which all local loops in a given area connect and in which circuit switching of subscriber lines occurs.
coaxial cable A type of wire that consists of a center wire surrounded by insulation and then a grounded shield of braided wire. The shield minimizes electrical and radio frequency interference. Coaxial cable suffers from attenuation, which is the weakening of the signal due to resistance. Coaxial cable is the primary type of cabling used by the cable television industry.
compression A method of reducing transmitted data by using an algorithm that reduces the number of bits needed to describe a particular data stream, thus reducing bandwidth usage.
cryptosystem The system that performs encryption, decryption, hashing, authentication, and key management.
CSU/DSU (channel service unit/data service unit) Basically a conversion device. It sits between the telco’s connection, T1, and your network router. It is used to terminate and convert the signal into a usable format by the router. Some routers use an internal CSU/DSU; others require an external device to perform the function.
CTS (Clear to Send) Generated by DCE, indicates that the DCE has buffers to receive data from the DTE.
custom queuing (CQ) A mechanism where all queues have the same priority but some can have more traffic removed from them at a time than others. Each queue is serviced in a roundrobin fashion.
DCE (data circuit–terminating equipment) The physical equipment on a network that connects to the outside world and the underlying WAN network. This device provides the clocking on a network.
decryption The process of taking ciphertext and converting it back into cleartext so that authorized users can view it.
dedicated connection A WAN connection that has guaranteed bandwidth from one point to another. A dedicated connection is analogous to a single Ethernet connection from one branch to another.
DES (Data Encryption Standard) A 56-bit key used to encrypt and decrypt packet data.
dial backup A dial-on-demand circuit configured to dial and connect if a primary link is unavailable.
Diffie-Hellman (D-H) A public-key cryptography protocol that allows two parties to establish a shared secret key over an insecure communications channel. There are multiple groups of D-H, such as group 1 at 768 bits, group 2 at 1024 bits, and others.
distribution network The trunk or backbone made of fiber and coaxial cabling that brings the signal to the subscriber drop.
DLCI (data-link connection identifier) Identifies the Frame Relay circuit that will go from one device to another.
DOCSIS (Data Over Cable Service Interface Specification) Defines interface standards for CMs and supporting equipment. Developed by CableLabs and approved by the International Telecommunications Union (ITU) in March 1998, version 1.0 was the first standard and version 1.1 added VoIP capabilities. Version 2.0 is currently in the works and should allow for 30Mbps in the upstream path.
Downstream The transmission from the headend to a subscriber, also called the forward path.
DSL (digital subscriber line) Refers collectively to all types of digital subscriber lines. DSL technologies use sophisticated modulation schemes to pack data onto copper wires. They are referred to as last-mile technologies because they are used only for connections from a central office to a home or office.
DSLAM (DSL access multiplexer) Terminates DSL connections at the CO. DSLAM is a device that connects many lines to a network by multiplexing the DSL traffic onto one or more network trunk lines.
DS0 See channel.
DSR (Data Set Ready) Pin 6 of the Electronic Industries Association/Telecommunications Industry Association (EIA/TIA)232 interface standard. Generated by the DCE, it informs the DTE that it is ready for use.
DTE (data terminal equipment) A device on the customer side of a carrier network that accepts the clocking or synchronization from the DCE device.
DTR (Data Terminal Ready) Pin 20 of the EIA/TIA-232 interface standard. Generated by the DTE, it informs the DCE that it is ready to receive an incoming call.
EIA/TIA-232-C The finalized standard for serial connections. EIA/TIA-232-C standardized on a 25-pin connector.
encryption The process of taking cleartext and converting it into ciphertext to protect it from unauthorized viewing. There are two types of encryption: symmetric, which uses a single shared secret key, and asymmetric, which uses a public and private key.
error detection and correction When the modem detects that data has changed since it was sent and requests that the data be retransmitted. Error detection is the realization that data has changed. Error correction is the request for a retransmission of the data.
ESP (Encapsulating Security Payload) Provides encryption, integrity, and optionally authentication and antireplay. The E stands for encapsulation, which makes it different from AH. With ESP, the entire IP packet is encapsulated. ESP works with NAT.
FECN (Forward Explicit Congestion Notification) Sent from the telco cloud to the destination of a piece of information when there is congestion and the frame is discarded. See also BECN.
global address An address outside the organization. An example is an address on the Internet.
G.SHDSL Also known as G.991.2, an international standard for Symmetric DSL (SDSL) developed by the ITU. This is the first DSL technology to be developed from the ground up as an international standard; it supports longer distances (28,000 feet) and is predicted to be the most adopted standard in the future.
hashing Uses an algorithm or formula to convert data and a key into a hash. The hash is used to ensure that the transmitted message has not been tampered with. The sender generates a hash of the message and key, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. The recalculated hash is used to verify that the message and the key are intact. Common algorithms include Message Digest 5 (MD5) and Secure Hash Algorithm-1 (SHA-1).
headend Similar to a telephone company’s CO. This is where the signals are processed and formatted for transmission onto the distribution network.
HDSL (High data rate DSL) Used as a replacement for T1 or E1 services. The distances are limited to 12,000 feet.
HFC (hybrid fiber coax) Provides two-way, high-speed data access to the home using a combination of fiber optics and coaxial cable. Each channel, upstream and downstream, gets a 6MHz channel to transmit and receive its signals. Downstream gets 50 to 860MHz, and upstream gets 5 to 42MHz.
HMAC-MD5 (Message Authentication Codes using Hashing-Message Digest 5) A hashing algorithm that uses a 128-bit shared secret key. IKE, AH, and ESP can use MD5 for authentication.
HMAC-SHA-1 A hashing algorithm that uses a 160-bit shared secret key. IKE, AH, and ESP can use SHA-1 for authentication.
home office A location where a user works out of his or her home, usually using a dial-on-demand connection. Broadband is changing this situation.
IDSL (ISDN DSL) Uses 2B1Q line coding and the full bandwidth of two 64Kbps bearer channels plus one 16Kbps delta channel. Major benefits of switching to IDSL from ISDN are the always-on connection, no call setup, and flat rate billing instead of per-minute fees. Distances can be 18,000 feet.
IKE (Internet Key Exchange) A hybrid protocol of Oakley key exchange and Skeme key exchange. IKE is synonymous with ISAKMP; you will see both terms used and referenced throughout Cisco materials.
inside global address A legitimate address on the public or external network, usually provided by your ISP. This translated address is visible to the outside world and maps back to your inside local address.
inside local address The IP address assigned to a host on the private or internal network. It is usually based on RFC 1918.
interface The connection between two systems or devices. The physical ports on a router that the media plugs into, such as serial, Ethernet, ISDN, console, aux, and so on, are examples of interfaces.
Inverse-Address Resolution Protocol (ARP) A Frame Relay mechanism for discovering the network address of a device on the far end of a link and mapping that network address to a DLCI.
IPSec (IP Security) A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
ISAKMP (Internet Security Association and Key Management Protocol) Provides authentication of IPSec peers, negotiation of IKE and IPSec security associations (SAs), and the establishment of keys for IPSec encryption algorithms.
ISDN (Integrated Services Digital Network) A WAN technology utilizing a standard single pair of wires from the telephone company to provide a higher bandwidth connection to a fixed location. ISDN basic rate allows for 2 B (bearer) channels at up to 64Kbps each for a maximum throughput of 128Kbps. ISDN also uses a single D of 16Kbps (data or delta) channel for signaling, call setup, and call disconnection.
IV (initialization value) Input parameter that sets the starting state of a cryptographic algorithm or mode.
keepalives Pieces of information that flow between two devices. The purpose is for each device to alert the other that it is still online and available.
key The information used to set up and possibly change operations of a cryptosystem, usually random binary digits. You can think of it as x (71,399 * x = hash), which is not technically accurate, but you get the point.
key management The control of keys generated, stored, revoked, transferred, and used.
LMI (Local Management Interface) The signaling standard between the CPE device and the Frame Relay switch. It is responsible for managing and maintaining the connection. The three LMI types are Cisco, ANSI, and Q933A.
load A measure of bandwidth usage, often used with a backup configuration to allow the backup connection to come up and help the primary when the primary becomes congested.
local address An address inside a network using NAT.
low-latency queuing An add-on to class-based weighted fair queuing. LLQ allows a high level of prioritization for voice traffic as well as bandwidth allocation for nonvoice traffic.
main mode The recommended mode for IKE. It is a touch slower than aggressive mode, but more secure and reliable. It consists of six message exchanges, three in each direction.
map class Configures interface-level components such as the idle timeout or the interface speed.
modemcap database The internal database built into the Cisco IOS that defines the modems which can be automatically detected by the router. You can modify and add to this database.
multilink Connecting two or more distinct circuits together to be represented by a single larger virtual circuit.
NAT (network address translation) Provides a method for address conservation and the ability to translate local addresses for use on the Internet. NAT is typically used in an effort to hide a network behind a set of nonpublicly routable IP addresses, such as with the 10.0.0.0 network.
negotiation The process of two devices communicating and sharing what they are capable of, for the purpose of forming a communications connection.
nonbroadcast multi-access (NBMA) A network where a single network address can send traffic to multiple destinations, such as Ethernet. Although Frame Relay supports NBMA with a multipoint configuration, by default it does not pass broadcast traffic across the cloud; the Frame Relay map must show that broadcasts are allowed, either through manual configuration or through Inverse-ARP.
NTSC (National Television System Committee) Responsible for setting television and video standards in the United States. It uses a 6MHz modulated signal.
outside global address Someone else’s inside global address, an address of an external host on the public network, or a routable address provided by the ISP.
outside local address An IP address of an outside host as it appears to the private or internal network. Not necessarily a legitimate address, it is allocated from the inside address space. It is usually based on RFC 1918.
overlapping A scenario where the same addresses are used on two different networks and the networks are trying to reach each other. You can use NAT to make this scenario possible.
overloading A NAT scenario where all outbound address translations use the same address. Port numbers are used for uniqueness. It is also referred to as port address translation (PAT) because it uses ports.
oversubscription Where there is more traffic than there is available bandwidth.
packet mode Also known as interface mode. The data passes through the router from one network to another through such ports as async, BRI, Primary Rate Interface (PRI), serial, and dialer interfaces.
packet switching Networking method in which nodes share bandwidth with each other by sending packets. Compare with circuit switching.
PAL (Phase Alternating Line) The dominant television standard in Europe. It uses a 6MHz, 7MHz, or 8MHz modulated signal, depending on the version.
PAT (port address translation) Translation method that allows the user to conserve addresses in the global address pool by allowing source ports in TCP connections or User Datagram Protocol (UDP) conversations to be translated. Different local addresses then map to the same global address, with port translation providing the necessary uniqueness.
