Posts Tagged ‘layer2’
Computing voice bandwidth is usually required for scenarios where you provision LLQ queue based on the number of calls and VoIP codec used. You need to account for codec rate, Layer 3 overhead (IP, RTP and UDP headers) and Layer 2 overhead (Frame-Relay, Ethernet, HDLC etc. headers). Accounting for Layer 2 overhead is important, since the LLQ policer takes this overhead in account when enforcing maximum rate.
As I am sure you have already seen from the blog on setting up the security device as a Layer 2 device, there are many interesting changes that occur on a PIX or ASA when configured for transparent operations. This blog highlights the major changes and guidelines that you should keep in mind when you opt for this special mode of operation.
- Number of interfaces – perhaps on of the biggest things you will want to keep in mind is the fact that you are going to be limited on the number of traffic forwarding interfaces you can use when in Layer 2 mode. When you switch to transparent mode, you are limited to the use of two traffic forwarding interfaces. On some ASA models, you may also use your dedicated management interface, but of course, the use of this port is limited for management traffic. Remember also, when in multiple context mode, you cannot share interfaces between contexts like you can when in routed mode.
- IP addressing – here is another major difference of course. In Layer 2 mode, you will assign a single IP address to the device in Global Configuration mode. This address is for remote management purposes and is required before the device will forward traffic. Once the address is assigned, all interfaces start “listening” on this address to ensure the device is responsive to its administrator. This global IP addressed assigned to the device must be in the same subnet that the forwarding interfaces are participating in. Remember, the transparent firewall is not adding a new network (subnet) to your topology.
- Default gateway – for traffic sourced from the security device itself, you can configure a default gateway on the transparent device. You can do this with the route 0 0 command.
- IPv6 support - the transparent firewall does not support IPv6.
- Non-IP traffic – you can pass non-IP traffic through the Layer 2 Mode device. Note that this is not possible on a security appliance in its default Layer 3 mode.
- More unsupported features – the Layer 2 mode device does not support – Quality of Service (QoS) or Network Address Translation (NAT).
- Multicast – the transparent mode device does not offer multicast support, but you can configure Access Control Lists (ACLs) in order to pass multicast traffic through the device.
- Inspection – with the Layer 2 mode device you can inspect traffic at Layer 2 and above. With the classic routed mode configuration, you can only inspect at Layer 3 and above.
- VPN support – the transparent mode device does support a site to site VPN configuration, but only for its management traffic.
Can you please help me understand use of Frame-Relay Interface-dlci command. It’s getting mysterious for me day by day as I am studying FR. The reason being is I earlier thought that I should only use this command on FR point to point subinterface. As Point to Point subinterface don’t allow us to put Frame relay map statements. Also in such case Inverse arp should be turned off. But while I was going through Cisco’s FR documentation on website I saw that in almost all examples they used interface dlci command on interface not on sub interface and also without turning off inverse arp. So the question now is if inverse arp is turned on then as per my understanding we need not to put this command as it will discover dlci settings through lmi signals automatically.
Kindly explain Interface Dlci command to me…
When I saw this post, I got to thinking a little bit. Mostly about the fact that the interface-dlci appears to be a much more misunderstood command than I ever gave it credit for! (poor thing…)
The quick answer is that the “frame-relay inteface-dlci” command simply says “This DLCI goes here” to the router.
On a physical interface, this command is largely irrelevant (more in a minute) because ALL DLCIs are assigned to the physical interface by default. If you are ever interested, concerned or otherwise bored, just check out “show frame-relay pvc” and you will see where they are assigned.
So in the case of sub-interfaces, there is no automagical assignment of DLCI numbers. Even if your subinterface number and DLCI number are the same. That’s just a sign of being anal-retentive (or as we consultants call it, “good at documentation”) or a little OCD. But you can technically have DLCI 100 on subinterface Serial 0/0.223. Kinda strange, but perfectly workable!
So whenever you have a subinterface, you need to do SOMETHING to tell the router “this DLCI goes here”.
So now let’s look at the next portion: Mapping. Layer3 to Layer2 mapping in particular. We can learn about L3-L2 mapping via Inverse ARP. This is on by default, but frowned upon in the CCIE Realm! “Show frame-relay map” will let you know if you have learned any addresses dynamically or not.
So if we DID allow Inverse ARP, whether our subinterfaces were point-to-point or multipoint ones, we COULD just use the “frame-relay interface-dlci” command and nothing else. (Yes, I know inverse ARP requests are not sent by default on subinterfaces, but responses still are. Watch your debugs!)
So the Interface-DLCI command assigned the PVC to a subinterface. Inverse ARP then took care of the mapping. What if we aren’t allowed to use Inverse ARP? Like for the CCIE lab? Ok, what are our options? Well, the “frame-relay map” command is the most obvious and well known. That works very well. The “frame-relay map” command both assigned L3-L2 mapping AND says “this DLCI goes here” all in one command!
Unless of course you are on a point-to-point subinterface. As you pointed out, you can’t use the map command there! But that’s ok, it’s not needed anyway! Point-to-point links have a different way of thinking. They view the world as “If it’s not my address it must be yours” and sends things out.
So that covers our two primary issues with PVC operations in Frame Relay. #1 is assigning the DLCI to an interface (no magic). #2 is the L3-L2 mapping to make IP actually work!
The last part I want to add (re: my “more in a minute” above) was that the “frame-relay inteface-dlci” command also serves another purpose which sometimes gets confusing in terms of where we just got through with things!
