Wednesday 26 June 2013

How to configure NAT

How to configure NAT

Configuration of static NAT is very straight forward. In this example we have a web server connected with Router 1. Our web server is using the IP address 10.0.0.2. But due to various reasons discussed in previous article our company want to use 50.0.0.1 IP address for this server. Now our task is to configure NAT on Router 1 which translate 10.0.0.2 [ inside local web server address] to 50.0.0.1 [ inside global ip address ].

To configure static NAT follow this step by step guide

Either download this pre configured topology or create your own topology as shown in this figure

Static Nat
 
Configure ip address on PC and Server as given in figure

Now configure R1 exactly given here

Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 20.0.0.2 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 30.0.0.0 255.0.0.0 20.0.0.1
R1(config)#ip nat inside source static 10.0.0.2 50.0.0.1
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#

Now configure R0 exactly given here

Router>enable
Router#configure terminal
Router(config)#hostname R0
R0(config)#interface fastethernet 0/0
R0(config-if)#ip address 30.0.0.1 255.0.0.0
R0(config-if)#no shutdown
R0(config-if)#exit
R0(config)#interface serial 0/0/0
R0(config-if)#ip address 20.0.0.1 255.0.0.0
R0(config-if)#clock rate 64000
R0(config-if)#bandwidth 64
R0(config-if)#no shutdown
R0(config-if)#exit
R0(config)#ip route 50.0.0.0 255.0.0.0 20.0.0.2
R0(config)#
As you have seen in configuration there is not direct route for 10.0.0.2. So PC from network of 30.0.0.0 will never know about it. They will access 50.0.0.1 as the web server IP. To test it double click on any computer and ping from 50.0.0.1 and you will get replay.
Packet Tracer PC Command Line 1.0
PC>ping 50.0.0.1
Pinging 50.0.0.1 with 32 bytes of data:
Reply from 50.0.0.1: bytes=32 time=141ms TTL=126
Reply from 50.0.0.1: bytes=32 time=80ms TTL=126
Reply from 50.0.0.1: bytes=32 time=109ms TTL=126
Reply from 50.0.0.1: bytes=32 time=125ms TTL=126

Ping statistics for 50.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 80ms, Maximum = 141ms, Average = 113ms
Now ping from 10.0.0.2 and you will get destination host unreachable error.
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.

Ping statistics for 10.0.0.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
This demonstration show how the companies use NAT to hide their internal network from the outside of the world. Now open web browser from any PC in 30.0.0.0 network and brows the 50.0.0.1 site
Static Nat web responce
As you can see in image you can easily access the 50.0.0.1
I have uploaded a configured and tested topology in case you are unable to locate the problem spot then download this configuration file. And try to find out where have you committed mistake

Step by Step Configuration of Dynamic NAT

With dynamic NAT, you must manually define two sets of addresses on your address translation device. One set defines which inside addresses are allowed to be translated (the local addresses), and the other defines what these addresses are to be translated to (the global addresses).
For practice either download this pre created topology or create your own on packet tracer.
In this example our internal network is using 192.168.0.0 network. We have five public ip address 50.0.0.1 to 50.0.0.5 to use.Router1(1841 Router0) is going to be NAT device. Double click on Router1(1841 Router0) and configure it as given below
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.0.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 30.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
R1(config)#ip nat pool test 50.0.0.1 50.0.0.5 netmask 255.0.0.0
R1(config)#ip nat inside source list 1 pool test
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#exit
Now double click on R2(1841 Router1) and configure it as given below
Router>enable
Router#configure terminal
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 20.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 30.0.0.2 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
Router(config)#hostname R2
For testing of NAT go R1 and enable debug for NAT from privilege mode
 R1#debug ip nat 
Now go on pc and ping to 20.0.0.2
dayanmic NAT
When ICMP ping packet reach to R1. It examines its source address against the access list 1. As this packet is generated form the network of 192.168.0.0 so it will pass the access list. Now router will check NAT pools for free address to translate with this address. Which you can check in the output of debag command in R1
IP NAT debugging is on
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
As you can see in output 192.168.0.5 is translate with 50.0.0.1 before leaving the router.
Now check for web access from any client pc
In real life its best practices to turn off debug after testing so go on Router 1 and turn off debug mode.
 R1#no debug ip nat IP NAT debugging is off R1# 
I have uploaded a configured and tested topology in case you are unable to locate the problem spot then download this configuration file. And try to find out where have you committed mistake

