Integrated Services Digital Network (ISDN)

Integrated Services Digital Network (ISDN) was originally conceived as an all-digital replacement for the existing phone network. ISDN is capable of moving digital voice, data, video, and more over existing telephone wires. Unfortunately, the deployment of ISDN hasn’t been nearly as comprehensive as service providers and various industry committees once thought it would be. Challenges in deploying ISDN have included different standards early in its development, the large investment required by service providers in new Central Office switching equipment, and the emergence of newer, faster technologies like DSL. Having said that, ISDN service certainly has a place in the world of Wide Area Networking, and is a popular choice for dial-on-demand and backup connections.

The world of ISDN is full of terms and acronyms. For example, different types of equipment are designated by codes, depending upon their function and whether or not they are ISDN-capable. There are still other codes used to reference the various ISDN interfaces between equipment. Finally, there are codes that reference the various ISDN standards and protocols.

PPP Authentication

Cisco routers support two main authentication methods on PPP links – PAP and CHAP. One benefit of configuring PPP authentication is that it allows routers to be sure of the identity of the router at the other end of a link. PPP authentication is optional, and is often not configured on dedicated PPP links like leased lines. Recall, however, that PPP is the standard protocol used for dial-up connections. As such, a company might configure a demand-dial connection (using modems or ISDN) between two locations. In such a case, using PPP authentication would be a very good idea, in order to verify the identity of a router attempting to make a connection.

Although two authentication choices exist for PPP connections, you should make a point of avoiding the Password Authentication Protocol (PAP). PAP sends the username and password across the link in clear text (and the protocol itself does nothing to limit repeated guesses), so anyone with a protocol analyzer like Ethereal (now Wireshark) or Sniffer on the link can capture and read the credentials.

A much better choice for PPP authentication is the Challenge Handshake Authentication Protocol (CHAP). CHAP uses a “challenge” technique to authenticate hosts, rather than requiring that the username and password be passed along with a connection request, and the password itself never crosses the link. The process begins with the authenticating router sending out a challenge, which carries an identifier and a random value. When the router that initiated the connection receives it, it computes a one-way MD5 hash over the identifier, its configured password (the shared secret), and the challenge value (you’ll look at configuration shortly), and sends that hash value back to the authenticating router. The authenticating router performs the same calculation with its own copy of the password; if the two hash values match, the remote router is successfully authenticated and the connection is permitted. Because every challenge uses a fresh random value, a captured response cannot simply be replayed, but a captured exchange can still be used to guess the password offline, so the shared secret should be long and random. CHAP also supports mutual authentication, allowing routers at either end of a PPP connection to authenticate each other.
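The exchange described above, written out as an added example that is not part of the original page: both routers share the secret from the username lines that follow, the authenticator keeps each challenge until it is answered once, and the last function shows what a sniffer on the link can still do with a captured exchange. The hostnames, secret and wordlist are assumptions for the example.

```python
"""CHAP (RFC 1994) exchange between two routers, as an added example.

Constructed for this page: 'toronto' is the authenticator and 'accra' the caller,
sharing the secret from the 'username ... password ppp-is-fun' lines.
"""
from __future__ import annotations

import hashlib
import hmac
import os

SECRET = b"ppp-is-fun"   # assumed shared secret, configured identically on both routers


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5 over Identifier || secret || Challenge Value, exactly as RFC 1994 defines.

    Only this 16-byte digest crosses the link; the secret itself never does.
    """
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The router that sends the Challenge and checks the Response (toronto)."""

    def __init__(self, hostname: str, peers: dict[str, bytes]) -> None:
        self.hostname = hostname
        self.peers = peers                  # peer hostname -> shared secret
        self._ident = 0
        self._outstanding: dict[int, bytes] = {}

    def challenge(self) -> tuple[int, bytes, str]:
        """Return (Identifier, Value, Name); the Value is fresh random data each time."""
        self._ident = (self._ident + 1) & 0xFF
        value = os.urandom(16)
        self._outstanding[self._ident] = value
        return self._ident, value, self.hostname

    def verify(self, identifier: int, response: bytes, peer_name: str) -> bool:
        """Recompute the digest with our copy of the secret and compare.

        The challenge is consumed on first use, so a replayed Response fails.
        """
        challenge = self._outstanding.pop(identifier, None)
        secret = self.peers.get(peer_name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class Caller:
    """The router that placed the call and answers the Challenge (accra)."""

    def __init__(self, hostname: str, peers: dict[str, bytes]) -> None:
        self.hostname = hostname
        self.peers = peers                  # authenticator hostname -> shared secret

    def respond(self, identifier: int, value: bytes, authenticator_name: str) -> tuple[int, bytes, str]:
        # The secret is looked up by the Name the authenticator put in its Challenge,
        # which is why a matching 'username <peer hostname>' must exist on both routers.
        secret = self.peers[authenticator_name]
        return identifier, chap_response(identifier, secret, value), self.hostname


def run_chap(authenticator: Authenticator, caller: Caller) -> bool:
    """One full Challenge / Response / verify round trip."""
    ident, value, name = authenticator.challenge()
    ident, digest, caller_name = caller.respond(ident, value, name)
    return authenticator.verify(ident, digest, caller_name)


def crack_captured_chap(identifier: int, challenge: bytes, response: bytes,
                        wordlist: list[bytes]) -> bytes | None:
    """What a sniffer on the link can still do: the secret was never sent, but each
    guess can be checked offline against the captured Challenge and Response."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    toronto = Authenticator("toronto", {"accra": SECRET})
    accra = Caller("accra", {"toronto": SECRET})
    print("authenticated:", run_chap(toronto, accra))
```

The replay check works because the authenticator forgets a challenge as soon as it has been answered; the offline-guessing function is the reason a weak CHAP secret is still a weak secret even though it never appears on the wire.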

The configuration of PAP or CHAP requires that both routers be configured with a hostname, as well as an appropriate username and password combination for authentication purposes. The network used in this example is illustrated in the figure below.

Figure: Both the Toronto and Accra routers need to be configured appropriately to use PPP authentication.

Both routers need to be configured properly in order for PPP authentication to work. For example, the username specified on the Toronto router must be the hostname of the connecting router (Accra in this case), since that is the name the peer sends in its CHAP messages, and the passwords configured on both systems must be identical. The configuration of the Toronto router would be as follows:

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname toronto
toronto(config)#username accra password ppp-is-fun

Similar steps need to be taken on the Accra router, although the username specified this time would be Toronto.

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname accra
accra(config)#username toronto password ppp-is-fun

After these steps have been completed, an authentication mechanism needs to be specified on the appropriate PPP interfaces (the interfaces must already be using PPP encapsulation). Note that CHAP needs the cleartext password on both routers, which is why the entry is created with username ... password rather than username ... secret; the service password-encryption command only obscures it in the configuration with a reversible encoding. For example, the configuration of CHAP on the Toronto router’s S0 interface would be:

toronto(config)#int s0
toronto(config-if)#ppp authentication chap

Similarly, the configuration of CHAP on the Accra router would be as follows:

accra(config)#int s1
accra(config-if)#ppp authentication chap

The command to use PAP authentication is ppp authentication pap. Both methods can be listed on one interface (for example, ppp authentication chap pap); the router then offers the first method listed and falls back to the second only if the peer rejects the first during LCP negotiation. Be aware that listing PAP as a fallback allows any peer to downgrade the link to cleartext passwords, so as a security best practice PAP should generally be left out altogether.

Configuring PPP Connections

The configuration of PPP on Cisco routers isn’t difficult, but can vary depending upon which options you choose to implement. For example, configuring PPP can be as simple as specifying that the appropriate serial interface on each router should use PPP encapsulation. This is accomplished by issuing the encapsulation ppp command from interface configuration mode.

RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int s0
RouterA(config-if)#encapsulation ?
atm-dxi ATM-DXI encapsulation
frame-relay Frame Relay networks
hdlc Serial HDLC synchronous
lapb LAPB (X.25 Level 2)
ppp Point-to-Point protocol
smds Switched Megabit Data Service (SMDS)
x25 X.25
RouterA(config-if)#encapsulation ppp

After configuring interface S0 on RouterA to use PPP, notice the truncated output of the show int s0 command shown below. While the encapsulation is set to PPP, the status of the port shows that Serial 0 is up, but the line protocol is down. This is because the other end of the link on my network is still configured to use HDLC encapsulation. Recall from Chapter 7 that frame type mismatches will result in this message. Notice also that the LCP status shows REQsent, meaning this router has sent its LCP Configure-Request and received no reply (if properly connected, the state would be Open), and that the NCP used to configure IP (IPCP) is also closed.

RouterA#show int s0
Serial0 is up, line protocol is down
Hardware is HD64570
Internet address is 192.168.2.200/28
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP REQsent
Closed: IPCP

After changing the encapsulation type on the other end of the link to PPP, the output of the show int s0 command on RouterA displays the following:

RouterA#show int s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 192.168.2.200/28
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP

Now that both ends of the link are configured to use PPP encapsulation, the line protocol has changed to up; LCP is open, as is the NCP for IP (IPCP). IP traffic should now be able to move across the link without a problem. If additional protocols like IPX or AppleTalk were also configured on both interfaces, their associated NCPs would also be listed.
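The two listings above can be turned into a check that a script could run across many serial interfaces. The following is an added example, not code from the page: it parses the fields the text discusses (interface status, encapsulation, LCP state, and the Open/Closed NCP lists) and maps them to the failure the text describes at each layer. The two sample listings are constructed to match the show int s0 outputs above.

```python
"""Diagnose a PPP serial interface from 'show interface' text, as an added example.

Not from the page; the two sample listings are constructed to match the 'show int s0'
outputs shown above, with the same interface and address.
"""
from __future__ import annotations

import re

SAMPLE_MISMATCH = """\
Serial0 is up, line protocol is down
Hardware is HD64570
Internet address is 192.168.2.200/28
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP REQsent
Closed: IPCP
"""

SAMPLE_UP = """\
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 192.168.2.200/28
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP
"""


def parse_show_interface(text: str) -> dict:
    """Extract interface status, encapsulation, LCP state and the NCP lists."""
    head = re.match(r"(\S+) is (.+?), line protocol is (\S+)", text)
    if head is None:
        raise ValueError("not a 'show interface' listing")
    info = {"interface": head.group(1), "admin": head.group(2),
            "line_protocol": head.group(3), "ncp_open": [], "ncp_closed": []}
    enc = re.search(r"^Encapsulation (\S+),", text, re.M)
    info["encapsulation"] = enc.group(1).upper() if enc else None
    lcp = re.search(r"^LCP (\S+)", text, re.M)
    info["lcp"] = lcp.group(1) if lcp else None
    for key, label in (("ncp_open", "Open"), ("ncp_closed", "Closed")):
        m = re.search(rf"^{label}: (.+)$", text, re.M)
        if m:
            info[key] = [n.strip() for n in m.group(1).split(",")]
    return info


def diagnose(info: dict) -> str:
    """Map the parsed fields to the failure described at each layer."""
    if info["admin"] != "up":
        return "physical-down"          # carrier, cable, CSU/DSU or 'shutdown': below Layer 2
    if info["line_protocol"] != "up":
        if info["encapsulation"] == "PPP" and info["lcp"] != "Open":
            # Our LCP Configure-Request got no usable reply: the far end is most
            # likely framing with HDLC (or another encapsulation), not PPP.
            return "lcp-not-open"
        return "line-protocol-down"     # keepalive or encapsulation problem on a non-PPP link
    if info["encapsulation"] == "PPP" and "IPCP" not in info["ncp_open"]:
        return "ipcp-closed"            # LCP fine, but IP was never negotiated: check IP on both ends
    return "ok"


if __name__ == "__main__":
    for sample in (SAMPLE_MISMATCH, SAMPLE_UP):
        info = parse_show_interface(sample)
        print(info["interface"], info["encapsulation"], info["lcp"], "->", diagnose(info))
```

The ordering of the checks matters: an interface that is physically down will also show LCP closed, so the Layer 1 condition is reported first and the LCP verdict is only reached once the line itself is known to be up.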

Point-to-Point Protocol (PPP)

The Point-to-Point Protocol is another Data Link layer protocol, and one that you may already be familiar with. While it can be used to encapsulate data over dedicated leased lines, PPP is also commonly used for dial-up connections to corporate networks and the Internet. As such, PPP works over both synchronous and asynchronous serial interfaces. PPP is an IETF-standard protocol capable of encapsulating a variety of upper-layer protocols including IP, IPX, and AppleTalk to name but a few. It has largely replaced an earlier standard known as the Serial Line Internet Protocol (SLIP). The main disadvantages of SLIP are that it only supports point-to-point connections that use IP at the Network layer, and that it provides no link negotiation, error detection, or authentication.

PPP offers a wide variety of configurable options that make it a robust choice for encapsulating data over leased lines. First and foremost, PPP supports authentication, which can be used to confirm the identity of equipment or users at either end of a point-to-point connection. Both the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP) can be used for authentication on a Cisco router. PPP also supports a variety of data compression techniques including Stacker, Predictor, and Microsoft Point-to-Point Compression (MPPC). Finally, PPP provides the ability to combine multiple synchronous and asynchronous serial links such that they work as a single logical connection, a technique referred to as PPP Multilink.

PPP is comprised of multiple protocols at the Data Link Layer, each with different areas of responsibility. It can also run over a variety of different physical layer standards, although EIA/TIA-232 (formerly RS-232) is the most commonly used. The ways in which the various PPP protocols and standards map to the OSI model is shown in the figure below.

Figure: Point-to-Point Protocol (PPP) protocols and standards as they relate to the OSI model.

The three protocols used by PPP at the Data Link layer are HDLC, the Link Control Protocol (LCP), and various implementations of the Network Control Protocol (NCP). Each is described below.

  • HDLC. HDLC-style framing is used on PPP links. In the case of PPP, the ISO standard HDLC frame format is used (as specified for PPP in RFC 1662) rather than the Cisco proprietary version, with the standard PPP Protocol field identifying the encapsulated protocol. This standardization helps to ensure that PPP implementations by different vendors can communicate properly.
  • LCP. The Link Control Protocol is used for establishing, testing, configuring, and terminating PPP connections. PPP options such as authentication, compression, and multilink are all negotiated by LCP. The three main types of LCP frames used on a PPP connection are link-establishment, link-maintenance, and link-termination.
  • NCP. Network Control Protocol frames are used to negotiate and configure the Network layer protocols that can be used over a PPP session. For example, there are specialized NCPs for IP (IPCP), IPX (IPXCP), AppleTalk (ATCP), and others. NCPs allow PPP to work in conjunction with many Network layer protocols over the same link.

There are four main steps involved in establishing, maintaining, and terminating a PPP session, as outlined below.

  1. The first step in establishing a PPP session between devices involves both sending LCP link-establishment frames for configuration and testing purposes. These frames also define which options a given PPP host is using, such as compression, authentication, and multilink. If authentication is defined and required (PPP authentication is optional), it will take place during this phase.
  2. The second step is optional, and uses LCP frames to test the quality of a link. The information gathered can be used to determine whether the link is capable of handling various upper-layer protocols.
  3. In step 3, NCP frames are sent over a link to establish which individual Network layer protocols need to be configured. For example, a link may need to be configured to use IP, IPX, AppleTalk, and so forth.
  4. When a PPP session needs to be terminated, LCP link-termination frames are used to close the connection. The third LCP frame type (link-maintenance) is used to manage and debug PPP connections.

High Level Data Link Control Protocol (HDLC)

The High Level Data Link Control protocol (HDLC) is the default encapsulation used on the synchronous serial interfaces of a Cisco router. You’ll recall that synchronous serial interfaces require an external clocking device (such as a CSU/DSU) in order to synchronize the sending and receiving of data. HDLC is a superset of the Synchronous Data Link Control (SDLC) protocol that was originally developed by IBM for use in SNA environments. SDLC and SNA will be looked at in more detail later in this chapter.

HDLC is a Data Link layer protocol used to encapsulate and transmit packets over point-to-point links. It handles the transfer of data in full duplex, as well as link management functions. As an ISO standard, many vendors implement the HDLC protocol in their equipment. Unfortunately, these implementations are usually not interoperable. The reason is that when the HDLC frame format was defined, it did not include a field to identify the Network layer protocol that it was framing. As such, the ISO version of HDLC assumes that any link using HDLC is running only a single Network layer protocol like IP. Of course, many networks run IP, IPX, and other Layer 3 protocols simultaneously. This has led vendors (including Cisco) to implement HDLC using a proprietary frame format that includes a type code field, thus allowing the Network layer protocol within a frame to be properly identified.

The Cisco HDLC frame is illustrated in the figure below.

Figure: The Cisco HDLC frame format contains a Type Code field not found in the ISO standard HDLC frame.

Because of the proprietary nature of vendor HDLC implementations, you should only use HDLC framing on point-to-point links when the router at each end of a link is from the same vendor. In cases where you want to connect equipment from different vendors over a leased line, the Point-to-Point Protocol (PPP) should be used. Always remember that the router on both sides of a point-to-point link must be using the same data framing method in order to communicate.
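The difference between the two framings described here (the Cisco HDLC type code above, and the standard PPP Protocol field that carries LCP, the NCPs and CHAP in the PPP section) is easiest to see in a small dissector. The following is an added example, not code from the page or from Cisco: it classifies a frame by its address and control bytes, decodes the protocol field of each framing, decodes the header of a CHAP packet, and shows that a receiver expecting one framing rejects the other, which is the mismatch that leaves the line protocol down. Frames are handled with the 0x7E flags and FCS already stripped, as a packet capture would deliver them; the sample frames are constructed by hand.

```python
"""Dissect the two serial framings discussed here: Cisco HDLC and PPP in HDLC-like
framing (RFC 1662). Added example, not from the page. Frames are handled in libpcap
form (DLT_C_HDLC / DLT_PPP), i.e. with the 0x7E flags and the FCS already removed;
the sample frames at the bottom are constructed by hand.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Cisco HDLC header: Address 0x0F (unicast) or 0x8F (broadcast), Control 0x00, then
# the proprietary 2-byte type code, which reuses Ethertype values.
CISCO_HDLC_TYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x8035: "SLARP", 0x2000: "CDP"}

# PPP header: Address 0xFF, Control 0x03, then the standard 2-byte PPP Protocol field.
PPP_PROTOCOLS = {
    0x0021: "IP", 0x002B: "IPX", 0x0029: "AppleTalk",      # network-layer data
    0x8021: "IPCP", 0x802B: "IPXCP", 0x8029: "ATCP",       # the matching NCPs
    0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP",          # link control and authentication
}
CHAP_CODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}


@dataclass
class Frame:
    framing: str        # "cisco-hdlc" or "ppp"
    protocol: str       # decoded name, or "unknown(0x....)"
    payload: bytes
    detail: str = ""    # extra decode for CHAP packets


def decode_chap(pkt: bytes) -> str:
    """CHAP packet: Code, Identifier, Length; Challenge/Response add Value-Size, Value, Name."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    kind = CHAP_CODES.get(code, f"code {code}")
    if code in (1, 2):
        vsize = pkt[4]
        value = pkt[5:5 + vsize]
        name = pkt[5 + vsize:length].decode("ascii", "replace")
        return f"{kind} id={ident} value={value.hex()} name={name}"
    return f"{kind} id={ident}"


def dissect(frame: bytes) -> Frame:
    """Classify a frame by its address/control bytes and decode its protocol field."""
    if len(frame) < 4:
        raise ValueError("frame too short for address, control and protocol")
    address, control = frame[0], frame[1]
    code = struct.unpack("!H", frame[2:4])[0]
    if address in (0x0F, 0x8F) and control == 0x00:
        name = CISCO_HDLC_TYPES.get(code, f"unknown(0x{code:04x})")
        return Frame("cisco-hdlc", name, frame[4:])
    if address == 0xFF and control == 0x03:
        name = PPP_PROTOCOLS.get(code, f"unknown(0x{code:04x})")
        detail = decode_chap(frame[4:]) if code == 0xC223 else ""
        return Frame("ppp", name, frame[4:], detail)
    raise ValueError(f"unrecognised framing: address=0x{address:02x} control=0x{control:02x}")


def receive_as(framing: str, frame: bytes) -> Frame | None:
    """What a router configured for one framing does with the other framing's frames:
    it cannot parse them, which is why the line protocol stays down on a mismatch."""
    try:
        parsed = dissect(frame)
    except ValueError:
        return None
    return parsed if parsed.framing == framing else None


# Constructed: Cisco HDLC unicast frame carrying the first bytes of an IPv4 header.
CISCO_IP = bytes.fromhex("0f00 0800 4500 0014")
# Constructed: PPP frame carrying a CHAP Challenge (id 7, 4-byte value) from 'toronto'.
_value, _name = bytes.fromhex("deadbeef"), b"toronto"
PPP_CHAP = (bytes.fromhex("ff03 c223")
            + struct.pack("!BBHB", 1, 7, 4 + 1 + len(_value) + len(_name), len(_value))
            + _value + _name)

if __name__ == "__main__":
    for raw in (CISCO_IP, PPP_CHAP):
        f = dissect(raw)
        print(f.framing, f.protocol, f.detail)
    print("HDLC frame on a PPP interface:", receive_as("ppp", CISCO_IP))
```

The Cisco HDLC table above deliberately contains only Ethertype values, since that is all the proprietary type code is; the PPP table is the IANA-assigned PPP protocol numbers, which is what lets a Cisco router negotiate with another vendor's equipment once both ends use PPP.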

Because HDLC is the default encapsulation method for synchronous serial interfaces on a Cisco router, it doesn’t require any explicit configuration. To view the current encapsulation type used on a router serial interface, use the show interface command. The example below shows a router using HDLC encapsulation on interface S0.

RouterA#show int s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 131.107.2.200/28
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)

If the encapsulation method used on a serial interface is ever changed, you can switch back to HDLC by issuing the command encapsulation hdlc from interface configuration mode.

RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int s0
RouterA(config-if)#encapsulation hdlc

Carrier Line Systems and Speeds

When provisioning WAN circuits from a service provider, it’s important to have an understanding of the various terms used to describe circuit speeds and their groupings. In North America, most digital links are grouped according to what is known as the digital signal standard. The base digital signal standard is known as DS0, and represents a digital channel with 64 Kbps of bandwidth, the amount required for one digitized voice call (8,000 samples per second at 8 bits each). The North American T, European E, and Japanese J carrier systems use the DS0 channel as their base multiple in link calculations.

For example, a T1 line is made up of 24 DS0s or channels, for a total aggregate bandwidth of 1.544 Mbps. If you do the multiplication, you’ll notice that 24 channels of 64 Kbps yields only 1.536 Mbps; the remaining 8 Kbps is framing overhead, one framing bit in each 193-bit frame sent 8,000 times per second, which keeps the receiver aligned to the channel boundaries of the T1 line. The list below outlines some of the common speeds associated with carrier lines in North America, Europe, and Japan.

Carrier line designations, DS0s, and speeds for North America, Europe, and Japan:

Line           DS0s    Speed
T1              24     1.544 Mbps
T3             672    44.736 Mbps
E1 (Europe)     30     2.048 Mbps
E3 (Europe)    480    34.368 Mbps
J1 (Japan)      24     1.544 Mbps

It is also possible to provision “fractional” service from most service providers. For example, not every company requires (or can afford) a full T1 link between locations. In order to better meet their customers’ needs, most providers offer what is known as fractional T1 service. This allows customers to lease only a portion of a T1 line, usually in multiples of 64 Kbps. As such, a company could rent 4 channels of a T1 link, providing them with 256 Kbps of bandwidth in total.

WAN Hardware

Back in Chapter 6 I discussed the difference between Data Terminal Equipment (DTE) and Data Communications Equipment (DCE). You should recall that DTE equipment is usually the source or destination of a network communication session, such as a router, computer, or terminal. In order for DTE equipment to establish communication over a service provider’s data communications network, DCE equipment is required. Common examples of DCE equipment include:

Modems. A modem provides the ability to connect a DTE device to a service provider’s analog communications facilities. It does this by modulating the digital signal output by a DTE device into the analog signals used on the local loop portion of the Public Switched Telephone Network (PSTN). At the receiving end, a modem demodulates the analog signal back to its digital form. While modems can be used to form a WAN connection between locations, they are typically relegated to “backup duty” because of their relatively slow (56 Kbps or less) connection speeds.

Terminal Adapters. A terminal adapter is used in ISDN communications to connect a DTE device to a service provider’s ISDN network. Terminal adapters are similar in function to a modem, in that they are used to dial into a network. However, they do not convert digital signals to analog or vice versa, since ISDN networks are entirely digital.

CSU/DSUs. Channel Service Unit / Data Service Units are the modem-like devices that act as an intermediary between DTE equipment (such as a router) and the service provider’s digital circuit. The CSU/DSU handles the sending and receiving of data over the service provider’s circuit, as well as clocking functions.

Packet Switching

A third and increasingly common WAN connectivity technique is known as packet switching. Unlike with leased lines, where customers pay for a dedicated link and consistent bandwidth, packet switching allows a service provider’s network resources to be shared amongst many customers, which in turn reduces costs. This makes packet switching a great choice for companies whose WAN traffic is variable or “bursty” in nature.

On a packet switching network, companies still connect to the provider network as they normally would, but instead of provisioning a dedicated circuit between locations, they share bandwidth with all other customers. The theory is that at any given time, a company will not be using its fully allocated bandwidth, based on the variable nature of data traffic. This allows other companies to make use of the available bandwidth, which in turn makes more efficient use of the service provider’s network. Because the service provider doesn’t have to provision a physical end-to-end circuit for a packet switched customer, they are able to offer the service at a lower price.

A packet switched network provides a great example of the service provider “cloud” in action. When companies connect to the cloud, the service provider generally guarantees the minimum average bandwidth they will have access to, while allowing their traffic to “burst” to higher speeds if excess bandwidth is available on the shared network. On a packet switching network, individual packets are sent from one location into the “cloud”. These packets may take different paths to reach their destination, as per available bandwidth and network resources. When they arrive at their destination, they are reassembled in the correct order. In order to connect company offices, the service provider defines what are known as “virtual circuits” between locations. Virtual circuits will be looked at in more detail later in the chapter. Common examples of packet switching WAN technologies include Frame Relay, X.25, and ATM.

Circuit Switching

Circuit switching is a WAN connectivity technique that allows circuits to be created across a network on demand, and then terminated once they are no longer required. The perfect example of circuit switching in action is a normal telephone call – after you pick up the phone and dial a number, a circuit is created between your phone and the phone of the person you are calling. The circuit is static, meaning that the path over which data (or voice) travels is the same for the duration of the call. Once you hang up, the circuit is terminated.

Circuit switching is commonly used to interconnect networks in cases where a permanent connection is not required. For example, a company might need to transfer data to a branch office just once or twice a day. In cases such as this, the cost of a permanent link wouldn’t be justified. While beneficial in cases where data traffic requirements are low, circuit switched connections generally provide slower throughput rates than other technologies. Examples of circuit switched WAN technologies include traditional analog dialup links using modems and ISDN connections.

Point-to-Point WAN Links (Leased Lines)

The terms “point-to-point link” and “leased line” refer to the same thing when describing WAN connections: a dedicated link through the service provider’s network. This link is not shared with other customers, and provides a dedicated circuit between two locations. This isn’t to say that the link is a single physical wire. In reality, it is a permanently established circuit through the service provider’s switched network, similar to what is illustrated in the figure below.

Figure: Two offices connected through a service provider’s network using a leased line.

A leased line is a good choice for customers who require consistent bandwidth between two locations. The speed of these dedicated links can vary; for example, a customer may choose a 64 Kbps leased line, or one at T1 speeds or higher. Leased lines are generally more expensive than other WAN connections, since the link is permanent and dedicated to the customer, regardless of the extent to which they use their allocated bandwidth. In other words, if a customer pays for a 128 Kbps leased line and then averages only 64 Kbps usage, they still pay for the full bandwidth that the link provides. Prices for leased lines vary according to required bandwidth, and sometimes distance between locations. Leased lines will typically use either the Point-to-Point Protocol (PPP) or the High Level Data Link Control (HDLC) protocol to encapsulate and send data between locations.