FRAME RELAY

Frame Relay is a high-performance wide-area network (WAN) protocol that operates at the physical and data link layers of the Open System Interconnection (OSI) reference model.

Frame Relay was originally designed for use across Integrated Services Digital Network (ISDN) interfaces. Today, it is used over a variety of other network interfaces as well.

Frame Relay Features :

Frames Relay provides a data communications interface between user devices and network devices. This interface forms the basis for communication between user devices across a WAN.

Typical communication speeds for Frame Relay are between 56 Kbps and 2 Mbps (although lower and higher speeds are supported).

Frame Relay is considerably more efficient than X.25, the protocol for which it is often considered a replacement. Because it supports technological advances such as fibre-optic cabling and digital transmission, Frame Relay can eliminate time-consuming processes (such as error correction and flow control) that are necessary when using older, less reliable WAN media and protocols.

Frame Relay Standardisation

Internationally, Frame Relay was standardised by the International Telecommunications Union - Telecommunications Sector (ITU-T). In the United States, Frame Relay is an American National Standards Institute (ANSI) standard.

The Local Management Interface (LMI) specification, developed in 1990, further extends the functionality of Frame Relay.

Frame Relay Devices

Devices attached to a Frame Relay WAN fall into two general categories:
Data terminal equipment (DTE) -- DTE are customer-owned end node and internetworking devices. Examples of DTE devices are terminals, personal computers, routers, and bridges.

Data circuit-terminating equipment (DCE) -- DCE are carrier-owned internetworking devices. In most cases, these are packet switches (although routers or other devices can be configured as DCE as well).
DTE and DCE devices are logical entities. That is, DTE devices initiate a communications exchange, and DCE devices respond.

The following figure shows the relationship between the two categories of devices:



Frame Relay Virtual Circuits

Frame Relay provides connection-oriented data link layer communication. This service is implemented using virtual circuits.

A Frame Relay virtual circuit is a logical connection created between two data terminal equipment (DTE) devices across a Frame Relay packet-switched network (PSN).
Virtual circuits provide a bi-directional communications path from one DTE device to another. They are uniquely identified by a data link connection identifier (DLCI).
A virtual circuit can pass through any number of intermediate data circuit-terminating equipment (DCE) devices (switches) located within the Frame Relay PSN. A number of virtual circuits can be multiplexed into a single physical circuit for transmission across the network.

Frame Relay virtual circuits fall into two categories:
• Switched virtual circuit (SVC)
• Permanent virtual circuit (PVC)

Frame Relay Switched Virtual Circuits (SVCs)
A switched virtual circuit (SVC) is one of the two types of virtual circuits used in Frame Relay implementations. SVCs are temporary connections that are used when there is only sporadic data transfer between DTE devices across the Frame Relay network.
A communication session across an SVC consists of four operational states:
Call setup -- In this state, the virtual circuit between two Frame Relay DTE devices are established.
Data transfer -- In this state, data is being transmitted between the DTE devices over the virtual circuit.
Idle -- In this state, the connection between DTE devices is still active, but no data is being transferred.
Call termination -- In this state, the virtual circuit between DTE devices is terminated.
After the virtual circuit is terminated, the DTE devices must establish a new SVC if there is additional data to be exchanged.

Frame Relay Permanent Virtual Circuits (PVCs)

A permanent virtual circuit (PVC) is one of two types of virtual circuits used in Frame Relay implementations. PVCs are permanently established connections that are used when there is frequent and consistent data transfer between DTE devices across the Frame Relay network.

Communication across a PVC does not require the call setup and termination states that are used with SVCs.
PVCs are always in one of the following two operational states:

Data transfer -- In this state, data is being transmitted between the DTE devices over the virtual circuit.
Idle -- In this state, the connection between DTE devices is active, but no data is being transferred.
DTE devices can begin transferring data whenever they are ready because the circuit is permanently established.

Frame Relay Data Link Connection Identifier (DLCI)

Frame Relay virtual circuits are identified by data link connection identifiers (DLCIs). DLCI values are typically assigned by the Frame Relay service provider (for example, the Telephone Company).

Frame Relay DLCIs have local significance. That is, the values themselves are not unique in the Frame Relay WAN. Two DTE devices connected by a virtual circuit might use a different DLCI value to refer to the same connection.

The following figure shows how a single virtual circuit might be assigned a different DLCI value on each end of the connection:


Access Control Lists (ACLs)

Access Control Lists (ACLs)
Access Control List (ACL) are filters that enable you to control which routing updates or packets are permitted or denied in or out of a network. They are specifically used by network administrators to filter traffic and to provide extra security for their networks. This can be applied on routers (Cisco).

