Friday, January 29, 2010

Playing on PPP

Hi all,
today I'm playing on PPP using Dynamips and a simple topology:



Let's start from basics, configure R0 - R1 link using simple encapsulation ppp, then look at the debug ppp output:

!---- on R0
R0#sh run int ser 1/0 | beg int
interface Serial1/0
ip address 10.10.0.1 255.255.255.252
encapsulation ppp
serial restart-delay 0
clock rate 128000
end

!--- on R1 we first enable debug ppp negotiation...
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int ser 1/0
R1(config-if)#shutdown
R1(config-if)#encapsulation ppp
*Jan 29 00:04:33.711: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
R1(config-if)#ip address 10.10.0.2 255.255.255.252
R1(config-if)#do debug ppp negotiation
PPP protocol negotiation debugging is on
R1(config-if)#no shutdown
R1(config-if)#
*Jan 29 00:04:56.675: Se1/0 PPP: Outbound cdp packet dropped
*Jan 29 00:04:58.667: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
*Jan 29 00:04:58.687: Se1/0 PPP: Using default call direction
*Jan 29 00:04:58.687: Se1/0 PPP: Treating connection as a dedicated line
*Jan 29 00:04:58.687: Se1/0 PPP: Session handle[48000002] Session id[1]
*Jan 29 00:04:58.687: Se1/0 PPP: Phase is ESTABLISHING, Active Open
*Jan 29 00:04:58.687: Se1/0 LCP: O CONFREQ [Closed] id 1 len 10
*Jan 29 00:04:58.691: Se1/0 LCP: MagicNumber 0x011EC7EA (0x0506011EC7EA)
*Jan 29 00:04:58.711: Se1/0 LCP: I CONFREQ [REQsent] id 31 len 10
*Jan 29 00:04:58.715: Se1/0 LCP: MagicNumber 0x001E7A7E (0x0506001E7A7E)
*Jan 29 00:04:58.719: Se1/0 LCP: O CONFACK [REQsent] id 31 len 10
*Jan 29 00:04:58.719: Se1/0 LCP: MagicNumber 0x001E7A7E (0x0506001E7A7E)
*Jan 29 00:04:58.719: Se1/0 LCP: I CONFACK [ACKsent] id 1 len 10
*Jan 29 00:04:58.719: Se1/0 LCP: MagicNumber 0x011EC7EA (0x0506011EC7EA)
*Jan 29 00:04:58.719: Se1/0 LCP: State is Open
*Jan 29 00:04:58.735: Se1/0 PPP: Phase is FORWARDING, Attempting Forward
*Jan 29 00:04:58.735: Se1/0 PPP: Phase is ESTABLISHING, Finish LCP
*Jan 29 00:04:58.735: Se1/0 PPP: Phase is UP
*Jan 29 00:04:58.735: Se1/0 IPCP: O CONFREQ [Closed] id 1 len 10
*Jan 29 00:04:58.735: Se1/0 IPCP: Address 10.10.0.2 (0x03060A0A0002)
*Jan 29 00:04:58.735: Se1/0 CDPCP: O CONFREQ [Closed] id 1 len 4
*Jan 29 00:04:58.735: Se1/0 PPP: Process pending ncp packets
*Jan 29 00:04:58.743: Se1/0 IPCP: I CONFREQ [REQsent] id 1 len 10
*Jan 29 00:04:58.747: Se1/0 IPCP: Address 10.10.0.1 (0x03060A0A0001)
*Jan 29 00:04:58.747: Se1/0 IPCP: O CONFACK [REQsent] id 1 len 10
*Jan 29 00:04:58.751: Se1/0 IPCP: Address 10.10.0.1 (0x03060A0A0001)
*Jan 29 00:04:58.755: Se1/0 CDPCP: I CONFREQ [REQsent] id 1 len 4
*Jan 29 00:04:58.755: Se1/0 CDPCP: O CONFACK [REQsent] id 1 len 4
*Jan 29 00:04:58.767: Se1/0 IPCP: I CONFACK [ACKsent] id 1 len 10
*Jan 29 00:04:58.771: Se1/0 IPCP: Address 10.10.0.2 (0x03060A0A0002)
*Jan 29 00:04:58.771: Se1/0 IPCP: State is Open
*Jan 29 00:04:58.771: Se1/0 CDPCP: I CONFACK [ACKsent] id 1 len 4
*Jan 29 00:04:58.771: Se1/0 CDPCP: State is Open
*Jan 29 00:04:58.771: Se1/0 IPCP: Install route to 10.10.0.1
*Jan 29 00:04:59.739: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
R1(config-if)#
R1(config-if)#do undebug all
All possible debugging has been turned off
R1(config-if)#


Well, that relatively verbose debug output shows us the two phases of PPP negotiation: LCP and IPCP.
LCP, formally the Link Control Protocol, as specified in RFC 1661, is used to set up the link by exchanging setup frames and agreeing on configuration options such as authentication protocols, compression, error detection and multilink.
Note the "Magic" numbers exchanged: they are used to detect whether the link is looped somewhere, by comparing the sent magic number with the received one.
The magic number is also used to detect misconfigurations, in case you have different PPP peers on a shared medium, as is possible with PPPoE: the magic number sent in the CONFREQ must match the one received in the CONFACK, otherwise a misconfiguration is assumed...

The second phase, IPCP, formally the Internet Protocol Control Protocol, as specified in RFC 1332, is used, if your interface is running IP, to set up and configure IP over a PPP link.
Options negotiated with IPCP are compression (no compression by default) and IP address.
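The hex strings in parentheses in the debug output are the raw LCP and IPCP options (type, length, value). The following decoder is an added example, not part of the original post: it parses those strings, rebuilds the packet length shown on the CONFREQ line, and applies the magic-number comparisons described above. The function names are made up for the illustration, and the sample values are copied from the debug output on this page.

```python
import ipaddress

# Option and protocol numbers from RFC 1661 / RFC 1332 / RFC 1994.
LCP_OPTS = {1: "MRU", 3: "AuthProto", 5: "MagicNumber"}
IPCP_OPTS = {2: "IP-Compression", 3: "Address"}
AUTH_PROTOS = {0xC023: "PAP", 0xC223: "CHAP", 0xC227: "EAP"}
CHAP_ALGS = {5: "MD5"}


def to_bytes(hexstr):
    """Turn '0x0506011EC7EA' (as printed by the debug) into bytes."""
    if hexstr.lower().startswith("0x"):
        hexstr = hexstr[2:]
    return bytes.fromhex(hexstr)


def _decode(proto, otype, value):
    """Render one option value in the same form the debug line uses."""
    if proto == "LCP" and otype == 5 and len(value) == 4:
        return int.from_bytes(value, "big")
    if proto == "LCP" and otype == 3 and len(value) >= 2:
        name = AUTH_PROTOS.get(int.from_bytes(value[:2], "big"), value[:2].hex())
        if name == "CHAP" and len(value) == 3:
            name += "/" + CHAP_ALGS.get(value[2], str(value[2]))
        return name
    if proto == "IPCP" and otype == 3 and len(value) == 4:
        return str(ipaddress.IPv4Address(value))
    return value.hex()


def parse_options(hexstr, proto):
    """Walk a run of type/length/value options; reject malformed lengths."""
    data = to_bytes(hexstr)
    names = LCP_OPTS if proto == "LCP" else IPCP_OPTS
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated option header")
        otype, olen = data[i], data[i + 1]
        if olen < 2 or i + olen > len(data):
            raise ValueError("bad option length %d" % olen)
        out.append((names.get(otype, "type-%d" % otype),
                    _decode(proto, otype, data[i + 2:i + olen])))
        i += olen
    return out


def packet_len(option_hexes):
    """'len' on the CONFREQ line: 4-byte code/id/length header plus all options."""
    return 4 + sum(len(to_bytes(h)) for h in option_hexes)


def magic_of(hexstr):
    for name, value in parse_options(hexstr, "LCP"):
        if name == "MagicNumber":
            return value
    return None


def link_looks_looped(sent_confreq, received_confreq):
    """Receiving our own magic number in a CONFREQ suggests a looped link."""
    sent = magic_of(sent_confreq)
    return sent is not None and sent == magic_of(received_confreq)


def ack_echoes_request(sent_confreq, received_confack):
    """A CONFACK must carry back the magic number we sent in the CONFREQ."""
    return magic_of(sent_confreq) == magic_of(received_confack)


if __name__ == "__main__":
    # Values copied from the R1 debug output on this page.
    print(parse_options("0x0506011EC7EA", "LCP"))
    print(parse_options("0x0305C22305", "LCP"))
    print(parse_options("0x03060A0A0002", "IPCP"))
    print(packet_len(["0x0305C22305", "0x0506015AA11C"]))
    print(link_looks_looped("0x0506011EC7EA", "0x0506001E7A7E"))
```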

In order to speed up PPP negotiation, two commands were introduced with IOS 12.2(4)T:
ppp lcp predictive
ppp ipcp predictive

Those two are used to send ACKs early in the sequence during the LCP and IPCP phases, optimizing the convergence time (see "Optimize PPP Negotiation" for further details).

Note also that by default IPCP installs a /32 route with the ip of the other end:

*Jan 29 00:04:58.771: Se1/0 IPCP: Install route to 10.10.0.1

R1#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.0.0/30 is directly connected, Serial1/0
C 10.10.0.1/32 is directly connected, Serial1/0
C 10.10.0.4/30 is directly connected, Serial1/1
C 10.1.1.1/32 is directly connected, Loopback0
R1#

To disable this peer route installation, simply use:

R1#sh run int ser 1/0 | beg int
interface Serial1/0
description R1 - R0
ip address 10.10.0.2 255.255.255.252
encapsulation ppp
shutdown
no fair-queue
serial restart-delay 0
no cdp enable
end

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int ser 1/0
R1(config-if)#no peer neighbor-route
R1(config-if)#no shutdown
R1(config-if)#end
R1#
*Jan 29 16:00:46.370: %SYS-5-CONFIG_I: Configured from console by console
*Jan 29 16:00:47.158: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
*Jan 29 16:00:47.166: %ENTITY_ALARM-6-INFO: CLEAR INFO Se1/0 Physical Port Administrative State Down
*Jan 29 16:00:48.210: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
R1#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.10.0.0/30 is directly connected, Serial1/0
C 10.10.0.4/30 is directly connected, Serial1/1
C 10.1.1.1/32 is directly connected, Loopback0
R1# ping 10.10.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/48 ms
R1#

The neighbor is still reachable, but without the /32 peer route installed.

Well, let's talk about authentication. We have to remember that authentication on PPP links is unidirectional, so we can use different authentication methods on the same link, just to have more fun. There are three authentication methods: CHAP, PAP and EAP.

In our topology we have 3 serial links, so we can try to configure authentication only in the clockwise direction, starting from R0 and using CHAP, PAP and EAP respectively.

CHAP, R0 authenticates to R1:
!---- on R0 side I send username and password:
R0#sh run int ser 1/0 | beg int
interface Serial1/0
description R0 - R1
ip address 10.10.0.1 255.255.255.252
encapsulation ppp
serial restart-delay 0
ppp lcp predictive
ppp chap hostname R0
ppp chap password 0 cisco

ppp ipcp predictive
end

!---- on R1 side, I request authentication and create the username/pass:
R1#sh run | inc username R0
username R0 password 0 cisco

R1#sh run int ser 1/0 | beg int
interface Serial1/0
description R1 - R0
ip address 10.10.0.2 255.255.255.252
encapsulation ppp
serial restart-delay 0
ppp lcp predictive
ppp authentication chap
ppp ipcp predictive
end



!--- let's verify it on R0:
R0#debug ppp authentication
PPP authentication debugging is on
R0#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R0(config)#int ser 1/0
R0(config-if)#shutdown
*Jan 29 19:28:16.339: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
*Jan 29 19:28:17.339: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
R0(config-if)#no shutdown
*Jan 29 19:28:20.751: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
*Jan 29 19:28:20.763: Se1/0 PPP: Using default call direction
*Jan 29 19:28:20.763: Se1/0 PPP: Treating connection as a dedicated line
*Jan 29 19:28:20.763: Se1/0 PPP: Session handle[86000015] Session id[21]
*Jan 29 19:28:20.763: Se1/0 PPP: Authorization required
*Jan 29 19:28:20.779: Se1/0 PPP: No authorization without authentication
*Jan 29 19:28:20.795: Se1/0 CHAP: I CHALLENGE id 20 len 23 from "R1"
*Jan 29 19:28:20.807: Se1/0 CHAP: Using hostname from interface CHAP
*Jan 29 19:28:20.811: Se1/0 CHAP: Using password from interface CHAP
*Jan 29 19:28:20.811: Se1/0 CHAP: O RESPONSE id 20 len 23 from "R0"
*Jan 29 19:28:20.823: Se1/0 CHAP: I SUCCESS id 20 len 4
*Jan 29 19:28:21.835: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up


PAP, R1 authenticates to R2:
!--- on R1 side, I send username and password
R1#sh run int ser 1/1 | beg int
interface Serial1/1
description R1 - R2
ip address 10.10.0.5 255.255.255.252
encapsulation ppp
serial restart-delay 0
ppp lcp predictive
ppp pap sent-username R1 password 0 cisco
ppp ipcp predictive
end

!--- same story on R2, I configure pap authentication and R1 user/pass:
R2#sh run | inc username R1
username R1 password 0 cisco

R2#sh run int ser 1/0 | beg int
interface Serial1/0
description R2 - R1
ip address 10.10.0.6 255.255.255.252
encapsulation ppp
serial restart-delay 0
ppp lcp predictive
ppp authentication pap
ppp ipcp predictive
end

!--- Verify on R1:
R1#debug ppp authentication
PPP authentication debugging is on
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int ser 1/1
R1(config-if)#shutdown
*Jan 29 21:34:08.035: %LINK-5-CHANGED: Interface Serial1/1, changed state to administratively down
*Jan 29 21:34:08.039: %ENTITY_ALARM-6-INFO: ASSERT INFO Se1/1 Physical Port Administrative State Down
*Jan 29 21:34:09.035: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to down
R1(config-if)#no shutdown
R1(config-if)#
*Jan 29 21:35:48.195: %LINK-3-UPDOWN: Interface Serial1/1, changed state to up
*Jan 29 21:35:48.211: Se1/1 PPP: Using default call direction
*Jan 29 21:35:48.215: Se1/1 PPP: Treating connection as a dedicated line
*Jan 29 21:35:48.215: Se1/1 PPP: Session handle[67000023] Session id[217]
*Jan 29 21:35:48.215: Se1/1 PPP: Authorization required
*Jan 29 21:35:48.235: Se1/1 PPP: No authorization without authentication
*Jan 29 21:35:48.235: Se1/1 PAP: Using hostname from interface PAP
*Jan 29 21:35:48.239: Se1/1 PAP: Using password from interface PAP
*Jan 29 21:35:48.239: Se1/1 PAP: O AUTH-REQ id 213 len 13 from "R1"
*Jan 29 21:35:48.271: Se1/1 PAP: I AUTH-ACK id 213 len 5
*Jan 29 21:35:49.291: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up


EAP is really similar; here we finish with R2 authenticating to R0:
!--- on R2 I send username (which EAP calls "identity") and pass
R2#sh run int ser 1/1 | beg int
interface Serial1/1
description R2 - R0
ip address 10.10.0.10 255.255.255.252
encapsulation ppp
serial restart-delay 0
ppp lcp predictive
ppp eap identity R2
ppp eap password 0 cisco

ppp ipcp predictive
end

!--on R0 I configure username/pass and the authentication eap
!--eap uses local user database instead of radius
R0#sh run | inc username R2
username R2 password 0 cisco

R0#sh run int ser 1/1 | beg int
interface Serial1/1
description R0 - R2
ip address 10.10.0.9 255.255.255.252
encapsulation ppp
serial restart-delay 0
ppp lcp predictive
ppp authentication eap
ppp eap local

ppp ipcp predictive
end

!-- verify on R2:
R2#debug ppp authentication
PPP authentication debugging is on
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int ser 1/1
R2(config-if)#shutdown
*Jan 29 21:47:21.347: %LINK-5-CHANGED: Interface Serial1/1, changed state to administratively down
*Jan 29 21:47:22.347: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to down
R2(config-if)#no shutdown
*Jan 29 21:42:15.855: %LINK-3-UPDOWN: Interface Serial1/1, changed state to up
*Jan 29 21:42:15.867: Se1/1 PPP: Using default call direction
*Jan 29 21:42:15.871: Se1/1 PPP: Treating connection as a dedicated line
*Jan 29 21:42:15.875: Se1/1 PPP: Session handle[240000D8] Session id[218]
*Jan 29 21:42:15.875: Se1/1 PPP: Authorization required
*Jan 29 21:42:15.895: Se1/1 PPP: No authorization without authentication
*Jan 29 21:42:15.907: Se1/1 EAP: I REQUEST IDENTITY id 3 len 5
*Jan 29 21:42:15.911: Se1/1 EAP: O RESPONSE IDENTITY id 3 len 7 from "R2"
*Jan 29 21:42:15.955: Se1/1 EAP: I REQUEST MD5 id 4 len 24 from "R0"
*Jan 29 21:42:15.963: Se1/1 EAP: Using hostname from interface EAP
*Jan 29 21:42:15.963: Se1/1 EAP: Using password from interface EAP
*Jan 29 21:42:15.963: Se1/1 EAP: O RESPONSE MD5 id 4 len 24 from "R2"
*Jan 29 21:42:15.975: Se1/1 EAP: I SUCCESS id 4 len 4
*Jan 29 21:42:16.975: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up

Note that EAP uses MD5 to authenticate.
If required, we can use two-way authentication with the same or a different protocol.
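What actually crosses the link differs a lot between the three methods. The sketch below is an added example, not part of the original post: it builds the PAP Authenticate-Request (RFC 1334), the CHAP Challenge/Response (RFC 1994) and the EAP MD5-Challenge (RFC 3748) with the names, ids and password used in the configs above, and shows that the packet sizes match the "len" values in the debugs (13, 23 and 24). The 16-byte challenge is a constructed value, since the debug does not print it.

```python
import hashlib
import hmac
import struct

# Constructed 16-byte challenge; a real authenticator picks a random one.
CHALLENGE = bytes(range(16))


def header(code, ident, body):
    """Common code / identifier / length header used by PAP, CHAP and EAP."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def pap_auth_request(ident, peer_id, password):
    """PAP Authenticate-Request (code 1): username AND password in cleartext."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return header(1, ident, body)


def chap_packet(code, ident, value, name):
    """CHAP Challenge (code 1) or Response (code 2): value-size, value, name."""
    return header(code, ident, bytes([len(value)]) + value + name)


def chap_response_value(ident, secret, challenge):
    """RFC 1994: MD5 over identifier, shared secret and challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident, secret, challenge, response_pkt):
    """Authenticator side: recompute the hash from the local user database."""
    if len(response_pkt) < 5:
        return False
    code, rid, length = struct.unpack("!BBH", response_pkt[:4])
    if code != 2 or rid != ident or length != len(response_pkt):
        return False
    size = response_pkt[4]
    value = response_pkt[5:5 + size]
    expected = chap_response_value(ident, secret, challenge)
    return hmac.compare_digest(value, expected)


def eap_md5_packet(code, ident, value, name):
    """EAP Request/Response of type 4 (MD5-Challenge): same fields plus a type byte."""
    return header(code, ident, bytes([4, len(value)]) + value + name)


if __name__ == "__main__":
    # R1 -> R2, PAP: the password travels as-is.
    pap = pap_auth_request(213, b"R1", b"cisco")
    print("PAP  AUTH-REQ  len", len(pap), "password visible:", b"cisco" in pap)

    # R1 challenges R0, CHAP: only the hash travels.
    chal = chap_packet(1, 20, CHALLENGE, b"R1")
    resp = chap_packet(2, 20, chap_response_value(20, b"cisco", CHALLENGE), b"R0")
    print("CHAP CHALLENGE len", len(chal))
    print("CHAP RESPONSE  len", len(resp), "password visible:", b"cisco" in resp)
    print("CHAP verified:", chap_verify(20, b"cisco", CHALLENGE, resp))

    # R0 challenges R2, EAP-MD5: one extra byte for the EAP type.
    print("EAP  REQUEST MD5 len", len(eap_md5_packet(1, 4, CHALLENGE, b"R0")))
```

With PAP the secret is readable by anyone who can see the link, while CHAP and EAP-MD5 send only a hash bound to the challenge and the identifier.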

Another interesting thing to know about PPP is the possibility to assign an IP address to the neighbor peer. The IP address can be originated directly by IPCP, or by DHCP or a local pool.

!--- R1 requests for an address
R1#sh run int ser 1/0 | beg int
interface Serial1/0
description R1 - R0
ip address negotiated
encapsulation ppp
no peer neighbor-route
serial restart-delay 0
ppp lcp predictive
ppp authentication chap
ppp ipcp predictive
end

!--- R0 assigns an ip address to the peer


R0#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R0(config)#int ser 1/0
R0(config-if)#peer default ip address ?
A.B.C.D Default IP address for remote end of this interface
dhcp Use DHCP proxy client mechanism to allocate a peer IP address
dhcp-pool Use local DHCP pools to allocate a peer IP address
pool Use IP pool mechanism to allocate a peer IP address


R0(config-if)#peer default ip address 10.10.0.2
R0(config-if)#do sh run int ser 1/0 | beg int
interface Serial1/0
description R0 - R1
ip address 10.10.0.1 255.255.255.252
encapsulation ppp
no peer neighbor-route
peer default ip address 10.10.0.2
serial restart-delay 0
ppp lcp predictive
ppp chap hostname R0
ppp chap password 0 cisco
ppp ipcp predictive
end

!-- Let's verify:
R1#debug ppp negotiation
PPP protocol negotiation debugging is on
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int ser 1/0
R1(config-if)#shutdown

*Jan 29 22:11:43.979: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down

R1(config-if)#no shutdown
*Jan 29 22:11:53.547: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
*Jan 29 22:11:53.559: Se1/0 PPP: Using default call direction
*Jan 29 22:11:53.559: Se1/0 PPP: Treating connection as a dedicated line
*Jan 29 22:11:53.559: Se1/0 PPP: Session handle[EB000025] Session id[221]
*Jan 29 22:11:53.559: Se1/0 PPP: Phase is ESTABLISHING, Active Open
*Jan 29 22:11:53.559: Se1/0 LCP: O CONFREQ [Closed] id 6 len 15
*Jan 29 22:11:53.559: Se1/0 LCP: AuthProto CHAP (0x0305C22305)
*Jan 29 22:11:53.563: Se1/0 LCP: MagicNumber 0x015AA11C (0x0506015AA11C)
*Jan 29 22:11:53.567: Se1/0 LCP: I CONFREQ [REQsent] id 176 len 10
*Jan 29 22:11:53.571: Se1/0 LCP: MagicNumber 0x005A535F (0x0506005A535F)
*Jan 29 22:11:53.575: Se1/0 LCP: O CONFACK [REQsent] id 176 len 10
*Jan 29 22:11:53.575: Se1/0 LCP: MagicNumber 0x005A535F (0x0506005A535F)
*Jan 29 22:11:53.575: Se1/0 LCP: State is Open
*Jan 29 22:11:53.575: Se1/0 PPP: Phase is AUTHENTICATING, by this end
*Jan 29 22:11:53.575: Se1/0 CHAP: O CHALLENGE id 5 len 23 from "R1"
*Jan 29 22:11:53.575: Se1/0 LCP: I CONFACK [Open] id 6 len 15
*Jan 29 22:11:53.575: Se1/0 LCP: AuthProto CHAP (0x0305C22305)
*Jan 29 22:11:53.575: Se1/0 LCP: MagicNumber 0x015AA11C (0x0506015AA11C)
*Jan 29 22:11:53.595: Se1/0 CHAP: I RESPONSE id 5 len 23 from "R0"
*Jan 29 22:11:53.599: Se1/0 PPP: Phase is FORWARDING, Attempting Forward
*Jan 29 22:11:53.611: Se1/0 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Jan 29 22:11:53.631: Se1/0 PPP: Phase is FORWARDING, Attempting Forward
*Jan 29 22:11:53.631: Se1/0 PPP: Phase is AUTHENTICATING, Authenticated User
*Jan 29 22:11:53.635: Se1/0 CHAP: O SUCCESS id 5 len 4
*Jan 29 22:11:53.635: Se1/0 PPP: Phase is UP
*Jan 29 22:11:53.635: Se1/0 IPCP: O CONFREQ [Closed] id 1 len 10
*Jan 29 22:11:53.639: Se1/0 IPCP: Address 0.0.0.0 (0x030600000000)
*Jan 29 22:11:53.639: Se1/0 PPP: Process pending ncp packets
*Jan 29 22:11:53.639: Se1/0 CDPCP: O CONFREQ [Closed] id 1 len 4
*Jan 29 22:11:53.643: Se1/0 IPCP: I CONFREQ [REQsent] id 1 len 10
*Jan 29 22:11:53.647: Se1/0 IPCP: Address 10.10.0.1 (0x03060A0A0001)
*Jan 29 22:11:53.651: Se1/0 AAA/AUTHOR/IPCP: Start. Her address 10.10.0.1, we want 0.0.0.0
*Jan 29 22:11:53.651: Se1/0 CDPCP: I CONFREQ [REQsent] id 1 len 4
*Jan 29 22:11:53.651: Se1/0 CDPCP: O CONFACK [REQsent] id 1 len 4
*Jan 29 22:11:53.651: Se1/0 AAA/AUTHOR/IPCP: Reject 10.10.0.1, using 0.0.0.0
*Jan 29 22:11:53.651: Se1/0 AAA/AUTHOR/IPCP: Done. Her address 10.10.0.1, we want 0.0.0.0
*Jan 29 22:11:53.651: Se1/0 IPCP: O CONFACK [REQsent] id 1 len 10
*Jan 29 22:11:53.651: Se1/0 IPCP: Address 10.10.0.1 (0x03060A0A0001)
*Jan 29 22:11:53.659: Se1/0 IPCP: I CONFNAK [ACKsent] id 1 len 10
*Jan 29 22:11:53.659: Se1/0 IPCP: Address 10.10.0.2 (0x03060A0A0002)
*Jan 29 22:11:53.659: Se1/0 IPCP: O CONFREQ [ACKsent] id 2 len 10
*Jan 29 22:11:53.659: Se1/0 IPCP: Address 10.10.0.2 (0x03060A0A0002)
*Jan 29 22:11:53.659: Se1/0 IPCP: I CONFACK [ACKsent] id 2 len 10
*Jan 29 22:11:53.659: Se1/0 IPCP: Address 10.10.0.2 (0x03060A0A0002)
*Jan 29 22:11:53.659: Se1/0 IPCP: State is Open
*Jan 29 22:11:53.659: Se1/0 CDPCP: I CONFACK [ACKsent] id 1 len 4
*Jan 29 22:11:53.659: Se1/0 CDPCP: State is Open
*Jan 29 22:11:53.659: Se1/0 IPCP: Install negotiated IP interface address 10.10.0.2
*Jan 29 22:11:53.683: Se1/0 IPCP: I CONFREQ [Open] id 2 len 10
*Jan 29 22:11:53.687: Se1/0 IPCP: Address 10.10.0.1 (0x03060A0A0001)
*Jan 29 22:11:53.691: Se1/0 AAA/AUTHOR/IPCP: Start. Her address 10.10.0.1, we want 10.10.0.1
*Jan 29 22:11:53.703: Se1/0 IPCP: Remove route to 10.10.0.1
*Jan 29 22:11:53.703: Se1/0 AAA/AUTHOR/IPCP: Reject 10.10.0.1, using 10.10.0.1
*Jan 29 22:11:53.703: Se1/0 AAA/AUTHOR/IPCP: Done. Her address 10.10.0.1, we want 10.10.0.1
*Jan 29 22:11:53.703: Se1/0 IPCP: O CONFREQ [Open] id 3 len 10
*Jan 29 22:11:53.703: Se1/0 IPCP: Address 0.0.0.0 (0x030600000000)
*Jan 29 22:11:53.703: Se1/0 IPCP: O CONFACK [Open] id 2 len 10
*Jan 29 22:11:53.703: Se1/0 IPCP: Address 10.10.0.1 (0x03060A0A0001)
*Jan 29 22:11:53.711: Se1/0 IPCP: I CONFNAK [ACKsent] id 3 len 10
*Jan 29 22:11:53.715: Se1/0 IPCP: Address 10.10.0.2 (0x03060A0A0002)
*Jan 29 22:11:53.719: Se1/0 IPCP: O CONFREQ [ACKsent] id 4 len 10
*Jan 29 22:11:53.719: Se1/0 IPCP: Address 10.10.0.2 (0x03060A0A0002)
*Jan 29 22:11:53.727: Se1/0 IPCP: I CONFACK [ACKsent] id 4 len 10
*Jan 29 22:11:53.727: Se1/0 IPCP: Address 10.10.0.2 (0x03060A0A0002)
*Jan 29 22:11:53.727: Se1/0 IPCP: State is Open
*Jan 29 22:11:53.727: Se1/0 IPCP: Install negotiated IP interface address 10.10.0.2
*Jan 29 22:11:54.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
R1(config-if)#

The authentication phase begins immediately after LCP, then comes the turn of IPCP, so the IP address is obtained only if authentication succeeds.

Well, enough PPP for today. This weekend and next week I'll play with EIGRP, so stay tuned, always :-)

Marco

Sunday, January 24, 2010

RIPv2 route filtering

Hi all,
this weekend I'm studying RIPv2.
With RIPv2 there are several methods to filter routes received and advertised to other neighbors.
Here is a brief explanation of the different ways. I have considered as filters all the tricks that allow us to control how prefixes are installed in the routing tables, including:

-Filtering using passive interface
-Filtering using prefix-lists
-Filtering using Standard access-lists
-Filtering using Extended access-lists
-Filtering using Administrative Distance
-Filtering using Offset Lists

The topology I used to test all those features is simple:



Here is the .net file I used on Dynagen ;-) and the initial configs:



############## rip.net file ###############
[10.3.3.2:7200]
udp = 10000
workingdir = /tmp
[[7200]]
image = /opt/c7200-adventerprisek9-mz.124-11.T.bin
npe = npe-400
ram = 160
[[ROUTER R1]]
console = 20001
s1/0 = R2 s1/0
[[ROUTER R2]]
console = 20002
s1/1 = R3 s1/1

[10.3.3.2:7201]
udp = 15000
workingdir = /tmp
[[7200]]
image = /opt/c7200-adventerprisek9-mz.124-11.T.bin
npe = npe-400
ram = 160
[[ROUTER R3]]
console = 20003
################## end rip.net file ######################

!--- R1 initial config
hostname R1

no ip domain-look
line con 0
logging sync
no exec-tim

int ser 1/0
desc R1 <-> R2
ip address 10.12.12.1 255.255.255.192
no shut

int lo 0
ip address 192.168.1.1 255.255.255.0
exit

router rip
version 2
network 10.0.0.0
network 192.168.1.0
no auto-summary
!--- END R1 initial config

!--- R2 initial config
hostname R2

no ip domain-look
line con 0
logging sync
no exec-tim

int ser 1/0
desc R1 <-> R2
ip address 10.12.12.2 255.255.255.192
no shut

int ser 1/1
desc R2 <-> R3
ip address 10.23.23.2 255.255.255.192
no shut

int lo 0
ip address 192.168.2.1 255.255.255.0
exit

router rip
version 2
network 10.0.0.0
network 192.168.2.0
no auto-summary
!--- END R2 initial config

!--- R3 initial config
hostname R3

no ip domain-look
line con 0
logging sync
no exec-tim

int ser 1/1
desc R3 <-> R2
ip address 10.23.23.3 255.255.255.192
no shut

int lo 0
ip address 192.168.3.1 255.255.255.0

router rip
version 2
network 10.0.0.0
network 192.168.3.0
no auto-summary
!--- END R3 initial config



PASSIVE INTERFACE:
In RIP and RIPv2 the passive interface behaves differently than in the other routing protocols. With OSPF and EIGRP, a passive interface doesn't send hellos and doesn't form any type of adjacency with neighbors.
RIP doesn't form a two-way neighbor relationship, so the passive interface tells the RIP process something like "don't send updates out this interface", but doesn't prevent it from receiving and processing updates.
In our topology, if you want to prevent R2 from receiving R1's Lo0 route, simply configure R1 Serial1/0 as a passive interface. R1 will receive and install updates, but won't send anything out Ser 1/0.
R1#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/26 is subnetted, 2 subnets
R 10.23.23.0 [120/1] via 10.12.12.2, 00:00:09, Serial1/0
C 10.12.12.0 is directly connected, Serial1/0
C 192.168.1.0/24 is directly connected, Loopback0
R 192.168.2.0/24 [120/1] via 10.12.12.2, 00:00:09, Serial1/0
R 192.168.3.0/24 [120/2] via 10.12.12.2, 00:00:09, Serial1/0
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router rip
R1(config-router)#passive-int ser 1/0
R1(config-router)#end

R1#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/26 is subnetted, 2 subnets
R 10.23.23.0 [120/1] via 10.12.12.2, 00:00:06, Serial1/0
C 10.12.12.0 is directly connected, Serial1/0
C 192.168.1.0/24 is directly connected, Loopback0
R 192.168.2.0/24 [120/1] via 10.12.12.2, 00:00:06, Serial1/0
R 192.168.3.0/24 [120/2] via 10.12.12.2, 00:00:06, Serial1/0
R1#

R1 still has all the routes, so it is processing the received updates, but R2, after a little while...

R2#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/26 is subnetted, 2 subnets
C 10.23.23.0 is directly connected, Serial1/1
C 10.12.12.0 is directly connected, Serial1/0
C 192.168.2.0/24 is directly connected, Loopback0
R 192.168.3.0/24 [120/1] via 10.23.23.3, 00:00:04, Serial1/1
R2#

It doesn't have the R1 Loopback0...
This is a drastic way to do route filtering... but it works ;-)

PREFIX LISTS:
Let's remove the previous configuration and try to do filtering using a prefix-list. Remember that RIP uses prefix-lists and access-lists to filter the received or sent updates, under the router rip process.
So, the first place to go is the RIP process, using a question mark just to look around:

R1(config)#router rip
R1(config-router)#distribute-list ?
<1-199> IP access list number
<1300-2699> IP expanded access list number
WORD Access-list name
gateway Filtering incoming updates based on gateway
prefix Filter prefixes in routing updates

If we want to use a prefix-list, we have to use the word "prefix" before the prefix-list name, or it will be considered as a named access-list (that's my usual mistake).
Well, let's prepare the prefix-list; maybe we don't want to receive the 192.168.3.0/24 prefix on R1:

R1(config)#ip prefix-list no-R3-lo0 deny 192.168.3.0/24 !---deny the unwanted prefixes
R1(config)#ip prefix-list no-R3-lo0 permit 0.0.0.0/0 le 32 !---permit all the remaining
R1(config)#router rip
R1(config-router)#distribute-list prefix no-R3-lo0 in !--- this is too general...
R1(config-router)#distribute-list prefix no-R3-lo0 in ?
Async Async interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Lex Lex interface
Loopback Loopback interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
Port-channel Ethernet Channel of interfaces
Serial Serial
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-PPP Virtual PPP interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
XTagATM Extended Tag ATM interface


R1(config-router)#distribute-list prefix no-R3-lo0 in serial 1/0
R1(config-router)#end

R1#sh ip proto
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is (prefix-list) no-R3-lo0
Serial1/0 filtered by (prefix-list) no-R3-lo0
Sending updates every 30 seconds, next due in 22 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
Serial1/0 2 2
Loopback0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
10.12.12.2 120 00:00:05
Distance: (default is 120)

!-- after a little while (holddown) or after a clear ip route *
R1#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/26 is subnetted, 2 subnets
R 10.23.23.0 [120/1] via 10.12.12.2, 00:00:13, Serial1/0
C 10.12.12.0 is directly connected, Serial1/0
C 192.168.1.0/24 is directly connected, Loopback0
R 192.168.2.0/24 [120/1] via 10.12.12.2, 00:00:13, Serial1/0
R1#

So here we have filtered only the updates received from Ser1/0 with our prefix-list, that's pretty clean ;-)
Here the logic is "DENY the unwanted prefixes".

STANDARD ACCESS-LISTS:
We can achieve the previous goal with standard access-lists too, with some small differences:
R1#sh run | sec access-list
access-list 1 deny 192.168.3.0 0.0.0.255
access-list 1 permit any

R1#sh run | sec router
router rip
version 2
network 10.0.0.0
network 192.168.1.0
distribute-list 1 in
no auto-summary

R1#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/26 is subnetted, 2 subnets
R 10.23.23.0 [120/1] via 10.12.12.2, 00:00:04, Serial1/0
C 10.12.12.0 is directly connected, Serial1/0
C 192.168.1.0/24 is directly connected, Loopback0
R 192.168.2.0/24 [120/1] via 10.12.12.2, 00:00:04, Serial1/0
R1#sh ip proto
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is 1
Sending updates every 30 seconds, next due in 23 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
Serial1/0 2 2
Loopback0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
10.12.12.2 120 00:00:09
Distance: (default is 120)

Here we used a standard access-list; again the logic is "DENY unwanted prefixes", and here we have to remember to put a permit any as the last statement.
The "classic" use of access-lists is to filter odd/even prefixes ;-) we will talk about it in more depth this week.

EXTENDED ACCESS-LISTS

If we try to use extended access-lists, the logic is a little bit different: the "source" in the access-list is the ip of the advertising router, the "destination" is the prefix to permit or deny.
So let's try to configure an extended access-list on R3 to permit 192.168.1.0/24 only from R2:

R3#sh run | sec access-list
access-list 101 permit ip host 10.23.23.2 192.168.1.0 0.0.0.255

R3#sh run | sec router
router rip
version 2
network 10.0.0.0
network 192.168.3.0
distribute-list 101 in
no auto-summary

R3#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/26 is subnetted, 1 subnets
C 10.23.23.0 is directly connected, Serial1/1
R 192.168.1.0/24 [120/2] via 10.23.23.2, 00:00:17, Serial1/1
C 192.168.3.0/24 is directly connected, Loopback0
R3#sh ip protocols
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is 101
Sending updates every 30 seconds, next due in 28 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
Serial1/1 2 2
Loopback0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
192.168.3.0
Routing Information Sources:
Gateway Distance Last Update
10.23.23.2 120 00:00:22
Distance: (default is 120)

R3#

Ok it worked, here we don't have multiple sources for the same prefix, so we can't appreciate the difference between standard and extended access-lists for filtering.
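The three distribute-list variants above match on different things. The model below is an added example, not part of the original post: it evaluates the prefix-list, access-list 1 and access-list 101 from this page against RIP updates. The R1 update is the one shown in the debug ip rip output on this page; the R3 update and the second gateway 10.23.23.9 are constructed for the illustration.

```python
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard compare: bits set in the wildcard are 'don't care'."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def standard_acl(entries, route):
    """entries: (action, base, wildcard). Looks at the network address only."""
    net = str(ipaddress.ip_network(route).network_address)
    for action, base, wildcard in entries:
        if wildcard_match(net, base, wildcard):
            return action == "permit"
    return False  # implicit deny at the end of every access-list


def extended_acl(entries, gateway, route):
    """entries: (action, src, src_wc, dst, dst_wc).
    Source = advertising router, destination = advertised network."""
    net = str(ipaddress.ip_network(route).network_address)
    for action, src, src_wc, dst, dst_wc in entries:
        if wildcard_match(gateway, src, src_wc) and wildcard_match(net, dst, dst_wc):
            return action == "permit"
    return False


def prefix_list(entries, route):
    """entries: (action, prefix, ge, le). Matches network AND prefix length."""
    net = ipaddress.ip_network(route)
    for action, prefix, ge, le in entries:
        p = ipaddress.ip_network(prefix)
        lo = ge if ge is not None else p.prefixlen
        hi = le if le is not None else (32 if ge is not None else p.prefixlen)
        if net.subnet_of(p) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False  # implicit deny


def accepted(check, routes):
    return [r for r in routes if check(r)]


# Filters exactly as configured on this page.
NO_R3_LO0 = [("deny", "192.168.3.0/24", None, None),
             ("permit", "0.0.0.0/0", None, 32)]
ACL_1 = [("deny", "192.168.3.0", "0.0.0.255"),
         ("permit", "0.0.0.0", "255.255.255.255")]           # permit any
ACL_101 = [("permit", "10.23.23.2", "0.0.0.0",                # host 10.23.23.2
            "192.168.1.0", "0.0.0.255")]

# Update R1 receives from 10.12.12.2 (from the debug ip rip output).
R1_UPDATE = ["10.23.23.0/26", "192.168.2.0/24", "192.168.3.0/24"]
# Constructed: what R2 would send to R3 in this topology.
R3_UPDATE = ["10.12.12.0/26", "192.168.1.0/24", "192.168.2.0/24"]

if __name__ == "__main__":
    print(accepted(lambda r: prefix_list(NO_R3_LO0, r), R1_UPDATE))
    print(accepted(lambda r: standard_acl(ACL_1, r), R1_UPDATE))
    print(accepted(lambda r: extended_acl(ACL_101, "10.23.23.2", r), R3_UPDATE))
    # Hypothetical second router on the link: same prefix, different source.
    print(accepted(lambda r: extended_acl(ACL_101, "10.23.23.9", r), R3_UPDATE))
    # The standard ACL cannot see prefix lengths; the prefix-list can.
    print(standard_acl(ACL_1, "192.168.3.128/25"),
          prefix_list(NO_R3_LO0, "192.168.3.128/25"))
```

The last line shows one of the "small differences": access-list 1 also drops a longer prefix inside 192.168.3.0/24, while the prefix-list entry without ge/le denies only the exact /24.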


OFFSET LISTS:
Another way to avoid the installation of prefixes in the routing table is playing with offset-lists, that is, applying an inaccessible metric to our unwanted prefixes (remember, inaccessible means 16 hops away for RIP).
So let's try to filter out the 192.168.3.0/24 prefix on R1 without using distribute lists and without touching the R1 config.... woops, tricky one...


R2#sh run | sec access-list
access-list 1 permit 192.168.3.0 0.0.0.255
R2#sh run | sec router
router rip
version 2
offset-list 1 out 16 Serial1/0
network 10.0.0.0
network 192.168.2.0
no auto-summary
R2#sh ip proto
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Outgoing routes in Serial1/0 will have 16 added to metric if on list 1
Sending updates every 30 seconds, next due in 22 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
Serial1/0 2 2
Serial1/1 2 2
Loopback0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
192.168.2.0
Routing Information Sources:
Gateway Distance Last Update
10.23.23.3 120 00:00:19
10.12.12.1 120 00:00:01
Distance: (default is 120)

!--- check on R1
R1#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/26 is subnetted, 2 subnets
R 10.23.23.0 [120/1] via 10.12.12.2, 00:00:13, Serial1/0
C 10.12.12.0 is directly connected, Serial1/0
C 192.168.1.0/24 is directly connected, Loopback0
R 192.168.2.0/24 [120/1] via 10.12.12.2, 00:00:13, Serial1/0

R1#debug ip rip
RIP protocol debugging is on
R1#
*Jan 25 12:38:21.347: RIP: received v2 update from 10.12.12.2 on Serial1/0
*Jan 25 12:38:21.351: 10.23.23.0/26 via 0.0.0.0 in 1 hops
*Jan 25 12:38:21.355: 192.168.2.0/24 via 0.0.0.0 in 1 hops
*Jan 25 12:38:21.359: 192.168.3.0/24 via 0.0.0.0 in 16 hops (inaccessible)

ok it worked, R1 has received the correct update and isn't installing the 192.168.3.0/24 prefix because it's marked as inaccessible.

ADMINISTRATIVE DISTANCE:

Administrative distance can be used to filter out routes too: setting the AD to 255 prevents a prefix from being installed in the routing table. Also keep in mind that RIP doesn't advertise prefixes that aren't in the routing table...
Let's try it on our R1, e.g. filtering out the 192.168.3.0/24 prefix.


R1#sh run | sec access-list
access-list 1 permit 192.168.3.0 0.0.0.255

R1#sh run | sec router
router rip
version 2
passive-interface default
network 10.0.0.0
network 192.168.1.0
distance 255 0.0.0.0 255.255.255.255 1
no auto-summary

R1#debug ip rip
RIP protocol debugging is on
R1#
*Jan 25 16:24:23.131: RIP: received v2 update from 10.12.12.2 on Serial1/0
*Jan 25 16:24:23.131: 10.23.23.0/26 via 0.0.0.0 in 1 hops
*Jan 25 16:24:23.135: 192.168.2.0/24 via 0.0.0.0 in 1 hops
*Jan 25 16:24:23.139: 192.168.3.0/24 via 0.0.0.0 in 2 hops

R1#sh ip proto
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 4 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
Serial1/0 2 2
Loopback0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
10.12.12.2 255 00:00:03
Distance: (default is 120)
Address Wild mask Distance List
0.0.0.0 255.255.255.255 255 1

R1#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/26 is subnetted, 2 subnets
R 10.23.23.0 [120/1] via 10.12.12.2, 00:00:20, Serial1/0
C 10.12.12.0 is directly connected, Serial1/0
C 192.168.1.0/24 is directly connected, Loopback0
R 192.168.2.0/24 [120/1] via 10.12.12.2, 00:00:20, Serial1/0

R1#sh ip rip database 192.168.3.0 255.255.255.0
%Route not in database
R1#sh ip rip database 192.168.2.0 255.255.255.0
192.168.2.0/24
[1] via 10.12.12.2, 00:00:16, Serial1/0
R1#

Note: when you use the "distance" command under the RIP process, you have to specify the source of the prefix to filter and a standard or extended ACL for the prefixes.
So the "distance 255 0.0.0.0 255.255.255.255 1" means:
distance 255 <- set the route as unreachable/out of the maximum admin distance
0.0.0.0 255.255.255.255 <- is the route source, here means "any source"
1 <- is the acl number (or you can use named acls...)
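
Added example (not part of the original post): a small Python model of the two techniques above, the offset-list on the sender and "distance 255" on the receiver, applied to the same update. The function names and the simplified install logic are assumptions; the prefixes, ACL and metrics are the ones shown in the outputs above.

```python
import ipaddress
import re

RIP_INFINITY = 16   # RIP metric that means "inaccessible"
AD_UNUSABLE = 255   # administrative distance that is never installed

# Constructed sample: the update R2 sends when no offset-list is applied.
SAMPLE_DEBUG = """
RIP: received v2 update from 10.12.12.2 on Serial1/0
     10.23.23.0/26 via 0.0.0.0 in 1 hops
     192.168.2.0/24 via 0.0.0.0 in 1 hops
     192.168.3.0/24 via 0.0.0.0 in 2 hops
"""
ACL_1 = [("192.168.3.0", "0.0.0.255")]  # access-list 1 permit 192.168.3.0 0.0.0.255

def parse_debug(text):
    """Extract {prefix: hop count} from 'debug ip rip' style lines."""
    pattern = r"(\d+\.\d+\.\d+\.\d+/\d+) via \S+ in (\d+) hops"
    return {m[1]: int(m[2]) for m in re.finditer(pattern, text)}

def acl_permits(address, acl):
    """Standard ACL check: wildcard bits set to 1 are ignored; implicit deny."""
    addr = int(ipaddress.ip_address(address))
    for base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return True
    return False

def apply_offset(routes, acl, offset):
    """Sender side: add the offset to permitted prefixes, capped at 16."""
    return {p: min(m + offset, RIP_INFINITY) if acl_permits(p.split("/")[0], acl) else m
            for p, m in routes.items()}

def install(update, source, distance_rules=(), default_ad=120):
    """Receiver side: return {prefix: (AD, metric)} for routes that get installed."""
    rib = {}
    for prefix, metric in update.items():
        hits = [ad for ad, src, wild, acl in distance_rules
                if acl_permits(source, [(src, wild)]) and acl_permits(prefix.split("/")[0], acl)]
        ad = hits[0] if hits else default_ad
        if metric < RIP_INFINITY and ad < AD_UNUSABLE:
            rib[prefix] = (ad, metric)
    return rib

if __name__ == "__main__":
    plain = parse_debug(SAMPLE_DEBUG)
    print("offset-list :", install(apply_offset(plain, ACL_1, 16), "10.12.12.2"))
    print("distance 255:", install(plain, "10.12.12.2", [(255, "0.0.0.0", "255.255.255.255", ACL_1)]))
```

Both calls leave only 10.23.23.0/26 and 192.168.2.0/24 installed with [120/1], matching the two "sh ip route" outputs on R1.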


for the readers, here is an extra exercise (but no solution provided) ;-)



main goal here: without configuring filtering on R1 and R5, the traffic from R1 to R5 loopbacks and from R5 to R1 loopbacks must flow through R3 to reach Loopback3, through R2 to reach Lo2 and through R4 to reach Lo4.
If one of R2-3-4 fails, all loopbacks have to be reachable through an alternate path; it's acceptable that in normal conditions R2 uses suboptimal paths to reach the various Loopbacks.
Have Phun ;-)
Marco

Saturday, January 23, 2010

I'm alive

hi all,
a long time has passed since my last post, I'm still alive, doing a world famous exercise workbook.

Topics tested in the lab:
-Frame Relay
-Spanning Tree and switching in general
-RIP (hope I'll finish it this weekend)


As final lab of my RIP preparation, I'll do the great Narbik free RIP lab (as posted on GroupStudy.com)


This week I have also tested "live" the Junos SRX-650, it looks like a great firewall, I'll play on it (well, sometimes I get tired of the web interface... it's definitely too slow! I need to acquire more confidence with the junos cli...).

Marco

Monday, January 11, 2010

Frame Relay, last call

Hi all,

I realized that I have to speed up my lab preparation a lot to fit my calendarized intentions.... so here is one of the topologies that I built to play with FR.

No time to describe it too much, but just figure out what you can do with this one ;-)
You can do it with GNS3 or with physical routers, the main difficulty for me here was configuring the frame-relay switches correctly. I was puzzled for half a day looking for active/inactive dlcis ;-(


Topics studied but not well understood: -end to end keepalives on FR dlci or on FR interface... how to recover from a "DOWN"? shut/no shut of the interface doesn't appear smart... ;-)


Now I'll write a little less on my blog, and try to study a lot more!

Next topic: switching

Marco

Saturday, January 2, 2010

Frame Relay Part 3: interface types

Third part of my frame-relay tour, here we will talk about interface types.

Topology still unchanged from the previous parts, here the picture:



There are several interface types on frame-relay, depending on how you configure your serial interface and on what you want to achieve:

1) physical interface
2) subinterface multipoint
3) subinterface point-to-point

Let's talk about each type..

1) Physical interfaces
-are treated as multipoint
-all DLCIs declared by LMI are assigned to physical interfaces
From a L3 point of view, all the neighbors are expected in the same subnet and you can use a static L3 to L2 mapping or inverse arp, as previously seen.
Note also that by default, on frame-relay physical interfaces SPLIT HORIZON is disabled, which is useful to solve distance-vector routing protocol issues.

Example:
R4#sh run int ser 0/3/0 | beg int
interface Serial0/3/0
description R4 - (R1|R2) without intverse-arp
ip address 10.0.0.4 255.255.255.0
encapsulation frame-relay
frame-relay map ip 10.0.0.2 402 broadcast
frame-relay map ip 10.0.0.1 401 broadcast
no frame-relay inverse-arp
end

R4#sh frame-relay map
Serial0/3/0 (up): ip 10.0.0.1 dlci 401(0x191,0x6410), static,
broadcast,
CISCO, status defined, active
Serial0/3/0 (up): ip 10.0.0.2 dlci 402(0x192,0x6420), static,
broadcast,
CISCO, status defined, active

R4#show ip interface ser 0/3/0
Serial0/3/0 is up, line protocol is up
Internet address is 10.0.0.4/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is disabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled



Subinterfaces Multipoint
-DLCIs must be manually assigned to the subinterface if inverse arp is used
-ip/ipv6 must be manually mapped if inverse arp is disabled
With multipoint subinterfaces, split horizon is enabled by default, as shown in the following example:

R4#sh run int ser 0/3/0.1  | beg int
interface Serial0/3/0.1 multipoint
description R4 - (R1|R2) with inverse-arp
ip address 10.0.0.4 255.255.255.0
snmp trap link-status
frame-relay interface-dlci 401
frame-relay interface-dlci 402
end

R4#sh frame-relay pvc | inc DLCI
DLCI = 401, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/3/0.1
DLCI = 402, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/3/0.1
DLCI = 403, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial0/3/0

R4#sh ip interface serial 0/3/0.1
Serial0/3/0.1 is up, line protocol is up
Internet address is 10.0.0.4/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
R4#



Subinterfaces Point-to-point
-a single DLCI can be specified with the "frame-relay interface-dlci " command
-doesn't send out inverse-arp queries, but still responds to received inarp queries.
This type of interface assumes that the whole subnet is reachable through its single DLCI, so there is no need for L3 to L2 resolution, and it's nice to have Split Horizon enabled for distance-vector routing protocols (otherwise you may end up with routing l00ps)

Example:
R2#sh run | beg Serial0/2/0
interface Serial0/2/0:1
no ip address
encapsulation frame-relay
!
interface Serial0/2/0:1.1 point-to-point
description R2 - R4
ip address 10.0.0.2 255.255.255.0
snmp trap link-status
frame-relay interface-dlci 204
!
interface Serial0/2/0:1.2 point-to-point
description R2 - R3
ip address 10.0.1.2 255.255.255.0
snmp trap link-status
frame-relay interface-dlci 203

R2#sh frame-relay map
Serial0/2/0:1.2 (up): point-to-point dlci, dlci 203(0xCB,0x30B0), broadcast
status defined, active
Serial0/2/0:1.1 (up): point-to-point dlci, dlci 204(0xCC,0x30C0), broadcast
status defined, active

R2#sh ip interface ser 0/2/0:1.2
Serial0/2/0:1.2 is up, line protocol is up
Internet address is 10.0.1.2/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
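
Added example (not part of the original post): a simplified Python model of split horizon on a hub (R4) with two spokes (R1, R2), assuming the spokes have no PVC between them, to show what each interface type's default means for a distance-vector protocol. The loopback prefixes and function names are hypothetical.

```python
# Split-horizon defaults the post lists for each Frame Relay interface type.
SPLIT_HORIZON_DEFAULT = {"physical": False, "multipoint": True, "point-to-point": True}

def hub_updates(kind, spokes, hub_prefixes, split_horizon=None):
    """Return {spoke: prefixes the hub advertises towards that spoke}.

    spokes maps a spoke name to the prefix it advertises to the hub;
    hub_prefixes are the hub's own networks on other interfaces (e.g. loopbacks).
    """
    if split_horizon is None:
        split_horizon = SPLIT_HORIZON_DEFAULT[kind]
    # Point-to-point: one subinterface per spoke. Otherwise all spokes share one interface.
    iface = {s: (f"p2p-to-{s}" if kind == "point-to-point" else "shared") for s in spokes}
    learned_on = {p: None for p in hub_prefixes}  # None = not learned on a FR interface
    learned_on.update({prefix: iface[s] for s, prefix in spokes.items()})
    # Split horizon: never send a route out of the interface it was learned on.
    return {s: sorted(p for p, src in learned_on.items()
                      if not (split_horizon and src == iface[s]))
            for s in spokes}

def unreachable(updates, spokes):
    """Spoke prefixes that each spoke fails to learn from the hub."""
    return {s: sorted(p for o, p in spokes.items() if o != s and p not in updates[s])
            for s in spokes}

def echoed(updates, spokes):
    """Spokes that get their own prefix advertised back (the loop risk)."""
    return sorted(s for s, p in spokes.items() if p in updates[s])

# Hypothetical loopback prefixes; R4 is the hub, R1 and R2 the spokes.
SPOKES = {"R1": "192.168.1.0/24", "R2": "192.168.2.0/24"}
HUB = ["192.168.4.0/24"]

if __name__ == "__main__":
    for kind in SPLIT_HORIZON_DEFAULT:
        u = hub_updates(kind, SPOKES, HUB)
        print(kind, "| missing:", unreachable(u, SPOKES), "| echoed:", echoed(u, SPOKES))
```

With the defaults, the physical interface gives full reachability but echoes routes back, the multipoint subinterface hides the spokes' prefixes from each other, and point-to-point subinterfaces give full reachability with no echo.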


!-- END of part 3: next part will hopefully follow soon, with dirty tricks and routing examples