Step by Step Configuration of PAT

In dynamics Nat translations is made IP to IP. so you need as much global IP address as you have inside local address. That's an issue if you have few global IP address and hundred of inside local address to translate. In such a situation you need to use PAT.
For demonstration we are going to configure the same topology which we used in dynamic NAT but this time we are using only one global IP address 50.0.0.1
Download this Pre created topology
daynamic NAT
IP address of PC are already configured double click on R1 and configured it as given here
Now configure to R2 as given below
Router>enable
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 30.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
R1(config)#ip nat pool test 50.0.0.1 50.0.0.1 netmask 255.0.0.0
R1(config)#ip nat inside source list 1 pool test overload
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#
Now configure to R2 as given below
Router>enable
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 30.0.0.2 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 20.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#hostname R2
R2(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
Now go on pc and ping to 20.0.0.2 
dayanmic NAT
To verify PAT go on R1 and run show ip nat translations
R1#show ip nat translations
Pro  Inside global     Inside local       Outside local      Outside global
icmp 50.0.0.1:1        192.168.0.7:1      20.0.0.2:1         20.0.0.2:1
icmp 50.0.0.1:2        192.168.0.7:2      20.0.0.2:2         20.0.0.2:2
icmp 50.0.0.1:3        192.168.0.7:3      20.0.0.2:3         20.0.0.2:3
icmp 50.0.0.1:4        192.168.0.7:4      20.0.0.2:4         20.0.0.2:4
As you can see this time address translation is done with port address instead of IP
I have uploaded a configured and tested topology in case you are unable to locate the problem spot then download this configuration file. And try to find out where have you committed mistake

NAT Network address Translation Static and Dynamic

NAT Network address Translation Static and Dynamic

When communicating to devices in a public network, your device needs to use a source address that is a public address. NAT device enables private IPv4 to connect to the Internet. NAT enable you to change an IP address in a packet to a different address. Usually, NAT connects two networks and translates the private (inside local) addresses into public addresses (inside global) before packets are forwarded to another network. In other word Address translation allows you to translate your internal private addresses to public addresses before these packets leave your network.

Situation where you should use NAT

  • Your ISP did not provide you sufficient public IP address
  • Your company is going to merge in a company which use same address space
  • Where you want to hide your internal IP address space from outside
  • You want to assign the same IP address to multiple machines

There are three types of NAT

  • Static
  • Dynamic
  • PAT

STATIC NAT

In static NAT manual translation is performed by an address translation device, translating one IP address to a different one. If you have 100 devices, you need to create 100 static entries in the address translation table. Typically, static translation is done for inside resources that outside people want to access.

Dynamic NAT

Dynamic NAT is mostly used when inside users needs to access outside resources. The global address assigned to the internal user isn't important, since outside devices don't directly connect to your internal users they just return traffic to them that the inside user requested.
Dynamic NAT is used when inside use wants to access external resource. When an inside user sends traffic through the address translation device, say a router, it examines the source IP address and compares it to the internal local address pool. If it finds a match, then it determines which inside global address pool it should use for the translation. It then dynamically picks an address in the global address pool that is not currently assigned to an inside device. The router adds this entry in its address translation table, the packet is translated, and the packet is then sent to the outside world. If no matching entry is found in the local address pool, the address is not translated and is forwarded to the outside world in its original state.
When returning traffic comes back into your network, the address translation device examines the destination IP addresses and checks them against the address translation table. Upon finding a matching entry, it converts the global inside address to the local inside address in the destination IP address field of the packet header and forwards the packet to the inside network

PAT

With PAT, all devices that go through the address translation device have the same global IP address assigned to them, so the source TCP or UDP port numbers are used to differentiate the different connections. If two devices have the same source port number, the translation device changes one of them to ensure uniqueness.
Major difference between NAT and PAT is In NAT Only IP addresses are translated (not port numbers).