So where we left things with “frame-relay interface-dlci” commands:
1. Definitely used on point-to-point subinterfaces
2. Can be used on multipoint subinterfaces if Inverse ARP works
3. Not used on physical interfaces because all DLCIs belong there by default.
Now, just to mess with that logic a bit. When studying frame-relay, and particularly by the time you get into QoS configurations you will become familiar with frame-relay map-classes. Map classes can be assigned to an interface or subinterface without any problem. When this occurs, the information in the map-class gets appled to EVERY DLCI on that interface or subinterface.
So what happens if you have different QoS parameters for different PVCs that just happen to be on the same interface/subinterface? Hmmmm… Well, in comes the “frame-relay inteface-dlci” command again! See, it really IS a cool command!
The “frame-relay map” command does not have any parameter for adding a map-class. After you hit enter on your “frame-relay interface-dlci” command though, you’ll get a new sub-command prompt. Try using “?” here. You’ll see that you have the opportunity to specify a separate map-class for each and every DLCI that you have.
So if you see “frame-relay interface-dlci” commands on a physical interface. Or if you see them AND a “frame-relay map” command under a multipoint subinterface, this is the reason why. If you use the “frame-relay inteface-dlci” command AND the “frame-relay map” command for the same PVC, you will need to make sure the “frame-relay map” command comes first. Otherwise the router will express its displeasure!
So there are some very simple, but also some very powerful things the little “frame-relay interface-dlci” command does. Hopefully that will help you take some of the mystery out of things!
Within the scope of Metro Ethernet services, it is often beneficial to provide customers “point-to-point” VLAN service, where VLAN (multipoint service in essence) is effectively set up to emulate ethernet “pseudowire”, by disabling MAC-address learning. The benefit comes from saving metro switches CAM tables address space, thus improving overall scalability (which is far from perfect with Ethernet). There is special command, mac address-table learning available on Cisco Metro swtiches (e.g. ME 3400) which allows to disable MAC-address learning per specific VLAN. However, many commonly used switches does not have this feature implemented. Still, there is a way to disable MAC-address learning on a group of ports, by using RSPAN VLAN feature. By it’s functional design, RSPAN VLAN does not learn MAC addresses. However, we are not allowed to assign this type of VLAN directy to switch access ports. Still, we may overcome this issue by configuring switchports as trunk with a single allowed VLAN (RSPAN VLAN) which is also configured as native:
vtp mode transparent ! vlan 555 remote-span ! interface range Fa 0/1 - 3 switchport trunk encapsulation dot1q switchport mode trunk switchport trunk allowed vlan 555 switchport trunk native vlan 555
This configuration is applicable to any switch that supports RSPAN functionality. Specifically, it was verified on Catalyst 3550 series.
Hello Brian,Can you explain how PPP over Frame Relay works? Also what are the advantages and disadvantages of using it over normal Frame Relay configuration?Thanks and regards,
Frame Relay does not natively support features such as authentication, link quality monitoring, and reliable transmission. Based on this it is sometimes advantageous to encapsulate an additional PPP header between the normal layer 2 Frame Relay encapsulation and the layer 3 protocol. By running PPP over Frame Relay (PPPoFR) we can then implement authentication of Frame Relay PVCs, or even bind multiple PVCs together using PPP Multilink.
PPPoFR is configure in Cisco IOS through the usage of a Virtual-Template interface. A Virtual-Template is a PPP encapsulated interface that is designed to spawn a “template” of configuration down to multiple member interfaces. The traditional usage of this interface has been on dial-in access servers, such as the AS5200, to support multiple PPP dialin clients terminating their connection on a single interface running IP.
The first step in configuring PPPoFR is to create the Virtual-Template interface. This interface is where all logical options, such as IP address and PPP authentication will be configured. The syntax is as follows:
interface Virtual-Template1 ip address 188.8.131.52 255.255.255.0 ppp chap hostname ROUTER6 ppp chap password 0 CISCO
Note the lack of the “encapsulation ppp” command on the Virtual-Template. This command is not needed as a Virtual-Template is always running PPP. This can be seen by looking at the “show interface virtual-template1” output in the IOS. Additionally in this particular case the remote end of this connection will be challenging the router to authenticate via PPP CHAP. The “ppp chap” subcommands have instructed the router to reply with the username ROUTER6 and an MD5 hash value of the PPP magic number and the password CISCO.
Our next step is to configure the physical Frame Relay interface, and to bind the Virtual-Template to the Frame Relay PVC. This is accomplished as follows:
interface Serial0/0 encapsulation frame-relay frame-relay interface-dlci 201 ppp Virtual-Template1
Note that the “no frame-relay inverse-arp” command is not used on this interface. Since our IP address is located on the Virtual-Template interface the Frame Relay process doesn’t actually see IP running over the link. Instead it simply sees a PPP header being encapsulated on the link, while the IPCP protocol of PPP takes care of all the IP negotiation for us. Note that the order that these steps are performed in is significant. If a Virtual-Template interface is applied to a Frame Relay PVC before it is actually created you may see difficulties with getting the link to become active.
Also when using a Virtual-Template interface it’s important to understand that a Virtual-Access “member” interface is cloned from the Virtual-Template interface when the PPP connection comes up. Therefore the Virtual-Template interface itself will always be in the down/down state. This can affect certain network designs such as using the backup interface command on a Virtual-Template. In our particular case we can see from the below output this effect:
R6#show ip interface brief | include 184.108.40.206 Virtual-Access1 220.127.116.11 YES TFTP up up Virtual-Template1 18.104.22.168 YES manual down down
Aside from this there is no other configuration that directly relates to Frame Relay for PPP. Other options such as authentication, reliability, and multilink would be configured under the Virtual-Template interface.