PCM (pulse code modulation) encoding Technique of encoding analog voice into a 64kbit data stream by sampling with 8-bit resolution at a rate of 8000 times per second.
port In IP terminology, a field in both the TCP and UDP headers that is used to identify a service. Ports are numbered, and each number is associated with a specific process or service. There are 65,535 usable ports for each TCP and UDP.
PPP (Point-to-Point Protocol) An encapsulation protocol that you can use on serial links as well as some Ethernet implementations. PPP provides several functions such as multilink, callback, authentication, and compression.
PPPoA (PPP over Asynchronous Transfer Mode [ATM]) A routed solution by which the CPE routes packets to the aggregation router. No host-based software is required as with PPPoE.
PPPoE (PPP over Ethernet) A bridged solution covered in RFC 2516. Ethernet frames are bridged over ATM as with RFC 1483/2684, but this time, the Ethernet packets encapsulate PPP. The PPP session is established between the end-user PC and the aggregation router.
preshared key A shared secret key or password that is usually entered manually on each peer for use in setting up an SA. It is used for authentication.
PRI See Primary Rate Interface.
primary The circuit that the organization wants up most of the time. If the primary is not available, the backup takes over.
Primary Rate Interface (PRI) A bundle of 64Kbps DS0 channels. PRIs include T1s and E1s.
priority queuing (PQ) A queuing strategy that places traffic into one of four queues: high, medium, normal, or low. Each queue must be totally empty before taking a waiting packet out of a lower-ranking queue.
profile The logical component of a dial-on-demand routing (DDR) configuration. You use the profile to separate physical interface configurations from logical components such as encapsulation or phone numbers.
Q.921 The ISDN standard that defines signaling between the router and the telco switch.
Q.931 The ISDN standard that defines ISDN communication between the two end devices.
reference point Defines for ISDN a set of standards for interconnecting two devices.
rotary group Used when there is a single phone number and multiple modems that can service calls. All users can dial the same number, and no one gets a busy signal until all the modems are busy.
SA (security association) Built between two or more peers that describe the security services which have been set up or negotiated between the available options. SAs are unidirectional and protocol specific; there is an SA for IKE and an SA for IPSec.
SDSL (Symmetric DSL) Designed more for business. The line speed is the same in both directions, allowing for greater upstream speeds than ADSL, and it is generally used as a substitute for T1/E1. SDSL is becoming popular as a way to provide full-duplex symmetric data communication. The greater available bandwidth for upstream communication can handle requests for services hosted at the customer’s site. Distances can be up to 12,000 feet.
spectrum reuse Takes advantage of a “sealed” cable or network. A cable company can place signals on a wire that they could otherwise not use. Because the signal is trapped within, it doesn’t conflict with other signals.
subscriber drop The connection from your television to the distribution network, consisting of the cable, set-top box, grounding, and attachment hardware.
synchronous A serial connection where the sending and receiving of packets on the network is managed by one single source. All traffic is synchronized based on a clocking signal on the line. When a line uses a standard clock, more bandwidth can be dedicated to the actual transmission of data.
TACACS+ (Terminal Access Controller Access Control System) A Cisco proprietary protocol for use with the CSACS. It uses TCP/IP, encrypts all data, and allows multiple levels of authorization, and it can use other methods of authentication such as Kerberos.
T1/T3 Speed standards utilized in the United States. A T1 has a bandwidth capacity of 1.544Mbps, and a T3 has a capacity of approximately 54Mbps.
traffic shaping Configuring a router to treat some types of traffic with a higher priority than other types. Prioritization may be based on size of the packet, the type of traffic, the source or destination of the traffic, or some combination of factors.
transform sets Define the combinations of IPSec algorithms for encryption and authentication. A transform set describes authentication (such as AH), encryption (such as ESP), and mode (tunnel versus transport).
transportation network Often found between the antenna site and headend or the headend and the distribution network. It is used when necessary to maintain the link.
transport mode Used for end-host-to-end-host communication. Security is provided at the transport layer and above; it protects the data of the packet but exposes the IP address. The original IP address is used to traverse the network. Tunnel mode is more common.
tunnel A virtual point-to-point connection that carries traffic from one protocol encapsulated in another. Security is provided for the original IP packet. The encrypted packet is placed inside another packet, which amounts to ciphertext inside a new IP packet. The IP address of the new packet is used to traverse the network. In tunnel mode, the hosts are not aware that encryption is taking place.
Upstream The transmission from a subscriber to the headend, also called the return or reverse path.
VDSL (Very high data rate DSL) Transmits data in the 13Mbps to 55Mbps range over short distances, usually between 1,000 and 4,500 feet. The shorter the distance, the faster the connection rate.
VPN (virtual private network) Enables IP traffic to travel securely over any network by encrypting traffic from one network to another. VPNs are often associated with tunneling.
WAN (wide-area network) Makes data connections across a broad geographical area. Much like a LAN but bigger in scope, a WAN uses various broadband and leased connections to provide connectivity.
weighted fair queuing (WFQ) An extension to first-in, first-out queuing. The router keeps track of which packets fully arrive first and forwards based on that criterion, weighting toward smaller packets.
Index
Symbols
@ (at symbol), 67
^ (caret), 67
3DES, 248
800 routers, 27
1600 routers, 27
1700 routers, 27
2500 routers, 27
2600 routers, 27
3600 routers, 27
3700 routers, 27
7200 routers, 27
A
AAA (authentication, authorization, and accounting), 36-37
  accounting events, 43
  accounting methods, 42-44
  authentication methods, 39-40
  authorization methods, 41-42
  clients, 37
  enabling, 38-39
  exam prep questions, 45-47
  RADIUS protocol, 37
  router access modes, 38
  servers, 37
  TACACS+ protocol, 37
aaa accounting command, 42, 44
aaa authentication login command, 39-40
aaa authorization command, 41-42
access control (WANs), 24
access control lists. See ACLs
Access Control Server (ACS), 36-37. See also AAA (authentication, authorization, and accounting)
access-list command, 85, 142
access lists, 142-143
accounting, 37, 42-44. See also AAA (authentication, authorization, and accounting)
ACLs (access control lists)
  compatibility with IPSec, 254
  crypto ACLs, 258
Acme Corporation case study, 235-236
ACS (Access Control Server), 36-37. See also AAA (authentication, authorization, and accounting)
addresses, NAT (Network Address Translation)
  advantages, 78-79
  disadvantages, 79
  dynamic NAT, 82-84
  exam prep questions, 88-91
  inside global addresses, 80
  inside local addresses, 80
  load sharing, 85-86
  outside global addresses, 80
  outside local addresses, 80
  overlapping, 84-85
  overloading, 84
  resources, 92
  static NAT, 81-82
  troubleshooting, 86-87
administration
  compression, 236
    CPU cycles versus memory, 239
    exam prep questions, 240-243
    header compression, 238
    Lempel-Ziv compression algorithm, 244
    link compression, 237
    modem compression, 239
    MPPC compression, 237-238
    payload compression, 238
    predictor compression, 237
    STAC compression, 237
  queuing
    case study, 235-236
    CB-WFQ (class-based weighted fair queuing), 233-235
    CQ (custom queuing), 222, 228-232
    determining queuing strategy, 223
    exam prep questions, 240-243
    low-latency queuing, 235
    PQ (priority queuing), 222, 225-228
    PQ-WFQ (priority queuing weighted fair queuing), 232-233
    WFQ (weighted fair queuing), 222-225
ADSL (asymmetric DSL), 190-192
AES (Advanced Encryption Standard), 248
aggressive mode (IKE), 251
ah-md5-hmac transform, 257
ah-sha-hmac transform, 257
AHs (authentication headers), 249
ALERTING message (ISDN), 119
algorithms
  HMAC-MD5, 248
  HMAC-SHA-1, 248
  MD5, 56
  SHA, 56
Alternate Mark Inversion (AMI), 126
ambiguous questions, 273
American National Standards Institute (ANSI), 158
AMI (Alternate Mark Inversion), 126
ANSI (American National Standards Institute), 158
Ansi LMI (Local Management Interface), 161
answer key for practice exam #1, 295-314
answer key for practice exam #2, 335-356
antenna sites, 187
AS5000 routers, 27
assessing exam-readiness, 2-3
asymmetric DSL (ADSL), 190-192
async dynamic address command, 58
async mode dedicated command, 58
async mode interactive command, 58
asynchronous modem connections
  CD (Carrier Detect) signals, 97
  compression standards, 97
  CTS (Clear to Send) signals, 97
  DCE (Data Communications Equipment), 96
  DSR (Data Set Ready) signals, 97
  DTE (Data Terminal Equipment), 96
  DTR (Data Terminal Ready) signals, 97
  EIA/TIA-232-C standard, 96
  error detection/correct standards, 97
  exam prep questions, 108-111
  Hayes AT commands, 101-102
  modem configuration
    known modem types, 105
    manual configuration, 102-103
    modemcap database, 103-104
    unknown modem types, 105-106
  resources, 112
  routers
    attaching to modems, 100-101
    logical router configuration, 98-99
    physical interface configuration, 99
  RS-232 standard, 96
  RTS (Request to Send) signals, 97
  troubleshooting
    modem autoconfiguration, 106-107
    serial interfaces, 107
    undetected modems, 107
at symbol (@), 67
AT&C1 command, 102
AT&D2 command, 102
AT&F command, 101
ATE0 command, 101
ATM, 22
ATM0 command, 101
ATS0 command, 101
ATS2 command, 101
authentication, 36. See also AAA (authentication, authorization, and accounting)
