Best Institute For CCNA Course in Delhi, India

About Rooman Technologies

Rooman is a premier IT training company, voted India's No.1 in Networking and Internet Security. International tie-ups and world-class training facilities have established us as a leading training institute for Hardware, Networking and Internet Security. With Rooman's network of branches in India and abroad, internationally certified faculty, a proven instructional methodology and a well-connected placement cell, students are well placed to advance their careers.

Course Outline

Cisco certification ensures high standards of technical expertise. You will develop a complete understanding of Wide Area Networking and how different network topologies work together to form a network. This is beneficial to every networking job and is the reason Cisco certification is in such high demand, even at companies with few Cisco devices. Achieving Cisco certification—at any level—means joining the ranks of skilled network professionals who have earned recognition and respect in the industry. The CCNA certification is the first in the new line of Cisco certifications and is a precursor to all current Cisco certifications.

Audience : Those who are taking their first steps into WAN Admin and want to learn how to administer Cisco Routers and Switches.

Prerequisite : Working knowledge of Local Area Network.

Duration of the course : Part Time : 30 Sessions (2 hrs/day)
Full Time  : 7 Sessions (8 hrs/day)

Key Benefits : By the end of the course, students will be able to plan IP addressing, install and configure Cisco routers in an internetwork, secure a network with access lists, and manage virtual LANs and WANs.

Rooman Technologies Vikaspuri Pvt Ltd.

Center :                        Rooman, Vikaspuri
Contact Person(s) :     Sandeep Barsaiyan
Address :                     C-9,New Krishna Park, Near west Janakpuri Metro Station
Phone :                         011- 41582663, +919891093219
Email :                          infovp@rooman.net
Web Blog:                   www.roomanvp.blogspot.com

 

How To Configure a Standard Access Control List in Simple Steps

Because a standard access list filters traffic on the source address only, all you need is the IP address of the host or subnet you want to permit or deny. ACLs are created in global configuration mode and then applied to an interface. The syntax for creating a standard ACL is

access-list {1-99 | 1300-1999} {permit | deny} source-address [wildcard-mask]

Every access list ends with an implicit deny any, so a list that contains only deny statements blocks all traffic; add an explicit permit any wherever other traffic must still pass.
 

In this article we will configure a standard access list. If you want to read about the features and characteristics of access lists, see the previous article.

We will use the RIP topology that we created in the RIP routing practical.

Download the RIP routing topology and open it in Packet Tracer.
 

Three basic steps to configure Standard Access List

  • Use the access-list global configuration command to create an entry in a standard ACL.
  • Use the interface configuration command to select an interface to which to apply the ACL.
  • Use the ip access-group interface configuration command to activate the existing ACL on an interface.

With access lists you will use wildcard masks in a variety of ways, but for the CCNA exam you should be able to do the following:

  1. Match a specific host,
  2. Match an entire subnet,
  3. Match an IP range, or
  4. Match Everyone and anyone

Match specific hosts

Task
You have been given the task of blocking 10.0.0.3 from reaching the 40.0.0.0 network, while 10.0.0.3 must still be able to communicate with every other network. The other computers on the 10.0.0.0 network must still be able to connect to the 40.0.0.0 network.

Decide where to apply ACL and in which directions.
Our host must still be able to reach every host except those on 40.0.0.0, and a standard ACL can only look at the source address, so it must be placed as close to the destination as possible: on FastEthernet 0/1 of R2 (2811), the interface connected to the 40.0.0.0 network. The direction is out, because packets are filtered as they leave that interface. If you placed this list on R1 (1841) instead, host 10.0.0.3 would be unable to communicate with any other network, not just 40.0.0.0.

To configure R2, double-click it and select CLI. The two command sequences below are equivalent (host 10.0.0.3 is shorthand for 10.0.0.3 0.0.0.0); use only one of them.

R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 1 deny host 10.0.0.3
R2(config)#access-list 1 permit any
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 1 out

OR

R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 1 deny 10.0.0.3 0.0.0.0
R2(config)#access-list 1 permit any
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 1 out

To test, first ping from 10.0.0.3 to 40.0.0.3; the requests should time out because the packets are filtered by the ACL. Then ping 30.0.0.3; it should be answered.

PC>ping 40.0.0.3

Pinging 40.0.0.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 40.0.0.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>ping 30.0.0.3

Pinging 30.0.0.3 with 32 bytes of data:

Request timed out.
Reply from 30.0.0.3: bytes=32 time=140ms TTL=126
Reply from 30.0.0.3: bytes=32 time=156ms TTL=126
Reply from 30.0.0.3: bytes=32 time=112ms TTL=126

Ping statistics for 30.0.0.3:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 112ms, Maximum = 156ms, Average = 136ms

Because the access list matches only one specific host, the other computers on the 10.0.0.0 network must still be able to reach the 40.0.0.0 network. To test, ping from 10.0.0.2 to 40.0.0.3.

PC>ipconfig

IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1

PC>ping 40.0.0.3

Pinging 40.0.0.3 with 32 bytes of data:

Request timed out.
Reply from 40.0.0.3: bytes=32 time=141ms TTL=126
Reply from 40.0.0.3: bytes=32 time=140ms TTL=126
Reply from 40.0.0.3: bytes=32 time=125ms TTL=126

Ping statistics for 40.0.0.3:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 125ms, Maximum = 141ms, Average = 135ms

Match an entire subnet

Task

You have been given the task of blocking the whole 10.0.0.0 network from reaching the 40.0.0.0 network, while 10.0.0.0 must still be able to communicate with the other networks.

Wildcards

Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks.

Formula to calculate wild card mask for access list

The key to matching an entire subnet is to use the following formula for the wildcard mask:
Wildcard mask = 255.255.255.255 - subnet mask
So for example, if the subnet mask is 255.0.0.0, the wildcard mask is 0.255.255.255.

255.255.255.255
255 .0 .0 .0 -
----------------
0. 255 .255.255
----------------

Once you have calculated the wildcard mask, the rest is the same as in the previous example. Note that an interface can carry only one IP access list per direction, so applying access-list 2 outbound on FastEthernet 0/1 replaces access-list 1 there; the two lists do not combine.

R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 2 deny 10.0.0.0 0.255.255.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#

To test, first ping from 10.0.0.3 to 40.0.0.3; the requests should time out because the packets are filtered by the ACL. Then ping 30.0.0.3; it should be answered.
Now ping from 10.0.0.2 to 40.0.0.3 and then 30.0.0.2; the results should be the same, because the packets are now filtered by network rather than by host.

Match an IP range

You are a network administrator at ComputerNetworkingNotes.com. Your task is to block the IP range 10.3.16.0 – 10.3.31.255 from gaining access to the 40.0.0.0 network.

Solution

Our range is 10.3.16.0 – 10.3.31.255. To find the wildcard mask, subtract the lower IP address from the higher one:

10.3.31.255
10.3.16.0 -
--------------
0.0.15.255
--------------

So the wildcard mask for this range is 0.0.15.255. This subtraction gives a usable mask only because the range starts on a boundary of its own size (16 is a multiple of the 16-address block in the third octet); see the note after the configuration.
To deny this range, you would use the following:

R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 2 deny 10.3.16.0 0.0.15.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#

One thing to note is that each non-zero octet of the wildcard mask must be one less than a power of 2 (0, 1, 3, 7, 15, 31, 63, 127, 255), and the start of the range must be a multiple of the block size. A range that is not aligned, such as 10.3.17.0 – 10.3.32.255, cannot be expressed with a single address/wildcard pair and needs more than one ACL entry.

Match Everyone and Anyone

This is the easiest of Access-Lists to create, just use the following:
access-list 1 permit any
or
access-list 1 permit 0.0.0.0 255.255.255.255
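As an added example that is not part of the original article, the following Python script does the wildcard-mask arithmetic for all four cases above and evaluates a source address against the access lists configured in this article (including access-list 3 used later on the VTY lines), honouring the first-match rule and the implicit deny any. It goes slightly beyond the text by checking whether a range is actually expressible as one address/wildcard pair. The ACL contents are the article's; the function names are this example's own.

```python
# Added example, not from the original article: wildcard-mask arithmetic for the
# four cases above and a first-match evaluator for numbered standard ACLs that
# includes the implicit "deny any" IOS appends to every list.
import ipaddress

def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def int_to_ip(n):
    return str(ipaddress.IPv4Address(n))

def wildcard_from_subnet_mask(mask):
    """Wildcard mask = 255.255.255.255 - subnet mask (the bitwise inverse)."""
    return int_to_ip(0xFFFFFFFF ^ ip_to_int(mask))

def wildcard_from_range(low, high):
    """Wildcard for the contiguous range low..high, or None when one
    address/wildcard pair cannot express it: the range size must be a
    power of two and `low` must be aligned to that size."""
    lo, hi = ip_to_int(low), ip_to_int(high)
    size = hi - lo + 1
    if size <= 0 or size & (size - 1) or lo % size:
        return None
    return int_to_ip(size - 1)

def matches(address, entry_addr, wildcard):
    """A wildcard bit of 0 means 'must match', 1 means 'don't care'."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(address) & care) == (ip_to_int(entry_addr) & care)

def evaluate(acl, source):
    """Return 'permit' or 'deny' for `source` against the ordered `acl`, a list
    of (action, address, wildcard). The first matching entry wins; a packet
    that matches nothing hits the implicit deny at the end of every list."""
    for action, addr, wc in acl:
        if matches(source, addr, wc):
            return action
    return "deny"

HOST = "0.0.0.0"                        # "host x" == "x 0.0.0.0"
ANY = ("0.0.0.0", "255.255.255.255")    # "any"   == "0.0.0.0 255.255.255.255"

# The lists configured in this article:
ACL_1 = [("deny", "10.0.0.3", HOST), ("permit", *ANY)]              # access-list 1
ACL_2 = [("deny", "10.0.0.0", "0.255.255.255"), ("permit", *ANY)]   # access-list 2
ACL_3 = [("permit", "20.0.0.2", HOST)]                              # access-list 3 (VTY)

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.0.0.0"))             # 0.255.255.255
    print(wildcard_from_range("10.3.16.0", "10.3.31.255"))    # 0.0.15.255
    print(wildcard_from_range("10.3.17.0", "10.3.32.255"))    # None: not aligned
    for src in ("10.0.0.3", "10.0.0.2", "30.0.0.2"):
        print(src, "acl 1:", evaluate(ACL_1, src), "acl 2:", evaluate(ACL_2, src))
    for src in ("20.0.0.2", "20.0.0.3"):
        print("telnet from", src, "->", evaluate(ACL_3, src))
```

The evaluator only models what a standard ACL can see, the source address; where the packet is filtered (which interface and direction) is still the placement decision discussed above.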
 

Secure telnet session via standard ACL

This is one of the most heavily tested topics in the CCNA exam. We could use an extended ACL to secure Telnet sessions, but if you did that, you would have to apply it inbound on every interface, and that would not scale well to a large router with dozens, even hundreds, of interfaces. Here is a much better solution:
Use a standard IP access list to control access to the VTY lines themselves.
To perform this function, follow these steps:

  1. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.
  2. Apply the access list to the VTY line with the access-class command

Secure R2 so that only 20.0.0.2 can telnet to it and all other Telnet sessions are denied. The access list needs no explicit deny statement: the implicit deny any at its end refuses everyone else.

R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 3 permit host 20.0.0.2
R2(config)#line vty 0 4
R2(config-line)#password vinita
R2(config-line)#login
R2(config-line)#access-class 3 in

To test, first telnet from 20.0.0.2; it should succeed. Because the list is applied to the VTY lines rather than to an interface, it protects every address on R2 (here 50.0.0.2 is used). Remember that Telnet still carries the password in cleartext and that a line password is stored in cleartext in the configuration; on real equipment prefer SSH (transport input ssh under line vty) and an enable secret.

PC>ipconfig

IP Address......................: 20.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.0.0.1

PC>telnet 50.0.0.2
Trying 50.0.0.2 ...

User Access Verification

Password:
R2>

Now telnet from any PC other than 20.0.0.2; it must be filtered and refused.

PC>ipconfig

IP Address......................: 20.0.0.3
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.0.0.1

PC>telnet 50.0.0.2
Trying 50.0.0.2 ...

% Connection refused by remote host
PC>

Network Security: Reconnaissance, Access, DoS and Password Attacks

Reconnaissance Attack

A reconnaissance attack occurs when an adversary tries to learn information about your network. Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities.
Reconnaissance is also known as information gathering and, in most cases, precedes an actual access or DoS attack. First, the intruder typically conducts a ping sweep of the target network to determine which IP addresses are alive. Then the intruder determines which services or ports are active on the live IP addresses. From this information, the intruder queries the ports to determine the type and version of the application and operating system running on the target host.
Reconnaissance is somewhat analogous to a thief investigating a neighbourhood for vulnerable homes, such as an unoccupied residence or a house with an easy-to-open door or window. In many cases, intruders look for vulnerable services that they can exploit later, when there is less chance that anyone is watching.
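As an added example that is not part of the original article, the Python script below looks at the sequence just described from the defender's side: it reads firewall-style log lines and flags a source that probes many hosts (ping sweep) or many ports on one host (port scan) inside a short window. The log format, the thresholds and the sample lines are constructed for this example; a slow sweep at the end of the sample shows what a fixed window misses.

```python
# Added example, not from the original article: detection logic for the ping
# sweep / port scan sequence described above, run over constructed
# firewall-style log lines. Format per line (constructed for this example):
#   <ISO timestamp> <proto> <source ip> <destination ip> <dst port or ->
from collections import defaultdict, deque
from datetime import datetime

SWEEP_HOSTS = 5     # distinct hosts probed by one source ...
SCAN_PORTS = 5      # ... or distinct ports probed on one host ...
WINDOW_SECS = 60    # ... within this many seconds raise an alert

def parse(line):
    ts, proto, src, dst, port = line.split()
    return datetime.fromisoformat(ts), proto, src, dst, port

def detect(lines):
    """Return alerts as (kind, source, target) tuples, one per offender."""
    alerts = []
    icmp_hist = defaultdict(deque)    # src -> deque of (time, dst)
    tcp_hist = defaultdict(deque)     # (src, dst) -> deque of (time, port)
    for line in lines:
        t, proto, src, dst, port = parse(line)
        if proto == "icmp":
            hist, value, limit, kind = icmp_hist[src], dst, SWEEP_HOSTS, "ping-sweep"
        elif proto == "tcp":
            hist, value, limit, kind = tcp_hist[(src, dst)], port, SCAN_PORTS, "port-scan"
        else:
            continue
        hist.append((t, value))
        while (t - hist[0][0]).total_seconds() > WINDOW_SECS:   # slide the window
            hist.popleft()
        if len({v for _, v in hist}) >= limit:
            alert = (kind, src, dst if kind == "port-scan" else "*")
            if alert not in alerts:
                alerts.append(alert)
    return alerts

SAMPLE_LOG = [  # constructed; 198.51.100.7 is the intruder
    "2024-05-01T10:00:00 icmp 10.0.0.2 10.0.0.1 -",
    "2024-05-01T10:00:01 icmp 198.51.100.7 10.0.0.1 -",
    "2024-05-01T10:00:02 icmp 198.51.100.7 10.0.0.2 -",
    "2024-05-01T10:00:03 icmp 198.51.100.7 10.0.0.3 -",
    "2024-05-01T10:00:04 icmp 198.51.100.7 10.0.0.4 -",
    "2024-05-01T10:00:05 icmp 10.0.0.2 10.0.0.1 -",
    "2024-05-01T10:00:06 icmp 198.51.100.7 10.0.0.5 -",   # fifth host probed: alert
    "2024-05-01T10:00:07 icmp 198.51.100.7 10.0.0.6 -",
    "2024-05-01T10:00:10 tcp 198.51.100.7 10.0.0.4 21",
    "2024-05-01T10:00:11 tcp 198.51.100.7 10.0.0.4 22",
    "2024-05-01T10:00:12 tcp 198.51.100.7 10.0.0.4 23",
    "2024-05-01T10:00:13 tcp 198.51.100.7 10.0.0.4 25",
    "2024-05-01T10:00:14 tcp 198.51.100.7 10.0.0.4 80",    # fifth port on one host: alert
    "2024-05-01T10:00:20 tcp 10.0.0.2 10.0.0.4 80",
    # a slow sweep, one probe every two minutes, stays under the window
    "2024-05-01T10:02:00 icmp 203.0.113.9 10.0.0.1 -",
    "2024-05-01T10:04:00 icmp 203.0.113.9 10.0.0.2 -",
    "2024-05-01T10:06:00 icmp 203.0.113.9 10.0.0.3 -",
    "2024-05-01T10:08:00 icmp 203.0.113.9 10.0.0.4 -",
    "2024-05-01T10:10:00 icmp 203.0.113.9 10.0.0.5 -",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The second source in the sample is never flagged: a patient attacker spreads probes over time, so production detectors add longer windows, count unanswered probes, or correlate across sensors rather than relying on one fixed threshold.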

Access Attacks

An access attack occurs when someone tries to gain unauthorized access to a component, tries to gain unauthorized access to information on a component, or increases their privileges on a network component. Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.

DoS Attacks

DoS attacks involve an adversary reducing the level of operation or service, preventing access to, or completely crashing a network component or service.

Password Attacks

A password attack usually refers to repeated attempts to identify a user account, password, or both. These repeated attempts are called brute-force attacks. Password attacks are implemented using other methods, too, including Trojan horse programs, IP spoofing, and packet sniffers.

Password attack threat-mitigation methods

The risk lies in passwords being stored as plaintext: anyone who reads the store has every password. Most systems therefore do not store the password at all; they pass it through a one-way hash function and store the hash. A one-way hash cannot be reversed back to its original text. During the login process you supply an account and password, the system hashes the password you supplied and compares the result with the stored hash. If the hashes are the same, the system assumes that the user supplied the proper password.
Remember that passing the password through a hash function produces a password hash, not an encrypted password: there is no key, and nothing to decrypt. The strength of the hash is that the same value can only be recreated from the original password and that recovering the password from the hash is computationally infeasible. Two cautions a practitioner should add: the hash must be combined with a random per-user salt, otherwise identical passwords produce identical hashes and precomputed tables work against every user at once; and it should be a deliberately slow function built for passwords (such as PBKDF2, bcrypt, scrypt or Argon2), because a fast general-purpose hash such as MD5 or SHA-1 lets an attacker who has stolen the hashes test billions of guesses per second.
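As an added example that is not part of the original article, here is the storage-and-check scheme the paragraph describes, written in Python with only the standard library: a per-user random salt, a slow key-derivation function (PBKDF2-HMAC-SHA256) in place of a plain one-way hash, and a constant-time comparison. An unsalted MD5 lookup is included only to show why a fast unsalted hash is not enough. The sample password and wordlist are constructed.

```python
# Added example, not from the original article: password storage with a salt
# and a slow KDF, beside the unsalted fast hash the text warns about.
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster

def make_record(password):
    """Store (salt, iterations, hash). The plaintext itself is never stored."""
    salt = os.urandom(16)                     # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}

def verify(record, candidate):
    """Recompute the hash from the supplied password and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

def unsalted_md5(password):
    """The legacy scheme, shown only for contrast."""
    return hashlib.md5(password.encode()).hexdigest()

def crack_unsalted(target_hex, wordlist):
    """With no salt and a fast hash, one computation per guess is enough, and
    the same guess list breaks every user who chose that password."""
    for guess in wordlist:
        if unsalted_md5(guess) == target_hex:
            return guess
    return None

if __name__ == "__main__":
    rec = make_record("vinita")
    print(verify(rec, "vinita"), verify(rec, "Vinita"))        # True False
    print(make_record("vinita")["hash"] != rec["hash"])          # True: different salt
    leaked = unsalted_md5("vinita")
    print(crack_unsalted(leaked, ["password", "cisco", "vinita"]))   # vinita
```

The salt is stored next to the hash in the clear; its job is not secrecy but making every stored hash unique, so an attacker must attack each record separately and at the KDF's cost.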
Password attack threat-mitigation methods include these guidelines:

  • Do not allow users to have the same password on multiple systems. Most users have the same password for each system they access, as well as for their personal systems.
  • Disable accounts after a specific number of unsuccessful logins. This practice helps to prevent continuous password attempts.
  • Do not use plaintext passwords. Use either a one-time password (OTP) or an encrypted password.
  • Use strong passwords. Strong passwords are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters. Many systems now provide strong password support and can restrict users to strong passwords only.
The standard authentication protocols used by various network services, such as RAS and VPN, for authentication include the following:

Password Authentication Protocol

Password Authentication Protocol (PAP) The Password Authentication Protocol sends the user’s username and password in plain text. It is very insecure because someone can analyze and interpret the logon traffic. This is the authentication protocol used by the basic authentication method mentioned previously.

Challenge Handshake Authentication Protocol

Challenge Handshake Authentication Protocol (CHAP) With CHAP, the server sends the client a challenge (a random value, not a key), and the client runs an identifier, its password and the challenge through the MD5 hashing algorithm. The resulting hash value is sent to the server for authentication. The server uses the same challenge and the copy of the password it holds to compute its own hash and compares it with the value sent by the client. If the two hash values are the same, the client has supplied the correct password. The benefit is that the password itself never crosses the wire, and because each challenge is fresh a captured response cannot simply be replayed. Two caveats: the server must hold the password in recoverable form (plaintext or reversibly encrypted) to compute the hash, and an eavesdropper who captures a challenge/response pair can test password guesses offline at MD5 speed, so the password must be strong.
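As an added example that is not part of the original article, the following Python code runs the CHAP exchange described above with both sides (RFC 1994: response = MD5(identifier || secret || challenge)), shows that a captured response cannot be replayed against a new challenge, and then demonstrates the caveat above: an eavesdropper who captured one challenge/response pair can test guesses offline. The peer name, secret and wordlist are constructed.

```python
# Added example, not from the original article: the CHAP exchange (RFC 1994)
# from both sides, plus the offline dictionary attack a sniffer can run on it.
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """The server side. It must keep each peer's secret in recoverable form."""
    def __init__(self, secrets):
        self.secrets = secrets       # peer name -> secret bytes (constructed)
        self.pending = {}            # identifier -> outstanding challenge

    def challenge(self, identifier):
        value = os.urandom(16)       # fresh random value for every attempt
        self.pending[identifier] = value
        return value

    def verify(self, identifier, name, response):
        challenge = self.pending.pop(identifier, None)   # one use only
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)

def run_exchange(auth, identifier, name, peer_secret):
    """The peer side. Returns (success, what an eavesdropper sees on the wire)."""
    challenge = auth.challenge(identifier)
    response = chap_response(identifier, peer_secret, challenge)
    ok = auth.verify(identifier, name, response)
    return ok, (identifier, name, challenge, response)

def offline_attack(captured, wordlist):
    """The secret never crossed the wire, but MD5 is fast and the only per-attempt
    variation is the challenge, which the sniffer also has."""
    identifier, _name, challenge, response = captured
    for guess in wordlist:
        if chap_response(identifier, guess.encode(), challenge) == response:
            return guess
    return None

if __name__ == "__main__":
    auth = Authenticator({"R1": b"vinita"})
    ok, wire = run_exchange(auth, 1, "R1", b"vinita")
    bad, _ = run_exchange(auth, 2, "R1", b"wrong")
    print(ok, bad)                                     # True False
    auth.challenge(3)                                  # new challenge, old response replayed
    print(auth.verify(3, "R1", wire[3]))               # False
    print(offline_attack(wire, ["cisco", "vinita"]))   # vinita
```

The replay fails because the response is bound to the challenge; the dictionary attack succeeds because nothing slows the guesser down, which is why a CHAP secret is only as safe as its entropy.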

Microsoft Challenge Handshake Authentication Protocol MS-CHAP

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is a Microsoft variant of CHAP that uses MD4 as the hashing algorithm instead of the MD5 used by CHAP. It is used together with Microsoft Point-to-Point Encryption (MPPE) to encrypt the traffic between client and server after authentication.

MS-CHAPv2

MS-CHAPv2 With MS-CHAP version 2 the authentication method was extended to authenticate both the client and the server, and it derives stronger encryption keys for MPPE than CHAP and MS-CHAP. It should nevertheless be regarded as broken: the user's NT password hash can be recovered from a single captured handshake with a brute-force search of one DES key, so MS-CHAPv2 is acceptable only inside a protected tunnel such as PEAP, or should be replaced by a certificate-based method such as EAP-TLS.

Extensible Authentication Protocol (EAP)

Extensible Authentication Protocol (EAP) The Extensible Authentication Protocol allows for multiple logon methods such as smartcard logon, certificates, Kerberos, and public-key authentication. EAP is also frequently used with RADIUS, which is a central authentication service that can be used by RAS, wireless, or VPN solutions.

How to Configure Switch Port Security and EtherChannel

In this article I will show you how to:

  • Configure the IP address and subnet mask
  • Set the IP default gateway
  • Enable Telnet sessions to the switch
  • Enable EtherChannel
  • Enable port security

To perform this activity, download the lab topology and load it in Packet Tracer, or create your own topology as shown in the figure.

Configure IP address subnet mask and default gateway

An IP address and a default gateway are what allow you to manage the switch remotely via Telnet or SSH. Without this basic configuration you have to connect to the switch with a console cable every time, which is tedious because you must be physically next to it.

Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#interface vlan 1
S1(config-if)#ip address 10.0.0.10 255.0.0.0
S1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
S1(config-if)#exit
S1(config)#ip default-gateway 10.0.0.1

Enable Telnet and password protect the line

You can secure a switch by using passwords to restrict various levels of access. Using passwords and assigning privilege levels are simple ways of providing both local and remote terminal access control in a network. Passwords can be set on individual lines, such as the console, and on privileged EXEC (enable) mode. Passwords are case sensitive. By default there are five VTY lines on the switch, allowing five simultaneous Telnet sessions; other Cisco devices may have more than five logical VTY lines. The five VTY lines are numbered 0 through 4 and are configured together as line vty 0 4. A line password set with the password command is stored in cleartext in the running configuration, and Telnet sends it in cleartext on the wire, so on production switches use SSH and, at a minimum, service password-encryption.

S1(config)#line console 0
S1(config-line)#password vinita
S1(config-line)#login
S1(config-line)#exit
S1(config)#line vty 0 4
S1(config-line)#password vinita
S1(config-line)#login
S1(config-line)#exit
S1(config)#

Enable Switch port security

This feature (among several other options) lets you disable a port if more than one MAC address is detected on it. It is commonly applied to ports that connect security-sensitive devices such as servers. You can use port security to restrict input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. Port security can only be enabled on an access or trunk port, not on a port still in dynamic (DTP) mode, which is why switchport mode access comes first below.

Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S2
S2(config)#interface fastEthernet 0/1
S2(config-if)#switchport mode access
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security maximum 1
S2(config-if)#switchport port-security mac-address sticky
S2(config-if)#switchport port-security violation shutdown
S2(config-if)#exit
S2(config)#

You can verify port security.

  • Click on the red x button on the right hand portion of the PT window. This will allow you to delete a connection in the topology. Place the x over the connection between Server and S2 and click. The connection should disappear.
  • Select the lightening bolt button on the bottom left-hand corner of the PT window to pull up connection types. Click the “copper straight-through” connection. Click the TestPC device and select the fastethernet port. Next, click on S2 and select port Fa0/1.
  • From the command prompt of TestPC type the command ping 10.0.0.4. The ping should fail.
  • On S2, enter the command show port-security interface fa0/1.

Port security is enabled, port-status is secure-shutdown, security violation count is 1.
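As an added example that is not part of the original article, this Python model replays the verification steps above (server frames, then TestPC plugged into the same port) through a port with port security enabled, and shows how the three IOS violation modes, protect, restrict and shutdown, differ; the article configures only shutdown. The MAC addresses are constructed; the class and function names are this example's own.

```python
# Added example, not from the original article: a model of what
# "switchport port-security maximum 1 / mac-address sticky / violation <mode>"
# does to incoming frames, for all three violation modes IOS offers.
class SecurePort:
    """One access port with port security enabled."""
    def __init__(self, maximum=1, violation="shutdown"):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.maximum, self.violation = maximum, violation
        self.secure_macs = []        # sticky-learned addresses, in learn order
        self.violation_count = 0
        self.status = "secure-up"

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with src_mac."""
        if self.status == "secure-shutdown":
            return "drop"                         # err-disabled: nothing passes
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)      # sticky: learned and kept
            return "forward"
        # a further address beyond the maximum is a violation
        if self.violation == "shutdown":
            self.violation_count += 1
            self.status = "secure-shutdown"       # whole port goes err-disabled
        elif self.violation == "restrict":
            self.violation_count += 1             # counted and logged, port stays up
        # protect: dropped silently, nothing counted
        return "drop"

    def recover(self):
        """shutdown / no shutdown on the interface; sticky addresses survive."""
        self.status = "secure-up"

def show_port_security(port):
    """The fields the article reads from 'show port-security interface'."""
    return {"status": port.status,
            "violation_count": port.violation_count,
            "secure_macs": list(port.secure_macs)}

SERVER = "0001.9641.7a2b"    # constructed MAC of the server
TESTPC = "00e0.f7a1.3c44"    # constructed MAC of TestPC

def lab_sequence(mode):
    """Server sends, cable is moved to TestPC, then the server is plugged back."""
    port = SecurePort(maximum=1, violation=mode)
    results = [port.receive(SERVER), port.receive(TESTPC), port.receive(SERVER)]
    return results, show_port_security(port)

if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, *lab_sequence(mode))
```

Note what the modes have in common: in none of them does TestPC get through. They differ in whether the violation is visible (restrict and shutdown count and log it, protect does not) and in whether the legitimate server is also cut off until an administrator intervenes (shutdown only).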

Configure EtherChannel

EtherChannel lets you bundle several parallel switch ports into one logical link to get more bandwidth. If you connect switches with several parallel links without an EtherChannel configuration, spanning tree (STP) treats them as a loop and blocks all but one of the ports. You can download this example topology to practise EtherChannel.

  1. To enable EtherChannel on DLS1, enter interface range mode for ports F0/11 and F0/12 with the command interface range f0/11 - 12.
  2. Enter the command switchport mode trunk.
  3. Enter the command channel-group 1 mode desirable.
  4. Repeat steps 1 through 3 on DLS2.

DLS1>enable
DLS1#configure terminal
DLS1(config)#interface range fastEthernet 0/11 - 12
DLS1(config-if-range)#switchport mode trunk
DLS1(config-if-range)#channel-group 1 mode desirable
DLS1(config-if-range)#exit
DLS1(config)#exit
DLS1#

Frame Relay Network Operation

A Frame Relay (FR) network is shown in the figure below. An FR network may be considered as an FR cloud consisting of FR switches and customer nodes. An FR switch acts as the DCE and the customer equipment as the DTE. A virtual circuit is established between the DTE and the corresponding DCE. As mentioned earlier, a virtual circuit is identified by a DLCI (Data Link Connection Identifier) number. DLCIs have local significance: a DLCI identifies a virtual circuit only on the physical link it is used on, so the same number may be reused on other links, but on a given link no two virtual circuits can share a DLCI.

Frame Relay is essentially a packet-switched network, and can be compared with an X.25 network. Though both Frame Relay and X.25 use the same basic protocol, HDLC, there are several differences between the two. Some of the important differences between a Frame Relay network and an X.25 network are given below:

Feature                                   X.25              Frame Relay
Basic frame protocol used                 HDLC              HDLC
Typical speed (bandwidth)                 Low               High
Interactive sessions                      Barely suitable   Suitable
LAN connectivity for fast file transfers  Not suitable      Suitable
Protocol overhead                         High              Minimal
Protocol complexity                       High              Low
Voice support                             Poor              Good
Error correction                          Very good         Not supported

Comments on X.25:

1. X.25 is a very old protocol and is widely implemented. However, it is hard to find any new implementations.

2. X.25 implements node-to-node error correction and is well suited to noisy circuits. A severe drawback is its high overhead and transmission delays.

Comments on Frame Relay:

1. Frame Relay is widely implemented these days. It does not support any node-to-node error correction. With the advent of highly reliable physical channels, node-to-node error correction (offered by X.25) is considered out of date and not essential.

2. Revised specifications for Frame Relay support LMI extensions. These include global addressing, virtual-circuit status messages, and multicasting.

Frame Relay Protocols Overview

Before going ahead with Frame Relay protocol, and its operation, we discuss virtual circuits. Remember that a circuit provides connection between end nodes by means of an electrical connection. In data circuits, the term virtual circuit is also used in similar sense. A virtual circuit provides a logical connection between end nodes for the flow of information. There are two types of virtual circuits:

  • Permanent Virtual Circuit (PVC), and
  • Switched Virtual Circuits (SVC)

Permanent Virtual Circuit (PVC): PVC is a permanent connection between the end nodes (DTEs) within a Frame Relay network. The virtual circuit is always available irrespective of whether any data is being transmitted or not. This type of connection (PVC) is used when it is required to consistently transfer data between the end nodes. A PVC can have two operational states as given below:

  • Data transfer state: Data is transmitted between the end nodes over the virtual circuit.
  • Idle state: No data is transferred between the end nodes. Note that PVC does not terminate the virtual circuit even when there is no data being transferred between the end nodes.

Switched Virtual Circuit (SVC): A switched virtual circuit (SVC) provides a temporary connection between end nodes (DTEs) across a Frame Relay network. An SVC communication session has four states:

  • Call setup: The virtual circuit between two Frame Relay end nodes is established.
  • Data transfer: Data is transmitted between the end nodes over the virtual circuit.
  • Idle: The connection between end nodes is still active, but no data is transferred. An SVC call is terminated after a certain period of idle time
  • Call termination: The virtual circuit between end nodes is terminated.

If there is more data to be transmitted at a later time, an SVC is negotiated again. SVCs are advantageous when you have bursty traffic and you don't want to reserve network bandwidth for a given virtual circuit 24 hours a day.

Unlike SVC, there is no call setup, and call termination procedures in PVC. This results in simple link management procedures, and more efficient data transfers.

Frame Relay Protocol: FR is an HDLC protocol based network. We have discussed HDLC in earlier sections, and the HDLC frame is given below. Other protocols that use HDLC frames include SDLC, Frame Relay, and X.25. They primarily differ in how the address and control bits in HDLC frame are used.

The different fields are explained below with respect to Frame Relay:

Flag (both opening and closing flags): 8 bits (01111110 or 7E hex)
Address (Also known as Frame Relay Header): It is a 16-bit field as given below.

Data Link Connection Identifier (DLCI): The DLCI is 10-bit wide. DLCI identifies the virtual connection between the end node (a DTE device) and the switch (a DCE device).

C/R: The C/R bit says whether the frame is a command or response.

Forward Explicit Congestion Notification (FECN): This is a single-bit field that can be set to either 0 or 1 by a switch. Normally, FECN is zero. A value of 1 indicates network congestion in the direction of source to destination, known as Forward Explicit Congestion Notification.

Backward Explicit Congestion Notification (BECN): This is a single-bit field that can be set to either 0 or 1 by a switch in the FR network. Normally, BECN is zero. A value of 1 indicates that the FR network has experienced congestion in the direction of destination to source.

By using FECN and BECN, upper layer protocols can control the communication for efficient utilization of FR network.

Discard Eligibility (DE): This is set by the DTE device to indicate that the marked frame may be discarded in the event of network congestion. Discard Eligible frames are discarded first before removing frames that do not have DE bit set, in the event of network congestion.

Note that all FECN, BECN, and DE enable FR network congestion control by regulating the communication, and prioritizing traffic.

Extended Address (EA): The eighth bit of each byte of the Address field (header) is used to indicate the EA. If the EA value is 1, then the current byte is determined to be the last octet of the DLCI.

Data: This field contains encapsulated upper-layer protocol data. It has variable length up to 16,000 octets.

FCS (Frame Check Sequence) or CRC (Cyclic Redundancy Code): It is either 16 bits, or 32 bits wide. Frame Check Sequence is used to verify the data integrity. If the FCS fails, the frame is discarded.
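As an added example that is not part of the original article, the following Python code packs and unpacks the two-octet Frame Relay address field described above: the 10-bit DLCI split across both octets, the C/R, FECN, BECN and DE bits, and the EA bits that mark where the header ends. The sample DLCIs and flag settings are constructed.

```python
# Added example, not from the original article: the 2-octet Frame Relay
# address field (header) described above, built and parsed bit by bit.
def build_fr_header(dlci, cr=0, fecn=0, becn=0, de=0):
    """Octet 1: DLCI high 6 bits | C/R | EA=0.
       Octet 2: DLCI low 4 bits | FECN | BECN | DE | EA=1."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI is a 10-bit value")
    for bit in (cr, fecn, becn, de):
        if bit not in (0, 1):
            raise ValueError("flag bits must be 0 or 1")
    octet1 = ((dlci >> 4) << 2) | (cr << 1) | 0        # EA = 0: another header octet follows
    octet2 = (((dlci & 0x0F) << 4) | (fecn << 3) | (becn << 2)
              | (de << 1) | 1)                         # EA = 1: this is the last header octet
    return bytes([octet1, octet2])

def parse_fr_header(header):
    """Inverse of build_fr_header; rejects a malformed EA sequence."""
    if len(header) != 2:
        raise ValueError("only the 2-octet header form is handled here")
    octet1, octet2 = header
    if octet1 & 1 or not octet2 & 1:
        raise ValueError("EA must be 0 in the first octet and 1 in the last")
    return {
        "dlci": ((octet1 >> 2) << 4) | (octet2 >> 4),   # 6 high bits + 4 low bits
        "cr": (octet1 >> 1) & 1,
        "fecn": (octet2 >> 3) & 1,
        "becn": (octet2 >> 2) & 1,
        "de": (octet2 >> 1) & 1,
    }

def roundtrip_all_dlcis():
    """Every DLCI from 0 to 1023 must survive build -> parse unchanged."""
    return all(parse_fr_header(build_fr_header(d))["dlci"] == d for d in range(1024))

if __name__ == "__main__":
    hdr = build_fr_header(100, becn=1, de=1)
    print(hdr.hex(), parse_fr_header(hdr))            # 1847 {'dlci': 100, ... 'becn': 1, 'de': 1}
    print(parse_fr_header(bytes([0x04, 0x01])))       # DLCI 16, all flag bits clear
    print(roundtrip_all_dlcis())                      # True
```

A practical check the packing makes visible: DLCI 16 encodes as 04 01 and DLCI 100 as 18 41, values you will see at the start of every frame on those circuits in a capture; the congestion bits sit in the second octet and are rewritten by the switches, not by the DTE.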

ISDN Protocols Overview

Integrated Services Digital Network (ISDN), as the name implies, provides integrated services that consist of telephony, data, and video transmission over ISDN.

ISDN is of two types:

  • Basic Rate ISDN (BRI), and

  • Primary Rate ISDN (PRI)

Basic Rate ISDN consists of two 64kbps B-channels (B for Bearer) and one D-channel (2B+1D). B-Channels are used for transmitting user information (voice, data, or video), and D-Channel is used for transmitting control information. B-Channel offers a bandwidth of 64kbps, and D-Channel has a bandwidth of 16kbps. With 2B channels, BRI provides up to 128kbps uncompressed bandwidth. Note that the total bandwidth used by ISDN BRI is 192kbps. The remaining bandwidth [192 – (2B+D)] or 48kbps is used for framing.

Primary Rate ISDN consists of 23 B-channels and one D-channel (23B+1D) for US or 30 B-channels and one D-channel (30B+1D) for Europe, Australia, India, and some other countries. The ISDN standard followed by Europe is also known as Euro ISDN, and standardized by ETSI (European Telecommunications Standard Institute). The PRI D-Channel offers 64kbps bandwidth.

There are several constituent standards that define ISDN.

I.430 Standard: It describes the Physical layer and part of the Data Link layer for BRI.

Q.920 and Q.921 Standards: Together, they provide the Data Link protocol used over the D channel.

Q.930 and Q.931 Standards: Document the Network layer user-to-user and user-to-network interface. The functionality offered includes call setup and teardown, channel allocation, and other optional services.

G.711 Standard: It describes the standard 64 kbps audio encoding used by telcos.

ISDN Reference Points:

ISDN standards specify several reference points that functionally separate the ISDN network. ISDN devices need to comply with the applicable reference point specifications. For example, a TE1 device such as an ISDN phone or a computer needs to comply with the reference point 'S' specifications. The various reference points specified in ISDN are given in the figure below:

R: This is the reference point between non-ISDN equipment and a Terminal Adapter (TA).

S: This is the reference point between user terminals and Network Termination Type2 (NT2).

T: This is the reference point between NT1 and NT2 devices.

U: This is the reference point between NT1 devices and line termination equipment of the Telco

PPP and SLIP Protocols Overview

Serial Line Internet Protocol (SLIP):

This is a packet-framing protocol and defines a sequence of bytes that frame IP packets on a serial line. It is commonly used for point-to-point serial connections running TCP/IP.

Point-to-Point Protocol (PPP):

PPP is basically an encapsulation protocol that is used to transport datagrams over serial point-to-point links. Network address assignment, link configuration management, error detection, multi protocol support are some of the most prominent features of PPP protocol. PPP supports these features by using LCP (Link Control Protocol), and NCP (Network Control Protocol).

LCP is responsible for initiating, negotiating, configuring, maintaining, and terminating the point-to-point serial link.

You can transport multiple protocols like IP, IPX, DECnet using PPP.

Protocol frame configuration: As mentioned earlier, the protocol frame is a version of HDLC protocol. It contains six fields as shown in the diagram.

Flag (both opening and closing flags): 8 bits (01111110 or 7E hex)
Address: PPP does not use node addresses. It is a single byte of 11111111, representing a broadcast address.
Control: The field is 8 bits wide. PPP does not use it for sequencing; it is always 00000011 (0x03), marking an Unnumbered Information frame.
Protocol: 16 bits wide, and identify the protocol encapsulated in the DATA field of the frame.
Data
(Payload): This is the information that is carried from node to node. The default maximum length of the Data field is 1500 bytes.
FCS (Frame Check Sequence): It is either 16 bits (the default) or 32 bits wide and is computed over the address, control, protocol and data fields with a Cyclic Redundancy Code (CRC). It is used to verify data integrity: if the FCS check fails, the frame is silently discarded.
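As an added example that is not part of the original article, the Python code below builds and parses a PPP frame in HDLC-like framing as described above (RFC 1662): flags, the all-stations address 0xFF, control 0x03, the protocol field, the payload, and the 16-bit FCS that is verified on receipt, with a bad FCS causing the frame to be discarded as the text says. It also applies the octet stuffing used on asynchronous links, which the text does not cover. The sample payload is constructed; the same flag, FCS and field layout apply to the HDLC frame described in the final section.

```python
# Added example, not from the original article: PPP frame in HDLC-like framing
# (RFC 1662) with FCS-16 generation/verification and async octet stuffing.
FLAG, ESC = 0x7E, 0x7D
ADDR_ALL_STATIONS, CTRL_UI = 0xFF, 0x03

def fcs16(data):
    """PPP FCS-16 (CRC-16/X.25): reflected poly 0x8408, init 0xFFFF, final xor 0xFFFF."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF

def escape(raw):
    """Async stuffing: flag, escape and (default ACCM) control characters < 0x20
    are sent as ESC followed by the byte XOR 0x20."""
    out = bytearray()
    for b in raw:
        if b in (FLAG, ESC) or b < 0x20:
            out += bytes([ESC, b ^ 0x20])
        else:
            out.append(b)
    return bytes(out)

def unescape(stuffed):
    out, i = bytearray(), 0
    while i < len(stuffed):
        b = stuffed[i]
        if b == ESC:
            i += 1
            if i >= len(stuffed):
                raise ValueError("escape at end of frame")
            b = stuffed[i] ^ 0x20
        out.append(b)
        i += 1
    return bytes(out)

def build_frame(protocol, payload):
    """FLAG | FF 03 | protocol (2 bytes) | payload | FCS (low byte first) | FLAG"""
    body = bytes([ADDR_ALL_STATIONS, CTRL_UI]) + protocol.to_bytes(2, "big") + payload
    fcs = fcs16(body)                               # covers address..payload
    body += bytes([fcs & 0xFF, fcs >> 8])           # least significant octet first
    return bytes([FLAG]) + escape(body) + bytes([FLAG])

def parse_frame(wire):
    """Return the frame fields, or None when the FCS fails (frame is discarded)."""
    if len(wire) < 2 or wire[0] != FLAG or wire[-1] != FLAG:
        raise ValueError("frame must start and end with a flag")
    body = unescape(wire[1:-1])
    if len(body) < 6:                               # addr + ctrl + proto + fcs
        raise ValueError("frame too short")
    stored = body[-2] | (body[-1] << 8)
    if fcs16(body[:-2]) != stored:
        return None                                 # corrupted in transit: drop it
    return {"address": body[0], "control": body[1],
            "protocol": int.from_bytes(body[2:4], "big"),
            "payload": body[4:-2]}

if __name__ == "__main__":
    frame = build_frame(0x0021, b"\x7e\x7dhello")   # 0x0021 = IPv4 in PPP; payload constructed
    print(frame.hex())                              # starts 7eff7d23 0021 ...
    print(parse_frame(frame))
    damaged = bytearray(frame)
    damaged[frame.index(b"hello")] ^= 0x20          # flip one payload bit
    print(parse_frame(bytes(damaged)))              # None
```

The hex dump shows why a PPP capture starts 7E FF 7D 23: the control byte 0x03 is below 0x20 and is therefore stuffed on an asynchronous link. Synchronous HDLC links use bit stuffing instead of this octet escaping, but the flag, address, control and FCS fields are the same.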

Operation of PPP:

PPP operates over different phases consisting of

  • Link establishment and configuration negotiation
  • Link quality determination phase (Optional)
  • Network layer protocol configuration negotiation
  • Link termination

Initially, PPP negotiates a link between the two point-to-point interfaces. These are normally DTE and DCE interfaces such as RS-232C, V.35, RS-422 and RS-423. PPP itself imposes no limit on the achievable speed; the physical interfaces and the media normally limit the available link speed.

The second phase is link quality determination. This phase is optional.

Once the link-level configuration is made and the link is established, the network-level configuration is negotiated by the NCP for each network protocol (IPCP for IP).

The link is terminated by LCP as and when required.

Advantages of PPP over SLIP:

1. Address notification: The server can tell a dial-up client the IP address to use on the link (negotiated through IPCP). SLIP requires the user to configure this information manually.

2. Authentication: PPP supports the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP); SLIP has no authentication at all. PAP sends the user name and password across the link in plain text, so anyone who can see the line can read them. CHAP never sends the secret: the authenticator sends a random challenge, the peer replies with an MD5 hash of the identifier, the secret and the challenge, and the authenticator compares that with its own computation. It can repeat the challenge at any time during the connection. Note that CHAP relies on a one-way hash, not on encryption, and that both ends must hold the secret in clear text.

3. Multiple Protocol Support: PPP can support Multiple Protocols to operate on the same link. For example, both IP and IPX traffic can use same PPP link.

4. Link Monitoring: LCP Echo-Request and Echo-Reply packets let the peers monitor the link and diagnose link failures.
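To make the PAP-versus-CHAP point concrete, here is an added example that is not part of the course notes: it builds a PAP Authenticate-Request as RFC 1334 lays it out and runs a CHAP Challenge/Response round as RFC 1994 defines it (Response Value = MD5 over Identifier, secret and Challenge) between a constructed client and authenticator, then shows what each protocol leaves visible on the wire. Peer names, secrets and the authenticator name are constructed for the example.

```python
"""PAP versus CHAP on a PPP link (RFC 1334 and RFC 1994).

Added example, not part of the course notes: builds the PAP
Authenticate-Request and runs a CHAP challenge/response between a
constructed client and server to show what each protocol leaves visible
on the wire.  Peer names, secrets and the authenticator name are
constructed for the example.
"""
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334 2.2.1): the password rides in clear."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return bytes([1, identifier]) + struct.pack(">H", 4 + len(data)) + data


def chap_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """CHAP Challenge/Response layout (RFC 1994 4.1): Value-Size, Value, Name."""
    data = bytes([len(value)]) + value + name
    return bytes([code, identifier]) + struct.pack(">H", 4 + len(data)) + data


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 4.1: MD5 over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side.  CHAP needs the plain-text secret on both ends, so
    the server keeps a name -> secret table; every challenge is random and
    single-use so a captured response cannot be replayed."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.pending = {}          # identifier -> challenge awaiting a response
        self.next_id = 0

    def challenge(self) -> tuple:
        self.next_id = (self.next_id + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[self.next_id] = chal
        return self.next_id, chap_packet(CHAP_CHALLENGE, self.next_id, chal, b"nas-01")

    def verify(self, identifier: int, response: bytes, name: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # unknown or reused id fails
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response_value(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def run_chap(server: ChapAuthenticator, name: bytes, client_secret: bytes) -> tuple:
    """One Challenge/Response round.  Returns (accepted, bytes seen on the wire)."""
    ident, challenge_pkt = server.challenge()
    size = challenge_pkt[4]
    challenge = challenge_pkt[5:5 + size]            # the peer reads Value from the packet
    value = chap_response_value(ident, client_secret, challenge)
    response_pkt = chap_packet(CHAP_RESPONSE, ident, value, name)
    rsize = response_pkt[4]
    accepted = server.verify(ident, response_pkt[5:5 + rsize], response_pkt[5 + rsize:])
    return accepted, challenge_pkt + response_pkt


if __name__ == "__main__":
    server = ChapAuthenticator({b"branch-rtr": b"s3cret-link-key"})
    print("PAP on the wire:", pap_authenticate_request(1, b"branch-rtr", b"s3cret-link-key").hex())
    print("CHAP, right secret:", run_chap(server, b"branch-rtr", b"s3cret-link-key")[0])
    print("CHAP, wrong secret:", run_chap(server, b"branch-rtr", b"wrong")[0])
```

The PAP bytes contain the password verbatim; the CHAP bytes contain only a random challenge and a 16-byte digest, and because the authenticator discards each challenge after one use, replaying a captured response fails.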

HDLC Protocol Overview

HDLC (High-level Data Link Control) is a family of protocols, with the frame structure defined in ISO 3309, for transmitting synchronous data over serial point-to-point links. HDLC organizes data into frames before transmission and operates at Layer 2 (the data link layer) of the OSI model.

HDLC Frame Structure:

The HDLC frame consists of Flag, Address, Control, Data, and CRC fields as shown. The bit length of each field is given below:

Flag (both opening and closing flags): 8 bits (01111110 or 7E hex)
Address: Normally 8 or 16 bits in length. A leading 'zero' bit (MSB) indicates a unicast message and the remaining bits give the destination node address; a leading 'one' bit (MSB) indicates a multicast message and the remaining bits give the group address. The all-ones address (11111111) is the all-stations, or broadcast, address, which is the one PPP uses.
Control: 8 bits wide (16 bits with extended sequence numbers) and indicates whether the frame is a control or data frame. The field carries the send and receive sequence numbers (HDLC frames are numbered so that lost frames are detected and received frames are acknowledged) and the poll bit (the sender wants a reply) or final bit (this frame is the reply, or the last frame of a sequence).

Data (Payload): This is the information that is carried from node to node. This is a variable field. Sometimes padded with extra bits to provide fixed length.
FCS (Frame Check Sequence) or CRC (Cyclic Redundancy Code): It is normally 16 bits wide. Frame Check Sequence is used to verify the data integrity. If the FCS fails, the frame is discarded.

The generator polynomial used for the 16-bit FCS (the CRC-CCITT polynomial, also used by PPP):
FCS [16 bits] = x^16 + x^12 + x^5 + 1

Closing Flag: It is same as Opening Flag.

If no care were taken, the flag pattern (01111110) could occur inside the data field, where it would be wrongly interpreted as the end of the frame. To avoid this ambiguity, the transmitter inserts a '0' bit after every five consecutive 1s in the data (bit stuffing). At the receiving end, the receiver drops the '0' bit that follows any five consecutive 1s and continues with the next bit. This way the flag pattern (01111110) can never occur in the data field, because six 1s in a row can only belong to a flag.
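The following is an added example, not part of the course notes, showing the stuffing rule from the transmitter's side and the flag hunt and zero removal from the receiver's side. The bit stream is modelled as a string of '0' and '1' characters written MSB-first per octet for readability (real HDLC sends the least significant bit of each octet first); the payloads are constructed so that they contain the flag byte 0x7E and a run of eight 1s.

```python
"""HDLC zero-bit insertion (bit stuffing) on a continuous bit stream.

Added example, not from the course notes: the transmitter inserts a 0 after
every run of five 1s so the flag pattern 01111110 can only ever appear as a
real flag; the receiver hunts for flags, drops the inserted zeros and
returns the frames in between.  Bits are written MSB-first per octet for
readability (real HDLC sends the LSB first); the payloads are constructed.
"""

FLAG = "01111110"


def to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def from_bits(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def bit_stuff(bits: str) -> str:
    """Transmitter: after five consecutive 1s force a 0, whatever data follows."""
    out, ones = [], 0
    for b in bits:
        out.append(b)
        ones = ones + 1 if b == "1" else 0
        if ones == 5:
            out.append("0")      # inserted bit, not part of the data
            ones = 0
    return "".join(out)


def frame(payload: bytes) -> str:
    """Opening flag, stuffed payload, closing flag."""
    return FLAG + bit_stuff(to_bits(payload)) + FLAG


def deframe(stream: str) -> list:
    """Receiver side.  Walks a bit stream that may carry several frames,
    inter-frame flags and abort sequences, and returns the payload of each
    complete frame.  Six or more 1s that are not part of a flag abort the
    frame in progress."""
    frames, buf, ones, in_frame = [], [], 0, False
    i = 0
    while i < len(stream):
        if stream.startswith(FLAG, i):
            # A flag closes the current frame and opens the next one, so two
            # back-to-back frames may share a single flag.
            if in_frame and buf and len(buf) % 8 == 0:
                frames.append(from_bits("".join(buf)))
            buf, ones, in_frame = [], 0, True
            i += 8
            continue
        b = stream[i]
        i += 1
        if not in_frame:
            continue                      # still hunting for an opening flag
        if ones == 5:
            ones = 0
            if b == "0":
                continue                  # the stuffed 0: drop it, keep the data
            buf, in_frame = [], False     # 111111 outside a flag: abort
            continue
        buf.append(b)
        ones = ones + 1 if b == "1" else 0
    return frames


if __name__ == "__main__":
    # Constructed payload with the flag byte 0x7E and a run of eight 1s.
    payload = bytes([0x7E, 0xFF, 0x3F, 0x00])
    wire = frame(payload)
    print(wire)
    print(FLAG in wire[8:-8])             # flag pattern never inside the frame
    print(deframe(wire + FLAG * 3 + frame(b"\x01")))
```

Running it shows that 0x7E in the payload comes out as 011111010 on the line, that the stuffed stream between the two flags never contains six consecutive 1s, and that a receiver fed two frames separated by idle flags recovers both payloads intact.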

Synchronous links normally transmit all the time, but useful information is not always available. Between frames the transmitter may send an idle condition (continuous 1s, 11111111...) or a series of flags (01111110) as inter-frame fill instead of the idle pattern. Continuous transmission is needed to keep the transmitting and receiving nodes synchronized.

Ex.: frame flag ... flag ... flag frame ... flag ... flag ... frame frame (two consecutive frames may share one flag, which serves as the closing flag of the first and the opening flag of the second)

PPP uses a subset of HDLC framing (SLIP is not HDLC-based; it has its own simpler END/ESC byte framing). ISDN's D channel uses a modified version of HDLC (LAPD). Also note that Cisco routers use HDLC as the default serial-link encapsulation; Cisco's HDLC adds a proprietary protocol-type field, so a serial link to another vendor's equipment normally needs PPP instead.

HDLC Frame Types

The control field in HDLC is also used to indicate the frame type. There are three types of frames supported by HDLC. These are:

I Frames: Information frames, which carry user data
S Frames: Supervisory frames, which carry commands and responses for flow and error control
U Frames: Unnumbered frames, which typically carry link-management commands and responses

I Frames are sequentially numbered; they carry user data, the poll and final bits, and piggybacked acknowledgements (the receive sequence number N(R)).

S Frames carry retransmission requests (REJ), flow control (RR, RNR) and other supervisory controls.

U Frames set up and tear down the link (SABM, DISC, UA) and can be used to initialize secondaries.
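The following is an added example, not part of the course notes, that decodes and builds the 8-bit HDLC control field for the three frame types described above. Bit 0 is the first bit transmitted, which is the least significant bit of the octet as written in hex; the modulo-8 (basic) form of the control field is assumed, and the U-frame names follow the LAPB/ISO values (UI, SABM, DISC, UA, DM, FRMR). The small acknowledgement helper at the end shows what a received N(R) means for the sender's outstanding I frames.

```python
"""Decoding and building the HDLC control field (basic, modulo-8 form).

Added example, not from the course notes.  Bit 0 is the first bit sent,
i.e. the least significant bit of the octet as written in hex.  Modulo-8
sequence numbers are assumed; U-frame names follow the LAPB/ISO values.
"""

S_TYPES = {0: "RR", 1: "RNR", 2: "REJ", 3: "SREJ"}
# U-frame modifier bits with the P/F bit (bit 4) masked off.
U_TYPES = {0x03: "UI", 0x0F: "DM", 0x2F: "SABM", 0x43: "DISC", 0x63: "UA", 0x87: "FRMR"}


def decode_control(ctrl: int) -> dict:
    """Classify one control octet as I, S or U and pull out its fields."""
    ctrl &= 0xFF
    pf = (ctrl >> 4) & 1                     # poll (command) / final (response)
    if ctrl & 0x01 == 0:                     # bit 0 = 0: Information frame
        return {"type": "I", "ns": (ctrl >> 1) & 7, "nr": (ctrl >> 5) & 7, "pf": pf}
    if ctrl & 0x02 == 0:                     # bits 0-1 = 1,0: Supervisory frame
        return {"type": "S", "name": S_TYPES[(ctrl >> 2) & 3],
                "nr": (ctrl >> 5) & 7, "pf": pf}
    # bits 0-1 = 1,1: Unnumbered frame; the remaining five bits name the command
    name = U_TYPES.get(ctrl & 0xEF, f"U-0x{ctrl & 0xEF:02X}")
    return {"type": "U", "name": name, "pf": pf}


def encode_i(ns: int, nr: int, pf: int = 0) -> int:
    """I frame: N(S) in bits 1-3, P/F in bit 4, N(R) in bits 5-7."""
    return ((nr & 7) << 5) | ((pf & 1) << 4) | ((ns & 7) << 1)


def encode_s(name: str, nr: int, pf: int = 0) -> int:
    """S frame: 1,0 in bits 0-1, S code in bits 2-3, P/F, N(R)."""
    code = {v: k for k, v in S_TYPES.items()}[name]
    return ((nr & 7) << 5) | ((pf & 1) << 4) | (code << 2) | 0x01


def encode_u(name: str, pf: int = 0) -> int:
    """U frame: 1,1 in bits 0-1, modifier bits 2-3 and 5-7, P/F in bit 4."""
    code = {v: k for k, v in U_TYPES.items()}[name]
    return code | ((pf & 1) << 4)


def still_outstanding(nr: int, unacked: list) -> list:
    """Sender side: a received N(R) acknowledges every outstanding I frame
    sent before the one numbered N(R) (modulo 8).  `unacked` lists N(S) values
    in send order; the list of frames still waiting is returned."""
    if nr in unacked:
        return unacked[unacked.index(nr):]
    if not unacked or nr == (unacked[-1] + 1) % 8:
        return []                              # everything acknowledged
    return unacked                             # N(R) outside the window: ignore


if __name__ == "__main__":
    # Constructed link setup, two data frames, an acknowledgement, disconnect.
    exchange = [encode_u("SABM", pf=1), encode_u("UA", pf=1),
                encode_i(0, 0), encode_i(1, 0), encode_s("RR", nr=2),
                encode_u("DISC", pf=1), encode_u("UA", pf=1)]
    for ctrl in exchange:
        print(f"0x{ctrl:02X}", decode_control(ctrl))
    print(still_outstanding(2, [0, 1]))
```

Decoding 0x03, the fixed Control value PPP sends, classifies it as a U frame named UI, which is why the PPP Control field carries no sequence numbers.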