Chapter 1

Using Cisco for Remote Access

In This Chapter
• Overview of WAN Connections
• WAN Considerations
• Product Selection

As technology increases in importance to businesses, wide area network (WAN) connectivity becomes a primary factor in implementing business practices. WANs are used to connect multiple sites together with a medium that can carry data over longer distances than is possible with local area network (LAN) technology. As businesses expand to new geographic regions, thereby becoming more competitive in the marketplace, the types of connectivity through WANs can differ greatly. In this chapter we will examine the different types of WANs that can be used and the considerations a business (or consultant) must make to effectively choose the right type.

Overview of WAN Connections

Although connecting all users to a LAN is ideal because of the high speed and low cost, it is impractical to do so across large distances. These distances can be as close as an office across the street or as far as an international branch office halfway around the world. These distances require us to examine the types of WANs that are available. For each type, we must keep in mind:

• Availability: Is the technology available in the area?
• Bandwidth: How much do we need, and how much do we get for that type of WAN connection?
• Cost: Is there a cheaper connection type that still takes into account future growth?
• Ease of management: Is the initial configuration as well as normal operation easy or difficult to maintain?
• Quality of Service (QoS): How critical is the actual data itself, and is there a way to ensure low or no data loss with this WAN type?
• Security: What measures need to be in place to provide security of company data, while still allowing users and customers to access the data they need?
• Reliability: Is the WAN link a critical link, and do we need an additional link in the event of failure?
• Application traffic: What is the primary type of data being sent across the WAN, and can this WAN handle that type?

Connection Types

WAN connections can be broken down into three different types, depending on how they carry data: dedicated, circuit-switched, and packet-switched. We will examine each quickly and describe the different types of protocols that each type can provide. We will examine many of these protocols in detail throughout the rest of the book.

DEDICATED CONNECTIONS • The first type of connection is a dedicated connection that is used to provide full connectivity between two sites in a point-to-point fashion. Also known as a leased line, this type of connection is purchased from the telephone company (telco) and uses a permanent path through the telco’s infrastructure, from one site to another (Figure 1-1). There is no call setup and teardown, which means the circuit is always available. Since the company owns the line, it has full use of the bandwidth, whether it is used or not. The speed of the link can range up to a T3, which is approximately 45 Mbps. If the company is underutilizing that bandwidth, then the cost of the dedicated line is high. The cost of the line can also be too great, even if the bandwidth is being properly used, due to distance limitations. As the distance increases and the possibility of crossing geographic (and telco) boundaries appears, the price increases. Therefore, these lines tend to be best used over short distances with a higher volume of traffic or a steady flow of traffic.

FIGURE 1-1 Dedicated connection using CSU/DSU. (The figure shows a CSU/DSU at each end of the line.)

This type of connection is usually done with a synchronous serial type of connection. Cisco supports this type with virtually all of their routers, using one or more different types of synchronous serial connections, including

• EIA/TIA-232
• V.35
• X.21
• EIA/TIA-449
• EIA-530
• HSSI

CIRCUIT-SWITCHED CONNECTIONS • There are two types of circuit-switched connections available: asynchronous and ISDN (Integrated Services Digital Network). In both cases the circuit, or dedicated path, is created when the call is initiated to the remote site and the circuit is destroyed when the call ends. The best example of a circuit-switched network is the Public Switched Telephone Network (PSTN) that we use every day in our lives.

Asynchronous circuits for data transfer are accomplished through a modem and the use of the telephone network (Figure 1-2). Since telephones exist in virtually every city in the world, connecting to remote sites is always a possibility. While the cost of the telephone service is very cheap when compared to other types of WAN connections, the real limiting factor is the small bandwidth that is available. Depending on the setup of the connection, the best that can be accomplished is 56 Kbps. Because of this, this type of connection is best used when other WAN types are not available, small amounts of data are exchanged, or cost is a primary issue.

FIGURE 1-2 Circuit-switched through provider, using modems.

ISDN has two flavors that are used for WAN connections. The first is Basic Rate Interface (BRI) and has a maximum bandwidth of 128 Kbps. This is at least twice as fast as a modem, and the call setup and teardown are much quicker. In addition, having a BRI connection not only allows for data transfer, but analog voice can be used at the same time to cut phone costs to remote sites. BRI tends to be more expensive than asynchronous calls and has limited availability, although ISDN is becoming more available throughout the U.S. The second type of ISDN is known as Primary Rate Interface (PRI) and can reach speeds up to 2 Mbps. This type of WAN connection is ideal for combining multiple BRI channels and asynchronous calls into the same router, using only one physical interface.

There is one other potential use for both asynchronous and BRI networks. In the event that a primary link fails, they may act as a backup link to ensure connectivity.

PACKET-SWITCHED CONNECTIONS • Packet-switching (Figure 1-3) is a method where two or more sites are connected through a shared network, typically called a cloud. By shared network, we mean that more than one company has access to the cloud. Remote sites are connected via a virtual circuit (VC) that allows data to traverse the cloud and arrive at the correct location. Within the cloud, each packet can take a different path to reach the final destination. Because the data travels through a shared cloud, the cost tends to be lower than the same bandwidth used for a dedicated line.

Packet switching can be considered the common ground between dedicated lines and circuit-switched. Although usually more expensive and not as freely available as circuit-switched networks, the additional bandwidth (up to T1 speeds) makes it an attractive alternative. Also, it is cheaper over longer distances than dedicated lines, which again makes it a nice alternative.

FIGURE 1-3 Packet switching using provider cloud such as .

Protocols Used on WANs

There are many different types of protocols used throughout the world, depending on location, type of WAN, and administrator knowledge. These protocols all operate at layer 2 (at least) of the OSI model (data-link layer). We will briefly review them here, and other chapters will dedicate more discussion to the more common of them.

POINT-TO-POINT PROTOCOL (PPP) • PPP is used with both dedicated lines and circuit-switched networks. It is a standard protocol that vendors can use to interoperate their equipment with other vendors. In addition, PPP supports multiple network layer protocols such as TCP/IP and IPX/SPX, as well as authentication and compression mechanisms. Because PPP is such a versatile protocol, we will examine it more thoroughly in later chapters.

SERIAL LINE PROTOCOL (SLIP) • One of the earliest protocols used in point-to-point connections, SLIP is being phased out due to some of its serious drawbacks. These drawbacks include support only for TCP/IP and lack of security. SLIP can be used over dedicated and circuit-switched networks. We will not examine SLIP in this book.

HIGH-LEVEL DATA LINK CONTROL (HDLC) • Although HDLC is a standard, the limiting factor of that standard is the support for only a single protocol. Because of this, Cisco has modified it to support multiple protocols over point-to-point links. This is the default encapsulation protocol on serial links with Cisco routers. Because of this modification, though, Cisco products may not interoperate with other vendors’ equipment. In this situation, PPP is the better protocol. HDLC is supported over dedicated lines, but not over circuit-switched or packet-switched networks. HDLC is a simple protocol, and therefore we will not examine it in much more detail in this book.

FRAME RELAY (FR) • Frame Relay was a protocol derived from ISDN specifications and has evolved to become the dominant layer 2 protocol over packet-switched networks. As a standard, it has become widely available throughout the United States and many other parts of the world. Frame Relay is a protocol that should be thoroughly understood, and so we will examine it in later chapters.

X.25 • X.25 is an older protocol that can still be found throughout the world. It is also a protocol that is used over packet-switched networks. The primary difference between X.25 and Frame Relay is the overhead of error correction built into X.25. This overhead was a necessary feature of the older, less reliable networks and of networks still found in more remote parts of the world. Although it is an older protocol, it does have a large install base worldwide, and therefore we will examine it in more detail in a later chapter.

FUTURE NETWORKS • Asynchronous Transfer Mode (ATM) networks are cell-switched instead of packet-switched. The smaller, fixed cell size of 53 bytes allows multiplexing data such as voice and video with more control. ATM is designed for very high speeds of data transfer, such as OC-192 (10 Gbps!). Digital Subscriber Line (DSL) and cable modem technologies are other types of WAN connections that are being brought to the public’s attention. Their primary role so far has been to connect more people to the Internet at faster speeds than are possible with a modem.

NOTE: This section on future networks is not covered in the exam (yet). Because of this, these topics will not be covered in this book. It is advised, however, to learn more about these technologies. The ultimate goal of the CCIE certification means constant learning and keeping up with new technologies. These are good starting points.

WAN Considerations

In the previous section we briefly mentioned some of the considerations necessary for selecting the correct WAN technology. There are many decisions that must be made before being able to select the appropriate WAN type.

Potentially the biggest is the availability of any given WAN type. While it is nice to have a business in a well-developed urban region, remote sites (especially international sites) may severely restrict the possibilities. In general, asynchronous connections are almost always available. It would be wise to find out what types are available before considering any of the other factors.

Bandwidth limitations may also be a factor. If the requirements for a WAN are for small amounts of data or short connection times, then a circuit-switched network would be ideal. But if more data, such as video, voice, or large numbers of file downloads, will be transiting the WAN, then circuit-switched may not be good enough. In this case, packet switching such as Frame Relay becomes a better option. If the amount of bandwidth consumed is fairly constant and used over a short distance, then dedicated lines may make more sense.

Closely related to the bandwidth is the cost of the WAN link. While asynchronous connections and even ISDN are fairly cheap, the cost of a dedicated line may be too much for a business to absorb. Also, long distance charges may make these types of links too expensive. Unfortunately, this is an often-overlooked cost during initial designs. A good middle ground is a packet-switched network. Keep in mind that if the distance is short and the bandwidth is constant, dedicated lines may actually be cheaper than Frame Relay. On the other hand, many remote sites would be very expensive to set up each with a dedicated line. This is an ideal situation for Frame Relay, if the cost can be justified.

Ease of management can be an often-overlooked consideration in selecting the correct WAN type. The management features of a WAN link consist of the initial configuration as well as maintaining the link during normal operations. Dedicated lines tend to be easier to configure and maintain than the other types. However, with any of these link types, if connectivity to the remote site is lost, management of that site and that link becomes difficult, often requiring support staff on both ends (or a lot of travel for the network engineer).

Quality of Service (QoS), in this discussion, deals with the importance of a link to a remote site. Is the data being sent across the link so valuable that delay or loss of data will cost the business money, or that the business itself could not weather a loss or delay? If this is the case, then a backup link may be required.
Asynchronous connections tend to be unreliable in this sense but may act as the backup link to a Frame Relay or dedicated connection.

Closely matched with QoS is the reliability of the link in reference to the hardware. If the link is extremely important, then it might be prudent to carry spare parts, such as CSU/DSUs, modems, and even routers. There may also be an instance where two links are established so that no delay occurs if a single link fails.

The type of application traffic that may need to traverse the WAN link can dictate the type of WAN link required. Are the packets being delivered small, bursty traffic such as email, or are they predominantly sustained larger packets such as file transfers? This works in conjunction with the bandwidth requirements, but can also define the upper-layer protocols that may be needed. IPX/SPX and TCP/IP may both be necessary, and thus SLIP would not be a suitable protocol. Although HDLC might work in this instance, are both routers Cisco routers? If not, then PPP becomes the best solution.

Security is becoming a major concern with our networks as more people are connected to the Internet. Most people think about security with regard to hackers and crackers, but in truth security should also be concerned with inadvertent access by employees causing unintentional damage. Routers can be set up with access lists or filters to prevent access, but what about requiring authentication from your users across those WAN links? It may be necessary to implement an authentication server such as RADIUS or TACACS+. Preventing unauthorized viewing of data between sites or between users and sites can be accomplished with technologies such as virtual private networks (VPNs). Security concerns should always be addressed when deciding on the type of WAN link. Dedicated lines tend to be inherently more secure from prying eyes than using modems for accessing the Internet.
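The following IOS configuration fragment is an added example, not from the book and not a configuration Cisco supplies. It shows how the measures named in the security consideration above fit together on a central-site remote-access router: an AAA server (TACACS+ for router logins, RADIUS for dial-in users), PPP CHAP authentication on the WAN links, and an inbound access list on the WAN side of the router. The hostname, addresses, server keys, interface numbers and address ranges are placeholders chosen for the example; the commands are standard IOS AAA, PPP and access-list commands.

```cisco
! Added example (not from the book): hardening a central-site remote-access
! router. All names, addresses and keys below are placeholders.
hostname central-rtr
service password-encryption
!
! AAA: router logins are checked against TACACS+, PPP peers against RADIUS.
! "local" is the fallback used only if the servers cannot be reached.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication ppp default group radius local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
! Local fallback account. "secret" stores an irreversible hash, unlike the
! reversible type-7 encoding that service password-encryption applies.
username admin privilege 15 secret PLACEHOLDER-LOCAL-PASSWORD
enable secret PLACEHOLDER-ENABLE-SECRET
!
tacacs-server host 10.1.1.10
tacacs-server key PLACEHOLDER-TACACS-KEY
radius-server host 10.1.1.11
radius-server key PLACEHOLDER-RADIUS-KEY
!
! Send the ACL hits and AAA events to a syslog host on the corporate LAN.
logging 10.1.1.12
!
! Corporate LAN (10.0.0.0/16 in this example).
interface Ethernet0
 ip address 10.0.0.1 255.255.0.0
!
! Dedicated line to the branch office (10.10.0.0/16): PPP with CHAP so each
! peer proves its identity before traffic flows (HDLC offers no authentication).
interface Serial0
 description Leased line to branch office
 ip address 10.255.0.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 ip access-group 101 in
!
! Dial-in modem users: CHAP against RADIUS, addresses from a pool, same ACL.
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode interactive
 peer default ip address pool DIALIN
 ppp authentication chap
 ip access-group 101 in
 group-range 1 16
!
ip local pool DIALIN 10.2.0.1 10.2.0.16
!
! Inbound filter on the WAN side: only the branch and the dial-in pool may
! reach the corporate LAN; everything else is dropped and logged.
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 101 deny   ip any any log
!
! Management sessions are accepted only from the corporate LAN.
access-list 10 permit 10.0.0.0 0.0.255.255
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
!
line 1 16
 modem InOut
 autoselect ppp
 autoselect during-login
```

Two design points: the `local` fallback in each AAA method list keeps the router reachable if the TACACS+ or RADIUS server is down, and the final `deny ip any any log` line turns the access list into a detection source as well as a filter, since any branch or dial-in host that tries to reach something other than the corporate LAN shows up on the syslog host.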

Product Selections

If we were to examine the entire line of products that Cisco produces, we could become overwhelmed rather quickly by all the selections. Deciding on the correct product for use today as well as for the future can often be a daunting task. In this section we will examine the types of routers that can be used for remote access and where each of those routers is best positioned.

Central Site Selection

The central site is usually the headquarters, but it can also be a primary destination for most remote sites. This site may use multiple WAN types terminated at various remote sites, and therefore the router (or routers) must be able to grow with the demand. The central site must be designed with many of the WAN considerations. Choosing the right WAN type must be based on cost and bandwidth. Keeping the cost low while still maintaining a solid flow of traffic defines the role of the remote access router.

The central site must also maintain security. Since the role of this router is to allow remote access to the corporate LAN, unintentional or unauthorized access must be restricted. This can be accomplished with PPP authentication, AAA servers, VPNs, and access lists.

Finally, if downtime must be kept minimal, then reliability and fault tolerance must be taken into account. There may need to be backup links in the event of a primary link failure, or even a standby router running the Hot Standby Routing Protocol (HSRP).

The Cisco 7000 series routers are high-performance routers that can scale well to future needs. This model has a high port density, which means that many WAN connections can be added to support a large number of remote sites. This port density is accomplished with modular interfaces that can be added as needed. It has the speed to process demanding traffic patterns that a central office might require.
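As an added example (not from the book, and not a Cisco-supplied configuration), the fragment below shows the two fault-tolerance measures named for the central site: an ISDN BRI that is brought up automatically as a backup when the primary leased line to a branch fails, and HSRP so that a second central-site router takes over the LAN gateway address if this one fails or loses its WAN link. Interface names, addresses, the branch router name, the ISDN number and the HSRP key are placeholders chosen for the example.

```cisco
! Added example (not from the book): redundancy on a central-site router.
! Interface names, addresses, names and keys are placeholders.
!
! CHAP peer for the branch router (same secret on both ends).
username branch-rtr password PLACEHOLDER-CHAP-SECRET
isdn switch-type basic-ni
!
! 1. Dial backup. If Serial0 goes down, BRI0 leaves standby after 10 seconds;
!    it returns to standby 60 seconds after Serial0 comes back.
interface Serial0
 description Primary leased line to branch office
 ip address 10.255.0.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 backup interface BRI0
 backup delay 10 60
!
interface BRI0
 description ISDN backup to branch office
 ip address 10.255.1.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 dialer map ip 10.255.1.2 name branch-rtr broadcast PLACEHOLDER-ISDN-NUMBER
 dialer-group 1
!
! Only IP traffic counts as "interesting" traffic that may place the call.
dialer-list 1 protocol ip permit
!
! Routes to the branch: the primary via Serial0, and a floating static route
! via BRI0 (administrative distance 200) that is used only while Serial0 is down.
ip route 10.10.0.0 255.255.0.0 Serial0
ip route 10.10.0.0 255.255.0.0 BRI0 200
!
! 2. HSRP on the LAN. Hosts use 10.0.0.1 as their gateway; this router is
!    active (priority 110) and gives up the role if Serial0 fails (priority
!    drops by 20, below the standby router's 100).
interface Ethernet0
 ip address 10.0.0.2 255.255.0.0
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track Serial0 20
 standby 1 authentication PLACEHOLDER-HSRP-KEY
```

The second central-site router carries the mirror image of the Ethernet0 section with its own address, the default priority of 100 and the same `standby 1 authentication` string; the authentication string keeps a mis-configured or rogue device on the LAN from joining the HSRP group and claiming the gateway address. The `track` decrement is what ties the two measures together: a WAN failure moves the gateway role to the router whose WAN link is still up, rather than leaving hosts pointed at a router with no path to the branch.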

The Cisco AS5000 series routers are a step down from the 7000. One of the best features of this model of router is the integration of routing, switching, channel services (CSU), and modems. Internet Service Providers (ISPs) often use this model of router to provide services to customers.

Stepping down from the AS5000 are the 4000 series routers. This series of routers, including the 4500 and 4700, offers remote access capabilities using two 16-port asynchronous modules for modems. The routers can also offer, instead, two T1/E1 PRI modules.

The final router that can be used for the central site is the 3600 series router. These are also modular routers that support a large array of LAN and WAN interfaces. For example, the 3640 supports four network modules, which can consist of T1 ports, asynchronous ports, digital modems, Ethernet, Token Ring, and many combinations of these interfaces. In fact, more modules are being released to support an ever-growing demand in WAN connectivity.

NOTE: Architecture for Voice, Video, and Integrated Data (AVVID) is a new architecture that Cisco is offering for complete business connectivity. It encompasses operating systems, application software, telephony, and many other pieces of an enterprise that are essential. The products that Cisco offers are being presented as one step to this converged solution. For more information examine the Cisco Web site for AVVID.

Branch Office Selection

Also known as remote sites, these are the sites that connect to the central site for access to the enterprise servers. There are fewer users at these sites than at the central site, but there can be 5, 50, 100, or more users. The number of users can affect the bandwidth requirements and therefore the WAN type. Because of this, choosing the correct router for connection to the central site can be a complicated task. Devices that offer fixed interfaces are cheaper to implement but cannot be upgraded for future demands. Devices with modular interfaces are typically more expensive, but can allow for that future growth.

Designs of the branch office must keep in mind total bandwidth needed, availability of the WAN connection types, security mechanisms to prevent unauthorized access, and possibly even redundancy. Designers must decide if the cost of an “always-on” link is justified, or if a “dial-on-demand” link should be used.

The Cisco 2600 series router is a good candidate for future growth that provides many of the options necessary for different types of LAN and WAN connectivity. This router comes equipped with a single network module slot and two WAN Interface Card (WIC) slots. Most of the modules that work with the 3600 series router will work with the 2600. Each router has either a single LAN connection or dual LAN connections consisting of Ethernet, Fast Ethernet, and/or Token Ring.

The 2500 series router, long considered the staple (and stable!) product, consists of fixed ports with at least one LAN interface and two high-speed serial ports for T1s. There are many different models of this router, available with asynchronous ports, ISDN, hubs, Ethernet, and Token Ring interfaces. While cheaper than the 2600 because of the fixed interfaces, future growth can require a complete replacement.

The 1720 router is a router that is used when VPNs are necessary. Providing support for two WIC slots using some of the same modules available for the 3600/2600, this router is able to use various WAN connectivity types. It also comes with a built-in 10/100 autosensing interface.

The 1600 series routers are a combination of fixed and modular routers. The router contains a single slot for WIC cards. These cards are some of the same used for the 3600/2600/1700 series routers. This provides connectivity using a single WAN type. If another connection is desired at a later date, such as to another remote site as well as the central site, a new router must be purchased.

Telecommuter/Small Office Home Office Selection

This type of site is for a single user or a couple of users at most. Telecommuters, for example, dial in from either home or from hotels. These types of routers are often set up with some type of asynchronous or ISDN connection, although support for other types of WANs does exist. These sites are designed based primarily on cost, both the local cost and the cost of connection to the central site. Also, authentication may be a design issue.

The Cisco 1000 series routers are fixed interface routers that can provide additional WAN types beyond modems and ISDN. All of the routers that have been discussed so far, and the Cisco 800 series, use the standard Cisco IOS for configuration. The 800 series router is the lowest cost of all the IOS-based routers. Most of these routers provide ISDN service with LAN connections.

The final router that can be used for the Telecommuter/SOHO is the Cisco 700 series router. This is the cheapest router and does not use the Cisco IOS. While saying this is the cheapest router, we must remember the support time needed to learn and maintain a different syntax. This can actually cause the price to be more than the couple hundred dollars difference between this router and the 800 series routers. This router is also an ISDN router and supports multiple protocols, such as TCP/IP and IPX/SPX.

Product Selection Tool

To aid designers in choosing the correct network device, Cisco has released a Product Selection Tool that allows the designer to select the features necessary. Based on that information, the tool will return the product lines that fit those needs.

This product is also available on Cisco’s Web site (Figure 1-4). It is a Perl script that imitates the executable that can be found on Cisco’s CD-ROMs. Visit http://www.cisco.com/pcgi-bin/front.x/corona/prodtool/select.pl.

FIGURE 1-4 Finding a Cisco Router product on the Web.

Summary

WAN connections consist of three types: circuit-switched such as modems and ISDN, dedicated or leased lines, and packet-switched such as ATM and Frame Relay. Choosing the correct WAN type depends on many factors, including bandwidth required, cost of that type, and availability of that type. To choose the correct Cisco device, the site must be identified. If it is a central site where the headquarters reside, then Cisco products to be used include the 7000 series, the AS5000 series, the 4000 series, and the 3600 series. If the site is a branch office with fewer users, the products that can be used include the 2600, 2500, 1720, and 1600 series routers. Finally, for sites that are identified as telecommuter or SOHO sites, routers can include the 1000, 800, and 700 series. Identifying the correct device must be done while keeping future growth requirements in mind.

Exam Objective Checklist

• Specify and/or identify the Cisco products that best meet the WAN connection requirements for permanent or dial-up access connections.
• Explain and/or identify the advantages and disadvantages of WAN connection types.
• Select the appropriate WAN connection types that address specific site connection considerations.
• Select Cisco equipment that will suit the specific needs of a WAN topology.

Practice Questions

1. Which one of the following is not a WAN consideration?
   a. Availability
   b. Quality of Service
   c. Compression
   d. Reliability

2. The Public Telephone Network is an example of what WAN connection type?
   a. Asynchronous
   b. Dedicated
   c. Packet-switched
   d. Circuit-switched

3. Frame Relay is an example of what WAN connection type?
   a. Asynchronous
   b. Dedicated
   c. Packet-switched
   d. Circuit-switched


4. Which of the following gives the most bandwidth and costs the least over longer distances?
   a. Asynchronous
   b. Dedicated
   c. Packet-switched
   d. Circuit-switched

5. Which of the following can be used as a backup link method?
   a. Asynchronous
   b. Dedicated
   c. Packet-switched
   d. Circuit-switched

6. Which of the following encapsulation protocols can be used on asynchronous connections?
   a. HDLC
   b. Frame Relay
   c. X.25
   d. PPP

7. Which of the following encapsulation protocols has higher overhead due to the error correction built into it?
   a. HDLC
   b. Frame Relay
   c. X.25
   d. PPP

8. Which type of WAN connection tends to be easier to manage?
   a. Asynchronous
   b. Dedicated
   c. Packet-switched
   d. Circuit-switched

9. Which product integrates routing, switching, CSUs, and modems?
   a. Cisco 7000 Series
   b. Cisco AS5000 Series
   c. Cisco 4500 Series
   d. Cisco 3600 Series

10. Which of the following routers are designed to be used at central sites?
   a. Cisco 4500 Series
   b. Cisco 2600 Series
   c. Cisco 1600 Series
   d. Cisco 800 Series

11. Which router has a single network module slot, two WIC slots, and a fixed LAN interface?
   a. Cisco 3600 Series
   b. Cisco 2600 Series
   c. Cisco 1600 Series
   d. Cisco 800 Series

12. Which router is the cheapest IOS-based router Cisco offers?
   a. Cisco 1000 Series
   b. Cisco 800 Series
   c. Cisco 700 Series
   d. Cisco 600 Series

13. What type of WAN supports BRI?
   a. Asynchronous
   b. Dedicated
   c. Circuit-switched
   d. Packet-switched