  AHs (authentication headers), 249
  authentication methods, 39-40
  authorization methods, 41-42
  CHAP (Challenge Handshake Authentication Protocol)
    authentication process, 55-56
    configuring, 59-60
  CIA (confidentiality, integrity, and authentication), 246
  enabling, 39-40
  PAP (Password Authentication Protocol), 55
  PPP (Point to Point Protocol), 52
authentication headers (AHs), 249
authorization, 36, 41-42. See also AAA (authentication, authorization, and accounting)
automatic configuration
  known modem types, 105
  unknown modem types, 105-106
autoselect command, 52
availability (WANs), 23
B
B8ZS, 126
backup delay command, 209
backup interface command, 209, 213
backup load command, 212-213
backups
  backup loads, 212-213
  dial backups
    backup load, 212-213
    configuring for primary link failure, 208-210
    dialer profiles, 213
    exam prep questions, 216-218
    floating static routes, 210-212
    load sharing, 213-215
    verifying configuration of, 215
Backward Explicit Congestion Notification (BECNs), 169
bandwidth
  ISDN BRI (Basic Rate Interface), 123-124
  WANs (wide area networks), 23
bandwidth command, 167, 234
banner slip-ppp command, 67
banners (login), 66-67
Basic Rate Interface. See BRI
How can we make this index more useful? Email us at [email protected]
BECNs (Backward Explicit Congestion Notification), 169
bidding, 66
branch offices, 25-26
BRI (Basic Rate Interface), 114-115
  bandwidth usage, 123-124
  caller ID screening, 124-125
  dialer lists, 121
  dialer maps, 122
  idle timer, 124
  interesting traffic, 121
  interface configuration, 121
  routing, 123
  SPIDs (service provider IDs), 122-123
  switch types, 120
bridges, wireless, 186
broadband
  cable, 186
    antenna sites, 187
    CMs (cable modems), 188-189
    CMTS (cable modem termination system), 188
    coaxial cable, 187
    distribution networks, 187
    DOCSIS (Data Over Cable Service Interface Specification), 188
    DS (downstream) transmissions, 187
    headend, 187
    HFC (hybrid fiber coax), 187
    NTSC (National Television System Committee), 188
    PAL (Phase Alternating Line), 188
    provisioning, 189
    RF (radio frequency), 187
    spectrum reuse, 188
    subscriber drops, 187
    transportation networks, 187
    US (upstream) transmissions, 188
  DBS (direct broadcast satellite), 186
  defined, 187
  DSL (digital subscriber line), 189-191
    ADSL (asymmetric DSL), 190-192
    HDSL (high data rate DSL), 190
    IDSL (ISDN DSL), 190
    PPPoA, 192, 195
    PPPoE, 191-195
    RFC 1483/2684 Bridged, 191
    SDSL (symmetric DSL), 190
    troubleshooting, 196
    VDSL (very high data rate DSL), 190
  exam prep questions, 197-202
  resources, 203
  wireless bridges, 186
broadcast command, 162
burst rates, 158
buttons (PrepLogic Practice Exams, Preview Edition), 365-366
byte-count keyword (priority-list command), 227
byte-count-number option (queue-list command), 230
C
cable connections, 186
  antenna sites, 187
  CMs (cable modems), 188-189
  CMTS (cable modem termination system), 188
  coaxial cable, 187
  distribution networks, 187
  DOCSIS (Data Over Cable Service Interface Specification), 188
  DS (downstream) transmissions, 187
  headend, 187
  HFC (hybrid fiber coax), 187
  NTSC (National Television System Committee), 188
  PAL (phase alternating line), 188
  provisioning, 189
  RF (radio frequency), 187
  spectrum reuse, 188
  subscriber drops, 187
  transportation networks, 187
  US (upstream) transmissions, 188
cable modem termination system (CMTS), 188
cable modems (CMs), 188-189
CALL PROCEEDING message (ISDN), 119
callback, 54, 60-63
Callback-dialstring phone-number command, 63
callback forced-wait command, 62
Callback-line line-number command, 63
Callback-rotary rotary-group command, 63
caller ID (ISDN BRI), 124-125
calls (ISDN)
  caller ID screening, 124-125
  disconnecting, 119-120
  setting up, 118-119
CAP (carrierless amplitude and phase) modulation, 191
caret (^), 67
Carrier Detect (CD) signals, 97
carrierless amplitude and phase (CAP) modulation, 191
CAs (certificate authorities), 249
CATV (community antenna television). See cable connections
CB-WFQ (class-based weighted fair queuing)
  configuring, 233-235
  defined, 233
  low-latency queuing, 235
CBC (cipher block chaining), 248
CCITT (Consultative Committee for International Telegraph and Telephone) standards, 97
CCNP certification exams
  ambiguous questions, 273
  assessing readiness for, 2-3
  exam prep questions
    AAA (authentication, authorization, and accounting) questions, 45-47
    broadband, 197-202
    DDR (dial-on-demand routing), 152-155
    dial backups, 216-218
    Frame Relay, 178-183
    ISDN, 134-137
    modems, 108-111
    NAT (Network Address Translation), 88-91
    PPP (Point to Point Protocol), 71-74
    traffic management, 240-243
    VPNs (virtual private networks), 264-268
    WANs (wide area networks), 28-32
  layout and design, 5-8
  practice exam #1, 271-293
    answer key, 295-314
  practice exam #2, 315-334
    answer key, 335-356
  preparation for, 274-275
  PrepLogic Practice Exams, Preview Edition, 359-361
    buttons, 365-366
    customer service, 367
    exam simulation, 361
    Examination Score Report, 366
    Flash Review mode, 364-365
    installation, 363
    interface design, 362
    learning environment, 362
    license agreement, 367
How can we make this index more useful? Email us at [email protected]
    Practice Test mode, 364-365
    PrepLogic contact information, 367
    product suggestions/comments, 367
    question quality, 362
    software requirements, 362
    time remaining, 366
    uninstallation, 363
  question formats, 271-272
    drag-and-drop questions, 7
    exhibits, 6
    fill-in-the-blank questions, 6-7
    multiple-choice questions, 5-6
  question-handling tips, 9-11
  resources for, 12
  scoring, 10
  software tips, 8
  studying for, 11
  test objectives, 3-4
  test-taking tips, 272-275
  testing environment, 4-5
CD (Carrier Detect) signals, 97
CD-ROM, 359-360
central sites, 24-25
certificate authorities (CAs), 249
certification exams. See CCNP certification exams
Challenge Handshake Authentication Protocol. See CHAP
channel service unit/data service unit (CSU/DSU), 116
channels, 116
CHAP (Challenge Handshake Authentication Protocol)
  authentication process, 55-56
  configuring, 59-60
character mode (routers), 38
CIA (confidentiality, integrity, and authentication), 246
cipher block chaining (CBC), 248
ciphertext, 247
CIR (Committed Information Rate), 158
circuits
  circuit-switched WAN connections, 19
  PVCs (permanent virtual circuits), 158
  SVCs (switched virtual circuits), 158
Cisco IOS Security Command Reference, 49
Cisco IOS Security Configuration Guide, 49
Cisco LMI (Local Management Interface), 161
cisco parameter (crypto map command), 259
Cisco Web site, 3, 13
  Congestion Management section, 244
  Training and Certification page, 12
CiscoSecure ACS (Access Control Server), 36-37. See also AAA (authentication, authorization, and accounting)
class-based weighted fair queuing (CB-WFQ)
  configuring, 233-235
  defined, 233
  low-latency queuing, 235
class-map command, 234
classes, map classes, 146-147, 171
clear crypto sa command, 263
clear ip nat translation command, 87
clear line command, 103, 106
Clear to Send (CTS) signals, 97
client-initiated VPNs (virtual private networks), 247
clients
  AAA clients, 37
  PPPoA clients, 195
  PPPoE clients, 192-195
clock source command, 128
clocking (ISDN PRI), 128
CMs (cable modems), 188-189
CMTS (cable modem termination system), 188
coaxial cable, 187
code listings
  backup load configuration, 212
  crypto map example, 260
  DDR (dial-on-demand routing) sample configuration, 149
  debugging PPP authentication, 70
  debugging PPP negotiation, 69-70
  DHCP configuration, 194
  dial backup configuration, 208
  dialer pool membership configuration, 146
  IKE policy configuration, 255
  PPPoE configuration, 194
  VPDN configuration, 193
commands
  aaa accounting, 42-44
  aaa authentication login, 39-40
  aaa authorization, 41-42
  access-list, 85, 142
  async dynamic address, 58
  async mode dedicated, 58
  async mode interactive, 58
  AT&C1, 102
  AT&D2, 102
  AT&F, 101
  ATE0, 101
  ATM0, 101
  ATS0, 101
  ATS2, 101
  autoselect, 52
  backup delay, 209
  backup interface, 209, 213
  backup load, 212-213
  bandwidth, 167, 234
  banner slip-ppp, 67
  broadcast, 162
  callback forced-wait, 62
  Callback-dialstring phone-number, 63
  Callback-line line-number, 63
  Callback-rotary rotary-group, 63
  class-map, 234
  clear crypto sa, 263
  clear ip nat translation, 87
  clear line, 103, 106
  clock source, 128
  compress, 238
  compress mppc, 64
  compress predictor, 64
  compress stac, 64
  config-crypto-map, 260
  controller t1, 125
  crypto ipsec security-association lifetime, 258
  crypto ipsec transform-set, 257
  crypto isakmp enable, 254
  crypto isakmp key, 256
  crypto isakmp policy, 254
  crypto map, 259
  custom-queue-list, 230-232
  debug confmodem, 106-107
  debug crypto ipsec, 263
  debug crypto isakmp, 263
  debug frame-relay lmi, 177
  debug ip nat, 87
  debug isdn event, 132
  debug isdn q921, 132
  debug isdn q931, 132
  debug ppp authentication, 68-70, 196
  debug ppp multilink, 69
  debug ppp multilink negotiation, 69
  debug ppp negotiation, 68-70, 196
  debug ppp packet, 69
  default-router, 194
  dialer fast-idle, 147
  dialer-group, 144, 193
  dialer-group 1, 122
  dialer hold-queue, 62, 144
  dialer hold-queue timeout, 62
  dialer idle-timeout, 124, 147
  dialer isdn speed, 147
  dialer-list, 121, 149
  dialer load-threshold, 65, 123, 144
  dialer map, 122, 145, 150
  dialer pool, 144-146, 149
  dialer pool-member, 195
  dialer remote-name, 144
  dialer rotary-group, 148
  dialer string, 144
  debug atm events, 196
  encapsulation, 58, 99
  encapsulation aal5mux ppp dialer, 195
  encapsulation frame-relay, 162, 166-167
  fair-queue, 224-225
  flowcontrol hardware, 99
  frame-relay, 172
  frame-relay class, 172
  frame-relay custom-queue-list, 172
  frame-relay interface-dlci, 166-168
  frame-relay interface-queue priority, 175
  frame-relay lmi-type, 162
  frame-relay map ip, 168
  frame-relay map protocol, 162
  frame-relay payload-compress, 238
  frame-relay priority-group, 172
  frame-relay traffic-rate, 172
  frame-relay traffic-shaping, 172
