Thursday 26 December 2013

What’s been added and removed from the new CCIE exam?

So what topics were explicitly added, removed or moved from one CCIE exam to the other?
Topics explicitly moved from the version 4 CCIE Lab exam to the version 5 CCIE Written exam are as follows:
• Describe IPv6 Multicast
• Describe RIPv6 (RIPng)
• Describe IPv6 Tunneling Techniques
• Describe Device Security using IOS AAA with TACACS+ and RADIUS
• Describe 802.1x
• Describe Layer 2 QoS
• Identify Performance Routing (PfR)
Topics removed from version 5 of the CCIE Routing & Switching exam altogether include the following:
• Flexlink, ISL, Layer 2 Protocol Tunneling
• Frame-Relay (LFI, FR Traffic Shaping)
• WCCP
• IOS Firewall and IPS
• RITE, RMON
• RGMP
• RSVP QoS, WRR/SRR
Topics added to version 5 of the CCIE Routing & Switching Written exam are as follows:
• Describe basic software architecture differences between IOS and IOS XE
• Identify Cisco Express Forwarding Concepts
• Explain General Network Challenges
• Explain IP, TCP and UDP Operations
• Describe Chassis Virtualization and Aggregation Technologies
• Explain PIM Snooping
• Describe WAN Rate-based Ethernet Circuits
• Describe BGP Fast Convergence Features
• ISIS (for IPv4 and IPv6)
• Describe Basic Layer 2 VPN - Wireline
• Describe Basic L2VPN - LAN Services
• Describe GET VPN
• Describe IPv6 Network Address Translation
Topics added to both the version 5 CCIE Routing & Switching Written and Lab Exams are as follows:
• Use IOS Troubleshooting Tools
• Apply Troubleshooting Methodologies
• Interpret Packet Capture
• Implement and Troubleshoot Bidirectional Forwarding Detection
• Implement EIGRP (multi-address) Named Mode
• Implement, Troubleshoot and Optimize EIGRP and OSPF Convergence and Scalability
• Implement and Troubleshoot DMVPN (single hub)
• Implement and Troubleshoot IPsec with pre-shared key
• Implement and Troubleshoot IPv6 First Hop Security

CCIE Exam Category Changes

Version 4 of the CCIE exam had the following 11 categories:
1. Implement Layer 2 Technologies
2. Implement IPv4
3. Implement IPv6
4. Implement MPLS Layer 3 VPNs
5. Implement IP Multicast
6. Implement Network Security
7. Implement Network Services
8. Implement Quality of Service
9. Troubleshoot a Network
10. Optimize a Network
11. Evaluate proposed changes to a Network (written only)

Version 5 of the CCIE exam not only consolidated some of the categories but also listed the percent of each category that is included in both the CCIE Written and the CCIE Lab exams. This is huge, as you know going into the exam where the highest percentage of points is going to be.

The 6 categories of version 5 of the CCIE exam and their respective weights are as follows:

Category                       % Written   % Lab
1. Network Principles          10          0
2. Layer 2 Technologies        15          20
3. Layer 3 Technologies        40          40
4. VPN Technologies            15          20
5. Infrastructure Security     5           5
6. Infrastructure Services     15          15

Wednesday 25 December 2013

CCIE R&S Version 5 Updates

Cisco posted their official announcement on the upcoming changes for CCIE Routing & Switching Version 5.  The majority of the announcement is along the same lines as previously rumored changes, except for the official launch date, which is now scheduled for June 4th 2014.  This should bring a great sigh of relief to you if you’re currently nearing the end of your CCIE R&S v4 preparation, as you now have a 6 month window to pass the v4 lab exam before the change to v5 occurs.
Specifically the announcement details changes to technical topics covered both in the written and lab exams, the equipment used, as well as the exam format, as follows:
Technical Topic Changes
New Lab Topics:
  • Interpreting Packet Captures
  • Bidirectional Forwarding Detection (BFD)
  • Multi Address Family (AF) EIGRP
  • Dynamic Multipoint VPN (DMVPN)
  • IPsec
  • IPv6 First Hop Security
Of the new topics announced, the big ones are DMVPN and IPsec.  These are specifically listed as DMVPN Single Hub and IPsec with Pre-Shared Keys, so the scope is not nearly as large as the CCIE Security.  
Topics moved from the Lab to the Written:
  • IPv6 Multicast
  • RIPng
  • IPv6 Tunneling
  • IOS AAA with TACACS+ and RADIUS
  • 802.1x
  • Layer 2 QoS
  • Performance Routing (PfR)
Topics completely removed:
  • Flexlinks
  • ISL
  • Layer 2 Protocol Tunneling
  • Frame-Relay
  • WCCP
  • IOS Firewall
  • IOS IPS
  • RITE
  • RMON
  • RGMP
  • RSVP QoS
  • WRR/SRR
For topics removed, there are three killer areas here: Frame Relay, PfR, and Layer 2 QoS.  Frame Relay’s removal is no surprise, as Ethernet based last mile access solutions such as Metro Ethernet and Virtual Private LAN Services (VPLS) have exploded in the past few years and have eclipsed legacy methods such as DS3 Frame Relay.  From a technology design point of view though, a lot of the Frame Relay theory transfers directly over to DMVPN, as DMVPN could be thought of as a way to emulate legacy hub-and-spoke network designs over a public transport.
Equipment Changes
As previously rumored, the new CCIE R&S v5 equipment is going all virtual.  As CCIE R&S v4 had already been using virtual IOS for the troubleshooting section of the exam, this should come as no surprise. The biggest implication of this change is that the size of the topology is now arbitrary.  I wouldn’t be surprised going into the exam and seeing a configuration section with 20+ routers in the topology.
The other implication of this change is that certain features can no longer be tested on, as they’re not supported in the virtual IOS.  Those topics that can’t be tested, such as Layer 2 QoS or Flexlinks, are now explicitly excluded from the topic scope of the exam.
Format Changes
Last but not least, a new testing section has been introduced into the R&S v5 lab exam format.  While the written exam format stays the same, the lab now includes a “diagnostic” section, which focuses on the diagnosis and resolution of network issues from a more high level point of view.
This new section won’t use equipment, but instead will present the candidate with information such as network diagrams, CLI outputs, log outputs, traffic captures, and email exchanges, based on which they will be expected to diagnose a presented network problem.  Based on the description in the announcement, I would assume that this format is going to be similar to the CCDE Practical Exam testing format, which tests analytical skills without the need for access to an actual device's CLI.
Another minor change to the exam is how the timing of sections works.  In the v4 format, candidates had a maximum of 2 hours to complete the troubleshooting section, and a minimum of 6 hours for the configuration section.  If the candidate used less than 2 hours in troubleshooting, the extra time rolled over to the configuration section.  In the v5 format this changes along with the addition of the diagnostic section.
In v5, candidates will have a maximum of 2.5 hours to complete troubleshooting, a fixed 30 minutes for the diagnostic section, and the rest to complete configuration.  Any time less than 2.5 hours used in troubleshooting will be credited towards configuration.  For example if a candidate uses only 1.5 hours in troubleshooting then the configuration section would be 6 hours, which along with the .5 hour of diagnostic adds up to a total of 8 hours for the exam.



Wednesday 26 June 2013

How to configure NAT

Configuration of static NAT is very straightforward. In this example we have a web server connected to Router 1. Our web server is using the IP address 10.0.0.2, but for the various reasons discussed in the previous article our company wants to use the IP address 50.0.0.1 for this server. Our task is to configure NAT on Router 1 to translate 10.0.0.2 [inside local web server address] to 50.0.0.1 [inside global IP address].

To configure static NAT follow this step by step guide

Either download this pre configured topology or create your own topology as shown in this figure

[Figure: static NAT topology]

Configure the IP addresses on the PC and the server as given in the figure

Now configure R1 exactly as given here

Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 20.0.0.2 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 30.0.0.0 255.0.0.0 20.0.0.1
R1(config)#ip nat inside source static 10.0.0.2 50.0.0.1
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#

Now configure R0 exactly as given here

Router>enable
Router#configure terminal
Router(config)#hostname R0
R0(config)#interface fastethernet 0/0
R0(config-if)#ip address 30.0.0.1 255.0.0.0
R0(config-if)#no shutdown
R0(config-if)#exit
R0(config)#interface serial 0/0/0
R0(config-if)#ip address 20.0.0.1 255.0.0.0
R0(config-if)#clock rate 64000
R0(config-if)#bandwidth 64
R0(config-if)#no shutdown
R0(config-if)#exit
R0(config)#ip route 50.0.0.0 255.0.0.0 20.0.0.2
R0(config)#
As you have seen in the configuration, there is no direct route for 10.0.0.2, so PCs in the 30.0.0.0 network will never know about it. They will access 50.0.0.1 as the web server IP. To test it, double-click any computer and ping 50.0.0.1, and you will get a reply.
Packet Tracer PC Command Line 1.0
PC>ping 50.0.0.1
Pinging 50.0.0.1 with 32 bytes of data:
Reply from 50.0.0.1: bytes=32 time=141ms TTL=126
Reply from 50.0.0.1: bytes=32 time=80ms TTL=126
Reply from 50.0.0.1: bytes=32 time=109ms TTL=126
Reply from 50.0.0.1: bytes=32 time=125ms TTL=126

Ping statistics for 50.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 80ms, Maximum = 141ms, Average = 113ms
Now ping 10.0.0.2 and you will get a destination host unreachable error.
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.

Ping statistics for 10.0.0.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
This demonstration shows how companies use NAT to hide their internal network from the outside world. Now open a web browser on any PC in the 30.0.0.0 network and browse to the 50.0.0.1 site.
[Figure: static NAT web response]
As you can see in the image, you can easily access 50.0.0.1.
I have uploaded a configured and tested topology. In case you are unable to locate the problem spot, download this configuration file and try to find out where you have made a mistake.

Step by Step Configuration of Dynamic NAT

With dynamic NAT, you must manually define two sets of addresses on your address translation device. One set defines which inside addresses are allowed to be translated (the local addresses), and the other defines what these addresses are to be translated to (the global addresses).
For practice, either download this pre-created topology or create your own in Packet Tracer.
In this example our internal network is using the 192.168.0.0 network. We have five public IP addresses, 50.0.0.1 to 50.0.0.5, to use. Router1 (1841 Router0) is going to be the NAT device. Double-click Router1 (1841 Router0) and configure it as given below.
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.0.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 30.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
R1(config)#ip nat pool test 50.0.0.1 50.0.0.5 netmask 255.0.0.0
R1(config)#ip nat inside source list 1 pool test
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#exit
Now double-click R2 (1841 Router1) and configure it as given below
Router>enable
Router#configure terminal
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 20.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 30.0.0.2 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
Router(config)#hostname R2
To test NAT, go to R1 and enable NAT debugging from privileged mode
R1#debug ip nat
Now go to a PC and ping 20.0.0.2
[Figure: dynamic NAT]
When the ICMP ping packet reaches R1, the router examines its source address against access list 1. As this packet is generated from the 192.168.0.0 network, it passes the access list. The router then checks the NAT pool for a free address to translate this address to. You can check this in the output of the debug command on R1
IP NAT debugging is on
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
As you can see in the output, 192.168.0.7 is translated to 50.0.0.1 before leaving the router.
Now check for web access from any client PC.
In real life it is best practice to turn off debugging after testing, so go to Router 1 and turn off debug mode.
R1#no debug ip nat
IP NAT debugging is off
R1#
I have uploaded a configured and tested topology. In case you are unable to locate the problem spot, download this configuration file and try to find out where you have made a mistake.

Step by Step Configuration of PAT

In dynamic NAT, translation is done IP to IP, so you need as many global IP addresses as you have inside local addresses. That is an issue if you have only a few global IP addresses and hundreds of inside local addresses to translate. In such a situation you need to use PAT.
For demonstration we are going to configure the same topology that we used for dynamic NAT, but this time we are using only one global IP address, 50.0.0.1.
Download this pre-created topology
[Figure: dynamic NAT topology]
The IP addresses of the PCs are already configured. Double-click R1 and configure it as given here
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 30.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
R1(config)#ip nat pool test 50.0.0.1 50.0.0.1 netmask 255.0.0.0
R1(config)#ip nat inside source list 1 pool test overload
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#
Now configure R2 as given below
Router>enable
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 30.0.0.2 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 20.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#hostname R2
R2(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
Now go to a PC and ping 20.0.0.2
[Figure: dynamic NAT]
To verify PAT, go to R1 and run show ip nat translations
R1#show ip nat translations
Pro  Inside global     Inside local       Outside local      Outside global
icmp 50.0.0.1:1        192.168.0.7:1      20.0.0.2:1         20.0.0.2:1
icmp 50.0.0.1:2        192.168.0.7:2      20.0.0.2:2         20.0.0.2:2
icmp 50.0.0.1:3        192.168.0.7:3      20.0.0.2:3         20.0.0.2:3
icmp 50.0.0.1:4        192.168.0.7:4      20.0.0.2:4         20.0.0.2:4
As you can see, this time address translation is done with the port address instead of the IP.
I have uploaded a configured and tested topology. In case you are unable to locate the problem spot, download this configuration file and try to find out where you have made a mistake.
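
For incident response, the table above is what maps a public address and port seen in outside logs back to an inside host. The parser below is an added example, not part of the original post; the function names are assumptions, the four icmp rows are the output shown above and the two tcp rows are constructed.

```python
from collections import Counter, namedtuple

Entry = namedtuple(
    "Entry", "proto inside_global inside_local outside_local outside_global")

# The icmp rows are the page's output; the tcp rows are constructed sample data.
SAMPLE = """\
R1#show ip nat translations
Pro  Inside global     Inside local       Outside local      Outside global
icmp 50.0.0.1:1        192.168.0.7:1      20.0.0.2:1         20.0.0.2:1
icmp 50.0.0.1:2        192.168.0.7:2      20.0.0.2:2         20.0.0.2:2
icmp 50.0.0.1:3        192.168.0.7:3      20.0.0.2:3         20.0.0.2:3
icmp 50.0.0.1:4        192.168.0.7:4      20.0.0.2:4         20.0.0.2:4
tcp 50.0.0.1:1025      192.168.0.7:1025   20.0.0.2:80        20.0.0.2:80
tcp 50.0.0.1:1026      192.168.0.8:1025   20.0.0.2:80        20.0.0.2:80
"""

PROTOCOLS = {"icmp", "tcp", "udp", "---"}


def _endpoint(field):
    """Split 'ip:port' into (ip, port). '---' gives None, a bare IP gives port None."""
    if field == "---":
        return None
    ip, sep, port = field.partition(":")
    return (ip, int(port)) if sep else (ip, None)


def parse_translations(text):
    """Parse 'show ip nat translations' output into Entry tuples.

    The prompt line and the column header are skipped because they do not
    have exactly five whitespace-separated fields starting with a protocol.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] not in PROTOCOLS:
            continue
        proto = None if fields[0] == "---" else fields[0]
        try:
            entries.append(Entry(proto, *(_endpoint(f) for f in fields[1:])))
        except ValueError:          # non-numeric port: not a translation row
            continue
    return entries


def attribute(entries, proto, global_ip, global_port):
    """Return the inside local (ip, port) behind global_ip:global_port, or None."""
    for entry in entries:
        if entry.proto == proto and entry.inside_global == (global_ip, global_port):
            return entry.inside_local
    return None


def sessions_per_host(entries):
    """Count translations per inside local address."""
    return Counter(e.inside_local[0] for e in entries if e.inside_local)


if __name__ == "__main__":
    table = parse_translations(SAMPLE)
    print(attribute(table, "tcp", "50.0.0.1", 1026))
    print(dict(sessions_per_host(table)))
```

Dynamic entries age out of the table, so capture this output with a timestamp while the sessions are still live.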

NAT Network address Translation Static and Dynamic

When communicating with devices in a public network, your device needs to use a source address that is a public address. A NAT device enables hosts with private IPv4 addresses to connect to the Internet. NAT enables you to change an IP address in a packet to a different address. Usually, NAT connects two networks and translates the private (inside local) addresses into public (inside global) addresses before packets are forwarded to another network. In other words, address translation allows you to translate your internal private addresses to public addresses before these packets leave your network.

Situations where you should use NAT

  • Your ISP did not provide you with sufficient public IP addresses
  • Your company is going to merge with a company which uses the same address space
  • You want to hide your internal IP address space from the outside
  • You want to assign the same IP address to multiple machines

There are three types of NAT

  • Static
  • Dynamic
  • PAT

STATIC NAT

In static NAT manual translation is performed by an address translation device, translating one IP address to a different one. If you have 100 devices, you need to create 100 static entries in the address translation table. Typically, static translation is done for inside resources that outside people want to access.

Dynamic NAT

Dynamic NAT is mostly used when inside users need to access outside resources. The global address assigned to the internal user isn't important, since outside devices don't directly connect to your internal users; they just return traffic to them that the inside user requested.
Dynamic NAT is used when an inside user wants to access an external resource. When an inside user sends traffic through the address translation device, say a router, it examines the source IP address and compares it to the internal local address pool. If it finds a match, then it determines which inside global address pool it should use for the translation. It then dynamically picks an address in the global address pool that is not currently assigned to an inside device. The router adds this entry in its address translation table, the packet is translated, and the packet is then sent to the outside world. If no matching entry is found in the local address pool, the address is not translated and is forwarded to the outside world in its original state.
When returning traffic comes back into your network, the address translation device examines the destination IP addresses and checks them against the address translation table. Upon finding a matching entry, it converts the global inside address to the local inside address in the destination IP address field of the packet header and forwards the packet to the inside network.

PAT

With PAT, all devices that go through the address translation device have the same global IP address assigned to them, so the source TCP or UDP port numbers are used to differentiate the different connections. If two devices have the same source port number, the translation device changes one of them to ensure uniqueness.
The major difference between NAT and PAT is that in NAT only IP addresses are translated (not port numbers).
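
The table lookups described in the Dynamic NAT and PAT sections above, as an added example: a simplified Python model, not IOS code and not part of the original post. The class and method names, the inside host numbers and the unmatched source 172.16.0.9 are assumptions; the pool, the access-list range and the static mapping are the ones used in this page's labs.

```python
import ipaddress


class NatModel:
    """Simplified model of static NAT, dynamic NAT and PAT translation tables."""

    def __init__(self, acl, pool, overload=False):
        self.acl = ipaddress.ip_network(acl)  # inside addresses allowed to be translated
        self.free = list(pool)                # global addresses not yet assigned
        self.overload = overload              # True models the 'overload' keyword (PAT)
        self.one_to_one = {}                  # inside local IP -> inside global IP
        self.pat = {}                         # (global IP, port) -> (local IP, port)

    def add_static(self, local, global_ip):
        """Manual, permanent entry: ip nat inside source static <local> <global>."""
        self.one_to_one[local] = global_ip

    def outbound(self, src, sport):
        """Translate the source of an inside -> outside packet.

        Returns (ip, port) as seen outside, or None when no translation
        can be allocated.
        """
        if src in self.one_to_one:                  # static or existing dynamic entry
            return self.one_to_one[src], sport
        if ipaddress.ip_address(src) not in self.acl:
            return src, sport                       # no match: forwarded untranslated
        if not self.overload:                       # dynamic NAT: one global IP per host
            if not self.free:
                return None                         # pool exhausted
            self.one_to_one[src] = self.free.pop(0)
            return self.one_to_one[src], sport
        # PAT: every host shares the pool address; the port keeps flows unique.
        for outside, inside in self.pat.items():
            if inside == (src, sport):
                return outside                      # flow already has an entry
        global_ip = self.free[0]
        for offset in range(65535):                 # keep the port if free, else next free
            gport = (sport - 1 + offset) % 65535 + 1
            if (global_ip, gport) not in self.pat:
                self.pat[(global_ip, gport)] = (src, sport)
                return global_ip, gport
        return None                                 # every port on the address is in use

    def inbound(self, dst, dport):
        """Translate the destination of an outside -> inside packet.

        Returns the inside (ip, port), or None when the table has no entry.
        """
        if (dst, dport) in self.pat:
            return self.pat[(dst, dport)]
        for local, global_ip in self.one_to_one.items():
            if global_ip == dst:
                return local, dport                 # one-to-one entries match any port
        return None


def demo():
    """Run the three cases with the page's addresses; host numbers are constructed."""
    out = {}
    dyn = NatModel("192.168.0.0/24", ["50.0.0.%d" % i for i in range(1, 6)])
    out["dynamic"] = [dyn.outbound("192.168.0.%d" % h, 1025) for h in range(2, 8)]
    out["dynamic_return"] = dyn.inbound("50.0.0.1", 1025)
    out["no_acl_match"] = dyn.outbound("172.16.0.9", 1025)

    pat = NatModel("192.168.0.0/24", ["50.0.0.1"], overload=True)
    out["pat"] = [pat.outbound("192.168.0.7", 1025),
                  pat.outbound("192.168.0.8", 1025)]
    out["pat_return"] = pat.inbound("50.0.0.1", 1026)
    out["pat_unsolicited"] = pat.inbound("50.0.0.1", 80)

    static = NatModel("10.0.0.0/8", [])
    static.add_static("10.0.0.2", "50.0.0.1")
    out["static_inbound"] = [static.inbound("50.0.0.1", p) for p in (80, 23)]
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

In the model the sixth inside host gets no address from the five-address pool, and the static entry answers on every port, so what the server exposes is decided by an inbound access list rather than by NAT.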

Disadvantages of Address Translation

The three main disadvantages of address translation are:
  • Each connection has an added delay.
  • Troubleshooting is more difficult.
  • Not all applications work with address translation.

Address Translation Terms and Types

Term: Explanation
Inside: Addresses located on the inside of your network
Outside: Addresses located outside of your network
Local: The IP address physically assigned to a device
Global: The public IP address physically or logically assigned to a device
Inside local IP address: The IPv4 address that is assigned to a host on the inside network
Inside global IP address: A legitimate IPv4 address assigned by the ISP that represents one or more inside local IPv4 addresses to the outside world
Outside global IP address: An outside device with a registered public IP address
Outside local IP address: An outside device with an assigned private IP address
Static NAT: A manual address translation is performed between two addresses and possibly port numbers.
Dynamic NAT: An address translation device automatically performs address translation between two addresses and possibly port numbers.
Port Address Translation (PAT): Many inside IP addresses are translated to a single IP address, where each inside address is given a different TCP or UDP port number for uniqueness.

How to configure Frame Relay

Configuring Frame Relay involves the following steps:

Change the encapsulation

Go in interface mode and select the Frame Relay encapsulation on the interface. There are two types of Frame Relay encapsulations: Cisco and IETF. Cisco is the default. Syntax to set your encapsulation is
 encapsulation frame-relay [ietf] 

Configure LMI type

The three LMI types are Cisco, ANSI, and Q933a. For IOS 11.2 and higher, the LMI type is automatically detected.
 frame-relay lmi-type {cisco | ansi | q933a}

Configure Frame Relay map

Configuring a static Frame Relay map is optional unless you are using subinterfaces. The Frame Relay map will map a Layer 3 address to a local DLCI. This step is optional because inverse-arp will automatically perform this map for you. The syntax for a Frame Relay map is as follows:
frame-relay map protocol address dlci [broadcast] [cisco | ietf]

Configure subinterfaces

If you are using a routing protocol in a hub-and-spoke topology, you will probably want to use subinterfaces to avoid the split-horizon problem. To configure a subinterface, remove the IP address off the main interface and put it under the subinterface. Configuring a subinterface involves assigning it a number and specifying the type. The following command creates point-to-point subinterface serial0/0.1
 Router(config)#interface serial0/0.1 point-to-point 
To create a multipoint subinterface, enter multipoint instead:
 Router(config)#interface serial0/0.1 multipoint 

Assign IP address to subinterface

After entering one of these commands you will be taken to the subinterface configuration mode where you can enter your IP address:
Router(config-subif)#ip address 10.0.0.2 255.0.0.0 
If you are using a multipoint subinterface, you will need to configure frame-relay maps and you cannot rely on inverse-arp.
If you are using a point-to-point subinterface, you will need to assign a DLCI to the subinterface. This is only for point-to-point subinterfaces; this is not needed on the main interface or on multipoint subinterfaces. To assign a DLCI to a point-to-point subinterface, enter the following command under the subinterface:
 frame-relay interface-dlci dlci 

Configuration of Frame Relay

Let's put into practice what you have learned so far. Download this preconfigured topology and load it in Packet Tracer.
First configure R1. The Fast Ethernet port and hostname are already configured. Double-click R1, configure the serial port for Frame Relay encapsulation, and then create subinterfaces for connecting R2, R3 and R4. Also configure static routes for reaching the remaining networks.

Configure R1

R1>enable
R1#configure terminal
R1(config)#interface serial 0/0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0.102 point-to-point
R1(config-subif)#ip address 192.168.1.245 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 102
R1(config-subif)#exit
R1(config)#interface serial 0/0/0.103 point-to-point
R1(config-subif)#ip address 192.168.1.249 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 103
R1(config-subif)#exit
R1(config)#interface serial 0/0/0.104 point-to-point
R1(config-subif)#ip address 192.168.1.253 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 104
R1(config-subif)#exit
R1(config)#ip route 192.168.1.64 255.255.255.224 192.168.1.246
R1(config)#ip route 192.168.1.96 255.255.255.224 192.168.1.250
R1(config)#ip route 192.168.1.128 255.255.255.224 192.168.1.254
R1(config)#exit

Configure R2

R2>enable
R2#configure terminal
R2(config)#interface serial 0/0/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 0/0/0.101 point-to-point
R2(config-subif)#ip address 192.168.1.246 255.255.255.252
R2(config-subif)#frame-relay interface-dlci 101
R2(config-subif)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.245

Configure R3

R3>enable
R3#configure terminal
R3(config)#interface serial 0/0/0
R3(config-if)#encapsulation frame-relay
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface serial 0/0/0.101 point-to-point
R3(config-subif)#ip address 192.168.1.250 255.255.255.252
R3(config-subif)#frame-relay interface-dlci 101
R3(config-subif)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.249
R3(config)#

Configure R4

R4>enable
R4#configure terminal
R4(config)#interface serial 0/0/0
R4(config-if)#encapsulation frame-relay
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#interface serial 0/0/0.101 point-to-point
R4(config-subif)#ip address 192.168.1.254 255.255.255.252
R4(config-subif)#frame-relay interface-dlci 101
R4(config-subif)#exit
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.253
R4(config)#
Now verify by pinging from PC0 to all the other PCs. The pings should succeed. I have uploaded a configured topology, but use it only as a last resort; first try to configure it yourself.

Router(config)#interface serial 0/0/0
Enters interface mode

Router(config-if)#encapsulation frame-relay
Turns on Frame Relay encapsulation with the default encapsulation type of cisco

Router(config-if)#frame-relay lmi-type {ansi | cisco | q933a}
Depending on the option you select, this command sets the LMI type to the ANSI standard, the Cisco standard, or the ITU-T Q.933 Annex A standard.

Router(config-if)#frame-relay interface-dlci 110
Sets the DLCI number of 110 on the local interface and enters Frame Relay DLCI configuration mode

Router(config-fr-dlci)#exit
Returns to interface configuration mode

Router(config-if)#frame-relay map ip 192.168.100.1 110 broadcast
Maps the remote IP address (192.168.100.1) to the local DLCI number (110). The optional broadcast keyword specifies that broadcasts across IP should be forwarded to this address. This is necessary when using dynamic routing protocols.

Router(config-if)#no frame-relay inverse-arp
Turns off Inverse ARP.

Router#show frame-relay map
Displays IP/DLCI map entries

Router#show frame-relay pvc
Displays the status of all PVCs configured

Router#show frame-relay lmi
Displays LMI statistics

Router#clear frame-relay counters
Clears and resets all Frame Relay counters

Router#clear frame-relay-inarp
Clears all Inverse ARP entries from the map table

Router#debug frame-relay lmi
Used to help determine whether a router and Frame Relay switch are exchanging LMI packets properly

Basic Concept of Frame Relay

Frame Relay is a scalable WAN solution that is often used as an alternative to leased lines when leased lines prove unaffordable. With Frame Relay, you can have a single serial interface on a router connecting into multiple remote sites through virtual circuits.
[Figure: basic concept of Frame Relay]
From an exam perspective, you should be familiar with the following terms.

Virtual Circuits (VCs)

A VC is a logical connection between two devices; therefore, many of these VCs can exist on the same physical connection. The advantage that VCs have over leased lines is that they can provide full connectivity at a much lower price. VCs are also full-duplex: you can simultaneously send and receive on the same VC.
There are two types of VCs: permanent VCs (PVCs) and switched or semipermanent VCs (SVCs).
A PVC is similar to a leased line: it is configured up front by the carrier and remains up as long as there is a physical circuit path from the source to the destination.
SVCs are similar to telephone circuit-switched connections: whenever you need to send data to a connection, an SVC is dynamically built and then torn down once your data has been sent.
A disadvantage of PVCs is that they require a lot of manual configuration up front to establish the VC. Another disadvantage is that they aren't very flexible: if the PVC fails, there is no dynamic rebuilding of the PVC around the failure.

LMI

Three different standards are defined for LMI:
  1. ANSI's Annex D standard, T1.617
  2. ITU-T's Q.933 Annex A standard
  3. The Gang of Four
Because LMI is locally significant, each Frame Relay DTE in your network does not have to use the same LMI type. The main function of LMI is to allow the Frame Relay DTE and DCE to exchange status information about the VCs and themselves. Cisco has default timers for its status enquiry and full status update messages. Status enquiry messages are sent every ten seconds, by default. Every sixth message is a full status update message.
The three possible states that your PVC can be in are
  • Active— Active is good. Active means that everything is up and operational.
  • Inactive— Inactive is bad. Inactive means that you are connected to your Frame Relay provider, but there is a problem with the far-end connection. The problem is most likely between the far-end router and its connection to the Frame Relay provider. You should contact your provider to troubleshoot the issue.
  • Deleted— Deleted is also bad. Deleted means that there is a problem between your router and the Frame Relay provider's equipment. You should contact your provider to troubleshoot this issue.

DLCI

Each VC has a unique local address, called a data-link connection identifier (DLCI), which identifies the circuit. DLCIs are assigned by your provider and are used between your router and the Frame Relay provider. In other words, DLCIs are locally significant: as a VC traverses various segments in a WAN, the DLCI numbers can be different for each segment. The carrier’s switches take care of mapping DLCI numbers for a VC between DTEs and DCEs.

Nonbroadcast Multiaccess

Nonbroadcast multiaccess (NBMA) is a term used to describe WAN networks that use VCs for connectivity. Frame Relay is an NBMA medium, which means that broadcast traffic is not allowed to traverse the Frame Relay network.

Split Horizon Issues

The main problem of NBMA environments arises when the network is partially meshed for a subnet. This can create problems with routing protocols that support split horizon.

Solutions to Split Horizon Problems

Given the preceding problem with routing protocols that use split horizon, there are solutions that you can use to overcome this issue:
  • Use static routes instead of dynamic routing protocols. This is not a scalable solution.
  • Disable split horizon with the no ip split-horizon command. This could create a loop if you are not careful.
  • Have a fully meshed topology where every router has a PVC to every other router. This can get expensive.
  • Use subinterfaces. This is your best option.

Subinterfaces

A subinterface is a subset of an existing physical interface. As far as the router is concerned, the subinterface is a separate interface. By creating subinterfaces, each circuit can be on its own subnet. There are two types of subinterfaces:
  • Point-to-point— This maps a single IP subnet to a single subinterface and DLCI.
  • Multipoint— This maps a single IP subnet to multiple DLCIs on a subinterface.
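
The split-horizon rule from the sections above, applied to this page's hub-and-spoke lab, as an added example that is not part of the original post. It assumes a distance-vector routing protocol in place of the lab's static routes; the function names and the hub LAN prefix are assumptions, while the DLCIs and spoke prefixes come from the R1 configuration.

```python
HUB_LAN = "192.168.1.32/27"   # assumed: the page does not state R1's LAN prefix
SPOKE_LANS = {                # DLCI on R1 -> spoke LAN, from R1's static routes
    102: "192.168.1.64/27",   # R2
    103: "192.168.1.96/27",   # R3
    104: "192.168.1.128/27",  # R4
}


def hub_routes(use_subinterfaces):
    """Hub routing table as {prefix: interface the route was learned on}.

    Without subinterfaces every spoke is reached through the one physical
    interface; with point-to-point subinterfaces each PVC is its own interface.
    """
    table = {HUB_LAN: "FastEthernet0/0"}
    for dlci, prefix in SPOKE_LANS.items():
        table[prefix] = "Serial0/0/0.%d" % dlci if use_subinterfaces else "Serial0/0/0"
    return table


def advertise(table, out_iface, split_horizon=True):
    """Prefixes the hub puts in a routing update sent out of out_iface.

    Split horizon: a route is never advertised out of the interface on
    which it was learned.
    """
    return sorted(prefix for prefix, learned_on in table.items()
                  if not (split_horizon and learned_on == out_iface))


def learned_by_spoke(dlci, use_subinterfaces, split_horizon=True):
    """What the spoke behind the given DLCI hears from the hub."""
    out_iface = "Serial0/0/0.%d" % dlci if use_subinterfaces else "Serial0/0/0"
    return advertise(hub_routes(use_subinterfaces), out_iface, split_horizon)


if __name__ == "__main__":
    print("physical interface:  ", learned_by_spoke(102, use_subinterfaces=False))
    print("subinterfaces:       ", learned_by_spoke(102, use_subinterfaces=True))
    print("split horizon off:   ", learned_by_spoke(102, False, split_horizon=False))
```

On the single physical interface R2 hears only the hub LAN; with subinterfaces it also hears the R3 and R4 LANs; with split horizon disabled it is additionally told its own LAN back, which is where the loop risk comes from.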

Inverse-Arp

Frame Relay needs a mechanism to map Layer 3 addresses to Layer 2 Frame Relay DLCIs. This can be done through a static map command (shown later in the configuration section) or through inverse-arp. Just like Ethernet ARP, inverse-arp is used to map a Layer 3 address to a Layer 2 address. However, Ethernet ARP maps an IP address to a MAC address and inverse-arp works to map an IP address (or other protocol) to a DLCI.

FECN (Forward explicit congestion notification)

This value in the Frame Relay frame header is set by the carrier switch (typically) to indicate congestion inside the carrier network to the destination device at the end of the VC; the carrier may be doing this to your traffic as it is on its way to its destination.

BECN (backward explicit congestion notification)

This value is set by the destination DTE (Frame Relay device) in the header of the Frame Relay frame to indicate congestion (from the source to the destination) to the source of the Frame Relay frames (the source DTE, the router). Sometimes the carrier switches can generate BECN frames in the backward direction to the source to speed up the congestion notification process. The source can then adapt its rate on the VC appropriately.

Access rate

This is the speed of the physical connection (such as a T1) between your router and the Frame Relay switch.

CIR (committed information rate)

This is the average data rate, measured over a fixed period of time, that the carrier guarantees for a VC.

BC (committed burst rate)

This is the average data rate (over a period of a smaller fixed time than CIR) that a provider guarantees for a VC; in other words, it implies a smaller time period but a higher average than the CIR to allow for small bursts in traffic.

BE (excessive burst rate)

This is the fastest data rate at which the provider will ever service the VC. Some carriers allow you to set this value to match the access rate.

DE (discard eligibility)

This is used to mark a frame as low priority. You can do this manually, or the carrier will do this for a frame that is nonconforming to your traffic contract (exceeding CIR/BC values).
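
The DLCI, FECN, BECN and DE values described above all sit in the two-byte address field at the start of each Frame Relay frame. The decoder below is an added example, not part of the original post; the bit layout is the standard two-byte address format (which the page does not spell out), and the function names and sample headers are constructed.

```python
from collections import defaultdict


def parse_fr_address(header):
    """Decode the default two-byte Frame Relay address field.

    Byte 1: DLCI high 6 bits | C/R | EA=0
    Byte 2: DLCI low 4 bits  | FECN | BECN | DE | EA=1
    """
    if len(header) < 2:
        raise ValueError("need at least two bytes")
    b1, b2 = header[0], header[1]
    if b1 & 0x01 or not b2 & 0x01:
        raise ValueError("EA bits do not describe a two-byte address field")
    return {
        "dlci": ((b1 >> 2) << 4) | (b2 >> 4),
        "cr": bool(b1 & 0x02),
        "fecn": bool(b2 & 0x08),    # congestion in the direction of this frame
        "becn": bool(b2 & 0x04),    # congestion in the opposite direction
        "de": bool(b2 & 0x02),      # frame may be dropped first
    }


def build_fr_address(dlci, fecn=False, becn=False, de=False):
    """Encode a two-byte address field (C/R left at 0)."""
    if not 0 <= dlci <= 1023:
        raise ValueError("a two-byte address carries a 10-bit DLCI")
    b1 = (dlci >> 4) << 2
    b2 = ((dlci & 0x0F) << 4) | (int(fecn) << 3) | (int(becn) << 2) | (int(de) << 1) | 1
    return bytes([b1, b2])


def congestion_by_dlci(headers):
    """Count frames and FECN/BECN/DE marks per DLCI over captured headers."""
    stats = defaultdict(lambda: {"frames": 0, "fecn": 0, "becn": 0, "de": 0})
    for header in headers:
        fields = parse_fr_address(header)
        row = stats[fields["dlci"]]
        row["frames"] += 1
        for flag in ("fecn", "becn", "de"):
            row[flag] += fields[flag]
    return dict(stats)


# Constructed sample: address fields of four frames on DLCIs 102 and 103.
SAMPLE_HEADERS = [
    bytes.fromhex("1861"),   # DLCI 102, no marks
    bytes.fromhex("186b"),   # DLCI 102, FECN + DE
    bytes.fromhex("1875"),   # DLCI 103, BECN
    bytes.fromhex("1871"),   # DLCI 103, no marks
]

if __name__ == "__main__":
    for dlci, row in sorted(congestion_by_dlci(SAMPLE_HEADERS).items()):
        print(dlci, row)
```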

Oversubscription

When you add up all of the CIRs of your VCs on an interface, they exceed the access rate of the interface: you are betting that all of your VCs will not run, simultaneously, at their traffic-contracted rates.