
1 WAN concepts Point-to-Point connection Branch connection Access Control Lists
Chapter 1,2,3,4

2 WAN concepts Chapter 1

3 What is a WAN: A WAN interconnects LANs over long distances.
Although the Internet is a WAN, not all WANs are part of the Internet. WANs may be public or private, and not all of them provide access to the Internet. A VPN, not a WAN, provides secure remote network access to a LAN.

4 Why a WAN: Without WANs, LANs would be a series of isolated networks. LANs provide both speed and cost-efficiency for transmitting data over relatively small geographic areas. However, as organizations expand, businesses require communication among geographically separated sites.

5 Who owns the WAN: A WAN is owned by a service provider. An organization must pay a fee to use the provider’s network services to connect remote sites. WAN service providers include carriers such as a telephone network, cable company, or satellite service. In contrast, LANs are typically owned by a specific organization. The primary difference between a WAN and a LAN is that an organization must subscribe to an outside service provider to use WAN carrier network services.

6 WAN Topology: Interconnecting multiple sites across WANs can involve a variety of service provider technologies and WAN topologies. Common WAN topologies are:
- Point-to-Point
- Hub-and-Spoke
- Full Mesh
- Dual-Homed

7 WANs in the OSI Model: WAN operations focus primarily on the physical and data link layers of the OSI model. Layer 1 protocols describe how to provide electrical, mechanical, operational, and functional connections to the services of a communications service provider. Layer 2 protocols define how data is encapsulated and the mechanisms for transferring the resulting frames.

8 Common WAN Terminology:
- Customer Premises Equipment (CPE): the devices and wiring located on the enterprise edge and owned by the customer or leased from the service provider.
- Data Communications Equipment (DCE): devices that provide an interface for a customer to put data on the local loop to the WAN provider.
- Data Terminal Equipment (DTE): devices that pass data from the customer network through the DCE to the WAN.

9 Common WAN Terminology:
- Demarcation Point: the place where the responsibility for the connection changes from the service provider to the customer.
- Local Loop: the actual copper or fiber wiring that connects the customer premises equipment to the service provider central office.
- Central Office (CO): the local service provider building that connects the customers to the service provider network.
- Toll Network: long-haul fiber-optic communication lines and networking equipment inside the service provider network.

10 WAN Devices:
- Dialup Modem: a legacy device that converts digital computer signals into analog signals that traverse the public telephone network.
- Broadband Modem: a digital modem using high-speed DSL or cable Internet service.
- Access Server: legacy technology where the server controls and coordinates dialup modem, dial-in and dial-out user communications.
- CSU/DSU: the CSU terminates the digital signal and provides error correction and line monitoring. The DSU converts the data into frames understood by the LAN.

11 WAN Devices:
- WAN Switch: a multiport service provider networking device used to switch traffic at Layer 2.
- Router: provides internetworking and WAN access interface ports that are used to connect to the service provider.
- Core Router/Multilayer Switch: a router or multilayer switch that resides within the middle or backbone of the WAN.

12 Circuit Switching: a dedicated circuit (or channel) used to forward voice or data between a sender and a receiver. Communication cannot start until the connection is established through the service provider network. Dialing a number to make a call is an example of circuit switching technology. The two most common types of circuit-switched WAN technologies are the public switched telephone network (PSTN) and the Integrated Services Digital Network (ISDN).

13 Packet Switching: in contrast to circuit switching, packet switching splits traffic into packets that are routed over a shared network; there is no need to establish a circuit (or channel) first. Packet switching costs less than circuit switching; however, latency and jitter are greater in packet-switched networks.

14 Circuit Switching vs. Packet Switching:
- Packet-switched networks have higher delays (latency) than circuit-switched networks.
- The cost of a packet-switched network is lower than that of circuit-switched networks.
- Flexibility is an advantage of a packet-switched network.
- Circuit-switched networks have a fixed capacity.

15 WAN Link Connection Options:
There are two ways an enterprise can obtain WAN access:
- Private WAN infrastructure: service providers may offer dedicated point-to-point leased lines, VSAT coverage in remote areas, circuit-switched links such as PSTN or ISDN, and packet-switched links such as Ethernet WAN, ATM, or Frame Relay.
- Public WAN infrastructure: service providers may offer broadband Internet access via digital subscriber line (DSL), cable, and 3G/4G cellular access.

16 WAN Services: service provider networks are complex and consist mostly of high-bandwidth fiber-optic media. A newer fiber-optic development for long-range communications is called dense wavelength division multiplexing (DWDM). Some DWDM features are:
- It enables bidirectional communications over one strand of fiber.
- It assigns incoming optical signals to specific wavelengths of light (i.e., frequencies).
- It supports the Synchronous Optical Networking (SONET) or Synchronous Digital Hierarchy (SDH) standard.
- Its circuits are used in all modern submarine communications cable systems and other long-range communications.

17 Private WAN Infrastructures:
- Leased Line: a customer pays a monthly lease fee to a service provider to use a permanent, dedicated connection from the customer premises to the provider network.
- Integrated Services Digital Network (ISDN): a circuit-switching technology that allows the local loop of a PSTN to carry digital signals, resulting in higher-capacity connections than dialup allows. There are two types of ISDN interfaces: Basic Rate Interface (BRI) and Primary Rate Interface (PRI).
- Frame Relay: a Layer 2 technology that uses virtual circuits (VCs) to carry voice and data traffic between enterprise LANs.
- Asynchronous Transfer Mode (ATM): an extremely scalable technology that uses fixed-length cells of 53 bytes and can send data at high speeds but is less efficient than Frame Relay.

18 Private WAN Infrastructures:
- Ethernet WAN: a high-bandwidth Layer 2 WAN service using fiber-optic cabling to provide connections in metropolitan areas.
- Multiprotocol Label Switching (MPLS): a high-performance WAN technology that directs data from one router to the next based on short path labels rather than IP network addresses. MPLS can carry multiple payloads, including IPv4, IPv6, Ethernet, ATM, DSL, and Frame Relay traffic.
- Very Small Aperture Terminal (VSAT): a long-distance private WAN using satellite communications; the signal travels out 22,236 miles to the satellite and back.

19 Public WAN Infrastructure:
- DSL: an always-on WAN connection technology that uses existing twisted-pair telephone lines to transport high-bandwidth data and provides IP services to subscribers.
- Cable: an always-on WAN connection technology that uses connections from a cable television provider to provide network access.
- Municipal Wi-Fi: wireless networks set up for public use or for specific city employees and first responders.
- WiMAX: a more recent wireless technology that provides high-speed broadband wireless access up to 30 miles from a single tower.
- Satellite Internet: a rural wireless service commonly used when cable or DSL are not available; it provides speeds about 10 times faster than dialup.
- 3G/4G Cellular: another wireless WAN technology used to connect users and remote locations where no other WAN access technology is available, and the best option for customers on the move.

20 VPN Technology: a virtual private network (VPN) is a secure encrypted connection between private networks separated by a public network, such as the Internet. There are several benefits to using VPNs:
- Cost savings
- Security
- Scalability
- Compatibility with broadband technology
There are two types of VPN access:
- Site-to-site VPNs: connect entire networks to each other; for example, they can connect a branch office network to a company headquarters network.
- Remote-access VPNs: enable telecommuters, mobile users, and extranet consumers to access a company network securely over the Internet.

21 VPN Technology: VPN requirements:
- VPN gateway
- VPN appliance
- VPN concentrator
- VPN client software

22 Point-to-Point connection
Chapter 2

23 Serial Communications
Point-to-point connections connect LANs to service provider WANs and connect LAN segments. A LAN-to-WAN point-to-point connection is also referred to as a serial connection or leased-line connection. Point-to-point connections:
- are used when permanent dedicated connections are required;
- are not limited to connections that cross land (undersea fiber optics, for example);
- are usually more expensive than shared services.

24 Serial and Parallel Ports
- Serial communication: a method of data transmission in which the bits are transmitted sequentially over a single channel.
- Parallel communication: bits can be transmitted simultaneously over multiple wires. It sends a byte (eight bits) in the time that a serial connection sends a single bit.

25 Serial Bandwidth: refers to the rate at which data is transferred over the communication link. The carrier technology dictates how much bandwidth is available. Examples:
- The most fundamental line speed is 64 kb/s, or DS0.
- 24 DS0s can be bundled to get a DS1 line (T1 line).
- 28 DS1s can be bundled to get a DS3 line (T3 line).

26 WAN Encapsulation Protocols
- HDLC: the default encapsulation on point-to-point connections, dedicated links, and circuit-switched connections when the link uses two Cisco devices.
- PPP: provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. It has built-in security mechanisms such as PAP and CHAP.
Use Cisco HDLC as the point-to-point protocol on leased lines between two Cisco devices. If connecting non-Cisco devices, use synchronous PPP.

27 Configuring HDLC Encapsulation

28 PPP Encapsulation: PPP contains three main components:
- HDLC-like framing for transporting multiprotocol packets over point-to-point links.
- An extensible Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection. After the link is established, PPP also uses LCP to agree automatically on encapsulation format options such as authentication, compression, and error detection.
- Network Control Protocols (NCPs) for establishing and configuring different network layer protocols (the IPv4 and IPv6 Control Protocols). For every network layer protocol used, PPP uses a separate NCP. It also negotiates other Layer 3 options.

29 Advantages of PPP: PPP includes many features not available in HDLC:
- The link quality management (LQM) feature monitors the quality of the link. LQM is configured with the interface command ppp quality percentage. If the quality percentage falls below the configured threshold, the link is taken down and packets are rerouted or dropped.
- PPP supports PAP and CHAP authentication.

30 PPP Configuration Options:
- Authentication using either PAP or CHAP
- Compression using either Stacker or Predictor
- Multilink, which combines two or more channels to increase the WAN bandwidth. Multilink PPP provides load balancing of PPP traffic by spreading the traffic to a single destination across multiple physical WAN links.

31 PPP Basic Configuration Command

32 PPP Compression Commands

33 PPP Link Quality Monitoring Command

34 PPP Multilink Commands

35 Verifying PPP Configuration

36 PPP Authentication Protocols
- Password Authentication Protocol (PAP): a very basic two-way process with no encryption. The username and password are sent in plaintext; if they are accepted, the connection is allowed. PAP is not a strong authentication protocol: there is no protection from playback or repeated trial-and-error attacks.
- Challenge Handshake Authentication Protocol (CHAP): more secure than PAP. It involves a three-way exchange of a shared secret. CHAP conducts periodic challenges to make sure that the remote node still has a valid password value. In PPP CHAP authentication, the username must match the hostname of the other side and the two passwords must match. CHAP provides playback protection, repeated challenges, and a three-way handshake to establish a session. It also transmits data in encrypted format.
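The CHAP exchange the slide summarises, worked through in Python as an added example (not from the presentation): the authenticator sends a random challenge, the peer answers with MD5(identifier || secret || challenge) as RFC 1994 specifies, and the authenticator recomputes it locally. Hostnames R1/R2 and the shared secret are constructed; the block also shows why a previously observed response cannot satisfy a fresh challenge.

```python
"""Added example (not from the presentation): CHAP three-way handshake per RFC 1994.
Hostnames, shared secret and challenge bytes are constructed sample values."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """The shared secret is hashed with the challenge; it is never sent over the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Router that issues challenges; holds one secret per expected peer hostname."""

    def __init__(self, hostname: str, secrets: dict):
        self.hostname = hostname
        self.secrets = secrets          # peer hostname -> shared secret
        self.identifier = 0
        self.outstanding = None         # challenge waiting for a response

    def challenge(self):
        """Step 1: send a fresh random challenge, an identifier and our hostname."""
        self.identifier = (self.identifier + 1) & 0xFF
        self.outstanding = os.urandom(16)
        return self.identifier, self.outstanding, self.hostname

    def verify(self, identifier: int, peer_name: str, response: bytes) -> bool:
        """Step 3: the username must be a known peer hostname; recompute and compare."""
        secret = self.secrets.get(peer_name)
        if secret is None or self.outstanding is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, secret, self.outstanding)
        self.outstanding = None         # each challenge is answered at most once
        return hmac.compare_digest(expected, response)


class Peer:
    """Remote router being authenticated."""

    def __init__(self, hostname: str, secret: bytes):
        self.hostname = hostname
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes):
        """Step 2: answer with our hostname (the other side's 'username') and the hash."""
        return identifier, self.hostname, chap_response(identifier, self.secret, challenge)


def run_handshake(auth: Authenticator, peer: Peer) -> bool:
    ident, chal, _ = auth.challenge()
    ident, name, resp = peer.respond(ident, chal)
    return auth.verify(ident, name, resp)


def replay_rejected(auth: Authenticator, peer: Peer) -> bool:
    """Playback protection: a response to an earlier challenge fails against a new one."""
    ident, chal, _ = auth.challenge()
    _, name, old_resp = peer.respond(ident, chal)
    first = auth.verify(ident, name, old_resp)
    ident2, _, _ = auth.challenge()
    return first and not auth.verify(ident2, name, old_resp)


if __name__ == "__main__":
    r1 = Authenticator("R1", {"R2": b"chap-secret"})
    print(run_handshake(r1, Peer("R2", b"chap-secret")))   # True: hostnames and secrets match
    print(run_handshake(r1, Peer("R2", b"wrong")))         # False: secrets differ
    print(replay_rejected(r1, Peer("R2", b"chap-secret"))) # True: old response is useless
```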

37 PPP Authentication Command

38 PPP Authentication Command

39 Branch connection Chapter 3

40 Remote Access Connections:
- Cable
- DSL
- Wireless

41 Cable system Cable system uses a coaxial cable that carries radio frequency (RF) signals across the network. Cable systems provide high-speed Internet access, digital cable television, and residential telephone service.

42 DSL Digital Subscriber Line (DSL) is a means of providing high-speed connections over installed copper wires. Asymmetric DSL (ADSL) provides higher downstream bandwidth to the user than upload bandwidth. Symmetric DSL (SDSL) provides the same capacity in both directions.

43 Wireless Connection: three main broadband wireless technologies:
- Municipal Wi-Fi: most municipal wireless networks use a mesh of interconnected access points.
- Cellular/mobile: mobile phones use radio waves to communicate through nearby cell towers. Cellular speeds continue to increase. LTE is a 4G, or fourth generation, wireless broadband technology. GSM and CDMA are considered second generation (2G) and UMTS third generation (3G) technologies.
- Satellite Internet: used in locations where land-based Internet access is not available. The primary installation requirement is for the antenna to have a clear view toward the equator.

44 Comparing Broadband Solutions
Factors to consider in selecting a broadband solution:
- Cable: bandwidth shared by many users; slow data rates during high-usage hours. It is the least expensive.
- DSL: limited bandwidth that is distance sensitive (in relation to the ISP’s central office).
- Fiber-to-the-Home: requires fiber installation directly to the home.
- Cellular/Mobile: coverage is often an issue.
- Wi-Fi Mesh: most municipalities do not have a mesh network deployed.
- Satellite: expensive, with limited capacity per subscriber.

45 PPPoE Concepts: PPP can be used on all serial links, but Ethernet links do not natively support PPP, so it cannot be used directly for DSL. PPPoE is a protocol that allows PPP frames to be sent encapsulated inside Ethernet frames. It creates a PPP tunnel over an Ethernet connection, so DSL can then use PPP.

46 PPPoE Configuration
To create the PPP tunnel, a dialer interface is configured:
- Use the interface dialer number command.
- PPP CHAP is then configured with ppp chap hostname name and ppp chap password password.
- The physical Ethernet interface connected to the DSL modem is enabled with the pppoe enable interface configuration command.
- The dialer interface is linked to the Ethernet interface with the dialer pool and pppoe-client interface configuration commands.
- The MTU should be set to 1492 to accommodate the PPPoE headers.

47 PPPoE Verification: use the following commands to verify PPPoE:
- show ip interface brief: verifies the IPv4 address automatically assigned.
- show interface dialer: verifies the MTU and PPP encapsulation.
- show pppoe session: displays information about currently active PPPoE sessions.

48 Virtual Private Networking (VPN):
A VPN is a private network created via tunneling over a public network, usually the Internet. The benefits of a VPN include the following:
- Cost savings: VPNs enable organizations to use cost-effective, high-bandwidth technologies, such as DSL, to connect remote offices and remote users to the main site.
- Scalability: organizations are able to add large amounts of capacity without adding significant infrastructure.
- Compatibility with broadband technology: allows mobile workers and telecommuters to take advantage of high-speed broadband connectivity.
- Security: VPNs can use advanced encryption and authentication protocols.

49 Types of VPN: Site-to-Site VPN:
A site-to-site VPN connects entire networks to each other; for example, it connects a branch office network to a company headquarters network. In a site-to-site VPN, end hosts send and receive normal TCP/IP traffic through a VPN “gateway”. The VPN gateway is responsible for encapsulating and encrypting outbound traffic.

50 Types of VPN: Remote Access VPN:
A remote-access VPN supports the needs of telecommuters, mobile users, and extranet traffic. It allows for dynamically changing information and can be enabled and disabled. It is used to connect individual hosts that must access their company network securely over the Internet. VPN client software may need to be installed on the mobile user’s end device.

51 Types of VPN: Dynamic Multipoint VPN (DMVPN):
DMVPN is a Cisco software solution for building multiple VPNs. It is built using the following technologies:
- Next Hop Resolution Protocol (NHRP): creates a distributed mapping database of public IP addresses for all tunnel spokes.
- Multipoint Generic Routing Encapsulation (mGRE) tunnels: an mGRE tunnel interface allows a single GRE interface to support multiple IPsec tunnels.
- IP Security (IPsec) encryption: provides secure transport of private information over public networks.

52 Generic Routing Encapsulation (GRE)
GRE is a non-secure, site-to-site VPN tunneling protocol. It manages the transportation of multiprotocol and IP multicast traffic between two or more sites. GRE can encapsulate a wide variety of network layer protocol packet types inside IP tunnels, but it does not support encryption. A tunnel interface supports a header for each of the following:
- A passenger protocol, such as IPv4 or IPv6.
- A carrier protocol, such as GRE.
- A transport delivery protocol, such as IP.
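The three headers the slide lists (transport, carrier, passenger) built and stripped in Python, as an added example that is not part of the presentation. Tunnel endpoints, inner addresses and payload are constructed; the point to notice is that decapsulation returns the passenger packet byte-for-byte, because GRE adds no confidentiality.

```python
"""Added example (not from the presentation): GRE encapsulation, one header per layer.
Transport = outer IPv4, carrier = GRE (RFC 2784), passenger = inner IPv4.
All addresses and the payload are constructed sample values."""
import struct
import ipaddress

GRE_PROTO = 47           # IP protocol number carried in the transport header
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 passenger


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, passenger: bytes) -> bytes:
    """Carrier header: flags/version 0 (no checksum, key or sequence), then protocol type."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(passenger))
    return outer + gre + passenger


def gre_decapsulate(packet: bytes):
    """Strip transport and carrier headers; returns (protocol_type, passenger_bytes)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    offset = ihl + 4
    if flags & 0x8000:       # C bit: checksum + reserved field present
        offset += 4
    if flags & 0x2000:       # K bit: key present (RFC 2890)
        offset += 4
    if flags & 0x1000:       # S bit: sequence number present (RFC 2890)
        offset += 4
    return proto_type, packet[offset:]


def demo():
    """Constructed passenger packet between two private LANs, carried across public tunnel endpoints."""
    inner = ipv4_header("192.168.1.10", "192.168.2.10", 17, 12) + b"hello branch"
    tunnel = gre_encapsulate("203.0.113.1", "198.51.100.1", inner)
    return inner, tunnel


if __name__ == "__main__":
    inner, tunnel = demo()
    print(len(inner), len(tunnel), gre_decapsulate(tunnel)[1] == inner)
```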

53 Configure GRE: five steps to configuring a GRE tunnel:
Step 1. Create a tunnel interface using the interface tunnel number command.
Step 2. Configure an IP address for the tunnel interface (usually a private address).
Step 3. Specify the tunnel source IP address.
Step 4. Specify the tunnel destination IP address.
Step 5. (Optional) Specify GRE tunnel mode as the tunnel interface mode.

54 Verify GRE:
- Use the show ip interface brief command to verify that the tunnel interface is up.
- Use the show interface tunnel command to verify the state of the tunnel.
- Use the show ip ospf neighbor command to verify that an OSPF adjacency has been established over the tunnel interface.

55 BGP Overview: Border Gateway Protocol (BGP) is an Exterior Gateway Protocol (EGP). It is the widely used EGP for the exchange of routing information between autonomous systems. Every AS is assigned a unique 16-bit or 32-bit AS number which uniquely identifies it on the Internet.
- External BGP (eBGP): the routing protocol used between routers in different autonomous systems.
- Internal BGP (iBGP): the routing protocol used between routers in the same AS.
Two routers exchanging BGP routing information are known as BGP peers.

56 BGP Design Considerations
When to use BGP: BGP is used when an AS has connections to multiple autonomous systems. This is known as multi-homed.
When not to use BGP:
- There is a single connection to the Internet or another AS, known as single-homed.
- There is a limited understanding of BGP.
Three common ways an organization can implement BGP in a multi-homed environment:
- Default Route Only
- Default Route and ISP Routes
- All Internet Routes (this would include routes to over 550,000 networks)

57 BGP Configuration
- The router bgp as-number global configuration command enables BGP and identifies the AS number.
- The neighbor ip-address remote-as as-number router configuration command identifies the BGP peer and its AS number.
- The network network-address [mask network-mask] router configuration command enters the network-address into the local BGP table.
Note: the network-address used in the network command does not have to be a directly connected network.
Example (the peer address and network did not survive in the transcript and are shown as placeholders):
    Company-A(config)#router bgp 65000
    Company-A(config-router)#neighbor <peer-ip-address> remote-as 65001
    Company-A(config-router)#network <network-address> mask <network-mask>

58 Access Control Lists Chapter 4

59 ACL Operation Overview:
An ACL contains a sequential list of permit or deny statements, known as access control entries (ACEs). You can configure:
- One ACL per protocol: to control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
- One ACL per direction: ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
- One ACL per interface: ACLs control traffic for an interface, for example, GigabitEthernet 0/0.
Extended ACLs can filter traffic by examining TCP port numbers.

60 ACL Operation Overview:
To help explain how an ACL operates, refer to the decision path used to filter web traffic. An ACL has been configured to:
- Permit web access to users from Network A but deny all other services to Network A users.
- Deny HTTP access to users from Network B, but permit Network B users to have all other access.

61 Types of ACL: Standard ACLs filter packets based on the source address only. Extended ACLs filter packets based on:
- Protocol type / protocol number (e.g., IP, ICMP, UDP, TCP, …)
- Source and destination IP addresses
- Source and destination TCP and UDP ports
Extended ACLs provide more precise filtering and are used more often than standard ACLs because they provide a greater degree of control. Standard and extended ACLs can be created using either a number or a name to identify the ACL and its list of statements.

62 Types of ACL: placement
- Extended ACLs should be located as close as possible to the source of the traffic to be filtered.
- Standard ACLs should be located as close to the destination as possible.

63 Configure Extended IPv4 ACLs
The full syntax of the extended ACL command is as follows:
    access-list ACL-# {deny | permit} tcp {source source-wildcard} eq {port-number | port-name}
    access-list ACL-# {deny | permit} tcp {source source-wildcard} {destination destination-wildcard} eq {port-number | port-name}
For example, ACL 103 allows requests to ports 80 and 443.
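The Network A / Network B decision path from slide 60 expressed against the syntax above, as an added Python example (not from the presentation): ACEs are matched top-down with Cisco wildcard semantics, the first match wins, and anything unmatched hits the implicit deny. Networks 10.1.0.0/16 (A), 10.2.0.0/16 (B) and ACL number 103 are constructed; the block also renders each entry in the access-list form shown on the slide.

```python
"""Added example (not from the presentation): first-match evaluation of an extended IPv4 ACL.
Network A = 10.1.0.0/16 (web only), Network B = 10.2.0.0/16 (everything except HTTP); constructed."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the IOS keyword 'any' as address/wildcard


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class ACE:
    """One access control entry: action, protocol, source, destination, optional 'eq' port."""
    action: str                 # "permit" or "deny"
    protocol: str               # "ip" matches every IP protocol; otherwise "tcp", "udp", "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and self.protocol != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dst_port is None or pkt.get("dport") == self.dst_port


def evaluate(acl: list, pkt: dict) -> str:
    """ACEs are tested top-down and the first match decides; no match hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def to_ios(number: int, ace: ACE) -> str:
    """Render an ACE in the access-list syntax quoted on the slide."""
    def endpoint(addr, wc):
        if wc == "255.255.255.255":
            return "any"
        if wc == "0.0.0.0":
            return f"host {addr}"
        return f"{addr} {wc}"
    line = (f"access-list {number} {ace.action} {ace.protocol} "
            f"{endpoint(ace.src, ace.src_wc)} {endpoint(ace.dst, ace.dst_wc)}")
    if ace.dst_port is not None:
        line += f" eq {ace.dst_port}"
    return line


# Order matters: the deny for B's HTTP must precede the permit for B's other traffic.
ACL_103 = [
    ACE("permit", "tcp", "10.1.0.0", "0.0.255.255", *ANY, 80),
    ACE("permit", "tcp", "10.1.0.0", "0.0.255.255", *ANY, 443),
    ACE("deny", "tcp", "10.2.0.0", "0.0.255.255", *ANY, 80),
    ACE("permit", "ip", "10.2.0.0", "0.0.255.255", *ANY),
]

if __name__ == "__main__":
    for ace in ACL_103:
        print(to_ios(103, ace))
    print(evaluate(ACL_103, {"proto": "tcp", "src": "10.1.5.5", "dst": "198.51.100.7", "dport": 22}))
```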

64 Configure Extended IPv4 ACLs
Named extended ACLs are created in the same way that named standard ACLs are created. In this example, two named ACLs are created. SURFING permits users on the /24 network to exit going to ports 80 and 443.

65 Verifying Extended IPv4 ACLs
The sequence numbers displayed in the show access-lists command output reflect the order in which the statements were entered. Unlike standard ACLs, extended ACLs do not implement the same internal logic and hashing function; host entries are not automatically listed prior to range entries. The show ip interface command is used to verify the ACL on the interface and the direction in which it was applied. The output from this command includes the number or name of the access list and the direction in which the ACL was applied.

66 Editing Extended IPv4 ACLs
An extended ACL can be edited as follows:
- The ACL is copied out of the configuration and pasted into an editor, where the changes are made.
- The current access list is removed using the no access-list command.
- The modified ACL is then pasted back into the configuration.

67 IPv6 ACL Creation: IPv6 ACLs are similar to IPv4 ACLs in both operation and configuration. With IPv6 there is only one type of ACL, which is equivalent to an IPv4 extended named ACL; there are no numbered ACLs in IPv6. There are three significant differences between IPv4 and IPv6 ACLs:
- The command used to apply an IPv6 ACL to an interface is ipv6 traffic-filter.
- IPv6 ACLs do not use wildcard masks; instead, a prefix length indicates how much of an IPv6 source or destination address should be matched.
- An IPv6 ACL adds two implicit permit statements at the end of each IPv6 access list, ahead of the implicit deny, to allow IPv6-to-MAC address resolution:
    permit icmp any any nd-na
    permit icmp any any nd-ns
    deny ipv6 any any