  framing esf, 128
  import all, 194
  interface atm, 193
  interface dialer, 148
  interface serial, 128
  interface serial 0/0, 235
  interface serial 1, 167
  interface serial 1.1 point-to-point, 167
  interface serial 1.2 point-to-point, 168
  interface serial 1.3 multipoint, 168
  ip address, 144, 167-168
  ip address negotiated, 193
  ip address-pool, 59
  ip bandwidth-percentage eigrp, 175
  ip dhcp pool, 194
  ip local pool, 59
  ip mtu 1492, 193
  ip nat inside source, 83-84
  ip nat inside source static, 81
  ip nat outside destination, 85
  ip nat pool, 83
  ip nat pool load-share, 85
  ip OSPF cost, 214
  ip route, 211-212
  ip rtp priority, 233
  ip tcp header-compression, 64, 238
  ip unnumbered, 58
  isdn caller, 124
  isdn incoming-voice modem, 129
  isdn spid1, 123
  isdn spid2, 123
  isdn switch-type, 120, 125
  linecode, 127
  login local, 99
  map-class dialer, 146
  map-class frame-relay, 172
  match access-group, 234
  modem autoconfigure discovery, 105
  modem autoconfigure type, 105
  modem inout, 99, 102
  modemcap edit, 104
  no debug all, 196
  no ip address, 167
  operating-mode, 195
  passive interface, 141
  payload-compress packet-by-packet, 162
  peer default ip address, 58
  physical-layer, 98
  physical-layer async, 98, 107
  policy-map, 234
  ppp authentication, 145
  ppp callback accept, 62
  ppp callback initiate, 62
  ppp callback request, 61
  ppp compress, 238
  ppp multilink, 65, 145
  ppp quality, 68
  priority-group, 227
  priority-list, 226-228
  protocol, 162
  protocol pppoe, 193
  pvc, 193
  queue-list, 229-232
  redistribute static, 149
  request-dialin, 193
  rotary, 85
  script callback script-name, 62
  service-policy output circuit, 235
  set ip precedence, 235
  show, 130-131
  show crypto engine connections active, 263
  show crypto ipsec sa, 262
  show crypto ipsec transform-set, 262
  show crypto isakmp policy, 256, 261
  show crypto isakmp sa, 261
  show crypto map, 262
  show dialer, 68
  show dsl interface atm 0, 196
  show frame-relay ip tcp header-compression, 177
  show frame-relay lmi, 176
  show frame-relay map, 176
  show frame-relay pvc, 177
  show frame-relay traffic, 177
  show int atm0, 196
  show interface, 215
  show interface bri, 130
  show interfaces serial, 176
  show ip nat statistics, 86
  show ip nat translation, 86
  show isdn active, 131
  show isdn status, 131
  show line, 98, 102, 107
  show modemcap, 103-104
  show ppp multilink, 68
  speed 115200, 99
  timeslots, 126
  traffic-share, 214-215
  transport input all, 102
  undebug all, 196
  username, 62
  variance, 214
  vpdn enable, 192
  vpdn-group, 192
  wait-for-carrier-time, 147
commands keyword
  aaa accounting command, 43
  aaa authorization command, 41
Committed Information Rate (CIR), 158
community antenna television (CATV). See cable connections
companion CD-ROM, 359-360
compress command, 238
compress mppc command, 64
compress predictor command, 64
compress stac command, 64
compression, 54, 236
  CPU cycles versus memory, 239
  exam prep questions, 240-243
  header compression, 238
  Lempel-Ziv compression algorithm, 244
  link compression, 237
  modem compression, 97, 239
  MPPC compression, 63-64, 237-238
  payload compression, 238
  PPP (Point to Point Protocol), 63-64
  Predictor compression, 63-64, 237
  STAC compression, 237
  Stacker compression, 63-64
  TCP Header compression, 63-64
concentrators (VPN), 36
confidentiality, integrity, and authentication (CIA), 246
config-crypto-map command, 260
configuring
  CB-WFQ (class-based weighted fair queuing), 233-235
  CHAP (Challenge Handshake Authentication Protocol), 59-60
  CQ (custom queuing), 229-230
  crypto maps, 260
  DDR (dial-on-demand routing)
    access lists, 142-143
    dialer interfaces, 143-145
    dialer pools, 146
    dialer profiles, 143
    map classes, 146-147
    rotary groups, 148
    sample configuration, 148-151
  dial backups
    backup load, 212-213
    exam prep questions, 216-218
    for primary link failure, 208-210
    verifying configuration of, 215
  Frame Relay
    configuration commands, 161-163
    multipoint configuration, 164-165
    point-to-point configuration, 164-165
    subinterfaces, 166-168
  IKE (Internet Key Exchange)
    enabling/disabling, 254
    ISAKMP identities, 255
    policies, 254-255
    preshared keys, 256
    verifying configuration, 256
  IPSec
    crypto ACLs, 258
    crypto maps, 258-261
    global IPSec lifetimes, 258
    transform sets, 257-258
    verifying configuration, 261-263
  ISDN BRI (Basic Rate Interface), 118-119
    bandwidth usage, 123-124
    caller ID screening, 124-125
    dialer lists, 121
    dialer maps, 122
    idle timer, 124
    interesting traffic, 121
    interface configuration, 121
    routing, 123
    SPIDs (service provider IDs), 122-123
    switch types, 120
  ISDN PRI (Primary Rate Interface)
    clocking, 128
    controllers, 125
    framing, 127-128
    interface configuration, 128-129
    line code, 126-127
    switch types, 125
    timeslots, 126
  modems
    known modem types, 105
    manual configuration, 102-103
    modemcap database, 103-104
    unknown modem types, 105-106
  PIPQ (per-instance priority queuing), 175
  PPP (Point to Point Protocol), 57-59
  PPPoA clients, 195
  PPPoE clients, 192-195
  PQ (priority queuing), 226-227
  PQ-WFQ (priority queuing weighted fair queuing), 232-233
  rotary groups, 148
  routers
    attaching to modems, 100-101
    Hayes AT commands, 101-102
    logical router configuration, 98-99
    physical interface configuration, 99
  traffic shaping, 170
  WFQ (weighted fair queuing), 224-225
Congestion Management section (Cisco Web site), 244
congestive-discard-threshold value (fair-queue command), 224
congestive-discard-threshold-number value (fair-queue command), 225
CONNECT ACKNOWLEDGEMENT message (ISDN), 119
connection keyword (aaa accounting command), 43
conservation (NAT), 79
Consultative Committee for International Telegraph and Telephone (CCITT) standards, 97
control protocols (CPs), 53
controller t1 command, 125
controllers (ISDN PRI), 125
conversations (WFQ), 224
costs (WANs), 23
CPE (customer premises equipment), 158
CPs (control protocols), 53
CQ (custom queuing)
  configuring, 229-230
  defined, 222, 228
  example, 231-232
  traffic management, 229
CRC (cyclic redundancy check), 128
crypto ACLs (access control lists), 258
crypto ipsec security-association lifetime command, 258
crypto ipsec transform-set command, 257
crypto isakmp enable command, 254
crypto isakmp key command, 256
crypto isakmp policy command, 254
crypto map command, 259
crypto maps, 258-261
  config-crypto-map command, 259-260
  configuring, 260
  crypto map command, 259
  example, 260
cryptosystem, 249
CSU/DSU (channel service unit/data service unit), 116
CTS (Clear to Send) signals, 97
custom queuing (CQ)
  configuring, 229-230
  custom-queue-list command, 230-232
  defined, 222, 228
  example, 231-232
  traffic management, 229
custom-queue-list command, 230-232
customer premises equipment (CPE), 158
customer service (PrepLogic), 367
cyclic redundancy check (CRC), 128
D
data circuit-terminating equipment (DCE), 158
Data Communications Equipment (DCE), 96
data compression. See compression
Data Over Cable Service Interface Specification (DOCSIS), 188
Data Set Ready (DSR) signals, 97
Data Terminal Equipment (DTE), 96
Data Terminal Ready (DTR) signals, 97
Data-link Connection Identifier (DLCI), 160
databases, modemcap, 103-104
DBS (direct broadcast satellite), 186
DCE (data circuit-terminating equipment), 158
DCE (Data Communications Equipment), 96
DDR (dial-on-demand routing)
  access lists, 142-143
  dialer interfaces, 143-145
  dialer pools, 146
  dialer profiles, 143
  exam prep questions, 152-155
  interesting traffic, 140
  map classes, 146-147
  persistent DDR circuit, 141
  resources, 156
  roll-over groups, 147
  rotary groups, 147-148
  sample configuration, 148-151
    code listing, 149
    dialer map command, 150
    dialer-list command, 149
    dialer-pool command, 149
    multiple dialer interfaces, 150-151
    redistribute static command, 149
  snapshot routing, 141
  uninteresting traffic, 141
debug confmodem command, 106-107
debug crypto ipsec command, 263
debug crypto isakmp command, 263
debug frame-relay lmi command, 177
debug ip nat command, 87
debug isdn event command, 132
debug isdn q921 command, 132
debug isdn q931 command, 132
debug ppp authentication command, 68-70, 196
debug ppp multilink command, 69
debug ppp multilink negotiation command, 69
debug ppp negotiation command, 68-70, 196
debug ppp packet command, 69
debugging
  ISDN, 132-133
  modems, 106-107
  PPP (Point-to-Point Protocol), 68-70
decryption, 248
dedicated WAN (wide area network) connections, 18
default-router command, 194
demarcation points, 116
design of CCNP certification exams, 5-8
designing networks
  full mesh design, 163
  hub and spoke design, 164
  partial mesh design, 163
  WANs (wide area networks), 23-24
detailed option (debug ip nat command), 87
dial backups
  backup load, 212-213
  configuring for primary link failure, 208-210
  dialer profiles, 213
  exam prep questions, 216-218
  floating static routes, 210-212
  load sharing, 213-215
  verifying configuration of, 215
dial-on-demand routing. See DDR
dialer fast-idle command, 147
dialer-group 1 command, 122
dialer-group command, 144, 193
dialer hold-queue command, 62, 144
dialer hold-queue timeout command, 62
dialer idle-timeout command, 124, 147
dialer interfaces, 143-145
dialer isdn speed command, 147
dialer-list command, 121, 149
dialer lists, 121
dialer load-threshold command, 65, 123, 144
dialer map command, 122, 145, 150
dialer maps, configuring, 122
dialer pool command, 144-146, 149
dialer pool-member command, 195
dialer pools, 146
dialer profiles, 143, 213
dialer remote-name command, 144
dialer rotary-group command, 148
dialer string command, 144
dialer wait-for-carrier-time command, 147
Diffie-Hellman (D-H), 249
digital signatures, 249
digital subscriber line. See DSL
direct broadcast satellite (DBS), 186
disabling IKE (Internet Key Exchange), 254
DISCONNECT message (ISDN), 119
disconnecting ISDN calls, 119-120
discrete multitone (DMT) modulation, 191
distribution networks, 187
DMT (discrete multitone) modulation, 191
DOCSIS (Data Over Cable Service Interface Specification), 188
downstream (DS) transmissions, 187