Disadvantages of Address Translation

Three main disadvantage with address translation are:
  • Each connection has an added delay.
  • Troubleshooting is more difficult.
  • Not all applications work with address translation.

Address Translation Terms and Types

TermExplanation
Inside
Addresses located on the inside of your network
Outside
Addresses located outside of your network
Local
The IP address physically assigned to a device
Global
The public IP address physically or logically assigned to a device
Inside local IP address
The IPv4 address that is assigned to a host on the inside network
Inside global IP address
A legitimate IPv4 address assigned by the ISP that represents one or more inside local IPv4 addresses to the outside world
Outside global IP address
An outside device with a registered public IP address
Outside local IP address
An outside device with an assigned private IP address
Static NAT
A manual address translation is performed between two addresses and possibly port numbers.
Dynamic NAT
An address translation device automatically performs address translation between two addresses and possibly port numbers.
Port Address Translation (PAT)
Many inside IP addresses are translated to a single IP address, where each inside address is given a different TCP or UDP port number for uniqueness.

How to configure Frame Relay

How to configure Frame Relay

Configuring Frame Relay involves the following steps:

Change the encapsulation

Go in interface mode and select the Frame Relay encapsulation on the interface. There are two types of Frame Relay encapsulations: Cisco and IETF. Cisco is the default. Syntax to set your encapsulation is
 encapsulation frame-relay [ietf] 

Configure LMI type

The three LMI types are Cisco, Ansi, and Q933a. For IOS 11.2 and higher, the LMI type is automatically detected
 frame-relay lmi-type [cisco | ansi | 933a] 

Configure Frame Relay map

configuring a static Frame Relay map, is optional unless you are using subinterfaces. The Frame Relay map will map a Layer 3 address to a local DLCI. This step is optional because inverse-arp will automatically perform this map for you. The syntax for a Frame Relay map is as follows:
frame-relay map protocol address dlci [broadcast] [cisco | ietf]

Configure subinterfaces

If you are using a routing protocol in a hub-and-spoke topology, you will probably want to use subinterfaces to avoid the split-horizon problem. To configure a subinterface, remove the IP address off the main interface and put it under the subinterface. Configuring a subinterface involves assigning it a number and specifying the type. The following command creates point-to-point subinterface serial0/0.1
 Router(config)#interface serial0/0.1 point-to-point 
To create a multipoint subinterface, enter multipoint instead:
 Router(config)#interface serial0/0.1 multipoint 

Assign IP address to subinterface

After entering one of these commands you will be taken to the subinterface configuration mode where you can enter your IP address:
Router(config-subif)#ip address 10.0.0.2 255.0.0.0 
If you are using a multipoint subinterface, you will need to configure frame-relay maps and you cannot rely on inverse-arp.
If you are using a point-to-point subinterface, you will need to assign a DLCI to the subinterface. This is only for point-to-point subinterfaces; this is not needed on the main interface or on multipoint subinterfaces. To assign a DLCI to a point-to-point subinterface, enter the following command under the subinterface:
 frame-relay interface-dlci dlci 

Configuration of Frame Relay

Lets practically implement whatever you learn so far. Download this pre configured topology and load it in packet tracer.
Now first configure R1. Fast Ethernet port and hostname is already configured. Double click on R1 and configure serial port for frame relay encapsulation and further create sub interface for connecting R2, R3, R4. Configure also static route for connecting remaining network.

Configure R1

R1>enable
R1#configure terminal
R1(config)#interface serial 0/0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config-subif)#interface serial 0/0/0.102 point-to-point
R1(config-subif)#ip address 192.168.1.245 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 102
R1(config-subif)#exit
R1(config)#interface serial 0/0/0.103 point-to-point
R1(config-subif)#ip address 192.168.1.249 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 103
R1(config-subif)#exit
R1(config)#interface serial 0/0/0.104 point-to-point
R1(config-subif)#ip address 192.168.1.253 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 104
R1(config-subif)#exit
R1(config)#ip route 192.168.1.64 255.255.255.224 192.168.1.246
R1(config)#ip route 192.168.1.96 255.255.255.224 192.168.1.250
R1(config)#ip route 192.168.1.128 255.255.255.224 192.168.1.254
R1(config)#exit