ACLs provide a powerful way to control traffic into and out of your network; this control can be as simple as permitting or denying network hosts or addresses. You can configure ACLs for all routed network protocols.
The most important reason to configure ACLs is to provide security for your network. However, ACLs can also be configured to control network traffic based on the TCP port being used.
How ACLs work

A router acts as a packet filter when it forwards or denies packets according to filtering rules. As a Layer 3 device, a packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet. These rules are defined using access control lists or ACLs.
To simplify how ACL or a router uses packet filtering work, imagine a guard stationed at a locked door. The guard's instruction is to allow only people whose names appear on a quest list to pass through the door. The guard is filtering people based on the condition of having their names on the authorized list.



When a packet arrives at the router, the router extracts certain information from the packet header and makes decisions according to the filter rules as to whether the packet can pass through or be dropped. Packet filtering process works at the Network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.
Why use ACLs

* Limits network traffic to increase network performance.
* ACLs provides traffic flow control by restricting the delivery of routing updates.
* It can be used as additional security.
* Controls which type of traffic are forwarded or blocked by the router.
* Ability to control which areas a client access.

Types of Access Control Lists



Standard access-list
Standard access lists create filters based on source addresses and are used for server based filtering. Address based access lists distinguish routes on a network you want to control by using network address number (IP). Address-based access lists consist of a list of addresses or address ranges and a statement as to whether access to or from that address is permitted or denied.


Example of the command syntax for configuring a standard numbered IP ACL:
R1(config)# access-list {1-99} {permit | deny} source-addr [source-wildcard]


i. The first value {1-99} specifies the standard ACL number range.

ii. The second value specifies whether to permit or deny the configured source IP address traffic.

iii. The third value is the source IP address that must be matched.

iv. The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range.


Extended access lists
Extended access lists create filters based on source addresses, destination addresses, protocol, port number and other features and are used for packet based filtering for packets that traverse the network.

Example of the command syntax for configuring an extended numbered IP ACL:
Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]


i. Like the standard ACLs, the first value {100-199 or 2000 - 2699} specifies the ACL number range.

ii. The next value specifies whether to permit or deny according to the criteria that follows.

iii. The third value specifies protocol type ( IP, TCP, UDP, or other specific IP sub-protocols). The source IP address and wildcard mask determine traffic source. The destination IP address and its wildcard mask are used to indicate the final destination of the network traffic. When the destination IP address and mask are configured, the port number must be specified to match, either by number or by a well-known port name, otherwise all traffic to that destination will be dropped.


Standard and Extended access lists can be applied base on the use of ip access-list command.

Access lists use the deny or permit statement to define which packet is allowed or denied entry into a server or network.
Masks

Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied. Masks in order to configure IP addresses on interfaces start with 255 and have the large values on the left side, for example, IP address 172.16.2.14 with a 255.255.255.0 mask. Masks for IP ACLs are the reverse, for example, mask 0.0.0.255. This is sometimes called an inverse mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the results determine which address bits are to be considered in processing the traffic. A 0 indicates that the address bits must be considered (exact match); a 1 in the mask is a "no".

Note these ACL equivalents.

· The source/source-wildcard of 0.0.0.0/255.255.255.255 means "any".

· The source/wildcard of 10.1.1.2/0.0.0.0 is the same as "host 10.1.1.2".

If you subtract 255.255.255.0 (normal mask) from 255.255.255.255, it yields 0.0.0.255.
Wildcards

The command below defines an ACL that permits this network 192.168.1.0 0.0.0.255.

access-list acl_permit permit ip 192.168.1.0 0.0.0.255

Inbound traffic to the router is compared to access lists entries based on the order that the entries occur in the router. The router looks through the entries until it has a match. If the router found no match when it reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted. Single-entry access lists with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked.

Access lists implicitly deny all access that is not expressly permitted. The following line is auto-appended to all access-lists:

deny ip any any

If it is desirable to over-ride this implicit denial statement, enter a permit ip any any statement as the last entry in the access-list.

Inter VLAN Routing (part 1)

Network devices in different VLANs cannot communicate with one another without a router to route traffic between the VLANs. In most network environments, VLANs are associated with individual networks or subnetworks.

Configuring VLANs helps control the size of the broadcast domain and keeps local traffic local. However, when an end station in one VLAN needs to communicate with an end station in another VLAN, interVLAN communication is required. This communication is supported by interVLAN routing. You configure one or more routers to route traffic to the appropriate destination VLAN.



When Host A in VLAN 10 needs to communicate with Host B in VLAN 10, it sends a packet addressed to that host. Switch A forwards the packet directly to Host B, without sending it to the router.

When Host A sends a packet to Host C in VLAN 20, Switch A forwards the packet to the router, which receives the traffic on the VLAN 10 interface. The router checks the routing table, determines the correct outgoing interface, and forwards the packet out the VLAN 20 interface to Switch B. Switch B receives the packet and forwards it to Host C.