drag-and-drop questions, 7
DS (downstream) transmissions, 187
DSL (digital subscriber line), 189-191
  ADSL (asymmetric DSL), 190-192
  HDSL (high data rate DSL), 190
  IDSL (ISDN DSL), 190
  PPPoA, 192, 195
  PPPoE, 191-195
  RFC 1483/2684 Bridged, 191
  SDSL (symmetric DSL), 190
  troubleshooting, 196
  VDSL (very high data rate DSL), 190
DSR (Data Set Ready) signals, 97
DTE (Data Terminal Equipment), 96
DTR (Data Terminal Ready) signals, 97
dynamic NAT (Network Address Translation), 82-84
dynamic-map-name parameter (crypto map command), 259
dynamic parameter (crypto map command), 259
E
E1 connections, 116
ease of management (WANs), 23
debug atm events command, 196
EIA/TIA-232-C standard, 96
EIGRP (Enhanced Interior Gateway Routing Protocol), 175-176
enable authentication method, 40
Enable Item Review button (PrepLogic Practice Exams, Preview Edition), 364
Enable Show Answer button (PrepLogic Practice Exams, Preview Edition), 364
enabling
  AAA (authentication, authorization, and accounting), 38-39
    accounting, 42-44
    authentication, 39-40
    authorization, 41-42
  IKE (Internet Key Exchange), 254-255
  WFQ (weighted fair queuing), 224
Encapsulating Security Payload (ESP), 249
encapsulation, 20
  ATM, 22
  ESP (Encapsulating Security Payload), 249
  Frame Relay, 21-22, 161
  HDLC (High-Level Data Link Control), 21
  PPP (Point to Point Protocol), 20-21
  SLIP, 22
  X.25, 22
encapsulation aal5mux ppp dialer command, 195
encapsulation command, 58, 99
encapsulation frame-relay command, 162, 166-167
encrypted tunnels, 251
encryption
  3DES, 248
  AES (Advanced Encryption Standard), 248
  ciphertext, 247
  D-H (Diffie-Hellman), 249
  defined, 248
  DES (Data Encryption Standard), 248
  passwords, 60
end-ip option (ip nat pool command), 83
Enhanced Interior Gateway Routing Protocol (EIGRP), 175-176
error detection/correction standards (modems), 97
ESF (Extended Superframe), 127
ESP (Encapsulating Security Payload), 249
esp-3des transform, 258
esp-des transform, 257
esp-md5-hmac transform, 258
esp-null transform, 258
esp-sha-hmac transform, 258
events, accounting, 43
Examination Score Report (PrepLogic Practice Exams, Preview Edition), 366
exams
  ambiguous questions, 273
  assessing readiness for, 2-3
  exam prep questions
    AAA (authentication, authorization, and accounting) questions, 45-47
    broadband, 197-202
    DDR (dial-on-demand routing), 152-155
    dial backups, 216-218
    Frame Relay, 178-183
    ISDN, 134-137
    modems, 108-111
    NAT (Network Address Translation), 88-91
    PPP (Point to Point Protocol), 71-74
    traffic management, 240-243
    VPNs (virtual private networks), 264-268
    WANs (wide area networks), 28-32
  layout and design, 5-8
  practice exam #1, 271-293
    answer key, 295-314
  practice exam #2, 315-334
    answer key, 335-356
  preparation for, 274-275
  PrepLogic Practice Exams, Preview Edition, 359-361
    buttons, 365-366
    customer service, 367
    exam simulation, 361
    Examination Score Report, 366
    Flash Review mode, 364-365
    installation, 363
    interface design, 362
    learning environment, 362
    license agreement, 367
    Practice Test mode, 364-365
    PrepLogic contact information, 367
    product suggestions/comments, 367
    question quality, 362
    software requirements, 362
    time remaining, 366
    uninstallation, 363
  question formats, 271-272
    drag-and-drop questions, 7
    exhibits, 6
    fill-in-the-blank questions, 6-7
    multiple-choice questions, 5-6
  question-handling tips, 9-11
  resources for, 12
  scoring, 10
  software tips, 8
  studying for, 11
  test objectives, 3-4
  test-taking tips, 272-275
  testing environment, 4-5
exec keyword
  aaa accounting command, 43
  aaa authorization command, 41
Exhibit button (PrepLogic Practice Exams, Preview Edition), 365
exhibits, 6, 272
exit parameter (config-crypto-map command), 260
Extended Superframe (ESF), 127
extranet VPNs (virtual private networks), 247
F
fair-queue command, 224-225
FECNs (Forward Explicit Congestion Notification), 169
FIFO (first in, first out) strategy, 223
fill-in-the-blank questions, 6-7
finding Web sites, 12
firewalls, 36
Flash Review mode (PrepLogic Practice Exams, Preview Edition), 364-365
flexibility of NAT (Network Address Translation), 79
floating static routes, 210-212
flowcontrol hardware command, 99
Forward Explicit Congestion Notification (FECNs), 169
fragmentation, 173-174
fragments keyword (priority-list command), 227
Frame Relay, 21-22
  CIR (Committed Information Rate), 158
  configuring
    configuration commands, 161-163
    multipoint configuration, 164-165
    point-to-point configuration, 164-165
    subinterfaces, 166-168
  CPE (customer premises equipment), 158
  DCE (data circuit-terminating equipment), 158
  DLCI (Data-link Connection Identifier), 160
  EIGRP (Enhanced Interior Gateway Routing Protocol), 175-176
  encapsulation, 161
  exam prep questions, 178-183
  fragmentation, 173-174
  full mesh network design, 163
  hub and spoke network design, 164
  LMI (Local Management Interface), 160-161
  mapping, 161
  maximum burst rate, 158
  oversubscription, 159-160
  partial mesh network design, 163
  PIPQ (per-instance priority queuing), 174-175
  PVCs (permanent virtual circuits), 158
  resources, 184
  SVCs (switched virtual circuits), 158
  traffic shaping
    BECNs (Backward Explicit Congestion Notification), 169
    commands, 171-172
    configuring, 170
    FECNs (Forward Explicit Congestion Notification), 169
    map classes, 171
  troubleshooting, 176-177
frame-relay class command, 172
frame-relay command, 172
frame-relay custom-queue-list command, 172
frame-relay interface-dlci command, 166-168
frame-relay interface-queue priority command, 175
frame-relay lmi-type command, 162
frame-relay map ip command, 168
frame-relay map protocol command, 162
frame-relay payload-compress command, 238
frame-relay priority-group command, 172
frame-relay traffic-rate command, 172
frame-relay traffic-shaping command, 172
framing (ISDN PRI), 127-128
framing esf command, 128
full mesh network design, 163
G
G.lite, 191
geographical concerns, 117
geostationary orbit (GSO) satellites, 186
global addresses, 80
global-ip option (ip nat inside source static command), 81
global IPSec lifetimes, 258
glossary, 369-381
Grade Exam button (PrepLogic Practice Exams, Preview Edition), 366
group authentication method, 40
group authorization method, 41
group keyword (aaa accounting command), 43
group radius authentication method, 40
group radius authorization method, 41
group radius keyword (aaa accounting command), 43
group tacacs+ authentication method, 40
group tacacs+ authorization method, 41
group tacacs+ keyword (aaa accounting command), 43
groups
  roll-over groups, 147
  rotary groups, 147-148
  stack groups, 66
GSO (geostationary orbit) satellites, 186
H
hardware selection (WANs), 26-27
hashing, 56-57, 248
Hayes AT commands, 101-102
HDB3, 126
HDLC (High-Level Data Link Control), 21, 53
HDSL (high data rate DSL), 190
headend, 187
header compression, 238
HFC (hybrid fiber coax), 187
high data rate DSL (HDSL), 190
High-Level Data Link Control (HDLC), 21, 53
high-queue-limit option (priority-list command), 227
HMAC-MD5 algorithm, 248
HMAC-SHA-1 algorithm, 248
home pages. See Web sites
hub and spoke network design, 164
hunt groups, 147
hybrid fiber coax (HFC), 187
I
idle timer (ISDN BRI), 124
IDs, SPIDs (service provider IDs), 122-123
IDSL (ISDN DSL), 190
IDSs (intrusion detection systems), 36
if-authenticated authorization method, 41
IKE (Internet Key Exchange), 249
  enabling/disabling, 254
  IKEv2, 252
  Phase 1, 250-253
  Phase 2, 251-253
  policy configuration, 254-255
  preshared keys, 256
  verifying configuration of, 256-257
IKEv2, 252
import all command, 194
Indiana University Knowledge Base, 244
industrial, scientific, and medical (ISM) bands, 186
inside local addresses, 80
installing PrepLogic Practice Exams, Preview Edition, 363
Integrated Services Digital Network. See ISDN
interesting traffic, 140
  configuring, 121
  IPSec, 250
interface atm command, 193
interface dialer command, 148
interface-number option
  priority-list command, 226
  queue-list command, 229
interface serial 0/0 command, 235
interface serial 1 command, 167
interface serial 1.1 point-to-point command, 167
interface serial 1.2 point-to-point command, 168
interface serial 1.3 multipoint command, 168
interface serial command, 128
interface-type option
  priority-list command, 226
  queue-list command, 229
interfaces, dialer, 143-145
International Telecommunication Union Telecommunication Standardization Sector (ITU-T), 97, 158
Internet broadband connections
  cable, 186
    antenna sites, 187
    CMs (cable modems), 188
    CMTS (cable modem termination system), 188
    coaxial cable, 187
    distribution networks, 187
    DOCSIS (Data Over Cable Service Interface Specification), 188
    DS (downstream) transmissions, 187
    headend, 187
    HFC (hybrid fiber coax), 187
    NTSC (National Television System Committee), 188
    PAL (Phase Alternating Line), 188
    provisioning, 189
    RF (radio frequency), 187
    spectrum reuse, 188
    subscriber drops, 187
    transportation networks, 187
    US (upstream) transmissions, 188
  DBS (direct broadcast satellite), 186
  defined, 187
  DSL (digital subscriber line), 189-191
    ADSL (asymmetric DSL), 190-192
    HDSL (high data rate DSL), 190
    IDSL (ISDN DSL), 190
    PPPoA, 192, 195
    PPPoE, 191-195
    RFC 1483/2684 Bridged, 191
    SDSL (symmetric DSL), 190
    troubleshooting, 196
    VDSL (very high data rate DSL), 190
  exam prep questions, 197-202
  resources, 203
  wireless bridges, 186
Internet Key Exchange. See IKE
Internet Security Association and Key Management Protocol (ISAKMP), 250, 255, 263
intranet VPNs (virtual private networks), 247
intrusion detection systems (IDSs), 36
ip address command, 144, 167-168
ip address negotiated command, 193
ip address-pool command, 59
ip bandwidth-percentage eigrp command, 175
ip dhcp pool command, 194
ip local pool command, 59
ip mtu 1492 command, 193
ip nat inside source command, 83-84
ip nat inside source static command, 81
ip nat outside destination command, 85
ip nat pool command, 83
ip nat pool load-share command, 85
ip OSPF cost command, 214
ip route command, 211-212
ip rtp priority command, 233