configure R2

R2>enable
R2#configure terminal
R2(config)#interface serial 0/0/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 0/0/0.101 point-to-point
R2(config-subif)#ip address 192.168.1.246 255.255.255.252
R2(config-subif)#frame-relay interface-dlci 101
R2(config-subif)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.245

configure R3

R3>enable
R3#configure terminal
R3(config)#interface serial 0/0/0
R3(config-if)#encapsulation frame-relay
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface serial 0/0/0.101 point-to-point
R3(config-subif)#ip address 192.168.1.250 255.255.255.252
R3(config-subif)#frame-relay interface-dlci 101
R3(config-subif)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.249
R3(config)#

configure R4

R4>enable
R4#configure terminal
R4(config)#interface serial 0/0/0
R4(config-if)#encapsulation frame-relay
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#interface serial 0/0/0.101 point-to-point
R4(config-subif)#ip address 192.168.1.254 255.255.255.252
R4(config-subif)#frame-relay interface-dlci 101
R4(config-subif)#exit
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.253
R4(config)#
now verify by doing ping from pc0 to all pc. It should be ping successfully. I have uploaded a configured topology but use it as the final resort first try yourself to configure it.
Router(config)#interface serial 0/0/0
Enter in interface mode
Router(config-if)#encapsulation frame-relay
Turns on Frame Relay encapsulation with the default encapsulation type of cisco
Router(config-if)#frame-relay lmitype {ansi | cisco | q933a}
Depending on the option you select, this command sets the LMI type to the ANSI standard, the Cisco standard, or the ITU-T Q.933 Annex A standard.
Router(config-if)#frame-relay interface-dlci 110
Sets the DLCI number of 110 on the local interface and enters Frame Relay DLCI configuration mode
Router(config-fr-dlci)#exit
Returns to interface configuration mode
Router(config-if)#frame-relay map ip 192.168.100.1 110 broadcast
Maps the remote IP address (192.168.100.1) to the local DLCI number (110). The optional broadcast keyword specifies that broadcasts across IP should be forwarded to this address. This is necessary when using dynamic routing protocols.
Router(config-if)#no frame-relay inverse arp
Turns off Inverse ARP.
Router#show frame-relay map
Displays IP/DLCI map entries
Router#show frame-relay pvc
Displays the status of all PVCs configured
Router#show frame-relay lmi
Displays LMI statistics
Router#clear frame-relay counters
Clears and resets all Frame Relay counters
Router#clear frame-relay inarp
Clears all Inverse ARP entries from the map table
Router#debug frame-relay lmi
Used to help determine whether a router and Frame Relay switch are exchanging LMI packets properly

Basic Concept of Frame Relay

Basic Concept of Frame Relay

Frame Relay is a scalable WAN solution that is often used as an alternative to leased lines when leased lines prove to be cost unaffordable. With Frame Relay, you can have a single serial interface on a router connecting into multiple remote sites through virtual circuits.
Basic concept of Frame Relay
For exam prospective You should be familiar with terms

Virtual Circuits (VCs)

A VC is a logical connection between two devices; therefore, many of these VCs can exist on the same physical connection. The advantage that VCs have over leased lines is that they can provide full connectivity at a much lower price. VCs are also full-duplex: you can simultaneously send and receive on the same VC.
There are two types of VCs: permanent VCs (PVCs) and switched or semipermanent VCs (SVCs).
PVC is similar to a leased line: it is configured up front by the carrier and remains up as long as there is a physical circuit path from the source to the destination.
SVC are similar to telephone circuit-switched connections: whenever you need to send data to a connection, an SVC is dynamically built and then torn down once your data has been sent.
Disadvantage of PVCs is that they require a lot of manual configuration up front to establish the VC. Another disadvantage is that they aren't very flexible: if the PVC fails, there is no dynamic rebuilding of the PVC around the failure.

