
NETWORK BASICS

Network

A system of interconnected computers and computerized peripherals such as printers is called a computer network. This interconnection among computers facilitates information sharing among them. Computers may connect to each other by either wired or wireless media. A computer network consists of a collection of computers, printers and other equipment that are connected together so that they can communicate with each other.


Network application
A network application is any application that runs on one host and communicates with another application running on a different host. The application may use an existing application-layer protocol such as HTTP (e.g., the browser and web server) or SMTP (e.g., the email client), or it may use no existing protocol and rely on socket programming to communicate with the other application. A web application is therefore one type of network application.
There are lots of advantages from build up a network, but the th…

Wide Area Networks

The following ICND2 exam topics are covered in this chapter:
IP Routing Technologies
■ Configure and verify operation status of a Serial interface
WAN Technologies
■ Identify different WAN Technologies
  ■ Metro Ethernet
  ■ VSAT
  ■ Cellular 3G/4G
  ■ MPLS
  ■ T1/E1
  ■ ISDN
  ■ DSL
  ■ Frame relay
  ■ Cable
  ■ VPN
■ Configure and verify a basic WAN serial connection
■ Configure and verify a PPP connection between Cisco routers
■ Configure and verify Frame Relay on Cisco routers
■ Implement and troubleshoot PPPoE
Troubleshooting
■ Troubleshoot and resolve WAN implementation issues
  ■ Serial interfaces
  ■ PPP
  ■ Frame Relay

The Cisco IOS supports a ton of different wide area network 
(WAN) protocols that help you extend your local LANs to other 
LANs at remote sites. And I don’t think I have to tell you how 
essential information exchange between disparate sites is these days—it’s absolutely vital! But 
even so, it wouldn’t exactly be cost effective or efficient to install your own cable and connect 
all of your company’s remote locations yourself, would it? A much better way to get this done 
is to just lease the existing installations that service providers already have in place.
This is exactly why I’m going to devote most of this chapter to covering the various types 
of connections, technologies, and devices used in today’s WANs. We’ll also delve into how 
to implement and configure High-Level Data-Link Control (HDLC), Point-to-Point Protocol 
(PPP), and Frame Relay. I’ll describe Point-to-Point Protocol over Ethernet (PPPoE), cable, 
digital subscriber line (DSL), Multi-protocol Label Switching (MPLS), Metro Ethernet, plus 
last mile and long-range WAN technologies. I’ll also introduce you to WAN security concepts, tunneling, and virtual private network basics.
Just so you know, I’m not going to cover each and every type of Cisco WAN support 
here because the focus of this book is to equip you with everything you need to successfully 
meet the Cisco exam objectives. This chapter’s emphasis will be on cable, DSL, HDLC, 
PPP, PPPoE, Metro Ethernet, MPLS, and Frame Relay, but I’ll wrap it up by giving you a 
solid grounding in virtual private networks (VPNs) and how to create a tunnel using GRE 
(Generic Routing Encapsulation).
To find up-to-the-minute updates for this chapter, please see 
www.lammle.com/forum or the book’s web page at www.sybex.com.
Introduction to Wide Area Networks
Let’s begin exploring WAN basics by asking, What’s the difference between a wide area 
network (WAN) and a local area network (LAN)? Clearly there’s the distance factor, but 
modern wireless LANs can cover some serious turf, so there’s more to it than that. What 
about bandwidth? Here again, some really big pipes can be had for a price in many places, 
so that’s not it either. What’s the answer we’re looking for?
A major distinction between a WAN and a LAN is that while you generally own a LAN 
infrastructure, you usually lease a WAN infrastructure from a service provider. And to be 
honest, modern technologies even blur this characteristic somewhat, but it still fits neatly 
into the context of Cisco’s exam objectives!
I’ve already talked about the Data Link that you usually own when we covered Ethernet, 
so I’m going to focus on the type you usually don’t own—the kind you typically lease from 
a service provider. 
And as usual, the first key to understanding WAN technologies is to be familiar with 
the different WAN terms and connection types commonly used by service providers to join 
your LAN networks together. We’ll begin covering these topics now.
Defining WAN Terms
Before you run out and order a WAN service type from a provider, you really need to 
understand the following terms that service providers typically use. 
Figure 21.1 WAN terms (diagram labels: Provider toll network, CO, Corporate, Local loop, CSU/DSU, Demarc, CPE)
Customer premises equipment (CPE) Customer premises equipment (CPE) is equipment 
that’s typically owned by the subscriber and located on the subscriber’s premises.
Demarcation point The demarcation point (demarc for short) is the precise spot where 
the service provider’s responsibility ends and the CPE begins. It’s generally a device in a 
telecommunications closet owned and installed by the telecommunications company (telco). 
It’s your responsibility to cable (extended demarc) from this box to the CPE, which is usually a connection to a CSU/DSU, although more recently we see the provider giving us an 
Ethernet connection. Nice! 
Local loop The local loop connects the demarc to the closest switching office, referred to 
as the central office.
Central office (CO) This point connects the customer’s network to the provider’s switching network. Make a mental note that a central office (CO) is sometimes also referred to as 
a point of presence (POP).
Toll network The toll network is a trunk line inside a WAN provider’s network. This network is a collection of switches and facilities owned by the Internet service provider (ISP).
Definitely familiarize yourself with these terms, what they represent, and where they’re 
located, because they’re key to understanding WAN technologies.
 Chapter 21  Wide Area Networks
WAN Connection Bandwidth
Next, I want you to know these basic but very important bandwidth terms used when referring to WAN connections:
Digital Signal 0 (DS0) This is the basic digital signaling rate of 64 Kbps, equivalent to 
one channel. Europe uses the E0 and Japan uses the J0 to reference the same channel speed. 
Typical to T-carrier transmission, this is the generic term used by several multiplexed digital 
carrier systems and is also the smallest-capacity digital circuit. 1 DS0 = 1 voice/data line.
T1 Also referred to as a DS1, a T1 comprises 24 DS0 circuits bundled together for a total 
bandwidth of 1.544 Mbps.
E1 This is the European equivalent of a T1 and comprises 30 DS0 circuits bundled together 
for a bandwidth of 2.048 Mbps.
T3 Referred to as a DS3, a T3 comprises 28 DS1s bundled together, or 672 DS0s, for a 
bandwidth of 44.736 Mbps.
OC-3 Optical Carrier (OC) 3 uses fiber and is made up of three DS3s bundled together. 
It’s made up of 2,016 DS0s and avails a total bandwidth of 155.52 Mbps.
OC-12 Optical Carrier 12 is made up of four OC-3s bundled together and contains 
8,064 DS0s for a total bandwidth of 622.08 Mbps.
OC-48 Optical Carrier 48 is made up of four OC-12s bundled together and contains 
32,256 DS0s for a total bandwidth of 2488.32 Mbps.
WAN Connection Types
You’re probably aware that a WAN can use a number of different connection types available 
on the market today. Figure 21.2 shows the different WAN connection types that can be 
used to connect your LANs (made up of data terminal equipment, or DTE) together over the 
data communication equipment (DCE) network.
Let me explain the different WAN connection types in detail now:
Dedicated (leased lines) These are usually referred to as point-to-point or dedicated 
connections. A leased line is a pre-established WAN communications path that goes from 
the CPE through the DCE switch, then over to the CPE of the remote site. The CPE enables 
DTE networks to communicate at any time with no cumbersome setup procedures to muddle through before transmitting data. When you’ve got plenty of cash, this is definitely the 
way to go because it uses synchronous serial lines up to 45 Mbps. HDLC and PPP encapsulations are frequently used on leased lines, and I’ll go over these with you soon.
Circuit switching When you hear the term circuit switching, think phone call. The big 
advantage is cost; most plain old telephone service (POTS) and ISDN dial-up connections 
are not flat rate, which is their advantage over dedicated lines. No data can transfer before 
an end-to-end connection is established. Circuit switching uses dial-up modems or ISDN and is used for low-bandwidth data transfers. Okay, I know what you’re thinking: “Modems? 
Did he say modems? Aren’t those found only in museums now?” After all, with all the wireless technologies available, who would use a modem these days? Well, some people do have ISDN; it’s still viable and there are a few who still use a modem now and then. And circuit switching can be used in some of the newer WAN technologies as well.
Figure 21.2 WAN connection types (diagram labels: Dedicated, Circuit-switched, Packet-switched, Telephone company, Service provider, Synchronous serial, Asynchronous serial, ISDN)
Packet switching This is a WAN switching method that allows you to share bandwidth with other companies to save money, just like a super old party line, where homes 
shared the same phone number and line to save money. Packet switching can be thought 
of as a network that’s designed to look like a leased line yet it charges you more, like 
circuit switching does. As usual, you get what you pay for, and there’s definitely a serious downside to this technology. If you need to transfer data constantly, well, just forget 
about this option and get a leased line instead! Packet switching will only really work 
for you if your data transfers are bursty, not continuous; think of a highway, where you 
can only go as fast as the traffic—packet switching is the same thing. Frame Relay and 
X.25 are packet-switching technologies with speeds that can range from 56 Kbps up to 
T3 (45 Mbps).
Multi-protocol Label Switching (MPLS) uses a combination of both circuit 
switching and packet switching, but it’s not within the scope of topics 
this book covers. Still, because I would highly recommend checking 
into MPLS after you pass your Cisco exam, I’ll talk about it briefly 
in a minute. 
WAN Support
Cisco supports many layer 2 WAN encapsulations on its serial interfaces, including HDLC, 
PPP, and Frame Relay, which map to the Cisco exam objectives. You can view them via the 
encapsulation ? command from any serial interface, but understand that the output you’ll 
get can vary based upon the specific IOS version you’re running:
Corp#config t
Corp(config)#int s0/0/0
Corp(config-if)#encapsulation ?
 atm-dxi ATM-DXI encapsulation
 frame-relay Frame Relay networks
 hdlc Serial HDLC synchronous
 lapb LAPB (X.25 Level 2)
 ppp Point-to-Point protocol
 smds Switched Megabit Data Service (SMDS)
 x25 X.25
I also want to point out that if I had other types of interfaces on my router, I would 
have a different set of encapsulation options. And never forget that you can’t configure an 
Ethernet encapsulation on a serial interface or vice versa!
Next, I’m going to define the most prominently known WAN protocols used in the latest 
Cisco exam objectives: Frame Relay, ISDN, HDLC, PPP, PPPoE, cable, DSL, MPLS, ATM, 
3G/4G, VSAT, and Metro Ethernet. Just so you know, the only WAN protocols you’ll usually 
find configured on a serial interface are HDLC, PPP, and Frame Relay, but who said you’re 
stuck with using only serial interfaces for wide area connections? Actually, we’re beginning 
to see fewer and fewer serial connections because they’re not as scalable or cost effective as a Fast Ethernet connection to your ISP.
Frame Relay A packet-switched technology that made its debut in the early 1990s, 
Frame Relay is a high-performance Data Link and Physical layer specification. It’s pretty 
much a successor to X.25, except that much of the technology in X.25 used to compensate for physical errors like noisy lines has been eliminated. An upside to Frame Relay is 
that it can be more cost effective than point-to-point links, plus it typically runs at speeds 
of 64 Kbps up to 45 Mbps (T3). Another Frame Relay benefit is that it provides features 
for dynamic bandwidth allocation and congestion control.
ISDN Integrated Services Digital Network (ISDN) is a set of digital services that transmit 
voice and data over existing phone lines. ISDN offers a cost-effective solution for remote 
users who need a higher-speed connection than analog POTS dial-up links can give them, 
and it’s also a good choice to use as a backup link for other types of links, such as Frame 
Relay or T1 connections.
HDLC High-Level Data-Link Control (HDLC) was derived from Synchronous Data Link 
Control (SDLC), which was created by IBM as a Data Link connection protocol. HDLC works 
at the Data Link layer and creates very little overhead compared to Link Access Procedure, 
Balanced (LAPB).
Generic HDLC wasn’t intended to encapsulate multiple Network layer protocols across the 
same link—the HDLC header doesn’t contain any identification about the type of protocol 
being carried inside the HDLC encapsulation. Because of this, each vendor that uses HDLC 
has its own way of identifying the Network layer protocol, meaning each vendor’s HDLC is 
proprietary with regard to its specific equipment.
PPP Point-to-Point Protocol (PPP) is a pretty famous, industry-standard protocol. Because 
all multi-protocol versions of HDLC are proprietary, PPP can be used to create point-to-point 
links between different vendors’ equipment. It uses a Network Control Protocol field in the 
Data Link header to identify the Network layer protocol being carried and allows authentication and multi-link connections to be run over asynchronous and synchronous links.
PPPoE Point-to-Point Protocol over Ethernet encapsulates PPP frames in Ethernet frames 
and is usually used in conjunction with xDSL services. It gives you a lot of the familiar PPP 
features like authentication, encryption, and compression, but there’s a downside—it has 
a lower maximum transmission unit (MTU) than standard Ethernet does. If your firewall 
isn’t solidly configured, this little factor can really give you some grief!
Still somewhat popular in the United States, PPPoE’s main feature is that it adds a direct 
connection to Ethernet interfaces while also providing DSL support. It’s often used by many 
hosts on a shared Ethernet interface for opening PPP sessions to various destinations via at 
least one bridging modem.
Cable In a modern hybrid fiber-coaxial (HFC) network, typically 500 to 2,000 active data 
subscribers are connected to a certain cable network segment, all sharing the upstream and 
downstream bandwidth. HFC is a telecommunications industry term for a network that 
incorporates both optical fiber and coaxial cables to create a broadband network. The actual 
bandwidth for Internet service over a cable TV (CATV) line can be up to about 27 Mbps on 
the download path to the subscriber, with about 2.5 Mbps of bandwidth on the upload path. 
Typically users get an access speed from 256 Kbps to 6 Mbps. This data rate varies greatly 
throughout the United States and can be much, much higher today.
DSL Digital subscriber line is a technology used by traditional telephone companies to 
deliver advanced services such as high-speed data and sometimes video over twisted-pair 
copper telephone wires. It typically has lower data-carrying capacity than HFC networks, 
and data speeds can be limited in range by line lengths and quality. Digital subscriber 
line is not a complete end-to-end solution but rather a Physical layer transmission technology like dial-up, cable, or wireless. DSL connections are deployed in the last mile of a local telephone network—the local loop. The connection is set up between a pair of DSL 
modems on either end of a copper wire located between the customer premises equipment (CPE) and the Digital Subscriber Line Access Multiplexer (DSLAM). A DSLAM is 
the device located at the provider’s central office (CO) and concentrates connections from 
multiple DSL subscribers.
MPLS Multi-protocol Label Switching (MPLS) is a data-carrying mechanism that emulates 
some properties of a circuit-switched network over a packet-switched network. MPLS is a 
switching mechanism that imposes labels (numbers) to packets and then uses them to forward 
packets. The labels are assigned on the edge of the MPLS network, and forwarding inside 
the MPLS network is carried out solely based on the labels. The labels usually correspond to 
a path to layer 3 destination addresses, which is on par with IP destination-based routing. 
MPLS was designed to support the forwarding of protocols other than TCP/IP. Because of 
this, label switching within the network is achieved the same way irrespective of the layer 3 
protocol. In larger networks, the result of MPLS labeling is that only the edge routers perform a routing lookup. All the core routers forward packets based on the labels, which makes forwarding the packets through the service provider network faster. This is a big reason most companies have replaced their Frame Relay networks with MPLS service today. Last, you can use Ethernet with MPLS to connect a WAN, and this is called Ethernet over MPLS, or EoMPLS.
ATM Asynchronous Transfer Mode (ATM) was created for time-sensitive traffic, providing simultaneous transmission of voice, video, and data. ATM uses cells that are a fixed 
53 bytes long instead of packets. It also can use isochronous clocking (external clocking) to 
help the data move faster. Typically, if you’re running Frame Relay today, you will be running Frame Relay over ATM.
Cellular 3G/4G Having a wireless hot spot in your pocket is pretty normal these days. If 
you have a pretty current cellular phone, then you can probably gain access through 
your phone to the Internet. You can even get a 3G/4G card for an ISR router that’s useful 
for a small remote office that’s in the coverage area. 
VSAT Very Small Aperture Terminal (VSAT) can be used if you have many locations 
geographically spread out in a large area. VSAT uses a two-way satellite ground station 
with dishes available through many companies like Dish Network or Hughes and connects to satellites in geosynchronous orbit. A good example of where VSATs are a useful, 
cost-effective solution would be companies that use satellite communications to VSATs, 
like gasoline stations that have hundreds or thousands of locations spread out over the 
entire country. How could you connect them otherwise? Using leased lines would be cost 
prohibitive and dial-ups would be way too slow and hard to manage. Instead, the signal 
from the satellite connects to many remote locations at once, which is much more cost 
effective and efficient!
Metro Ethernet Metropolitan-area Ethernet is a metropolitan area network (MAN) 
that’s based on Ethernet standards and can connect a customer to a larger network and 
the Internet. If available, businesses can use Metro Ethernet to connect their own offices 
together, which is another very cost-effective connection option. MPLS-based Metro Ethernet networks use MPLS in the ISP by providing an Ethernet or fiber cable to the customer as a connection. From the customer, it leaves the Ethernet cable, jumps onto MPLS, and then Ethernet again on the remote side. This is a smart and thrifty solution that’s very popular if you can get it in your area.  
Cable and DSL
Okay, before we get into talking about the principal serial encapsulation connections used 
on Cisco routers, like HDLC, PPP, and Frame Relay, I’m going to discuss cable modems 
and DSL, including ADSL and PPPoE, as solutions for connections to wide area networks. 
I think this approach will really help you understand the practical differences between DSL 
and cable modem networking.
DSL and cable Internet services actually do have a lot in common, but they still have 
some basic, essential differences that are important for you to understand:
Speed Most would say that cable is faster than DSL Internet, but cable doesn’t always win 
the race in real-world use.
Security DSL and cable are based on different network security models, and until recently, 
cable has been the reputed loser in this contest. But now, it’s pretty much a toss-up, and both offer adequate security that meets the needs of most users. But when I say adequate, I mean that there are still some very real security issues relating to both alternatives, no matter what your ISP says!
Popularity Cable Internet is definitely “best in show” in the United States, but DSL is beginning to catch up.
Customer satisfaction Here, the reverse is true—in the United States, DSL is top dog. But 
still, do you know anyone who’s really totally satisfied with their ISP?
Figure 21.3 shows how a connection can terminate from modems to either a PC directly 
or to a router. Typically, your router would run DHCP on that interface as well as PPPoE. 
Both DSL and cable high-speed Internet services are available to millions of residential and 
business consumers worldwide, but in some areas, only one and sometimes even none of 
these services are available.
Figure 21.3 Broadband access using cable or DSL (diagram labels: Always-on Voice, Video, and Data Services; Cable or DSL; Ethernet; Underlying network is transparent to the user)
Surprisingly, some of the differences between DSL and cable modem have nothing to do 
with the actual technologies—it comes down to the individual ISP. All other things being 
equal, issues like cost, reliability, and quality of customer support for both installation and 
maintenance issues vary significantly from one provider to the next.


Cable
Cable is a great cost-effective connection for a small office or home office that’s commonly 
referred to as SOHO—yes, there really is an acronym for everything! And even in larger 
organizations, cable or even DSL can be great to have as a backup link.
Here are a few cable network terms:
Headend This is where all cable signals are received, processed, and formatted. The signals are then transmitted over the distribution network from the headend.
Distribution network These are relatively small service areas that usually range in size 
from 100 to 2,000 customers. They’re typically made up of a mixed, fiber-coaxial, or HFC 
architecture, with optical fiber substituting for the distribution network’s trunk portion. 
The fiber forms both the connection from the headend and an optical node that changes 
light to radio frequency (RF) signals that are then distributed through a coaxial cable 
throughout the specific area being serviced.
Data Over Cable Service Interface Specification (DOCSIS) All cable modems and like 
devices have to measure up to this standard.
Figure 21.4 shows where you would find the various types of networks and how most of 
the terms I just listed would be used in a network diagram.
Figure 21.4 Cable network and terms (diagram labels: Headend, HFC, DOCSIS standard, Coaxial cable serving area, Fiber, Node)
Let me explain the tangle here: ISPs often use a fiber-optic network that extends from 
the cable operator’s master headend, sometimes even to regional headends, and proceeds 
out to a neighborhood’s hub site before finally arriving at a fiber-optic node, which serves 
anywhere from 25 to 2,000 or more homes. Not exactly an elegant process, but don’t get me 
wrong, all types of links have their own, specific problems—I’m not just picking on cable!
As if that wasn’t enough, here’s another issue: if you have cable, open your PC’s command 
prompt and type ipconfig and then check out your subnet mask. It’s probably a /20 or /21 
Class B address. Oh my! You already know that means there are either 4,094 or 2,046 hosts 
per cable network connection, right? This level of population density makes Manhattan look 
rural and empty!
When we say “cable,” we’re really referring to the act of using coax (coaxial) cable for 
transmission. And CATV, or community antenna television, is now used as a means to 
offer cost-effective broadcasting to subscribers. So cable can provide voice and data, plus 
analog and digital video, all without devouring your whole paycheck. 
Your average cable connection gives you a maximum download speed of 20 Mbps or more. 
And remember—you have to share that bandwidth with all those other subscribers. As if that 
weren’t enough, there are other things like overloaded web servers and plain old Net congestion that factor in as well. But your email-checking neighbors really aren’t making that much 
of a difference. So who or what is? Well, if you’re an online gamer, you would likely notice a 
bit more lag during peak periods, which can be a matter of virtual life and death! And if somebody in your neighborhood is uploading a large amount of data like, say, an entire collection 
of Star Wars movies, well, that could definitely max out the entire connection, bringing everyone’s browser to a crawl.
Cable modem access may or may not be faster or easier to install than DSL, and your 
mileage will vary, depending on where you live plus a variety of other factors. But it’s usually 
more available and a tad less pricey, making it a winner by a nose. But no worries, if cable 
access isn’t available in your neighborhood, DSL is okay—anything is better than dial-up!
Digital Subscriber Line (DSL)
Coming in second in our subscriber-based popularity contest is digital subscriber line (DSL), 
a technology that uses your garden-variety copper phone wires to give you high-speed data 
transmission. DSL requires a phone line, a DSL modem that’s usually included with the service, either an Ethernet card or a router that has an Ethernet connection, and someone that 
can provide service wherever you happen to be located.
The acronym DSL originally meant “digital subscriber loop,” but now its meaning has 
morphed to “line.” DSL group types fall into two categories based upon upstream or downstream speed connections:
Symmetrical DSL The speeds for both downstream and upstream connections are equal, 
or symmetrical. SDSL has a service distance of 12,000 feet at high speeds.
Asymmetrical DSL Different transmission speeds occur between two ends of a network—
downstream speed is always faster. ADSL has a service distance of 18,000 feet at high speeds.
Figure 21.5 shows an average home user with xDSL, which is a transmission technology 
that moves data over copper pairs.
Figure 21.5 xDSL connection from home user to central office. All types of DSL are layer 1 technologies. (diagram labels: Subscriber, End User, ATU-R, Copper loop, Local loop, ATM, Ethernet, xDSL, ATU-C, CO; ATU-R = ADSL Transmission Unit – Remote; ATU-C = ADSL Transmission Unit – Central)
The term xDSL covers a number of DSL variations, such as Asymmetrical DSL (ADSL), 
high-bit-rate DSL (HDSL), Rate Adaptive DSL (RADSL), Synchronous DSL (SDSL), ISDN 
DSL (IDSL), and very-high-data-rate DSL (VDSL).
DSL flavors that don’t use the voice frequencies band, like ADSL and VDSL, allow DSL 
lines to carry both data and voice signals simultaneously. Others, like SDSL and IDSL, which 
occupy the complete frequency range, can carry only data. And by the way, the data service 
that the DSL connection gives you is always on.
The speed that DSL service can offer depends on how far you are from the central office 
(CO)—the closer the better. In fact, you can blaze at rates up to around 6.1 Mbps if you’re 
physically close enough!
ADSL
Asymmetrical DSL (ADSL) supports both voice and data at the same time, but it was created to allot more bandwidth downstream than upstream because it’s best for residential 
subscribers who usually need more downstream bandwidth for activities like downloading 
video, movies, music, online gaming, general surfing, and getting emails—some of which 
include sizeable attachments. ADSL will give you a downstream rate from 256 Kbps to 
8 Mbps, but anything going upstream is only going to reach around 1.5 Mbps max.
Plain old telephone service (POTS) provides a channel for analog voice transmission 
and can transmit without a problem with ADSL over the same twisted-pair telephone line. 
Actually, depending on the type of ADSL, not just two but three information channels commonly utilize the same wiring simultaneously. This is why people can use a phone line and 
an ADSL connection at the same time and not affect either service.
ATM is the Data Link layer protocol typically used over the DSL layer 1 connection 
from the CPE and is terminated at what’s known as the DSLAM—an ATM switch that 
contains DSL interface cards, or ATU-Cs. After ADSL connections meet their end at the 
DSLAM, it switches the data over an ATM network to something called an aggregation 
router—a layer 3 device where the subscriber’s IP connection then expires.
You know by now how important encapsulation is, so as you’ve probably guessed, any 
IP packets over an ATM and DSL connection must provide it. This happens in one of three 
ways, depending on your interface type and the service provider’s switch:
PPPoE I’ll discuss this in detail in the next section.
RFC1483 routing RFC1483 describes two different methods for carrying connectionless 
network traffic over an ATM network: routed protocols and bridged protocols.
PPPoA Point-to-Point Protocol (PPP) over ATM is used to encapsulate PPP frames in ATM 
AAL5 (ATM Adaptation Layer 5). It’s typically used with cable modems, DSL, and ADSL 
services and offers the usual PPP features of authentication, encryption, and compression. It 
actually has less overhead compared to PPPoE.
PPPoE
Used with ADSL services, PPPoE (Point-to-Point Protocol over Ethernet) encapsulates PPP 
frames in Ethernet frames and uses common PPP features like authentication, encryption, 
and compression. But as I said earlier, it’s trouble if you’ve got a badly configured firewall. 
This is a tunneling protocol that layers IP and other protocols that run over PPP with the 
attributes of a PPP link so they can then be used to contact other Ethernet devices and initiate a point-to-point connection to transport IP packets.
Figure 21.6 displays typical usage of PPPoE over ADSL. As you can see, a PPP session 
is connected from the PC of the end user to the router and the subscriber PC IP address is 
assigned by the router via IPCP.
Figure 21.6 PPPoE with ADSL (diagram labels: CPE (bridging), DSLAM, ATM, Aggregation router, ISP/Corp router, AAA, OC3, ATM, IP)
PPPoE is used to equip custom PPP-based software with the ability to deal with a connection that’s not using a serial line and to be at home in a packet-oriented network environment 
like Ethernet. It also allows for a custom connection with login and password for Internet 
connection accounting. Another factor is that the opposite side of the link’s IP address is 
given to it and it’s available only for the specific period that the PPPoE connection is open. 
This means that reusing IP addresses is dynamically permitted. 
PPPoE has a discovery stage and a PPP session stage (see RFC 2516) that work like this: 
First, a host begins a PPPoE session, during which it has to execute a discovery process so 
it can choose the best server to meet the needs of the client machine’s request. After that, it 
has to discover the Ethernet MAC address of the peer device and create a PPPoE session 
ID. So even though PPP delimits a peer-to-peer relationship, the discovery part is innately 
a client-server relationship.
Okay, before getting into serial connections, there’s one last thing I want to cover—
Cisco LRE.
Cisco Long Range Ethernet (LRE)
The Cisco Long Range Ethernet solution employs VDSL (very-high-data-rate digital subscriber line) technology to significantly expand Ethernet service capacity. And LRE can 
achieve impressive speeds from 5 to 15 Mbps (full-duplex) at distances up to 5,000 feet, 
traveling over existing twisted-pair wiring!
So basically, Cisco LRE technology can give us broadband service on POTS, digital 
telephone, and ISDN traffic lines, and it can also operate in modes compatible with ADSL 
technologies. This flexibility is important because it makes it possible for service providers 
to make LRE available in structures and/or buildings that have broadband services already 
in place but need it enhanced—very cool indeed!
Cabling the Serial Wide Area Network
As you can imagine, there are a few things that you need to know before connecting your 
WAN to ensure that everything goes well. For starters, you have to understand the kind 
of WAN Physical layer implementation that Cisco provides and be familiar with the various types of WAN serial connectors involved.
The good news is that Cisco serial connections support almost any type of WAN service. 
Your typical WAN connection is a dedicated leased line using HDLC, PPP, and Frame Relay 
with speeds that can kick it up to 45 Mbps (T3).
HDLC, PPP, and Frame Relay can use the same Physical layer specifications. I’ll go over 
the various types of connections and then move on to tell you all about the WAN protocols 
specified in the Cisco exam objectives. 
Serial Transmission
WAN serial connectors use serial transmission, something that takes place 1 bit at a time 
over a single channel.
Older Cisco routers have used a proprietary 60-pin serial connector that you have to 
get from Cisco or a provider of Cisco equipment. Cisco also has a new, smaller proprietary 
serial connection that’s about one-tenth the size of the 60-pin basic serial cable called the 
smart-serial. You have to verify that you have the right type of interface in your router 
before using this cable connector.
The type of connector you have on the other end of the cable depends on your service 
provider and its particular end-device requirements. There are several different types of 
ends you’ll run into:
■ EIA/TIA-232—Allowed speed up to 64 Kbps on 24-pin connector
■ EIA/TIA-449
■ V.35—Standard used to connect to a CSU/DSU, with speeds up to 2.048 Mbps using a 34-pin rectangular connector
■ EIA-530
Make sure you’re clear on these things: serial links are described in frequency, or 
cycles per second (hertz). The amount of data that can be carried within these frequencies 
is called bandwidth. Bandwidth is the amount of data in bits per second that the serial 
channel can carry.
Data Terminal Equipment and Data Communication Equipment
By default, router interfaces are typically data terminal equipment (DTE), and they connect into data communication equipment (DCE) like a channel service unit/data service 
unit (CSU/DSU) using a V.35 connector. CSU/DSU then plugs into a demarcation location 
(demarc) and is the service provider’s last responsibility. Most of the time, the demarc is a jack 
that has an RJ45 (8-pin modular) female connector located in a telecommunications closet.
Actually, you may already have heard of demarcs. If you’ve ever had the glorious experience of reporting a problem to your service provider, they’ll usually tell you everything tests 
out fine up to the demarc, so the problem must be the CPE, or customer premises equipment. 
In other words, it’s your problem, not theirs!
Figure 21.7 shows a typical DTE-DCE-DTE connection and the devices used in the network.
Figure 21.7 DTE-DCE-DTE WAN connection: Clocking is typically provided by the DCE network to routers. In non-production environments, a DCE network is not always present. (Diagram labels: DTE, CSU/DSU, DCE, CSU/DSU, DTE)
The idea behind a WAN is to be able to connect two DTE networks through a DCE network. The DCE network includes the CSU/DSU, through the provider’s wiring and switches, 
all the way to the CSU/DSU at the other end. The network’s DCE device (CSU/DSU) provides 
clocking to the DTE-connected interface (the router’s serial interface).
As mentioned, the DCE network provides clocking to the router; this is the CSU/DSU. If 
you have a nonproduction network and you’re using a WAN crossover type of cable and do 
not have a CSU/DSU, then you need to provide clocking on the DCE end of the cable by using 
the clock rate command. To find out which interface needs the clock rate command, use 
the show controllers int command:
Corp#sh controllers s0/0/0
Interface Serial0/0/0
Hardware is PowerQUICC MPC860
DCE V.35, clock rate 2000000
The preceding output shows a DCE interface that has the clock rate set to 2000000, 
which is the default for ISR routers. This next output shows a DTE connector, so you don’t 
need to enter the clock rate command on this interface:
SF#sh controllers s0/0/0
Interface Serial0/0/0
Hardware is PowerQUICC MPC860
DTE V.35 TX and RX clocks detected
Terms such as EIA/TIA-232, V.35, X.21, and HSSI (High-Speed Serial 
Interface) describe the Physical layer between the DTE (router) and DCE 
device (CSU/DSU). 
High-Level Data-Link Control (HDLC) Protocol
The High-Level Data-Link Control (HDLC) protocol is a popular ISO-standard, bit-oriented, 
Data Link layer protocol. It specifies an encapsulation method for data on synchronous serial 
data links using frame characters and checksums. HDLC is a point-to-point protocol used on 
leased lines. No authentication is provided by HDLC.
In byte-oriented protocols, control information is encoded using entire bytes. On the other 
hand, bit-oriented protocols use single bits to represent the control information. Some common bit-oriented protocols are SDLC and HDLC; TCP and IP are byte-oriented protocols.
HDLC is the default encapsulation used by Cisco routers over synchronous serial links. 
And Cisco’s HDLC is proprietary, meaning it won’t communicate with any other vendor’s 
HDLC implementation. But don’t give Cisco grief for it—everyone’s HDLC implementation is proprietary. Figure 21.8 shows the Cisco HDLC format.
The reason every vendor has a proprietary HDLC encapsulation method is that each 
vendor has a different way for the HDLC protocol to encapsulate multiple Network layer 
protocols. If the vendors didn’t have a way for HDLC to communicate the different layer 
3 protocols, then HDLC would be able to operate in only a single layer 3 protocol environment. This proprietary header is placed in the data field of the HDLC encapsulation.
It’s pretty simple to configure a serial interface if you’re just going to connect two 
Cisco routers across a T1, for example. Figure 21.9 shows a point-to-point connection 
between two cities.
Figure 21.8 Cisco’s HDLC frame format: Each vendor’s HDLC has a proprietary data field to support multiprotocol environments.
Cisco HDLC: Flag | Address | Control | Proprietary | Data | FCS | Flag
HDLC: Flag | Address | Control | Data | FCS | Flag (supports only single-protocol environments)
Figure 21.9 Configuring Cisco’s HDLC proprietary WAN encapsulation (Corp S0/0 to SF through CSU/DSUs; clocking provided by CSU/DSU to DTE device)
We can easily configure the routers with a basic IP address and then enable the interface. 
Assuming the link to the ISP is up, the routers will start communicating using the default 
HDLC encapsulation. Let’s take a look at the Corp router configuration so you can see just 
how easy this can be:
Corp(config)#int s0/0
Corp(config-if)#ip address 172.16.10.1 255.255.255.252
Corp(config-if)#no shut
Corp#sh int s0/0
Serial0/0 is up, line protocol is up
 Hardware is PowerQUICC Serial
 Internet address is 172.16.10.1/30
 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation HDLC, loopback not set
 Keepalive set (10 sec)
Corp#sh run | begin interface Serial0/0
interface Serial0/0
 ip address 172.16.10.1 255.255.255.252
!
Note that all I did was add an IP address before I then enabled the interface—pretty simple! 
Now, as long as the SF router is running the default serial encapsulation, this link will come 
up. Notice in the preceding output that the show interface command does show the encapsulation type of HDLC, but the output of show running-config does not. This is important—
remember that if you don’t see an encapsulation type listed under a serial interface in the active 
configuration file, you know it’s running the default encapsulation of HDLC.
So let’s say you have only one Cisco router and you need to connect to a non-Cisco router 
because your other Cisco router is on order or something. What would you do? You couldn’t 
use the default HDLC serial encapsulation because it wouldn’t work. Instead, you would need 
to go with an option like PPP, an ISO-standard way of identifying the upper-layer protocols. 
Now is a great time to get into more detail about PPP as well as how to connect to routers 
using the PPP encapsulation. You can check out RFC 1661 for more information on the origins 
and standards of PPP.
Point-to-Point Protocol (PPP)
Point-to-Point Protocol (PPP) is a Data Link layer protocol that can be used over either 
asynchronous serial (dial-up) or synchronous serial (ISDN) media. It relies on Link Control 
Protocol (LCP) to build and maintain data-link connections. Network Control Protocol 
(NCP) enables multiple Network layer protocols (routed protocols) to be used on a point-to-point connection.
Because HDLC is the default serial encapsulation on Cisco serial links and it works 
great, why in the world would you choose to use PPP? Well, the basic purpose of PPP is to 
transport layer 3 packets across a Data Link layer point-to-point link, and it’s nonproprietary. So unless you have all Cisco routers, you need PPP on your serial interfaces because 
the HDLC encapsulation is Cisco proprietary, remember? Plus, since PPP can encapsulate 
several layer 3 routed protocols and provide authentication, dynamic addressing, and callback, PPP could actually be the best encapsulation solution for you over HDLC anyway.
Figure 21.10 shows the PPP protocol stack compared to the OSI reference model.
PPP contains four main components:
EIA/TIA-232-C, V.24, V.35, and ISDN A Physical layer international standard for serial 
communication.
HDLC A method for encapsulating datagrams over serial links.
LCP A method of establishing, configuring, maintaining, and terminating the point-to-point connection. It also provides features such as authentication. I’ll give you a complete 
list of these features in the next section.
NCP A method of establishing and configuring different Network layer protocols for 
transport across the PPP link. NCP is designed to allow the simultaneous use of multiple 
Network layer protocols. Two examples of protocols here are Internet Protocol Control 
Protocol (IPCP) and Cisco Discovery Protocol Control Protocol (CDPCP).
Figure 21.10 Point-to-Point Protocol stack
OSI layer 3: Upper-layer protocols (such as IP and IPv6)
OSI layer 2: Network Control Protocol (NCP) (specific to each Network layer protocol); Link Control Protocol (LCP); High-Level Data Link Control (HDLC)
OSI layer 1: Physical layer (such as EIA/TIA-232, V.24, V.35, ISDN)
Burn it into your mind that the PPP protocol stack is specified at the Physical and Data 
Link layers only. NCP is used to allow communication of multiple Network layer protocols 
by identifying and encapsulating the protocols across a PPP data link.
Remember that if you have a Cisco router and a non-Cisco router connected 
with a serial connection, you must configure PPP or another encapsulation 
method like Frame Relay because the HDLC default just won’t work!
Next, we’ll cover the options for LCP and PPP session establishment.
Link Control Protocol (LCP) Configuration Options
Link Control Protocol (LCP) offers different PPP encapsulation options, including the 
following:
Authentication This option tells the calling side of the link to send information that can 
identify the user. The two methods for this task are PAP and CHAP.
Compression This is used to increase the throughput of PPP connections by compressing the 
data or payload prior to transmission. PPP decompresses the data frame on the receiving end.
Error detection PPP uses Quality and Magic Number options to ensure a reliable, loop-free data link.
Multilink Starting with IOS version 11.1, multilink is supported on PPP links with Cisco 
routers. This option makes several separate physical paths appear to be one logical path at 
layer 3. For example, two T1s running multilink PPP would show up as a single 3 Mbps 
path to a layer 3 routing protocol.
PPP callback On a dial-up connection, PPP can be configured to call back after successful 
authentication. PPP callback can be a very good thing because it allows us to keep track of 
usage based upon access charges for accounting records and a bunch of other reasons. With 
callback enabled, a calling router (client) will contact a remote router (server) and authenticate. 
Predictably, both routers have to be configured for the callback feature for this to work. Once 
authentication is completed, the remote router will terminate the connection and then reinitiate a connection to the calling router from the remote router.
PPP Session Establishment
When PPP connections are started, the links go through three phases of session establishment, as shown in Figure 21.11:
Figure 21.11 PPP session establishment: 1. Link establishment phase; 2. Authentication phase (optional); 3. Network layer protocol phase
Link-establishment phase LCP packets are sent by each PPP device to configure and test 
the link. These packets contain a field called Configuration Option that allows each device 
to see the size of the data, the compression, and authentication. If no Configuration Option 
field is present, then the default configurations will be used.
Authentication phase If required, either CHAP or PAP can be used to authenticate a link. 
Authentication takes place before Network layer protocol information is read, and it’s also 
possible that link-quality determination will occur simultaneously.
Network layer protocol phase PPP uses the Network Control Protocol (NCP) to allow 
multiple Network layer protocols to be encapsulated and sent over a PPP data link. Each 
Network layer protocol (e.g., IP, IPv6, which are routed protocols) establishes a service 
with NCP.
PPP Authentication Methods
There are two methods of authentication that can be used with PPP links:
Password Authentication Protocol (PAP) The Password Authentication Protocol (PAP) 
is the less secure of the two methods. Passwords are sent in clear text and PAP is performed 
only upon the initial link establishment. When the PPP link is first established, the remote 
node sends the username and password back to the originating target router until authentication is acknowledged. Not exactly Fort Knox!
Challenge Handshake Authentication Protocol (CHAP) The Challenge Handshake 
Authentication Protocol (CHAP) is used at the initial startup of a link and at periodic 
checkups on the link to ensure that the router is still communicating with the same host.
After PPP finishes its initial link-establishment phase, the local router sends a challenge 
request to the remote device. The remote device sends a value calculated using a one-way 
hash function called MD5. The local router checks this hash value to make sure it matches. 
If the values don’t match, the link is immediately terminated.
CHAP authenticates at the beginning of the session and periodically 
throughout the session.
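The two authentication methods side by side, as an added example (not code from the book or from Cisco IOS): the CHAP response is computed the way RFC 1994 defines it for MD5, as a hash over the Identifier, the shared secret and the challenge, and the PAP request is laid out as in RFC 1334. The hostname RouterB, the secret, and all class and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import struct


def pap_authenticate_request(identifier, peer_id, password):
    """PAP Authenticate-Request (RFC 1334): both fields travel unmodified."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(data)) + data


def chap_response_value(identifier, secret, challenge):
    """CHAP-MD5 Response Value (RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The challenging side: the 'local router' in the text above."""

    def __init__(self, secrets_by_peer):
        self.secrets_by_peer = secrets_by_peer  # remote hostname -> shared secret
        self.outstanding = {}                    # identifier -> challenge sent
        self.next_identifier = 0

    def new_challenge(self):
        identifier = self.next_identifier
        self.next_identifier = (identifier + 1) % 256
        challenge = os.urandom(16)               # fresh and unpredictable each time
        self.outstanding[identifier] = challenge
        return identifier, challenge

    def check(self, identifier, peer_name, response_value):
        # A challenge is consumed on first use, so a recorded response
        # cannot be replayed against it later.
        challenge = self.outstanding.pop(identifier, None)
        secret = self.secrets_by_peer.get(peer_name)
        if challenge is None or secret is None:
            return False
        expected = chap_response_value(identifier, secret, challenge)
        return hmac.compare_digest(expected, response_value)


def chap_exchange(authenticator, peer_name, peer_secret):
    """One challenge/response/verdict round: (success, bytes seen on the link)."""
    identifier, challenge = authenticator.new_challenge()
    response = chap_response_value(identifier, peer_secret, challenge)
    ok = authenticator.check(identifier, peer_name, response)
    on_the_link = bytes([identifier]) + challenge + response + peer_name.encode()
    return ok, on_the_link


def demo():
    # Constructed sample values: the hostname and secret are placeholders.
    local = ChapAuthenticator({"RouterB": b"cisco"})
    results = {}
    results["matching secret"], seen = chap_exchange(local, "RouterB", b"cisco")
    results["secret visible in CHAP traffic"] = b"cisco" in seen
    # Periodic re-challenge: a new challenge forces a newly computed response.
    results["re-challenge"], _ = chap_exchange(local, "RouterB", b"cisco")
    # Secrets are hashed byte for byte, so case matters.
    results["wrong case"], _ = chap_exchange(local, "RouterB", b"Cisco")
    results["secret visible in PAP traffic"] = (
        b"cisco" in pap_authenticate_request(1, b"RouterB", b"cisco"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```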
Configuring PPP on Cisco Routers
Configuring PPP encapsulation on an interface is really pretty straightforward. To configure 
it from the CLI, use these simple router commands:
Router#config t
Router(config)#int s0
Router(config-if)#encapsulation ppp
Router(config-if)#^Z
Router#
Of course, PPP encapsulation has to be enabled on both interfaces connected to a serial 
line in order to work and there are several additional configuration options available to you 
via the ppp ? command.
Configuring PPP Authentication
After you configure your serial interface to support PPP encapsulation, you can then configure 
authentication using PPP between routers. But first, you must set the hostname of the router if 
it hasn’t been set already. After that, you set the username and password for the remote router 
that will be connecting to your router, like this:
Router#config t
Router(config)#hostname RouterA
RouterA(config)#username RouterB password cisco
When using the username command, remember that the username is the hostname of 
the remote router that’s connecting to your router. And it’s case sensitive too. Also, the 
password on both routers must be the same. It’s a plain-text password that you can see 
with a show run command, and you can encrypt the password by using the command 
service password-encryption. You must have a username and password configured for 
each remote system you plan to connect to. The remote routers must also be similarly 
configured with usernames and passwords.
Now, after you’ve set the hostname, usernames, and passwords, choose either CHAP or 
PAP as the authentication method:
RouterA#config t
RouterA(config)#int s0
RouterA(config-if)#ppp authentication chap pap
RouterA(config-if)#^Z
RouterA#
If both methods are configured on the same line as I’ve demonstrated here, then only the 
first method will be used during link negotiation. The second acts as a backup just in case 
the first method fails.
Verifying and Troubleshooting Serial Links
Okay—now that PPP encapsulation is enabled, you need to verify that it’s up and running. 
First, let’s take a look at a figure of a sample nonproduction network serial link. Figure 21.12 
shows two routers connected with a point-to-point serial connection, with the DCE side on 
the Pod1R1 router.
Figure 21.12 PPP authentication example
Pod1R1:
hostname Pod1R1
username Pod1R2 password cisco
interface serial 0
 ip address 10.0.1.1 255.255.255.0
 encapsulation ppp
 clock rate 64000
 bandwidth 512
 ppp authentication chap
Pod1R2:
hostname Pod1R2
username Pod1R1 password cisco
interface serial 0
 ip address 10.0.1.2 255.255.255.0
 encapsulation ppp
 bandwidth 512
 ppp authentication chap
You can start verifying the configuration with the show interface command like this:
Pod1R1#sh int s0/0
Serial0/0 is up, line protocol is up
 Hardware is PowerQUICC Serial
 Internet address is 10.0.1.1/24
 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
 reliability 239/255, txload 1/255, rxload 1/255
 Encapsulation PPP
 loopback not set
 Keepalive set (10 sec)
 LCP Open
 Open: IPCP, CDPCP
[output cut]
The first line of output is important because it tells us that serial 0/0 is up/up. Notice 
that the interface encapsulation is PPP and that LCP is open. This means that it has negotiated the session establishment and all is well. The last line tells us that NCP is listening for 
the protocols IP and CDP, shown with the NCP headers IPCP and CDPCP. 
But what would you see if everything isn’t so perfect? I’m going to type in the configuration shown in Figure 21.13 to find out.
Figure 21.13 Failed PPP authentication
Pod1R1:
hostname Pod1R1
username Pod1R2 password Cisco
interface serial 0
 ip address 10.0.1.1 255.255.255.0
 clock rate 64000
 bandwidth 512
 encapsulation ppp
 ppp authentication chap
Pod1R2:
hostname Pod1R2
username Pod1R1 password cisco
interface serial 0
 ip address 10.0.1.2 255.255.255.0
 bandwidth 512
 encapsulation ppp
 ppp authentication chap
Okay—what’s wrong here? Take a look at the usernames and passwords. Do you see the 
problem now? That’s right, the C is capitalized on the Pod1R2 username command found in 
the configuration of router Pod1R1. This is wrong because the usernames and passwords are 
case sensitive. Now let’s take a look at the show interface command and see what happens:
Pod1R1#sh int s0/0
Serial0/0 is up, line protocol is down
 Hardware is PowerQUICC Serial
 Internet address is 10.0.1.1/24
 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
 reliability 243/255, txload 1/255, rxload 1/255
 Encapsulation PPP, loopback not set
 Keepalive set (10 sec)
 LCP Closed
 Closed: IPCP, CDPCP
First, notice that the first line of output shows us that Serial0/0 is up and line 
protocol is down. This is because there are no keepalives coming from the remote 
router. The next thing I want you to notice is that the LCP and NCP are closed because 
the authentication failed.
Debugging PPP Authentication
To display the CHAP authentication process as it occurs between two routers in the network, 
just use the command debug ppp authentication.
If your PPP encapsulation and authentication are set up correctly on both routers and 
your usernames and passwords are all good, then the debug ppp authentication command 
will display an output that looks like the following output, which is called the three-way 
handshake:
1d16h: Se0/0 PPP: Using default call direction
1d16h: Se0/0 PPP: Treating connection as a dedicated line
1d16h: Se0/0 CHAP: O CHALLENGE id 219 len 27 from "Pod1R1"
1d16h: Se0/0 CHAP: I CHALLENGE id 208 len 27 from "Pod1R2"
1d16h: Se0/0 CHAP: O RESPONSE id 208 len 27 from "Pod1R1"
1d16h: Se0/0 CHAP: I RESPONSE id 219 len 27 from "Pod1R2"
1d16h: Se0/0 CHAP: O SUCCESS id 219 len 4
1d16h: Se0/0 CHAP: I SUCCESS id 208 len 4
But if the password is wrong, as it was previously in the PPP authentication 
failure example back in Figure 21.13, the output would look something like this:
1d16h: Se0/0 PPP: Using default call direction
1d16h: Se0/0 PPP: Treating connection as a dedicated line
1d16h: %SYS-5-CONFIG_I: Configured from console by console
1d16h: Se0/0 CHAP: O CHALLENGE id 220 len 27 from "Pod1R1"
1d16h: Se0/0 CHAP: I CHALLENGE id 209 len 27 from "Pod1R2"
1d16h: Se0/0 CHAP: O RESPONSE id 209 len 27 from "Pod1R1"
1d16h: Se0/0 CHAP: I RESPONSE id 220 len 27 from "Pod1R2"
1d16h: Se0/0 CHAP: O FAILURE id 220 len 25 msg is "MD/DES compare failed"
PPP with CHAP authentication is a three-way authentication, and if the username and 
passwords aren’t configured exactly the way they should be, then the authentication will 
fail and the link will go down.
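One way to read these traces mechanically, as an added example that is not from the book or from Cisco: the parser below pairs each CHALLENGE with the RESPONSE and verdict carrying the same id, and reports which side rejected which. The two log excerpts are copied from the debug output above; the function names and the wording of the findings are assumptions.

```python
import re

# Log excerpts copied from the two debug outputs above.
GOOD_LOG = '''\
1d16h: Se0/0 PPP: Using default call direction
1d16h: Se0/0 PPP: Treating connection as a dedicated line
1d16h: Se0/0 CHAP: O CHALLENGE id 219 len 27 from "Pod1R1"
1d16h: Se0/0 CHAP: I CHALLENGE id 208 len 27 from "Pod1R2"
1d16h: Se0/0 CHAP: O RESPONSE id 208 len 27 from "Pod1R1"
1d16h: Se0/0 CHAP: I RESPONSE id 219 len 27 from "Pod1R2"
1d16h: Se0/0 CHAP: O SUCCESS id 219 len 4
1d16h: Se0/0 CHAP: I SUCCESS id 208 len 4
'''
BAD_LOG = '''\
1d16h: Se0/0 PPP: Using default call direction
1d16h: Se0/0 PPP: Treating connection as a dedicated line
1d16h: %SYS-5-CONFIG_I: Configured from console by console
1d16h: Se0/0 CHAP: O CHALLENGE id 220 len 27 from "Pod1R1"
1d16h: Se0/0 CHAP: I CHALLENGE id 209 len 27 from "Pod1R2"
1d16h: Se0/0 CHAP: O RESPONSE id 209 len 27 from "Pod1R1"
1d16h: Se0/0 CHAP: I RESPONSE id 220 len 27 from "Pod1R2"
1d16h: Se0/0 CHAP: O FAILURE id 220 len 25 msg is "MD/DES compare failed"
'''

CHAP_LINE = re.compile(
    r'^(?P<time>\S+): (?P<intf>\S+) CHAP: (?P<dir>[IO]) '
    r'(?P<kind>CHALLENGE|RESPONSE|SUCCESS|FAILURE) id (?P<id>\d+) len \d+'
    r'(?: from "(?P<name>[^"]*)")?(?: msg is "(?P<msg>[^"]*)")?')

# Packets that belong to a round in which the local router is the verifier
# (O = sent by this router, I = received by it).
LOCAL_VERIFIES = {("O", "CHALLENGE"), ("I", "RESPONSE"),
                  ("O", "SUCCESS"), ("O", "FAILURE")}


def trace_chap(log_text):
    """Group CHAP lines into rounds keyed by interface, verifier and id."""
    rounds = {}
    orphans = []  # responses or verdicts whose challenge was never logged
    for line in log_text.splitlines():
        m = CHAP_LINE.match(line.strip())
        if not m:
            continue  # other PPP or system messages
        verifier = "local" if (m["dir"], m["kind"]) in LOCAL_VERIFIES else "peer"
        key = (m["intf"], verifier, int(m["id"]))
        if m["kind"] == "CHALLENGE":
            rounds[key] = {"interface": m["intf"], "verifier": verifier,
                           "id": int(m["id"]), "challenger": m["name"],
                           "responder": None, "result": None, "msg": None}
        elif key not in rounds:
            orphans.append(line.strip())
        elif m["kind"] == "RESPONSE":
            rounds[key]["responder"] = m["name"]
        else:
            rounds[key]["result"] = m["kind"]
            rounds[key]["msg"] = m["msg"]
    return list(rounds.values()), orphans


def findings(log_text):
    """Everything that is not a completed, successful round."""
    rounds, orphans = trace_chap(log_text)
    out = []
    for r in rounds:
        if r["result"] == "SUCCESS":
            continue
        who = "local router" if r["verifier"] == "local" else r["challenger"]
        if r["result"] == "FAILURE":
            out.append(f'{r["interface"]} id {r["id"]}: {who} rejected '
                       f'{r["responder"]}: {r["msg"]}')
        else:
            out.append(f'{r["interface"]} id {r["id"]}: no verdict from {who}')
    out += [f"no challenge seen for: {line}" for line in orphans]
    return out


if __name__ == "__main__":
    print(findings(GOOD_LOG))
    print(findings(BAD_LOG))
```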
Mismatched WAN Encapsulations
If you have a point-to-point link but the encapsulations aren’t the same, the link will never 
come up. Figure 21.14 shows one link with PPP and one with HDLC.
Figure 21.14 Mismatched WAN encapsulations
Pod1R1:
hostname Pod1R1
username Pod1R2 password cisco
interface serial 0
 ip address 10.0.1.1 255.255.255.0
 clock rate 64000
 bandwidth 512
 encapsulation ppp
Pod1R2:
hostname Pod1R2
username Pod1R1 password cisco
interface serial 0
 ip address 10.0.1.2 255.255.255.0
 bandwidth 512
 encapsulation hdlc
Look at router Pod1R1 in this output:
Pod1R1#sh int s0/0
Serial0/0 is up, line protocol is down
 Hardware is PowerQUICC Serial
 Internet address is 10.0.1.1/24
 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
 reliability 254/255, txload 1/255, rxload 1/255
 Encapsulation PPP, loopback not set
 Keepalive set (10 sec)
 LCP REQsent
 Closed: IPCP, CDPCP
The serial interface is up/down and LCP is sending requests but will never receive any 
responses because router Pod1R2 is using the HDLC encapsulation. To fix this problem, 
you would have to go to router Pod1R2 and configure the PPP encapsulation on the serial 
interface. One more thing: Even though the usernames are configured incorrectly, it doesn’t 
matter because the command ppp authentication chap isn’t used under the serial interface configuration. This means that the username command isn’t relevant in this example.
You can set a Cisco serial interface back to the default of HDLC with the no 
encapsulation command like this:
Router(config)#int s0/0
Router(config-if)#no encapsulation
*Feb 7 16:00:18.678:%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
Notice the link came up because it now matches the encapsulation on the other end of 
the link!
Always remember that you just can’t have PPP on one side and HDLC on 
the other—they don’t get along!
Mismatched IP Addresses
A tricky problem to spot is if you have HDLC or PPP configured on your serial interface 
but your IP addresses are wrong. Things seem to be just fine because the interfaces will 
show that they are up. Take a look at Figure 21.15 and see if you can see what I mean—the 
two routers are connected with different subnets—router Pod1R1 with 10.0.1.1/24 and 
router Pod1R2 with 10.2.1.2/24.
Figure 21.15 Mismatched IP addresses
Pod1R1:
hostname Pod1R1
username Pod1R2 password cisco
interface serial 0
 ip address 10.0.1.1 255.255.255.0
 clock rate 64000
 bandwidth 512
 encapsulation ppp
 ppp authentication chap
Pod1R2:
hostname Pod1R2
username Pod1R1 password cisco
interface serial 0
 ip address 10.2.1.2 255.255.255.0
 bandwidth 512
 encapsulation ppp
 ppp authentication chap
This will never work. Let’s take a look at the output:
Pod1R1#sh int s0/0
Serial0/0 is up, line protocol is up
 Hardware is PowerQUICC Serial
 Internet address is 10.0.1.1/24
 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation PPP, loopback not set
 Keepalive set (10 sec)
 LCP Open
 Open: IPCP, CDPCP
See that? The IP addresses between the routers are wrong but the link appears to be working just fine. This is because PPP, like HDLC and Frame Relay, is a layer 2 WAN encapsulation, so it doesn’t care about IP addresses at all. So yes, the link is up, but you can’t use IP 
across this link since it’s misconfigured, or can you? Well, yes and no. If you try to ping you’ll 
see that this actually works! This is a feature of PPP, but not HDLC or Frame Relay. But just 
because you can ping to an IP address that’s not in the same subnet doesn’t mean your network traffic and routing protocols will work. So be careful with this issue, especially when 
troubleshooting PPP links!
Take a look at the routing table of Pod1R1 and see if you can find the mismatched 
IP address problem:
[output cut]
 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.2.1.2/32 is directly connected, Serial0/0
C 10.0.1.0/24 is directly connected, Serial0/0
Interesting! We can see our serial interface S0/0 address of 10.0.1.0/24, but what is 
that other address on interface S0/0—10.2.1.2/32? That’s our remote router’s interface IP 
address! PPP determines and places the neighbor’s IP address in the routing table as a connected interface, which then allows you to ping it even though it’s actually configured on a 
separate IP subnet.
For the Cisco objectives, you need to be able to troubleshoot PPP from the 
routing table as I just described.
To find and fix this problem, you can also use the show running-config, show 
interfaces, or show ip interfaces brief commands on each router, or you can use 
the show cdp neighbors detail command:
Pod1R1#sh cdp neighbors detail
-------------------------
Device ID: Pod1R2
Entry address(es):
 IP address: 10.2.1.2
Since the layer 1 Physical and layer 2 Data Link layers are up/up, you can view and verify the 
directly connected neighbor’s IP address and then solve your problem.
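The three faults walked through above (the case-mismatched CHAP password of Figure 21.13, the mismatched encapsulations of Figure 21.14 and the mismatched subnets of Figure 21.15) can be caught by comparing both routers' configurations before the link is brought up. This is an added example, not a Cisco tool: it starts from the working pair in Figure 21.12 and constructs a variant for each fault, and it assumes a single serial interface per router; the function names and message wording are made up for illustration.

```python
import ipaddress

# Working pair from Figure 21.12.
POD1R1 = """\
hostname Pod1R1
username Pod1R2 password cisco
interface serial 0
 ip address 10.0.1.1 255.255.255.0
 encapsulation ppp
 clock rate 64000
 bandwidth 512
 ppp authentication chap
"""
POD1R2 = """\
hostname Pod1R2
username Pod1R1 password cisco
interface serial 0
 ip address 10.0.1.2 255.255.255.0
 encapsulation ppp
 bandwidth 512
 ppp authentication chap
"""

# Constructed variants that reproduce the fault shown in each figure.
SCENARIOS = {
    "Figure 21.12": (POD1R1, POD1R2),
    "Figure 21.13": (POD1R1.replace("password cisco", "password Cisco"), POD1R2),
    "Figure 21.14": (POD1R1.replace(" ppp authentication chap\n", ""),
                     POD1R2.replace(" ppp authentication chap\n", "")
                           .replace("encapsulation ppp", "encapsulation hdlc")),
    "Figure 21.15": (POD1R1, POD1R2.replace("10.0.1.2", "10.2.1.2")),
}


def parse(config):
    """Pull out the settings that decide whether the serial link will work."""
    router = {"hostname": None, "users": {}, "address": None,
              "encapsulation": "hdlc",  # no encapsulation line means HDLC
              "chap": False}
    for raw in config.splitlines():
        words = raw.split()
        if len(words) == 2 and words[0] == "hostname":
            router["hostname"] = words[1]
        elif len(words) == 4 and words[0] == "username" and words[2] == "password":
            router["users"][words[1]] = words[3]
        elif len(words) == 4 and words[:2] == ["ip", "address"]:
            router["address"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif len(words) == 2 and words[0] == "encapsulation":
            router["encapsulation"] = words[1]
        elif words[:2] == ["ppp", "authentication"]:
            router["chap"] = "chap" in words[2:]
    return router


def check_link(config_a, config_b):
    """Return a list of problems for the link between two routers."""
    a, b = parse(config_a), parse(config_b)
    problems = []
    if a["encapsulation"] != b["encapsulation"]:
        problems.append(
            f'encapsulation mismatch: {a["hostname"]}={a["encapsulation"]}, '
            f'{b["hostname"]}={b["encapsulation"]}')
    # The username entries only matter when CHAP is actually enabled.
    if a["encapsulation"] == b["encapsulation"] == "ppp" and (a["chap"] or b["chap"]):
        secret_a = a["users"].get(b["hostname"])  # what A stores for B
        secret_b = b["users"].get(a["hostname"])  # what B stores for A
        if secret_a is None or secret_b is None:
            problems.append("CHAP: missing username entry for the remote hostname")
        elif secret_a != secret_b:
            same_letters = secret_a.lower() == secret_b.lower()
            problems.append("CHAP: shared passwords do not match"
                            + (" (differs only in case)" if same_letters else ""))
    if a["address"] and b["address"] and a["address"].network != b["address"].network:
        problems.append(
            f'IP subnet mismatch: {a["address"].network} vs {b["address"].network}')
    return problems


def audit():
    return {name: check_link(*pair) for name, pair in SCENARIOS.items()}


if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, problems or "ok")
```

The subnet check is the one that matters most here, because it is the only one of the three faults that leaves the interface showing up/up.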
Frame Relay
Frame Relay was one of the most popular WAN services deployed over the past two decades, 
and there’s a good reason for this—cost. And it’s a rare network design or designer that has 
the privilege to ignore that all-important cost factor!
By default, Frame Relay is classified as a non-broadcast multi-access (NBMA) network, 
meaning it doesn’t send any broadcasts such as RIP updates across the network.
In addition, Frame Relay is considerably more complex than the simple leased-line networks 
you learned about when we covered the HDLC and PPP protocols. The leased-line networks 
are easy to conceptualize, but not so much when it comes to Frame Relay. But with complexity 
comes versatility, which is why it’s often represented as a “cloud” in networking graphics. I’ll 
get to that more in a minute—for right now, I’m going to introduce Frame Relay in concept 
and explain how it differs from simpler leased-line technologies.
I’m going to begin your introduction to this technology by giving you a solid reference of 
all the new terms you’ll need to really grasp the basics of Frame Relay. After that, I’ll guide 
you through some simple Frame Relay implementations.
Introduction to Frame Relay Technology
As a Cisco exam candidate, you’ll be expected to understand the basics of the Frame Relay technology 
and also to be able to configure it in simple scenarios. First, understand that Frame Relay 
is a packet-switched technology. From everything you’ve learned so far, just telling you this 
should make you immediately realize several things about it:
■ You won’t be using the encapsulation hdlc or encapsulation ppp command to configure it.
■ Frame Relay doesn’t work like a point-to-point leased line even though it can be made to look and act like one.
■ Frame Relay is usually less expensive than leased lines are, but there are some sacrifices required to net that savings.
So why do we use Frame Relay? Figure 21.16 will help you form a snapshot of what a 
network looked like before Frame Relay as a first step to answering this question.
Figure 21.16 Before Frame Relay: dedicated/leased lines to each location ($$$)
Now check out Figure 21.17. You can see that there’s now only one connection between 
the Corporate router and the Frame Relay switch. That right there saves some major cash!
Let’s say you needed to add seven remote sites to be accessed from the corporate office 
but you only have one free serial port on your router—it’s Frame Relay to the rescue! Of 
course, this also means that you now have a single point of failure, which is not so good. 
But Frame Relay was typically used to save money, not to make a network more resilient.
Coming up, I’m going to cover the Frame Relay technology information you need to 
effectively meet the Cisco objectives.
Figure 21.17 After Frame Relay: statistically multiplexing multiple logical circuits over a single physical connection
Committed Information Rate (CIR)
Frame Relay provides a packet-switched network to lots of different customers at the same 
time, which is good because it spreads out the cost of the switches among many customers. 
But remember, Frame Relay is based on the assumption that those dependent on it will never 
need to transmit data constantly or simultaneously.
Frame Relay works by providing a portion of dedicated bandwidth to each user, and it 
also allows the user to exceed their guaranteed bandwidth if resources on the telco network 
happen to be available. So basically, Frame Relay providers allow customers to buy a lower 
amount of bandwidth than what they really use. There are two separate bandwidth specifications with Frame Relay:
Access rate The maximum speed at which the Frame Relay interface can transmit.
CIR The maximum bandwidth of data guaranteed to be delivered. It’s the average amount 
that the service provider will allow you to transmit.
If these two values are equal, the Frame Relay connection will operate pretty much as a 
leased line would. But these values can also be set differently. To clarify this, suppose I’ve 
bought a T1 access rate, giving me 1.544 Mbps and a CIR of 256 Kbps. With this option, 
the first 256 Kbps of traffic I send is guaranteed to be delivered. Anything beyond that is 
called a “burst”—a transmission that exceeds my guaranteed 256 Kbps rate, which can be 
any amount up to my contracted T1 access rate. But what would happen if I were to send 
a combined committed burst that exceeds the MBR, or maximum burst rate? Most likely, 
my excess traffic will be dropped, but whether or not it’s to be toast really depends on the 
subscription level of my particular service provider.
Of course, in a perfect world, this always works beautifully. But remember that little word 
guaranteed—as in guaranteed rate of 256 Kbps, to be exact? This means that any burst of 
data you send that exceeds your guaranteed 256 Kbps rate will be delivered on something 
called a “best effort” basis of delivery. Or maybe it won’t—if your telco’s equipment doesn’t 
have the capacity to deliver it at the time you transmitted, then your frames will be discarded 
and the DTE will be notified. Timing is everything—you can scream data out at six times 
your guaranteed rate of 256 Kbps (T1) only if your telco has the capacity available on its 
equipment at the exact time you try to send. This is “over-subscription” in action!
The CIR is the rate, in bits per second, at which the Frame Relay switch 
agrees to transfer data.
Frame Relay Encapsulation Types
When configuring Frame Relay on Cisco routers, you need to specify it as an encapsulation 
on serial interfaces. And as I said earlier, you can’t use HDLC or PPP with Frame Relay. 
When you configure Frame Relay, you must choose one of two encapsulation types—Cisco 
and IETF (Internet Engineering Task Force), as shown in the following output:
RouterA(config)#int s0
RouterA(config-if)#encapsulation frame-relay ?
 ietf Use RFC1490 encapsulation
 <cr>
Unless you manually type in ietf, the default encapsulation option is Cisco, and predictably, it’s what you want to go with when connecting two Cisco devices. You’d opt for the 
IETF-type encapsulation if you needed to connect a Cisco device to a non-Cisco device with 
Frame Relay. Whichever you choose, make sure the Frame Relay encapsulation is the same 
on both ends.
Virtual Circuits
Frame Relay operates using virtual circuits as opposed to the physical circuits that leased 
lines use. These virtual circuits are what link together the thousands of devices connected 
to the provider’s “cloud.” Frame Relay provides a virtual circuit between your two DTE 
devices, which makes them appear to be connected via an actual circuit. In reality, they’re 
dumping their frames into a large, shared infrastructure. You never see the complexity of 
what’s actually happening inside the cloud because you only have a virtual circuit.
And on top of all that, there are two types of virtual circuits—permanent and switched. 
Permanent virtual circuits (PVCs) are by far the most common type in use today. What 
“permanent” means here is that the telco creates the mappings inside its gear, and as long 
as you pay the bill, they’ll remain in place.
Switched virtual circuits (SVCs) are more like a phone call. The virtual circuit is established when data needs to be transmitted. The virtual circuit is dismantled when the data 
transfer is complete.
Data Link Connection Identifiers (DLCIs)
Frame Relay PVCs are identified to DTE end devices by Data Link Connection Identifiers 
(DLCIs). A Frame Relay service provider typically assigns DLCI values, which are used on 
Frame Relay interfaces to distinguish between different virtual circuits. Because many virtual 
circuits can be terminated on one multipoint Frame Relay interface, many DLCIs are often 
affiliated with it.
To clarify this, let’s say you have a central HQ with three branch offices. If you were to 
connect each branch office to HQ using a T1, you would need three serial interfaces on your 
router at HQ, one for each T1. Simple, right? But suppose you use Frame Relay PVCs instead. 
You could have a T1 at each branch connected to a service provider and only a single T1 at 
HQ. There would be three PVCs on the single T1 at HQ, one going to each branch. And even 
though there’s only a single interface and a single CSU/DSU, the three PVCs function as three 
separate circuits. Remember what I said about saving money? How much for two additional 
T1 interfaces and a pair of CSU/DSUs? Answer: A lot! So, why not just go ahead and ask for 
a percentage of the savings in your bonus?
Okay, before we go on, I want to define Inverse ARP (IARP) and discuss how it’s used 
with DLCIs in a Frame Relay network. Yes, it is somewhat similar to ARP in the fact that it 
maps a DLCI to an IP address—kind of like ARP does with MAC addresses to IP addresses. 
And even though you can’t configure IARP, you can disable it. It runs on a Frame Relay 
router and maps the DLCI to an IP address for Frame Relay so it knows how to get to the 
IP address at the other end of the PVC. You can see IP-to-DLCI mappings with the show 
frame-relay map command.
But if you have a non-Cisco router living in your network and it doesn’t support IARP, then 
you’re stuck with having to statically provide IP-to-DLCI mappings with the frame-relay map
command—something I’ll demonstrate in a bit.
Inverse ARP (IARP) is used to map a known DLCI to an IP address. 
Let’s talk about DLCIs a bit more. They’re locally significant—global significance requires 
the entire network to use the Local Management Interface (LMI) extensions that offer global 
significance. This is why you’ll mostly find global DLCIs only in private networks.
But the DLCI doesn’t have to be globally significant for it to be functional in getting a 
frame across the network. Let me explain: when RouterA wants to send a frame to RouterB, 
it looks up the IARP or manual mapping of the DLCI to the IP address it’s trying to get to. 
Equipped with the DLCI, it then sends the frame out with the DLCI value it found in the 
DLCI field of the FR header. The provider’s ingress switch gets this frame and does a lookup 
on the DLCI/physical-port combination it observes. Associated with that combination, it 
finds a new “locally significant” (meaning, between itself and the next-hop switch) DLCI to 
use in the header, and in the same entry in its table, it finds an outgoing physical port. This 
happens repeatedly all the way to RouterB. So basically, you could actually say that the DLCI 
for RouterA uses the entire virtual circuit to RouterB, even though each DLCI between every 
pair of devices could be completely different. The big point here is that RouterA is unaware of 
these differences. That’s what makes the DLCI locally significant. So make a mental note that 
DLCIs really are used by the telco to “find” the other end of your PVC.
For a picture of why DLCIs are considered locally significant, take a look at Figure 21.18. 
In the figure, DLCI 100 is considered locally significant to RouterA and identifies the circuit 
to RouterB between RouterA and its ingress Frame Relay switch. DLCI 200 would identify 
this same circuit to RouterA between RouterB and its ingress Frame Relay switch.
Figure 21.18 DLCIs are local to your router. RouterA uses DLCI 100 to send data to RouterB.
RouterA (DLCI 100): To get to RouterB use DLCI 100. RouterB (DLCI 200): To get to RouterA use DLCI 200.
DLCI numbers that are used to identify a PVC are typically assigned by the provider and 
start at 16.
You configure a DLCI number to be applied to a subinterface like this:
RouterA(config-if)#frame-relay interface-dlci ?
 <16-1007> Define a DLCI as part of the current subinterface
RouterA(config-if)#frame-relay interface-dlci 16
DLCIs identify the logical circuit between the local router and a Frame 
Relay switch.
Local Management Interface (LMI)
Local Management Interface (LMI) is a signaling standard used between your router and 
the first Frame Relay switch it’s connected to. It allows for passing information about the 
operation and status of the virtual circuit between the provider’s network and the DTE 
(your router). It communicates information about the following:
Keepalives: These verify that data is flowing.
Multi-casting: This is an optional extension of the LMI specification that permits the efficient distribution of routing information and ARP requests over a Frame Relay network. 
Multicasting uses the reserved DLCIs from 1019 through 1022.
Global addressing: This provides global significance to DLCIs, allowing the Frame 
Relay cloud to work exactly like a LAN. This has never been run in a production network to this day.
Status of virtual circuits: This provides DLCI status. The status inquiries and messages are 
used as keepalives when there is no regular LMI traffic to send.
But remember, LMI is not communication between your routers; it’s communication 
between your router and the nearest Frame Relay switch. So it’s entirely possible that the 
router on one end of a PVC is actively receiving LMI while the router on the other end of 
the PVC is not. And of course, PVCs won’t work with one end down, which clarifies the 
local nature of LMI communications.
There are three different types of LMI message formats: Cisco, ANSI, and Q.933A. The 
different kinds in use depend on both the type and configuration of the telco’s switching 
gear, so it’s imperative that you configure your router for the correct format, which should 
be provided by the telco.
Beginning with IOS version 11.2, the LMI type is autosensed. This enables 
the interface to determine the LMI type supported by the switch. If you’re 
not going to use the autosense feature, you’ll need to check with your 
Frame Relay provider to find out which type to use instead.
On Cisco equipment, the default type is, surprise, Cisco, but you still might have to change 
to ANSI or Q.933A, depending on what your service provider tells you. The three different 
LMI types are shown in the following router output:
RouterA(config-if)#frame-relay lmi-type ?
 cisco
 ansi
 q933a
As seen in the output, all three standard LMI signaling formats are supported. Here’s a 
description of each one:
Cisco: LMI defined by the Gang of Four (default). The Local Management Interface (LMI) 
was developed in 1990 by Cisco Systems, StrataCom, Northern Telecom, and Digital 
Equipment Corporation and became known as the Gang-of-Four LMI, or Cisco LMI.
ANSI: Annex D included with ANSI standard T1.617.
ITU-T (Q.933A): Annex A included in the ITU-T standard, defined by using the q933a 
command keyword.
Routers receive LMI information from the service provider’s Frame Relay switch on a 
frame-relay encapsulated interface and update the virtual circuit status to one of three different states:
Active state: Everything is up, and routers can exchange information.
Inactive state: The router’s interface is up and working with a connection to the switching 
office, but the remote router isn’t up.
Deleted state: No LMI information is being received on the interface from the switch, which 
could be due to a mapping problem or a line failure.
Frame Relay Congestion Control
Remember back to our talk about CIR? From that, it should be obvious that the lower your 
CIR is set, the greater the risk that your data will be lost. This can be easily avoided if you 
have just one key piece of information—the most optimal time to transmit that huge burst! 
This begs the question: Is there any way for us to find out when our telco’s shared infrastructure is free and clear and when it’s crammed and jammed, just as we check the freeway before 
we leave work? And if so, how do we find out? Well, that’s exactly what I’m going to talk 
about next—how the Frame Relay switch notifies the DTE of congestion problems!
Here are the three congestion bits and their meanings, as shown in the show frame-relay map output:
R1#sh frame map
[output cut]
input pkts 14055 output pkts 32795 in bytes 1096228
out bytes 6216155 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 32795 out bcast bytes 6216155
Discard Eligibility (DE): As you know, when you transmit a burst of packets beyond the 
CIR of a given PVC, any packets exceeding the CIR could very well be discarded if the provider’s network is congested at the time. Because of this, the excessive bits are marked with 
a Discard Eligibility (DE) bit in the Frame Relay header. And if the provider’s network 
happens to be congested, the Frame Relay switch will discard the packets with the DE bit 
set first. So if your bandwidth is configured with a CIR of zero, the DE will always be on.
Forward Explicit Congestion Notification (FECN): When the Frame Relay network 
recognizes congestion in the cloud, the switch will set the Forward Explicit Congestion 
Notification (FECN) bit to 1 in a Frame Relay packet header. This will indicate to the 
destination DTE that the path the frame just traversed is congested.
Backward Explicit Congestion Notification (BECN): When the switch detects congestion in 
the Frame Relay network, it’ll set the Backward Explicit Congestion Notification (BECN) 
bit in a Frame Relay frame that’s destined for the source router. This notifies the originating 
router that congestion is ahead. But Cisco routers won’t take action on this congestion information unless you tell them to!
If your in FECN count is incrementing, the local PVC is congested. If your 
in BECN count is increasing, then the remote PVC is congested.
Troubleshooting Using Frame Relay Congestion Control
Now let’s say all your users are whining about the fact that their Frame Relay connection 
to the corporate site is super slow. Because you strongly suspect that the link is overloaded, 
you verify the Frame Relay congestion control information with the show frame-relay pvc
command and get this output:
RouterA#sh frame-relay pvc
PVC Statistics for interface Serial0/0 (Frame Relay DTE)
 Active Inactive Deleted Static
 Local 1 0 0 0
 Switched 0 0 0 0
 Unused 0 0 0 0
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0
 input pkts 1300 output pkts 1270 in bytes 21212000
 out bytes 21802000 dropped pkts 4 in pkts dropped 147
 out pkts dropped 0 out bytes dropped 0 in FECN pkts 147
 in BECN pkts 192 out FECN pkts 147
 out BECN pkts 259 in DE pkts 0 out DE pkts 214
 out bcast pkts 0 out bcast bytes 0
 pvc create time 00:00:06, last time pvc status changed 00:00:06
Pod1R1#
What you want to look for in this output is the in BECN pkts 192 output because this is 
what’s telling the local router that traffic sent to the corporate site is experiencing congestion. 
BECN means that the path that a frame took to get back to you is congested.
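The counter check above can be scripted. This Python sketch is an added example, not code from the book or from Cisco: it parses show frame-relay pvc text and reports which congestion counters grew between two snapshots. The first snapshot is the output printed above; the second snapshot and all function names are constructed for the illustration.

```python
import re

# Snapshot 1: the "show frame-relay pvc" counters printed in this section.
SNAPSHOT_1 = """\
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0
 input pkts 1300 output pkts 1270 in bytes 21212000
 out bytes 21802000 dropped pkts 4 in pkts dropped 147
 out pkts dropped 0 out bytes dropped 0 in FECN pkts 147
 in BECN pkts 192 out FECN pkts 147
 out BECN pkts 259 in DE pkts 0 out DE pkts 214
"""

# Snapshot 2: constructed for this example (same PVC, taken later). The header
# is wrapped over two lines, as some outputs in this chapter are.
SNAPSHOT_2 = """\
DLCI = 100,DLCI USAGE = LOCAL,PVC STATUS =ACTIVE,
INTERFACE = Serial0/0
 input pkts 1900 output pkts 1850 in bytes 30100000
 out bytes 31000000 dropped pkts 4 in pkts dropped 147
 out pkts dropped 0 out bytes dropped 0 in FECN pkts 147
 in BECN pkts 240 out FECN pkts 147
 out BECN pkts 259 in DE pkts 0 out DE pkts 301
"""

HEADER = re.compile(
    r"DLCI\s*=\s*(\d+)\s*,\s*DLCI USAGE\s*=\s*\w+\s*,"
    r"\s*PVC STATUS\s*=\s*(\w+)\s*,\s*INTERFACE\s*=\s*(\S+)"
)
CONGESTION = re.compile(r"\b(in|out) (FECN|BECN|DE) pkts (\d+)")
DROPPED = re.compile(r"\bdropped pkts (\d+)")

# What a growing counter means, in the terms this chapter uses.
MEANING = {
    "in_BECN": "traffic this router sends is meeting congestion",
    "in_FECN": "frames arriving at this router crossed a congested path",
    "out_DE": "frames sent were marked discard eligible",
    "in_DE": "frames received were marked discard eligible",
    "dropped": "frames were dropped on this PVC",
}
STATUS = {
    "INACTIVE": "router reaches the switch, far-end router does not answer",
    "DELETED": "switch does not recognize the DLCI or it is misconfigured",
}


def parse_pvcs(text):
    """Return {dlci: {'status', 'interface', counters...}} for every PVC block."""
    headers = list(HEADER.finditer(text))
    pvcs = {}
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[head.end():end]
        entry = {"status": head.group(2).upper(), "interface": head.group(3)}
        for direction, bit, count in CONGESTION.findall(body):
            entry[f"{direction}_{bit}"] = int(count)
        dropped = DROPPED.search(body)
        entry["dropped"] = int(dropped.group(1)) if dropped else 0
        pvcs[int(head.group(1))] = entry
    return pvcs


def growth(before, after):
    """Per DLCI, list (counter, increase) for counters that grew, plus status."""
    report = {}
    for dlci, now in after.items():
        prev = before.get(dlci, {})
        grew = [(name, now.get(name, 0) - prev.get(name, 0)) for name in MEANING
                if now.get(name, 0) > prev.get(name, 0)]
        report[dlci] = {"status": now["status"], "grew": grew}
    return report


def explain(report):
    """Turn the growth report into readable lines."""
    lines = []
    for dlci, item in sorted(report.items()):
        if item["status"] in STATUS:
            lines.append(f"DLCI {dlci}: {item['status']} ({STATUS[item['status']]})")
        for name, delta in item["grew"]:
            lines.append(f"DLCI {dlci}: {name} +{delta}: {MEANING[name]}")
    return lines


if __name__ == "__main__":
    for line in explain(growth(parse_pvcs(SNAPSHOT_1), parse_pvcs(SNAPSHOT_2))):
        print(line)
```

Comparing two snapshots matters because the counters are cumulative since the PVC was created; a large but static in BECN value says nothing about congestion right now.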
Frame Relay Implementation and Monitoring
As I’ve said, there are a ton of Frame Relay commands and configuration options, but I’m 
going to zero in on the ones you really need to know when studying for the Cisco exam 
objectives. I’m going to start with one of the simplest configuration options—two 
routers with a single PVC between them. Next, I’ll show you a more complex configuration using subinterfaces and demonstrate some of the monitoring commands available to 
verify the configuration.
Single Interface
Let’s get started by looking at a simple example where we just want to connect two routers 
with a single PVC. Here’s how that configuration would look:
RouterA#config t
RouterA(config)#int s0/0
RouterA(config-if)#encapsulation frame-relay
RouterA(config-if)#ip address 172.16.20.1 255.255.255.0
RouterA(config-if)#frame-relay lmi-type ansi
RouterA(config-if)#frame-relay interface-dlci 101
RouterA(config-if)#^Z
RouterA#
The first step is to specify the encapsulation as Frame Relay. Notice that since I didn’t 
specify a particular encapsulation type—either Cisco or IETF—the Cisco default type was 
used. If the other router were non-Cisco, I would’ve specified IETF. Next, I assigned an IP 
address to the interface and then specified the LMI type of ANSI based on information provided by the telecommunications provider. Again, the default is Cisco. Finally, I added the 
DLCI of 101, which indicates the PVC we want to use and has been given to me by my ISP, 
assuming there’s only one PVC on this physical interface.
That’s all there is to it—if both sides are configured correctly, and the switch is working, 
the circuit will come up.
Check out Hands-on Lab 7.3 for a complete example of this type of configuration, including instructions on creating your own Frame Relay 
switch from a router. 
Subinterfaces
As I mentioned earlier, you can have multiple virtual circuits on a single serial interface and 
yet treat each as a separate interface. We can make this happen by creating subinterfaces. 
Think of a subinterface as a logical interface that’s defined by the IOS software. Several subinterfaces will share a single hardware interface, yet for configuration purposes, they operate 
as if they were separate physical interfaces. This is known as multiplexing.
To configure a router in a Frame Relay network so it will avoid split horizon issues that 
will not permit certain routing updates, just configure a separate subinterface for each PVC 
with a unique DLCI and subnet assigned to the subinterface.
You define subinterfaces using a command like int s0/0.subinterface number. First, 
you have to set the encapsulation on the physical serial interface, and then you can define the 
subinterfaces—generally one subinterface per PVC. Here’s an example, using Figure 21.19:
Figure 21.19 Configuring subinterfaces (Corp router across the Frame Relay cloud to SF and NY: to SF use DLCI 102, to NY use DLCI 103; the figure also labels DLCI 200 and DLCI 400 on the remote side)
Corp(config)#int s0/0
Corp(config-if)#no shut
Corp(config-if)#encapsulation frame-relay
Corp(config-if)#int s0/0.?
 <0-4294967295> Serial interface number
Corp(config-if)#int s0/0.102 ?
 multipoint Treat as a multipoint link
 point-to-point Treat as a point-to-point link
Corp(config-if)#int s0/0.102 point-to-point
Corp(config-subif)#ip address 10.1.12.1 255.255.255.0
Corp(config-subif)#frame-relay interface-dlci 102
Corp(config-subif)#int s0/0.103 point-to-point
Corp(config-subif)#ip address 10.1.13.1 255.255.255.0
Corp(config-subif)#frame-relay interface-dlci 103
Make sure you don’t have an IP address under the physical interface if you 
have configured subinterfaces!
You can define a legion of subinterfaces on any given physical interface, but keep in mind 
that there are only about a thousand available DLCIs. In the preceding example, I chose to 
use subinterface 102 and 103 because they represent the DLCI number assigned to that PVC 
by the carrier. There are two types of subinterfaces:
Point-to-point: Used when a single virtual circuit connects one router to another. Each 
point-to-point subinterface requires its own subnet.
A point-to-point subinterface maps a single IP subnet per DLCI and addresses 
and resolves NBMA split horizon issues.
Multipoint: This is when the router is the center of a star of virtual circuits that are using 
a single subnet for all routers’ serial interfaces connected to the Frame Relay cloud. You’ll 
usually find this implemented with the hub router in this mode with the spoke routers in 
physical interface (always point-to-point) or point-to-point subinterface mode.
In the following output, notice that the subinterface number matches the DLCI number—
not a requirement, but it seriously helps you administer the interfaces:
interface Serial0/0
 no ip address (notice there is no IP address on the physical interface!)
 no ip directed-broadcast
 encapsulation frame-relay
!
interface Serial0/0.102 point-to-point
 ip address 10.1.12.1 255.255.255.0
 no ip directed-broadcast
frame-relay interface-dlci 102
!
interface Serial0/0.103 point-to-point
 ip address 10.1.13.1 255.255.255.0
 no ip directed-broadcast
frame-relay interface-dlci 103
!
Notice that there’s no LMI type defined. This means that the routers are either running 
the Cisco default or using autodetect if you’re running Cisco IOS version 11.2 or newer. I 
also want to point out that each interface maps to a single DLCI and is defined as a separate 
subnet. And remember—point-to-point subinterfaces solve split horizon issues as well!
Monitoring Frame Relay
Several commands are used frequently to check the status of your interfaces and PVCs once 
you have Frame Relay encapsulation set up and running. To list them, use the show frame 
? command, as seen here:
Corp>sho frame ?
end-to-end Frame-relay end-to-end VC information
fragment show frame relay fragmentation information
ip show frame relay IP statistics
lapf show frame relay lapf status/statistics
lmi show frame relay lmi statistics
map Frame-Relay map table
pvc show frame relay pvc statistics
qos-autosense show frame relay qos-autosense information
route show frame relay route
svc show frame relay SVC stuff
traffic Frame-Relay protocol statistics
vofr Show frame-relay VoFR statistics
The most common parameters that you view with the show frame-relay command are 
lmi, pvc, and map.
Now, let’s take a look at the most frequently used commands and the information they 
provide.
The show frame-relay lmi Command
The show frame-relay lmi command will give you the LMI traffic statistics exchanged 
between the local router and the Frame Relay switch. Here’s an example:
Corp#sh frame lmi
LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = CISCO
 Invalid Unnumbered info 0 Invalid Prot Disc 0
 Invalid dummy Call Ref 0 Invalid Msg Type 0
 Invalid Status Message 0 Invalid Lock Shift 0
 Invalid Information ID 0 Invalid Report IE Len 0
 Invalid Report Request 0 Invalid Keep IE Len 0
 Num Status Enq. Sent 61 Num Status msgs Rcvd 0
 Num Update Status Rcvd 0 Num Status Timeouts 60
The router output from the show frame-relay lmi command shows you any LMI errors, 
plus the LMI type. So, I have a question based on the output of the command. Is this Frame Relay network working? The answer is no because the router has sent 60 inquiries and has 
not received even one reply from the Frame Relay switch. If you see this, you need to call the 
provider because this is a Frame Relay switch configuration issue.
The show frame pvc Command
The show frame pvc command will present you with a list of all configured PVCs and 
DLCI numbers. It provides the status of each PVC connection and traffic statistics too. It 
will also give you the number of BECN, FECN, and DE packets sent and received on the 
router per PVC.
Here is an example:
Corp#sho frame pvc
PVC Statistics for interface Serial0/0 (Frame Relay DTE)
DLCI = 102,DLCI USAGE = LOCAL,PVC STATUS =ACTIVE,
INTERFACE = Serial0/0.102
 input pkts 50977876 output pkts 41822892
 in bytes 3137403144
 out bytes 3408047602 dropped pkts 5
 in FECN pkts 0
 in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
 in DE pkts 9393 out DE pkts 0
 pvc create time 7w3d, last time pvc status changed 7w3d
DLCI = 103,DLCI USAGE =LOCAL,PVC STATUS =ACTIVE,
INTERFACE = Serial0/0.103
 input pkts 30572401 output pkts 31139837
 in bytes 1797291100
 out bytes 3227181474 dropped pkts 5
 in FECN pkts 0
 in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
 in DE pkts 28 out DE pkts 0
 pvc create time 7w3d, last time pvc status changed 7w3d
If you want to see information about only PVC 102, you can type the command show 
frame-relay pvc 102. Let’s take a closer look at the output of this one line:
DLCI = 102,DLCI USAGE = LOCAL,PVC STATUS =ACTIVE,
INTERFACE = Serial0/0.102
The PVC status field in the output of the show frame-relay pvc command reports the status of the PVC between the router and the Frame-Relay switch. The switch (DCE) reports the 
status to the router (DTE) using the LMI protocol. There are three types of reported statuses:
ACTIVE: The switch is correctly programmed with the DLCI and there is a successful 
DTE-to-DTE circuit (router to router).
INACTIVE: The router is connected to the switch (DTE to DCE), but there’s not a connection to the far-end router (DTE). This can be a router or switch configuration issue.
DELETED: The router (DTE) is configured for a DLCI that the switch (DCE) does not 
recognize or is not configured correctly.
The three LMI reported statuses are Cisco exam objectives! Understand 
why you’d see each status.
The show interface Command
You can use the show interface command to check for LMI traffic. The show interface
command displays information about the encapsulation as well as layer 2 and layer 3 information. It also displays line, protocol, DLCI, and LMI information. Check it out:
Corp#sho int s0/0
Serial0/0 is up, line protocol is up
 Hardware is HD64570
 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely
 255/255, load 2/255
 Encapsulation FRAME-RELAY, loopback not set, keepalive
 set (10 sec)
 LMI enq sent 451751,LMI stat recvd 451750,LMI upd recvd
 164,DTE LMI up
 LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
 LMI DLCI 1023 LMI type is CISCO frame relay DTE
 Broadcast queue 0/64, broadcasts sent/dropped 0/0,
 interface broadcasts 839294
The LMI DLCI is used to define the type of LMI being used. If it happens to be 1023, 
it’s the default LMI type for Cisco routers. If the LMI DLCI is zero, then it’s the ANSI 
LMI type (Q.933A uses 0 as well). If the LMI DLCI is anything other than 0 or 1023, it’s 
a 911—call your provider; they’ve got major issues!
The show frame map Command
The show frame map command displays the mappings from the Network layer to DLCI. 
Here’s how that looks, using Figure 21.19:
Corp#show frame map
Serial0/0.102 (up): ip 10.1.12.2 dlci 102(0x66,0x400),
 dynamic, broadcast,, status defined, active
Serial0/0.103 (up): ip 10.1.13.2 dlci 103(0x67,0x410),
 dynamic, broadcast,, status defined, active
Notice that the Network layer addresses are marked dynamic, which means they were 
resolved with the dynamic protocol Inverse ARP (IARP). After the DLCI number is listed, 
you can see some numbers in parentheses. The first one is 0x66, which is the hex equivalent 
for the DLCI number 102, used on serial 0/0.102. And the 0x67 is the hex for DLCI 103 
used on serial 0/0.103. The second numbers, 0x400 and 0x410, are the DLCI numbers configured in the Frame Relay frame. They’re different because of the way the bits are spread 
out in the frame.
Again, looking at Figure 21.19, the preceding output is telling the Corp router that to get 
to SF using 10.1.12.2, use DLCI 102. To get to the NY router with IP address 10.1.13.2, use 
DLCI 103. The Corp router would never use a remote DLCI. 
You must be able to find the DLCI number used to get to a remote site by 
using the show frame-relay map command.
The debug frame lmi Command
The debug frame lmi command will show real-time output on the router consoles by default 
(as with any debug command). The information this command gives you will enable you to 
verify and troubleshoot the Frame Relay connection by helping you determine whether the 
router and switch are exchanging the correct LMI information. Here’s an example:
Corp#debug frame-relay lmi
Serial3/1(in): Status, myseq 214
RT IE 1, length 1, type 0
KA IE 3, length 2, yourseq 214, myseq 214
PVC IE 0x7 , length 0x6 , dlci 130, status 0x2 , bw 0
Serial3/1(out): StEnq, myseq 215, yourseen 214, DTE up
datagramstart = 0x1959DF4, datagramsize = 13
FR encap = 0xFCF10309
00 75 01 01 01 03 02 D7 D6
Serial3/1(in): Status, myseq 215
RT IE 1, length 1, type 1
KA IE 3, length 2, yourseq 215, myseq 215
Serial3/1(out): StEnq, myseq 216, yourseen 215, DTE up
datagramstart = 0x1959DF4, datagramsize = 13
FR encap = 0xFCF10309
00 75 01 01 01 03 02 D8 D7
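The FR encap = 0xFCF10309 value in the debug output above begins with the two-octet Frame Relay address field, which carries the DLCI together with the FECN, BECN, and DE bits discussed earlier. This Python sketch is an added example, not code from the book or from Cisco: it decodes and encodes that field using the standard 2-octet layout and models the congestion handling the chapter describes. The function names, and the simplification that a congested switch drops every DE-marked frame, are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FrAddress:
    dlci: int    # 10-bit Data Link Connection Identifier
    cr: bool     # command/response bit (not discussed in this chapter)
    fecn: bool   # Forward Explicit Congestion Notification
    becn: bool   # Backward Explicit Congestion Notification
    de: bool     # Discard Eligibility


def decode_address(octets: bytes) -> FrAddress:
    """Decode the default 2-octet Frame Relay address field.

    Octet 1: DLCI bits 9-4 | C/R | EA=0
    Octet 2: DLCI bits 3-0 | FECN | BECN | DE | EA=1
    """
    if len(octets) != 2:
        raise ValueError("expected exactly 2 octets")
    first, second = octets
    if first & 0x01 or not second & 0x01:
        raise ValueError("EA bits must be 0 then 1 for a 2-octet address")
    dlci = ((first >> 2) << 4) | (second >> 4)
    return FrAddress(dlci, bool(first & 0x02), bool(second & 0x08),
                     bool(second & 0x04), bool(second & 0x02))


def encode_address(dlci, cr=False, fecn=False, becn=False, de=False) -> bytes:
    """Build the 2-octet address field; the DLCI is split 6 bits + 4 bits."""
    if not 0 <= dlci <= 1023:
        raise ValueError("a 2-octet address carries a 10-bit DLCI (0-1023)")
    first = ((dlci >> 4) << 2) | (int(cr) << 1)
    second = (((dlci & 0x0F) << 4) | (int(fecn) << 3) | (int(becn) << 2)
              | (int(de) << 1) | 0x01)
    return bytes([first, second])


def classify_dlci(dlci):
    """Name the DLCI values this chapter mentions; the rest are 'reserved'."""
    if dlci == 0:
        return "LMI (ANSI or Q.933A)"
    if dlci == 1023:
        return "LMI (Cisco)"
    if 1019 <= dlci <= 1022:
        return "multicasting"
    if 16 <= dlci <= 1007:
        return "PVC"
    return "reserved"


def switch_forward(octets, congested, toward_destination=True):
    """Model what the chapter says a congested switch does to one frame.

    Returns the rewritten address octets, or None when the frame is discarded.
    Simplification (assumption): every DE-marked frame is dropped while the
    switch is congested. Surviving frames get FECN set when they travel toward
    the destination and BECN when they travel back toward the source.
    DLCI swapping between hops is not modelled here.
    """
    addr = decode_address(octets)
    if not congested:
        return bytes(octets)
    if addr.de:
        return None
    return encode_address(addr.dlci, addr.cr,
                          fecn=addr.fecn or toward_destination,
                          becn=addr.becn or not toward_destination)


if __name__ == "__main__":
    lmi = decode_address(bytes.fromhex("FCF1"))   # first 2 octets of FR encap
    print(lmi, classify_dlci(lmi.dlci))
    burst = encode_address(100, de=True)          # constructed: frame sent above CIR
    print("burst frame survives congestion:", switch_forward(burst, True) is not None)
    print(decode_address(switch_forward(encode_address(100), True)))
```

Decoding 0xFCF1 yields DLCI 1023, which agrees with the LMI DLCI 1023 reported for the Cisco LMI type in the show interface output.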
Troubleshooting Frame Relay Networks
Troubleshooting Frame Relay networks isn’t any harder than troubleshooting any other 
type of network as long as you know what to look for, which is what I’m going to cover 
now. I’ll go over some basic problems that commonly occur in Frame Relay configuration 
and how to solve them.
First on the list are serial encapsulation problems. As you learned recently, there are two 
Frame Relay encapsulations: Cisco and IETF. Cisco is the default, and it means that you have 
a Cisco router on each end of the Frame Relay network. Using Figure 21.20, if you don’t 
have a Cisco router on the remote end of your Frame Relay network, then you need to run 
the IETF encapsulation as shown here:
RouterA(config)#int s0
RouterA(config-if)#encapsulation frame-relay ?
 ietf Use RFC1490 encapsulation
 <cr>
RouterA(config-if)#encapsulation frame-relay ietf
Once you verify that you’re using the correct encapsulation, you then need to check out 
your Frame Relay mappings. For an example, take a look at Figure 21.20.
Figure 21.20 Frame Relay mappings (RouterA, DLCI 100, connects across the Frame Relay cloud to RouterB, DLCI 200)
RouterA#show running-config
interface s0/0
ip address 172.168.100.2 255.255.0.0
encapsulation frame-relay
frame-relay map ip 172.16.100.1 200 broadcast
So why can’t RouterA talk to RouterB across the Frame Relay network in Figure 21.20? 
To find that out, take a close look at the frame-relay map statement. See the problem now? 
You cannot use a remote DLCI to communicate to the Frame Relay switch; you must use 
your DLCI number! The mapping should have included DLCI 100 instead of DLCI 200.
Now that you know how to ensure that you have the correct Frame Relay encapsulation, 
and that DLCIs are only locally significant, let’s look into some routing protocol problems 
that are often associated with Frame Relay. See if you can find a problem with the two configurations in Figure 21.21.
Figure 21.21 Frame Relay routing problems (RouterA, DLCI 100, connects across the Frame Relay cloud to RouterB, DLCI 200)
RouterA#show running-config
interface s0/0
ip address 172.16.100.2 255.255.0.0
encapsulation frame-relay
frame-relay map ip 172.16.100.1 100
router rip
network 172.16.0.0
RouterB#show running-config
interface s0/0
ip address 172.16.100.1 255.255.0.0
encapsulation frame-relay
frame-relay map ip 172.16.100.2 200
router rip
network 172.16.0.0
Hmmmm, the configs look pretty good. Actually, they look great, so what’s the problem? 
Well, remember that Frame Relay is a nonbroadcast multi-access (NBMA) network by default, 
meaning that it doesn’t allow any broadcasts across the PVC. So, because the mapping statements do not have the broadcast argument at the end of the line, broadcasts such as RIP 
updates or multicasts to neighbors such as Hello packets, won’t be sent across the PVC. The 
correct line for RouterA would look like this:
frame-relay map ip 172.16.100.1 100 broadcast
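The checks from this troubleshooting section can be run against a saved running-config. This Python sketch is an added example, not code from the book or from Cisco: it flags a frame-relay map that lacks broadcast while a routing protocol is configured, a DLCI that is not one of the router's local DLCIs, and an IP address left on a physical interface that has subinterfaces. The sample configuration is constructed, and the function names and the local_dlcis parameter are assumptions.

```python
import re

# Constructed sample: one config that combines the mistakes this chapter walks
# through (remote DLCI in the map, no "broadcast", IP on the physical interface).
SAMPLE_CONFIG = """\
interface Serial0/0
 ip address 172.16.100.2 255.255.0.0
 encapsulation frame-relay
 frame-relay map ip 172.16.100.1 200
!
interface Serial0/0.102 point-to-point
 ip address 10.1.12.1 255.255.255.0
 frame-relay interface-dlci 102
!
router rip
 network 172.16.0.0
"""

MAP_RE = re.compile(r"frame-relay map ip (\S+) (\d+)(.*)")
DLCI_RE = re.compile(r"frame-relay interface-dlci (\d+)")


def parse_sections(config):
    """Group lines under their 'interface ...' or 'router ...' header line."""
    sections, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None                      # "!" closes a section
        elif re.match(r"(interface|router)\s", line):
            current = {"header": line.split(), "lines": []}
            sections.append(current)
        elif current is not None:
            current["lines"].append(line)
    return sections


def check_dlci(name, dlci, local_dlcis):
    """Yield findings about one DLCI number used on interface `name`."""
    if not 16 <= dlci <= 1007:                  # range IOS offers for interface-dlci
        yield (name, "dlci-out-of-range", f"DLCI {dlci} is outside 16-1007")
    elif dlci not in local_dlcis:
        yield (name, "dlci-not-local",
               f"DLCI {dlci} is not one of this router's local DLCIs")


def audit(config, local_dlcis):
    """Return a list of (interface, code, detail) findings.

    local_dlcis: DLCIs the provider assigned to this router's end of each PVC
    (an input the caller supplies; it cannot be derived from the config).
    """
    sections = parse_sections(config)
    interfaces = [s for s in sections if s["header"][0] == "interface"]
    names = [s["header"][1] for s in interfaces]
    routing = any(s["header"][0] == "router" for s in sections)
    findings = []
    for section in interfaces:
        name = section["header"][1]
        has_ip = any(ln.startswith("ip address ") for ln in section["lines"])
        if has_ip and any(n.startswith(name + ".") for n in names):
            findings.append((name, "ip-on-physical",
                             "IP address on a physical interface that has subinterfaces"))
        for line in section["lines"]:
            mapping, ifdlci = MAP_RE.match(line), DLCI_RE.match(line)
            if mapping:
                peer, dlci = mapping.group(1), int(mapping.group(2))
                if routing and "broadcast" not in mapping.group(3).split():
                    findings.append((name, "map-no-broadcast",
                                     f"map to {peer} lacks 'broadcast'; routing "
                                     "updates will not cross the PVC"))
                findings.extend(check_dlci(name, dlci, local_dlcis))
            elif ifdlci:
                findings.extend(check_dlci(name, int(ifdlci.group(1)), local_dlcis))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, local_dlcis={100, 102}):
        print(*finding, sep=" | ")
```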
But wait, do we even use RIP in our internetworks today? Maybe there are problems 
with the routing protocols EIGRP and OSPF over Frame Relay as well? Let’s take a look 
at Figure 21.22 and see if you can spot a problem with the OSPF configuration. After this, 
we’ll move on to troubleshooting EIGRP.
Since Frame Relay NBMA networks won’t allow broadcasts or multicasts, an OSPF router 
will not attempt to dynamically discover any OSPF neighbors on the Frame Relay interface. 
Also, since this means that elections won’t be allowed, you’d have to statically configure OSPF 
neighbors, plus the Corp router would need to be configured as a DR. Even though these are 
serial links, an NBMA network behaves like Ethernet and a DR is needed to exchange routing information. Only the Corp router can act as a DR because it would have the PVCs for all 
other routers. But the easiest way to fix this problem is to use the command ip ospf network 
point-to-multipoint on all router Frame Relay interfaces—not just the Corp router, but all 
branches too!
Figure 21.22 Frame Relay OSPF routing problems
[Diagram: Corp and SF connected across a Frame Relay cloud. Corp label: To SF use DLCI 101. SF side: DLCI 200.]
Corp#show running-config
interface s0/0
ip address 172.16.100.2 255.255.0.0
encapsulation frame-relay
frame-relay interface-dlci 101
frame-relay map ip 172.16.100.1 101
router ospf 1
network 172.16.0.0 0.0.255.255 area 0
SF#show running-config
interface s0/0
ip address 172.16.100.1 255.255.0.0
encapsulation frame-relay
frame-relay map ip 172.16.100.2 200
router ospf 1
network 172.16.0.0 0.0.255.255 area 0
Okay, this would solve the problem if you’re running OSPF, but what if you’re running 
EIGRP? In Figure 21.23 you can see three remote connection sites to the Corp router with 
all routers running EIGRP. The hosts behind the Corp router can communicate to all hosts 
in all remote networks, but hosts in SF, LA, and NY cannot communicate to each other.
Figure 21.23 Frame Relay EIGRP routing problems
[Diagram: Corp connected across a Frame Relay cloud to SF, LA, and NY, all running EIGRP 100. Corp labels: To SF use DLCI 101, To LA use DLCI 102, To NY use DLCI 103. Remote-side DLCIs shown: 200, 300, 400.]
Let’s take a look at the configuration of the Corp router now:
interface Serial0/0
 ip address 192.168.10.1 255.255.255.0
 encapsulation frame-relay
 frame-relay interface-dlci 101
 frame-relay interface-dlci 102
 frame-relay interface-dlci 103
!
The Frame Relay network is all on one subnet, and the configuration looks good, so why 
can’t hosts on the remote networks communicate to each other? Here’s your answer: The SF 
router sends an EIGRP route update to the Corp router and the Corp router updates the local 
routing table with a route to SF’s network. LA and NY do the same thing and then each site’s 
remote networks can communicate to the hosts behind the Corp router. However, when the 
Corp router sends route updates to the SF, LA, and NY routers, the updates never include 
the other sites’ remote networks because of the split horizon rule. This rule says you cannot 
advertise a network back out the same interface you received it on, which is the default configuration of all Cisco serial interfaces. This prevents routing loops from occurring.
We can solve this problem with subinterfaces. Take a look at the Corp router’s new configuration with subinterfaces, which solves the split horizon issues. Here are the steps to take:
1. Remove the IP address and interface-dlci commands from under the physical interface. 
2. Create a subinterface (logical interface) for each PVC.
3. Design and implement a separate subnet (address space) for each subinterface.
4. Add the command frame-relay interface-dlci dlci under each subinterface.
interface Serial0/0
 ! Notice there is no IP address on the physical interface!
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.101 point-to-point
 ip address 192.168.10.1 255.255.255.252
 frame-relay interface-dlci 101
!
interface Serial0/0.102 point-to-point
 ip address 192.168.10.5 255.255.255.252
 frame-relay interface-dlci 102
!
interface Serial0/0.103 point-to-point
 ip address 192.168.10.9 255.255.255.252
 frame-relay interface-dlci 103
!
Notice that there is no IP address under the physical interface, that each subinterface is a 
separate subnet or address space, and that I needed to add the frame-relay interface-dlci
command under each subinterface. Our split horizon issue is now resolved.
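The following Python model is an added illustration, not code from the book. It applies the split horizon rule to the Corp hub, first with all three PVCs on Serial0/0 and then with one point-to-point subinterface per PVC. The LAN prefixes behind each router and all function names are constructed for the example.

```python
# Added illustration: a minimal distance-vector model of the Corp hub.
# The LAN prefixes below are constructed sample values, not from the book.

CORP_LAN = "10.10.10.0/24"
REMOTE_LANS = {
    "SF": "10.1.1.0/24",
    "LA": "10.2.2.0/24",
    "NY": "10.3.3.0/24",
}

# Original design: every PVC terminates on the one physical interface.
MULTIPOINT = {"SF": "Serial0/0", "LA": "Serial0/0", "NY": "Serial0/0"}
# Fixed design: one point-to-point subinterface per PVC (DLCIs 101-103).
SUBINTERFACES = {
    "SF": "Serial0/0.101",
    "LA": "Serial0/0.102",
    "NY": "Serial0/0.103",
}


def corp_routing_table(pvc_to_interface):
    """Routes Corp holds: prefix -> interface the route was learned on."""
    table = {CORP_LAN: "FastEthernet0/0"}      # directly connected LAN
    for site, iface in pvc_to_interface.items():
        table[REMOTE_LANS[site]] = iface       # learned from that site's update
    return table


def advertise(table, out_iface, split_horizon=True):
    """Prefixes Corp places in an update sent out `out_iface`.

    Split horizon: a prefix is never advertised back out the interface
    it was learned on.
    """
    return sorted(
        prefix
        for prefix, learned_on in table.items()
        if not (split_horizon and learned_on == out_iface)
    )


def routes_learned_by_sites(pvc_to_interface, split_horizon=True):
    """What each remote site hears from Corp over its PVC."""
    table = corp_routing_table(pvc_to_interface)
    return {
        site: advertise(table, iface, split_horizon)
        for site, iface in pvc_to_interface.items()
    }


def unreachable_pairs(learned):
    """(site, other) pairs where `site` has no route to the other site's LAN."""
    return sorted(
        (site, other)
        for site, prefixes in learned.items()
        for other, lan in REMOTE_LANS.items()
        if other != site and lan not in prefixes
    )


if __name__ == "__main__":
    for name, design in (("multipoint", MULTIPOINT),
                         ("subinterfaces", SUBINTERFACES)):
        learned = routes_learned_by_sites(design)
        print(name)
        for site, prefixes in learned.items():
            print(f"  {site} learns {prefixes}")
        print(f"  missing routes: {unreachable_pairs(learned)}")
```

With the multipoint design every site learns only Corp's LAN; with subinterfaces each update arrives on a different logical interface, so split horizon no longer suppresses the other sites' prefixes.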
Virtual Private Networks
I’d be pretty willing to bet you’ve heard the term VPN more than once before. Maybe you 
even know what one is, but just in case, a virtual private network (VPN) allows the creation 
of private networks across the Internet, enabling privacy and tunneling of non-TCP/IP protocols. VPNs are used daily to give remote users and disjointed networks connectivity over a 
public medium like the Internet instead of using more expensive permanent means.
No worries—VPNs aren’t really that hard to understand. A VPN fits somewhere between 
a LAN and WAN, with the WAN often simulating a LAN link because your computer, on 
one LAN, connects to a different, remote LAN and uses its resources remotely. The key 
drawback to using VPNs is a big one—security! So the definition of connecting a LAN (or 
VLAN) to a WAN may sound the same as using a VPN, but a VPN is actually much more. 
Here’s the difference: A typical WAN connects two or more remote LANs together using 
a router and someone else’s network, like, say, your Internet service provider (ISP). Your local 
host and router see these networks as remote networks and not as local networks or local 
resources. This would be a WAN in its most general definition. A VPN actually makes your 
local host part of the remote network by using the WAN link that connects you to the remote 
LAN. The VPN will make your host appear as though it’s actually local on the remote network. This means that we now have access to the remote LAN’s resources, and that access is 
also very secure!
This may sound a lot like a VLAN definition, and really, the concept is the same: 
“Take my host and make it appear local to the remote resources.” Just remember this key 
distinction: For networks that are physically local, using VLANs is a good solution, but 
for physically remote networks that span a WAN, opt for using VPNs instead.
For a simple VPN example, let’s use my home office in Boulder, Colorado. Here, I 
have my personal host, but I want it to appear as if it’s on a LAN in my corporate office 
in Dallas, Texas, so I can get to my remote servers. VPN is the solution I would opt for 
to achieve my goal. 
Figure 21.24 shows this example of my host using a VPN connection from Boulder to 
Dallas, which allows me to access the remote network services and servers as if my host 
were right there on the same VLAN as my servers.
Why is this so important? If you answered, “Because my servers in Dallas are secure, and 
only the hosts on the same VLAN are allowed to connect to them and use the resources of 
these servers,” you nailed it! A VPN allows me to connect to these resources by locally attaching to the VLAN through a VPN across the WAN. The other option is to open up my network 
and servers to everyone on the Internet or another WAN service, in which case my security 
goes “poof.” So clearly, it’s imperative I have a VPN!
Figure 21.24 Example of using a VPN
[Diagram: My host in Colorado appears local to the servers on the secure VLAN in the secure server room at the Dallas corporate office.]
Benefits of VPNs
There are many benefits to using VPNs on your corporate and even home network. The 
benefits covered in the Cisco exam objectives are as follows: 
Security: VPNs can provide very good security by using advanced encryption and authentication protocols, which will help protect your network from unauthorized access. IPsec 
and SSL fall into this category. Secure Sockets Layer (SSL) is an encryption technology used 
with web browsers, which have native SSL encryption, and is known as Web VPN. You can 
also use the Cisco AnyConnect SSL VPN client installed on your PC to provide an SSL VPN 
solution, as well as the Clientless Cisco SSL VPN. 
Cost Savings: By connecting the corporate remote offices to their closest Internet provider, 
and then creating a VPN tunnel with encryption and authentication, I gain a huge savings 
over opting for traditional leased point-to-point lines. This also permits higher bandwidth 
links and security, all for far less money than traditional connections.
Scalability: VPNs scale very well to quickly bring up new offices or have mobile users 
connect securely while traveling or when connecting from home.
Compatibility with broadband technology: For remote and traveling users and remote 
offices, any Internet access can provide a connection to the corporate VPN. This allows 
users to take advantage of the high-speed Internet access of DSL or cable modems.
VPNs are categorized based upon the role they play in a business. There are three different 
categories of VPNs:
Remote access VPNs allow remote users such as telecommuters to securely access the 
corporate network wherever and whenever they need to.
Site-to-site VPNs, or intranet VPNs, allow a company to connect its remote sites to the 
corporate backbone securely over a public medium like the Internet instead of requiring more expensive WAN connections like Frame Relay.
Extranet VPNs allow an organization’s suppliers, partners, and customers to be 
connected to the corporate network in a limited way for business-to-business (B2B) 
communications.
Now you’re interested, huh? And since VPNs are inexpensive and secure, I’m guessing 
you just can’t wait to find out how to create VPNs now! There’s more than one way to bring 
a VPN into being. The first approach uses IPsec to create authentication and encryption services between endpoints on an IP network. The second way is via tunneling protocols, which 
allow you to establish a tunnel between endpoints on a network. And understand that the 
tunnel itself is a means for data or protocols to be encapsulated inside another protocol—
pretty clean!
I’m going to go over IPsec in a minute, but first I really want to describe four of the most 
common tunneling protocols in use today:
Layer 2 Forwarding (L2F) is a Cisco-proprietary tunneling protocol, and it was Cisco’s 
first tunneling protocol created for virtual private dial-up networks (VPDNs). A VPDN 
allows a device to use a dial-up connection to create a secure connection to a corporate 
network. L2F was later replaced by L2TP, which is backward compatible with L2F.
Point-to-Point Tunneling Protocol (PPTP) was created by Microsoft and others to 
allow the secure transfer of data from remote networks to the corporate network.
Layer 2 Tunneling Protocol (L2TP) was created by Cisco and Microsoft to replace 
L2F and PPTP. L2TP merged the capabilities of both L2F and PPTP into one tunneling protocol.
Generic Routing Encapsulation (GRE) is another Cisco-proprietary tunneling protocol. It forms virtual point-to-point links, allowing for a variety of protocols to be 
encapsulated in IP tunnels. I’ll cover GRE in more detail, including how to configure 
it, at the end of this chapter.
Okay—now that you’re clear on both exactly what a VPN is and the various types of 
VPNs available, it’s time to dive into IPsec.
Introduction to Cisco IOS IPsec
Simply put, IPsec is an industry-wide standard framework of protocols and algorithms that 
allows for secure data transmission over an IP-based network and functions at the layer 3 
Network layer of the OSI model. 
Did you notice I said IP-based network? That’s really important because by itself, IPsec 
can’t be used to encrypt non-IP traffic. This means that if you run into a situation where 
you have to encrypt non-IP traffic, you’ll need to create a Generic Routing Encapsulation 
(GRE) tunnel for it (which I explain later) and then use IPsec to encrypt that tunnel!
IPsec Transforms
An IPsec transform specifies a single security protocol with its corresponding security algorithm; without these transforms, IPsec wouldn’t be able to give us its glory. It’s important to be 
familiar with these technologies, so let me take a second to define the security protocols and 
briefly introduce the supporting encryption and hashing algorithms that IPsec relies upon.
Security Protocols
The two primary security protocols used by IPsec are Authentication Header (AH) and 
Encapsulating Security Payload (ESP).
Authentication Header (AH)
The AH protocol provides authentication for the data and the IP header of a packet using a 
one-way hash for packet authentication. It works like this: The sender generates a one-way 
hash; then the receiver generates the same one-way hash. If the packet has changed in any way, 
it won’t be authenticated and will be dropped. So basically, IPsec relies upon AH to guarantee 
authenticity. AH checks the entire packet, but it doesn’t offer any encryption services.
This is unlike ESP, which only provides an integrity check on the data of a packet.
Encapsulating Security Payload (ESP)
It won’t tell you when or how the NASDAQ’s gonna bounce up and down like a superball, 
but ESP will provide confidentiality, data origin authentication, connectionless integrity, 
anti-replay service, and limited traffic-flow confidentiality by defeating traffic flow analysis—
which is almost as good! Anyway, there are five components of ESP: 
Confidentiality (encryption): This allows the sending device to encrypt the packets before 
transmitting in order to prevent eavesdropping. Confidentiality is provided through the 
use of symmetric encryption algorithms like DES or 3DES. Confidentiality can be selected 
separately from all other services, but the confidentiality selected must be the same on both 
endpoints of your VPN.
Data integrity: Data integrity allows the receiver to verify that the data received was not 
altered in any way along the way. IPsec uses checksums as a simple check of the data.
Authentication: Authentication ensures that the connection is made with the correct partner. The receiver can authenticate the source of the packet by guaranteeing and certifying 
the source of the information.
Anti-replay service: Anti-replay election is based upon the receiver, meaning the service 
is effective only if the receiver checks the sequence number. In case you were wondering, a 
replay attack is when a hacker nicks a copy of an authenticated packet and later transmits 
it to the intended destination. When the duplicate, authenticated IP packet gets to the destination, it can disrupt services and generally wreak havoc. The Sequence Number field is 
designed to foil this type of attack.
Traffic flow: For traffic flow confidentiality to work, you have to have at least tunnel 
mode selected. It’s most effective if it’s implemented at a security gateway where tons 
of traffic amasses because it’s precisely the kind of environment that can mask the true 
source-destination patterns to bad guys who are trying to breach your network’s security.
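As an added example (not from the book), this Python code shows the receiver-side checks described for AH and for ESP's data integrity, authentication, and anti-replay services: the receiver recomputes the keyed hash over the packet and tracks sequence numbers in a sliding window. The HMAC-SHA-256 check value truncated to 16 bytes, the 64-packet window, the key, and the SPI are assumptions chosen for the example, and payload encryption is left out so the checks stay visible.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16    # assumption: HMAC-SHA-256 output truncated to 128 bits
WINDOW = 64     # assumption: receiver remembers the last 64 sequence numbers


def build_esp(key, spi, seq, payload):
    """Sender side: SPI | sequence number | payload | ICV (encryption omitted)."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class EspReceiver:
    """Receiver-side integrity and anti-replay checks for one security association."""

    def __init__(self, key, spi):
        self.key = key
        self.spi = spi
        self.highest = 0    # highest sequence number that passed authentication
        self.bitmap = 0     # bit i set: sequence number (highest - i) already accepted

    def _replay_check(self, seq):
        if seq == 0:
            return "invalid-seq"        # senders start counting at 1
        if seq > self.highest:
            return "ok"                 # ahead of the window: candidate new packet
        offset = self.highest - seq
        if offset >= WINDOW:
            return "too-old"            # fell off the left edge of the window
        if (self.bitmap >> offset) & 1:
            return "replay"             # this sequence number was already accepted
        return "ok"

    def receive(self, packet):
        if len(packet) < 8 + ICV_LEN:
            return "malformed"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "unknown-spi"
        verdict = self._replay_check(seq)
        if verdict != "ok":
            return verdict              # cheap reject before any crypto work
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "bad-icv"            # window untouched: a forgery cannot move it
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return "accepted"


def demo():
    """Feed a constructed packet sequence to the receiver; return (label, verdict) pairs."""
    key = b"constructed-demo-key"       # constructed sample key
    spi = 0x1001                        # constructed SPI
    rx = EspReceiver(key, spi)
    pkt = {n: build_esp(key, spi, n, b"payload %d" % n) for n in (1, 2, 3, 4, 100)}
    tampered = bytearray(pkt[4])
    tampered[8] ^= 0x01                 # one payload bit altered in transit
    return [
        ("seq 1", rx.receive(pkt[1])),
        ("seq 3 arrives early", rx.receive(pkt[3])),
        ("seq 2 arrives late", rx.receive(pkt[2])),
        ("seq 2 replayed", rx.receive(pkt[2])),
        ("seq 4 tampered", rx.receive(bytes(tampered))),
        ("seq 4 genuine", rx.receive(pkt[4])),
        ("seq 100", rx.receive(pkt[100])),
        ("seq 3 replayed, now outside window", rx.receive(pkt[3])),
    ]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:36} {verdict}")
```

The order of operations matters: the window advances only after the check value verifies, so the tampered copy of packet 4 is dropped without blocking the genuine one.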
Encryption
VPNs create a private network over a public network infrastructure, but to maintain 
confidentiality and security, we really need to use IPsec with our VPNs. IPsec uses various types of protocols to perform encryption. The types of encryption algorithms used 
today are as follows:
Symmetric encryption: This encryption requires a shared secret to encrypt and decrypt. 
Each computer encrypts the data before sending info across the network, with this same 
key being used to both encrypt and decrypt the data. Examples of symmetric key encryption are Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption 
Standard (AES).
Asymmetric encryption: Devices that use asymmetric encryption use different keys for 
encryption than they do for decryption. These keys are called private and public keys.
Private keys encrypt a hash from the message to create a digital signature, which is then verified via decryption using the public key. Public keys encrypt a symmetric key for secure distribution to the receiving host, which then decrypts that symmetric key using its exclusively held 
private key. It’s not possible to encrypt and decrypt using the same key. This is a variant of 
public key encryption that uses a combination of both public and private keys. An example 
of asymmetric encryption is Rivest, Shamir, and Adleman (RSA).
As you can see from the amount of information I’ve thrown at you so far, establishing a 
VPN connection between two sites takes study, time, and practice. And I am just scratching 
the surface here! I know it can be difficult at times, and it can take quite a bit of patience. 
Cisco does have some GUI interfaces to help with this process, and they can be very helpful 
for configuring VPNs with IPsec. Though highly useful and very interesting, they are just 
beyond the scope of this book, so I’m not going to delve further into this topic here.
To read about the latest buzz on encryption techniques, take a look at this Cisco URL: 
http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html
GRE Tunnels
Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate many protocols inside IP tunnels. Some examples would be routing protocols such as EIGRP and OSPF 
and the routed protocol IPv6. Figure 21.25 shows the different pieces of a GRE header.
A GRE tunnel interface supports a header for each of the following:
■ A passenger protocol or encapsulated protocols like IP or IPv6, which is the protocol 
being encapsulated by GRE
■ GRE encapsulation protocol
■ A Transport delivery protocol, typically IP 
GRE tunnels have the following characteristics:
■ GRE uses a protocol-type field in the GRE header so any layer 3 protocol can be used 
through the tunnel.
■ GRE is stateless and has no flow control.
■ GRE offers no security.
■ GRE creates additional overhead for tunneled packets—at least 24 bytes.
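An added Python example, not from the book, that builds the three layers of a GRE packet (transport IP header, GRE header, passenger packet) between the tunnel endpoints used in this chapter and parses them back. It shows where the 24-byte minimum overhead comes from and that the passenger travels in cleartext, which is why GRE is paired with IPsec; the passenger payload, inner protocol number 253, and the GRE key value in the test are constructed.

```python
import ipaddress
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # checksum / key / sequence present
IPPROTO_GRE = 47
PROTOCOL_TYPES = {0x0800: "IPv4", 0x86DD: "IPv6"}


def inet_checksum(data):
    """16-bit one's-complement checksum used by IPv4 and GRE's optional checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=255):
    """20-byte IPv4 header without options."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def gre_encapsulate(passenger, proto_type=0x0800, key=None, seq=None, checksum=False):
    """GRE header + passenger. With no options the GRE header is 4 bytes."""
    flags = 0
    optional = b""
    if checksum:
        flags |= GRE_C
        optional += b"\x00" * 4          # checksum + reserved, filled in below
    if key is not None:
        flags |= GRE_K
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_S
        optional += struct.pack("!I", seq)
    header = struct.pack("!HH", flags, proto_type) + optional
    if checksum:
        csum = inet_checksum(header + passenger)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + passenger


def tunnel_packet(passenger, src="63.1.1.1", dst="63.1.1.2", **gre_options):
    """Transport IP header + GRE header + passenger."""
    gre = gre_encapsulate(passenger, **gre_options)
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre)) + gre


def gre_decapsulate(packet):
    """Parse what any on-path observer can parse: outer IPv4, GRE fields, passenger."""
    if len(packet) < 24 or packet[0] >> 4 != 4 or packet[9] != IPPROTO_GRE:
        raise ValueError("not GRE over IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 4:
        raise ValueError("truncated GRE header")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    needed = ihl + 4 + 4 * sum(bool(flags & bit) for bit in (GRE_C, GRE_K, GRE_S))
    if len(packet) < needed:
        raise ValueError("truncated GRE header")
    fields = {"protocol": PROTOCOL_TYPES.get(proto_type, hex(proto_type))}
    offset = ihl + 4
    if flags & GRE_C:
        fields["checksum_ok"] = inet_checksum(packet[ihl:]) == 0
        offset += 4
    if flags & GRE_K:
        fields["key"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_S:
        fields["sequence"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    fields["overhead"] = offset          # transport IP header + GRE header
    fields["passenger"] = packet[offset:]
    return fields


# Constructed passenger: an IPv4 packet between the chapter's tunnel addresses.
SECRET = b"constructed cleartext payload"
PASSENGER = ipv4_header("192.168.10.1", "192.168.10.2", 253, len(SECRET)) + SECRET

if __name__ == "__main__":
    plain = tunnel_packet(PASSENGER)
    info = gre_decapsulate(plain)
    print("default overhead:", info["overhead"], "bytes; passenger is", info["protocol"])
    print("payload readable on the wire:", SECRET in plain)
    full = gre_decapsulate(tunnel_packet(PASSENGER, key=7, seq=1, checksum=True))
    print("with checksum, key and sequence:", full["overhead"], "bytes")
```

The optional GRE checksum only detects accidental corruption; anyone who can alter the packet can recompute it, so it is not an integrity control.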
Now let’s take a look at how to configure a GRE tunnel. It’s actually pretty simple.
Figure 21.25 Generic Routing Encapsulation (GRE) tunnel structure
[Diagram: two IP VPN sites (passenger protocol) joined by a GRE tunnel (carrier protocol) across an IP network (transportation protocol). Packet layout: transport IP header, GRE header, passenger (IP) packet.]
Configuring GRE Tunnels
Before you attempt to configure a GRE tunnel, you need to create an implementation plan. 
Here’s a checklist for what you need to configure and implement a GRE:
■ Use IP addressing.
■ Create the logical tunnel interfaces.
■ Specify that you’re using GRE tunnel mode under the tunnel interface (this is optional 
since this is the default tunnel mode).
■ Specify the tunnel source and destination IP addresses.
■ Configure an IP address for the tunnel interface.
Let’s take a look at how to bring up a simple GRE tunnel. Figure 21.26 shows the network with two routers.
First, we need to make the logical tunnel with the interface tunnel number command. 
We can use any number up to 2.14 billion. 
Corp(config)#int s0/0/0
Corp(config-if)#ip address 63.1.1.1 255.255.255.252
Corp(config)#int tunnel ?
 <0-2147483647> Tunnel interface number
Corp(config)#int tunnel 0
*Jan 5 16:58:22.719:%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, 
changed state to down
Figure 21.26 Example of GRE configuration
[Diagram: Corp (S0/0, 63.1.1.1/30; Tunnel 0, 192.168.10.1/24) and SF (S0/0/0, 63.1.1.2/30; Tunnel 0, 192.168.10.2/24) connected by a GRE tunnel across the Internet.]
Once we have configured our interface and created the logical tunnel, we need to configure the mode and then transport protocol.
Corp(config-if)#tunnel mode ?
 aurp AURP TunnelTalk AppleTalk encapsulation
 cayman Cayman TunnelTalk AppleTalk encapsulation
 dvmrp DVMRP multicast tunnel
 eon EON compatible CLNS tunnel
 gre generic route encapsulation protocol
 ipip IP over IP encapsulation
 ipsec IPSec tunnel encapsulation
 iptalk Apple IPTalk encapsulation
 ipv6 Generic packet tunneling in IPv6
 ipv6ip IPv6 over IP encapsulation
 nos IP over IP encapsulation (KA9Q/NOS compatible)
 rbscp RBSCP in IP tunnel
Corp(config-if)#tunnel mode gre ?
 ip over IP
 ipv6 over IPv6
 multipoint over IP (multipoint)
Corp(config-if)#tunnel mode gre ip
Okay, now that we’ve created the tunnel interface, the type, and the transport protocol, 
we must configure our IP addresses for use inside of the tunnel. Of course, you need to use 
your actual physical interface IP for the tunnel to send traffic across the Internet, but you 
also need to configure the tunnel source and tunnel destination addresses.
Corp(config-if)#ip address 192.168.10.1 255.255.255.0
Corp(config-if)#tunnel source 63.1.1.1
Corp(config-if)#tunnel destination 63.1.1.2
Corp#sho run interface tunnel 0
Building configuration...
Current configuration : 117 bytes
!
interface Tunnel0
 ip address 192.168.10.1 255.255.255.0
 tunnel source 63.1.1.1
 tunnel destination 63.1.1.2
end
Now let’s configure the other end of the serial link and watch the tunnel pop up!
SF(config)#int s0/0/0
SF(config-if)#ip address 63.1.1.2 255.255.255.252
SF(config-if)#int t0
SF(config-if)#ip address 192.168.10.2 255.255.255.0
SF(config-if)#tunnel source 63.1.1.2
SF(config-if)#tun destination 63.1.1.1
*May 19 22:46:37.099: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, 
changed state to up
Oops—did I forget to set my tunnel mode and transport to GRE and IP on the SF 
router? No, I didn’t need to because it’s the default tunnel mode on Cisco IOS. Nice! 
So, first I set the physical interface IP address (which used a global address even though 
I didn’t have to), then I created the tunnel interface and set the IP address of the tunnel 
interface. It’s really important that you remember to configure the tunnel interface with 
the actual source and destination IP addresses to use or the tunnel won’t come up. In my 
example, the 63.1.1.2 was the source and 63.1.1.1 was the destination.
Verifying GRE Tunnels
As usual I’ll start with my favorite troubleshooting command, show ip interface brief.
Corp#sh ip int brief
Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    10.10.10.5      YES manual up                    up
Serial0/0          63.1.1.1        YES manual up                    up
FastEthernet0/1    unassigned      YES unset  administratively down down
Serial0/1          unassigned      YES unset  administratively down down
Tunnel0            192.168.10.1    YES manual up                    up
In this output, you can see that the tunnel interface is now showing as an interface on 
my router. You can see the IP address of the tunnel interface, and the Physical and Data 
Link status show as up/up. So far so good, let’s take a look at the interface with the show 
interfaces tunnel 0 command.
Corp#sh int tun 0
Tunnel0 is up, line protocol is up
 Hardware is Tunnel
 Internet address is 192.168.10.1/24
 MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation TUNNEL, loopback not set
 Keepalive not set
 Tunnel source 63.1.1.1, destination 63.1.1.2
 Tunnel protocol/transport GRE/IP
 Key disabled, sequencing disabled
 Checksumming of packets disabled
 Tunnel TTL 255
 Fast tunneling enabled
 Tunnel transmit bandwidth 8000 (kbps)
 Tunnel receive bandwidth 8000 (kbps)
The show interfaces command shows the configuration settings and the interface status 
as well as the IP address, tunnel source, and destination address. The output also shows the 
tunnel protocol, which is GRE/IP. Last, let’s take a look at the routing table with the show 
ip route command.
Corp#sh ip route
[output cut]
 192.168.10.0/24 is subnetted, 2 subnets
C 192.168.10.0/24 is directly connected, Tunnel0
L 192.168.10.1/32 is directly connected, Tunnel0
 63.0.0.0/30 is subnetted, 2 subnets
C 63.1.1.0 is directly connected, Serial0/0
L 63.1.1.1/32 is directly connected, Serial0/0
The tunnel0 interface shows up as a directly connected interface, and although it’s 
a logical interface, the router treats it as a physical interface, just like serial 0/0 in the 
routing table. 
Corp#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)
Did you notice that I just pinged 192.168.10.2 across the Internet?
Summary
In this chapter, you learned the difference between the following WAN services: cable, DSL, 
HDLC, PPP, PPPoE, and Frame Relay. You also learned that you can use a VPN once any of 
those services are up and running, as well as how to create and verify a tunnel interface.
It’s so important for you to understand High-Level Data-Link Control (HDLC) and how 
to verify with the show interface command that HDLC is enabled! You’ve been provided 
with some really important HDLC information as well as information on how the Point-to-Point Protocol (PPP) is used if you need more features than HDLC offers or if you’re using 
two different brands of routers. You now know that this is because various versions of 
HDLC are proprietary and won’t work between two different vendors’ routers.
When we went through the section on PPP, I discussed the various LCP options as well 
as the two types of authentication that can be used: PAP and CHAP.
And we talked about Frame Relay and the two different encapsulation methods used 
with it in detail. We also discussed LMI options, Frame Relay maps, and subinterface configurations. In addition to the Frame Relay terms and features we covered, I demonstrated 
Frame Relay configuration and verification in depth.
We finished up the chapter with a discussion on virtual private networks, IPsec, and 
encryption, and I explained GRE and how to configure the tunnel and then verify it.
Exam Essentials
Remember the default serial encapsulation on Cisco routers. Cisco routers use a proprietary 
High-Level Data-Link Control (HDLC) encapsulation on all their serial links by default.
Understand the different Frame Relay encapsulations. Cisco uses two different Frame 
Relay encapsulation methods on its routers: Cisco and IETF. If you are using the Cisco 
encapsulation method, you are telling your router that a Cisco router is installed on the 
other side of the PVC. If you are using the IETF encapsulation, you are telling your router 
that a non-Cisco router is installed on the other side of the PVC.
Remember what the CIR is in Frame Relay. The CIR is the average rate, in bits per second, 
at which the Frame Relay switch agrees to transfer data.
Remember the commands for verifying and troubleshooting Frame Relay. The show 
frame-relay lmi command will give you statistics on the LMI traffic exchanged between the local router and the Frame Relay switch. The show frame pvc
command will list all configured PVCs and DLCI numbers.
Remember the PPP Data Link layer protocols. The three Data Link layer protocols are 
Network Control Protocol (NCP), which defines the Network layer protocols; Link Control 
Protocol (LCP), a method of establishing, configuring, maintaining, and terminating the 
point-to-point connection; and High-Level Data-Link Control (HDLC), the MAC layer 
protocol that encapsulates the packets.
Be able to troubleshoot a PPP link. Understand that a PPP link between two routers will 
show up, and a ping would even work between the routers, even if the layer 3 addresses are wrong.
Remember the various types of serial WAN connections. The serial WAN connections 
that are most widely used are HDLC, PPP, and Frame Relay.
Understand the term virtual private network. You need to understand why and how to 
use a VPN between two sites and the purpose that IPsec serves with VPNs.
Understand how to configure and verify a GRE tunnel. To configure GRE, first configure 
the logical tunnel with the interface tunnel number command. Configure the mode and 
transport, if needed, with the tunnel mode mode protocol command, then configure the 
IP addresses on the tunnel interfaces, the tunnel source and tunnel destination addresses, 
and your physical interfaces with global addresses. Verify with the show interface tunnel 
command as well as the ping protocol.
Written Lab 7
The answers to this lab can be found in Appendix A, “Answers to Written Labs.”
Write the answers to the following WAN questions:
1. Write the command to see the encapsulation method on serial 0/0 of a Cisco router.
2. Write the commands to configure s0/0 to PPP encapsulation.
3. Write the commands to configure a username of todd and password of cisco that is 
used on a Cisco router for PPP authentication.
4. Write the commands to enable CHAP authentication on a Cisco serial interface. 
(Assume PPP is the encapsulation type.)
5. Write the commands to configure the DLCI numbers for two serial interfaces, 0/0 and 
0/1. Use 16 for s0/0 and 17 for s0/1.
6. Write the commands to configure a remote office using a point-to-point subinterface. 
Use DLCI 16 and IP address 172.16.60.1/24.
7. What protocol would you use if you were running xDSL and needed authentication?
8. What are the three protocols specified in PPP?
9. To provide security in your VPN tunnel, what protocol suite would you use?
10. What are the typical three different categories of VPNs?
Hands-on Labs
In this section, you will configure Cisco routers in three different WAN labs using the figure supplied in each lab. (These labs are included for use with real Cisco routers but work 
perfectly with the LammleSim IOS simulator and with Cisco’s Packet Tracer program.)
Lab 7.1: Configuring PPP Encapsulation and Authentication
Lab 7.2: Configuring and Monitoring HDLC
Lab 7.3: Configuring Frame Relay and Subinterfaces
Lab 7.4: Configuring a GRE Tunnel
Hands-on Lab 7.1: Configuring PPP Encapsulation 
and Authentication
By default, Cisco routers use High-Level Data-Link Control (HDLC) as a point-to-point 
encapsulation method on serial links. If you are connecting to non-Cisco equipment, then 
you can use the PPP encapsulation method to communicate.
Labs 7.1 and 7.2 will have you configure the following diagram.
[Diagram: RouterA, RouterB, and RouterC, each with a Fa0/0 LAN interface, joined by serial links; interface labels S0/0 and S0/1, with two ends marked DCE.]
1. Type sh int s0/0 on RouterA and RouterB to see the encapsulation method.
2. Make sure each router has the hostname assigned.
RouterA#config t
RouterA(config)#hostname RouterA
RouterB#config t
RouterB(config)#hostname RouterB
3. To change the default HDLC encapsulation method to PPP on both routers, use the 
encapsulation command at interface configuration. Both ends of the link must run 
the same encapsulation method.
RouterA#Config t
RouterA(config)#int s0
RouterA(config-if)#encap ppp
4. Now go to RouterB and set serial 0/0 to PPP encapsulation.
RouterB#config t
RouterB(config)#int s0
RouterB(config-if)#encap ppp
5. Verify the configuration by typing sh int s0/0 on both routers.
6. Notice the IPCP and CDPCP (assuming the interface is up). This is the information 
used to transmit the upper-layer (Network layer) information across the HDLC at the 
MAC sublayer.
7. Define a username and password on each router. Notice that the username is the name 
of the remote router. Also, the password must be the same.
RouterA#config t
RouterA(config)#username RouterB password todd
RouterB#config t
RouterB(config)#username RouterA password todd
8. Enable CHAP or PAP authentication on each interface.
RouterA(config)#int s0
RouterA(config-if)#ppp authentication chap
RouterB(config)#int s0
RouterB(config-if)#ppp authentication chap
9. Verify the PPP configuration on each router by using these commands.
RouterB(config-if)#shut
RouterB(config-if)#debug ppp authentication
RouterB(config-if)#no shut
Hands-on Lab 7.2: Configuring and Monitoring HDLC
There really is no configuration required for HDLC (as it is the default configuration on 
Cisco serial interfaces), but if you completed Lab 7.1, then the PPP encapsulation would be 
set on both routers. This is why I put the PPP lab first. This lab allows you to actually configure HDLC encapsulation on a router.
For this second lab, you will use the same configuration you used for Lab 7.1.
1. Set the encapsulation for each serial interface by using the encapsulation hdlc 
command.
RouterA#config t
RouterA(config)#int s0
RouterA(config-if)#encapsulation hdlc
RouterB#config t
RouterB(config)#int s0
RouterB(config-if)#encapsulation hdlc
2. Verify the HDLC encapsulation by using the show interface s0 command on 
each router.
Hands-on Lab 7.3: Configuring Frame Relay 
and Subinterfaces
In this lab, you will use the following diagram to configure Frame Relay, which can easily 
be created in LammleSim as well as Packet Tracer.
[Diagram: routers Lab_A (S0/0) and Lab_C (S0/0) connected through Lab_B (S0/0, S0/1); labels: DLCI 100, DLCI 200]
You will configure the Lab_B router to be a Frame Relay switch (this information was not 
covered in this chapter and is not included in the exam objectives; it will be preconfigured 
in LammleSim). You will then configure the Lab_A and Lab_C routers to use the switch to 
bring up the PVC.
1. Set the hostname, using the frame-relay switching command, and the encapsulation 
of each serial interface on the Frame Relay switch.
Router#config t
Router(config)#hostname Lab_B
Lab_B(config)#frame-relay switching [makes the router an FR switch]
Lab_B(config)#int s0/0
Lab_B(config-if)#encapsulation frame-relay
Lab_B(config-if)#int s0/1
Lab_B(config-if)#encapsulation frame-relay
2. Configure the Frame Relay mappings on each interface. You do not have to have IP 
addresses on these interfaces because they are only switching one interface to another 
with Frame Relay frames.
Lab_B(config-if)#int s0/0
Lab_B(config-if)#frame intf-type dce
[The above command makes this an FR DCE interface, which is different than a router's interface being DCE]
Lab_B(config-if)#frame-relay route 100 interface Serial0/1 200
Lab_B(config-if)#clock rate 64000
[The above command is used if you have this as DCE, which is different than an FR DCE]
Lab_B(config-if)#int s0/1
Lab_B(config-if)#frame intf-type dce
Lab_B(config-if)#frame-relay route 200 interface Serial0/0 100
Lab_B(config-if)#clock rate 64000 [if you have this as DCE]
This is not as hard as it looks. The route command just says that if you receive frames 
from PVC 102, send them out int s0/1 using PVC 201. The second mapping on serial 
0/1 is just the opposite. Anything that comes in int s0/1 is routed out serial0/0 using 
PVC 102.
3. Configure Lab_A with a point-to-point subinterface.
Router#config t
Router(config)#hostname Lab_A
Lab_A(config)#int s0/0
Lab_A(config-if)#encapsulation frame-relay
Lab_A(config-if)#int s0/0.102 point-to-point
Lab_A(config-if)#ip address 172.16.10.1 255.255.255.0
Lab_A(config-if)#frame-relay interface-dlci 102
4. Configure Lab_C with a point-to-point subinterface.
Router#config t
Router(config)#hostname Lab_C
Lab_C(config)#int s0/0
Lab_C(config-if)#encapsulation frame-relay
Lab_C(config-if)#int s0/0.201 point-to-point
Lab_C(config-if)#ip address 172.16.10.2 255.255.255.0
Lab_C(config-if)#frame-relay interface-dlci 201
5. Verify your configurations with the following highlighted commands.
Lab_A>sho frame ?
 ip show frame relay IP statistics
 lmi show frame relay lmi statistics
 map Frame-Relay map table
 pvc show frame relay pvc statistics
 route show frame relay route
 traffic Frame-Relay protocol statistics
6. Also, use Ping and Telnet to verify connectivity.
Hands-on Lab 7.4: Configuring a GRE Tunnel
In this lab you will configure two point-to-point routers with a simple IP GRE tunnel. You 
can use a real router, LammleSim, or Packet Tracer to do this lab.
1. First, configure the logical tunnel with the interface tunnel number command. 
Corp(config)#int s0/0/0
Corp(config-if)#ip address 63.1.1.1 255.255.255.252
Corp(config)#int tunnel ?
 <0-2147483647> Tunnel interface number
Corp(config)#int tunnel 0
*Jan 5 16:58:22.719: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
2. Once you have configured your interface and created the logical tunnel, you need to 
configure the mode and then the transport protocol.
Corp(config-if)#tunnel mode ?
 aurp AURP TunnelTalk AppleTalk encapsulation
 cayman Cayman TunnelTalk AppleTalk encapsulation
 dvmrp DVMRP multicast tunnel
 eon EON compatible CLNS tunnel
 gre generic route encapsulation protocol
 ipip IP over IP encapsulation
 ipsec IPSec tunnel encapsulation
 iptalk Apple IPTalk encapsulation
 ipv6 Generic packet tunneling in IPv6
 ipv6ip IPv6 over IP encapsulation
 nos IP over IP encapsulation (KA9Q/NOS compatible)
 rbscp RBSCP in IP tunnel
Corp(config-if)#tunnel mode gre ?
 ip over IP
 ipv6 over IPv6
 multipoint over IP (multipoint)
Corp(config-if)#tunnel mode gre ip
3. Okay, now that you have created the tunnel interface, the type, and the transport protocol, 
you need to configure your IP addresses. Of course, you need to use your actual 
interface IP for the tunnel, but you also need to configure the tunnel source and tunnel 
destination addresses.
Corp(config-if)#int t0
Corp(config-if)#ip address 192.168.10.1 255.255.255.0
Corp(config-if)#tunnel source 63.1.1.1
Corp(config-if)#tunnel destination 63.1.1.2
Corp#sho run interface tunnel 0
Building configuration...
Current configuration : 117 bytes
!
interface Tunnel0
 ip address 192.168.10.1 255.255.255.0
 tunnel source 63.1.1.1
 tunnel destination 63.1.1.2
end
4. Now configure the other end of the serial link and watch the tunnel pop up!
SF(config)#int s0/0/0
SF(config-if)#ip address 63.1.1.2 255.255.255.252
SF(config-if)#int t0
SF(config-if)#ip address 192.168.10.2 255.255.255.0
SF(config-if)#tunnel source 63.1.1.2
SF(config-if)#tun destination 63.1.1.1
*May 19 22:46:37.099: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Remember, you don’t need to configure your tunnel mode and transport protocol because 
GRE and IP are the defaults. It’s really important that you remember to configure the tunnel 
interface with the actual source and destination IP addresses to use or the tunnel won’t 
come up. In my example, 63.1.1.2 was the source and 63.1.1.1 was the destination.
5. Verify with the following commands:
Corp#sh ip int brief
You should see that the tunnel interface is now showing as an interface on your 
router. The IP address of the tunnel interface and the physical and data link status 
shows as up/up.
Corp#sh int tun 0
The show interfaces command shows the configuration settings and the interface 
status as well as the IP address and tunnel source and destination address.
Corp#sh ip route
The tunnel0 interface shows up as a directly connected interface, and although it’s 
a logical interface, the router treats it as a physical interface just like serial0/0 in the 
routing table.
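The tunnel source and destination requirement from this lab, as an added Python check that is not part of the original text. The two sample configurations are constructed from the lab's addressing, with Corp's serial interface assumed to be 63.1.1.1 (the address its tunnel source points at); parse_interfaces and check_tunnel are hypothetical helper names.

```python
import ipaddress
import re

# Constructed from the lab's addressing; Corp's serial interface is assumed to be
# 63.1.1.1, the address its tunnel source points at.
CORP = """
interface Serial0/0/0
 ip address 63.1.1.1 255.255.255.252
interface Tunnel0
 ip address 192.168.10.1 255.255.255.0
 tunnel source 63.1.1.1
 tunnel destination 63.1.1.2
"""
SF = """
interface Serial0/0/0
 ip address 63.1.1.2 255.255.255.252
interface Tunnel0
 ip address 192.168.10.2 255.255.255.0
 tunnel source 63.1.1.2
 tunnel destination 63.1.1.1
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface: {"ip": IPv4Interface, "source": addr, "destination": addr}}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = interfaces.setdefault(m.group(1), {})
        elif current is not None and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            current["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif current is not None and (m := re.match(r"tunnel (source|destination) (\S+)$", line)):
            current[m.group(1)] = ipaddress.ip_address(m.group(2))
    return interfaces


def check_tunnel(local_cfg: str, remote_cfg: str, name: str = "Tunnel0") -> list:
    """List addressing mistakes in a pair of GRE tunnel configurations."""
    local, remote = parse_interfaces(local_cfg), parse_interfaces(remote_cfg)
    lt, rt = local.get(name, {}), remote.get(name, {})
    missing = [k for k in ("ip", "source", "destination") if k not in lt or k not in rt]
    if missing:
        return [f"{name} is missing: {', '.join(missing)}"]
    problems = []
    physical = {i["ip"].ip for n, i in local.items() if n != name and "ip" in i}
    if lt["source"] not in physical:
        problems.append(f"tunnel source {lt['source']} is not a local interface address")
    if lt["destination"] != rt["source"]:
        problems.append("local tunnel destination does not match remote tunnel source")
    if lt["source"] != rt["destination"]:
        problems.append("remote tunnel destination does not match local tunnel source")
    if lt["ip"].network != rt["ip"].network:
        problems.append("tunnel interface addresses are in different subnets")
    return problems
```

Calling check_tunnel(CORP, SF) returns an empty list; a tunnel source that is not configured on any local interface, or endpoints that do not mirror each other, are reported by name.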
Review Questions
The following questions are designed to test your understanding of this 
chapter’s material. For more information on how to get additional questions, 
please see this book’s introduction.
The answers to these questions can be found in Appendix B, “Answers to Chapter 
Review Questions.”
1. Which command will display the CHAP authentication process as it occurs between 
two routers in the network?
A. show chap authentication
B. show interface serial 0
C. debug ppp authentication
D. debug chap authentication
2. Which command is required for connectivity in a Frame Relay network if Inverse ARP 
is not operational?
A. frame-relay arp
B. frame-relay map
C. frame-relay interface-dci
D. frame-relay lmi-type
3. Suppose you have a customer who has a central HQ and six branch offices. The customer anticipates adding six more branches in the near future. It wishes to implement a 
WAN technology that will allow the branches to economically connect to HQ and you 
have no free ports on the HQ router. Which of the following would you recommend?
A. PPP
B. HDLC
C. Frame Relay
D. ISDN
4. Which of the following command options are displayed when you use the Router#show 
frame-relay ? command? (Choose three.)
A. dlci
B. neighbors
C. lmi
D. pvc
E. map
5. How should a router that is being used in a Frame Relay network be configured to 
keep split horizon issues from preventing routing updates?
A. Configure a separate subinterface for each PVC with a unique DLCI and subnet 
assigned to the subinterface.
B. Combine multiple Frame Relay circuits as a point-to-point line to support multicast and broadcast traffic.
C. Configure many subinterfaces in the same subnet.
D. Configure a single subinterface to establish multiple PVC connections to multiple 
remote router interfaces.
6. Which encapsulations can be configured on a serial interface? (Choose three.)
A. Ethernet
B. Token Ring
C. HDLC
D. Frame Relay
E. PPP
7. When setting up Frame Relay for point-to-point subinterfaces, which of the following 
must not be configured?
A. The Frame Relay encapsulation on the physical interface
B. The local DLCI on each subinterface
C. An IP address on the physical interface
D. The subinterface type as point-to-point
8. When a router is connected to a Frame Relay WAN link using a serial DTE interface, 
how is the clock rate determined?
A. By the CSU/DSU 
B. By the far end router
C. By the clock rate command
D. By the Physical layer bit stream timing
9. A default Frame Relay WAN is classified as what type of physical network?
A. Point-to-point
B. Broadcast multi-access
C. Nonbroadcast multi-access
D. Nonbroadcast multipoint
10. Which of the following encapsulates PPP frames in Ethernet frames and uses common 
PPP features like authentication, encryption, and compression?
A. PPP
B. PPPoA
C. PPPoE
D. Token Ring
11. You need to configure a router for a Frame Relay connection to a non-Cisco router. 
Which of the following commands will prepare the WAN interface of the router for 
this connection?
A. Router(config-if)#encapsulation frame-relay q933a
B. Router(config-if)#encapsulation frame-relay ansi
C. Router(config-if)#encapsulation frame-relay ietf
D. Router(config-if)#encapsulation frame-relay cisco
12. You have configured a serial interface with GRE IP commands on a corporate router 
with a point-to-point link to a remote office. What command will show you the IP 
addresses and tunnel source and destination addresses of the interfaces?
A. show int serial 0/0
B. show ip int brief
C. show interface tunnel 0
D. show tunnel ip status
E. debug ip interface tunnel
13. Which of the following is true regarding WAN technologies? (Choose three.)
A. You must use PPP on a link connecting two routers using a point-to-point lease line.
B. You can use a T1 to connect a customer site to the ISP.
C. You can use a T1 to connect a Frame Relay connection to the ISP.
D. You can use Ethernet as a WAN service by using EoMPLS.
E. When using an Ethernet WAN, you must configure the DLCI.
14. You want to allow remote users to send protected packets to the corporate site, but you 
don’t want to install software on the remote client machines. What is the best solution 
that you could implement?
A. GRE tunnel
B. Web VPN
C. VPN Anywhere
D. IPsec
15. Why won’t the serial link between the Corp router and the Remote router come up?
Corp#sh int s0/0
Serial0/0 is up, line protocol is down
 Hardware is PowerQUICC Serial
 Internet address is 10.0.1.1/24
 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
 reliability 254/255, txload 1/255, rxload 1/255
 Encapsulation PPP, loopback not set
Remote#sh int s0/0
Serial0/0 is up, line protocol is down
 Hardware is PowerQUICC Serial
 Internet address is 10.0.1.2/24
 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
 reliability 254/255, txload 1/255, rxload 1/255
 Encapsulation HDLC, loopback not set
A. The serial cable is faulty.
B. The IP addresses are not in the same subnet.
C. The subnet masks are not correct.
D. The keepalive settings are not correct.
E. The layer 2 frame types are not compatible.
16. Which of the following are benefits of using a VPN in your internetwork? (Choose three)
A. Security
B. Private high-bandwidth links
C. Cost savings
D. Incompatibility with broadband technologies
E. Scalability
17. A remote site has just been connected to the central office, named Lab_A. However, 
remote users cannot access applications at the central office. The remote router can be 
pinged from the Lab_A office router. After reviewing the following command output, 
which do you think is the most likely reason for the problem?
[Diagram: routers Lab_A (S0/0) and Lab_C (S0/0) connected through Lab_B (S0/0, S0/1); labels: DLCI 100, DLCI 200]
Lab A#show running-config
!
interface Serial 0/0
 ip address 10.0.8.1 255.255.248.0
 encapsulation frame-relay
 frame-relay map ip 10.0.15.2 200
!
Router rip
Network 10.0.0.0
Lab C#show running-config
!
interface Serial 0/0
 ip address 10.0.15.2 255.255.248.0
 encapsulation frame-relay
 frame-relay map ip 10.0.8.1 100
!
Router rip
Network 10.0.0.0
A. The Frame Relay PVC is down.
B. The IP addressing on the central/remote router link is incorrect.
C. RIP routing information is not being forwarded.
D. Frame Relay Inverse ARP is not properly configured.
18. Which of the following is an industry-wide standard suite of protocols and algorithms 
that allows for secure data transmission over an IP-based network that functions at the 
layer 3 Network layer of the OSI model?
A. HDLC
B. Cable
C. VPN
D. IPsec
E. xDSL
19. Which of the following describes the creation of private networks across the Internet, 
enabling privacy and tunneling of TCP/IP protocols?
A. HDLC
B. Cable
C. VPN
D. IPsec
E. xDSL
20. Referring to the following diagram, what functions does the Frame Relay DLCI provide 
with respect to router Lab_A?
[Diagram: routers Lab_A (S0/0) and Lab_C (S0/0) connected through Lab_B (S0/0, S0/1); labels: DLCI 100, DLCI 200]
A. Identifies the signaling standard between Lab_A and the frame switch 
B. Identifies a portion of the virtual circuit between Lab_A and the frame switch
C. Identifies the encapsulation used between Lab_A and Lab_B
D. Defines the signaling standard between Lab_B and the frame switch