ip tcp header-compression command, 64, 238
ip unnumbered command, 58
IPSec
  3DES, 248
  ACLs (access control lists), 254
  AES (Advanced Encryption Standard), 248
  AHs (authentication headers), 249
  CAs (certificate authorities), 249
  checking configuration of, 253-254
  crypto ACLs (access control lists), 258
  crypto maps, 258-261
    config-crypto-map command, 259-260
    configuring, 260
    crypto map command, 259
    example, 260
  cryptosystem, 249
  D-H (Diffie-Hellman), 249
  decryption, 248
  DES (Data Encryption Standard), 248
  encrypted tunnels, 251
  ESP (Encapsulating Security Payload), 249
  exam prep questions, 264-268
  global IPSec lifetimes, 258
  hashing, 248
  IKE (Internet Key Exchange)
    enabling/disabling, 254
    IKEv2, 252
    key management, 249
    Phase 1, 250-253
    Phase 2, 251-253
    policy configuration, 254-255
    preshared keys, 249, 256
    verifying configuration of, 256-257
  interesting traffic, defining, 250
  ISAKMP (Internet Security Association and Key Management Protocol), 250, 255, 263
  resources, 269
  RSA (Rivest, Shamir, and Adleman) digital signatures, 249
  SA (security association), 250
  testing, 261-263
  transform sets, 250, 257-258
  transport, 248
  tunnels, 248, 251
  verifying, 261-263
ipsec-manual parameter (crypto map command), 259
ISAKMP (Internet Security Association and Key Management Protocol), 250, 255, 263
ISDN (Integrated Services Digital Network)
  BRI (Basic Rate Interface), 114-115
    bandwidth usage, 123-124
    caller ID screening, 124-125
    dialer lists, 121
    dialer maps, 122
    idle timer, 124
    interesting traffic, 121
    interface configuration, 121
    routing, 123
    SPIDs (service provider IDs), 122-123
    switch types, 120
  call setup, 118-119
  call teardown, 119-120
  channels, 116
  CSU/DSU (channel service unit/data service unit), 116
  debugging, 132-133
  demarcation points, 116
  E1 connections, 116
  exam prep questions, 134-137
  geographical concerns, 117
  PRI (Primary Rate Interface), 115
    clocking, 128
    controllers, 125
    framing, 127-128
    interface configuration, 128-129
    line code, 126-127
    switch types, 125
    timeslots, 126
  reference points, 117-118
  resources, 138
  routers, 116
  T1 connections, 116
  temporary circuits, 118
  troubleshooting
    Q.921, 129-130
    Q.931, 130
    show command, 130-131
  voice circuits, 116
isdn caller command, 124
ISDN DSL (IDSL), 190
isdn incoming-voice modem command, 129
isdn spid1 command, 123
isdn spid2 command, 123
isdn switch-type command, 120, 125
ISM (industrial, scientific, and medical) bands, 186
Item Review button (PrepLogic Practice Exams, Preview Edition), 365
ITU-T (International Telecommunication Union Telecommunication Standardization Sector), 97, 158
J-K
keepalives, 160
keys (IKE)
  enabling/disabling, 254
  IKEv2, 252
  key management, 249
  Phase 1, 250-253
  Phase 2, 251-253
  policy configuration, 254-255
  preshared keys, 249, 256
  verifying configuration of, 256-257
keyword-value option (priority-list command), 226
known modem types, configuring automatically, 105
krb5 authentication method, 40
L
LAPD (Link Access Protocol, D Channel), 129
latency (NAT), 79
layout of CCNP certification exams, 5, 7-8
DLCI (Data-link Connection Identifier), 160
LCP (Link Control Protocol), 53
learning environment (PrepLogic Practice Exams, Preview Edition), 362
Lempel-Ziv compression algorithm, 244
lifetimes, global IPSec, 258
limit-number option (queue-list command), 230
line authentication method, 40
line code (ISDN PRI), 126-127
linecode command, 127
Link Access Protocol, D Channel (LAPD), 129
link compression, 237
Link Control Protocol (LCP), 53
link quality monitoring (LQM), 67-68
list keyword (priority-list command), 227
list option
  ip nat inside source command, 83
  queue-list command, 230
list-number option
  priority-list command, 226
  queue-list command, 229-230
listings. See code listings
lists
  access lists, 142-143
  ACLs (access control lists)
    compatibility with IPSec, 254
    crypto ACLs, 258
  dialer lists, 121
  priority lists, 226
LMDS (local multipoint distribution service), 186
LMI (Local Management Interface), 160-161
load sharing, 85-86
  defined, 208
  dial backups, 213-215
local addresses, 80
local authentication method, 40
local authorization method, 41
Local Management Interface (LMI), 160-161
local-case authentication method, 40
local-ip option (ip nat inside source static command), 81
local multipoint distribution service (LMDS), 186
logical router configuration, 98-99
login banners, 66-67
login local command, 99
low-latency queuing, 235
low-queue-limit option (priority-list command), 227
LQM (link quality monitoring), 67-68
M
main mode (IKE), 251
manually configuring modems, 102-103
map-class dialer command, 146
map-class frame-relay command, 172
map classes, 146-147, 171
mapping Frame Relay, 161
maps
  crypto maps, 258-261
    config-crypto-map command, 259-260
    configuring, 260
    crypto map command, 259
    example, 260
  dialer maps, 122
  map classes, 146-147, 171
Mark Item button (PrepLogic Practice Exams, Preview Edition), 365
match access-group command, 234
match address parameter (config-crypto-map command), 260
maximum burst rate, 158
Maximum Received Reconstructed Unit (MRRU), 65
MD5 hashing, 56
medium-queue-limit option (priority-list command), 227
messages (ISDN)
  ALERTING, 119
  CALL PROCEEDING, 119
  CONNECT ACKNOWLEDGEMENT, 119
  DISCONNECT, 119
  RELEASE, 119
  RELEASE COMPLETE, 120
  SETUP, 119
  SETUP ACKNOWLEDGE, 119
MICA (Modem ISDN channel aggregation) modems, 129
Microcom Networking Protocol (MNP) standards, 97
MLP (Multilink Point-to-Point Protocol), 64-66, 124
MMDS (multichannel multipoint distribution service), 186
MNP (Microcom Networking Protocol) standards, 97
modem autoconfigure discovery command, 105
modem autoconfigure type command, 105
modem inout command, 99, 102
Modem ISDN channel aggregation (MICA) modems, 129
modemcap database, 103-104
modemcap edit command, 104
modems
  CD (Carrier Detect) signals, 97
  CMs (cable modems), 188-189
compression standards, 97, 239 configuring known modem types, 105 manual configuration, 102-103 modemcap database, 103-104 unknown modem types, 105-106 CTS (Clear to Send) signals, 97 DCE (Data Communications Equipment), 96 DSR (Data Set Ready) signals, 97 DTE (Data Terminal Equipment), 96 DTR (Data Terminal Ready) signals, 97 EIA/TIA-232-C standard, 96 error detection/correct standards, 97 Hayes AT commands, 101-102 MICA (Modem ISDN channel aggregation) modems, 129 routers attaching to modems, 100-101 logical router configuration, 98-99 physical interface configuration, 99 RS-232 standard, 96 RTS (Request to Send) signals, 97 troubleshooting exam prep questions, 108-111 modem autoconfiguration, 106-107 resources, 112 serial interfaces, 107 undetected modems, 107 monitoring LQM (link quality monitoring), 67-68 MPPC compression, 63-64, 237-238 MRRU (Maximum Received Reconstructed Unit), 65 multichannel multipoint distribution service (MMDS), 186
How can we make this index more useful? Email us at
[email protected]
multilink, 54 MLP (Multilink Point-to-Point Protocol), 64-66, 124 multilink fragment interleaving, 65 multiple dialer interfaces, 150-151 multiple-choice questions, 5-6 multipoint networks, 164-165
N NAS (network access server) initiated VPNs, 247 NAT (Network Address Translation) advantages, 78-79 disadvantages, 79 dynamic NAT, 82-84 exam prep questions, 88-91 inside local addresses, 80 load sharing, 85-86 outside global addresses, 80 outside local addresses, 80 overlapping, 84-85 overloading, 84 resources, 92 static NAT, 81-82 troubleshooting, 86-87 National Television System Committee (NTSC), 188 NCP (Network Control Protocol), 53 netmask option (ip nat pool command), 83 network access server initiated VPNs (virtual private networks), 247 Network Control Protocol (NCP), 53 network keyword aaa accounting command, 43 aaa authorization command, 41 networks. See also security broadband cable, 186-189 DBS (direct broadcast satellite), 186
defined, 187 DSL (digital subscriber line), 189-196 exam prep questions, 197-202 resources, 203 wireless bridges, 186 DDR (dial-on-demand routing) access lists, 142-143 dialer interfaces, 143-145 dialer pools, 146 dialer profiles, 143 exam prep questions, 152-155 interesting traffic, 140 map classes, 146-147 persistent DDR circuit, 141 resources, 156 roll-over groups, 147 rotary groups, 147-148 sample configuration, 148-151 snapshot routing, 141 uninteresting traffic, 141 dial backups backup load, 212-213 configuring for primary link failure, 208-210 dialer profiles, 213 exam prep questions, 216-218 floating static routes, 210-212 load sharing, 213-215 verifying configuration of, 215 full mesh network design, 163 hub and spoke network design, 164 ISDN (Integrated Services Digital Network) BRI (Basic Rate Interface), 114-115, 120-125 call setup, 118-119 call teardown, 119-120 channels, 116 CSU/DSU (channel service unit/data service unit), 116
debugging, 132-133 demarcation points, 116 E1 connections, 116 exam prep questions, 134-137 geographical concerns, 117 PRI (Primary Rate Interface), 115, 125-129 reference points, 117-118 resources, 138 routers, 116 T1 connections, 116 temporary circuits, 118 troubleshooting, 129-131 voice circuits, 116 NAT (Network Address Translation) advantages, 78-79 disadvantages, 79 dynamic NAT, 82-84 exam prep questions, 88-91 inside local addresses, 80 load sharing, 85-86 outside global addresses, 80 outside local addresses, 80 overlapping, 84-85 overloading, 84 resources, 92 static NAT, 81-82 troubleshooting, 86-87 partial mesh network design, 163 queuing case study, 235-236 CB-WFQ (class-based weighted fair queuing), 233-235 CQ (custom queuing), 222, 228-232 determining queuing strategy, 223 exam prep questions, 240-243 low-latency queuing, 235 PQ (priority queuing), 222, 225-228
PQ-WFQ (priority queuing weighted fair queuing), 232-233 WFQ (weighted fair queuing), 222-225 routers access modes, 38 attaching to modems, 100-101 Hayes AT commands, 101-102 logical router configuration, 98-99 physical interface configuration, 99 VPNs (virtual private networks) 3DES, 248 advantages, 246 AES (Advanced Encryption Standard), 248 AHs (authentication headers), 249 CA (certificate authorities), 249 CBC (cipher block chaining), 248 CIA (confidentiality, integrity, and authentication), 246 ciphertext, 247 client initiated VPNs, 247 crypto ACLs (access control lists), 258 crypto maps, 258-261 cryptosystem, 249 D-H (Diffie-Hellman), 249 decryption, 248 DES (Data Encryption Standard), 248 ESP (Encapsulating Security Payload), 249 exam prep questions, 264-268 extranet VPNs, 247 global IPSec lifetimes, 258 hashing, 248 IKE (Internet Key Exchange), 249-257