LMI

Three different standards are defined for LMI:-
  1. ANSI's Annex D standard, T1.617
  2. ITU-T's Q.933 Annex A standard
  3. The Gang of Four
Because LMI is locally significant, each Frame Relay DTE in your network does not have to use the same LMI type The main function of LMI is to allow the Frame Relay DTE and DCE to exchange status information about the VCs and themselves Cisco has default timers for their status enquiry and full status update messages. Status enquiry messages are sent every ten seconds, by default. Every sixth message is a full status update message.
The three possible states that your PVC can be in are
  • Active— Active is good. Active means that everything is up and operational.
  • Inactive— Inactive is bad. Inactive means that you are connected to your Frame Relay provider, but there is a problem with the far-end connection. The problem is most likely between the far-end router and its connection to the Frame Relay provider. You should contact your provider to troubleshoot the issue.
  • Deleted— Deleted is also bad. Deleted means that there is a problem between your router and the Frame Relay provider's equipment. You should contact your provider to troubleshoot this issue.

DLCI

Each VC has a unique local address, called a DLCI. Circuits are identified by data-link connection identifiers (DLCI). DLCIs are assigned by your provider and are used between your router and the Frame Relay provider. In other words, DLCIs are locally significant. This means that as a VC traverses various segments in a WAN, the DLCI numbers can be different for each segment. DLCIs are locally significant. The carrier’s switches take care of mapping DLCI numbers for a VC between DTEs and DCEs.

Nonbroadcast Multiaccess

Nonbroadcast multiaccess (NBMA) is a term used to describe WAN networks that use VCs for connectivity Frame Relay is a nonbroadcast multi-access (NBMA) medium, which means that broadcast traffic is not allowed to traverse Frame Relay traffic.

Split Horizon Issues

The main problem of NBMA environments arises when the network is partially meshed for a subnet. This can create problems with routing protocols that support split horizon.

Solutions to Split Horizon Problems

Given the preceding problem with routing protocols that use split horizon, there are solutions that you can use to overcome this issue:
  • Use static routes instead of dynamic routing protocols. This is not a scalable solution.
  • Disable split horizon with the no ip split-horizon command.This could create a loop, If you are not careful
  • Have a fully meshed topology where every router has a PVC to every other router. This can get expensive.
  • Use subinterfaces. This is your best option.

Subinterfaces

A subinterface is a subset of an existing physical interface. As far as the router is concerned, the subinterface is a separate interface. By creating subinterfaces, each circuit can be on its own subnet. There are two types of subinterfaces:
  • Point-to-point— This maps a single IP subnet to a single subinterface and DLCI.
  • Multipoint— This maps a single IP subnet to multiple DLCIs on a subinterface.

Inverse-Arp

Frame Relay needs a mechanism to map Layer 3 addresses withLayer 2 Frame Relay DLCIs. This can be done through a static map command (shown later in the configuration section) or through inverse-arp. Just like Ethernet ARP, inverse-arp is used to map a Layer 3 address to a Layer 2 address. However, Ethernet ARP maps an IP address to a MAC address and inverse-arp works to map an IP address (or other protocol) to a DLCI.

FECN (Forward explicit congestion notification)

This value in the Frame Relay frame header is set by the carrier switch (typically) to indicate congestion inside the carrier network to the destination device at the end of the VC; the carrier may be doing this to your traffic as it is on its way to its destination.

BECN (backward explicit congestion notification)

This value is set by the destination DTE (Frame Relay device) in the header of the Frame Relay frame to indicate congestion (from the source to the destination) to the source of the Frame Relay frames (the source DTE, the router). Sometimes the carrier switches can generate BECN frames in the backward direction to the source to speed up the congestion notification process. The source can then adapt its rate on the VC appropriately.

Access rate

This is the speed of the physical connection (such as a T1) between your router and the Frame Relay switch.

CIR (committed information rate)

This is the average data rate, measured over a fixed period of time, that the carrier guarantees for a VC.

BC (committed burst rate)

This is the average data rate (over a period of a smaller fixed time than CIR) that a provider guarantees for a VC; in other words, it implies a smaller time period but a higher average than the CIR to allow for small bursts in traffic.

