ProCurve Networking by HP Student guide Technical training. WAN Technologies Version 5.21



Contents

Overview
- Introduction ... 1
- Course Objectives ... 1
- Prerequisites ... 2
- Course Module Overviews ... 2

Module 1: Overview of WAN Connections
- Objectives ... 1
- Introduction ... 2
- A WAN Connection Defined ... 4
- Basic Elements of a WAN Connection ... 5
- Physical Transmission Media and Infrastructure ... 6
- Types of WAN Circuits ... 7
- PSTN (United States and Canada) ... 9
- Public Telephone and Telegraph (PTT) Companies
- The Local Loop
- Local Loop Transmission Media
- Electrical Specifications and Related Technologies
- Digital Signal Zero (DS0)
- Pulse Code Modulation (PCM)
- Time Division Multiplexing (TDM)
- Digital Signal Hierarchies
- Digital Signal X (DSX)
- CEPT Digital Signal Hierarchy
- Japanese Digital Signal Hierarchy
- Encoding Schemes
- Data-Link Layer Protocols
- Module 1 Summary

Module 2: Data-Link Layer Protocols
- Objectives ... 1
- Overview of the Data-Link Layer ... 2
- Data-Link Layer Protocols in the WAN ... 3
- High-Level Data Link Control ... 5
- Point-to-Point Protocol Suite ... 7
- Phases of a PPP Session ... 9
- Configuration Options
- Link Control Protocol Configuration Options
- Authentication Protocols
- PAP
- CHAP
- EAP
- NCP
- Compression Control Protocol
- Encryption Control Protocol
- Overview of Link-Aggregation Protocols
- Multilink PPP
- Bandwidth Allocation Protocol
- Bandwidth Allocation Protocol Frames
- BAP Configuration Options
- Bandwidth Allocation Control Protocol
- Tunneling Overview
- Generic Routing Encapsulation
- PPTP
- L2TP
- Module 2 Summary

Module 3: Carrier Line WAN Connections
- Objectives ... 1
- Overview of Carrier Line WAN Connections ... 2
- Carrier Line WAN Connections ... 4
- Physical Infrastructure Common to Carrier Line Local Loops ... 5
- DSU ... 7
- CSU ... 8
- Capabilities of WAN Routers
- Characteristics of a T1 WAN Connection
- T1 CSU/DSU Connections
- Characteristics of an E1 WAN Connection
- E1 DSU Connections
- Characteristics of a J1 WAN Connection
- T1 WAN Connection over SONET (Japan)
- Characteristics of a T3 WAN Connection
- T3 CSU/DSU Connections
- Characteristics of an E3 WAN Connection
- E3 DSU Connections
- Characteristics of a DS3 WAN Connection (Japan)
- DS3 WAN Connection over SONET (Japan)
- Fiber Optic Carrier Networks
- SONET and SDH Digital Hierarchies
- Fiber Optic Media and Connectors
- Module 3 Summary

Module 4: ISDN WAN Connections
- Objectives ... 1
- ISDN Overview ... 2
- ISDN WAN Connection ... 4
- Basic Rate Interface ... 6
- Primary Rate Interface ... 8
- Options for Higher Transmission Speeds
- ISDN Equipment at the Subscriber's Premises
- ISDN Interfaces
- Protocols for ISDN
- Standards
- Ordering ISDN
- Recording Information About the ISDN Service
- Module 4 Summary

Module 5: DSL WAN Connections
- Objectives ... 1
- Overview of DSL WAN Connections ... 2
- Advantages and Disadvantages of xDSL ... 4
- xDSL Adoption: Number of xDSL Lines ... 6
- Broadband Density ... 8
- xDSL WAN Connection ... 9
- Two Groups of xDSL
- Symmetric xDSL
- Asymmetric xDSL
- ADSL Overview
- ADSL Modulation Techniques
- CAP Modulation
- DMT Modulation
- ADSL Components
- Physical Infrastructure of ADSL WAN Connection
- ADSL Internet Connection
- Protocols for ADSL
- ADSL Lite and RADSL
- ADSL2
- ADSL2+
- ADSL Standards
- Module 5 Summary

Module 6: Frame Relay
- Objectives ... 1
- Overview of Frame Relay ... 2
- Frame Relay WAN Connection ... 4
- Frame Relay Physical Access Options ... 6
- Data Link Connection Identifier (DLCI) ... 8
- Committed Information Rate
- Excess Information Rate
- Congestion Management: DE Bit
- Congestion Management: FECN and BECN
- Frame Relay Standards
- Frame Relay Signaling Protocols
- Service Level Agreements
- Module 6 Summary

Module 7: Virtual Private Networks
- Objectives ... 1
- Defining VPNs ... 2
- Types of VPNs ... 3
- IPSec Versus PPTP ... 4
- IPSec Standard ... 5
- IPSec Security Protocols ... 6
- Security Associations ... 7
- IPSec Modes ... 8
- Tunnel Mode ... 9
- Transport Mode
- IPSec Standard Key Management Process
- IPSec Standard Authentication Process
- Key Management and Authentication
- Digital Certificates
- Extended Authentication: RADIUS Server
- Extended Authentication: TACACS+ Server
- IPSec Standard Encryption Process
- Symmetric Key Encryption
- Asymmetric Key Encryption
- How IPSec Sends a Packet
- PPTP
- Module 7 Summary

Module 8: Firewalls
- Objectives ... 1
- Defining Firewalls ... 2
- Firewall Architecture ... 4
- Dual-Homed Host Firewall Architecture ... 5
- Screened Host Firewall Architecture ... 6
- Screened Subnet Firewall Architecture ... 7
- Types of Firewalls ... 8
- Packet-Filtering Firewalls ... 9
- Circuit-Level Gateways
- Application-Level Gateways
- Stateful-Inspection Firewalls
- Network Address Translation (NAT)
- Single IP Address Translation
- Static and Dynamic NAT
- Port Address Translation (PAT)
- NAT Traversal (NAT-T)
- What to Block
- Module 8 Summary

Module 9: Quality of Service and Advanced WAN Routing
- Objectives ... 1
- Traffic Congestion
- Quality of Service ... 2
- Quality of Service Mechanisms ... 3
- DiffServ Packet Marking ... 5
- DiffServ Per Hop Behaviors ... 7
- Class-Based Queuing ... 9
- Weighted Random Early Discard (WRED)
- Committed Access Rate (CAR)
- Generic Traffic Shaping and Frame Relay Traffic Shaping
- Evaluating Traffic for QoS
- VLAN Support
- Virtual Router Redundancy Protocol (VRRP)
- Exterior Routing Protocols
- Exterior Gateway Protocol
- Border Gateway Protocol
- Module 9 Summary

HP Restricted Rev. 5.21


Course Overview

Introduction

The ProCurve WAN Technologies course is designed to help support engineers and systems engineers understand the technologies used to create WAN connections. It outlines the basic elements required to create a WAN connection and provides an in-depth explanation of different types of WAN connections.

In addition, this course describes Virtual Private Networks (VPNs), which create secure, private communication across an existing public network. Because VPNs connect a trusted network to an untrusted network (primarily the Internet), this course also explains the firewall technologies that companies can use to protect their network. Finally, this course discusses quality of service (QoS) mechanisms and advanced routing technologies such as exterior routing protocols.

Course Objectives

After completing this course, you should be able to:
- Describe the basic elements of a WAN connection
- Explain the role that public carrier networks play in creating WAN connections
- Define data-link layer protocols and explain the role they play in creating WAN connections
- Describe the specific characteristics and the physical infrastructure of carrier line WAN connections
- Describe the specific characteristics and the physical infrastructure of Integrated Services Digital Network (ISDN) WAN connections
- Describe the specific characteristics of Digital Subscriber Line (DSL) WAN connections
- Describe the physical infrastructure of Asymmetric DSL (ADSL) WAN connections and describe how data is transmitted from the customer's premises to the broadband network and the Internet
- Explain the relationship between Frame Relay and WAN connections
- Describe how data travels through a Frame Relay network

- Define a VPN and explain how Internet Protocol Security (IPSec) is used to create VPNs
- Describe the firewall architectures that can be used to provide security for a company's internal network
- Explain what QoS means and describe methods of enforcing QoS: classifying traffic, policing traffic, shaping traffic, and managing congestion
- Explain the purpose of exterior routing protocols and describe the way they work

Prerequisites

Before taking this class, you should complete the HP ProCurve Adaptive Edge Fundamentals course and the HP ProCurve RSE course. For more information about HP ProCurve training, visit

Course Module Overviews

This course contains the following modules:

Module 1 provides the foundation for understanding WAN connections. It introduces the three basic elements required for a WAN connection and describes the role each element plays in creating that connection.

Module 2 describes the data-link layer protocols that control the transfer of data over a WAN connection. In particular, this module focuses on two general-purpose data-link layer protocols: High-Level Data Link Control (HDLC) and Point-to-Point Protocol (PPP). This module also describes a network-layer tunneling protocol called Generic Routing Encapsulation (GRE).

Module 3 explains the specific characteristics and the physical infrastructure of carrier line WAN connections. This module also describes fiber optic carrier networks and the standards most commonly used to create them.

Module 4 describes ISDN WAN connections. It explains the two types of ISDN services available and the equipment required at the subscriber's site. This module also outlines the information subscribers need to order an ISDN WAN connection.

Module 5 provides an overview of the different types of DSL technologies used to create WAN connections. It then focuses on ADSL connections, explaining the physical infrastructure and the data flow from the customer's premises to the public carrier network and the Internet. This module also describes the ADSL2 and ADSL2+ enhancements.

Module 6 explains the relationship between Frame Relay and WAN connections. It also describes the equipment necessary to create a Frame Relay network and the options offered by various Frame Relay carriers.

Module 7 introduces another method of connecting two sites: VPNs. It explains how VPNs create secure, private communication across an existing public network and then describes how IPSec can be used to connect private networks or remote users to the corporate network.

Module 8 explains how firewalls can be used to protect a trusted network from an untrusted network. It describes the firewall architectures that you can use to protect your network and explains how different types of firewalls work.

Module 9 defines QoS and describes some QoS mechanisms that you can use to manage traffic across a WAN connection. It also explains why WAN routers should support features such as virtual LAN (VLAN) tagging and the Virtual Router Redundancy Protocol (VRRP). In addition, this module describes exterior routing protocols and CIDR.


Module 1: Overview of WAN Connections

Objectives

This module introduces the basic elements of WAN connections and describes the role each element plays in creating that connection. After completing this module, you should be able to:
- Describe the three basic elements of a WAN connection
- Describe how public carrier networks are used to create a WAN connection
- Identify the three types of circuits used to create a WAN connection
- Describe how local loops connect the subscriber's premises to public carrier networks
- Identify the electrical signaling specifications and related technologies used in public carrier networks
- Explain the differences and similarities between T-, E-, and J-carrier WAN connections

Introduction

Companies that have multiple offices need a cost-effective, efficient means to exchange data between those offices. Many companies have created intranets or extranets, which enable users at different locations to view, upload, and download information. However, intranets and extranets are only a partial solution to the problem because the sharing of data is limited to what can be posted on the intranet or extranet. Each office must maintain its own database, and users cannot access data stored at other locations. For example, the accounting department at each office must have a separate database, which cannot be shared over an intranet.

Security is also an issue because the intranet must be connected to the Internet in order to serve multiple locations. The various offices connected through the intranet can be protected by firewalls, but firewalls are not impervious to attacks.

For many companies, a Wide Area Network (WAN) is a better and more cost-effective solution for connecting multiple branch offices to a main office. A WAN allows companies to exchange all types of information, including voice and data. Combining voice and data traffic can reduce operating expenses for many companies.

This course focuses on WAN connections created using public carrier networks. Businesses, organizations, and government entities use public carrier networks to create WAN connections for three primary reasons:
- Using public carrier network infrastructure is almost always more cost effective than using privately owned infrastructure. Public carrier networks allow many subscribers to share the costs of installing, managing, and maintaining the infrastructure required to create WAN connections.
- Using privately owned infrastructure to create long-distance and international WAN connections is impractical, sometimes even impossible, and cost prohibitive. WAN connections that use privately owned infrastructure are generally limited to relatively short distances, and installing them is beyond the capacity of all but the largest organizations.
- WAN connections created through public carrier networks are substantially similar to WAN connections created using privately owned infrastructure in terms of security and performance. Public carrier networks also provide levels of reliability and redundancy that privately owned infrastructure typically cannot provide.

WAN routers connect the LANs at each location, identify the traffic addressed to another LAN, and route the traffic to the next hop. As explained throughout this course, WAN routers support a variety of WAN connection types, including:
- Dedicated T-, E-, and J-carrier lines
- Integrated Services Digital Network (ISDN)
- Digital Subscriber Line (DSL)

A WAN Connection Defined

In the most general sense, a WAN is a geographically dispersed telecommunications network. For the purposes of this course, however, a WAN is defined as a network created to connect two or more LANs. WAN connections can connect LANs located in the same city or around the world.

As the figure shows, a public carrier network is commonly used to create WAN connections between LANs in different parts of the world. Public carrier networks include the Public Switched Telephone Network (PSTN), which serves the United States and Canada, and Public Telephone and Telegraph (PTT) companies, which serve Mexico, Europe, Asia, South America, and other parts of the world.

Basic Elements of a WAN Connection

All WAN connections consist of three basic elements:
- The physical transmission media.
- Electrical signaling specifications for generating, transmitting, and receiving signals through various transmission media.
- Data-link layer protocols that provide logical flow control for moving data between peers in the WAN. (Peers are the devices at either end of a WAN connection.)

As the figure shows, physical transmission media and electrical specifications are part of the physical layer (layer one) of the Open Systems Interconnection (OSI) model, and data-link layer protocols are part of the data-link layer (layer two).

This module focuses on the physical transmission media, the electrical signaling specifications, and the related OSI layer-one technologies that are used to create WAN connections through public carrier networks. Data-link layer protocols are explained in detail in Module 2: Data-Link Layer Protocols.

Physical Transmission Media and Infrastructure

The first basic element of a WAN connection is the physical transmission medium. The most common physical transmission medium used in public carrier networks is twisted-pair copper wire, originally installed for Plain Old Telephone Service (POTS) connections. Twisted pair is currently used in the last mile of 90 percent of all WAN connections. Other physical transmission media include coaxial copper cable, fiber optic cable, and the Earth's atmosphere, which carries signals by such means as infrared and microwave transmissions.

The physical transmission media are a large part of what is commonly called infrastructure. Infrastructure also includes telecommunications switching and routing equipment. WAN connections can be created using public carrier network infrastructure, privately owned infrastructure, or a combination of the two.

Types of WAN Circuits

As the figure shows, three types of circuits are used to create WAN connections through public carrier networks:
- Dedicated circuits
- Permanent virtual circuits (PVCs)
- Switched virtual circuits (SVCs)

Dedicated Circuits

Dedicated circuits are permanent circuits dedicated to a single subscriber. The connection is always active. The subscriber purchases dedicated time slots, or channels, that provide a specific amount of bandwidth that is always available for the subscriber to use. The channels in a dedicated circuit are created using time division multiplexing (TDM), which is discussed later in this module. In addition to providing guaranteed bandwidth at all times, dedicated circuits provide the most secure and reliable WAN connections available.

Dedicated circuits are used to create the following point-to-point WAN connections:
- Carrier lines (which are explained later in this module and in Module 3: Carrier Line WAN Connections)
- DSL connections (which are explained in Module 5: DSL WAN Connections)

Permanent Virtual Circuits (PVCs)

PVCs are also permanent circuits dedicated to a single subscriber. The connection is always active. However, because multiple virtual circuits share a physical circuit, there is no guarantee that any specific amount of bandwidth will be available at any specific time. Sometimes there may not be any bandwidth available on the physical circuit because the physical circuit is saturated. When the physical circuit is saturated, the traffic is temporarily stored at a switching point until bandwidth becomes available. When bandwidth becomes available, the stored traffic is forwarded to its destination. This process is referred to as store-and-forward processing, or packet switching, which is the same processing method used on LANs.

PVCs provide an average bandwidth guarantee through statistical multiplexing (STM), which underlies packet switching technology. Because PVCs are more cost effective for the public carrier, PVCs are usually less expensive for the subscriber than dedicated circuits. PVCs are commonly used for Frame Relay, which is explained in detail in Module 6: Frame Relay.

Switched Virtual Circuits (SVCs)

SVCs are identical to PVCs in all respects, except that they are temporary physical circuits. SVCs are activated when a subscriber initiates a connection to transmit data. When all data have been transmitted, the connection is deactivated, and the physical circuit resources are made available to other subscribers. SVCs are used to create dial-up WAN connections, including ISDN WAN connections, which are explained in Module 4: ISDN WAN Connections.

PSTN (United States and Canada)

In the United States and Canada, most WAN connections are created through the PSTN. As the figure shows, the PSTN consists of local exchange carriers (LECs) and interexchange carriers (IXCs). (LECs are also referred to as telcos.)

Local Exchange Carriers

LECs operate the infrastructure that provides access to the PSTN in a limited geographic area. The area served by a LEC is referred to as a local access and transport area (LATA). LECs include incumbent local exchange carriers (ILECs) and competitive local exchange carriers (CLECs).

ILECs are the Regional Bell Operating Companies (RBOCs) that provide service in a specific LATA. For example, SBC is the current ILEC in California. ILECs were created in 1983 when the U.S. government deregulated the telecommunications industry and mandated the breakup of AT&T. Deregulation also led to the creation of CLECs, which provide the same services as ILECs and compete with ILECs in specific geographic areas. For example, Covad Communications is a CLEC that competes with SBC in California.

Interexchange Carriers

IXCs aggregate voice and data traffic from numerous LECs. They operate the infrastructure that connects LATAs to the inter-LATA networks that move traffic throughout the United States and Canada. AT&T, Sprint, and MCI are all IXCs based in the United States. IXCs are commonly referred to as long-distance carriers. IXCs also provide the infrastructure that enables PSTN subscribers to create WAN connections to PTT networks in Europe, Asia, South America, and other parts of the world.

Public Telephone and Telegraph (PTT) Companies

In most countries outside of the United States and Canada, the public telephone network is owned and operated by government-owned monopolies called PTTs. As the figure shows, a PTT operates the entire telecommunications infrastructure within a country's borders. For example, British Telecom (BT) provides border-to-border service in the United Kingdom, while Deutsche Telekom (DTAG) provides this service in Germany.

PTTs provide both the local-access and long-distance transport infrastructure needed to create WAN connections through the public carrier network. As the figure shows, carrier interconnects link individual PTTs to provide an international public carrier system.

The Local Loop

The connection between a subscriber's premises and the public carrier's nearest central office (CO) is referred to as the local loop. The local loop includes the entire telecommunications infrastructure (such as repeaters, switches, cable, and connectors) required to connect a subscriber's premises to the CO. A line of demarcation (demarc) separates a subscriber's wiring and equipment from that of the public carrier. Each party owns, operates, and maintains the wiring and equipment on its side of the demarc.

Public carrier networks were originally designed to carry analog voice calls. Therefore, copper wire is the most common physical transmission medium used on the local loop. Because of the limits in the signal-carrying capacity of copper wire, local loops that use copper wire are the slowest, least capable component of a WAN connection. Public carriers are beginning to install coaxial and fiber optic cable in local loops to meet ever-increasing bandwidth demands.

Local loop connection types include carrier lines, which are described in Module 3: Carrier Line WAN Connections. Local loop connection types also include ISDN and DSL. ISDN and DSL are digital technologies designed to maximize the limited capabilities of existing local loop copper wiring. ISDN and DSL are discussed briefly in the next two sections.

ISDN Local Loops

ISDN provides integrated voice and data services by means of a fully digital local loop. An ISDN connection requires Category-3 (CAT-3) or higher twisted pair and is delivered by means of an SVC. ISDN is a local loop-only technology. When ISDN traffic reaches the public carrier's nearest CO, it is converted for transport through existing public carrier infrastructure.

ISDN is available in two levels of service: Basic Rate Interface (BRI) and Primary Rate Interface (PRI). BRI service provides 128 Kbps of bandwidth. PRI service provides Mbps in total bandwidth in T-carrier systems and Mbps in total bandwidth in E-carrier systems. ISDN is discussed in depth in Module 4: ISDN WAN Connections.

DSL Local Loops

DSL is a digital service that exists only in the local loop. DSL provides a digital connection between the subscriber and the public carrier's CO. Like ISDN, DSL requires CAT-3 or higher twisted pair wiring. Unlike ISDN, DSL uses PVCs (rather than SVCs), so DSL connections are always active. A DSL modem or WAN router connects the subscriber's premises to the public carrier network.

Different types of DSL are available. Each public carrier determines the types of DSL that are available in a local service area. The following are some examples of the types of DSL:
- Asymmetric DSL (ADSL)
- High bit rate DSL (HDSL)
- Symmetric DSL (SDSL)
- Very high bit rate DSL (VDSL)

DSL is discussed in depth in Module 5: DSL WAN Connections.

Local Loop Transmission Media

CAT-3 and CAT-5 Unshielded Twisted Pair (UTP) are the most common types of copper wire used in the local loop. In some applications where signal interference is an issue, Shielded Twisted Pair (STP) is used. In some areas, including parts of the United Kingdom and the Netherlands, a pair of coaxial cables is used instead of twisted pair to complete local loop connections.

Other transmission media can be used to complete local loops if transmission speed is a primary consideration. For example, fiber optic cable and coaxial cable are both used to create T3 and E3 WAN connections, as discussed in Module 3: Carrier Line WAN Connections.

Electrical Specifications and Related Technologies

An electrical specification defines a set of communication parameters, or rules, that determine the transmission speed through a WAN connection. When engineers create an electrical specification, their objective is to find the best way to reliably transport traffic, as rapidly as possible, through a given transmission medium.

The electrical specifications used for public carrier networks are based on cooperative standards developed by the American National Standards Institute (ANSI), the International Standards Organization (ISO), the Conference of European Postal and Telecommunications (CEPT), ITU-T, and ITU-T's predecessor, the Consultative Committee for International Telegraph and Telephone (CCITT).

Electrical specifications enable both synchronous and asynchronous communications over a WAN connection. Synchronous communications use a clock signal to precisely coordinate signal transport through the transmission media. Asynchronous communications use start and stop bits, rather than a clock, to coordinate signals.

The remainder of this module focuses on the synchronous electrical specifications and related technologies that define the basic unit of bandwidth (the DS0 channel) used in copper-based public carrier networks.

Digital Signal Zero (DS0)

DS0 is a digital channel operating at 64 Kbps, the amount of bandwidth required to transmit a single analog voice call through a digital telecommunications network. Based on the ANSI T1.107 specification, DS0 was originally created in the mid 1960s by Bell Laboratories to transport voice traffic over T-carrier systems. PTTs subsequently adopted a modified version of ANSI T1.107, the ITU-T G.703 specification, which is the basis of European and international E-carrier systems. J-carrier systems are also based on a modified version of T1.107 and are similar to T-carrier systems.

DS0 is the fundamental unit of bandwidth, the fundamental channel, in all copper-based T-, E-, and J-carrier systems. In E-carrier systems, DS0 is called E0, and in J-carrier systems, DS0 is called J0. However, the basic signal is virtually identical in all three carrier systems. DS0, E0, and J0 channels all use a process called Pulse Code Modulation (PCM) to convert analog (voice) signals into digital signals.

Pulse Code Modulation (PCM)

PCM is the basis of a standard DS0, E0, and J0 channel. PCM converts a continuously variable analog signal, such as a voice telephone call, into a stream of digital bits. As the figure shows, the PCM sampling process creates a digital signal that represents the original analog waveform. The analog signal is converted (modulated) into a digital signal that is sent over the WAN connection. On the receiving side, the digital signal is demodulated (converted) back to an analog signal that closely approximates the original analog waveform.

In the PCM sampling process, the analog signal is sampled 8,000 times per second. Each sample is converted into an 8-bit binary code that represents the voltage of the analog waveform at the time the sample was taken. Thus, the PCM process is the mathematical basis for the bandwidth required for a standard DS0, E0, or J0 channel:

8 bits per sample x 8,000 samples per second = 64 Kbps
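The PCM sampling and reconstruction process described above, as an added worked example that is not part of the course material. The code samples a constructed stand-in for an analog voice waveform (a pure tone) 8,000 times per second, quantizes each sample to an 8-bit code, serializes the codes as the 64 Kbps bit stream, and demodulates them back to show how closely the reconstruction tracks the original. It assumes simple linear 8-bit quantization; real DS0 channels use companded (mu-law or A-law) 8-bit codes, which the text does not cover, but the sample rate and bit budget are the same.

```python
import math

SAMPLE_RATE_HZ = 8000   # samples per second, as stated in the text
BITS_PER_SAMPLE = 8     # each sample becomes one 8-bit binary code


def ds0_bit_rate(sample_rate=SAMPLE_RATE_HZ, bits=BITS_PER_SAMPLE):
    """Channel bandwidth in bits per second: samples/s x bits/sample (64,000 for DS0)."""
    return sample_rate * bits


def analog_tone(t, freq_hz=440.0):
    """Constructed stand-in for an analog voice waveform: a pure tone in the range [-1.0, 1.0]."""
    return math.sin(2 * math.pi * freq_hz * t)


def pcm_encode(signal, duration_s, sample_rate=SAMPLE_RATE_HZ, bits=BITS_PER_SAMPLE):
    """Modulate: sample `signal` sample_rate times per second and quantize each sample
    to an unsigned `bits`-bit code (linear quantization, an assumption of this example)."""
    levels = 2 ** bits
    codes = []
    for i in range(int(duration_s * sample_rate)):
        v = max(-1.0, min(1.0, signal(i / sample_rate)))        # clip to the representable range
        codes.append(int(round((v + 1.0) / 2.0 * (levels - 1))))  # map [-1, 1] onto [0, levels-1]
    return codes


def pcm_decode(codes, bits=BITS_PER_SAMPLE):
    """Demodulate: map each code back to an approximate voltage in [-1.0, 1.0]."""
    levels = 2 ** bits
    return [c / (levels - 1) * 2.0 - 1.0 for c in codes]


def to_bitstream(codes, bits=BITS_PER_SAMPLE):
    """Serialize the codes as the bit string that would be sent over the channel."""
    return "".join(format(c, f"0{bits}b") for c in codes)


def max_quantization_error(signal, duration_s, sample_rate=SAMPLE_RATE_HZ, bits=BITS_PER_SAMPLE):
    """Largest gap between a reconstructed sample and the original waveform at that instant.
    With linear quantization this is at most half a quantization step (1/(2**bits - 1))."""
    codes = pcm_encode(signal, duration_s, sample_rate, bits)
    recon = pcm_decode(codes, bits)
    return max(abs(r - signal(i / sample_rate)) for i, r in enumerate(recon))


if __name__ == "__main__":
    one_second = pcm_encode(analog_tone, 1.0)
    print("samples in one second:", len(one_second))
    print("bits in one second:", len(to_bitstream(one_second)))
    print("DS0 bit rate (bps):", ds0_bit_rate())
    print("max quantization error, 8-bit:", round(max_quantization_error(analog_tone, 0.01), 5))
    print("max quantization error, 4-bit:", round(max_quantization_error(analog_tone, 0.01, bits=4), 5))
```

Running the script shows the 8,000 samples x 8 bits = 64,000 bits that one second of a DS0 channel carries, and comparing the 8-bit and 4-bit error figures makes the point that the bit budget, not the sample rate, sets how closely the demodulated signal approximates the original.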

Time Division Multiplexing (TDM)

As the figure shows, TDM creates a high-bandwidth channel by combining, or multiplexing, multiple DS0 signals into a larger, more complex signal. Each DS0 receives an equal time slice within the complex signal in a rotating, repeating sequence, and thus receives an equal amount of bandwidth. On the receiving end, TDM is used to recover the original DS0 signals through a reverse process called demultiplexing.

T-carrier and J-carrier systems use TDM to provision 24 DS0 channels for a T1 or J1 WAN connection. E-carrier systems use TDM to provision 32 DS0 channels for an E1 WAN connection. TDM is also used to provision larger channels that use T1/J1/E1 channels as base multiples, as described in the next section.

Digital Signal Hierarchies

Digital signaling hierarchies define the signal multiplexing used in each type of physical carrier and determine the transmission speed for each carrier. Digital signaling hierarchies use small bandwidth channels as base multiples for creating larger bandwidth channels, or carrier signals, in a carrier system. DS0, E0, and J0 channels serve as the base multiples for creating T1, E1, and J1 carrier signals. T1, E1, and J1, in turn, serve as the base multiples for creating the more complex, higher-bandwidth carrier signals used in T2, E2, J2, and higher carrier systems.

T-, E-, and J-carrier systems use similar, but not identical, digital signaling hierarchies. T-carrier systems use Digital Signal X (DSX), E-carrier systems use the CEPT digital signal hierarchy, and J-carrier systems use the Japanese signal hierarchy. These signaling hierarchies are described in the following sections.

Digital Signal X (DSX)

DSX is the digital signal hierarchy that defines the signal multiplexing used in T-carrier systems. As the figure shows, DSX specifies that 24 DS0s are multiplexed to create the DS1 carrier signal used in a T1 carrier. A T1 carrier provides a total transmission rate of Mbps (24 x 64 Kbps = 1,536 Kbps + 8 Kbps for framing bits and timing signal synchronization). Similarly, DSX specifies the following:
- Four DS1 signals are multiplexed to create the DS2 signal used in T2 carriers, which provide a transmission rate of Mbps.
- 28 DS1 signals are multiplexed to create the DS3 signal used in T3 carriers, which provide a transmission rate of Mbps.
- 168 DS1 signals are multiplexed to create the DS4 signal used in T4 carriers, which provide a transmission rate of Mbps.
- 336 DS1 signals are multiplexed together to create the DS5 signal used in T5 carriers, which provide a transmission rate of Mbps.
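The TDM multiplexing and demultiplexing described in the Time Division Multiplexing section, together with the DS1 rate arithmetic above (24 DS0 time slots plus 8 Kbps of framing overhead), as an added worked example that is not part of the course material. It assumes the DS1 frame layout of one framing bit followed by 24 eight-bit time slots, sent 8,000 times per second (once per PCM sampling interval); the framing-bit values passed in are a constructed placeholder rather than a real T1 framing pattern. As a generalization beyond the text, the same functions model an E1-style frame of 32 slots with no separate framing bit, which the text's 32-channel figure implies.

```python
DS0_BITS = 8               # one 8-bit PCM sample per channel per frame
FRAMES_PER_SECOND = 8000   # one frame per PCM sampling interval


def frame_bits(channels=24, framing_bits=1):
    """Bits in one frame: every channel contributes one sample, plus framing overhead (193 for T1)."""
    return channels * DS0_BITS + framing_bits


def carrier_bit_rate(channels=24, framing_bits=1):
    """Line rate = bits per frame x frames per second; for T1, (24 x 8 + 1) x 8,000 = 1,544,000 bps."""
    return frame_bits(channels, framing_bits) * FRAMES_PER_SECOND


def payload_bit_rate(channels=24):
    """Bandwidth left for the DS0 channels themselves: 24 x 64 Kbps = 1,536,000 bps for T1."""
    return channels * DS0_BITS * FRAMES_PER_SECOND


def tdm_multiplex(channels, framing_pattern="1"):
    """Multiplex: each frame carries the framing bit (cycling through framing_pattern, or none if
    the pattern is empty) followed by one sample from every channel in a fixed rotating order.
    `channels` is a list of per-channel sample lists; every channel must supply one sample per frame."""
    n_frames = len(channels[0])
    if any(len(ch) != n_frames for ch in channels):
        raise ValueError("every channel must supply exactly one sample per frame")
    if any(not 0 <= s < 2 ** DS0_BITS for ch in channels for s in ch):
        raise ValueError("samples must be 8-bit values")
    frames = []
    for f in range(n_frames):
        framing = framing_pattern[f % len(framing_pattern)] if framing_pattern else ""
        frames.append(framing + "".join(format(ch[f], "08b") for ch in channels))
    return "".join(frames)


def tdm_demultiplex(bitstream, channels=24, framing_bits=1):
    """Demultiplex: recover each channel's samples from its fixed slot position in every frame,
    and return the framing bits separately."""
    fb = frame_bits(channels, framing_bits)
    if len(bitstream) % fb:
        raise ValueError("bitstream is not a whole number of frames")
    recovered = [[] for _ in range(channels)]
    framing = ""
    for start in range(0, len(bitstream), fb):
        frame = bitstream[start:start + fb]
        framing += frame[:framing_bits]
        for i in range(channels):
            lo = framing_bits + i * DS0_BITS
            recovered[i].append(int(frame[lo:lo + DS0_BITS], 2))
    return recovered, framing


if __name__ == "__main__":
    # Constructed sample data: 24 channels, three frames (three PCM samples) each.
    ds0s = [[(7 * ch + f) % 256 for f in range(3)] for ch in range(24)]
    line = tdm_multiplex(ds0s, "10")
    print("bits per frame:", frame_bits(), "| bits sent:", len(line))
    print("T1 line rate:", carrier_bit_rate(), "bps; payload:", payload_bit_rate(), "bps")
    back, framing = tdm_demultiplex(line)
    print("channels recovered intact:", back == ds0s, "| framing bits seen:", framing)
    print("32-slot frame with no framing bit:", carrier_bit_rate(channels=32, framing_bits=0), "bps")
```

The difference between carrier_bit_rate() and payload_bit_rate() is exactly the 8,000 framing bits per second that the text accounts for as the 8 Kbps added to 1,536 Kbps, and the demultiplexer recovers every channel only because the slot order is fixed and identical at both ends, which is why TDM gives each DS0 a guaranteed, equal share of the circuit.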

As the figure shows, DSX specifies the physical carriers used at each level in the hierarchy. (DSX does not define the physical carrier; ANSI T1.107 defines the physical components of T-carrier systems.) When combined, the physical carrier and the DSX hierarchy specify a usable physical layer for each type of carrier in a T-carrier system.

DSX defines Digital Signal Designators (DSDs), or signaling methods, used to create the carrier signals used at each level of the hierarchy. DSX also defines DSX interfaces, which describe the physical connections (pinouts) and signaling logic (send timing, receive timing, send data, and receive data) necessary for connected devices to communicate.

CEPT Digital Signal Hierarchy

Like the DSX digital signal hierarchy used in T-carrier systems, the CEPT digital signal hierarchy defines the signal multiplexing used to create the signals carried in each E-carrier. Unlike DSX, CEPT DSDs are identical to the physical carrier designator. As the figure shows, the CEPT hierarchy multiplexes 32 E0 channels to create the signal that is carried within an E1 physical carrier. An E1 carrier provides a total transmission rate of Mbps. Similarly, the CEPT hierarchy specifies the following:
- Four E1 signals are multiplexed to create the E2 signal used in E2 carriers, which provide a transmission rate of Mbps.
- 16 E1 signals are multiplexed to create the E3 signal used in E3 carriers, which provide a transmission rate of Mbps.
- 64 E1 signals are multiplexed to create the E4 signal used in E4 carriers, which provide a transmission rate of Mbps.
- 256 E1 signals are multiplexed together to create the E5 signal used in E5 carriers, which provide a transmission rate of Mbps.

Japanese Digital Signal Hierarchy

The Japanese digital signal hierarchy defines the signal multiplexing used to create the signals carried in each J-carrier. Unlike DSX, Japanese DSDs are identical to the physical carrier designator. As the figure shows, the Japanese hierarchy multiplexes 24 J0 channels to create the J1 carrier signal that is carried within a J1 physical carrier. A J1 carrier provides a total transmission rate of Mbps. Similarly, the Japanese hierarchy specifies the following:
- Four J1 signals are multiplexed to create the J2 signal used in J2 carriers, which provide a transmission rate of Mbps.
- 30 J1 signals are multiplexed to create the J3 signal used in J3 carriers, which provide a transmission rate of Mbps.
- 240 J1 signals are multiplexed to create the J4 signal used in J4 carriers, which provide a transmission rate of Mbps.

Most PTTs in Japan use the T1 standard for data; the J1 standard is used for voice. The reasons for using the T1 standard are discussed in Module 3: Carrier Line WAN Connections.

Encoding Schemes

Encoding schemes define how digital signals are configured for transport through a physical transmission medium. Encoding schemes use electrical signals to represent the logical 0 and 1 bits in a data stream. The public carrier that provides the local loop service determines the encoding scheme for the WAN connection. All of the subscriber's equipment must be configured to use the public carrier's encoding scheme.

Three encoding schemes are widely used in T-, E-, and J-carrier systems:
- Alternate mark inversion (AMI)
- Bipolar 8-zero substitution (B8ZS)
- High-density bipolar of order 3 (HDB3)

AMI

AMI uses alternating positive and negative voltage (referred to as alternating polarity or bipolarity) to represent logical 1s, and zero voltage to represent logical 0s. Because AMI uses zero voltage for logical 0, it can cause synchronization loss between the peers at each end of a WAN connection when a data stream contains a long string of logical 0s.

B8ZS

B8ZS is a modified version of AMI. B8ZS prevents the synchronization loss associated with AMI by limiting the number of consecutive 0s in a data stream to eight. When eight zeros are detected, B8ZS replaces them with two successive logical 1s of the same polarity in a process referred to as a bipolar violation. B8ZS is the predominant encoding scheme used in T-carrier systems.

HDB3

HDB3 is based on AMI and prevents synchronization loss in a manner similar to B8ZS. HDB3 limits the number of consecutive zeros in a data stream to four, and it replaces them with three logical 0s and a violation bit with the same polarity as the last AMI logical 1 detected. HDB3 is the predominant encoding scheme used in E-carrier systems.
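The three encoding schemes above, worked through in code. This is an added example, not ProCurve course material: it encodes a constructed bit string with AMI, B8ZS and HDB3, then measures the longest run of zero-voltage symbols (the property that causes the clock-recovery problem described for AMI) and counts the deliberate bipolar violations that B8ZS and HDB3 insert so the receiver can recognise a substitution. The substitution patterns used (000VB0VB for B8ZS; 000V or B00V for HDB3, chosen to keep successive violations alternating in polarity) are the standard ones; the choice of starting state when no violation has been sent yet is this example's own convention.

```python
"""AMI, B8ZS and HDB3 line coding. Added example, not ProCurve course code.
Symbols are +1, -1 and 0 (positive pulse, negative pulse, no pulse); the
input bit lists are constructed test data."""


def ami_encode(bits):
    """Alternate mark inversion: successive 1s alternate polarity, 0 is no pulse."""
    out, last = [], -1            # 'last' is the polarity of the previous pulse
    for b in bits:
        if b:
            last = -last
            out.append(last)
        else:
            out.append(0)
    return out


def b8zs_encode(bits):
    """AMI with every run of eight 0s replaced by the pattern 000VB0VB.

    V is a bipolar violation (same polarity as the preceding pulse) and B is a
    regular pulse (opposite polarity). The two violations let the receiver
    recognise the substitution, and the block sums to zero volts overall."""
    out, last, i = [], -1, 0
    while i < len(bits):
        if bits[i:i + 8] == [0] * 8:
            out.extend([0, 0, 0, last, -last, 0, -last, last])   # 000VB0VB
            i += 8                                                # polarity state unchanged
        else:
            if bits[i]:
                last = -last
                out.append(last)
            else:
                out.append(0)
            i += 1
    return out


def hdb3_encode(bits):
    """AMI with every run of four 0s replaced by 000V or B00V.

    B00V is used when an even number of pulses has been sent since the last
    violation, so successive violations alternate in polarity and no DC offset
    builds up. (With no previous violation this example starts in the 'even' state.)"""
    out, last, pulses_since_v, i = [], -1, 0, 0
    while i < len(bits):
        if bits[i:i + 4] == [0, 0, 0, 0]:
            if pulses_since_v % 2 == 1:
                out.extend([0, 0, 0, last])            # 000V: V repeats the last polarity
            else:
                last = -last
                out.extend([last, 0, 0, last])         # B00V: B alternates, V repeats B
            pulses_since_v = 0
            i += 4
        else:
            if bits[i]:
                last = -last
                out.append(last)
                pulses_since_v += 1
            else:
                out.append(0)
            i += 1
    return out


def max_zero_run(symbols):
    """Longest run of no-pulse symbols: the quantity that threatens clock recovery."""
    longest = run = 0
    for s in symbols:
        run = run + 1 if s == 0 else 0
        longest = max(longest, run)
    return longest


def count_violations(symbols):
    """Number of pulses that repeat the previous pulse's polarity (bipolar violations)."""
    prev, violations = 0, 0
    for s in symbols:
        if s:
            if s == prev:
                violations += 1
            prev = s
    return violations


if __name__ == "__main__":
    sample = [1] + [0] * 8 + [1]                      # constructed: a 1, eight 0s, a 1
    for name, enc in (("AMI", ami_encode), ("B8ZS", b8zs_encode), ("HDB3", hdb3_encode)):
        line = enc(sample)
        print(name, line, "max zero run:", max_zero_run(line),
              "violations:", count_violations(line))
```

Running the script on the sample shows AMI producing eight consecutive zero-voltage symbols, while B8ZS and HDB3 both cap the run at three and carry two violations that a receiver configured for the same scheme reads back as zeros; a receiver configured for plain AMI would instead decode those violations as data errors, which is why the subscriber's equipment must match the carrier's scheme.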

Data-Link Layer Protocols

Data-link layer protocols are the third and final element of a basic WAN connection. Data-link layer protocols are found at layer two of the OSI model. They enable flow control, synchronization, integrity checking, and validation for data streams passing between the physical layer and the network layer (layer three in the OSI model). Module 2: Data-Link Layer Protocols explains data-link layer protocols in detail.

Module 1 Summary

In this module, you learned about the following:
- Three basic elements of a WAN connection:
  - Physical transmission media
  - Electrical signaling specifications
  - Data-link layer protocols
- Local loops and the public carrier networks that provide them
- Three types of circuits used to create a WAN connection:
  - Dedicated circuit
  - Permanent virtual circuit
  - Switched virtual circuit
- Electrical specifications and related technologies:
  - Digital signal hierarchies: DSX, CEPT Digital Signal Hierarchy, and the Japanese Digital Signal Hierarchy
  - Pulse code modulation
  - Time division multiplexing

Learning Check Module 1

1. What are the three basic elements of a WAN connection?

2. Which type of circuit is used to create T-, E-, and J-carrier lines?
a. Switched virtual circuit
b. Permanent circuit
c. Permanent virtual circuit
d. Switched circuit

3. Which digital signaling hierarchy forms the basis of E-carrier lines?
a. DSX
b. JSX
c. CEPT
d. EPT

4. How many DS0s are multiplexed into a T1-carrier line?
a. 16
b. 24
c. 20
d.

5. How many E0s are multiplexed into an E1-carrier line?
a. 16
b. 24
c. 20
d.

6. How many E1 signals are multiplexed to create the E3 signal used in E3-carrier lines?
a. 16
b. 24
c. 20
d. 32


Module 2: Data-Link Layer Protocols

Objectives

This module discusses two general-purpose data-link layer protocols: High-level Data Link Control (HDLC) and Point-to-Point Protocol (PPP). These protocols can be used to control the transfer of data over a WAN connection that is created using the physical media and electrical signaling specifications described in Module 1. This module also describes a network-layer tunneling protocol called Generic Routing Encapsulation (GRE).

After completing this module, you should be able to:
- Describe HDLC and its configuration options
- Describe the PPP suite and the configuration options associated with specific protocols within the suite
- Identify the phases of a PPP session
- Describe the purpose of link-aggregation protocols and the configuration options associated with Multilink Point-to-Point Protocol (MP)
- Describe GRE

Overview of the Data-Link Layer

Layer two of the Open Systems Interconnection (OSI) model is called the data-link layer. In simplest terms, the data-link layer describes the procedures (called protocols) that control data transfer across the physical infrastructure at layer one. To control data transfer, protocols at this layer perform two important functions:
- Establish a link between the sending peer and the receiving peer. (Peers are the devices at either end of a point-to-point link.)
- Reliably transfer data across that link.

Data-link layer WAN protocols establish point-to-point links, while data-link layer LAN protocols provide multipoint connections. In other words, only the two endpoints of a WAN connection (usually two WAN routers) communicate with one another, while all nodes in a LAN can communicate with all other nodes.

Data-Link Layer Protocols in the WAN

As mentioned in Module 1: Overview of WAN Connections, all WAN connections consist of three basic elements:
1. The physical transmission media
2. Electrical signaling specifications for generating, transmitting, and receiving signals through various transmission media
3. Data-link layer protocols that provide logical flow control for moving data between peers in the WAN

This course focuses on three technologies that provide the physical-layer elements of a WAN connection:
- Dedicated carrier lines
- Integrated Services Digital Network (ISDN)
- Digital Subscriber Line (DSL)

For each of these WAN connections, a subscriber can choose among several data-link layer protocols.

Most WAN routers prompt you to choose a data-link layer protocol by asking for your method of encapsulation and providing a list of supported data-link layer protocols. Encapsulation, in this sense, is the process of wrapping a network-layer protocol's packet (such as an IP packet) within a data-link layer protocol's frame. Encapsulating network-layer protocols enables their transfer across a point-to-point link.

This module discusses two general-purpose data-link layer protocols: High-level Data Link Control (HDLC) and Point-to-Point Protocol (PPP). PPP is the default encapsulation for many routers and is discussed in depth in this module. However, much of this discussion is informative. Unless you require changes to PPP's default operation, configuring PPP is mostly automatic.

In addition to HDLC and PPP, a number of data-link layer protocols, such as Link Access Procedure for D-Channel (LAPD), Frame Relay, and Asynchronous Transfer Mode (ATM) protocols, can encapsulate WAN traffic. LAPD is discussed in Module 4: ISDN WAN Connections, and the Frame Relay protocols are discussed in Module 6: Frame Relay. ATM technology is discussed in Module 5: DSL WAN Connections.

This module also describes two protocols that enable you to aggregate lines: Multilink PPP (MP) and Multilink Frame Relay (MFR). It then introduces the concept of tunneling and describes a tunneling protocol called Generic Routing Encapsulation (GRE). GRE is a network-layer protocol that is generally associated with security in a Virtual Private Network (VPN). VPNs establish secure communications over public networks such as the Internet and are discussed in depth in Module 7: Virtual Private Networks.

However, GRE can also be used in private WANs and in conjunction with data-link layer protocols as a solution to the following problems:
- To provide connectivity for legacy network-layer protocols
- To route multicast traffic through routers that are not configured for multicasting
- To connect LANs that use incompatible IP addresses

High-Level Data Link Control

HDLC is one of the oldest data-link layer protocols for the WAN. In fact, it predates the PC and was originally developed for mainframe environments. Because of this, HDLC was originally designed for use with primary and secondary devices, such as a mainframe with dumb terminals. Although HDLC has been updated for use in the PC environment, you may encounter the following terms, which originate from its early use:
- Normal Response Mode (NRM): A secondary device can transmit only when the primary device specifically instructs it to do so.
- Asynchronous Response Mode (ARM): A secondary device can initiate a transmission; however, the primary device controls the establishment and termination of the link.
- Asynchronous Balanced Mode (ABM): Devices at both ends of a connection are configured to be both primary and secondary devices and can establish a link, transmit data without permission, and terminate a link.

HDLC uses three different types of frames:
- Unnumbered frames establish a link.
- Supervisory frames carry error and flow control information.
- Information frames carry the network-layer packets across the WAN link.

Point-to-Point Protocol Suite

Although PPP is the name of a single protocol, most often PPP refers to an entire suite of protocols that are related to PPP. Most of the PPP suite is shown above. Specific protocols are briefly mentioned in this section to give you an overview of PPP; these protocols are then described in more depth in later sections.

Every PPP connection requires the peers to exchange frames from at least three protocols and to exchange them in a particular order:
1. Link Control Protocol (LCP)
2. One type of Network Control Protocol (NCP): the one appropriate to the data being delivered
3. PPP

Link Control Protocol

Other than PPP itself, LCP is probably the most important protocol in the PPP suite. LCP frames are used to establish, configure, and maintain the link between peers. LCP frames must establish a link between peers before a PPP frame can be transferred across that link.

Network Control Protocols

After LCP establishes a link, peers must exchange NCP frames before PPP frames can carry information over the link. Basically, NCPs carry information about how to control or manage other protocols, primarily network-layer protocols. The network-layer protocol used by the information in the PPP frame determines which type of NCP frames must be exchanged. For example, if the PPP frames are carrying IP packets, then IP Control Protocol (IPCP) frames must be exchanged before the PPP frames can be sent.

Point-to-Point Protocol

PPP frames carry the actual information being transferred over the link from the upper layers of the OSI model. In PPP terminology, this information is called a datagram.

Optional Protocols in the Suite

The remaining protocols in the PPP suite are optional. Examples of these optional protocols include:
- Encryption Control Protocol (ECP) is an NCP that can configure options for encrypting PPP datagrams.
- Link Quality Reporting (LQR) is a link configuration protocol that monitors how many frames are being dropped on the link.
- The authentication protocols provide different ways to verify passwords on links configured to require them.

Phases of a PPP Session

As the figure shows, a PPP session is divided into phases during which the various protocols may exchange frames. A PPP session proceeds in the following way:
1. During the link dead phase, the physical layer is unavailable, and there is no activity. If a peer wants to begin a session, it signals the physical layer and waits for the physical layer to indicate that it is now up. The session then enters the link establishment phase.
2. Peers exchange LCP frames during the link establishment phase. If the peers successfully establish a link, the session enters the authentication phase.
3. During the authentication phase, peers exchange authentication protocol frames. (Although authentication is optional, the session passes through this phase whether or not authentication was chosen.) If the sending peer authenticates successfully or if no authentication is necessary, the session then enters the network-layer protocol phase.
4. During the network-layer protocol phase, peers exchange NCP frames and PPP frames. More than one protocol per session can be used during this phase. For example, peers might exchange IPCP frames, then send PPP frames with IP datagrams, then exchange AppleTalk Control Protocol (ATCP) frames, then send PPP frames with AppleTalk datagrams, and so on.
5. During the link termination phase, peers exchange LCP link-termination frames. The session is then terminated and returns to the link dead phase.

Configuration Options

You can configure WAN routers (or other devices) to use optional protocols in the PPP suite. In addition, many protocols in the PPP suite, such as LCP, allow you to manually configure options. To choose a setting for an option, you may need to know the value assigned to the setting. For example, one of the authentication protocols discussed later in this module, the Challenge Handshake Authentication Protocol, allows you to choose among several authentication algorithms. To use the algorithm called MS-CHAP, you may need to know that it has been assigned the value 128 (although it is more likely that the router's software developers will provide a text option from which to choose). All values associated with PPP are controlled by the Internet Assigned Numbers Authority (IANA) and are updated at this URL:

When one of the peers in a PPP session has been configured to use protocols or options that are not used by default, the peers negotiate these options. They do so by exchanging configuration frames for the protocol in question. The figure shows a simplification of this frame-exchange process.

Most of the protocols in the PPP suite include the following (or similar) types of configuration frames:
- configure-request: The configure-request frame contains information about desired changes to the default configurations.
- configure-ack: If the peer that receives a configure-request recognizes and accepts all of the optional configurations, it returns a configure-ack.
- configure-nak: If the peer recognizes all optional configurations but refuses any or all of them, it returns a configure-nak. The configure-nak frame includes information about which options are refused and which values of that option the receiving peer is unable to accept.
- configure-reject: When a peer receives a configure-request that contains either unrecognizable configuration options or options that are non-negotiable, it returns a configure-reject.

Link Control Protocol Configuration Options

LCP frames are encapsulated in the Information Field of the PPP frame. LCP has a set of configuration options, and two PPP peers will use the default settings for these options unless one peer signals a request to change the default configuration. To request such a change, the peer sends an LCP configure-request frame, and this frame type is specified in the LCP Code field. The information about the configuration change is included in the LCP Data field. As shown here, the LCP Data field can contain information about multiple LCP configuration options. Configuration options that are not included in the configure-request frame remain at their default settings.

LCP configuration options include the following:

Maximum-Receive-Unit

When configuring a link, the peers must agree on how much data can be contained in the information field of PPP frames. The value that communicates this frame size is called the Maximum Receive Unit (MRU). The default value of the MRU is 1500 octets. To increase or decrease this value, the sending peer uses the maximum-receive-unit configuration option.

Quality-Protocol

The quality-protocol option indicates whether or not peers will use the Link Quality Report (LQR) protocol. LQR monitors the quality of a link by determining how much data is being dropped.

Magic-Number

The use of magic numbers enables the detection of looped-back links. When a link is looped back, frames are returned to the sending peer. Magic numbers are random numbers that the sending peer assigns to its frames. When the receiving peer replies, it augments the magic number in the reply frames. The sending peer can then detect the difference between sent frames and received frames. By default, peers insert a zero where a magic number would otherwise be inserted. If you use LCP echo-request, echo-reply, and discard-request frames to test a link, enabling the magic-number option is useful. Also, if you choose to enable LQR, you must enable the magic-number option.

Protocol-Field-Compression

The protocol-field-compression option allows peers to compress the information in the protocol field of PPP frames from the default two bytes to one byte. The IANA assigns a protocol field value for each protocol; typically, this value is less than 256. Because one byte is capable of representing the values 0 through 255, most protocol fields can be easily compressed to one byte.

Address-and-Control-Field-Compression

Enabling the address-and-control-field-compression option allows peers to compress the address and control fields in the PPP frames. These fields have static values and thus are compressed easily.

Authentication-Protocol

The authentication-protocol option turns on authentication and enables you to choose among the three authentication protocols available in the PPP suite. These authentication protocols are described in the next section.
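The configure-request / configure-ack / configure-nak / configure-reject exchange and the LCP option list above, worked through as code. This is an added example, not ProCurve code: it parses the Type/Length/Data option list that an LCP configure-request carries in its Data field, refusing malformed lengths rather than reading past the buffer, and then decides how a receiving peer answers. Unrecognized options draw a configure-reject (which takes precedence over a nak, as RFC 1661 specifies), recognized options with values this side will not accept draw a configure-nak carrying the acceptable values, and a clean request draws a configure-ack. Option type numbers and the PAP/CHAP protocol values are those assigned in RFC 1661 and by the IANA; the request payloads, the minimum MRU and the local policy of requiring CHAP are constructed for the example.

```python
"""Parsing and answering an LCP Configure-Request. Added example, not ProCurve code.
Option types and protocol numbers follow RFC 1661 / IANA; payloads are constructed."""
import struct

# LCP Configuration Option types (RFC 1661)
MRU, AUTH_PROTO, QUALITY_PROTO, MAGIC, PFC, ACFC = 1, 3, 4, 5, 7, 8
KNOWN_OPTIONS = {MRU, AUTH_PROTO, QUALITY_PROTO, MAGIC, PFC, ACFC}
# Authentication-Protocol values and CHAP algorithm numbers
PAP, CHAP = 0xC023, 0xC223
CHAP_MD5, MS_CHAP = 5, 128          # 128 is the MS-CHAP value mentioned in the text


class MalformedOption(ValueError):
    """Raised instead of silently truncating a bad Type/Length/Data option."""


def parse_options(data):
    """Return [(type, value_bytes), ...] from an LCP Data field, with bounds checks."""
    opts, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise MalformedOption("truncated option header at offset %d" % pos)
        typ, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise MalformedOption("bad length %d for option type %d" % (length, typ))
        opts.append((typ, bytes(data[pos + 2:pos + length])))
        pos += length
    return opts


def is_malformed(data):
    """True when parse_options refuses the buffer (used by the checks below)."""
    try:
        parse_options(data)
    except MalformedOption:
        return True
    return False


def encode_options(opts):
    """Inverse of parse_options: build the option list that goes into a reply frame."""
    return b"".join(bytes([typ, len(val) + 2]) + val for typ, val in opts)


def negotiate(request, min_mru=576, allowed_auth=((CHAP, CHAP_MD5),)):
    """Decide how a receiving peer answers a parsed Configure-Request.

    Returns ('reject', opts) listing only the unrecognised options, else
    ('nak', opts) carrying the values this side would accept, else ('ack', request).
    Reject takes precedence over Nak, as RFC 1661 requires."""
    rejects = [(t, v) for t, v in request if t not in KNOWN_OPTIONS]
    if rejects:
        return "reject", rejects
    naks = []
    for typ, val in request:
        if typ == MRU:
            if len(val) != 2:
                raise MalformedOption("MRU option must carry exactly 2 bytes")
            if struct.unpack("!H", val)[0] < min_mru:
                naks.append((MRU, struct.pack("!H", min_mru)))   # suggest our minimum
        elif typ == AUTH_PROTO:
            if len(val) < 2:
                raise MalformedOption("Authentication-Protocol option too short")
            proto = struct.unpack("!H", val[:2])[0]
            algo = val[2] if proto == CHAP and len(val) > 2 else None
            if (proto, algo) not in allowed_auth:                # e.g. PAP offered, CHAP required
                want_proto, want_algo = allowed_auth[0]
                suggestion = struct.pack("!H", want_proto)
                if want_algo is not None:
                    suggestion += bytes([want_algo])
                naks.append((AUTH_PROTO, suggestion))
    return ("nak", naks) if naks else ("ack", request)


if __name__ == "__main__":
    # Constructed request: MRU 1500, PAP, a magic number, and an unknown option type 0x1f
    raw = bytes.fromhex("010405dc" "0304c023" "0506deadbeef" "1f03aa")
    print(negotiate(parse_options(raw)))                          # -> reject the unknown option
    raw = bytes.fromhex("010405dc" "0304c023" "0506deadbeef")
    print(negotiate(parse_options(raw)))                          # -> nak, suggesting CHAP/MD5
    raw = bytes.fromhex("010405dc" "0305c22305" "0506deadbeef")
    print(negotiate(parse_options(raw)))                          # -> ack
```

The three runs in the script mirror the frame sequence a peer sees when it first offers PAP together with an option the other side does not implement: the unknown option is rejected first, then the authentication choice is nak'd with CHAP suggested, and only the third request is acknowledged.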

Authentication Protocols

Authentication for the PPP suite is what most people think of as password protection. In other words, the user must provide a password to set up the PPP link. The PPP protocol suite includes three authentication protocols:
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
- Extensible Authentication Protocol (EAP)

For this discussion, the peer that requires authentication is called the authenticator. The peer that wants to establish a link with the authenticator is called simply the peer. For example, when you connect to the Internet from a home computer, your modem or broadband router is the peer. Your Internet service provider's router requires a password and is the authenticator.

PAP

PAP is the simplest possible authentication scheme. The peer is provided a password, and the authenticator knows what that password is. The peer sends its password to the authenticator. The authenticator acknowledges the password, and the link is established.

CHAP

Passwords in PAP pass directly over the wire. Anyone capable of tapping into the wire can obtain the password. CHAP solves this security problem by using the following process:
1. The authenticator challenges the peer.
2. The peer combines its password with a string of text and then performs a calculation called hashing on the resulting string. Hashing produces a fixed-length hash value, which the peer sends to the authenticator.
3. The authenticator knows both the agreed-upon string of text and the peer's password. The authenticator performs the same hashing calculation and compares its hash value to the hash value it received from the peer.
4. If the hash values match, the authenticator acknowledges the authentication, and the authenticator and the peer can proceed with the link. If the hash values do not match, the authenticator continues to issue challenges until the peer returns a matching hash value or runs out of retry attempts.
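The CHAP process above as a two-sided exchange in code. This is an added example, not ProCurve code: it implements the MD5 form defined in RFC 1994, where the hash value is MD5 over the frame Identifier, the shared secret and the challenge, so the secret itself never crosses the link. The authenticator makes each challenge single-use and compares hashes in constant time, and a small PAP helper shows, for contrast, what a PAP request would put on the wire. The peer name, the secret and the fixed-byte random source used in the checks are constructed for the example.

```python
"""CHAP challenge/response (RFC 1994, MD5 algorithm). Added example, not ProCurve code.
Response = MD5(Identifier || secret || Challenge); names and secrets are constructed."""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Hash value the peer returns for a given challenge (RFC 1994, algorithm 5)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges and holds each peer's shared secret."""

    def __init__(self, secrets):
        self.secrets = secrets        # name -> shared secret, kept locally
        self.pending = {}             # identifier -> outstanding challenge value

    def challenge(self, identifier, rng=os.urandom):
        value = rng(16)               # fresh, unpredictable challenge each time
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier, name, response):
        challenge = self.pending.pop(identifier, None)   # a challenge is single-use
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


class Peer:
    """The side that wants the link; it proves knowledge of the secret without sending it."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(authenticator, peer, identifier=1, rng=os.urandom):
    """One full exchange: Challenge -> Response -> Success/Failure (as True/False)."""
    ident, value = authenticator.challenge(identifier, rng)
    name, response = peer.respond(ident, value)
    return authenticator.verify(ident, name, response)


def pap_on_the_wire(name, password):
    """For contrast: the credential a PAP Authenticate-Request carries in clear text."""
    return name.encode() + b":" + password


if __name__ == "__main__":
    auth = Authenticator({"branch-rtr": b"constructed-secret"})   # constructed peer and secret
    print("good secret:", run_handshake(auth, Peer("branch-rtr", b"constructed-secret")))
    print("bad secret: ", run_handshake(auth, Peer("branch-rtr", b"guess")))
    print("PAP exposes:", pap_on_the_wire("branch-rtr", b"constructed-secret"))
```

Because the authenticator discards a challenge once it has been answered and issues a new random one for every attempt, a hash value captured from the link is useless for a later attempt; this is the property that makes CHAP safer than PAP against someone tapping the wire, and it is also why step 4 above can keep reissuing challenges without weakening the scheme.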

EAP

CHAP is more secure than PAP, but it is not the most secure authentication protocol available today. EAP makes it possible for PPP to use authentication schemes that are not part of its own protocol suite. For example, the authenticator and the peer might use the authentication scheme defined by a network operating system. In this case, EAP encapsulates the authentication information from the network operating system and transmits it over the PPP link. Although EAP enables you to use authentication schemes, it is not actually an authentication protocol.

NCP

PPP supports NCPs for many network-layer protocols, including IP, IPX, AppleTalk, and Systems Network Architecture (SNA). Each protocol in the NCP family has a unique set of configuration options. These options specify parameters required by the protocol that the NCP is managing. For example, IPCP includes configuration options that communicate important IP addresses, such as the addresses of the primary and secondary Domain Name Services (DNS) servers, to the receiving peer before frames are sent. Most of the other network-layer NCPs include a configuration option that serves a similar purpose.

IPCP also includes an IP-Compression-Protocol configuration option, which indicates a request to compress the IP datagram in the PPP frames. Most of the other network-layer NCPs include configuration options that similarly indicate requests to compress their respective network-layer protocol packets encapsulated in the PPP frames. For more information about IPCP and other network-layer protocol configuration options, see

Compression Control Protocol

The PPP suite includes a protocol that enables data compression across the link: Compression Control Protocol (CCP). The CCP configuration options enable you to specify which type of data-compression algorithm is applied to the datagrams. CCP can support nearly any compression algorithm. The IANA has already assigned numbers to many of these compression algorithms, including those listed above. Developers of compression algorithms can apply to have the IANA assign a number to their algorithm.

Some developers may not need to get an IANA-assigned number. Organizations that have purchased an Organizationally Unique Identifier (OUI) from the Institute of Electrical and Electronics Engineers (IEEE) can use their OUIs to identify proprietary blocks of code, including compression algorithms and encryption keys. (An OUI must be purchased by any organization that assigns MAC addresses to hardware; the OUI is the first 24 bits of a MAC address.) CCP includes the option to identify compression algorithms by an OUI.

Encryption Control Protocol

The PPP suite includes a protocol that enables data encryption across the link: Encryption Control Protocol (ECP). To encrypt text, devices that support ECP apply a mathematical algorithm to the text, and this algorithm transforms the text into unreadable ciphertext. The algorithm takes a parameter known as the key. Only devices with the appropriate key can decrypt the encrypted text.

The configuration options in ECP enable you to specify which type of encryption algorithm to apply to the datagrams. Like CCP, ECP includes the option to use proprietary encryption methods (indicated by their association with OUIs). The IANA has also assigned values to standard encryption methods, such as the Data Encryption Standard (DES) and the Triple Data Encryption Standard (3DES). (DES and 3DES are described in Module 7: Virtual Private Networks.)

Overview of Link-Aggregation Protocols

PPP and other data-link layer protocols, such as Frame Relay, establish a single point-to-point connection, which may not provide sufficient bandwidth to meet a business's requirements. Link-aggregation protocols address this limitation.

Theoretically, link aggregation is a simple idea: effectively double your available bandwidth by using two physical cables to connect your endpoints instead of only one, triple your bandwidth by using three cables, quadruple your bandwidth by using four cables, and so on. For example, you could aggregate two Mbps T1 connections into a single virtual network connection with an underlying bandwidth of Mbps.

However, to take advantage of multiple physical cables, data-link layer protocols must be modified to fragment frames into smaller frames that can be passed simultaneously over separate cables and then reassembled by the receiving peer. Link-aggregation protocols, including Multilink PPP (MP) and Multilink Frame Relay (MFR), do exactly that. The following sections describe MP, as well as two protocols that can be used with MP: Bandwidth Allocation Protocol (BAP) and Bandwidth Allocation Control Protocol (BACP).

Multilink PPP

As its name suggests, MP is an extension to PPP. There are only two differences between regular PPP and MP:
- MP introduces three additional configuration options for LCP.
- An MP header is added to the information field in the PPP frame format.

This section discusses the additional LCP configuration options.

Maximum Receive Reconstructed Unit

The Maximum Receive Reconstructed Unit (MRRU) configuration option provides two important functions:
- The inclusion of the MRRU in an LCP configure-request frame indicates that the sending peer wants to use MP. If the receiving peer acknowledges the option, it must assume that all of the frames received on different cables from the same peer should be processed as part of the same point-to-point link. The MRRU is required if a peer wants to use MP.
- The MRRU replaces the MRU. The MRU specifies the size of the frame that can be sent over a link; the MRRU specifies the frame size once all fragments are reassembled. The default for the MRRU, like the default for the MRU, is 1500 octets.

Short Sequence Number Header Format

The sequence number assigns an order to frame fragments so they can be properly reassembled. The MP header can have a long sequence number or a short one. A short sequence number is 12 bits and enables a frame to be split into a little less than 5,000 fragments. The 24-bit long sequence number provides enough bits to create more than 16 million fragments. Unless you are bundling a large number of cables together, the short sequence number is probably sufficient. The long sequence number is the default, so if a peer wants to use the short number, it must request this option.

Endpoint Discriminator Options

When using MP, the receiving peer gets frame fragments from different cables. Because this is the case, the receiving peer must be able to distinguish between multiple sending peers. The receiving peer can distinguish between sending peers in one of three ways:
- Authentication
- Endpoint discriminator
- Manual configuration

Authentication

Using the normal PPP authentication option enables one peer to recognize fragments from the same authenticated peer.

Endpoint Discriminator

On links where authentication is not required, the endpoint discriminator option can be used instead. The endpoint discriminator enables a peer to distinguish frames from sending peers based on one of the following:
- A locally assigned network address
- An IP address
- A MAC address
- A PPP magic number
- A telephone number

Authentication and an endpoint discriminator can also be used together to provide a more secure method of distinguishing between peers.

Manual Configuration

In a situation where a dedicated bundle is set up between endpoints, the links can be manually configured to accept all frames from the bundle as if they are coming from the same peer. (A bundle is a group of aggregated links.)
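The MP header and the fragmentation it supports, worked through in code. This is an added example, not ProCurve code: it builds the MP header in both the long (24-bit) and short (12-bit) sequence-number formats laid out in RFC 1990, with the beginning (B) and ending (E) flags, splits a datagram into fragments spread round-robin across member links, and reassembles fragments that arrive in any order from any link. The reassembler refuses to deliver a datagram when a fragment is missing or the B/E flags are inconsistent, which is the behaviour a receiving peer needs so that fragments from a dropped link cannot produce a truncated frame. The datagram, fragment size and link count are constructed.

```python
"""Multilink PPP fragmentation and reassembly (RFC 1990 header formats).
Added example, not ProCurve code; the datagram and link layout are constructed."""
import random


def max_fragments(short):
    """How many distinct sequence numbers each header format provides."""
    return 1 << 12 if short else 1 << 24


def mp_header(seq, first, last, short=False):
    """Build the MP header: B flag, E flag, then a 12- or 24-bit sequence number."""
    if seq >= max_fragments(short):
        raise ValueError("sequence number %d does not fit the header" % seq)
    flags = (0x80 if first else 0) | (0x40 if last else 0)
    if short:
        return bytes([flags | ((seq >> 8) & 0x0F), seq & 0xFF])   # B E 0 0 + 12-bit seq
    return bytes([flags]) + seq.to_bytes(3, "big")               # B E 000000 + 24-bit seq


def parse_header(fragment, short=False):
    """Return (first, last, seq, payload) from a fragment that starts with an MP header."""
    flags = fragment[0]
    if short:
        seq, payload = ((flags & 0x0F) << 8) | fragment[1], fragment[2:]
    else:
        seq, payload = int.from_bytes(fragment[1:4], "big"), fragment[4:]
    return bool(flags & 0x80), bool(flags & 0x40), seq, payload


def fragment(datagram, n_links, size, seq0=0, short=False):
    """Split a datagram into fragments of at most `size` bytes, spread round-robin
    over `n_links` member links. Returns [(link_index, fragment_bytes), ...]."""
    pieces = [datagram[i:i + size] for i in range(0, len(datagram), size)] or [b""]
    out = []
    for k, piece in enumerate(pieces):
        hdr = mp_header(seq0 + k, k == 0, k == len(pieces) - 1, short)
        out.append((k % n_links, hdr + piece))
    return out


def reassemble(fragments, short=False):
    """Rebuild the datagram from fragments received in any order on any link.

    Returns None when a fragment is missing or the B/E flags are inconsistent,
    which is what a receiver should do rather than deliver a partial datagram."""
    parsed = sorted((parse_header(f, short) for f in fragments), key=lambda p: p[2])
    if not parsed or not parsed[0][0] or not parsed[-1][1]:
        return None                          # no B on first or no E on last fragment
    for k, (first, last, seq, _) in enumerate(parsed):
        if seq != parsed[0][2] + k:
            return None                      # gap in the sequence: a fragment is missing
        if (first and k != 0) or (last and k != len(parsed) - 1):
            return None                      # stray B or E flag in the middle
    return b"".join(p[3] for p in parsed)


if __name__ == "__main__":
    datagram = bytes(range(100))             # constructed 100-byte datagram
    frags = fragment(datagram, n_links=2, size=30, short=True)
    order = [f for _, f in frags]
    random.shuffle(order)                    # fragments arrive interleaved across links
    print("reassembled OK:", reassemble(order, short=True) == datagram)
    print("with one lost: ", reassemble(order[:-1], short=True))
```

The sequence number is what lets the receiver put fragments from different cables back in order; `max_fragments` returns 4,096 for the short format and 16,777,216 for the long one, which is the capacity difference the text describes.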

Bandwidth Allocation Protocol

Bandwidth Allocation Protocol (BAP) is a link management protocol that can be used with MP to improve the management of multiple links. BAP configures, maintains, or terminates individual links in a bundle. MP can be used without BAP, but when using MP alone, peers do not coordinate the adding and dropping of individual links. Like PPP, MP uses LCP to set up the initial link and to terminate the final one. Without BAP, however, peers can add or drop individual links indiscriminately. If a peer tries to send frames over a link that another peer has dropped, those frames are dropped.

Using BAP requires adding another configuration option to LCP: the link-discriminator option. Negotiation of this option is required. It allows each link in a bundle to be numbered so that BAP can keep track of the individual links.

Keep in mind that BAP doesn't replace LCP. LCP frames must still be used to configure the first link during the link configuration phase. (This includes configuring the MRRU and other options added by MP, the link-discriminator option required by BAP, and the authentication and other LCP options available to basic PPP.)

When BAP is being used, peers must exchange the following frames:
- LCP frames that contain both the MRRU configuration option and a link-discriminator option
- BACP frames, to configure options for BAP
- BAP frames, to configure the multiple links being used
- NCP frames, for the appropriate layer-3 protocol
- MP frames

BACP is explained in a later section.

Bandwidth Allocation Protocol Frames

Some BAP configuration options are required in certain frame types and optional in others. To understand when an option is required, you must first understand the BAP frame types. The request frames are described here; each BAP request frame has a corresponding response frame, as shown in the figure above.

Link Configuration Frames: A peer sends a call-request frame to request that a new link be added. A peer can instead send a callback-request, which asks the other peer to add the link by calling back on that link.

Link Maintenance Frames: Every time a link is added by either a call-request or a callback-request, a call-status-indication frame must be sent to report whether the new link was successfully added.

Link Termination Frames: If a peer determines that a link in a bundle is no longer needed, it can send a link-drop-query-request. Unlike LCP terminate-requests, which must always be acknowledged, a link-drop-query-request can be refused. If the request is acceptable, the peer sends an LCP terminate-request on that particular link to close it.

BAP Configuration Options

The table above summarizes which BAP configuration options are required, and which are optional, in each type of BAP frame.

Link-Type Option: Specifies the speed and the type of link. Peers must include the link-type option in call-request and callback-request frames. In call-response and callback-response frames, peers may (but need not) include the link-type information.

Phone-Delta Option: Provides either an actual phone number or some other unique identifier for the port to which a link is connected. Peers must include it in callback-request and call-response frames and may include it in a call-status-indication frame.

No-Phone-Number Option: Tells the receiving peer that the sending peer already has its phone number. A call-request frame can include the no-phone-number option; when it does, the peer must not include the phone-delta option in the call-response frame.

Link-Discriminator Option: Designates which link the peer wants to drop, using the link discriminator number assigned by LCP. This option is required in link-drop-query-request frames.

Call-Status Option: Used only in call-status-indication frames. A value of 0 indicates that the call succeeded; other values indicate why the call failed. The call-status option also indicates whether the peer should retry adding the link.

Reason Option: Contains an ASCII text string that describes the reason for a request or response. Peers can include the reason option in any BAP frame. Because it is free-form text chosen by the remote peer, treat it as untrusted input: record it, but never act on its contents.
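The option rules above, as an added example that is not part of the course material: a small BAP frame builder and parser plus a validator that applies the required/permitted rules exactly as the text states them. The numeric frame and option type codes are taken from RFC 2125 as assumed here (the course names the frames and options but gives no codes, so check them against the RFC); the link-speed value and phone number in the usage are constructed:

```python
import struct

# Datagram and option type codes as assigned in RFC 2125 (assumed here; verify against the RFC).
CALL_REQUEST, CALL_RESPONSE = 1, 2
CALLBACK_REQUEST, CALLBACK_RESPONSE = 3, 4
LINK_DROP_QUERY_REQUEST, LINK_DROP_QUERY_RESPONSE = 5, 6
CALL_STATUS_INDICATION, CALL_STATUS_RESPONSE = 7, 8
RESPONSES = {CALL_RESPONSE, CALLBACK_RESPONSE, LINK_DROP_QUERY_RESPONSE, CALL_STATUS_RESPONSE}

OPT_LINK_TYPE, OPT_PHONE_DELTA, OPT_NO_PHONE_NUMBER = 1, 2, 3
OPT_REASON, OPT_LINK_DISCRIMINATOR, OPT_CALL_STATUS = 4, 5, 6
NAMES = {1: "link-type", 2: "phone-delta", 3: "no-phone-number", 4: "reason",
         5: "link-discriminator", 6: "call-status"}

# Option rules as the course text states them: what each frame type must carry and may carry.
# Reason is permitted in every frame and is handled separately.
REQUIRED = {
    CALL_REQUEST: {OPT_LINK_TYPE},
    CALLBACK_REQUEST: {OPT_LINK_TYPE, OPT_PHONE_DELTA},
    CALL_RESPONSE: {OPT_PHONE_DELTA},
    LINK_DROP_QUERY_REQUEST: {OPT_LINK_DISCRIMINATOR},
}
ALLOWED = {
    CALL_REQUEST: {OPT_LINK_TYPE, OPT_NO_PHONE_NUMBER},
    CALL_RESPONSE: {OPT_LINK_TYPE, OPT_PHONE_DELTA},
    CALLBACK_REQUEST: {OPT_LINK_TYPE, OPT_PHONE_DELTA},
    CALLBACK_RESPONSE: {OPT_LINK_TYPE},
    LINK_DROP_QUERY_REQUEST: {OPT_LINK_DISCRIMINATOR},
    LINK_DROP_QUERY_RESPONSE: set(),
    CALL_STATUS_INDICATION: {OPT_PHONE_DELTA, OPT_CALL_STATUS},
    CALL_STATUS_RESPONSE: set(),
}

def encode_options(options) -> bytes:
    """Type-Length-Value list; the length octet counts the two header octets as well."""
    out = bytearray()
    for opt_type, value in options:
        if len(value) > 253:
            raise ValueError("option value too long for a one-octet length")
        out += bytes([opt_type, len(value) + 2]) + value
    return bytes(out)

def decode_options(buf: bytes):
    """Parse TLVs, refusing lengths that are too short or that run past the end of the frame."""
    options, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated option header at offset %d" % i)
        opt_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        options.append((opt_type, buf[i + 2:i + length]))
        i += length
    return options

def build_frame(frame_type: int, ident: int, options, response_code: int = None) -> bytes:
    """Type | Identifier | Length | [Response Code, responses only] | Options."""
    body = encode_options(options)
    if frame_type in RESPONSES:
        if response_code is None:
            raise ValueError("responses carry a response code")
        body = bytes([response_code]) + body
    return struct.pack(">BBH", frame_type, ident, 4 + len(body)) + body

def parse_frame(buf: bytes):
    if len(buf) < 4:
        raise ValueError("truncated BAP frame")
    frame_type, ident, length = struct.unpack(">BBH", buf[:4])
    if length != len(buf):
        raise ValueError("length field %d does not match %d octets received" % (length, len(buf)))
    body, code = buf[4:], None
    if frame_type in RESPONSES:
        if not body:
            raise ValueError("response without response code")
        code, body = body[0], body[1:]
    return frame_type, ident, code, decode_options(body)

def validate(frame_type: int, options, request_had_no_phone_number: bool = False):
    """Return the list of rule violations (empty when the frame is acceptable)."""
    present = {opt_type for opt_type, _ in options}
    required = set(REQUIRED.get(frame_type, set()))
    problems = []
    if frame_type == CALL_RESPONSE and request_had_no_phone_number:
        required.discard(OPT_PHONE_DELTA)   # the requester already has the number
        if OPT_PHONE_DELTA in present:
            problems.append("phone-delta sent although the call-request carried no-phone-number")
    for opt_type in sorted(required - present):
        problems.append("missing required option %s" % NAMES.get(opt_type, opt_type))
    for opt_type in sorted(present - ALLOWED.get(frame_type, set()) - {OPT_REASON}):
        problems.append("option %s not permitted in frame type %d" % (NAMES.get(opt_type, opt_type), frame_type))
    return problems
```

The no-phone-number rule spans two frames, which is why the validator takes the state of the preceding request as an argument: a response cannot be judged on its own contents alone.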

Bandwidth Allocation Control Protocol

BACP is an NCP that manages configuration options for BAP. Before peers can exchange BAP frames, they must exchange BACP frames to negotiate which peer is favored in the event of a race, that is, when both peers transmit BAP requests at the same time. In that case only the favored peer's BAP request is acted on. BACP accomplishes this with configure-request frames that carry the favored-peer configuration option, which contains a magic number chosen by each peer; the peer with the lower magic number becomes the favored peer (if both propose the same value, a new value must be negotiated). (To review magic numbers, see the "Link Control Protocol Configuration Options" section earlier in this module.)

Tunneling Overview

A tunnel is a virtual point-to-point link across a multipoint-access network such as the Internet; in a sense, a tunnel emulates a WAN link. Most data-link layer protocols used in WAN connections:
- Encapsulate other protocols
- Set up a point-to-point link

Tunnels provide these same two services over the Internet or in an extranet. They can also be used in a private WAN when some traffic is incompatible with the intermediate routers.

Using tunnels over the Internet or in an extranet usually requires additional security to protect the data being exchanged. Those requirements are discussed in Module 7: Virtual Private Networks. This section focuses on how tunnels can be used to route incompatible traffic through intermediate routers. When incompatible traffic is encapsulated in a tunnel, the routers between the tunnel endpoints forward only the outer packet and never examine the inner traffic. A tunnel therefore also hides the inner addresses from intermediate routers. Note that this hiding is not confidentiality: without encryption (GRE on its own, for example) the inner packet, its addresses and its payload cross the network in the clear and can be read by anyone on the path. Where that matters, the tunnel needs the protection described in Module 7.

Three tunneling protocols are briefly introduced here:
- Generic Routing Encapsulation (GRE)
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)

GRE can encapsulate multiple network-layer, data-link layer, or multicast protocols in an IP packet. The outer IP header is addressed to the far tunnel endpoint, so the encapsulated packet is forwarded across the IP network (such as the Internet) like any other IP packet, which is what creates the virtual point-to-point link. (Early GRE also defined an optional source-routing field; the current specification, RFC 2784, relies only on ordinary IP forwarding of the outer packet.) GRE is described more fully in the next section.

PPTP is a tunneling protocol developed by Microsoft together with several vendor partners and later published as the informational RFC 2637. It encapsulates PPP and creates a tunnel for the PPP frame through an IP network. In the PPTP tunneling system, PPP handles the encapsulation of the network-layer or multicast traffic.

L2TP is an Internet Engineering Task Force (IETF) standard (RFC 2661) based on PPTP and on the proprietary Layer 2 Forwarding (L2F) protocol created by Cisco Systems. Like PPTP, L2TP relies on PPP for encapsulation and then routes the PPP frames through an IP network. The main difference between the two is that L2TP can use IP Security (IPsec) for authentication and encryption, whereas PPTP uses proprietary or PPP-based authentication and encryption. (For more information about IPsec, see Module 7: Virtual Private Networks.)

Generic Routing Encapsulation

GRE can transmit a variety of protocols over an IP network. Its protocol-type field uses the same identifiers (EtherType values) that Ethernet uses, so GRE can encapsulate any protocol that Ethernet can. GRE encapsulates another protocol's packet inside a GRE packet, which in turn is encapsulated inside an IP packet (IP protocol number 47). This section briefly describes several situations, other than security situations, where GRE is useful.

Legacy Protocol Connectivity: In a network that still uses network-layer protocols such as AppleTalk, Microsoft's NetBIOS (NetBEUI), or Novell IPX, GRE can carry those protocols across the WAN even when the intermediate routers do not support them or are not configured to route them. With GRE, such protocols can also be carried across the Internet.
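The encapsulation just described, as an added example that is not part of the course (GRE header per RFC 2784 with the optional checksum, inside a minimal IPv4 header). The tunnel endpoint addresses, the stand-in IPX bytes and the TTL are assumptions chosen for illustration. It shows what the ingress endpoint sends, what an intermediate router sees, and the checks the egress endpoint should apply before handing the inner packet to a legacy protocol stack:

```python
import socket
import struct

IPPROTO_GRE = 47           # outer IP header protocol number for GRE
ETHERTYPE_IPX = 0x8137     # GRE protocol-type field reuses EtherType values; IPX as the legacy example

def inet_checksum(data: bytes) -> int:
    """16-bit ones' complement checksum used by IP and, when the C bit is set, by GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encap(proto_type: int, inner: bytes) -> bytes:
    """GRE header with C=1, reserved0=0, version 0, followed by checksum and the inner packet."""
    head = struct.pack(">HHHH", 0x8000, proto_type, 0, 0)          # checksum field zero while computing
    csum = inet_checksum(head + inner)
    return struct.pack(">HHHH", 0x8000, proto_type, csum, 0) + inner

def gre_decap(gre: bytes):
    """Validate a GRE packet and return (proto_type, inner)."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto_type = struct.unpack(">HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("GRE version %d not supported" % (flags & 7))
    if flags & 0x7FF8:
        raise ValueError("reserved0 bits set (key/sequence extensions not handled here)")
    if flags & 0x8000:
        if len(gre) < 8:
            raise ValueError("truncated GRE checksum field")
        if inet_checksum(gre) != 0:                                  # sum over header+payload must be zero
            raise ValueError("GRE checksum mismatch")
        return proto_type, gre[8:]
    return proto_type, gre[4:]

def ipv4_encap(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal outer IPv4 header (no options) with its header checksum filled in."""
    head = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    return head[:10] + struct.pack(">H", inet_checksum(head)) + head[12:] + payload

def tunnel_send(src: str, dst: str, proto_type: int, inner: bytes) -> bytes:
    """Ingress endpoint: IP(src -> dst, protocol 47) / GRE / inner packet."""
    return ipv4_encap(src, dst, IPPROTO_GRE, gre_encap(proto_type, inner))

def tunnel_receive(pkt: bytes):
    """Egress endpoint: check the outer IPv4 header, then decapsulate."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack(">H", pkt[2:4])[0]
    if ihl < 20 or total > len(pkt) or total < ihl:
        raise ValueError("bad IPv4 length fields")
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    return gre_decap(pkt[ihl:total])

def outer_view(pkt: bytes):
    """The only fields an intermediate router acts on: outer source, destination and protocol."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9]
```

The checksum catches corruption, not tampering: anyone on the path can rewrite the inner packet and recompute it. That is the point made in the tunneling overview, and it is why a GRE tunnel that crosses an untrusted network is normally carried inside IPsec.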

Multicast Routing: Multicast routing can be set up at the network layer or at the data-link layer. Within a single LAN, a data-link layer protocol such as Ethernet handles multicast traffic easily. When WAN traffic is combined with traffic from multiple LANs, however, multicast routing protocols, which operate at layer 3, are more robust; Distance Vector Multicast Routing Protocol (DVMRP) and Multicast Open Shortest Path First (MOSPF) are examples. Configuring protocols such as DVMRP and MOSPF on every router can be time-consuming and inconvenient. Using GRE to hide the multicast traffic from intermediate routers can make that configuration unnecessary, because only the tunnel endpoints need to run a multicast routing protocol.

Incompatible IP-Address Connectivity: If a corporation merges two LANs whose IP addressing is incompatible, it can use GRE to route between those LANs without manually changing IP addresses on multiple stations.

PPTP

Although PPTP is a tunneling protocol, it was designed to give remote users a secure connection back to their own network over a dial-up connection to an Internet service provider (ISP), in other words to create a Virtual Private Network (VPN). (VPNs are discussed in depth in Module 7: Virtual Private Networks.) As a result, it supports both encryption and authentication.

The two devices establishing a PPTP tunnel first use PPP to create the initial connection. They then use a TCP session (TCP port 1723) to exchange control and management information, and use the PPP connection to establish the tunnel. With PPTP, the control connection is maintained separately from the tunnel. As the figure shows, PPTP uses GRE (IP protocol 47) to encapsulate the PPP data packets; it also adds an IP header and a media header. The media header defines how the packet is transmitted: for example, the packet could be transported over PPP, Frame Relay, or Ethernet. Because the tunnel data is GRE rather than TCP or UDP, a firewall in the path has to permit IP protocol 47 in addition to TCP port 1723.

To secure the data transmitted across the tunnel, PPTP can use Microsoft Point-to-Point Encryption (MPPE) or PPP's native encryption algorithms. PPTP also supports PPP's authentication mechanisms, such as PAP, CHAP, and EAP. Keep in mind that PPTP's security rests entirely on these PPP-layer mechanisms: PAP sends the password in the clear, and the MS-CHAP/MPPE combination has well-known weaknesses, so PPTP is no longer considered a strong VPN choice. Prefer L2TP with IPsec (next section) where a secure tunnel is required.

L2TP

Unlike PPTP, L2TP uses the same tunnel to exchange control messages and data packets; both are carried over UDP port 1701. Combining the two channels makes it easier for companies to configure their firewalls and manage access to their internal networks, because a single UDP port rule covers the tunnel instead of a TCP rule plus a GRE protocol rule.

Another difference between PPTP and L2TP is L2TP's use of UDP rather than TCP. UDP is considered more efficient than TCP, creating less overhead.

The two devices establishing an L2TP tunnel exchange control messages to create the tunnel. Once the tunnel is established, the sending device encapsulates each packet in PPP and then in L2TP. Next, the sending device adds a UDP header and an IP header. Finally, it adds the media header.

For security, L2TP supports IP Security (IPsec), which is discussed in detail in Module 7: Virtual Private Networks. L2TP itself provides no encryption: without IPsec, the PPP frames and everything inside them cross the network in the clear, which is why L2TP/IPsec is the form normally deployed for a VPN.
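The firewall point made for PPTP and L2TP, as an added example that is not part of the course: a classifier that labels tunnel packets from the outer headers alone, the way a packet filter sees them, and derives the permits each tunnel type needs. The sample packets are constructed inline (addresses, ports and the abbreviated L2TP/GRE headers are assumptions), and the well-known values (TCP 1723, UDP 1701, IP protocol 47, GRE protocol type 0x880B for PPP in PPTP) are the ones the protocols use:

```python
import socket
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
PPTP_CONTROL_PORT = 1723      # PPTP control connection: TCP (RFC 2637)
L2TP_PORT = 1701              # L2TP control and data share one UDP port (RFC 2661)
GRE_PROTO_PPP = 0x880B        # protocol-type PPTP writes into its GRE header for PPP payloads

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed outer IPv4 header for the samples (checksum left zero; not checked here)."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def classify(pkt: bytes) -> str:
    """Label a packet using only the outer headers a firewall inspects."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    proto, l4 = pkt[9], pkt[ihl:]
    if len(l4) < 4:
        return "truncated"
    if proto == IPPROTO_GRE:
        flags, ptype = struct.unpack(">HH", l4[:4])
        if (flags & 0x0007) == 1 and ptype == GRE_PROTO_PPP:
            return "pptp-data"        # enhanced GRE (version 1) carrying PPP: the PPTP tunnel itself
        return "gre"                  # plain GRE (RFC 2784), e.g. a legacy-protocol tunnel
    sport, dport = struct.unpack(">HH", l4[:4])
    if proto == IPPROTO_TCP and PPTP_CONTROL_PORT in (sport, dport):
        return "pptp-control"
    if proto == IPPROTO_UDP and L2TP_PORT in (sport, dport):
        return "l2tp"                 # control and data are indistinguishable from outside
    return "other"

def required_permits(labels) -> set:
    """Firewall permits needed for the tunnel types seen: PPTP needs a port rule AND a protocol rule,
    L2TP needs one UDP rule."""
    needed = set()
    for label in labels:
        if label == "pptp-control":
            needed.add(("tcp", PPTP_CONTROL_PORT))
        elif label in ("pptp-data", "gre"):
            needed.add(("ip-proto", IPPROTO_GRE))
        elif label == "l2tp":
            needed.add(("udp", L2TP_PORT))
    return needed

# Constructed samples: one packet of each kind, payload headers abbreviated to what classify() reads.
SAMPLES = {
    "pptp-control": ipv4("203.0.113.10", "198.51.100.1", IPPROTO_TCP,
                         struct.pack(">HH", 40001, PPTP_CONTROL_PORT) + b"\x00" * 16),
    "pptp-data": ipv4("203.0.113.10", "198.51.100.1", IPPROTO_GRE,
                      struct.pack(">HH", 0x3001, GRE_PROTO_PPP) + b"\x00\x04\x00\x01\x00\x00\x00\x01"),
    "l2tp": ipv4("203.0.113.11", "198.51.100.1", IPPROTO_UDP,
                 struct.pack(">HHHH", 50000, L2TP_PORT, 14, 0) + b"\x00\x02\x00\x01\x00\x01"),
    "gre": ipv4("192.0.2.1", "198.51.100.2", IPPROTO_GRE,
                struct.pack(">HH", 0, 0x0800) + b"\x45" + b"\x00" * 19),
}

def inventory(packets) -> dict:
    """Count tunnel types in a packet list, as a monitoring rule would."""
    counts = {}
    for pkt in packets:
        label = classify(pkt)
        counts[label] = counts.get(label, 0) + 1
    return counts
```

A side effect worth noticing: because L2TP control and data share UDP 1701, a filter cannot tell them apart without parsing the L2TP header, and because PPTP data has no port at all, any firewall that only understands ports silently drops it.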

Module 2 Summary

In this module, you learned about the following:
- HDLC and its configuration options
- The PPP suite and the configuration options associated with specific protocols within the suite
- The phases of a PPP session
- The purpose of link-aggregation protocols and the configuration options associated with MP
- The purpose of tunneling protocols such as GRE, PPTP, and L2TP

Learning Check: Module 2

1. What are the two main differences between MP and PPP?

2. Which two functions must data-link layer protocols perform to control data transfer?

3. When a PPP connection is established, which three protocols must the peers exchange? (Select three.)
   a. PPP
   b. PAP
   c. LCP
   d. APP
   e. CHAP
   f. LAPD
   g. NCP

4. When does a peer that is configured to use PPP send a configure-nak frame?
   a. If the sending peer provides incorrect authentication information
   b. If the peer rejects some of the configuration options proposed by the sending peer
   c. If the configuration options are unrecognizable
   d. If the peer wants to acknowledge a communication

5. Which protocol enables you to use authentication protocols not defined by PPP?
   a. CHAP
   b. LCP
   c. PAP
   d. EAP

Module 3: Carrier Line WAN Connections

Objectives

This module explains the characteristics and use of carrier lines used for WAN connections. It also describes fiber optic carrier networks and the standards being adopted for these networks. After completing this module, you should be able to:
- Explain the advantages and disadvantages of carrier line WAN connections
- Identify the specific characteristics of T1 and E1 WAN connections
- Identify the specific characteristics of T3 and E3 WAN connections
- Identify the physical infrastructure of T1 and E1 WAN connections
- Identify the physical infrastructure of T3 and E3 WAN connections

Overview of Carrier Line WAN Connections

Carrier lines provide dedicated point-to-point connections between two fixed subscriber locations. They are often described as secure because the circuit is not shared with other subscribers, but the traffic on a carrier line is not encrypted: it is visible to the carrier and to anyone with access to the physical path, so confidential data still needs to be encrypted at the endpoints. Carrier lines are reliable because the connection is always active, and they provide optimal performance because the full bandwidth of the connection is always available.

The primary disadvantage of carrier lines is cost. They typically cost more than other types of WAN connections such as Integrated Services Digital Network (ISDN) and Digital Subscriber Line (DSL). Furthermore, the cost of a carrier line increases substantially if the line passes through more than one public carrier network, because each carrier charges for the dedicated circuit it provides.

Carrier WAN connections are ideal for companies that must exchange a high volume of data and require constant access. For example, a company may need to share large files between a limited number of sites, and the information may be highly confidential, requiring a protected connection. Companies may also purchase a carrier WAN connection if they need high bandwidth for Internet, intranet, and

A carrier WAN connection may also be required for:
- PBX applications that use a large number of channels and need drop/insert functionality
- Voice and data traffic carried on a single carrier line
- Government, military, and corporate secure information exchange
- Internet service provider (ISP) services

Carrier Line WAN Connections

The figure shows the general characteristics of an end-to-end carrier line WAN connection. A carrier WAN connection provides a permanent, dedicated, point-to-point, fixed-bandwidth link between two sites. Unless the service provider changes the path, the data sent between the two endpoints of a carrier line WAN connection always flows along the same physical path.

However, having a dedicated path does not mean that the full capacity of each copper or fiber cable in the physical path is reserved for that single connection. For example, traffic from multiple T1 connections might be multiplexed over one physical path on a higher-speed link. Nevertheless, the bandwidth of each connection is guaranteed across all parts of the path, because each connection is allocated dedicated time slots end-to-end. If there is no traffic to transmit, the time slots for that connection simply go unused.

T1 and T3 carrier lines are used primarily in Canada and the United States. In Europe and other locations that follow the standards of the ITU Telecommunication Standardization Sector (ITU-T), the comparable dedicated, high-speed WAN connections are E1 and E3 carrier lines. J1 and J3 carrier lines were defined for use in Japan.

Physical Infrastructure Common to Carrier Line Local Loops

The figure shows the physical infrastructure that is common to the local loop in carrier line WAN connections. The infrastructure for all carrier line local loops requires the same basic components, although the components may differ slightly in form and design. It is important to have a good understanding of the local loop for a carrier line, because this is where the subscriber's equipment is installed and configured. This section provides an overview of the components that make up the local loop infrastructure; they are explained in more depth later in this module.

The left side of the figure shows the subscriber's LAN, which is connected to a WAN router. The WAN router in the figure is connected to a device called a Channel Service Unit/Data Service Unit (CSU/DSU). The CSU and DSU have separate purposes. Outgoing LAN traffic goes from the router to the DSU, which translates it from the signaling format used on the LAN into the format required for transmission across the WAN connection. T-carrier lines use the DSX signaling hierarchy; E-carrier lines use the CEPT signaling hierarchy; and J-carrier lines use the Japanese signaling hierarchy. (For more information about signaling hierarchies, see Module 1: Overview of WAN Connections.) After the DSU translates the signal, the CSU generates the signal (or regenerates it, in the case of incoming traffic). The CSU and DSU can be two separate, standalone devices, although they are often integrated into a single CSU/DSU. In Europe, the Middle East and Africa (EMEA), the CSU is typically supplied by the service provider, and either the router has a built-in DSU or the customer provides the DSU.

A CSU/DSU can be connected to a WAN router in the following ways:
- The WAN router can be connected to a standalone CSU/DSU with a cable built to the V.35 or X.21 electrical interface (labeled A in the figure). The cable is accordingly called a V.35 or an X.21 cable.
- The router may have a built-in CSU/DSU (labeled B in the figure). The built-in CSU/DSU is connected directly to a T1 RJ-48 wall jack.

From the CSU/DSU, the WAN connection leads to the demarcation point (demarc). To the right of the demarc is a Network Interface Unit (NIU), also known as a smart jack. In some cases the demarc is the smart jack itself, with no intervening cross-connect panel. Smart jacks automatically maintain the WAN connection, and they enable public carrier employees to perform some simple management tasks, such as loopback tests, from a remote location. The smart jack is usually located outside the subscriber's premises so that public carrier employees can always reach it; in some cases, such as a large multi-tenant office building, it may be located inside the subscriber's premises. Either way, it is a point on the circuit that people other than the subscriber can physically access, which is one more reason that confidential traffic on a carrier line should be encrypted end to end.

The next component shown in the figure is a repeater. Repeaters receive, amplify, and retransmit the digital signal, ensuring that attenuation never prevents the next repeater in line from reading it. The distance between repeaters depends on the type of connection, including the transmission medium. For example, on a T1 connection over unshielded twisted pair (UTP) wiring, the distance between repeaters is about a mile or less.

The last component shown in the figure is the Office Channel Unit (OCU) in the public carrier's nearest central office (CO). The OCU performs the same function at the public carrier's site that the CSU performs at the subscriber's site.

DSU

As stated earlier, the DSU translates the signal in both directions. It converts signals from data terminal equipment (DTE) on the subscriber's LAN into the format required on the WAN connection and forwards the formatted signal to the CSU. It also converts formatted signals arriving from the WAN connection (via the CSU) into LAN (DTE) signals and forwards them to the subscriber's WAN router. Finally, the DSU provides the capability to test the connection between itself and the LAN.

CSU

The WAN connection begins at the CSU. CSUs vary, but all provide at least the following basic functionality:
- The CSU contains the last signal regenerator on the public carrier network; in other words, it acts as the final repeater from the WAN side. This regenerator presents the DSU with a clean WAN signal for conversion to the DTE signal format and forwarding to the WAN router. The WAN signal used depends on the type of WAN connection: T1 WAN connections use DS1, E1 WAN connections use E1, and J1 WAN connections use J1. (For more information about signaling hierarchies, see Module 1: Overview of WAN Connections.)
- The CSU contains a mechanism for putting the physical line into loopback mode for line testing between itself and the public carrier's CO.
- The CSU enables configuration of "line build out": you can shape the transmitted waveform to compensate for signal attenuation on the line. Some repeaters and other equipment are built to expect a specific amount of attenuation and will not work unless that level is present, so the CSU's control of attenuation ensures that all components on the end-to-end connection perform properly.

- The CSU monitors the signal between itself and the public carrier's CO to detect signal pattern violations and loss of signal. When a problem occurs, the CSU might auto-correct it or generate an alarm, depending on its capabilities and the problem detected.

You need only be familiar with the general functions of the CSU/DSU. The public carrier normally configures it. If the public carrier does not configure it, the carrier must provide the necessary configuration information, such as the number of decibels of attenuation required for proper line build out.

Capabilities of WAN Routers

WAN routers have two basic functions. First, a WAN router must determine whether traffic coming from any of the multiple sources on the connected LAN is intended for transmission across the WAN. Second, it must transmit that traffic. In addition to these basic functions, WAN routers must support one or more types of WAN connections, including carrier lines, ISDN, and Digital Subscriber Line (DSL). They must also support one or more data-link layer protocols, such as Point-to-Point Protocol (PPP), Multilink PPP (MP), Frame Relay, Multilink Frame Relay, and others.

Today's WAN routers offer a number of other capabilities. For example, many include a built-in multiplexer. A multiplexer collects data and frames it into channels according to the speed (number of channels) the subscriber purchased; it combines any number of DS0, E0, or J0 channels into one serial data stream. WAN routers may also support add-drop multiplexing, which lets you mix voice and data channels on nonconsecutive channels.
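The multiplexing just described, as an added example that is not part of the course: a byte-interleaving model of a DS1 frame (one 8-bit sample per DS0 time slot, 24 slots plus one framing bit, 8,000 frames per second), with demultiplexing and an add-drop step that replaces nonconsecutive slots while passing the rest through. The idle fill value and the channel contents are assumptions chosen for illustration; the framing bit is carried only as a placeholder and does not model a real SF/ESF pattern:

```python
SLOTS = 24                   # DS0 time slots per DS1 frame
FRAMES_PER_SECOND = 8000     # one frame every 125 microseconds
IDLE = 0xFF                  # fill for unprovisioned slots (assumed; carriers use various idle codes)

def ds1_mux(channels: dict, nframes: int) -> list:
    """Byte-interleave the provisioned DS0s: frame n carries byte n of every channel.
    channels maps slot number (1..24) to that channel's byte stream."""
    for slot in channels:
        if not 1 <= slot <= SLOTS:
            raise ValueError("slot %d out of range 1..%d" % (slot, SLOTS))
    frames = []
    for n in range(nframes):
        frame = bytearray([IDLE] * SLOTS)            # every slot is transmitted, used or not
        for slot, stream in channels.items():
            if n < len(stream):
                frame[slot - 1] = stream[n]
        frames.append(bytes(frame))
    return frames

def ds1_demux(frames: list, slot: int) -> bytes:
    """Recover one DS0: byte (slot - 1) of every frame, in order."""
    return bytes(frame[slot - 1] for frame in frames)

def drop_insert(frames: list, replacements: dict) -> list:
    """Add-drop multiplexing: replace only the listed slots with local traffic, pass the rest through,
    so voice and data can occupy any mix of (nonconsecutive) slots."""
    out = []
    for n, frame in enumerate(frames):
        new = bytearray(frame)
        for slot, stream in replacements.items():
            new[slot - 1] = stream[n] if n < len(stream) else IDLE
        out.append(bytes(new))
    return out

def line_rate_bps() -> int:
    """Bits on the wire per second: 193 bits per frame regardless of how many slots carry traffic."""
    return FRAMES_PER_SECOND * (1 + 8 * SLOTS)

def payload_rate_bps(provisioned_slots: int) -> int:
    """Usable rate for a full or fractional T1: 64 kbps per provisioned DS0."""
    if not 1 <= provisioned_slots <= SLOTS:
        raise ValueError("a T1 carries 1..24 DS0s")
    return FRAMES_PER_SECOND * 8 * provisioned_slots
```

The model makes two points from the text concrete: a fractional T1 still puts 1.544 Mbps on the wire (the unused slots are transmitted as idle fill), and drop/insert touches only the slots it owns, so voice on slot 1 and data on slot 13 can coexist in one stream.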

WAN routers might also have a built-in CSU/DSU. Built-in CSU/DSUs are somewhat easier to manage than standalone units, and they are cheaper; the V.35 and X.21 cables that connect a standalone CSU/DSU to the WAN router, for example, are expensive. On the other hand, standalone CSU/DSUs are usually easier to monitor and troubleshoot.

WAN routers might include security capabilities such as Virtual Private Network (VPN) support, Virtual LAN (VLAN) support, support for tunneling protocols such as Generic Routing Encapsulation (GRE), support for the security components of tunneling protocols such as Internet Protocol Security (IPsec), and even firewall capabilities. (These capabilities are treated in other modules in this course.) Typically, these capabilities are provided on interchangeable cards that are inserted into card slots in the WAN router.

Many WAN routers also support Remote Monitoring (RMON), which lets you monitor the WAN router regardless of your physical location. RMON defines a set of statistics and functions that are exchanged between RMON probes (agents) and RMON management consoles. The probe, running on or beside the router, collects real-time information about the status of the device, network performance, network events, failure or error conditions, and other vital statistics; the management console presents this information in a meaningful way for use in managing network operations. Because RMON is carried over SNMP, restrict which management stations can reach the router's SNMP service and avoid default community strings, or the same statistics are available to anyone on the network.

Characteristics of a T1 WAN Connection

As discussed in Module 1: Overview of WAN Connections, T-carrier WAN connections are based on the American National Standards Institute (ANSI) T1.102 and T1.107 specifications. A T1 WAN connection provides twenty-four 64-Kbps DS0 channels for a total of 1.544 Mbps of bandwidth (24 x 64 Kbps = 1.536 Mbps, plus 8 Kbps of framing). A full T1 connection uses all 24 DS0s. Fractional T1 connections, which use fewer than 24 DS0s, are also available. The channels in a T1 connection can be used for voice traffic, data traffic, or a combination of the two, but all traffic moving through the connection is in digital form.

In North America, a subscriber's site is connected to the central office (CO) of a local exchange carrier (LEC) that provides the T1 WAN connection. T1 WAN connections can also be created through multiple LECs and interexchange carriers (IXCs), as needed, to link two subscribers' premises together.

As mentioned earlier, the connection between a subscriber's premises and the CO is called the local loop. Most T1 local loops use two pairs of Category 3 (CAT-3) or CAT-5 unshielded twisted pair (UTP) cable with 120-Ohm, 22-gauge wire. However, some older T1 installations use two pairs of CAT-2 UTP with 100-Ohm, 24-gauge wire, which is adequate for full T1 applications.

A T1 WAN connection creates a point-to-point connection between two locations, and a CSU/DSU is required at each end of the connection. You must configure the CSU/DSU to use the same line-encoding scheme as the public carrier providing the T1 connection. As discussed in Module 1: Overview of WAN Connections, both Alternate Mark Inversion (AMI) and Bipolar 8-Zero Substitution (B8ZS) encoding schemes are used on T-carrier WAN connections. Before configuring the CSU/DSU, contact the public carrier providing the T1 connection to determine which encoding scheme is appropriate; a mismatch shows up as bipolar violations and corrupted data rather than as a clean failure.

You must also configure the WAN routers to use a data-link layer protocol that supports point-to-point connections. The default protocol is PPP; HDLC, MP, and Frame Relay can also be used. (PPP, HDLC, and MP are discussed in detail in Module 2: Data-Link Layer Protocols. Frame Relay is discussed in Module 6: Frame Relay.)

T1 CSU/DSU Connections

As the figure shows, a T1 CSU/DSU can be a standalone unit, or it can be built into a WAN router. The physical connections are different for each. A standalone CSU/DSU connects to the WAN router's V.35 serial interface with an external V.35 cable. It has an integrated RJ-48C jack for connecting to the T1 RJ-48X wall jack with CAT-3 or higher UTP. A CSU/DSU that is integrated into a WAN router still uses a V.35 serial interface internally to communicate with the router, but it does not require the external V.35 cable. Its connection to the T1 jack is identical to that of a standalone CSU/DSU: RJ-48C to RJ-48X with twisted pair cable.

As the figure shows, T1 WAN connections are terminated with RJ-48X jacks. These jacks contain automatic cross-connect (shorting) pins that provide automatic loopback. Automatic loopback keeps the T1 WAN connection operational on the public carrier's side of the circuit if the subscriber's end is disconnected.

Characteristics of an E1 WAN Connection

As discussed in Module 1: Overview of WAN Connections, E-carrier lines are based on the ITU-T G.703 specification. An E1 WAN connection provides thirty-two 64-Kbps channels (E0s) for 2.048 Mbps of total bandwidth. The bandwidth of an E1 WAN connection is greater than that of a T1 WAN connection for two reasons. First, more channels (32 versus 24) are provisioned for an E1 WAN connection. Second, all framing, synchronization and signaling functions are performed in two dedicated E0 channels (time slot 0 carries framing and synchronization, time slot 16 carries signaling), leaving the full bandwidth of the remaining 30 E0 channels available for data transport. A full E1 WAN connection uses all 30 of those E0s. Fractional E1 WAN connections, which use fewer than 30 channels, are also available. The channels in an E1 WAN connection can be used for voice traffic, data traffic, or a combination of the two, but all traffic moving through the connection is in digital form.

In regions that follow the G.703 specification, a subscriber's site is connected directly to the PTT that provides the E1 WAN connection. Depending on the location of the subscriber, the local loop transmission medium is either two twisted pairs (CAT-3 or CAT-5 UTP with 120-Ohm, 22-gauge wire) or two unbalanced coaxial cables (75-Ohm, solid core RG-59).

An E1 WAN connection creates a point-to-point connection between two locations, and a CSU/DSU is required at each end of the connection. With an E1 WAN connection, however, the CSU and DSU are usually separate devices. The CSU is owned and operated by the PTT and is installed on the PTT's side of the demarc. The DSU is owned and operated by the subscriber and is part of the equipment on the subscriber's side of the demarc.

You must configure the DSU to use the same line-encoding scheme as the PTT providing the E1 WAN connection. As discussed in Module 1: Overview of WAN Connections, both AMI and High Density Bipolar 3 (HDB3) encoding schemes are used on E1 WAN connections. Before configuring the DSU, contact the PTT to determine which line-encoding scheme is appropriate.

You will also need to configure the WAN routers to use a data-link layer protocol that supports point-to-point connections. The default protocol is PPP; HDLC, MP, and Frame Relay can also be used. (PPP, HDLC, and MP are discussed in Module 2: Data-Link Layer Protocols. Frame Relay is discussed in Module 5: Frame Relay.)
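The line-encoding choice that both the T1 section (AMI or B8ZS) and the E1 section above (AMI or HDB3) tell you to confirm with the carrier, as an added example that is not part of the course: encoders and decoders for the three schemes, written from the substitution rules themselves (B8ZS replaces eight zeros with 000VB0VB, HDB3 replaces four zeros with 000V or B00V, where V is a pulse that deliberately violates alternation). The test data is constructed. It shows why AMI alone cannot guarantee ones density on a long run of zeros, and what happens when a CSU/DSU decodes a B8ZS stream as AMI:

```python
def ami_encode(bits):
    """Alternate Mark Inversion: each 1 is a pulse of alternating polarity, each 0 is no pulse."""
    out, last = [], -1                  # pretend the last pulse was negative so the first 1 is +1
    for b in bits:
        if b:
            last = -last
            out.append(last)
        else:
            out.append(0)
    return out

def ami_decode(symbols):
    """Return (bits, bipolar_violations). A CSU/DSU counts violations as line errors."""
    bits, last, violations = [], -1, 0
    for s in symbols:
        if s == 0:
            bits.append(0)
            continue
        if s == last:
            violations += 1
        bits.append(1)
        last = s
    return bits, violations

def b8zs_encode(bits):
    """AMI plus 000VB0VB for every run of eight zeros; V has the same polarity as the preceding pulse."""
    bits = list(bits)
    out, last, i = [], -1, 0
    while i < len(bits):
        if bits[i:i + 8] == [0] * 8:
            out += [0, 0, 0, last, -last, 0, -last, last]   # ends on a pulse of polarity 'last'
            i += 8
            continue
        if bits[i]:
            last = -last
            out.append(last)
        else:
            out.append(0)
        i += 1
    return out

def b8zs_decode(symbols):
    """Recognise the substitution pattern and restore the eight zeros; any other violation is an error."""
    bits, last, i = [], -1, 0
    while i < len(symbols):
        if symbols[i:i + 8] == [0, 0, 0, last, -last, 0, -last, last]:
            bits += [0] * 8
            i += 8
            continue
        s = symbols[i]
        if s == 0:
            bits.append(0)
        elif s == last:
            raise ValueError("unexpected bipolar violation at symbol %d" % i)
        else:
            bits.append(1)
            last = s
        i += 1
    return bits

def hdb3_encode(bits):
    """AMI plus, for every run of four zeros, 000V (odd pulses since last V) or B00V (even)."""
    bits = list(bits)
    out, last, pulses_since_v, i = [], -1, 0, 0
    while i < len(bits):
        if bits[i:i + 4] == [0, 0, 0, 0]:
            if pulses_since_v % 2:
                out += [0, 0, 0, last]            # V repeats the last polarity
            else:
                last = -last                      # B is a normal alternating pulse, V repeats it
                out += [last, 0, 0, last]
            pulses_since_v = 0
            i += 4
            continue
        if bits[i]:
            last = -last
            out.append(last)
            pulses_since_v += 1
        else:
            out.append(0)
        i += 1
    return out

def hdb3_decode(symbols):
    """A violation marks the fourth symbol of a 000V or B00V block: zero the block."""
    bits, last = [], -1
    for i, s in enumerate(symbols):
        if s == 0:
            bits.append(0)
        elif s == last:
            if len(bits) < 3:
                raise ValueError("violation at symbol %d with no preceding block" % i)
            bits[-3:] = [0, 0, 0]
            bits.append(0)
        else:
            bits.append(1)
            last = s
    return bits

def max_zero_run(symbols) -> int:
    """Longest stretch without a pulse: what the repeaters' clock recovery has to survive."""
    run = best = 0
    for s in symbols:
        run = run + 1 if s == 0 else 0
        best = max(best, run)
    return best
```

The mismatch case is the one to remember when a new circuit passes loopback but corrupts data: a B8ZS stream decoded as AMI yields the wrong bits and a climbing bipolar-violation counter on the CSU, while the reverse (AMI data through a B8ZS decoder) passes cleanly until the far end sends eight zeros in a row.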

E1 DSU Connections

In E1 WAN connections, the DSU can be a standalone device, or it can be built into a router. The physical connections are different for each. As the figure shows, a standalone DSU connects to the X.21 serial interface of a WAN router with an external X.21 cable. The DSU is then connected to the E1 RJ-48 wall jack with CAT-3 or higher UTP. An integrated DSU does not require the external X.21 cable but uses the same CAT-3 or higher UTP to connect to the E1 RJ-48 wall jack. The CSU is owned and operated by the PTT and is located on the PTT's side of the demarc.

Characteristics of a J1 WAN Connection

J-carrier WAN connections are a closely related variant of T-carrier WAN connections. Like T1 WAN connections, J1 WAN connections provide a transmission speed of 1.544 Mbps and 24 channels. J1 WAN connections also perform all signaling and control functions in-band. However, J1 WAN connections use a slightly different framing format for signal transport than T1 WAN connections use: J1 WAN connections use the J1 signaling format rather than DS1.

PTTs in Japan use the J1 standard for voice, not data. For data, these PTTs use the T1 standard and, less frequently, the E1 standard. For example, Nippon Telegraph and Telephone (NTT), the largest PTT in Japan, offers a DS3 connection with a transmission speed of 44.736 Mbps. (See service/speed.html.) Likewise, KVH, another PTT company in Japan, offers both a T1 and a DS3 option. (See datacom/ll_menu.html.)

Many PTTs in Japan use the T1 standard because they deliver WAN connections over fiber optic networks that support the Synchronous Optical Network (SONET) standard. SONET is the standard adopted by the United States and Canada for fiber optic networks, and not surprisingly it provides backward compatibility for T-carrier lines. (SONET is described in more depth later in this module.)

In addition to offering T1 or T3 WAN connections, PTTs in Japan offer even faster connections over fiber optic networks. For example, KVH offers a 622 Mbps SONET-based connection and a 2.4 Gbps SONET-based connection. (The signaling hierarchy that forms the basis of these connections is explained later in this module.) PTTs in Japan also offer leased lines over Ethernet and Asynchronous Transfer Mode (ATM) networks.

T1 WAN Connection over SONET (Japan)

SONET-based fiber optic networks require different equipment than standard carrier lines. Instead of a CSU/DSU, an Add Drop Multiplexer (ADM) is used to establish the connection and the signaling between the customer's premises and the CO. In addition, a fiber termination box is required between the twisted pair cabling used on the customer's network and the fiber optic network.

When a customer signs up for a leased line with the PTT, the agreement may include rental of a WAN router. The customer should be able to purchase and use any WAN router that supports the T1 standard, but should double-check with the PTT that the router is supported. Some WAN routers may also require a separate card that supports an external CSU/DSU, which in this case is the ADM.

Characteristics of a T3 WAN Connection

As discussed in Module 1: Overview of WAN Connections, T3-carrier lines are based on the ANSI T1.102 and T1.107 specifications and use the DSX-3 interface and DS3 signaling specifications defined by the DSX hierarchy. Public carriers deliver T3-carrier WAN connections as either a channelized or a non-channelized service.

Channelized T3 delivers a total of 672 DS0 channels (28 DS1 channels) and provides Mbps in nominal bandwidth. Channelized T3 uses DS3 signaling, which is multiplexed in a two-step process. First, a total of 28 DS1 signals are multiplexed into seven DS2 signals, each of which contains four DS1 signals. Second, the seven DS2 signals are multiplexed into one DS3 signal. In channelized T3, the public carrier performs all multiplexing.

In contrast, non-channelized T3 delivers a single DS3 with no DS0, DS1, or DS2 multiplexing. It provides 44.2 Mbps in available bandwidth; Mbps of the nominal T3 bandwidth is used for in-band framing control and signal synchronization in a process referred to as bit stuffing. In non-channelized T3, the subscriber is responsible for multiplexing if that subscriber wants to split the T3 into multiple channels.

Both channelized T3 and non-channelized T3 require one of the following for the local loop:

- 75-Ohm, solid core RG-59 coaxial cable
- Single mode or multimode fiber optic cable

T3 WAN connections use BNC connectors for coaxial cable and SC or ST connectors for fiber optic cable.

T3 WAN connections also require a CSU/DSU at each subscriber's location. You must configure the CSU/DSU to use B8ZS line encoding. You must also configure the CSU/DSU for channelized or non-channelized T3, depending on which one you are implementing.

In addition, you must configure the WAN routers to use a data-link layer protocol that supports point-to-point connections. The default protocol is PPP. However, HDLC, MP, and Frame Relay can also be used. (PPP, HDLC, and MP are discussed in Module 2: Data-Link Layer Protocols. Frame Relay is discussed in Module 6: Frame Relay.)

T3 CSU/DSU Connections

As the figure shows, a T3 CSU/DSU can be a standalone device, or it can be built into the router. The physical connections are different for each.

A standalone T3 CSU/DSU is connected to the WAN router's High Speed Serial Interface (HSSI) with an external HSSI cable. HSSI uses a sub-miniature, 50-pin male connector that is identical to a Small Computer Systems Interface-2 (SCSI-2) connector. The HSSI signaling interface is a subset of the SCSI-2 specification. HSSI provides a synchronous serial transmission rate of 52 Mbps and supports both channelized and non-channelized T3. HSSI also supports the 52 Mbps transmission rate of Optical Carrier-1 (OC-1). OC-1 is the base multiple of the Synchronous Optical Network (SONET) and the Synchronous Digital Hierarchy (SDH), which are discussed later in this module.

A standalone T3 CSU/DSU can be connected to the T3 WAN connection in one of two ways:

- A 75-Ohm, solid core RG-59 coaxial cable with BNC connectors
- Two fiber optic cables with SC or ST connectors

As the figure shows, T3 CSU/DSUs can also be built into the WAN router. Built-in T3 CSU/DSUs use HSSI to interface with the WAN router, but they do not require an external HSSI cable or connector. The connection between the built-in CSU/DSU and the T3 wall jack is identical to that of a standalone CSU/DSU: either coaxial or fiber optic cable and connectors.

Characteristics of an E3 WAN Connection

E3 WAN connections are based on the ITU-T G.703 specification and use the E3 signaling specification defined by the CEPT hierarchy. Public carriers deliver E3 WAN connections as either a channelized or a non-channelized service.

Channelized E3 delivers a total of 512 E0 channels (16 E1 channels) and provides Mbps in nominal bandwidth. Channelized E3 uses E3 signaling, which is multiplexed in a two-step process. First, a total of 16 E1 signals are multiplexed into four E2 signals, each of which contains four E1 signals. Second, the four E2 signals are multiplexed into a single E3 signal. In channelized E3, the public carrier performs all multiplexing.

In contrast, non-channelized E3 delivers a single E3 with no E0, E1, or E2 multiplexing. It provides Mbps in available bandwidth. In non-channelized E3, the subscriber is responsible for multiplexing if an application requires it. For example, a subscriber may want to multiplex an E3 WAN connection to create individual channels for a PBX and multiple point-to-point WAN connections between branch offices and a main office.

Both channelized E3 and non-channelized E3 require either 75-Ohm, solid core RG-59 coaxial cable (the same cable that is used for linear bus Ethernet) or fiber optic cable (the same cable that is used for Gigabit Ethernet) for the local loop. The public carrier provides a BNC connection for coaxial cable or an SC or ST connector for fiber optic cable.

An E3 WAN connection requires a CSU/DSU on the subscriber's end of the connection. The CSU is owned and operated by the PTT and is located on the PTT's side of the demarc. The DSU is owned by the subscriber and is installed at the subscriber's premises. You must configure the DSU to use HDB3 line encoding, which is discussed in Module 1: Overview of WAN Connections. You must also configure the DSU for channelized or non-channelized E3, depending on which one you are implementing.

In addition to configuring the DSU, you must configure the WAN routers to use a data-link layer protocol that supports point-to-point connections. The default protocol is PPP. However, HDLC, MP, and Frame Relay can also be used. (PPP, HDLC, and MP are discussed in Module 2: Data-Link Layer Protocols. Frame Relay is discussed in Module 6: Frame Relay.)

E3 DSU Connections

As the figure shows, an E3 DSU can be a standalone device, or it can be built into the WAN router. The physical connections are different for each.

A standalone E3 DSU connects to the WAN router's High Speed Serial Interface (HSSI) with an external HSSI or HSSI/V.35 cable. As discussed earlier, HSSI uses a sub-miniature, 50-pin connector and provides a synchronous transmission rate of 52 Mbps for both coaxial and fiber-based E3 WAN connections.

Built-in E3 DSUs also use HSSI to interface with the WAN router, but they do not require an external HSSI cable or connector. Whether the DSU is a standalone device or built into the WAN router, the connection between the DSU and the E3 wall jack remains the same: a coaxial cable with a BNC connector or a fiber cable with SC or ST modular connectors.

Characteristics of a DS3 WAN Connection (Japan)

The DS3 WAN connection offered by Japanese PTTs is a channelized T3 connection. Based on the ANSI T1.102 and T1.107 specifications, it uses the DSX-3 interface and DS3 signaling specifications defined by the DSX hierarchy. The DS3 WAN connection provides Mbps in nominal bandwidth.

The DS3 WAN connection requires one of the following for the local loop:

- 75-Ohm, solid core RG-59 coaxial cable
- Single mode or multimode fiber optic cable

The DS3 WAN connection uses BNC connectors for coaxial cable and SC or ST connectors for fiber optic cable.

The default protocol for the DS3 WAN connection is PPP. However, HDLC, MP, and Frame Relay can also be used. (PPP, HDLC, and MP are discussed in Module 2: Data-Link Layer Protocols. Frame Relay is discussed in Module 6: Frame Relay.)

DS3 WAN Connection over SONET (Japan)

Like the T1 WAN connection over SONET, the DS3 WAN connection requires an ADM. The ADM establishes the connection and the signaling between the customer's premises and the CO. In addition, a fiber termination box is required between the coaxial or fiber optic cabling used on the customer's network and the SONET network.

When a customer signs up for a leased line with the PTT, the agreement may include rental of a WAN router. The customer should be able to purchase and use any WAN router that supports the DS3 standard; however, the customer should double-check with the PTT to ensure that the WAN router is supported. Some WAN routers may also require a separate card that supports an external CSU/DSU, which is, in this case, an ADM.

Fiber Optic Carrier Networks

Fiber optic offers substantially higher bandwidth than copper and uses pulses of light rather than electrical signals to transmit digital WAN traffic. Fiber optic is rapidly replacing copper as the transmission medium for bandwidth-intensive applications. Although fiber infrastructure is more expensive to install, it provides significant advantages to the public carrier in terms of internetworking operations, administration, maintenance, and provisioning (OAM&P).

Fiber optic also provides significant advantages for subscribers: in addition to providing higher transmission speeds, fiber optic is more reliable than twisted pair copper and provides superior redundancy features. Because of these advantages, fiber optic is now the transmission medium of choice for T3, E3, and other high-speed WAN connections.

Fiber optic is used on both the local loop and the public carrier network. For the purposes of this course, public carrier networks that use fiber optic are called fiber optic carrier networks.

SONET and SDH Digital Hierarchies

There are myriad standards and proposed standards for fiber optic carrier networks. Public carriers have widely accepted some standards, but not others. The table above shows the most common standards in use today:

- ANSI Synchronous Optical Network (SONET) standards: North America and Japan use the SONET standards ANSI T1.105 and T1.119. (These regions also use Telcordia GR-253-CORE: Common Generic Criteria for SONET Transport Systems.)
- ITU-T Synchronous Digital Hierarchy (SDH) standards: ITU-T and ANSI cooperatively developed SDH to ensure compatibility and to enable SONET and SDH carrier networks to exchange data. Regions outside North America and Japan use the ITU-T G.707, G.781, G.782, G.783, and G.803 standards.

SONET

SONET uses the Synchronous Transport Signal (STS) specification to convert copper-carrier electrical signals into optical signals. STS-1 serves as the base multiple for all STS signal levels in the SONET hierarchy. After an STS-1 electrical signal is converted into an optical signal, it becomes an Optical Carrier-1 (OC-1). OC-1 serves as the base multiple in the Optical Carrier X (OCX) hierarchy for SONET-based carrier networks. As the table shows, OC-1 provisions a Mbps channel with Mbps in available bandwidth. As is the case with DS0 in copper-based carriers, OC-1 is the common channel used to multiplex higher bandwidth carriers in the OCX hierarchy.

SDH

Like SONET, SDH uses OC-1 as the base multiple in the SDH hierarchy. SDH uses Synchronous Transmission Mode (STM) designators rather than OCX designators to describe its optical signal hierarchy. STM-1 specifies the electrical and optical signaling specifications for an SDH carrier that is equivalent to SONET OC-3. Unlike SONET, SDH does not use STS, nor does it define any electrical-to-optical signal conversion specifications (interfaces) beyond STM-1 carriers. In other words, all SDH carriers above STM-1 are pure optical carriers.

SONET and SDH Channel Provisioning

Both SONET and SDH are capable of delivering channelized and unchannelized carrier services. Channelized SONET and SDH carriers are provisioned using OC-1 as the base multiple for higher bandwidth signal levels. For example, channelized OC-3 and STM-1 both contain 3 OC-1 channels. In unchannelized, or concatenated, SONET and SDH carriers, the entire line rate is available for payload transport, and all OAM&P functions are performed out of band. In unchannelized SONET and SDH, the public carrier does not provide any multiplexing to the subscriber.
T- and E-Carrier Aggregation

As discussed in Module 1: Overview of WAN Connections, T- and E-carrier systems use a master clock signal to synchronize signal transport between the end nodes of a WAN connection. This creates issues during aggregation because public carriers may use different master clock signals. These slight variances, or phase shifts, must be removed prior to aggregation and transport in optical carriers. To accomplish this, SONET and SDH carriers use an asynchronous signaling method based on the Plesiochronous Digital Hierarchy (PDH). PDH provides backwards compatibility between SONET and SDH fiber carriers and existing copper-based T- and E-carrier lines.

PDH aggregates T- and E-carrier lines onto SONET and SDH carriers in T1 and E1 base multiples, respectively. PDH uses bit stuffing to compensate for phase shifts among multiple synchronous input signals and provides synchronous-like signal transport without using a master clock signal. To accomplish this, SONET and SDH carriers operate at slightly higher transmission rates than the composite multiplexed T- and E-carrier signals they carry. The additional bandwidth provides dummy bits that are used to compensate for timing differences between the T- and E-carrier tributaries.
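The bit-stuffing mechanism just described can be seen end to end in a small model. The following is an added example, not code from the ProCurve guide or from any carrier equipment: it packs a tributary whose clock runs a fractional number of bits per carrier frame into fixed-size carrier frames that run slightly faster, pads the difference with flagged dummy bits, and shows the receiver removing them. The frame size (eight payload slots plus one justification slot with a one-bit control flag) and the tributary rates are constructed values chosen for readability; real DS2/DS3 and SONET framing uses larger frames and majority-voted control bits.

```python
"""Positive justification (bit stuffing), the PDH mechanism for carrying a
T- or E-carrier tributary whose clock drifts against the carrier's.

Added example (not from the ProCurve guide). Constructed frame layout: each
carrier frame has PAYLOAD_SLOTS fixed payload bits plus one justification
slot, and a control flag says whether that slot holds a real tributary bit
(flag 0) or a dummy bit (flag 1). The carrier therefore runs slightly faster
than the tributary and pads the difference with dummy bits.
"""
from collections import deque
from fractions import Fraction

PAYLOAD_SLOTS = 8  # constructed: fixed tributary bits per carrier frame
# A frame moves PAYLOAD_SLOTS or PAYLOAD_SLOTS + 1 tributary bits, so the
# tributary rate (bits per carrier frame period) must lie in that range.


def multiplex(tributary, bits_per_frame):
    """Pack a tributary bit string into carrier frames.

    bits_per_frame is the tributary clock relative to the carrier frame
    period; pass it as a string such as "8.4" so the fractional drift is
    exact. Returns (frames, leftover): frames is a list of
    (stuff_flag, payload) pairs with payload PAYLOAD_SLOTS + 1 bits long;
    leftover is a trailing piece of the tributary too short to fill a frame.
    """
    rate = Fraction(bits_per_frame)
    if not PAYLOAD_SLOTS <= rate <= PAYLOAD_SLOTS + 1:
        raise ValueError("tributary rate %s outside the justification range "
                         "[%d, %d]" % (rate, PAYLOAD_SLOTS, PAYLOAD_SLOTS + 1))
    source = deque(tributary)
    elastic = deque()        # elastic store between the two clock domains
    credit = Fraction(0)     # fractional bit owed by the tributary clock
    frames = []
    while True:
        if source:
            # One tributary clock period: deliver the bits it has produced.
            credit += rate
            arrived = int(credit)
            credit -= arrived
            for _ in range(min(arrived, len(source))):
                elastic.append(source.popleft())
        if len(elastic) < PAYLOAD_SLOTS:
            break            # nothing more to carry in a full frame
        if len(elastic) > PAYLOAD_SLOTS:
            # Backlog present: the justification slot carries a real bit.
            payload = "".join(elastic.popleft() for _ in range(PAYLOAD_SLOTS + 1))
            frames.append((0, payload))
        else:
            # No backlog: fill the slot with a dummy bit and flag it.
            payload = "".join(elastic.popleft() for _ in range(PAYLOAD_SLOTS)) + "0"
            frames.append((1, payload))
    return frames, "".join(elastic)


def demultiplex(frames):
    """Receiver: drop the justification bit whenever it is flagged as a dummy."""
    return "".join(payload[:-1] if flag else payload for flag, payload in frames)


def round_trip(tributary, bits_per_frame):
    """Carry a tributary through the model; return (intact, frames, stuffed)."""
    frames, leftover = multiplex(tributary, bits_per_frame)
    recovered = demultiplex(frames) + leftover
    stuffed = sum(flag for flag, _ in frames)
    return recovered == tributary, len(frames), stuffed


if __name__ == "__main__":
    # Constructed tributary: 80 bits arriving at 8.4 bits per carrier frame.
    print(round_trip("0110" * 20, "8.4"))
```

With the tributary running at 8.4 bits per frame period, roughly six of every ten frames carry a dummy bit and the rest carry nine real bits; at exactly 8 bits per frame every frame is stuffed, and at 9 none are. A rate outside that window cannot be justified by a single slot, which is why `multiplex` refuses it rather than silently dropping or duplicating bits.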

Fiber Optic Media and Connectors

Fiber optic WAN router connections use the same media and connectors that are used in Gigabit Ethernet applications. These include:

- Multimode fiber (50 micron and 62.5 micron)
- Single mode fiber (8.3 micron)
- SC and ST connectors

As the figure shows, a single-strand fiber optic cable consists of a fiber strand surrounded by a gel buffer that prevents signal loss. A strength member surrounds the gel buffer and protects the fiber strand against breakage, and a protective jacket encases the entire assembly and provides further protection against breakage.

As the figure shows, two single-strand fiber optic cables (transmit and receive) are terminated with an SC or ST connector that completes the assembly and provides the physical connection to fiber optic equipment. The optical interface on the equipment being installed determines which type of fiber cable (single mode or multimode), and which diameter of multimode cable (50 micron or 62.5 micron), can be used. Multimode and single mode fiber media are described below.

Multimode Fiber

Multimode fibers are made of thin glass strands that carry light signals simultaneously in two specific windows, or wavelength ranges, measured in nanometers (nm). The most common multimode fiber used in optical data networks is 62.5 micron, which carries signals in the 850 nm and 1300 nm windows, both of which provide 500 Mbps in bandwidth. Therefore, a multimode fiber strand provides 1 Gbps in total bandwidth.

Multimode fiber is commonly used in Gigabit Ethernet and WAN router installations because its relatively large diameter makes connector attachment (termination) easier than with single mode fiber. However, the relatively large diameter of multimode fiber causes signal dispersion, which limits its transmission distance to 1 kilometer (3280 feet).

Single Mode Fiber

To reduce signal dispersion, single mode fiber is made of extremely thin glass strands measuring only 8 microns in diameter. Single mode also has two signaling windows: 1300 nm and 1550 nm. Single mode fiber provides multi-gigabit bandwidth capacity, with the actual bandwidth determined by the equipment used. For example, current high-end carrier backbone installations run in the 40 Gbps range, but tests have shown that single mode can carry data at 100 Gbps.

Single mode fiber is so small that you cannot see it without a microscope. Therefore, it is more expensive to work with and much more difficult to terminate than multimode fiber. However, single mode fiber provides a signal transmission range of 3,000 miles and beyond because of its vastly reduced signal dispersion characteristics.

Fiber Connectors

Fiber optic WAN connections use the same ST and SC fiber connectors that are used for Gigabit Ethernet. ST and SC connectors are available in epoxy and crimp varieties.

Module 3 Summary

In this module, you learned the following:

T-, E-, and J-carrier lines provide:
- Point-to-point connections
- Permanent physical path
- Fixed bandwidth

The local loop for carrier lines includes:
- CSU/DSU
- Network interface unit (smart jack)
- Repeaters

WAN routers offer capabilities such as:
- Built-in multiplexer
- Built-in CSU/DSU
- Security
- RMON

Examples of the different types of T-, E-, and J-carrier WAN connections available include:
- United States and Canada: T1 with a transmission rate of Mbps and T3 with a transmission rate of Mbps
- Europe, Australia, and Asia (except Japan): E1 with a transmission rate of Mbps and E3 with a transmission rate of Mbps
- Japan: T1 WAN connection over SONET with a transmission speed of Mbps and DS3 WAN connection over SONET with a transmission speed of Mbps

Fiber optic networks provide substantially higher bandwidth. They use optical signaling and multimode and single-mode fiber optic cables.

Module 3 Learning Check

1. Which two functions does the DSU provide? (Select two.)
   a. Converts signals from LAN to the format required on the WAN connection and vice versa
   b. Monitors the signal on the line
   c. Keeps the WAN connection alive when there is no data stream
   d. Provides loopback testing between itself and the LAN
   e. Determines the data-link layer protocols supported on the WAN link

2. Which two functions does the smart jack provide? (Select two.)
   a. Provides the time clock for the connection
   b. Maintains the connection
   c. Terminates the connection
   d. Enables public carriers to perform management tasks
   e. Amplifies the signal across the connection

3. Which electrical specification does a T1 WAN connection use?
   a. DSX-1
   b. AMI
   c. CEPT
   d. G

4. Which transmission rate does an E1 WAN connection provide?
   a. Mbps
   b. Mbps
   c. Mbps
   d. Mbps


Module 4: ISDN WAN Connections

Objectives

This module describes how Integrated Services Digital Network (ISDN) can be used as a primary WAN connection and as a backup for a carrier line WAN connection. After completing this module, you should be able to:

- Describe the two types of ISDN services and the transmission rates each service provides
- Describe the transmission media, electrical specifications, and possible data-link layer protocols used for an ISDN connection
- List the ISDN equipment required at the subscriber's premises and describe how this equipment is used
- Describe the type of information you need to order ISDN service from a public carrier

ISDN Overview

ISDN is a dial-up WAN connection that supports voice, data, fax, and video services over standard telephone lines. Although ISDN is a multipurpose WAN solution, its core strength is its ability to handle both voice and data transmissions. For example, it is an ideal WAN solution for large call centers, allowing them to manage hundreds of incoming and outgoing phone extensions. In fact, ISDN is well suited for any voice-related application.

For the most part, however, ISDN appears to have a dwindling role as a primary WAN connection. Many public carriers are promoting Digital Subscriber Line (DSL) connections rather than ISDN. There are at least two reasons for this trend. First, DSL transmits data faster than ISDN does. Second, DSL does not overload the switches that handle voice traffic through the public carrier network; instead, public carriers use data switches and routers to transmit DSL data. (For more information about DSL, see Module 5: DSL WAN Connections.)

However, there is one region where ISDN is still frequently used as a primary WAN connection. In Europe, many public carriers actively sell ISDN as a primary WAN connection. Because these public carriers have replaced their analog switches with digital switches, they have the capacity to provide ISDN.

In most regions, however, companies are implementing ISDN as a cost-effective backup to a carrier line WAN connection. If the carrier line WAN connection is unavailable, the WAN router can use the ISDN WAN connection to send data.

In addition to these traditional implementations, some public carriers are offering a special ISDN implementation for retail businesses that need to get approval on customers' credit cards. This special implementation is discussed in more depth later in this module.

The following lists the advantages and disadvantages of ISDN:

Advantages
- ISDN takes advantage of existing copper wiring, and setup requirements are not extensive or expensive.
- ISDN can be used for both voice and data transmissions, and bandwidth can be regulated according to your needs.
- Because ISDN is a dial-up service, you do not pay for idle connection time. Paying only when the line is in use is beneficial for infrequent calls.

Disadvantages
- There is a lack of interoperability between ISDN devices from different vendors.
- Because you pay for ISDN when the line is in use, it can be costly if the connection is maintained for long periods of time.

ISDN WAN Connection

ISDN provides an end-to-end digital connection between the source device and the destination device. Because ISDN is a digital connection, it is not limited to the 54 Kbps maximum dial-up speed of an analog connection. Instead, ISDN provides transmission speeds of 64 Kbps and above. The exact transmission speed depends on the type of ISDN service and the region in which the service is delivered.

Public carriers offer two ISDN services:
- Basic Rate Interface (BRI)
- Primary Rate Interface (PRI)

BRI ISDN provides a transmission rate of 64 Kbps or 128 Kbps, while PRI ISDN provides a transmission rate of Mbps or Mbps. (The next sections describe these services in more depth.) BRI ISDN is provided across the twisted-pair cable that is used for ordinary telephones. PRI is provided as a T1 connection in North America and Japan, or as an E1 connection in Europe and Asia.

On the local loop, ISDN requires at least Category 3 (CAT-3) unshielded twisted pair (UTP). The number of wires required depends on the ISDN service that you purchase:
- BRI ISDN requires two wires, or one twisted pair.
- PRI ISDN requires four wires, or two twisted pairs.

When ISDN is implemented, the local loop is set up for BRI or PRI service. At the public carrier's central office (CO), the office channel unit (OCU) multiplexes and de-multiplexes channels on the twisted pair wiring of the local loop. Like the channels for carrier lines, ISDN channels are based on DS0 or E0 and are created through time division multiplexing (TDM). With BRI ISDN, the OCU multiplexes three channels. With PRI ISDN, the OCU multiplexes 24 or 32 channels, depending on the region.

Because ISDN is a dial-up connection, it establishes a switched virtual circuit (SVC) when the subscriber initiates or receives a call. For the duration of the call, the physical path through the public carrier network is fixed. However, when the call is terminated and a new call is made, ISDN establishes another physical path through the public carrier network.

BRI ISDN and PRI ISDN use different local loop transmission schemes. To provide higher transmission rates on ordinary telephone wire, BRI ISDN uses a compressed encoding scheme called 2B1Q. Essentially, this transmission scheme provides four signal levels by encoding two bits (2B) into one quaternary symbol (1Q). Because 2B1Q has four signal levels, it operates at a lower frequency range than T1/E1 encoding and sustains fewer losses. Consequently, 2B1Q can be transmitted over longer distances without requiring a repeater. For example, 2B1Q can be transmitted up to 5.49 km (18,000 feet) without a repeater, while T1 encoding requires a repeater approximately every 1.6 km (1 mile or 5,280 feet).

In addition, 2B1Q operates in full duplex mode, allowing data to be transmitted simultaneously in both directions on the local loop.

PRI ISDN, on the other hand, uses the dominant transmission scheme for T1-carrier lines, Bipolar 8-Zero Substitution (B8ZS). B8ZS is described in Module 1: Overview of WAN Connections.
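The two-bits-per-symbol idea behind 2B1Q is easiest to see as an encoder and a receiver-side slicer. The following is an added example, not code from the ProCurve guide: the guide states only that two bits map to one of four levels, so the particular level table used here (first bit gives the sign, second bit selects magnitude 3 or 1, as specified for the U interface in ANSI T1.601) is this example's assumption, and the sample values fed to the slicer are constructed.

```python
"""2B1Q line coding: two bits per quaternary (four-level) line symbol.

Added example, not from the ProCurve guide. The dibit-to-level table is the
ANSI T1.601 U-interface assignment (assumption for this example); the
slicer models the receiver's decision between the four nominal levels.
"""

# Dibit -> nominal line level (quaternary symbol). First bit: sign;
# second bit: 0 selects magnitude 3, 1 selects magnitude 1.
LEVELS = {"10": 3, "11": 1, "01": -1, "00": -3}
DIBITS = {lvl: dibit for dibit, lvl in LEVELS.items()}


def encode_2b1q(bits):
    """Map an even-length string of 0/1 to the list of line levels sent."""
    if len(bits) % 2 or set(bits) - {"0", "1"}:
        raise ValueError("need an even-length string of 0 and 1")
    return [LEVELS[bits[i:i + 2]] for i in range(0, len(bits), 2)]


def decode_2b1q(levels):
    """Inverse of encode_2b1q for an already-sliced symbol sequence."""
    return "".join(DIBITS[lvl] for lvl in levels)


def slice_sample(sample):
    """Receiver decision: the nearest nominal level.

    The decision thresholds sit at -2, 0 and +2, so a received sample that
    attenuation or noise has moved more than one unit away from its nominal
    level is mis-sliced. That margin is what the guide's repeater spacing
    preserves on long loops.
    """
    return min(LEVELS.values(), key=lambda lvl: abs(lvl - sample))


def receive(samples):
    """Slice a sequence of received samples and recover the bit string."""
    return decode_2b1q([slice_sample(s) for s in samples])


def symbol_rate(bit_rate):
    """Line symbol (baud) rate: half the bit rate, because each symbol carries
    two bits. This halving is why 2B1Q occupies a lower frequency range than
    a one-bit-per-symbol code at the same bit rate, as the guide notes."""
    return bit_rate // 2


if __name__ == "__main__":
    levels = encode_2b1q("10110100")
    print(levels, receive([2.6, 1.3, -0.4, -3.9]))
    # 2B + D payload from the guide: 64 + 64 + 16 Kbps = 144 Kbps.
    print(symbol_rate(144_000), "symbols per second")
```

For the 2B + D payload rate the guide gives (64 + 64 + 16 Kbps), the line only has to change level 72,000 times per second; a two-level code would need 144,000. The real U interface adds framing on top of the payload, so its line rate is somewhat higher than this payload-only figure.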

Basic Rate Interface

BRI ISDN provides three channels:
- Two bearer (B) channels
- One data (D) channel

As a result, BRI is sometimes referred to as 2B + D. The B channels carry digital information such as computer data, digitized voice, or video. The D channel carries signaling and call control for the connection. Each of the B channels has a transmission speed of 64 Kbps. The D channel has a transmission speed of 16 Kbps.

Because the B channels are treated independently, they can be used for simultaneous voice and data; in other words, you can talk on the phone and surf the Web at the same time. If you prefer, you can use both channels for data only, or you can use each channel to connect to a different remote office.

As mentioned earlier, some public carriers offer a specialized BRI ISDN service for retail businesses. Because point-of-sale devices require little bandwidth, public carriers offer an ISDN service with a D channel but no B channel. This service, which is sometimes called 0+D, offers distinct advantages over a simple dial-up service.

First, the specialized ISDN service speeds up the credit-card approval process. Because the D channel is always on, it does not require the retailer to start a dial-up connection. When a retail business uses this ISDN service, it saves tens of seconds for each credit-card approval because the salesperson does not have to wait for a call to be dialed and connected.

Second, the specialized ISDN service allows retailers to use one ISDN line for multiple checkout points. All the checkout points are simply connected to a router, which is connected to the ISDN network. (The equipment required at the subscriber's premises is described later in this module.)

Primary Rate Interface

Because PRI ISDN is designed for businesses, it offers more channels, providing more flexibility and higher transmission rates. The number of channels and the transmission speeds vary from region to region. In North America and Japan, PRI ISDN consists of 23 B channels and one D channel. In Europe and Asia (with the exception of Japan), PRI ISDN consists of 30 B channels and one D channel. One additional channel is used to maintain synchronization on the line, for a total of 32 channels.

As with BRI, PRI uses the B channels to transmit data and voice and the D channel to handle signaling. Depending on the region, PRI ISDN is sometimes referred to as 23B + D or 30B + D. Although the PRI ISDN connection in Europe and Asia has a total of 32 channels, the channel used for synchronization is disregarded in this shorthand description.

PRI ISDN provides transmission rates that are comparable to those offered by T1- and E1-carrier lines. Each channel, including each D channel, provides a transmission rate of 64 Kbps. In North America and Japan, PRI ISDN provides a total transmission rate of Mbps. In Europe, Australia, and Asia (with the exception of Japan), PRI ISDN provides a total transmission rate of Mbps.

These transmission rates do not reflect the actual payload of PRI ISDN. Like T1/E1-carrier lines, PRI ISDN requires some bandwidth for control and synchronization of the local loop. PRI ISDN in North America and Japan requires 8 Kbps for framing bits. PRI ISDN in other areas requires one E0, or 64 Kbps. Although this overhead is not generally discussed, you may see transmission rates of Mbps for PRI ISDN in North America and Japan and Mbps for PRI ISDN in other areas.

Options for Higher Transmission Speeds

ISDN provides two options for higher transmission speeds: channel aggregation and high-speed (H) channels. Channel aggregation is available for both BRI and PRI ISDN. However, H channels are available only for PRI ISDN.

Channel Aggregation

Although each B channel is limited to 64 Kbps, you can aggregate channels to create higher transmission rates. This process is sometimes called inverse multiplexing or reverse multiplexing. You can aggregate the two channels in a BRI ISDN for a total transmission rate of 128 Kbps. In a PRI ISDN implementation, you can aggregate two or more channels. You can even aggregate channels from different BRI and PRI implementations.

The subscriber's ISDN equipment aggregates the channels, using one of the following:
- Bonding, which is defined by the Bandwidth on Demand Interoperability Group
- Multilink Point-to-Point (MP) protocol
- Multilink Frame Relay protocol

Even though ISDN channels are aggregated, each channel has a different physical path, or circuit, through the public carrier network. As a result, each channel has a different propagation delay. Bits sent over one channel may arrive at the destination point before bits sent over another channel. The aggregation method you use compensates for the difference in propagation delays among the channels and reassembles the bits in the proper order, that is, the order in which the bits were sent.

H Channels

H channels were developed to provide higher transmission speeds without the time delays required to gather and reassemble bits. H channels are ideal for bandwidth-intensive applications, such as streaming video, that are sensitive to time delay. Public carriers create H channels by combining the bandwidth of PRI channels into one large channel.

Although creating H channels sounds like aggregating channels, it is not actually the same process. With H channels, the public carrier's ISDN switch concatenates contiguous channels at both ends of the ISDN WAN connection, creating in essence a non-channelized T- or E-carrier line. The ISDN switch then ensures that all of the channels have the same physical path through the public carrier network and remain on that path. As a result, the bits are sent and received in the same order.

Several types of H channels are available, and each one has a set transmission speed. The following lists some of the H channels that have been defined:

- H0 is available in North America, Japan, Europe, and Latin America. It provides 384 Kbps.
- H1 designates a group of H channels that are based on the bandwidth of one DS0 or E0 (64 Kbps). Several H channels have been defined within the H1 group:
  - H10 is available in the United States, Canada, and Japan. It provides Mbps, which is the total bandwidth of the 23 B channels available in these areas. One channel is still used for the D channel.
  - H11 is also available in the United States, Canada, and Japan. It provides Mbps, which is the total bandwidth of the 24 channels available in these areas, except for the 8 Kbps used for framing. Signaling can be sent over a channel from another ISDN implementation.
  - H12 is available in Europe, Latin America, and other areas that use E1-carrier lines. It provides Mbps, which is the total bandwidth of the 30 B channels available in these areas.

- H2 designates a group of H channels that are based on the bandwidth of DS3, which is Mbps in the United States, Canada, and Japan and Mbps in Europe, Latin America, and Asia (except Japan). Several H channels have been defined within the H2 group.
  - H21 is available in areas that use E1-carrier lines. It provides Mbps.
  - H22 is available in areas that use T1-carrier lines. It provides between Mbps and Mbps, depending on whether or not the public carrier network requires overhead for framing.

ISDN Equipment at the Subscriber's Premises

The equipment required on the subscriber's side of the loop varies, depending on the region and the public carrier that is providing the ISDN service. This section explains the equipment that is generally used in an ISDN network.

Network Termination 1

On the subscriber's side of the local loop, the Network Termination 1 (NT1) provides the physical and electrical termination for the ISDN line. The NT1 monitors the line, maintains timing, and provides power to the ISDN line. In Europe and Asia, the public carriers supply the NT1 device. In North America, however, the subscriber provides the NT1 device. Many vendors are now building the NT1 directly into ISDN equipment such as routers.

PRI ISDN also requires a Network Termination 2 (NT2) device. The NT2 provides switching functions and data concentration for managing traffic across the multiple B channels. In many regions, the NT1 and NT2 are combined into a single device. In ISDN terminology, the device that combines these functions is called an NT12 (NT-one-two) or just NT.

Terminal Equipment

Any device, such as a telephone, fax machine, or router, that connects to an ISDN line is called terminal equipment. Two types of terminal equipment are associated with an ISDN connection:

- Terminal equipment 1 (TE1)
- Terminal equipment 2 (TE2)

TE1 devices are ISDN ready and can be connected directly to the NT1 or the NT2. TE1 devices include routers, digital phones, and digital fax machines.

TE2 devices do not natively support ISDN and cannot connect directly to an ISDN network. TE2 devices require a terminal adapter (TA) to convert the analog signals produced by the TE2 device into digital signals that can be transmitted over an ISDN connection. TE2 devices include analog telephones and analog fax machines.

ISDN Interfaces

You can add equipment at four interface points on the subscriber's side of an ISDN WAN connection:

- U interface
- T interface
- S interface
- R interface

These interfaces define the mechanical connectors, the electrical signals, and the protocols used for connections between the ISDN equipment.

U Interface

The U interface provides the connection between the local loop and the NT1. For BRI ISDN, the U interface is one twisted pair. For PRI ISDN, the U interface is two twisted pairs. Because public carriers in Europe and Asia provide the NT1, these regions do not use the U interface. In regions that support the U interface, there can be only one U interface on the ISDN network.

T Interface

The T interface is used to connect the NT1 to the NT2. This interface is a four-wire connection, or two twisted pairs. Each pair handles the traffic sent in one direction (see the figure above). In the United States and Canada, the T interface, along with the NT1 and NT2, is frequently built into a circuit board in an ISDN device such as a router. In other regions, the T interface is the first interface at the subscriber's premises.

S Interface

The S interface is used to connect the NT2 to the TE1 or TA. This interface is also a four-wire connection, or two twisted pairs. On a BRI ISDN, the S interface is essentially a passive bus, allowing you to connect multiple TEs and TAs to the ISDN WAN connection. If you use a passive bus configuration, that bus is a shared medium. The TEs or TAs connected to the passive bus must take turns transmitting, and they must be able to detect collisions. PRI ISDN does not support multiple TEs at the S interface.

The S and T interfaces are often combined as the S/T interface.

R Interface

The R interface is used to connect the TE2 to the TA. Because there are no standards for the R interface, the vendor providing the TA determines how the TA connects and interacts with the TE2.

Connectors

The public carrier typically installs an RJ-45 jack to connect the subscriber's premises to the local loop. ISDN supports RJ-11 connectors, but an RJ-45 connector is recommended.

Protocols for ISDN

As mentioned earlier, the signaling information used to create and maintain ISDN connections is transmitted over the D channel. The ITU Telecommunications Standardization Sector (ITU-T) has specified two protocols for ISDN signaling. These protocols operate at layers two and three of the OSI model:

- Q.921, which is also called Link Access Procedure for D channel (LAPD)
- Q.931

LAPD is the data-link layer protocol that establishes the ISDN connection between two endpoints. The LAPD frame provides the addressing for the dial-up call, including the service access point identifier (SAPI) and the terminal endpoint identifier (TEI). The SAPI identifies the ISDN service associated with the signaling frame, and the TEI identifies the TE on the subscriber's ISDN line. In addition, LAPD provides error checking and call control.

Q.931 is a network-layer protocol that establishes, controls, and terminates an ISDN call. Q.931 packets are encapsulated in the LAPD frame. Specifically, the Q.931 packet is contained in the information elements of the LAPD frame.
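As an added example (not part of the student guide), the following Python decodes the LAPD address field described above and the Q.931 message header that an LAPD I-frame carries. The SAPI/TEI bit layout, the well-known SAPI values and TEI ranges, and the control-field and Q.931 message-type codes are taken from ITU-T Q.921 and Q.931; the sample frames are constructed and omit the HDLC flags and FCS.

```python
"""Decode LAPD (Q.921) address and control fields and the Q.931 header
carried in an I-frame.  Constructed frames below omit the HDLC opening and
closing flags and the FCS, which the link layer strips before delivery."""
from dataclasses import dataclass

# SAPI values assigned in Q.921 (all others are reserved).
SAPI_NAMES = {0: "call control (Q.931)",
              1: "packet mode using Q.931 call control",
              16: "X.25 packet communication",
              63: "layer 2 management (TEI assignment)"}

# Q.931 message types (the octet that follows the call reference).
Q931_MESSAGE_TYPES = {0x01: "ALERTING", 0x02: "CALL PROCEEDING", 0x05: "SETUP",
                      0x07: "CONNECT", 0x45: "DISCONNECT", 0x4D: "RELEASE",
                      0x5A: "RELEASE COMPLETE"}

# Unnumbered (U) frame types with the P/F bit (bit 5) cleared.
U_FRAME_TYPES = {0x6F: "SABME", 0x63: "UA", 0x43: "DISC", 0x0F: "DM", 0x03: "UI"}
S_FRAME_TYPES = {0x01: "RR", 0x05: "RNR", 0x09: "REJ"}


@dataclass
class LapdAddress:
    sapi: int   # service access point identifier, 6 bits
    cr: int     # command/response bit (meaning depends on which side sent it)
    tei: int    # terminal endpoint identifier, 7 bits


def parse_address(frame: bytes) -> LapdAddress:
    """Octet 1: SAPI in bits 8-3, C/R in bit 2, EA = 0 in bit 1.
    Octet 2: TEI in bits 8-2, EA = 1 in bit 1 (end of address)."""
    if len(frame) < 2:
        raise ValueError("frame too short for an LAPD address field")
    o1, o2 = frame[0], frame[1]
    if (o1 & 0x01) != 0 or (o2 & 0x01) != 1:
        raise ValueError("bad EA bits: LAPD address field must be exactly two octets")
    return LapdAddress(sapi=o1 >> 2, cr=(o1 >> 1) & 1, tei=o2 >> 1)


def tei_category(tei: int) -> str:
    """TEI ranges from Q.921: 0-63 are fixed (non-automatic) values, 64-126 are
    assigned by the network's layer 2 management, 127 is the group (broadcast) TEI."""
    if not 0 <= tei <= 127:
        raise ValueError("TEI is a 7-bit value")
    if tei == 127:
        return "broadcast"
    return "fixed" if tei < 64 else "automatic"


def parse_control(frame: bytes) -> dict:
    """Modulo-128 control field: two octets for I and S frames, one for U frames."""
    c1 = frame[2]
    if (c1 & 0x01) == 0:                  # I frame: bit 1 = 0, N(S) in bits 8-2
        return {"type": "I", "ns": c1 >> 1, "nr": frame[3] >> 1,
                "p": frame[3] & 1, "length": 2}
    if (c1 & 0x03) == 0x01:               # S frame: bits 2-1 = 01
        return {"type": "S", "name": S_FRAME_TYPES.get(c1, "reserved"),
                "nr": frame[3] >> 1, "pf": frame[3] & 1, "length": 2}
    # U frame: bits 2-1 = 11, P/F in bit 5; mask it out to look up the type.
    return {"type": "U", "name": U_FRAME_TYPES.get(c1 & 0xEF, "unknown"),
            "pf": (c1 >> 4) & 1, "length": 1}


def parse_q931_header(info: bytes) -> dict:
    """Q.931 header: protocol discriminator 0x08, call reference length in the
    low nibble of octet 2, the call reference itself, then the message type."""
    if len(info) < 3 or info[0] != 0x08:
        raise ValueError("not a Q.931 message (protocol discriminator != 0x08)")
    cr_len = info[1] & 0x0F
    if len(info) < 3 + cr_len:
        raise ValueError("truncated Q.931 header")
    msg_type = info[2 + cr_len]
    return {"call_ref": info[2:2 + cr_len].hex(),
            "message": Q931_MESSAGE_TYPES.get(msg_type, f"0x{msg_type:02x}")}


def decode_frame(frame: bytes) -> dict:
    """Decode one LAPD frame; Q.931 is only expected on SAPI 0 I-frames."""
    addr = parse_address(frame)
    ctrl = parse_control(frame)
    out = {"sapi": addr.sapi, "service": SAPI_NAMES.get(addr.sapi, "reserved"),
           "tei": addr.tei, "tei_category": tei_category(addr.tei), "control": ctrl}
    if ctrl["type"] == "I" and addr.sapi == 0:
        out["q931"] = parse_q931_header(frame[2 + ctrl["length"]:])
    return out


# Constructed sample 1: SAPI 0, C/R 0, TEI 64 (automatically assigned), I frame
# with N(S)=3, N(R)=5, P=0, carrying a Q.931 SETUP with call reference 0x01.
SAMPLE_SETUP = bytes([0x00, 0x81, 0x06, 0x0A, 0x08, 0x01, 0x01, 0x05])
# Constructed sample 2: SAPI 63 (layer 2 management), TEI 127 (broadcast),
# UI frame, as used for the TEI assignment procedure.
SAMPLE_TEI_MGMT = bytes([0xFC, 0xFF, 0x03])

if __name__ == "__main__":
    for frame in (SAMPLE_SETUP, SAMPLE_TEI_MGMT):
        print(decode_frame(frame))
```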

ISDN also supports the following data-link protocols:

- High-Level Data Link Control (HDLC)
- Point-to-Point Protocol (PPP)
- Frame Relay

For more information about HDLC and PPP, see Module 2: Data-Link Layer Protocols. Frame Relay will be explained in depth in Module 6: Frame Relay.

Standards

Although ISDN is a mature technology, dating back to the 1970s, it has suffered from a lack of cohesive standards. The Consultative Committee for International Telegraph and Telephone (CCITT) began the standardization process, which was continued by the ITU-T. However, the specifications that the ITU-T developed were not widely adopted. Incompatibilities between ISDN equipment at the subscriber's premises and the ISDN switch were common.

In the late 1980s, the European Commission pushed standardization by creating specifications for European countries. To ensure that equipment manufactured in one country is supported by all other countries in Europe, these specifications define common technical requirements (CTR) for equipment. The specifications include the following:

- Normes Européennes de Télécommunication 3 (NET3) for BRI ISDN
- NET5 for PRI ISDN
- NET7 for terminal adapters
- NET33 for ISDN telephones

CTR approval is valid for all countries that belong to the European Commission. In addition, a country's public carrier may test and approve ISDN equipment.

For the United States, standardization was slower. In the mid 1990s, the National Institute of Standards and Technology (NIST) and Bellcore (now called Telcordia) outlined a phased approach to supporting the complete ITU-T standards. National ISDN-1 was the first step. This standard defined a set of common options that the public carrier and the ISDN manufacturers would provide for subscribers. For example, National ISDN-1 specifies the number of TE devices that can be attached to an S interface.

National ISDN-2 built upon the foundation of National ISDN-1, providing additional options and functionality. ISDN equipment that supports National ISDN-2 should be backward compatible with National ISDN-1.

When you purchase ISDN in the United States, you should ask the public carrier which National ISDN version it supports. Not only will this determine the capabilities that the public carrier offers, it will affect the type of ISDN equipment that you use. If the public carrier's ISDN switch supports National ISDN-2, you should ensure that your ISDN equipment supports this standard. In addition, you will have to select National ISDN-1 or National ISDN-2 when you set up your ISDN line.

Ordering ISDN

In the past, simply determining what ISDN services the public carrier offered and ordering the services you needed could be a lengthy and even frustrating process. Standardization has simplified this task considerably. Most public carriers now use standard packages or ordering codes to sell ISDN services. These packages and ordering codes determine options such as the following:

- How many TE devices the ISDN connection supports
- What type of traffic each B channel supports (such as voice only, data only, or both)
- Whether or not options such as calling line identification, call forwarding, and conference calling are supported
- How the D channel can be used

When ordering ISDN, you can ask your public carrier for a list of packages or ordering codes and use these to identify the services your company needs. If you are using ISDN for a specific application, you can also ask the public carrier to help you identify the package or ordering code that provides the services needed for that application.

To ensure that the equipment you purchase is compatible with the equipment at the public carrier, you also need to determine what standards the public carrier supports. If you are in Europe, for example, you must find out if the public carrier supports all CTR-approved equipment. The public carrier may also recommend that you purchase certain equipment.

In the United States and Canada, you should ask the public carrier if its switch supports National ISDN-1 or National ISDN-2. You can then ensure that the equipment you purchase is compatible with the public carrier's equipment.

Recording Information About the ISDN Service

After you purchase your ISDN service, the public carrier should provide you with the information you need to configure your WAN router for ISDN service. In addition to recording and filing this configuration information, you should document other details about your ISDN service.

When you configure your WAN router, you must specify the following:

- Switch type
- Channel usage
- Assigned telephone numbers
- Service Profile IDs (SPIDs), if required
- Termination endpoint identifier (TEI), if required

Switch Type

The type of switch determines the type of services that the public carrier offers. For example, some switches support only two devices per ISDN connection. Other switches support eight devices. The following is a list of switches used at public carriers in various countries:

- 1TR6 switch type for Germany
- AT&T 5ESS switch type for the US/Canada
- Northern DMS-100 switch type for the US/Canada
- NET3 and NET5 switch types for Europe
- National ISDN switch type
- TS013 switch type for Australia
- NTT switch type for Japan
- VN3 and VN4 switch types for France
- NET3 for New Zealand

Channel Usage

Channel usage determines if the channel can be used for voice and data, voice only, or data only. The channel usage is determined when you purchase the ISDN line. Depending on the router, you may enter a parameter that corresponds to the ISDN ordering code or package that you purchased.

Assigned Telephone Number

The public carrier can assign a telephone number to each ISDN channel, or it can assign one telephone number to the entire ISDN line. Some ISDN switches allow only one telephone number for each BRI ISDN line. If the public carrier assigns more than one telephone number to the ISDN line, it identifies a primary telephone number. The telephone number may also be called a directory number (DN).

Service Profile Identifier (SPID)

Some ISDN switches require a SPID to identify each TE on the subscriber's premises and to determine the types of services that the TE can access. If a TE has multiple ports (such as a voice port and a data port), each port may need a SPID. The SPID is often the telephone number or directory number assigned to the ISDN channel plus a two-digit or four-digit number. If the public carrier's switch requires a SPID, you must specify it when you set up your ISDN equipment.

Termination Endpoint Identifier (TEI)

TEIs are used to identify each TE on an ISDN S/T bus. TEIs can be assigned statically or dynamically.

Information You Should Record

In addition, you should record information for troubleshooting in case you experience problems with the ISDN WAN connection. For example, you may want to record the following:

- Public carrier circuit number
- Line information: speed, build-out information, encoding (either 2B1Q or B8ZS), ESF
- One-way or two-way transmission (for PRI ISDN)
- Interoffice trunk speed selection

Module 4 Summary

In this module, you learned the following:

- ISDN provides a point-to-point, dial-up connection.
- ISDN supports both voice and data.
- Two types of ISDN are available: BRI ISDN and PRI ISDN.
- BRI ISDN includes two B channels for data and voice and one D channel for signaling. BRI ISDN provides a transmission rate of 64 Kbps or 128 Kbps.
- In North America and Japan, PRI ISDN includes 23 B channels and 1 D channel and provides a transmission rate of Mbps.
- In Europe and Asia (except Japan), PRI ISDN includes 30 B channels and 2 D channels and provides a transmission rate of Mbps.
- ISDN requires special equipment at the subscriber's premises: network termination 1 and 2, terminal adapter, and terminal equipment.
- ISDN specifications also define interfaces where the equipment can be added.

Learning Check: Module 4

1. What is the function of the D channel?

2. Which item can you connect at the S interface?
   a. Network termination 1
   b. Smart jack
   c. Network adapter
   d. Terminal equipment

3. In Japan, how many channels does PRI ISDN provide?
   a. 30 B channels and 1 D channel
   b. 23 B channels and 1 D channel
   c. 32 B channels and 1 D channel
   d. 24 B channels and 1 D channel

4. What monitors the ISDN line, maintains timing, and provides power?
   a. Network termination 1
   b. Network adapter
   c. Terminal equipment
   d. Terminal adapter

5. Which data-link layer protocol is used to establish the ISDN connection between two endpoints?
   a. PPP
   b. LAPD
   c. Frame Relay
   d. HDLC

Module 5: DSL WAN Connections

Objectives

This module provides an overview of Digital Subscriber Line (DSL) WAN connections and briefly describes the main types of DSL technologies available today. It then focuses on Asymmetric DSL (ADSL), providing in-depth information about ADSL components, architecture, modulation techniques, and related standards.

After completing this module, you should be able to:

- Describe the characteristics of DSL WAN connections
- Describe the advantages and disadvantages of DSL WAN connections
- Explain the difference between symmetric and asymmetric DSL and provide several examples of each
- Describe the equipment needed to create an ADSL WAN connection
- Describe how data is transmitted over an ADSL WAN connection from the customer's premises to the broadband network
- Describe how data is transmitted on an ADSL WAN connection from the customer's premises to the Internet
- Explain the enhancements provided by ADSL2 and ADSL2+

Overview of DSL WAN Connections

Characteristics

DSL provides high-speed WAN connections over existing local loops. To increase the amount of data that can be transmitted over the local loop (which is typically comprised of plain copper wires), DSL uses advanced modulation techniques.

DSL was developed to alleviate a critical problem facing public carriers: congestion in the public carrier network. With the increasing popularity of the Internet, more and more businesses and residential users began to connect to the Internet through the public carrier network. Because the public carrier network was designed to handle random, short-term phone calls, carrying the traffic created by numerous, lengthy Internet connections began to overwhelm the voice switches in the public carrier network.

DSL solves this problem because DSL traffic is not routed through the voice switches in the public carrier network. Instead, DSL traffic is sent over the local loop to a DSL Access Multiplexer (DSLAM) and then routed over the regional broadband network, which is connected to the Internet. (The DSLAM and the regional broadband network will be described in more depth later in this module.)

Types of DSL

As DSL has matured, different types of DSL technologies have been developed, and these technologies are collectively referred to as x-type DSL, or xDSL. The x is replaced with a letter that represents a particular type of DSL, such as ADSL (Asymmetric DSL), HDSL (High bit rate DSL), and VDSL (Very high bit rate DSL).

The various types of xDSL provide different speeds, and the speed necessarily determines how each type of xDSL is used. In general, however, xDSL is used for the following:

- Internet access
- Remote LAN access, including Virtual Private Networks (VPNs)
- IP telephony and video telephony
- Voice over IP (VoIP)
- T1- or E1-line speeds on the local loop
- Video-on-demand
- Multimedia
- High-definition television (HDTV)

Advantages and Disadvantages of xDSL

Advantages

Because xDSL works over existing local loops, it is a cost-effective WAN technology for both public carriers and customers. By performing minimal adjustments to the existing copper lines that are used for most local loops, public carriers can offer customers a high-speed broadband connection. In addition, xDSL does not require repeaters, so it is less costly to implement than other local loop technologies. (For more information about repeaters, see Module 3: Carrier Line WAN Connections.) xDSL is also an attractive solution for a wide range of customers, from residential users to large corporations.

Customers, on the other hand, get a high-speed connection at a relatively low cost. For example, xDSL is less costly than T1- or E1-carrier lines, but some types of xDSL provide the same transmission speeds.

With xDSL, the connection is always on. For customers who have used dial-up connections, this is a distinct advantage, saving time because there is no dial-up process and eliminating the frustrations (such as busy signals and disconnections) often associated with dial-up connections.

Disadvantages

xDSL has some disadvantages, however. For example, in the early development stages of xDSL, standards developed slowly, and vendors did not always agree on which standards to use. Equipment was often proprietary and did not interoperate. This is changing as standards groups draft specifications for various types of xDSL.

In addition, xDSL is not available in all areas because it is a distance-sensitive technology. If a company or home is too far away from the public carrier's central office (CO), xDSL is not an option. The distance between the company or home and the CO also dictates xDSL transmission rates. The greater the distance, the slower the rate.

xDSL Adoption: Number of xDSL Lines

Point Topic, a United Kingdom company that provides information about the broadband industry, reports on the number of xDSL lines in 70 countries. Point Topic estimates that in June 2004, there were more than 123 million xDSL lines worldwide, a 23 percent increase since December 31, (See World Broadband Statistics: Q2 2004, 23 Sept at

According to Point Topic, the following countries have the most xDSL lines:

- China
- Japan
- United States
- South Korea
- Germany
- France
- Italy
- Taiwan
- United Kingdom
- Canada

As this chart suggests, Asia has the biggest installed base of xDSL lines. In China alone, the number of xDSL lines increased by 27 percent in the first half of According to Point Topic, most of these xDSL lines are ADSL and ADSL2+. However, Point Topic notes two exceptions:

- "VDSL lines, of which Korea Telecom and Hanaro [both located in Seoul, South Korea] are the biggest reporting suppliers."
- "Symmetrical DSL lines offered mainly by CLECs [competitive local exchange carriers] such as Covad in the United States and their counterparts in other countries." (World Broadband Statistics: Q2 2004, p. 6.)

ADSL2, ADSL2+, VDSL, and symmetrical DSL are described later in this module.

Broadband Density

In addition to reporting the number of xDSL lines installed, Point Topic measures broadband density: the number of broadband lines (including both xDSL and cable) per 100 people. Somewhat surprisingly, South Korea leads the world in broadband density, with approximately 24 broadband lines per 100 people. Hong Kong has 20 broadband lines per 100 people. Other leaders in broadband density include Denmark, with 17 lines per 100 people; Canada, with 16 lines per 100 people; and the Netherlands, with 15 lines per 100 people. (See World Broadband Statistics: Q )

xDSL WAN Connection

xDSL provides an end-to-end digital connection between the source device and the destination device. Like a T1- or E1-carrier line, xDSL is a leased private line, providing a permanent physical path through the regional broadband network. In addition, xDSL provides fixed bandwidth.

The xDSL WAN connection is Asynchronous Transfer Mode (ATM) cell-switched or packet-switched, depending on the architecture of the regional broadband network and the way in which the public carrier connects to that network. (Both of these factors are discussed in more depth later in this module.)

Two Groups of xDSL

xDSL WAN connections can be either symmetric or asymmetric, depending on how data is transmitted upstream and downstream. Downstream refers to the traffic being sent from the service provider or public carrier to the customer's premises. Upstream refers to the traffic being sent from the customer's premises to the service provider or public carrier.

If an xDSL technology is symmetric, data is transmitted at the same speed both upstream and downstream. This is sometimes called duplexed xDSL. To avoid confusion with the more mainstream use of duplexing (bidirectional transmissions), the term duplexed xDSL is not used in this course.

Companies should select a symmetric DSL solution for environments such as the following:

- The DSL WAN connection is linking two office sites, and equal amounts of data are transmitted to each site.
- Companies need to provide high-speed access to their network or Web servers. In this case, the upstream transmission speed would affect users' ability to access and download information from the companies' servers.

If an xDSL technology is asymmetric, it provides different transmission speeds for upstream and downstream. The transmission speed for downstream is higher than the transmission speed for upstream. This makes asymmetric xDSL ideal for Internet use because users typically download more data from the Internet than they upload. Asymmetric xDSL is also a good option for video-on-demand or HDTV.

Symmetric xDSL

The following are the main types of symmetric xDSL available:

ISDN DSL (IDSL)

Blending Integrated Services Digital Network (ISDN) and DSL enables public carriers to route digital data, voice, and streaming video simultaneously over the local loop without installing expensive ISDN switches at the CO. IDSL also provides backward compatibility for customers who have purchased ISDN equipment and want to continue to use that equipment.

With IDSL, the public carrier aggregates the two B channels and the D channel provided by ISDN Basic Rate Interface (BRI) for a total of 144 Kbps. The IDSL traffic is then routed over the local loop to the DSLAM at the public carrier's CO. Unlike pure ISDN, IDSL is not a dial-up connection. Although the D channel still carries signaling messages, these messages are not used to set up the connection or to control the transmission; the signaling messages are simply disregarded.

High Bit Rate DSL (HDSL)

Often used to provision the local loop for a T1- or E1-carrier line, HDSL provides transmission rates of Mbps in countries that use T1-carrier lines and Mbps in countries that use E1-carrier lines. Although customers who purchase a T1- or E1-carrier line are usually unaware that HDSL is used on the local loop, it provides a significant advantage for public carriers. For example, HDSL eliminates the need for repeaters, providing T1- or E1-carrier line speeds on wire up to 4.57 km, or 15,000 feet, in length. For comparison, a T1-carrier line requires repeaters approximately every mile, or 5,280 feet. Eliminating repeaters not only saves money but also removes a point of failure (the repeater) and reduces the time it takes to set up the T1- or E1-carrier line.

In addition to using HDSL to provision local loops for a T1- or E1-carrier line, public carriers may also offer HDSL as a high-speed DSL connection. Because this option obviously affects the ability to charge higher prices for T1- or E1-carrier lines, most public carriers have been slow to offer HDSL as a separate option.

Although HDSL offers many advantages, it has three significant disadvantages:

- First, it requires two pairs of wire. To support E1 transmission speeds, HDSL sometimes requires even three pairs of wire. This requirement limits its availability because some areas have a shortage of wire pairs.
- Second, the HDSL specifications are not detailed or specific. Consequently, vendors have created proprietary HDSL solutions, which may not be interoperable.
- Third, HDSL does not support analog voice, a characteristic that could affect its adoption by small companies and residential users.

HDSL2

HDSL2 is designed to eliminate the problems associated with HDSL. HDSL2 provides T1 or E1 transmission rates on a single pair of wires. Because HDSL2 standards are focused on solving interoperability issues, HDSL2 solutions are not proprietary. However, HDSL2 does not address one deficiency of HDSL: like HDSL, HDSL2 does not support analog voice.

Symmetric DSL (SDSL)

Rather than wait for HDSL2 standards to be defined and released, vendors and public carriers in North America created their own single-pair implementations of HDSL: SDSL (which is sometimes called single-pair DSL). As you would expect from such development efforts, SDSL implementations differ widely and are not interoperable. For example, some public carriers provision SDSL by splitting the amount of bandwidth among several customers. By sacrificing distance for speed and vice versa, public carriers and vendors tailor their implementations of SDSL to provide the solutions their customers need.

Vendors also use power to boost the signal, increasing the speeds offered over longer distances of wire. However, increasing the power creates a negative byproduct: some SDSL implementations create interference on other pairs of wire in the same cable bundle. This interference is sometimes severe enough to cause problems on the other wires. Not surprisingly, even the threat of this interference has hindered the adoption of SDSL. SDSL has little presence outside North America.

SHDSL (Single-wire HDSL)

SHDSL, or G.SHDSL, provides a higher transmission speed than either HDSL2 or SDSL and delivers this transmission speed over longer distances. In addition, SHDSL is rate adaptive; when it is initialized, it determines the highest transmission speed possible for the line conditions.

SHDSL is also based on standards. The ITU Telecommunications Standardization Sector (ITU-T) developed the global standard, and in Europe, the European Telecommunications Standards Institute (ETSI) created a compatible standard under the name SDSL. This has caused some confusion with the SDSL developed in North America, although the two standards are completely different.

Very High Bit Rate DSL (VDSL)

As the name suggests, VDSL provides extremely high-speed WAN connections. In fact, VDSL supports fiber optic networks and digital loop carriers (DLCs). VDSL is designed for new and future business offices and residential developments. The standards groups for VDSL expect that in these new developments, only 6,500 feet of local loops will be composed of copper wire; the remaining wire will be fiber optic.

Because VDSL is designed to compete with cable television, it supports voice, video, and data simultaneously. It is ideal for multimedia, broadband services such as HDTV, and Moving Picture Experts Group (MPEG)-encoded video channels.

VDSL can be either symmetric or asymmetric. Currently, seven symmetric transmission rates and eight asymmetric transmission rates are defined for VDSL. Four standards groups are creating specifications for VDSL:

- ETSI in Europe (
- American National Standards Institute (ANSI) T1 committee in the United States (
- ITU-T (
- Full Service Access Network (FSAN) group, which is composed of the leading telecommunications companies in Europe and the United States (

Asymmetric xDSL

Most of the xDSL technologies listed on this table are variations of ADSL. The remainder of this module focuses on ADSL and these variations, namely ADSL Lite, RADSL, ADSL2, and ADSL2+. (VDSL is described on the previous page.)

ADSL Overview

ADSL was designed to eliminate the problems associated with HDSL and SDSL, both of which were developed before ADSL. Like SDSL, ADSL runs on one pair of wires, avoiding one of the primary deficiencies of HDSL. Unlike SDSL, however, ADSL does not create interference on the wire.

ADSL also addresses two deficiencies of both HDSL and SDSL: lack of standards and no support for analog voice. ADSL is arguably the most standardized type of xDSL available. ADSL also supports analog voice on the local loop. This gives ADSL a clear advantage over HDSL and SDSL because customers do not need a separate pair of wires to transmit analog voice. Their existing telephone equipment can continue to send voice traffic over the same pair of wires that carry ADSL traffic. In the ADSL standards, support for analog voice is called ADSL over Plain Old Telephone Service (POTS), or ADSL Annex A.

In addition to supporting analog voice, ADSL supports ISDN traffic. Customers who have ISDN equipment such as telephones and fax machines can continue using this equipment while moving their Internet or WAN connection to ADSL. Support for ISDN is called ADSL over ISDN, or ADSL Annex B, and is common in countries such as Germany where ISDN is widely implemented.

ADSL also supports Japan's implementation of ISDN, which employs Time Compression Multiplexing (TCM). Because this implementation of ISDN typically produces higher levels of crosstalk, the ADSL standards group created a separate ADSL specification for Japan, Annex C. To provide high-quality connections, ADSL Annex C uses sophisticated synchronization methods and noise-margin calculations.

When purchasing an ADSL modem or router, customers should ensure that it supports the specification (Annex A, B, or C) that they need.

With its generous downstream transmission rates, ADSL is well suited for Internet access and video-on-demand. This makes ADSL a popular solution for residential users, small businesses, and remote LAN access.

ADSL Modulation Techniques

To provide high transmission speeds over local loops, ADSL and other types of xDSL use modulation. The sending xDSL modem uses a modulating signal to change the high-frequency carrier signal, creating a modulated wave that can carry a large amount of data. When the wave reaches its destination, the receiving modem demodulates the wave and retrieves the data.

Two modulation techniques are used for ADSL: carrierless amplitude/phase (CAP) and discrete multitone (DMT). Although CAP is easier to implement, DMT provides more flexibility. It is important to know which modulation technique the ADSL equipment uses because the two are not compatible.

CAP Modulation

CAP is carrierless because the sending device suppresses the carrier signal before transmitting the data. When the data reaches the receiving device, it reconstructs the carrier signal. If CAP is used, the available bandwidth is divided into three channels:

- Analog voice: 0 to 4 kHz
- Upstream channel: 25 to 160 kHz
- Downstream channel: 240 kHz to a maximum of 1.5 MHz

The maximum available bandwidth for the downstream channel depends on the line conditions, such as length and noise, and the number of ADSL installations that the DSLAM handles. By creating three widely separated channels, CAP minimizes interference between:

- The channels on one line
- Different lines

DMT Modulation

DMT is currently the standard modulation technique used for ADSL. With DMT, the bandwidth is divided into 256 separate subchannels, or bins. Each subchannel is approximately 4 kHz. Subchannels 0 and 256 cannot be used to transmit analog voice or data. In ADSL Annex A, subchannels 1 to 6 are used for analog voice; in ADSL Annex B, subchannels 1 to 30 are used for ISDN traffic. The remaining channels are used for ADSL data.

The WAN router or DSL modem at the customer's premises and the DSLAM at the public carrier monitor each subchannel, and if the quality becomes degraded, they shift the data to another subchannel. Although monitoring and shifting the data to the best available subchannel is complicated, these capabilities make DMT more flexible and reliable than CAP. (For more information about the difference between DMT and CAP, see Discrete Multitone [DMT] vs. Carrierless Amplitude/Phase [CAP] Line Codes, ZDNet United Kingdom.)

ADSL Components

xDSL service is usually provided through a partnership between an Internet service provider (ISP) and a public carrier. (The public carrier is frequently called the DSL service provider.) The ISP provides the connection to the Internet, and the public carrier provides the xDSL connection to the customer. In some areas, the public carrier provides both the Internet connection and the xDSL connection. It is also possible for an ISP to purchase xDSL equipment and provide the entire xDSL connection, end-to-end. However, the ISP would need to negotiate the use of the local loop with the appropriate public carrier. This delivery model is rare.

ADSL and most types of xDSL require the following components:

- The customer premises equipment (CPE) includes the LAN or the PC that requires a WAN or Internet connection. The customer is, of course, responsible for purchasing and maintaining this equipment.

- Network termination at the CPE is provided by the DSL transceiver, or modem. The DSL transceiver is sometimes included with other functionality in a WAN router. In addition to terminating the DSL connection, the DSL transceiver corrects errors caused by line conditions and attenuation. The public carrier is responsible for everything between the DSL transceiver and the CO, including the local loop. The customer is responsible for all equipment on the other side of the DSL transceiver.
- The access node is the DSLAM, which establishes the DSL connection at the public carrier's CO. The DSLAM can support multiple modulation schemes and a variety of protocols. The public carrier is responsible for the DSLAM. The DSL transceiver, the DSLAM, and all the equipment in between these two devices are referred to collectively as the DSL network.
- The regional broadband network provides two important connections: It connects the DSLAMs from multiple public carriers, and it connects the DSLAM to the ISP's network. Typically, the regional broadband network is an ATM network. However, other implementations are possible. For example, some public carriers (such as public carriers in Japan) are creating Ethernet-aggregation networks.
- The ISP network includes a router that provides the connection to the Internet. As you might expect, the ISP is responsible for the ISP network.

Physical Infrastructure of ADSL WAN Connection

This figure illustrates a company's ADSL WAN connection. The WAN router functions as an ADSL transceiver, performing the modulation required to send data at ADSL speeds across the local loop to the public carrier's CO. At the CO, the DSLAM aggregates ADSL connections from multiple customers and creates one high-capacity connection to the regional broadband network. This regional broadband network provides the backbone to connect DSLAMs from multiple public carriers and connects each DSLAM to the Internet.

Because ADSL supports analog voice or ISDN traffic, the local loop is a shared medium. In an ADSL Annex A environment, telephones send analog voice over the local loop, and the WAN router sends digital data. At the CO, the analog voice must be transmitted to the voice switch and then routed over the public carrier network. The digital data, on the other hand, must be transmitted to the DSLAM and then routed over the regional broadband network. At the customer's premises, the analog voice must be sent to the telephones, and the digital data must be sent to the WAN router.

To separate the analog voice from the ADSL data, a POTS splitter is installed at both the customer's premises and the public carrier's CO. The POTS splitter filters the traffic at both ends of the local loop and ensures that the analog voice and the ADSL traffic are sent to the appropriate device at each location.

In an ADSL Annex B or Annex C environment, ISDN equipment and the WAN router transmit data over the local loop. At the CO, the ISDN traffic must be transmitted to the ISDN switch and then routed over the public carrier network. The ADSL data must be transmitted to the DSLAM and then routed over the regional broadband network. At the customer's premises, the ISDN data must be sent to the ISDN equipment, and the ADSL data must be sent to the WAN router.

To separate the ISDN data from the ADSL data, an ISDN splitter is installed at both the customer's premises and the CO. This splitter ensures that each type of traffic is transmitted to the appropriate device at each location.

ADSL Internet Connection

As mentioned earlier, ADSL is ideal for Internet access. To enable this Internet access, the regional broadband network must be connected to the Internet. In this figure, the DSLAM connects directly to a broadband switch, which is connected directly to a broadband access server. The broadband access server then connects directly to a core Internet router. As the name suggests, the broadband access server authenticates users accessing the Internet through the broadband access network.

This figure shows one possible way to connect the DSLAM to the Internet. The exact configuration varies, depending on factors such as the following:

- The capabilities provided by the DSLAM
- The broadband network equipment that the public carrier owns
- The technology used to create the broadband network

In addition to aggregating multiple xDSL connections, new DSLAMs provide advanced capabilities such as ATM switching. In this case, the DSLAM may be connected directly to the broadband access server or even to a core Internet router. The DSLAM may also be connected directly to the core Internet switch if the public carrier owns that switch.

Finally, the public carrier must configure the DSLAM to support the technology used to create the broadband network. Because DSL was originally developed for use with ATM-based broadband networks, this is still the most common architecture. In fact, when ADSL Lite is implemented without splitters, ATM is required: ATM cells must be included within the ADSL Lite frames.

Despite this ATM legacy, some public carriers and DSL vendors are investigating and implementing other technologies for the broadband network. For example, the broadband network could be an Ethernet-aggregation network linked together by a group of high-capacity switches. Ethernet-aggregation networks promise benefits such as lower costs, enhanced scalability, enhanced support for services such as multimedia, more quality of service (QoS) features, and greater resilience. Public carriers in Asia have already implemented Ethernet-aggregation networks on a large scale.

Even if a majority of public carriers begin to migrate their broadband networks to Ethernet-aggregation networks, ATM will have a role in DSL networks for some time. There is a large installed base of ATM-based broadband networks, and because DSL was designed to work with ATM, ATM protocols are often exchanged between the DSL transceiver and the DSLAM.

Protocols for ADSL

ADSL supports a variety of protocols, including ATM, Ethernet, PPP, PPP over Ethernet (PPPoE), PPP over ATM (PPPoA), and Frame Relay. The ADSL WAN connection is created through several different networks, which use different protocols. The regional broadband network typically uses ATM. At the customer's premises, LANs and PCs use IP over Ethernet. The Internet also uses IP over a variety of protocols such as Fiber Distributed Data Interface (FDDI), Ethernet, or ATM.

With this mix of protocols, how do public carriers and ISPs create a connection from the customer's premises to the Internet? One option is to use Ethernet from the customer's premises to the DSLAM. Unfortunately, using only Ethernet does not provide the capability to authenticate users, which creates a high security risk. Consequently, this option is not really viable for most customers.

As explained in Module 2: Data-Link Layer Protocols, PPP supports authentication, making it more suitable for ADSL connections. PPPoE provides another advantage, supporting Ethernet from the WAN router (or ADSL modem) to the LAN and over the Internet as well. PPPoE is the most common solution used to create ADSL connections.

With PPPoE, the WAN router encapsulates the IP packets first into PPP packets and then into PPPoE packets. (If the customer is using an ADSL modem, the PC encapsulates the IP packets. The capability to encapsulate packets is installed when customers run the PC setup program for the ADSL modem.) The WAN router also adds two headers: the Logical Link Control/Subnetwork Access Protocol (LLC/SNAP) header and the ATM Adaptation Layer 5 (AAL5) header. The WAN router sends the resulting ATM cells to the DSLAM, which forwards them to the ATM switch on the regional broadband network. The ATM switch, in turn, sends the cells to the core Internet router, which peels off the ATM, PPPoE, and PPP headers and transmits the IP packets over the Internet.
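The encapsulation chain just described, as an added example that is not code from the course: an IPv4 packet is wrapped in PPP, then PPPoE, then Ethernet, parsed back with the checks a receiver should make on each field, and the resulting frame is sized in ATM cells. The protocol constants are the published RFC values (RFC 2516, RFC 1661, RFC 2684); the MAC addresses, session ID and IPv4 packet are constructed sample values.

```python
"""Encapsulate an IPv4 packet as IP -> PPP -> PPPoE -> Ethernet, parse it back,
and count the ATM cells the frame needs on the regional broadband network.

Protocol constants are the published values (RFC 2516 PPPoE, RFC 1661 PPP,
RFC 2684 LLC/SNAP bridged Ethernet over AAL5). MAC addresses, the session ID
and the IPv4 packet used in demo() are constructed sample values.
"""
import struct

ETHERTYPE_PPPOE_SESSION = 0x8864  # EtherType for PPPoE session-stage frames
PPPOE_VER_TYPE = 0x11             # PPPoE version 1, type 1
PPPOE_CODE_SESSION = 0x00         # code 0x00 carries PPP session data
PPP_PROTO_IPV4 = 0x0021           # PPP protocol number for IPv4
ETH_HDR_LEN = 14                  # dst MAC + src MAC + EtherType
PPPOE_HDR_LEN = 6                 # ver/type, code, session ID, length
LLC_SNAP_BRIDGED_LEN = 10         # AA-AA-03, OUI 00-80-C2, PID 00-07, 2 pad bytes
AAL5_TRAILER_LEN = 8              # CPCS-UU, CPI, length, CRC-32
ATM_CELL_PAYLOAD = 48             # bytes of payload per ATM cell


def build_pppoe_frame(dst_mac, src_mac, session_id, ip_packet):
    """Wrap an IPv4 packet in PPP, then PPPoE, then an Ethernet header."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip_packet
    pppoe_hdr = struct.pack("!BBHH", PPPOE_VER_TYPE, PPPOE_CODE_SESSION,
                            session_id, len(ppp))
    eth_hdr = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
    return eth_hdr + pppoe_hdr + ppp


def parse_pppoe_frame(frame):
    """Peel the Ethernet, PPPoE and PPP headers off, validating each field.

    A receiver must not trust the PPPoE length field: it is checked against
    the bytes actually present before any payload is handed upward.
    """
    if len(frame) < ETH_HDR_LEN + PPPOE_HDR_LEN + 2:
        raise ValueError("frame too short for Ethernet + PPPoE + PPP headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        raise ValueError("not a PPPoE session frame: EtherType 0x%04x" % ethertype)
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE or code != PPPOE_CODE_SESSION:
        raise ValueError("unsupported PPPoE version/type or code")
    if session_id == 0:
        raise ValueError("session ID 0 is reserved for discovery, never data")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE length field points past the end of the frame")
    (ppp_protocol,) = struct.unpack("!H", payload[:2])
    return {"session_id": session_id, "ppp_protocol": ppp_protocol,
            "ip_packet": payload[2:]}


def atm_cells_for_frame(frame_len):
    """Cells needed when the Ethernet frame (without FCS) is carried with an
    LLC/SNAP header inside one AAL5 CPCS-PDU, padded to a multiple of 48."""
    cpcs_len = LLC_SNAP_BRIDGED_LEN + frame_len + AAL5_TRAILER_LEN
    return -(-cpcs_len // ATM_CELL_PAYLOAD)  # ceiling division


def demo():
    """Constructed sample: a 20-byte IPv4 header plus 20 bytes of payload."""
    ip_packet = bytes([0x45, 0x00, 0x00, 0x28]) + bytes(16) + b"A" * 20
    frame = build_pppoe_frame(b"\x00\x11\x22\x33\x44\x55",
                              b"\x66\x77\x88\x99\xaa\xbb", 0x1234, ip_packet)
    return {"frame_len": len(frame), "parsed": parse_pppoe_frame(frame),
            "cells": atm_cells_for_frame(len(frame))}
```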

ADSL Lite and RADSL

ADSL Lite

As the name suggests, ADSL Lite, or G.lite, does not offer all of the features of ADSL. The main difference is lower transmission rates: Instead of the Mbps downstream transmission rate of ADSL, ADSL Lite provides just 1 Mbps downstream. The upstream rate is only 512 Kbps, rather than the Mbps offered by ADSL. For residential customers, however, ADSL Lite provides some significant advantages:

- No splitter: No splitter is required at the customer's premises. Instead, ADSL Lite uses a microfilter, which is easy to install. For example, the microfilter could be a small device that is attached on the wire that connects the DSL modem to the wall jack at the customer's premises.
- Easy installation: With ADSL Lite, no modifications need to be made to the local loop, so the customer does not have to wait for a service call from the local carrier. After the DSL modem and the microfilter are plugged in, the installation is complete.

- Support for analog: The customer does not need to make any adjustments to existing telephone equipment; analog voice can still be sent over the local loop.
- Low cost: The cost of ADSL Lite is competitive with the cost of a dial-up connection.

R-ADSL

Rate-adaptive DSL (RADSL) was developed to enhance ADSL by providing the capability to handle line conditions, which affect the maximum transmission rate that ADSL can achieve. By using DMT modulation, RADSL can adapt to changing line conditions, such as rain and temperature, and maximize the transmission speed on a particular line. Although ADSL did not at first offer this capability, it does now. Consequently, there is currently little or no difference between ADSL and RADSL.

ADSL2

ADSL2 enhances ADSL by improving modulation, signal processing, and initialization. As a result, ADSL2 offers faster downstream transmission rates and supports longer distances on the local loop. The new initialization process also improves interoperability between ADSL equipment and offers a fast startup mode, decreasing startup time from approximately 10 seconds to 3 seconds.

In addition, ADSL2 provides enhanced performance-monitoring capabilities. Public carriers can check line conditions to determine if the line will support other types of DSL that have faster transmission rates, and they can monitor line conditions over time and identify and correct any problems that may occur.

To increase transmission rates, ADSL2 provides a digital-only mode, which enables the DSL transceiver to transmit data in the frequency range reserved for analog voice. If companies have separate lines for their telephone network, the digital-only mode enables them to use all of the available bandwidth for ADSL transmissions. ADSL2 also reduces the amount of power required for ADSL connections and can run on existing ADSL equipment.

The most interesting ADSL2 feature may be its support for Channelized Voice over DSL (CVoDSL). CVoDSL eliminates the need to encapsulate voice in higher-layer protocols such as IP or ATM. Instead, CVoDSL is transported at the physical layer. ADSL2 reserves 64 kbps of bandwidth for CVoDSL, which is transported as DS0s. (For more information about PCM and DS0s, see Module 1: Overview of WAN Connections.) Like analog voice, CVoDSL is transmitted to the voice switch at the public carrier's CO.

CVoDSL has several advantages over Voice over IP or Voice over ATM:

- CVoDSL typically provides better sound quality because it has lower latency.
- CVoDSL also has less overhead because it does not require encapsulation. This means it uses less bandwidth and requires less equipment.
- Because CVoDSL is less complex to implement, it is also easier to manage and maintain.

ADSL2+

ADSL2+ significantly increases downstream transmission rates from 12 Mbps to 25 Mbps while supporting local loops as long as 5,000 feet. ADSL2+ also provides an option for companies that require higher upstream transmission rates: By using this option, companies can double the upstream transmission rate.

If crosstalk is a problem, ADSL2+ provides some flexibility in the frequencies that are used for downstream transmissions. ADSL2+ can mask the downstream frequencies below 1.1 MHz and use the frequencies between 1.1 and 2.2 MHz. This eliminates the crosstalk, while maintaining downstream transmission rates.

ADSL Standards

The ITU-T has published standards for ADSL, ADSL Lite, ADSL2, and ADSL2+. (For more information about ITU-T, visit the ITU-T website.) In addition, ETSI has published ADSL standards that take into account the unique requirements of Europe, and the ANSI committee has published standards for North America. (For more information about ETSI and ANSI, visit their respective websites.)

The DSL Forum has published numerous technical reports explaining how to implement ADSL and other xDSL technologies. (For more information, visit the DSL Forum website.)

Module 5 Summary

In this module, you learned the following:

- xDSL provides a point-to-point connection on a permanent physical path with fixed bandwidth.
- There are two groups of xDSL technologies: symmetric and asymmetric.
- ADSL is the most widely implemented type of xDSL.
- ADSL Annex A supports analog voice and ADSL traffic on the same local loop.
- ADSL Annex B and Annex C support ISDN traffic and ADSL traffic on the same local loop.
- The physical infrastructure of an ADSL WAN connection includes splitters, DSLAM, and the regional broadband network.
- ADSL2 and ADSL2+ provide enhancements such as higher transmission rates and new capabilities such as CVoDSL.

Learning Check

1. What is the difference between symmetric xDSL technologies and asymmetric xDSL technologies?

2. Which xDSL technology is sometimes used to provision the local loop for a T1-carrier line?
   a. ADSL2+
   b. VDSL
   c. RADSL
   d. HDSL

3. Which description applies to DMT?
   a. Divides the available bandwidth into three channels
   b. Divides the available bandwidth into one upstream channel and one downstream channel
   c. Divides the available bandwidth into a variable amount of channels, depending on the amount of traffic being received
   d. Divides the available channels into 256 subchannels

4. Which ADSL standard supports analog voice?
   a. Annex A
   b. Annex B
   c. Annex C
   d. Annex D

5. Which device aggregates DSL lines from multiple subscribers?
   a. Broadband access server
   b. Broadband switch
   c. Voice switch
   d. DSLAM


Module 6: Frame Relay

Objectives

This module explains the relationship between Frame Relay and WAN connections. This module also describes the equipment necessary to create a Frame Relay network and the options offered by various Frame Relay carriers. After completing this module, you should be able to:

- Describe the advantages and disadvantages of Frame Relay
- Explain how data travels through a Frame Relay network
- Describe Committed Information Rate (CIR)
- Describe the options to consider when choosing a Frame Relay carrier

Overview of Frame Relay

Frame Relay is a high-performance, packet-switching WAN technology. It can provide an economical alternative to T- and E-carrier lines for companies that need a high-speed, permanent connection, especially if those companies can tolerate slower transmission speeds during peak usage hours.

Frame Relay can carry voice and video traffic, but it is not an ideal WAN solution for time-sensitive applications. Frame Relay was designed for delay-tolerant, bursty traffic, and public carriers usually offer limited Quality of Service. A subscriber with data-only traffic is likely to be more satisfied with Frame Relay service than a subscriber who needs to transmit voice or video. Incidentally, Frame Relay is usually less expensive in the United States than in other locations.

Advantages

Frame Relay packet switching enables Frame Relay carriers to allocate network resources to active users. Unlike Time Division Multiplexed (TDM) technologies, such as dedicated carrier lines and ISDN, packet-switching technologies do not ensure a constant bandwidth. However, LAN and WAN traffic is typically bursty, meaning large amounts of data are often transmitted at once, after which there may be no traffic whatsoever for a period of time. Thus with TDM, when the network is not transmitting, bandwidth is wasted; with packet switching, when one network is not transmitting, another network can use the bandwidth. As a result, Frame Relay is more cost-effective for Frame Relay carriers, making it less expensive in many regions than dedicated carrier lines.

Frame Relay is also extremely flexible. Data in a Frame Relay network generally flows along the same physical path. However, that physical path is controlled simply by software in a switch, rather than any physical configurations. As a result, it is generally much easier to reroute traffic in the event of a switch or line failure.

Disadvantages

Although sharing resources among many circuits in a Frame Relay network provides many advantages, it also has one major drawback: Network throughput will be lower during peak hours if the Frame Relay network becomes congested.

Frame Relay WAN Connection

Frame Relay is a WAN technology that provides an alternate set of data-link layer protocols for controlling the flow of data between peers. As mentioned in Module 1: Overview of WAN Connections, all WAN connections consist of three basic elements:

1. The physical transmission media
2. Electrical signaling specifications for generating, transmitting, and receiving signals through various transmission media
3. Data-link layer protocols that provide logical flow control for moving data between peers in the WAN

Frame Relay can run over carrier lines, ISDN, or DSL. These WAN technologies provide the physical transmission media and signaling specifications necessary for the connection.

With Frame Relay, a router at the subscriber's premises is configured to communicate only with another endpoint router in a point-to-point connection. This connection is called a Virtual Circuit (VC). It can be either a Permanent Virtual Circuit (PVC) or a Switched Virtual Circuit (SVC). PVCs are established by using a carrier line WAN connection or another form of permanent connection. SVCs are formed by using dialup connections. (To review these technologies, see Module 1: Overview of WAN Connections.)

Like carrier lines, Frame Relay is most frequently implemented through a public carrier network. You simply purchase a connection to a public carrier that provides Frame Relay service. The public carrier owns all of the Frame Relay equipment and the WAN infrastructure in the Frame Relay cloud.

When you purchase Frame Relay service, you negotiate a Service Level Agreement (SLA) that specifies the amount of bandwidth you will receive. This bandwidth is called a Committed Information Rate (CIR). The CIR can be considered a guaranteed amount of bandwidth. It is, however, contractually guaranteed, rather than physically guaranteed as it is with dedicated T- and E-carrier lines that use TDM. Because Frame Relay carriers can be fined if they do not provide the CIR commitment, they are generally careful to meet it. (CIR is further explained in a later section.)

Frame Relay Physical Access Options

To provide Frame Relay service, the public carrier network requires Frame Relay switches. If a Frame Relay carrier connects to other carriers, additional equipment such as a network-to-network interface (NNI) or extra routers may be required. Devices for connecting multiple Frame Relay networks are beyond the scope of this course.

At the subscriber's premises, equipment that is required to create carrier lines or ISDN is also required to connect to a Frame Relay network. For example, if you are running Frame Relay over carrier lines, you will need a CSU/DSU. If you are running Frame Relay over ISDN, you will need equipment such as Network Termination 1 (NT1) and Terminal Equipment (TE).

In addition, connecting to a Frame Relay network requires an intelligent device that can encapsulate network traffic into Frame Relay frames. Several different devices can provide Frame Relay encapsulation at the subscriber's premises:

- A standalone Frame Relay assembler/disassembler (FRAD)
- A WAN router with a built-in FRAD
- A FRAD built in to a mainframe, minicomputer, or PC network interface card (NIC)

In addition to performing encapsulation, these Frame Relay access devices may also provide multiplexing, congestion control, or error correction, although such features are optional. Physical access devices other than WAN routers are briefly mentioned in this section. However, this is a course on WAN routing, and subsequent sections will focus on accessing Frame Relay through a router.

Standalone FRADs

A FRAD is a device specifically designed to provide access to Frame Relay networks. FRADs sometimes include better quality of service options (such as congestion control and traffic prioritization) than routers because they are dedicated Frame Relay devices. However, FRADs generally don't provide routing or multiplexing functions. A WAN that uses a FRAD to connect to Frame Relay requires a separate router and multiplexer.

WAN Routers

Most WAN routers on the market today have built-in FRADs and include Frame Relay as a standard choice of data-link layer protocols. Because many WAN routers now provide features such as multiplexing, a built-in CSU/DSU, and a built-in FRAD, a WAN router is becoming the most popular way of accessing Frame Relay networks.

Computers with Built-In FRADs

Mainframes and minicomputers can also include built-in FRADs, enabling them to connect directly to a Frame Relay network. Frame Relay NICs are also available for PCs, enabling them to route and encapsulate traffic for a Frame Relay network. However, such implementations are uncommon.

Data Link Connection Identifier (DLCI)

The addressing scheme used by Frame Relay relies on the Data-Link Connection Identifier (DLCI, pronounced "del-see"). Unlike the process used in most addressing schemes, the DLCI is not assigned to a particular node on the network; instead, the DLCI identifies the VC. The DLCI has only local significance and is changed at each switch when a frame is forwarded to the next node.

As the figure shows, a frame that is sent from the main office to branch office B would be routed as follows:

1. The router at the main office addresses the frame with DLCI 17 and sends it out.
2. The frame arrives at port A on the Frame Relay switch.
3. The Frame Relay switch changes the address on all frames. When it receives frames from DLCI 17 on port A, it changes the DLCI to
4. The Frame Relay switch is configured to send these frames out on port C, which is the port connected to branch office B.

A frame that is sent from the main office to branch office A would be routed as follows:

1. The router at the main office addresses the frame with DLCI 16 and sends it out.
2. The frame arrives at port A on the Frame Relay switch.
3. The Frame Relay switch changes the address on all frames. When it receives frames from DLCI 16 on port A, it changes the DLCI to
4. The Frame Relay switch is configured to send these frames out on port B, which is the port connected to branch office A.

You must manually configure the WAN routers at all sites with a DLCI. In most cases, the Frame Relay carrier will tell you which DLCIs to use. DLCIs can be numbered from 0 to 1023. However, the range 16 to 991 is reserved for subscribers to assign to a VC. DLCI 0 and DLCI 1023 are reserved for use by Frame Relay management protocols. All other DLCIs are reserved either for future use or for Frame Relay carriers to assign to VCs between switches.
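The per-hop DLCI rewrite and the DLCI ranges above, as an added example (not code from the course): the two-octet Frame Relay address field is parsed and rebuilt bit by bit, each DLCI is classified by the ranges the page gives, and a switch table swaps the inbound DLCI for the outbound one while leaving the congestion and discard bits untouched. The bit layout is the standard ANSI T1.618 / ITU-T Q.922 two-octet format; the outbound DLCIs and port names in the table are constructed, since the page names only the inbound DLCIs 16 and 17 on port A.

```python
"""Parse and build the two-octet Frame Relay address field (ANSI T1.618 /
ITU-T Q.922) and apply the per-hop DLCI rewrite that a Frame Relay switch
performs.

Added example. The bit layout is the standard two-octet format; the switch
table's ports and outbound DLCIs are constructed (the page gives inbound
DLCIs 16 and 17 on port A, but not the numbers the switch rewrites them to).
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FrAddress:
    dlci: int        # 10-bit Data-Link Connection Identifier (local to this hop)
    cr: int = 0      # command/response bit, carried transparently
    fecn: int = 0    # forward explicit congestion notification
    becn: int = 0    # backward explicit congestion notification
    de: int = 0      # discard eligibility


def parse_address(octets):
    """Octet 1: DLCI high 6 bits, C/R, EA=0.  Octet 2: DLCI low 4 bits,
    FECN, BECN, DE, EA=1.  Anything else is rejected rather than guessed at."""
    if len(octets) < 2:
        raise ValueError("address field needs two octets")
    b0, b1 = octets[0], octets[1]
    if (b0 & 0x01) != 0 or (b1 & 0x01) != 1:
        raise ValueError("EA bits do not describe a two-octet address")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return FrAddress(dlci=dlci, cr=(b0 >> 1) & 1, fecn=(b1 >> 3) & 1,
                     becn=(b1 >> 2) & 1, de=(b1 >> 1) & 1)


def build_address(addr):
    """Inverse of parse_address; refuses DLCIs that do not fit in 10 bits."""
    if not 0 <= addr.dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((addr.dlci >> 4) << 2) | (addr.cr << 1)            # EA = 0
    b1 = (((addr.dlci & 0x0F) << 4) | (addr.fecn << 3) | (addr.becn << 2)
          | (addr.de << 1) | 1)                                 # EA = 1
    return bytes([b0, b1])


def dlci_class(dlci):
    """Classify a DLCI using the ranges given on the page."""
    if dlci in (0, 1023):
        return "management"
    if 16 <= dlci <= 991:
        return "subscriber VC"
    return "reserved or carrier-internal"


# Constructed switch table: (inbound port, inbound DLCI) -> (outbound port, outbound DLCI)
SWITCH_TABLE = {
    ("A", 17): ("C", 45),   # main office -> branch office B
    ("A", 16): ("B", 33),   # main office -> branch office A
}


def forward(frame, in_port, table=SWITCH_TABLE):
    """Rewrite the DLCI for the next hop and return (out_port, new_frame).

    Only the DLCI changes, because it has local significance on each link;
    the C/R, FECN, BECN and DE bits ride through unchanged.  Frames on a
    management or unconfigured DLCI are refused instead of being forwarded.
    """
    addr = parse_address(frame[:2])
    if dlci_class(addr.dlci) != "subscriber VC":
        raise ValueError("DLCI %d is not a subscriber VC" % addr.dlci)
    if (in_port, addr.dlci) not in table:
        raise ValueError("no VC configured for DLCI %d on port %s"
                         % (addr.dlci, in_port))
    out_port, out_dlci = table[(in_port, addr.dlci)]
    return out_port, build_address(replace(addr, dlci=out_dlci)) + frame[2:]
```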

Committed Information Rate

As stated earlier, the Frame Relay carrier will guarantee the subscriber a specific amount of bandwidth, which is called the CIR. Determining how much bandwidth needs to be dedicated to a WAN connection is crucial to designing any WAN. To make this decision for a Frame Relay network, you need to understand CIR.

CIRs are generally offered in multiples of 8 Kbps up to 64 Kbps and then in multiples of 64 Kbps. The CIR can be as low as zero.

The figure shows an example of what could be a typical CIR on a T1 line in the United States or Canada. The port speed at the carrier's Frame Relay switch is Mbps (T1 speed). The subscriber purchased a CIR of 64 Kbps. If the carrier sells 24 CIRs at 64 Kbps, the CIRs would equal the line speed (24 x 64 = 1536). In this case, the line would be 100 percent subscribed.

A TDM technology, such as dedicated carrier lines, can be only 100 percent subscribed. However, researchers from the MCI Internet Telephony Consortium estimate the average carrier line utilization to be only 34 percent.

Frame Relay is cost-effective, in part, because Frame Relay ports can be oversubscribed. The statistical probability that all subscribers will attempt to transmit at once is low. For one T1-speed port, a Frame Relay carrier is likely to sell approximately 36 CIRs that guarantee 64 Kbps, a 150 percent oversubscription. To make better use of resources, the Frame Relay carrier takes the odds into account and then gambles against all subscribers transmitting at once.

Although the CIR is guaranteed in an SLA, and it is unlikely that the CIR will not be met, it is theoretically possible. Despite this possibility, the important consideration when choosing a CIR is how much bandwidth is needed. It is unlikely that a Frame Relay carrier will fail to meet the CIR, and if it were to happen, the subscriber would be reimbursed for it.

Excess Information Rate

In addition to guaranteeing a CIR, Frame Relay carriers promise that when the network is not congested, a VC will be able to transmit data at a faster rate. Depending on the Frame Relay carrier and the contract, this faster rate, called the Excess Information Rate (EIR), may be negotiable, or it may simply equal the speed of the port. The public carrier doesn't guarantee delivery at the faster rate, however. EIR frames are delivered on a best-effort basis. The EIR can be looked upon as a bonus but cannot be counted on. Therefore, most subscribers purchase crucial bandwidth as part of the CIR.

Congestion Management: DE Bit

The Frame Relay frame header contains the discard eligibility (DE) bit, which Frame Relay carriers use to maintain multiple CIRs. The subscriber can also set this bit if some traffic transported over the Frame Relay network is more important than other traffic.

If the network is beginning to experience congestion, Frame Relay switches begin analyzing which circuits are exceeding their CIR. Frames that exceed the CIR have the DE bit set. Setting the DE bit to 1 marks a frame as more eligible for discard than other frames. If the switch is forced to discard frames, it first discards the frames with the DE bit set. Frames that exceed a subscriber's EIR are discarded whether or not the network is experiencing congestion.

Although a subscriber can also set the DE bit, the DE bit is not a good mechanism for prioritizing traffic. It has no built-in failsafes to ensure that lower priority traffic is eventually delivered. In general practice, it is better to leave the DE bit to the Frame Relay carrier and employ a more robust quality of service mechanism at the subscriber's premises. (For more information about quality of service, see Module 9: Quality of Service and Advanced WAN Routing.)
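The CIR, EIR and DE-bit behaviour from the last three sections, as an added example that is not course material: a per-interval policer passes traffic within the CIR unchanged, marks traffic between the CIR and EIR with DE=1, discards traffic above the EIR regardless of congestion, and a congested output queue drops DE=1 frames first; the oversubscription arithmetic from the CIR section (24 and 36 CIRs of 64 Kbps on a T1 port) is included. The interval Tc, the frame sizes, the 128 Kbps EIR and the queue depth are constructed parameters.

```python
"""Model the CIR / EIR policing and DE-bit handling the page attributes to a
Frame Relay switch, plus the port-oversubscription arithmetic from the CIR
section (24 x 64 Kbps fills a 1536 Kbps port; 36 x 64 Kbps is 150 percent).

Added example, not course material. The measurement interval Tc, frame sizes,
the 128 Kbps EIR and the output-queue depth are constructed parameters.
"""
from dataclasses import dataclass


@dataclass
class Frame:
    dlci: int
    size_bytes: int
    de: int = 0          # discard eligibility bit from the address field


def oversubscription_percent(port_kbps, vc_count, cir_kbps):
    """Sum of sold CIRs as a percentage of the port speed (100 = fully subscribed)."""
    return 100.0 * vc_count * cir_kbps / port_kbps


def police_interval(frames, cir_kbps, eir_kbps, tc_seconds=1.0):
    """Police one VC's frames over one measurement interval Tc.

    Up to the committed burst (CIR x Tc) frames pass unchanged; between that
    and the excess burst (EIR x Tc) they pass with DE=1; anything beyond the
    EIR is discarded whether or not the network is congested.
    Returns (forwarded, discarded).
    """
    committed_bytes = cir_kbps * 1000 * tc_seconds / 8
    excess_bytes = eir_kbps * 1000 * tc_seconds / 8
    accepted = 0
    forwarded, discarded = [], []
    for f in frames:
        if accepted + f.size_bytes <= committed_bytes:
            forwarded.append(Frame(f.dlci, f.size_bytes, de=f.de))
        elif accepted + f.size_bytes <= excess_bytes:
            forwarded.append(Frame(f.dlci, f.size_bytes, de=1))
        else:
            discarded.append(f)          # over EIR: dropped, never marked
            continue
        accepted += f.size_bytes
    return forwarded, discarded


def congested_output(frames, queue_bytes):
    """When the outbound queue cannot hold every frame, drop DE=1 frames first
    (oldest first) and only then start dropping DE=0 frames."""
    kept = list(frames)
    load = sum(f.size_bytes for f in kept)
    for de_value in (1, 0):
        for f in [x for x in kept if x.de == de_value]:
            if load <= queue_bytes:
                break
            kept.remove(f)
            load -= f.size_bytes
    return kept


def demo():
    """Constructed traffic: DLCI 17 sends twelve 1500-byte frames in one second
    against a 64 Kbps CIR and a 128 Kbps EIR, then meets a 9000-byte queue."""
    burst = [Frame(17, 1500) for _ in range(12)]
    forwarded, discarded = police_interval(burst, cir_kbps=64, eir_kbps=128)
    survived = congested_output(forwarded, queue_bytes=9000)
    return {
        "t1_fully_subscribed": oversubscription_percent(1536, 24, 64),
        "t1_oversold": oversubscription_percent(1536, 36, 64),
        "forwarded": len(forwarded),
        "marked_de": sum(f.de for f in forwarded),
        "discarded_over_eir": len(discarded),
        "survived_congestion": len(survived),
    }
```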

Congestion Management: FECN and BECN

Explicit Congestion Notification

Frame Relay has explicit congestion notification built into its format, although its usefulness is extremely limited. The Frame Relay header contains a Forward Explicit Congestion Notification (FECN) bit and a Backward Explicit Congestion Notification (BECN) bit.

If the FECN bit is set to 1, it signals the router at the receiving end of a VC that the VC was congested. The receiver can do nothing about congestion: it cannot slow down incoming traffic, and Frame Relay has no built-in mechanism by which the receiver can signal the sender that the circuit is congested. The usefulness of the FECN is limited to analyzing whether the VC may need a higher CIR, if frames are frequently received with the FECN bit set.

If the BECN bit is set, it signals the router at the sending end of a VC that the VC is congested. A sending router that is built to respond to a BECN can attempt to slow down the flow of traffic by buffering frames. Because router memory is generally limited, however, this is not an effective means of congestion management.

Implicit Congestion Notification

Implicit congestion notification is not actually handled by Frame Relay at all. When higher layer protocols, such as TCP, determine that packets are being dropped, the cause is assumed to be network congestion. Those protocols have built-in flow control, and a receiver can signal the sender to slow the flow of data. Unlike these higher layer protocols, Frame Relay does not include built-in flow control.

Frame Relay Standards

This section provides a brief overview of the standards bodies that govern Frame Relay protocols, as well as the various protocols and protocol extensions available.

Both the ITU Telecommunications Standardization Sector (ITU-T) and the American National Standards Institute (ANSI) have published a large number of standards documents related to Frame Relay. Core aspects of the Frame Relay protocol, such as frame formats, are defined in ANSI T1.618 and ITU-T Q.922. Q.922 is generally called Link Access Procedures for Frame Mode Bearer Services (LAPF) and is based on the LAPD protocol (Q.921) used in ISDN. LAPF performs the basic data-link layer data transfer and link management functions.

In addition to the ITU-T and the ANSI standards bodies, a standards body known as the Frame Relay Forum (FRF) produced many implementation agreements that add functionality to Frame Relay. In 2003, the FRF merged with the Multi-Protocol Label Switching (MPLS) Forum to form the MPLS and Frame Relay Alliance.

Following is a small sample of the functions governed by FRF implementation agreements:
- Multiprotocol encapsulation (FRF.3.2)
- Definitions in an SLA (FRF.13)
- Link aggregation in Multilink Frame Relay (FRF.15 and FRF.16.1)

Frame Relay Signaling Protocols

PVC signaling protocols periodically send status messages to verify the integrity of the Frame Relay link. Three signaling protocols are available. The Frame Relay carrier tells the subscriber which signaling protocol to use, and the subscriber configures the WAN router to use it.

Local Management Interface (LMI)
Although LMI is not defined by a standards body, it was the first signaling protocol designed for Frame Relay and is still commonly used. Because Cisco Systems was one of the companies that helped develop LMI, this signaling protocol is called "Cisco" in Cisco router software.

ITU-T Q.933 Annex A
The ITU-T protocol is often referred to simply as Annex A. This signaling protocol is based on the Q.931 signaling protocol for ISDN.

ANSI T1.617 Annex D
The ANSI protocol is often referred to simply as Annex D. This signaling protocol is similar to Annex A.

Frame Relay Service Level Agreements

The functionality of a Frame Relay network depends largely on the carrier, and pricing schemes vary widely from one carrier to another. In most cases, the Frame Relay carrier negotiates a Service Level Agreement (SLA) with the subscriber. An SLA package can include network management, consulting and design, disaster recovery, and quality of service. Because some Frame Relay carriers offer all of these services and other carriers offer only a portion of them, they are important considerations when choosing a carrier.

Network Management Options
Many Frame Relay carriers offer the following options for better managing a Frame Relay network:
- Simple Network Management Protocol (SNMP) support
- Performance reports

In addition, some Frame Relay carriers offer full management support, meaning they will actually manage equipment on the subscriber's premises.

Consulting and Design Options
For complex networks, it might be helpful to find a Frame Relay carrier that will help design the network, including helping to select and install hardware at the subscriber's premises.

Disaster Recovery Options
Frame Relay carriers may offer redundant connections for the following components:
- Local loop lines
- Port connections
- VC rerouting

Quality of Service Options
Frame Relay carriers that have up-to-date Frame Relay switches support traffic prioritization for time-sensitive traffic such as voice or Systems Network Architecture (SNA) traffic.

Module 6 Summary

In this module, you learned the following:

Characteristics of Frame Relay:
- Point-to-point connection
- Permanent or temporary physical path
- Packet-switched
- Variable bandwidth

WAN connections that support Frame Relay:
- Carrier lines
- ISDN
- DSL

Frame Relay technologies:
- FRAD, which provides encapsulation at the subscriber's premises
- DLCI, which is the Frame Relay address that identifies the VC
- CIR, which is the guaranteed amount of bandwidth the customer receives
- EIR, which defines a faster rate the customer may receive if the network is not congested
- DE bit, which is used to identify frames from circuits that are exceeding their CIR
- FECN, which signals the router at the receiving end of a VC that the VC is congested
- BECN, which signals the router at the sending end of a VC that the VC is congested
- Signaling protocols: LMI, Annex A, or Annex D
- SLA, which is the agreement between the public carrier and the customer that controls the Frame Relay connection

Learning Check: Module 6

1. Which function does the FRAD perform?
   a. Provides the network address for the WAN router
   b. Monitors the connection to ensure that the network does not exceed the bandwidth agreed upon in the SLA
   c. Encapsulates packets into Frame Relay
   d. Defines the amount of bandwidth that the subscriber can use

2. What is used to signal a router at the receiving end that the VC is congested?
   a. DE Bit
   b. FECN
   c. BECN
   d. LMI

3. What defines a faster transmission that the subscriber can use if extra bandwidth is available on the Frame Relay network?
   a. CIR
   b. BE Bit
   c. EIR
   d. Annex D

Module 7: Virtual Private Networks

Objectives

This module introduces another method of connecting two sites: Virtual Private Networks (VPNs). It explains how VPNs create secure, private communication across an existing public network and then describes how Internet Protocol Security (IPSec) can be used to connect private networks or remote users to a corporate network.

After completing this module, you will be able to:
- Define a VPN
- Describe the functions of the IPSec headers
- Explain how IPSec performs tunneling
- Describe the authentication features in IPSec
- Explain how IPSec's Internet Key Exchange (IKE) manages keys
- Describe the encryption features in IPSec

Defining VPNs

A VPN is a secure, private communication across an existing public network (for this course, the Internet). A VPN can connect two or more private networks, typically a corporate headquarters and branch offices, or it can connect remote users to the corporate network. VPNs are as safe to use as WAN connections (such as carrier lines, Integrated Services Digital Network connections, or Digital Subscriber Lines) that run entirely over private leased lines. Packets tunneled through a VPN are encrypted with a cryptographic algorithm and keys and are then encapsulated. VPNs also authenticate identity and provide additional security features.

Why would you use a VPN in lieu of a traditional WAN connection? VPNs are typically less expensive to implement. The cost of a VPN depends on several factors:
- The VPN solution your company chooses
- The number of sites and users your company wants to connect
- The location of sites and users

After you determine the cost of implementing a VPN, you can compare it with the cost of a traditional WAN to see if your company will save money by using a VPN.

Types of VPNs

Depending on the type of access you need for your company and its users, you can implement the following types of VPNs:

Site-to-site VPN: You use a site-to-site VPN to connect multiple, physically distributed, fixed sites over the Internet. This type of VPN provides most of the benefits of a private WAN. For example, branch offices can access files and applications on the corporate network without compromising security.

Client-to-site VPN: You use a client-to-site VPN when you have remote users who need to access the internal network. As with a modem bank or a remote access server on the corporate network, remote users connecting to the network through a client-to-site VPN can access files and applications without compromising security. Using a third-party service provider, users dial a toll-free number to connect with the router. The users must have VPN client software installed on their computers to access the internal network.

IPSec Versus PPTP

When implementing a VPN, you must select one of the following infrastructures:
- Internet Protocol Security (IPSec)
- Point-to-Point Tunneling Protocol (PPTP)

Both IPSec and PPTP encrypt and encapsulate data and protocol information within IP packets. The Internet Engineering Task Force (IETF) created IPSec to provide a flexible and secure VPN framework. Microsoft collaborated with several other companies to create PPTP. Although PPTP was originally designed to run with private Microsoft networks, it has become a standard for VPN tunneling. It is less expensive than IPSec and relatively easy to use. However, it does not provide the same level of security that IPSec provides.

This module focuses on IPSec and then briefly describes PPTP.

IPSec Standard

The de facto VPN standard, IPSec provides security services at the IP layer (which resides at the network layer of the OSI model). IPSec is designed to be flexible, providing an open framework for implementing industry-standard algorithms and cryptographic keys. As a result, a system can select the security protocols, algorithms, and cryptographic keys used to establish and maintain a VPN.

An IPSec VPN enables:
- Tunneling
- Key management
- Authentication
- Encryption

This module defines IPSec components and explains how these components are combined to create an IPSec VPN.

IPSec Security Protocols

IPSec includes two security protocols that provide authentication and encryption:
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)

These protocols are also sometimes called IPSec headers because they add a header to the IP packets transported through the VPN tunnel. (Only the two IPSec hosts, one at each end of the tunnel, need to deal with these headers.)

AH is used for authentication. It verifies the identity of the sender and the integrity of packet contents. It can also provide an anti-replay service, which ensures that the message cannot be reused or replayed. AH does not, however, provide encryption.

ESP provides confidentiality by encrypting packets before transmission. ESP can also provide authentication and anti-replay service, but its authentication capabilities are more limited than those of AH.

AH and ESP can be used independently or together; for most applications, just one of these protocols is sufficient.

Security Associations

When an IPSec connection is created, the two hosts must establish a Security Association (SA), which defines the connection, including the exact set of security services that will be used to protect the traffic transmitted across that connection. That is, the SA specifies the tunneling, key management, authentication, and encryption used for that connection.

SAs are directly related to the IPSec protocols. After a protocol is selected, an SA is established. If two peers are using both AH and ESP for a particular connection, the two protocols cannot share an SA. Each protocol must have at least one SA. If the security policy requires a combination of security services that cannot be defined in one SA, more than one SA may be required for each protocol. (For more information, see Internet Engineering Task Force [IETF] Request for Comments [RFC] 2401.)

The process of establishing an SA between peers is discussed in more depth later in this module.

IPSec Modes

The SA defines one of the following modes:
- Tunnel mode
- Transport mode (also a tunnel)

IPSec tunnel mode is useful for protecting traffic between networks or between a computer and a network. Tunnel mode is required if one of the tunnel endpoints is a security gateway, that is, if the traffic either originates from or is destined for a node other than a tunnel endpoint. IPSec tunnel mode operates in pure IPSec mode: no other tunneling protocols are involved.

IPSec transport mode is ideal for delivering authenticity and encryption end to end: the traffic source and the ultimate destination are in fact the tunnel endpoints. IPSec in transport mode is typically used in conjunction with other tunneling protocols, such as Layer 2 Tunneling Protocol (L2TP) and Generic Routing Encapsulation (GRE).

Tunnel Mode

Authentication
You can use AH and ESP, either or both, in IPSec tunnel mode. AH and ESP handle authentication differently: AH authenticates the entire IP packet, including the additional IP header, while ESP authenticates only from the payload of the ESP encapsulation.

Encryption
In IPSec tunnel mode, encryption is optional. If encryption is used, the entire IP datagram, header and payload, is encrypted and transmitted between the two tunnel devices. The receiving device decrypts the packet and forwards the original datagram to the destination host.

If you use IPSec tunnel mode to implement IPSec security, no changes are required to the source and destination devices. The original IP packet is encapsulated with the AH or ESP header and an additional IP header. Because the source and destination addresses are hidden, a hacker cannot use a protocol analyzer to read the original packet information. The new IP header does expand the size of the packet by 20 bytes, however, which affects performance. (Twenty bytes is the minimum size of an IP header.)

Transport Mode

Authentication
You can use AH and ESP, either or both, in IPSec transport mode. As with tunnel mode, AH authenticates all fields in the packet, while ESP authenticates from the payload of the ESP encapsulation.

Encryption
IPSec transport mode is used only between VPN hosts. It encapsulates and encrypts only the data portion (payload) of each IP packet and leaves the header untouched. Overhead is therefore minimal, which improves throughput.

Because the packet header is not encrypted, transport mode is not as secure as tunnel mode. If a hacker intercepts a packet, he or she will be able to read the packet's source and destination addresses. In addition, because the entire packet is not encapsulated, the network-layer IPSec must work in tandem with other tunneling protocols, such as GRE and L2TP, to transport any non-IP protocols through its tunnel. In the figure above, for example, GRE is used to encapsulate the original data packet. IPSec is then used to protect the GRE tunnel packets. IPSec places a header between the packet's IP header and the header of the GRE tunnel.

IPSec Standard Key Management Process

IPSec authentication and encryption rely foremost upon the strength of both the selected method and the management of key exchange. Key management is essentially the distribution, authentication, and handling of encryption algorithms and keys.

Key management is an ongoing process. For optimal security, VPN hosts must change keys regularly to avoid their unauthorized interception. When configuring your VPN, you must decide whether you want to use manual or automatic key management. You should choose manual key management only if you have a small and static environment, because you must manually configure each system with its own and the other communicating parties' keys.

Managing keys automatically simplifies the following processes:
- Negotiating with other devices on which protocols, encryption algorithms, and keys to use
- Exchanging keys (which includes rotating keys often and ensuring they are not similar in construction)
- Keeping track of all agreements

IPSec was designed to use automatic key management and Internet Key Exchange (IKE) to perform these functions.

IKE

VPN hosts use IKE to create an SA for a particular connection. When a host attempts to communicate with another host, IPSec assumes that an SA is already in place and checks its database for this SA. If the SA exists, the host simply applies the specified algorithms and keys and inserts a number called the security parameter index (SPI), which identifies to the receiving host which SA the sending host is using to protect the packet.

If an SA does not exist, the two hosts use IKE to establish an SA. IKE enables the hosts to establish a temporary SA, which is called the IKE SA. The two hosts can then create a preparatory IKE tunnel so that they can communicate and negotiate the actual SA or SAs that will control the connection.

To create IKE SAs and the IKE tunnel, the hosts perform the following steps:
1. The initiating computer (Initiator) first sends a message to the recipient computer (Responder) proposing several security parameter options for communication. Each proposed option includes an authentication method, an encryption algorithm, and a hash algorithm. The Responder accepts one of these options, provided one is listed in the Responder's accepted list, and sends it back to the Initiator. This exchange sets the security policy for the next exchange of messages.
2. Both the Initiator and the Responder send each other values in order to establish a shared secret, which will be used to create keys.
3. The last message exchange is encrypted and authenticates each party to ensure identity. The keys that will encrypt data in the new secure tunnel are determined at this point of the exchange.

The process of exchanging keys is tightly coupled with both authentication and encryption.
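The three IKE steps listed above, as an added model that is not part of the course or of any IKE implementation: proposal negotiation, a Diffie-Hellman style shared secret, and an authenticated final exchange that yields the tunnel key. The group modulus and generator are a constructed toy group (not a real IKE group), the pre-shared key is the assumed authentication method, and the proposal names, peer names and PSK are constructed sample values.

```python
"""Toy model of the IKE steps above: proposal negotiation, shared-secret
establishment, and an authenticated final exchange from which the tunnel key
is derived.

TOY_P / TOY_G form a constructed toy Diffie-Hellman group, not one of the
MODP groups real IKE uses; the PSK and proposal names are constructed sample
values. Nothing here is wire-format IKE.
"""
import hashlib
import hmac
import secrets

TOY_P = 2**127 - 1     # constructed toy modulus (a Mersenne prime)
TOY_G = 3              # constructed toy generator
_LEN = 16              # bytes needed to encode any value below TOY_P


def negotiate(initiator_proposals, responder_accepted):
    """Step 1: the Responder returns the first Initiator proposal on its accepted list."""
    for proposal in initiator_proposals:
        if proposal in responder_accepted:
            return proposal
    return None        # no common policy: the negotiation fails


class IkePeer:
    def __init__(self, name, psk, accepted_proposals):
        self.name = name
        self.psk = psk                       # pre-shared key: the authentication method here
        self.accepted = accepted_proposals   # (authentication, encryption, hash) tuples
        self.private = 2 + secrets.randbelow(TOY_P - 3)
        self.public = pow(TOY_G, self.private, TOY_P)
        self.shared_secret = None

    def compute_shared_secret(self, peer_public):
        """Step 2: only public values cross the wire; each side mixes in its private value."""
        self.shared_secret = pow(peer_public, self.private, TOY_P)

    def _skeyid(self):
        # Key material tied to both the DH secret and the PSK, so a wrong PSK fails step 3
        return hmac.new(self.psk, self.shared_secret.to_bytes(_LEN, "big"), hashlib.sha256).digest()

    def auth_tag(self, identity, identity_public, other_public, policy):
        """Step 3: proof of identity bound to both public values and the agreed policy."""
        msg = (identity.encode() + identity_public.to_bytes(_LEN, "big")
               + other_public.to_bytes(_LEN, "big") + repr(policy).encode())
        return hmac.new(self._skeyid(), msg, hashlib.sha256).digest()

    def tunnel_key(self, policy):
        """Key for the IKE tunnel, derived once both sides are authenticated."""
        return hmac.new(self._skeyid(), b"ike-tunnel|" + repr(policy).encode(),
                        hashlib.sha256).hexdigest()


def establish_ike_sa(initiator, responder):
    """Run the exchanges between two peers; return the IKE SA or None on failure."""
    policy = negotiate(initiator.accepted, responder.accepted)
    if policy is None:
        return None
    initiator.compute_shared_secret(responder.public)
    responder.compute_shared_secret(initiator.public)
    tag_i = initiator.auth_tag(initiator.name, initiator.public, responder.public, policy)
    tag_r = responder.auth_tag(responder.name, responder.public, initiator.public, policy)
    # Each side recomputes the other's tag from its own key material (constant-time compare)
    responder_ok = hmac.compare_digest(
        tag_i, responder.auth_tag(initiator.name, initiator.public, responder.public, policy))
    initiator_ok = hmac.compare_digest(
        tag_r, initiator.auth_tag(responder.name, responder.public, initiator.public, policy))
    if not (responder_ok and initiator_ok):
        return None
    return {"policy": policy,
            "initiator_key": initiator.tunnel_key(policy),
            "responder_key": responder.tunnel_key(policy)}


# Constructed sample policies: (authentication method, encryption algorithm, hash algorithm)
INITIATOR_PROPOSALS = [("psk", "AES-256", "SHA-256"), ("psk", "3DES", "SHA-1")]
RESPONDER_ACCEPTED = [("psk", "3DES", "SHA-1"), ("psk", "AES-128", "SHA-256")]


def demo(responder_psk=b"constructed-psk"):
    gw_a = IkePeer("gw-a", b"constructed-psk", INITIATOR_PROPOSALS)
    gw_b = IkePeer("gw-b", responder_psk, RESPONDER_ACCEPTED)
    return establish_ike_sa(gw_a, gw_b)


if __name__ == "__main__":
    print("matching PSK:", demo())
    print("wrong PSK:   ", demo(b"wrong"))
```

With matching PSKs both peers end up with the same tunnel key; a peer holding a different PSK computes a different tag in step 3 and the SA is never created.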

IPSec Standard Authentication Process

As mentioned earlier, both AH and ESP provide authentication for IPSec VPNs. Specifically, the two protocols provide several overlapping data authentication functions:
- Integrity check value (ICV): a digital signature that authenticates the entire packet except the authentication field. The length depends on the authentication algorithm used.
- Security parameter index (SPI): a number that specifies the security details (including algorithms, keys, and length of validity for those keys) the hosts agreed upon prior to data transmission.
- Sequence number: a counter that increases each time a packet is sent to the same address using the same SPI. It therefore tells you how many packets have been sent with the same security parameters. It also identifies the order in which packets should be reassembled.

Key Management and Authentication: Digital Certificates

To provide more scalability and to simplify key management, IPSec supports digital certificates. These digital documents enable the secure exchange of keys and vouch for the identity of an individual, a computer system (or a specific server running on that system), or an organization. Without digital certificate support, IPSec VPNs would not be able to scale to the Internet.

A trusted third party known as a Certificate Authority (CA) is responsible for generating, distributing, and revoking digital certificates. A CA can be an external company, such as VeriSign, or an internal organization, such as a corporate IS department. The CA keeps a record for a particular user and verifies that user's identity based on that information.

A digital certificate's format for use on the Internet is based on the X.509 version 3 standard. The certificate has three parts:
- Identifying information
- Signature algorithm (hash)
- Digital signature of the CA

Identifying Information
The identifying information in a digital certificate includes the following data:
- Version number
- Serial number
- Issuer name
- Subject name
- Start and end date of the certificate (validity period)
- Public key (algorithm, key)

Signature Algorithm
The digital certificate is passed through a mathematical function known as a hash. The hash provides a summary of the data: a fixed-length string of digits known as a message digest. Much like a fingerprint, this summary is unique for every message. The CA then uses its private key to encrypt the message digest. (Public and private encryption keys are discussed later in this module.) The hash reduces the amount of data that must be signed and thus does not affect performance.

Digital Signature
The encrypted message digest becomes the sender's digital signature. This signature is appended to the digital certificate, and the certificate is then sent to the recipient along with the sender's message or packet. The recipient separates the sender's signature from the certificate and then uses the CA's public key to decrypt the sender's digital signature. The message digest is revealed. The recipient also gets the sender's public key from the digital certificate, which is normally used to secure the exchange of symmetric keys. These symmetric keys are then used to encrypt communications between the recipient and the sender.

The hash function that originally created the message digest is also included in the digital certificate. The recipient passes the digital certificate through this same hash function. The result is a second message digest. The two message digests will be identical only if the information was not modified in transit. If the two digests are equal, the recipient can be sure that the data was not corrupted and that the claimed sender actually did send the packet.
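The hash-then-sign-then-compare sequence described above, as an added example that is not the course's or any CA's code. Textbook RSA on two fixed Mersenne primes stands in for the CA's signature algorithm (no padding scheme, no real key generation), so the "encrypt the digest with the private key, decrypt it with the public key" description maps literally onto modular exponentiation; the issuer, subject, serial number, dates and subject key are constructed sample values.

```python
"""Toy certificate signing and verification following the steps in the text:
hash the identifying information to a message digest, let the CA encrypt the
digest with its private key, and let the recipient decrypt the signature with the
CA's public key and compare digests.

The CA key is a constructed teaching key (textbook RSA on known Mersenne primes,
no padding); it is not usable for real certificates. All certificate contents
are constructed sample values.
"""
import hashlib
import json

# Constructed toy CA key pair: n = p*q with p, q known Mersenne primes, e = 65537.
_P = 2**521 - 1
_Q = 2**607 - 1
CA_MODULUS = _P * _Q
CA_PUBLIC_EXP = 65537


def _modinv(a, m):
    """Inverse of a modulo m via the extended Euclidean algorithm."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e and phi(n) are not coprime")
    return old_s % m


CA_PRIVATE_EXP = _modinv(CA_PUBLIC_EXP, (_P - 1) * (_Q - 1))


def identifying_info(subject, issuer, serial, not_before, not_after, subject_public_key):
    """The certificate fields listed above: version, serial, issuer, subject, validity, key."""
    return {
        "version": 3,
        "serial_number": serial,
        "issuer": issuer,
        "subject": subject,
        "validity": {"not_before": not_before, "not_after": not_after},
        "public_key": {"algorithm": "toy-rsa", "key": subject_public_key},
    }


def message_digest(info):
    """Fixed-length digest of the canonically encoded identifying information."""
    canonical = json.dumps(info, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big")


def ca_sign(info):
    """The CA encrypts the digest with its private key: digest^d mod n."""
    return pow(message_digest(info), CA_PRIVATE_EXP, CA_MODULUS)


def issue_certificate(info):
    """Identifying information, the hash/signature algorithm name, and the CA signature."""
    return {"identifying_info": info,
            "signature_algorithm": "sha256-toy-rsa",
            "signature": ca_sign(info)}


def verify_certificate(cert):
    """Recipient: decrypt the signature with the CA public key and compare digests."""
    recovered_digest = pow(cert["signature"], CA_PUBLIC_EXP, CA_MODULUS)
    return recovered_digest == message_digest(cert["identifying_info"])


def sample_certificate():
    info = identifying_info(
        subject="CN=branch-gw.example.test",
        issuer="CN=Example Corp Internal CA",
        serial=1001,
        not_before="2005-01-01T00:00:00Z",
        not_after="2006-01-01T00:00:00Z",
        subject_public_key="00deadbeef (constructed placeholder)",
    )
    return issue_certificate(info)


def tampered_copy(cert, new_subject):
    """Same signature, altered identifying information: the two digests no longer match."""
    altered = json.loads(json.dumps(cert))
    altered["identifying_info"]["subject"] = new_subject
    return altered


if __name__ == "__main__":
    cert = sample_certificate()
    print("genuine verifies: ", verify_certificate(cert))
    print("tampered verifies:", verify_certificate(tampered_copy(cert, "CN=other.example.test")))
```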

Extended Authentication: RADIUS Server

In addition to providing data authentication functions, IPSec supports the use of authentication servers, which require users to provide information to verify their identity. By centralizing authentication services on a company's enterprise network, these services can simplify user administration and enhance overall security.

For example, the RADIUS client/server architecture allows all security information to be located in a single, central database, instead of scattered around the network in several different devices. All user information is kept in the RADIUS server, which also manages the authentication of the user and access to services.

The client sends the information from the user trying to authenticate to the RADIUS server. The RADIUS server receives user connection requests, authenticates the user, and returns any necessary authorization information using UDP. The client then acts on the response that the RADIUS server provides about the authenticated user. Because any device that supports RADIUS can be a RADIUS client, a remote user will gain access to the same services from any communications server that contacts the RADIUS server. RADIUS can be a good choice in a heterogeneous network environment because of its widespread support.

Extended Authentication: TACACS+ Server

TACACS+ is also a client/server protocol. It transports data using TCP. The client sends a START message, which includes the requested type of authentication and some other authentication information, to the TACACS+ server. The START message is only the first message in the session. The server then sends a REPLY message. This message either asks for additional information or states that authentication is complete. After the client gathers any requested additional information, it sends that information back to the server in a CONTINUE message. The client and server send these messages to each other until authentication is complete.

IPSec Standard Encryption Process

To protect data exchanged across the VPN, hosts combine input data, known as clear text, with the agreed-upon encryption key to generate an encrypted output known as cipher text. A packet's data is translated from clear text using an algorithm. An algorithm is a specific mathematical formula that allows you to encrypt and decrypt data. Algorithms are available to and used by many organizations, so it is not actually the algorithm that keeps the data secure. Rather, the algorithm modifies the clear text so it is unreadable to anyone without the key. The key contains a secret value for deciphering the data. Longer keys are more secure, but they are also more expensive and may affect performance.

IPSec's ESP handles packet encryption. The ESP header encapsulates both the packet data and the original header and then adds padding to this data. The padding ensures that the size of the packet equals the required block sizes of symmetric key algorithms for encryption. This padding is also helpful in misleading attackers who try to determine the size of the packet in an attempt to map your network. ESP includes a data-to-padding ratio in its pad-length field. ESP then adds another header to the packet, which includes the type of data and the protocol it is using.
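The ESP framing described here, together with the tunnel-mode and transport-mode layouts from the preceding pages, as an added example that is not the course's or any IPSec stack's code. Encryption and the ICV are deliberately omitted so the layout is visible (header placement in each mode, padding to the cipher block size, the pad-length and next-header fields, and the extra 20-byte outer IP header in tunnel mode); the addresses, SPI, sequence number and payload are constructed sample values and IPv4 checksums are left at zero.

```python
"""Builds and parses the ESP framing described above in both IPSec modes.

Encryption and the ICV are left out on purpose so the layout stays visible: where
the ESP header goes in each mode, padding of the protected data to the cipher block
size, the pad-length and next-header fields, and the outer IP header (20 bytes)
that tunnel mode adds. IPv4 checksums are left zero. Addresses, SPI, sequence
number and payload are constructed sample values.
"""
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_IPIP = 4        # next-header value meaning "the protected data is a whole IP packet"
IP_HEADER_LEN = 20      # minimum IPv4 header, the overhead tunnel mode adds


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header: no options, checksum left as zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)


def esp_encapsulate(spi, seq, inner, next_header, block_size):
    """ESP header | inner data | padding | pad length | next header (ICV omitted)."""
    pad_len = (-(len(inner) + 2)) % block_size   # data + 2 trailer bytes must fill whole blocks
    padding = bytes(range(1, pad_len + 1))        # default pad pattern: 1, 2, 3, ...
    return struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])


def esp_decapsulate(esp, block_size):
    """Return (spi, seq, next_header, inner); reject misaligned bodies or bad padding."""
    spi, seq = struct.unpack("!II", esp[:8])
    body = esp[8:]
    if len(body) < 2 or len(body) % block_size:
        raise ValueError("ESP body is not block aligned")
    pad_len, next_header = body[-2], body[-1]
    inner_len = len(body) - 2 - pad_len
    if inner_len < 0 or body[inner_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return spi, seq, next_header, body[:inner_len]


def _set_proto_and_len(hdr, proto, total_len):
    """Rewrite the protocol and total-length fields of a 20-byte IPv4 header."""
    return hdr[:2] + struct.pack("!H", total_len) + hdr[4:9] + bytes([proto]) + hdr[10:]


def protect_transport(packet, spi, seq, block_size=16):
    """Transport mode: original IP header kept; ESP sits between it and the payload."""
    hdr, payload = packet[:IP_HEADER_LEN], packet[IP_HEADER_LEN:]
    esp = esp_encapsulate(spi, seq, payload, hdr[9], block_size)
    return _set_proto_and_len(hdr, IPPROTO_ESP, IP_HEADER_LEN + len(esp)) + esp


def protect_tunnel(packet, gw_src, gw_dst, spi, seq, block_size=16):
    """Tunnel mode: the whole original packet is protected behind a new outer IP header."""
    esp = esp_encapsulate(spi, seq, packet, IPPROTO_IPIP, block_size)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, IP_HEADER_LEN + len(esp)) + esp


def unprotect(packet, block_size=16):
    """Undo either mode; returns (mode, original_packet)."""
    hdr, esp = packet[:IP_HEADER_LEN], packet[IP_HEADER_LEN:]
    if hdr[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    _, _, next_header, inner = esp_decapsulate(esp, block_size)
    if next_header == IPPROTO_IPIP:
        return "tunnel", inner                    # inner data already carries its own header
    return "transport", _set_proto_and_len(hdr, next_header, IP_HEADER_LEN + len(inner)) + inner


# Constructed sample: a host behind gateway A sends UDP to a host behind gateway B.
HOST_A, HOST_B = bytes([10, 1, 1, 5]), bytes([10, 2, 2, 9])
GW_A, GW_B = bytes([198, 51, 100, 1]), bytes([203, 0, 113, 1])
PAYLOAD = b"hello from branch office"             # 24 bytes


def sample_packet():
    return ipv4_header(HOST_A, HOST_B, IPPROTO_UDP, IP_HEADER_LEN + len(PAYLOAD)) + PAYLOAD


def compare_modes(spi=0x1001, seq=1):
    """Sizes, exposed destination address and round trip for the same packet in each mode."""
    pkt = sample_packet()
    transport = protect_transport(pkt, spi, seq)
    tunnel = protect_tunnel(pkt, GW_A, GW_B, spi, seq)
    return {
        "original_len": len(pkt),
        "transport_len": len(transport),
        "tunnel_len": len(tunnel),
        "transport_visible_dst": transport[16:20],   # inner host address still readable
        "tunnel_visible_dst": tunnel[16:20],         # only the gateway address is exposed
        "transport_roundtrip": unprotect(transport) == ("transport", pkt),
        "tunnel_roundtrip": unprotect(tunnel) == ("tunnel", pkt),
    }


if __name__ == "__main__":
    for name, value in compare_modes().items():
        print(f"{name}: {value}")
```

For the 44-byte sample packet, transport mode grows it to 60 bytes (ESP header plus padding and trailer) while tunnel mode grows it to 76 bytes, the difference being the new outer IP header that hides the inner addresses.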

Symmetric and Asymmetric Encryption

There are two types of key encryption: symmetric and asymmetric. Symmetric key encryption uses the same key for both encryption and decryption; asymmetric key encryption uses separate keys. Asymmetric key encryption can be more secure but is not as fast. Symmetric and asymmetric key encryption are covered in detail in the next sections.

You can select either symmetric or asymmetric key encryption for the preparatory IKE tunnel communication. Symmetric key encryption is the only method you can use in the IPSec tunnel. However, you can select the type of symmetric key encryption IPSec employs. You can even set your preferences to use a different type of symmetric key encryption for each party with whom you communicate. Remember that IPSec is only as strong as the algorithms chosen for its implementation.

Symmetric Key Encryption

Symmetric encryption uses a common key (code) and the same algorithm to encrypt and decrypt a packet. The sender and receiver need to agree on the algorithm as well as the common key. Symmetric encryption is typically faster and easier to use than asymmetric encryption. However, because only one key is used, symmetric encryption may be less secure. The lone key must be kept secret, so be wary of potential attacks when you establish a connection to exchange the key. Attackers have used man-in-the-middle and brute-force attacks to break symmetric key encryption.

How Symmetric Key Encryption Works
When Jack and Jill want to communicate securely using symmetric key encryption, the following steps occur:
1. Jack and Jill agree on the same algorithm.
2. Jack and Jill agree on a common key (secret key) to use with their selected algorithm.
3. Jack encrypts a message with the common key and sends the message to Jill.
4. Jill receives the message and decrypts it using the common key. Jill reads the message.

Types of Symmetric Encryption Algorithms

IPSec supports most symmetric encryption algorithms, including its default standard, Data Encryption Standard (DES), the former standard encryption algorithm for the U.S. government. DES uses a 56-bit key, breaks the text into 64-bit blocks, and encrypts them. DES used to be the most widely used encryption algorithm; however, due to advances in cryptanalysis, it is now extremely vulnerable to being broken.

IPSec supports many other symmetric encryption algorithms. When selecting a symmetric encryption algorithm, you may want to factor in whether it is a block cipher or a stream cipher. As the name suggests, block ciphers encrypt a given number of bits of clear text (a block) into a block of cipher text of the same size. Thus, all block ciphers have a natural block size: the number of bits they encrypt in a single operation. Stream ciphers, on the other hand, encrypt one bit at a time.

IPSec supports the following symmetric encryption algorithms:
- Triple DES (3DES)
- Advanced Encryption Standard (AES, or Rijndael)
- Blowfish
- Carlisle Adams and Stafford Tavares (CAST)-128
- International Data Encryption Algorithm (IDEA)
- Rivest Cipher (RC) 5
- Alternative RC Four (ARCFour)

3DES
3DES is a variation of the DES algorithm that uses one, two, or three keys. If 3DES uses only one key, it is basically the DES standard. When using three keys, 3DES takes a 64-bit data block and encrypts it three times, for an overall key length of 192 bits. The clear text is encrypted first by one key, then by a second, different key, and finally by yet another key. Although 3DES is significantly more secure than DES, its performance is three times slower because it encrypts the same data three times.

AES
The U.S. government recently adopted AES as its standard encryption method. AES uses 128-, 192-, and 256-bit key sizes broken into 128-, 192-, and 256-bit blocks for encryption. You can use all nine combinations of key length and block length with AES. AES works at multiple network layers simultaneously.

Blowfish
Blowfish runs many times faster than DES and offers several different key lengths: 32, 48, 56, 128, and 448 bits. Each version runs at the same speed. The various key lengths are generally required for compliance with export-control laws.

CAST-128
The CAST-128 block cipher is designed to use a key size that can vary from 40 bits to a maximum of 128 bits. CAST is considered by many to be as strong as 3DES and faster in its 128-bit form.

IDEA
IDEA is also a fast, 3DES-equivalent block cipher.

RC5
RC5 is a variable key-length stream cipher that many consider to be as strong as its key length, which can be up to 256 bits.

ARCFour
ARCFour is also a stream cipher. It supports keys from 8 bits up to 2048 bits. While it is a fast cipher, the key setup of ARCFour is quite weak. If you have keys that don't look like random bit strings and you want to use ARCFour, always hash the key before feeding it to the algorithm.

Asymmetric Key Encryption

Asymmetric key encryption uses two mathematically related keys instead of one shared secret: a public key, which its owner can distribute freely, and a private key, which the owner never discloses. The same algorithm (or a complementary pair of algorithms) is used for encryption and decryption, but with different keys: data encrypted with the public key can be decrypted only with the matching private key. Each user must have his or her own public/private key pair.

How Asymmetric Key Encryption Works

When Jack and Jill want to communicate securely using asymmetric key encryption, the following steps occur:

1. Jack and Jill each create an individual public/private key pair.
2. Jack and Jill exchange only their public keys.
3. Jack encrypts a message using Jill's public key.
4. Jill receives the message and decrypts it using her private key. She reads the message.
5. When Jill replies, she encrypts her reply using Jack's public key.
6. Jack receives her message and decrypts it using his private key. Jack reads the reply.

Step 2 is the weak point of this exchange: each party must be able to verify that the public key it received really belongs to the other party. If an attacker can substitute his own public key during the exchange, he can decrypt, read, and re-encrypt every message in both directions without either party noticing. This is why IPSec deployments bind public keys to identities with digital certificates signed by a certificate authority (CA), as the next section shows.

How IPSec Sends a Packet

So how do all these IPSec processes work together to create a VPN? Consider how Jack securely sends a packet to Jill through their two routers (the VPN gateways):

1. The outgoing packet travels through Jack's router. The router checks its security policy and determines that the packet must be protected. It checks for an existing IKE SA or IPSec SA with Jill's router. In this case, no IKE or IPSec SAs were established previously.
2. Jack's and Jill's routers exchange digital certificates to verify each other's identity. A CA has signed the digital certificates, and each router checks the signature against the CA's public key.
3. The routers establish an IKE SA (IKE phase 1), which protects the rest of the negotiation. The IKE SA specifies an authentication method, an encryption algorithm, and a hash algorithm.
4. As part of phase 1 the routers also agree on a shared secret using a Diffie-Hellman exchange; that secret is used to derive the keys that protect the IKE SA.
5. Inside the protected IKE channel, the routers negotiate the IPSec SAs (IKE phase 2). Each IPSec SA includes the negotiated encryption and authentication algorithms and a session key. Because IPSec SAs are unidirectional, one is created for each direction of traffic.
6. Jack's router encrypts Jack's IP packet, places it in an IPSec (ESP) packet, and sends it to Jill's router.
7. When Jill's router receives the packet, it looks up the IPSec SA that was previously established (by the SPI in the packet header), verifies the integrity check, decrypts and de-encapsulates the packet, and forwards the original packet to Jill's computer.

PPTP

The PPTP consortium, which includes Microsoft, Ascend, and several other companies, created PPTP to establish secure communication channels between Windows clients and servers. Because PPTP is included in the delivery of Windows NT, 2000, and XP, it is immediately available for users of these platforms without additional software. Microsoft also offers a free PPTP upgrade for Windows 95/98 (MSDUN Ver1.3 is required for Windows 95).

Microsoft, however, now supports running IPSec in transport mode through an L2TP tunnel as an alternative to PPTP. The Microsoft L2TP/IPSec client allows Windows 98, Windows 98SE, Windows ME, and Windows NT 4.0 Workstation computers to use L2TP/IPSec to connect to Windows 2000 and other VPN servers. (The Microsoft L2TP/IPSec client does not support Windows 95.) Thus, many people believe that PPTP will soon become only a legacy standard for VPNs.

If you choose to implement PPTP, note that it is built on top of the Point-to-Point Protocol (PPP): PPTP itself carries only control messages, over a TCP connection on port 1723, and relies on a separate protocol, GRE, to carry the tunneled PPP frames. PPTP handles the same four processes as IPSec in the following ways:

- Tunneling: PPTP uses a GRE tunnel for transporting data.
- Key management: more recent versions of Microsoft Windows servers (2000 and 2003) support PPTP's use of a public key infrastructure (PKI) through EAP-TLS; through PKI, PPTP can use a third-party CA.
- Encryption: PPTP supports Microsoft's own Microsoft Point-to-Point Encryption (MPPE), as well as the encryption algorithms negotiated by PPP's Encryption Control Protocol (ECP).
- Authentication: PPTP uses PPP user authentication, including CHAP (in practice MS-CHAP or MS-CHAPv2) and PAP. You can also use PPP's open framework, the Extensible Authentication Protocol (EAP), and thus other authentication mechanisms such as smart cards or security tokens.

Module 7 Summary

In this module, you learned the following:

- VPNs provide secure, private communications across public networks such as the Internet.
- IPSec provides a framework for enabling tunneling, key management, authentication, and encryption.
- The IPSec security protocols, AH and ESP, provide the authentication and encryption functions.
- SAs define the security services (the tunneling, key management, authentication, and encryption) applied to the data transmitted across the VPN.
- Tunnel mode is ideal for providing secure communications between two networks or between a host and a network.
- Transport mode is well suited to providing secure communications between two VPN hosts.
- IKE establishes the communication between the VPN hosts, enabling them to negotiate the SAs the VPN needs.
- IPSec supports digital certificates and authentication servers.
- IPSec supports the following encryption algorithms: DES, 3DES, AES, Blowfish, CAST-128, IDEA, RC5, and ARCFour.
- PPTP also enables tunneling, key management, authentication, and encryption. However, PPTP is generally considered less secure than IPSec.

Learning Check: Module 7

1. What is the main difference between the way ESP authenticates packets and the way AH authenticates packets?

2. Which IPSec mode can be used with other tunneling protocols such as GRE and L2TP?

3. What is defined in the SA?
   a. Security protocol used
   b. Tunneling mode used
   c. IKE
   d. The transmission speed negotiated between VPN hosts

4. If you were concerned about hackers intercepting communication between two VPN hosts, which option would you use?
   a. Transport mode with asymmetric encryption
   b. Tunnel mode with DES encryption
   c. Transport mode with RC5 encryption
   d. Tunnel mode with Blowfish encryption


Firewalls

Module 8 Objectives

This module explains how firewalls can be used to protect a trusted network from an untrusted network such as the Internet. It describes the firewall architectures that you can use to protect your network and explains how different types of firewalls work.

After completing this module, you will be able to:
- Describe the firewall architectures that provide security for a company's internal network
- Explain the four types of firewalls and describe the advantages of each
- Explain how Network Address Translation (NAT) technologies work
- Describe which traffic and ports to block to prevent attacks

Defining Firewalls

A firewall is a collection of components configured to enforce a specific access control policy between your internal (trusted) network and any other (untrusted) network. As the figure shows, a firewall protects your company's internal network from the Internet. A firewall filters incoming and outgoing packets to ensure that only authorized packets pass. You must set up a clearly defined security policy that delineates authorized traffic. For example, you can configure rules in which the firewall drops packets from specific untrusted servers that you identify by IP address.

Essentially, you can use one of two principles when implementing rules for your company's firewall:
- Deny everything except that which is explicitly permitted (default deny)
- Permit everything except that which is explicitly denied (default permit)

Rules based on the first principle can be more of an inconvenience for your users and incur greater administrative cost, because every new service must be requested and added. Rules based on the second principle create a firewall that allows more traffic through and is therefore more vulnerable to attack: any service that nobody thought to block, including one that is installed or enabled later, is exposed. Default deny is the safer posture; the cost of a mistake is a user who cannot reach something, rather than an attacker who can.

You can implement a firewall as software on a PC or integrate it into hardware such as a router. Router firewalls have the following advantages:

- They typically run a purpose-built operating system, whereas software firewalls run on Windows or another general-purpose operating system. A general-purpose operating system has a much larger attack surface and is more exposed to targeted attacks and sporadic lock-ups, either of which can take down your firewall and leave your network unprotected.
- They protect your network entry points: you can stop threats at the router, before they reach any host.
- They are less expensive: you can buy a router with firewall capabilities instead of buying additional software or hardware. With a large user base, software firewalls incur per-user licensing and additional administrative costs.

Firewall Architecture

You have many options when deciding where or how to implement your firewall. The configuration typically includes a combination of routers, gateways, and servers on the edge of a trusted network. Firewalls can be configured in (but are not limited to) the following architectures:
- Dual-homed host
- Screened host
- Screened subnet

Dual-Homed Host Firewall Architecture

As the figure shows, a dual-homed host firewall sits between the trusted network and the untrusted network. It has a separate interface on each network: one attached to the trusted network, the other to the untrusted network. IP forwarding between the two interfaces is disabled, so each network communicates only with the dual-homed host: IP packets from one network are never routed directly to the other. Instead, a proxy service running on the host receives the data on one interface and sends a new copy of it out of the other interface to the destination. If forwarding is ever enabled on the host, whether by misconfiguration or by an attacker who compromises it, the firewall becomes an ordinary router and the protection disappears.

Screened Host Firewall Architecture

In a screened host architecture the firewall host (the screened host) is attached to the trusted network. As the figure shows, a packet-filtering router guards the screened host and, ultimately, the trusted network. The router filters packets from the untrusted network and forwards only permitted traffic to the screened host. The screened host examines the packets and forwards them to the destination on the trusted network.

Unlike a dual-homed host, a screened host does not physically separate the two networks: the router can be configured to let some traffic travel directly from the untrusted network to the trusted network. Because the router screens the data first, the host is better protected than a host exposed directly to the untrusted network. If an attacker does manage to get through the filter to the screened host, however, you can do very little to protect the trusted network. First, the architecture offers no defense beyond the router. In addition, because the screened host sits on the same network as the other computers, an attacker who gains access to the firewall host can reach every host on your trusted network.

Screened Subnet Firewall Architecture

A screened subnet firewall is a subnetwork of computers that logs, filters, and forwards data, sitting between two routers. One router (the choke router) sits between the subnetwork and the trusted network, while the other (the access router) sits between the subnetwork and the untrusted network. This configuration creates a demilitarized zone (DMZ) between the internal network and the external network, as the figure shows.

As data flows in from the untrusted network, the access router filters traffic to protect the hosts inside the subnetwork. The choke router protects the trusted network from both the untrusted network and the subnetwork, while also filtering outgoing packets. If an attacker is able to break into a host on the subnetwork, the choke router still stands between that host and the trusted network, so the attacker's access is contained in the DMZ.

Types of Firewalls

Firewalls fall into one or more of the following categories:
- Packet-filtering firewalls
- Circuit-level gateways
- Application-level gateways
- Stateful-inspection firewalls

Few firewalls belong in only one of these categories, and fewer still exactly match the definition of any one category. These categories, however, do reflect the key capabilities that differentiate one firewall from another. In a specific firewall implementation, the various types can be combined to create complex, sophisticated solutions. For example, a dual-homed host can be either a circuit-level gateway or an application-level gateway, and a screened subnet includes at least two packet-filtering firewalls (the access router and the choke router).

Packet-Filtering Firewalls

A packet-filtering firewall is a router or a computer running firewall software that has been configured to screen incoming and outgoing packets. Operating at the network layer of the Open Systems Interconnection (OSI) model, with a look into the transport-layer header, a packet-filtering firewall accepts or denies each packet on its own, based only on information in the packet's IP and TCP (or UDP or ICMP) headers. You must establish a predefined table of rules against which the firewall compares each packet's full association. A packet's full association includes the following information:
- Source address
- Destination address
- Application or protocol
- Source port number
- Destination port number

When you define rules for the table, you specify which packets should be accepted and which denied. Rules are evaluated in order and the first match decides the packet's fate, so the order of the rules matters. You can create rules that drop packets from specific untrusted servers, which you identify by IP address. You can also create rules that permit particular types of connections (such as FTP connections) only to the appropriate trusted servers (such as the FTP server). The rules are fairly complex to create.

Advantages of Packet-Filtering Firewalls

Packet filtering is usually supported by routers you already own and requires no additional software or hardware. Client computers do not need to be specifically configured. Thus, packet-filtering firewalls can provide protection at relatively low cost. In addition, because they perform limited evaluations, they add little or no delay to network traffic.

Disadvantages of Packet-Filtering Firewalls

Because a packet-filtering firewall checks only the information in packet headers, this type of firewall may not be enough security for your company's needs. If an attacker crafts packet headers that satisfy the firewall's rules for permitting packets (for example, by spoofing a trusted source address, or by setting the ACK flag on a probe so that it looks like the reply half of an established connection), the packets will be allowed. Beyond that, a packet-filtering firewall cannot inspect the contents of a packet.

Packet-filtering firewalls can also be expensive to maintain and administer, especially on large networks. You must update the rules table whenever your network's topology changes.
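The rule table described above, written out as a small first-match packet filter. This is an added example, not part of the course material or of any ProCurve product: the Packet and Rule types, the addresses (documentation ranges) and the rule base itself are constructed for illustration. The rule base includes the ICMP blocks recommended under What to Block later in this module, and its last rule shows the weakness just described: a stateless filter has to accept any inbound segment with ACK set as a reply, so an attacker's ACK-only probe gets through.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0                        # for icmp this field carries the ICMP type
    flags: FrozenSet[str] = frozenset()   # TCP flags present, e.g. {"SYN"}


@dataclass(frozen=True)
class Rule:
    action: str                                  # "permit" or "deny"
    proto: Optional[str] = None                  # None = any protocol
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    sport: Optional[Tuple[int, int]] = None      # inclusive range, None = any
    dport: Optional[Tuple[int, int]] = None
    flags: FrozenSet[str] = frozenset()          # TCP flags that must all be set
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        """Compare the packet's full association with this rule."""
        if self.proto is not None and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.sport and not self.sport[0] <= p.sport <= self.sport[1]:
            return False
        if self.dport and not self.dport[0] <= p.dport <= self.dport[1]:
            return False
        return self.flags <= p.flags


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


# Constructed rule base for a site with an internal LAN and two public servers.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")
WEB_SERVER = ipaddress.ip_network("203.0.113.10/32")
FTP_SERVER = ipaddress.ip_network("203.0.113.21/32")

RULES = [
    Rule("deny", "icmp", dport=(8, 8), comment="ICMP echo request: defeats ping sweeps"),
    Rule("deny", "icmp", dport=(13, 13), comment="ICMP timestamp request"),
    Rule("deny", "icmp", dport=(17, 17), comment="ICMP address mask request"),
    Rule("permit", "tcp", dst=WEB_SERVER, dport=(80, 80), comment="public web server"),
    Rule("permit", "tcp", dst=FTP_SERVER, dport=(21, 21), comment="FTP only to the FTP server"),
    Rule("permit", "tcp", src=INTERNAL, comment="internal hosts may originate outbound TCP"),
    # Stateless 'established' rule: the filter cannot remember the outbound SYN,
    # so it must accept any inbound segment carrying ACK as a reply.
    Rule("permit", "tcp", dst=INTERNAL, flags=frozenset({"ACK"}),
         comment="replies to internal connections"),
]


if __name__ == "__main__":
    outside = "198.51.100.7"
    for p in (Packet(outside, "192.168.1.20", "icmp", dport=8),
              Packet(outside, "203.0.113.10", "tcp", 51000, 80, frozenset({"SYN"})),
              Packet(outside, "192.168.1.20", "tcp", 40000, 445, frozenset({"SYN"})),
              Packet(outside, "192.168.1.20", "tcp", 40000, 445, frozenset({"ACK"}))):
        print(p, "=>", evaluate(RULES, p))
```

The last packet in the usage section is the crafted-header case: the same probe that is dropped with SYN set is permitted with ACK set, because nothing in a packet filter records whether an internal host ever opened that connection.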

Circuit-Level Gateways

Operating at the OSI session layer, a circuit-level gateway monitors the TCP handshake between a trusted client or server and an untrusted host (and vice versa) to determine whether a requested session is legitimate. A circuit-level gateway accepts a requested session only if the SYN (synchronize) flags, ACK (acknowledge) flags, and sequence numbers involved in the TCP handshake are logical: the SYN/ACK must acknowledge the SYN's sequence number, and the final ACK must acknowledge the SYN/ACK's. In addition, the client must meet basic filtering criteria before the gateway accepts the session request; for example, the gateway may require that the client's IP address resolve through the Domain Name System (DNS) to a host name, and that the name resolve back to the same address.

The circuit-level gateway establishes a connection between the trusted clients and the untrusted hosts it authorizes to participate in a TCP session. It acts as a proxy server: it terminates the circuit with the internal computer and opens a second circuit to the Internet on its behalf, so external computers never communicate directly with the trusted clients. All outgoing packets from the trusted clients appear to have the proxy server's source IP address (see the Network Address Translation (NAT) section that follows). After a connection is established, the circuit-level gateway simply copies and forwards packets back and forth without filtering them further.

Advantages of Circuit-Level Gateways

Circuit-level gateways perform fewer evaluations than application-level gateways and therefore are generally faster. Circuit-level gateways can also prohibit connections between specific Internet sources and internal computers, which helps to protect the entire network. In addition, circuit-level gateways perform NAT.

Disadvantages of Circuit-Level Gateways

One of a circuit-level gateway's main limitations is that it understands and restricts only TCP connections, which prevents it from offering features such as URL filtering and user authentication. This limitation also prevents circuit-level gateways from performing security checks on higher-level protocols: once the handshake is accepted, anything can pass through the circuit. Circuit-level gateways also have only limited audit capabilities.

Application-Level Gateways

Like a circuit-level gateway, an application-level gateway acts as a proxy server between a trusted client and an untrusted host. Application-level proxies, however, filter at the OSI application layer. That is, they accept only traffic for the services they are designed to copy, forward, and filter; for example, only a telnet proxy can copy, forward, and filter telnet traffic. The proxy reads each packet and filters particular commands or information defined by the application protocol.

Advantages of Application-Level Gateways

An application-level gateway logs activities and notes significant events, which can alert you to potential intruders. Because application-level gateways understand high-level protocols, they can provide services such as HTTP object caching, URL filtering, and user authentication. Application-level gateways can deny access to some network services while providing access to others. In addition, an application-level gateway can be transparent, giving users the impression they are communicating with the external server rather than with a firewall.

Disadvantages of Application-Level Gateways

Application-level gateways affect performance because inbound data must be processed twice (once on each side of the proxy), and a new proxy must be written for each protocol that passes through the firewall. Also, application-level gateways generally cannot proxy UDP, RPC, and other services from common protocol families that do not use a simple client-server connection.

Stateful-Inspection Firewalls

A stateful-inspection firewall combines aspects of a packet-filtering firewall, a circuit-level gateway, and an application-level gateway. It examines packet contents at several OSI layers. Like a packet-filtering firewall, for example, a stateful-inspection firewall operates at the network layer, filtering all incoming and outgoing packets based on source and destination IP addresses and port numbers. It also functions as a circuit-level gateway, keeping a state table of connections and ensuring that the packets in a session are appropriate to the session's current state; this is an OSI session layer function. Finally, a stateful-inspection firewall evaluates the contents of each packet up through the application layer and ensures that these contents match the rules in your company's network security policy. For example, you can configure the firewall to drop packets that contain specific commands (such as FTP packets carrying a file-transfer command).

To analyze application-layer data, however, a stateful-inspection firewall does not require the two separate connections (from the trusted host to the gateway and from the gateway to the untrusted host) that a proxy uses and that can affect performance. Instead, it allows a direct connection between the trusted network and the untrusted network and relies on algorithms to recognize and process application-layer data in passing. These algorithms compare packets against known patterns of authorized traffic.

Advantages of Stateful-Inspection Firewalls

Stateful-inspection firewalls are fast, flexible, and arguably the most secure type of firewall. They are transparent to users, scrutinize data up through the highest OSI layer, and do not require you to modify clients or run a separate proxy for each service that crosses the firewall.

Disadvantages of Stateful-Inspection Firewalls

Because stateful-inspection firewalls allow a direct connection between the trusted and untrusted networks, trusted hosts are exposed to packet-based attacks that a proxy, which terminates the connection, would absorb.
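An added example (not course code) that implements, on constructed TCP segments, both mechanisms described in the circuit-level and stateful-inspection sections: the handshake check (a SYN/ACK must acknowledge the SYN's sequence number, the final ACK must acknowledge the SYN/ACK's, and only inside hosts may open sessions) and the application-layer rule that drops FTP file-transfer commands. The Segment and Conn types and the FTP_BLOCKED set are this example's own. The ACK-only probe at the end is the case a packet filter lets through; here it is dropped because no SYN preceded it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

SEQ_MASK = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: FrozenSet[str]
    payload: bytes = b""


@dataclass
class Conn:
    state: str                      # SYN_SENT, SYN_RECEIVED or ESTABLISHED
    client_isn: int
    server_isn: Optional[int] = None


class StatefulInspector:
    """Circuit-level handshake validation plus one application-layer check."""

    # The text's example is FTP "Put or Get"; on the wire those are STOR/RETR.
    FTP_BLOCKED = {b"STOR", b"RETR", b"PUT", b"GET"}

    def __init__(self, inside: str):
        self.inside = ipaddress.ip_network(inside)
        # key: (client ip, client port, server ip, server port)
        self.table: Dict[Tuple[str, int, str, int], Conn] = {}

    def inspect(self, s: Segment) -> str:
        fwd = (s.src, s.sport, s.dst, s.dport)     # client -> server direction
        rev = (s.dst, s.dport, s.src, s.sport)     # server -> client direction
        f = s.flags

        if f == {"SYN"}:                            # new session request
            if ipaddress.ip_address(s.src) not in self.inside:
                return "deny: unsolicited SYN from the untrusted network"
            self.table[fwd] = Conn("SYN_SENT", s.seq)
            return "permit"

        if f == {"SYN", "ACK"}:                     # server's half of the handshake
            c = self.table.get(rev)
            if c is None or c.state != "SYN_SENT":
                return "deny: SYN/ACK without a matching SYN"
            if s.ack != (c.client_isn + 1) & SEQ_MASK:
                return "deny: SYN/ACK acknowledges the wrong sequence number"
            c.state, c.server_isn = "SYN_RECEIVED", s.seq
            return "permit"

        c, from_client = self.table.get(fwd), True
        if c is None:
            c, from_client = self.table.get(rev), False
        if c is None:                               # ACK-probe case: no SYN, no entry
            return "deny: no connection in the state table"

        if "RST" in f:                              # either side aborts the circuit
            self.table.pop(fwd if from_client else rev, None)
            return "permit"

        if c.state == "SYN_RECEIVED":               # third handshake packet expected
            if not from_client or "ACK" not in f or s.ack != (c.server_isn + 1) & SEQ_MASK:
                return "deny: handshake not completed logically"
            c.state = "ESTABLISHED"

        # Application-layer check on an established FTP control channel.
        if from_client and fwd[3] == 21 and s.payload:
            cmd = s.payload.split(b" ", 1)[0].strip().upper()
            if cmd in self.FTP_BLOCKED:
                return f"deny: FTP command {cmd.decode('ascii', 'ignore')} blocked by policy"
        return "permit"
```

Feed the inspector segments in arrival order; it returns "permit" or a "deny: ..." string explaining which check failed, which is also what you would want written to the firewall log.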

Network Address Translation (NAT)

Network Address Translation (NAT) was originally created as a solution to the limited number of public IP addresses. Internet Protocol version 4 (IPv4) uses four octets (32 bits) of address space, which does not provide enough IP addresses for current demand, and IPv6 is not yet widely implemented. NAT provides an alternative to obtaining a large block of registered addresses. With NAT implemented on the network, a company does not need a public IP address for each of its computers.

NAT uses a device (a router, firewall, or computer) as an agent between the trusted network and the untrusted network. When a packet destined for the untrusted network reaches this device, the sender's private IP address is translated into either the company's one public IP address or one of a limited range of such addresses assigned to that company.

NAT also has a security side effect: the internal addressing scheme is never revealed to untrusted networks, and no outside host can address an internal host directly. The NAT-enabled device adds an entry to its address translation table that maps the internal address it replaced to the public IP address (and port) it substituted. When the destination computer sends a reply packet back through the device, the device uses the table to identify the original internal IP address and sends the reply to the appropriate computer on the trusted network. NAT does not replace filtering rules, however: it does nothing to inspect or restrict the traffic that internal hosts initiate.

The following sections discuss the various types of NAT technology available. These include single IP address translation, static NAT, dynamic NAT, Port Address Translation (PAT), and NAT Traversal (NAT-T).

Single IP Address Translation

Single IP address translation allows one public IP address to be shared by an entire IP network. In this version of NAT, the available port numbers of the NAT-enabled gateway (router) are assigned to different private IP addresses. This allows multiple simultaneous TCP/IP sessions to occur using only the router's public IP address.

How It Works

When an internal computer sends a packet (containing the source IP address, source port, destination IP address, and destination port), the packet must travel through the NAT-enabled router. At this point, the router rewrites the packet header so that it contains the router's public IP address instead of the private source IP address, and a port number it has allocated instead of the original source port; it then recomputes the IP and TCP/UDP checksums and forwards the packet to its destination. When the router rewrites the packet, it adds an entry to its address translation table that maps the internal address and port it replaced to the public address and port it substituted. When the destination computer sends a reply packet back through the router, the router looks up the reply's destination port in the address translation table, restores the original internal IP address and port, and delivers the reply to the appropriate computer. The figure illustrates this process.

Static and Dynamic NAT

Static NAT maps an internal IP address to a public IP address on a one-to-one basis. That is, static NAT always assigns a particular computer the same public IP address, so the mapping can be configured in advance and published.

Dynamic NAT maps an internal IP address to a public IP address drawn from a range (pool) of public addresses assigned to the company. A computer on the trusted network is assigned whichever address is available at the time it first sends traffic to the untrusted network, so the same computer may receive one public address for one session and a different one for the next. When the pool is exhausted, new connections fail until a mapping is released.

Static NAT is particularly useful when a device needs to be reachable from outside the network, such as a public Web or mail server. Conversely, implementing dynamic NAT automatically creates a firewall of sorts between a company's internal network and untrusted networks: dynamic NAT creates a mapping only when a connection originates from the trusted network. Essentially, this means that a computer on an untrusted network cannot connect to a computer on the trusted network unless the trusted host initiates contact first.

Port Address Translation (PAT)

Often, a company's global address pool does not contain enough public IP addresses to ensure that every host in the trusted network can be mapped to an Internet address when it needs one. In this situation, the company should implement Port Address Translation (PAT). PAT maps each host on the trusted network to a global IP address and also to a unique TCP or UDP port number on the NAT-enabled router. In this way, PAT can map the same global IP address to many private IP addresses; it uses the unique port number to distinguish between them.

The router stores the original IP address and port against the new IP address and port in the address translation table. When the destination computer on the untrusted network sends a reply packet back through the router, the router identifies the recipient on the trusted network from the reply's destination port, using the address translation table, and routes the packet appropriately.
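An added example, not from the course: a Port Address Translator simulated in Python over constructed packets, serving the Single IP Address Translation, Static and Dynamic NAT, and PAT sections above. Two private hosts using the same source port receive different public ports, replies are mapped back by destination port, an unsolicited inbound packet is dropped because no table entry exists (the "firewall of sorts"), and a static (published) mapping makes an internal server reachable from outside. Addresses are documentation ranges; the class and method names are the example's own.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class PortAddressTranslator:
    """One public address shared by many private hosts, told apart by port."""

    def __init__(self, public_ip: str, inside: str,
                 first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.inside = ipaddress.ip_network(inside)
        self.next_port, self.last_port = first_port, last_port
        # (proto, private ip, private port) -> public port
        self.outbound: Dict[Tuple[str, str, int], int] = {}
        # (proto, public port) -> (private ip, private port)
        self.inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # static entries for services that must be reachable from outside
        self.static: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def publish(self, proto: str, public_port: int, private_ip: str, private_port: int) -> None:
        """Static mapping: the same private host always answers on this public port."""
        self.static[(proto, public_port)] = (private_ip, private_port)

    def _allocate_port(self) -> int:
        # never hand out a port that is reserved for a published service
        while (self.next_port <= self.last_port
               and any(port == self.next_port for _, port in self.static)):
            self.next_port += 1
        if self.next_port > self.last_port:
            raise RuntimeError("translation table exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def translate_outbound(self, p: Packet) -> Packet:
        """Rewrite a packet leaving the trusted network and record the mapping."""
        if ipaddress.ip_address(p.src) not in self.inside:
            raise ValueError("packet did not originate on the trusted network")
        key = (p.proto, p.src, p.sport)
        port = self.outbound.get(key)
        if port is None:              # first packet of a flow: allocate a unique public port
            port = self._allocate_port()
            self.outbound[key] = port
            self.inbound[(p.proto, port)] = (p.src, p.sport)
        # A real device also recomputes the IP and TCP/UDP checksums here.
        return replace(p, src=self.public_ip, sport=port)

    def translate_inbound(self, p: Packet) -> Optional[Packet]:
        """Deliver a packet to the private host, or drop it (None) if nothing maps to it."""
        if p.dst != self.public_ip:
            return None
        target = self.static.get((p.proto, p.dport)) or self.inbound.get((p.proto, p.dport))
        if target is None:            # no inside host opened this: NAT's 'firewall of sorts'
            return None
        private_ip, private_port = target
        return replace(p, dst=private_ip, dport=private_port)
```

Note that the table is keyed by protocol as well as port: a TCP flow and a UDP flow may legitimately share the same public port number, and mixing them would deliver replies to the wrong host.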

NAT Traversal (NAT-T)

NAT Traversal (NAT-T) lets an Internet Protocol Security (IPSec) VPN pass through a device that performs address and port translation. When a packet passes through a NAT device, the device changes the packet's IP address (and usually its port). An IPSec packet protected by AH fails its integrity check as a result, because AH covers the IP header; an ESP packet survives the address change, but the NAT device cannot see or translate the TCP/UDP ports inside the encrypted payload, so it cannot keep several clients apart. IPSec can only work with NAT if the packet is translated before it is protected. While this is feasible for site-to-site VPNs, where the translation can happen inside the gateway, in client-to-site VPNs the IPSec client typically encrypts the packet before it travels to the NAT device.

NAT-T solves this with UDP encapsulation. UDP encapsulation wraps the IPSec packet inside a UDP/IP header, so the NAT device can change the outer IP addresses and UDP ports without touching the IPSec packet. As the figure shows, the VPN devices perform the following steps:

1. During IKE negotiation they exchange a pre-determined, known vendor ID value that indicates support for NAT-T.
2. If both support it, the VPN devices exchange NAT Discovery (NAT-D) payloads containing hashes of the source and destination IP addresses and ports (together with the IKE cookies). Each device recomputes the hashes from the addresses it actually sees on the wire; if they do not match, which indicates that the addresses or ports were changed in transit, the devices know that NAT occurs on the communication path, and which side is behind it.
3. If NAT is discovered, the endpoint behind the NAT device periodically sends a one-byte UDP keepalive packet (the byte 0xFF) to keep the NAT mapping alive and prevent mid-session re-mapping. The keepalive is required to keep the same NAT assignment intact for the duration of the VPN tunnel.

Once NAT is detected, standardized NAT-T (RFC 3947 and RFC 3948) moves the IKE negotiation from UDP port 500 to UDP port 4500 and sends the UDP-encapsulated ESP packets over port 4500 as well, so you must allow UDP port 4500 through your corporate firewall in addition to UDP port 500 (some early pre-standard implementations kept everything on port 500). NAT-T may affect performance, however, because it adds about 200 bytes to the IKE security association negotiation and an extra 8-byte UDP header to every IPSec packet.

When a packet undergoes encryption and tunneling through a VPN that crosses NAT, IPSec must use Encapsulating Security Payload (ESP) rather than Authentication Header (AH), because AH's integrity check covers the outer IP addresses that NAT modifies. (For more information about IPSec, see Module 7: Virtual Private Networks.)
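The NAT-D exchange from step 2, as an added example (not course code). The hash is the one RFC 3947 defines, HASH(CKY-I | CKY-R | IP | Port), with SHA-1 assumed as the negotiated IKE hash; the cookies and addresses are constructed. The block also shows the UDP encapsulation header, the port float to 4500, and how a receiver tells keepalive, IKE and ESP traffic apart on port 4500 (RFC 3948).

```python
import hashlib
import socket
import struct
from typing import Dict, List

NAT_KEEPALIVE = b"\xff"                 # RFC 3948 NAT-keepalive: a single 0xFF byte
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # prefix that marks IKE (not ESP) on UDP 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D payload value per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    The hash is the one negotiated for the IKE SA; SHA-1 is assumed here."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d(cky_i: bytes, cky_r: bytes, my_ip: str, my_port: int,
                peer_ip: str, peer_port: int) -> List[bytes]:
    """Sender's NAT-D payloads: first the peer's address as the sender sees it,
    then the sender's own (private, pre-NAT) address."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, my_ip, my_port)]


def detect_nat(cky_i: bytes, cky_r: bytes, payloads: List[bytes],
               observed_src_ip: str, observed_src_port: int,
               my_ip: str, my_port: int) -> Dict[str, bool]:
    """Receiver recomputes the hashes from the addresses actually on the wire.
    A mismatch on the first payload means my own address was rewritten on the
    way (I am behind NAT); no match among the rest means the peer's was."""
    self_behind_nat = payloads[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    peer_behind_nat = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port) not in payloads[1:]
    return {"self_behind_nat": self_behind_nat, "peer_behind_nat": peer_behind_nat}


def ike_port(nat_present: bool) -> int:
    """IKE floats from UDP 500 to UDP 4500 once NAT is detected (RFC 3947)."""
    return 4500 if nat_present else 500


def udp_encapsulate(esp_packet: bytes, sport: int = 4500, dport: int = 4500) -> bytes:
    """Wrap an ESP packet in a UDP header (RFC 3948); a zero checksum is allowed."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(esp_packet), 0)
    return header + esp_packet


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex traffic arriving on UDP 4500: a lone 0xFF is a keepalive,
    a zero non-ESP marker means IKE, anything else is ESP (its SPI is non-zero)."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"
```

In the scenario used by the test, the initiator sits at a private address behind a NAT device that rewrites it to a public one; the responder sees the public address, its recomputed hash does not appear among the received payloads, and it concludes that the peer is behind NAT while it is not.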

What to Block

Building a solid rule base is a critical, if not the most critical, step in implementing a successful and secure firewall. A US $50,000 firewall cannot protect an organization from risk if even one rule is improperly configured. Regardless of the type of firewall you use, the basic concepts of rule-base design remain the same. The most important concept: keep your rule base simple.

Many subscribe to the idea that firewalls should first be set to deny all access, and then rules can be added to open up ports as needed. This approach is the sound one, but an undisciplined version of it can make the rules table unmanageable: the more rules you have, the more likely you are to make a mistake and expose your network to attack. In practice many sites end up with a few specific blocking rules and allow most other things. That is easier to manage but far weaker, so the better compromise is to deny inbound traffic by default, keep the list of permitted services short and documented, and review it regularly.

From the outset, you should plan a comprehensive but manageable set of rules that is tailored to your business. Think about the applications, services, and users that you want to allow. For example, if remote employees need access to file and print sharing, those services should be tunneled through a VPN rather than exposed through the firewall. In high-risk environments such as universities, you can block access to IP addresses in countries with which you do not do business.

Similarly, you can protect your network by restricting access to the Internet from internal devices. Trojans running on devices that cannot reach the Internet cannot send stolen passwords out or advertise their backdoors. Blocking or controlling internal devices' access to the Internet has another benefit: it can prevent employees from wasting time online and from surfing inappropriate Web sites that could lead to legal complications for your company.

You may want to restrict the outbound access even of devices that provide needed Web services to users. For example, a public Web server should only need to reply to clients that initiate connections to it; the only connections it should initiate itself are the ones it legitimately needs, such as to a mail server on TCP port 25. If you configure your firewall this way, someone who breaks into the Web server can only attack other machines on that single port. You reduce your exposure and increase the chances of detecting a security incident, because any other outbound attempt from the server is a sign of compromise.

Blocking Attacks

Known attacks are particularly helpful in determining what traffic to block. A ping sweep, for example, is a network scanning method that tells an attacker which addresses in a range map to live hosts. To avoid ping sweeps, you can block ICMP ECHO requests from outside sources. You may also want to block ICMP TIMESTAMP and ADDRESS MASK requests, because they can be used in the same way. Note, however, that this approach does not protect ports from disgruntled employees or from hackers who have gained access through other means.

A warning is also in order: blocking some ports may disable needed services (blocking all ICMP, for instance, breaks path MTU discovery). Consider the potential effects before implementing blocking.

Checking Logs

After configuring the rules, monitor any alerts that come up and check the firewall logs frequently. Checking logs can help you determine whether your rule base is effective. Look for probes to ports that have no application services running on them. Before hackers install backdoor Trojans, they usually check to see whether the requisite ports are in use. You can compare the probed port number against the well-known ports used by hacker programs to see whether there is an associated Trojan.

You should also examine unsuccessful logins to your firewall or to other mission-critical servers that it protects. If you see many such logins from the same domain, you can write a rule to drop all connections from that domain or IP address. Make certain, however, that the address is not being spoofed; an attacker who knows you block on failed logins can forge them from a business partner's address and cause you to block the partner.
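An added example, not part of the course: a small log review in Python over constructed firewall log lines (the line formats are this example's own; adjust the regular expressions to your firewall's syntax). It implements the checks described above: probes to ports with no service behind them, probes to ports that well-known backdoors use, repeated failed logins from one source, and outbound connections from a public server to anything other than the ports it needs, which the text discusses next as a sign that the server is being used to attack someone else.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Line formats are constructed for this example; adapt the regexes to your firewall.
CONN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>PERMIT|DENY) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) AUTH_(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>[\d.]+)$")

# Ports historically used by well-known backdoor programs (commonly cited examples).
KNOWN_BACKDOOR_PORTS = {31337: "Back Orifice", 12345: "NetBus", 27374: "SubSeven"}

# Constructed sample log: an outside host probes a web server, fails logins,
# and the web server later makes an outbound connection it should not.
SAMPLE_LOG = """\
2024-03-01T10:00:01 fw1 DENY TCP 198.51.100.7:44321 -> 203.0.113.10:23
2024-03-01T10:00:02 fw1 DENY TCP 198.51.100.7:44322 -> 203.0.113.10:12345
2024-03-01T10:00:03 fw1 DENY TCP 198.51.100.7:44323 -> 203.0.113.10:31337
2024-03-01T10:00:04 fw1 PERMIT TCP 198.51.100.7:44324 -> 203.0.113.10:80
2024-03-01T10:01:00 fw1 AUTH_FAIL user=admin src=198.51.100.7
2024-03-01T10:01:05 fw1 AUTH_FAIL user=admin src=198.51.100.7
2024-03-01T10:01:09 fw1 AUTH_FAIL user=root src=198.51.100.7
2024-03-01T10:02:00 fw1 AUTH_OK user=ops src=192.168.1.5
2024-03-01T10:03:00 fw1 PERMIT TCP 203.0.113.10:51000 -> 192.0.2.25:25
2024-03-01T10:03:30 fw1 PERMIT TCP 203.0.113.10:51001 -> 192.0.2.66:6667
2024-03-01T10:04:00 fw1 AUTH_FAIL user=admin src=192.0.2.99
""".splitlines()


def parse(lines: List[str]) -> List[dict]:
    """Turn raw lines into dicts; lines that match neither format are skipped."""
    events = []
    for line in lines:
        m = CONN_RE.match(line) or AUTH_RE.match(line)
        if m:
            e = m.groupdict()
            for k in ("sport", "dport"):
                if k in e:
                    e[k] = int(e[k])
            events.append(e)
    return events


def probes_to_closed_ports(events: List[dict], open_ports: Dict[str, set]) -> Dict[str, Counter]:
    """Per source: denied connection attempts to ports with no service behind them."""
    hits: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        if e.get("action") == "DENY" and e["dport"] not in open_ports.get(e["dst"], set()):
            hits[e["src"]][e["dport"]] += 1
    return dict(hits)


def backdoor_probes(events: List[dict]) -> Dict[str, List[str]]:
    """Which sources probed ports associated with well-known Trojans."""
    out: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        name = KNOWN_BACKDOOR_PORTS.get(e.get("dport"))
        if name and e.get("action") == "DENY":
            out[e["src"]].append(name)
    return dict(out)


def failed_logins_by_source(events: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Sources with at least `threshold` failed logins: candidates for a drop rule,
    once you have confirmed the address is not spoofed."""
    c = Counter(e["src"] for e in events if e.get("result") == "FAIL")
    return {src: n for src, n in c.items() if n >= threshold}


def unexpected_outbound(events: List[dict], servers: Dict[str, set]) -> List[str]:
    """Outbound connections from public servers to anything but their allowed ports
    (for a web server that should only reach mail servers, allow {25})."""
    return [f"{e['src']} -> {e['dst']}:{e['dport']}" for e in events
            if e.get("action") == "PERMIT" and e["src"] in servers
            and e["dport"] not in servers[e["src"]]]
```

The outbound check is the one most worth automating: a permitted connection is never an alert by itself, so without this comparison against the server's expected destinations the IRC-style connection on port 6667 in the sample would never be noticed.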

Finally, look for suspicious outbound connections. Outbound connections originating from your public Web server, for example, could be an indication that an intruder is using your network to launch an attack against someone else. Similarly, you should watch for two kinds of packets arriving on the outside interface: spoofed packets, which carry a source address internal to your network but actually originate from the outside, and source-routed packets, which carry an IP source-route option that lets the sender dictate the path and so bypass your routing policy. Both should be dropped at the border. New attack methods are developed all the time, so your firewall hardware or software should be updated regularly.

Port Knocking

Open ports are a necessary vulnerability: they allow connections to applications. Port knocking, however, lets trusted users signal across closed ports using a series of connection attempts. A device on your network monitors firewall logs, looking for the "secret knock", for example failed connection attempts to a number of ports in a specific sequence. It then automatically alters the firewall rules to open a designated port and allow remote access to the user who supplied the correct knock sequence.

Remember that any system that manipulates firewall rules automatically requires careful implementation. If the listening device fails to interpret the knocks correctly, or a knock is lost or reordered in transit, it becomes impossible to connect remotely to the host. The knock sequence is also visible to anyone who can observe the traffic, so it should be treated as an extra layer in front of normal authentication, not as a replacement for it. In addition, hackers have also implemented port knocking to open backdoors into a system: a Trojan is planted that monitors the network traffic, and after it intercepts the knock, the malware opens the pre-determined backdoor port, giving the attacker access to the system.
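An added example, not course code: the knock listener's logic as a Python state machine fed with (source, port, time) triples taken from a deny log. The sequence, window and timings are constructed. It shows the failure modes the text warns about: a knock in the wrong order, or one that arrives too late, silently resets progress, so a legitimate user who mistypes is locked out, and the temporary allow rule has to expire on its own.

```python
from typing import Dict, Optional, Tuple


class KnockListener:
    """Watches (src, dport, time) from the firewall's deny log and opens a port
    for a source that completes the secret sequence in order and in time."""

    def __init__(self, sequence: Tuple[int, ...], window: float = 10.0,
                 opens_port: int = 22, open_for: float = 30.0):
        if len(sequence) < 2:
            raise ValueError("a knock sequence needs at least two ports")
        self.sequence = tuple(sequence)
        self.window = window            # max seconds between two consecutive knocks
        self.opens_port = opens_port
        self.open_for = open_for        # seconds the opened rule stays active
        self.progress: Dict[str, Tuple[int, float]] = {}   # src -> (next index, last knock)
        self.opened: Dict[str, float] = {}                 # src -> expiry time

    def observe(self, src: str, dport: int, now: float) -> Optional[str]:
        """Feed one logged (failed) connection attempt; return an action or None."""
        idx, last = self.progress.get(src, (0, now))
        if now - last > self.window:     # too slow: start over
            idx = 0
        if dport == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.progress.pop(src, None)
                self.opened[src] = now + self.open_for
                return f"allow {src} -> tcp/{self.opens_port} until t={now + self.open_for:g}"
            self.progress[src] = (idx, now)
        elif dport == self.sequence[0]:  # wrong knock, but it could be a fresh start
            self.progress[src] = (1, now)
        else:                            # any other port resets: one typo locks the user out
            self.progress.pop(src, None)
        return None

    def is_open(self, src: str, now: float) -> bool:
        """True while the temporary allow rule for `src` is still in effect."""
        expiry = self.opened.get(src)
        if expiry is None:
            return False
        if now > expiry:
            del self.opened[src]        # a real implementation removes the firewall rule here
            return False
        return True
```

Whatever opens the rule in a real deployment must also be the thing that closes it; if the listener crashes after opening a port, the rule it added stays in place until someone notices.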

Module 8 Summary

In this module, you learned the following:

- Firewall architectures: dual-homed, screened host, and screened subnet
- Types of firewalls: packet-filtering, circuit-level, application-level, and stateful inspection
- NAT: single-address translation, static and dynamic NAT, PAT, and NAT-T
- Security rules for blocking traffic

Learning Check Module 8

1. What is the screened subnet firewall architecture?
   a. A packet-filtering firewall guards the screened host and trusted network.
   b. The host copies packets from the sending network and sends the copied packets to the destination.
   c. A demilitarized zone (DMZ) is created between the internal and external network.
   d. The host must have a different interface for each network.

2. Which two types of firewalls can block or allow traffic based on the source and destination ports? (Select two.)
   a. Circuit-level gateway
   b. Packet-filtering firewall
   c. Application-level gateway
   d. Stateful-inspection firewall
   e. Network-layer firewall

3. What would you use if you do not have enough public IP addresses for all hosts to be mapped to an Internet address?
   a. PAT
   b. NAT-T
   c. Dynamic NAT
   d. Static NAT

4. What provides address and port translation for IP Security (IPSec)?
   a. PAT
   b. NAT-T
   c. Dynamic NAT
   d. Static NAT


Quality of Service and Advanced WAN Routing

Module 9

Objectives

This module defines Quality of Service (QoS) and describes some QoS mechanisms that you can use to manage traffic across a WAN link. It also explains why WAN routers should support Virtual LAN (VLAN) tagging and describes how you can use Virtual Router Redundancy Protocol (VRRP) to provide failover capabilities for a WAN router. Finally, this module describes exterior routing protocols.

After completing this module, you will be able to:

- Explain what QoS means and describe four methods of enforcing QoS: classifying traffic, policing traffic, shaping traffic, and managing congestion.
- Describe how VRRP provides failover capabilities for routers.
- Explain why you need a WAN router that supports VLAN tagging.
- Explain the purpose of exterior routing protocols and describe the way they work.

Quality of Service

Networks handle traffic for a variety of applications, which have different bandwidth requirements and different sensitivities to time delays and interference. Unless you impose controls to regulate this traffic, all of it must contend for the same bandwidth. Delay-sensitive, mission-critical traffic must struggle for space that is all too easily consumed by bandwidth-intensive, nonessential traffic.

On your LAN, you may be able to solve this problem by simply adding more bandwidth. On a WAN, however, adding bandwidth may be both costly and impractical. Rather than incur this additional cost, you can use Quality of Service (QoS) mechanisms to regulate and manage the traffic traveling across the WAN link.

In a general sense, QoS describes the ability to provide a consistent level of service to the user. More specifically, QoS enables you to manage and control traffic by:

- Classifying traffic and giving some traffic preferential treatment over other traffic
- Avoiding traffic congestion
- Policing traffic
- Shaping traffic

Quality of Service Mechanisms

Classifying Traffic

QoS mechanisms provide many ways to classify traffic. You can classify traffic based on the user or the application that sent the traffic, on the user receiving the traffic, on Virtual LAN (VLAN) tagging, or on the type of traffic itself. For example, you could create a class for Voice over IP (VoIP) traffic and another class for HTTP traffic.

After you differentiate the traffic by creating classes, you can configure the WAN router to give some traffic preferential treatment over other traffic. For example, you can configure the WAN router to always process a certain traffic class first. You can also use other QoS mechanisms to limit the amount of bandwidth each traffic class can use and to slow the transmission of traffic classes.

Avoiding Traffic Congestion

QoS mechanisms that avoid congestion enable you to prevent critical overflows in a WAN router's queue. When traffic becomes heavy, a WAN router begins to fill its queue to manage the traffic. If the queue overflows, the WAN router may drop large numbers of packets, and performance suffers.

You can use a congestion avoidance mechanism to monitor queues and to selectively or randomly drop packets if a queue begins to fill up. Dropping packets signals to the sending devices that they should slow their transmission rate. Because the router takes action before a critical overflow occurs, only a few packets are dropped, and overall performance should not be affected.

Policing Traffic

QoS mechanisms that police traffic enable you to limit the amount of bandwidth that each traffic class uses. For example, you may want to limit HTTP traffic on your network. To do so, you would use a policing mechanism to set a rate limit for the HTTP traffic class. Most policing mechanisms allow traffic bursts within the limits you specify: you can configure both an average traffic rate and a burst traffic rate.

Policing mechanisms also enforce the traffic limits. If the traffic exceeds the limit, the policing mechanism takes the action that you specify; for example, you may want to drop the packets that exceed the limit. Typically, policing is implemented at the edge of the network to control the rate at which traffic is sent or received on the network.

Shaping Traffic

QoS mechanisms that shape traffic also enable you to control the amount of bandwidth that each traffic class uses. These mechanisms are said to shape traffic because they smooth the traffic flow, reducing or eliminating traffic bursts. If a traffic class exceeds the setting you configure, the traffic shaper buffers the packets and schedules them to be transmitted later. The packets are then transmitted over time as bandwidth for that class becomes available. In this way, the shaper slows the flow of traffic and controls traffic bursts, ensuring that the flow conforms to the settings that you have configured.

Because traffic shapers buffer packets, they add delay. Consequently, you may not want to use traffic shapers to control traffic that is sensitive to time delays.
QoS Mechanisms

This module provides some examples of each type of QoS mechanism:

- Classifying traffic: Differentiated Services (DiffServ)
- Avoiding congestion: Class-Based Queuing (CBQ) and Weighted Random Early Discard (WRED)
- Policing traffic: Committed Access Rate (CAR)
- Shaping traffic: Generic Traffic Shaping (GTS) and Frame Relay Traffic Shaping (FRTS)

DiffServ

Differentiated Services (DiffServ) defines QoS for IP. DiffServ provides two basic components as the foundation for QoS:

- Packet marking, using the IPv4 Type of Service (ToS) field
- Per Hop Behaviors (PHBs), or forwarding behavior

Packet Marking

To implement packet marking for IP, DiffServ redefines the ToS field in the IPv4 header as the Differentiated Services (DS) field. The 8-bit DS field carries the 6-bit Differentiated Services Code Point (DSCP), which supports up to 64 different traffic classes; the remaining 2 bits are used for Explicit Congestion Notification. When packets enter a network, a DiffServ-compliant device uses the policies that you create to mark packets, placing them in a traffic class. The device that marks packets as they enter the network is called the ingress node. Likewise, a device that forwards the packet to another network (in a sense, the exit point) is called an egress node. A WAN router can be both an ingress node and an egress node.

Because any host can set the DS field in the packets it sends, an ingress node should not trust marks that arrive on untrusted ports; otherwise a host can promote its own bulk traffic to the highest class. The usual practice is to re-mark packets at the ingress node according to your policy and trust marks only from ports you control.

In addition to identifying the traffic class to which a packet belongs, the DS field specifies the forwarding treatment that a packet should receive. That treatment is the PHB.

Per Hop Behaviors

By default, most routers provide best-effort service for all traffic. That is, the router treats all traffic equally, handling it on a first-in, first-out (FIFO) basis. You can use PHBs to control how routers forward different classes of traffic across the network. A PHB includes packet scheduling, queuing, policing, or shaping behavior. You can specify four types of PHBs:

- Default PHB
- Class-Selector PHBs
- Expedited Forwarding PHB
- Assured Forwarding PHBs

Default PHB

If a packet is marked for the Default PHB (DSCP 0), the router uses best-effort service to process and forward that packet. A packet that carries no PHB marking is automatically given the Default PHB.

Class-Selector PHB

The Class-Selector PHBs provide backward compatibility with IP Precedence QoS. IP Precedence is defined by the first 3 bits of the original ToS field in the IPv4 header. This 3-bit field allows eight values, of which six (0 through 5) are available for user traffic; values 6 and 7 are reserved for network control traffic such as routing protocols. A Class-Selector DSCP has its low 3 bits set to zero, so its high 3 bits line up with the precedence value. If the DSCP indicates an IP Precedence value, the router uses the IP Precedence priority to forward the packet.

Expedited Forwarding PHB

The Expedited Forwarding PHB (DSCP 46) ensures that the packet receives guaranteed bandwidth and the best level of service. This PHB ensures that the traffic has low latency, low jitter (delay variation), and low loss. Reserve the Expedited Forwarding PHB for mission-critical, delay-sensitive applications. Using this PHB for a majority or all of the traffic defeats the purpose of QoS, and because traffic marked for Expedited Forwarding is normally policed to its reserved rate, marking more traffic than the reservation allows simply gets the excess dropped.

Assured Forwarding PHB

The Assured Forwarding PHB allows you to create four traffic classes (AF1, AF2, AF3, and AF4) and assign different forwarding resources to those classes. Within each class, a packet carries one of three drop precedence values (for example, AF11, AF12, and AF13 for class 1), so that when a class is congested the router discards its high-drop-precedence packets first. For each class, you can configure the following:

- Buffer space
- Bandwidth
- Drop precedence

For example, you could create three classes of traffic, with AF2 for Voice over IP (VoIP), AF3 for HTTP traffic, and AF1 for a third application. You could then allocate 20 percent of bandwidth for AF1, 50 percent of bandwidth for AF2, and 30 percent of bandwidth for AF3. You could also configure the drop precedence values to protect AF2 traffic (VoIP) if congestion occurs. For example, if the AF3 traffic (HTTP) exceeds its limits, the router would drop those packets rather than packets from other traffic classes, especially VoIP. If the VoIP traffic spikes, the router would drop AF1 packets and HTTP packets before dropping VoIP traffic.
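The DS field encoding described in the DiffServ sections above, as an added example that is not course code: it builds and decodes DSCP values for the Default, Class-Selector, Expedited Forwarding and Assured Forwarding PHBs, reads the field out of a raw IPv4 header, and applies the ingress trust policy from the Packet Marking section. Codepoints follow RFC 2474, RFC 2597 and RFC 3246; the `ingress_remark` policy, the minimal header builder and the addresses in it are assumptions.

```python
"""Encode, decode and sanitize the DiffServ field of an IPv4 header.

Added example, not course code.  Codepoints follow RFC 2474 (DS field, Class
Selectors), RFC 2597 (AF) and RFC 3246 (EF); the ingress trust policy is an
assumption about how an ingress node might be configured.
"""
import struct

EF = 46  # Expedited Forwarding, binary 101110


def af_dscp(af_class, drop_prec):
    """AFxy codepoint: class x in 1..4 (high 3 bits), drop precedence y in 1..3."""
    if not (1 <= af_class <= 4 and 1 <= drop_prec <= 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (af_class << 3) | (drop_prec << 1)


def cs_dscp(precedence):
    """Class Selector codepoint xxx000, compatible with 3-bit IP Precedence."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence must be 0-7")
    return precedence << 3


def ds_byte(dscp, ecn=0):
    """Build the 8-bit DS field: 6-bit DSCP followed by 2 ECN bits."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def phb_name(dscp):
    """Map a DSCP to the PHB it selects ('unassigned' for local-use values)."""
    if dscp == 0:
        return "Default"
    if dscp == EF:
        return "EF"
    if dscp & 0x07 == 0:
        return f"CS{dscp >> 3}"
    af_class, drop_prec = dscp >> 3, (dscp >> 1) & 0x3
    if 1 <= af_class <= 4 and 1 <= drop_prec <= 3 and dscp & 1 == 0:
        return f"AF{af_class}{drop_prec}"
    return "unassigned"


def ipv4_dscp(header):
    """Return (dscp, phb) from a raw IPv4 header; the DS field is byte 1."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    dscp = header[1] >> 2
    return dscp, phb_name(dscp)


def ingress_remark(header, trusted_port):
    """Assumed ingress policy: keep marks arriving on trusted ports, reset
    everything else to the Default PHB so an untrusted host cannot promote
    its own traffic.  The ECN bits are preserved either way."""
    if trusted_port:
        return bytes(header)
    hdr = bytearray(header)
    hdr[1] = ds_byte(0, hdr[1] & 0x3)
    return bytes(hdr)


def build_ipv4_header(dscp, ecn=0, ttl=64, proto=6,
                      src="192.0.2.1", dst="198.51.100.1"):
    """Minimal 20-byte IPv4 header (checksum left zero) for demonstrations."""
    def to_bytes(ip):
        return bytes(int(octet) for octet in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, ds_byte(dscp, ecn), 20, 0, 0,
                       ttl, proto, 0, to_bytes(src), to_bytes(dst))
```

`phb_name` rejects odd codepoints and AF values with drop precedence 0 as unassigned rather than guessing, which matters at an ingress node: a packet carrying an unrecognised mark should be treated as Default, not mapped to the nearest privileged class.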

Class-Based Queuing

By managing queues in routers, you can minimize the number of dropped packets. Class-Based Queuing (CBQ) is an open packet-scheduling algorithm that enables you to create different queues for different traffic classes. When a router receives a packet, CBQ uses your traffic prioritization rules to determine which queue to place that packet in and which queue to process first.

You can also use CBQ to guarantee data rates for each traffic class. For example, if you allocate 56 Kbps to a high-priority traffic class, CBQ ensures that the traffic always gets 56 Kbps. In addition, you can configure CBQ to allow traffic classes to borrow unused bandwidth and burst above their guaranteed data rates when necessary.

Weighted Random Early Discard (WRED)

Weighted Random Early Discard (WRED) is a congestion avoidance mechanism. To prevent congestion, WRED slows down traffic before the router becomes overloaded. WRED monitors the average depth of each queue and begins discarding packets when that average crosses a configured minimum threshold, well before the queue reaches full capacity.

WRED discards packets to slow TCP traffic. In TCP/IP traffic, TCP handles congestion control: when TCP detects that packets are being dropped, it automatically slows its own transmission rate. Slowing TCP traffic prevents congestion at the router. If the traffic did not slow and the queues became full, the router would tail-drop a high number of packets at once, and many TCP flows would back off together. Note that WRED has no effect on senders that ignore loss, such as most UDP-based applications; those must be policed separately.

WRED does not discard packets uniformly at random. Each traffic class (weighted by IP Precedence or DSCP) has its own minimum threshold, maximum threshold, and maximum drop probability. As the average queue depth grows, the drop probability for a class rises from zero at its minimum threshold to the configured maximum at its maximum threshold, beyond which all packets of that class are dropped. Because lower-priority classes are given lower thresholds, their packets are discarded earlier and more often than those of higher-priority classes.
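The WRED drop decision described above, as an added example that is not vendor code: an exponentially weighted average of the queue depth, a per-class profile of minimum threshold, maximum threshold and maximum drop probability, and a linear ramp between them. The three class profiles and their thresholds are assumptions chosen to show that the low-priority class starts losing packets first.

```python
"""Weighted Random Early Discard: per-class drop decision on a shared queue.

Added example, not vendor code.  The thresholds and drop probabilities below
are assumptions; real routers express them per precedence or per DSCP.
"""
import random


class WredProfile:
    """Thresholds (in packets) and maximum drop probability for one class."""
    def __init__(self, min_th, max_th, max_p):
        if not 0 <= min_th < max_th:
            raise ValueError("need 0 <= min_th < max_th")
        self.min_th, self.max_th, self.max_p = min_th, max_th, max_p


# Lower-priority classes start losing packets at a shallower queue depth.
PROFILES = {
    "bulk":   WredProfile(min_th=10, max_th=30, max_p=0.5),
    "normal": WredProfile(min_th=20, max_th=40, max_p=0.2),
    "voice":  WredProfile(min_th=35, max_th=40, max_p=0.05),
}


class Wred:
    def __init__(self, profiles, weight=0.2, rng=random.random):
        self.profiles, self.weight, self.rng = profiles, weight, rng
        self.avg = 0.0  # smoothed queue depth

    def update_avg(self, queue_len):
        """Exponentially weighted moving average, so a short burst does not
        trigger drops but sustained congestion does."""
        self.avg = (1 - self.weight) * self.avg + self.weight * queue_len
        return self.avg

    def drop_probability(self, klass):
        """0 below min_th, rising linearly to max_p at max_th, 1 beyond it."""
        p = self.profiles[klass]
        if self.avg < p.min_th:
            return 0.0
        if self.avg >= p.max_th:
            return 1.0
        return p.max_p * (self.avg - p.min_th) / (p.max_th - p.min_th)

    def should_drop(self, klass, queue_len):
        """Called once per arriving packet with the current instantaneous depth."""
        self.update_avg(queue_len)
        return self.rng() < self.drop_probability(klass)


def simulate(depths, klass, seed=1, **kw):
    """Feed a sequence of observed queue depths and count the drops for a class."""
    rng = random.Random(seed).random
    w = Wred(PROFILES, rng=rng, **kw)
    return sum(w.should_drop(klass, d) for d in depths)
```

With a queue that ramps steadily from empty to 49 packets, `simulate` drops far more bulk packets than voice packets with the same random sequence, because the bulk profile reaches its forced-drop region at an average depth of 30 while voice only does so at 40.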

Committed Access Rate (CAR)

Committed Access Rate (CAR) is used to police traffic. Using CAR, you can:

- Classify packets
- Limit bandwidth rates for traffic classes
- Determine how traffic is handled when it matches or exceeds the rate limits that you set

For example, you may create a class that includes all HTTP traffic and then limit the HTTP traffic to 40 percent of your WAN connection. By using CAR to limit HTTP traffic, you can ensure that this traffic does not consume all of the bandwidth on your WAN connection. The remaining 60 percent of the bandwidth on your WAN connection is available for other types of traffic, such as traffic generated by VoIP, online trading, or e-commerce applications.

When configuring CAR, you must specify the following:

- Packet direction: whether the rate limit applies to incoming or outgoing traffic.
- Average rate: the long-term transmission rate allowed for the class. The router measures traffic over time to determine whether the class adheres to your setting.

- Normal burst size: permits occasional traffic spikes. The normal burst size determines how much traffic above the average rate is allowed within a measurement interval before the traffic is considered to exceed the limit.
- Excess burst size: bounds extreme traffic spikes. It determines the point beyond which a burst is so large that all further traffic in the interval exceeds the rate limit.

You must also specify the action that the router takes when the traffic matches or exceeds the rate limit that you set. You can select one of the following:

- Transmit: the router forwards the packet to its destination.
- Drop: the router drops the packet.
- Set precedence and transmit: the router rewrites the IP Precedence bits in the packet header and then forwards the packet to its destination.
- Set QoS group and transmit: the router assigns the packet to a QoS group and then forwards it to its destination.
- Set precedence and continue: the router rewrites the IP Precedence bits in the packet header and then uses the next rate policy to evaluate the packet. If there is no other rate policy, the router forwards the packet to its destination.
- Set QoS group and continue: the router assigns the packet to a QoS group and uses the next rate policy to evaluate the packet. If there is no other rate policy, the router forwards the packet to its destination.

You can use CAR on input interfaces, output interfaces, or subinterfaces, such as Frame Relay subinterfaces.

Generic Traffic Shaping and Frame Relay Traffic Shaping

Like CAR, Generic Traffic Shaping (GTS) and Frame Relay Traffic Shaping (FRTS) allow you to limit the rate of traffic. Unlike CAR, however, GTS and FRTS do not enforce this rate limit by dropping packets. As true traffic shapers, GTS and FRTS smooth traffic by storing traffic above the configured rate in a queue. GTS and FRTS then delay transmission until bandwidth becomes available. (Only if that queue itself fills does a shaper fall back to dropping packets.) For both GTS and FRTS, you can configure a mean rate, a burst rate, and an excess burst rate. Once again, these rates are measured over a specific time interval.

Generic Traffic Shaping

You can configure GTS for each interface in the router. GTS supports data-link layer protocols such as Ethernet, Switched Multimegabit Data Service (SMDS), and Frame Relay. GTS uses Weighted Fair Queuing (WFQ). With WFQ, you create multiple queues for different traffic classes and assign a weight value to each queue in proportion to its priority level. You weight the queues to ensure that higher-priority queues get a larger share of the available bandwidth than lower-priority queues. The exact amount of bandwidth each queue receives depends on the number of queues that are sharing the bandwidth.

Frame Relay Traffic Shaping

Traffic shaping is especially critical in Frame Relay because data is transmitted at the same rate regardless of whether congestion occurs. The transmission rate for Frame Relay is determined by the clock speed of the line. For example, if you have a 64 Kbps line, the router transmits data at 64 Kbps no matter what. If a receiving device cannot handle the transmission rate, it begins discarding packets. If you configure FRTS, however, the router slows traffic by placing it in queues and processing the traffic according to the priorities you configure. You can configure FRTS for each DLCI.

FRTS uses either priority queuing or custom queuing. With priority queuing, you create multiple queues and assign each queue a priority value. When processing traffic, the router assigns traffic to queues based on your configuration settings. The router then transmits traffic in high-priority queues before transmitting traffic in lower-priority queues. Priority queuing has one major drawback: it gives the queue being serviced all of the available bandwidth. When used alone, priority queuing can starve lower-priority traffic by always servicing traffic in high-priority queues.

With custom queuing, you assign traffic classes to numbered queues, and you specify how much data is sent each time the router services a queue. The router services the queues in a round-robin manner, so every class is guaranteed some share of the bandwidth.
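The difference between policing (CAR) and shaping (GTS and FRTS) that the preceding sections describe, as an added example that is not vendor code: the same token-bucket measurement drives both, but the policer returns a verdict and an action for each packet (transmit, re-mark, or drop), while the shaper returns the time at which each packet may leave and only drops when its own queue is full. The policer is modelled on the single-rate three-color marker of RFC 2697, whose committed and excess buckets correspond to the normal and excess burst sizes; the rates, burst sizes and packet sizes are assumptions.

```python
"""A CAR-style policer beside a GTS-style shaper driven by the same token bucket.

Added example, not vendor code.  The policer follows the single-rate
three-color marker of RFC 2697 (committed burst = normal burst, excess
burst = excess burst); the shaper computes when each packet may leave.
Rates, burst sizes and packet sizes are assumptions.
"""


class Policer:
    """Measure traffic against an average rate; classify each packet as
    conform, exceed or violate and return the configured action."""

    DEFAULT_ACTIONS = {"conform": "transmit",
                       "exceed": "set-precedence",   # re-mark to a lower class
                       "violate": "drop"}

    def __init__(self, rate, normal_burst, excess_burst, actions=None):
        self.rate = rate                                # bytes per second
        self.cbs, self.ebs = normal_burst, excess_burst
        self.tc, self.te = normal_burst, excess_burst   # both buckets start full
        self.last = 0.0
        self.actions = actions or self.DEFAULT_ACTIONS

    def _refill(self, now):
        """Tokens accrue at `rate`; overflow from the normal bucket feeds the excess bucket."""
        delta = max(0.0, now - self.last) * self.rate
        self.last = max(self.last, now)
        room = self.cbs - self.tc
        self.tc += min(delta, room)
        self.te = min(self.ebs, self.te + max(0.0, delta - room))

    def police(self, pkt_len, now):
        self._refill(now)
        if self.tc >= pkt_len:
            self.tc -= pkt_len
            verdict = "conform"
        elif self.te >= pkt_len:
            self.te -= pkt_len
            verdict = "exceed"
        else:
            verdict = "violate"          # no tokens left: nothing is consumed
        return verdict, self.actions[verdict]


def shape(packets, rate, burst, queue_limit=None):
    """Schedule (length, arrival) packets through a token bucket, delaying
    rather than dropping.  Returns (arrival, send_time) pairs; with a finite
    queue_limit, a packet that would have to wait behind too many others is
    dropped (send_time None), the one case where a shaper still loses traffic."""
    tokens, last_send, out = burst, 0.0, []
    for length, arrival in packets:
        if length > burst:
            raise ValueError("packet larger than burst can never be sent")
        t0 = max(arrival, last_send)                       # FIFO: never overtake
        tokens = min(burst, tokens + (t0 - last_send) * rate)
        send_at = t0 if tokens >= length else t0 + (length - tokens) / rate
        if queue_limit is not None and send_at > arrival:
            queued = sum(1 for _, s in out if s is not None and s > arrival)
            if queued + 1 > queue_limit:
                out.append((arrival, None))                # buffer full: dropped
                continue
        tokens = min(burst, tokens + (send_at - t0) * rate) - length
        last_send = send_at
        out.append((arrival, send_at))
    return out
```

Six 500-byte packets arriving together at 1000 bytes/s with a 1500-byte normal burst and 1000-byte excess burst illustrate the contrast: the policer passes three, re-marks two and drops the sixth immediately, while the shaper sends the same six packets at 0, 0, 0, 0.5, 1.0 and 1.5 seconds, trading loss for delay.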

Evaluating Traffic for QoS

Implementing QoS in a haphazard fashion can wreak havoc on your network. Before you begin to implement QoS, you should carefully evaluate each application that generates traffic. You should consider the following:

- Usage
- Bandwidth requirements
- Sensitivity to delay, jitter, and packet loss

To identify the mission-critical applications for your company, rank the importance of each application. You may want to use the considerations outlined above to begin the evaluation process. In ranking Voice over IP (VoIP) and HTTP traffic, for example, you would evaluate how your company is using the applications that generate each type of traffic. You would also evaluate the needs of both types of traffic. Because your company relies on VoIP for phone service and because VoIP is sensitive to time delays, you would probably give VoIP preferential treatment over HTTP traffic.

VLAN Support

Based on the IEEE 802.1Q standard, VLANs allow you to group switch ports logically rather than physically. Each switch port can be a member of multiple tagged VLANs but a member of only one untagged VLAN. By creating VLANs, companies can manage users and devices independently of their physical location.

If two switches both support 802.1Q tagging, they can exchange traffic from multiple VLANs over a single point-to-point link by tagging each frame with its VLAN ID. VLANs can then span switches, creating broadcast domains that are independent of the physical topology. Tagging is a layer 2 capability and does not require a layer 3 switch; layer 3 capability is needed only to route traffic between VLANs. If a company's switches cannot tag frames on the inter-switch link, however, the VLANs are confined to each switch, and the company cannot take full advantage of VLANs.

Companies have another option if their router supports VLAN tagging: the router can recognize and route VLAN-tagged packets through its Ethernet ports. As shown here, the VLANs are defined on the switches, and the router forwards VLAN traffic between the two switches. On such a link, keep the untagged (native) VLAN free of user traffic: untagged frames on a tagged link are assigned to the native VLAN, and mixing the two is a classic way for traffic to end up in a VLAN it was never meant to reach.

Virtual Router Redundancy Protocol (VRRP)

As the name suggests, Virtual Router Redundancy Protocol (VRRP) provides failover capabilities for routers. With VRRP, a group of routers work together to ensure that hosts always have a default gateway. When you configure a group of VRRP routers, you define a virtual router for the entire group and assign it an IP address. This is the IP address you use to configure the default gateway for local hosts.

In any group of VRRP routers, one router is the master VRRP router. The master router functions as the default gateway for local hosts. If the master router goes down, the routers in the VRRP group identify a new master router, and that new master router begins to function as the default gateway for hosts, without requiring you to reconfigure the default gateway IP address on all the hosts that relied on the original router. In this way, VRRP eliminates a single point of failure on the network.

The process of determining the master router depends on how you configure VRRP on the routers. The IP address you assign the virtual router may determine which router is the master VRRP router. For example, suppose you configure Router A, Router B, and Router C as VRRP routers and assign the virtual router the IP address that is used by Router A. In this case, Router A would check its own IP address, discover that it owned the IP address for the virtual router, and determine that it was the master VRRP router (the owner of the virtual address always runs with the highest priority, 255). Router A would then notify all the other routers in the VRRP group that it was the master VRRP router.

However, you do not have to assign the virtual router the IP address of any existing router. You can assign the virtual router any valid IP address for the network on which the routers reside. In this case, the VRRP routers compare the priorities that you have assigned to them and use this information to determine which router is the master. If the routers have the same priorities, the VRRP routers compare IP addresses. The router with the highest IP address becomes the master VRRP router.
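The election rules described above, as an added example that is not ProCurve code: the owner of the virtual address wins at priority 255, otherwise the highest configured priority wins and a tie goes to the highest primary address (RFC 3768 and RFC 5798). It also includes a check on received advertisements, because VRRP carries no strong authentication and any host on the LAN that sends a higher-priority advertisement can make itself the default gateway. Router names, addresses and priorities are assumptions.

```python
"""VRRP master election and a sanity check on advertisements.

Added example, not ProCurve code.  Election rules follow RFC 3768 / RFC 5798:
the address owner runs at priority 255, otherwise the highest configured
priority wins and ties go to the highest primary address.  Router names,
addresses and priorities are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VrrpRouter:
    name: str
    address: str         # the router's own primary address on the LAN
    priority: int = 100  # 1..254 is configurable; 255 is reserved for the owner


def effective_priority(router, virtual_ip):
    if router.address == virtual_ip:
        return 255                        # owner of the virtual address
    if not 1 <= router.priority <= 254:
        raise ValueError(f"{router.name}: priority must be 1-254")
    return router.priority


def elect_master(routers, virtual_ip):
    """Highest effective priority wins; ties go to the highest primary IP."""
    if not routers:
        raise ValueError("no router left to act as default gateway")
    return max(routers, key=lambda r: (effective_priority(r, virtual_ip),
                                       int(ipaddress.ip_address(r.address))))


def master_after_failure(routers, virtual_ip, failed_names):
    """Re-run the election without the routers that have gone down."""
    alive = [r for r in routers if r.name not in failed_names]
    return elect_master(alive, virtual_ip)


def unexpected_advertisement(adv_source, adv_priority, group, virtual_ip):
    """True when an advertisement cannot have come from a configured member
    announcing its own priority.  VRRP has no strong authentication, so a
    LAN host sending a higher-priority advertisement can take over the
    default gateway; this check is a detection aid, not a defence."""
    member = next((r for r in group if r.address == adv_source), None)
    return member is None or adv_priority != effective_priority(member, virtual_ip)
```

Running `unexpected_advertisement` against captured advertisements on the gateway VLAN is the practical check: a source address outside the configured group, or a member announcing a priority other than the one you configured, is either a misconfiguration or an attempt to hijack the gateway.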

Exterior Routing Protocols

LAN routers use interior routing protocols such as Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) to exchange routing information within an autonomous system. (An autonomous system is a network, including its routers, that is under a single administration.) Likewise, WAN routers use exterior routing protocols to exchange routing information, called reachability information, between autonomous systems. Because the Internet is essentially a collection of autonomous systems, Internet routers use exterior routing protocols. For example, routers deployed at Internet Service Providers (ISPs) use exterior routing protocols to exchange routing information.

This module describes two exterior routing protocols:

- Exterior Gateway Protocol (EGP)
- Border Gateway Protocol (BGP)

Exterior Gateway Protocol

The Exterior Gateway Protocol (EGP) was the original exterior routing protocol. In fact, EGP was designed to exchange routing information on the Advanced Research Projects Agency Network (ARPANET), the precursor to the Internet. EGP is concerned primarily with reachability information: which routers are neighbors, and what routing information do these routers possess? EGP has three basic functions:

- Identify neighbors and share reachability information
- Poll neighbors to ensure they are still available
- Advertise information about the autonomous system on which the router resides

Although EGP is a dynamic routing protocol, it does not provide the capabilities needed to make intelligent routing decisions. EGP enables routers to record distance information, but it does not enable routers to evaluate that information. As a result, a router cannot use EGP to determine the best path to any destination.

This limitation stems from EGP's original implementation. In ARPANET, a group of trusted core gateways made routing decisions for the entire network. These core gateways gathered routing information, evaluated this information, and created routing tables that included the best path to destinations. The core gateways then sent these routing tables to the WAN routers for each known autonomous system.

The Internet, however, has a distributed architecture; no central authority controls it. A group of core gateways cannot make routing decisions for the entire Internet. Instead, routers on autonomous systems gather, process, and distribute routing information. This distributed architecture requires an exterior routing protocol that routers can use to make intelligent routing decisions. Consequently, EGP has been replaced by BGP, which enables routers to make intelligent routing decisions.

Border Gateway Protocol

Border Gateway Protocol (BGP) was developed to correct the limitations of EGP and is now the exterior routing protocol used on the Internet. Internet routers typically give BGP messages priority over user traffic. After all, if the routing information is not correct, packets cannot be routed or delivered.

Each BGP router maintains a Routing Information Base (RIB), which contains three types of information:

- Adj-RIBs-In contain the unedited routing information that neighboring routers send.
- Loc-RIB contains the routing information that the router actually uses. The router applies its decision process to the Adj-RIBs-In to create this routing information.
- Adj-RIBs-Out contain the information that the router sends to neighboring routers.

Message Types

Like RIP, BGP defines a process for routers to exchange routing information. BGP routers use four types of messages:

- Open: establishes a session with a neighboring BGP router. The Open message carries the sender's AS number, its BGP identifier, and the Hold Time it proposes.
- Update: carries routing information. An Update advertises feasible routes (IP prefixes together with the path attributes needed to reach them) and withdraws routes that the sender can no longer reach.
- Notification: reports errors, such as an unreadable message, after which the session is closed.
- Keepalive: informs the neighbor that the BGP router is still functioning. You can configure how often the BGP router sends a Keepalive message; the range for this setting is 3 seconds to 30 seconds. The peers negotiate a Hold Time (the smaller of the two values offered in their Open messages), and if a router receives no Keepalive or Update from a neighbor within the Hold Time, it closes the session and removes that neighbor's routes from its Routing Information Base.

Exchange of Information

When a BGP router is booted and enters the Internet for the first time, it opens a TCP connection to port 179 of each configured neighbor and sends an Open message to establish the session. Because the session is a long-lived TCP connection between known peers, it is normally protected against spoofed or injected segments, for example with TCP MD5 signatures (RFC 2385) or the TCP Authentication Option (RFC 5925). The neighboring routers then use Update messages to send the new BGP router their complete Routing Information Base. From then on, the BGP routers exchange only incremental updates, rather than the entire Routing Information Base.

When a BGP router receives an Update message, it uses an algorithm to evaluate the message and compare the information in the message to its existing Routing Information Base. If the Update message provides new routing information for a prefix, the BGP router updates the Loc-RIB portion of the Routing Information Base to reflect the change. If the Update message contains information about a new prefix, the BGP router runs its decision process to determine which of the routes in its Routing Information Base is the best route to that prefix. If this information changes the best path to this or other destinations, the BGP router updates the Loc-RIB portion of the Routing Information Base and sends an Update message to neighboring BGP routers.
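The Open exchange and Keepalive timing described above, as an added example that is not router code: it frames BGP messages with the RFC 4271 header, builds and parses Open messages, derives the negotiated Hold Time and Keepalive interval for both peers, and applies the header checks a receiver performs before acting on a message (a bad marker or length is exactly what a Notification reports). The AS numbers, BGP identifiers and hold times are assumptions.

```python
"""Build, frame and validate BGP OPEN and KEEPALIVE messages (RFC 4271).

Added example, not router code.  It shows the Open exchange on a session,
the Hold Time / Keepalive negotiation, and the header checks a receiver
performs before trusting a message.  ASNs, identifiers and timers are
assumptions.
"""
import struct

MARKER = b"\xff" * 16
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4
HEADER_LEN, MAX_LEN = 19, 4096


class BgpError(ValueError):
    """A receiver answers these with a NOTIFICATION and closes the session."""


def frame(msg_type, payload=b""):
    """16-byte all-ones marker, 2-byte total length, 1-byte type, payload."""
    return MARKER + struct.pack("!HB", HEADER_LEN + len(payload), msg_type) + payload


def build_open(asn, hold_time, bgp_id):
    """OPEN body: version 4, 2-byte AS number, Hold Time, 4-byte identifier,
    zero-length optional parameters."""
    if not 1 <= asn <= 65535:
        raise BgpError("2-byte AS number required without the 4-octet AS capability")
    if hold_time != 0 and hold_time < 3:
        raise BgpError("Hold Time must be 0 or at least 3 seconds")
    ident = bytes(int(octet) for octet in bgp_id.split("."))
    return frame(OPEN, struct.pack("!BHH4sB", 4, asn, hold_time, ident, 0))


def build_keepalive():
    return frame(KEEPALIVE)


def parse_message(data):
    """Validate the header and return (type, payload)."""
    if len(data) < HEADER_LEN or data[:16] != MARKER:
        raise BgpError("connection not synchronized")
    length, msg_type = struct.unpack("!HB", data[16:19])
    if not HEADER_LEN <= length <= MAX_LEN or length != len(data):
        raise BgpError("bad message length")
    if msg_type not in (OPEN, UPDATE, NOTIFICATION, KEEPALIVE):
        raise BgpError("bad message type")
    if msg_type == KEEPALIVE and length != HEADER_LEN:
        raise BgpError("KEEPALIVE must be exactly 19 bytes")
    return msg_type, data[HEADER_LEN:]


def parse_open(payload):
    if len(payload) < 10:
        raise BgpError("truncated OPEN")
    version, asn, hold_time, ident, opt_len = struct.unpack("!BHH4sB", payload[:10])
    if version != 4:
        raise BgpError("unsupported version number")
    if hold_time != 0 and hold_time < 3:
        raise BgpError("unacceptable Hold Time")
    if len(payload) != 10 + opt_len:
        raise BgpError("optional parameter length does not match message")
    return {"asn": asn, "hold_time": hold_time,
            "bgp_id": ".".join(str(b) for b in ident)}


def negotiate_timers(local_hold, peer_hold):
    """Both sides settle on the smaller Hold Time; Keepalives go out every
    third of it (a Hold Time of 0 means no Keepalives at all)."""
    hold = min(local_hold, peer_hold)
    return hold, hold // 3


def open_exchange(local, peer):
    """Simulate both peers sending OPEN and deriving the same shared timers.
    `local` and `peer` are (asn, hold_time, bgp_id) tuples."""
    sent_local, sent_peer = build_open(*local), build_open(*peer)
    peer_view = parse_open(parse_message(sent_peer)[1])
    local_view = parse_open(parse_message(sent_local)[1])
    timers = negotiate_timers(local[1], peer_view["hold_time"])
    assert negotiate_timers(peer[1], local_view["hold_time"]) == timers
    return timers


def is_well_formed(data):
    """True if the header passes every check a receiver applies."""
    try:
        parse_message(data)
        return True
    except BgpError:
        return False
```

The length check matters more than it looks: a receiver that trusts the declared length over the bytes actually received can be made to read past the buffer or to stall waiting for data that never arrives, so the length field is validated against both the protocol bounds and the real message size before the payload is touched.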

Module 9 Summary

In this module, you learned the following:

- Quality of Service mechanisms that classify traffic, manage congestion, police traffic, or shape traffic: DiffServ, class-based queuing, WRED, CAR, GTS, and FRTS
- The advantage of VLAN support in WAN routers
- VRRP for redundancy in routing
- Exterior routing protocols, which are used by Internet routers: EGP and BGP

Learning Check Module 9

1. What is the difference between QoS mechanisms that police traffic and QoS mechanisms that shape traffic?

2. Which item is a congestion avoidance QoS mechanism that drops packets to signal the sending devices to slow the traffic flow?
   a. DiffServ
   b. WFQ
   c. WRED
   d. VRRP

3. What would you use to shape traffic, reducing traffic bursts on the network?
   a. Class-based queuing
   b. EGP
   c. WRED
   d. GTS

4. What would you use to ensure that VoIP traffic receives priority handling and guaranteed bandwidth across the network?
   a. VRRP
   b. WRED
   c. GTS
   d. DiffServ

5. What advantage does BGP provide over EGP?

Appendix A: Answers to Learning Checks

Module 1

1. What are the three basic elements of a WAN connection?
   Physical transmission media, electrical signaling specifications, and data-link layer protocols

2. Which of the following types of circuit is used to create T-, E-, and J-carrier lines?
   a. Switched virtual circuit
   b. Permanent circuit
   c. Permanent virtual circuit
   d. Switched circuit
   Answer: b

3. Which digital signaling hierarchy forms the basis of E-carrier lines?
   a. DSX
   b. JSX
   c. CEPT
   d. EPT
   Answer: c

4. How many DS0s are multiplexed into a T1- or J1-carrier line?
   a. 16
   b. 24
   c. 20
   d. 32
   Answer: b

5. How many DS0s are multiplexed into an E1-carrier line?
   a. 16
   b. 24
   c. 20
   d. 32
   Answer: d

6. How many E1 signals are multiplexed to create the E3 signal used in E3 carrier lines?
   a. 16
   b. 24
   c. 20
   d. 32
   Answer: a

Module 2

1. What are the two main differences between Multilink PPP (MP) and PPP?
   1. MP introduces three configuration options for LCP: the maximum receive reconstructed unit, short sequence number, and endpoint discriminator options.
   2. An MP header is added to the information field in the PPP frame.

2. Which two functions must data-link layer protocols perform to control data transfer?
   1. Establish a link between a sending peer and a receiving peer.
   2. Reliably transfer data across the link.

3. When a PPP connection is established, which three protocols must the peers exchange? (Select three.)
   a. PPP
   b. PAP
   c. LCP
   d. APP
   e. CHAP
   f. LAPD
   g. NCP

4. When does a peer that is configured to use PPP send a Configure-Nak frame?
   a. If the sending peer provides incorrect authentication information
   b. If the peer rejects some of the configuration options proposed by the sending peer
   c. If the configuration options are unrecognizable
   d. If the peer wants to acknowledge a communication
   Answer: b

5. Which protocol enables you to use authentication protocols not defined by PPP?
   a. CHAP
   b. LCP
   c. PAP
   d. EAP
   Answer: d

Module 3

1. Which two functions does the DSU provide? (Select two.)
   a. Converts signals from the LAN to the format required on the WAN connection and vice versa
   b. Monitors the signal on the line
   c. Keeps the WAN connection alive when there is no data stream
   d. Provides loopback testing between itself and the LAN
   e. Determines the data-link layer protocols supported

2. Which two functions does the smart jack provide? (Select two.)
   a. Provides the time clock for the connection
   b. Maintains the connection
   c. Terminates the connection
   d. Enables public carriers to perform management tasks
   e. Amplifies the signal across the connection

3. Which electrical specification does a T1 WAN connection use?
   a. DSX-1
   b. AMI
   c. CEPT
   d. G
   Answer: a

4. Which transmission rate does an E1 WAN connection provide?
   a. Mbps
   b. Mbps
   c. Mbps
   d. Mbps

5. What is the difference between a T1 WAN connection and a J1 WAN connection?
   a. They provide different transmission speeds.
   b. They use different signaling formats.
   c. They require different types of cabling.
   d. They have different default data-link layer protocols.

Module 4

1. What is the function of the D channel?
   Handles signaling and call control for the ISDN connection.

2. Which item can you connect at the S interface?
   a. Network termination 1
   b. Smart jack
   c. Network adapter
   d. Terminal equipment

3. In Japan, how many channels does PRI ISDN provide?
   a. 30 B channels and 1 D channel
   b. 23 B channels and 1 D channel
   c. 32 B channels and 1 D channel
   d. 24 B channels and 1 D channel

4. What monitors the ISDN line, maintains timing, and provides power?
   a. Network termination 1
   b. Network adapter
   c. Terminal equipment
   d. Terminal adapter

5. Which data-link layer protocol is used to establish the ISDN line between two endpoints?
   a. PPP
   b. LAPD
   c. Frame Relay
   d. HDLC

Module 5

1. What is the difference between symmetric xDSL technologies and asymmetric xDSL technologies?
   Symmetric xDSL technologies have the same transmission speeds for upstream and downstream. Asymmetric xDSL technologies have a higher transmission speed for downstream than for upstream.

2. Which xDSL technology is sometimes used to provision the local loop for a T1-carrier line?
   a. ADSL2+
   b. VDSL
   c. RADSL
   d. HDSL

3. Which description applies to DMT?
   a. Divides the available bandwidth into three channels
   b. Divides the available bandwidth into one upstream channel and one downstream channel
   c. Divides the available bandwidth into a variable number of channels, depending on the amount of traffic being received
   d. Divides the available channels into 256 subchannels

4. Which ADSL standard supports analog voice?
   a. Annex A
   b. Annex B
   c. Annex C
   d. Annex D

5. Which device aggregates DSL lines from multiple subscribers?
   a. Broadband access server
   b. Broadband switch
   c. Voice switch
   d. DSLAM

Module 6

1. What function does the FRAD perform?
   a. Provides the network address for the WAN router
   b. Monitors the connection to ensure that the network does not exceed the bandwidth agreed upon in the SLA
   c. Encapsulates packets into Frame Relay
   d. Defines the amount of bandwidth that the subscriber can use

2. What is used to signal a router at the receiving end that the VC is congested?
   a. DE Bit
   b. FECN
   c. BECN
   d. LMI

3. What defines the amount of bandwidth that the subscriber can use if extra bandwidth is available on the Frame Relay network?
   a. CIR
   b. BE Bit
   c. EIR
   d. Annex D

Module 7

1. What is the main difference between the way ESP authenticates packets and the way AH authenticates packets?
   ESP authenticates from the payload of the packet; AH authenticates all the fields in the packet.

2. Which IPSec mode can be used with other tunneling protocols such as GRE and L2TP?
   Transport protocol

3. What is defined in the SA?
   a. Security protocol used
   b. Tunneling mode used
   c. IKE
   d. The transmission speed negotiated between VPN hosts

4. If you were concerned about hackers intercepting communication between two VPN hosts, which option would you use?
   a. Transport mode with asymmetric encryption
   b. Tunnel mode with DES encryption
   c. Transport mode with RC5 encryption
   d. Tunnel mode with Blowfish encryption

Module 8

1. What is the screened subnet firewall architecture?
   a. A packet-filtering firewall guards the screened host and trusted network.
   b. The host copies packets from the sending network and sends the copied packets to the destination.
   c. A demilitarized zone (DMZ) is created between the internal and external network.
   d. The host must have a different interface for each network.

2. Which two types of firewalls can block or allow traffic based on the source and destination ports? (Select two.)
   a. Circuit-level gateway
   b. Packet-filtering firewall
   c. Application-level gateway
   d. Stateful-inspection firewall
   e. Network-layer firewall

3. What would you use if you did not have enough public IP addresses for all hosts to be mapped to an Internet address?
   a. PAT
   b. NAT T
   c. Dynamic NAT
   d. Static NAT

4. What provides address and port translation for IP Security (IPSec)?
   a. PAT
   b. NAT T
   c. Dynamic NAT
   d. Static NAT

Module 9

1. What is the difference between QoS mechanisms that police traffic and QoS mechanisms that shape traffic?
   QoS mechanisms that police traffic allow traffic bursts within the limits you specify. QoS mechanisms that shape traffic buffer packets to smooth the traffic flow, eliminating or reducing traffic bursts.

2. Which item is a congestion avoidance QoS mechanism that will drop packets to signal the sending devices to slow traffic flow?
   a. DiffServ
   b. WFQ
   c. WRED
   d. VRRP

3. What would you use to shape traffic, reducing traffic bursts on the network?
   a. Class-based queuing
   b. EGB
   c. WRED
   d. GTS

4. What would you use to ensure that VoIP traffic received priority handling and guaranteed bandwidth across the network?
   a. VRRP
   b. WRED
   c. GTS
   d. DiffServ

5. What advantage does BGP provide over EGB?
   BGP can make intelligent routing decisions.


For further information, please visit our Web site at:

Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.


More information

SSVVP SIP School VVoIP Professional Certification

SSVVP SIP School VVoIP Professional Certification SSVVP SIP School VVoIP Professional Certification Exam Objectives The SSVVP exam is designed to test your skills and knowledge on the basics of Networking, Voice over IP and Video over IP. Everything that

More information

Cisco 8-Port Channelized T1/E1 Shared Port Adapter

Cisco 8-Port Channelized T1/E1 Shared Port Adapter Cisco 8-Port Channelized T1/E1 Shared Port Adapter The Cisco I-Flex approach combines shared port adapters (SPAs) and SPA interface processors (SIPs), providing an extensible design that helps prioritize

More information

< Introduction > This technical note explains how to connect New SVR Series to DSL Modem or DSL Router. Samsung Techwin Co., Ltd.

< Introduction > This technical note explains how to connect New SVR Series to DSL Modem or DSL Router. Samsung Techwin Co., Ltd. < Introduction > This technical note explains how to connect New to DSL Modem or DSL Router. Samsung Techwin Co., Ltd. 1 Contents 1. General... 4 1.1. DSL (xdsl)... 4 1.2. Modem... 5 1.2.1. Modem... 5

More information

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0 COURSE OVERVIEW Implementing Secure Converged Wide Area Networks (ISCW) v1.0 is an advanced instructor-led course that introduces techniques and features that enable or enhance WAN and remote access solutions.

More information

Evaluating Bandwidth Optimization Technologies: Bonded Internet

Evaluating Bandwidth Optimization Technologies: Bonded Internet Evaluating Bandwidth Optimization Technologies: Bonded Internet Contents Channel Bonding and MLPPP Load Balancing and BGP Configuring Tunnels Traditional Bonding MetTel s Bonded Internet Service 3 4 5

More information

CS 5516 Computer Architecture Networks

CS 5516 Computer Architecture Networks Lecture 11: ISDN & ATM CS 5516 Computer Architecture Networks VA Tech Prof. Roy M. Wnek History of ISDN Traditionally, local loop connectivity has been with an analog signal on copper Inefficient, prone

More information

Advanced Higher Computing. Computer Networks. Homework Sheets

Advanced Higher Computing. Computer Networks. Homework Sheets Advanced Higher Computing Computer Networks Homework Sheets Topic : Network Protocols and Standards. Name the organisation responsible for setting international standards and explain why network standards

More information

How To. Configure E1 links. Introduction. What information will you find in this document?

How To. Configure E1 links. Introduction. What information will you find in this document? How To Configure E1 links Introduction E1 is the European digital transmission format standard, traditionally used for inter-pbx traffic, where a large number of calls warrant a leased line between two

More information

Introduction to WAN Technologies

Introduction to WAN Technologies CHAPTER 3 Introduction to WAN Technologies This chapter introduces the various protocols and technologies used in wide- area network (WAN) environments. Topics summarized here include point-to-point links,

More information

DigiPoints Volume 1. Student Workbook. Module 4 Bandwidth Management

DigiPoints Volume 1. Student Workbook. Module 4 Bandwidth Management Bandwidth Management Page 4.1 DigiPoints Volume 1 Module 4 Bandwidth Management Summary This module will cover Time Division Multiplexing (TDM). TDM technology allows many users to access a particular

More information

Building integrated services intranets

Building integrated services intranets Building integrated services intranets A White Paper from Inalp Networks Inc Meriedweg 7 CH-3172 Niederwangen Switzerland http://www.inalp.com CONTENTS CONTENTS...2 1 EXECUTIVE SUMMARY...3 2 INTRODUCTION...4

More information

Black Box Explains: DSL

Black Box Explains: DSL Black Box Explains: DSL History It was realized as early as the late eighties, early nineties, that conventional data transmission systems did not meet the requirements of the growing internet community

More information

"Charting the Course...

Charting the Course... Description "Charting the Course... Course Summary Interconnecting Cisco Networking Devices: Accelerated (CCNAX), is a course consisting of ICND1 and ICND2 content in its entirety, but with the content

More information

Post-Class Quiz: Telecommunication & Network Security Domain

Post-Class Quiz: Telecommunication & Network Security Domain 1. What type of network is more likely to include Frame Relay, Switched Multi-megabit Data Services (SMDS), and X.25? A. Local area network (LAN) B. Wide area network (WAN) C. Intranet D. Internet 2. Which

More information

WAN Routing Configuration Examples for the Secure Services Gateway Family

WAN Routing Configuration Examples for the Secure Services Gateway Family Application Note WAN Routing Configuration Examples for the Secure Services Gateway Family Chien-shun Chu SPG Technical Marketing November, 2006 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale,

More information

! encor en etworks TM

! encor en etworks TM ! encor en etworks TM Version A, March 2010 2013 Encore Networks, Inc. All rights reserved. Configuring the BANDIT III s T1 E1 Card for a PCM Voice Network The T1 E1 card fits into the expansion slot on

More information

Telecommunications systems (Part 2)

Telecommunications systems (Part 2) School of Business Eastern Illinois University Telecommunications systems (Part 2) Abdou Illia, Spring 2007 (Week 12, Thursday 3/29/2007) T-1 Digital Subscriber Line (DSL) Cellular Telephone System Integrated

More information