intranet VPNs, 247 ISAKMP (Internet Security Association and Key Management Protocol), 250, 255, 263 keys, 249, 256 network access server initiated VPNs, 247 remote access VPNs, 247 resources, 269 RSA (Rivest, Shamir, and Adleman) digital signatures, 249 SA (security association), 250 site-to-site VPNs, 247 topologies, 247 transform sets, 250, 257-258 transport, 248 tunnels, 247-248, 251 VPN concentrators, 36 WANs (wide area networks) branch offices, 25-26 central sites, 24-25 circuit-switched WAN connections, 19 dedicated WAN connections, 18 design factors, 23-24 encapsulation protocols, 20-22 exam prep questions, 28-32 hardware selection, 26-27 packet-switched WAN connections, 19-20 resources, 33 SOHO, 26 never option (backup load command), 212 Next Item button (PrepLogic Practice Exams, Preview Edition), 366 no debug all command, 196 no ip address command, 167 no parameter (config-crypto-map command), 260 none authentication method, 40
none authorization method, 41 none keyword (aaa accounting command), 43 normal-queue-limit option (prioritylist command), 227 NTSC (National Television System Committee), 188
O objectives for exam, 3-4 operating-mode command, 195 OSI (Open Systems Interconnect) model, 52-53 outside global addresses, 80 outside local addresses, 80 overlapping NAT (Network Address Translation), 84-85 networks, 79 overload option (ip nat inside source command), 84 overloading NAT (Network Address Translation), 84 oversubscription, 159-160
P packet mode (routers), 38 packet-switched WAN (wide area network) connections, 19-20 packets, 160. See also queuing PAL (phase alternating line), 188 PAP (Password Authentication Protocol), 55 partial mesh network design, 163 passive interface command, 141 Password Authentication Protocol (PAP), 55 passwords encryption, 60 PAP (Password Authentication Protocol), 55
payload-compress packet-by-packet command, 162 payload compression, 238 peer default ip address command, 58 peer parameter (config-crypto-map command), 260 per-instance priority queuing (PIPQ), 174-175 per-interface compression, 237 permanent virtual circuits (PVCs), 158 persistent DDR (dial-on-demand routing) circuit, 141 pfs parameter (config-crypto-map command), 260 phase alternating line (PAL), 188 physical interface configuration, 99 physical-layer async command, 98, 107 physical-layer command, 98 PIPQ (per-instance priority queuing), 174-175 PIX Firewall, 36 point-to-point networks, 164-165 Point-to Point Protocol (PPP), 20-21 points (ISDN) demarcation points, 116 reference points, 117-118 policies (IKE), 254-255 policy-map command, 234 pool option (ip nat inside source command), 83 pool-name option (ip nat pool command), 83 pools, dialer, 146 PPP (Point-to-Point Protocol), 20-21 callback, 54, 60-63 CHAP (Challenge Handshake Authentication Protocol) authentication process, 55-56 configuring, 59-60 compared to OSI (Open Systems Interconnect) model, 52-53 compression, 54, 63-64
configuration commands, 57-59 connectivity, 52-54 exam prep questions, 71-74 hashing, 56-57 HDLC (high-level data link control), 53 LCP (Link Control Protocol), 53 login banners, 66-67 LQM (link quality monitoring), 67-68 MLP (Multilink PPP), 64-66 multilink, 54 multilink fragment interleaving, 65 NCP (Network Control Protocol), 53 PAP (Password Authentication Protocol), 55 password encryption, 60 remote access, 52 resources, 75 troubleshooting debug ppp authentication command, 68-70 debug ppp multilink command, 69 debug ppp multilink negotiation command, 69 debug ppp negotiation command, 68-70 debug ppp packet command, 69 show dialer command, 68 show ppp multilink command, 68 ppp authentication command, 145 ppp callback accept command, 62 ppp callback initiate command, 62 ppp callback request command, 61 ppp compress command, 238 ppp multilink command, 65, 145 ppp quality command, 68 PPPoA, 192, 195 PPPoE, 191-195
PQ (priority queuing) configuring, 226-227 defined, 222 example, 227-228 queue types, 225 PQ-WFQ (priority queuing - weighted fair queuing), 232-233 practice exams practice exam #1, 271-293 answer key, 295-314 practice exam #2, 315-334 answer key, 335-356 PrepLogic Practice Exams, Preview Edition, 359-361 buttons, 365-366 customer service, 367 exam simulation, 361 Examination Score Report, 366 Flash Review mode, 364-365 installation, 363 interface design, 362 learning environment, 362 license agreement, 367 Practice Test mode, 364-365 PrepLogic contact information, 367 product suggestions/comments, 367 question quality, 362 software requirements, 362 time remaining, 366 uninstallation, 363 Practice Test mode (PrepLogic Practice Exams, Preview Edition), 364-365 Predictor compression, 63-64, 237 prefix-length option (ip nat pool command), 83 PrepLogic Practice Exams, Preview Edition, 359-361 buttons, 365-366 customer service, 367
exam simulation, 361 Examination Score Report, 366 Flash Review mode, 364-365 installation, 363 interface design, 362 learning environment, 362 Practice Test mode, 364-365 PrepLogic contact information, 367 product suggestions/comments, 367 question quality, 362 software requirements, 362 time remaining, 366 uninstallation, 363 PrepLogic Web site, 359 preshared keys, 249, 256 Previous Item button (PrepLogic Practice Exams, Preview Edition), 366 PRI (Primary Rate Interface), 115 clocking, 128 controllers, 125 framing, 127-128 interface configuration, 128-129 line code, 126-127 switch types, 125 timeslots, 126 primary link failure, configuring dial backups for, 208-210 priority lists, 226 priority-group command, 227 priority-list command, 226-228 priority queuing (PQ) configuring, 226-227 defined, 222 example, 227-228 queue types, 225 priority queuing - weighted fair queuing (PQ-WFQ), 232-233 product suggestions/comments (PrepLogic), 367 profiles, 143, 213 program listings. See code listings
protocol command, 162 protocol-name option priority-list command, 226 queue-list command, 229 protocol pppoe command, 193 protocols ATM, 22 CHAP (Challenge Handshake Authentication Protocol) authentication process, 55-56 configuring, 59-60 checking configuration of, 253 EIGRP (Enhanced Interior Gateway Routing Protocol), 175-176 Frame Relay, 21-22 HDLC (High-Level Data Link Control), 21 IPSec 3DES, 248 ACLs (access control lists), 254 AES (Advanced Encryption Standard), 248 AHs (authentication headers), 249 CAs (certificate authorities), 249 checking configuration of, 254 crypto ACLs (access control lists), 258 crypto maps, 258-261 cryptosystem, 249 D-H (Diffie-Hellman), 249 decryption, 248 DES (Data Encryption Standard), 248 encrypted tunnels, 251 ESP (Encapsulating Security Payload), 249 exam prep questions, 264-268 global IPSec lifetimes, 258 hashing, 248 IKE (Internet Key Exchange), 249-257
interesting traffic, 250 ISAKMP (Internet Security Association and Key Management Protocol), 250, 255, 263 keys, 249, 256 resources, 269 RSA (Rivest, Shamir, and Adleman) digital signatures, 249 SA (security association), 250 testing, 261-263 transform sets, 250, 257-258 transport, 248 tunnels, 248, 251 verifying, 261-263 LAPD (Link Access Protocol, D Channel), 129 MLP (Multilink Point-to-Point Protocol), 124 PAP (Password Authentication Protocol), 55 PPP (Point-to-Point Protocol), 20-21 callback, 54, 60-63 CHAP (Challenge Handshake Authentication Protocol), 55-56, 59-60 compared to OSI (Open Systems Interconnect) model, 52-53 compression, 54, 63-64 configuration commands, 57-59 connectivity, 52-54 exam prep questions, 71-74 hashing, 56-57 HDLC (high-level data link control), 53 LCP (Link Control Protocol), 53 login banners, 66-67 LQM (link quality monitoring), 67-68 MLP (Multilink PPP), 64-66
multilink, 54 multilink fragment interleaving, 65 NCP (Network Control Protocol), 53 PAP (Password Authentication Protocol), 55 password encryption, 60 remote access, 52 resources, 75 troubleshooting, 68, 70 Q.921, 129-130 Q.931, 130 RADIUS, 37 routing protocols, 210 SLIP, 22 TACACS+, 37 X.25, 22-23 provisioning, 189 pvc command, 193 PVCs (permanent virtual circuits), 158
Q Q.921, 129-130 Q.931, 130 Q933a LMI (Local Management Interface), 161 QoS (WANs), 24 question formats drag-and-drop questions, 7 exhibits, 6 fill-in-the-blank questions, 6-7 multiple-choice questions, 5-6 question-handling tips, 9-11 queue-keyword keyword-value option (queue-list command), 229 queue-keyword option (priority-list command), 226 queue-list command, 229-232 queue-number option (queue-list command), 229-230
queuing case study, 235-236 CB-WFQ (class-based weighted fair queuing) configuring, 233-235 defined, 233 low-latency queuing, 235 CQ (custom queuing) configuring, 229-230 defined, 222, 228 example, 231-232 traffic management, 229 determining queuing strategy, 223 exam prep questions, 240-243 low-latency queuing, 235 PIPQ (per-instance priority queuing), 174-175 PQ (priority queuing) configuring, 226-227 defined, 222 example, 227-228 queue types, 225 PQ-WFQ (priority queuing weighted fair queuing), 232-233 WFQ (weighted fair queuing) configuring, 224-225 conversations, 224 defined, 222 enabling, 224 FIFO (first in, first out) strategy, 223
R radio frequency (RF), 187 Randomize Choices button (PrepLogic Practice Exams, Preview Edition), 364 readiness for exams, assessing, 2-3 reading questions, 9-11 redistribute static command, 149 reference points, 117-118 RELEASE COMPLETE message (ISDN), 120
RELEASE message (ISDN), 119 reliability (WANs), 24 remote access VPNs (virtual private networks), 247 Request to Send (RTS) signals, 97 request-dialin command, 193 resources, 12 reverse-access keyword (aaa authorization command), 41 RF (radio frequency), 187 RFC 1483/2684 Bridged, 191 Rivest, Shamir, and Adleman (RSA) digital signatures, 249 roll-over groups, 147 rotary command, 85 rotary groups, 147-148 routers, 26-27. See also routing access modes, 38 attaching to modems, 100-101 Hayes AT commands, 101-102 ISDN (Integrated Services Digital Network), 116 logical router configuration, 98-99 physical interface configuration, 99 routing. See also routers DDR (dial-on-demand routing) access lists, 142-143 dialer interfaces, 143-145 dialer pools, 146 dialer profiles, 143 exam prep questions, 152-155 interesting traffic, 140 map classes, 146-147 persistent DDR circuit, 141 resources, 156 roll-over groups, 147 rotary groups, 147-148 sample configuration, 148-151 snapshot routing, 141 uninteresting traffic, 141 floating static routes, 210-212