BE (excessive burst rate)

This is the fastest data rate at which the provider will ever service the VC. Some carriers allow you to set this value to match the access rate.

DE (discard eligibility)

This is used to mark a frame as low priority. You can do this manually, or the carrier will do this for a frame that is nonconforming to your traffic contract (exceeding CIR/BC values).

Oversubscription

When you add up all of the CIRs of your VCs on an interface, they exceed the access rate of the interface: you are betting that all of your VCs will not run, simultaneously, at their traffic-contracted rates.

Configure WAN Protocol

How to configure HDLC and PPP step by step guide and example

In this article I will demonstrate how can you configure wan encapsulation protocols. HDLC is the default encapsulation for synchronous serial links on Cisco routers. You should only use the encapsulation hdlc command to return the link to its default state.
For practical example of HDLC PPP create a simple topology as shown in figure or download this pre configured topology and load it in packet tracer.
Double click on R1 and check the default encapsulation
Router>
Router#show interfaces serial 0/0/0
Serial0/0/0 is up, line protocol is up (connected)
Hardware is HD64570
Internet address is 20.0.0.1/8
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
    [output is omited]
As you can verify that default encapsulation on router is HDLC. A wan link work only when it detects same protocols on same sides. To check it change the default encapsulation to PPP.
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#encapsulation ppp
Router(config)#exit
Router#show interfaces serial 0/0/0
Serial0/0/0 is up, line protocol is down (disabled)
Hardware is HD64570
Internet address is 20.0.0.1/8
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
 [output is omited]
as you can see that line protocols is disable. To enable it set the encapsulation back to HDLC and restart the port with shut down command
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#encapsulation hdlc
Router(config-if)#shutdown
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#exit
Router#show interfaces serial 0/0/0
Serial0/0/0 is up, line protocol is up (connected)
Hardware is HD64570
Internet address is 20.0.0.1/8
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
    [output is omited]

Configuration of PPP

Now we will configure PPP encapsulations on both router. We will also authenticate it with CHAP. Hostname of Router are R1 and R2 and password is vinita.
Double Click on R1 and configure it
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#username R2 password vinita
R1(config)#interface serial 0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication chap
R1(config-if)#exit
R1(config)#
Now configure R2 for PPP
Router>enable
Router#configure terminal
Router(config)#hostname R2
R2(config)#username R1 password vinita
R2(config)#interface serial 0/0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication chap
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0,
changed state to up
R2(config)#

HDLC PPP command reference sheet

Router(config)#interface serial 0/0/0
Moves to interface configuration mode
Router(config-if)#encapsulation hdlc
Sets the encapsulation mode for this interface to HDLC
Router(config)#interface serial 0/0/0
Moves to interface configuration mode
Router(config-if)#encapsulation ppp
Changes encapsulation from default HDLC to PPP
Router(config)#username R1 password vinita
Sets a username of R1 and a password of vinita for authentication from the other side of the PPP serial link. This is used by the local router to authenticate the PPP peer
Router(config)#interface serial 0/0/0
Moves to interface configuration mode.
Router(config-if)#ppp authentication pap
Turns on Password Authentication Protocol (PAP) authentication only
Router(config-if)#ppp authentication chap
Turns on Challenge Handshake Authentication Protocol (CHAP) authentication only.
Router(config-if)#ppp authentication pap chap
Defines that the link will use PAP authentication, but will try CHAP if PAP fails or is rejected by other side.
Router(config-if)#ppp authentication chap pap
Defines that the link will use CHAP authentication, but will try PAP if CHAP fails or is rejected by other side.
Router(config-if)#ppp pap sentusername R1 password vinita
This command must be set if using PAP in Cisco IOS Software Release 11.1 or later
Router#show interfaces serial x
Lists information for serial interface x
Router#show controllers serial x
Tells you what type of cable (DCE/DTE) is plugged into your interface and whether a clock rate has been set
Router#debug serial interface
Displays whether serial keepalive counters are incrementing
Router#debug ppp
Displays any traffic related to PPP
Router#debug ppp packet
Displays PPP packets that are being sent and received
Router#debug ppp negotiation
Displays PPP packets related to the negotiation of the PPP link