ISDN BRI (Basic Rate Interface), 123 routing protocols, 210 RS-232 standard, 96 RSA (Rivest, Shamir, and Adleman) digital signatures, 249 RTS (Request to Send) signals, 97
S SA (security association), 250 satellite, 186 scoring of exams, 10 script callback script-name command, 62 SDSL (symmetric DSL), 190 search engines, 13 searching Web sites, 12 Secure Hash Algorithm (SHA), 56 security AAA (authentication, authorization, and accounting), 36-37 accounting events, 43 accounting methods, 42-44 authentication methods, 39-40 authorization methods, 41-42 clients, 37 enabling, 38-39 exam prep questions, 45-47 RADIUS protocol, 37 router access modes, 38 servers, 37 TACACS+ protocol, 37 AHs (authentication headers), 249 CAs (certificate authorities), 249 CiscoSecure ACS (Access Control Server), 36-37 cryptosystem, 249 digital signatures, 249 encryption 3DES, 248 AES (Advanced Encryption Standard), 248
ciphertext, 247 D-H (Diffie-Hellman), 249 DES (Data Encryption Standard), 248 password encryption, 60 ESP (Encapsulating Security Payload), 249 IDSs (intrusion detection systems), 36 IKE (Internet Key Exchange), 249 IPSec 3DES, 248 ACLs (access control lists), 254 AES (Advanced Encryption Standard), 248 AHs (authentication headers), 249 CAs (certificate authorities), 249 checking configuration of, 253-254 crypto ACLs (access control lists), 258 crypto maps, 258-261 cryptosystem, 249 D-H (Diffie-Hellman), 249 decryption, 248 DES (Data Encryption Standard), 248 encrypted tunnels, 251 ESP (Encapsulating Security Payload), 249 exam prep questions, 264-268 global IPSec lifetimes, 258 hashing, 248 IKE (Internet Key Exchange), 249-257 interesting traffic, 250 ISAKMP (Internet Security Association and Key Management Protocol), 250, 255, 263 keys, 249, 256 resources, 269
RSA (Rivest, Shamir, and Adleman) digital signatures, 249 SA (security association), 250 testing, 261-263 transform sets, 250, 257-258 transport, 248 tunnels, 248, 251 verifying, 261-263 NAT (Network Address Translation), 79 PIX Firewall, 36 SA (security association), 250 VPN (virtual private network) concentrators, 36 security association (SA), 250 security-association lifetime parameter (config-crypto-map command), 260 self-assessment, 2-3 servers AAA servers, 37 ACS (Access Control Server), 36-37 service-policy output circuit command, 235 service provider IDs (SPIDs), 122-123 set ip precedence command, 235 set parameter (config-crypto-map command), 260 setting up ISDN calls, 118-119 SETUP ACKNOWLEDGE message (ISDN), 119 SETUP message (ISDN), 119 SHA (Secure Hash Algorithm), 56 shaping traffic. See traffic shaping sharing loads, 85-86 defined, 208 dial backups, 213-215 Show Answer button (PrepLogic Practice Exams), 365 show command, 130-131 show crypto engine connections active command, 263 show crypto ipsec sa command, 262
show crypto ipsec transform-set command, 262 show crypto isakmp policy command, 256, 261 show crypto isakmp sa command, 261 show crypto map command, 262 show dialer command, 68 show dsl interface atm 0 command, 196 show frame-relay ip tcp header-compression command, 177 show frame-relay lmi command, 176 show frame-relay map command, 176 show frame-relay pvc command, 177 show frame-relay traffic command, 177 show int atm0 command, 196 show interface bri command, 130 show interface command, 215 show interfaces serial command, 176 show ip nat statistics command, 86 show ip nat translation command, 86 show isdn active command, 131 show isdn status command, 131 show line command, 98, 102, 107 show modemcap command, 103-104 show ppp multilink command, 68 signals, 97 signatures, 249 site-to-site VPNs (virtual private networks), 247 SLIP, 22 snapshot routing, 141 software, PrepLogic Practice Exams, Preview Edition requirements, 362 software tips for exams, 8 SOHO, 26 spectrum reuse, 188 speed 115200 command, 99 SPIDs (service provider IDs), 122-123 STAC compression, 237 stack groups, 66 Stacker compression, 63-64
star network design, 164 start-ip option (ip nat pool command), 83 start-stop keyword (aaa accounting command), 43 statements. See commands static NAT (Network Address Translation), 81-82 static routes, 210-212 stop-only keyword (aaa accounting command), 43 studying for exams, 11 subinterfaces, 166-168 subscriber drops, 187 SVCs (switched virtual circuits), 158 switched virtual circuits (SVCs), 158 switches ISDN BRI (Basic Rate Interface), 120 ISDN PRI (Primary Rate Interface), 125 symmetric DSL (SDSL), 190 system keyword (aaa accounting command), 43
T T1 connections, 116 TACACS+ protocol, 37 TCP Header compression, 63-64 Techfest Web site, 138 temporary circuits (ISDN), 118 testing IPSec, 261-263 tests. See exams time remaining (PrepLogic Practice Exams, Preview Edition), 366 timeslots (ISDN PRI), 126 timeslots command, 126 topologies (VPNs), 247 traffic compression, 236 CPU cycles versus memory, 239 header compression, 238
Lempel-Ziv compression algorithm, 244 link compression, 237 modem compression, 239 MPPC compression, 237-238 payload compression, 238 predictor compression, 237 STAC compression, 237 exam prep questions, 240-243 Frame Relay traffic shaping BECNs (Backward Explicit Congestion Notification), 169 commands, 171-172 configuring, 170 FECNs (Forward Explicit Congestion Notification), 169 map classes, 171 interesting traffic, 140 configuring, 121 IPSec, 250 queuing case study, 235-236 CB-WFQ (class-based weighted fair queuing), 233-235 CQ (custom queuing), 222, 228-232 determining queuing strategy, 223 low-latency queuing, 235 overview, 222 PQ (priority queuing), 222, 225-228 PQ-WFQ (priority queuing weighted fair queuing), 232-233 WFQ (weighted fair queuing), 222-225 uninteresting traffic, 141 WANs (wide area networks), 23 traffic shaping (Frame Relay) BECNs (Backward Explicit Congestion Notification), 169 commands, 171-172
configuring, 170 FECNs (Forward Explicit Congestion Notification), 169 map classes, 171 traffic-share command, 214-215 Training and Certification page (Cisco Web site), 12 transform sets, 250, 257-258 transform-set parameter (config-crypto-map command), 260 transport, 248 transport input all command, 102 transportation networks, 187 troubleshooting DSL (digital subscriber line), 196 Frame Relay configuration programs, 176 exam prep questions, 178-183 previously configured connections, 176-177 resources, 184 ISDN Q.921, 129-130 Q.931, 130 show command, 130-131 modems modem autoconfiguration, 106-107 serial interfaces, 107 undetected modems, 107 NAT (Network Address Translation), 86-87 PPP (Point-to-Point Protocol) debug ppp authentication command, 68-70 debug ppp multilink command, 69 debug ppp multilink negotiation command, 69 debug ppp negotiation command, 68-70 debug ppp packet command, 69
show dialer command, 68 show ppp multilink command, 68 tunnels, 247-248, 251 type rotary option (ip nat pool command), 83
U U-NII (unlicensed national information infrastructure) bands, 186 undebug all command, 196 undetected modems, troubleshooting, 107 uninstalling PrepLogic Practice Exams, Preview Edition, 363 uninteresting traffic, 141 unknown modem types, configuring automatically, 105-106 unlicensed national information infrastructure (U-NII) bands, 186 US (upstream) transmissions, 188 username command, 62
V variance command, 214 VDSL (very high data rate DSL), 190 verifying dial backup configuration, 215 IKE (Internet Key Exchange) configuration, 256-257 IPSec, 261-263 very high data rate DSL (VDSL), 190 virtual private dialup network (VPDN), 192 virtual private networks. See VPNs voice circuits (ISDN), 116 VPDN (virtual private dialup network), 192 vpdn enable command, 192 vpdn-group command, 192
VPNs (virtual private networks). See also IPSec 3DES, 248 AES (Advanced Encryption Standard), 248 AHs (authentication headers), 249 CA (certificate authorities), 249 CBC (cipher block chaining), 248 CIA (confidentiality, integrity, and authentication), 246 ciphertext, 247 client initiated VPNs, 247 concentrators, 36 crypto ACLs (access control lists), 258 crypto maps, 258-261 config-crypto-map command, 259-260 configuring, 260 crypto map command, 259 example, 260 cryptosystem, 249 D-H (Diffie-Hellman), 249 decryption, 248 DES (Data Encryption Standard), 248 ESP (Encapsulating Security Payload), 249 exam prep questions, 264-268 extranet VPNs, 247 global IPSec lifetimes, 258 hashing, 248 IKE (Internet Key Exchange), 249 enabling/disabling, 254 IKEv2, 252 key management, 249 Phase 1, 250-253 Phase 2, 251-253 policy configuration, 254-255 preshared keys, 249, 256 verifying configuration of, 256-257
intranet VPNs, 247 ISAKMP (Internet Security Association and Key Management Protocol), 250, 255, 263 network access server initiated VPNs, 247 remote access VPNs, 247 resources, 269 RSA (Rivest, Shamir, and Adleman) digital signatures, 249 SA (security association), 250 site-to-site VPNs, 247 topologies, 247 transform sets, 250, 257-258 transport, 248 tunnels, 247-248, 251 VPN concentrators, 36
W-Z wait-start keyword (aaa accounting command), 43 WANs (wide area networks) branch offices, 25-26 central sites, 24-25 circuit-switched WAN connections, 19 dedicated WAN connections, 18 design factors, 23-24 encapsulation protocols ATM, 22 Frame Relay, 21-22 HDLC (High-Level Data Link Control), 21 PPP (Point to Point Protocol), 20-21 SLIP, 22 X.25, 22 exam prep questions, 28-32 hardware selection, 26-27 packet-switched WAN connections, 19-20 resources, 33 SOHO, 26
Web sites broadband resources, 203 Cisco, 3, 13 Congestion Management section, 244 IOS Security Command Reference, 49 IOS Security Configuration Guide, 49 Training and Certification page, 12 finding, 12 Indiana University Knowledge Base, 244 PrepLogic, 359 search engines, 13 searching, 12 Techfest, 138 WFQ (weighted fair queuing) configuring, 224-225 conversations, 224 defined, 222 enabling, 224 FIFO (first in, first out) strategy, 223 wide area networks. See WANs wireless bridges, 186 X.25, 22