Building Cisco Remote Access Networks (BCRAN)
Version 2.1
Student Guide
Copyright 2004, Cisco Systems, Inc. All rights reserved.
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax
numbers are listed on the Cisco Web site at www.cisco.com/go/offices.
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica
Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR •
Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The
Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia •
Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan •
Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe
Copyright 2004 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Powered Network mark,
Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.;
Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and
Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork
Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems
logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack,
Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA,
the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing,
RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The
Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems,
Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of
the word partner does not imply a partnership relationship between Cisco and any other company. (0401R)
Table of Contents
Volume 1
Course Introduction
Overview
Outline
Course Objectives
Course Activities
Cisco Certifications
Learner Skills and Knowledge
Learner Responsibilities
General Administration
Course Flow Diagram
Icons and Symbols
Learner Introductions
WAN Technologies and Components
Overview
Objectives
Outline
Defining WAN Connection Types
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
WAN Connection Characteristics
Common WAN Connection Types
Dedicated Circuit-Switched Connections
On-Demand Circuit-Switched Connections
ISDN Connections
Packet-Switched Virtual Connections
Broadband Access
Summary
Quiz
Quiz Answer Key
Defining WAN Encapsulation Protocols
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
WAN Encapsulation Protocols
PPP Encapsulation
Frame Relay Encapsulations
Summary
Quiz
Quiz Answer Key
Determining the WAN Type to Use
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
WAN Connection Types
WAN Connection Speed Comparison
WAN Connection Summary
Site Requirements
Central Site Considerations
Central Site Router Equipment
Branch Office Considerations
Branch Office Router Equipment
SOHO Site Considerations
SOHO Site Router Equipment
Summary
Quiz
Quiz Answer Key
Selecting Cisco Products for Remote Connections
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Cisco Remote Access Solutions
Interfaces: Fixed Interface
Interfaces: Modular Interface
Network Cabling and Assembly
Verification of Network Installation
Verification of Branch Office Installation
Verification of SOHO Installation
Products with Cisco Product Selection Tools
Summary
Quiz
Next Steps
Quiz Answer Key
Supporting Asynchronous Modems
Overview
Objectives
Outline
Connecting and Operating Modems
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Modem Connections and Operation
The DTE-DCE Interface
Modem Signaling—Data
Modem Signaling—Control
Modem Control Example
Modem Operation
DTE-to-DTE Wiring
RJ-45 Wiring and Cables
Working Connections
Error Control and Data Compression Standards
Modem Modulation and Standards
Modem Speed and Compression
Theoretical Speeds
Summary
Quiz
Quiz Answer Key
Configuring Modems
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Modem Connections
EXEC Connection Commands
Sample Output for the show line Command
Line Types and Numbering
Interface Asynchronous and Line Configuration
Basic Modem Configuration
Standard Modem Commands
Nonstandard Modem Commands
Modem Initialization Strings
Summary
Quiz
Quiz Answer Key
Autoconfiguring Modems
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Modem Autoconfiguration
Automatic Modem Configuration
Modem Autodiscovery
Modem Autoconfiguration: Configuring
Modem Autodiscovery: Configuring
Known Modem Initialization String
Modemcap Database
Modemcap Database Management
Modemcap Entries: Viewing
Custom Modemcap Entry: Creating and Editing
Custom Modemcap Entry: Viewing
Summary
Quiz
Quiz Answer Key
Verifying and Debugging Modem Autoconfiguration
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Verification of Modem Autoconfiguration Operation
Modem Autoconfiguration Troubleshooting
Chat Scripts for Asynchronous Lines
Summary
Quiz
Next Steps
Quiz Answer Key
Configuring PPP Features
Overview
Objectives
Outline
Describing PPP Features
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Remote Node Connections
PPP Architecture
HDLC and PPP Frames
Summary
Quiz
Quiz Answer Key
Configuring Basic PPP
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
PPP: Enabling
PPP Session and EXEC Session
PPP and Asynchronous Interface: Enabling Commands
Autoselect
Asynchronous Interface Commands for Addressing
Summary
Quiz
Quiz Answer Key
Configuring LCP Options: Authentication with PAP and CHAP
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
PPP Authentication
PPP Using PAP Authentication
PAP Configuration Example
PPP Using CHAP Authentication
CHAP Configuration Example
CHAP and PAP Configuration Authentication
Summary
Quiz
Quiz Answer Key
Configuring LCP Options: Callback and Compression
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
PPP Callback Overview
Asynchronous Callback Operation Flowchart
PPP Callback Operation
Asynchronous Callback Line and Interface Commands
PPP Callback Client Configuration
PPP Callback Server Configuration
Compression and PPP
Compression Configuration
Compression Verification
Interpreting the show compress Command Output
Uncompressed Bytes
Throughput Ratio
Buffer Allocation
Bytes Transmitted
Bytes Received
Summary
Quiz
Quiz Answer Key
Configuring LCP Options: Multilink PPP
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Multilink PPP Overview
Multilink PPP Operation and Configuration
Multilink PPP Example
Summary
Quiz
Quiz Answer Key
Verifying and Debugging PPP
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
PPP Verification
show dialer Command Example
PPP Debugging
Multilink Verification
Summary
Quiz
Next Steps
Quiz Answer Key
Accessing Broadband
Overview
Objectives
Outline
Identifying Broadband Features
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Broadband Uses
Cable Options
DSL Options
Satellite Options
Wireless Options
Summary
Quiz
Quiz Answer Key
Addressing Broadband with NAT
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
NAT Overview
NAT Concepts and Terminology
NAT Operation
Inside Source Address Translation
Inside Global Address Overload
Dynamic NAT Configuration
Inside Global Address Overload Configuration
NAT Verification and Troubleshooting
NAT Troubleshooting
NAT Entry Clearing
Summary
Quiz
Quiz Answer Key
Describing Cable Technology
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Cable Features
Data over Cable
Cable System Functionality
Cable System Components
Hybrid Fiber-Coaxial Architecture
Digital Signals over RF Channels
Cable Technology Terms
Cable Technology: Putting It All Together
Process for Provisioning a Cable Modem
Configuration of a Router with a Cable Modem
Summary
Quiz
Quiz Answer Key
Defining DSL Technology
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
DSL Features
DSL Types
DSL Limitations
ADSL
ADSL and POTS Coexistence
ADSL Channels and Encoding
Data over ADSL: Bridging
Data over ADSL: PPPoE
Data over ADSL: PPPoA
Summary
Quiz
Quiz Answer Key
Configuring the CPE as the PPPoE Client
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Configuration of a Cisco 827 Router as the PPPoE Client
Configuration of PPPoE in a VPDN Group
Configuration of a PPPoE Client
Configuration of the PPPoE DSL Dialer Interface
Configuration of PAT
PAT Configuration Example
DHCP to Scale DSL
Configuration of a DHCP Server
Configuration of a Static Default Route
PPPoE Sample Configuration
Summary
Quiz
Quiz Answer Key
Configuring DSL with PPPoA
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Configuration of a PPPoA DSL Connection
DSL Modulation Configuration
Configuration of the DSL ATM Interface
Configuration of the DSL Dialer Interface
Configuration of PAT
PAT Configuration Example
DHCP to Scale DSL
Configuration of a Static Default Route
PPPoA Sample Configuration
Summary
Quiz
Quiz Answer Key
Troubleshooting DSL
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Layer Troubleshooting
Layer 1 Issues
Administratively Down State for an ATM Interface
Correct Power Supply
Correct DSL Operating Mode
Layer 2 Issues
Data Received from the ISP
Proper PPP Negotiation
Summary
Quiz
Next Steps
Quiz Answer Key
Table of Contents
Volume 2
Virtual Private Networks
Overview
Objectives
Outline
Identifying VPN Features
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
VPN Features and Advantages
Tunneling and Encryption
VPN Usage Scenarios
VPN Technologies
VPN Protocols
L2TP
GRE
IPSec
Selecting a VPN Technology
VPN and IPSec Terms
Summary
References
Quiz
Quiz Answer Key
Identifying Cisco IOS Cryptosystem Features
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Cryptosystem Overview
Symmetric Encryption
Asymmetric Encryption
Key Exchange—Diffie-Hellman
Hashing
Summary
Quiz
Quiz Answer Key
Identifying IPSec Technologies
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
IPSec
Tunnel vs. Transport Mode
Security Associations
Five Steps to IPSec
IPSec and IKE Relationship
IKE and IPSec Flowchart
Tasks to Configure IPSec
Summary
Quiz
Quiz Answer Key
Task 1: Preparing for IKE and IPSec
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
IKE Creation and IPSec Security Policy
Step 1: Determine IKE (IKE Phase 1) Policy
IKE Phase 1 Policy Parameters
Step 2: Determine IPSec (IKE Phase 2) Policy
IPSec Transforms Supported in Cisco IOS Software
IPSec Policy Example
IPSec Peers
Step 3: Check Current Configuration
Step 4: Ensure That the Network Works
Step 5: Ensure That Access Lists Are Compatible with IPSec
Summary
Quiz
Quiz Answer Key
Task 2: Configuring IKE
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
IKE Configuration
Step 1: Enable or Disable IKE
Step 2: Create IKE Policies
IKE Policy Creation with the crypto isakmp Command
IKE Policy Negotiation
Step 3: Configure ISAKMP Identity
Step 4: Configure Preshared Keys
Step 5: Verify IKE Configuration
Summary
Quiz
Quiz Answer Key
Task 3: Configuring IPSec
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
IPSec Configuration
Step 1: Configure Transform Set Suites
Edit Transform Sets
Set Negotiation Transformation
Step 2: Configure Global IPSec Security Association Lifetimes
Crypto Access Lists Functionality
Step 3: Create Crypto ACLs Using Extended Access Lists
Symmetric Peer Crypto Access Lists Configuration
Crypto Maps Functionality
Crypto Map Parameters
Step 4: Configure IPSec Crypto Maps
Crypto Map Commands Example
Step 5: Apply Crypto Maps to Interfaces
IPSec Configuration Examples
Summary
Quiz
Quiz Answer Key
Task 4: Testing and Verifying IPSec
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Task 4: Test and Verify IPSec
The show crypto isakmp policy Command
The show crypto ipsec transform-set Command
The show crypto ipsec sa Command
The show crypto map Command
The clear Commands
The debug crypto Commands
Crypto System Error Messages for ISAKMP
Summary
Quiz
Next Steps
Quiz Answer Key
Using ISDN and DDR to Enhance Remote Connectivity
Overview
Objectives
Outline
Configuring ISDN BRI
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
ISDN Services
ISDN Protocols
ISDN Protocol Layers
ISDN Configuration Tasks
ISDN Configuration Commands
ISDN Switch Types
Interface Protocol Settings
SPID Setting If Necessary
Caller Identification Screening
Configuration of Caller ID Screening
Called-Party Number Verification
Rate Adaption
Summary
Quiz
Quiz Answer Key
Configuring ISDN PRI
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
ISDN Services
PRI Reference Points
Configuration Tasks for PRI
ISDN PRI Configuration
T1 and E1 Controller Parameters
Additional ISDN PRI Configuration Parameters
PRI Configuration Example
Summary
Quiz
Quiz Answer Key
Configuring DDR
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
DDR Operation
DDR and ISDN Usage
DDR Configuration Tasks
Interesting Traffic for DDR
Access Lists for DDR
Destination Parameters for DDR
Configuration of a Simple ISDN Call
Configuration Example: RouterA
Configuration Example: RouterB
Access List for DDR Example
Summary
Quiz
Quiz Answer Key
Verifying ISDN and DDR Configurations
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
ISDN BRI Monitoring
ISDN Layer 2 debug Commands
ISDN Layer 3 debug Commands
ISDN BRI D Channel Monitoring
ISDN BRI B Channel Monitoring
PPP on BRI Monitoring
DDR Configuration Test
Summary
Quiz
Next Steps
Quiz Answer Key
Using DDR Enhancements
Overview
Objectives
Outline
Describing the Dialer Profile
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Dialer Profile
Dialer Profile Features
Dialer Profile Elements
Dialer Map Classes
Summary
Quiz
Quiz Answer Key
Configuring Dialer Profiles
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Dialer Profile Configuration Concepts and Commands
Typical Dialer Profile Application
Configuration of Dialer Interfaces
Configuration of Physical Interfaces
Dialer Profiles Configuration Example
Summary
Quiz
Quiz Answer Key
Verifying and Troubleshooting a Dialer Profile Configuration
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Verification of Dialer Profiles
Outbound Dialing Issues
Outbound Binding Issues
Examples
Inbound Call Issues
Disconnect Issues
Summary
Quiz
Next Steps
Quiz Answer Key
Table of Contents
Volume 3
Configuring Frame Relay with Traffic Shaping
Overview
Objectives
Outline
Reviewing Frame Relay
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Frame Relay Overview
Frame Relay Operation
Frame Relay Signaling
Data-Link Connection Identifier
DLCI-to-Address Mappings
Local Management Interface
Summary
Quiz
Quiz Answer Key
Configuring Frame Relay
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Configuration of Basic Frame Relay
Dynamic Address Mapping
Configuration of Static Address Mapping
Different DLCIs at the Remote Routers
Hub-and-Spoke Topology
Spoke Router
Summary
Quiz
Quiz Answer Key
Verifying Frame Relay Configuration
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Verification of Frame Relay Operation
Summary
Quiz
Quiz Answer Key
Configuring Frame Relay Subinterfaces
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Reachability Issues with Routing Updates
Resolution of Reachability Issues
Subinterface Usages
Point-to-Point Subinterfaces
Multipoint Subinterfaces
Configuration of Subinterfaces
Subinterface Configuration Example
Summary
Quiz
Quiz Answer Key
Identifying Frame Relay Traffic Shaping Features
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Frame Relay Traffic Flow Terminology
Traffic Shaping Over Frame Relay
Summary
Quiz
Quiz Answer Key
Configuring Frame Relay Traffic Shaping
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Step 1: Configuration of FRTS
Step 2: Configuration of FRTS
Steps 3-5: Configuration of FRTS
Traffic-Shaping Rate Enforcement
Traffic-Shaping Rate Enforcement Configuration Example
Traffic-Shaping BECN Support Example
Traffic-Shaping BECN Support Configuration Example
Traffic-Shaping Example
Verification of FRTS
show traffic-shape Command
show traffic-shape statistics Command
Summary
Quiz
Next Steps
Quiz Answer Key
Implementing DDR Backup
Overview
Objectives
Outline
Configuring Dial Backup
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Dial Backup Overview
Dial Backup for High Primary Line Usage
Activation of Backup Interfaces for Primary Line Failures
Activation of Dial Backup
Dial Backup Activation Example
Configuration of Dial Backup for Excessive Traffic Load
Configuration Example of Dial Backup for Excessive Traffic Load
Backup Limitations with Physical Interfaces
Dial Backup with Dialer Profile
Configuration of a Backup Dialer Profile
Dialer Profile Backup Example
Summary
Quiz
Quiz Answer Key
Routing with the Load Backup Feature
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Load Sharing with OSPF and EIGRP
Verification of Dial Backup Configuration
Configuration of Floating Static Routes as Backup
Dialer Watch as Backup
Configuration of Dialer Watch
Summary
Quiz
Next Steps
Quiz Answer Key
Using QoS in Wide-Area Networks
Overview
Objectives
Outline
Identifying Quality of Service Models and Tools
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Quality of Service Defined
Converged Networks: Quality Issues
QoS Considerations
QoS Application Requirements
QoS Models
QoS Mechanisms
QoS Mechanisms and Remote Access
Congestion Avoidance: Random Early Detection
Congestion Avoidance: Weighted Random Early Detection
Effective Use of Traffic Prioritization
Queuing Overview
Establishing a Queuing Policy
Cisco IOS Queuing Options
Link Efficiency Usage
Summary
Quiz
Quiz Answer Key
Configuring Congestion Management
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
WFQ Operation
Configuring WFQ
WFQ Example
CBWFQ Operation
CBWFQ vs. Flow-Based WFQ
Step 1: Configuring CBWFQ
Step 2a: Configuring CBWFQ with Tail Drop
Step 2b: Configuring CBWFQ with WRED
Step 2c: Configuring CBWFQ Default Class (Optional)
Step 3: Configuring CBWFQ
CBWFQ Example
LLQ Operation
Configuring LLQ
Summary
Quiz
Quiz Answer Key
Verifying Congestion Management
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Verification of Queuing Operation
Queuing Comparison Summary
Summary
Quiz
Quiz Answer Key
Implementing Link Efficiency
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Compression Overview
Link Compression over a Point-to-Point Connection
Payload Compression Implementation
TCP/IP Header Compression
Microsoft Point-to-Point Compression
Other Compression Considerations
Data Compression
Summary
Quiz
Next Steps
Quiz Answer Key
Using AAA to Scale Access Control
Overview
Objectives
Outline
Identifying Cisco Access Control Solutions
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
Cisco Access Control Solutions Overview
Basic Security Devices and Router Security
Cisco Security Options Overview
Cisco Secure ACS Overview
Cisco Secure ACS Components
Cisco Secure ACS Administrator GUI Client
Summary
Quiz
Quiz Answer Key
Defining and Configuring AAA
Overview
Relevance
Objectives
Learner Skills and Knowledge
Outline
AAA Definitions
AAA Overview and Configuration
Router Access Modes
AAA Protocols
AAA and the Cisco Secure ACS
AAA Authentication Commands
Character Mode Login Example
AAA Authorization Commands
Character Mode with Authorization
Packet Mode Example
AAA Accounting Commands
AAA Accounting Example
Summary
Quiz
Next Steps
Quiz Answer Key
Course Glossary
Course Introduction
Overview
Building Cisco Remote Access Networks (BCRAN) v2.1 is an instructor-led course presented
by Cisco Systems training partners to end-user customers. This five-day course focuses on how
to use one or more of the available permanent or dialup WAN technologies to connect company
sites. In addition, network security and general security components are presented.
Outline
The Course Introduction includes these topics:
Course Objectives
Course Activities
Cisco Certifications
Learner Skills and Knowledge
Learner Responsibilities
General Administration
Course Flow Diagram
Icons and Symbols
Learner Introductions
Course Objectives
This topic lists the course objectives.
Course Objectives
Upon completing this course, you will be able to:
• Interconnect network devices used for WANs
• Build a functional configuration to support network requirements
• Verify the functionality of the network
• Determine network device operational status and performance
• Manage device configuration files
• Configure access lists to meet requirements
• Use show commands to display network operational performance
• Use debug commands to detect processes and anomalies
Upon completing this course, you will be able to meet these objectives:
Interconnect network devices as specified by a design and installation plan
Build a functional configuration to support specified network operational requirements
Verify the functionality of a network to ensure that it operates as specified
Verify network connectivity to non-Cisco devices
Accurately determine network device operational status and network performance using the command-line interface
Manage device configuration files to reduce device downtime according to best practices using Cisco IOS commands
Configure access lists to meet specified operational requirements using the command-line interface
Display network operational parameters using the appropriate show commands so that you can detect anomalies
Monitor network operational parameters using the appropriate debug commands so that you can detect anomalies
Course Activities
This topic discusses the enterprise WAN network that you will build in this course.
BCRAN Activity Network Topology (figure)
During the lab exercises in this course, you will build the network depicted in the figure. To
accomplish this task, you will practice the following:
Assembling and cabling WAN components
Supporting asynchronous modems
Configuring PPP features
Accessing broadband
Using Virtual Private Networks (VPNs) with IP Security (IPSec)
Using ISDN and dial-on-demand routing (DDR) to enhance remote connectivity
Using DDR enhancements
Configuring a Frame Relay connection with traffic shaping
Implementing DDR backup
Using quality of service (QoS) in WANs
Using authentication, authorization, and accounting (AAA) to scale access control
Cisco Certifications
This topic discusses Cisco career certifications and paths.
Cisco provides three levels of general career certifications for IT professionals with several
different tracks to meet individual needs. Cisco also provides focused Cisco Qualified
Specialist (CQS) certifications for designated areas such as cable communications, voice, and
security.
There are many paths to Cisco certification, but only one requirement—passing one or more
exams demonstrating knowledge and skill. For details, go to
http://www.cisco.com/go/certifications.
Learner Skills and Knowledge
This topic lists the course prerequisites.
Before attending the BCRAN course, you must have basic knowledge of data networking
equivalent to the information in the Introduction to Cisco Networking Technologies (INTRO)
course and the Interconnecting Cisco Network Devices (ICND) course. Experience working in
a network environment is recommended.
Learner Responsibilities
This topic discusses the responsibilities of the learners.
Learner Responsibilities
• Complete prerequisites
• Introduce yourself
• Ask questions
To take full advantage of the information presented in this course, you must have completed the
prerequisite requirements.
In class, you are expected to participate in all lesson exercises and assessments.
In addition, you are encouraged to ask any questions relevant to the course materials.
If you have pertinent information or questions concerning future Cisco product releases and
product features, please discuss these topics during breaks or after class. The instructor will
answer your questions or direct you to an appropriate information source.
General Administration
This topic lists the administrative issues for the course.
General Administration
Class-Related
• Sign-in sheet
• Length and times
• Course materials
• Attire
Facilities-Related
• Break and lunch room locations
• Site emergency procedures
• Rest rooms
• Telephones/faxes
The instructor will discuss these administrative issues:
Sign-in process
Starting and anticipated ending times of each class day
Class breaks and lunch facilities
Appropriate attire during class
Materials that you can expect to receive during class
What to do in the event of an emergency
Location of the rest rooms
How to send and receive telephone and fax messages
Course Flow Diagram
This topic covers the suggested flow of the course materials.
Course Flow Diagram
Day 1
AM: Course Introduction; Module 1: WAN Technologies and Components; Module 2: Supporting Asynchronous Modems
PM: Module 2: Supporting Asynchronous Modems (cont.); Module 3: Configuring PPP Features
Day 2
AM: Module 3: Configuring PPP Features (cont.); Module 4: Accessing Broadband
PM: Module 4: Accessing Broadband; Module 5: Virtual Private Networks
Day 3
AM: Module 5: Virtual Private Networks (cont.); Module 6: Using ISDN and DDR to Enhance Remote Connectivity
PM: Module 6: Using ISDN and DDR to Enhance Remote Connectivity (cont.); Module 7: Using DDR Enhancements
Day 4
AM: Module 7: Using DDR Enhancements (cont.); Module 8: Configuring Frame Relay with Traffic Shaping
PM: Module 8: Configuring Frame Relay with Traffic Shaping (cont.); Module 9: Implementing DDR Backup
Day 5
AM: Module 10: Using QoS in Wide-Area Networks
PM: Module 11: Using AAA to Scale Access Control; Super Lab
The schedule reflects the recommended structure for this course. This structure allows enough
time for the instructor to present the course information and for you to work through the lab
exercises. The exact timing of the subject materials and labs depends on the pace of your
specific class.
Icons and Symbols
This topic shows the Cisco icons and symbols used in this course.
Cisco Icons and Symbols
Learner Introductions
This is the point in the course where you introduce yourself.
Learner Introductions
• Your name
• Your company
• Skills and knowledge
• Brief history
• Objective
Prepare to share the following information:
Your name
Your company
If you have most or all of the prerequisite skills
A profile of your experience
What you would like to learn from this course
Module 1
WAN Technologies and Components
Overview
This module discusses various remote access technologies and considerations for an enterprise
that is building its corporate network. This module also addresses Cisco Systems product
selection information.
Objectives
Upon completing this module, you will be able to:
Explain the advantages and disadvantages of a variety of WAN connection types
Select the appropriate WAN connection types
Select Cisco equipment that will suit the specific needs of each site
Use Cisco tools to select the proper equipment
Outline
The module contains these lessons:
Defining WAN Connection Types
Defining WAN Encapsulation Protocols
Determining the WAN Type to Use
Selecting Cisco Products for Remote Connections
Defining WAN Connection Types
Overview
This lesson provides an overview of WAN connection types and explains some advantages and
disadvantages of each.
Relevance
It is important to understand how to select the appropriate WAN connection type that best
meets the needs and budget of the customer.
Objectives
Upon completing this lesson, you will be able to:
Describe the characteristics of WAN connections
Identify the types of WAN connections
Describe dedicated circuit-switched WAN connections
Describe on-demand circuit-switched WAN connections
Identify packet-switched WAN connections
Describe selected broadband access connections
Describe various DSL connections
Describe cable connections
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
WAN Connection Characteristics
Common WAN Connection Types
Dedicated Circuit-Switched Connections
On-Demand Circuit-Switched Connections
ISDN Connections
Packet-Switched Virtual Connections
Broadband Access
Summary
Quiz
WAN Connection Characteristics
This topic describes various WAN connection types.
WAN Connection Characteristics
Many significant WAN connection characteristics can be grouped into these categories:
Connection duration
— Dedicated: always on; cost typically related to bandwidth and distance
— On demand: connected on demand; cost related to time of usage, bandwidth, and distance
Switching
— Circuit-switched: end-to-end bandwidth allocation and control; provisioned permanently or on demand
— Packet-switched: asynchronous transport network; statistical bandwidth allocation in the transport network; cost typically related to the bandwidth guarantee and other quality of service (QoS) parameters
Synchronization mechanism
— External: clocking determined by a separate conductor in the media; thicker cable with more conductors per connection
— Embedded: clocking determined by bit times within the data stream; fewer conductors per connection
Data rate
— Narrowband: rates up to and including 128 kbps
— Broadband: data rates greater than the narrowband rate. The exact dividing line is more marketing than technology: greater than ISDN BRI and equal to or less than T1.
Termination
— End-to-end circuits: bit synchronization and data-link termination are managed at the ends of the circuit. Appearance of increased control. Service provider transparent.
— Transport network: the intermediate network terminates bit synchronization, and content is carried asynchronously across the transport network. Includes packet switching (Frame Relay and ATM) and broadband access technologies.
Transmission media
— Copper (cheaper for lower data rates and shorter distances): twisted pair, coaxial cable
— Fiber (more expensive, for high data rates and longer distances): multimode, single-mode
Common WAN Connection Types
This topic describes the more common types of WAN connections.
Common WAN Connection Types
• Dedicated Circuit-Switched
• On-Demand Circuit-Switched
• Packet-Switched Virtual Circuit
• Broadband Access
For the purposes of this discussion, WAN connections have been grouped into four general
categories that reflect generally available WAN services:
Dedicated circuit-switched
On-demand circuit-switched
Packet-switched virtual circuit
Broadband access
Dedicated Circuit-Switched Connections
This topic describes dedicated circuit-switched WAN connections.
Dedicated Circuit-Switched Connections
Leased-line serial connections typically connect to a transport service provider through a DCE
device, which provides clocking and transforms the signal to the channelized format that is
used in the service provider network. These point-to-point dedicated links provide a single,
preestablished WAN communications path from the customer premises, through a carrier
network, to a remote network. Dedicated lines through T3/E3 rates are frequently described as
leased lines. The established path is permanent and fixed for each remote network that is
reached through the carrier facilities. The service provider reserves the full-time private use of
the customer circuits through the transport network.
Synchronization of timing and data-link control is preserved end to end. These dedicated
connections are made using the synchronous serial ports on the router with bandwidth of up to
34 Mbps over a service provider E3 transport link and 45 Mbps over T3. Different
encapsulation methods at the data-link layer provide flexibility and reliability for user traffic.
Typical connections on a dedicated network WAN connection employ 56-kbps, 64-kbps, T1,
E1, T3, and E3 data rates.
These synchronous serial standards are supported on Cisco routers through serial interfaces:
EIA/TIA-232
EIA/TIA-449
V.35
EIA/TIA-530
In North America, the connecting device is called a CSU/DSU. The CSU connects to the
service provider network, while the DSU connects to the network device serial interface. The
CSU/DSU is a device (or sometimes two separate digital devices) that adapts the media format
from a serial DTE device, such as a router, to the media format of the service provider
equipment, such as a WAN switch, in a switched carrier network. The CSU/DSU also provides
signal clocking for synchronization between these devices. The figure shows the placement of
the CSU/DSU.
It is increasingly common to have direct connections to the carrier transport network using
fractional or complete T1/E1 circuits. In this case, a CSU provides demarcation and logical
termination between the service provider network and the customer network. Direct T3/E3 and
Synchronous Digital Hierarchy/SONET (SDH/SONET) connectivity may also be available for
organizations requiring higher data rates.
The private nature of a dedicated connection allows better control over the WAN connection.
Dedicated connections also offer high speeds beyond T3/E3 levels using SDH/SONET.
Dedicated connections are ideal for high-volume environments with steady-rate traffic patterns
or high-peak demands of critical traffic. However, because the line is not shared, dedicated
connections tend to be more costly.
As a general rule, dedicated connections are most cost-effective in these situations:
Long connect times
Short distances
Critical traffic requirements that must be guaranteed
On-Demand Circuit-Switched Connections
This topic describes various switched connections.
On-Demand Circuit-Switched
• Requires call setup and call teardown
• Usually provided by telephone carrier
On-demand circuit switching is a WAN transport method in which a dedicated physical circuit
is established, maintained, and terminated through a public switched telephone network (PSTN)
for each communication session. Initial signaling at the setup stage determines the endpoints
and the connection between the two endpoints.
Typical circuit-switched connections are:
Asynchronous modem
ISDN BRI and ISDN PRI
Advantages of on-demand connection types include dynamic selection of the circuit endpoint
and the accumulation of charges for transport only while connections are active. Costs are
directly related to connection time and distance for each plain old telephone service (POTS)
line or ISDN bearer (B) channel. As traffic between endpoints increases in volume, the duration
of the connection increases.
Asynchronous modem connections require minimal equipment cost and use the existing
telephone network. Users can easily access a central site from any location that has a telephone
connection into a telephone network.
The nature of asynchronous connections allows you to configure the connection to be
enabled—only when you need the service—by using dial-on-demand routing (DDR) through
the modem using an asynchronous serial interface. DDR is ideal when you need short-term
access only.
You should enable DDR on your asynchronous interface when:
Traffic volume is low or traffic is periodic: Calls are placed and connections are
established only when the router detects traffic marked as “interesting.” Periodic
broadcasts, such as routing protocol updates, should be prevented from triggering a call.
You need a backup connection for redundancy or load sharing: DDR can be used to
provide backup load sharing and interface failure backup.
A router acts as an access server, which is a concentration point for dial-in and dial-out calls.
Mobile users, for example, can call into an access server at a central site to access their e-mail
messages.
Asynchronous connections are useful in these situations:
A backup connection required
Small site
Short-term on-demand access
Periods of lower network traffic and fewer users
Asynchronous connections through the PSTN require modems at each end of the connection to
convert digital data signals to analog signals that can be transported over the telephone
network. Modem speeds typically vary from 19.2 kbps to 56 kbps, depending on line quality.
The slower bandwidth speeds limit the amount of traffic you may want to send over an
asynchronous line. To place or receive an asynchronous serial call, equip a Cisco router with an
asynchronous serial interface. The serial standard to attach to an external modem is the
EIA/TIA-232 standard. The interface to the telephone company varies by country. Within the
United States, a standard RJ-11 adapter connects the modem to the telephone outlet.
ISDN Connections
This topic describes ISDN circuit-switched connections.
ISDN Connections
ISDN connections are typically switched connections that, like asynchronous connections,
provide WAN access when needed rather than through a dedicated link. ISDN offers increased
bandwidth over a typical dialup connection, faster setup, and is intended to carry data, voice,
and other traffic across a telephone network.
To place an ISDN BRI call, you should equip your router with a BRI interface. You may also
need an ISDN terminal adapter, which is a device that is used to connect ISDN BRI
connections to other interfaces, such as EIA/TIA-232. A terminal adapter is essentially an
ISDN modem. You should also consult your telephone company for information specific to
your connection.
Note
Generally, in Europe, the service provider supplies the Network Termination 1 (NT-1). In
North America, the customer supplies the NT-1.
ISDN PRI is configured over connections such as T1 and E1 technologies. To place an ISDN
call, equip your router with the proper connection. T1 is used in the United States, and E1 is
common in other countries.
As with asynchronous connections, you can also configure DDR to control access for specific
periods of time.
Packet-Switched Virtual Connections
This topic describes packet-switched virtual connections.
Packet-Switched Connections
• Virtual circuits are established.
• Packet-switched networks generally share bandwidth statistically.
Packet switching is a method in which a network device uses a single point-to-point link to a
service provider to transport packets intended for one or more destinations across a carrier
network. Packet switching is a networking technology that is based on the transmission of data
in packets. Dividing a continuous stream of data into small units (packets) enables data from
one or more sources to one or more destinations to share the communication channels within
the transport network.
Packet-switched networks use virtual circuits that provide end-to-end connectivity. Statically
programmed switching devices accomplish physical connections. Packet headers identify the
circuit and may change on each network link that is traversed. Packet switching requires the use
of precise switching information throughout the transport network.
Packet-switched networks can be either privately or publicly managed. The underlying
switching fabric is transparent to the network user, and the switches are responsible for the
internal delivery of data across the packet-switched network only. Packet switching is
implemented at the data-link layer of the Open System Interconnection (OSI) reference model.
Packet-switched networks offer an administrator less control than a point-to-point connection,
and the bandwidth is shared statistically. However, the cost is generally less than for a leased
line. With WAN speeds comparable to those of leased lines, packet-switched networks are
generally suitable for links between two large sites that require high-link utilization or present
high peaks of critical traffic.
As a general rule, packet-switched connections are most cost-effective in networks with these
characteristics:
Long connect times
Large geographic distances
High-link utilization
High peaks of critical traffic
Broadband Access
This topic describes two broadband access technologies.
Broadband Access
• Use existing infrastructure
• Provide broadband access
• Terminate at service provider POP
Internet transport
Internet access is moving from dialup modems and slow connections to broadband access,
using a variety of technologies. These technologies take advantage of existing telephone and
cable television distribution infrastructures to provide broadband access to the Internet. While
there is no universal definition of broadband, the Federal Communications Commission (FCC)
defines advanced telecommunications capability, or high speed, as 200 kbps or greater.
Generally, a speed of 128 kbps is adequate for most users. Broadband allows remote office
staff and small office, home office (SOHO) users to connect to the central site at higher data
rates than are available with traditional on-demand technologies.
High-speed broadband access to the Internet through a broadband point of presence (POP) and
then to corporate networks using secure Virtual Private Networks (VPNs) is a reality for many
users in the networked world today. This broadband access has the potential to directly improve
employee productivity and to provide a foundation for new voice and video business services
over the Internet.
Many corporations and educational institutions have instituted broadband solutions for access
by suppliers, customers, and staff. The use of the Internet for secure site-to-site connectivity
using VPNs is increasing, especially for less critical traffic.
Broadband access options, in addition to the legacy dedicated circuit-switching and
packet-switching technologies, include digital subscriber line (DSL) and cable modems. The
most common problem in offering these broadband services to remote users is the lack of
coverage because of infrastructure deficiencies.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• WAN connection types are dedicated, circuit-switched, packet-switched, and broadband.
• A WAN can be characterized by connection duration, type of switching, form of synchronization, data rate, termination, and media type.
• Dedicated serial connections are continuously available, typically using a CSU/DSU to connect to the service provider TDM network.
• Asynchronous circuit-switched connections use a process like DDR when a backup connection is needed.
Summary (Cont.)
• Circuit-switched ISDN connections use Link Access Procedure on the D channel for BRI signaling and use T1/E1 facilities for PRI connections.
• Packet-switched connections establish virtual circuits using packet headers to identify network destinations.
• Broadband allows increased bandwidth and new services such as VPN while using existing infrastructure via DSL or cable modem.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which major WAN connection characteristic includes consideration of the elapsed connection time?
A) data rate
B) termination
C) transmission media
D) connection duration
Q2) Dedicated lines are also known as _____?
A) honor lines
B) committed lines
C) leased lines
D) agreed lines
Q3) Which type of router interface port is used to make dedicated permanent connections?
A) Ethernet ports
B) synchronous serial ports
C) console ports
D) ISDN BRI B channels
Q4) Which of the following conditions is appropriate for asynchronous serial connections?
A) Your network would use them as its primary WAN connections for sending huge amounts of data traffic.
B) Your network needs a very reliable high-speed connection.
C) Your network is a small remote site and does not require a high-speed WAN connection.
D) Your network has five users and they send large files to a central site that is located more than 35 miles away.
Q5) Which of the following is considered an on-demand connection?
A) 100-Mbps LAN connection
B) broadband connection
C) T1 synchronous serial connection
D) ISDN BRI connection
Q6) What physical connection is used for high-speed ISDN access in the United States?
A) a 23B + 1D channelized T1 line
B) a 2B + 1D channelized BRI
C) a 30B + 1D channelized E1 line
D) an ISDN network terminal adapter
Q7) What form does the transmission of data take in packet switching?
A) indices
B) time slices
C) bit streams
D) small units
Q8) What is the most common problem a remote user typically encounters in obtaining broadband access service?
A) lack of area coverage by broadband providers
B) large initial connection fee charged by broadband providers
C) high cost of connections compared to other dedicated WAN services
D) reduced bandwidth compared to on-demand WAN services
Quiz Answer Key
Q1) D
Relates to: WAN Connection Characteristics
Q2) C
Relates to: Dedicated Circuit-Switched Connections
Q3) B
Relates to: Dedicated Circuit-Switched Connections
Q4) C
Relates to: On-Demand Circuit-Switched Connections
Q5) D
Relates to: ISDN Connections
Q6) A
Relates to: ISDN Connections
Q7) D
Relates to: Packet-Switched Virtual Connections
Q8) A
Relates to: Broadband Access
Defining WAN Encapsulation Protocols
Overview
This lesson describes the various WAN encapsulations and explains the advantages and
disadvantages of each.
Relevance
It is important to understand how to select the appropriate WAN encapsulation type to provide
the correct access and security level for the customer.
Objectives
Upon completing this lesson, you will be able to:
Explain the various WAN encapsulation types that are available
Describe the advantages of PPP encapsulation
Describe the advantages of Frame Relay encapsulation
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
WAN Encapsulation Protocols
PPP Encapsulation
Frame Relay Encapsulations
Summary
Quiz
WAN Encapsulation Protocols
This topic describes various WAN encapsulation protocols.
Typical WAN Protocols
Each WAN connection uses an encapsulation protocol to encapsulate traffic while it is crossing
the WAN link. To ensure that you use the correct encapsulation protocol, you must configure
the Layer 2 encapsulation type to use. The choice of encapsulation protocol depends on the
WAN technology and the communicating equipment. Typical WAN protocols include:
PPP: PPP originally emerged as an encapsulation protocol for transporting IP traffic over
point-to-point links. PPP also established a standard for the assignment and management of
IP addresses, asynchronous (start/stop) and bit-oriented synchronous encapsulation,
network protocol multiplexing, link configuration, link quality testing, and error detection.
In addition, PPP established option negotiation for such capabilities as network-layer
address negotiation and data-compression negotiation. PPP supports these functions by
providing an extensible link control protocol (LCP) and a family of Network Control
Protocols (NCPs) to negotiate optional configuration parameters and facilities. The
broadband connection type that is used will determine the use of Point-to-Point Protocol
over Ethernet (PPPoE) or Point-to-Point Protocol over ATM (PPPoA).
High-Level Data Link Control (HDLC): HDLC is the default encapsulation type for
Cisco routers on point-to-point dedicated links. It is a bit-oriented synchronous data-link
layer protocol. HDLC specifies a data encapsulation method on synchronous serial links
using frame characters and checksums. HDLC is a standard that is open for interpretation.
As a result, there are different versions of HDLC. If you are communicating with a device
from another vendor, synchronous PPP is a more viable option.
Frame Relay: Frame Relay is a high-performance packet-switched WAN protocol that
operates at the physical and data-link layers of the OSI reference model. Frame Relay was
originally designed for use across ISDN interfaces. Today, it is used over a variety of other
network interfaces and typically operates over WAN facilities that offer more reliable
connection services and a higher degree of reliability.
ATM: ATM is the international standard for cell relay in which multiple service types
(such as voice, video, or data) are conveyed in fixed-length (53-byte) cells. Fixed-length
cells allow processing to occur in hardware, thereby reducing transit delays. ATM is
designed to take advantage of high-speed transmission media such as E3, SONET, and T3.
PPP Encapsulation
This topic describes PPP encapsulation.
PPP Encapsulation
PPP is an international standard encapsulation that is used for these types of connections:
Asynchronous serial
ISDN
Synchronous serial
Broadband
PPP (RFC 1331) provides a standard method of encapsulating higher-layer protocols across
point-to-point connections. PPP extends the HDLC packet structure with a 16-bit protocol
identifier that contains information on the content of the packet.
Because it is standardized, PPP supports vendor interoperability. PPP uses its NCP component
to encapsulate multiple protocols.
PPP uses another of its major components, the LCP, to negotiate and set up control options on
the WAN data link. Some of the PPP LCP features covered in this course are:
Authentication
Compression
Multilink
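The PPP frame described above (HDLC-style address and control fields, the 16-bit protocol identifier, and the FCS) can be built and checked with the following script. It is an added example written for this lesson, not Cisco IOS code or course material; the sample LCP payload is constructed here, and the FCS and byte-stuffing rules follow RFC 1662.

```python
"""Encode and decode PPP frames in HDLC-like framing (RFC 1662 framing, RFC 1661 header).

Added example for the BCRAN lesson text; it is not Cisco IOS code. The sample frame
and the LCP payload below are constructed here; protocol numbers are the IANA values.
"""
import struct

FLAG, ESC = 0x7E, 0x7D
GOOD_FCS = 0xF0B8   # FCS register value left by a correct frame (RFC 1662)

# PPP protocol field values for the components named in the lesson
PROTOCOLS = {
    0x0021: "IP",
    0x8021: "IPCP (NCP for IP)",
    0xC021: "LCP",
    0xC023: "PAP",
    0xC223: "CHAP",
}


def _make_fcs_table():
    table = []
    for byte in range(256):
        value = byte
        for _ in range(8):
            value = (value >> 1) ^ 0x8408 if value & 1 else value >> 1
        table.append(value)
    return table


_FCS_TABLE = _make_fcs_table()


def ppp_fcs16(data: bytes, fcs: int = 0xFFFF) -> int:
    """FCS-16 from RFC 1662 (reflected CRC-CCITT, initial value 0xFFFF)."""
    for byte in data:
        fcs = (fcs >> 8) ^ _FCS_TABLE[(fcs ^ byte) & 0xFF]
    return fcs


def build_frame(protocol: int, payload: bytes) -> bytes:
    """Address 0xFF, control 0x03, 16-bit protocol, payload, FCS; then byte-stuff and add flags."""
    body = bytes([0xFF, 0x03]) + struct.pack("!H", protocol) + payload
    fcs = ppp_fcs16(body) ^ 0xFFFF            # ones-complement of the register
    body += struct.pack("<H", fcs)            # sent least-significant octet first
    out = bytearray([FLAG])
    for byte in body:
        if byte in (FLAG, ESC) or byte < 0x20:  # default async control-character map
            out += bytes([ESC, byte ^ 0x20])
        else:
            out.append(byte)
    out.append(FLAG)
    return bytes(out)


def parse_frame(raw: bytes) -> dict:
    """Unstuff, verify the FCS, and split off the protocol field. Raises ValueError on a bad frame."""
    if len(raw) < 2 or raw[0] != FLAG or raw[-1] != FLAG:
        raise ValueError("missing flag sequence")
    body = bytearray()
    i = 1
    while i < len(raw) - 1:
        byte = raw[i]
        if byte == ESC:
            i += 1
            if i >= len(raw) - 1:
                raise ValueError("dangling escape")
            byte = raw[i] ^ 0x20
        body.append(byte)
        i += 1
    if len(body) < 6:                         # address + control + protocol + FCS at minimum
        raise ValueError("frame too short")
    if ppp_fcs16(bytes(body)) != GOOD_FCS:
        raise ValueError("FCS check failed")
    if body[0] != 0xFF or body[1] != 0x03:
        raise ValueError("unexpected address/control field")
    protocol = struct.unpack("!H", bytes(body[2:4]))[0]
    return {
        "protocol": protocol,
        "name": PROTOCOLS.get(protocol, "unknown"),
        "payload": bytes(body[4:-2]),
    }


def frame_is_valid(raw: bytes) -> bool:
    """True when the frame unstuffs and passes the FCS and header checks."""
    try:
        parse_frame(raw)
        return True
    except ValueError:
        return False


# Constructed sample: an LCP Configure-Request (code 1, identifier 1, length 4, no options)
SAMPLE_LCP_PAYLOAD = bytes([0x01, 0x01, 0x00, 0x04])
SAMPLE_FRAME = build_frame(0xC021, SAMPLE_LCP_PAYLOAD)

if __name__ == "__main__":
    print(SAMPLE_FRAME.hex())
    print(parse_frame(SAMPLE_FRAME))
```

A single flipped bit anywhere in the frame fails the FCS check, which is the error detection the lesson attributes to PPP.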
PPPoE provides the ability to connect a network of hosts to an access concentrator over a
simple bridging access device. With this model, a host uses its own PPP stack, and the user is
presented with a familiar user interface. Access control, billing, and type of service can be done
on a per-user, rather than a per-site, basis.
PPPoA was primarily implemented as part of asymmetric DSL (ADSL) technology. It relies on
RFC 1483 (now RFC 2686), operating in either logical link control/Subnetwork Access
Protocol (LLC/SNAP) or virtual circuit multiplexing (VC mux) mode. Customer premises
equipment (CPE) will encapsulate a PPP session based on this RFC for transport across the
ADSL loop and the digital subscriber line access multiplexer (DSLAM).
In these architectures, IP address allocation is based on IP Control Protocol (IPCP) negotiation,
which follows the same principle as PPP in dial mode.
In PPPoE, the source of IP address allocation depends on the type of service to which the
subscriber has subscribed and where the PPP sessions are terminated. PPPoE makes use of the
dial-up networking feature of Microsoft Windows, and the IP address assigned is reflected
within the PPP adapter. PPPoE can be used on existing CPE (that cannot be upgraded to PPP or
that cannot run PPPoA), extending the PPP session over the bridged Ethernet LAN to the PC.
PPPoE can also be configured on the CPE to terminate the PPP session and use Network
Address Translation (NAT) for workstation access to the Internet.
Although PPPoA does not require host-based software, it does require that each CPE device
have a username and password for authentication to a central site. The PPP sessions initiated by
the subscriber are terminated at the service provider that authenticates users via a local database
on the router or through a RADIUS server. The PPPoA session authentication is based on
Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol
(CHAP). The service provider must assign only one IP address for the CPE, and the CPE can
be configured for NAT.
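The PAP and CHAP checks that the service provider performs against its local database are shown below as an added example; it is not Cisco IOS or RADIUS code. The subscriber name and shared secret are constructed placeholders, and the CHAP digest follows RFC 1994 (MD5 over identifier, secret, and challenge).

```python
"""Authenticator-side PAP and CHAP verification for a PPP session.

Added example for the BCRAN lesson; not Cisco IOS code. SUBSCRIBERS stands in for the
"local database on the router" named in the text; its contents are constructed here.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed subscriber database: CPE username -> shared secret
SUBSCRIBERS = {"cpe-branch01": b"example-shared-secret"}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side (RFC 1994): Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def new_challenge(length: int = 16) -> bytes:
    """Authenticator side: a fresh, unpredictable challenge for every round."""
    return secrets.token_bytes(length)


def verify_chap(name: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute from the stored secret; the secret itself never crosses the link."""
    secret = SUBSCRIBERS.get(name)
    if secret is None or len(response) != 16:
        return False
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)


def verify_pap(name: str, password: bytes) -> bool:
    """PAP (RFC 1334): the Authenticate-Request carries the password itself, so it is compared directly."""
    secret = SUBSCRIBERS.get(name)
    return secret is not None and hmac.compare_digest(secret, password)


def chap_exchange(name: str, peer_secret: bytes, ident: int = 1,
                  challenge: Optional[bytes] = None) -> dict:
    """One Challenge -> Response -> Success/Failure round; returns what crossed the link and the verdict."""
    challenge = new_challenge() if challenge is None else challenge
    response = chap_response(ident, peer_secret, challenge)   # computed by the CPE
    return {
        "challenge": challenge,
        "response": response,
        "authenticated": verify_chap(name, ident, challenge, response),
    }


if __name__ == "__main__":
    # Correct secret authenticates; the on-wire response is a digest bound to this challenge.
    good = chap_exchange("cpe-branch01", b"example-shared-secret")
    print("CHAP ok:", good["authenticated"], "response:", good["response"].hex())
    # The same response presented against a new challenge is rejected.
    print("replay ok:", verify_chap("cpe-branch01", 1, new_challenge(), good["response"]))
    # PAP carries the password in the clear, which is why CHAP is preferred on the same link.
    print("PAP ok:", verify_pap("cpe-branch01", b"example-shared-secret"))
```

The replay check illustrates why the authenticator must generate a new random challenge for each round rather than reuse one.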
Frame Relay Encapsulations
This topic describes Frame Relay encapsulations.
Frame Relay Encapsulations
Frame Relay is an industry-standard data-link layer protocol that is commonly used in
packet-switched networks. Frame Relay supports technological advances such as fiber-optic
cabling and digital transmission. Frame Relay can eliminate time-consuming processes (such as
error correction and flow control) that are necessary when using older, less reliable WAN
media and protocols.
When purchasing bandwidth, customers buy a committed information rate (CIR) from the
carrier to ensure that their minimum bandwidth requirements will be met. Adding an additional
channel or data-link connection identifier (DLCI) will provision a new virtual circuit and set of
connection characteristics. Adding more channels to an existing DLCI, where the physical
facilities support it, adds bandwidth. Channels can be added easily in this manner to meet
growth requirements.
Because a public network is being used, a service provider must be consulted to obtain
information specific to a link.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• Each WAN connection uses an encapsulation protocol to encapsulate traffic while it is crossing the WAN link.
• PPP is an international standard encapsulation used for asynchronous serial, ISDN, synchronous serial, and broadband connections.
• Frame Relay is an industry-standard data-link layer protocol commonly used in packet-switched networks.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) What is the fixed length of an ATM cell?
A) 128 bytes
B) 56 bytes
C) 53 bytes
D) 64 bytes
Q2) Which component does PPP use to negotiate and set up control options on the WAN
data link?
A) NCP
B) LCP
C) FTP
D) TFTP
Q3) In Frame Relay, what is a DLCI?
A) data-link control identifier
B) data-level control identifier
C) data-link connection identifier
D) data-level connection identifier
Quiz Answer Key
Q1) C. Relates to: WAN Encapsulation Protocols
Q2) B. Relates to: PPP Encapsulation
Q3) C. Relates to: Frame Relay Encapsulations
Determining the WAN Type to Use
Overview
This lesson describes how to select the appropriate WAN connection for a given situation.
Relevance
When you design internetworks, you must make several key decisions concerning connectivity
among different users or groups in your WAN environment.
Objectives
Upon completing this lesson, you will be able to:
Describe the various aspects of selecting the correct WAN connection
Distinguish among various WAN connections by speed and cost
Describe the requirements of a central site
Describe the requirements of a branch office site
Describe the requirements of a SOHO site
Select the appropriate WAN equipment for a CO site
Select the appropriate WAN equipment for a branch office site
Select the appropriate WAN equipment for a SOHO site
Identify the appropriate interfaces that will support your WAN connection
Verify that the router components are installed and functioning properly
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
WAN Connection Types
WAN Connection Speed Comparison
WAN Connection Summary
Site Requirements
Central Site Considerations
Central Site Router Equipment
Branch Office Considerations
Branch Office Router Equipment
SOHO Site Considerations
SOHO Site Router Equipment
Summary
Quiz
WAN Connection Types
This topic describes how to select a WAN connection.
Connection Selection Considerations
• Availability
• Bandwidth
• Cost
• Ease of management
• Application traffic
• QoS and reliability
• Access control
When you design internetworks, you must make several key decisions concerning connectivity
among different users or groups of users in your WAN environment.
When selecting a WAN connection, you should consider these factors:
Availability: Each method of connectivity has limits to its availability that are inherent in its
design, usage, and implementation. For example, Frame Relay is not available in all
geographic regions.
Bandwidth: WAN bandwidth is expensive, and organizations do not want to pay for more
bandwidth than they need. Determining usage over the WAN is a necessary step in
evaluating the most cost-effective WAN services for your needs.
Cost: WAN usage costs are typically 80 percent of the entire information services budget.
Cost is a major consideration when different WAN services and different service providers
are being evaluated. If, for example, you use the line for only 1 hour a day, you may want
to select a DDR connection such as an asynchronous or ISDN connection.
Ease of management: Network designers are often concerned about the degree of
difficulty associated with managing connections. Connection management refers to both
the initial configuration at startup and the ongoing configuration tasks of normal operation.
Traffic management is the ability of the connection to adjust to different rates of traffic,
regardless of whether the traffic is steady or bursty in nature. Dedicated lines are often
easier to manage than shared lines.
Application traffic: The application traffic may be many small packets, such as a terminal
session, or very large packets, such as a file transfer.
Quality of service (QoS) and reliability: How critical is the traffic that is intended to
travel over the link? A backup connection may be necessary.
Access control: A dedicated connection may help control access, but electronic commerce
cannot occur on a wide scale unless consumers can access some portion of your network.
WAN Connection Speed Comparison
This topic describes various WAN speeds.
The figure illustrates the WAN speeds for typical technologies. Network administrators must
select a WAN option based on the required bandwidth.
The speeds, costs, and availability of WANs vary internationally. For example, in North
America, high-bandwidth speeds such as T1 are easily available at reasonable prices. Europe
offers comparable speeds, such as E1, but prices tend to be higher. Other parts of the world
offer limited WAN services with lower speeds, typically up to 64 kbps, and the costs are
higher.
Broadband options include DSL and high-speed cable modems.
Broadband is generally defined as any sustained speed above 128 kbps. However, that
definition may soon change. Broadband access can allow remote office staff and small office,
home office (SOHO) users to connect to the central office LAN at high speeds.
A cable modem can provide up to 90 times the speed (4 Mbps) for remote access.
DSL is a technology that operates over unused bandwidth on a regular telephone line to deliver
fast digital data transmission up to 25 times the speed (approximately 1 Mbps) without
affecting the analog telephone service that is used.
WAN Connection Summary
This topic discusses a summary of WAN connections.
The figure compares the attributes of various types of WAN connections. Each WAN
connection has advantages and disadvantages. For example, setting up a dialup asynchronous
connection will offer limited bandwidth only. However, a user can call into the office from
anywhere over the existing telephone network.
Site Requirements
This topic describes the factors that a network administrator must evaluate for central site,
branch office, and SOHO WAN connections.
A company with multiple sites that vary in size will need a remote network to connect the
various locations. Typical locations include these sites:
Central site: The central site is a large site that is often the corporate headquarters or a
major office. Regional offices and SOHOs may need to connect to this site for data and
information. Because users may access this site via multiple WAN technologies, it is
important that the central site accommodate many types of WAN connections from remote
locations. The central site is often referred to as headquarters, the enterprise, or corporate.
Remote site: The remote site is a smaller office that generally accommodates employees
who have a compelling reason to be located away from the central site, such as a regional
salesperson. Remote site users must be able to connect to the central site to access company
information. Remote sites are sometimes called branch offices, remote offices, or sales
offices. Small and medium-size businesses can benefit from high-speed Internet access,
VPN connectivity to corporate intranets, telecommuting capabilities for work-at-home
employees, interactive television, and economical PSTN-quality voice and fax calls over
the managed IP networks. Employees of large and small businesses who work from their
homes need secure high-speed remote access to the corporate intranet and need access to
the Internet for e-mail communication with customers and suppliers.
SOHO site: The SOHO site is a small office with one to several employees or the home
office of a telecommuter. Telecommuters may also be mobile users, that is, users who need
access while traveling or who do not work at a fixed company site. Depending on the
amount of use and the WAN services available, telecommuters working from home tend to
use dialup and broadband services. Mobile users tend to access the company network via
an asynchronous dialup connection through the telephone company or may access the
corporate intranet using VPN client software on their laptops. Telecommuters working
from home may also use a VPN tunnel gateway router for encrypted data and voice traffic
from the company intranet. These solutions provide simple and safe access for branch
offices or SOHOs to the corporate network site, according to the needs of the users at the
sites.
Central Site Considerations
This topic describes central site considerations.
• Must provide access to multiple users and control network costs
The central site WAN connection is a critical focal point for a company. Because many other
sites and users access this site in a variety of ways, it is important that your central site solution
have a modular design that can accommodate many types of WAN connections from remote
locations.
The architecture of a WAN that is used to connect company campuses must optimize
bandwidth, minimize costs, and maximize the effective service to end users. Considerations to
keep in mind for a central site WAN include:
Multiple access connections: Users will connect to the central site using various media.
Central site WANs must allow for multiple media options and simultaneous access by
multiple users.
Cost: Keep costs low while maintaining a satisfactory level of service. For example, some
WAN charges are based on usage, such as ISDN. Features such as DDR and compression
ensure that WAN costs are kept to a minimum. As another example, leased lines are
generally charged at a fixed rate, so you may want to consider this service only if the line
will sustain high use. Broadband connections such as cable and DSL offer a low-cost, high-speed solution.
Access control: Company information must be restricted, allowing users access only to the
areas in the network for which they are authorized. Access lists can prevent unauthorized
data flow between offices. For PPP network links, PAP or the superior CHAP can identify
the remote entity to prevent unauthorized network connection. SOHO and branch office
users can gain access to secure sites through the use of VPN technologies.
QoS: It is important to set priorities for traffic over the link and manage traffic flow so that
bursty traffic does not slow mission-critical traffic.
Redundancy and backup: Because a link may fail or usage may be high at certain peak
times during the day, the connection to the central office should be backed up. Avoid
backing up links using the same service provider.
Scalability: The network must be able to grow with the company.
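The access control point above (PAP or the superior CHAP identifying the remote entity), and the PAP/CHAP authentication of PPPoA sessions described earlier in this lesson, can be seen concretely in the following added Python example, which is not part of the Cisco course material. It implements the RFC 1994 CHAP digest and a minimal authenticator/peer exchange next to the RFC 1334 PAP request; the host names, shared secrets and the local user database are constructed for the example.

```python
"""CHAP versus PAP on a PPP link (added illustration, not Cisco's code).

RFC 1994 CHAP: the authenticator sends a random Challenge carrying an
Identifier; the peer replies with MD5(Identifier || secret || Challenge)
and its name. The secret never crosses the link, and a fresh Challenge
per session makes a recorded Response worthless. RFC 1334 PAP sends the
peer-id and password in clear text, so anyone who can read the link has
them. Host names and secrets below are constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for the router's local username database
# (username -> shared secret); a RADIUS server would play the same role.
LOCAL_DB = {"branch-rtr": b"s3cret-branch", "soho-rtr": b"s3cret-soho"}


@dataclass(frozen=True)
class ChapChallenge:
    identifier: int   # one octet; the Response must echo it
    value: bytes      # random octets chosen by the authenticator
    name: str         # authenticator's host name


@dataclass(frozen=True)
class ChapResponse:
    identifier: int
    value: bytes      # 16-octet MD5 digest
    name: str         # peer's host name, used to look up its secret


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier, secret and Challenge value."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def new_challenge(identifier: int, authenticator: str) -> ChapChallenge:
    """Authenticator side: a fresh random Challenge for this attempt."""
    return ChapChallenge(identifier, os.urandom(16), authenticator)


def peer_respond(ch: ChapChallenge, peer: str, secret: bytes) -> ChapResponse:
    """Peer side: prove knowledge of the secret without transmitting it."""
    digest = chap_digest(ch.identifier, secret, ch.value)
    return ChapResponse(ch.identifier, digest, peer)


def authenticator_verify(ch: ChapChallenge, resp: ChapResponse, db=LOCAL_DB) -> bool:
    """Authenticator side: recompute the digest from the stored secret."""
    if resp.identifier != ch.identifier:   # Response belongs to another Challenge
        return False
    secret = db.get(resp.name)
    if secret is None:                      # unknown peer: reject
        return False
    expected = chap_digest(ch.identifier, secret, ch.value)
    return hmac.compare_digest(expected, resp.value)   # constant-time compare


def chap_session(peer: str, secret: bytes, identifier: int = 1):
    """One full exchange; returns (accepted, Response) so the Response can be reused."""
    ch = new_challenge(identifier, "central-rtr")
    resp = peer_respond(ch, peer, secret)
    return authenticator_verify(ch, resp), resp


def replay_is_rejected(peer: str, secret: bytes) -> bool:
    """A Response recorded from one session fails against the next Challenge."""
    _, recorded = chap_session(peer, secret, identifier=1)
    fresh = new_challenge(2, "central-rtr")
    replayed = ChapResponse(fresh.identifier, recorded.value, recorded.name)
    return not authenticator_verify(fresh, replayed)


def pap_request(peer_id: str, password: bytes) -> bytes:
    """RFC 1334 Authenticate-Request payload: both fields in clear text."""
    pid = peer_id.encode()
    return bytes([len(pid)]) + pid + bytes([len(password)]) + password


def secret_visible_on_wire(peer: str, secret: bytes) -> tuple:
    """Is the shared secret readable from what each protocol puts on the link?"""
    _, resp = chap_session(peer, secret)
    return secret in pap_request(peer, secret), secret in resp.value


if __name__ == "__main__":
    print("CHAP accepted:", chap_session("branch-rtr", b"s3cret-branch")[0])
    print("CHAP replay rejected:", replay_is_rejected("branch-rtr", b"s3cret-branch"))
    print("secret visible (PAP, CHAP):", secret_visible_on_wire("branch-rtr", b"s3cret-branch"))
```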
Central Site Router Equipment
This topic introduces Cisco central site router equipment.
Choose the router that supports the WAN protocols that you will use. As illustrated in the
figure, the router and network modules will support the interfaces in the network topology that
are used in this course.
These routers are typical Cisco Systems equipment for a central site:
Cisco 2600 Series
Cisco 3600 Series
Cisco 3700 Series
Cisco 7200/7500 Series
Branch Office Considerations
This topic describes branch office considerations.
• Must be able to access the central site
A remote site or branch office typically has fewer users than the central site, and therefore
needs a smaller WAN connection.
Remote sites connect to the central site and to some other remote sites. Telecommuters may
also require access to the remote site. A remote site can use the same or different media.
Remote site traffic can vary, but is typically sporadic. The network designer must determine
whether it is more cost-effective to offer a permanent or dialup solution.
The remote site must have a variety of equipment, but does not require as much as the central
site. Typical WAN technologies connecting a remote site to the central site include:
Leased line
Frame Relay
ISDN
Broadband services (cable or DSL)
Typical considerations for setting up a remote site WAN connection are:
Multiple access connections: Users will connect to the branch site using various media.
Branch site WANs must allow for multiple media options and simultaneous access by
multiple users. The branch site must also have connectivity to the central site or to SOHO sites.
Cost: Sometimes called path cost, cost is an arbitrary value that is typically based on hop
count, media bandwidth, or other measures. Cost is assigned by a network administrator to
compare various paths through an internetwork environment. Cost values are used by
routing protocols to determine the most favorable path to a particular destination; the lower
the cost, the better the path.
Access control: To prevent unauthorized traffic, routers and firewalls use a set of rules that
permit or deny certain traffic. Access control is commonly applied to router interfaces and
can be configured to control which data sessions can pass and which can fail. Users can
gain secure access by using VPN solutions to connect to corporate intranets.
Redundancy: In internetworking, duplicate devices, services, or connections can perform
the work of original devices, services, or connections in the event of a failure.
Authentication: The remote site must be able to authenticate itself to the central site.
Availability: Service providers may not offer certain WAN services in some regions. This
consideration generally becomes more critical as sites are set up in more remote locations.
Branch Office Router Equipment
This topic introduces Cisco branch office router equipment.
Choose a router that supports the WAN protocols and interfaces that you will use. The Cisco
1700 Series router and the WAN interface cards shown in the figure will support the interfaces
that are required for a branch office in the network topology used in this course.
The following routers are typical Cisco equipment for a branch office:
Cisco 1600 Series
Cisco 1700 Series
Cisco 2500 Series
Cisco 2600 Series
SOHO Site Considerations
This topic describes telecommuter site considerations.
• Must access company information on demand from various remote locations
Improvements in WAN technologies allow many employees to do their jobs almost anywhere.
The growth in the number of SOHO and small company sites has exploded. As with central and
remote sites, WANs for SOHO sites must balance cost and bandwidth requirements.
An asynchronous dialup solution using the existing telephony network and an analog modem is
often the solution for SOHOs because it is easy to set up and the telephone facilities are already
installed. As usage and bandwidth requirements increase, other remote access technologies
should be considered.
The needs of mobile users make an asynchronous dialup connection a good remote solution.
Employees on the road can use their PCs with modems and the existing telephone network to
connect to the company.
The typical WAN connections employed at SOHO sites are:
Asynchronous dialup
ISDN BRI
Broadband
Frame Relay
The typical considerations for a remote site WAN connection are:
Cost
Authentication
Availability
SOHO Site Router Equipment
This topic describes Cisco SOHO site router equipment.
Choose the router that supports the WAN protocols and interfaces that you will use. As
illustrated in the figure, the Cisco 800 Series router is an example of a SOHO site router that
will support the interfaces required in the network topology that is used in this course.
The following routers are typical Cisco Systems equipment for a SOHO site:
Cisco 800 Series
Cisco 1700 Series
Summary
This topic summarizes the key points discussed in this lesson.
• Selecting a WAN connection involves considering
such things as availability, bandwidth, cost, and
management ease.
• Each WAN connection has advantages and
disadvantages.
• The central site should be designed to
accommodate many different types of WAN
connections from remote locations.
• The type of equipment used will depend upon the
needs of a particular site.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) What percentage of the information services budget do WAN costs typically
constitute?
A) 10 percent
B) 25 percent
C) 50 percent
D) 80 percent
Q2) Which of the following is an advantage of using an asynchronous dialup connection?
A) its high speed
B) the ability to connect to the WAN from any active telephone line
C) its always-on state
D) the ability to use the telephone connection for voice calls at the same time
Q3) Which of the following sites will most users connect to for data and information?
A) branch site
B) SOHO site
C) central site
Q4) Which of the following technologies would be used by SOHO and branch office users
to gain access to a very secure central site?
A) VPN technologies
B) standard password authentication protection technologies
C) unsecured high-speed broadband connection technologies
D) slower-speed asynchronous dialup technologies
Q5) Which of the following is most typically used to permit or deny traffic on a network?
A) access control lists
B) password authentication
C) accounting software
D) record management software
Q6) Which Cisco Systems router would be typical for a central site?
A) Cisco 1700 Series
B) Cisco 1600 Series
C) Cisco 2600 Series
Q7) Which of these technologies can be used at a remote site to connect to the central site?
A) leased line
B) Frame Relay
C) ISDN
D) broadband services (cable or DSL)
E) all of the above
Q8) Which Cisco routers are typically used for a branch office?
A) Cisco 7000 Series
B) Cisco 4000 Series
C) Cisco 3600 Series
D) Cisco 2600 Series
Q9) Which is the most typical WAN connection type for a SOHO user who will require
connectivity from a different site to a central site every day?
A) dedicated serial connection
B) circuit-switched connection
C) broadband connection
D) asynchronous dialup connection
Q10) Which Cisco routers are typical for a SOHO site?
A) Cisco 7000 Series
B) Cisco 4000 Series
C) Cisco 2600 Series
D) Cisco 800 Series
Quiz Answer Key
Q1) D. Relates to: WAN Connection Types
Q2) B. Relates to: WAN Connection Speed Comparison
Q3) C. Relates to: WAN Connection Summary
Q4) A. Relates to: Site Requirements
Q5) A. Relates to: Central Site Considerations
Q6) C. Relates to: Central Site Router Equipment
Q7) E. Relates to: Branch Office Considerations
Q8) D. Relates to: Branch Office Router Equipment
Q9) D. Relates to: SOHO Site Considerations
Q10) D. Relates to: SOHO Site Router Equipment
Selecting Cisco Products for Remote Connections
Overview
Cisco offers many different routing platforms, interface modules, and cables to provide remote
access. This lesson introduces the Cisco WAN solutions that are used to connect various
company sites.
Relevance
Selecting appropriate equipment is critical to creating an internetwork.
Objectives
Upon completing this lesson, you will be able to:
Select appropriate equipment
Select appropriate fixed and modular interfaces
Select appropriate cables to build an internetwork
Interpret the meaning of various LED indicators on a Cisco router
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Cisco Remote Access Solutions
Interfaces: Fixed Interface
Interfaces: Modular Interface
Network Cabling and Assembly
Verification of Network Installation
Verification of Branch Office Installation
Verification of SOHO Installation
Products with Cisco Product Selection Tools
Summary
Quiz
Cisco Remote Access Solutions
This topic describes Cisco devices and their possible use.
Cisco Systems offers access servers, routers, and other equipment that allows connection to the
WAN service. The figure highlights some of the products that are best suited for various
company sites.
The Cisco 800 Series routers are the lowest-priced Cisco routers, using a nonmodular fixed
configuration, but based on Cisco IOS software. The Cisco 800 Series access routers provide
big-business networking benefits to small offices and corporate telecommuters. The Cisco 800
Series offers secure, manageable, high-performance solutions for Internet and corporate LAN
access.
The Cisco 1600 Series routers have a slot that accepts a WAN interface card (WIC). These
cards are shared with the Cisco 1700, 2600, and 3600 Series routers and will be shared in future
modular branch office products.
The Cisco 1700 Series access routers deliver optimized security, integration, and flexibility in a
desktop form factor for small and medium-size businesses and small branch offices that want to
deploy Internet/intranet access or VPNs. The Cisco 1721 access router features two modular
WAN slots that support WICs (as is common in other 1600, 2600, and 3600 Series access
routers) and an autosensing 10/100-Mbps Fast Ethernet LAN port to provide investment
protection and flexibility for growth.
The Cisco 2600 Series routers feature single or dual fixed LAN interfaces. A network module
slot and two WIC slots are available for WAN connections.
The Cisco 3700 Series multiservice access routers also offer an integrated solution for dialup
and permanent connectivity over asynchronous, synchronous, and ISDN lines. Up to four
network module slots are available for LAN and WAN requirements.
The Cisco 7200 Series routers are also very high-performance, modular, central-site routers that
support a variety of LAN and WAN technologies. The Cisco 7200 Series is targeted at large
regional offices that require high-density solutions.
The table highlights some of the features and WAN options for each series of routers.
Cisco Routers | Features
800 Series | ISDN BRI, serial connections, basic telephone service ports, broadband port, entry-level Cisco IOS software
1600 Series | ISDN BRI, one WIC slot
1700 Series | Two WIC slots
2600 Series | Various fixed LAN interface configurations, one network module slot, two WIC slots
3700 Series | Two slots (the 3725) or four slots (the 3745)
AS5000 Series | Access server with multiple T1/E1 ISDN PRI and modem capabilities
7200 Series | Supports a wide range of WAN services, with the high port density necessary for a scalable enterprise WAN
Note: A “power branch” is a branch office that offers enhanced capabilities, such as those included
in the Cisco 3700 Series routers. Because of their expandability, the Cisco 3700 Series
routers are common today in branch offices. Refer to Cisco.com for the most up-to-date
information on Cisco equipment.
Interfaces: Fixed Interface
This topic describes various fixed WAN connection types. When selecting interfaces to support
a WAN, you can choose between fixed interfaces and modular interfaces.
The router that you select for your WAN connection must offer the interfaces that will support
your WAN connection.
Typical interfaces that are found on a Cisco router (along with the typical WAN connections)
support the following:
Asynchronous serial: Used with a modem, supports asynchronous dialup connections
Synchronous serial: Supports connections such as leased lines and Frame Relay
Ethernet: Supports broadband connections
BRI: Supports ISDN BRI connections
Channelized T1 or E1: Supports connections such as leased lines, dialup, ISDN PRI, and
Frame Relay
Fixed-configuration routers are available with predetermined fixed LAN and WAN interface
options. Fixed-configuration routers do not require additional WICs or network modules.
However, after they are purchased, the interfaces available are limited to only those that were
factory installed.
Interfaces: Modular Interface
This topic describes various modular WAN connection types. When selecting interfaces to
support a WAN, you can choose between fixed interfaces and modular interfaces.
If you select a fixed-configuration router, you receive the router with the interfaces already
installed on the box. However, you cannot add or change interfaces on a fixed-configuration
router.
Modular routers and access servers such as the Cisco 3600 Series are built with one or more
slots that allow you to customize the box. You can determine the types of interfaces on the
router by selecting various feature cards, network modules, or WICs to install. Although
modular routers require adding equipment to the physical router, they are more scalable as your
network grows and your needs change.
Network Cabling and Assembly
This topic describes the cables that are used to connect the network components.
The figure illustrates the cable connections that are available for various WAN types. These
include:
1. Asynchronous connections: Asynchronous connections require RJ-11 cables attached
from the modem line port to the telephone company jack. If you are using an external
modem attached to a Cisco router, you must also use a Cisco EIA/TIA-232 cable to attach
the modem to the serial interface of the router. The DB-60 end of the cable connects to the
router. The DB-25 end attaches to the modem.
2. ISDN BRI: ISDN BRI connection interfaces require RJ-45 cables to connect the BRI
interface to the ISDN network. The BRI modules and BRI WICs are available with either
an S or T interface that requires an external NT-1 or a U interface with a built-in NT-1.
3. ISDN PRI (North America): Channelized T1 (CT1)/PRI modules are available with or
without a built-in CSU. If you use an external CSU, attach a female DB-15 cable to the
interface of the router. The other end of the straight-through cable will attach to the CSU,
which in turn attaches to the ISDN network. Routers with internal CSU modules attach
directly to the ISDN network with a standard RJ-48 connector.
4. ISDN PRI (Europe): Channelized E1 (CE1)/PRI modules are available with balanced and
unbalanced interfaces. CE1/PRI-balanced modules provide a 120-ohm E1 interface for
network connections. The unbalanced modules provide a 75-ohm E1 interface for network
connections. Four serial cables are available from Cisco for the CE1/PRI module. All four
cables have DB-15 connectors on the router end and BNC, DB-15, twinaxial, or RJ-45
connectors on the network end.
5. Frame Relay: If you establish a Frame Relay serial connection, Cisco routers support the
following signaling standards: EIA/TIA-232, EIA/TIA-449, V.35, X.21, and EIA-530.
Cisco supplies a DB-60 shielded serial transition cable with the appropriate connector for
the standard that you specify. The router end of the shielded serial transition cable has a
DB-60 connector, which connects to the DB-60 port on the serial interface of the router.
The other end of the serial transition cable varies according to the standard that you
specify.
6. Broadband: Broadband connections will generally require an Ethernet interface port and
service provider equipment. Data service is generally provided through equipment from the
provider and converted to RJ-45 by the customer.
Note: You can use the RJ-48 and DB-15 cables for Frame Relay connections. They can be
plugged into a T1 carrier interface. After a channel group is configured, Frame Relay
encapsulation can be run over the connection.
Verification of Network Installation
This topic demonstrates how to use the LEDs on your Cisco equipment to verify proper
installation.
Each central site router has LED displays that allow you to verify that the router components
are installed and functioning properly.
Note: For LED information specific to your router, refer to the installation and configuration guide
that accompanied your router.
On the Cisco 3600 Series router, the LEDs on the front of the router enable you to determine
router performance and operation. The READY LED indicates that a functional module has
been installed in the indicated slot. If the LED is off, the slot is empty or the module is not
functional. The ACTIVE LED blinks to indicate network activity on the module that is
installed in the indicated slot.
All network modules have an ENABLE (EN) LED. The ENABLE LED indicates that the
module has passed its self-tests and is available to the router.
Each Ethernet port has two LEDs. The ACTIVITY (ACT) LED indicates that the router is
sending or receiving Ethernet transmissions. The LINK LED indicates that the Ethernet port is
receiving the link integrity signal from the hub (10BASE-T only).
Each PRI network module has four LEDs in addition to the enable LED. These LEDs are:
REMOTE ALARM: Designates a remote alarm condition
LOCAL ALARM: Designates a local alarm condition
LOOPBACK: Designates a loopback condition
CARRIER DETECT: Specifies that you received the carrier on the telephone company link
Digital modem modules have five LEDs in addition to the ENABLE LED, one for each Modem
ISDN channel aggregation (MICA) technologies module bank. The LEDs blink during
initialization. After the ENABLE LED comes on, the MICA module LEDs indicate that the
corresponding MICA module is functioning. If a MICA module fails its diagnostics, or if no
MICA module is installed in a position, its LED remains off.
Each port on the serial network module has additional LEDs. These LEDs are:
CN/LP: Connect when green, loopback when yellow
RXC: Receive clock
RXD: Receive activity
TXC: Transmit clock
TXD: Transmit activity
Verification of Branch Office Installation
This topic discusses the meaning of various LEDs on a Cisco router. Indicator LEDs on a router
enable you to verify that the components are installed and functioning correctly.
Verifying Branch Office Site Installation
Each branch office and telecommuter router has LED displays that allow you to verify that the
router components are installed and functioning properly.
Note
For LED information specific to your router, refer to the installation and configuration guide
that accompanied your router.
On Cisco 1721 routers, you can use the LEDs on the front of the router to determine router
performance and operation. The LEDs are as follows:
PWR: The green system POWER LED indicates the router is turned on and DC power is
being supplied.
System OK: The green system OK LED indicates the router has successfully booted. This
LED blinks while in the boot cycle.
ETH ACT: The green LAN ACTIVITY LED indicates that data is being sent to or
received from the local Ethernet LAN.
ETH COL: A flashing yellow LAN COLLISION LED indicates frame collisions on the
local Ethernet LAN.
WIC0 ACT/CH0: The green WIC CONNECTION LED indicates an active connection on
this WIC port.
WIC0 ACT/CH1: The green WIC CONNECTION LED indicates an active connection on
this WIC port.
WIC1 ACT/CH0: The green WIC CONNECTION LED indicates an active connection on
this WIC port.
WIC1 ACT/CH1: The green WIC CONNECTION LED indicates an active connection on
this WIC port.
The serial WIC has several LEDs that indicate data is being sent over the WIC serial ports.
The ISDN BRI U interface card has several LEDs that indicate data is being sent over the
WAN ISDN port.
Verification of SOHO Installation
This topic discusses the meaning of various lights on Cisco 800 Series routers. Indicator LEDs
on a router enable you to verify that the components are installed and functioning correctly.
Verifying SOHO Site Installation
Each SOHO router has LED displays that allow you to verify that the router components are
installed and functioning properly.
Note
For LED information specific to your router, refer to the installation and configuration guide
that accompanied your router.
On the Cisco 800 Series routers, you can use the LEDs on the back of the router to determine
router performance and operation. The LEDs are shown in the table.
LED Function of 800 Series Router
LED | Color | Function
OK | Green | On when power is supplied to the router and when the router completes the self-test procedure and begins operating.
NT-1 | Green | Not applicable for Cisco 801 and 803 routers. On when the internal NT-1 and the ISDN switch are synchronized. Blinks when the internal NT-1 and the ISDN switch are attempting to synchronize.
LINE | Green | On when the ISDN interface and the ISDN terminal device are synchronized.
LAN | Green | On when packets are sent to or received from an Ethernet port.
LAN RXD | Green | Blinks when an Ethernet port receives a packet.
LAN TXD | Green | Blinks when an Ethernet port sends a packet.
LK0, LK1, LK2, LK3 | Green | Cisco 803 and 804 routers only. On when the Ethernet device is connected. Off when the Ethernet device is not connected. Blinks when the connection has a problem.
ETHERNET 1, 2, 3, 4 | Green | Cisco 804 IDSL routers only. On when the Ethernet device is connected. Off when the Ethernet device is not connected. Blinks when the connection has a problem.
CH1 | Orange | Blinks when placing or receiving a call on the first ISDN B channel. On when a call is connected on the first ISDN B channel. For IDSL routers, see the note following this table.
CH1 RXD | Orange | Blinks when packets are received from the first ISDN B channel.
CH1 TXD | Orange | Blinks when packets are sent from the first ISDN B channel.
CH2 | Orange | Blinks when placing or receiving a call on the second ISDN B channel. On when a call is connected on the second ISDN B channel. For IDSL routers, see the note following this table.
CH2 RXD | Orange | Blinks when packets are received from the second ISDN B channel.
CH2 TXD | Orange | Blinks when packets are sent from the second ISDN B channel.
PH1, PH2 | Green | Cisco 803 and 804 routers only. On when basic telephone service is in use.
LINK | Green | On back panel of the Cisco 801, 802, and 802 IDSL routers only. On when the Ethernet device is connected. Blinks when the connection has a problem.
Note
On Cisco 802 IDSL and Cisco 804 IDSL routers, either CH1 or CH2 is on if the router has an
active data connection and the line speed is 64 kbps. CH1 and CH2 are both on if the router
has an active data connection and the line speed is 128 or 144 kbps.
Products with Cisco Product Selection Tools
This topic discusses the Cisco tools for use in selecting Cisco products.
Selecting Products with Cisco Product Selection Tools
For up-to-date information, use the online tools at
http://www.cisco.com/en/US/products/hw/routers/index.html
To assist you with product selection, Cisco has extensive documentation and product
specifications on its website at http://www.cisco.com/en/US/products/hw/routers/index.html.
You will also find product selection and configuration tools on the site. These tools are
designed to help you determine the router that best meets your requirements and how to
configure it.
Because technology and product offerings change frequently, access this website for the most
up-to-date product information.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• The type of Cisco Systems router used will vary depending on where it will be used.
• Select the appropriate fixed and modular interfaces.
• Select the appropriate cables to build an internetwork.
• Each router has LED displays that allow you to verify that the router components are installed and functioning properly.
Next Steps
For the associated lab exercise, refer to the following section of the course Lab Guide:
Lab 1-1: Using the BCRAN Lab Equipment
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which of these Cisco routers can offer the highest port density?
A) Cisco 1700 Series
B) Cisco 7200 Series
C) Cisco 2600 Series
D) Cisco 3600 Series
Q2) Which of these router interfaces support the Frame Relay connection?
A) synchronous serial
B) Ethernet
C) BRI
D) asynchronous serial
Q3) What is an advantage of a fixed-configuration router?
A) You can purchase additional interfaces to expand this router.
B) You receive the router with the interfaces you requested.
C) You will be able to change the configuration in the future when your needs change.
D) Your fixed-configuration router can easily be upgraded in the future.
Q4) Asynchronous modem connections require which of these cables?
A) RJ-11 cable
B) RJ-45 cable
C) DB-15 cable
D) fiber-optic cable
Q5) How many indicator LEDs does each Ethernet port typically have?
A) 1
B) 2
C) 3
D) 4
Q6) Which indicator LED on a router typically indicates that the router is turned on?
A) The green system POWER LED
B) The green LAN ACTIVITY LED
C) The green system OK LED
D) A flashing yellow LAN COLLISION LED
Q7) What does it typically mean when the CH1 RXD indicator LED is orange and blinking?
A) the connection has a problem
B) packets are being received from the first ISDN B channel
C) packets are being received from the second ISDN B channel
D) packets are being received from the third ISDN B channel
Quiz Answer Key
Q1) B (Relates to: Cisco Remote Access Solutions)
Q2) A (Relates to: Interfaces: Fixed Interface)
Q3) B (Relates to: Interfaces: Modular Interface)
Q4) A (Relates to: Network Cabling and Assembly)
Q5) B (Relates to: Verification of Network Installation)
Q6) A (Relates to: Verification of Branch Office Installation)
Q7) B (Relates to: Verification of SOHO Installation)
Module 2
Supporting Asynchronous Modems
Overview
On completion of this module, you will have configured remote connections via asynchronous
modems.
Objectives
Upon completing this module, you will be able to:
Configure an access server for modem connectivity
Configure a modem manually for basic asynchronous operations via a reverse Telnet
Configure a router to discover the modem type automatically and configure it
Configure the router auxiliary port and modem to support remote privileged EXEC access
for configuration and remote diagnostics
Outline
The module contains these lessons:
Connecting and Operating Modems
Configuring Modems
Autoconfiguring Modems
Verifying and Debugging Modem Autoconfiguration
Connecting and Operating Modems
Overview
Modem connections can provide dialup connectivity to a router for out-of-band administration
and troubleshooting. This feature allows for a remote connection to a router in the event of
primary connection failure. This connection can also be used for dial-out networking and for
site-to-site communication. This lesson provides an overview of modem connections and their
operation.
Relevance
Using modems is an excellent option for out-of-band management of Cisco Systems routers or
dial-in connectivity. You should understand modem operation before you configure these
services.
Objectives
Upon completing this lesson, you will be able to:
Describe the modulation and demodulation process of transmitting and sending data
Select the appropriate cable for DTE and DCE connections
List and describe modem modulation standards both proprietary and public
Troubleshoot speed mismatch in modem communication
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Modem Connections and Operation
The DTE-DCE Interface
Modem Signaling—Data
Modem Signaling—Control
Modem Control Example
Modem Operation
DTE-to-DTE Wiring
RJ-45 Wiring and Cables
Working Connections
Error Control and Data Compression Standards
Modem Modulation and Standards
Modem Speed and Compression
Theoretical Speeds
Summary
Quiz
Modem Connections and Operation
This topic describes modulation and demodulation.
A Typical Modem Connection
A modem converts (modulates) outgoing digital signals from a computer to analog signals for a
conventional copper twisted-pair telephone line. When the signal reaches its destination, the
destination modem reconverts (demodulates) the incoming analog signal to a digital signal.
The outgoing analog signal generated by the modem is propagated over telephone lines until it
reaches a switch at the telco office. A device called a codec converts (codes) the analog signal
into a digital format called pulse code modulation (PCM). This signal is then routed over the
digital networks of the telco until the signal reaches the destination telco switch, where another
codec reconverts (decodes) the digital signal to analog.
The advantage of using analog lines is that no special lines or equipment are required.
However, the public switched telephone network (PSTN) local loops are all analog and are
prone to line noise and lower data rates.
Each analog-to-digital conversion introduces noise into the signal. Amplifying the signal over
long distances would also amplify any noise in the signal. Amplifying digital signals simply
means recreating the on or off state of the signal, which drastically reduces line noise. For this
reason, telco providers choose to carry data in a digital format. In telecommunications
terminology, a digital amplifier is called a regenerative repeater or simply a repeater.
Maximum data rate is usually limited to between 28.8 and 56 kbps. However, the maximum 56
kbps rate is never achieved because of current regulations and analog links.
Note
In North America, current regulations limit modem speeds to 53 kbps.
The DTE-DCE Interface
This topic describes DTE and DCE.
The DTE-DCE Interface
End devices, such as PCs, workstations, mainframe computers, and routers, are referred to as
data terminal equipment. DTEs communicate with each other through data communications
equipment such as modems, CSUs, and DSUs. (The EIA defines DCE as data communications
equipment. The International Telecommunication Union-Telecommunication Standardization
Sector [ITU-T, formerly known as CCITT] defines DCE as data circuit-terminating equipment.)
The EIA/TIA-232 standard defines the interface between DTE and DCE.
The end-to-end communication path between two DTEs consists of three segments (refer to the
figure shown): DTE-DCE, DCE-DCE, and DCE-DTE. You must administer a set of cabling
and configuration elements for each segment.
Note
The EIA/TIA-232-C (formerly known as RS-232-C) standard is the most commonly used
asynchronous interface for data communications in North America. The RS-232 standard
was first issued in 1962, and its third revision, RS-232-C, was issued in August 1969.
Although the ubiquitous D-shaped 25-pin connector (DB-25) has become the market
standard for EIA/TIA-232-C interfaces, it was not specified in the original RS-232-C
standard. Many EIA/TIA-232-C devices use other connectors, such as the DB-9 or
RJ-11/RJ-45 modular connectors. X.21 is a European standard that defines the DCE-DTE
interface. For more information on these and other standards, refer to Cisco.com or any
reliable data communications reference text.
Modem Signaling—Data
This topic describes modem signaling to transmit data.
Modem Signaling—Data
Although a DB-25 serial connector has 25 pins, only 8 pins are actually used for connecting an
access server (DTE) to a modem (DCE). The other 17 signals are not interesting, and are
ignored. You can group the eight interesting signals into three categories according to their
functionality:
Data transfer
Hardware flow control
Modem control
The figure shows the data transfer group:
TxD: Transmit data. The DTE transmits data to the DCE.
RxD: Receive data. The DTE receives data from the DCE.
GRD: Ground (pin 7). This pin provides the ground reference for voltage measurements.
Note
The signals and pins shown are for the EIA/TIA-232 specifications.
Modem Signaling—Control
This topic discusses the modem signaling control group.
Modem Signaling—Control
Modem control consists of several signals between the DTE and DCE that are used to initiate,
terminate, and monitor the status of the connection.
The figure shows the remaining two groups of interesting signals between a DTE device and a
DCE device:
Hardware flow control
— RTS: Request To Send. The DTE has buffers that are available to receive from the DCE.
— CTS: Clear To Send. The DCE has buffers that are available to take data from the DTE.
Modem control
— DTR: Data terminal ready. The DTE indicates to the DCE that it can accept an incoming call.
— CD: Carrier Detect (also referred to as data carrier detect [DCD]). The DCE has established a carrier signal with the remote DCE.
— DSR: Data set ready (pin 6). The DCE is ready for use. This pin is not used on modem connections.
Modem Control Example
This topic describes how to terminate a modem connection.
Terminating a Modem Connection
DTE-Initiated
• Router drops DTR.
• Modem must be programmed to terminate connection on loss of DTR and restore to saved settings.
DCE-Initiated
• Router detects Carrier Detect (CD) low and terminates connection.
• Modem must be programmed so that CD reflects the state of the carrier.
The figure highlights the modem control function for terminating a connection. Either the DTE
device or the DCE device may signal for the connection to be terminated. The signals that are
used for this function are DTR from the DTE or the modem recognizing the loss of the CD
signal.
When modem control is not configured properly, the following symptoms may occur:
“The modem will not hang up when I quit my session.” DTR is not dropped or recognized.
“I end up in a session belonging to someone else.” CD is not dropped or recognized.
Modem Operation
This topic describes basic modem operations.
Modem Operation
Modems perform their basic operations in one direction:
Outgoing data from an originating DTE comes into the sending modem via the TxD pin.
If the sending modem's buffer is nearly full, the modem can control flow (via hardware)
by lowering the CTS signal, thereby instructing the DTE not to use TxD.
The data is compressed using a proper algorithm (Microcom Networking Protocol-5
[MNP-5] or V.42bis), which was mutually agreed upon between the two communicating
modems when they connected initially.
The data is then packetized, where windowing, checksum, error control (using MNP-4 or
Link Access Procedure for Modems [LAPM]), and retransmission are performed.
Note
In this context, the term packetized does not refer to an IP packet or Layer 3 protocol data
unit (PDU). Packetization and compression are options.
The digital data is modulated into analog signals and sent out through the telephone
network.
When the data reaches the receiving modem, it goes through the same steps in reverse
order. The signal is demodulated, and the data is depacketized, decompressed, and
delivered to the destination DTE. The DTE can use RTS to indicate that it is unable to
receive data on the RxD pin.
DTE-to-DTE Wiring
This topic describes the pinout of a null modem cable.
DTE-to-DTE Wiring
When two DTE devices, such as an access server and a terminal, are near each other, connect
them directly without going through a telephone network and two modems. An ordinary
EIA/TIA-232 cable will not work in this case, because both DTE devices transmit on the TxD
lead (pin 2), and both expect input on the RxD lead (pin 3). A null modem cable is required for
the DTE-to-DTE connection.
Null modems crisscross DB-25 pins 2 and 3 and other corresponding pins (as shown in the
figure) so that the two DTE devices can communicate. You can configure some devices to
operate either as a DTE or a DCE. Configuring a device as a DCE usually means that it
receives data on pin 2 and transmits data on pin 3. For example, many serial printers are
configured as DCE devices so that you can connect them directly to a DTE (a PC or a terminal
server) with an ordinary EIA/TIA-232 cable. This practice eliminates the need for a null
modem connection.
RJ-45 Wiring and Cables
This topic describes the Cisco implementation of using RJ-45 ports for various connections.
RJ-45 Wiring and Cables
Cisco uses RJ-45 ports and connectors for console, auxiliary, and asynchronous port
connections. The specific pinouts to be used on an RJ-45 interface for EIA-232 are not defined
by any standards. Cisco defines the RJ-45 pinouts (shown in the figure) as DTE.
Cabling from the access server port (RJ-45) to an external device, such as a modem or terminal,
requires the use of two cabling components:
RJ-45-to-RJ-45 cable: Can be either a rollover cable (reverse pins 1-8, 2-7, 3-6, 4-5) or a
straight-through cable (1-1, 2-2, and so forth). To check whether a cable is straight-through
or rolled, hold the two connectors (the two ends of the cable) side by side. With the keys at
the back and the pins up, compare them by inspecting the color-coded wires inside the
connector. If the wires use the same colors on the same pins, it is a straight-through cable.
If the wires are a mirror image of each other, it is a rolled cable. The octal cable that is used
to connect to the asynchronous ports is the equivalent of a rolled cable.
RJ-45-to-DB-25 adapter: Also straight-through or rolled.
— Male DTE (MDTE) or female DTE (FDTE) adapter. Straight-through.
— Male DCE (MDCE) or female DCE (FDCE) adapter. Rolled.
— MMOD (male modem-style) adapter. Rolled. This adapter supports only modems that are modified from MDCE connectors by wiring DB-25 pin 8 to DSR, instead of pin 6.
Working Connections
This topic describes how to connect devices to a Cisco router.
Working Connections
This figure displays the working connections between an access server and various types of end
devices.
The auxiliary and console ports are configured as DTE devices on Cisco access servers.
Terminals are also DTE devices. As noted earlier, two DTE devices cannot be directly
connected unless the signals are rolled exactly one time. You must, therefore, roll the pins in
either the cable or the DB-25 adapters, but not both. The “formula for success” is as follows:
DTE + rolled RJ-45 cable + straight DB-25 adapter + DTE = OK
DTE + straight RJ-45 cable + rolled DB-25 adapter + DTE = OK
When connecting a DTE to a DCE, however, you should have either no rolls or two rolls in the
cable and the connector. The “formula for success” is as follows:
DTE + rolled RJ-45 cable + rolled DB-25 adapter + DCE = OK
DTE + straight RJ-45 cable + straight DB-25 adapter + DCE = OK
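The "formula for success" above, worked through pin by pin as an added example (my code, not the guide's or Cisco's): each signal a device drives is traced through the RJ-45 cable and the adapter to see whether it lands on a line the far end listens on, and the colour-based straight/rolled test from the RJ-45 Wiring and Cables topic is included. The Cisco RJ-45 DTE pinout used (1 RTS, 2 DTR, 3 TxD, 4/5 GND, 6 RxD, 7 DSR, 8 CTS), the modelling of a DCE as the mirror of a DTE, and the representation of an adapter's roll as an 8-pin map are my assumptions.

```python
"""Added example (not from the BCRAN guide): pin-level check of the RJ-45
cable / DB-25 adapter "formula for success" for DTE-DTE and DTE-DCE links.

Assumptions: Cisco RJ-45 DTE pinout 1 RTS, 2 DTR, 3 TxD, 4/5 GND, 6 RxD,
7 DSR, 8 CTS; a DCE listens on the lines a DTE drives and drives the lines
a DTE listens on; an adapter's roll is modelled as an 8-pin map on its
RJ-45 side (the DB-25 side is abstracted away).
"""

# Signal name carried on each RJ-45 pin when the port is wired as DTE (assumed).
RJ45_DTE_SIGNALS = {1: "RTS", 2: "DTR", 3: "TxD", 4: "GND", 5: "GND",
                    6: "RxD", 7: "DSR", 8: "CTS"}

# A DTE drives RTS/DTR/TxD and listens on CTS/DSR/RxD; a DCE does the reverse.
OUTPUTS = {"DTE": {"RTS", "DTR", "TxD"}, "DCE": {"CTS", "DSR", "RxD"}}

# The input line each output signal is meant to meet on the far side.
PARTNER = {"TxD": "RxD", "RxD": "TxD", "RTS": "CTS", "CTS": "RTS",
           "DTR": "DSR", "DSR": "DTR"}

# Rollover reverses pins 1-8, 2-7, 3-6, 4-5; straight-through keeps 1-1, 2-2, ...
ROLLED = {p: 9 - p for p in range(1, 9)}
STRAIGHT = {p: p for p in range(1, 9)}


def classify_by_colors(end_a, end_b):
    """The guide's visual test: hold both RJ-45 ends side by side (keys back,
    pins up). Same colours on the same pins = straight-through; a mirror
    image = rolled. Each argument lists the wire colours of pins 1 to 8."""
    if list(end_a) == list(end_b):
        return "straight"
    if list(end_a) == list(reversed(end_b)):
        return "rolled"
    return "neither"


def compose(cable, adapter):
    """Follow each pin through the cable and then through the adapter."""
    return {p: adapter[cable[p]] for p in cable}


def roll_count(cable, adapter):
    """Number of rolled components in the path: 0, 1 or 2."""
    return sum(1 for part in (cable, adapter) if part == ROLLED)


def connection_ok(left, cable, adapter, right):
    """Trace every signal the left device drives to the pin it reaches on the
    right device. The link works only if each driven signal arrives on a line
    the right device listens on, and on the line that pairs with it."""
    path = compose(cable, adapter)
    for pin, signal in RJ45_DTE_SIGNALS.items():
        if signal == "GND" or signal not in OUTPUTS[left]:
            continue
        arrives_on = RJ45_DTE_SIGNALS[path[pin]]
        if arrives_on in OUTPUTS[right]:       # two drivers on one line
            return False
        if arrives_on not in (signal, PARTNER[signal]):
            return False                       # wrong line altogether
    return True


if __name__ == "__main__":
    # Reproduce the guide's table: DTE-DTE needs exactly one roll,
    # DTE-DCE needs zero or two.
    for right in ("DTE", "DCE"):
        for cable, adapter in ((ROLLED, STRAIGHT), (STRAIGHT, ROLLED),
                               (ROLLED, ROLLED), (STRAIGHT, STRAIGHT)):
            verdict = "OK" if connection_ok("DTE", cable, adapter, right) else "no"
            print(f"DTE + {'rolled' if cable == ROLLED else 'straight'} cable + "
                  f"{'rolled' if adapter == ROLLED else 'straight'} adapter + "
                  f"{right} = {verdict} ({roll_count(cable, adapter)} rolls)")
```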
The part number for the rolled RJ-45-to-RJ-45 cable is CAB-500RJ.
When you order access servers with asynchronous ports, you must order the corresponding
cable accessories. Order one CAB-OCTAL-KIT (an 8-lead octal cable and eight male DB-25
modem connectors) for each 68-pin asynchronous connector on the access server. If the modem
uses an RJ-45 connector, order one CAB-OCTAL-ASYNC (a rolled 8-lead octal cable with RJ-45 connectors). Special adapters might be required.
Note
Connecting a modem to the console port of a router is a security risk because it initially has
no protection or security features enabled.
Cisco routers typically ship with a console and auxiliary port cabling kit that may include the
following components:
RJ-45-to RJ-45 rollover cable
RJ-45-to-DB-9 FDTE adapter (labeled TERMINAL)—primarily used to connect to a PC
being used as a console terminal
RJ-45-to-DB-25 FDTE adapter (labeled TERMINAL)—can be used to connect a computer
terminal or an older computer to the console or auxiliary port
RJ-45-to-DB-25 MDCE adapter (labeled MODEM)—used to connect the auxiliary port to
a modem.
The table presents the port types for console and auxiliary ports on Cisco routers.
Port | DB-25 | RJ-45
Console port | DCE | DTE*
Auxiliary port | DTE | DTE
*DCE in the Cisco 1700 Series
Error Control and Data Compression Standards
This topic describes error control and data compression.
Error Control and Data Compression Standards
Error Detection/Correction
• Microcom Networking Protocol (MNP)
– MNP 2–4 in public domain
– MNP 10 for cellular
• CCITT V.42
– LAPM
– MNP 4
Data Compression
• MNP-5: 2:1 ratio
• V.42bis: 4:1 ratio
• V.44: 6:1 ratio
Error detection and correction methods have been developed to ensure data integrity at any
speed. Some widely used methods include MNP and LAPM.
Compression algorithms typically require error-correction algorithms. So compression under
V.42bis and MNP-5 is usually run over LAPM or MNP-4. V.42 and V.42bis are not limited to
V.32 and V.34 modems. They can also be implemented in lower-speed equipment. The 4:1
compression ratio provided by V.42bis is theoretical and rarely achieved.
V.44 is the newest compression standard that is designed to be used by V.90. V.44 offers up to
a 6:1 compression ratio, compared to the 4:1 maximum compression from V.42bis. This 20-to-60 percent increase in throughput is due to a new compression algorithm that is optimized for
typical web content.
The modern data compression technique is analogous to the video-compression or disk-packing
algorithms that are used in computers. The compression efficiency is highly dependent on data
content. Some data (such as ASCII files) compresses readily; other data compresses very little.
Some application software supports data compression. However, it is usually better to let the
modem compress transmitted data. Data compression algorithms that operate in modem
hardware are faster than those performed by host software. If two modems have agreed on
V.42bis compression, you must disable the compression capability of the application. This
modem-provided compression means transferring data at a higher speed on the interface
between the DTE and the DCE.
Modem Modulation and Standards
This topic describes modem modulation standards.
Modem Modulation Standards
ITU standards:
• V.22: 1200 bps
• V.22bis: 2400 bps
• V.32: 9600 bps
• V.32bis: 14.4 kbps
• V.34: 28.8 kbps
• V.34 annex 12: 33.6 kbps
• V.90: 56 kbps downstream, 33.6 kbps upstream
• V.92: 56 kbps downstream, 48 kbps upstream
Proprietary methods:
• V.32 terbo: 19.2 kbps
• V.fast: 28.8 kbps
• V.FC: 28.8 kbps
• K56Flex: 56 kbps
• X2: 56 kbps
The function of a modem is to convert digital signals (DTE to DCE) into analog signals (DCE
to DCE), and vice versa. The ITU-T has defined and introduced several modem modulation
standards over the years. However, various modem manufacturers have also marketed their
own proprietary versions of modems. Interoperability among various types of modems can be a
challenge, sometimes even for modems from the same vendor.
Some of the more commonly used standards are:
The V.32bis standard supports 14.4-kbps transmit (downstream) and receive (upstream)
connections. It was finalized in July 1991.
The V.34 standard supports 28.8-kbps transmit and receive connections. It was finalized in
June 1994.
The V.34 annex 12 standard supports 33.6-kbps transmit and receive operation. If
compression is used, up to 133.8 kbps is possible if the DTE-to-DCE connection can
support this speed.
The V.90 standard supports connections with 56-kbps transmit and up to 33.6-kbps receive.
Most modem manufacturers have a V.90 product, even though the actual maximum data
rate allowed by government regulating bodies is usually 53 kbps.
The V.92 standard supports connections with 56-kbps transmit and up to 48-kbps receive. It
offers improved features such as Quick Connect, which dramatically improves the speed at
which users can connect with an Internet service provider (ISP), and Modem on Hold,
which enables users to suspend and reactivate their dialup modem connection to either
receive or initiate a telephone call. V.92 and its companion compression standard, V.44,
were officially adopted by the ITU in July 2000.
With proper configuration, V.90 modems can intelligently adapt to line conditions during a
transition. Two communicating modems will initially attempt to set up a call at 56.6 kbps. If
line conditions do not allow a transmission at this speed, the modems fall back to the next-highest speed in steps of 2.4 kbps (possibly down to 2.4 kbps if necessary). Alternatively, if
line conditions improve, the modems can increase the speed.
If you are using two V.90 modems between two routers, the maximum speed will be no greater
than 33.6 kbps. Modems operating at 33.6 kbps function under the assumption that the
connection between the user and the ISP is totally analog. Modems operating at 56 kbps treat
the telephone network as a partially digital connection. In fact, the connection between the
PSTN and the ISP must be digital to support a data transfer rate greater than 33.6 kbps.
The codec located at the PSTN converts analog signals into digital pulses and vice versa. These
digital pulses, or PCM, are transmitted at a rate of 64 kbps. A 56-kbps modem transmits and
receives data asymmetrically. The upstream is limited to 33.6 kbps. The downstream is limited
to 53333 bps in the United States by the U.S. Federal Communications Commission (FCC).
Downstream data flow is the advantage of 56 kbps and PCM. The conversion from digital to
analog causes less complication for a PCM modem (a 56-kbps modem) than the conversion
from analog to digital. A 56-kbps modem cannot establish a transfer rate greater than 33.6 kbps
downstream if more than one conversion exists on the telephone network between the ISP and
user.
Older modems negotiate a fixed transmission rate during handshaking, but after that,
communications continue at the same speed. If line quality deteriorates below a certain
threshold, the connection is lost. Older modems cannot take advantage of any increased
bandwidth later, when the line quality improves.
The access server is unaware of modulations because it is directly involved with only
DTE-to-DCE communication. However, the access server-to-modem speed must account for
modulation speed and compression ratio for optimal end-to-end performance.
Copyright © 2004, Cisco Systems, Inc.
Supporting Asynchronous Modems
2-17
Modem Speed and Compression
This topic describes how to calculate true modem speed with compression.
Modem Speeds and Compression
The speeds and compression ratios shown assume ideal conditions.
© 2004 Cisco Systems, Inc. All rights reserved.
BCRAN v2.1—2-13
The difference between the DCE-to-DCE modulation speed and DTE-to-DCE speed is often a
source of confusion. The former represents how fast the modems communicate with each other
across the telephone network. The latter represents how fast your computer communicates with
the attached modem.
In an ideal situation, to gain full benefits from compression, the DTE (for example, a PC) must
send to the DCE (a modem) at speeds matching the potential compression ratio. However, the
EIA/TIA-232 serial interface commonly found on PCs and some Macintosh computers (the
COM port) might operate considerably more slowly than the full potential speed of V.34. The
problem is that some PCs and Macs use the EIA/TIA-232 serial interface with a combination of
Universal Asynchronous Receiver/Transmitters (UARTs) and character-oriented
communications software packages, which are not reliable at higher data rates. In a PC, DTE
should be set to clock the modem at its fastest rate to take advantage of compression.
An improperly configured modem might automatically adjust DTE-to-DCE speeds to match the
established DCE-to-DCE speeds. This state is often called speed mismatch. To avoid speed
mismatch, you must lock the DTE-to-DCE speed so that it remains constant, as originally
configured. This speed-locking mechanism is called speed conversion (also known as port-rate
adjustment or buffered mode).
Theoretical Speeds
This topic describes various theoretical modem speeds.
Theoretical Speeds
This figure displays the maximum theoretical speeds possible for selected modem modulation
standards. Also displayed are the possible speeds if V.42bis compression is used with the same
standards.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• Modem connections can provide dialup
connectivity to a router for out-of-band
administration and troubleshooting.
• Modems convert outgoing digital signals to
analog, and convert incoming analog signals back
to digital.
• Cisco uses RJ-45 ports and connectors for
console, auxiliary, and asynchronous port
connections.
• Various modem standards are used, such as V.34
and V.90.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) The process of converting an analog signal into a digital format is known as _____.
A) codec
B) PCM
C) modulation
D) amplification
Q2) Which device is an example of data terminal equipment?
A) switch
B) PC
C) TSU
D) modem
Q3) Which pin provides the ground reference for modem communication?
A) 1
B) 2
C) 3
D) 7
Q4) Which DTE pin indicates to the DCE that it can accept an incoming call?
A) 4
B) 6
C) 8
D) 20
Q5) If you dial into an access server and end up in a session initiated by someone else, what
is the most likely cause?
A) DTR not being dropped
B) CD not implemented
C) DST not being raised
D) ground fault occurring in the circuit
Q6) If the sending modem buffer is nearly full, the modem can control flow by lowering
which signal?
A) RTS
B) CD
C) CTS
D) Rx
Q7) Which type of cable is used to connect two DTE devices?
A) null modem
B) rolled
C) straight-through
D) modem
Q8) If you are going to connect a PC to a router auxiliary port, which type of cable should
you use?
A) null modem
B) straight-through
C) modem
D) rolled
Q9) Which type of cable is used to connect a modem to the auxiliary port of a Cisco router?
A) null modem
B) straight-through
C) modem
D) rolled
Q10) Which type of file achieves the greatest modem compression?
A) JPEG
B) MP3
C) text
D) ZIP
Q11) Which ITU modem standard can successfully negotiate a lower speed if line conditions
deteriorate?
A) V.92
B) X2
C) 56Flex
D) V.94
Q12) What DTE speed must you set to take advantage of compression?
A) four times the modem speed
B) the modem speed
C) half of the modem speed
D) the highest possible speed that the DTE will support
Q13) What is the maximum possible speed with the V.90 standard and V.42bis compression?
A) 224000
B) 115200
C) 56000
D) 38400
Quiz Answer Key
Q1) C    Relates to: Modem Connections and Operation
Q2) B    Relates to: The DTE-DCE Interface
Q3) D    Relates to: Modem Signaling—Data
Q4) D    Relates to: Modem Signaling—Control
Q5) B    Relates to: Modem Control Example
Q6) C    Relates to: Modem Operation
Q7) A    Relates to: DTE-to-DTE Wiring
Q8) D    Relates to: Working Connections
Q9) B    Relates to: RJ-45 Wiring and Cables
Q10) C   Relates to: Error Control and Data Compression Standards
Q11) A   Relates to: Modem Modulation and Standards
Q12) D   Relates to: Modem Speed and Compression
Q13) C   Relates to: Theoretical Speeds
Configuring Modems
Overview
This lesson contains descriptions of modem configuration methods and commands.
Relevance
Modem configuration is considered to be complex and error prone. If you use modems for
dial-in or out-of-band access, this lesson will show you the basics of how to configure your Cisco
device and modem for that purpose.
Objectives
Upon completing this lesson, you will be able to:
Connect to a modem from a router using reverse Telnet
Utilize commands to determine line numbering on a Cisco router
Configure a modem using standard initialization strings
Configure a modem using nonstandard initialization strings
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Modem Connections
EXEC Connection Commands
Sample Output for the show line Command
Line Types and Numbering
Interface Asynchronous and Line Configuration
Basic Modem Configuration
Standard Modem Commands
Nonstandard Modem Commands
Modem Initialization Strings
Summary
Quiz
Modem Connections
This topic describes how to connect from a router to a modem.
Connecting to the Modem
Cisco routers support both incoming asynchronous line connections (forward connections) and
outgoing asynchronous line connections (reverse connections). For example, a remote terminal
user dialing into the router through an asynchronous line makes a forward connection. In a
reverse connection, a user connects through a router to an attached modem to configure the
modem.
A host can make reverse Telnet connections to various types of devices that are attached to a
Cisco router. Different port numbers (20xx, 40xx, and 60xx) are used because different data
type and protocol negotiations will take place for different types of devices that are attached to
the router.
The remote host must specify a particular TCP port on the router to connect with individual
lines or to a rotary group. In the lower part of the figure, the remote host makes a reverse Telnet
connection to the modem using port address 2007. Note that TCP port number 2007 specifies a
Telnet protocol connection (TCP port 2000) to line 7. The individual line number is added to
the end of the port number type.
The table displays services provided and TCP port numbers for individual lines and rotary
groups.
TCP Port Services
Services Provided                 Base TCP Port for Individual Lines   Base TCP Port for Rotary Groups
Telnet protocol                   2000                                 3000
Raw TCP protocol (no Telnet)      4000                                 5000
Telnet protocol, binary mode      6000                                 7000
XRemote protocol                  9000                                 10000
Use the transport input command to specify which protocol to allow for connections. For
example, the transport input all command allows all of the following protocols to be used for
the connection:
lat | mop | nasi | none | pad | rlogin | telnet | v120
Each of these command options can also be specified individually.
EXEC Connection Commands
This topic illustrates an example of the commands that are needed to make a reverse Telnet
connection from a router to a modem.
EXEC Connection Commands
Router>telnet [host] [port]
• Makes a connection with the Telnet protocol
Router>disconnect [session-number]
• Disconnects the specified session or all sessions
Router>Ctrl-Shift-6 x
• Suspends a session
Use the EXEC commands shown in the figure and the table to initiate and control a reverse
Telnet terminal session to a modem.
Telnet-Related Commands
telnet [host] [port] [/debug]
    Makes a Telnet connection to a host (and optionally to a certain port). You can
    specify the target host either by a host name or an IP address. The optional
    debug switch provides useful information about the connection by displaying the
    informational level of logging messages. Additionally, you can simply type the
    name of the host to which you wish to make the connection, and by default, an
    attempt to establish a Telnet session is started. The interface through which the
    connection is made provides the source IP address for that connection.
disconnect [session-number]
    Disconnects the specified connection or the most recent connection if not
    specified.
Ctrl-Shift-6 x
    To suspend the current session, simultaneously press the Ctrl, Shift, and 6
    keys, followed by the x key.
Some additional commands that are useful for controlling and using remote connections
include those shown in this table.
Additional Telnet-Related EXEC Commands
show session
    Displays the current connections (sessions) for this user. The older version of this
    command was the where command.
show users
    Displays all current users and their ports.
clear line [number]
    Resets a line/port to an idle state and disconnects any sessions associated with
    that line.
Sample Output for the show line Command
This topic describes the appropriate commands to use to determine line numbering on various
Cisco routers.
Sample Output for show line
You can use the show line command to display all types of lines and the status of each line.
The command also provides useful information about modem control and asynchronous port
configuration. The show line line-number command displays detailed information on the
specified line, which includes some useful data such as baud rate, modem state, and modem
hardware state.
The columns in the display are interpreted as follows:
Line state:
— A: Active.
— I: Inactive.
— *: Line is currently in use.
TTY: Line number. In this case, 17.
Typ: Type of line. In this case, VTY indicates a vty that is active, in asynchronous mode,
denoted by the preceding A. Other possible values are CTY (console), AUX (auxiliary
port), TTY (asynchronous terminal port), and LPT (parallel printer).
Tx/Rx: Transmit rate/receive rate of the line.
A: Indicates whether autobaud is configured for the line. A value of F indicates that
autobaud is configured; a hyphen indicates that it is not configured.
Modem: Type of modem signal that has been configured for the line. Possible values
include: callin, callout, cts-req, DTR-Act, inout, and RIisCD.
Roty: Rotary group configured for the line.
AccO, AccI: Output or input access list number configured for the line.
Uses: Number of connections established to or from the line since the system was restarted.
Noise: Number of times noise has been detected on the line since the system was restarted.
Overruns: Hardware (UART) overruns or software buffer overflows, both defined as the
number of overruns or overflows that have occurred on the specified line since the system
was restarted. Hardware overruns are buffer overruns indicating that the UART chip has
received bits from the software faster than it can process them. A software overflow occurs
when the software has received bits from the hardware faster than it can process them.
Line Types and Numbering
This topic describes the concept of line numbering for reverse Telnet among various router
platforms.
Line Types and Numbering
Line numbering varies among router platforms. TTY lines correspond to asynchronous
interfaces on a one-to-one basis; vty lines are virtual lines that are dynamically assigned to the
synchronous interfaces. Usually, vty lines are associated with incoming Telnet sessions.
In the figure shown, m refers to the number of the vty lines. For example, the vty 0 line
corresponds to line 10 on a router with eight TTY ports (con = line 0, tty = lines 1 through 8,
aux = line 9, vty = lines 10 through 14).
Connections to an individual line are most useful when a dial-out modem, parallel printer, or
serial printer is attached to that router line. To connect to an individual line, the remote host or
terminal must specify a particular TCP port on the router. If the Telnet protocol is used, that
port is 2000 plus the line number. For example:
telnet 131.108.30.40 2001
This command initiates a Telnet connection to line 1 (2000 + 1).
The following line types are used:
CON: Console port (available on all Cisco routers)
TTY: Asynchronous port.
AUX: Auxiliary port (available on most Cisco routers except the Cisco 600, 700, 800,
1000, and 1600 platforms).
VTY: Virtual terminal (for incoming Telnet, local-area transport [LAT], or X.25 packet
assembler/disassembler [PAD] connections).
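Reverse-connection port arithmetic and line numbering, as an added example that is not part of the guide or of Cisco's software: it encodes the TCP Port Services table above and the line-numbering scheme described in this topic (con = line 0, then the TTY lines, then aux, then the vty lines), so that a TCP port can be translated to a line and back. The address 131.108.30.40 and the eight-TTY router are the guide's own examples; the function names and the assumption that line and rotary-group numbers stay below 1000 are ours.

```python
"""Reverse Telnet port arithmetic and line numbering on a Cisco router.

Added example, not code from the BCRAN guide or from Cisco. The 8-TTY
router and the address 131.108.30.40 are the guide's examples; the function
names are ours, as is the assumption that line and rotary numbers < 1000.
"""

# Base TCP ports from the TCP Port Services table:
# service -> (base for individual lines, base for rotary groups)
PORT_SERVICES = {
    "Telnet protocol": (2000, 3000),
    "Raw TCP protocol (no Telnet)": (4000, 5000),
    "Telnet protocol, binary mode": (6000, 7000),
    "XRemote protocol": (9000, 10000),
}


def line_numbers(tty_count, vty_count):
    """Absolute line numbers for a platform with tty_count TTY ports and
    vty_count vty lines: con = 0, tty = 1..n, aux = n + 1, vty = n + 2 onward."""
    table = {"con": 0}
    for i in range(1, tty_count + 1):
        table[f"tty {i}"] = i
    table["aux"] = tty_count + 1
    for m in range(vty_count):
        table[f"vty {m}"] = tty_count + 2 + m
    return table


def reverse_telnet_port(service, line=None, rotary=None):
    """TCP port a remote host connects to for `service` on one line or one
    rotary group. Numbers are assumed to stay below 1000, which keeps the
    port ranges of the different services from overlapping."""
    if (line is None) == (rotary is None):
        raise ValueError("give exactly one of line or rotary")
    line_base, rotary_base = PORT_SERVICES[service]
    number = line if line is not None else rotary
    if not 0 <= number < 1000:
        raise ValueError("line or rotary number out of range")
    return (line_base if line is not None else rotary_base) + number


def decode_port(port):
    """Inverse lookup: (service, 'line' or 'rotary', number) for a TCP port,
    e.g. 2007 -> Telnet protocol to line 7."""
    for service, (line_base, rotary_base) in PORT_SERVICES.items():
        if line_base <= port < line_base + 1000:
            return service, "line", port - line_base
        if rotary_base <= port < rotary_base + 1000:
            return service, "rotary", port - rotary_base
    raise ValueError(f"TCP port {port} is not a reverse-connection port")


def reverse_telnet_command(host, line_name, tty_count=8, vty_count=5,
                           service="Telnet protocol"):
    """The EXEC command that reaches the device attached to `line_name`,
    e.g. the modem on tty 1 of an 8-TTY router: 'telnet 131.108.30.40 2001'."""
    line = line_numbers(tty_count, vty_count)[line_name]
    return f"telnet {host} {reverse_telnet_port(service, line=line)}"


if __name__ == "__main__":
    print(line_numbers(8, 5))
    print(decode_port(2007))
    print(reverse_telnet_command("131.108.30.40", "tty 1"))
```

Every base-plus-line port in the table is a TCP listener on the router, so the same table tells you which ports an access list on the router, and the transport input command on each line, should account for when reverse connections are only meant to be made from the management network.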
Interface Asynchronous and Line Configuration
This topic describes line configuration and asynchronous interface configuration.
Interface Asynchronous and Line
Configuration
There is often confusion about the difference between the interface async and line commands.
The major difference is that the interface async command lets you configure the protocol
(logical) aspects of an asynchronous port, while the line command lets you configure the
physical aspects of the same port. The async commands are internal, while the line commands
configure external characteristics of the configuration.
For example, you configure the basic modem-related parameters on a router using the line
command. However, you configure the protocol encapsulation and authentication schemes with
the interface async command.
Basic Modem Configuration
This topic describes the basic modem configuration on a Cisco router.
Basic Modem Configuration
To make a successful asynchronous connection, you must configure the modem and the router
properly.
A modem must be configured to do the following:
Perform hardware flow control.
Lock DTE speed to ensure that the modem will always communicate with the router at the
specified speed (in this case, 115.2 kbps). The router speed command sets both transmit
and receive speeds.
Hang up when you quit a session.
Have the CD signal reflect the carrier state truthfully.
On the router, use the commands in the table to configure the line to which the modem is
attached.
Line Commands
exec
    Allows the EXEC process on this line.
login
    Sets a login password on this line. Without the password, no connection is
    allowed.
password
    Sets the password to be used when logging in to this line.
flowcontrol hardware
    Uses RTS/CTS for flow control.
speed 115200
    Sets the maximum speed (in bits per second) between the modem and the router.
    The speed command sets both the transmit and receive speed.
transport input all
    Allows all protocols to be passed to the router through this line.
stopbits
    Sets the number of stop bits transmitted per byte.
modem inout
    Uses the modem for both incoming and outgoing calls.
modem dialin
    Uses the modem for incoming calls only (the default).
Note
Software flow control (xon and xoff characters) is not recommended with modems and Cisco
routers.
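A check of a line configuration against the Line Commands table, as an added example that is not Cisco's code: it parses the line stanza of an IOS configuration and reports where the line departs from what this topic calls for (hardware flow control, a locked DTE speed, a login with a password, and an explicit transport input). Both configurations in the block are constructed for this example, and the password value is a placeholder.

```python
"""Audit of a modem line configuration against the Line Commands table.

Added example, not Cisco's code. Both configurations below are constructed
for this example; PLACEHOLDER stands in for a real password.
"""
import re

# Constructed sample: a line configured as the guide describes.
GOOD_CONFIG = """\
line 1
 exec
 login
 password PLACEHOLDER
 flowcontrol hardware
 speed 115200
 stopbits 1
 modem inout
 transport input telnet
"""

# Constructed sample with the omissions the guide warns about.
WEAK_CONFIG = """\
line 1
 exec
 flowcontrol software
 modem inout
 transport input all
"""


def parse_line_block(config):
    """Commands under the first `line` stanza, indentation stripped."""
    commands, in_block = [], False
    for raw in config.splitlines():
        if raw.startswith("line "):
            in_block = True
            continue
        if in_block:
            if raw and not raw[0].isspace():   # next top-level stanza ends the block
                break
            if raw.strip():
                commands.append(raw.strip())
    return commands


def audit_line(config):
    """List of findings; an empty list means the stanza meets the guide's
    recommendations as far as this check can see."""
    cmds = parse_line_block(config)

    def has(pattern):
        return any(re.fullmatch(pattern, c) for c in cmds)

    findings = []
    if has(r"flowcontrol software.*"):
        findings.append("software flow control (xon/xoff) is not recommended with modems")
    elif not has(r"flowcontrol hardware.*"):
        findings.append("flowcontrol hardware (RTS/CTS) missing")
    if not has(r"speed \d+"):
        findings.append("DTE speed not locked with the speed command")
    if has(r"modem (inout|dialin)") and not has(r"login.*"):
        findings.append("line answers calls but has no login")
    if has(r"login.*") and not has(r"password .*"):
        findings.append("login configured without a password")
    if has(r"transport input all"):
        findings.append("transport input all: allow only the protocols this line needs")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_line(cfg) or ["no findings"])
```

The transport input finding is deliberately stricter than the table, which uses transport input all for simplicity: a modem line that only ever needs Telnet for reverse connections should accept only Telnet.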
Standard Modem Commands
This topic describes how to configure the most common modem commands.
Standard Modem Commands
Attention commands for the modem have an AT prefix. In general, each modem vendor has its
own modem command set that differs from other vendor command sets.
However, some modem commands are common among most vendors, as described in the table.
Common Modem Commands
AT&F
    Loads the factory default settings (read only).
ATS0=1
    Sets the modem to answer all incoming calls automatically on the first ring
    (recommended to be set to 2 for lines with caller ID).
AT&C1&D3
    Sets up modem control (CD and DTR).
ATS2=255
    Ignore the +++ command. The +++ characters set the modem to command mode. You
    may need to configure the far-end modem to ignore +++ because the +++ command
    issued to the near-end modem will be transmitted to the far-end modem. The far-end
    modem may interpret it and cause the connection to hang. This is a bug in the far-end
    modem. Many modems are affected.
ATE0
    When echo off is set, the modem will not echo keystrokes.
ATM0
    Turns off the external audio output from the modem.
AT&W
    Saves the modem configuration into nonvolatile memory.
Nonstandard Modem Commands
This topic describes the nonstandard modem commands for proper modem operation.
Nonstandard Modem Commands
Many modem commands are not standardized and vary from one vendor to another. The
following modem configurations and commands are essential for modems that are attached to
Cisco routers:
Hardware flow control: Use CTS and RTS.
Lock DTE speed: Sets the serial port of the modem to a fixed data transfer rate. Locking
the speed between the modem and DTE device prevents the speed from being negotiated
down during the initial call setup.
Error correction: Sets error control.
Compression: Uses the best compression algorithm that can be negotiated between the two
communicating modems.
Show configuration: Shows current modem settings.
Getting help: Shows all of the AT commands for your specific modem.
Saving the configuration: Saves the configuration you just entered in the NVRAM of the
modem.
For nonstandard modem commands, refer to the vendor user manual that comes with each
modem you have purchased.
Modem Initialization Strings
This topic describes modem initialization strings for proper modem operation.
Modem Initialization Strings
U.S. Robotics (USR) Courier
at&fs0=1&c1&d3&h1&r2&b1&m4&k1&w
Hayes Optima/Accura
at&fs0=1&c1&d2&k3&q9&w
Microcom QX4232 series
at&fs0=1&c1&d2\q3\j0\n6%c1&w
Initialization strings are used to send commands to modems before they dial out. The figure
displays some examples of modem initialization strings.
Command strings differ from vendor to vendor, model to model, and even from one firmware
version to another. Always refer to the user manual from your modem vendor for the proper
modem commands to use.
Note
A good exercise is to decode the initialization strings in the figure to see exactly what is and
what is not turned on, and to see how the command strings differ from vendor to vendor.
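A decoder for the initialization strings in the figure, as an added example that is not code from the guide or from any modem vendor: it tokenizes an AT command string, annotates the commands the Standard Modem Commands topic lists as common to most vendors (&F, S0, &C, &D, S2, E, M, &W), reports everything else as vendor-specific, and checks the string against the requirements of the Basic Modem Configuration topic that those common commands express (CD tracking carrier, hang-up on DTR drop, settings saved). The three strings are the guide's; the function names and descriptions are ours.

```python
"""Decoder for modem initialization strings.

Added example, not code from the guide or any modem vendor. The three
strings are the ones in the guide's figure; function names are ours.
"""
import re

USR_COURIER = "at&fs0=1&c1&d3&h1&r2&b1&m4&k1&w"
HAYES_OPTIMA = "at&fs0=1&c1&d2&k3&q9&w"
MICROCOM_QX4232 = r"at&fs0=1&c1&d2\q3\j0\n6%c1&w"

# One AT command: optional prefix (& \ %), a letter, optional numeric
# argument, and for S registers an optional "=value".
TOKEN = re.compile(r"([&\\%]?)([A-Za-z])(\d*)(?:=(\d+))?")


def tokenize(init_string):
    """Split 'at&fs0=1&c1...' into (command, argument, value) tuples with the
    command upper-cased: ('&C', '1', None), ('S', '0', '1'), ('&W', '', None)."""
    s = init_string.strip()
    if s[:2].upper() != "AT":
        raise ValueError("initialization string must start with AT")
    pos, tokens = 2, []
    while pos < len(s):
        m = TOKEN.match(s, pos)
        if not m:
            raise ValueError(f"cannot parse {s[pos:]!r}")
        prefix, letter, arg, value = m.groups()
        tokens.append((prefix + letter.upper(), arg, value))
        pos = m.end()
    return tokens


def describe(token):
    """Plain-language meaning of one command, for the common set only."""
    cmd, arg, value = token
    if cmd == "&F":
        return "load factory defaults"
    if cmd == "S" and arg == "0":
        return "auto-answer off" if value == "0" else f"auto-answer on ring {value}"
    if cmd == "S" and arg == "2":
        return "escape (+++) character disabled" if value == "255" else f"escape character code {value}"
    if cmd == "&C":
        return "CD reflects the real carrier state" if arg == "1" else "CD forced on"
    if cmd == "&D":
        return {"0": "DTR ignored", "1": "DTR drop returns to command mode",
                "2": "DTR drop hangs up", "3": "DTR drop hangs up and resets the modem"
                }.get(arg, f"DTR option {arg}")
    if cmd == "E":
        return "command echo off" if arg == "0" else "command echo on"
    if cmd == "M":
        return "speaker off" if arg == "0" else f"speaker mode {arg}"
    if cmd == "&W":
        return "save settings to modem NVRAM"
    return "vendor-specific: see the modem manual"


def decode(init_string):
    """[(command as written, description), ...] for a whole string."""
    out = []
    for cmd, arg, value in tokenize(init_string):
        text = cmd + arg + (f"={value}" if value is not None else "")
        out.append((text, describe((cmd, arg, value))))
    return out


def audit(init_string):
    """Findings against the guide's basic modem configuration: CD must track
    carrier (&C1), the modem must hang up when DTR drops (&D2 or &D3), and the
    settings must be saved (&W). Flow control and DTE speed locking are
    vendor-specific commands and are not checked here."""
    keys = {cmd + arg for cmd, arg, _ in tokenize(init_string)}
    findings = []
    if "&C1" not in keys:
        findings.append("&C1 missing: CD will not track the carrier")
    if not keys & {"&D2", "&D3"}:
        findings.append("&D2/&D3 missing: modem will not hang up when DTR drops")
    if "&W" not in keys:
        findings.append("&W missing: settings are not saved")
    return findings


if __name__ == "__main__":
    for name, s in (("USR Courier", USR_COURIER), ("Hayes Optima", HAYES_OPTIMA),
                    ("Microcom QX4232", MICROCOM_QX4232)):
        print(name)
        for text, meaning in decode(s):
            print(f"  {text:8} {meaning}")
        print("  findings:", audit(s) or "none")
```

Running the block shows the point of the Note: all three strings agree on the common commands (factory defaults, answer on the first ring, CD tracking carrier, hang-up on DTR drop, save), and differ only in the vendor-specific flow-control, speed-locking and error-control commands, which is exactly where the vendor manual has to be consulted.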
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• Configuring a modem is a complex task.
• Several commands can be used to determine line
numbering on a Cisco router.
• Initialization strings can differ from vendor to
vendor and model to model.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which type of connection does a remote terminal user make when dialing into the
router through an asynchronous line?
A) forward connection
B) reverse connection
C) moving connection
D) stopped connection
Q2) Which command displays all current users and their ports?
A) show people
B) show session
C) show users
D) show staples
Q3) Which command displays more detailed information on the specified line?
A) show line detailed
B) show line line-number
C) show line information detailed
D) show detailed line
Q4) What is a vty line?
A) virtual line dynamically assigned to the synchronous interface
B) permanent connection between two switches
C) very tight yellow line used for RJ-45 cables
D) a high-speed broadband connection cable
Q5) Which command lets you configure the protocol (logical) aspects of an asynchronous
port?
A) line
B) enable password
C) enable secret port
D) interface async
Q6) When in (config-line)# mode, what does the router speed command set?
A) the boot time of the router
B) the data speed of the Ethernet port
C) transmit and receive speeds
D) the amount of bandwidth that you are requesting from your service provider at
peak usage periods
Q7) What does AT stand for in modem commands?
A) at time commands
B) async T1 commands
C) autotransmit commands
D) attention commands
Q8) Which command signals are involved in hardware flow control?
A) DTE and DCE
B) VTP and FTP
C) CTS and RTS
D) OPP and POP
Q9) What do modem initialization strings do?
A) send commands to modems before they dial out
B) send e-mail attachments to modems before they dial out
C) send printer requests to the video monitor so that the modem will process them
first
D) secure a modem to the back of a computer properly
Quiz Answer Key
Q1) A    Relates to: Modem Connections
Q2) C    Relates to: EXEC Connection Commands
Q3) B    Relates to: Sample Output for the show line Command
Q4) A    Relates to: Line Types and Numbering
Q5) D    Relates to: Interface Asynchronous and Line Configuration
Q6) C    Relates to: Basic Modem Configuration
Q7) D    Relates to: Standard Modem Commands
Q8) C    Relates to: Nonstandard Modem Commands
Q9) A    Relates to: Modem Initialization Strings
Autoconfiguring Modems
Overview
Modem autoconfiguration simplifies the process of adding a modem for out-of-band
management or remote dial-in connectivity. This lesson contains descriptions of modem
autoconfiguration methods and commands to reduce the complexity of modem initialization.
Relevance
This lesson describes the process of modem autoconfiguration. Modem autoconfiguration
eliminates the process of manually issuing the initialization strings on a modem.
Objectives
Upon completing this lesson, you will be able to:
Configure modem autoconfiguration with a generic modem type
Configure modem autoconfiguration with a specified modem type
Verify the modemcap database
Configure the modemcap database with a custom modemcap
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Modem Autoconfiguration
Automatic Modem Configuration
Modem Autodiscovery
Modem Autoconfiguration: Configuring
Modem Autodiscovery: Configuring
Known Modem Initialization String
Modemcap Database
Modemcap Database Management
Modemcap Entries: Viewing
Custom Modemcap Entry: Creating and Editing
Custom Modemcap Entry: Viewing
Summary
Quiz
Modem Autoconfiguration
This topic describes modem autoconfiguration.
Using Modem Autoconfiguration
Autoconfiguration is used to:
• Configure modems without using modem
configuration commands
• Autodiscover modems
Operational areas:
• Automatic modem configuration
• Modem autodiscovery
• Modemcap database management
Modem autoconfiguration facilitates the configuration of modems on routers. To set up a
modem using modem autoconfiguration, connect the phone line and power cable to the modem,
and use the modem autoconfigure command on the line with the modem. No other setup
function is required for most modems.
You can use the modem autoconfiguration feature when you want to:
Configure a modem without sending modem configuration commands directly to the
modem
Use the asynchronous interface to autodiscover the modem type
To better understand modem autoconfiguration, consider its properties and characteristics:
Automatic modem configuration: You can configure a line to use a specified modem
type.
Modem autodiscovery: You can configure a line to automatically attempt to discover the
type of modem on the line and to use that modem configuration.
Modem capability database (modemcap file in Cisco IOS software): A modemcap is a
database of modems and their modem configuration command strings.
Automatic Modem Configuration
This topic describes the process of modem autoconfiguration.
Automatic Modem Configuration
With modem autoconfiguration,
modems:
• Are reconfigured each time the line is reset
(AT commands are sent)
• Can use a customized line configuration
• Are configured to match current line settings
With automatic modem configuration, each time a modem is reset, a chat script is executed that
sends a string of modem configuration commands (AT commands) to the modem. This modem
configuration command string is generated automatically whenever the modem is recycled.
For example, an IP dial-in modem configured with flow control would receive this command
sequence:
Return to factory defaults
Use hardware flow control
Other modem configuration commands
In addition, the line configuration may be changed if the speed specified for the modem DTE
differs from the current configuration on the line.
Modem Autodiscovery
This topic discusses modem autodiscovery in determining a specific modem model.
Modem Autodiscovery
You can configure a line to expect a specific modem model. If no modem is specified, the router
attempts to autodiscover the type of modem to which it is attached. The router determines the
type of modem by sending AT commands to the modem and evaluating the response. The
router includes a modemcap database with information on the following modems:
Codex 3260: codex_3260
U.S. Robotics Courier: usr_courier
U.S. Robotics Sportster: usr_sportster
Hayes Optima: hayes_optima
Global Village: global_village
Viva: viva
Telebit t3000: telebit_t3000
Microcom: microcom_hdms, microcom_server
NEC: nec_v34, nec_v11, nec_piafs
Cisco Systems: mica, cisco_v110
The specific modemcap entries found on a particular system will be determined by the
hardware and Cisco IOS software version that is installed.
Note
Whenever possible, configure the modem to eliminate the overhead of modem
autodiscovery.
Any modems that are not currently supported in the list can be manually added to the list to be
autodiscovered in future communication.
Here is a sample debug of how a router establishes synchronization with a modem:
RTA#
6d19h: TTY1: Line reset by "Virtual Exec"
6d19h: TTY1: Modem: IDLE->HANGUP
6d19h: TTY1: destroy timer type 0
6d19h: TTY1: destroy timer type 1
6d19h: TTY1: destroy timer type 3
6d19h: TTY1: destroy timer type 4
6d19h: TTY1: destroy timer type 2
6d19h: TTY1: dropping DTR, hanging up
6d19h: TTY1: Set DTR to 0
6d19h: tty1: Modem: HANGUP->IDLE
6d19h: TTY1: restoring DTR
6d19h: TTY1: Set DTR to 1
6d19h: TTY1: autoconfigure probe started
6d19h: TTY1: Modem command: --AT&F&C1&D2S0=1H0--
6d19h: TTY1: Modem configuration succeeded
6d19h: TTY1: Detected modem speed 38400
6d19h: TTY1: Done with modem configuration
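A summary of the debug trace above, as an added example that is not Cisco's code: it reads the trace (reproduced in the block as its input) and extracts what the router did on the line, namely the modem state transitions, the DTR drop and restore, the AT command string sent, the speed detected and whether configuration completed, then checks that outcome against what this topic describes. The checks and function names are ours.

```python
"""Summary of a modem autoconfigure debug trace.

Added example, not Cisco's code. SAMPLE_TRACE is the guide's debug output;
the parsing and the checks are ours.
"""
import re

# The guide's sample trace, used here as input.
SAMPLE_TRACE = """\
RTA#
6d19h: TTY1: Line reset by "Virtual Exec"
6d19h: TTY1: Modem: IDLE->HANGUP
6d19h: TTY1: destroy timer type 0
6d19h: TTY1: destroy timer type 1
6d19h: TTY1: destroy timer type 3
6d19h: TTY1: destroy timer type 4
6d19h: TTY1: destroy timer type 2
6d19h: TTY1: dropping DTR, hanging up
6d19h: TTY1: Set DTR to 0
6d19h: tty1: Modem: HANGUP->IDLE
6d19h: TTY1: restoring DTR
6d19h: TTY1: Set DTR to 1
6d19h: TTY1: autoconfigure probe started
6d19h: TTY1: Modem command: --AT&F&C1&D2S0=1H0--
6d19h: TTY1: Modem configuration succeeded
6d19h: TTY1: Detected modem speed 38400
6d19h: TTY1: Done with modem configuration
"""

TRANSITION = re.compile(r"tty(\d+): Modem: (\w+)->(\w+)", re.IGNORECASE)
COMMAND = re.compile(r"--(.+?)--")          # the AT string sent to the modem
DTR = re.compile(r"Set DTR to ([01])")
SPEED = re.compile(r"Detected modem speed (\d+)")


def parse_trace(text):
    """Reduce one line reset's worth of debug output to a dictionary."""
    s = {"line": None, "transitions": [], "dtr": [], "commands": [],
         "speed": None, "succeeded": False, "done": False}
    for raw in text.splitlines():
        m = TRANSITION.search(raw)
        if m:
            s["line"] = int(m.group(1))
            s["transitions"].append((m.group(2), m.group(3)))
            continue
        m = DTR.search(raw)
        if m:
            s["dtr"].append(int(m.group(1)))
            continue
        m = COMMAND.search(raw)
        if m:
            s["commands"].append(m.group(1))
            continue
        m = SPEED.search(raw)
        if m:
            s["speed"] = int(m.group(1))
        elif "Modem configuration succeeded" in raw:
            s["succeeded"] = True
        elif "Done with modem configuration" in raw:
            s["done"] = True
    return s


def check_trace(summary):
    """Findings against the outcome the guide describes: the modem returned to
    IDLE, DTR was dropped and restored, the command sent made CD track carrier
    (&C1) and hang up on DTR drop (&D2/&D3), and configuration completed with
    a detected speed."""
    findings = []
    if not summary["transitions"] or summary["transitions"][-1][1] != "IDLE":
        findings.append("modem did not return to IDLE")
    if summary["dtr"][-2:] != [0, 1]:
        findings.append("DTR was not dropped and restored")
    if not summary["commands"]:
        findings.append("no modem command was sent")
    for cmd in summary["commands"]:
        if "&C1" not in cmd.upper():
            findings.append(f"{cmd}: CD will not track carrier (&C1 missing)")
        if "&D2" not in cmd.upper() and "&D3" not in cmd.upper():
            findings.append(f"{cmd}: no hang-up on DTR drop (&D2/&D3 missing)")
    if not (summary["succeeded"] and summary["done"]):
        findings.append("modem configuration did not complete")
    if summary["speed"] is None:
        findings.append("no modem speed detected")
    return findings


if __name__ == "__main__":
    summary = parse_trace(SAMPLE_TRACE)
    print(summary)
    print(check_trace(summary) or ["trace matches the expected outcome"])
```

The same parser can be pointed at a trace captured from a line that does not come up: a missing HANGUP->IDLE transition or a trace that stops after the probe starts is the usual sign that the modem never answered the AT string at any speed the router tried.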
Modem Autoconfiguration: Configuring
This topic describes the process of configuring modem autoconfiguration.
Configuring Modem
Autoconfiguration
Configuration may include:
• Configuring modem autodiscovery
or
• Specifying a specific modem type
• Managing the modemcap database
Modem autoconfiguration includes the following tasks:
Configuring modem autodiscovery: You can configure the line to detect the type of
modem connected to the line.
Specifying a modem to be used on the line: Whenever the line resets, the line
automatically sends the correct initialization command string to the modem.
Managing the modemcap database, including:
— Viewing the types of modems that are in the modemcap database.
— Displaying and modifying modemcap entry command strings.
— Creating and viewing a variant modemcap entry.
Use the show modemcap command to view the types of modems that are in the
modemcap file. The show modemcap modem-type command allows you to view
the initialization string for the specific modem type entered.
Copyright © 2004, Cisco Systems, Inc.
Supporting Asynchronous Modems
2-51
Modem Autodiscovery: Configuring
This topic describes the commands that are used to implement modem autodiscovery.
Configuring Modem Autodiscovery
As shown in the figure, the modem autoconfigure discovery command configures modem
autodiscovery.
This command instructs the router to do the following on lines 1 through 16:
Send the AT string at various baud rates until it receives an OK
Send a variety of AT commands, attempting to receive a complete identification of the
modem identified in the router modemcap
The default modem entry is used if the router cannot determine the modem type.
If you know that your modem can be configured using an initialization string from one of these
scripts, you can issue the modem autoconfigure type type command, where type is one of the
strings in the modemcap list. Initialization proceeds more quickly if you list a specific modem
type.
Note
To eliminate the overhead of modem autodiscovery and to avoid modem configuration
ambiguity that is caused by modem autodiscovery, configure the modem type using the
autoconfigure type command whenever possible.
It may be necessary to manually configure the modem or change the modemcap database if
none of the strings properly initialize the modem.
Known Modem Initialization String
This topic describes the commands that are used to configure modem autodiscovery with a
specified modem model.
Specifying a Known Modem Initialization String
In the figure shown, the router is configured to send an initialization string for a U.S. Robotics
Sportster modem on line 1.
Modemcap Database
This topic describes the purpose of a modemcap database on a Cisco router.
Modemcap Database
You can:
• View the modemcap database
• Add entries to the modemcap database
The modemcap is a list of modems with a known set of AT configuration commands for setting
the attributes for each modem type. For example, many modems use the string AT&F to reset
the modem to its factory default attributes.
Modem attributes have a full name and a two- or three-letter abbreviation. Factory default, for
example, is also referred to as FD. For normal operation, you do not need to know these
abbreviations. If you are familiar with the modem abbreviations, you can add entries to the
modemcap database.
Modemcap Database Management
This topic describes the commands for managing the modemcap database.
Managing the Modemcap Database
The modemcap database contains entries for supported modems. Complete these tasks to
manage a modemcap database entry:
View modem entries in the modemcap database with the show modemcap command, as
shown in the figure.
View the contents of a modem modemcap entry.
Modify a modem modemcap entry.
Create a modem database entry.
Modemcap Entries: Viewing
This topic describes the concepts and commands for viewing modemcap entries.
Viewing Modemcap Modem Entries
• AT commands for a specific modem
The show modemcap command displays the modems in the modemcap database. In addition,
with the modem type specified, the command shows a complete list of the specified modem
modemcap entry that includes these fields:
Command description
Command abbreviation (with colon separator)
Command string
The figure shows the AT command string attributes and their values for the Codex 3260
modem.
The default modem type has modemcap values for a few of the most common attributes. It does
not contain strings for attributes that vary widely by modem type, such as locking speeds,
setting hardware flow control, or dealing with compression and error correction.
You can use the modemcap entry modem-name command or the show modemcap modem-name command to see the contents of a modem modemcap entry. The modemcap entry modem-name command displays modemcap values in a truncated form.
You can also create variant modemcap entries to add new modems or extend the functionality
of a modem in the modemcap database. How these entries are created is discussed in
subsequent topics in this lesson.
Custom Modemcap Entry: Creating and Editing
This topic describes the commands that are necessary to create and edit a modemcap entry.
Creating and Editing a Custom Modemcap Entry
Use the modemcap edit new-modem-name command to complete these tasks:
Add a new entry to the modemcap database. Note that in performing this task, you must specify an attribute for the new modem entry; otherwise, use modemcap entry new-modem-name without attributes.
Add new attributes to an existing modem entry in the modemcap database.
The figure displays the following uses of the modemcap edit usr_new command:
1. This command creates the usr_new entry in the modemcap database and sets the caller-id
for the usr_new modem to *U1.
2. This command locks the DTE speed on this modem.
3. This command points to another modemcap entry to be used as a template. As a result, any
value not found in the current modemcap entry is set by the template modemcap entry. In
this example, the usr_courier modemcap entry is the template. You can have up to four
layers of templates.
You can use these additional commands when creating variant modemcap entries:
Use the modemcap edit command to edit user-created modemcap entries only.
Use the show modemcap command to verify the new router modemcap entry.
Use the no modemcap entry modem-name command to remove the specified modem
from the modemcap database.
Use the no modemcap entry modem-name attribute command to remove a modem
attribute from a modem modemcap entry.
Custom Modemcap Entry: Viewing
This topic contains concepts and commands for viewing a modemcap entry.
Viewing a Custom Modemcap Entry
After configuring a modemcap entry with the modemcap edit command, use the show
modemcap modem-name command to verify the new modemcap attribute values.
The figure shows the output for the new modemcap created in the previous topic. The numbers
in the figure correspond to the numbers that are used in the previous topic with each
modemcap edit command.
Specifically, the usr_new modemcap shown in the figure is identical to the usr_courier entry
with the following exceptions:
The DTE speed lock
The caller ID field
The template
If you used the show running-config command, the usr_new information for the configuration
on the previous page would appear as a line in the configuration:
modemcap entry usr_new SPD=&B1:CID=*U1:TPL=usr_courier
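The template behaviour described in the two previous topics (values missing from usr_new are supplied by usr_courier, with at most four template layers), as an added example that is not part of the course or of Cisco IOS: a Python resolver that parses the running-config form of a modemcap entry and follows its TPL chain. The attribute values given for usr_courier and default below are constructed placeholders, not the real IOS modemcap strings.

```python
"""Resolve the effective attributes of a Cisco modemcap entry.

Added example, not Cisco IOS code.  It reads the one-line form that
'show running-config' prints for a user-created entry, for example
    modemcap entry usr_new SPD=&B1:CID=*U1:TPL=usr_courier
and fills in whatever the entry does not set from its TPL template, walking
at most the four template layers the course describes.
"""
import re
from typing import Dict

Entry = Dict[str, str]
Database = Dict[str, Entry]

# Constructed stand-ins for two built-in entries.  The attribute strings are
# illustrative placeholders, not the real IOS modemcap values.
BUILTIN: Database = {
    "default": {"FD": "&F", "AA": "S0=1"},
    "usr_courier": {"FD": "&F", "AA": "S0=1", "CD": "&C1", "DTR": "&D2",
                    "HFL": "&H1&R2", "SPD": "&B0", "TPL": "default"},
}
MAX_TEMPLATE_LAYERS = 4      # "You can have up to four layers of templates"
ENTRY_RE = re.compile(r"^\s*modemcap entry (\S+)(?:\s+(\S+))?\s*$")

# Constructed running-config snippet containing the line shown in the course.
CONFIG = """\
!
modemcap entry usr_new SPD=&B1:CID=*U1:TPL=usr_courier
!
"""


def parse_running_config(text: str) -> Database:
    """Parse 'modemcap entry NAME ATTR=VAL:ATTR=VAL...' lines into dicts."""
    entries: Database = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, attrs = m.group(1), m.group(2) or ""
        entry: Entry = {}
        for pair in filter(None, attrs.split(":")):
            key, sep, value = pair.partition("=")
            if not sep:
                raise ValueError(f"{name}: attribute {pair!r} has no '='")
            entry[key] = value
        entries[name] = entry
    return entries


def load_db(config_text: str) -> Database:
    """Built-in entries plus the user-created ones found in the config."""
    db = {name: dict(attrs) for name, attrs in BUILTIN.items()}
    db.update(parse_running_config(config_text))
    return db


def overrides(name: str, db: Database) -> Entry:
    """Attributes the entry sets itself, i.e. where it differs from its template."""
    return {k: v for k, v in db[name].items() if k != "TPL"}


def resolve(name: str, db: Database) -> Entry:
    """Effective attributes: the entry's own values first, then each template's.

    Raises ValueError for an unknown entry, a template loop, or a chain that
    needs more than MAX_TEMPLATE_LAYERS templates.
    """
    effective: Entry = {}
    chain: list = []
    current, layers = name, 0
    while current is not None:
        if current in chain:
            raise ValueError("template loop: " + " -> ".join(chain + [current]))
        if current not in db:
            raise ValueError(f"unknown modemcap entry {current!r}")
        chain.append(current)
        for key, value in db[current].items():
            if key != "TPL":
                effective.setdefault(key, value)   # most specific value wins
        current = db[current].get("TPL")
        if current is not None:
            layers += 1
            if layers > MAX_TEMPLATE_LAYERS:
                raise ValueError(f"{name}: more than {MAX_TEMPLATE_LAYERS} template layers")
    return effective


def check_db(db: Database) -> Dict[str, str]:
    """Lint every entry; returns {name: error} for those that fail to resolve."""
    problems = {}
    for name in db:
        try:
            resolve(name, db)
        except ValueError as exc:
            problems[name] = str(exc)
    return problems


if __name__ == "__main__":
    db = load_db(CONFIG)
    print("usr_new overrides:", overrides("usr_new", db))
    print("usr_new effective:", resolve("usr_new", db))
```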
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• Modem autoconfiguration simplifies the process of
adding a modem for out-of-band management or
remote dial-in connectivity.
• Automatic modem configuration executes a chat
script that sends a string of configuration
commands to the modem.
• The modem capability database is a list of modems
with a known set of configuration commands for
setting each modem type attribute.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) What is a modem chat script?
A) instructions for a modem to self-destruct
B) a string of text that defines the handshaking that occurs between two DTE devices
C) a set of commands that enable any modem to achieve a doubling of its maximum bandwidth speed
D) a session involving the video monitor, keyboard, and printer
Q2) What is a database of modems and their modem configuration command strings called in Cisco IOS software?
A) modeminfo
B) modemcap
C) modemdata
D) modemconfigs
Q3) How does the router determine the type of modem used?
A) The router sends AT commands to the modem and evaluates the response.
B) The router detects the specific modem cable used.
C) The router does not need to know the modem type.
D) The phone number dialed has a special code for the modem.
Q4) Which command is used to view the types of modems that are in the modemcap file?
A) show modem all
B) show modem types
C) show modemcap
D) show modemfile
Q5) Which command do you issue if you know that your modem can be configured using an initialization string from one of the modemcap scripts?
A) modem autoconfigure type type
B) modem configure
C) modem configureauto
D) modem type auto
Q6) Which router configuration mode is used in configuring a modem?
A) router#
B) router(config)#
C) router(config-line)#
D) router(config-if)#
Q7) Which modem string is typically used to reset the modem to its factory default attributes?
A) AT&D
B) AT&K
C) AT&H
D) AT&F
Q8) What does the modemcap database contain?
A) entries for supported printers
B) entries for supported modems
C) entries for supported switches
D) entries for supported video monitors
Q9) How do you add new modems or extend the functionality of a modem in the modemcap database?
A) by purchasing older slower modems for your network
B) by creating variant modemcap entries
C) by using different modem cables
D) by using a printer cable for a modem cable
Q10) Which command is used to add a new entry to the modemcap database?
A) router# show modemcap
B) router# config line modemcap
C) router# line modemcap
D) router# modemcap entry usr_new
Q11) After configuring a modemcap entry with the modemcap edit command, which of the following commands should be used to verify the new modemcap attribute values?
A) show modembase modem-name
B) show modemcap modem-name
C) show modemdata modem-name
D) show modeminfo modem-name
Quiz Answer Key
Q1) B (Relates to: Modem Autoconfiguration)
Q2) B (Relates to: Automatic Modem Configuration)
Q3) A (Relates to: Modem Autodiscovery)
Q4) C (Relates to: Modem Autoconfiguration: Configuring)
Q5) A (Relates to: Modem Autodiscovery: Configuring)
Q6) C (Relates to: Known Modem Initialization String)
Q7) D (Relates to: Modemcap Database)
Q8) B (Relates to: Modemcap Database Management)
Q9) B (Relates to: Modemcap Entries: Viewing)
Q10) D (Relates to: Custom Modemcap Entry: Creating and Editing)
Q11) B (Relates to: Custom Modemcap Entry: Viewing)
Verifying and Debugging Modem Autoconfiguration
Overview
After you connect the modem hardware, you may experience issues with modem
autoconfiguration. This lesson explains how to verify and debug modem autoconfiguration.
Relevance
After you configure modem autoconfiguration, it is helpful to know how to troubleshoot and
verify the proper operation in the context of dial-in and dial-out services.
Objectives
Upon completing this lesson, you will be able to:
Issue commands to debug modem autoconfiguration
Troubleshoot modem autoconfiguration
Create a chat script for modem initialization
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Verification of Modem Autoconfiguration Operation
Modem Autoconfiguration Troubleshooting
Chat Scripts for Asynchronous Lines
Summary
Quiz
Verification of Modem Autoconfiguration Operation
This topic describes the commands that are used to debug modem autoconfiguration.
Verifying Modem Autoconfiguration Operation
The debug confmodem command displays the modem configuration process. For example, the
figure shows a router modem configuration process on line 97 with a U.S. Robotics Sportster
modem attached.
You can also use these commands to verify operation:
The show line command shows the type of modem configured on a line.
The clear line command returns a line to its idle state. Normally this command returns the
line to its conventional function as a terminal line, with the interface left in a down state.
Modem Autoconfiguration Troubleshooting
This topic describes the commands that are used to troubleshoot modem autoconfiguration.
Troubleshooting Modem Autoconfiguration
Common problems with modem autoconfiguration:
• The modem does not respond.
• The modem is not recognized by modem
autodiscovery.
• There is an original modemcap entry problem.
To troubleshoot modem autoconfiguration, consider the following conditions and solutions:
Modem not responding
— Is the modem power supply connected and turned on?
— Is the power-up configuration set to factory default?
— Can you connect using reverse Telnet?
— Do you have dial tone at the phone jack?
Modem not recognized by modem autoconfigure discovery
— Use the show line command to verify the modem configuration that the line is using.
— Check to see if the Cisco router recognizes the modem.
— Use the modem autoconfigure type modem-name command.
Note
Use the show modemcap command to verify modemcap support for this modem.
Original modemcap entry problem
— If you configured your own modemcap entry, and reconfiguration appears to function, verify that the DTR attribute is not set to &D3.
Remember that you can also check the manual supplied by the modem manufacturer.
Chat Scripts for Asynchronous Lines
This topic describes the concepts and commands that are needed to create a chat script.
Chat Scripts for Async Lines
Router(config)#chat-script script-name expect-string send-string
• Modem configuration
• Dialing and remote login commands
• Failure detection
Router(config)#chat-script Central ABORT ERROR ABORT BUSY "" "ATZ" OK "ATDT \T" TIMEOUT 30 CONNECT \c
• Sample chat script
The Cisco IOS software autoconfigure feature is sufficient for most modem connections.
Occasionally, however, custom chat scripts may have to be written to perform certain tasks.
A chat script provides a way to customize how the DTE interacts with the DCE. It is a string of
text that defines the handshaking that occurs between two DTE devices or between a DTE and
its directly attached DCE. The chat script consists of expect-send pairs that define the string the
local DTE system expects to see from the remote DCE device and that specify which reply the
local system should send.
For example, you can configure chat scripts for these tasks:
Initializing the directly attached modem
Instructing the modem to dial out
Logging in to a remote system
The sample chat script command in the figure is described in the table.
Chat Script Commands
Command: Description
Central: Defines the name of this chat script as Central.
ABORT ERROR: Stops the chat script if an error is encountered.
ABORT BUSY: Stops the chat script if a busy signal is encountered.
"": Expects a null string. Therefore, expect no input string.
"ATZ": Without expecting an input string, sends the AT command to reset the modem to its stored profile.
OK "ATDT \T": When the input string OK is seen, sends the AT command to instruct the modem to dial the telephone number in the dialer string or start-chat command.
TIMEOUT 30 CONNECT: Waits up to 30 seconds for the input string CONNECT.
\c: Indicates the end of the chat script.
You can use the start-chat command to manually test a chat script on any asynchronous line
that is not currently active.
Chat scripts can also be activated by any of the following five events, each corresponding to a
different version of the script command:
Line activation: Starts a chat script on a line when the line is activated (every time a
command EXEC is started on the line).
Connection: Starts a chat script on a line when a network connection is made to the line:
triggered by outgoing traffic (reverse Telnet).
Startup: Triggered when the system starts up.
Dialer: Triggered by dial-on-demand routing (DDR).
Line reset: Triggered by asynchronous line reset.
Refer to Cisco.com for more information on chat scripts and the script command.
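The expect-send, ABORT and TIMEOUT behaviour of the Central script above, as an added example that is not part of the course or of Cisco IOS: a small Python interpreter that runs the script against a constructed fake modem so that a successful dial, a BUSY abort and a timeout can be observed offline. The fake modem, its reply delays and the 5-second default timeout used before any TIMEOUT keyword are assumptions of this example.

```python
r"""Run a Cisco-style chat script against a simulated modem.

Added example, not Cisco IOS code.  It interprets the expect-send pairs,
ABORT strings and TIMEOUT keyword of the course's Central script, with \T
replaced by the dial string and \c ending the script as the course describes.
The fake modem, its reply delays and DEFAULT_TIMEOUT are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The course's sample script, as typed after the chat-script keyword.
CENTRAL = r'Central ABORT ERROR ABORT BUSY "" "ATZ" OK "ATDT \T" TIMEOUT 30 CONNECT \c'

DEFAULT_TIMEOUT = 5          # assumed wait for an expect before any TIMEOUT keyword
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(script: str) -> List[str]:
    """Split on whitespace, keeping double-quoted strings (including "") whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(script)]


class FakeModem:
    """Constructed DCE: `replies` maps a command to (reply text, seconds until
    the reply appears).  A command not in the table never gets a reply."""

    def __init__(self, replies: Dict[str, Tuple[str, int]]):
        self.replies = replies
        self.sent: List[str] = []
        self._pending: Optional[Tuple[str, int]] = None

    def write(self, command: str) -> None:
        self.sent.append(command)
        self._pending = self.replies.get(command)

    def read(self, timeout: int) -> Optional[str]:
        """The reply text if it arrives within `timeout` seconds, else None."""
        pending, self._pending = self._pending, None
        if pending is None or pending[1] > timeout:
            return None
        return pending[0]


@dataclass
class ChatResult:
    ok: bool
    reason: str
    transcript: List[str] = field(default_factory=list)


def run_chat(script: str, modem: FakeModem, dial_string: str = "") -> ChatResult:
    tokens = tokenize(script)
    name, tokens = tokens[0], tokens[1:]
    aborts: List[str] = []
    timeout = DEFAULT_TIMEOUT
    log: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "ABORT":                  # register a string that fails the script
            aborts.append(tokens[i + 1])
            i += 2
            continue
        if tok == "TIMEOUT":                # applies to every later expect
            timeout = int(tokens[i + 1])
            i += 2
            continue
        expect = tok
        send = tokens[i + 1] if i + 1 < len(tokens) else None
        i += 2
        if expect != "":                    # "" means expect nothing from the modem
            got = modem.read(timeout)
            log.append(f"expect {expect!r}: got {got!r}")
            if got is None:
                return ChatResult(False, f"{name}: timeout ({timeout}s) waiting for {expect!r}", log)
            hit = next((a for a in aborts if a in got), None)
            if hit is not None:
                return ChatResult(False, f"{name}: abort string {hit!r} received", log)
            if expect not in got:
                return ChatResult(False, f"{name}: expected {expect!r}, got {got!r}", log)
        if send is None or send == r"\c":   # \c marks the end of the script
            break
        command = send.replace(r"\T", dial_string)
        modem.write(command)
        log.append(f"send {command!r}")
    return ChatResult(True, f"{name}: completed", log)


if __name__ == "__main__":
    good = FakeModem({"ATZ": ("OK", 0), "ATDT 5551212": ("CONNECT 33600", 20)})
    print(run_chat(CENTRAL, good, "5551212"))
    busy = FakeModem({"ATZ": ("OK", 0), "ATDT 5551212": ("BUSY", 3)})
    print(run_chat(CENTRAL, busy, "5551212"))
```

The last case in the test below shows why the course's script carries TIMEOUT 30: without it, a modem that takes 20 seconds to report CONNECT fails on the assumed 5-second default.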
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• The debug confmodem command displays the
modem configuration process.
• Use the show line command to verify the modem
configuration that the line is using.
• A chat script provides a way to customize how the
DTE interacts with the DCE.
Next Steps
For the associated lab exercise, refer to the following section of the course Lab Guide:
Lab Exercise 2-1: Configuring Asynchronous Connections with Modems
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which of the following commands displays the modem configuration process?
A) show line
B) clear line
C) show modem process
D) debug confmodem
Q2) What can a network administrator do as a last resort when troubleshooting modem autoconfiguration?
A) check the manual supplied by the router manufacturer
B) check the manual supplied by the modem manufacturer
C) check the manual supplied by the hub manufacturer
D) check the manual supplied by the switch manufacturer
Q3) A chat script provides a way to customize how the _____.
A) DTE interacts with the DTE
B) DTE interacts with the DCE
C) DCE interacts with the DTE
D) DCE interacts with the DCE
Quiz Answer Key
Q1) D (Relates to: Verification of Modem Autoconfiguration Operation)
Q2) B (Relates to: Modem Autoconfiguration Troubleshooting)
Q3) B (Relates to: Chat Scripts for Asynchronous Lines)
Module 3
Configuring PPP Features
Overview
This module reviews PPP and provides additional information on link control protocol (LCP)
options of authentication, callback, compression, and Multilink PPP (MLP).
Objectives
Upon completing this module, you will be able to:
Configure PPP features at a central site and a branch office to allow exchange of data
between the sites
Configure PAP or CHAP authentication to allow access to a secure site
Configure and verify callback and compression
Configure and verify MLP
Verify and troubleshoot an incorrect configuration so data travels as intended across the
PPP link
Outline
The module contains these lessons:
Describing PPP Features
Configuring Basic PPP
Configuring LCP Options: Authentication with PAP and CHAP
Configuring LCP Options: Callback and Compression
Configuring LCP Options: Multilink PPP
Verifying and Debugging PPP
Describing PPP Features
Overview
PPP is an RFC standard that provides interoperability among WAN devices of multiple
vendors. This WAN protocol operates at the physical and data-link layers of the Open System
Interconnection (OSI) model. This lesson describes PPP operation.
Relevance
PPP is a key WAN protocol implemented at many sites. You should understand how PPP
operates before you configure its services.
Objectives
Upon completing this lesson, you will be able to:
Describe how remote nodes can connect using PPP
Describe the properties of PPP
Compare and contrast HDLC and PPP
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Remote Node Connections
PPP Architecture
HDLC and PPP Frames
Summary
Quiz
Remote Node Connections
This topic describes how remote node connections can be made using PPP.
Remote Node Connections
Remote access is an integral part of the corporate mission. Traveling salespeople, executives,
remote office staff, and small office, home office (SOHO) users all need to communicate by
connecting to the central office LAN. The proliferation of laptops in the workplace has
increased the need to remotely access electronic information.
To support remote connections, remote node users will use network application software (FTP,
Telnet), protocol stacks (TCP/IP), and link-layer drivers (PPP) installed on their own remote
devices. The higher-layer protocols are encapsulated in the link-layer protocols (such as PPP)
when transmitted across the dialup line.
Point-to-point links between LANs, hosts, terminals, and routers can provide sufficient physical
connectivity in many application environments. Many regional and commercial network
services provide access to the Internet and point-to-point links, which provide an efficient way
to access the service provider locally.
The Internet community has adopted schemes for the transmission of IP datagrams over serial
point-to-point lines. One of the schemes, PPP, is a modern transmission method that provides
router-to-router and host-to-network connections over synchronous and asynchronous circuits.
Although PPP was designed with IP in mind, you can use PPP for other network-layer
protocols such as Internetwork Packet Exchange (IPX) and AppleTalk. Moreover, PPP supports
essential features such as dynamic address allocation, Password Authentication Protocol (PAP)
authentication, Challenge Handshake Authentication Protocol (CHAP) authentication, and
Multilink PPP (MLP).
Note
The AppleTalk Remote Access Protocol (ARA Protocol) and Serial Line Internet Protocol
(SLIP) are not used very frequently in current network configurations, and, as such, they are
not covered in this course. For additional configuration information, refer to the Cisco
Documentation CD-ROM or Cisco.com.
High-Level Data Link Control (HDLC) is the default encapsulation for ISDN and serial
interfaces on a Cisco Systems router. Although HDLC is a default encapsulation, Cisco HDLC
is not necessarily compatible with the HDLC implementations of other vendors because it
contains a network-layer protocol identifier field. PPP implementations follow open standards
and should always be compatible. Therefore, PPP is the protocol of choice when configuring
serial links in a multivendor environment.
It is important to note that PPP actually uses HDLC as a basis for encapsulating datagrams.
However, PPP is more robust than HDLC because it adds extensions (features) to the link layer.
PPP Architecture
This topic describes the PPP architecture at Layer 2 of the OSI model. PPP is an RFC standard
protocol.
PPP Architecture
PPP is a nonproprietary protocol that is defined by a series of open Internet standards called
RFC standards. For this reason, PPP is referred to as a standards-based protocol.
PPP also describes mechanisms for the following features:
Network-protocol multiplexing
Link configuration
Link-quality testing
Authentication
Header compression
Error detection
Link-option negotiation
PPP also includes these functional components:
Method for encapsulating datagrams over serial links, based on the International
Organization for Standardization (ISO) HDLC protocol (not Cisco HDLC)
Link control protocol (LCP) for establishing, configuring, and testing the data-link
connection
PPP IP Control Protocol (IPCP), for managing TCP header compression and IP address
negotiation
Authentication
Network Control Protocols (NCPs) for establishing and configuring various network-layer
protocols such as IP, IPX, and AppleTalk (for example, IPCP is the NCP for IP)
Note
Authentication level for access control is optional.
The following is a partial list of RFCs of interest for access products:
RFC 1220: “Point-to-Point Protocol Extensions for Bridging”
RFC 1332: “PPP IP Control Protocol (IPCP)”
RFC 1378: “PPP AppleTalk Control Protocol (ATCP)”
RFC 1492: “Access Control Protocol or TACACS+”
RFC 1549: “PPP in HDLC Framing”
RFC 1552: “The PPP Internetwork Packet Exchange Control Protocol (IPXCP)”
RFC 1570: “PPP LCP Extensions”
RFC 1661: “The Point-to-Point Protocol (PPP)”
RFC 1990: (Replaces RFC 1717): “The PPP Multilink Protocol (MP)”
HDLC and PPP Frames
This topic describes the similarities and differences between HDLC and PPP frames.
Comparing HDLC and PPP Frames
As mentioned earlier, the PPP frame format is based on the HDLC frame format put forth by
the ISO. But unlike the ISO HDLC frame, the PPP frame defines two additional fields. The
protocol and LCP fields are the keys to the features of PPP.
PPP can negotiate link options dynamically and can support multiple Layer 3 protocols, such as
IP, IPX, and AppleTalk. PPP accomplishes these two tasks by encapsulating Layer 3 datagrams
with a specialized frame.
The protocol field is used to identify various Layer 3 protocols, such as IP or IPX. The LCP
field allows for such features as authentication, callback, compression, and MLP. The address
field consists of a broadcast address (all ones), because there is no station address in PPP.
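The frame layout described above (all-ones address, control byte, two-byte protocol field and the FCS that follows the information field), as an added example that is not part of the course or of Cisco IOS: a Python builder and parser for PPP frames in the HDLC-like framing of RFC 1662, including the byte stuffing used on asynchronous lines. The Cisco HDLC header check (0x0F or 0x8F address with a 0x00 control byte) is a wire-format fact not stated on the page, and the LCP payload is constructed.

```python
"""Build and parse PPP frames in HDLC-like framing (RFC 1662).

Added example, not from the course or Cisco.  Frame layout on the wire:
    7E | FF | 03 | protocol (2 bytes) | information | FCS-16 (2 bytes) | 7E
The all-ones address and 0x03 control are the fields the course describes;
the async byte stuffing and the FCS follow RFC 1662.  The Cisco HDLC header
check (0x0F/0x8F address, 0x00 control) is a wire-format fact not on the page.
"""
from dataclasses import dataclass

FLAG, ESCAPE, ADDRESS, CONTROL = 0x7E, 0x7D, 0xFF, 0x03
PPPINITFCS16, PPPGOODFCS16 = 0xFFFF, 0xF0B8
# A few protocol-field values from the PPP assigned numbers.
PROTOCOL_NAMES = {0x0021: "IP", 0x002B: "IPX", 0x0029: "AppleTalk",
                  0x8021: "IPCP", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP"}

def _make_fcs_table():
    """CRC-16 table for the reflected polynomial 0x8408, as in RFC 1662."""
    table = []
    for b in range(256):
        v = b
        for _ in range(8):
            v = (v >> 1) ^ 0x8408 if v & 1 else v >> 1
        table.append(v)
    return table

FCSTAB = _make_fcs_table()

def fcs16(data, fcs=PPPINITFCS16):
    """Running FCS; over a frame that includes its own FCS it equals PPPGOODFCS16."""
    for b in data:
        fcs = (fcs >> 8) ^ FCSTAB[(fcs ^ b) & 0xFF]
    return fcs

def stuff(body):
    """Async escaping with the default ACCM: flag, escape and all control chars."""
    out = bytearray()
    for b in body:
        if b in (FLAG, ESCAPE) or b < 0x20:
            out += bytes((ESCAPE, b ^ 0x20))
        else:
            out.append(b)
    return bytes(out)

def unstuff(data):
    out, escaped = bytearray(), False
    for b in data:
        if escaped:
            out.append(b ^ 0x20)
            escaped = False
        elif b == ESCAPE:
            escaped = True
        else:
            out.append(b)
    if escaped:
        raise ValueError("dangling escape byte")
    return bytes(out)

@dataclass
class PPPFrame:
    protocol: int
    info: bytes

    def protocol_name(self):
        return PROTOCOL_NAMES.get(self.protocol, f"0x{self.protocol:04X}")

def build_frame(protocol, info):
    body = bytes((ADDRESS, CONTROL)) + protocol.to_bytes(2, "big") + bytes(info)
    fcs = fcs16(body) ^ 0xFFFF
    body += bytes((fcs & 0xFF, fcs >> 8))      # FCS goes on the wire low byte first
    return bytes((FLAG,)) + stuff(body) + bytes((FLAG,))

def header_kind(body):
    """Tell a PPP header from a Cisco HDLC header by its address/control bytes."""
    if body[:2] == bytes((ADDRESS, CONTROL)):
        return "PPP"
    if body[:1] in (b"\x0f", b"\x8f") and body[1:2] == b"\x00":
        return "Cisco HDLC"
    return "unknown"

def parse_frame(raw):
    if len(raw) < 2 or raw[0] != FLAG or raw[-1] != FLAG:
        raise ValueError("missing flag bytes")
    body = unstuff(raw[1:-1])
    if len(body) < 6:
        raise ValueError("frame too short")
    if fcs16(body) != PPPGOODFCS16:            # FCS covers header, info and FCS
        raise ValueError("bad FCS")
    kind = header_kind(body)
    if kind != "PPP":
        raise ValueError(f"not a PPP frame ({kind} header)")
    return PPPFrame(int.from_bytes(body[2:4], "big"), body[4:-2])

def frame_is_valid(raw):
    try:
        parse_frame(raw)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed LCP Configure-Request: code 1, id 1, length 4, no options.
    frame = build_frame(0xC021, bytes.fromhex("01010004"))
    print(frame.hex(), "->", parse_frame(frame))
```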
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• Point-to-point links between LANs, hosts,
terminals, and routers can provide sufficient
connectivity in many application environments.
• PPP is a nonproprietary protocol that is defined by
a series of open Internet standards.
• PPP can negotiate link options dynamically and
can support multiple Layer 3 protocols.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which upper-level protocols are supported by PPP?
A) IP
B) IPX
C) AppleTalk
D) all of the above
Q2) Which of the following protocols is referred to as a “standards-based protocol”?
A) HDLC
B) SLIP
C) ARA Protocol
D) PPP
Q3) Which field of the PPP frame identifies various Layer 3 protocols?
A) flag
B) address
C) control
D) protocol
Quiz Answer Key
Q1) D (Relates to: Remote Node Connections)
Q2) D (Relates to: PPP Architecture)
Q3) D (Relates to: HDLC and PPP Frames)
Configuring Basic PPP
Overview
You can use PPP to connect your LAN to the WAN of your service provider. This lesson
describes how to use this protocol to encapsulate both data-link layer and network layer
information over serial links and how to configure PPP.
Relevance
You may have PPP connections within your network or between your network and a service
provider. You should know how to configure the serial ports for PPP encapsulation.
Objectives
Upon completing this lesson, you will be able to:
Use the Cisco IOS software commands to configure serial interfaces using PPP
encapsulation for leased-line connections
Enable autoselection of PPP encapsulation on an asynchronous interface
Configure Layer 3 addressing on a serial interface
Describe the various LCP options for PPP
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
PPP: Enabling
PPP Session and EXEC Session
PPP and Asynchronous Interface: Enabling Commands
Autoselect
Asynchronous Interface Commands for Addressing
Summary
Quiz
PPP: Enabling
This topic describes the commands to enable PPP encapsulation.
Enabling PPP
Router(config-if)# encapsulation ppp
• Defines encapsulation type
PPP can be enabled on various types of interfaces, including synchronous, asynchronous, serial,
ISDN BRI, and ISDN PRI interfaces. The syntax to enable PPP is the same, regardless of
interface.
An example of configuring PPP on a synchronous interface would be:
Router(config)# interface serial 0
Router(config-if)# encapsulation ppp
PPP Session and EXEC Session
This topic describes the concepts of initiating PPP via an in-band PPP session and an out-of
band EXEC session.
PPP Session and EXEC Session
You can use asynchronous connections as either an in-band PPP session or an out-of-band
EXEC session.
An in-band PPP session is the most common type of connection because it provides users
access to network resources such as web servers and mail servers. You can configure PPP in-band as a dedicated session (dedicated mode) or an interactive session (interactive mode). In
dedicated mode, an interface is automatically configured for PPP connections. In interactive
mode, the user can choose between an in-band and an out-of-band session.
Generally, you will want to restrict the ability of remote users to start EXEC sessions with your
router. Typical end users do not require access to the router interface. Instead, they need a
Layer 3 protocol (IP and so on) connection to the corporate network or the Internet. In most
cases, you should force the asynchronous interface to use PPP and not allow an EXEC
connection.
To ensure that the dial-in user must run PPP on the specified line, use the async mode
dedicated command:
Router(config-if)# async mode dedicated
An out-of-band EXEC session is typically configured to allow administrators and power users
to access the router command-line interface (CLI). This feature allows remote users to log in to
the router and issue commands as if the user were connected to the console port. IP addressing
or PPP encapsulation is not necessary for this type of connection. Data is sent as asynchronous
characters.
PPP and Asynchronous Interface: Enabling Commands
This topic describes the steps that are necessary to correctly enable PPP on an asynchronous
interface.
Enabling PPP and Async Interface Commands
Router(config-if)# encapsulation ppp
• Defines encapsulation type
Router(config-if)# async mode dedicated
• Places the line in dedicated PPP mode
OR
Router(config-if)# async mode interactive
• Places the interface in interactive mode (allows an EXEC process)
To provide some flexibility to the dial-in user to start either a PPP session or an EXEC session,
use the async mode interactive command:
Router(config-if)# async mode interactive
The async mode interactive command configures the router so that it will allow the remote
host to choose either a PPP session or an EXEC session.
Enabling this feature requires two steps:
Step 1: You must configure the interface with the async mode interactive command.
Step 2: You must configure the corresponding terminal line with the autoselect command.
Autoselect
This topic describes autoselection when using multiple session types on an interface.
Autoselect
After configuring the async mode interactive command, the second step is to configure the
corresponding terminal line or lines with the autoselect ppp command:
Router(config)# line 1
Router(config-line)# autoselect ppp during-login
The PPP autoselect feature configures an access server terminal line to provide either a PPP
session or an EXEC session, based on input from the remote host. Essentially, this feature
allows the remote host to determine the session type. The access server automatically detects
which type of session is being requested, and responds accordingly.
The autoselect command permits the access server to allow an appropriate process to start
automatically when a starting character is received:
If the start character is a Return character, then the access server starts an EXEC session.
Therefore, users who want to begin an EXEC session typically must press the Return key
after establishing a dialup connection.
If the access server recognizes the start character as PPP, it will begin a session for
whichever protocol it detects. Therefore, if an end user is using a program that sends a PPP
frame, the access server will automatically start a PPP session.
Note
PPP frames always start with a flag character having the value 7E in hexadecimal (or
01111110 in binary) format.
The during-login optional parameter of the autoselect command causes the username and
password prompt to display in the remote host terminal window without the user having to
press the Return key.
After a host has established an EXEC session, the remote user can switch to a PPP session at
any time by issuing the ppp command from the privileged EXEC mode router prompt.
Note
With synchronous connections, there is no differentiation between an EXEC session and a
PPP session. Normally, the user would use the synchronous PPP connection the same as
an asynchronous PPP session. A user who needed to start an EXEC session on the router
would use Telnet to access the router CLI.
Asynchronous Interface Commands for Addressing
This topic describes how to configure Layer 3 addressing on an asynchronous interface.
Asynchronous Interface Commands for Addressing
Router(config)# interface async 1
Router(config-if)# ip address ip-address mask
• Assigns an IP address to a network interface
Router(config-if)# ip unnumbered type number
• Configures the asynchronous interface to be unnumbered
Most dialup PPP sessions are established for the purpose of sending and receiving TCP/IP
packets. Asynchronous PPP connections allow remote users to dial up and access the corporate
IP network or the Internet.
However, to participate in a TCP/IP network, the router interface must have an IP address. The
remote nodes must also be assigned an IP address.
To assign an IP address to an access server asynchronous interface, use the standard ip address
command. The following example configures the IP address of interface async 1:
Router(config)# interface async 1
Router(config-if)# ip address 10.1.1.1 255.255.255.0
Access servers can have literally hundreds of asynchronous interfaces. It is also unlikely that all
interfaces will be in use at the same time. For this reason, the IP unnumbered feature may be
used to help conserve IP addresses. Multiple asynchronous interfaces on the same router can
share the same IP address, including an address assigned by the ip unnumbered command.
When a serial or asynchronous interface is configured with the ip unnumbered command, it
does not have an IP address. Packets generated by that interface “borrow” the address of
another interface and use that as the source address. You can use the IP unnumbered feature
with point-to-point configurations only. The syntax for the ip unnumbered command is:
Router(config-if)# ip unnumbered type number
With this command, the type and number of the interface to borrow the IP address from
(ethernet 0, loopback 0, and so on) must be specified. A loopback interface is the ideal line to
use as the reference to the ip unnumbered command, because it is a virtual interface that never
goes down.
The following commands illustrate how to configure an asynchronous interface for IP
unnumbered using a loopback interface:
Router(config)# interface loopback 0
Router(config-if)# ip address 10.1.1.1 255.255.255.0
Router(config-if)# exit
Router(config)# interface async 1
Router(config-if)# ip unnumbered loopback 0
Asynchronous Interface Commands for Addressing (Cont.)
Router(config-if)# peer default ip address {address | pool pool-name | dhcp}
• Assigns an IP address to a remote node
Router(config-if)# async dynamic address
• Allows a remote user to specify the IP address
After the router interface is assigned a valid IP address, remote dial-in users must also be
assigned a valid IP address. Fortunately, PPP allows for the automatic assignment of IP
addresses using a specific address, a pool of addresses, or Dynamic Host Configuration
Protocol (DHCP). Alternatively, the access server can be configured to allow the remote host to
choose an address.
To assign a default (predefined) IP address to the remote dial-in host, use the peer default ip
address command. Additionally, the pool and dhcp arguments allow address allocation from a
local pool of addresses or a DHCP server. This example shows how to configure an
asynchronous interface to assign a specific IP address to the dial-in host:
Router(config)# interface async 1
Router(config-if)# peer default ip address 10.1.1.2
In contrast, the next example displays how to configure a group of asynchronous interfaces
(rotary group) to assign IP addresses from a locally defined pool:
Router(config)# ip local pool DIAL-IN 10.1.1.2 10.1.1.254
Router(config)# interface group-async 1
Router(config-if)# peer default ip address pool DIAL-IN
Note
The pool and dhcp options to the peer default ip address command require a global
command to create the pool of addresses. For example, ip local pool pool-name starting-address end-address.
Note
A dialer rotary group eases configuration by allowing one logical interface configuration to
apply to multiple physical interfaces. Dialer rotary groups are not covered in this course.
Dynamic addressing allows a user to specify the address at the EXEC level when making the
connection. If you specify dynamic addressing, the router must be configured with the async
mode interactive command. The user will enter the address at the EXEC level.
For example, after the remote user enters the ppp EXEC command, the access server will
prompt the user for an IP address or logical host name.
To enable this dynamic addressing feature, use the async dynamic address command in
interface configuration mode:
Router(config-if)# async dynamic address
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• Cisco IOS software commands can be used to
configure serial interfaces using PPP
encapsulation for leased-line connections.
• Asynchronous connections can be used as either
an in-band PPP session or an out-of-band EXEC
session.
• The autoselect command permits the access
server to allow an appropriate process to start
automatically when a starting character is
received.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which of the following commands will enable PPP encapsulation on a serial interface
of a Cisco router?
A) router(config)# encapsulation ppp
B) router(config-if)# encapsulation ppp
C) router(config-line)# encapsulation ppp
D) router# encapsulation ppp
Q2) Which of the following command modes is used to ensure that the dial-in user runs
PPP on the specified line?
A) router(config-if)# async mode dedicated
B) router(config-if)# sync mode dedicated
C) router(config-if)# dedicated mode sync
D) router(config-if)# ppp mode dedicated
Q3) Which of the following router command modes allows remote users to log into the
router and issue commands as if the user were connected to the console port?
A) router(config-line)# interface async 1
B) router(config-if)# encapsulation ppp
C) router(config-if)# async mode interactive
D) router(config-if)# interface async 1
Q4) When you are configuring PPP, which command permits the access server router to
allow an appropriate process to start automatically as soon as a starting character is
received?
A) autoselect
B) autoconfig
C) selectauto
D) configauto
Quiz Answer Key
Q1)
B
Relates to: PPP: Enabling
Q2)
A
Relates to: PPP Session and EXEC Session
Q3)
C
Relates to: PPP and Asynchronous Interface: Enabling Commands
Q4)
A
Relates to: Autoselect
Configuring LCP Options: Authentication with PAP and CHAP
Overview
To enhance network security, two password protocols are available with PPP. This topic covers
the concepts and configuration commands for optional PAP and CHAP authentication with
PPP.
Relevance
You can select PAP or CHAP when configuring PPP authentication. In general, CHAP is the
preferred protocol. You should know how to enable these two protocols for added network
security.
Objectives
Upon completing this lesson, you will be able to:
Describe the PPP authentication process
Enable PAP authentication with PPP
Enable CHAP authentication with PPP
Enable both CHAP and PAP authentication with PPP
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
PPP Authentication
PPP Using PAP Authentication
PAP Configuration Example
PPP Using CHAP Authentication
CHAP Configuration Example
CHAP and PAP Configuration Authentication
Summary
Quiz
PPP Authentication
This topic describes the PPP authentication process.
PPP Authentication
The flowchart in the figure displays the PPP authentication process with PAP or CHAP
security as follows:
1. When a user enters the ppp command, the system determines the type of authentication
configured. If no authentication is configured, the PPP process starts immediately.
2. If the system determines the authentication method to be used, it does one of the following:
— It checks the local database (established with the username and password
commands) to determine if the given username and password pair matches the pair
in the local database (CHAP or PAP).
— It sends an authentication request to the security server (TACACS+ or RADIUS).
3. The system checks the authentication response sent back from the security server or local
database. If the response is positive, the PPP process is started. If it is negative, the user is
rejected immediately.
PPP Using PAP Authentication
This topic describes the PAP authentication process. PAP authentication sends passwords in
plaintext.
PPP Negotiating PAP Authentication
If you have decided to use an authentication protocol, it will likely be PAP or CHAP. PAP is a
one-way authentication between a host and a router or a two-way authentication between
routers. PAP is an insecure authentication method.
When using PAP, the remote host is in control of the frequency and timing of login requests.
This situation is undesirable because the router or access server must respond to all login
requests, even the repeated attempts of a hacker to guess a username and password
combination. (This is known as a brute force attack.) PAP also sends passwords as cleartext
over the media, which means that a strategically placed packet sniffer could capture and easily
decode the password.
For more secure access control, use CHAP instead of PAP as the authentication method. You
should use PAP only when you find that hosts running legacy software may not support CHAP.
In this case, PAP is your only authentication option.
Always configure asynchronous lines to require authentication. PPP gives you the option of
requiring that callers authenticate using one of two authentication protocols, PAP or CHAP.
However, if you are using PPP over a point-to-point leased line, authentication is unnecessary
and should not be configured.
Note
Most Internet service providers (ISPs) use PAP and CHAP because of the relative
management ease and the reduced number of support calls.
PAP Configuration Example
This topic describes how to configure PAP authentication on a Cisco router.
PAP Configuration Example
In the figure shown, two routers, RouterA and RouterB, are connected across a network.
Perform the following steps to configure PAP authentication:
Step 1: On each of the interfaces, specify encapsulation ppp.
Step 2: Enable the use of PAP authentication with the ppp authentication pap command.
Step 3: Configure the router with a local username and password database, using the global
configuration command username username password password, or point it to a
network host that has that information (such as a TACACS+ server). The username
and password must match the username and password in the remote router ppp pap
sent-username command.
Step 4: Configure the router with the ppp pap sent-username command, which must match
the username username password password statement on the remote host or router.
Note that in the RouterA configuration, the ppp pap sent-username command is
used to specify the username and password information to send in the event that it
dials RouterB and is asked to authenticate. RouterB is also configured to send a
username and password for PAP, if challenged. The name included with the
username and dialer map commands is case sensitive. If the remote host name is
RouterA and you create a username entry for rta instead, authentication will fail.
Step 5: Configure IP addresses on the interfaces.
Step 6: To ensure that both systems can communicate properly, configure the dialer-map
command lines for each router. If each router is configured with a dialer-map
command, each system will know what to do with authentication issues because the
systems will have prior knowledge of each other. The dialer-map command also
contains the telephone number to dial to reach the specified router.
PPP Using CHAP Authentication
This topic describes the CHAP authentication process. CHAP authentication does not send
passwords in plaintext.
PPP Using CHAP Authentication
When using CHAP, the router sends a challenge message to the remote node after the PPP link
is established. The remote node responds with a value calculated by using a one-way hash
function, typically message digest algorithm 5 (MD5). The router checks the response against
its own calculation of the expected hash value. If the values match, the authentication is
acknowledged. Otherwise, the connection is immediately terminated. Thus, the actual username
and password are not sent over the media.
CHAP provides protection against a playback attack through the use of a variable challenge
value that is unique and unpredictable. The use of repeated challenges every 2 minutes during
any CHAP session is intended to limit the time of exposure to any single attack. The router (or
authentication server, such as TACACS+) controls the frequency and timing of the challenges.
A major advantage of the constantly changing challenge string is that the line cannot be sniffed
and played back later to gain unauthorized access to the network.
CHAP in Action—Challenge
This figure illustrates the following steps in the CHAP authentication process between the two
routers:
1. The call arrives on an interface configured for the ppp authentication chap command.
Therefore, a CHAP challenge from RouterA to the calling router RouterB is required on
this call.
2. A CHAP challenge packet is built with the following characteristics:
— “01” = challenge packet type identifier
— “id” = sequential number that identifies the challenge
— “random” = a reasonably random number
— “RouterA” = the authentication name of the challenger
3. The “id” and “random” values are kept on the access server.
4. The challenge packet is sent to the caller.
5. A list of outstanding challenges is maintained.
CHAP in Action—Response
This figure illustrates the receipt and MD5 processing of the challenge packet from the server.
The calling router processes the CHAP challenge packet in the following manner:
1. The “id” value and “random” value are fed into the MD5 hash generator.
2. The name “RouterA” is used to look up the password.
3. The password is fed into the MD5 hash generator.
The one-way hash result is then used to form a response packet containing the following:
“02” = CHAP response packet type identifier
“id” = number copied from the challenge packet
“hash” = the output from the MD5 hash generator (the hashed information from the
challenge packet)
“RouterB” = the authentication name of this caller
The result is a one-way MD5-hashed CHAP challenge that will be sent back in the CHAP
response.
CHAP in Action—Verification
This figure shows the response packet processing that occurs on the challenger.
The CHAP response packet is processed in the following manner:
1. The “id” value is used to find the original challenge packet.
2. The “id” value is fed into the MD5 hash generator.
3. The original challenge “random” value is fed into the MD5 hash generator.
4. The name “RouterB” is used to look up the password (this name can be used to identify this
session) from the local database, TACACS server, or RADIUS server.
5. The password is fed into the MD5 hash generator.
6. The hash value received in the response packet is then compared to the calculated MD5
hash value.
CHAP authentication succeeds if the calculated and the received hash values are equal.
CHAP in Action—Result
The figure illustrates the success message being sent to the calling router.
If authentication is successful, a CHAP success packet is built from the following components:
“03” = CHAP success message type
“id” = number copied from the response packet
“Welcome in” is simply a text message of some kind, meant to be a user-readable
explanation
If authentication fails, a CHAP failure packet is built from the following components:
“04” = CHAP failure message type
“id” = number copied from the response packet
“Authentication failure” or some such text message, meant to be a
user-readable explanation
The success or failure packet is then sent to the caller.
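The challenge, response, verification and result steps of the four CHAP in Action figures above, modelled end to end in Python as an added example (this is not course material or Cisco IOS code). The packet codes 01 to 04 and the MD5 input order identifier || secret || challenge follow RFC 1994; RouterA, RouterB and the shared secret are constructed sample values, and the last case shows why a response captured by a sniffer cannot be played back against a fresh challenge.

```python
"""Model of the CHAP exchange in the four "CHAP in Action" figures.

Added example, not Cisco code. Packet codes (01-04) and the MD5 input order
(Identifier || secret || Challenge Value) follow RFC 1994. RouterA, RouterB
and the shared secret are constructed sample values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # CHAP Code field values


@dataclass(frozen=True)
class ChapPacket:
    code: int
    identifier: int
    value: bytes  # challenge: the random value; response: the MD5 hash; else empty
    name: str     # sender's authentication name, or the text of a success/failure message


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """One-way hash the peer must reproduce: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The challenger (RouterA in the figures)."""

    def __init__(self, name: str, secrets: dict, rng=os.urandom):
        self.name = name
        self.secrets = secrets        # local username database: peer name -> password
        self.rng = rng
        self.outstanding = {}         # list of outstanding challenges, keyed by id
        self.next_id = 0

    def challenge(self) -> ChapPacket:
        """Build a challenge packet and remember its id and random value."""
        ident = self.next_id
        self.next_id = (ident + 1) % 256
        random_value = self.rng(16)
        self.outstanding[ident] = random_value
        return ChapPacket(CHALLENGE, ident, random_value, self.name)

    def verify(self, resp: ChapPacket) -> ChapPacket:
        """Recompute the hash from the stored challenge and compare; answer 03 or 04."""
        # The id locates the original challenge; each challenge is usable once.
        random_value = self.outstanding.pop(resp.identifier, None)
        secret = self.secrets.get(resp.name)   # resp.name ("RouterB") selects the password
        if random_value is not None and secret is not None:
            expected = chap_hash(resp.identifier, secret, random_value)
            if hmac.compare_digest(expected, resp.value):
                return ChapPacket(SUCCESS, resp.identifier, b"", "Welcome in")
        return ChapPacket(FAILURE, resp.identifier, b"", "Authentication failure")


class Peer:
    """The caller (RouterB in the figures)."""

    def __init__(self, name: str, secrets: dict):
        self.name = name
        self.secrets = secrets        # challenger name -> password

    def respond(self, chal: ChapPacket) -> ChapPacket:
        """Hash id, random value and the password looked up by the challenger's name."""
        secret = self.secrets[chal.name]
        digest = chap_hash(chal.identifier, secret, chal.value)
        return ChapPacket(RESPONSE, chal.identifier, digest, self.name)


def demo() -> dict:
    """Correct password, wrong password, and a replay of a captured response."""
    secret = b"sample-shared-secret"  # constructed; identical at both ends
    server = Authenticator("RouterA", {"RouterB": secret})
    good = Peer("RouterB", {"RouterA": secret})
    wrong = Peer("RouterB", {"RouterA": b"wrong-password"})

    first = good.respond(server.challenge())
    results = {"good": server.verify(first).code}
    results["wrong"] = server.verify(wrong.respond(server.challenge())).code

    # A sniffer that captured `first` cannot reuse it: the new challenge carries
    # a different id and random value, so the old hash no longer verifies.
    new_chal = server.challenge()
    replay = ChapPacket(RESPONSE, new_chal.identifier, first.value, "RouterB")
    results["replay"] = server.verify(replay).code
    return results


if __name__ == "__main__":
    print(demo())  # {'good': 3, 'wrong': 4, 'replay': 4}
```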
CHAP Configuration Example
This topic describes how to configure CHAP authentication on a Cisco router.
Configuring CHAP Example
Configuring CHAP is straightforward. As with the PAP example, RouterA and RouterB are
connected across a network. Use the following steps as a guide to configuring CHAP
authentication:
Step 1: On each of the interfaces, specify the encapsulation ppp command.
Step 2: Enable the use of CHAP authentication with the ppp authentication chap
command.
Step 3: You must also configure the usernames and passwords. Use the command username
username password password, where username is the hostname of the peer.
The passwords must be identical at both ends.
The router name and password are case sensitive.
Router(config)# username username password password
Step 4: Configure the router with a local username/password database, using the global
configuration command username username password password, or point it to a
network host that has that information (such as a TACACS+ server). By default, the
router uses its hostname to identify itself to the peer. Therefore, the username must
match the remote host hostname.
However, if you want the router to send a different username and password, you have the
option of specifying this username and password with the commands:
Router(config-if)# ppp chap hostname name
Router(config-if)# ppp chap password password
Step 5: Configure IP addresses on the interfaces.
CHAP and PAP Configuration Authentication
This topic describes how to configure both CHAP and PAP authentication on a Cisco router.
Configuring CHAP and PAP Authentication
Router(config-if)# ppp authentication pap chap
• Enables both CHAP and PAP, and performs PAP authentication before CHAP
or
Router(config-if)# ppp authentication chap pap
• Enables both CHAP and PAP, and performs CHAP authentication before PAP
Both PAP and CHAP authentication can be configured on an interface. The first method
specified is requested during link negotiation. If the peer suggests using the second method or
simply refuses the first method, then the second method will be tried. This command can be
useful because some remote devices support only CHAP and others only PAP.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• PAP authentication sends passwords in plaintext.
• CHAP authentication sends passwords in
encrypted text.
• Both PAP and CHAP authentication can be
configured on an interface.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) During the PPP authentication process, and after the system checks the authentication
response sent back from the security server or local database, what happens if the
response is positive?
A) The user is rejected immediately.
B) Nothing occurs.
C) The PPP process is started.
D) The user is prompted for a credit card authorization code.
Q2) Which authentication protocol would be used if you have decided to use an
authentication protocol on your router?
A) POP
B) CHAP
C) TFTP
D) ICMP
Q3) Which command is used to enable the use of PAP authentication on a Cisco router?
A) pap authentication ppp
B) chap authentication ppp
C) ppp authentication chap
D) ppp authentication pap
Q4) Which Cisco router authentication protocol provides protection against a playback
attack through the use of a variable challenge value that is unique and unpredictable?
A) PAP
B) TFTP
C) CHAP
D) ICMP
Q5) Which two information items in the local database are essential in configuring the
CHAP authentication protocol?
A) username and user password
B) username and user phone number
C) username and user birthday
D) username and user hire date
Q6) Which of the following commands enables both PAP and CHAP authentication on an
interface, but performs CHAP authentication before PAP authentication?
A) router(config-if)# ppp authentication pap chap
B) router(config-if)# pap authentication chap ppp
C) router(config-if)# ppp authentication chap pap
D) router(config-if)# chap authentication pap ppp
Quiz Answer Key
Q1)
C
Relates to: PPP Authentication
Q2)
B
Relates to: PPP Using PAP Authentication
Q3)
D
Relates to: PAP Configuration Example
Q4)
C
Relates to: PPP Using CHAP Authentication
Q5)
A
Relates to: CHAP Configuration Example
Q6)
C
Relates to: CHAP and PAP Configuration Authentication
Configuring LCP Options: Callback and Compression
Overview
When you can create PPP connections, you may want to take advantage of other PPP LCP
options. These options include PPP callback and several types of compression. This lesson
explains how to configure a PPP callback server and a PPP callback client, and how to enable
various types of compression.
Relevance
The callback feature can be useful to control access and toll costs between hosts because only
the two authenticated hosts will participate in the WAN connection. Compression is valuable
for maximizing limited capacity on a WAN link.
Objectives
Upon completing this lesson, you will be able to:
Describe how to implement and configure PPP callback
Configure a PPP callback server using Cisco IOS commands
Configure a PPP callback client using Cisco IOS commands
List and describe the various compression schemes supported by Cisco routers
Configure compression using Cisco IOS commands
Identify that compression is occurring using show commands
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
PPP Callback Overview
Asynchronous Callback Operation Flowchart
PPP Callback Operation
Asynchronous Callback Line and Interface Commands
PPP Callback Client Configuration
PPP Callback Server Configuration
Compression and PPP
Compression Configuration
Compression Verification
Summary
Quiz
PPP Callback Overview
This topic describes the PPP callback configuration.
PPP Callback Implementation Considerations
PPP callback is an LCP option used over dialup links. PPP callback provides a client/server
relationship between the endpoints of a point-to-point connection. PPP callback allows a dialup
client to request that a dialup server call back. The callback feature can be used to control
access and toll costs between hosts.
When PPP callback is configured on two routers, the calling router (the callback client) passes
authentication information to the remote router (the callback server), which uses the host name
and dial string authentication information to determine whether or not to place a return call. If
the authentication is successful, the callback server disconnects, and then places a return call.
The remote username of the return call is used to associate it with the initial call so that the
packets can be transmitted.
Both routers on a point-to-point link must be configured for PPP callback. One router must
function as a callback client; the other router must be configured as a callback server. The
callback client must be configured to initiate PPP callback requests. The callback server must
be configured to accept PPP callback requests and place return calls.
When the client router dials the initial call, the router hold-queue timer is started. Calls to this
destination will not be made again until the hold-queue timer expires. The timer is stopped if
PPP LCP negotiation is successful or if the call fails.
Note the following regarding rotary groups including ISDN:
If the enable time is too long and another user dials into the last interface before the enable
timer expires, the return call will never be made.
If an interesting packet arrives at the server during the enable time, the dialer may use the
last interface for the interesting packet and the return call will never be made.
When planning to implement PPP callback, consider the following:
Authentication is required for callback to be successful.
The dialer enable-timeout command specifies the time in seconds that the Cisco IOS
software waits before the next call can occur on the specific interface. This value must be
greater than the serial pulse interval for the interface that is set using the pulse-time
command. Acceptable values are positive, nonzero integers.
The dialer hold-queue timeout command determines how long to wait before the client
can make another call to the same destination. The server must make the return call before
the client hold-queue timer expires to prevent the client from trying again and possibly
preventing the return call from being connected.
The hold timer on the callback client should be approximately four times longer than the server
hold-queue timer.
Note: The dialer redial command could also be used to customize the number of redial attempts and the interval between redial attempts.
Building Cisco Remote Access Networks (BCRAN) v2.1
Copyright
2004, Cisco Systems, Inc.
Asynchronous Callback Operation Flowchart
This topic describes the general steps that occur during a typical PPP callback exchange.
Asynchronous Callback Operation Flowchart
© 2004 Cisco Systems, Inc. All rights reserved.
BCRAN v2.1—3-3
The asynchronous callback feature supports EXEC, PPP, and ARA Protocol sessions. The main
motivation for callback is telephone bill consolidation and dialup cost savings. Although
asynchronous callback is not positioned as a security feature, it enforces security by making
callbacks only to telephone numbers assigned in the authentication database. The incoming
calls go through the normal login process and must pass authentication before callback can
occur.
The callback feature employs a two-pass process:
On the first pass the callback engine determines which target line to use for callback to the
remote user and then hangs up on the incoming line. Then the callback engine dials back to
the remote user through the target line using the dial string provided.
On the second pass the callback engine proceeds normally as if there is no callback.
Note: To make callback work properly, you must make sure that callback is configured for each autoselect protocol (PPP, SLIP, or ARA Protocol) that is defined for any given remote user. Otherwise, the remote dial-in autoselect process may work, but no callback will occur.
PPP Callback Operation
This topic describes the steps that occur during a typical PPP callback exchange.
PPP Callback Operation
PPP callback operation consists of the following steps:
Step 1: The callback client initiates the call. The client requests callback using the callback option during the PPP LCP negotiation phase.
Step 2: The callback server acknowledges the callback request and checks its configuration to verify that callback is enabled.
Step 3: The callback client and server authenticate using either CHAP or PAP authentication. The username identifies the dial string for the return call.
Step 4: After successful initial authentication, the callback server router identifies the callback dial string. The callback server compares the username of the authentication to the host name in a dialer map table. The dial string can be identified by a mapping table or by the Callback Option Message field during PPP LCP negotiations. The Callback Option Message field is defined in RFC 1570.
If the commands dialer callback-secure, ppp callback accept, and ppp authentication pap or ppp authentication chap are enabled on an interface, all calls answered on that interface are disconnected after authentication, and the callback server proceeds with Steps 5 through 8.
If the dialer callback-secure command is not enabled, the callback server will maintain the initial call if the authenticated username is not configured for callback.
Step 5: The callback server rejects the initiating call. Therefore, there is no cost to the calling party.
Step 6: The callback server uses the dial string to initiate the callback. If the return call fails, no additional calls are attempted. Callback is not negotiated on the return call.
Step 7: If the return call succeeds, authentication occurs.
Step 8: The connection is established, and data is exchanged.
Asynchronous Callback Line and Interface Commands
This topic describes the commands that are used for enabling asynchronous PPP callback on
the callback server.
Asynchronous Callback Line/Interface Commands
Router(config-if)# ppp callback accept
Router(config-if)# ppp callback initiate
Router(config)# line line-number
Router(config-line)# callback forced-wait seconds
Router(config-line)# script callback script-name
• On the callback server
The asynchronous line configurations or asynchronous interface commands for PPP callback
are shown in the table.
PPP Callback Commands
ppp callback accept: This interface command allows the specified interface to accept a callback request initiated from a remote node (per RFC 1570).
ppp callback initiate: This interface command allows the router to initiate a callback to a remote node when the remote node is capable of putting itself in an answer mode for callback.
callback forced-wait seconds: This line command allows an additional wait (in seconds) before the callback chat script is applied to the outgoing target line. This option accommodates modems that require a longer “resting” period before any input can be accepted again.
script callback script-name: This line command specifies a chat script to issue AT commands to the modem during a callback attempt made to the target asynchronous line. This command is used for EXEC and PPP callbacks.
PPP Callback Client Configuration
This topic describes the commands that enable PPP callback on the callback client.
PPP Callback Client Configuration
To configure client PPP callback so that all calls over this interface will request callback,
perform the following tasks:
Step 1: Configure PPP on the serial or ISDN interface.
Step 2: Set up a dialer map with the dialer map ip and dialer-group commands. Be sure that the dialer map command has a name field with the correct name of the server. In this example, the server is named RouterB.
Step 3: Configure the router interface as the callback client using the ppp callback request command.
Step 4: Set the authentication to CHAP using the ppp authentication chap command.
Note: You can use the optional dialer hold-queue timeout or dialer redial commands to specify the number of seconds that the callback client waits for a return call from the callback server.
PPP Callback Server Configuration
This topic describes the commands that are used to configure PPP callback on the callback
server.
PPP Callback Server Configuration
To configure PPP callback for a server, perform the following steps:
Step 1: Configure IP on the dial-in line.
Step 2: Use the dialer callback-secure command to disconnect calls that are not properly configured for callback. If the username specified in the dialer map command is not authorized for callback, the call will be disconnected. If the dialer callback-secure command is not configured, it will allow both callback and noncallback clients.
Step 3: Configure the dialer map including a map class “DialMeBack” to establish PPP callback.
Step 4: Use the ppp callback accept command to enable callback.
Step 5: Define the PPP authentication method with the ppp authentication chap command.
Step 6: Configure the dialer callback-server username command in a dialer map class to identify the name used in the dialer map as a valid callback client.
When the callback client router dials in and is authenticated, the call will be disconnected. For
example, in the figure, a return call will be made to 555-5678 as configured by the dialer map
command. The dialer map command identifies the map class to be used for this connection.
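The server-side decision described in Step 4 of the PPP callback operation and in the server configuration steps above, modeled as an added Python example written for this section (it is not Cisco IOS code and not part of the original course). It assumes a CHAP username table, a dialer map table keyed by host name, a map-class flag standing in for the dialer callback-server username command, and a place_call callable standing in for the outgoing return call; the user names, secrets and the 555-0000 number are constructed sample values, while 555-5678 is the return number from the figure. The point the model makes explicit is that the number dialed back always comes from the server's own dialer map for the authenticated name, and that with dialer callback-secure an authenticated peer that is not configured for callback is simply disconnected rather than kept on the initial call.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List
import hmac


@dataclass
class MapClass:
    """Stands in for a dialer map-class; the flag models 'dialer callback-server username'."""
    name: str
    callback_server_username: bool = False


@dataclass
class DialerMap:
    """One 'dialer map' entry: host name, the number the server calls back, and its map class."""
    hostname: str
    dial_string: str
    map_class: MapClass


@dataclass
class CallbackServer:
    users: Dict[str, str]                 # CHAP usernames and secrets (constructed sample data)
    dialer_maps: Dict[str, DialerMap]     # keyed by host name, as the dialer map table is
    place_call: Callable[[str], bool]     # stands in for the outgoing return call
    callback_secure: bool = True          # whether 'dialer callback-secure' is configured
    attempted: List[str] = field(default_factory=list)   # numbers the server dialed back
    log: List[str] = field(default_factory=list)

    def handle_incoming_call(self, username: str, secret: str) -> str:
        # Step 3: the caller must authenticate before any callback decision is made.
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected, secret):
            self.log.append(f"{username}: authentication failed, call dropped")
            return "rejected"

        # Step 4: the dial string comes from the server's own dialer map, keyed by the
        # authenticated username, never from anything the caller supplied.
        entry = self.dialer_maps.get(username)
        if entry is None or not entry.map_class.callback_server_username:
            if self.callback_secure:
                self.log.append(f"{username}: not configured for callback, disconnected (callback-secure)")
                return "disconnected"
            self.log.append(f"{username}: not configured for callback, initial call maintained")
            return "maintained"

        # Steps 5 and 6: drop the initiating call and place exactly one return call.
        self.log.append(f"{username}: initial call rejected, calling back {entry.dial_string}")
        self.attempted.append(entry.dial_string)
        if self.place_call(entry.dial_string):
            return "callback-connected"   # Steps 7 and 8 follow on the return call
        return "callback-failed"          # no further attempts are made


def sample_server(callback_secure: bool = True, return_call_succeeds: bool = True) -> CallbackServer:
    """Build a server with constructed sample data: RouterA is a callback client,
    RouterC is a valid PPP peer that is not configured for callback."""
    dial_me_back = MapClass("DialMeBack", callback_server_username=True)
    plain = MapClass("NoCallback")
    return CallbackServer(
        users={"RouterA": "chap-secret-A", "RouterC": "chap-secret-C"},
        dialer_maps={
            "RouterA": DialerMap("RouterA", "555-5678", dial_me_back),
            "RouterC": DialerMap("RouterC", "555-0000", plain),
        },
        place_call=lambda number: return_call_succeeds,
        callback_secure=callback_secure,
    )


if __name__ == "__main__":
    server = sample_server()
    print(server.handle_incoming_call("RouterA", "chap-secret-A"))   # callback-connected
    print(server.handle_incoming_call("RouterA", "wrong-secret"))    # rejected
    print(server.handle_incoming_call("RouterC", "chap-secret-C"))   # disconnected
    print(*server.log, sep="\n")
```

Running sample_server(callback_secure=False) instead shows the noncallback peer being kept on the initial call, which is the behaviour Step 2 of the server configuration warns about.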
Compression and PPP
This topic describes the various compression schemes that are available on Cisco routers.
Supported Compression Algorithms
• Predictor
• Stacker
• MPPC
• TCP header
Cisco routers can also maximize performance using data compression, enabling higher data
throughput across the link, especially for low-speed links.
Cisco compression schemes are as follows:
Predictor: Determines if the data is already compressed. If the data is compressed, the data
is sent. No time is wasted trying to compress data that is already compressed.
Stacker: A Lempel-Ziv (LZ)-based compression algorithm looks at the data and sends
each data type only once. The data type includes information about where the type occurs
within the data stream. The receiving side uses this information to reassemble the data
stream.
MPPC: MPPC Protocol (RFC 2118) allows Cisco routers to exchange compressed data
with Microsoft clients. MPPC uses an LZ-based compression algorithm.
TCP header compression: This type of compression, also known as Van Jacobson
compression, is used to compress only the TCP headers.
Compression is an option that is negotiated by LCP. Therefore, if the remote party that is being
called is not configured for compression, no compression will take place.
The highest compression ratio is usually reached with highly compressible text files.
Compressed files such as Joint Photographic Experts Group (JPEG) graphics or Motion Picture
Experts Group (MPEG) files, or files that were compressed with software such as PKZIP or
StuffIt, will be compressed only 1:1 or less.
If you frequently transfer already-compressed data, such as graphics and video, you must
consider global compression. Trying to further compress already-compressed data can take
longer than transferring the data without any compression at all. Ideally, you can attain 2:1 or
3:1 compression for information that has not already been compressed. Expect an average of
1.6:1 compression for mixed compressed and uncompressed source data.
Typically, you should configure compression only on low-speed links because the router
compresses data using software, which requires router CPU time and memory. Some
algorithms are more memory intensive, while others are more CPU intensive. For example:
More CPU intensive: Stacker, MPPC
More memory intensive: Predictor
Memory-intensive algorithms require an extra memory allowance. CPU-intensive algorithms
require more CPU cycles. In either case, the ability of the router to route packets is impaired by
the drain on its resources.
You should take memory and CPU usage into consideration when you are implementing
compression on a specific router. Some routers with slow CPUs or inadequate memory can be
overloaded when configured to compress traffic. If you are using a Cisco 2500 Series or faster
processor router, either of these methods should be acceptable if you have sufficient memory in
the router. Use caution with smaller systems that have less memory and slower CPUs, and
ensure that you are not overloading the router.
Cisco recommends that you disable compression if the CPU load exceeds 65 percent. To
display the CPU load, use the show process cpu command.
Predictor compression is recommended when a bottleneck is caused by a high load on the
router. Stacker compression is recommended when the bottleneck is caused by bandwidth
limitations on a line.
Compression Configuration
This topic discusses the commands that enable compression on a Cisco router.
Compression Configuration
• Interface Compression Algorithms
Router(config)# int serial2
Router(config-if)# compress {predictor | stac | mppc}
• TCP Header
Router(config)# int async 2
Router(config-int)# ip tcp header-compression
Router(config)# int async 2
Router(config-int)# ip tcp header-compression passive
Configuring for compression is simple. From the interface, issue the compress predictor,
compress stac, compress mppc, or ip tcp header-compression command on both sides of the
link.
TCP header compression is an option negotiated by LCP. The TCP header compression
technique is described in RFC 1144.
TCP header compression is supported on serial lines that use HDLC, PPP, or SLIP
encapsulation. You must enable TCP header compression on both ends of the connections for it
to work. Only TCP headers are compressed. User Datagram Protocol (UDP) headers are not
affected. Header compression is useful on networks with a large percentage of small packets,
such as those supporting many Telnet connections.
Configure TCP header compression by using the ip tcp header-compression command. The
optional ip tcp header-compression passive command specifies that TCP header compression
is not required but will be used if the router receives compressed headers from its link partner.
Note: Cisco IOS software includes the PPP commands ppp compression predictor and ppp compression stacker. Using these commands has exactly the same effect as using the compress predictor and compress stac commands, respectively. For example, if you enter the ppp compression stacker command, it will appear as compress stac in the configuration file.
Compression Verification
This topic describes the commands that are used to verify compression activity.
Using the show compress Command
Verify compression by using the show compress command in privileged EXEC mode to view
compression statistics. This example shows report statistics for an interface that is configured
with Stacker compression. The report includes the number of compressed bytes that are
received and transmitted by the interface.
Uncompressed Bytes
This line provides an uncompressed byte count of compressed data. It does not include packets
that cannot be compressed.
uncompressed bytes xmt/rcv 81951/85500
Throughput Ratio
The next section of output is a ratio of the data throughput gained or lost in the compression
routine. Any number less than one (1) indicates that the compression is actually slowing down
the data throughput. It does not reflect the data compressibility.
1 min avg ratio xmt/rcv 0.789/0.837
5 min avg ratio xmt/rcv 0.789/0.837
10 min avg ratio xmt/rcv 0.789/0.837
Buffer Allocation
This line indicates the number of times the compression routine was not able to allocate a
buffer to compress or decompress a packet:
no bufs xmt 0 no bufs rcv 0
Bytes Transmitted
The uncompressed value is the amount of data that could not be compressed and that the router
sent in an uncompressed format. The compressed value is the byte count of the data after
compression. The sum of these two values represents the actual number of bytes that are
transmitted on the interface, minus the Layer 2 encapsulation overhead.
Transmit bytes: Uncompressed = 28049 Compressed= 65745
Bytes Received
The compressed value is the byte count of the compressed data received. The uncompressed
value is the amount of data received in uncompressed format. The sum of these two values
represents the actual byte count received on the interface, minus the Layer 2 encapsulation
overhead.
Received bytes: Compressed = 74738 Uncompressed= 0
Interpreting the show compress Command Output
From this output, the following calculations can be made:
Total amount of data to be transmitted before applying the compression routine: 81,951 +
28,049 = 110,000
Total amount of data to be transmitted after compression: 28,049 + 65,745 = 93,794
Overall data compression: 110,000 / 93,794 = 1.17
Compression ratio of the compressed packets: 81,951 / 28,049 = 2.92
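A small parser that pulls the counters discussed in this topic out of show compress output and reproduces the four calculations above, as an added Python example written for this section (not Cisco code). The sample text is a constructed reproduction built from the values quoted in this topic, not a capture from a real router, and the interface name Serial2 is assumed. Beyond the arithmetic, the interpret function applies the two checks the text describes: an averaged throughput ratio below 1 means compression is slowing the link, and nonzero "no bufs" counters mean the compression routine is being starved of buffers.

```python
import re

# Constructed sample of "show compress" output, modeled on the values quoted in this
# topic; it is not a capture from a real router.
SAMPLE_SHOW_COMPRESS = """\
Serial2
    uncompressed bytes xmt/rcv 81951/85500
    1  min avg ratio xmt/rcv 0.789/0.837
    5  min avg ratio xmt/rcv 0.789/0.837
    10 min avg ratio xmt/rcv 0.789/0.837
    no bufs xmt 0 no bufs rcv 0
    Transmit bytes:  Uncompressed = 28049 Compressed= 65745
    Received bytes:  Compressed = 74738 Uncompressed= 0
"""

_PATTERNS = {
    "uncompressed_xmt_rcv": re.compile(r"uncompressed bytes xmt/rcv (\d+)/(\d+)"),
    "no_bufs": re.compile(r"no bufs xmt (\d+) no bufs rcv (\d+)"),
    "transmit": re.compile(r"Transmit bytes:\s*Uncompressed\s*=\s*(\d+)\s*Compressed\s*=\s*(\d+)"),
    "received": re.compile(r"Received bytes:\s*Compressed\s*=\s*(\d+)\s*Uncompressed\s*=\s*(\d+)"),
}
_RATIO = re.compile(r"(\d+)\s+min avg ratio xmt/rcv ([\d.]+)/([\d.]+)")


def parse_show_compress(text):
    """Extract the counters this topic discusses. Integer counters become tuples of
    (xmt, rcv) or (uncompressed, compressed) in the order they appear on the line."""
    stats = {"avg_ratio": {}}
    for line in text.splitlines():
        m = _RATIO.search(line)
        if m:
            stats["avg_ratio"][int(m.group(1))] = (float(m.group(2)), float(m.group(3)))
            continue
        for key, pattern in _PATTERNS.items():
            m = pattern.search(line)
            if m:
                stats[key] = tuple(int(g) for g in m.groups())
    return stats


def interpret(stats):
    """Reproduce the course's four calculations and its two sanity checks."""
    uncompressed_xmt, _ = stats["uncompressed_xmt_rcv"]
    xmt_uncompressed, xmt_compressed = stats["transmit"]
    before = uncompressed_xmt + xmt_uncompressed      # data offered to the compressor
    after = xmt_uncompressed + xmt_compressed         # bytes actually sent, minus Layer 2
    return {
        "before": before,
        "after": after,
        "overall_ratio": round(before / after, 2),
        # Ratio of the compressed packets, computed as the course does it.
        "compressed_packets_ratio": round(uncompressed_xmt / xmt_uncompressed, 2),
        # Any averaged throughput ratio below 1 means compression is slowing the link.
        "slowing_link": any(x < 1 or r < 1 for x, r in stats["avg_ratio"].values()),
        # Buffer starvation counters should stay at zero on a healthy router.
        "buffer_starvation": any(n > 0 for n in stats["no_bufs"]),
    }


if __name__ == "__main__":
    for key, value in interpret(parse_show_compress(SAMPLE_SHOW_COMPRESS)).items():
        print(f"{key}: {value}")
```

On the sample the overall ratio is 1.17 and the per-packet ratio 2.92, as in the text, while slowing_link is True because all three averaged ratios are below 1, which is the case the text flags as compression costing more throughput than it returns.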
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• The callback feature can be used to control access
and toll costs between hosts.
• PPP callback is an LCP option used over dialup
links.
• The asynchronous callback feature supports EXEC
and PPP.
• Cisco routers can also maximize performance
using data compression, which enables higher
data throughput across the link.
• To verify compression, use the show compress
command in privileged EXEC mode.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which LCP option feature does a Cisco router use over dialup links?
A) PAP callback
B) NCP callback
C) PPP callback
D) LCP callback
Q2) Which of the following session types is supported by the asynchronous callback feature?
A) EXEC, PPP, and ARA Protocol
B) TTT, IPC, and OPX
C) ASC, CB, and FS
D) AUX, CON, and TTP
Q3) Which party initiates the call in the PPP callback process?
A) callback server
B) callback client
C) caller ID
D) three-way calling service
Q4) Which interface command allows the router to initiate a callback to a remote node when the remote node is capable of putting itself in an answer mode for callback?
A) callback forced-wait seconds
B) ppp callback initiate
C) ppp callback accept
D) script callback script-name
Q5) Which command configures the router interface as the PPP callback client?
A) ppp authentication pap
B) ppp dialer map id
C) ppp callback request
D) ppp authentication chap
Q6) Which command is used to disconnect calls that are not properly configured for PPP callback?
A) dialer map
B) dialer callback-secure
C) dialer group
D) dialer hold
Q7) Which of the Cisco compression algorithms determines whether the data is already compressed before sending the compressed data?
A) MPPC
B) Predictor
C) Stacker
D) TCP header compression
Q8) When TCP header compression is enabled on both sides of the router, which headers are compressed?
A) UDP headers
B) TCP headers
C) PPC headers
D) STA headers
Q9) Which command is used in privileged EXEC mode to view compression statistics to verify compression?
A) show stacker
B) show predictor
C) show MPPC
D) show compress
Quiz Answer Key
Q1) C. Relates to: PPP Callback Overview
Q2) A. Relates to: Asynchronous Callback Operation Flowchart
Q3) B. Relates to: PPP Callback Operation
Q4) B. Relates to: Asynchronous Callback Line and Interface Commands
Q5) C. Relates to: PPP Callback Client Configuration
Q6) B. Relates to: PPP Callback Server Configuration
Q7) B. Relates to: Compression and PPP
Q8) B. Relates to: Compression Configuration
Q9) D. Relates to: Compression Verification
Configuring LCP Options: Multilink PPP
Overview
Multilink PPP (MLP) allows two or more connections to be bundled into a single virtual
connection. These bundles can be established through both circuit-switched and leased-line
topologies. This topic describes the use and operation of MLP.
Relevance
You should know how to configure MLP for situations when additional bandwidth is desired,
such as during periods of high utilization.
Objectives
Upon completing this lesson, you will be able to:
Describe MLP operation and concepts
Configure MLP
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Multilink PPP Overview
Multilink PPP Operation and Configuration
Multilink PPP Example
Summary
Quiz
Multilink PPP Overview
This topic describes MLP over parallel circuits.
Why Use MLP?
MLP is an LCP option that permits a system to signal that it is capable of combining multiple
links into a bundle. MLP can improve throughput and reduce latency between systems by
splitting Layer 3 packets and sending the fragments over parallel circuits. It is important to
remember that MLP works by splitting packets into fragments, not by load-balancing complete
packets to a destination.
Prior to the adoption of MLP (described first in RFC 1717), there was no standardized way to
use both of the ISDN B channels of a BRI and also ensure proper sequencing. MLP is
interoperable between Cisco routers running Cisco IOS software and most routers that comply
with the most recent MLP standard, RFC 1990.
Typically, you should use MLP with applications in which bandwidth requirements are dynamic, such as remote LAN access applications for SOHO environments. When user traffic exceeds a predefined threshold, an additional physical link (such as a B channel) can be brought up to handle the burst of traffic.
MLP solves several problems related to load balancing across multiple WAN links, including
the following:
Multivendor interoperability, as specified by RFC 1990, which replaces RFC 1717
Packet fragmentation, improving the latency of each packet (supports RFC 1990
fragmentation and packet-sequencing specifications)
Packet-sequence and load calculation
This feature negotiates the Maximum Receive Reconstructed Unit (MRRU) option during the
PPP LCP negotiation to indicate to its peer that it can combine multiple physical links into a
bundle.
Multilink PPP Operation and Configuration
This topic demonstrates how to configure an MLP connection on two parallel circuits.
MLP Operation and Configuration
Router(config-if)#ppp multilink
• Enables MLP on an interface
Router(config-if)#dialer load-threshold load [outbound | inbound | either]
• Defines the threshold to bring up another link
The ppp multilink interface configuration command enables MLP on an interface. The
interface must use PPP encapsulation. The maximum number of links in a bundle is the number
of interfaces in the dialer or ISDN interface. To limit the number of links in a multilink bundle,
include the ppp multilink links maximum links command on the MLP interface.
The dialer load-threshold command enables a dialer rotary group to bring up links and add the links to a multilink bundle. The load threshold is expressed as a ratio of x/255, so a value of 128 means 50 percent bandwidth utilization. This command allows threshold determination for the following:
Outbound traffic only (default)
Inbound traffic only
The maximum of either inbound or outbound traffic
It is necessary to configure only one end of a link for load threshold.
To ensure proper load calculation, be sure to set the correct interface bandwidth using the
bandwidth command.
Note: Standard dial-on-demand routing (DDR) configuration should be in place before you configure MLP.
Multilink PPP Example
This topic discusses the steps that are necessary in configuring an MLP connection.
MLP Example
Only two commands must be added to this interface configuration to make MLP possible. The
router at the other end of the call must be similarly configured. These two commands are:
The ppp multilink command
The dialer load-threshold load [outbound | inbound | either] command
The ppp multilink command activates the interface for MLP operation and allows negotiation
of the protocol at connect time, thus establishing a single-channel MLP bundle. However, this
command is not sufficient to take advantage of the fragmentation, load-balancing, or
bandwidth-on-demand features of the protocol.
The dialer load-threshold load command sets the point at which additional B channels will be added to the MLP bundle. When the total load of all up B channels is greater than the load threshold, the dialer interface (in this case, the BRI or PRI) adds an extra channel to the multilink bundle. In a similar way, if the total load for all the up B channels minus one (n – 1) is at or below the threshold, channels will be taken down.
The load argument is the average load for the interface. It is a value from 1 (unloaded) to 255
(fully loaded).
The outbound argument sets the load calculation to be made on outbound traffic only. The
inbound argument sets the load calculation to be made on inbound traffic only. The either
argument sets the load as the larger of the outbound and inbound loads.
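The threshold evaluation described in the last three paragraphs, written out as an added Python model for this section (illustrative code, not Cisco IOS code). It assumes that load is derived from the measured traffic rate against the configured bandwidth of the up links, which is why the text insists on setting bandwidth correctly, and that the bundle has at most two 64 kbps B channels, as on a BRI; the traffic samples are constructed. The model generalizes slightly beyond the text by handling all three direction arguments and an arbitrary maximum number of links.

```python
def load_255(traffic_kbps: float, link_kbps: float, links: int) -> int:
    """Express utilization the way dialer load-threshold does: 1 (idle) to 255 (full)."""
    if links < 1 or link_kbps <= 0:
        raise ValueError("need at least one link with a positive bandwidth")
    return max(1, min(255, round(traffic_kbps / (link_kbps * links) * 255)))


def measured_load(outbound_kbps, inbound_kbps, link_kbps, links, direction="outbound"):
    """Pick the traffic the threshold is compared against: outbound (default), inbound, or either."""
    if direction == "outbound":
        traffic = outbound_kbps
    elif direction == "inbound":
        traffic = inbound_kbps
    elif direction == "either":
        traffic = max(outbound_kbps, inbound_kbps)   # the larger of the two loads
    else:
        raise ValueError(f"unknown direction {direction!r}")
    return load_255(traffic, link_kbps, links)


def next_link_count(up_links, outbound_kbps, inbound_kbps, threshold,
                    link_kbps=64, max_links=2, direction="outbound"):
    """One evaluation of the threshold: add a channel, drop one, or leave the bundle alone."""
    if not 1 <= threshold <= 255:
        raise ValueError("load argument must be 1..255")
    if not 1 <= up_links <= max_links:
        raise ValueError("up_links must be between 1 and max_links")
    load = measured_load(outbound_kbps, inbound_kbps, link_kbps, up_links, direction)
    # Total load of all up channels above the threshold: bring up one more, if any are left.
    if load > threshold and up_links < max_links:
        return up_links + 1
    # Load that n - 1 channels would carry is at or below the threshold: take one down.
    if up_links > 1:
        load_without_one = measured_load(outbound_kbps, inbound_kbps, link_kbps,
                                         up_links - 1, direction)
        if load_without_one <= threshold:
            return up_links - 1
    return up_links


def simulate(samples, threshold, link_kbps=64, max_links=2, direction="outbound"):
    """Run the evaluation over (outbound, inbound) kbps samples; returns the link count after each."""
    links, history = 1, []
    for out_kbps, in_kbps in samples:
        links = next_link_count(links, out_kbps, in_kbps, threshold, link_kbps, max_links, direction)
        history.append(links)
    return history


if __name__ == "__main__":
    # Constructed traffic samples on a BRI (two 64 kbps B channels) with load 128 (50 percent).
    burst = [(20, 5), (40, 5), (40, 5), (20, 5), (10, 5)]
    print(simulate(burst, threshold=128))                            # [1, 2, 2, 1, 1]
    print(simulate([(10, 40)], threshold=128, direction="either"))   # [2]
    print(simulate([(10, 40)], threshold=128))                       # [1]
```

The second channel comes up as soon as 40 kbps of outbound traffic pushes one 64 kbps channel past 50 percent, stays up while that traffic would still overload a single channel, and is dropped once one channel could carry the load again; the last two calls show that the same inbound-heavy sample only adds a channel when the direction argument is either (or inbound).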
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• MLP allows several connections to be bundled into
a single virtual connection.
• MLP is controlled by adding a 2- or 4-byte
sequencing header in the PPP frame that indicates
sequencing for the fragments.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Why use MLP?
A) MLP can improve throughput and reduce latency between systems by splitting Layer 3 packets and sending the fragments over parallel circuits.
B) MLP can reduce throughput and improve latency between systems by splitting Layer 3 packets and sending the fragments over parallel circuits.
C) MLP can improve throughput and increase latency between systems by splitting Layer 3 packets and sending the fragments over parallel circuits.
D) MLP can reduce throughput and reduce latency between systems by splitting Layer 3 packets and sending the fragments over parallel circuits.
Q2) Which command enables a dialer rotary group to bring up additional links to form a multilink bundle?
A) ppp multilink
B) dialer threshold
C) dialer load-threshold
D) bandwidth
Q3) Two commands must be added to the interface configuration to make MLP possible. The router at the other end of the call must be similarly configured. What are these two commands?
A) ppp multilink and dialer group
B) ppp multilink and dialer load-threshold load [outbound | inbound | either]
C) ppp multilink and dialer map
D) ppp multilink and dialer encapsulation
Quiz Answer Key
Q1) A. Relates to: Multilink PPP Overview
Q2) C. Relates to: Multilink PPP Operation and Configuration
Q3) B. Relates to: Multilink PPP Example
Verifying and Debugging PPP
Overview
After you have configured PPP, you may need to troubleshoot an incorrect configuration for
intended data travel on the PPP link. This topic describes how to verify and debug a PPP
connection.
Relevance
Verification and debugging commands help troubleshoot nonworking PPP connections.
Objectives
Upon completing this lesson, you will be able to:
Verify proper PPP configurations using show commands
Verify proper dialer configurations using show commands
Identify the anomalies in PPP configurations using debug commands
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
PPP Verification
show dialer Command Example
PPP Debugging
Multilink Verification
Summary
Quiz
PPP Verification
This topic identifies the commands that verify PPP and link control protocol (LCP) options on
a Cisco router.
show interface Command Example
The show interface command is the best way to verify that a PPP connection has been established. Command output indicates this by showing the status of IP in IPCP as OPEN.
The show interface bri command also displays multilink status. The multilink field for the
individual B channel shows the LCP multilink status as OPEN if the multilink is active. If it is
enabled, but not active, the status is CLOSED.
show dialer Command Example
This topic demonstrates the show dialer command to verify proper PPP operation.
show dialer Command Example
Use the show dialer command, or the show user and show line commands, to determine if PAP or CHAP authentication was passed. The show dialer command can be used for ISDN connections.
If show dialer displays the name of the remote router, PAP or CHAP authentication has
passed. You can check the show dialer command output on both routers to verify that the name
of the other router is displayed. If it is, then you know that PAP or CHAP authentication
worked. The show dialer command output will also indicate if a line is a member of an MLP
bundle.
Use the show user command to view the progress of asynchronous dialup connections.
Authentication has passed if a name is displayed with the line number in the show user output.
Use the line number in a show line command for details about the asynchronous connection.
PPP Debugging
This topic describes how to debug during the PPP negotiation process.
debug ppp negotiation Command Example
The debug ppp negotiation command is an excellent tool for troubleshooting the PPP LCP
negotiation parameters, such as authentication, compression, and MLP. When the LCP is in an
open state, the NCP negotiation takes place. For PPP to work, LCP options must be negotiated
before any NCP activities take place. The debug ppp negotiation command allows you to
observe the following:
Authentication (CHAP or PAP)
Compression Control Protocol (CCP)
NCP protocols such as IPCP, IPXCP, and ATCP
When debugging CHAP or PAP authentication specifically, the debug ppp authentication
command can be used in place of the debug ppp negotiation command. The debug ppp
authentication output is similar to the debug ppp negotiation output, but limited to CHAP
and PAP authentication events.
The CPU process assigns a high priority to the debugging output that can render the system
unusable. For this reason, use debug commands with caution and only to troubleshoot specific
problems.
Multilink Verification
This topic identifies the command to verify MLP.
MLP Verification
The show ppp multilink command displays bundle information on a rotary group in the packet
multiplexing section, including the number of members in a bundle and the bundle to which a
link belongs.
The figure displays an example output when two active bundles are on a system.
MLP Troubleshooting
• CHAP/PAP/caller ID on answering router?
• Dialer load threshold on one router?
Use the following problems and solutions to troubleshoot your MLP configuration:
Problem 1: MLP is open, but no data is passing through.
Solution: Check dialer map statements and verify that routing is on.
Problem 2: The last link of a bundle dials but never connects.
Solution: Check debug isdn q931, debug modem, or debug chat command output for
asynchronous application operation. You can also use the debug ppp multilink events
command for help. MLP might not be enabled.
Problem 3: Data throughput is low.
Solution: Verify that fair queuing is not enabled.
The debug ppp multilink command displays packet sequence numbers. The command is
useful only as a last resort because it will not help troubleshoot why connections are not being
bundled.
The debug ppp negotiation command displays the Maximum Receive Reconstructed Unit
(MRRU) option negotiation.
The debug ppp authentication command is useful for displaying the steps in the PPP
authentication process.
The debug isdn events command also displays information useful for monitoring and
troubleshooting MLP.
Summary
This topic summarizes the key points discussed in this lesson.
• The show interface command is the best way to
verify that a PPP connection has been established.
• The show dialer command is the easiest way to
determine if PAP or CHAP authentication was
passed.
• The debug ppp negotiation command is an excellent
tool for troubleshooting the PPP LCP activities.
Next Steps
For the associated lab exercise, refer to the following section of the course Lab Guide:
Lab Exercise 3-1: Configuring and Verifying PPP Operations
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which command is the best way to verify that a PPP connection has been established?
A) show interface
B) show dialer
C) show stacker
D) show predictor
Q2) Which command is the easiest way to determine if the PAP or CHAP authentication was passed?
A) show dialer
B) show interface
C) show pap
D) show authentication
Q3) Which command is an excellent tool for troubleshooting the PPP LCP activities, such as authentication, compression, and MLP?
A) debug ppp negotiation
B) debug ppp negotiation tcp
C) debug remote negotiation
D) debug the negotiation
Quiz Answer Key
Q1) A (Relates to: PPP Verification)
Q2) A (Relates to: show dialer Command Example)
Q3) A (Relates to: PPP Debugging)
Module 4
Accessing Broadband
Overview
This module reviews the use of broadband for remote access to a central site using Network
Address Translation (NAT). The four types of broadband covered are digital subscriber line
(DSL), cable technology, wireless, and satellite links.
Objectives
Upon completing this module, you will be able to:
Describe various broadband options
Configure NAT so you can reuse a limited number of available registered IP addresses for
your private network
Describe RF concepts and the physical infrastructure of a cable link
Distinguish key attributes for different types of DSL
Perform a simulated install procedure
Configure a Cisco 827 router for NAT with PPPoA
Verify proper operation of DSL and NAT with available Cisco verification commands
Outline
The module contains these lessons:
Identifying Broadband Features
Addressing Broadband with NAT
Describing Cable Technology
Defining DSL Technology
Configuring the CPE as the PPPoE Client
Configuring DSL with PPPoA
Troubleshooting DSL
Identifying Broadband Features
Overview
This lesson describes the needs that drive development of broadband and the challenges to its
widespread deployment.
Relevance
Broadband can allow remote office staff and small office, home office (SOHO) users to connect
to the central office (CO) LAN at high speeds for remote access.
Objectives
Upon completing this lesson, you will be able to:
Describe broadband options as a viable choice for remote access to a central site
Describe cable options for remote access
Describe DSL options for remote access
Describe satellite options for remote access
Describe wireless options for remote access
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Broadband Uses
Cable Options
DSL Options
Satellite Options
Wireless Options
Summary
Quiz
Broadband Uses
This topic describes broadband options as a viable choice for remote access to a central site.
Why Broadband?
• High-speed access
• Rich voice and video services
• Always on
The Internet is moving from dialup modems and slow connections to a world of high-speed
broadband using a variety of technologies. Broadband access can allow remote office staff and
SOHO staff to connect to the CO LAN at high speeds (generally defined as any sustained speed
above 128 kbps). Broadband access improves employee productivity and provides a foundation
for rich new voice and video services. Unlike standard dialup connections, broadband is always
on.
Broadband options include DSL, fast downstream data connections from direct broadcast
satellite (DBS), fixed wireless providers, and high-speed cable modems.
Cable Options
This topic describes cable options for remote access.
Cable Options
• High speed asymmetric access
• Constant connectivity without tying up telephone
service
• Cable bandwidth shared by users in coaxial
serving area
Currently, the most common remote access broadband service is a cable modem. Cable modem
users connect to the Internet through a digital cable TV connection. One benefit of cable is its
high speed. Cable modems also offer the benefit of constant connectivity. Because there is no
need to dial in to the Internet, a user does not have to worry about receiving busy signals.
Additionally, going online does not tie up a telephone line. Many cable operators offer
telephone services over cable, such as Voice over IP (VoIP) over Cable and Voice over Cable.
The primary disadvantage of cable is that the bandwidth is shared among all of the data users in
a given area. Connection speed could drop during busy periods if the cable operator has not
placed proper bandwidth quality of service (QoS) mechanisms in place. If there is not enough
bandwidth available, then customers might not get the minimum committed information rate
(CIR) that they have purchased. However, in practice, end users tend to experience a much
higher data rate than the level they have purchased.
DSL Options
This topic describes DSL options for remote access.
DSL Options
• Family of transmission technologies that move data over copper pairs
• Different types of xDSL (Asymmetric/Symmetric)
• All types of DSL are Layer 1 technologies
• ATU-R = ADSL Transmission Unit - Remote
• ATU-C = ADSL Transmission Unit - Central
DSL is a group of technologies that use the unused bandwidth on a regular copper telephone
line to deliver fast digital data transmission. DSL connections are as easy to obtain as dial
access. Like leased lines, DSL connections can be always on if the DSL modem of the
customer connects to a CO DSL termination. Occasionally, the DSL modem may need to place
a telephone call if the provider has oversubscribed the service.
There are two disadvantages to DSL:
1. DSL has a maximum distance requirement from the PSTN CO of 18,000 feet.
2. Not all PSTN central offices have been built-out to support DSL. As a result, you may live
in a neighborhood that is not serviced by a DSL-capable CO while a neighborhood down
the street may have access to DSL service.
Satellite Options
This topic describes satellite options for remote access.
Satellite Options
• First came the original (bigger) C-band backyard satellite dish
in the 1980s
• Followed by direct broadcast satellite (DBS) in the 1990s
• DBS uses smaller-size dishes to receive the satellite signals
• The satellite orbits the earth 22,300 miles above the equator
The main issue that satellite access resolves is getting high-bandwidth remote access to places
without a high-bandwidth infrastructure. The only way to receive broadband communications
in many rural or low-population areas is via a two-way satellite.
Satellite services deliver downstream data in bursts up to 400 kbps, with upstream speeds as
much as 125 kbps. A computer connected to the satellite network does not require
time-consuming dialup protocols to log in. However, because of the asymmetric nature of
satellite communication, certain applications such as VoIP do not perform very well over
satellite. Also, heavy activity on the network can affect satellite speeds.
The typical satellite system requires a small, 1.2-meter or less satellite dish, two standard
coaxial cables to connect the satellite dish to a satellite modem, and a satellite modem that
connects to a PC through an Ethernet or Universal Serial Bus (USB) port. The latest satellite
systems allow subscribers to send and receive information using a satellite dish and still receive
television programming.
Satellite networks include geostationary orbit (GSO) satellites and nongeostationary orbit
(NGSO) satellites. The latter includes low-earth orbit (LEO) satellites. Latency is higher for
GSO satellites than for LEO satellites because the GSO is much higher. Most broadband
satellite options use a satellite in orbit approximately 22,300 miles above the equator.
Wireless Options
This topic describes wireless options for remote access.
Wireless Options
Wireless technology provides line-of-sight bridging at 2-Mbps throughput at distances of up to
25 miles (40.2 km) in U.S. Federal Communications Commission (FCC)-regulated countries or
6.5 miles (10.5 km) in Europe. This technology can provide up to 11-Mbps connectivity from
one site to another or from the main site to many remote sites. You need only a bridge and an
antenna for each site, which can connect to either a wired or wireless network within those
sites. Wireless technology also enables multiple buildings to share a single high-speed
connection to the Internet without cabling or dedicated lines. However, you must have line of
sight.
Fixed-wireless systems have a long history. Point-to-point microwave connections have long
been used for voice and data communications. As technology has continued to advance, higher
frequencies have been employed. Thus, smaller antennas can be used, resulting in lower costs
and easier-to-deploy systems for private use. The reduction in cost has resulted in a whole
generation of carriers that are planning to use wireless access as their last mile of
communication.
Wireless Options (Cont.)
• Various unlicensed frequency bands
• Spread spectrum
• Mobile—low data rate
• Residential, SOHO, and small/medium
business
• Fixed—high data rate
• Multi-sectored node sites
• Up to 6 miles in multipoint, 15 miles in
point-to-point
The fixed wireless broadband market consists of four segments: Local Multipoint Distribution
Service (LMDS), Multichannel Multipoint Distribution Service (MMDS), license-free fixed
wireless services in the Industrial, Scientific, and Medical (ISM) bands, and the Unlicensed
National Information Infrastructure (U-NII) bands.
LMDS, with a 3-mile range and slightly higher throughput than T3 fiber lines, is best suited to
large and medium-size enterprises in urban areas. MMDS, with about a 35-mile range and
throughput comparable to DSL and cable, is targeted at small businesses and residential
customers, particularly those in multitenant dwellings. License-free services, with a 3-to-25-mile
range and throughput from 128 kbps to 53 Mbps, vary according to the type of equipment
used and number of subscribers.
Summary
This topic summarizes the key points described in this lesson.
• A cable modem can provide up to 90 times the
speed of a dial-up connection.
• DSL uses the unused bandwidth on a telephone
line to deliver fast digital data transmission.
• Satellite delivers downstream data in bursts up to
400 kbps, with upstream speeds of up to 125 kbps.
• Wireless provides bridging at 2 Mbps throughput
at distances of up to 25 miles.
Quiz
Use the practice items here to review what you have learned in this lesson. The correct answers
follow in the Quiz Answer Key.
Q1) Broadband is generally defined as any sustained speed above _____.
A) 28,800 bps
B) 56,000 bps
C) 96,000 bps
D) 128,000 bps
Q2) A cable modem could provide up to _____ times the transmission speed (9 Mbps) for remote access in the upstream compared to other technologies.
A) 40
B) 70
C) 150
D) 128
Q3) Like leased lines, DSL connections are _____.
A) inexpensive
B) always on
C) easy to install
D) all of the above
Q4) Most broadband satellite options use a satellite in orbit approximately _____ above the equator.
A) 22,300 miles
B) 23,300 miles
C) 32,300 miles
D) 28,300 miles
Q5) Wireless technology provides line-of-sight bridging at _____ throughput at distances of up to 25 miles, but you must have line of sight.
A) 1-Mbps
B) 2-Mbps
C) 3-Mbps
D) 4-Mbps
Q6) LMDS has a slightly higher throughput than _____ fiber lines.
A) T1
B) T3
C) ISDN
D) cable
Quiz Answer Key
Q1) D (Relates to: Broadband Uses)
Q2) C (Relates to: Cable Options)
Q3) B (Relates to: DSL Options)
Q4) A (Relates to: Satellite Options)
Q5) B (Relates to: Wireless Options)
Q6) B (Relates to: Wireless Options)
Addressing Broadband with NAT
Overview
This lesson provides an overview of NAT for remote access networks and describes why NAT
should be implemented in a broadband environment.
Relevance
The two most compelling problems facing the Internet are IP address depletion and scaling
in routing. Many solutions to these problems are being developed, but until they are more fully
adopted, NAT provides a short-term solution.
Objectives
Upon completing this lesson, you will be able to:
Describe the process of NAT and explain why you enable it
Explain the Cisco use of NAT terminology
Describe the process of translating inside source addresses
Describe the process of overloading inside global addresses
Configure NAT to provide dynamic translation
Configure NAT to provide global address overloading
Verify correct operation of NAT using the show commands
Identify specific operations in NAT using the debug commands
Remove specific or all NAT entries using the clear commands
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
NAT Overview
NAT Concepts and Terminology
NAT Operation
Inside Source Address Translation
Inside Global Address Overload
Dynamic NAT Configuration
Inside Global Address Overload Configuration
NAT Verification and Troubleshooting
NAT Troubleshooting
NAT Entry Clearing
Summary
Quiz
NAT Overview
This topic describes why NAT is used.
NAT Overview
• Conserves public Internet addresses
• Increases network privacy by hiding internal IP addresses
• Allows an unregistered address to connect to the Internet
• Allows translations of many inside addresses to one outside
address
IP address depletion is a key problem facing the public network. To maximize the use of
registered IP addresses, Cisco IOS software implements NAT. This feature, which is the Cisco
implementation of RFC 1631, provides a way to use the same IP addresses in multiple internal
subnetworks, thereby reducing the need for registered IP addresses.
NAT allows privately addressed networks to connect to public networks such as the Internet.
The privately addressed “inside” network sends a packet through the NAT router, and the
addresses are converted to legal, registered IP addresses, enabling the packets to be passed to
the public network.
NAT can be used when an internal address scheme must be altered due to a change in service
providers. It can also be used when merging two intranets, such as when two companies merge.
NAT can change addresses incrementally, without changes to hosts or routers other than those
bordering stub domains, thereby eliminating duplicate address ranges without readdressing host
computers.
The translation performed using NAT can be either static or dynamic:
Static translation occurs when addresses in a lookup table are manually configured. A
specific inside address maps into a prespecified outside address. The inside and outside
addresses are statically mapped one-for-one.
Dynamic mapping occurs when the NAT border router is configured to understand which
inside addresses must be translated and which pool of addresses may be used for the
outside addresses. There can be multiple pools of outside addresses.
Multiple internal hosts can also share a single outside IP address, which conserves address
space. Address sharing is accomplished by port multiplexing, or changing the source port on
the outbound packet so that replies can be directed back to the appropriate host. This option is
commonly referred to as Port Address Translation (PAT), or overloading.
NAT Concepts and Terminology
This topic describes NAT concepts and terminology.
NAT Concepts
As discussed, NAT technology enables private IP networks that use nonregistered IP addresses
to connect to the public network such as the Internet. NAT is usually configured on border
routers between a stub domain (inside network) and a public network (outside network). To
properly understand the concepts and configuration of NAT, you must understand the terms
that Cisco uses to describe NAT components.
Using the NAT device as the reference point, all IP addresses can be classified as either inside
or outside and as either local or global:
Inside or Outside: Specifies the physical location of an IP host in relation to the NAT
device
Local or Global: Specifies the location of the user, or the user point of view, in relation to
the NAT device
For example, an inside global address is the address of an IP host located on the inside network
from the perspective of a user located on the global network; it is the address that a global user
would use to communicate with a host on the inside network.
Inside and local reference the same side of a NAT device; this side is commonly referred to as
the internal or private network. Outside and global also reference the same side of a NAT
device; this other side is commonly referred to as the external or public network. The key
difference is that inside/outside refers to host location whereas local/global refers to the user
perspective.
Note: The designations of inside/outside and local/global are relative to where NAT occurs. The
NAT process can occur anywhere and at multiple points between two hosts.
NAT Terminology
NAT translates the internal local addresses into globally unique IP addresses before sending
packets to the outside network. NAT takes advantage of the fact that relatively few hosts in a
stub domain communicate outside of the domain at any given time. Therefore, only a subset of
the IP addresses in a stub domain must be translated into globally unique IP addresses for
outside communication. The table details various terms that are used to define NAT functions.
NAT terminology
Inside local IP address (A, in figure): The IP address assigned to a host on the inside network. The address can be globally unique but obsolete, allocated from RFC 1918 (Address Allocation for Private Internet Space), or randomly picked.
Inside global IP address (B, in figure): A legitimate IP address (assigned by the NIC or service provider) that represents one or more inside local IP addresses to the outside world. The address is allocated from a globally unique address space, typically provided by the ISP.
Outside global IP address (C, in figure): The IP address that was assigned to a host on the outside network by its owner. The address is allocated from a globally routable address space.
Outside local IP address: The IP address of an outside host as it appears to the inside network. The address can be allocated from address space routable on the inside, for example, from RFC 1918.
Simple translation (D, in figure): A translation entry that maps one IP address to another.
Extended translation: A translation entry that maps one IP address and port pair to another address and port pair.
Note: The NAT examples in this course use an alternative private address range to represent legal
registered IP addresses. This is a policy decision to avoid the unauthorized use of public
addresses.
NAT Operation
This topic identifies the various NAT functions.
NAT Operation
NAT functions
• Translate inside source
addresses
• Overload inside global
addresses
NAT can be used to perform these functions to support a broadband subscriber:
Translating inside source addresses: Establishes a mapping between inside local and
inside global addresses.
Overloading inside global addresses: You can conserve addresses in the inside global
address pool by allowing source ports in TCP connections or UDP conversations to be
translated. When different inside local addresses map to the same inside global address, the
TCP or UDP port numbers of each inside host are used to distinguish between the hosts.
Inside Source Address Translation
This topic describes the process of translating inside source addresses.
Translating Inside Source Addresses
The figure illustrates NAT operation when it is used to translate source addresses from inside a
network to destinations outside the network. These steps include:
Step 1: User at host 10.1.1.1 opens a connection to outside Host B.
Step 2: The first packet that the border router receives from host 10.1.1.1 causes the router
to check its NAT table, because the packet is going from an inside interface to an
outside interface.
Note: If a translation is found because it has been statically configured, the router continues to
Step 3. If no translation is found and dynamic translation is configured, the router determines
that address 10.1.1.1 must be translated to an address available from an address pool. The
router dynamically allocates a new address and sets up a translation of the inside local
address 10.1.1.1 to a legal inside global address from the dynamic address pool. This type
of translation entry is referred to as a simple entry.
Step 3: The border router replaces the inside local IP address of 10.1.1.1 with the selected
inside global address, 192.168.2.2, and forwards the packet.
Step 4: Host B receives the packet and responds to that node using the inside global IP
address 192.168.2.2.
Step 5: When the border router receives the packet with the inside global IP address, the
router performs a NAT table lookup using the inside global address as the reference.
The router then translates the address back to 10.1.1.1, the inside local address, and
forwards the packet to 10.1.1.1. Host 10.1.1.1 receives the packet and continues the
conversation.
For each packet, the router performs Steps 2 through 5.
Note: With static translations, you can initiate connections from either inside or outside. This is
because the translation will always be in the translation table. With dynamic translations,
however, connections must be initiated inside-to-outside or outside-to-inside, depending on
your configuration.
When configuring inside-to-outside dynamic NAT using the ip nat inside source list
command, connections must be initiated from inside. Likewise, when using ip nat outside
source list for outside-to-inside dynamic translations, connections must be initiated from the
outside.
Inside Global Address Overload
This topic describes the process of overloading inside global addresses, also known as PAT.
Inside Global Address Overload
The figure illustrates NAT operation when a single inside global address is used to represent
multiple inside local addresses simultaneously. In this example, an extended translation entry
table is used, in which the combination of address and port makes each global IP address
unique. The use of ports to make an address unique is called PAT, a subset of NAT. This
operation consists of these steps:
Step 1: User at host 10.1.1.1 opens a connection to Host B.
Step 2: The first packet the router receives from 10.1.1.1 causes the router to check its NAT
table because the packet is going from inside to outside.
Note: If no translation is found, the router determines whether address 10.1.1.1 should be
translated based on the configuration. The router allocates a new address and sets up a
translation of the inside local address 10.1.1.1 to a legal global address if configured to do
so. If overloading is enabled and another translation is active, the router will reuse the global
address from that translation and save the unique port information to be able to distinguish it
from the other translation entry. This type of entry is called an extended entry.
Step 3: The router replaces the inside local IP address of 10.1.1.1 with the selected inside
global address, 192.168.2.2, and forwards the packet.
Step 4: Outside Host B receives the packet and responds to that node using the inside global
IP address 192.168.2.2 and TCP port 1024.
Step 5: When the router receives the packet with the inside global IP address, the router
performs a NAT table lookup using the inside global address and port number, and
the outside address and port number as the references. The router then translates the
address back to the inside local address of 10.1.1.1 and forwards the packet to
10.1.1.1. Host 10.1.1.1 receives the packet and continues the conversation.
For each packet, the router performs Steps 2 through 5.
Dynamic NAT Configuration
This topic describes a sample configuration of dynamic NAT.
Dynamic NAT Configuration
To enable dynamic inside source IP address translation, perform these steps:
Step 1: Configure IP routing and appropriate IP addresses on the router.
Step 2: Define a standard IP access list for the inside network using the access-list
access-list-number {permit | deny} source source-wildcard command.
Note: NAT does not always have to occur with directly connected networks. The access list can
match any inside local addresses or networks that are present on the inside internetwork.
Step 3: Define an IP NAT pool of global addresses using the ip nat pool pool-name start-ip
end-ip {netmask netmask | prefix-length prefix-length} [type rotary] command.
ip nat pool pool-name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary] Command
pool-name: Name of the pool.
start-ip: Starting IP address that defines the range of addresses in the global address pool.
end-ip: Ending IP address that defines the range of addresses in the global address pool.
netmask netmask: Network mask that indicates which address bits belong to the network and subnetwork fields, and which bits belong to the host field. Specify the netmask of the network to which the address pool belongs.
prefix-length prefix-length: Number that indicates how many bits of the netmask are 1s. Specify the netmask of the network to which the pool addresses belong.
type rotary: (Optional) Indicates that the range of addresses in the address pool identifies real, inside hosts among which TCP load distribution will occur.
Step 4: Map the access list to the IP NAT pool using the ip nat inside source list
access-list-number pool pool-name command.
Step 5: Enable NAT on at least one inside and one outside interface with the ip nat {inside |
outside} command. Only packets traveling between inside and outside interfaces
can be translated. For example, if a packet is received on an inside interface but is
not destined for an outside interface, it will not be translated.
Note: The steps for enabling dynamic outside source IP address translation are similar to those
listed above, except that the ip nat outside source list access-list-number pool pool-name
command is used instead. This command maps the access list for outside global addresses
to the IP NAT pool of available outside local addresses.
Inside Global Address Overload Configuration
This topic describes how to configure global address overloading.
To configure inside global address overloading, perform these steps:
Step 1: Configure IP routing and appropriate IP addresses on the router.
Step 2: Configure dynamic address translation for inside source addresses.
Step 3: When you define the mapping between the access list and the IP NAT pool using the
ip nat inside source list access-list-number pool pool-name command, add the
overload keyword to the command.
Step 4: Enable NAT on the appropriate interfaces using the ip nat {inside | outside}
command.
NAT Verification and Troubleshooting
This topic describes the commands that are used to verify and troubleshoot NAT.
Verifying NAT Translations
The commands in the table here can be used to verify NAT operation.
Commands to Verify NAT Operation
Command: Description
show ip nat translations [verbose]: Shows active translations
show ip nat statistics: Shows translation statistics
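The following is an added example, not part of the course: a small Python parser for the show ip nat translations table (Pro / Inside Global / Inside Local / Outside Local / Outside Global, the layout used in the quiz at the end of this lesson) that tells an overloaded inside global address apart from one-to-one translations. The sample output is constructed.

```python
"""Added example (not from the BCRAN course): parse 'show ip nat translations'
output and work out which NAT function the table shows. SAMPLE_OUTPUT is a
constructed table in the course's column layout."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: two inside hosts sharing one inside global address
# (extended entries with ports), plus one simple address-only entry.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.2.1:11003  10.1.1.1:11003     172.16.2.2:23      172.16.2.2:23
tcp 192.168.2.1:1067   10.1.1.2:1067      172.16.2.3:23      172.16.2.3:23
--- 192.168.2.9        10.1.1.9           ---                ---
"""

Addr = Tuple[str, Optional[int]]  # (ip, port or None)


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]  # "tcp"/"udp"/"icmp", or None for a simple entry
    inside_global: Addr
    inside_local: Addr
    outside_local: Optional[Addr]
    outside_global: Optional[Addr]

    @property
    def extended(self) -> bool:
        # Extended entries carry a protocol and ports; simple ones do not.
        return self.proto is not None


def _addr(token: str) -> Optional[Addr]:
    """Split 'a.b.c.d:port' into (ip, port); '---' means nothing is shown."""
    if token == "---":
        return None
    ip, sep, port = token.partition(":")
    return (ip, int(port) if sep else None)


def parse_translations(text: str) -> List[Translation]:
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue  # header, blank line, or a row we do not understand
        proto = None if fields[0] == "---" else fields[0]
        ig, il = _addr(fields[1]), _addr(fields[2])
        if ig is None or il is None:
            continue  # every entry has an inside global and inside local
        entries.append(Translation(proto, ig, il, _addr(fields[3]), _addr(fields[4])))
    return entries


def shared_globals(entries: List[Translation]) -> Dict[str, List[str]]:
    """Map each inside global address to the inside local hosts behind it."""
    acc = defaultdict(set)
    for e in entries:
        acc[e.inside_global[0]].add(e.inside_local[0])
    return {g: sorted(h) for g, h in acc.items()}


def classify(entries: List[Translation]) -> str:
    """'overload' when one inside global address fronts several inside local
    hosts (PAT), 'one-to-one' when each maps to a single host, 'empty' if no
    entries were found."""
    if not entries:
        return "empty"
    if any(len(h) > 1 for h in shared_globals(entries).values()):
        return "overload"
    return "one-to-one"


if __name__ == "__main__":
    parsed = parse_translations(SAMPLE_OUTPUT)
    print(f"{len(parsed)} entries, NAT function: {classify(parsed)}")
    for g, hosts in shared_globals(parsed).items():
        print(f"  {g} <- {', '.join(hosts)}")
```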
Verifying NAT Statistics
The show ip nat statistics command displays the number and type of active translations in the
system. This number is incremented each time a translation is created and is decremented each
time a translation is cleared or times out. The number of expired translations is also provided.
Other information displayed by this command includes:
Interfaces that are NAT-enabled using the ip nat {inside | outside} command.
Hits and misses: Number of times a translation table lookup is performed and an entry is
either found (hit) or an entry is not found and a new entry must be created (miss).
Dynamic translation configuration and statistics. These are described in the table here.
Output Field: Description
Inside Source: The information that follows is about an inside source translation.
access-list: Access list number being used for the translation.
pool: Name of the pool (in this case, dyn-nat).
refcount: Number of translations using this pool.
netmask: IP network mask being used in the pool.
start / end: Starting / ending IP address in the pool range.
type: Type of pool. Possible types are generic or rotary.
total addresses: Number of addresses in the pool available for translation.
allocated: Number of addresses being used.
misses: Number of failed allocations from the pool.
NAT Troubleshooting
This topic describes how to troubleshoot NAT.
NAT Troubleshooting
If you must trace a NAT operation, use the debug ip nat [list | detailed] command described in
this table.
debug ip nat [list | detailed] Command
Command: Description
debug ip nat [list | detailed]: Displays a line of output for each packet that gets translated
As shown in the figure, the debug output includes these key points:
The asterisk next to NAT indicates that the translation is occurring in the fast path. The first
packet in a conversation will always go through the slow path (being process-switched).
The remaining packets will go through the fast path if a cache entry exists.
s=10.1.1.1 is the source address and is being translated to 192.168.2.1.
d=172.16.2.2 is the destination address.
The value in brackets is the IP identification number. This information may be useful for
debugging because, for example, it can enable you to correlate with other packet traces
from sniffers.
NAT Troubleshooting (Cont.)
The debug ip nat [detailed] command generates a description of each packet that is being
considered for translation. This command also outputs information about certain errors or
exceptional conditions, such as the failure to allocate a global address. In addition to the
information provided by the basic debug ip nat command, the detailed option reports the
protocol and the source and destination port numbers for inbound and outbound translations.
As shown in the figure, the debug output includes these key points:
“i:” indicates a packet arriving on the inside interface requiring address translation.
“o:” indicates a packet arriving on the outside interface requiring address translation.
“tcp” refers to the protocol of the packet.
The value following the IP address represents the port number.
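An added example, not from the course: Python that parses constructed debug ip nat and debug ip nat detailed lines following the conventions described above (NAT* for the fast path, the s=/d= fields, the bracketed IP ID, and the i:/o: direction lines) and correlates the two line types by untranslated source address and IP ID. The exact line layout is assumed from typical IOS output, not taken from the course.

```python
"""Added example (not from the BCRAN course): parse 'debug ip nat' and
'debug ip nat detailed' lines and merge the two lines that describe the same
packet. SAMPLE_DEBUG is constructed; the layout is assumed from typical IOS."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_DEBUG = """\
NAT: i: tcp (10.1.1.1, 1067) -> (172.16.2.2, 23) [6825]
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [6825]
NAT*: o: tcp (172.16.2.2, 23) -> (192.168.2.1, 1067) [3301]
NAT*: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [3301]
NAT*: i: tcp (10.1.1.1, 1067) -> (172.16.2.2, 23) [6826]
NAT*: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [6826]
"""

# Basic line, e.g. "NAT*: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [6825]".
# Only the translated side carries "before->after".
_XLATE = re.compile(
    r"^NAT(?P<fast>\*?): s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?,"
    r" d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<id>\d+)\]$")
# Detailed line, e.g. "NAT: i: tcp (10.1.1.1, 1067) -> (172.16.2.2, 23) [6825]".
_DETAIL = re.compile(
    r"^NAT(?P<fast>\*?): (?P<dir>[io]): (?P<proto>\w+)"
    r" \((?P<sip>[\d.]+), (?P<sport>\d+)\) -> \((?P<dip>[\d.]+), (?P<dport>\d+)\)"
    r" \[(?P<id>\d+)\]$")

Key = Tuple[str, int]  # (untranslated source address, IP identification)


@dataclass
class Packet:
    ip_id: int
    fast_path: bool                  # True when the line carried "NAT*"
    direction: Optional[str] = None  # "i" from inside, "o" from outside
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_before: Optional[str] = None
    src_after: Optional[str] = None
    dst_before: Optional[str] = None
    dst_after: Optional[str] = None


def parse_debug(text: str) -> Dict[Key, Packet]:
    """Merge the detailed (i:/o:) line and the s=/d= line of one packet.
    The IP ID alone is not unique across hosts, so the key also carries the
    source address as it appears before translation."""
    packets: Dict[Key, Packet] = {}
    for line in text.splitlines():
        m = _DETAIL.match(line)
        if m:
            key = (m["sip"], int(m["id"]))
            p = packets.setdefault(key, Packet(int(m["id"]), m["fast"] == "*"))
            p.direction, p.proto = m["dir"], m["proto"]
            p.src_port, p.dst_port = int(m["sport"]), int(m["dport"])
            continue
        m = _XLATE.match(line)
        if m:
            key = (m["s"], int(m["id"]))
            p = packets.setdefault(key, Packet(int(m["id"]), m["fast"] == "*"))
            p.src_before, p.dst_before = m["s"], m["d"]
            p.src_after = m["s2"] or m["s"]  # unchanged side has no "->"
            p.dst_after = m["d2"] or m["d"]
    return packets


def path_counts(packets: Dict[Key, Packet]) -> Counter:
    """Count process-switched (slow path) versus cached (fast path) packets."""
    return Counter("fast" if p.fast_path else "slow" for p in packets.values())


def slow_path_ids(packets: Dict[Key, Packet]) -> List[int]:
    """IP IDs of slow-path packets; per the course, only the first packet of a
    conversation is process-switched, so these mark new translations."""
    return sorted(p.ip_id for p in packets.values() if not p.fast_path)


if __name__ == "__main__":
    pk = parse_debug(SAMPLE_DEBUG)
    print(dict(path_counts(pk)), "slow-path IDs:", slow_path_ids(pk))
    for p in pk.values():
        print(f"[{p.ip_id}] {p.direction}: {p.proto} {p.src_before}->{p.src_after}"
              f" to {p.dst_before}->{p.dst_after}")
```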
NAT Entry Clearing
This topic describes how to clear NAT entries.
Clearing NAT Entries
If you must clear a dynamic translation entry, use the commands in the table here.
Commands for Clearing NAT Entries
Command: Description
clear ip nat translation *: Clears all translation entries
clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]: Clears a simple translation entry containing an inside translation, or both an inside and outside translation
clear ip nat translation outside local-ip global-ip: Clears a simple translation entry containing an outside translation
clear ip nat translation protocol {inside global-ip global-port local-ip local-port | outside local-ip local-port global-ip global-port}: Clears an extended entry (in its various forms)
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• NAT technology enables private IP networks that use
nonregistered IP addresses to connect to a public
network.
• NAT can be used for translating inside source addresses.
• NAT can be used for overloading inside global
addresses.
• Configure dynamic NAT and enable overloading of global
addresses.
• Use show commands to verify correct operation of NAT.
• Use debug commands to identify specific operations
in NAT.
• Use clear commands to remove specific or all NAT
entries.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) How does NAT help solve the limited IP address problem?
A) NAT allows the use of restricted IP addresses on the public Internet.
B) NAT translates 32-bit IP addresses to 48-bit IP addresses.
C) NAT has you renumber all your existing addresses to restricted IP addresses.
D) NAT translates inside private addresses to legal outside addresses.
Q2) Which is a legitimate public IP address that represents one or more inside local IP addresses to the outside world?
A) inside local IP address
B) inside global IP address
C) outside global IP address
D) outside local IP address
Q3) What is the process of using unique TCP and UDP port numbers to distinguish translations for traffic sourced from the same IP address?
A) overloading inside global addresses
B) translating inside source addresses
C) handling overlapping networks
D) translating inside global addresses
Q4) When translating inside source addresses, the inside local IP address is translated to the ________.
A) inside IP address of the NAT router
B) outside global IP address of the source host device
C) inside global IP address of the source host device
D) outside global IP address of the destination host device
Q5) Here is the output of a show ip nat translations command:
Pro  Inside Global      Inside Local     Outside Local   Outside Global
tcp  192.168.2.1:11003  10.1.1.1:11003   172.16.2.2:23   172.16.2.2:23
tcp  192.168.2.1:1067   10.1.1.2:1067    172.16.2.3:23   172.16.2.3:23
Which type of NAT function do these lines indicate is occurring?
A) dynamic translation of outside local addresses
B) static translation of inside local addresses
C) overloading inside global addresses
D) this is an error display; no NAT function is occurring
Q6) When translating inside source IP addresses, you use the ip nat pool command to provide a pool of ________.
A) static inside global IP addresses
B) static outside local IP addresses
C) dynamic inside local IP addresses
D) dynamic inside global IP addresses
Q7) Which best describes the overloading of inside global addresses using NAT?
A) translating multiple inside addresses to a single global IP address
B) translating multiple inside addresses to multiple outside IP addresses
C) combining two networks that have the same IP addresses
D) translating a single inside address to multiple outside IP addresses
Q8) Which command can you use to verify NAT is operating?
A) show ip nat status
B) show ip nat pool
C) show ip nat translations
D) show ip route
Q9) What does the detailed option for the debug ip nat command display?
A) packet switched from cache entry
B) inside-to-outside NAT IP address and port translations
C) inside-to-outside NAT IP address translations
D) NAT translations timers
Q10) Which command clears an extended IP NAT translation?
A) clear ip nat translation
B) clear ip nat translation inside
C) clear ip nat translation outside
D) clear ip nat translation protocol inside
Quiz Answer Key
Q1) D  Relates to: NAT Overview
Q2) B  Relates to: NAT Concepts and Terminology
Q3) A  Relates to: NAT Operation
Q4) C  Relates to: Inside Source Address Translation
Q5) C  Relates to: Inside Global Address Overload
Q6) D  Relates to: Dynamic NAT Configuration
Q7) A  Relates to: Inside Global Address Overload Configuration
Q8) C  Relates to: NAT Verification and Troubleshooting
Q9) A  Relates to: NAT Troubleshooting
Q10) D  Relates to: NAT Entry Clearing
Describing Cable Technology
Overview
This lesson covers cable technology concepts and the physical infrastructure of a cable link.
Relevance
Cable technology can provide a reliable high-speed alternative for remote access to a central
site.
Objectives
Upon completing this lesson, you will be able to:
Describe a traditional hybrid fiber-coaxial architecture
Describe how data services can be delivered over a cable network
Describe how data signals are transmitted over RF channels
Describe current trends in digital cable systems
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Cable Features
Data over Cable
Cable System Functionality
Cable System Components
Hybrid Fiber-Coaxial Architecture
Digital Signals over RF Channels
Cable Technology Terms
Cable Technology: Putting It All Together
Process for Provisioning a Cable Modem
Configuration of a Router with a Cable Modem
Summary
Quiz
Cable Features
This topic describes the features of cable technology.
What Is Cable?
• Cable refers to use of coaxial cable for signal transmission.
• CATV: originally meant “community antenna television.”
• Cost-effective “broadcast” architecture cascaded to users.
• Can offer voice and data as well as analog and digital video.
CATV, commonly called cable TV, was invented to solve the problem of poor TV reception.
To ensure that consumers could obtain cable service with the same TV sets that they use to
receive over-the-air broadcast TV signals, cable operators recreate a portion of the over-the-air
radio frequency (RF) spectrum within a sealed coaxial cable line.
Since the introduction of high-speed data and telephony and other such services, it has become
more common for the larger cable operators to have telephone switches and the cable modem
termination system (CMTS). These cable operators also maintain other equipment in the same
facility, taking care of both telephony and data services, in addition to analog and digital video
services.
Small and medium-size businesses can gain the following benefits from high-speed cable
Internet access:
Virtual Private Network (VPN) connectivity to corporate intranets
SOHO capabilities for work-at-home employees
Interactive television
PSTN-quality voice and fax calls over the managed IP networks
Businesses large and small have employees who work from their homes. To stay in touch,
employees need secure high-speed remote access to the corporate intranet and access to the
Internet for e-mail communication with customers and suppliers.
Data over Cable
This topic describes how data services can be delivered over a cable network using fiber cable
technology.
Why Fiber?
• Small size
• Lightweight
• Easy to handle
• Immune to external interference
Fiber is used to replace cable amplifiers throughout the cable plant. Amplifiers are placed
approximately every 2000 feet to ensure that all RF signals will be delivered to the home of the
user with enough power and clarity to receive all channels within the spectrum (50 to 860
MHz) for analog TV, digital TV, and digital data cable modem services.
In a 20-mile plant, approximately 52 amplifiers would be used to reach the last house 20 miles
away. Fiber allows the cable operator to run longer distances, with less noise, and to remove
amplifiers from the link.
The downstream traffic emanates from the headend and is injected into a trunk cable, at signal
strength above 50 dB. Feeder cables emanate from the trunk cables. Passive devices called
splitters divide the traffic at branching points to provide geographical coverage.
Cable System Functionality
This topic describes how data services can be delivered over a cable network.
How a Cable System Works
Headend:
• Somewhat analogous to a telephone company CO
• A facility where signals are received, processed,
formatted, and combined
• Cable signals transmitted on the distribution network
The headend and its connected coaxial cables and subscribers constitute a cable system. In most
cases, a cable system is a local operation in a given community that includes:
A business office
A variety of technical facilities, including the cable network itself
A warehouse where materials and spare parts are kept
A storage lot where vehicles are parked and some materials are stored
The headend is where the cable operator puts the various channels on the frequencies that are
compatible with the cable network.
Larger cable systems will be much more complex and may serve several communities in a
geographical area. Big companies that operate multiple systems are called multiple service
operators (MSOs).
How a Cable System Works (Cont.)
Distribution network
• In a hybrid fiber-coaxial (HFC) architecture, optical fiber
replaces trunk portion of the distribution network.
• Small service areas, each with from as few as 100 to as many
as 2,000 homes passed.
• Fiber connects between the headend (or hub) and an optical
node, where light is converted to RF.
• From the node, RF signals are distributed throughout the
serving area via coaxial cable.
The distribution network is made up of fiber and coaxial cabling, which carry television signals
toward the subscriber. The last part, and also one of the most infamous parts of the cable
network, is the subscriber drop. The subscriber drop includes the following:
Everything from the connection to the feeder out of the utility pole
Set-top box
Grounding and attachment hardware
Cable
All the bits and pieces that make that final connection work
Cable System Components
This topic describes the components of a cable system delivering data services.
Cable System Components
The major components of a cable system include:
Antenna site: The location of main receiving antennas for broadcast and satellite reception.
Headend: Somewhat analogous to a CO of a telephone company. A facility where signals
are received, processed, formatted, and combined for transmission on the distribution
network.
Transportation network: Used where necessary to link a remote antenna site to a headend
or a remote headend to the distribution network. Also used to link microwave, fiber, or
coaxial supertrunk.
Distribution network: In a classic tree-and-branch cable system, trunk and feeder cables
constitute the distribution network. The trunk is the backbone. The trunk distributes signals
throughout the community that is being served and typically uses 0.750-inch (19 mm)
diameter coaxial cable. The feeder branches off the trunk and passes all of the homes in the
service area, typically using 0.500-inch (13 mm) diameter coaxial cable.
Subscriber drop: Connection between the feeder portion of distribution network and the
subscriber terminal (TV set, VCR, and so forth). Includes coaxial (typically 59-series or
6-series coaxial cable), hardware, passive devices, and set-top box.
This topology minimizes the amount of wiring that is required and is a natural topology for
broadcasting. The fundamental technical problem encountered by cable TV engineers is that
broadcast analog signal strength attenuates (weakens) as it moves through conducting material.
Outside noise, weather, and temperature changes affect signal strength through coaxial cable.
To combat these problems, cable operators use fiber-optic cable in place of coaxial cable
trunks.
Hybrid Fiber-Coaxial Architecture
This topic describes current trends in digital cable systems.
Hybrid Fiber-Coaxial Architecture
• Segments network into smaller serving areas
• Use of fiber minimizes cascaded devices
• Improved quality and reliability
• Reduced operating costs
To offer high-speed Internet services, a cable operator creates a data network that operates over
the HFC system. To deliver data services over a cable network, one 6-MHz television channel
(in the 50-to-750 MHz range) is typically allocated for downstream traffic to homes, and
another 6-MHz channel (in the 5-to-42 MHz band) is used to carry upstream signals.
A headend CMTS communicates through these channels with cable modems that are located in
subscriber homes to create a virtual LAN connection.
This upstream and downstream bandwidth is shared by the active data subscribers that are
connected to a given cable network segment, typically 500 to 2,000 homes on a modern HFC
network. The tree-and-branch network architecture for HFC can be a fiber backbone, cable area
network, superdistribution, Fiber to the Feeder, or a ring.
An individual cable modem subscriber may experience access speeds from 500 kbps to
2.5 Mbps, depending on the network architecture and traffic load.
If high usage does begin to cause congestion, cable operators have the flexibility to add more
bandwidth for data services. A cable operator can simply allocate an additional 6-MHz video
channel for high-speed data, doubling the downstream bandwidth that is available to users.
Another option for adding bandwidth is to subdivide the physical cable network by running
fiber-optic lines deeper into the neighborhoods. This practice reduces the number of homes that
are served by each network segment and increases the amount of bandwidth that is available to
customers.
Digital Signals over RF Channels
This topic describes the current RF used in digital cable systems.
Digital Signals over RF Channels
• Cable uses radio frequency (RF) electromagnetic energy.
• Frequencies from a few hundred kilohertz to just below infrared.
• RF spectrum usage in sub-split cable networks has two paths:
– Headend-to-subscriber is the downstream path:
50 MHz to 860 MHz—this is 810 MHz of RF bandwidth
– Subscriber-to-headend is the upstream path:
5 MHz to 42 MHz—this is 37 MHz of RF bandwidth
When you tune your FM radio across the spectrum to find different radio stations, you are
tuning that radio to different electromagnetic frequencies across the spectrum. Cable works the
same way.
The cable TV industry uses the portion of the electromagnetic spectrum between approximately
5 MHz and 1 GHz. This band is in a portion of the electromagnetic spectrum known as radio
waves and is commonly referred to as RF.
Cable carries TV channels or data carriers at different frequencies. The equipment in the
subscriber home is able to tune to those frequencies and allow the customer to view the
channel, either on the TV or through a cable modem, and route that information to a computer.
Cable networks can transmit signals in both directions simultaneously on the same cable.
Outgoing frequencies to the customer are in the 50-to-860 MHz range, while the incoming
frequencies are in the 5-to-42 MHz range.
The downstream path is divided into 6-MHz (or 7-MHz or 8-MHz) channels as defined by a
frequency plan.
The cable TV spectrum has been defined by the cable industry as:
Very high frequency (VHF) low band (TV channels 2 through 6)
VHF midband (TV channels 98, 99, and 14 through 22)
VHF high band (TV channels 7 through 13)
VHF superband (TV channels 23 through 36)
VHF hyperband (TV channels 37 and higher)
The upstream or the reverse path is the frequency that is used to transmit signals from the
customer back to the cable company. The reverse path operates in the 5-to-42 MHz span.
The upstream path has no frequency plan. It is up to the cable operator to monitor the frequency
band of the upstream and place the data signals into clean areas where there is no interference
from noise and other signals. Usually, the area between 5 and 15 MHz is noisy and is unusable.
Digital Signals over RF Channels (Cont.)
Data-over-Cable Service Interface Specification (DOCSIS):
• RF interface specification of minimum recommended technical
performance requirements for data
• Cable modem termination system (CMTS) and cable modem
(CM) vendors must pass certification
• CableLabs tests and grants (or withholds) DOCSIS “Certified” or
“Qualified” status
• Cable operators purchase certified/qualified equipment to
ensure interoperability with vendors
– Reference:
• www.cablemodem.com/specifications
• A variation is Euro-DOCSIS standards that use 7 MHz and 8 MHz
for cable plants
Data-over-Cable Service Interface Specifications (DOCSIS) defines specific bandwidths for
data signals (200 kHz, 400 kHz, 800 kHz, 1.6 MHz, and 3.2 MHz) that the cable operator can
use.
The cable TV industry assigns the available spectrum to serve two purposes. Under the
National Television Standards Committee (NTSC) standard, the North American TV standard,
each country can determine its own splits and frequency assignments. DOCSIS specifications
are based on NTSC TV channel plans. Euro-DOCSIS specifications are written for Phase
Alternating Line (PAL) based deployments.
There are three DOCSIS standards currently used:
DOCSIS 1.0 was the first standard.
DOCSIS 1.1 was the standard needed to deploy VoIP packet cable with end-to-end quality.
DOCSIS 2.0, a standard in progress, will be able to provide 30 Mbps in the upstream path.
For more information, refer to the following:
www.cablemodem.com/specifications/specifications10.html
www.cablemodem.com/specifications/specifications11.html
www.cablemodem.com/specifications/specifications20.html
There is a separate set of standards for Euro-DOCSIS. This standards variation defines the
physical layers as they fit into 7-MHz and 8-MHz plants around the world. Euro-DOCSIS
standards specify 108 to 810 MHz for the downstream. These Euro-DOCSIS standards are:
SP-RFI-C01-01119 for DOCSIS 1.0, now ANSI/SCTE 22-1 2002
SP-RFIv1.1-I08-020301 for DOCSIS 1.1, now ANSI/SCTE 23-1 2002
Cable Technology Terms
This topic summarizes basic terms, standards organizations, and RF signaling terms.
Identifying Cable Technology Terms
Basic Cable Terms
• Broadband
• CATV: Originally community antenna television
• Coaxial cable
• Headend
• Downstream (DS)
• Upstream (US)
The following key terms are commonly used to describe cable technology basics:
Broadband: Refers to the ability to frequency-division multiplex (FDM) many signals in a
wide RF bandwidth over an HFC network and the ability to handle vast amounts of
information.
Coaxial cable: The principal physical medium with which cable TV systems are built.
Coaxial cable is used to transport RF signals. Coaxial cable signal loss (attenuation) is a
function of the diameter of the cable, dielectric construction, ambient temperature, and
operating frequency (f).
Headend: The location where the cable company aggregates, combines, mixes, and
modulates all signals to send them downstream. Upstream signals usually are received in
the headend.
Downstream: RF signal flow from headend toward subscribers. Also called forward path.
Upstream: RF signal flow from the subscribers to the headend. Also called the return or
reverse path.
Identifying Cable Technology Terms (Cont.)
• NTSC: National Television System Committee
• PAL: Phase Alternating Line
• SECAM: Sequential Couleur avec Mémoire
The following are commonly used standards:
National Television System Committee (NTSC): This North American TV technical
standard is named after the organization that created it in 1941. Uses a 6-MHz modulated
signal.
Phase Alternating Line (PAL): This TV system is used in most of Europe, Asia, Africa,
Australia, Brazil, and Argentina. The color difference signals alternate phase at the
horizontal line rate. Uses a 6-MHz, 7-MHz, or 8-MHz modulated signal, depending on the
PAL version.
Sequential Couleur avec Mémoire (SECAM): This TV system is used in France and
other eastern European countries. Uses an 8-MHz modulated signal.
Identifying Cable Technology Terms (Cont.)
• Carrier or RF carrier
• Spectrum reuse
• FDM: Frequency-division multiplexing
• QPSK—Quadrature phase shift keying
• QAM—Quadrature amplitude modulation
• Carrier-to-noise: C/N (also CNR)
• Signal-to-noise: S/N (also SNR)
• Ingress noise
• FEC: Forward error correction
The following are important cable technology terms about RF signal handling:
Carrier: Also RF carrier. An electromagnetic signal on which another, lower-frequency
signal (usually baseband, such as analog audio, analog video, or digital data) is modulated
to transport the lower-frequency signal to another location.
Spectrum reuse: The most fundamental concept of cable TV is spectrum reuse.
Historically, the over-the-air spectrum has been assigned to many uses: two-way radio,
broadcasting, cellular phones, and pagers. Much of the spectrum is therefore not available
for the carriage of just TV. The result is an inadequate supply of spectrum to serve viewer
needs. Cable operators can reuse spectrum that is “sealed” in the coaxial cables of their
networks.
Frequency-division multiplexing (FDM): An RF transmission method in which a number
of transmitters share a transmission medium. Each transmitter occupies a different
frequency.
Quadrature phase shift keying (QPSK): A digital modulation method in which the phase
of the RF carrier is varied to transmit data. There are 2 bits per symbol.
Quadrature amplitude modulation (QAM): A digital modulation method in which the
phase and amplitude of an RF carrier are varied to transmit data. Typical QAM types are
16-QAM (4 bits per symbol), 64-QAM (6 bits per symbol), and 256-QAM (8 bits per
symbol).
Carrier-to-noise (C/N): Also carrier-to-noise ratio (CNR). The difference in amplitude
between the desired RF carrier and the noise in a defined bandwidth.
Signal-to-noise (S/N): Also signal-to-noise ratio (SNR). Similar to C/N but relates to a
baseband signal.
Ingress noise: Over-the-air (OTA) signals that are coupled into the nominally-closed
coaxial cable distribution system, generally via damaged cable, other network components,
or poorly shielded TVs and VCRs. Difficult to track down and intermittent in nature.
Forward error correction (FEC): In data transmission, a process by which data is added
that is derived from the payload by an assigned algorithm. It allows the receiver to
determine if certain classes of errors have occurred in transmission and, in some cases,
allows other classes of errors to be corrected.
Cable Technology: Putting It All Together
This topic describes the use of the various cable components and the issues surrounding the
technologies that are described in this module.
Putting Cable Technology All Together
• Components
– Router and HFC interface (DS/US ports)
– Bi-directional amplifiers
– Cable modem
• Issues
– Broadcast DS
– NBMA US
In the figure shown, the various cable technologies are combined to show how they work
together. In the downstream path, entertainment signals come in on the left through satellite
dishes, antennas, and analog and digital video servers.
The signals are combined onto a coaxial cable in the headend, and then are presented to a fiber
transmitter. The fiber transmitter converts the signals into light and sends them to a fiber node
somewhere in town.
Farther down the distribution network, the light is converted back to an RF signal and
distributed through an amplifier network by the use of taps and drops.
The cable modem receives RF signals, tunes the RF signal, demodulates the data signal back
into digital data, and then presents it to the PC.
In the upstream path, the cable modem takes the response from the PC, modulates it to an RF
signal, and transmits it at a specific frequency and power level determined by the CMTS. The
signal travels back into the drop, the tap, the distribution network, and the fiber, and eventually
reaches the CMTS.
The CMTS tunes the RF signal, demodulates the data signal back to digital, and routes it to the
Internet.
Process for Provisioning a Cable Modem
This topic describes the steps that provision a cable modem to work in a SOHO of a subscriber
that uses TCP/IP.
Process for Provisioning a Cable Modem
The cable modem:
• Scans and locks on the RF data channel in the downstream
• Gets info on how to communicate in the upstream path
• Establishes terminations for Layer 1 and 2 communications
• Requests an IP address from a DHCP server
• Requests a DOCSIS configuration file from a TFTP server
• Registers any QoS
• Enables the PC-based network initialization
Several steps are required to provision a cable modem to operate with a host system for
Internet services, including delivery of Cisco Architecture for Voice, Video and Integrated Data
(Cisco AVVID) content.
Cable modems are designed and coded to perform these specific DOCSIS-defined steps in the
initialization and registration sequence:
Step 1
The cable modem powering up must scan and lock on the RF data channel in the
downstream path.
Step 2
The modem must read specific maintenance messages in the downstream path that
inform it how, where, and when to communicate in the upstream path.
Step 3
The modem communicates with the CMTS to establish Layer 1 and 2
communications.
Step 4
The cable modem then requests an IP address and core configuration information
from a Dynamic Host Configuration Protocol (DHCP) server. DHCP servers must
support RFC 2131 to provide IP addresses to the cable modem.
Step 5
The modem requests a DOCSIS configuration file from a TFTP server. DOCSIS
configuration files are ASCII files created by special DOCSIS editors. To handle the
request of the modem, the TFTP server must support RFC 1350.
Step 6
The cable modem registers with the CMTS, negotiating and ensuring any QoS.
Step 7
After the cable modem initialization has completed, the PC downstream from the cable
modem can request its own IP address from a DHCP server.
Configuration of a Router with a Cable Modem
This topic provides a sample configuration of a Cisco 806 router with an external cable modem.
hostname KENSROUTER
!
logging rate-limit console 10 except errors
enable secret andrewisgood
!
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
!
no ip dhcp-client network-discovery
lcp max-session-starts 0
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no cdp enable
 hold-queue 32 in
 no shut
!
interface Ethernet1
 ip address dhcp
 ip nat outside
 no cdp enable
 no shut
!
ip nat inside source list 102 interface Ethernet1 overload
ip classless
!
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password kenisgood
 login
!
scheduler max-task-time 5000
end
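As an added example (not from the course material or from Cisco), the following Python script reads an IOS-style configuration and flags the remote-access weaknesses a reviewer would raise against a listing like the one above: line passwords kept in clear text, one shared vty password instead of per-user logins, exec-timeout 0 0 on the vty lines, a transport input not restricted to SSH, no access-class on the management lines, and no inbound ACL on the NAT outside interface. The two embedded configurations are constructed excerpts with placeholder secrets, not the router's actual configuration.

```python
"""Audit an IOS-style configuration for weak remote-access settings.

Added example, not part of the BCRAN course material or any Cisco tool.  The two
embedded configurations are constructed excerpts with placeholder secrets: the
first mirrors the shape of the Cisco 806 listing on this page, the second shows
the same router with the findings addressed.
"""

SAMPLE_CONFIG = """\
hostname SAMPLEROUTER
enable secret <enable-secret-placeholder>
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address dhcp
 ip nat outside
 no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
line con 0
 exec-timeout 120 0
line vty 0 4
 exec-timeout 0 0
 password <vty-password-placeholder>
 login
end
"""

HARDENED_CONFIG = """\
service password-encryption
hostname SAMPLEROUTER
enable secret <enable-secret-placeholder>
username admin secret <user-secret-placeholder>
!
interface Ethernet1
 ip address dhcp
 ip nat outside
 ip access-group 110 in
!
line vty 0 4
 exec-timeout 10 0
 access-class 10 in
 login local
 transport input ssh
end
"""


def parse_sections(config):
    """Map each top-level command to the list of sub-commands indented under it."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line[0].isspace() and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections


def audit(config):
    """Return (code, location, advice) tuples for each weakness found."""
    sections = parse_sections(config)
    findings = []
    if "service password-encryption" not in sections:
        findings.append(("NO_PASSWORD_ENCRYPTION", "global",
                         "line and username passwords are stored in clear text"))
    if any(cmd.startswith("enable password") for cmd in sections):
        findings.append(("ENABLE_PASSWORD", "global",
                         "use 'enable secret' (hashed) instead of 'enable password'"))
    for name, cmds in sections.items():
        if name.startswith("interface") and "ip nat outside" in cmds:
            if not any(c.startswith("ip access-group") and c.endswith(" in") for c in cmds):
                findings.append(("OUTSIDE_NO_INBOUND_ACL", name,
                                 "no inbound ACL on the Internet-facing interface"))
        if not name.startswith("line vty"):
            continue
        if any(c.startswith("password ") for c in cmds) and "login" in cmds:
            findings.append(("VTY_SHARED_PASSWORD", name,
                             "one shared line password; prefer 'login local' or AAA"))
        if "exec-timeout 0 0" in cmds:
            findings.append(("VTY_NO_EXEC_TIMEOUT", name, "idle sessions never expire"))
        if not any(c.startswith("transport input") and "ssh" in c
                   and "telnet" not in c and "all" not in c for c in cmds):
            findings.append(("VTY_TELNET_ALLOWED", name,
                             "transport input is not restricted to ssh"))
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(("VTY_NO_ACCESS_CLASS", name,
                             "no access-class limits who can reach the vty lines"))
    return findings


if __name__ == "__main__":
    for code, where, advice in audit(SAMPLE_CONFIG):
        print(f"{code:24} {where:20} {advice}")
```

Feed audit() the text of show running-config; every finding names the section it applies to, and the hardened excerpt shows the minimal set of commands that clears all of them.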
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• Cable networks can offer voice and integrated data as well as
analog and digital video.
• Cisco high-speed cable Internet equipment uses the HFC
system.
• On a cable network:
– One 810-MHz channel carries downstream traffic from the
headend to subscribers.
– Another 37-MHz channel carries upstream signals from the
subscriber toward the headend.
• DOCSIS is the cable service interface standard for data carried
across RF interfaces.
• The DOCSIS CMTS communicates through channels with
cable modems located in subscriber homes.
Quiz
Use the practice items here to review what you have learned in this lesson. The correct answers
follow in the Quiz Answer Key.
Q1) CATV, commonly called cable TV, was invented to solve what consumer problem?
A) no data communications
B) cost-effectiveness
C) poor TV reception
D) not enough channels
Q2) The downstream video traffic emanates from the headend and is injected into a trunk
cable at signal strength above _____.
A) 25 dB
B) 50 dB
C) 75 dB
D) 100 dB
Q3) The _____ is the beginning of the cable distribution network.
A) headend
B) MSO
C) cable system
D) CSP
Q4) The subscriber drop includes _____.
A) the set-top box
B) the TV set
C) everything up to the utility pole feeder
D) the backyard pedestal
Q5) Which of the following does not affect signal strength through coaxial cable?
A) weather
B) outside noise
C) temperature changes
D) topology
Q6) An individual cable modem subscriber may experience access speeds from _____.
A) 128 kbps to 2.5 Mbps
B) 250 kbps to 2.5 Mbps
C) 500 kbps to 2.5 Mbps
D) 800 kbps to 2.5 Mbps
Q7) The upstream frequencies coming from the customer are in the range of _____.
A) 5 to 42 kHz
B) 5 to 42 MHz
C) 5 to 42 GHz
D) all of the above
Q8) _________ defines specific bandwidths for data signals (200 kHz, 400 kHz, 800 kHz,
1.6 MHz, and 3.2 MHz) that the cable operator can use.
A) Euro-DOCSIS
B) DOCSIS
C) NTSC
D) PAL
Q9) The location where the cable company aggregates, combines, mixes, and modulates all
signals to send them downstream is called _____.
A) headend
B) DOCSIS
C) NTSC
D) PAL
Q10) _____ is the TV system used in most of Europe.
A) Euro-DOCSIS
B) DOCSIS
C) NTSC
D) PAL
Q11) In what path are signals demodulated back to digital?
A) upstream
B) downstream
C) CMTS
D) RF
Q12) Where does a PC receive an IP address in a CMTS?
A) from headend
B) from DHCP server
C) from TFTP server
D) from DOCSIS
Quiz Answer Key
Q1) C
Relates to: Cable Features
Q2) B
Relates to: Data over Cable
Q3) A
Relates to: Data over Cable
Q4) A
Relates to: Cable System Functionality
Q5) D
Relates to: Cable System Components
Q6) C
Relates to: Hybrid Fiber-Coaxial Architecture
Q7) B
Relates to: Digital Signals over RF Channels
Q8) B
Relates to: Digital Signals over RF Channels
Q9) A
Relates to: Cable Technology Terms
Q10) D
Relates to: Cable Technology Terms
Q11) B
Relates to: Cable Technology: Putting It All Together
Q12) B
Relates to: Process for Provisioning a Cable Modem
Defining DSL Technology
Overview
This lesson distinguishes among the variations of DSL and explains the various encapsulation
methods, including Point-to-Point Protocol over ATM (PPPoA), Point-to-Point Protocol over
Ethernet (PPPoE), and RFC 1483 Bridged.
Relevance
DSL technology can provide a reliable high-speed alternative for remote access to a central site.
Objectives
Upon completing this lesson, you will be able to perform the following tasks:
Describe DSL fundamentals
Describe the various types of DSL
Describe the distance limitations of DSL
Describe the fundamentals of ADSL
Describe how ADSL and POTS coexist
Describe encapsulation types for ADSL
Describe bridging functionality
Describe PPPoE functionality
Describe PPPoA functionality
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
DSL Features
DSL Types
DSL Limitations
ADSL
ADSL and POTS Coexistence
ADSL Channels and Encoding
Data over ADSL: Bridging
Data over ADSL: PPPoE
Data over ADSL: PPPoA
Summary
Quiz
DSL Features
This topic describes the features of DSL.
What Is DSL?
DSL is a family of access technologies that utilize high transmission frequencies (up to 1 MHz)
to deliver high bandwidth over conventional copper wiring at limited distances.
DSL, although considered an end-to-end solution, really occurs only in the local loop between
the customer premises equipment (CPE) and the digital subscriber line access multiplexer
(DSLAM). A DSLAM is the device in the CO that is used to terminate many Layer 1 DSL
connections. Like dial, cable, wireless, and T1, DSL by itself is a Layer 1 transmission
technology, not a complete end-to-end solution.
DSL uses the high-frequency range of up to approximately 1 MHz. For example, asymmetric
digital subscriber line (ADSL) uses the frequency range of approximately 20 kHz to 1 MHz.
ADSL does not overlap the plain old telephone service (POTS) voice frequency range.
Therefore, POTS and ADSL service can coexist over the same wire. Other DSL variants, such
as single-line digital subscriber line (SDSL), use a frequency range that overlaps the POTS
voice frequency range. Therefore, POTS and SDSL services cannot coexist over the same wire.
DSL Types
This topic describes the various types of DSL.
DSL Variants Examples
• Asymmetric DSL (ADSL)
– Key feature: Slow travel upstream (from subscriber to CO), fast travel
downstream (from CO to subscriber)
• Single-Line DSL (SDSL)
– Key feature: Upstream and downstream speeds are the same
• G.SHDSL
– Key feature: G.SHDSL is a new standard that was developed by the
International Telecommunications Union (ITU) that addresses the
worldwide SDSL market.
• Integrated Services Digital Network DSL (IDSL)
– Key feature: No call setup
• Very-High-Data-Rate DSL (VDSL)
– Key feature: Very high speed with shorter reach
• High-Data-Rate DSL (HDSL)
– Key feature: Used to replace T1 or E1 service
DSL variants include the following:
ADSL: With ADSL, the connection speed for downloading data is faster than the
connection speed for uploading data. This type of DSL service is geared more toward a
residential application, where the typical end user is not concerned with being able to send
large amounts of data to the Internet. ADSL is perfect for common residential high-speed
requirements, such as downloading music or movies, playing online games, surfing the
Internet, or receiving large e-mail messages. ADSL provides slow upstream speed for
uploading (sending) low-data-rate requests and fast downstream speed for downloading
bursts of rich graphics and multimedia content.
SDSL: With SDSL, the connection speed for downloading data is exactly the same as the
connection speed for uploading data. This type of DSL service is ideal for a commercial
application where the end user must send large amounts of data over the Internet. SDSL is
perfect for applications such as sending large e-mail messages with attachments to
customers, uploading information to a company or corporate server, or updating web pages.
G.SHDSL: G.SHDSL (symmetric high-data-rate digital subscriber line) is a new standard
developed by the International Telecommunication Union (ITU) that addresses
the worldwide SDSL market. G.SHDSL is multirate, multiservice, extended reach, and
repeatable. Supporting data rates from 192 kbps to 2.3 Mbps, G.SHDSL delivers
approximately 30 percent greater reach than currently deployed DSL technologies and is
expected to rapidly replace the proprietary SDSL implementations of today.
ISDN DSL (IDSL): IDSL is a cross between ISDN and DSL. Like ISDN, it uses a single
wire pair to transmit full-duplex data up to 144 kbps. IDSL also uses a 2B1Q line code to
enable transparent operation through the ISDN U interface. IDSL is essentially a leased-line
ISDN BRI, or an ISDN BRI that is not switched and does not contain signaling (a data
[D] channel). The line can be configured for a speed of 64 kbps, 128 kbps, or 144 kbps.
IDSL carries only data, but is ideal for remote users because the signals can be repeated, as
with ISDN, and because it is billed at a flat rate, thus avoiding per-call fees.
Very-high-data-rate digital subscriber line (VDSL): VDSL delivers 13 to 52 Mbps
downstream and 1.5 to 2.3 Mbps upstream over a single-twisted copper pair. The operating
range of VDSL is limited to 1,000 to 4,500 feet (304.8 to 1,372 meters). The Cisco Long
Reach Ethernet (LRE) solution is based on Ethernet over VDSL.
High-data-rate digital subscriber line (HDSL): HDSL is commonly used as a T1 or E1
replacement. Because HDSL provides T1 or E1 speed, telephone companies have been
using HDSL to provision local access to T1 or E1 services whenever possible. The
operating range of HDSL is limited to 12,000 feet (3658.5 meters), so signal repeaters are
installed to extend the reach.
DSL Limitations
This topic describes the distance limitations of DSL.
DSL Distance Limitations
• The tradeoff between different DSL variants is reach vs. speed.
• Maximum Reach numbers are best-case assuming “clean” copper.
The trade-off among various DSL types is reach versus speed. The longer the local loop, the
lower the maximum speed the DSL connection can support.
For example, VDSL supports the highest speed but it has the shortest distance limitation.
For ADSL, the maximum distance is typically about 18,000 feet (5,460 meters). To support the
maximum ADSL download speed of 8 Mbps, the CPE must be very close to the CO, within
several thousand feet.
The maximum speed listed in the figure assumes that there are minimal local loop impairments.
Here are some of the many local loop impairments that will influence the maximum speed of
the DSL connections and the ability to obtain DSL service in an area:
Loading coils in the local loop: Loading coils will cut off (block) the DSL frequency.
Loading coils are used to improve POTS quality on long local loops. They are effectively
low-frequency band pass filters. Loading coils must be removed from the local loop to
support DSL.
Distance from CO to the DSL CPE: The longer the distance, the lower the speed.
Gauge of wire used in the local loop: Thicker wire supports higher speeds.
Wire gauge change: Changes in wire gauge cause an impedance mismatch that can reduce
speed.
Bridge taps: Bridge taps in the local loop cause reflections that can reduce speed.
Crosstalk: Crosstalk between different wires in the same bundle can cause interference
that can reduce speed.
AM radio: AM radio interference can also reduce speed.
ADSL
This topic describes ADSL fundamental concepts.
ADSL
• ADSL is designed to coexist with POTS, unlike most
other DSL types.
• ADSL provides slow upstream speed for uploading
(sending) low-data-rate requests.
• ADSL provides fast downstream speed for downloading
bursts of rich graphics and multimedia content.
• ADSL features three basic modulation techniques:
– Carrierless Amplitude and Phase
(CAP) modulation
– Discrete MultiTone (DMT)
– Consumer/Mass-Market DMT (G.lite)
NOTE: The type of modulation must match the provider.
ADSL features three basic modulation techniques:
Carrierless Amplitude and Phase (CAP) modulation
Discrete Multitone (DMT) modulation
Consumer/mass-market DMT (G.lite). This technique is the most popular.
DMT is a line code that is implemented in ITU 992.1 (G.dmt), ITU 992.2 (G.lite), and ANSI
T1.413 Issue 2. DMT divides the 1-MHz spectrum offered by a telephone line into multiple
4-kHz subchannels. Each subchannel is optimized based on the local loop characteristics.
In contrast, CAP relies on a single channel for upstream and another single channel for
downstream.
An installer must check with the service provider to determine which modulation technique is
being used. The modulation method used must correspond with the ADSL CPE and the ADSL
modems on the DSLAM.
ADSL and POTS Coexistence
This topic describes how ADSL and POTS coexist.
ADSL and POTS Coexistence
• ADSL permits transmission of voice and data signals on the same wire pair.
• Offloads data circuits from the voice switch.
• POTS splitter at the CO separates analog POTS from data.
• Microfilters at customer premises prevent off-hook interference between
analog voice signal and ADSL signal.
ADSL is designed to coexist with POTS voice service because ADSL does not overlap the
POTS frequency range. ADSL and POTS can be carried over the same wire (local loop) to the
CO.
A POTS splitter at the CO splits up the POTS (voice) and ADSL (data) traffic. The POTS
traffic goes to the voice switch in the CO, and the ADSL traffic goes to the DSLAM in the CO.
The POTS splitter is a passive device. In the event of a power failure, the voice traffic will still
be carried to the voice switch in the CO.
ADSL offloads the data (modem) traffic from the voice switch and keeps analog POTS separate
from data. Separating voice and data traffic provides fail-safe 911 emergency-call services for
POTS operation in the United States.
At the customer premises, a POTS splitter can be installed at the network interface device
(NID) by the service provider technician. However, this process will require a truck roll
(having a technician go out to the customer site to install the POTS splitter) to set up the ADSL
service. Instead of installing a POTS splitter at the NID, most installations today use
microfilters. Microfilters can be installed by the customer and prevent off-hook interference
between the analog voice signal and ADSL signal. A microfilter is a passive low-pass filter
with two ends. One end connects to the telephone, and the other end connects to the telephone
wall jack.
ADSL Channels and Encoding
This topic describes the encapsulation types for ADSL.
ADSL Channels and Encoding
There are two competing and incompatible standards for ADSL. The official American
National Standards Institute (ANSI) and ITU standard for ADSL is DMT. Most of the ADSL
equipment installed today uses DMT. An earlier and more easily implemented modulation
method was the CAP system, which was used on many of the early installations of ADSL.
Unlike DMT, CAP is proprietary.
CAP operates by dividing the signals on the telephone line into three distinct bands. Voice
conversations are carried in the 0-to-4 kHz band, as they are in all POTS circuits. The
upstream channel is carried in a band between 25 and 160 kHz. The downstream channel
begins at 240 kHz and goes up to a point that varies, depending on a number of conditions (line
length, line noise, or number of users in a particular telephone company switch) but has a
maximum of about 1.5 MHz. This system, with the three channels widely separated, minimizes
the possibility of interference between the channels on one line or between the signals on
different lines.
ADSL Basics—CAP vs DMT
Modulation
DMT also divides signals into separate channels, but does not use two fairly broad channels for
upstream and downstream data. Instead, DMT divides the data into 250 separate channels, each
4 kHz. Each channel is monitored and, if the quality is too impaired, the signal is shifted to
another channel. This system constantly shifts signals among different channels, searching for
the best channels for transmission and reception. Because DMT uses 250 channels, it is more
complex to implement than CAP, but it gives more flexibility on lines of differing quality.
G.lite is a less complex version of the DMT standard. Also known as half-rate DMT, G.lite uses
only half as many subchannels as DMT and supports a lower maximum downstream speed of
1.5 Mbps and a maximum upstream speed of 640 kbps.
Data over ADSL: Bridging
This topic describes bridging functionality.
Data over ADSL: Bridging
• Subscriber Ethernet traffic is bridged over ATM using ATM Adaptation Layer 5 (AAL5).
• All subscribers are in the same broadcast domain (this is bridging).
• Bridged traffic can be routed via the BVI interface at the aggregation router.
• The BVI IP address is the default gateway of the end user’s PC.
• Bridging does not scale well.
DSL is a high-speed Layer 1 transmission technology that works over copper wires. ATM is
used as the data-link layer protocol over DSL.
A DSLAM is basically an ATM switch containing DSL interface cards. The DSL Layer 1
connection from the CPE is terminated at the DSLAM. The DSLAM terminates the ADSL
connections, then switches the traffic over an ATM network to an aggregation router. For
example, the Cisco 6160 DSLAM has an OC-3 ATM uplink and can terminate up to 256 DSL
subscriber lines.
There are three major approaches to encapsulating an IP packet over an ATM/DSL connection:
RFC 1483/2684 Bridged
PPPoE
PPPoA
RFC 1483/2684 describes two methods for carrying the traffic over an ATM network. These
methods are routed and bridged protocol data units (PDUs). This topic examines only the
bridged method.
Using RFC 1483 Bridging, the ADSL CPE is bridging the Ethernet frame from the PC of the
end user to the aggregation router (this process will be similar in PPPoE).
At the aggregation router, integrated routing and bridging (IRB) can be used to provide the
ability to route between a bridge group and a routed interface using a concept called
Bridge-Group Virtual Interface (BVI). The BVI, a virtual interface within the router, acts like a
normal routed interface that does not support bridging, but represents the corresponding bridge
group to routed interfaces within the router.
Some of the advantages of bridging are as follows:
Bridging is simple to understand and to implement because there are no complex issues of
routing, authentication requirements for users, and so forth.
The CPE in bridge mode acts as a dumb device and does not require any routing
functionalities.
Troubleshooting is minimal because whatever comes in from the Ethernet side passes
(bridged) over to the ATM WAN side.
Bridging architecture is easy to install because of its simple nature.
Bridging is ideal for single-user Internet access, because the CPE acts as a set-top box.
There is no complex troubleshooting required for upper-layer protocols and there is no
requirement for additional client software installation on the end-user PCs.
Some of the disadvantages of bridging are as follows:
Bridging depends heavily on broadcasts to establish connectivity.
Bridging broadcasts to thousands of users and is inherently unscalable. It consumes
bandwidth across the xDSL loop of users and requires resources at the headend router to
replicate packets for the broadcast over a point-to-point (ATM permanent virtual circuit
[PVC]) medium.
Bridging is inherently insecure and requires a trusted environment because Address
Resolution Protocol (ARP) replies can be spoofed and a network address can be hijacked.
Broadcast attacks can be initiated on the local subnet, which will deny service to all
members of the local subnet.
IP address hijacking is possible in a bridge environment.
In a bridged environment, a DHCP server located at the service provider traditionally
allocates IP addresses to the end-user PC. The BVI IP address is the default gateway of the
end-user PC.
Certain Internet service providers (ISPs) have used an approach of providing illegal IP
addresses to their subscribers and then performing Network Address Translation (NAT) at the
service provider aggregation router. However, this approach does not scale very well as the
number of subscribers increases because the large number of address translations tax the
processing power and memory requirements of the router.
RFC 1483 Bridging is more suitable for smaller ISPs or corporate access, where scalability
does not become an issue. RFC1483 Bridging has become the choice of many smaller ISPs
because it is very simple to understand and implement. However, security and scalability issues
are causing bridging architecture to lose its popularity.
ISPs are now opting for PPPoA or PPPoE, which are more scalable and much more secure than
bridging, but are more complex and not very easy to implement.
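The ARP-spoofing and address-hijacking risks described above are what a monitor on a bridged access segment would watch for. The following Python example (added here; not part of the course material or any Cisco product) runs over a few constructed ARP-reply records of the kind an aggregation router or a span-port sensor would export, and raises an alert when an IP address, in particular the BVI default gateway, starts answering from a different MAC, or when one station emits a burst of replies. All addresses, timestamps and thresholds are sample values.

```python
"""Flag ARP-spoofing symptoms on a bridged access segment.

Added example, not part of the BCRAN course material.  It runs over constructed
ARP-reply records (time in seconds, sender IP, sender MAC) of the kind an
aggregation router or a span-port sensor would export; every address, timestamp
and threshold below is a sample value.
"""
from collections import defaultdict, deque

# Constructed sample: 192.0.2.1 is the BVI (default gateway).  Station ...0b first
# answers for the gateway address and then floods replies; at t=25 the real
# gateway reasserts its binding.
TRUSTED_GATEWAYS = {"192.0.2.1": "02:00:00:00:00:01"}
SAMPLE_ARP_REPLIES = [
    (0.0, "192.0.2.10", "02:00:00:00:00:0a"),
    (1.0, "192.0.2.11", "02:00:00:00:00:0b"),
    (2.0, "192.0.2.1", "02:00:00:00:00:01"),
    (3.0, "192.0.2.1", "02:00:00:00:00:0b"),
    (3.5, "192.0.2.1", "02:00:00:00:00:0b"),
    (4.0, "192.0.2.1", "02:00:00:00:00:0b"),
    (4.5, "192.0.2.1", "02:00:00:00:00:0b"),
    (5.0, "192.0.2.1", "02:00:00:00:00:0b"),
    (20.0, "192.0.2.10", "02:00:00:00:00:0a"),
    (25.0, "192.0.2.1", "02:00:00:00:00:01"),
]


def detect(replies, trusted, flood_threshold=5, window_s=10.0):
    """Return alerts for IP-to-MAC binding changes and per-station reply floods.

    trusted maps protected IPs (gateways) to the MAC that may legitimately
    answer for them; a change to any other MAC is rated critical.
    """
    bindings = {}                    # sender IP -> MAC last seen claiming it
    recent = defaultdict(deque)      # sender MAC -> reply timestamps in the window
    alerts = []
    for t, ip, mac in sorted(replies):   # records must be processed in time order
        previous = bindings.get(ip)
        if previous is not None and previous != mac:
            # An address that moves to another MAC is the hijack symptom.
            hijack = ip in trusted and mac != trusted[ip]
            alerts.append({"kind": "BINDING_CHANGE",
                           "severity": "critical" if hijack else "warning",
                           "ip": ip, "old_mac": previous, "new_mac": mac, "time": t})
        bindings[ip] = mac
        window = recent[mac]
        window.append(t)
        while window and window[0] < t - window_s:
            window.popleft()
        # Alert once, at the moment the station reaches the threshold.
        if len(window) == flood_threshold:
            alerts.append({"kind": "REPLY_FLOOD", "severity": "warning",
                           "mac": mac, "count": len(window), "time": t})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_ARP_REPLIES, TRUSTED_GATEWAYS):
        print(alert)
```

On the sample data the monitor reports the gateway address moving to station 0b as critical, the burst from that station as a flood, and the later return to the real gateway MAC as a warning-level change, which is the sequence a defender would expect to see when a hijacked address is reclaimed.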
Data over ADSL: PPPoE
This topic describes PPPoE functionality.
Data over ADSL: PPPoE
Either workstation has special PPPoE Client software loaded
or the CPE device can be configured to act as the PPPoE Client.
PPPoE is also a bridged solution, similar to RFC 1483/2684 Bridging. As with RFC 1483/2684
Bridging, the CPE is bridging the Ethernet frames from the PC of the end user to an
aggregation router over ATM. But in this case, the Ethernet frame is carrying a PPP frame
inside it. The PPP session is established between the end-user PC (the PPPoE client) and the
aggregation router.
In the PPPoE architecture, the PC of the end user runs the PPPoE client software to connect to
the ADSL service. The PPPoE client software first encapsulates the end-user data into a PPP
frame, and then the PPP frame is further encapsulated inside an Ethernet frame. The IP address
allocation for the PPPoE client is based on the same principle as PPP in dial mode, which is via
IP Control Protocol (IPCP) negotiation, with Password Authentication Protocol (PAP) or
Challenge Handshake Authentication Protocol (CHAP) authentication. The aggregation router
that authenticates the users can use either a local database on the aggregation router or a
RADIUS (authentication, authorization, and accounting [AAA]) server.
PPPoE provides the ability to connect a network of hosts over a simple bridging CPE to an
aggregation router. With this model, a host uses its own PPP stack and the user is presented
with a familiar user interface (using the PPPoE client software) similar to establishing a dialup
connection. Unlike PPPoA, access control, billing, and type of service can be controlled on a
per-user, rather than a per-site, basis.
Note
If supporting end-user PPPoE client software is undesirable, then CPE such as the Cisco
827 router can be configured as the PPPoE client. In this case, the Cisco 827 router acts as
a router rather than as a simple bridge. It can also act as the DHCP server and use
NAT/Port Address Translation (PAT) to allow multiple users behind the router to connect to
the service providers using a single ADSL connection and a single PPP username and
password.
Note
If an external ADSL modem is used, a Cisco 806 router can be used behind the ADSL
modem, and the Cisco 806 router can be configured as the PPPoE client. The Cisco 806
router can also act as the DHCP server and use NAT/PAT to allow multiple users behind the
router to connect to the service providers using a single ADSL connection and a single PPP
username and password.
Data over ADSL: PPPoE (Cont.)
• PPP session is from the end user PC to the aggregation router.
• Subscriber PC IP address assigned by the aggregation router via IPCP.
PPP normally works over a point-to-point connection only. Additional enhancements to PPP
were needed to support PPP over an Ethernet multiaccess environment.
As specified in RFC 2516, PPPoE has two distinct stages, a discovery stage and a PPP session
stage.
When the discovery stage is complete, both PPPoE peers know the PPPoE session ID and the
Ethernet address of the other peer, which together uniquely define the PPPoE session. There are
four steps to the discovery stage:
Step 1
The PPPoE client (end-user PC) broadcasts a PPPoE Active Discovery Initiation
(PADI) packet.
Step 2
The PPPoE server (aggregation router) sends a PPPoE Active Discovery Offer
(PADO) packet.
Step 3
The PPPoE client sends a unicast PPPoE Active Discovery Request (PADR) packet
to the PPPoE server.
Step 4
The PPPoE server sends a PPPoE Active Discovery Session-Confirmation (PADS)
packet.
PPP then goes through the normal Link Control Protocol (LCP) and Network Control Protocol
(NCP, here IPCP) process.
When a host initiates a PPPoE session, it must first perform discovery to identify which PPPoE
server can meet the client request. Then, the host must identify the Ethernet MAC address of
the peer and establish a PPPoE session ID. Although PPP defines a peer-to-peer relationship,
discovery is inherently a client-server relationship. In the discovery process, a host (the PPPoE
client) discovers an aggregation router (the PPPoE server).
There may be more than one PPPoE server that the host (the PPPoE client) can communicate
with, based on the network topology. The discovery stage allows the host to discover all PPPoE
servers and then select one.
When discovery has been completed successfully, both the host and the selected PPPoE server
have the information they will use to build their point-to-point connection over the Ethernet.
After the PPPoE session begins, PPP goes through the normal LCP and NCP (IPCP) process.
A PPPoE Active Discovery Terminate (PADT) packet may be sent anytime after a session has
been established to indicate that a PPPoE session has been terminated. Either the host or the
PPPoE server may send it.
For more information on the PPPoE specification, refer to RFC 2516.
Note
As per RFC 2516, the maximum-receive-unit (MRU) option must not be negotiated to a size
larger than 1492 bytes, because Ethernet has a maximum payload size of 1500 octets. The
PPPoE header is 6 octets and the PPP protocol ID is 2 octets, so the PPP MTU must not be
greater than 1492 bytes (1500 – 8).
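The four discovery steps above and the 1492-byte MRU limit from the note, worked through as an added Python example (not part of the course material or of any Cisco code): it builds and parses PADI, PADO, PADR and PADS frames with their RFC 2516 on-the-wire layout and models an aggregation router that issues an AC-Cookie so it commits no per-client state until a valid PADR arrives. The MAC addresses, AC name, Host-Uniq value and cookie key are constructed sample values, and deriving the cookie as an HMAC over the client MAC is this example's own choice (RFC 2516 leaves the cookie contents opaque to the client).

```python
"""PPPoE discovery stage (RFC 2516) as a self-contained simulation.

Added example, not part of the BCRAN course material: builds and parses the four
discovery frames (PADI, PADO, PADR, PADS) with their real on-the-wire layout and
models an access concentrator that issues an AC-Cookie so it keeps no per-client
state until a valid PADR arrives.  MAC addresses, the AC name, the Host-Uniq
value and the cookie key are constructed sample values.
"""
import hashlib
import hmac
import struct

ETH_DISCOVERY = 0x8863                      # EtherType of discovery-stage frames
BROADCAST = bytes.fromhex("ffffffffffff")
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7   # PADT: either side ends a session
TAG_END, TAG_SERVICE, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0103, 0x0104
# Ethernet payload (1500) minus PPPoE header (6) minus PPP protocol ID (2)
MAX_PPP_MRU = 1500 - 6 - 2


def build_frame(dst, src, code, session_id, tags):
    """Ethernet header + PPPoE header (VER=1, TYPE=1) + TLV tag list."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    pppoe = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return struct.pack("!6s6sH", dst, src, ETH_DISCOVERY) + pppoe + payload


def parse_frame(frame):
    """Return (dst, src, code, session_id, tags); reject malformed frames."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_DISCOVERY:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:
        raise ValueError("unsupported PPPoE VER/TYPE")
    body = frame[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated PPPoE payload")
    tags, pos = [], 0
    while pos + 4 <= len(body):
        tag, tlen = struct.unpack("!HH", body[pos:pos + 4])
        if tag == TAG_END:
            break
        if pos + 4 + tlen > len(body):
            raise ValueError("tag length exceeds payload")
        tags.append((tag, body[pos + 4:pos + 4 + tlen]))
        pos += 4 + tlen
    return dst, src, code, session_id, tags


class AccessConcentrator:
    """PPPoE server side (the aggregation router)."""

    def __init__(self, mac, name, cookie_key):
        self.mac, self.name, self.key = mac, name, cookie_key
        self.next_session = 1
        self.sessions = {}

    def cookie_for(self, client_mac):
        # The AC-Cookie is an HMAC over the client MAC (this example's choice):
        # the AC can answer any number of PADIs without remembering them and
        # still recognise a PADR that really follows one of its own PADOs.
        return hmac.new(self.key, client_mac, hashlib.sha256).digest()[:16]

    def handle(self, frame):
        dst, src, code, session_id, tags = parse_frame(frame)
        echo = [(t, v) for t, v in tags if t in (TAG_SERVICE, TAG_HOST_UNIQ)]
        if code == PADI and dst == BROADCAST and session_id == 0:
            offer = [(TAG_AC_NAME, self.name), (TAG_AC_COOKIE, self.cookie_for(src))]
            return build_frame(src, self.mac, PADO, 0, offer + echo)
        if code == PADR and dst == self.mac and session_id == 0:
            cookies = [v for t, v in tags if t == TAG_AC_COOKIE]
            if not cookies or not hmac.compare_digest(cookies[0], self.cookie_for(src)):
                return None                      # forged or replayed PADR: drop it
            session_id, self.next_session = self.next_session, self.next_session + 1
            self.sessions[session_id] = src
            return build_frame(src, self.mac, PADS, session_id, echo)
        return None                              # anything else is ignored


def run_discovery(client_mac, ac, host_uniq=b"sample-host-uniq"):
    """Client side: PADI -> PADO -> PADR -> PADS; returns (ac_mac, session_id)."""
    padi = build_frame(BROADCAST, client_mac, PADI, 0,
                       [(TAG_SERVICE, b""), (TAG_HOST_UNIQ, host_uniq)])
    _, ac_mac, code, _, tags = parse_frame(ac.handle(padi))
    if code != PADO or (TAG_HOST_UNIQ, host_uniq) not in tags:
        raise ValueError("PADO missing or not addressed to this host")
    cookie = dict(tags)[TAG_AC_COOKIE]           # returned unchanged, per RFC 2516
    padr = build_frame(ac_mac, client_mac, PADR, 0,
                       [(TAG_SERVICE, b""), (TAG_HOST_UNIQ, host_uniq), (TAG_AC_COOKIE, cookie)])
    _, _, code, session_id, _ = parse_frame(ac.handle(padr))
    if code != PADS or session_id == 0:
        raise ValueError("PADS missing or carries no session id")
    return ac_mac, session_id
```

A PADI that arrives unicast or a PADR whose cookie does not verify is dropped without a reply, which is what keeps a flood of PADIs from exhausting session state on the access concentrator; once PADS is received, the PPP LCP and IPCP negotiation that follows must keep the MRU at or below MAX_PPP_MRU.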
Data over ADSL: PPPoA
This topic describes PPPoA functionality.
Data over ADSL: PPPoA
• PPP session is from the CPE to the aggregation router.
• CPE receives an IP address via IPCP like the dial model.
PPPoA is a routed solution, unlike RFC 1483 Bridged and PPPoE, where the CPE is set up as a
bridge. With PPPoA, the CPE is routing the packets from the PC of the end user over ATM to
an aggregation router. The PPP session is established between the CPE and the aggregation
router. Unlike PPPoE, PPPoA does not require host-based software.
The CPE device must have a PPP username and password configured for authentication to the
aggregation router that terminates the PPP session from the CPE. The aggregation router that
authenticates the users can either use a local database on the aggregation router or a RADIUS
(AAA) Server. The PPPoA session authentication can be based on PAP or CHAP. After the
PPP username and password have been authenticated, IPCP negotiation takes place and the IP
address is assigned to the CPE. After the IP address has been assigned, a host route is
established both on the CPE and the aggregation router. The aggregation router must assign
only one IP address to the CPE, and the CPE can be configured as a DHCP server and use
NAT/PAT to support multiple hosts connected via Ethernet behind the CPE.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• ADSL provides faster downloading speed than
uploading speed.
• SDSL provides exactly the same downloading and
uploading speeds.
• ADSL is designed to co-exist with POTS because
there is a POTS splitter at the CO.
• The trade-off between different DSL types is reach
versus speed.
• The three common encapsulation methods are:
RFC1483/2684 Bridging, PPPoE, and PPPoA.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) DSL utilizes high transmission frequencies up to what limit?
A) 1 MHz
B) 2 MHz
C) 3 MHz

Q2) Which of the following DSL variants offers symmetric speed up to 2.3 Mbps and is an ITU standard?
A) IDSL
B) ADSL
C) SDSL
D) G.SHDSL

Q3) Which DSL variant offers the highest speed but the shortest reach?
A) VDSL
B) ADSL
C) IDSL
D) SDSL
E) G.SHDSL

Q4) The typical maximum distance limit for ADSL service is _____.
A) 18,000 feet
B) 22,000 feet
C) 30,000 feet
D) 5,000 feet

Q5) Which three of the following are ADSL modulation methods? (Choose three.)
A) CAP
B) DMT
C) G.lite
D) 2B1Q
Q6) ADSL is designed to coexist with POTS because _____.
A) the ADSL CPE combines voice and data signals
B) the DSLAM can be configured to separate the voice and data traffic
C) separate sets of transmission wires are used to transmit the voice and data traffic
D) a POTS splitter at the CO separates voice and data frequency

Q7) Which ADSL modulation method uses 250 subchannels that are 4 kHz each?
A) CAP
B) DMT
C) G.lite
D) 2B1Q

Q8) Which three of the following are among the advantages of bridging? (Choose three.)
A) The CPE in bridge mode acts as a dumb device.
B) IP address hijacking is possible in a bridge environment.
C) Bridging architecture is easy to install because of its simple nature.
D) Bridging is very simple to understand and implement because there are no complex issues about routing, authentication requirement for users, and so forth.

Q9) With the PPPoE client software running on the end-user PC, the PPP session is established between which two devices?
A) the end-user PC and the aggregation router
B) the ADSL CPE and the aggregation router
C) the end-user PC and the ADSL CPE
D) the ADSL CPE and the DSLAM

Q10) PPPoE is specified in _____.
A) RFC 2516
B) RFC 2545
C) RFC 2216
D) RFC 2534

Q11) When using PPPoE, the MTU should be set to what size?
A) 1492 bytes
B) 1500 bytes
C) 1508 bytes
D) 1518 bytes

Q12) PPP over ATM requires which two of the following? (Choose two.)
A) host-based software on the end-user PC
B) no host-based software on the end-user PC
C) the CPE to be set up as a bridge
D) the CPE to be set up as a router

Q13) With PPPoA, the PPP session is established between which two devices?
A) the end-user PC and the aggregation router
B) the ADSL CPE and the aggregation router
C) the end-user PC and the ADSL CPE
D) the ADSL CPE and the DSLAM
Quiz Answer Key
Q1) A (Relates to: DSL Features)
Q2) D (Relates to: DSL Types)
Q3) A (Relates to: DSL Limitations)
Q4) A (Relates to: DSL Limitations)
Q5) A, B, C (Relates to: ADSL)
Q6) D (Relates to: ADSL and POTS Coexistence)
Q7) B (Relates to: ADSL Channels and Encoding)
Q8) A, C, D (Relates to: Data over ADSL: Bridging)
Q9) A (Relates to: Data over ADSL: PPPoE)
Q10) A (Relates to: Data over ADSL: PPPoE)
Q11) A (Relates to: Data over ADSL: PPPoE)
Q12) B, D (Relates to: Data over ADSL: PPPoA)
Q13) B (Relates to: Data over ADSL: PPPoA)
Configuring the CPE as the PPPoE Client
Overview
PPPoE provides the ability to connect a network of hosts over a simple bridging access device
to an aggregation router. Normally, the end-user PC runs PPPoE client software to connect to
the DSL service. Instead of running the PPPoE client software on the end-user PC, the CPE can
be configured as the PPPoE client. This configuration allows multiple PCs behind the CPE to
connect to the DSL service using a single DSL connection and a single PPP username and
password. In this case, the CPE is configured for routing. This lesson discusses how to
configure the Cisco 827 router CPE as the PPPoE client.
Relevance
This lesson provides an overview of the configuration of a PPPoE client on the Cisco 827
router CPE.
Objectives
Upon completing this lesson, you will be able to:
List the tasks required to successfully configure a PPPoE client connection on a Cisco 827
router
List and explain the commands required to configure a PPPoE client on a Cisco 827 router
List and explain the commands required to enable a dynamic IP address to be assigned via
IPCP
List and explain the commands required to configure PAT to scale DSL operations
List and explain the commands required to configure DHCP to scale DSL operations
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Configuration of a Cisco 827 Router as the PPPoE Client
Configuration of PPPoE in a VPDN Group
Configuration of a PPPoE Client
Configuration of the PPPoE DSL Dialer Interface
Configuration of PAT
PAT Configuration Example
DHCP to Scale DSL
Configuration of a DHCP Server
Configuration of a Static Default Route
PPPoE Sample Configuration
Summary
Quiz
Configuration of a Cisco 827 Router as the
PPPoE Client
This topic describes the configuration tasks that are required to configure a Cisco 827 router as
the PPPoE client. Configuring DSL requires global and interface configuration commands.
Configuration Tasks:
Configuring the CPE as the PPPoE Client
• Configure a PPPoE virtual private dialup network (VPDN) group
• Configure the ATM Interface
• Configure a Dialer Interface
• Configure Port Address Translation
• Configure DHCP Server
• Configure a Static Default Route
Use the PPPoE DSL configuration tasks listed here in addition to dial-on-demand routing
(DDR)-derived commands.
1. Configure a PPPoE virtual private dialup network (VPDN) group.
2. Configure the ATM interface (ADSL interface) of the Cisco 827 router with an ATM PVC
and encapsulation.
3. Create and configure the dialer interface of the Cisco 827 for PPPoE with a negotiated IP
address and an MTU size of 1492.
4. Configure PAT on the Cisco 827 router to allow sharing of the dynamic public IP address
of the dialer interface.
5. Configure the Cisco 827 router to allow it to be the DHCP server for the end-user PCs
behind it.
6. Configure a static default route on the Cisco 827 router.
Configuration of PPPoE in a VPDN Group
This topic describes how to configure PPPoE in a VPDN group. VPDN is a Cisco standard that
enables a private network dial-in service to span remote access servers.
PPPoE VPDN Configuration
Router(config)#vpdn enable
• Enables VPDN on the router
Router(config)#vpdn-group name
• Creates a VPDN group and enters config-vpdn mode
Router(config-vpdn)#request-dialin
Router(config-vpdn-req-in)#protocol pppoe
• Creates a request-dialin VPDN subgroup and enables the subgroup to establish PPPoE sessions
VPDN permits networks to extend beyond the physical central network while giving remote
users the appearance and functionality of being directly connected to a central network.
To enable VPDN (and with it PPPoE) on the router, use the vpdn enable command in global
configuration mode. Next, use the vpdn-group name command in global configuration mode to
create a VPDN group and enter config-vpdn mode. Use the commands in the table to configure
the VPDN group parameters in config-vpdn mode.
VPDN Commands
Command          Description
request-dialin   Creates a request-dialin VPDN subgroup (the router originates sessions rather
                 than accepting them) and enters config-vpdn-req-in mode
protocol pppoe   Enables the VPDN subgroup to establish PPPoE sessions
Configuration of a PPPoE Client
This topic describes how to configure a PPPoE client. After the VPDN group has been defined,
the ATM interface must be configured.
PPPoE Client Configuration
Router(config)#interface atm number
• Configure the ATM interface
Router(config-if)#pvc vpi/vci
• Identify the VPI/VCI of the virtual circuit
Router(config-if-atm-vc)#pppoe-client dial-pool-number number
• Bind the PVC to a dialer pool, and so to a dialer profile
Configure the ATM interface (ADSL interface) of the Cisco 827 router with an ATM PVC and
encapsulation.
To configure a PPPoE client on an ATM interface, use the interface atm number command in
global configuration mode to enter interface configuration mode.
Next, specify the virtual path identifier/virtual channel identifier (VPI/VCI). A virtual path is a
logical grouping of virtual circuits (VCs) that allows an ATM switch to perform operations on
groups of VCs. A virtual channel describes a logical connection between the two ends of an
ATM VC. A PPPoE deployment offers no easy way to dynamically discover the PVC
(VPI/VCI) values. The DSL service provider will provide the VPI/VCI value to use in the
Cisco 827 router.
To configure the VPI/VCI, use the pvc vpi/vci command.
Note
ATM cells consist of five bytes of header information and 48 bytes of payload data. The VPI
and VCI fields in the ATM header are used to route cells through ATM networks. The VPI
and VCI fields of the cell header identify the next network segment that a cell must transmit
on its way to its final destination.
Next, configure the PPPoE client encapsulation and specify which dialer interface to use. The
pppoe-client dial-pool-number number command, entered under the PVC, sets the
encapsulation to PPPoE client and places the PVC in the dialer pool from which the dialer
interface (configured next) draws its physical member.
Finally, the ATM interface uses the dsl operating-mode auto command by default. Leave this
default in place: it allows the Cisco 827 router to detect automatically the modulation method
that the DSLAM uses.
Configuration of the PPPoE DSL Dialer Interface
This topic describes the commands that are required to configure a DSL dialer interface. After
the ATM interface has been configured, the dialer interface must be configured.
Configuring the PPPoE Dialer Interface
Use the commands in the table for PPPoE DSL dialer configuration.
Dialer Commands for DSL
Command                 Description
ip address negotiated
    Obtains a dynamic address from the service provider using IPCP. With IPCP, the DSL
    router negotiates a globally unique (registered or public) IP address for the dialer
    interface from the service provider aggregation router.
encapsulation ppp
    Specifies PPP encapsulation for the dialer interface.
dialer pool number
    Specifies the pool from which the dialer interface draws its physical member (the ATM
    PVC). The number must match the pppoe-client dial-pool-number configured on the PVC.
no cdp enable
    Stops Cisco Discovery Protocol (CDP) advertisements from going out the dialer interface.
    CDP announces the platform, software version, and addressing of the router, none of
    which the provider side needs to see.
ip mtu 1492
    Reduces the maximum IP packet size from 1500 to 1492 bytes. The PPPoE header (6 bytes)
    plus the PPP protocol ID (2 bytes) consume 8 bytes of the 1500-byte Ethernet payload,
    so without this setting full-size packets would have to be fragmented or would be
    dropped.
dialer-group number
    Configures the dialer group number that corresponds with a dialer list to identify
    interesting traffic.
Note: Unlike ISDN DDR configuration, DSL is always on. Therefore, a dialer list is not
required to identify interesting traffic.
Configuration of PAT
This topic describes how to configure addressing translations using PAT.
Configure PAT
Router(config)#ip nat inside source list 101 interface Dialer0 overload
• Enable dynamic translation of addresses using the assigned IP address of the Dialer0 interface
Router(config)#access-list 101 permit ip 10.0.0.0 0.255.255.255 any
• Specify the addresses that may be translated
Router(config-if)#ip nat inside
Router(config-if)#ip nat outside
• Mark the Ethernet interface as inside and the Dialer interface as outside
NAT overload, commonly referred to as PAT, and PPP/IPCP are popular techniques used to
conserve a limited supply of registered addresses. Using NAT overload means that one
registered IP address on the dialer interface serves Internet access for all devices in the
network.
PAT Configuration Example
This topic describes an example of configuring PAT.
PAT Configuration Example
The figure illustrates a sample PAT configuration on the Cisco 827 router.
The access list matches any source address in the 10.0.0.0/8 network (wildcard mask 0.255.255.255).
In this example, the Dialer0 interface is the outside interface, and the Ethernet0 interface is the
inside interface.
The 10.x.x.x source addresses will be translated using PAT to the Dialer0 IP address. The
Dialer0 interface receives its IP address from the service provider aggregation router using
IPCP.
DHCP to Scale DSL
This topic describes how to scale DSL.
Configure a DHCP Server
Router(config)#ip dhcp pool [pool name]
• Enable a DHCP pool for use by hosts
Router(dhcp-config)#import all
• Import DNS and WINS information from IPCP
Router(dhcp-config)#network [network address] [subnet mask]
• Specify the network and subnet mask of the pool
Router(dhcp-config)#default-router [host address]
• Specify the default router for the pool to use
The Cisco IOS DHCP Server feature is a full implementation that assigns and manages IP
addresses from specified address pools within the router to DHCP clients. After a DHCP client
has booted, the client begins sending packets to its default router. The IP address of the default
router should be on the same subnet as the client.
The Cisco IOS DHCP Server was enhanced to allow configuration information to be updated
automatically. Network administrators can configure one or more centralized DHCP servers to
update specific DHCP options within the DHCP pools. The remote servers can request or
“import” these option parameters from the centralized servers.
Configuration of a DHCP Server
This topic describes how to configure the Cisco 827 router as the DHCP server for the end-user
PCs behind the router Ethernet interface.
DHCP Server Configuration Example
To configure a DHCP address pool on a Cisco IOS DHCP Server and enter DHCP pool
configuration mode, use the ip dhcp pool name global configuration command.
To import DHCP option parameters into the Cisco IOS DHCP Server database, use the
import all DHCP pool configuration command. This example uses PPP IPCP.
To configure the subnet number and mask for a DHCP address pool on a Cisco IOS DHCP
Server, use the network network-number [mask | prefix-length] DHCP pool configuration
command.
To specify the default router list for a DHCP client, use the default-router address
[address2...address8] DHCP pool configuration command. Note that the DHCP server excludes
this address from the pool of assignable addresses.
The commands in the table here allow individual configuration of which DHCP option
parameters are requested.
ppp ipcp Commands
Command                 Description
ppp ipcp dns request    Requests the Domain Name System (DNS) server addresses from the peer
ppp ipcp wins request   Requests the Windows Internet Name Service (WINS) server addresses from the peer
Configuration of a Static Default Route
This topic describes how to configure a default static route.
Configuring a Static Default Route
Router(config)#ip route 0.0.0.0 0.0.0.0 dialer0
• The CPE can use a static default route to reach all remote destinations
Configure a static default route on the Cisco 827 router to allow the router to reach all unknown
destinations toward the dialer interface. In most DSL installations, the CPE will not be running
a dynamic routing protocol to the aggregation router of the service provider. Therefore, a static
default route is required on the Cisco 827 router.
When the PPPoE session has been established between the Cisco 827 router and the
aggregation router of the service provider, the dialer interface IP address is assigned from the
service provider aggregation router via IPCP. The service provider aggregation router will
automatically build a host route to reach the dialer interface of the Cisco 827 router.
PPPoE Sample Configuration
This topic describes an example of a complete PPPoE configuration.
PPPoE Sample Configuration
The sample shows the commands for configuring DHCP services and the commands for setting
up static default routing.
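The complete Cisco 827 PPPoE client configuration that the six tasks of this lesson produce, written out here as an added example; it is not the guide's own sample figure. The PVC 1/32, the CHAP username user@isp.example with password changeme, and the inside LAN 10.0.0.0/24 on Ethernet0 are assumed values to be replaced with those of the provider and the site.

```cisco
! Cisco 827 as PPPoE client: added example, not the guide's sample figure.
! Assumed values: PVC 1/32, CHAP user "user@isp.example" / "changeme",
! inside LAN 10.0.0.0/24 on Ethernet0. Replace with the provider's values.
!
! Task 1: VPDN group that lets the router originate PPPoE sessions
vpdn enable
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
! Inside LAN interface: the router is the DHCP server and the NAT inside side
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Task 2: ATM (ADSL) interface with the provider's PVC, bound to dialer pool 1
interface ATM0
 no ip address
 dsl operating-mode auto
 pvc 1/32
  pppoe-client dial-pool-number 1
!
! Task 3: dialer interface; negotiated address, MTU 1492, CHAP credentials
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname user@isp.example
 ppp chap password changeme
 ppp ipcp dns request
!
! Task 4: PAT; translate only the attached LAN, not the whole 10.0.0.0/8
ip nat inside source list 101 interface Dialer0 overload
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
!
! Task 5: DHCP server for the PCs; DNS addresses are imported from IPCP
ip dhcp excluded-address 10.0.0.1
ip dhcp pool LAN
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
!
! Task 6: static default route toward the PPPoE session
ip route 0.0.0.0 0.0.0.0 Dialer0
! interesting traffic for dialer-group 1 on Dialer0
dialer-list 1 protocol ip permit
```

The callin keyword on ppp authentication chap makes the CPE challenge only peers that call in, so it answers the challenge from the aggregation router without ever demanding that the provider authenticate itself. The NAT access list is scoped to the LAN subnet rather than the 10.0.0.0/8 of the slide so that only hosts on the attached Ethernet are translated. If the provider supports only PAP, the two ppp chap lines are replaced by ppp pap sent-username user@isp.example password changeme, at the cost of sending the password in cleartext. Either way the password sits in the running configuration (reversibly obscured at best with service password-encryption), so configuration backups need the same protection as the credential itself.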
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• Configuring DSL requires global and interface
configuration commands.
• In DSL, an ATM VCI/VPI pair must be configured to
match the service provider.
• After the ATM interface is configured, the dialer
interface must be configured.
• The Cisco 827 router performs PAT and serves as a DHCP server for the end-user PCs.
• A static default route is configured on the Cisco 827 router.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) When configuring a PPPoE client on the Cisco 827 router, on which interface is the MTU size set to 1492?
A) the Ethernet interface
B) the ATM interface
C) the serial interface
D) the dialer interface

Q2) Which PPPoE configuration command is used to establish PPPoE sessions?
A) request-dialin
B) protocol pppoe
C) enable vpdn
D) vpdn enable
E) vpdn-group name

Q3) Which ATM interface configuration command is used to set the VPI/VCI on a Cisco router?
A) encapsulation pvc 1/32
B) pvc 1/32
C) interface-dlci 1/32
D) vpi/vci 1/32

Q4) Which dialer interface command sets the maximum Ethernet payload size from 1500 to 1492?
A) mtu 1492
B) ip mtu 1492
C) 1492 mtu
D) no such command
Quiz Answer Key
Q1) D (Relates to: Configuration of a Cisco 827 Router as the PPPoE Client)
Q2) B (Relates to: Configuration of PPPoE in a VPDN Group)
Q3) B (Relates to: Configuration of a PPPoE Client)
Q4) B (Relates to: Configuration of the PPPoE DSL Dialer Interface)
Configuring DSL with PPPoA
Overview
DSL is an ideal solution for high bandwidth remote access to a central site.
Relevance
This lesson provides an overview of the concepts and configuration of PPPoA on a Cisco 827
router CPE.
Objectives
Upon completing this lesson, you will be able to:
List the tasks required to successfully configure a Cisco 827 router for PPPoA DSL
connection
List and explain the commands required to configure an ATM interface for PPPoA
List and explain the commands required to configure a dialer interface for PPPoA
operations
List and explain the commands required to configure PAT to scale DSL operations
List and explain the commands required to configure a DHCP server to scale DSL
operations
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Configuration of a PPPoA DSL Connection
DSL Modulation Configuration
Configuration of the DSL ATM Interface
Configuration of the DSL Dialer Interface
Configuration of PAT
PAT Configuration Example
DHCP to Scale DSL
Configuration of a Static Default Route
PPPoA Sample Configuration
Summary
Quiz
Configuration of a PPPoA DSL Connection
This topic provides a list of configuration tasks that are required to configure a PPPoA DSL
connection. Configuring DSL requires global and interface configuration commands.
Configuration Tasks for DSL
• Configure the ATM Interface
• Configure a Dialer Interface
• Configure Port Address Translation
• Configure DHCP
• Configure a Static Default Route
Use the tasks listed here in addition to DDR-derived commands to configure DSL:
1. Configure the ATM interface (ADSL interface) of the Cisco 827 router with an ATM PVC
and encapsulation. Specify the VPI/VCI that has been assigned by the service provider.
Assign the ATM PVC to a dialer pool.
2. Configure a dialer interface. Use IPCP IP address negotiation and PPP CHAP or PAP
authentication.
3. Configure PAT.
4. Configure DHCP. The Cisco 827 router can be the DHCP server for the end-user PCs.
5. Configure a static default route.
DSL Modulation Configuration
This topic describes the dsl operating-mode command. Selecting the correct DSL modulation
is crucial when configuring DSL.
DSL Modulation Configuration
Router(config)#interface atm 0
Router(config-if)#dsl operating-mode auto
• Permits the router to automatically determine the DSL modulation of the service provider.
• This is the default setting on the Cisco router.
Use the dsl operating-mode auto interface configuration command to specify that the router
will automatically detect the DSL modulation that the service provider is using and set the DSL
modulation to match.
An incompatible DSL modulation configuration can result in failure to establish a DSL
connection to the DSLAM of the service provider.
Configuration of the DSL ATM Interface
This topic lists and explains the command required to configure the ATM interface on the
Cisco 827 ADSL router. In DSL, an ATM VC must be configured to communicate with the
service provider.
Configure the DSL ATM Interface
Router(config-if)#pvc 1/32
• Create an ATM PVC for the router. NOTE: the PVC VPI/VCI must match the provider.
Router(config-atm-vc)#encapsulation aal5mux ppp dialer
• Use the encapsulation command to identify the Layer 2 encapsulation.
Router(config-atm-vc)#dialer pool-member 1
• Specify a dialer pool-member. NOTE: DSL only runs between the CPE and the DSLAM.
Use the pvc interface configuration command with the VPI/VCI to set the VPI/VCI that is used
by the DSL service provider, as shown in the table here. The VPI/VCI value on the Cisco 827
router must match the configuration of the service provider DSLAM. ATM uses the VPI/VCI to
identify an ATM VC.
pvc Commands
Command   Description
vpi       Virtual path identifier from the service provider
vci       Virtual channel identifier from the service provider
The encapsulation method must correspond with that configured on the aggregation router. The
table here shows the encapsulation commands.
Use the dialer pool-member command to specify which dialer interfaces may use the ATM
physical interface on the Cisco router.
Encapsulation Commands
Command                            Description
encapsulation aal5mux ppp dialer   Sets the encapsulation for PPPoA, which uses ATM adaptation
                                   layer 5 (AAL5) in mux mode
dialer pool-member                 Links the ATM interface to a dialer interface
Configuration of the DSL Dialer Interface
This topic lists and reviews the commands that are required for configuring the DSL dialer
interface. After the ATM interface has been configured, the dialer interface must be configured.
Configuring the DSL Dialer Interface
Use the commands in the table for DSL dialer configuration.
Dialer Commands for DSL
Command                 Description
ip address negotiated
    Obtains a dynamic address from the service provider aggregation router using IPCP. With
    IPCP, the DSL router negotiates a globally unique (registered or public) IP address for
    the dialer interface from the aggregation router of the service provider.
encapsulation ppp
    Specifies PPP encapsulation for the dialer interface.
dialer pool number
    Specifies the pool from which the dialer interface draws its physical member. Links the
    dialer interface to the ATM PVC configured with dialer pool-member of the same number.
no cdp enable
    Stops CDP advertisements (platform, software version, addressing) from going out the
    dialer interface toward the provider.
ppp chap hostname
    Specifies the hostname (username) sent for CHAP authentication.
ppp chap password
    Specifies the password used for CHAP authentication. It is kept in the configuration,
    so access to the configuration must be restricted accordingly.
Configuration of PAT
This topic describes how to configure address translations using PAT.
Configure PAT
Router(config)#ip nat inside source list 101 interface Dialer0 overload
• Enable dynamic translation of addresses using the assigned IP address of the Dialer0 interface.
Router(config)#access-list 101 permit ip 10.0.0.0 0.255.255.255 any
• Specify the addresses that may be translated.
Router(config-if)#ip nat inside
Router(config-if)#ip nat outside
• Establish the Ethernet interface as inside and the Dialer interface as outside.
NAT overload, commonly referred to as PAT, and PPP/IPCP are popular techniques that are
used to conserve a limited supply of registered addresses. Using NAT overload means that one
registered IP address on the dialer interface serves Internet access for all devices in the
network.
PAT Configuration Example
This topic describes an example for configuring PAT.
PAT Configuration Example
The figure illustrates a sample PAT configuration on the Cisco 827 router.
The access list matches any source address in the 10.0.0.0/8 network (wildcard mask 0.255.255.255).
In this example, the Dialer0 interface is the outside interface and the Ethernet0 interface is the
inside interface.
The 10.x.x.x source addresses will be translated using PAT to the Dialer0 IP address. The
Dialer0 interface receives its IP address from the service provider aggregation router using
IPCP.
DHCP to Scale DSL
This topic describes how to scale DSL with DHCP.
Using DHCP to Scale DSL
Router(config)#ip dhcp pool [pool name]
• Enable a DHCP pool for use by hosts
Router(dhcp-config)#import all
• Import DNS and WINS information from IPCP
Router(dhcp-config)#network [network address] [subnet mask]
• Specify the network and subnet mask of the pool
Router(dhcp-config)#default-router [host address]
• Specify the default router for the pool to use
The Cisco IOS DHCP Server feature is a full DHCP server implementation that assigns and
manages IP addresses from specified address pools within the router. After a DHCP client has
booted, the client begins sending packets to the default router. The IP address of the default
router should be on the same subnet as the client.
The Cisco IOS DHCP Server was enhanced to allow configuration information to be updated
automatically. Network administrators can configure one or more centralized DHCP servers to
update specific DHCP options within the DHCP pools. The remote servers can request, or
“import” these option parameters from the central servers.
Configuration of a Static Default Route
This topic describes how to configure a static default route.
Configuring a Static Default Route
Router(config)#ip route 0.0.0.0 0.0.0.0 dialer0
• The CPE can use a static default route to reach all remote destinations
Configuring a static default route on the Cisco 827 router allows the router to reach all
unknown destinations toward the dialer interface. In most DSL installations, the CPE will not
be running a dynamic routing protocol to the aggregation router of the service provider.
Therefore, a static default route is required on the Cisco 827 router.
When the PPP session has been established between the Cisco 827 router and the aggregation
router of the service provider, the dialer interface IP address is assigned from the aggregation
router of the service provider via IPCP. The aggregation router of the service provider will
automatically build a host route to reach the Cisco 827 router dialer interface.
PPPoA Sample Configuration
This topic describes an example of a PPPoA configuration.
PPPoA Sample Configuration
The sample shows an example of the commands that are used for configuring PPPoA.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• Configuring DSL requires global and interface
configuration commands.
• In DSL, an ATM VCI/VPI pair must be configured to
communicate with the service provider.
• Once the ATM interface is configured, the dialer
interface must be configured.
• The Cisco 827 router performs PAT and serves as
a DHCP server for the end-user PCs.
• A static default route is configured on the Cisco 827 router.
Quiz
Use the practice items here to review what you have learned in this lesson. The correct answers
follow in the Quiz Answer Key.
Q1) When configuring DSL on a Cisco router, where does the information for the correct VPI/VCI come from?
A) the DSL service provider
B) the DSL modem manufacturer
C) the local electronics retail store
D) can be any number that is locally assigned by the customer

Q2) Which Cisco router command is used to permit the DSL router to determine modulation automatically?
A) dsl modulation auto
B) dsl operating-mode auto
C) dsl hub-type auto
D) dsl dmt-type auto

Q3) Which ATM interface configuration command is used to set the encapsulation method to PPPoA?
A) encapsulation aal5mux ppp dialer
B) encapsulation ppp
C) encapsulation pppoa
D) encapsulation aal5 dialer pool-member 1

Q4) Which dialer interface configuration command is used to stop CDP advertisements on a Cisco router?
A) no cdp run
B) no cdp enable
C) no cdp adv
D) cdp disable
Quiz Answer Key
Q1) A (Relates to: Configuration of a PPPoA DSL Connection)
Q2) B (Relates to: DSL Modulation Configuration)
Q3) A (Relates to: Configuration of the DSL ATM Interface)
Q4) B (Relates to: Configuration of the DSL Dialer Interface)
Troubleshooting DSL
Overview
The lesson presents some common reasons why the ADSL connection might fail to be
established and describes how to repair the connection if it fails.
Relevance
This lesson provides an overview of troubleshooting methods for Layer 1 and Layer 2.
Objectives
Upon completing this lesson, you will be able to:
List the tasks required to troubleshoot Layer 1 (physical) issues
List the tasks required to troubleshoot Layer 2 (data link) issues
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Layer Troubleshooting
Layer 1 Issues
Administratively Down State for an ATM Interface
Correct Power Supply
Correct DSL Operating Mode
Layer 2 Issues
Data Received from the ISP
Proper PPP Negotiation
Summary
Quiz
Layer Troubleshooting
This topic describes the first troubleshooting step, determining which layer of the ADSL
service is failing. There could be many reasons why the DSL connection might not be
functioning properly.
Determining the Layer to Troubleshoot
• Showtime will appear after the DSL modem has trained.
© 2004 Cisco Systems, Inc. All rights reserved.
BCRAN v2.1—4-2
Failure can occur at Layer 1, Layer 2, or Layer 3. This topic focuses on Layer 1 and Layer 2.
To troubleshoot Layer 1 problems, you can use the show dsl interface atm 0 command to
verify that the Cisco 827 router is trained to the DSLAM. If the router is successfully trained to
the DSLAM, this command will also display the trained upstream and downstream speed in
kbps.
If training is successful, the problem could be a Layer 2 problem.
If training is not successful, as shown in the following sample output, you must continue
troubleshooting to isolate the Layer 1 problem.
827-1# sh dsl int atm 0
Line not activated: displaying cached data from last activation
Log file of training sequence:
<output omitted>
Layer 1 Issues
This topic describes the steps that are used to determine whether Layer 1 is the cause of the
problem.
Layer 1 Issues
• Is the Carrier Detect (CD) light on the front panel of the
Cisco 827 on or off?
– If the CD light is on, go to the Layer 2 Issues section of this
document.
– If the CD light is off, continue with the next question.
• Is your service provider using a DSLAM that supports the
Alcatel DSL chipset? Does the modulation match with what the
DSLAM is using?
– Verify this information with your service provider.
• Is the DSL (ATM) port on the back of the Cisco 827 plugged into
the wall jack?
– If the DSL (ATM) port is not plugged into the wall jack,
connect the port to the wall with a 4-pin or 6-pin RJ-11 cable.
This is a standard telephone cable.
If the ATM 0 interface status is down and down, the router is not seeing a carrier on the ADSL
line. To determine the ATM 0 interface status, issue the show interface atm 0 command from
enable mode of the router:
Router# show interface atm 0
ATM0 is down, line protocol is down
This message generally indicates one of two issues:
1. The active pins on the DSL wall jack may be incorrect.
2. The service provider may not be providing DSL service on this wall jack.
Determine whether the cable pinout is correct.
Cisco 827 Router xDSL Port Pinouts
Pin   Description
3     XDSL_Tip
4     XDSL_Ring
The RJ-11 connector provides an xDSL connection to external media via a standard RJ-11
6-pin modular jack. If the ATM interface is down and down, not just administratively down,
check the pinout of the DSL wall jack. The Cisco 827 router uses a standard RJ-11 cable to
provide the ADSL connection to the wall jack. The center pair of pins on the RJ-11 cable is
used to carry the ADSL signal (pins 3 and 4 on a 6-pin cable, or pins 2 and 3 on a 4-pin cable).
If the correct pins on the wall jack are being used, and the ATM 0 interface is still down and
down, replace the RJ-11 cable between the DSL port and the wall jack.
If the interface is still down and down after you have replaced the RJ-11 cable, contact the
service provider to verify that ADSL service has been enabled on the wall jack that is being
used.
Administratively Down State for an ATM Interface
This topic describes troubleshooting situations where the interface is down because of an
administrative action.
Is the ATM Interface in an Administratively
Down State?
To determine whether the ATM 0 interface is administratively down, issue the commands shown in
the figure in enable mode.
Correct Power Supply
This topic discusses checking for the correct power supply.
Is the Correct Power Supply Being Used?
• To determine the correct power supply, on the
back of the power adapter look for:
– Output +12V 0.1A, -12V 0.1A, +5V 3A, -24V 0.12A, and -71V 0.12A.
• If the power supply is missing the +12V and -12V
feeds, then it is for a different Cisco 800 series
router and will not work on the 827.
• Note that if using the wrong power supply, the
Cisco 827 will power up but will be unable to train
up (connect) to the ISP DSLAM.
If the DSL cable is good and the proper pinouts are being used, the next step is to make sure
that the correct power supply for the Cisco 827 router is being used.
Note
The Cisco 827 router does not use the same power supply as other Cisco 800 Series
routers.
Correct DSL Operating Mode
This topic describes determining whether the DSL operating mode is correct.
Is the DSL Operating Mode Correct?
• The command to configure operating-mode auto-detection, entered in
interface configuration mode, is dsl operating-mode auto.
• The default operating mode for DSL is AUTO.
If everything that was checked up to this point in the Layer 1 troubleshooting procedure is
correct, the next step is to make sure that the correct DSL operating mode is being used.
Cisco Systems recommends using the default dsl operating-mode auto command when the
DSL modulation being used by the service provider is unknown.
Layer 2 Issues
This topic discusses Layer 2 troubleshooting issues.
Layer 2 Issues
• The debug atm events command shows the VPI/VCI
values that the DSLAM expects.
Complete the following steps to determine whether the correct VPI/VCI values are configured
on the router.
Use the debug atm events command on the Cisco 827 router, and then go to a working Internet
connection and begin to ping the static IP address assigned by your ISP. It is important that the
ATM interface is up and up and that the IP address provided by the ISP is being pinged.
Contact the ISP for support if the ping test is not successful.
Verify the VPI/VCI values, and then make the necessary changes to the configuration. If there
is no output during 60 seconds of debugging, contact the ISP.
Note
Use the Router# undebug all command to turn off the debug events.
Data Received from the ISP
This topic describes determining whether data is being received from the ISP.
Is Data Being Received from the ISP?
If the correct VPI/VCI values are being used, the next step is to verify that data is being sent
and received on the ATM interface. Issue the show int atm0 command and check the input and
output packet counters.
If the packet counters are incrementing in both directions, the router is sending packets to and
receiving packets from the ISP; continue with the remaining troubleshooting steps in this
lesson.
Proper PPP Negotiation
This topic describes determining whether PPP is negotiating successfully.
Is PPP Negotiating Successfully?
There are four main points of failure in a PPP negotiation:
1. No response from the remote device (ISP)
2. LCP not open
3. PAP or CHAP authentication failure
4. IPCP failure
If Layer 1 is up and if the correct VPI/VCI is being used, the next step is to make sure that PPP
is coming up properly. Run a series of debug commands on the Cisco 827 router and interpret
the output. The primary debug command to use is the debug ppp negotiation command. The
output shown in the figure is an example of a successful PPP negotiation.
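The Layer 1 and Layer 2 checks above, from show interface atm 0 through debug ppp negotiation, can be driven from a script that reads the command output and reports which layer to troubleshoot. The following Python is an added example, not part of the Cisco courseware; its sample output strings are constructed and simplified rather than captured from a router, and the ppp_failure classifier keys only on the inbound/outbound packet markers and "State is Open" lines of the IOS debug.

```python
"""ADSL triage over Cisco 827 show/debug output, in the lesson's order.

Added example for this lesson, not Cisco courseware code. The sample output
at the bottom is constructed and simplified to the phrases the lesson relies
on (interface status, "Showtime", packet counters, PPP phases).
"""
import re
from typing import List, Tuple


def atm_status(show_interface: str) -> str:
    """First line of 'show interface atm 0' -> admin-down, down, proto-down or up."""
    first = show_interface.strip().splitlines()[0].lower()
    if "administratively down" in first:
        return "admin-down"
    if re.match(r"\S+ is up, line protocol is up", first):
        return "up"
    if re.match(r"\S+ is up, line protocol is down", first):
        return "proto-down"     # Layer 1 carrier present, Layer 2 not
    if re.match(r"\S+ is down", first):
        return "down"           # down/down: no carrier seen on the line
    return "unknown"


def dsl_trained(show_dsl: str) -> bool:
    """'Showtime' in 'show dsl interface atm 0' means the modem has trained."""
    return "showtime" in show_dsl.lower()


_PKT_RE = re.compile(r"(\d+)\s+packets\s+(input|output)")


def packet_counters(show_interface: str) -> Tuple[int, int]:
    """(packets input, packets output) read from 'show int atm0' text."""
    counts = {"input": 0, "output": 0}
    for num, direction in _PKT_RE.findall(show_interface):
        counts[direction] = int(num)
    return counts["input"], counts["output"]


def traffic_both_ways(before: str, after: str) -> bool:
    """True when both counters grew between two snapshots taken while pinging."""
    b_in, b_out = packet_counters(before)
    a_in, a_out = packet_counters(after)
    return a_in > b_in and a_out > b_out


def ppp_failure(debug_lines: List[str]) -> str:
    """Map 'debug ppp negotiation' lines onto the lesson's four failure points.

    IOS marks inbound packets 'I ' and outbound 'O '; if nothing inbound ever
    appears, the ISP never answered.
    """
    text = "\n".join(debug_lines)
    if not re.search(r"\bI (CONF|TERM|CHAL|RESP|SUCC|FAIL)", text):
        return "no response"
    if not re.search(r"LCP:.*State is Open", text):
        return "LCP not open"
    if re.search(r"(CHAP|PAP):.*FAIL", text):
        return "authentication failure"
    if not re.search(r"IPCP:.*State is Open", text):
        return "IPCP failure"
    return "ok"


def triage(show_if_before: str, show_dsl: str, show_if_after: str,
           debug_lines: List[str]) -> str:
    """Layer 1 checks first, then Layer 2, then hand off to Layer 3."""
    status = atm_status(show_if_before)
    if status == "admin-down":
        return "Layer 1: ATM0 administratively down; bring the interface up"
    if status == "down" or not dsl_trained(show_dsl):
        return ("Layer 1: no carrier or modem not trained; check wall-jack pinout "
                "(pins 3 and 4), RJ-11 cable, 827 power supply, dsl operating-mode")
    if status == "proto-down" or not traffic_both_ways(show_if_before, show_if_after):
        return "Layer 2: no two-way traffic; verify VPI/VCI with debug atm events"
    failure = ppp_failure(debug_lines)
    return "Layers 1 and 2 OK; continue at Layer 3" if failure == "ok" else "Layer 2: PPP " + failure


# Constructed, simplified sample output (not captured from a router).
SHOW_IF_DOWN = "ATM0 is down, line protocol is down\n"
SHOW_IF_UP_1 = "ATM0 is up, line protocol is up\n  120 packets input, 9000 bytes\n  95 packets output, 7000 bytes\n"
SHOW_IF_UP_2 = "ATM0 is up, line protocol is up\n  180 packets input, 13000 bytes\n  140 packets output, 9800 bytes\n"
SHOW_DSL_TRAINED = "Modem Status: Showtime\n"
SHOW_DSL_NOT = "Line not activated: displaying cached data from last activation\n"
PPP_AUTH_FAIL = ["Vi1 LCP: O CONFREQ [Closed] id 1 len 10",
                 "Vi1 LCP: I CONFACK [REQsent] id 1 len 10",
                 "Vi1 LCP: State is Open",
                 "Vi1 CHAP: I CHALLENGE id 1 len 28",
                 "Vi1 CHAP: O RESPONSE id 1 len 32",
                 "Vi1 CHAP: I FAILURE id 1 len 25"]
PPP_OK = PPP_AUTH_FAIL[:3] + ["Vi1 CHAP: I SUCCESS id 1 len 4",
                              "Vi1 IPCP: O CONFREQ [Closed] id 1 len 10",
                              "Vi1 IPCP: I CONFACK [REQsent] id 1 len 10",
                              "Vi1 IPCP: State is Open"]

if __name__ == "__main__":
    print(triage(SHOW_IF_UP_1, SHOW_DSL_TRAINED, SHOW_IF_UP_2, PPP_AUTH_FAIL))
```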
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• The first step in troubleshooting is to determine the layer to
troubleshoot.
• Layer 1 issues
– Is the ATM interface in an administratively down state?
– Is the correct power supply being used?
– Is the DSL operating mode correct?
• Layer 2 issues
– Is data being received from the ISP?
– Is PPP negotiating successfully?
– Are the PAP username and password correct?
– Are the CHAP username and password correct?
• Knowledge of troubleshooting show commands
Next Steps
For the associated lab exercise, refer to the following section of the course Lab Guide:
Lab Exercise 4-1: E-Lab: Simulation for Configuring a Cisco 827 Router for NAT with
PPPoA
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) If the CD LED on the front panel of the Cisco 827 router is off, at which layer should
you begin troubleshooting?
A) Layer 1
B) Layer 2
C) Layer 3
D) Layer 4
Q2) The Cisco 827 router uses which type of standard cable?
A) crossover
B) RJ-45
C) RJ-11 (4-pin or 6-pin)
D) RJ-31x
Q3) Routers in the Cisco 800 Series all use the same power supply.
A) true
B) false
Q4) When configuring operating mode autodetection, the router should be in which mode?
A) #
B) (config)#
C) configure terminal
D) (config-if)#
Q5) Which command is used to determine the VPI/VCI that the DSLAM expects?
A) show interface
B) debug atm events
C) show vlan
Q6) Use the show int atm0 command to check which type of packets?
A) input and output
B) input only
C) output only
Quiz Answer Key
Q1) A
Relates to: Layer 1 Issues
Q2) C
Relates to: Layer 1 Issues
Q3) B
Relates to: Correct Power Supply
Q4) D
Relates to: Correct DSL Operating Mode
Q5) B
Relates to: Layer 2 Issues
Q6) A
Relates to: Data Received from the ISP
Module 5
Virtual Private Networks
Overview
This module is an introduction to Virtual Private Network (VPN) concepts, processes, and
procedures that are available on Cisco IOS software-based router products.
The lessons in this module focus primarily on IPSec encryption and Internet Key Exchange
(IKE), although there is mention of other tunneling protocols and VPN alternatives. Procedures
and labs focus on router-based tasks. Other products such as the Cisco PIX Firewall, VPN
concentrator, and Unity VPN client are briefly mentioned.
Objectives
Upon completing this module, you will be able to:
Describe the fundamental concepts of VPNs and tunneling, and define commonly used
VPN terms
Describe the fundamental concepts and operations used in Cisco IOS cryptosystems for
encryption, authentication, and key management
Identify the main IPSec technologies and the major tasks necessary to configure IPSec on
Cisco routers
Verify proper IPSec and IKE configuration with available Cisco IOS commands
Outline
The module contains these lessons:
Identifying VPN Features
Identifying Cisco IOS Cryptosystem Features
Identifying IPSec Technologies
Task 1: Preparing for IKE and IPSec
Task 2: Configuring IKE
Task 3: Configuring IPSec
Task 4: Testing and Verifying IPSec
Identifying VPN Features
Overview
Virtual Private Networks (VPNs) provide the same secure site-to-site network connectivity for
remote users over the Internet as they would over a secure private network. Enabling this
secure connectivity requires policies and technologies for VPN cryptographic services to
support user authentication, data integrity, and encryption. This lesson provides a high-level,
conceptual overview of VPN alternatives, elements, and terms.
Relevance
This lesson helps the learner identify the various VPN alternatives, the network connectivity
supported by each, and the main terminology used. The lesson offers the learner a knowledge
baseline to use for understanding VPN and to set a foundation for more in-depth learning after
this lesson.
Objectives
Upon completing this lesson, you will be able to:
Define a VPN and describe its advantages over alternative WAN access technologies
Describe the functions performed by encryption and network tunnels
Describe the scenarios for using VPNs for remote access and site-to-site network traffic
Identify the main components, or attributes, of VPN implementations
Select the best VPN technology for providing network connectivity for VPN design
scenarios
Match key VPN terms with their definition or descriptions
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
VPN Features and Advantages
Tunneling and Encryption
VPN Usage Scenarios
VPN Technologies
VPN Protocols
VPN and IPSec Terms
Summary
Quiz
VPN Features and Advantages
This topic describes the basic functions and advantages of VPNs.
Virtual Private Networks
A VPN carries private traffic over a public network using
advanced encryption and tunnels to protect:
• Confidentiality of information
• Integrity of data
• Authentication of users
A VPN is defined as network connectivity deployed on a shared infrastructure with the same
policies and security as a private network.
A VPN is established between two end systems, or between two or more networks. A VPN can
be built using tunnels, encryption, or both, at essentially any layer of the OSI protocol stack. A
VPN is an alternative WAN infrastructure that replaces or augments existing private networks
that use leased lines or enterprise-owned Frame Relay or ATM networks.
VPNs provide three critical functions:
Confidentiality (encryption): The sender can encrypt the packets before transmitting them
across a network, thereby prohibiting anyone from eavesdropping on the communication. If
intercepted, the communication cannot be read.
Data integrity: The receiver can verify that the data was transmitted through the Internet
without being changed or altered in any way.
Origin authentication: The receiver can authenticate the source of the packet,
guaranteeing and certifying the source of the information.
Why Have VPNs?
Classic WAN                      VPN
• Higher cost                    • Lower cost
• Less flexible                  • More flexible
• WAN management                 • Simpler management
• Complex topologies             • Tunnel topology
VPNs offer many advantages over traditional, leased-line networks. The primary benefits
include the following:
Lower cost than private networks: Total cost of ownership is reduced through lower-cost
transport bandwidth, backbone equipment, and operations. Costs of LAN-to-LAN
connectivity are typically reduced by 20 to 40 percent over domestic leased-line networks;
cost reduction for remote access is in the range of 60 to 80 percent.
Flexibility for enabling the Internet economy: VPNs are inherently more flexible and
scalable network architectures than classic WANs, thereby enabling enterprises to quickly
and cost-effectively extend connectivity. In this way, VPNs can facilitate connection or
disconnection of remote offices, international locations, telecommuters, roaming mobile
users, and external business partners as business requirements demand.
Simplified management burdens: Enterprises may outsource some or all of their WAN
functions to a service provider, enabling the enterprises to focus on core business objectives
instead of managing a WAN or dial-access network.
Tunneled network topologies, thus reducing management burdens: Using an IP
backbone eliminates the static permanent virtual circuits (PVCs) associated with
connection-oriented protocols such as Frame Relay and ATM, thereby creating a fully meshed
network topology while actually decreasing network complexity and cost.
Virtual Private Networking
VPNs provide the greatest benefits of a private network, that is, privacy and the use of multiple
protocols. VPNs enable these benefits over the larger shared IP infrastructure of the Internet.
A virtual network is created through the ability to tunnel multiple protocols over a standard IP
connection. Generic routing encapsulation (GRE) and Layer 2 Tunneling Protocol (L2TP) are
two methods of tunneling. Both tunneling methods are configurable on Cisco routers. A third
method, IPSec, is also configurable on Cisco routers and is the key focus of this VPN module.
A private network is one that ensures Confidentiality, Integrity, and Authentication (CIA).
Encrypting traffic and using the IPSec protocol enables traffic to traverse the shared public
infrastructure with the same CIA as with a private network.
Tunneling and Encryption
VPNs allow the creation of private networks across the Internet, enabling tunneling or
encryption of TCP/IP (and non-TCP/IP) protocols. This topic describes tunneling and
encryption.
VPN Tunnels and Encryption
• A tunnel is a virtual point-to-point connection.
• The tunnel carries one protocol inside another protocol.
• Encryption transforms content information into ciphertext.
• Decryption restores content information from ciphertext.
The Internet has created new opportunities for companies to streamline business processes,
enter new markets, and work with partners and customers more effectively. At the same time, it
has also created a greater reliance on networks and a need to protect against a wide range of
security threats. The main function that a VPN offers for this protection is encryption through a
tunnel.
Tunnels provide logical, point-to-point connections across a connectionless IP network,
enabling application of advanced security features. Tunnels for VPN solutions employ
encryption to protect data from being viewed by unauthorized entities and to perform
multiprotocol encapsulation, if necessary. Encryption is applied to the tunneled connection to
scramble data, thus making data legible to authorized senders and receivers only.
Encryption ensures that messages cannot be read by anyone but the intended recipient. As more
information travels over public networks, the need for encrypting the information becomes
more important. Encryption transforms content information into a ciphertext that is meaningless
in its encrypted form. The decryption function restores the ciphertext back into content
information intended for the recipient.
VPN Usage Scenarios
This topic describes the variety of options for deploying VPNs with modern networking devices
and ecosystems. It also shows how VPN encryption and tunnels are used.
Use VPNs with a Variety of Devices
Networked VPN tunnels can carry encrypted data in four topologies:
From router to router: This is the focus of the BCRAN labs.
From one router to many other routers: Each tunnel is a point-to-point connection.
From PC to router or VPN concentrator: This option enables the mobility of network
transactions.
Router to firewall and PC to firewall: The firewall monitors traffic that crosses network
perimeters and imposes restrictions according to security policy.
The proliferation of the networked economy supported by these and other network devices has
spawned a fundamental change in how corporations conduct business. Corporate staff is no
longer defined by where they do their jobs as much as how well they perform their job
functions. Virtual Private Networking can be done from anywhere using routers, firewalls, or
dedicated VPN concentrators.
Competitive pressures in many industries have spawned alliances and partnerships among
enterprises, requiring separate corporations to act and function as one when facing customers.
Although such developments have increased productivity and profitability for many
corporations, they have also created new demands on the corporate network. Connectivity that
is focused solely on connecting fixed corporate sites—such as branch and regional offices
connected to the headquarters campus—is no longer sufficient connectivity for many
enterprises. In addition to these standard network connections, connectivity must focus on
business-to-business and business-to-customer connections within an expanding ecosystem.
Cisco VPN Solution Ecosystem
VPNs help remote users, such as telecommuters and external business partners, to access
enterprise computing resources. This access may use several service provider networks
accessing and traversing the Internet.
There may be firewalls operating that help to separate the internal network of an enterprise
from its extended external network and the Internet at large. The enterprise may offer a variety
of web services and network applications, including those that use Domain Name System
(DNS) and Simple Mail Transfer Protocol (SMTP).
The classic WAN must be extended to accommodate these new remote users. Consequently,
many enterprises are using VPNs that help to complement their existing classic WAN
infrastructure.
VPN solutions are organized into two main types:
Remote-access VPNs: Securely connect remote users, such as mobile users and
telecommuters, to the enterprise
Site-to-Site VPNs: Securely connect remote and branch offices to the enterprise (intranet
VPNs), and connect third parties, such as customers, suppliers, and business partners, to the
enterprise (extranet VPNs).
VPN—Types
• Remote-access
– Client-initiated
– Network access server
• Site-to-site
– Intranet
– Extranet
There are two types of remote-access VPNs:
Client-initiated: Remote users use clients to establish a secure tunnel across an ISP shared
network to the enterprise.
Network access server (NAS)-initiated: Remote users dial in to an Internet service
provider (ISP). The NAS establishes a secure tunnel to the enterprise private network that
might support multiple remote user-initiated sessions.
Site-to-site VPNs include two main types:
Intranet VPNs: Connect corporate headquarters, remote offices, and branch offices over a
public infrastructure.
Extranet VPNs: Link customers, suppliers, partners, or communities of interest to a
corporate intranet over a public infrastructure.
A more detailed description of the scenarios for these various VPN types will illustrate
solutions and benefits.
Remote-Access VPN Solutions
• VPN replacing toll and toll-free dial connectivity
Remote-access VPN solutions are targeted to mobile users and home telecommuters. In the
past, corporations supported remote users via dial-in networks, typically requiring a toll or
toll-free call to access the corporation. Remote-access VPNs are an extension of dial networks.
With the advent of VPNs, mobile users can make a local call to their ISP to access the
corporation via the Internet, regardless of their location.
Remote-access VPNs can terminate on headend devices such as Cisco routers, PIX Firewalls,
or VPN concentrators. Remote-access clients can include Cisco routers and VPN clients.
Site-to-Site VPN Solutions
• Extension of classic WAN
VPN site-to-site solutions can be used to connect corporate sites. In the past, a leased line or
Frame Relay connection was required to connect sites. Today, most corporations have Internet
access.
With Internet access, leased lines and Frame Relay lines can be replaced with site-to-site VPN
to provide the network connection. VPN can support company intranets and business partner or
customer extranets.
Site-to-site VPN is an extension of the classic WAN network. Site-to-site VPNs can be built
using Cisco routers, PIX Firewalls, and VPN concentrators.
VPN Technologies
This topic describes the main VPN technologies that are available and compares them to the
various Open System Interconnection (OSI) layers. The topic then focuses on the preferred
layer for selecting a VPN technology and the preferred choices at that layer.
Encryption at Several Layers
Various methods for VPN protection are implemented on different layers. Providing privacy
and other cryptographic services at the application layer was very popular in the past, and in
some situations is still done today. For example, Secure Shell Protocol (SSH) offers
Internet-based data security technologies and solutions, especially cryptography and
authentication products.
The Internet Engineering Task Force (IETF) has a standards-based protocol called Secure
Multipurpose Internet Mail Extensions (S/MIME) for VPN applications generated by a number
of communication system components (for example, message transfer agents, guards, and
gateways).
However, application-layer security is application-specific and protection methods must be
implemented anew in every application.
Some standardization has been successful at layer four (transport) of the OSI model, with
protocols such as Secure Socket Layer (SSL) providing privacy, authenticity, and integrity to
TCP-based applications. SSL is popular in modern e-commerce sites, but fails to address the
issues of flexibility, ease of implementation, and application independence.
Protection at lower levels of the OSI stack, especially the data-link layer, was also used in
communication systems of the past, as it provided protocol-independent protection on specific
untrusted links. However, data-link layer protection is expensive to deploy on a large scale
(every link must be protected separately), and because the data is exposed in the clear at each
intermediate station (router) between protected links, it still allows a “man-in-the-middle”
attack (hijacking of a network session) at those stations.
Because of the limitations discussed, layer three has become the most popular level on which to
apply cryptographic protection to network traffic.
Tunneling Protocols
When encryption is implemented at a given layer (Layer 1, for example), that layer and all
layers above it are automatically protected. Network-layer protection offers one of the most
flexible solutions, as it is media-independent and application-independent at the same time.
VPN Protocols
This topic describes a variety of network-layer technologies that are available to enable
tunneling of protocols through networks to create a VPN. The main focus of this topic is on
three of these technologies: Layer 2 Tunneling Protocol (L2TP), Cisco generic routing
encapsulation (GRE), and IPSec.
VPN Protocols
The figure describes three VPN tunneling protocols: L2TP, GRE, and IPSec.
L2TP
Prior to the L2TP standard (August 1999), Cisco used Layer 2 Forwarding (L2F) as its
proprietary tunneling protocol. L2TP is 100 percent backward-compatible with L2F. L2F is not
forward-compatible with L2TP.
L2TP, defined in RFC 2661, is a combination of Cisco L2F and Microsoft Point-to-Point
Tunneling Protocol (PPTP). Microsoft supports PPTP in its earlier versions of Windows, and
PPTP and L2TP in Windows NT and 2000.
L2TP is used to create a media-independent, multiprotocol virtual private dialup network
(VPDN). L2TP allows users to invoke corporate security policies across any VPN or VPDN
link as an extension of their internal networks.
L2TP does not provide encryption and can be monitored with a protocol analyzer.
GRE
This multiprotocol transport encapsulates IP, Connectionless Network Protocol (CLNP), and
any other protocol packets inside IP tunnels.
With GRE tunneling, a Cisco router at each site encapsulates protocol-specific packets in an IP
header, creating a virtual point-to-point link to Cisco routers at other ends of an IP cloud where
the IP header is stripped off.
By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP
tunneling allows network expansion across a single-protocol backbone environment. GRE
tunneling allows desktop protocols to take advantage of the enhanced route selection
capabilities of IP.
GRE does not provide encryption and can be monitored with a protocol analyzer.
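To show concretely that a GRE tunnel carries one protocol inside another without hiding it, here is an added Python example (not Cisco code) that builds and strips the RFC 2784 GRE header and the outer IPv4 header around a constructed inner IPv4/UDP packet. The tunnel endpoint addresses, inner addresses and payload are made up for the demonstration.

```python
"""GRE-in-IPv4 encapsulation and decapsulation (RFC 2784 base header, no options).

Added example for this topic, not Cisco code. The inner packet below is a
constructed IPv4/UDP datagram with a text payload; it is wrapped in a GRE
header plus an outer IPv4 header (protocol 47), unwrapped again, and shown
to travel unchanged and in the clear.
"""
import socket
import struct

GRE_PROTO = 47           # outer IPv4 protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an inner IPv4 packet


def ip_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); yields 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                    proto_type: int = ETHERTYPE_IPV4) -> bytes:
    """Outer IPv4 header + 4-byte GRE header (C=0, version 0) + inner packet."""
    gre = struct.pack("!HH", 0, proto_type)
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, 4 + len(inner)) + gre + inner


def gre_decapsulate(outer: bytes):
    """Validate the outer IPv4 and GRE headers; return (proto_type, inner packet)."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[0] >> 4 != 4 or ihl < 20 or ip_checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    if outer[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE (protocol %d)" % outer[9])
    flags_ver, proto_type = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    # With the C bit set, a 16-bit checksum and 16-bit reserved1 follow the base header.
    gre_len = 8 if flags_ver & 0x8000 else 4
    return proto_type, outer[ihl + gre_len:]


# Constructed inner packet: IPv4 10.1.1.10 -> 10.2.2.20, UDP 4000 -> 5000, text payload.
INNER_PAYLOAD = b"sales-report-q3"
UDP_SEGMENT = struct.pack("!HHHH", 4000, 5000, 8 + len(INNER_PAYLOAD), 0) + INNER_PAYLOAD
INNER_PACKET = ipv4_header("10.1.1.10", "10.2.2.20", 17, len(UDP_SEGMENT)) + UDP_SEGMENT


def roundtrip(inner: bytes = INNER_PACKET) -> bool:
    """Encapsulate between two (made-up) tunnel endpoints, decapsulate, compare."""
    outer = gre_encapsulate(inner, "203.0.113.1", "198.51.100.7")
    proto_type, recovered = gre_decapsulate(outer)
    return proto_type == ETHERTYPE_IPV4 and recovered == inner


def payload_visible(outer: bytes, marker: bytes) -> bool:
    """GRE adds no encryption: an analyzer on the path sees the marker bytes as-is."""
    return marker in outer
```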
IPSec
IPSec is the choice for secure corporate VPNs. IPSec is a framework of open standards that
provides data confidentiality, data integrity, and data authentication between participating
peers.
IPSec provides these security services using Internet Key Exchange (IKE) to handle negotiation
of protocols and algorithms based on local policy and to generate the encryption and
authentication keys to be used by IPSec.
Selecting a VPN Technology
Depending on your traffic needs, select the best VPN technology to provide network
connectivity.
The flow chart shows a process for selecting a network-layer VPN tunneling option that is
based on your VPN design scenarios.
Selecting Layer 3 VPN Tunnel Options
IPSec is the main option that is featured in this topic for securing enterprise VPNs.
Unfortunately, IPSec supports IP unicast traffic only. If IP unicast packets are being tunneled,
then a single encapsulation provided by IPSec is sufficient and much less complicated to
configure and troubleshoot.
For multiprotocol or IP multicast tunneling, you must use GRE or L2TP.
For network traffic that uses Microsoft networking, L2TP may be the best choice. Because of
its ties to PPP, L2TP may also be suited for remote-access VPNs that require multiprotocol
support.
GRE is best suited for site-to-site VPNs that require multiprotocol support. It is typically used
to tunnel multicast packets such as routing protocols. GRE encapsulates all traffic, regardless of
its source and destination.
Neither the L2TP nor the GRE tunneling protocol supports data encryption or packet integrity. For
these valuable functions, you must combine the protocol or protocols with IPSec. You can use
IPSec in combination with L2TP or GRE to provide IPSec encryption, as L2TP/IPSec or
GRE/IPSec.
VPN and IPSec Terms
This topic describes commonly used VPN and IPSec terms that will help you to make the best
use of VPN and IPSec protocols.
Identifying Key VPN Terms
• Tunnel
• Encryption and decryption
• Cryptosystem
• Hashing
• Authentication
• Authorization
• Key management
• CA—certification authority service
These terms define key components and elements that can be commonly used in VPNs:
Tunnel: A virtual point-to-point connection that is used in a network to carry traffic from
one protocol (for example, encrypted ciphertext) encapsulated inside another protocol (for
example, an IP packet).
Encryption and decryption: Encryption is the process of transforming information
content—called clear text or plain text—into a hidden form called ciphertext so that it will
not be readable by unauthorized users. Decryption transforms ciphertext back into clear or
plain text so that it is accessible for reading by authorized users.
Cryptosystem: A system to accomplish encryption and decryption, user authentication,
hashing, and key-exchange processes. A cryptosystem may use one of several different
methods, depending on the policy intended for various user traffic situations.
Hashing: A data integrity technology that uses a formula or algorithm to convert a
variable-length message and shared secret key into a single fixed-length string of digits, or
hash. The message, key, and hash traverse the network from source to destination. At the
destination, the recalculated hash is used to verify that the message and key have not
changed while traversing the network.
Authentication: The process of identifying a user or process attempting to access a
computer system or network connection. Authentication ensures that the individual or
process is who they claim to be. Authentication does not confer associated access rights.
Authorization: The process of giving authenticated individuals or processes access to a
computer system or network connection resources.
Key management: A key is information (usually a sequence of random or pseudorandom
binary digits) that is used initially to set up and then to periodically change the operations
that are performed in a cryptosystem. Key management is the supervision and control of
the process whereby keys are generated, stored, protected, transferred, loaded, used, and
destroyed.
Certification authority (CA) service: A third-party service that is trusted to help secure
the communications between network entities or users by creating and assigning digital
certificates (for example, public key certificates) for encryption purposes. A CA vouches
for the binding between the data security items in the certificate. Optionally, a CA creates
user encryption keys.
As the VPN of choice, IPSec uses a number of terms and acronyms, as noted here.
Identifying Key IPSec VPN Terms
• AH: Authentication Header
• ESP: Encapsulating Security Payload
• IKE: Internet Key Exchange
• ISAKMP: Internet Security Association and Key Management Protocol
• SA: security association
• AAA: authentication, authorization, and accounting
• TACACS+: Terminal Access Controller Access Control System Plus
• RADIUS: Remote Authentication Dial-In User Service
These terms define key protocols and elements that are components of IPSec:
Authentication Header (AH): A security protocol that provides data authentication, data
integrity, and optional anti-replay services. AH is embedded in the data to be protected (a
full IP datagram).
Encapsulating Security Payload (ESP): A security protocol that provides data
confidentiality, data integrity, protection services, optional data origin authentication, and
anti-replay services. ESP encapsulates the data to be protected.
IKE: A hybrid protocol that implements Oakley key exchange and Skeme key exchange
inside the ISAKMP framework. Oakley and Skeme each define a method to establish an
authenticated key exchange. This includes payload construction, the information payloads
carried, the order in which keys are processed, and how the keys are used.
Internet Security Association and Key Management Protocol (ISAKMP): A protocol
framework that defines payload formats, the mechanics of implementing a key exchange
protocol, and the negotiation of an SA.
Security association (SA): A policy and key or keys that are used to protect information.
The ISAKMP SA is the shared policy and key or keys that are used by the negotiating
peers in this protocol to protect their communication.
Authentication, authorization, and accounting (AAA): The network security services
that provide the primary framework through which you set up access control on your router
or access server. Two major protocols that support AAA are TACACS+ and RADIUS.
TACACS+: A security application that provides centralized validation of users attempting
to gain access to a router or network access server.
RADIUS: A distributed client-server system that secures networks against unauthorized
access.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• A VPN carries private user traffic over the Internet,
securing the traffic using encryption and tunneling.
• VPNs take advantage of cost, flexibility, management,
and topology benefits compared to legacy WAN
connections.
• Encryption converts clear text into ciphertext;
ciphertext traverses the VPN tunnel.
• Decryption converts ciphertext back into clear text.
• In VPN tunnels, one protocol carries traffic from
another protocol for a variety of VPN usage scenarios.
• Remote-access VPN types evolve and extend dialup;
Site-to-site VPN types extend classic WANs.
Summary (Cont.)
• VPN solutions at Layer 3 (the network layer) are recommended
over application-layer or data-link alternatives.
• L2TP is recommended for Microsoft Networks and traffic
that can use PPP capabilities.
• GRE is recommended for multi-protocol traffic and for
non-unicast traffic.
• IPSec, largely due to its encryption facilities, is the VPN of
choice and is recommended for unicast IP traffic.
• Combinations of IPSec with L2TP and GRE allow
maximum VPN flexibility but can be complex to set up and
manage.
• Knowing commonly used VPN and IPSec terms and
acronyms can help communication and simplify
additional learning.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which of the following is NOT a reason for using VPN?
A) VPNs provide secure communication over a public infrastructure.
B) VPNs reduce cost when compared to maintaining dedicated circuits.
C) VPNs allow users to shield information from others on the Internet.
D) VPNs allow communication at 20-40 percent faster rates than non-VPN connections.
Q2) Tunnels permit which two of the following? (Choose two.)
A) multiple protocols to cross an IP network
B) packet encryption to cross an IP network
C) packets to move faster through a congested network
D) overhead of packet size and process to be reduced
Q3) Which of the following devices can terminate a VPN connection?
A) Cisco firewall
B) Cisco router
C) Cisco VPN concentrator
D) all of the above
Q4) Which of the following is NOT a benefit of Layer 3 (IPSec) encryption?
A) Layer 3 encryption can be used independent of the type of application.
B) Layer 3 encryption hides the port number and the type of application being used.
C) Layer 3 encryption prevents intruders from seeing the addresses of the host conversations.
D) Layer 3 encryption is easily scalable.
Q5) A GRE or L2TP tunnel can be encapsulated within an IPSec tunnel to keep data private.
A) true
B) false
Q6) If a corporate network uses a multicast protocol, how can traffic be sent securely from a
corporate headquarters to a branch office?
A) Multicast protocols natively control security between offices.
B) A GRE tunnel will provide adequate security.
C) An L2TP tunnel will provide adequate security.
D) A GRE tunnel encapsulated in IPSec will provide adequate security.
Q7) A cryptosystem can best be defined as _____.
A) a method of enabling two devices to negotiate security protocols
B) the ability to use a substance like Kryptonite to weaken security
C) the system of securing traffic by using encryption
Quiz Answer Key
Q1) D (Relates to: VPN Features and Advantages)
Q2) A, B (Relates to: Tunneling and Encryption)
Q3) D (Relates to: VPN Usage Scenarios)
Q4) C (Relates to: VPN Technologies)
Q5) A (Relates to: VPN Technologies)
Q6) D (Relates to: VPN Technologies)
Q7) C (Relates to: VPN and IPSec Terms)
Identifying Cisco IOS Cryptosystem Features
Overview
The Cisco IOS cryptosystem, which performs encryption, authentication, and key management,
is a complex tool and supports many technologies.
Relevance
Understanding the cryptosystem is helpful in understanding encryption and key exchanges.
Objectives
Upon completing this lesson, you will be able to:
List the various encryptions, authentications, hash functions, and key management systems
used in cryptography
Describe the fundamentals of symmetric encryption (secret-key encryption)
Describe the fundamentals of asymmetric encryption (public-key encryption)
Identify the steps in a key exchange operation using the Diffie-Hellman algorithm
Describe the fundamentals of hashing, including the HMAC-MD5 and HMAC-SHA-1
hashing algorithms
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Cryptosystem Overview
Symmetric Encryption
Asymmetric Encryption
Key Exchange—Diffie-Hellman
Hashing
Summary
Quiz
Cryptosystem Overview
This topic describes encryptions, authentications, hash functions, and key management systems
that are used in cryptography.
Cryptosystem Overview
There are numerous encryption technologies that are available to provide confidentiality,
including Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption
Standard (AES). DES encrypts packet data with a 56-bit key. At its development in the 1970s,
DES was thought to be unbreakable. Today, supercomputers can crack DES encryption in a
few days. 3DES uses a double-length key (112 bits) and performs three DES operations in
sequence. 3DES is 256 times stronger than DES. AES currently specifies keys with a length of
128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits (all nine
combinations of key length and block length are possible). Cisco intends AES to be available
on all Cisco products that currently have IPSec DES and 3DES functionality, such as Cisco
IOS routers, Cisco Secure PIX Firewalls, Cisco VPN concentrators, and Cisco VPN clients.
Many standards have emerged to protect the secrecy of keys and to facilitate the changing of
these keys. Diffie-Hellman implements key exchange without exchanging the actual keys. This
is the most well-known and widely used algorithm for establishing session keys to encrypt data.
Note
Cisco IOS images with strong encryption are subject to United States government export
controls and have a limited distribution. Please check license availability before installing an
encryption technology. This course uses the less powerful DES rather than 3DES due to
more flexible export restrictions.
Rivest, Shamir, and Adleman (RSA) is the public-key cryptographic system developed by Ron
Rivest, Adi Shamir, and Leonard Adleman. RSA signatures provide nonrepudiation, while
RSA-encrypted nonces (randomly generated values) provide repudiation. There are several
technologies that provide authentication, including message digest algorithm 5 (MD5) and
Secure Hash Algorithm (SHA).
Symmetric Encryption
This topic describes the fundamentals of symmetric encryption (secret-key encryption).
Symmetric Encryption
• Encryption turns clear text into ciphertext
• Decryption restores clear text from ciphertext
• Keys enable encryption and decryption
The figure shows symmetric encryption, also known as secret-key encryption. It is used for
large volumes of data. During the data exchange, the keys may change several times.
Asymmetric encryption, or public-key encryption such as RSA, is several times more
CPU-intensive, so it is usually used only for key exchanges.
With block ciphers, it is possible to further guarantee the integrity of the data received by using
feedback. The Cisco encryption algorithm incorporates cipher feedback (CFB), which does an
Exclusive-OR of the plain text data with each block of encrypted data. CFB provides a means
to verify that all data was received as transmitted.
The most important feature of a cryptographic algorithm is its security against being
compromised. The security of a cryptosystem, or the degree of difficulty for an attacker to
determine the contents of the ciphertext, is the function of a few variables. In most protocols,
the cornerstone to security lies in the secrecy of the key used to encrypt data. The DES
algorithm is built so that it is too difficult for anyone to be able to determine the clear text
without having this key. In any cryptosystem, great lengths are taken to protect the secrecy of
the encryption key.
DES is one of the most widely used symmetric encryption standards. DES turns clear text into
ciphertext via an encryption algorithm. The decryption algorithm on the remote end restores
clear text from ciphertext. Keys enable the encryption and decryption. DES operates on 64-bit
message blocks: the algorithm uses a series of steps to transform 64-bit input into 64-bit
output. In its standard form, the algorithm uses 64-bit keys, of which 56 bits are chosen
randomly. The remaining eight bits are parity bits, one for each seven-bit block of the 56-bit
random value.
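The 56-to-64-bit key layout just described, as an added example that is not part of the course material: seven random bytes are expanded into eight key bytes, each carrying seven key bits and one odd-parity bit in the low-order position as FIPS 46 specifies, and a check function confirms a key's parity before use.

```python
"""Expanding 56 random bits into the 64-bit DES key format with parity bits.

Added example, not from the BCRAN course. Per FIPS 46, each key byte holds
seven key bits in its high-order positions and an odd-parity bit in its
low-order position, which is the layout the text above describes.
"""
import secrets


def _odd_parity_byte(seven_bits: int) -> int:
    """Put seven key bits in the top of a byte and set the low bit so the byte has odd parity."""
    b = (seven_bits & 0x7F) << 1
    ones = bin(b).count("1")
    return b | (0 if ones % 2 == 1 else 1)


def expand_des_key(random56: bytes) -> bytes:
    """Turn 7 bytes (56 random bits) into an 8-byte DES key with parity bits.

    The 56 bits are read as one big-endian integer and consumed seven at a
    time, most significant group first.
    """
    if len(random56) != 7:
        raise ValueError("need exactly 7 bytes (56 bits) of key material")
    value = int.from_bytes(random56, "big")
    out = bytearray()
    for i in range(8):
        shift = 7 * (7 - i)
        out.append(_odd_parity_byte((value >> shift) & 0x7F))
    return bytes(out)


def des_key_has_valid_parity(key: bytes) -> bool:
    """Check that every byte of an 8-byte DES key has odd parity."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def strip_parity(key: bytes) -> bytes:
    """Recover the 56 key bits (7 bytes) from an 8-byte DES key, discarding parity."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value.to_bytes(7, "big")


def generate_des_key() -> bytes:
    """Generate a fresh DES key: 56 random bits plus computed parity bits."""
    return expand_des_key(secrets.token_bytes(7))


if __name__ == "__main__":
    k = generate_des_key()
    print(k.hex(), des_key_has_valid_parity(k))
```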
3DES is an alternative to DES that preserves the existing investment in software but makes a
brute-force attack more difficult. 3DES takes a 64-bit block of data and performs the operations
of encrypt, decrypt, and encrypt. 3DES can use one, two, or three different keys. The advantage
of using one key is that, with the exception of the additional processing time that is required,
3DES with one key is the same as standard DES (for backward compatibility). Although DES
and 3DES algorithms are in the public domain and freely available, 3DES software is
controlled by United States export laws.
Asymmetric Encryption
This topic describes the fundamentals of asymmetric encryption (public-key encryption).
Asymmetric Encryption
• Private key is known only to receiver.
• Public key is known to public.
• Public key distribution not a secret operation.
Asymmetric encryption is often referred to as public-key encryption. It can use either the same
algorithm to encrypt and decrypt data, or different but complementary algorithms. Two
different, but related, key values are required: a public key and a private key. For example, if
Alice and Bob want to communicate using public-key encryption, both need a public-key and
private-key pair. Alice has to create her public-key and private-key pair, and Bob has to create
his own public-key and private-key pair. When communicating with each other securely, Alice
and Bob use different keys to encrypt and decrypt data.
Although the mechanisms that are used to generate these public and private key pairs are
complex, they result in the generation of two very large random numbers, one of which
becomes the public key and the other the private key. Because these numbers must adhere to
stringent mathematical criteria to preserve the uniqueness of each public and private key pair,
generating these numbers is processor-intensive. Public-key encryption algorithms are rarely
used for data confidentiality because of their performance constraints, but instead are typically
used in applications involving authentication that uses digital signatures and key management.
Two common public-key algorithms are the RSA algorithm and the El Gamal algorithm.
Key Exchange—Diffie-Hellman
This topic describes the steps in a key exchange operation using the Diffie-Hellman algorithm.
Key Exchange—Diffie-Hellman Overview
One of the most important aspects of creating a secure VPN involves exchanging the keys. The
Diffie-Hellman algorithm provides a way for two parties, Router A and Router B in the figure,
to establish a shared secret key that only they know, even though they are communicating over
an insecure channel.
This secret key is then used to encrypt data using their favorite secret-key encryption algorithm.
Two numbers, “p” (a prime) and “g” (a number less than “p” but with some restrictions), are
shared.
Router A and Router B each create a large random number that is kept secret, “XA” and
“XB.” The Diffie-Hellman algorithm is now performed, whereby both Router A and Router B
carry out some computations and exchange results.
The final exchange results in a common value “K.” Anyone who knows “p” or “g” cannot
guess or easily calculate the shared secret value—largely because of the difficulty in factoring
large prime numbers.
It is important to note that a means for knowing with whom the key is established has not yet
been created, so the exchange is subject to a “man-in-the-middle” attack (hijacking a network
session between the source and destination). Diffie-Hellman provides for confidentiality but not
for authentication. Authentication is achieved via the use of digital signatures in the
Diffie-Hellman message exchanges.
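The exchange described above, worked through in code as an added example that is not part of the course: “p” and “g” are public, “XA” and “XB” are each router's secret, the values exchanged on the wire are g^X mod p, and both sides arrive at the same “K”. The prime used is a constructed demonstration value rather than an IKE group, and deriving a cipher key from K with SHA-256 is an assumption made here for illustration.

```python
"""Diffie-Hellman key agreement between Router A and Router B, using the
symbols from the text: p, g, XA, XB and the common value K.

Added example, not course material. p = 2**127 - 1 (a Mersenne prime) is a
constructed value chosen only to keep the example fast; real IPSec peers use
the standardised IKE Diffie-Hellman groups of 1024 bits and more.
"""
import hashlib
import secrets

P = 2**127 - 1   # public prime, shared in the clear
G = 5            # public base, a number less than p


def make_private(p: int = P) -> int:
    """Each router creates a large random number X that it keeps secret (1 < X < p-1)."""
    return secrets.randbelow(p - 3) + 2


def make_public(x: int, p: int = P, g: int = G) -> int:
    """The value a router sends to its peer: Y = g^X mod p."""
    return pow(g, x, p)


def shared_secret(peer_public: int, x: int, p: int = P) -> int:
    """K = Y_peer^X mod p, computed from the peer's public value and our own secret X."""
    if not 1 < peer_public < p - 1:
        # Reject degenerate public values (0, 1, p-1) that would force K into a tiny set.
        raise ValueError("peer public value out of range")
    return pow(peer_public, x, p)


def session_key(k: int) -> bytes:
    """Derive a 128-bit key for the secret-key cipher from K.

    Assumption for this example only: IKE uses its own PRF-based derivation.
    """
    k_bytes = k.to_bytes((k.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(k_bytes).digest()[:16]


def run_exchange(p: int = P, g: int = G):
    """Carry out the full exchange; returns (YA, YB, K as seen by A, K as seen by B)."""
    xa, xb = make_private(p), make_private(p)          # secrets never leave each router
    ya, yb = make_public(xa, p, g), make_public(xb, p, g)  # these two values cross the wire
    ka = shared_secret(yb, xa, p)                        # Router A computes K
    kb = shared_secret(ya, xb, p)                        # Router B computes K
    return ya, yb, ka, kb


if __name__ == "__main__":
    ya, yb, ka, kb = run_exchange()
    print("YA =", ya, "\nYB =", yb, "\nK matches:", ka == kb)
```

An observer sees only p, g, YA and YB; with the small textbook parameters p=23, g=5, XA=6, XB=15 the wire carries 8 and 19 and both routers compute K=2.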
Hashing
This topic describes the fundamentals of hashing, including the Hash-based Message
Authentication Code (HMAC)-MD5 and HMAC-SHA-1 hashing algorithms.
Hashing
Hashing guarantees the integrity of the message. At the local end, the message and a shared
secret key are sent through a hash algorithm, which produces a hash value. Basically, a hash
algorithm is a formula that is used to convert a variable-length message into a single string of
fixed-length digits. It is a one-way algorithm. A message can produce a hash but a hash cannot
produce the original message. It is analogous to dropping a plate on the floor. The plate can
produce a multitude of pieces, but the pieces cannot be recombined to reproduce the plate in its
original form. The message and hash are sent over the network.
At the remote end, there is a two-step process. First, the received message and shared secret key
are sent through the hash algorithm, resulting in a recalculated hash value. Second, the receiver
compares the recalculated hash with the hash that was attached to the message. If the original
hash and the recalculated hash match, the integrity of the message is guaranteed. If any part of
the original message is changed while in transit, the hash values are different.
There are two common hashing algorithms:
HMAC-MD5: Uses a 128-bit shared secret key. The variable-length message and 128-bit
shared secret key are combined and run through the HMAC-MD5 hash algorithm. The
output is a 128-bit hash. The hash is appended to the original message and forwarded to the
remote end.
HMAC-SHA-1: Uses a 160-bit secret key. The variable-length message and the 160-bit
shared secret key are combined and run through the HMAC-SHA-1 hash algorithm. The
output is a 160-bit hash. The hash is appended to the original message and forwarded to the
remote end.
HMAC-SHA-1 is considered cryptographically stronger than HMAC-MD5.
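The two-step receiver check described above, as an added example that is not from the course: the local end appends the keyed hash, the remote end recalculates it with the shared secret key and compares, and a single flipped bit or a wrong key makes the comparison fail. Python's standard hmac module supplies HMAC-MD5 and HMAC-SHA-1; the keys and message are constructed sample values.

```python
"""Keyed hashing for message integrity: HMAC-MD5 (128-bit output) and
HMAC-SHA-1 (160-bit output), sender and receiver sides.

Added example, not course material. Keys and sample message are constructed.
"""
import hashlib
import hmac

ALGORITHMS = {"HMAC-MD5": hashlib.md5, "HMAC-SHA-1": hashlib.sha1}

# Constructed demonstration keys: 128 bits for HMAC-MD5, 160 bits for HMAC-SHA-1.
KEYS = {
    "HMAC-MD5": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "HMAC-SHA-1": bytes.fromhex("0123456789abcdef0123456789abcdef01234567"),
}
SAMPLE = b"Router A -> Router B: route 10.1.0.0/16 via 192.0.2.1"  # constructed


def compute_hash(message: bytes, key: bytes, algorithm: str) -> bytes:
    """Run message and shared secret key through the keyed hash.

    Returns 16 bytes (128 bits) for HMAC-MD5, 20 bytes (160 bits) for HMAC-SHA-1.
    """
    return hmac.new(key, message, ALGORITHMS[algorithm]).digest()


def send(message: bytes, key: bytes, algorithm: str) -> bytes:
    """Local end: append the hash to the original message before forwarding."""
    return message + compute_hash(message, key, algorithm)


def receive(packet: bytes, key: bytes, algorithm: str):
    """Remote end: split off the hash, recalculate it over the received message with
    the shared key, and compare. Returns (message, integrity_ok)."""
    size = ALGORITHMS[algorithm]().digest_size
    if len(packet) < size:
        return b"", False
    message, received_hash = packet[:-size], packet[-size:]
    recalculated = compute_hash(message, key, algorithm)
    # Constant-time comparison so timing does not reveal where the hashes diverge.
    return message, hmac.compare_digest(recalculated, received_hash)


def demo(algorithm: str = "HMAC-SHA-1"):
    """Returns (intact_ok, altered_in_transit_ok, wrong_key_ok)."""
    key = KEYS[algorithm]
    packet = send(SAMPLE, key, algorithm)
    _, ok = receive(packet, key, algorithm)

    # One bit changed in transit: the recalculated hash no longer matches.
    tampered = bytearray(packet)
    tampered[0] ^= 0x01
    _, ok_after_change = receive(bytes(tampered), key, algorithm)

    # A party without the shared secret cannot produce a matching hash either.
    _, ok_wrong_key = receive(packet, b"\x00" * len(key), algorithm)
    return ok, ok_after_change, ok_wrong_key


if __name__ == "__main__":
    for name in ALGORITHMS:
        print(name, len(compute_hash(SAMPLE, KEYS[name], name)) * 8, "bit hash", demo(name))
```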
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• In symmetric encryption, clear text is turned into
ciphertext, and then decrypted back into clear text, by
use of keys.
• Asymmetric encryption uses either the same algorithm,
or different but complementary algorithms, to scramble
and unscramble data.
• The Diffie-Hellman algorithm provides a way for two
parties to establish a shared secret key that only they
know, while communicating over an insecure channel.
• A hash algorithm is a formula used to convert a
variable-length message into a single string of digits of
a fixed length.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which technology can provide authentication?
A) DES
B) Digital Signatures
C) Diffie-Hellman
D) RSA
Q2) Symmetric encryption requires that the same key be used during encryption and
decryption.
A) true
B) false
Q3) Which of the following is a form of asymmetric encryption?
A) shared secret
B) RSA
C) SHA
D) MD5
Q4) Diffie-Hellman provides for confidentiality and authentication.
A) true
B) false
Q5) What is the key size difference between HMAC-MD5 and HMAC-SHA-1?
A) HMAC-MD5 = 64 bit, HMAC-SHA-1 = 128 bit
B) HMAC-MD5 = 128 bit, HMAC-SHA-1 = 160 bit
C) HMAC-MD5 = 160 bit, HMAC-SHA-1 = 128 bit
D) HMAC-MD5 = 128 bit, HMAC-SHA-1 = 64 bit
Quiz Answer Key
Q1) B (Relates to: Cryptosystem Overview)
Q2) A (Relates to: Symmetric Encryption)
Q3) B (Relates to: Asymmetric Encryption)
Q4) B (Relates to: Key Exchange—Diffie-Hellman)
Q5) B (Relates to: Hashing)
Identifying IPSec Technologies
Overview
IPSec is a set of security protocols and algorithms that are used to secure data at the network
layer. Prior to the IPSec standard, Cisco implemented its proprietary Cisco Encryption
Technology (CET) to provide protection at the packet level.
IPSec consists of two protocols and two protection modes. The first protocol is ESP, which
encapsulates the data but does not provide protection to the outer headers. ESP encrypts the
payload for data confidentiality, authenticity, and integrity. The second protocol is AH, which
verifies the authenticity and integrity of the IP datagram by including a keyed MAC in the
header.
Relevance
IPSec and the underlying protocols are important for establishing SAs as a way to secure all
confidential communications running through insecure public networks.
Objectives
Upon completing this lesson, you will be able to:
Describe the fundamentals of IPSec
List the differences in how the ESP and AH are applied using transport mode and tunnel
mode
Describe the concepts of SAs
List the five steps of IPSec operation
Describe how IKE enhances IPSec
Describe the IPSec process using SAs and CAs
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
IPSec
Tunnel vs. Transport Mode
Security Associations
Five Steps to IPSec
IPSec and IKE Relationship
IKE and IPSec Flowchart
Tasks to Configure IPSec
Summary
Quiz
IPSec
This topic describes the fundamentals of IPSec.
IPSec—Interoperable Encryption and Authentication
The IPSec feature is supported across Cisco IOS-based 1600, 2x00, 36x0, 4x00, 5x00, and 7x00
platforms using Cisco IOS Software Release 12.0(x), Cisco PIX Firewalls, and VPN Client and
Concentrators.
RFC 2401 describes the general framework for this architecture. Like all security mechanisms,
RFC 2401 helps to enforce a security policy. The policy defines the need for security on
various connections—these will be IP sessions. The framework provides data integrity,
authentication, and confidentiality, in addition to security association and key management.
Authentication Header
The IP AH is used to provide connectionless integrity and data origin authentication for IP
datagrams, and to provide protection against replays. The receiver can elect protection against
replays when a security association is established. Although the default calls for the sender to
increment the sequence number that is used for anti-replay, the service is effective only if the
receiver checks the sequence number. AH, defined in RFC 2402, provides authentication for as
much of the IP header as possible, in addition to upper-level protocol data. However, some IP
header fields may change in transit and the value of these fields, when the packet arrives at the
receiver, may not be predictable by the sender. The values of such fields cannot be protected by
AH. Thus, the protection provided to the IP header by AH is limited.
AH may be applied alone, in combination with the IP ESP, or in a nested fashion through the
use of tunnel mode. Security services can be provided between a pair of communicating hosts,
between a pair of communicating security gateways, or between a security gateway and a host.
ESP may be used to provide the same security services, and it also provides a confidentiality
(encryption) service. The primary difference between the authentication services provided by
ESP and AH is the extent of the coverage. Specifically, ESP does not protect any IP header
fields unless they are encapsulated by ESP (tunnel mode).
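The limited header coverage described above, shown as an added example that is not course material: the receiver's integrity check passes after a router on the path decrements TTL (one of the fields RFC 2402 treats as mutable and zeroes before computing the keyed MAC, together with ToS, Flags, Fragment Offset and Header Checksum) but fails when an address or the payload is altered. The MAC is HMAC-SHA-1 truncated to 96 bits as RFC 2404 specifies for AH; the header, key and payload are constructed sample values, and the AH header itself is omitted.

```python
"""What AH's keyed integrity check does and does not cover in an IPv4 header.

Added example, not course material. Mutable fields per RFC 2402 (ToS, Flags,
Fragment Offset, TTL, Header Checksum) are zeroed before the MAC is computed;
everything else in the header, plus the upper-layer data, is protected.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-for-real-use"     # constructed sample key
PAYLOAD = b"TCP segment (constructed sample payload)"  # constructed sample data


def build_ipv4_header(src: str, dst: str, ttl: int, total_length: int, proto: int = 51) -> bytearray:
    """Minimal 20-byte IPv4 header; checksum left zero since it is mutable anyway."""
    def ip(addr: str) -> bytes:
        return bytes(int(o) for o in addr.split("."))
    return bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0x4000,
                                 ttl, proto, 0, ip(src), ip(dst)))


def mutable_fields_zeroed(header: bytes) -> bytes:
    """Copy of the header with the RFC 2402 mutable fields set to zero."""
    h = bytearray(header)
    h[1] = 0                 # ToS
    h[6:8] = b"\x00\x00"     # Flags + Fragment Offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # Header Checksum
    return bytes(h)


def ah_icv(header: bytes, payload: bytes, key: bytes) -> bytes:
    """Integrity Check Value over the immutable header fields plus upper-layer data,
    HMAC-SHA-1 truncated to 96 bits (12 bytes) as RFC 2404 specifies for AH."""
    return hmac.new(key, mutable_fields_zeroed(header) + payload, hashlib.sha1).digest()[:12]


def verify(header: bytes, payload: bytes, key: bytes, icv: bytes) -> bool:
    """Receiver recomputes the ICV the same way and compares in constant time."""
    return hmac.compare_digest(ah_icv(header, payload, key), icv)


def demo():
    """Returns (ttl_decremented_ok, destination_rewritten_ok, payload_altered_ok)."""
    hdr = bytes(build_ipv4_header("192.0.2.1", "198.51.100.7", ttl=64,
                                  total_length=20 + len(PAYLOAD)))
    icv = ah_icv(hdr, PAYLOAD, KEY)

    # A router forwards the packet and decrements TTL: still verifies, TTL is mutable.
    hopped = bytearray(hdr)
    hopped[8] -= 1
    ttl_ok = verify(bytes(hopped), PAYLOAD, KEY, icv)

    # Destination address rewritten in transit: fails, addresses are covered by AH.
    rewritten = bytearray(hdr)
    rewritten[16:20] = bytes([203, 0, 113, 9])
    dst_ok = verify(bytes(rewritten), PAYLOAD, KEY, icv)

    # Upper-layer data altered: fails.
    changed = bytearray(PAYLOAD)
    changed[0] ^= 0xFF
    payload_ok = verify(hdr, bytes(changed), KEY, icv)
    return ttl_ok, dst_ok, payload_ok


if __name__ == "__main__":
    print("TTL decrement, dst rewrite, payload change verify as:", demo())
```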
Encapsulating Security Payload
The ESP header is inserted after the IP header and before the upper-layer protocol header
(transport mode) or before an encapsulated IP header (tunnel mode).
ESP, defined in RFC 2406, is used to provide confidentiality, data origin authentication,
connectionless integrity, an anti-replay service (a form of partial sequence integrity), and
limited traffic flow confidentiality by defeating traffic-flow analysis. The set of services
provided depends on the options that are selected at the time of security association
establishment and upon placement of the implementation. Confidentiality may be selected
independent of all other services. However, use of confidentiality without integrity or
authentication (either in ESP or separately in AH) may subject traffic to certain forms of active
attacks that could undermine the confidentiality service.
Data origin authentication and connectionless integrity are joint services and are offered as an
option in conjunction with (optional) confidentiality. The anti-replay service may be selected
only if data origin authentication is selected, and its election is solely at the discretion of the
receiver. Although the default calls for the sender to increment the sequence number that is
used for anti-replay, the service is effective only if the receiver checks the sequence number.
Traffic flow confidentiality requires the selection of tunnel mode, and is most effective if it is
implemented at a security gateway, where traffic aggregation may be able to mask true
source-destination patterns. Although both confidentiality and authentication are optional, at
least one of them must be selected.
Tunnel vs. Transport Mode
This topic describes the differences in how the ESP and AH are applied using transport mode
and tunnel mode.
Tunnel Versus Transport Mode
This figure shows an IPSec-protected path in basic scenarios in tunnel and transport modes. In
transport mode, end hosts do IPSec encapsulation of their own data (host-to-host). Therefore,
IPSec has to be implemented on the end hosts, and the application endpoint must also be the
IPSec endpoint. In tunnel mode, IPSec gateways provide IPSec services to other hosts in
peer-to-peer tunnels, and end hosts are not aware of the IPSec protection that is being applied
to their traffic. IPSec gateways provide transparent protection of other host traffic over
untrusted networks.
ESP and AH can be applied to IP packets in two different ways, referred to as modes:
Transport mode: In transport mode, security is provided for the upper protocol layers—
transport layer and above only. Transport mode protects the payload of the packet but
leaves the original IP address in the clear. The original IP address is used to route the
packet through the Internet. ESP transport mode is used between hosts.
Tunnel mode: Provides security for the whole original IP packet. The original IP packet is
encrypted. Next, the encrypted packet is encapsulated in another IP packet. The outside IP
address is used to route the packet through the Internet.
Security Associations
This topic describes the concepts of security associations.
Security Association
SAs are one of the most basic concepts of IPSec. They represent a policy contract between two
peers or hosts, and describe how the peers will use IPSec security services to protect network
traffic. SAs contain all the security parameters that are needed to securely transport packets
between peers or hosts, and they practically define the security policy used in IPSec.
The figure illustrates the concept of an SA. The routers in the figure use IPSec to protect traffic
between hosts A and B, and therefore need two SAs (one in each direction) to describe traffic
protection in both directions. Establishment of SAs is a prerequisite for IPSec traffic protection
to work. When relevant SAs are established, IPSec refers to them for all parameters that are
needed to protect a particular traffic flow. For example, an SA might enforce the following
policy: “For traffic between hosts A and B use ESP 3DES with keys K1, K2, and K3 for
payload encryption, SHA-1 with K4 for authentication…”
IPSec SAs are always unidirectional (one-way). They are also encapsulation-protocol specific:
for each traffic flow there is a separate SA for each encapsulation protocol, AH and ESP. If two
hosts A and B communicate securely using both AH and ESP, each host builds separate inbound
and outbound SAs for each protocol, four in all. VPN devices store all their active SAs in a local
database called the SA database (SADB).
An SA contains these security parameters:
Authentication and encryption algorithms, key lengths, and other parameters (such as key
lifetime) that are used with protected packets.
Session keys for authentication (HMACs) and encryption that are fed to those algorithms. The
keys can be entered manually or negotiated automatically with the help of the IKE protocol.
A specification of the network traffic to which the SA applies (for example, all IP traffic, or
only Telnet sessions).
The IPSec encapsulation protocol (AH or ESP) and mode (tunnel or transport).
Five Steps to IPSec
This topic describes the five steps of IPSec operation.
Five Steps of IPSec
The goal of IPSec is to protect the desired data with the necessary security services and
algorithms. The figure shows only one of the two unidirectional IPSec SAs. IPSec operation can
be broken down into five primary steps:
Step 1
Interesting traffic initiates the IPSec process. Traffic is deemed interesting when the
VPN device recognizes that the traffic you want to send must be protected.
Step 2
IKE Phase 1. IKE authenticates IPSec peers and negotiates IKE SAs during this
phase, setting up a secure communications channel for negotiating IPSec SAs in
Phase 2.
Step 3
IKE Phase 2. IKE negotiates IPSec SA parameters and sets up matching IPSec SAs
in the peers. These security parameters are used to protect data and messages that are
exchanged between endpoints.
Step 4
Data transfer. Data is transferred between IPSec peers, based on the IPSec
parameters and keys stored in the SA database.
Step 5
IPSec tunnel termination. IPSec SAs terminate through deletion or by timing out.
IPSec and IKE Relationship
This topic describes how IKE enhances IPSec.
How IPSec uses IKE
IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for
the IPSec standard. IKE, defined in RFC 2409, is a hybrid protocol that implements the Oakley
and Skeme key exchanges inside the ISAKMP framework. ISAKMP is defined in RFC 2408.
ISAKMP, Oakley, and Skeme are security protocols implemented by IKE. IKE authenticates the
IPSec peers, negotiates IPSec keys, and negotiates IPSec SAs.
The IKE tunnel protects the SA negotiations. After the SAs are in place, IPSec protects the data
that A and B exchange.
IKE mode configuration allows a gateway to download an IP address (and other network-level
configuration) to the client as part of an IKE negotiation. Using this exchange, the gateway
gives IP addresses to the IKE client to be used as an inner IP address encapsulated under IPSec.
This provides a known IP address for the client, which can be matched against IPSec policy.
This feature implements IKE mode configuration into existing Cisco IOS IPSec software
images. Using IKE mode configuration, you can configure a Cisco access server to download
an IP address to a client as part of an IKE transaction. IKE automatically negotiates IPSec SAs
and enables IPSec secure communications without costly manual preconfiguration.
IKE provides these benefits:
Eliminates the need to manually specify all the IPSec security parameters in the crypto
maps at both peers
Allows you to specify a lifetime for the IPSec SA
Allows you to change encryption keys during IPSec sessions
Allows IPSec to provide anti-replay services
Permits CA support for a manageable, scalable IPSec implementation
Allows dynamic authentication of peers
The component technologies implemented for use by IKE include:
DES: DES is used to encrypt packet data. IKE implements 56-bit DES in cipher block chaining
(CBC) mode with an explicit initialization vector (IV).
3DES: 168-bit key encryption (three DES operations per block). Its effective strength against
the best known attacks is about 112 bits, still far stronger than single DES.
AES: Advanced Encryption Standard is the new standard that provides stronger encryption
(128-bit, 192-bit, 256-bit keys) and is less CPU-intensive.
CBC: Requires an IV to start encryption. The IV is carried explicitly in the IPSec packet.
Diffie-Hellman: A public-key cryptography protocol that allows two parties to establish a
shared secret over an unsecured communications channel. Diffie-Hellman is used within
IKE to establish session keys. 768-bit and 1024-bit Diffie-Hellman groups are supported.
MD5 (HMAC variant): MD5 is a hash algorithm that is used to authenticate packet data.
HMAC is the keyed variant: the hash is computed over the data together with a shared
secret key, so only a holder of the key can produce or verify the value.
SHA (HMAC variant): SHA-1 is a hash algorithm that is used to authenticate packet data. It
is likewise used in its keyed HMAC form.
RSA signatures and RSA encrypted nonces: RSA is the public key cryptographic system
developed by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA signatures provide
nonrepudiation (a peer cannot later deny having signed the exchange), while RSA-encrypted
nonces (uniquely occurring numbers) provide repudiation, because either peer could have
produced the values that were exchanged.
X.509v3 digital certificates are used with the IKE protocol when authentication requires public
keys. This certificate support allows the protected network to scale by providing the equivalent
of a digital ID card for each device. When two devices must communicate, they exchange
digital certificates to prove their identity, thus removing the need to exchange public keys
manually with each peer or to specify a shared key manually at each peer.
IKE and IPSec Flowchart
This topic describes the IPSec process using SAs and CAs.
IKE and IPSec Flowchart
IPSec in Cisco IOS software processes packets as shown in the figure. The process assumes
that you have already created your own public and private keys, and that at least one access list
exists. The steps are listed here:
Step 1
Access lists applied to an interface and crypto maps are used by Cisco IOS software
to select interesting traffic to be encrypted.
Cisco IOS software checks to see if IPSec SAs have been established.
If the SA has already been established by manual configuration using the crypto
ipsec transform-set and crypto map commands, or previously set up by IKE,
the packet is encrypted based on the policy that is specified in the crypto map,
and is transmitted out the interface.
Step 2
If the SA has not been established, Cisco IOS software checks to see if an ISAKMP
SA has been configured and set up. If the ISAKMP SA has been set up, the
ISAKMP SA governs negotiation of the IPSec SA as specified in the ISAKMP
policy configured by the crypto isakmp policy command. Then the packet is
encrypted by IPSec and is transmitted.
Step 3
If the ISAKMP SA has not been set up, Cisco IOS software checks to see if a
certification authority (CA) has been configured to establish an ISAKMP policy. If CA
authentication is configured with the crypto ca commands, the router uses the
previously configured public and private keys, obtains the public certificate of the
CA, obtains a certificate for its own public key, uses that key to negotiate an ISAKMP
SA, which in turn is used to establish the IPSec SA, and finally encrypts and transmits
the packet. Enrollment with the CA is usually a one-time process.
Tasks to Configure IPSec
This topic describes the tasks to configure IPSec.
Tasks to Configure IPSec
Task 1 – Prepare for IKE and IPSec
Step 1: Determine IKE (IKE Phase 1) policy
Step 2: Determine IPSec (IKE Phase 2) policy
Step 3: Check the current configuration
Step 4: Ensure that the network works without encryption
Step 5: Ensure that access lists are compatible with IPSec
Task 2 – Configure IKE
Step 1: Enable or disable IKE
Step 2: Create IKE policies
Step 3: Configure ISAKMP identity
Step 4: Configure preshared keys
Step 5: Verify IKE configuration
Tasks to Configure IPSec (Cont.)
Task 3 – Configure IPSec
Step 1: Configure transform set suites
Step 2: Configure global IPSec lifetime
Step 3: Create crypto ACLs
Step 4: Create crypto ACLs using extended access lists
Step 5: Create crypto maps
Step 6: Configure IPSec crypto maps
Task 4 – Test and Verify IPSec
The use of IKE preshared keys for authentication of IPSec sessions is relatively easy to
configure, yet does not scale well for a large number of IPSec clients.
The process for configuring IKE preshared keys in Cisco IOS software for Cisco routers
consists of four major tasks. Subsequent lessons of this module discuss each configuration task
in more detail. The four major tasks are as follows:
Task 1—Prepare for IPSec: This task involves determining the detailed encryption
policy. This includes identifying the hosts and networks that you must protect, determining
details about the IPSec peers, determining the IPSec features that you need, and ensuring
that existing ACLs are compatible with IPSec.
Task 2—Configure IKE: This task involves enabling IKE, creating the IKE policies, and
validating the configuration.
Task 3—Configure IPSec: This task includes defining the transform sets, creating crypto
ACLs, creating crypto map entries, and applying crypto map sets to interfaces.
Task 4—Test and verify IPSec: Use show, debug, and related commands to test and
verify that IPSec encryption works, and to troubleshoot problems.
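The four tasks carried through as one working RouterA configuration, added here as an example and not taken from the BCRAN guide or its lab. The peer address 172.30.2.2, local address 172.30.1.2, access list 102, map name mymap and transform-set name mine match the show crypto map output shown later on this page; the interface name, the preshared key string and the choice of 3DES with SHA-1 in place of the guide's DES are assumptions.

```cisco
! Added example: the four IPSec configuration tasks on RouterA (preshared keys).
!
! Task 1 (prepare): confirm plain connectivity and look for existing policy first.
! RouterA# ping 172.30.2.2
! RouterA# show crypto isakmp policy
! RouterA# show crypto map
!
! Task 2: configure IKE (Phase 1). Lower policy numbers are offered first.
crypto isakmp enable
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp identity address
! Key string is an assumption; the peer must hold the same key for 172.30.1.2.
crypto isakmp key cisco123 address 172.30.2.2
!
! Task 3: configure IPSec (Phase 2).
! Transform set (the guide's example policy uses esp-des; 3DES/SHA-1 is chosen here).
crypto ipsec transform-set mine esp-3des esp-sha-hmac
! Global IPSec SA lifetime; if the peers differ, the shorter value is negotiated.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
! Crypto ACL: "permit" means protect. The peer needs the mirror image (src/dst swapped).
access-list 102 permit ip host 172.30.1.2 host 172.30.2.2
! Crypto map ties peer, ACL and transform set together; ipsec-isakmp = IKE-negotiated SAs.
crypto map mymap 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set mine
 match address 102
! Apply the map to the interface facing the peer (interface name is an assumption).
interface Serial0/0
 ip address 172.30.1.2 255.255.255.0
 crypto map mymap
!
! Task 4: test and verify. The ping is interesting traffic (it matches ACL 102),
! so it triggers IKE Phase 1, then Phase 2, and then flows through the IPSec SAs.
! RouterA# ping 172.30.2.2
! RouterA# show crypto isakmp sa
! RouterA# show crypto ipsec sa
! RouterA# debug crypto isakmp
```

RouterB needs the mirror image: the same IKE policy and key, a crypto ACL with source and destination swapped, and set peer 172.30.1.2. Crypto ACLs that are not exact mirrors are the most common reason Phase 2 fails while Phase 1 succeeds.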
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• IPSec is a set of security protocols and algorithms
used to secure data at the network layer.
• IPSec consists of the Encapsulating Security
Payload (ESP) and Authentication Header (AH).
• Internet Key Exchange (IKE) enhances IPSec by
providing additional features, flexibility, and ease
of configuration for the IPSec standard.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) IPSec supports which two encapsulation protocols?
A) MD5 and SHA-1
B) SHA-1 and ESP
C) ESP and AH
D) AH and MD5
Q2) Transport mode provides protection for which layer and above?
A) network
B) transport
C) session
D) application
Q3) How many security associations are generated for IPSec tunnels between routers?
A) 1
B) 2
C) 3
D) 4
Q4) What is the first step in establishing an IPSec tunnel?
A) IKE Phase 1 is negotiated.
B) IKE Phase 2 is negotiated.
C) IPSec peers terminate a tunnel.
D) Interesting traffic must be generated.
Q5) Internet Key Exchange increases the functionality of IPSec.
A) true
B) false
Q6) To use IKE with IPSec, you must have a CA set up.
A) true
B) false
Q7) To configure IKE, you must enable IKE, create the IKE policies, and _______.
A) apply crypto ACLs
B) validate the configuration
C) identify the host
D) use the show command
Quiz Answer Key
Q1) C (Relates to: IPSec)
Q2) B (Relates to: Tunnel vs. Transport Mode)
Q3) C (Relates to: Security Associations)
Q4) D (Relates to: Five Steps to IPSec)
Q5) A (Relates to: IPSec and IKE Relationship)
Q6) B (Relates to: IKE and IPSec Flowchart)
Q7) B (Relates to: Tasks to Configure IPSec)
Task 1: Preparing for IKE and
IPSec
Overview
Successful implementation of an IPSec network requires advance planning before beginning
the configuration of individual routers.
Relevance
Before configuring IPSec it is necessary to establish a proper IPSec security policy.
Objectives
Upon completing this lesson, you will be able to:
Identify the steps in creating an IKE and IPSec security policy
Describe the process for determining the IKE Phase 1 policy
Define the IKE Phase 1 policy parameters
Describe the process for determining the IKE Phase 2 policy
Identify the IPSec transforms supported by Cisco IOS software
Describe an example of an IPSec policy
Describe the importance of identifying the IPSec peer
Identify the commands that are used to check for existing IPSec security policies
Identify the commands that are used to ensure connectivity between IPSec peers
Describe how to ensure that access lists are compatible with IPSec
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Networking Devices (ICND) course
Outline
This lesson includes these topics:
Overview
IKE Creation and IPSec Security Policy
Step 1: Determine IKE (IKE Phase 1) Policy
IKE Phase 1 Policy Parameters
Step 2: Determine IPSec (IKE Phase 2) Policy
IPSec Transforms Supported in Cisco IOS Software
IPSec Policy Example
IPSec Peers
Step 3: Check Current Configuration
Step 4: Ensure That the Network Works
Step 5: Ensure That Access Lists Are Compatible with IPSec
Summary
Quiz
IKE Creation and IPSec Security Policy
This topic identifies the steps for creating an IKE and IPSec security policy.
Task 1—Prepare for IKE and IPSec
Task 1 – Prepare for IKE and IPSec
Step 1—Determine IKE (IKE Phase 1) policy.
Step 2—Determine IPSec (IKE Phase 2) policy.
Step 3—Check the current configuration.
show running-config
show crypto isakmp policy
show crypto map
Step 4—Ensure the network works without encryption.
ping
Step 5—Ensure access lists are compatible with IPSec.
show access-lists
Task 2 – Configure IKE
Task 3 – Configure IPSec
Task 4 – Test and Verify IPSec
Configuring IPSec encryption can be complicated. You must plan in advance if you desire to
configure IPSec encryption correctly the first time and minimize misconfiguration. You should
begin this task by defining the IPSec security policy based on the overall company security
policy. Some planning steps are as follows:
Step 1
Determine IKE (IKE Phase 1) policy: Determine the IKE policies between IPSec
peers based on the number and location of the peers.
Step 2
Determine IPSec (IKE Phase 2) policy: Identify IPSec peer details such as IP
addresses, IPSec transform sets, and IPSec modes. Then configure crypto maps to
gather all IPSec policy details together.
Step 3
Check the current configuration: Use the show running-config, show crypto
isakmp policy, and show crypto map commands, and the many other show
commands, to check the current configuration of the router. This is covered later
in this lesson.
Step 4
Ensure the network works without encryption (no excuses!): Ensure that basic
connectivity has been achieved between IPSec peers using the desired IP services
before configuring IPSec. You can use the ping command to check basic
connectivity.
Step 5
Ensure that access control lists (ACLs) are compatible with IPSec: Ensure that
perimeter routers and the IPSec peer router interfaces permit IPSec traffic. In this
step you need to enter the show access-lists command.
Step 1: Determine IKE (IKE Phase 1) Policy
This topic describes the process for determining the IKE Phase 1 policy
Step 1—Determine IKE (IKE Phase 1) Policy
Determine the following policy details:
• Key distribution method
• Authentication method
• IPSec peer IP addresses and hostnames
• IKE Phase 1 policies for all peers
– Encryption algorithm
– Hash algorithm
– IKE SA lifetime
Configuring IKE is complicated. You should determine the IKE policy details to enable the
selected authentication method, and then configure it. Having a detailed plan reduces the
chances of improper configuration. Some of the planning steps include:
Determine the key distribution method: Determine the key distribution method that is
based on the numbers and locations of IPSec peers. For a small network, you may want to
manually distribute keys. For a larger network, you may want to use a CA server to support
scalability of IPSec peers. You must then configure the ISAKMP to support the selected
key distribution method.
Determine the authentication method: Choose the authentication method that is based on
the key distribution method. Cisco IOS software supports either preshared keys, RSA
encrypted nonces, or RSA signatures to authenticate IPSec peers. This lesson focuses on
using preshared keys.
Identify IPSec peer IP addresses and hostnames: Determine details of all of the IPSec
peers that will use ISAKMP and preshared keys for establishing SAs. You will use this
information to configure IKE.
Determine ISAKMP policies for peers: An ISAKMP policy defines a combination, or
suite, of security parameters to be used during the ISAKMP negotiation. Each ISAKMP
negotiation begins by each peer agreeing on a common (shared) ISAKMP policy. The
ISAKMP policy suites must be determined in advance of configuration. You must then
configure IKE to support the policy details that you determined. Some ISAKMP policy
details include:
— Encryption algorithm
— Hash algorithm
— IKE SA lifetime
The goal of this planning step is to gather the precise data that you will need in later steps to
minimize misconfiguration.
IKE Phase 1 Policy Parameters
This topic describes the IKE Phase 1 policy parameters.
IKE Phase 1 Policy Parameters
An IKE policy defines a combination of security parameters that are used during the IKE
negotiation. The set of policies configured on a peer makes up its “protection suite”; offering
several policies lets IPSec peers establish IKE sessions and SAs with minimal configuration. The
figure shows an example of possible combinations of IKE parameters that form either a strong or
a stronger policy suite.
Create IKE Policies for a Purpose
Because IKE negotiations must be protected, each IKE negotiation begins with each peer
agreeing on a common (shared) IKE policy. This policy states which security parameters will
be used to protect subsequent IKE negotiations.
After the two peers agree upon a policy, an SA established at each peer identifies the security
parameters of the policy. These SAs apply to all subsequent IKE traffic during the negotiation.
You can create multiple, prioritized policies at each peer to ensure that at least one policy will
match a remote peer policy.
Define IKE Policy Parameters
You can select specific values for each IKE parameter, according to the IKE standard. You
select one value over another based on the security level you want and the type of IPSec peer to
which you will connect.
There are five parameters to define in each IKE policy, as shown in the figure and in the table
here. The figure shows the relative strength of each parameter. The table shows the default
values.
IKE Policy Parameters

Parameter                          Accepted Values            Keyword     Default
Message encryption algorithm       DES                        des         56-bit DES-CBC
                                   3DES                       3des
Message integrity (hash)           SHA-1 (HMAC variant)       sha         SHA-1
algorithm                          MD5 (HMAC variant)         md5
Peer authentication method         Preshared keys             pre-share   RSA signatures
                                   RSA encrypted nonces       rsa-encr
                                   RSA signatures             rsa-sig
Key exchange parameters            768-bit Diffie-Hellman     1           768-bit Diffie-Hellman
(Diffie-Hellman group identifier)  1024-bit Diffie-Hellman    2
ISAKMP-established security        Any number of seconds      (none)      86,400 sec (one day)
association lifetime
You can select specific values for each ISAKMP parameter per the ISAKMP standard. You
select one value over another based on the security level you want and the type of IPSec peer to
which you will connect. There are five parameters to define in each IKE policy as presented in
the table here. The table shows the relative strength of each parameter.
Parameter                                                   Strong        Stronger
Message encryption algorithm                                DES           3DES
Message integrity (hash) algorithm                          MD5           SHA-1
Peer authentication method                                  Preshare      RSA encryption, RSA signature
Key exchange parameters (Diffie-Hellman group identifier)   D-H Group 1   D-H Group 2
ISAKMP-established security association lifetime            86,400 sec    <86,400 sec
You should determine IKE policy details for each peer before configuring IKE. The figure
shows a summary of IKE policy details that will be configured in examples and later, in labs
for this lesson. The authentication method of preshared keys is also covered in this lesson.
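The two columns of the strength table expressed as prioritized IKE policies on RouterA, as an added example that is not part of the BCRAN guide. The peer address 172.30.2.2 is taken from the show crypto map output later in this lesson; the policy numbers, the shortened lifetime and the key string are assumptions.

```cisco
! Added example: prioritized IKE (Phase 1) policies. The lowest policy number is the
! highest priority and is proposed first; a peer that cannot match it falls through.
crypto isakmp enable
!
! "Stronger" column of the table, with a lifetime below the 86,400-second default.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
!
! "Strong" column, kept only as a fallback for peers that cannot do 3DES or group 2.
crypto isakmp policy 20
 encryption des
 hash md5
 authentication pre-share
 group 1
 lifetime 86400
!
! Identity type and the preshared key for this peer (key string is an assumption).
crypto isakmp identity address
crypto isakmp key cisco123 address 172.30.2.2
!
! Verify: the configured policies are listed ahead of the default protection suite.
! RouterA# show crypto isakmp policy
```

If every peer supports the stronger suite, omit policy 20: a weak fallback is only ever selected when a peer is misconfigured, and keeping it means that misconfiguration goes unnoticed instead of failing the negotiation.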
Step 2: Determine IPSec (IKE Phase 2) Policy
This topic describes the process for determining the IKE Phase 2 policy.
Step 2—Determine IPSec (IKE Phase 2)
Policy
Determine the following policy details:
• IPSec algorithms and parameters for optimal
security and performance
• Transforms and, if necessary, transform sets
• IPSec peer details
• IP address and applications of hosts to be
protected
• Manual or IKE-initiated SAs
Goal: Minimize misconfiguration
An IPSec policy defines a combination of IPSec parameters that are used during the IPSec
negotiation. Planning for IPSec (IKE Phase 2) is another important step you should complete
before actually configuring IPSec on a Cisco router. Policy details to determine at this stage
include:
Select IPSec algorithms and parameters for optimal security and performance:
Determine what type of IPSec security to use when securing interesting traffic. Some IPSec
algorithms require that you make tradeoffs between high performance and stronger
security. Some algorithms have import and export restrictions that may delay or prevent
implementation of your network.
Select transforms and, if necessary, transform sets: Use the IPSec algorithms and
parameters previously decided upon to help select IPSec transforms, transform sets, and
modes of operation.
Identify IPSec peer details: Identify the IP addresses and host names of all IPSec peers to
which you will connect.
Determine IP address and applications of hosts to be protected: Decide which IP
addresses and applications of hosts should be protected at the local peer and remote peer.
Select manual or IKE-initiated SAs: Choose whether SAs are manually established or are
established via IKE.
The goal of this planning step is to gather the precise data that you will need in later steps to
minimize misconfiguration.
IPSec Transforms Supported in Cisco IOS
Software
This topic describes the IPSec transforms that are supported by Cisco IOS software.
IPSec Transforms Supported in
Cisco IOS Software
Cisco IOS software supports the following IPSec transforms:
Cisco IOS software supports the IPSec transforms shown in the figure. Newer Cisco IOS
software includes support for the Advanced Encryption Standard (AES).
Note
AH is rarely used because authentication is available with the esp-sha-hmac and esp-md5-hmac
transforms. AH is also not compatible with NAT or PAT, because it authenticates the IP header
fields that NAT rewrites.
Note
IOS Release 12.2(13)T adds support for AES. The National Institute of Standards and
Technology (NIST) standardized AES in a Federal Information Processing Standards (FIPS)
publication (FIPS 197). AES is a privacy transform for IPSec and IKE and was developed to
replace DES. AES is designed to be more secure than DES in that AES offers a larger key size.
The algorithm can use a 128-bit key (the default), a 192-bit key, or a 256-bit key.
Encapsulating Security Payload

Transform       Description
esp-des         ESP transform using the DES cipher (56 bits)
esp-3des        ESP transform using the 3DES (EDE) cipher (168 bits)
esp-md5-hmac    ESP transform with HMAC-MD5 authentication; used with an ESP-DES or ESP-3DES
                transform to add integrity protection to the ESP packet
esp-sha-hmac    ESP transform with HMAC-SHA authentication; used with an ESP-DES or ESP-3DES
                transform to add integrity protection to the ESP packet
esp-null        ESP transform without a cipher. May be combined with ESP-MD5-HMAC or
                ESP-SHA-HMAC when ESP authentication without encryption is wanted
Caution
Never use esp-null in a production environment because it does not protect data flows.
Examples of acceptable transforms that can be combined into sets are shown in the table here.
Acceptable Transforms

Transform Type                                  Allowed Transform Combinations
AH transform (pick up to one)                   ah-md5-hmac: AH with the MD5 (HMAC variant) authentication algorithm
                                                ah-sha-hmac: AH with the SHA (HMAC variant) authentication algorithm
ESP encryption transform (pick up to one)       esp-des: ESP with the 56-bit DES encryption algorithm
                                                esp-3des: ESP with the 168-bit DES encryption algorithm (3DES)
                                                esp-null: Null encryption algorithm
                                                esp-aes: ESP with 128-bit AES encryption
                                                esp-aes 192: ESP with 192-bit AES encryption
                                                esp-aes 256: ESP with 256-bit AES encryption
ESP authentication transform (pick up to one)   esp-md5-hmac: ESP with the MD5 (HMAC variant) authentication algorithm
                                                esp-sha-hmac: ESP with the SHA (HMAC variant) authentication algorithm
IP compression transform                        comp-lzs: IP compression with the LZS algorithm
The Cisco IOS command parser prevents you from entering invalid combinations; for example,
after you specify an AH transform, it does not allow you to specify another AH transform for
the current transform set.
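Transform sets built from the combinations in the table, as an added example that is not part of the BCRAN guide. The transform-set names are assumptions; the transform keywords are the ones listed above.

```cisco
! Added example: valid transform sets, one per row of the combination rules.
! The usual choice: one ESP encryption transform plus one ESP authentication transform.
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
!
! 3DES with SHA-1 for peers whose IOS release predates AES support.
crypto ipsec transform-set LEGACY esp-3des esp-sha-hmac
!
! AH and ESP together: a separate AH SA and ESP SA are built in each direction.
! Cannot cross NAT or PAT because AH authenticates the IP header.
crypto ipsec transform-set AH-AND-ESP ah-sha-hmac esp-3des
!
! Integrity only, no confidentiality: lab and troubleshooting use, never production.
crypto ipsec transform-set AUTH-ONLY esp-null esp-sha-hmac
!
! Mode is a property of the transform set; the default is tunnel. Transport mode
! only fits when the IPSec endpoints are also the traffic endpoints (host-to-host).
crypto ipsec transform-set HOST2HOST esp-3des esp-sha-hmac
 mode transport
!
! Rejected by the parser, two transforms of the same type:
! crypto ipsec transform-set BAD esp-des esp-3des
!
! Verify the sets and the mode each one will negotiate.
! RouterA# show crypto ipsec transform-set
```

A crypto map entry can reference several transform sets in order of preference, and the peers agree on the first set both have; listing AUTH-ONLY there by mistake is how cleartext ends up on the wire, so keep it out of production maps.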
IPSec Policy Example
This topic describes an example of an IPSec policy.
IPSec Policy Example
The figure shows a summary of IPSec encryption policy details that will be configured in
examples in this lesson. (Details about IPSec transforms are covered later in this lesson.) The
example policy specifies that TCP traffic between the hosts should be encrypted by IPSec that
uses DES.
Determining network design details includes defining a more detailed IPSec policy for
protecting traffic. You can then use the detailed policy to help select IPSec transform sets and
modes of operation. Your IPSec policy should answer these questions:
What protections are required or are acceptable for the protected traffic?
Which IPSec transforms or transform sets should be used?
What are the peer IPSec endpoints for the traffic?
What traffic should or should not be protected?
Which router interfaces are involved in protecting internal nets and external nets?
How are SAs set up (manual or IKE negotiated) and how often should the SAs be
renegotiated?
IPSec Peers
This topic describes the importance of identifying the IPSec peer.
Identify IPSec Peers
An important part of determining the IPSec policy is to identify the IPSec peer with which the
Cisco router will communicate. The peer must support IPSec as specified in the RFCs that are
supported by Cisco IOS. Many different types of peers are possible. Before configuration,
identify all the potential peers and their VPN capabilities. Possible peers include, but are not
limited, to these:
Other Cisco routers
The Cisco PIX Firewall
The Cisco VPN client (hardware or software)
The Cisco VPN concentrator
CA servers if they are used
IPSec products of other vendors that conform to IPSec RFCs
Caution
Incompatibilities may exist when configuring IPSec and IKE between older and newer IOS
images; for example, between a router running IOS 12.0.3 and another router running IOS
12.2.8. Check the compatibility matrixes in the planning stages.
Step 3: Check Current Configuration
This topic describes the commands that are used to check for existing IPSec security policies.
Step 3—Check Current Configuration
router#
show running-config
• View router configuration for existing IPSec policies.
show crypto isakmp policy
• View the default and any configured IKE Phase 1 policies.
show crypto map
• View any configured crypto maps.
show crypto ipsec transform-set
• View any configured transform sets.
The current Cisco router configuration should be checked to see if there are any IPSec policies
already configured that are useful for—or may interfere with—the IPSec policies that you plan
to configure. Previously configured IKE and IPSec policies and details can and should be used,
if possible, to save configuration time. However, they can make troubleshooting more difficult
if problems arise.
You can see if any IKE policies have previously been configured by using the show
running-config command. You can also use the variety of show commands that are specific to
IPSec. For example, you can use the show crypto isakmp policy command, shown in the figure,
to examine IKE policies.
RouterA# show crypto isakmp policy
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
The default protection suite seen here is available for use without modification. You can also
use the other available show commands covered in other lessons of this module to view IKE
and IPSec configuration.
The show crypto map command shown in the figure is useful for viewing any previously
configured crypto maps (crypto maps are covered in detail later in this module). Previously
configured maps can and should be used to save configuration time. However, previously
configured crypto maps can interfere with the IPSec policy that you are trying to configure.
RouterA# show crypto map
Crypto Map "mymap" 10 ipsec-isakmp
        Peer = 172.30.2.2
        Extended IP access list 102
            access-list 102 permit ip host 172.30.1.2 host 172.30.2.2
        Current peer: 172.30.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ mine, }
You can also use the show crypto ipsec transform-set command to view previously
configured transform sets. Previously configured transforms can, and should, be used to save
configuration time.
RouterA# show crypto ipsec transform-set mine
Transform set mine: { esp-des  }
   will negotiate = { Tunnel,  },
Step 4: Ensure That the Network Works
This topic describes the commands that are used to ensure connectivity between IPSec peers.
Basic connectivity between peers must be checked before you begin configuring IPSec.
The router ping command can be used to test basic connectivity between IPSec peers. While a
successful Internet Control Message Protocol (ICMP) echo (ping) will verify basic connectivity
between peers, you should ensure the network works with any other protocols or ports you
want to encrypt, such as Telnet, FTP, or SQL*NET before beginning IPSec configuration.
After IPSec is activated, basic connectivity troubleshooting can be difficult because the security
configuration may mask a more fundamental networking problem. Previous security settings
could result in no connectivity.
Note
The ping command may be limited by access lists.
Step 5: Ensure That Access Lists Are Compatible
with IPSec
This topic describes how to ensure that access lists are compatible with IPSec.
• Ensure that IP protocol 50 and 51 traffic and UDP port 500 traffic are not blocked at interfaces used by IPSec.
You will need to ensure that existing ACLs on perimeter routers, firewalls, or other routers do
not block IPSec traffic. Perimeter routers typically implement a restrictive security policy with
ACLs, where only specific traffic is permitted and all other traffic is denied. Such a restrictive
policy blocks IPSec traffic. Therefore, you must add specific permit statements to the ACL to
allow IPSec traffic.
Ensure that your ACLs are configured so that ISAKMP, ESP, and AH traffic is not blocked at
interfaces used by IPSec. ISAKMP uses User Datagram Protocol (UDP) port 500. ESP is
assigned IP protocol number 50, and AH is assigned IP protocol number 51. In some cases, you
may need to add a statement to router ACLs to explicitly permit this traffic. You may need to
add the ACL statements to the perimeter router by performing these steps:
Step 1   Examine the current ACL configuration at the perimeter router and determine if it will block IPSec traffic:
RouterA# show access-lists
Step 2   Add ACL entries to permit IPSec traffic. New entries are appended to the end of a numbered ACL, so to place the permit statements ahead of any existing deny statements, rebuild the list as follows:
1. Copy the existing ACL configuration and paste it into a text editor.
2. Add the ACL entries to the top of the list in the text editor.
3. Delete the existing ACL with the no access-list access-list-number command.
4. Enter configuration mode and copy and paste the new ACL into the router.
5. Verify that the ACL is correct with the show access-lists command.
A concatenated example showing ACL entries permitting IPSec traffic for RouterA is as
follows:
RouterA# show running-config
!
interface Serial0/1
 ip address 172.30.1.2 255.255.255.0
 ip access-group 102 in
!
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
Note that the protocol keyword of esp equals the ESP protocol (number 50), the keyword of
ahp equals the AH protocol (number 51), and the isakmp keyword equals UDP port 500.
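The check in Step 1 and the ordering rule in Step 2 can be scripted rather than read by eye. The following Python is an added example and is not part of the BCRAN course material or of Cisco IOS. It parses only the subset of numbered extended ACL syntax used on this page (protocol keyword, host or any addresses, an optional eq port on the destination), applies IOS first-match evaluation with the implicit deny at the end, and reports which of the three flows Step 5 requires (UDP 500, IP protocol 50, IP protocol 51) the peer would lose. The ACL texts are constructed samples: FIXED_ACL is the page's own corrected list; RESTRICTIVE_ACL and WRONG_ORDER_ACL are hypothetical "before" states.

```python
import re

# IOS protocol keywords used in extended ACLs -> IP protocol number.
# esp/ahp are the keywords the page explains; "ip" matches any protocol.
PROTO_NUMS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}
# IOS port names accepted after "eq" (isakmp is the one that matters here).
NAMED_PORTS = {"isakmp": 500, "domain": 53, "telnet": 23, "ftp": 21}

ACE_RE = re.compile(
    r"access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>host\s+\S+|any)\s+(?P<dst>host\s+\S+|any)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_acl(config_text, number):
    """Return the entries of numbered ACL `number` in the order IOS evaluates them."""
    aces = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or int(m.group("num")) != number:
            continue
        port = m.group("port")
        if port is not None:
            port = int(NAMED_PORTS.get(port, port))
        aces.append({
            "action": m.group("action"),
            "proto": m.group("proto"),
            "src": m.group("src").split()[-1],   # "host 1.2.3.4" -> "1.2.3.4", or "any"
            "dst": m.group("dst").split()[-1],
            "port": port,                        # destination port, or None
        })
    return aces


def _addr_ok(pattern, addr):
    return pattern == "any" or pattern == addr


def acl_permits(aces, proto_num, src, dst, dport=None):
    """First-match evaluation; a packet no entry matches hits the implicit deny."""
    for ace in aces:
        if ace["proto"] != "ip" and PROTO_NUMS.get(ace["proto"]) != proto_num:
            continue
        if not (_addr_ok(ace["src"], src) and _addr_ok(ace["dst"], dst)):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"] == "permit"
    return False


# The three flows Step 5 says must reach the IPSec interface from the peer.
IPSEC_FLOWS = [
    ("ISAKMP UDP/500", 17, 500),
    ("ESP (IP protocol 50)", 50, None),
    ("AH (IP protocol 51)", 51, None),
]


def ipsec_flows_blocked(aces, peer, local):
    """Names of the IPSec flows from `peer` to `local` that the ACL would drop."""
    return [name for name, proto, port in IPSEC_FLOWS
            if not acl_permits(aces, proto, peer, local, port)]


# Constructed sample ACLs (inbound on the IPSec interface, as on this page).
FIXED_ACL = """
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
"""

# Typical restrictive perimeter list: nothing about IPSec, so all three flows die.
RESTRICTIVE_ACL = """
access-list 102 permit tcp any host 172.30.1.2 eq telnet
access-list 102 permit icmp any host 172.30.1.2
"""

# The permits were pasted after an existing deny, so IKE never gets through:
# this is why the procedure puts the new entries at the top of the list.
WRONG_ORDER_ACL = """
access-list 102 deny udp any any eq isakmp
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
"""

if __name__ == "__main__":
    peer, local = "172.30.2.2", "172.30.1.2"
    for name, text in [("fixed", FIXED_ACL), ("restrictive", RESTRICTIVE_ACL),
                       ("wrong order", WRONG_ORDER_ACL)]:
        print(f"{name:12s} blocked: {ipsec_flows_blocked(parse_acl(text, 102), peer, local)}")
```

Feed it the output of show running-config (or show access-lists, whose lines use the same keywords) and the peer and local addresses; an empty list means the ACL is compatible with IPSec for that peer. The WRONG_ORDER_ACL case shows the failure mode the text warns about: the ESP and AH permits are fine, but an earlier deny still wins for ISAKMP, so Phase 1 never completes.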
Summary
This topic summarizes the key points discussed in this lesson.
• Determine the IKE policy details that enable the selected authentication method, and then configure them.
• An IKE policy defines a combination of security parameters used during the IKE negotiation.
• It is important to identify the IPSec peer that the Cisco router will communicate with.
• The current Cisco router configuration should be checked to see if there are any IPSec policies already configured that are useful for, or may interfere with, the IPSec policies you plan to configure.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) What is the purpose of examining the access lists when preparing for IKE and IPSec?
    A) to enforce VPN security
    B) to make sure VPN security is not blocked by an access list
    C) to show which interfaces are serial interfaces
    D) to implement unused security policies
Q2) Which key distribution method is most effective for a number of VPN users?
    A) preshared keys
    B) a network administrator PDA
    C) hashing
    D) certification authorities
Q3) Which transform type is most secure?
    A) ah-sha-hmac
    B) ah-md5-hmac
    C) esp-null
    D) esp-des
Q4) It is not necessary to define a transform set when determining IPSec policy.
    A) true
    B) false
Q5) Which of the following devices may NOT be an IPSec peer?
    A) a PC with a VPN client
    B) a Cisco network switch
    C) a Cisco router
    D) a VPN concentrator
Q6) The show crypto map command will not define the peer of the map.
    A) true
    B) false
Q7) IPSec implementation makes basic troubleshooting difficult because _______.
    A) there are many commands to memorize
    B) analyzing packets may be difficult if they are encrypted
    C) it applies access lists that block traffic with the implicit deny command
Q8) Which of the following does NOT need to be allowed through an access list to ensure that a VPN will function?
    A) protocol 50
    B) protocol 51
    C) UDP port 500
    D) UDP port 53
Quiz Answer Key
Q1)
B
Relates to: IKE Creation and IPSec Security Policy
Q2)
D
Relates to: Step 1: Determine IKE (IKE Phase 1) Policy
Q3)
D
Relates to: IPSec Transforms Supported in Cisco IOS Software
Q4)
B
Relates to: IPSec Policy Example
Q5)
B
Relates to: IPSec Peers
Q6)
B
Relates to: Step 3: Check Current Configuration
Q7)
B
Relates to: Step 4: Ensure That the Network Works
Q8)
D
Relates to: Step 5: Ensure That Access Lists Are Compatible with IPSec
Task 2: Configuring IKE
Overview
The next major task in configuring Cisco IOS IPSec is to configure the IKE parameters that
you gathered earlier. This lesson describes the steps that are used to configure IKE policies.
Relevance
A major task in configuring IPSec is to configure the proper IKE parameters that are used in
IKE policies.
Objectives
Upon completing this lesson, you will be able to:
List the steps to configure IKE
Identify the command that is used to enable or disable ISAKMP
Identify the command that is used to define an IKE policy
Identify the command that is used to set ISAKMP parameters
Describe the process and commands in IKE policy negotiation
Identify the command that is used to configure the ISAKMP identity
Identify the command that is used to configure a preshared authentication key
Identify the command to verify IKE configuration
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
IKE Configuration
Step 1: Enable or Disable IKE
Step 2: Create IKE Policies
IKE Policy Creation with the crypto isakmp Command
IKE Policy Negotiation
Step 3: Configure ISAKMP Identity
Step 4: Configure Preshared Keys
Step 5: Verify IKE Configuration
Summary
Quiz
IKE Configuration
This topic describes the steps that are required to configure IKE.
Task 2—Configure IKE
Step 1—Enable or disable IKE: crypto isakmp enable
Step 2—Create IKE policies: crypto isakmp policy
Step 3—Configure ISAKMP identity: crypto isakmp identity
Step 4—Configure preshared keys: crypto isakmp key
Step 5—Verify the IKE configuration: show crypto isakmp policy
Configuring IKE consists of these essential steps and commands:
Step 1   Enable or disable IKE with the crypto isakmp enable command.
Step 2   Create IKE policies with the crypto isakmp policy commands.
Step 3   Configure the ISAKMP identity with the crypto isakmp identity command.
Step 4   Configure preshared keys with the crypto isakmp key and associated commands.
Step 5   Verify the IKE configuration with the show crypto isakmp policy command.
Step 1: Enable or Disable IKE
This topic describes the command that is used to enable or disable IKE.
RouterA(config)# crypto isakmp enable
• Globally enables or disables IKE at your router.
• IKE is enabled by default.
• IKE is enabled globally for all interfaces at the router.
• Use the no form of the command to disable IKE.
• An ACL can be used to block IKE on a particular interface.
The first step in configuring IKE is to enable or disable ISAKMP, thereby enabling or disabling
IKE. ISAKMP, and consequently IKE, is globally enabled and disabled with the crypto
isakmp enable command. ISAKMP is enabled by default. Use the no form of the command to
disable ISAKMP.
Although ISAKMP does not have to be enabled for individual interfaces, it is enabled globally
for all interfaces at the router. You may choose to block ISAKMP access on interfaces that are
not used for IPSec to prevent possible denial of service attacks by using an ACL statement that
blocks UDP port 500 on the interfaces.
Step 2: Create IKE Policies
This topic describes the command that is used to create an IKE policy.
router(config)#
crypto isakmp policy priority
• Defines an IKE policy, which is a set of parameters used during IKE negotiation.
• Invokes the config-isakmp command mode.
RouterA(config)# crypto isakmp policy 110
The next major step in configuring Cisco IOS ISAKMP support is to define a suite of ISAKMP
policies. The goal of defining a suite of IKE policies is to establish ISAKMP peering between
two IPSec endpoints. Use the IKE policy details that you gathered during the planning task.
Use the crypto isakmp policy command to define an IKE policy. IKE policies define a set of
parameters that are used during the IKE negotiation. Use the no form of this command to delete
an IKE policy. The command syntax and parameter definition is shown in the table.
crypto isakmp policy priority

crypto isakmp policy priority Command Parameter
Parameter   Description
priority    Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest.
This command invokes the ISAKMP policy configuration (config-isakmp) command mode.
Note
Assign the most secure policy the lowest priority number so that the most secure policy will find a match before any less-secure policies are tried.
IKE Policy Creation with the crypto isakmp
Command
This topic describes the command that is used to set ISAKMP parameters.
router(config)#
crypto isakmp policy priority
• Defines the parameters within IKE policy 110.
RouterA(config)# crypto isakmp policy 110
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# group 1
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# lifetime 86400
The crypto isakmp policy command invokes the ISAKMP policy configuration command mode (config-isakmp), where you can set ISAKMP parameters. If you do not specify one of these commands for a policy, the default value is used for that parameter. The table lists the keywords available to specify the parameters in the policy while you are in the config-isakmp command mode.
Keywords for ISAKMP Parameters

Parameter        Keyword     Accepted Values             Default Value          Description
Encryption       des         56-bit DES-CBC              des                    Message encryption algorithm.
                 aes         128-bit AES
                 aes 192     192-bit AES
                 aes 256     256-bit AES
Hash             sha         SHA-1 (HMAC variant)        sha                    Message integrity (hash) algorithm.
                 md5         MD5 (HMAC variant)
Authentication   rsa-sig     RSA signatures              rsa-sig                Peer authentication method.
                 rsa-encr    RSA encrypted nonces
                 pre-share   preshared keys
Group            1           768-bit Diffie-Hellman      1                      Key exchange parameters (Diffie-Hellman group identifier).
                 2           1024-bit Diffie-Hellman
Lifetime         seconds     Any number of seconds       86,400 sec (one day)   ISAKMP-established SA lifetime. You can usually leave this value at the default.
exit                                                                            Exits the config-isakmp mode.
Multiple ISAKMP policies can be configured on each peer participating in IPSec. ISAKMP
peers negotiate acceptable ISAKMP policies before agreeing upon the SA to be used for IPSec.
IKE Policy Negotiation
This topic describes the processes and commands in IKE policy negotiation.
• (Figure: the first two policies in each router can be negotiated successfully, while the last one cannot.)
ISAKMP peers negotiate acceptable ISAKMP policies before agreeing upon the SA to be used
for IPSec.
When the ISAKMP negotiation begins in IKE Phase 1 main mode, ISAKMP looks for an
ISAKMP policy that is the same on both peers. The peer that initiates the negotiation sends all
of its policies to the remote peer, and the remote peer tries to find a match with its policies. The
remote peer looks for a match by comparing its own highest priority policy against the policies
it received from the other peer. The remote peer checks each of its policies in order of priority
(highest priority, that is, lowest priority number, first) until a match is found.
A match is made when both policies from the two peers contain the same encryption, hash,
authentication, and Diffie-Hellman parameter values, and when the policy of the remote peer
specifies a lifetime less than or equal to the lifetime of the policy being compared. If the
lifetimes are not identical, the shorter lifetime from the remote peer policy is used. Assign the
most secure policy the lowest priority number so that the most secure policy will find a match
before any less secure policies are tried.
If an acceptable match is not found, ISAKMP refuses negotiation and IPSec is not established.
If a match is found, ISAKMP completes the main mode negotiation, and IPSec SAs are created
during IKE Phase 2 quick mode.
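The matching rule above is easy to get wrong in practice, especially the effect of policy numbering and of the lifetime comparison. The following Python models it; it is an added example, not Cisco code, and it reproduces only the behaviour this page describes. Unset parameters take the IOS defaults from the keyword table, and both peers are given the default protection suite (priority 65535, the one show crypto isakmp policy lists last) unless that is switched off. The ROUTER_A and ROUTER_B_* policy suites are constructed for the illustration.

```python
# IOS defaults for the parameters of a crypto isakmp policy (see the
# "Keywords for ISAKMP Parameters" table); an unset parameter takes these.
IKE_DEFAULTS = {"encryption": "des", "hash": "sha",
                "authentication": "rsa-sig", "group": 1, "lifetime": 86400}
NEGOTIATED = ("encryption", "hash", "authentication", "group")
DEFAULT_SUITE_PRIORITY = 65535   # the "Default protection suite"


def complete(policy):
    """Fill in the IOS defaults, as the router does for parameters you leave out."""
    return {**IKE_DEFAULTS, **policy}


def negotiate_ike_policy(initiator, responder, include_default_suite=True):
    """Model the main-mode policy match described on this page.

    `initiator` and `responder` map priority -> partial policy dict.  The
    initiator sends all of its policies; the responder walks its own list
    highest priority (lowest number) first and accepts the first policy that
    agrees with any proposal on encryption, hash, authentication and
    Diffie-Hellman group, provided the responder's lifetime is no longer than
    the initiator's.  The shorter (responder) lifetime is used.

    Returns (responder_priority, initiator_priority, agreed_policy) or None.
    """
    initiator = dict(initiator)
    responder = dict(responder)
    if include_default_suite:
        # Both peers always carry the default suite as a last resort.
        initiator.setdefault(DEFAULT_SUITE_PRIORITY, {})
        responder.setdefault(DEFAULT_SUITE_PRIORITY, {})
    proposals = [(p, complete(pol)) for p, pol in sorted(initiator.items())]
    for r_prio, r_partial in sorted(responder.items()):
        r_pol = complete(r_partial)
        for i_prio, i_pol in proposals:
            same_suite = all(r_pol[k] == i_pol[k] for k in NEGOTIATED)
            if same_suite and r_pol["lifetime"] <= i_pol["lifetime"]:
                return r_prio, i_prio, dict(r_pol)
    return None


# Constructed peers.  ROUTER_A is the initiator in every call below.
ROUTER_A = {
    100: {"encryption": "aes 256", "hash": "sha", "authentication": "pre-share", "group": 2},
    110: {"encryption": "des", "hash": "md5", "authentication": "pre-share"},  # group/lifetime default
}

# Responder with the stronger policy numbered lower, as the page recommends.
ROUTER_B_GOOD = {
    100: {"encryption": "aes 256", "hash": "sha", "authentication": "pre-share",
          "group": 2, "lifetime": 28800},
    110: {"encryption": "des", "hash": "md5", "authentication": "pre-share"},
}

# Same policies, but the weak one numbered lower: it is tried first and wins.
ROUTER_B_BAD_ORDER = {
    10: {"encryption": "des", "hash": "md5", "authentication": "pre-share"},
    20: {"encryption": "aes 256", "hash": "sha", "authentication": "pre-share", "group": 2},
}

# Responder whose only policy asks for a longer lifetime than the initiator offers.
ROUTER_B_LONG_LIFETIME = {
    100: {"encryption": "aes 256", "hash": "sha", "authentication": "pre-share",
          "group": 2, "lifetime": 172800},
}

if __name__ == "__main__":
    for label, b in [("good", ROUTER_B_GOOD), ("bad order", ROUTER_B_BAD_ORDER),
                     ("long lifetime", ROUTER_B_LONG_LIFETIME)]:
        print(f"{label:14s}", negotiate_ike_policy(ROUTER_A, b))
```

Two points worth checking against your own configuration: with ROUTER_B_BAD_ORDER both routers have an AES policy, yet DES is agreed because the responder tries policy 10 first, which is exactly why the text says to give the most secure policy the lowest number; and with ROUTER_B_LONG_LIFETIME the configured policies fail on the lifetime rule, so the peers fall through to the default suite. That suite authenticates with RSA signatures, so a router without certificates will match it and then fail authentication rather than fall back to the preshared key.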
Step 3: Configure ISAKMP Identity
This topic describes the command that is used to configure the ISAKMP identity.
router(config)#
crypto isakmp identity {address | hostname}
• Defines whether ISAKMP identity is done by IP address or hostname.
• Use consistently across ISAKMP peers.
IPSec peers authenticate each other during ISAKMP negotiations by using the preshared key
and the ISAKMP identity. The identity can either be the IP address or the host name of the
router. Cisco IOS software uses the IP address identity method by default. A command
indicating the address mode does not appear in the router configuration.
If you choose to use the host name identity method, you must specify the method with the
crypto isakmp identity global configuration command. Use the no form of this command to
reset the ISAKMP identity to the default value (address). The command syntax and parameter
definitions are as follows:
crypto isakmp identity {address | hostname}

crypto isakmp identity {address | hostname} Command
Keyword    Description
address    Sets the ISAKMP identity to the IP address of the interface that is used to communicate to the remote peer during ISAKMP negotiations. The keyword is typically used when there is only one interface that will be used by the peer for ISAKMP negotiations, and the IP address is known.
hostname   Sets the ISAKMP identity to the host name concatenated with the domain name (for example, myhost.domain.com). The keyword should be used if there is more than one interface on the peer that might be used for ISAKMP negotiations, or if the interface IP address is unknown (such as with dynamically assigned IP addresses).
If you use the host name identity method, you may need to specify the host name for the remote
peer if a DNS server is not available for name resolution. An example of this follows:
RouterA(config)# ip host RouterB.domain.com 172.30.2.2
Step 4: Configure Preshared Keys
This topic describes the command that is used to configure a preshared authentication key.
router(config)#
crypto isakmp key keystring address peer-address
router(config)#
crypto isakmp key keystring hostname hostname
RouterA(config)# crypto isakmp key cisco1234 address 172.30.2.2
• Assigns a keystring and the peer address.
• The peer IP address or hostname can be used.
Configure a preshared authentication key with the crypto isakmp key global configuration
command. You must configure this key whenever you specify preshared keys in an ISAKMP
policy. Use the no form of this command to delete a preshared authentication key. The
command syntax and parameter definitions are as follows:
crypto isakmp key keystring address peer-address
crypto isakmp key keystring hostname peer-hostname

crypto isakmp key Command Arguments
Argument        Description
keystring       Specify the preshared key. Use any combination of alphanumeric characters up to 128 bytes. This preshared key must be identical at both peers.
peer-address    Specify the IP address of the remote peer.
peer-hostname   Specify the host name of the remote peer. This is the peer host name concatenated with its domain name (for example, myhost.domain.com).
Note
A given preshared key is shared between two peers. At a given peer, you can specify the
same key to share with multiple remote peers; however, a more secure approach is to
specify different keys to share between different pairs of peers.
The following configuration example shows ISAKMP and preshared keys for routerA and
routerB. Note that the keystring of cisco1234 matches. The address identity method is
specified. The ISAKMP policies are compatible. Default values do not have to be configured.
RouterA(config)# crypto isakmp key cisco1234 address 172.30.2.2
RouterA(config)# crypto isakmp policy 110
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# exit
RouterB(config)# crypto isakmp key cisco1234 address 172.30.1.2
RouterB(config)# crypto isakmp policy 110
RouterB(config-isakmp)# hash md5
RouterB(config-isakmp)# authentication pre-share
RouterB(config-isakmp)# exit
Step 5: Verify IKE Configuration
This topic describes the command that is used to verify IKE configuration.
• Displays configured and default IKE policies.
You can use the show crypto isakmp policy command to display configured and default
policies. The resultant ISAKMP policy for routerA is shown in the output here and in the
figure. RouterB configuration is identical.
RouterA# show crypto isakmp policy
Protection suite of priority 110
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Summary
This topic summarizes the key points discussed in this lesson.
• Configuring IKE consists of several essential steps and commands.
• Enable or disable ISAKMP, and therefore IKE, with the crypto isakmp enable command.
• Use the crypto isakmp policy command to define an
IKE policy.
• ISAKMP peers negotiate acceptable ISAKMP
policies before agreeing upon the SA to be used
for IPSec.
• IPSec peers authenticate each other during
ISAKMP negotiations using the preshared key and
the ISAKMP identity.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which command enables IKE?
    A) crypto isakmp enable
    B) crypto isakmp policy
    C) crypto isakmp key
    D) show crypto isakmp policy
Q2) The crypto isakmp enable command is defined on a per-interface basis.
    A) true
    B) false
Q3) Crypto isakmp policies are read in descending order of priority.
    A) true
    B) false
Q4) What types of authentication methods cannot be used by Cisco IOS ISAKMP peers?
    A) token cards
    B) RSA signatures
    C) RSA nonces
    D) preshared keys
Q5) If two identical isakmp policies are not configured on potential IPSec partners, what happens?
    A) The peers negotiate on all other parameters and use the defaults for dissimilar elements.
    B) The peers refuse to negotiate and do not continue building an IPSec tunnel.
    C) The peers build an IPSec tunnel but there is a risk that the traffic will not be encrypted.
    D) The peers are forced to reboot and search their startup configuration.
Q6) If there is no DNS server available in the network, you may NOT use the crypto isakmp identity hostname command.
    A) true
    B) false
Q7) What command is used to identify the preshared key?
    A) crypto isakmp key key address peer-address
    B) crypto isakmp pre-share key address peer-address
    C) crypto ipsec key key address peer-address
    D) crypto ipsec pre-share key address peer-address
Q8) The show crypto isakmp policy command displays all of the information below except _____.
    A) hash algorithm
    B) encryption algorithm
    C) authentication method
    D) interface-type number
Quiz Answer Key
Q1)
A
Relates to: IKE Configuration
Q2)
B
Relates to: Step 1: Enable or Disable IKE
Q3)
B
Relates to: Step 2: Create IKE Policies
Q4)
A
Relates to: IKE Policy Creation with the crypto isakmp Command
Q5)
B
Relates to: IKE Policy Negotiation
Q6)
B
Relates to: Step 3: Configure ISAKMP Identity
Q7)
A
Relates to: Step 4: Configure Preshared Keys
Q8)
D
Relates to: Step 5: Verify IKE Configuration
Task 3: Configuring IPSec
Overview
The next major task in configuring Cisco IOS IPSec is to configure the IPSec parameters that
you previously gathered. This lesson describes the steps that are used to configure IPSec.
Relevance
It is important to understand and properly configure all of the necessary features of IPSec.
Objectives
Upon completing this lesson, you will be able to:
List the steps to configure IPSec encryption on Cisco routers
Describe how to define a transform set when configuring Cisco IOS IPSec
Describe the process of transform set negotiation
Describe how to configure global SAs
Describe how to configure crypto ACLs
Describe the process of using crypto ACLs to identify traffic flows that need to be
protected
Describe how to configure symmetric crypto ACLs for use by IPSec
Define the purpose of crypto maps, examining the crypto map command and example
crypto maps
Describe the use of crypto maps and their parameters
Provide an example of the use of IPSec on two routers
Provide an example of configuring IPSec to apply the crypto map set to an interface
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
IPSec Configuration
Step 1: Configure Transform Set Suites
Transform Set Negotiation
Step 2: Configure Global IPSec Security Association Lifetimes
Crypto Access Lists Functionality
Step 3: Create Crypto ACLs Using Extended Access Lists
Symmetric Peer Crypto Access Lists Configuration
Crypto Maps Functionality
Crypto Map Parameters
Step 4: Configure IPSec Crypto Maps
Crypto Map Commands Example
Step 5: Apply Crypto Maps to Interfaces
IPSec Configuration Examples
Summary
Quiz
IPSec Configuration
This topic describes the steps that are used to configure IPSec encryption on Cisco routers.
Task 3—Configure IPSec
Step 1—Configure transform set suites: crypto ipsec transform-set
Step 2—Configure global IPSec SA lifetimes: crypto ipsec security-association lifetime
Step 3—Create crypto ACLs using extended access lists: access-list
Step 4—Configure IPSec crypto maps: crypto map
Step 5—Apply crypto maps to interfaces: crypto map map-name
Configuring IPSec consists of these essential steps and commands:
Step 1
Configure transform set suites with the crypto ipsec transform-set command.
Step 2
If it is necessary to change the default, configure global IPSec security association
lifetimes with the crypto ipsec security-association lifetime command.
Step 3
Configure crypto ACLs with the access-list command.
Step 4
Configure crypto maps with the crypto map command.
Step 5
Apply the crypto maps to the terminating or originating interface with the interface
and crypto map commands.
Step 1: Configure Transform Set Suites
This topic describes the first major step in configuring Cisco IOS IPSec, using the IPSec
security policy to define a transform set.
router(config)#
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
router(cfg-crypto-trans)#
RouterA(config)# crypto ipsec transform-set mine esp-des
• A transform set is a combination of IPSec transforms that enact a security policy for traffic.
• Sets are limited to up to one AH and up to two ESP transforms.
A transform set is a combination of individual IPSec transforms that are designed to enact a
specific security policy for traffic. During the ISAKMP IPSec SA negotiation that occurs in
IKE Phase 2 quick mode, the peers agree to use a particular transform set for protecting a
particular data flow. Transform sets combine these IPSec factors:
Mechanism for payload authentication: AH transform
Mechanism for payload encryption: ESP transform
IPSec mode (transport versus tunnel)
Transform sets equal a combination of an AH transform, an ESP transform, and the IPSec
mode (either tunnel or transport mode). Transform sets are limited to one AH transform and
one or two ESP transforms. Define a transform set with the crypto ipsec transform-set global
configuration command. To delete a transform set, use the no form of the command. The
command syntax and parameter definitions are as follows:
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
crypto ipsec transform-set Command Parameters
Parameter                            Description
transform-set-name                   Specifies the name of the transform set to create (or modify).
transform1, transform2, transform3   Specifies up to three transforms. These transforms define the IPSec security protocol(s) and algorithm(s).
The command invokes the crypto-transform configuration mode.
You can configure multiple transform sets and then specify one or more of the transform sets in
a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec SA
negotiation to protect the data flows specified by the ACL of that crypto map entry. During the
negotiation, the peers search for a transform set that is the same at both peers. When such a
transform set is found, it is selected and applied to the protected traffic as part of the IPSec SAs
of both peers.
When ISAKMP is not used to establish SAs, a single transform set must be used. The transform
set is not negotiated.
Edit Transform Sets
Use these steps if you must edit a transform set:
Step 1
Delete the transform set from the crypto map.
Step 2
Delete the transform set from global configuration.
Step 3
Reenter the transform set with corrections.
Step 4
Assign the transform set to a crypto map.
Step 5
Clear the SA database.
Step 6
Observe the SA negotiation and ensure that it works properly.
Transform Set Negotiation
This topic describes the process of transform set negotiation.
• Transform sets are negotiated during IKE Phase 2.
Transform sets are negotiated during quick mode in IKE Phase 2 using the transform sets that
you previously configured. You can configure multiple transform sets and then specify one or
more of the transform sets in a crypto map entry. Configure the transforms from most to least
secure, according to your policy. The transform set defined in the crypto map entry is used in
the IPSec SA negotiation to protect the data flows that are specified by the ACL of that crypto
map entry.
During the negotiation, the peers search for a transform set that is the same at both peers, as
illustrated in the figure. Each of the RouterA transform sets is compared against each of the
RouterB transform sets in succession. RouterA transform sets 10, 20, and 30 are first compared
with RouterB transform set 40, with no match. All of the RouterA transform sets are then
compared against the remaining RouterB transform sets. Finally, RouterA transform set 30
matches RouterB transform set 60. When such a match is found, that transform set is selected
and applied to the protected traffic as part of the IPSec SAs of both peers. IPSec peers agree on
one unidirectional transform proposal per SA.
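The search described above, as an added example that is not part of the course material: a small simulation of the quick mode transform-set comparison. The set names (set10 through set60) and their contents are constructed; only RouterA set30 and RouterB set60 are identical, so the search ends there, as in the figure.

```python
# Added example (not from the BCRAN course): a simulation of the transform-set
# search described above. Set names and contents are constructed.
from typing import List, Optional, Tuple

TransformSet = Tuple[str, frozenset]   # (name, set of transforms)

# Each crypto map entry lists its transform sets from most to least secure.
# Only set30 and set60 contain exactly the same transforms.
ROUTER_A: List[TransformSet] = [
    ("set10", frozenset({"esp-3des", "esp-sha-hmac"})),
    ("set20", frozenset({"esp-3des", "esp-md5-hmac"})),
    ("set30", frozenset({"esp-des", "esp-md5-hmac"})),
]
ROUTER_B: List[TransformSet] = [
    ("set40", frozenset({"ah-sha-hmac", "esp-3des"})),
    ("set50", frozenset({"esp-des", "esp-sha-hmac"})),
    ("set60", frozenset({"esp-des", "esp-md5-hmac"})),
]


def negotiate(router_a: List[TransformSet], router_b: List[TransformSet],
              log: Optional[List[Tuple[str, str]]] = None) -> Optional[Tuple[str, str]]:
    """Search for a transform set that is the same at both peers.

    Mirrors the figure: every RouterA set is compared against RouterB's first
    set, then against its second, and so on. The first identical pair is
    selected for the IPSec SAs. Returns None when nothing matches, in which
    case quick mode fails and no IPSec SA is built. `log`, when given,
    receives every comparison made, in order.
    """
    for b_name, b_set in router_b:
        for a_name, a_set in router_a:
            if log is not None:
                log.append((a_name, b_name))
            if a_set == b_set:
                return a_name, b_name
    return None


def manual_transform_set(sets: List[TransformSet]) -> TransformSet:
    """Without ISAKMP nothing is negotiated: exactly one set must be configured."""
    if len(sets) != 1:
        raise ValueError("ipsec-manual crypto map entries take exactly one transform set")
    return sets[0]


if __name__ == "__main__":
    trace: List[Tuple[str, str]] = []
    print(negotiate(ROUTER_A, ROUTER_B, trace))   # ('set30', 'set60')
    print(len(trace), "comparisons")              # 9 comparisons
```

Because the sets are ordered most to least secure on both sides, the first match found is also the strongest protection both peers are willing to use; the nine recorded comparisons show why a long list of proposals costs little but a missing common set costs the whole SA.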
Step 2: Configure Global IPSec Security
Association Lifetimes
This topic describes how to configure global SAs. Both global and interface-specific SA
lifetimes can be created.
Step 2—Configure Global
IPSec Security Association Lifetimes
router(config)#
crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
RouterA(config)# crypto ipsec security-association lifetime seconds 86400
• Configures global IPSec SA lifetime values used when negotiating IPSec
security associations.
• IPSec SA lifetimes are negotiated during IKE Phase 2.
• Can optionally configure interface-specific IPSec SA lifetimes in
crypto maps.
• IPSec SA lifetimes in crypto maps override global IPSec SA lifetimes.
The IPSec SA lifetime determines how long IPSec SAs remain valid before they are
renegotiated. Cisco IOS software supports a global lifetime value that applies to all crypto
maps. The global lifetime value can be overridden with a crypto map entry. You can change
global IPSec SA lifetime values using the crypto ipsec security-association lifetime global
configuration command. To reset a lifetime to the default value, use the no form of the
command. The command syntax and parameter definitions are as follows:
crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
crypto ipsec security-association lifetime Command
Command
Description
seconds seconds
Specifies the number of seconds a security association will live
before expiring. The default is 3600 sec (one hour).
kilobytes kilobytes
Specifies the volume of traffic (in kilobytes) that can pass
between IPSec peers using a given SA before that SA expires.
The default is 4,608,000 KB.
Cisco recommends that you use the default lifetime values. Individual IPSec SA lifetimes can
be configured using crypto maps, which are covered later in this lesson.
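How the global and per-crypto-map lifetimes combine, and when an SA has to be renegotiated, as an added example that is not Cisco code. The defaults are the ones stated above (3600 seconds, 4,608,000 KB); that quick mode settles on the shorter of the two peers' proposals is the behaviour modelled here, not something the lesson spells out.

```python
# Added example, not Cisco code: global vs. crypto-map SA lifetimes and the
# point at which an SA expires. Values are the lesson's defaults.
from dataclasses import dataclass
from typing import Optional

DEFAULT_SECONDS = 3600          # one hour
DEFAULT_KILOBYTES = 4_608_000   # 4,608,000 KB


@dataclass(frozen=True)
class Lifetime:
    seconds: Optional[int] = None      # None = not configured at this level
    kilobytes: Optional[int] = None


GLOBAL_DEFAULT = Lifetime(DEFAULT_SECONDS, DEFAULT_KILOBYTES)


def global_lifetime(seconds: Optional[int] = None,
                    kilobytes: Optional[int] = None) -> Lifetime:
    """'crypto ipsec security-association lifetime {seconds s | kilobytes kb}'.
    A value never set, or reset with the 'no' form, is the Cisco default."""
    return Lifetime(seconds if seconds is not None else DEFAULT_SECONDS,
                    kilobytes if kilobytes is not None else DEFAULT_KILOBYTES)


def effective_lifetime(global_lt: Lifetime, map_lt: Optional[Lifetime] = None) -> Lifetime:
    """A 'set security-association lifetime' in the crypto map entry overrides
    the global value, one parameter at a time."""
    if map_lt is None:
        return global_lt
    return Lifetime(
        map_lt.seconds if map_lt.seconds is not None else global_lt.seconds,
        map_lt.kilobytes if map_lt.kilobytes is not None else global_lt.kilobytes,
    )


def negotiated_lifetime(local: Lifetime, peer: Lifetime) -> Lifetime:
    """Modelled behaviour: quick mode settles on the shorter of the two
    proposals. Both inputs must already be fully resolved."""
    return Lifetime(min(local.seconds, peer.seconds),
                    min(local.kilobytes, peer.kilobytes))


def must_rekey(age_seconds: int, kilobytes_passed: int, lt: Lifetime) -> bool:
    """An SA expires when either limit is reached, whichever comes first;
    the traffic limit bounds how much data one key ever protects."""
    return age_seconds >= lt.seconds or kilobytes_passed >= lt.kilobytes
```

The per-parameter override matters in practice: a crypto map entry that only sets `seconds` still inherits the global kilobyte limit, so a busy tunnel can rekey on volume well before the configured time is up.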
Crypto Access Lists Functionality
This topic describes the purpose of crypto ACLs. Crypto ACLs are used to define which IP
traffic is or is not protected by IPSec.
Purpose of Crypto Access Lists
• Outbound indicates the data flow to be protected by IPSec.
• Inbound filters out and discards traffic that should have been
protected by IPSec.
Crypto ACLs perform these functions:
Outbound: Selects outbound traffic to be protected by IPSec. Traffic not selected is sent in
clear text.
Inbound: If desired, inbound access lists can be created to filter and discard traffic that
should have been protected by IPSec.
Step 3: Create Crypto ACLs Using Extended
Access Lists
This topic describes the process of using crypto ACLs to identify traffic flows that must be
protected.
Step 3—Create Crypto ACLs using
Extended Access Lists
• Define which IP traffic will be protected by crypto.
• Permit = encrypt / Deny = do not encrypt.
The crypto ACLs identify the traffic flows that should be protected. Extended IP ACLs select
IP traffic to encrypt by using protocol, IP address, network, subnet, and port. Although the
ACL syntax is unchanged from extended IP ACLs, the meanings are slightly different for
crypto ACLs. That is, permit specifies that matching packets must be encrypted and deny
specifies that matching packets must not be encrypted. Crypto ACLs behave similarly to an
extended IP ACL that is applied to outbound traffic on an interface.
The command syntax and parameter definitions for the basic form of extended IP access lists
are as follows:
access-list access-list-number {permit | deny} protocol source source-wildcard destination
destination-wildcard [precedence precedence] [tos tos] [log]
access-list access-list-number Command
Command
Description
permit
Causes all IP traffic that matches the specified conditions to be
protected by crypto, using the policy described by the
corresponding crypto map entry.
deny
Instructs the router to route traffic in the clear.
source and destination
These are networks, subnets, or hosts.
Note
Although the ACL syntax is unchanged, the meanings are slightly different for crypto ACLs.
That is, permit specifies that matching packets must be encrypted and deny specifies that
matching packets must not be encrypted.
Any unprotected inbound traffic that matches a permit entry in the crypto ACL for a crypto
map entry that is flagged as IPSec will be dropped. This drop occurs because this traffic was
expected to be protected by IPSec.
If you want certain traffic to receive one combination of IPSec protection (authentication only)
and other traffic to receive a different combination (both authentication and encryption), create
two different crypto ACLs to define the two different types of traffic. These different ACLs are
then used in different crypto map entries that specify different IPSec policies.
Warning
Cisco recommends that you avoid using the any keyword to specify source or destination
addresses. The permit any any statement is strongly discouraged because this will cause
all outbound traffic to be protected and all protected traffic to be sent to the peer that is
specified in the corresponding crypto map entry. Then, all inbound packets that lack IPSec
protection will be silently dropped, including packets for routing protocols, NTP, echo, echo
response, and so on.
Try to be as restrictive as possible when defining which packets to protect in a crypto ACL. If
you must use the any keyword in a permit statement, you must preface that statement with a
series of deny statements to filter out any traffic (that would otherwise fall within that permit
statement) that you do not want to be protected.
Later in Step 4, you will associate a crypto ACL to a crypto map, which in turn is assigned to a
specific interface.
Symmetric Peer Crypto Access Lists
Configuration
This topic describes how to configure symmetric crypto ACLs for use by IPSec.
Configure Symmetric Peer Crypto
Access Lists
• You must configure mirror image ACLs.
You must configure symmetric crypto ACLs for use by IPSec. Both inbound and outbound
traffic are evaluated against the same outbound IPSec ACL. The ACL criteria are applied in the
forward direction to traffic exiting your router, and the reverse direction to traffic entering your
router. When a router receives encrypted packets back from an IPSec peer, it uses the same
ACL to determine which inbound packets to decrypt by viewing the source and destination
addresses in the ACL in reverse order.
The example shown in the figure illustrates why symmetric ACLs are recommended. For site 1,
IPSec protection is applied to traffic between hosts on the 10.0.1.0 network as the data exits the
RouterA 0 interface enroute to site 2 hosts on the 10.0.2.0 network. For traffic from site 1 hosts
on the 10.0.1.0 network to site 2 hosts on the 10.0.2.0 network, the ACL entry on RouterA is
evaluated as follows:
source = hosts on 10.0.1.0 network
destination = hosts on 10.0.2.0 network
For incoming traffic from site 2 hosts on the 10.0.2.0 network to site 1 hosts on the 10.0.1.0
network, that same ACL entry on RouterA is evaluated as follows:
source = hosts on 10.0.2.0 network
destination = hosts on 10.0.1.0 network
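The crypto ACL rules from Step 3 and the reverse-direction evaluation just described, as one added example that is not Cisco code. It parses numbered extended ACL lines, returns what happens to an outbound packet (protect or send in the clear), to an inbound packet (decrypt, drop because it arrived unprotected, or pass in the clear), builds the mirror-image ACL a peer must carry, and flags a `permit ... any any` entry. The ACL lines follow the lesson's RouterA and RouterB addressing; the packets are constructed. Only protocol and addresses are matched; port, precedence and tos tokens are ignored.

```python
# Added example, not Cisco code: crypto ACL semantics (permit = protect,
# deny = clear, reverse match on inbound, mirror image on the peer).
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Entry:
    action: str      # "permit" or "deny"
    protocol: str    # "ip" matches every protocol
    src: Net
    dst: Net


def _parse_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse 'any' | 'host A' | 'A wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return Net(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a contiguous wildcard (hostmask) such as 0.0.0.255
    return Net((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_acl(lines: Iterable[str], number: int) -> List[Entry]:
    """Collect the entries of one numbered extended ACL, in configured order.
    Trailing tokens (ports, precedence, tos, log) are not interpreted."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != str(number):
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append(Entry(t[2], t[3], src, dst))
    return entries


def _hit(e: Entry, proto: str, s, d) -> bool:
    return e.protocol in ("ip", proto) and s in e.src and d in e.dst


def outbound(acl: List[Entry], proto: str, src: str, dst: str) -> str:
    """'protect' on a permit match; 'clear' on a deny match or no match
    (the implicit deny: traffic not selected is sent unencrypted)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if _hit(e, proto, s, d):
            return "protect" if e.action == "permit" else "clear"
    return "clear"


def inbound(acl: List[Entry], proto: str, src: str, dst: str, protected: bool) -> str:
    """The same ACL is read with source and destination reversed. A permit
    match means the packet was expected under IPSec: decrypt it if it
    arrived protected, drop it if it arrived in the clear."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if _hit(e, proto, d, s):          # reverse direction
            if e.action != "permit":
                return "clear"
            return "decrypt" if protected else "drop"
    return "clear"


def mirror(acl: List[Entry]) -> List[Entry]:
    """The peer's crypto ACL must be this ACL with src and dst swapped."""
    return [Entry(e.action, e.protocol, e.dst, e.src) for e in acl]


def permits_any_any(acl: List[Entry]) -> bool:
    """The entry the lesson warns against: every unprotected inbound packet,
    routing protocols and NTP included, would be dropped."""
    return any(e.action == "permit" and e.src.prefixlen == 0 and e.dst.prefixlen == 0
               for e in acl)


# Constructed input, following the lesson's RouterA / RouterB example.
ROUTER_A_ACL = [
    "access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255",
    "access-list 110 deny ip any any",
]
ROUTER_B_ACL = [
    "access-list 110 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255",
    "access-list 110 deny ip any any",
]
```

`mirror(parse_acl(ROUTER_A_ACL, 110)) == parse_acl(ROUTER_B_ACL, 110)` is the check to run whenever either site's ACL is edited; an entry present on one side only leaves traffic protected in one direction and dropped as "expected under IPSec" in the other.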
Crypto Maps Functionality
This topic describes the purpose of crypto maps. It also examines the crypto map command
and considers example crypto maps. Crypto map entries must be created for IPSec to set up
SAs for traffic flows that must be encrypted.
Purpose of Crypto Maps
Crypto maps pull together the various parts
configured for IPSec, including:
• The traffic to be protected by IPSec and a set of SAs
• The local address to be used for the IPSec traffic
• The destination location of IPSec-protected traffic
• The IPSec type to be applied to this traffic
• The method of establishing SAs (manually or via RSA)
• Other parameters needed to define an IPSec SA
Crypto map entries that are created for IPSec set up SA parameters, thus tying together the
various parts that are configured for IPSec, including:
The traffic to be protected by IPSec and a set of SAs (crypto ACL): The access list
defines the address, protocol, and port information for traffic that will be encrypted.
The local address to be used for the IPSec traffic: The source address specified by the
access list and the crypto map peer define the local address for IPSec traffic.
The destination location of IPSec-protected traffic: The destination specified by the
access list defines the identity of the remote IPSec peer.
The type of IPSec security applied to this traffic: The transform set applies the method of
encryption and authentication.
The method of SA establishment: This establishment may be completed manually
(preshared) or through RSA.
Other: Other parameters that might be necessary to define an IPSec SA.
Crypto Map Parameters
This topic describes the use of crypto maps and their parameters.
Crypto Map Parameters
Crypto maps define the following:
• The access list to be used
• Remote VPN peers
• Transform set to be used
• Key management method
• Security association lifetimes
You can apply only one crypto map set to a single interface. The crypto map set can include a
combination of Cisco Encryption Technology (CET) and IPSec using IKE. Multiple interfaces
can share the same crypto map set if you want to apply the same policy to multiple interfaces. If
you create more than one crypto map entry for a given interface, use the sequence number
(seq-num) of each map entry to rank the map entries; the lower the seq-num, the higher the
priority. At the interface that has the crypto map set, traffic is evaluated against higher priority
map entries first.
You must create multiple crypto map entries for a given interface if any of these conditions
exist:
If different data flows are to be handled by separate IPSec peers.
If you want to apply different IPSec security to different types of traffic (to the same or
separate IPSec peers); for example, if you want traffic between one set of subnets to be
authenticated, and traffic between another set of subnets to be both authenticated and
encrypted. In this case, the different types of traffic should be defined in two separate
ACLs, and you must create a separate crypto map entry for each crypto ACL.
If you are not using IKE to establish a particular set of security associations, and you want
to specify multiple ACL entries, you must create separate ACLs (one per permit entry) and
specify a separate crypto map entry for each ACL.
Step 4: Configure IPSec Crypto Maps
This topic describes the use of the IPSec crypto map command.
Step 4—Configure IPSec Crypto Maps
router(config)#
crypto map map-name seq-num ipsec-manual
crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]
RouterA(config)# crypto map mymap 110 ipsec-isakmp
• Use a different sequence number for each peer.
• Multiple peers can be specified in a single crypto map for redundancy.
• Use one crypto map per interface.
You must use the crypto map global configuration command to create or modify a crypto map
entry and enter the crypto map configuration mode. Set the crypto map entries that reference
dynamic maps to the lowest priority in a crypto map set (that is, they should have the highest
sequence numbers). Use the no form of this command to delete a crypto map entry or set. The
command syntax and parameter definitions are as follows:
crypto map map-name seq-num cisco
crypto map map-name seq-num ipsec-manual
crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]
no crypto map map-name [seq-num]
crypto map map-name seq-num Command
Command
Description
cisco
(Default value) Indicates that CET will be used instead of IPSec
for protecting the traffic specified by this newly specified crypto
map entry.
map-name
The name you assign to the crypto map set.
seq-num
The number you assign to the crypto map entry.
ipsec-manual
Indicates that ISAKMP will not be used to establish the IPSec
SAs for protecting the traffic specified by this crypto map entry.
ipsec-isakmp
Indicates that ISAKMP will be used to establish the IPSec SAs for
protecting the traffic specified by this crypto map entry.
dynamic
(Optional) Specifies that this crypto map entry references a
preexisting static crypto map. If you use this keyword, none of the
crypto map configuration commands are available.
dynamic-map-name
(Optional) Specifies the name of the dynamic crypto map set that
should be used as the policy template.
When you enter the config-crypto-map command, you invoke the crypto map configuration
mode with the following available commands:
router(config-crypto-map)# help
  match address [access-list-id | name]
  peer [hostname | ip-address]
  transform-set [set_name(s)]
  security-association [inbound|outbound]
  set
  no
  exit
Crypto Map Commands Example
This topic illustrates an example of a crypto map.
Example Crypto Map Commands
• Multiple peers can be specified for redundancy.
The figure illustrates a crypto map with two peers specified for redundancy. If the first peer
cannot be contacted, the second peer is used. There is no limit to the number of redundant peers
that can be configured.
The crypto map command is used in crypto map configuration mode with the commands
shown in the following table.
config-crypto-map Command
Command
Description
set
Used with the peer, pfs, transform-set, and security-association commands.
peer [hostname | ip-address]
Specifies the allowed IPSec peer by IP address or hostname.
pfs [group1 | group2]
Specifies Diffie-Hellman Group 1 or Group 2.
transform-set [set_name(s)]
Specifies the list of transform sets in priority order. For an ipsec-manual crypto map, you can specify only one transform set. For
an ipsec-isakmp or dynamic crypto map entry, you can specify
up to six transform sets.
security-association lifetime
Sets security association lifetime parameters in seconds or
kilobytes.
match address [access-list-id | name]
Identifies the extended ACL by its name or number. The value
should match the access-list-number or name argument of a
previously defined IP-extended ACL being matched.
no
Used to delete commands entered with the set command.
exit
Exits crypto map configuration mode.
After you define crypto map entries, you can assign the crypto map set to interfaces using the
crypto map interface configuration command.
Note
ACLs for crypto map entries tagged as ipsec-manual are restricted to a single permit entry,
and subsequent entries are ignored. The SAs established by that particular crypto map entry
are for a single data flow only. To be able to support multiple manually established SAs for
different kinds of traffic, you must define multiple crypto ACLs and then apply each one to a
separate ipsec-manual crypto map entry. Each ACL should include one permit statement
that defines the traffic that it must protect.
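The crypto map set rules from the Crypto Map Parameters topic and from Step 4 (seq-num priority, one entry per peer or policy, dynamic entries last, redundant peers, the single-permit restriction for ipsec-manual entries) as an added example that is not Cisco code. The entries are constructed around the lesson's mymap: entry 10 protects 10.0.1.0/24 to 10.0.2.0/24 with two redundant peers (172.30.2.2 from the lesson, 172.30.2.3 invented here), entry 20 and the 10.0.3.0/24 network are invented, and entry 65535 is a dynamic template. A deny in an entry's crypto ACL is modelled as "not selected by this entry, continue with the next one".

```python
# Added example, not Cisco code: evaluation of a crypto map set at an
# interface, plus checks for the configuration rules stated in the lesson.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Net = ipaddress.IPv4Network


@dataclass
class CryptoMapEntry:
    seq: int
    mode: str                          # "ipsec-isakmp", "ipsec-manual" or "dynamic"
    acl: List[Tuple[str, str, str]]    # (permit|deny, src CIDR, dst CIDR): the entry's crypto ACL
    peers: List[str] = field(default_factory=list)            # 'set peer', configured order
    transform_sets: List[str] = field(default_factory=list)   # 'set transform-set', priority order


# Constructed crypto map set "mymap"; 172.30.2.3, 172.30.3.2 and 10.0.3.0/24 are invented.
MYMAP = [
    CryptoMapEntry(10, "ipsec-isakmp", [("permit", "10.0.1.0/24", "10.0.2.0/24")],
                   ["172.30.2.2", "172.30.2.3"], ["mine"]),
    CryptoMapEntry(20, "ipsec-isakmp", [("deny", "10.0.1.0/24", "10.0.3.10/32"),
                                        ("permit", "10.0.1.0/24", "10.0.3.0/24")],
                   ["172.30.3.2"], ["mine"]),
    CryptoMapEntry(65535, "dynamic", []),   # template, filled in when a remote peer initiates
]


def validate(crypto_map: List[CryptoMapEntry]) -> List[str]:
    """Rules stated in the lesson; returns the violations found (empty = ok)."""
    problems = []
    seqs = [e.seq for e in crypto_map]
    if len(seqs) != len(set(seqs)):
        problems.append("duplicate seq-num in crypto map set")
    static_max = max((e.seq for e in crypto_map if e.mode != "dynamic"), default=0)
    for e in crypto_map:
        permits = sum(1 for action, _, _ in e.acl if action == "permit")
        if e.mode == "ipsec-manual" and permits > 1:
            problems.append(f"seq {e.seq}: ipsec-manual honours a single permit entry")
        if e.mode == "ipsec-manual" and len(e.transform_sets) != 1:
            problems.append(f"seq {e.seq}: ipsec-manual needs exactly one transform set")
        if e.mode != "ipsec-manual" and len(e.transform_sets) > 6:
            problems.append(f"seq {e.seq}: at most six transform sets")
        if e.mode == "dynamic" and e.seq < static_max:
            problems.append(f"seq {e.seq}: dynamic entries must have the highest seq-num")
    return problems


def select_entry(crypto_map: List[CryptoMapEntry], src: str, dst: str) -> Optional[CryptoMapEntry]:
    """First static entry, lowest seq-num first, whose crypto ACL permits the
    flow. Dynamic entries select no traffic of their own here, because they
    only become concrete when a remote peer initiates to this router."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if entry.mode == "dynamic":
            continue
        for action, src_net, dst_net in entry.acl:
            if s in Net(src_net) and d in Net(dst_net):
                if action == "permit":
                    return entry
                break            # deny: not selected by this entry, try the next
    return None                  # no entry selects it: sent in the clear


def choose_peer(entry: CryptoMapEntry, reachable: Set[str]) -> Optional[str]:
    """Redundant peers are tried in the order they were configured."""
    return next((p for p in entry.peers if p in reachable), None)
```

Running `validate` against a map set before `clear crypto sa` is a cheap way to catch the two mistakes that fail silently on the box: a dynamic entry with a low sequence number that shadows the static entries, and an ipsec-manual entry whose second permit line is simply ignored.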
Step 5: Apply Crypto Maps to Interfaces
This topic describes the last step in configuring IPSec, which is to apply the crypto map set to
an interface.
Step 5—Applying Crypto Maps to Interfaces
router(config-if)#
crypto map map-name
RouterA(config)# interface ethernet0/1
RouterA(config-if)# crypto map mymap
• Apply the crypto map to outgoing interface
• Activates the IPSec policy
Apply the crypto map to the interface of the IPSec router connected to the Internet with the
crypto map command in interface configuration mode. Use the no form of the command to
remove the crypto map set from the interface. The command syntax and parameter definition
are as follows:
crypto map map-name
crypto map map-name Command
Command
Description
map-name
This is the name that identifies the crypto map set, and is the
name assigned when the crypto map is created.
IPSec Configuration Examples
This topic illustrates an IPSec configuration example for two routers.
Consider the configuration example for RouterA and RouterB in the figure and as follows.
Note
The output below shows more complete commands relating to what has been covered so far in
this lesson.
RouterA# show running-config
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key cisco1234 address 172.30.2.2
!
crypto ipsec transform-set mine esp-des
!
crypto map mymap 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set mine
 match address 110
!
interface Ethernet0/1
 ip address 172.30.1.2 255.255.255.0
 ip access-group 101 in
 crypto map mymap
!
access-list 101 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 101 permit esp host 172.30.2.2 host 172.30.1.2
access-list 101 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 110 deny ip any any

RouterB# show running-config
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key cisco1234 address 172.30.1.2
!
crypto ipsec transform-set mine esp-des
!
crypto map mymap 10 ipsec-isakmp
 set peer 172.30.1.2
 set transform-set mine
 match address 110
!
interface Ethernet0/1
 ip address 172.30.2.2 255.255.255.0
 ip access-group 101 in
 crypto map mymap
!
access-list 101 permit ahp host 172.30.1.2 host 172.30.2.2
access-list 101 permit esp host 172.30.1.2 host 172.30.2.2
access-list 101 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
access-list 110 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 deny ip any any
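A consistency check over the two running configurations above, as an added example that is not Cisco code. It extracts the values that have to agree between the peers (interface address, pre-shared key and the address it is bound to, `set peer`, the transform set and its definition, the crypto ACL as a mirror image, and the inbound ACL that admits AH, ESP and ISAKMP from the peer) and reports anything that does not line up. RouterA's configuration is the lesson's, typed in as a string; RouterB's is derived from it by swapping the two addresses and the two subnets, which reproduces the lesson's RouterB configuration.

```python
# Added example, not Cisco code: cross-check a pair of IPSec peer configs.
import re
from typing import Dict, List

ROUTER_A_CONFIG = """\
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key cisco1234 address 172.30.2.2
!
crypto ipsec transform-set mine esp-des
!
crypto map mymap 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set mine
 match address 110
!
interface Ethernet0/1
 ip address 172.30.1.2 255.255.255.0
 ip access-group 101 in
 crypto map mymap
!
access-list 101 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 101 permit esp host 172.30.2.2 host 172.30.1.2
access-list 101 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 110 deny ip any any
"""


def _swap(text: str, x: str, y: str) -> str:
    """Exchange every x with y and every y with x."""
    return text.replace(x, "\0").replace(y, x).replace("\0", y)


# RouterB is RouterA's mirror image, exactly as in the lesson.
ROUTER_B_CONFIG = _swap(_swap(ROUTER_A_CONFIG, "172.30.1.2", "172.30.2.2"), "10.0.1.0", "10.0.2.0")


def summarize(config: str) -> Dict[str, object]:
    """Pull the peer-facing parameters out of a running-config."""
    def one(pattern: str):
        m = re.search(pattern, config, re.M)
        return m.group(1) if m else None
    key = re.search(r"^crypto isakmp key (\S+) address (\S+)", config, re.M)
    return {
        "local": one(r"^ ip address (\S+) "),
        "key": key.group(1) if key else None,
        "key_address": key.group(2) if key else None,
        "peer": one(r"^ set peer (\S+)"),
        "transform_set": one(r"^ set transform-set (\S+)"),
        "defined_sets": dict(re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)),
        "crypto_acl": one(r"^ match address (\d+)"),
        "inbound_acl": one(r"^ ip access-group (\d+) in"),
        "acl": re.findall(r"^access-list (\d+) (permit|deny) (\S+) (.+)$", config, re.M),
    }


def _mirror(rest: str) -> str:
    """Swap the source and destination tokens of an ACL entry."""
    t = rest.split()
    if len(t) == 4:                       # 'src wild dst wild' or 'host A host B'
        return " ".join(t[2:] + t[:2])
    if len(t) == 2:                       # 'any any'
        return " ".join(reversed(t))
    return rest                           # other shapes left as-is


def cross_check(cfg_a: str, cfg_b: str) -> List[str]:
    """Return the mismatches between two peers' configurations (empty = consistent)."""
    a, b = summarize(cfg_a), summarize(cfg_b)
    findings = []
    for me, other, tag in ((a, b, "RouterA"), (b, a, "RouterB")):
        if me["peer"] != other["local"]:
            findings.append(f"{tag}: set peer {me['peer']} is not the peer interface {other['local']}")
        if me["key_address"] != other["local"]:
            findings.append(f"{tag}: isakmp key bound to {me['key_address']}, peer is {other['local']}")
        if me["transform_set"] not in me["defined_sets"]:
            findings.append(f"{tag}: transform set {me['transform_set']} is not defined")
        for proto, suffix in (("ahp", ""), ("esp", ""), ("udp", " eq isakmp")):
            rule = (me["inbound_acl"], "permit", proto, f"host {other['local']} host {me['local']}{suffix}")
            if rule not in me["acl"]:
                findings.append(f"{tag}: ACL {me['inbound_acl']} does not admit {proto} from {other['local']}")
    if a["key"] != b["key"]:
        findings.append("pre-shared keys differ")
    if a["defined_sets"].get(a["transform_set"]) != b["defined_sets"].get(b["transform_set"]):
        findings.append("transform sets differ between peers")
    lines_a = {(r[1], r[2], _mirror(r[3])) for r in a["acl"] if r[0] == a["crypto_acl"]}
    lines_b = {(r[1], r[2], r[3]) for r in b["acl"] if r[0] == b["crypto_acl"]}
    if lines_a != lines_b:
        findings.append("crypto ACLs are not mirror images")
    return findings
```

The inbound ACL check is the one most often forgotten: with `ip access-group 101 in` on the crypto interface, dropping the `esp` or `udp ... eq isakmp` line blocks the tunnel itself, and the symptom is an ISAKMP SA that never leaves main mode rather than an obvious error.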
Summary
This topic summarizes the key points discussed in this lesson.
• Configure transform set suites with the crypto ipsec
transform-set command.
• Configure global IPSec security association
lifetimes with the crypto ipsec security-association
lifetime command.
• Configure crypto ACLs with the access-list
command.
• Configure crypto maps with the crypto map
command.
• Apply the crypto maps to the terminating and
originating interface with the interface and crypto
map commands.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Configuring IPSec requires the user to create an IPSec list in place of an access list.
    A) true
    B) false
Q2) A router must have only one transform set in its running configuration in order for
    IPSec to function properly.
    A) true
    B) false
Q3) When are transform sets negotiated?
    A) on the initial router configuration
    B) during IKE Phase 1
    C) during IKE Phase 2
    D) transform sets do not need to be negotiated
Q4) Crypto SA lifetimes may be configured either globally, or per SA.
    A) true
    B) false
Q5) What is the function of a crypto ACL?
    A) defines the source IP address of the IPSec traffic
    B) defines the destination IP address of the IPSec traffic
    C) provides protocol information for traffic that will be encrypted
    D) all of the above
Q6) The crypto access list takes the exact same form as an extended access list.
    A) true
    B) false
Q7) Which statement correctly describes access lists that are used to define IPSec peers on
    routers sending and receiving to each other?
    A) They must be identical.
    B) They must be identical, but each router can also have other access lists.
    C) They do not need to be related.
    D) They must be mirror images of each other, but each router can also have other
       access lists.
Q8) Which of the following cannot be done by crypto maps?
    A) define destination traffic for IPSec
    B) define source traffic for IPSec
    C) define the number of IPSec conversations that a router can maintain
    D) specify the granularity of traffic protected by SAs
Q9) What is the number of crypto maps that can be created on an interface?
    A) 0; crypto maps are global
    B) 1
    C) 2
    D) an unlimited number of crypto maps
Q10) Which of the following commands are optional commands when you are configuring
     IPSec crypto maps?
    A) sequence number
    B) dynamic dynamic map name
    C) map name
    D) IPSec tuning number
Q11) The crypto map peer command may be either a hostname or an IP address.
    A) true
    B) false
Q12) Crypto maps must be applied to interfaces based on the map name interface number.
    A) true
    B) false
Q13) Based on the access lists, ping (ICMP) traffic will be allowed into RouterA Ethernet
     0/1 interface from any source on the Internet.
    A) true
    B) false
Quiz Answer Key
Q1)
B
Relates to: IPSec Configuration
Q2)
B
Relates to: Step 1: Configure Transform Set Suites
Q3)
C
Relates to: Set Negotiation Transformation
Q4)
A
Relates to: Step 2: Configure Global IPSec Security Association Lifetimes
Q5)
D
Relates to: Crypto Access Lists Functionality
Q6)
A
Relates to: Step 3: Create Crypto ACLs Using Extended Access Lists
Q7)
D
Relates to: Symmetric Peer Crypto Access Lists Configuration
Q8)
C
Relates to: Crypto Maps Functionality
Q9)
B
Relates to: Crypto Map Parameters
Q10)
B
Relates to: Step 4: Configure IPSec Crypto Maps
Q11)
A
Relates to: Crypto Map Commands Example
Q12)
A
Relates to: Step 5: Apply Crypto Maps to Interfaces
Q13)
B
Relates to: IPSec Configuration Examples
Task 4: Testing and Verifying
IPSec
Overview
Cisco IOS software contains a number of show, clear, and debug commands that are useful for
testing and verifying IPSec and ISAKMP. These commands are considered in this lesson.
Relevance
In order to implement IPSec, it is necessary to be able to test and verify that IPSec is
functioning properly.
Objectives
Upon completing this lesson, you will be able to:
List the commands to test and verify IPSec
Describe the use of the show crypto isakmp policy command
Describe the use of the show crypto ipsec transform-set command
Describe the use of the show crypto ipsec sa command
Describe the use of the show crypto map command
Describe the use of the clear crypto isakmp command
Describe the use of the debug crypto command
Describe how to interpret crypto error messages for ISAKMP
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Task 4: Test and Verify IPSec
The show crypto isakmp policy Command
The show crypto ipsec transform-set Command
The show crypto ipsec sa Command
The show crypto map Command
The clear Commands
The debug crypto Commands
Crypto System Error Messages for ISAKMP
Summary
Quiz
Task 4: Test and Verify IPSec
This topic describes the commands that are used to test and verify IPSec.
Task 4—Test and Verify IPSec
Task 1 – Prepare for IKE and IPSec
Task 2 – Configure IKE
Task 3 – Configure IPSec
Task 4 – Test and Verify IPSec
• Display your configured IKE policies.
show crypto isakmp policy (show isakmp policy on a PIX)
• Display your configured transform sets.
show crypto ipsec transform-set
• Display Phase I security associations.
show crypto isakmp sa (show isakmp sa on a PIX)
• Display the current state of your IPSec SAs.
show crypto ipsec sa
• Display your configured crypto maps.
show crypto map
• Enable debug output for IPSec events.
debug crypto ipsec
• Enable debug output for ISAKMP events.
debug crypto isakmp
You can perform the following actions to test and verify that you have correctly configured the
VPN using Cisco IOS software:
Display your configured IKE policies using the show crypto isakmp policy command.
Display your configured transform sets using the show crypto ipsec transform-set
command.
Display the current state of your IPSec SAs with the show crypto ipsec sa command.
View your configured crypto maps with the show crypto map command.
Debug IKE and IPSec traffic through Cisco IOS software with the debug crypto ipsec and
debug crypto isakmp commands.
Note
The Cisco PIX IPSec troubleshooting commands are very similar to the Cisco IOS
commands. Differences in the “isakmp” versus “crypto isakmp” statements are noted in the
figure.
The show crypto isakmp policy Command
This topic illustrates an example of the show crypto isakmp policy command.
show crypto isakmp policy
Use the show crypto isakmp policy EXEC command to view the parameters for each
ISAKMP policy as shown in the following example for RouterA:
RouterA# show crypto isakmp policy
Protection suite of priority 110
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Encryption
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
The show crypto ipsec transform-set Command
This topic illustrates an example of the show crypto ipsec transform-set command.
show crypto ipsec transform-set
RouterA# show crypto ipsec transform-set
Transform set mine: { esp-des  }
   will negotiate = { Tunnel,  },
• View the currently defined transform sets.
show crypto isakmp sa
RouterA# show crypto isakmp sa
dst             src             state          conn-id    slot
172.30.2.2      172.30.1.2      QM_IDLE        47         5
• Shows Phase I security associations.
Use the show crypto ipsec transform-set EXEC command to view the configured transform
sets. The command has the following syntax:
show crypto ipsec transform-set [tag transform-set-name]
show crypto ipsec transform-set Command
Command
Description
tag transform-set-name
(Optional) Shows only the transform sets with the specified
transform-set-name
If no transform-set-name keyword is used, all transform sets configured at the router are
displayed.
Use the show crypto isakmp sa command to show Phase I SAs. If the connection is working
properly and an ISAKMP SA exists, it will be in its quiescent state—QM_IDLE—indicating
that the ISAKMP SA is present but idle. It remains authenticated with its peer and may be used
for subsequent quick mode exchanges.
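The two show outputs above read programmatically, as an added example that is not Cisco code: it parses the transform-set listing into name, transforms and mode, parses the ISAKMP SA table, and answers the question the text poses, whether the Phase 1 SA with a given peer is in QM_IDLE and therefore ready for quick mode. The sample text is the lesson's output, re-typed here as constructed input.

```python
# Added example, not Cisco code: parse 'show crypto ipsec transform-set' and
# 'show crypto isakmp sa' output and check the Phase 1 state.
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed input, copied from the lesson's slide.
TRANSFORM_SET_OUTPUT = """\
Transform set mine: { esp-des  }
   will negotiate = { Tunnel,  },
"""

ISAKMP_SA_OUTPUT = """\
dst             src             state          conn-id    slot
172.30.2.2      172.30.1.2      QM_IDLE        47         5
"""


@dataclass(frozen=True)
class TransformSet:
    name: str
    transforms: Tuple[str, ...]
    mode: str            # "Tunnel" or "Transport"


def parse_transform_sets(text: str) -> List[TransformSet]:
    """Each set is two lines: the name with its transforms, then the mode."""
    sets: List[TransformSet] = []
    name, transforms = None, ()
    for line in text.splitlines():
        m = re.match(r"Transform set (\S+): \{ (.*?)\s*\}", line)
        if m:
            name, transforms = m.group(1), tuple(m.group(2).split())
            continue
        m = re.search(r"will negotiate = \{ (\w+),", line)
        if m and name is not None:
            sets.append(TransformSet(name, transforms, m.group(1)))
            name = None
    return sets


@dataclass(frozen=True)
class IsakmpSa:
    dst: str
    src: str
    state: str
    conn_id: int
    slot: int


def parse_isakmp_sa(text: str) -> List[IsakmpSa]:
    """Column names come from the header line, so column order does not matter."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        f = dict(zip(header, line.split()))
        rows.append(IsakmpSa(f["dst"], f["src"], f["state"], int(f["conn-id"]), int(f["slot"])))
    return rows


def phase1_ready(rows: List[IsakmpSa], peer: str) -> bool:
    """Quick mode can proceed only when the SA with that peer sits in QM_IDLE;
    any other state means Phase 1 is still negotiating or has failed."""
    return any(r.dst == peer and r.state == "QM_IDLE" for r in rows)
```

`phase1_ready` is the first check to automate after a `clear crypto sa`: if it stays false while interesting traffic flows, the problem is in IKE Phase 1 (policy, key, or the inbound ACL), not in the transform sets or crypto ACLs.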
The show crypto ipsec sa Command
This topic illustrates an example of the show crypto ipsec sa command.
show crypto ipsec sa
Use the show crypto ipsec sa EXEC command to view the settings used by current SAs. If no
keyword is used, all security associations are displayed. The command syntax is as follows:
show crypto ipsec sa [map map-name | address | identity] [detail]
show crypto ipsec sa Command
Command
Description
map map-name
(Optional) Shows any existing SAs created for the crypto map.
address
(Optional) Shows all the existing SAs, sorted by the destination
address and then by protocol (Authentication Header [AH] or
Encapsulating Security Payload [ESP]).
identity
(Optional) Shows only the flow information. It does not show the
SA information.
detail
(Optional) Shows detailed error counters. (The default is the high-level send and receive error counters.)
The show crypto map Command
This topic illustrates an example of the show crypto map command.
show crypto map
• View the currently configured crypto maps.
Use the show crypto map EXEC command to view the crypto map configuration. If no
keywords are used, all crypto maps configured at the router will be displayed. The command
syntax is as follows:
show crypto map [interface interface | tag map-name]
show crypto map Command
Command
Description
interface interface
(Optional) Shows only the crypto map set applied to the specified
interface
tag map-name
(Optional) Shows only the crypto map set with the specified map-name.
The clear Commands
This topic illustrates an example of the clear commands for when you are changing or
troubleshooting VPN tunnels.
clear Commands
router#
clear crypto sa
clear crypto sa peer <IP address | peer name>
clear crypto sa map <map name>
clear crypto sa entry <destination address protocol spi>
• Clears IPSec SAs in router’s database
The clear commands are helpful to use after altering VPN configurations. When changing
transform sets and global lifetimes, the changes will not all be applied to existing IPSec
connections. To ensure that these settings affect all VPN connections, the clear commands
must be used. If a VPN device is processing a great deal of IPSec traffic that should remain
uninterrupted, the clear commands may be applied to specific maps, entries, or peers, if
specified within the command.
Note
Using clear commands requires reestablishment of the VPN tunnel between devices and
might cause inconvenience to the user.
The clear commands are also beneficial when troubleshooting VPN connectivity. They can
show if SAs are no longer being built by peers. By comparing results of show commands
before and after clear commands are used, it is often apparent that ISAKMP or IPSec SAs are
not created after making a network change.
Occasionally, the Address Resolution Protocol (ARP) table will interfere with establishment or
changes to IPSec tunnels and must be cleared. This ARP table interference occurs more often in
PIX VPN configurations and can be remedied by clearing the ARP cache. Although not an
IPSec-specific clear command, use the clear arp command to clear the ARP cache.
The debug crypto Commands
This topic illustrates an example of the debug crypto commands.
debug crypto
router#
debug crypto ipsec
• Displays debug messages about all IPSec actions
router#
debug crypto isakmp
• Displays debug messages about all ISAKMP actions
Use the debug crypto ipsec and debug crypto isakmp EXEC commands to display IPSec
and ISAKMP events. The no form of these commands disables debugging output.
Note
Because these commands generate a significant amount of output for every IP packet
processed, use them only when traffic on the IP network is low so that other activity on the
system is not adversely affected.
The following example of ISAKMP and IPSec debugging shows normal IPSec setup messages.
Note the inline comments (!).
RouterA# debug crypto ipsec
Crypto IPSEC debugging is on
RouterA# debug crypto isakmp
Crypto ISAKMP debugging is on
RouterA#
*Feb 29 08:08:06.556 PST: IPSEC(sa_request): ,
  (key eng. msg.) src= 172.30.1.2, dest= 172.30.2.2,
    src_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
! Interesting traffic from Site1 to Site2 triggers ISAKMP Main Mode.
*Feb 29 08:08:06.556 PST: ISAKMP (4): beginning Main Mode exchange
*Feb 29 08:08:06.828 PST: ISAKMP (4): processing SA payload. message ID = 0
*Feb 29 08:08:06.828 PST: ISAKMP (4): Checking ISAKMP transform 1 against priority 100 policy
*Feb 29 08:08:06.828 PST: ISAKMP:      encryption DES-CBC
*Feb 29 08:08:06.828 PST: ISAKMP:      hash MD5
*Feb 29 08:08:06.828 PST: ISAKMP:      default group 1
*Feb 29 08:08:06.832 PST: ISAKMP:      auth pre-share
*Feb 29 08:08:06.832 PST: ISAKMP (4): atts are acceptable. Next payload is 0
! The IPSec peers have found a matching ISAKMP policy
*Feb 29 08:08:06.964 PST: ISAKMP (4): SA is doing pre-shared key authentication
! Preshared key authentication is identified
*Feb 29 08:08:07.368 PST: ISAKMP (4): processing KE payload. message ID = 0
*Feb 29 08:08:07.540 PST: ISAKMP (4): processing NONCE payload. message ID = 0
*Feb 29 08:08:07.540 PST: ISAKMP (4): SKEYID state generated
*Feb 29 08:08:07.540 PST: ISAKMP (4): processing vendor id payload
*Feb 29 08:08:07.544 PST: ISAKMP (4): speaking to another IOS box!
*Feb 29 08:08:07.676 PST: ISAKMP (4): processing ID payload. message ID = 0
*Feb 29 08:08:07.676 PST: ISAKMP (4): processing HASH payload. message ID = 0
*Feb 29 08:08:07.680 PST: ISAKMP (4): SA has been authenticated with 172.30.2.2
! Main mode is complete. The peers are authenticated, and secret
! keys are generated. On to Quick Mode!
*Feb 29 08:08:07.680 PST: ISAKMP (4): beginning Quick Mode exchange, M-ID of -1079597279
*Feb 29 08:08:07.680 PST: IPSEC(key_engine): got a queue event...
*Feb 29 08:08:07.680 PST: IPSEC(spi_response): getting spi 365827691ld for SA
        from 172.30.2.2 to 172.30.1.2 for prot 3
*Feb 29 08:08:08.424 PST: ISAKMP (4): processing SA payload. message ID = -1079597279
*Feb 29 08:08:08.424 PST: ISAKMP (4): Checking IPSec proposal 1
*Feb 29 08:08:08.424 PST: ISAKMP: transform 1, ESP_DES
*Feb 29 08:08:08.424 PST: ISAKMP:   attributes in transform:
*Feb 29 08:08:08.424 PST: ISAKMP:      encaps is 1
*Feb 29 08:08:08.424 PST: ISAKMP:      SA life type in seconds
*Feb 29 08:08:08.424 PST: ISAKMP:      SA life duration (basic) of 3600
*Feb 29 08:08:08.428 PST: ISAKMP:      SA life type in kilobytes
*Feb 29 08:08:08.428 PST: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Feb 29 08:08:08.428 PST: ISAKMP:      authenticator is HMAC-MD5
*Feb 29 08:08:08.428 PST: ISAKMP (4): atts are acceptable.
*Feb 29 08:08:08.428 PST: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 172.30.2.2, src= 172.30.1.2,
    dest_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4),
    src_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
*Feb 29 08:08:08.432 PST: ISAKMP (4): processing NONCE payload. message ID = -1079597279
*Feb 29 08:08:08.432 PST: ISAKMP (4): processing ID payload. message ID = -1079597279
*Feb 29 08:08:08.432 PST: ISAKMP (4): processing ID payload. message ID = -1079597279
! A matching IPSec policy has been negotiated and authenticated.
! Next the SAs are set up.
*Feb 29 08:08:08.436 PST: ISAKMP (4): Creating IPSec SAs
*Feb 29 08:08:08.436 PST:         inbound SA from 172.30.2.2 to 172.30.1.2 (proxy 10.0.2.0 to 10.0.1.0)
*Feb 29 08:08:08.436 PST:         has spi 365827691 and conn_id 5 and flags 4
*Feb 29 08:08:08.436 PST:         lifetime of 3600 seconds
*Feb 29 08:08:08.440 PST:         lifetime of 4608000 kilobytes
*Feb 29 08:08:08.440 PST:         outbound SA from 172.30.1.2 to 172.30.2.2 (proxy 10.0.1.0 to 10.0.2.0)
*Feb 29 08:08:08.440 PST:         has spi 470158437 and conn_id 6 and flags 4
*Feb 29 08:08:08.440 PST:         lifetime of 3600 seconds
*Feb 29 08:08:08.440 PST:         lifetime of 4608000 kilobytes
*Feb 29 08:08:08.440 PST: IPSEC(key_engine): got a queue event...
*Feb 29 08:08:08.440 PST: IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 172.30.1.2, src= 172.30.2.2,
    dest_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4),
    src_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x15CE166B(365827691), conn_id= 5, keysize= 0, flags= 0x4
*Feb 29 08:08:08.444 PST: IPSEC(initialize_sas): ,
  (key eng. msg.) src= 172.30.1.2, dest= 172.30.2.2,
    src_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x1C060C65(470158437), conn_id= 6, keysize= 0, flags= 0x4
*Feb 29 08:08:08.444 PST: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.30.1.2, sa_prot= 50,
    sa_spi= 0x15CE166B(365827691),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 5
*Feb 29 08:08:08.444 PST: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.30.2.2, sa_prot= 50,
    sa_spi= 0x1C060C65(470158437),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 6
! IPSec SAs are set up and data can be securely exchanged.
RouterA#
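The trace above can be checked mechanically rather than read line by line. The following Python is an added example and is not part of the course material or of Cisco IOS: it parses debug crypto isakmp and debug crypto ipsec output for the Phase 1 policy attributes, the Phase 2 transform, the inbound and outbound SAs (SPI, conn_id, lifetimes) and the IPSEC(create_sa) confirmations, then reports anything a complete setup must contain but the trace lacks. It also recognizes the %CRYPTO-6-IKMP_* syslog messages covered in the next topic. The regular expressions key on the message strings visible in the trace above; SAMPLE_DEBUG is an abridged copy of that trace; the names TunnelSummary, parse_crypto_debug and check_tunnel are this example's own.

```python
"""Summarize a Cisco IOS 'debug crypto isakmp' / 'debug crypto ipsec' trace.

Added example, not Cisco code: the regular expressions key on the message
strings visible in the course trace, and SAMPLE_DEBUG is an abridged copy of it."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE_DEBUG = """\
*Feb 29 08:08:06.828 PST: ISAKMP (4): Checking ISAKMP transform 1 against priority 100 policy
*Feb 29 08:08:06.828 PST: ISAKMP:      encryption DES-CBC
*Feb 29 08:08:06.828 PST: ISAKMP:      hash MD5
*Feb 29 08:08:06.828 PST: ISAKMP:      default group 1
*Feb 29 08:08:06.832 PST: ISAKMP:      auth pre-share
*Feb 29 08:08:07.680 PST: ISAKMP (4): SA has been authenticated with 172.30.2.2
*Feb 29 08:08:08.424 PST: ISAKMP: transform 1, ESP_DES
*Feb 29 08:08:08.428 PST: ISAKMP:      authenticator is HMAC-MD5
*Feb 29 08:08:08.436 PST: ISAKMP (4): Creating IPSec SAs
*Feb 29 08:08:08.436 PST:         inbound SA from 172.30.2.2 to 172.30.1.2 (proxy 10.0.2.0 to 10.0.1.0)
*Feb 29 08:08:08.436 PST:         has spi 365827691 and conn_id 5 and flags 4
*Feb 29 08:08:08.436 PST:         lifetime of 3600 seconds
*Feb 29 08:08:08.440 PST:         lifetime of 4608000 kilobytes
*Feb 29 08:08:08.440 PST:         outbound SA from 172.30.1.2 to 172.30.2.2 (proxy 10.0.1.0 to 10.0.2.0)
*Feb 29 08:08:08.440 PST:         has spi 470158437 and conn_id 6 and flags 4
*Feb 29 08:08:08.440 PST:         lifetime of 3600 seconds
*Feb 29 08:08:08.440 PST:         lifetime of 4608000 kilobytes
*Feb 29 08:08:08.444 PST: IPSEC(create_sa): sa created,
        (sa) sa_dest= 172.30.1.2, sa_prot= 50,
        sa_spi= 0x15CE166B(365827691),
        sa_trans= esp-des esp-md5-hmac , sa_conn_id= 5
*Feb 29 08:08:08.444 PST: IPSEC(create_sa): sa created,
        (sa) sa_dest= 172.30.2.2, sa_prot= 50,
        sa_spi= 0x1C060C65(470158437),
        sa_trans= esp-des esp-md5-hmac , sa_conn_id= 6
"""

# Message patterns as they appear in the IOS trace.
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
AUTH_RE = re.compile(r"SA has been authenticated with (\d+\.\d+\.\d+\.\d+)")
TRANS_RE = re.compile(r"ISAKMP: transform \d+, (\S+)")
SA_RE = re.compile(r"(inbound|outbound) SA from (\S+) to (\S+) \(proxy (\S+) to (\S+)\)")
SPI_RE = re.compile(r"has spi (\d+) and conn_id (\d+)")
LIFE_RE = re.compile(r"lifetime of (\d+) (seconds|kilobytes)")
CREATED_RE = re.compile(r"sa_spi= 0x([0-9A-Fa-f]+)\((\d+)\)")
SYSLOG_RE = re.compile(r"%CRYPTO-\d-(\w+):")  # e.g. %CRYPTO-6-IKMP_SA_NOT_AUTH:


@dataclass
class TunnelSummary:
    phase1: dict = field(default_factory=dict)     # encryption, hash, group, auth
    phase1_peer: str | None = None                 # peer from "SA has been authenticated with"
    phase2_transform: str | None = None            # e.g. ESP_DES
    sas: list = field(default_factory=list)        # one dict per inbound/outbound SA
    created: dict = field(default_factory=dict)    # decimal SPI -> hex SPI from create_sa
    syslog_errors: list = field(default_factory=list)


def parse_crypto_debug(text: str) -> TunnelSummary:
    """Walk the trace once and collect the facts an operator checks by hand."""
    s = TunnelSummary()
    for line in text.splitlines():
        if m := ATTR_RE.search(line):
            s.phase1[m.group(1).replace("default ", "")] = m.group(2)
        elif m := AUTH_RE.search(line):
            s.phase1_peer = m.group(1)
        elif m := TRANS_RE.search(line):
            s.phase2_transform = m.group(1)
        elif m := SA_RE.search(line):
            s.sas.append({"dir": m.group(1), "src": m.group(2), "dst": m.group(3),
                          "proxy": (m.group(4), m.group(5)), "lifetime": {}})
        elif (m := SPI_RE.search(line)) and s.sas:      # belongs to the SA announced last
            s.sas[-1]["spi"], s.sas[-1]["conn_id"] = int(m.group(1)), int(m.group(2))
        elif (m := LIFE_RE.search(line)) and s.sas:
            s.sas[-1]["lifetime"][m.group(2)] = int(m.group(1))
        elif m := CREATED_RE.search(line):
            s.created[int(m.group(2))] = m.group(1)
        elif m := SYSLOG_RE.search(line):
            s.syslog_errors.append(m.group(1))
    return s


def check_tunnel(s: TunnelSummary) -> list[str]:
    """Findings for an operator; an empty list means the trace shows a complete setup."""
    findings = [f"negotiation error logged: {e}" for e in s.syslog_errors]
    if s.phase1_peer is None:
        findings.append("Phase 1 incomplete: no 'SA has been authenticated' message")
    if s.phase2_transform is None:
        findings.append("Phase 2 incomplete: no IPSec transform accepted")
    seen = {sa["dir"] for sa in s.sas}
    findings += [f"Phase 2 incomplete: no {d} SA created" for d in ("inbound", "outbound") if d not in seen]
    for sa in s.sas:
        spi = sa.get("spi")
        if spi is None:
            findings.append(f"{sa['dir']} SA announced without an SPI")
        elif spi not in s.created:
            findings.append(f"{sa['dir']} SPI {spi} never confirmed by IPSEC(create_sa)")
        elif int(s.created[spi], 16) != spi:
            findings.append(f"{sa['dir']} SPI {spi}: hex and decimal values disagree")
        if set(sa["lifetime"]) != {"seconds", "kilobytes"}:
            findings.append(f"{sa['dir']} SA is missing a lifetime")
    return findings


if __name__ == "__main__":
    summary = parse_crypto_debug(SAMPLE_DEBUG)
    print(summary.phase1, summary.phase2_transform, [sa["spi"] for sa in summary.sas])
    print(check_tunnel(summary) or "tunnel setup complete")
```

Run against the full trace the result is an empty findings list; cut the trace before the outbound SA, or feed it a session ending in %CRYPTO-6-IKMP_SA_NOT_OFFERED, and the missing pieces are named rather than having to be spotted in a few hundred debug lines.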
Crypto System Error Messages for ISAKMP
This topic describes how to interpret crypto error messages for ISAKMP.
Crypto System Error Messages for ISAKMP
%CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from %15i if SA is not authenticated!
• ISAKMP SA with the remote peer was not authenticated.
%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed
• ISAKMP peers failed protection suite negotiation for ISAKMP.
Cisco IOS software can generate many useful system error messages for ISAKMP. Two of the
error messages are as follows:
%CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from
%15i if SA is not authenticated!—The ISAKMP security association with the remote peer
was not authenticated, yet the peer attempted to begin a quick mode exchange. This
exchange must only be done with an authenticated SA. The recommended action is to
contact the remote peer administrator to resolve the improper configuration.
%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with
attribute [chars] not offered or changed—ISAKMP peers negotiate policy by the initiator
offering a list of possible alternate protection suites. The responder responded with an
ISAKMP policy that the initiator did not offer. The recommended action is to contact the
remote peer administrator to resolve the improper configuration.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• Display your configured IKE policies using the
show crypto isakmp policy command.
• Display your configured transform sets using the
show crypto ipsec transform-set command.
• Display the current state of your IPSec SAs with
the show crypto ipsec sa command.
• View your configured crypto maps with the show
crypto map command.
• Debug IKE and IPSec traffic through the Cisco IOS
with the debug crypto ipsec and debug crypto isakmp
commands.
Next Steps
For the associated lab exercise, refer to the following section of the course Lab Guide:
Lab Exercise 5-1: Configuring a Site-to-Site IPSec VPN Using Preshared Keys
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which command displays all crypto maps?
    A) display crypto transform
    B) show crypto map
    C) show crypto isakmp policy
    D) debug crypto isakmp
Q2) The show crypto isakmp policy command will display the hash algorithm.
    A) true
    B) false
Q3) If a transform set name is not specified in the show crypto ipsec transform-set
    command, what is the result?
    A) The router will not understand the command.
    B) It will turn on crypto ipsec debugging.
    C) Every configured transform set will be displayed.
Q4) The state QM_IDLE on the show crypto isakmp sa command means the configuration
    is idle and the tunnel is not working.
    A) true
    B) false
Q5) The show crypto ipsec sa shows the settings used by current security associations.
    A) true
    B) false
Q6) The show crypto map command will display peer addresses.
    A) true
    B) false
Q7) Clearing the full security association database should be reserved for large-scale
    changes, or when a device is processing only a small amount of other IPSec traffic.
    A) true
    B) false
Q8) Debug commands are acceptable to use on a busy network.
    A) true
    B) false
Q9) If a remote router responds with an unoffered ISAKMP policy, the communication will
    continue to function normally.
    A) true
    B) false
Quiz Answer Key
Q1) B  Relates to: Task 4: Test and Verify IPSec
Q2) A  Relates to: The show crypto isakmp policy Command
Q3) C  Relates to: The show crypto ipsec transform-set Command
Q4) B  Relates to: The show crypto ipsec sa Command
Q5) A  Relates to: The show crypto ipsec sa Command
Q6) A  Relates to: The show crypto map Command
Q7) A  Relates to: The clear Commands
Q8) B  Relates to: The debug crypto Commands
Q9) B  Relates to: Crypto System Error Messages for ISAKMP
Module 6
Using ISDN and DDR to
Enhance Remote Connectivity
Overview
ISDN is typically deployed to provide remote access for small offices and home offices. This
module reviews the configuration of dial-on-demand routing (DDR) to implement ISDN dial-up
for remote access.
Objectives
Upon completing this module, you will be able to:
List the steps and commands that are required to configure an ISDN connection
List the tasks that are required to successfully configure an ISDN PRI connection
Configure ISDN DDR using dialer maps
Define interesting traffic with dialer and access lists
Explain various ISDN PPP configuration options that are used with DDR
Verify and troubleshoot ISDN environments using Cisco IOS commands
Outline
The module contains these lessons:
Configuring ISDN BRI
Configuring ISDN PRI
Configuring DDR
Verifying ISDN and DDR Configurations
Configuring ISDN BRI
Overview
To connect to an ISDN network, you must use the correct router. A BRI interface requires
specific commands to enable ISDN.
Relevance
Because ISDN is still widely used for remote access and backup connectivity, it is important to
know how to configure an ISDN BRI interface. This lesson covers the concepts and commands
for configuring ISDN BRI.
Objectives
Upon completing this lesson, you will be able to:
Identify the ISDN BRI services and protocols
List the steps and commands that are required to configure an ISDN connection
Configure the appropriate switch type with the isdn switch-type command
Configure the Layer 2 B channel encapsulation method with the encapsulation ppp or
encapsulation hdlc commands
Describe the basic concepts of ISDN SPIDs
Configure SPIDs with the isdn spid1 and isdn spid2 commands
Configure advanced calling features to accept and respond to selected ISDN calls
Configure channel rate adaption using the speed command available in dialer maps
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
ISDN Services
ISDN Protocols
ISDN Protocol Layers
ISDN Configuration Tasks
ISDN Configuration Commands
ISDN Switch Types
Interface Protocol Settings
SPID Setting If Necessary
Caller Identification Screening
Configuration of Caller ID Screening
Called-Party Number Verification
Rate Adaption
Summary
Quiz
ISDN Services
This topic describes the differences between ISDN BRI and ISDN PRI. ISDN services are
offered as either ISDN BRI or ISDN PRI.
ISDN Services
ISDN BRI specifies:
Two 64 kbps B Channels (bearer channels) used mainly for video, data or voice
One 16 kbps D Channel (data or delta channel) used mainly for signaling of the B Channels
Framing and synchronization overhead at 48 kbps
Total speed (64 * 2) + (16 + 48) = (128 + 64) = 192 kbps
Intended to be used at small concentration points
Note
The B channel carries the main data. The D channel carries control and signaling
information.
ISDN Protocols
This topic describes the most common components and reference points of ISDN BRI. ISDN
BRI includes various components and reference points.
BRI Reference Points
Given all the ISDN interface abbreviations such as T, S, U, S/T, and so on, what do all of these
components and reference points look like in practice?
When creating a network, connect the Network Termination 1 (NT-1) to the wall jack with a
standard two-wire connector, then to the ISDN phone, terminal adapter, Cisco ISDN router, and
perhaps a fax with a four-wire connector. The S/T interface is implemented using an eight-wire
connector (two pairs for data transmission and two pairs for providing optional power to the
NT and TE).
Because RJ-11 and RJ-45 connectors look similar, caution should be taken when connecting
ISDN devices.
The S/T reference point is:
Four-wire interface (sending [TX] and receiving [RX])
Point-to-point and multipoint (passive bus), as shown in the figure
Covered by International Telecommunication Union Telecommunication Standardization
Sector (ITU-T) I.430 physical layer specification for BRI interfaces, and American
National Standards Institute (ANSI) T1.601 standard for the United States
The S/T interface defines the interface between a TE1 or terminal adapter (TA) and an NT. A
maximum of eight devices can be daisy-chained to the S/T bus.
The U interface defines the two-wire interface between the NT-1 and the ISDN cloud. The U
interface is used in the United States. Countries outside the United States use an S/T interface.
The R interface defines the interface between the TA and an attached non-ISDN device (TE2).
In North America, the NT-1 function is commonly integrated into the ISDN device (router,
TA), thus permitting a direct connection from the ISDN device to the telco jack.
An NT-1 and NT-2 combination device is sometimes referred to as an NTU. In most countries,
the NT-1/NT-2 combination is provided by the service provider (telco), and customer access is
available only at the S/T interface.
ISDN Protocol Layers
This topic discusses ISDN protocol layers. ISDN is based on a suite of standards.
ISDN Protocol Layers
The B channel carries Layer 3 protocols for data transmission. It typically operates in either a
High-Level Data Link Control (HDLC) or PPP encapsulation mode at Layer 2 to encapsulate
the upper-layer protocols such as IP. Although not as common, other encapsulations such as
Frame Relay can be used, depending on networking requirements.
The D channel is continuously active and works with dial-on-demand routing (DDR) to build
connections over the ISDN connection. The D Channel uses Q.921 (also known as LAPD) at
the Data Link Layer and Q.931 at the Network Layer. The B Channel uses PPP or HDLC at the
Data Link Layer and IP, IPX, AppleTalk, and so on for the Network Layer.
The ITU-T I.430 and I.431 standards define the physical layer for the BRI and PRI network
interfaces, respectively. In the United States, the U and S/T interfaces are governed by the
ANSI T1.601 standards and conform, where possible, to the ITU-T specifications.
ISDN Configuration Tasks
This topic describes the configuration tasks that are required to successfully configure an ISDN
BRI connection. Configuring ISDN BRI requires global and interface configuration tasks.
ISDN Configuration Tasks
• Global configuration
– Select switch type
– Specify traffic to trigger call
• Interface configuration
– Select interface specifications
– Configure ISDN addressing
• Optional feature configuration
To configure an ISDN BRI interface on a router, you must use specific global and interface
configuration commands.
Global configuration includes these steps:
Step 1  Select the switch type that matches the ISDN provider switch at the central office
        (CO).
Step 2  Set destination details. Indicate static routes from the router to other ISDN
        destinations.
Step 3  Specify the traffic criteria that initiate an ISDN call to the appropriate destination.
Interface configuration includes these steps:
Step 1  Select the ISDN BRI port and configure an IP address and subnet mask.
        Although the interface automatically inherits the global switch-type setting, some
        configurations may require a specific switch type to be configured on an interface.
Step 2  Specify the encapsulation if it is not HDLC. If PPP encapsulation is selected
        (typical), configure PPP including authentication, callback, and multilink options.
Step 3  Configure ISDN addressing and any parameters supplied by the ISDN service
        provider.
Step 4  Configure DDR information and calling parameters.
Step 5  Configure optional features, including time-to-wait for the ISDN carrier to respond
        to the call, and seconds of idle time before the router times out and drops the call.
ISDN Configuration Commands
This topic describes the configuration commands that are required to successfully configure an
ISDN BRI connection. Configuring ISDN BRI requires global and interface configuration
commands.
ISDN Configuration Commands
• Global commands:
– isdn switch-type
• Interface commands:
– ip address
– isdn switch-type
– encapsulation ppp
– PPP options
(for example, Authentication, Multilink)
– isdn spid1
At the global level, the administrator must specify the ISDN service provider CO switch type.
There are several types of switches to choose from, and some of these require special
parameters. Because signaling standards differ by region, the switch type varies
according to its geographical location. For example, the DMS-100 and National-1 require a
service profile identifier (SPID) to be specified. This is optional on some switches (for
example, AT&T 5ESS), or may not be required at all on other switches.
Although the interface configuration and selection tasks apply to all routers, this topic focuses
on BRI for access routers. (PRI details for Cisco routers and access servers with T1/E1
controllers are covered in lesson two.)
Configuring the ISDN interface may include assigning the IP address, defining encapsulation,
and creating ISDN service profile statements. The tasks also include a legacy method of
configuring ISDN with the dialer map command. The dialer map command statically maps a
remote site (usually its host name) to a destination IP address (Layer 3 address) and ISDN dial
number (Layer 2 address). A more contemporary implementation includes creating dialer
profiles that dynamically create these mappings. (Dialer maps are covered later in this module,
and dialer profiles are covered in module 7.)
ISDN Switch Types
This topic describes the isdn switch-type command. Selecting the correct switch type to
connect is crucial when configuring ISDN BRI.
Selecting the ISDN Switch Type
Router(config)#isdn switch-type switch-type
Router(config-if)#isdn switch-type switch-type
• Specifies the type of ISDN switch with which the
router communicates
• Global or interface command
Use the isdn switch-type command to specify the CO switch to which the router connects. For
BRI ISDN service, the possible switch types and their corresponding commands are shown in
the table.
isdn switch-type Commands
  basic-5ess     AT&T basic rate switches (United States)
  basic-dms100   NT DMS-100 (North America)
  basic-ni       National ISDN-1 (North America)
  basic-qsig     PINX (PBX) switches with QSIG signaling per Q.931
  basic-net3     NET3 switch type for United Kingdom, Europe, Asia, and Australia
  ntt            Japanese NTT ISDN switches
  none           No switch defined
Note
Other switch types are available. The list of switch types can differ based on the Cisco IOS
software version that is used.
When the isdn switch-type command is used in global configuration mode, all ISDN interfaces
on the router are configured for that switch type. Beginning with Cisco IOS Release 11.3T, the
interface configuration mode command was introduced to allow different interfaces to be
configured with different switch types. If the command is used in interface configuration mode,
only the interface that is configured assumes that switch type. The interface setting always
overrides the global setting.
Interface Protocol Settings
This topic describes the encapsulation ppp and encapsulation hdlc commands. You may have
to configure the Layer 2 B channel encapsulation protocol and authentication when configuring
ISDN BRI.
BRI Configuration Example
The interface bri interface-number command designates the interface that is used for ISDN on
a router acting as a TE1 device.
A router without a native BRI interface is a TE2 device. It must connect to an external ISDN
TA via a serial interface. On a TE2 router, the interface serial interface-number command
must be used.
The default encapsulation on a BRI interface is HDLC. The encapsulation ppp command
changes the encapsulation on the ISDN interface. Although HDLC encapsulation offers a
simpler configuration, it lacks much of the functionality provided by PPP. Some of the
functionality that is lacking includes link control protocol (LCP) options such as Password
Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP)
authentication, as well as multilink capability. Authentication is typically a requirement in
networks of today, particularly if calls are to be received from multiple dialup sources.
Alternatively, calling line identification (CLID) can be used with HDLC encapsulation to identify
callers, provided that the service provider sends this information.
To revert from PPP encapsulation to the default, use the encapsulation hdlc command. Other
encapsulation options for BRI interfaces may include Link Access Procedure, Balanced
(LAPB) and Frame Relay.
SPID Setting If Necessary
This topic describes ISDN SPIDs and the isdn spid1 and isdn spid2 commands. Depending on
the switch type, you may have to configure SPIDs.
BRI Configuration Example (Cont.)
Several ISDN service providers use CO switches that require dial-in numbers called SPIDs.
The SPIDs are used to authenticate call requests that are within contract specifications. These
switches include National ISDN and DMS-100 ISDN switches, as well as the AT&T 5ESS
multipoint switch. SPIDs are used only in the United States and are typically not required for
ISDN data communications applications. The service provider supplies the local SPID
numbers. If uncertain, contact the service provider to determine if the SPIDs must be
configured on your access routers.
Use the isdn spid1 and isdn spid2 commands to access the ISDN network when your router
makes its call to the local ISDN exchange.
The isdn spid1 command syntax is shown in the figure for the first BRI 64-kbps channel. The
field for ldn, if required, matches the number provided by the dialer map command.
The arguments for isdn spid1 and isdn spid2 are listed in the following table.
isdn spid1 and isdn spid2 Commands
  spid-number   Number identifying the service to which you have subscribed. This value is
                usually a ten-digit telephone number followed by more digits. The ISDN service
                provider assigns this value.
  ldn           (Optional) Seven-digit local directory number assigned by the ISDN service
                provider.
Note
If you want the SPID to be automatically detected, you can specify 0 for the spid-number
argument. You can also use the interface command isdn autodetect for SPID and switch
type detection. This command is available in IOS Release 12.0(3)T and later.
The ldn parameter allows you to associate up to three local directory numbers with each SPID.
This number must match the called-party information coming in from the ISDN switch in order
to use both B channels on most switches.
Caller Identification Screening
This topic describes the basic features of calling line identification (CLID).
Caller Identification Screening
• Extra level of call management
• Call not set up (or charged) until acceptance
• A simple alternative or additional layer of authentication for
PPP CHAP
CLID (also known as caller ID) adds a level of security between ISDN connections by
screening incoming ISDN calls based on the setup request. The calling number in the call setup
request message supplied by the local service provider is verified against a table of allowed
numbers configured in the router.
This feature prevents charges for calls from unauthorized numbers. However, in some
situations, there are charges for call setup attempts, even if the call does not pass caller ID
screening.
The figure shows the router, the medium, and the connection to the ISDN cloud. The upper
arrow displays the number of the calling party (RouterA). The calling party number comes
from the network, not from the router that initiated the call.
The table at the right of the figure contains the allowed numbers that are configured on
RouterB. Call verification using this table provides extra security. Call acceptance does not
occur until the router has verified the calling number.
CLID is not universally available. Not all service providers have the calling party number
contained in the call setup request. In addition, CLID screening records the number exactly as it
was sent, with or without an area code prefix, which can cause errors.
Configuration of Caller ID Screening
This topic describes the commands that are required to enable CLID.
Configuring CLID Screening
Router(config-if)#isdn caller number
• Enables CLID screening
Use the isdn caller number command to configure ISDN CLID. This command configures the
router to accept calls from the specified telephone number. More than one caller number can be
assigned to an interface.
The telephone number can be up to 25 characters in length. As part of this number, you can
enter an x in any position to stand for any number (a “wildcard”).
For example, isdn caller 55666612xx would accept calls from any number beginning with
55666612 followed by any other number in the last two positions.
Called-Party Number Verification
This topic describes the commands that are required to enable called-party number verification.
Called-party number verification is used to ensure that the correct device answers an incoming
call.
Configuring Called Party Number Verification
Router(config-if)#isdn answer1 [called-party-number]
or
Router(config-if)#isdn answer2 [called-party-number]
• Sets the number to allow the interface to respond
When multiple devices and a router share the same ISDN local loop, you can ensure that the
correct device answers an incoming call. This guarantee is accomplished by configuring the
router to verify the called-party number. However, the ISDN switch must support the delivery
of called-party numbers.
The isdn answer1 interface configuration command verifies a called-party number or
subaddress number in the incoming setup message for ISDN BRI calls, if the ISDN switch
supplies the number. Use the isdn answer2 interface command to verify an additional
called-party number or subaddress number. To remove a verification request, use the no form
of the command.
All calls are processed or accepted if you do not specify the isdn answer1 or isdn answer2
commands. If you specify one of these commands, the router must verify the incoming
called-party number before processing or accepting the call. Devices on multipoint ISDN
connections are typically assigned a specific subaddress. The isdn answer1 command can
also verify the incoming call based on the specific subaddress.
You can configure just the called-party number or just the subaddress, in which case only that
part will be verified.
The table describes the arguments for the isdn answer1 command.

isdn answer1 [called-party-number][:subaddress]

isdn answer1 Command

  called-party-number   Number supplied in the call setup request.
  :                     (Optional) Identifies the number that follows as a subaddress. Use the
                        colon (:) when you configure both the called-party number and the
                        subaddress, or when you configure only the subaddress.
  subaddress            (Optional) Subaddress number used for ISDN multipoint connections.
Some service providers require that both isdn answer1 and isdn answer2 parameters be
specified.
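The following Python is an added illustration, not code from this guide or from Cisco IOS. It models how a BRI interface screens an incoming SETUP against the isdn caller patterns (calling-party number with x wildcards, from the previous topic) and the isdn answer1 / isdn answer2 called-party number and subaddress arguments described above. The SETUP contents are constructed samples; the treatment of answer1 and answer2 as alternative numbers (either may match) is an assumption drawn from the text calling answer2 an "additional" number.

```python
# Added example, not code from the BCRAN guide or from Cisco IOS: models how a BRI
# interface screens an incoming Q.931 SETUP against "isdn caller" (calling-party
# number, CLID) and "isdn answer1"/"isdn answer2" (called-party number and
# subaddress) lines. SETUP contents below are constructed samples, not captures.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Setup:
    """Fields the router reads from a SETUP message (constructed sample)."""
    calling_number: Optional[str]          # None when the switch delivers no CLID
    called_number: Optional[str]
    called_subaddress: Optional[str] = None

@dataclass
class BriScreening:
    """Screening lines configured on one BRI interface."""
    caller_patterns: List[str] = field(default_factory=list)  # isdn caller <digits, x = wildcard>
    answer_specs: List[str] = field(default_factory=list)     # isdn answer1 / isdn answer2 arguments

def clid_matches(pattern: str, number: Optional[str]) -> bool:
    """An 'x' in an isdn caller pattern stands for any single digit in that position."""
    if number is None:
        return False   # no CLID delivered: a screening pattern can never match it
    regex = "".join("[0-9]" if ch.lower() == "x" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, number) is not None

def parse_answer_spec(spec: str) -> Tuple[Optional[str], Optional[str]]:
    """Split '5551212', ':42' or '5551212:42' into (number, subaddress); either may be None."""
    number, colon, sub = spec.partition(":")
    return (number or None, sub if colon else None)

def answer_matches(spec: str, setup: Setup) -> bool:
    """Only the configured parts are verified; an unconfigured part is ignored."""
    number, sub = parse_answer_spec(spec)
    if number is not None and setup.called_number != number:
        return False
    if sub is not None and setup.called_subaddress != sub:
        return False
    return True

def accept_call(cfg: BriScreening, setup: Setup) -> bool:
    """Accept the SETUP only if every configured screen passes.

    Assumption: with both isdn answer1 and isdn answer2 present, matching either
    is enough, since answer2 adds a second number the interface responds to."""
    if cfg.caller_patterns and not any(clid_matches(p, setup.calling_number)
                                       for p in cfg.caller_patterns):
        return False
    if cfg.answer_specs and not any(answer_matches(s, setup) for s in cfg.answer_specs):
        return False
    return True
```

Note what the CLID check does and does not give you: it trusts whatever number the switch delivers, refuses the call when no number arrives, and has no way to tell a genuine calling number from one the network presented incorrectly. Treat isdn caller as a cost and nuisance filter, and rely on PPP authentication (CHAP) on the link itself to decide who may connect.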
Rate Adaption
This topic describes rate adaption. Rate adaption allows the ISDN channel to adjust to a lower
speed if requested in the call setup.
BRI Rate Adaption Configuration Example
If requested in the call setup by the access router, rate adaption allows the ISDN channel to
adjust to a lower speed. The speed may be designated in a dialer map statement using the
optional parameter of speed 56 or speed 64 on the router that is placing the call.
Use rate adaption for cases where the destination does not use the default DS-0 of 64 kbps. The
alternative speed used in most of North America is 56 kbps.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• ISDN BRI: total speed is 64 kbps x 2 (B channels) +
16 kbps (D channel) + 48 kbps (framing and
synchronization) = 192 kbps.
• In most countries, customer access to BRI is
available at the S/T interface.
• Enabling ISDN BRI requires global configuration
and interface configuration commands.
• A switch type can be configured in global
configuration or in interface configuration mode.
Summary (Cont.)
• BRI supports HDLC encapsulation and 64 kbps by
default.
• PPP encapsulation is more advantageous because
of its LCP options such as PAP, CHAP, Multilink.
• Some ISDN switches require the configuration of
SPID numbers.
• BRI supports CLID and called-party number
verification.
• Use rate adaption for 56 kbps.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) What is the data rate of one ISDN B channel?
    A) 48 kbps
    B) 56 kbps
    C) 64 kbps
    D) 128 kbps

Q2) Which ISDN channel is always active and in communication with the ISDN switch
    while using the Q.931 signaling protocol?
    A) A
    B) B
    C) C
    D) D

Q3) Which ISDN channel carries network layer protocols for data transmission?
    A) A
    B) B
    C) C
    D) D

Q4) Which type of configuration task category does configuring ISDN addressing fall into?
    A) global
    B) interface
    C) standard
    D) primary

Q5) Which configuration task category level applies to specifying the ISDN service
    provider CO switch type?
    A) global
    B) interface
    C) standard
    D) primary

Q6) Which Cisco router global command is used to specify the CO switch to which the
    router connects?
    A) isdn router-type
    B) isdn switch-type
    C) isdn hub-type
    D) isdn bridge-type

Q7) Which Cisco router command designates the interface that is used for ISDN on a router
    acting as a TE1 device?
    A) interface serial interface-number
    B) interface Ethernet interface-number
    C) interface bri interface-number
    D) interface ISDN interface-number

Q8) The dial-in numbers that an ISDN service provider CO site switch might require are
    known as _____?
    A) service provider identifiers (SPIDs)
    B) service profile identifiers (SPIDs)
    C) service profile interface devices (SPIDs)
    D) service provider interface devices (SPIDs)

Q9) Which Cisco router command is used to configure ISDN CLID screening?
    A) caller ID
    B) isdn caller
    C) ID caller
    D) ID caller

Q10) Rate adaption allows the ISDN channel to adjust to which of the following:
    A) lower speed
    B) higher speed
    C) speed of 128 kbps
    D) speed of 256 kbps
Quiz Answer Key
Q1) C    Relates to: ISDN Services
Q2) D    Relates to: ISDN Protocols
Q3) B    Relates to: ISDN Protocol Layers
Q4) B    Relates to: ISDN Configuration Tasks
Q5) A    Relates to: ISDN Configuration Commands
Q6) B    Relates to: ISDN Switch Types
Q7) C    Relates to: Interface Protocol Settings
Q8) B    Relates to: SPID Setting If Necessary
Q9) B    Relates to: Configuration of Caller ID Screening
Q10) A   Relates to: Rate Adaption
Configuring ISDN PRI
Overview
ISDN BRI is typically used for remote access at small branch sites with lower bandwidth
requirements. Primary Rate Interface (PRI) is typically used by larger central sites with higher
bandwidth requirements to aggregate multiple remote BRIs. Internet service providers (ISPs)
also use ISDN PRI to support combined large numbers of analog modem and ISDN BRI calls.
Relevance
This lesson provides an overview of concepts and configuration of ISDN PRI.
Objectives
Upon completing this lesson, you will be able to:
List the tasks required to successfully configure an ISDN PRI connection
Configure the appropriate switch type with the isdn switch-type command
List and explain the commands that are required to configure an ISDN T1 or E1 controller
List and explain the commands that are required to configure the ISDN PRI channels and D
channel
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
ISDN Services
PRI Reference Points
Configuration Tasks for PRI
ISDN PRI Configuration
T1 and E1 Controller Parameters
Additional ISDN PRI Configuration Parameters
PRI Configuration Example
Summary
Quiz
ISDN Services
This topic describes the services of the ISDN PRI. ISDN services are offered as either ISDN
BRI or ISDN PRI.
ISDN PRI and Channelized E1 and T1
In the figure, the ISDN PRI specifies:
23 B (U.S. T1) or 30 B (European E1) channels at 64 kbps each
1 D channel at 64 kbps
Framing and synchronization at 8 kbps (T1), or 64 kbps (E1)
Total speed 1.544 Mbps (T1), or 2.048 Mbps (E1)
Because an ISDN BRI comprises two B channels and one D channel, it is often referred to as
“2B+D.” Likewise, a U.S. T1 PRI is commonly referred to as “23B+D,” and a European E1
PRI as “30B+D.”
In Europe the D channel is carried in timeslot 16. In the United States it is in timeslot 24.
Note
In an E1 PRI there are actually 32 channels: 30 B, 1 D, and 1 synchronization channel.
The table below displays the relationships between the DS level, speed, "T" designation, and
number of channels.

North American Digital Hierarchy

  Digital Signal Level   Speed         "T" Designation   Channels or DS-0s
  DS-0                   64 kbps       –                 1
  DS-1                   1.544 Mbps    T1                24
  DS-3                   44.736 Mbps   T3                672
In some cases, a DS-0 can carry only 56 kbps, usually because of legacy telco equipment or a
signaling method called robbed-bit signaling (RBS).
In Europe, the equivalent of a T1 facility is an E1 facility.
PRI Reference Points
This topic describes the most common components and reference points of ISDN PRI.
PRI Reference Points
Depending on country implementation, either the ANSI T1.408 (North America) or ITU-T I.431
standard governs the physical layer of the PRI interface. (ANSI T1.601 is the BRI U-interface
specification, not the PRI one.)
PRI technology is simpler than BRI. The wiring is not multipoint because there is only the
straight connection between the CSU/DSU and the PRI interface. (Multipoint refers to the
ability to have multiple ISDN devices connected to the network, all of which have access to the
ISDN network.) Arbitration at Layer 1 and Layer 2 allows multiple devices that need to share
the ISDN network to access the network without collisions or interruptions. PRI does not
require this arbitration because there are no multiple devices.
Configuration Tasks for PRI
This topic describes the configuration tasks that are required to successfully configure an ISDN
PRI connection.
Configuration Tasks for PRI
• Select the PRI switch type
• Specify T1/E1 controller, framing, and line coding for
the facility
• Set PRI group timeslots for T1/E1 and indicate the
speed used
• Specify the interface on the router that you will
configure for DDR
Use the PRI configuration task steps listed in the figure, in addition to the DDR-derived
commands covered earlier in BRI configurations, to enable a PRI connection.
Complete the following configuration tasks:
1. Specify the ISDN switch type used by the service provider for this PRI connection.
2. Specify the T1/E1 controller, framing type, and line coding for the service provider facility.
3. Set a PRI group timeslot for the T1/E1 facility and indicate the speed used.
4. Identify the interface used to configure DDR for the PRI.
ISDN PRI Configuration
This topic describes the isdn switch-type command. Configuring ISDN PRI requires global
and interface configuration commands. Selecting the correct switch type to connect is critical
when configuring ISDN PRI.
ISDN PRI Configuration

Router(config)#isdn switch-type switch-type
• Configures the ISDN PRI switch type

Router(config)#controller {t1 | e1} {slot/port | unit-number}
• Configures the ISDN PRI controller
Use the isdn switch-type command to specify the CO PRI switch to which the router connects.
With Cisco IOS Release 11.3(3)T or later, this command is also available as a controller
command to allow different switch types to be supported on different controllers. If configured
as a global command, the specified switch type applies to all controllers, unless a switch type is
specifically configured on an individual controller.
An incompatible switch selection configuration can result in failure to make ISDN calls. After
changing the switch type, you must reload the router to make the new configuration effective.
Telco isdn switch-type keywords are shown in the table below.

isdn switch-type Command

  primary-4ess     AT&T 4ESS PRI switches (United States)
  primary-5ess     AT&T 5ESS PRI switches (United States)
  primary-dms100   NT DMS-100 switches (North America)
  primary-ni       National ISDN switch type
  primary-ntt      NTT ISDN PRI switches (Japan)
  primary-net5     European and Australian ISDN PRI switches
  primary-qsig     Q Signaling (QSIG) per Q.931
  none             No switch defined
Unlike BRI operation, ISDN PRIs do not use SPIDs. Therefore, there is no requirement to
configure SPIDs, regardless of the ISDN switch type used by the PRI.
Use the controller {t1 | e1} slot/port command in global configuration mode to identify the
controller to be configured. Use a single unit-number to identify the AS5000 Series controller.
The arguments are shown in the table below.

controller {t1 | e1} Command

  t1                         Specifies the controller interface for North America and Japan
  e1                         Specifies the controller interface for Europe and most other
                             countries
  slot/port or unit number   Specifies the physical slot/port location or unit number of the
                             controller
T1 and E1 Controller Parameters
This topic describes the commands that are required to configure an ISDN T1 or E1 controller.
In ISDN PRI, a T1 or E1 controller must first be configured to communicate with the service
provider.
T1 and E1 Controller Parameters

Router(config-controller)#framing {sf | esf | crc4 | no-crc4}
• Selects the framing type on the controller

Router(config-controller)#linecode {ami | b8zs | hdb3}
• Selects the line-code type on the controller

Router(config-controller)#clock source {line [primary | secondary] | internal}
• Specifies the T1 clock source
Use the framing controller configuration command to select the frame type used by the PRI
service provider. The table shows framing commands that you can use.
framing Command

  sf                 Super Frame. Use for some older T1 configurations.
  esf                Extended Super Frame. Use for T1 PRI configurations.
  crc4 or no-crc4    Cyclic redundancy check 4. Use for E1 PRI configurations.
Without a sufficient number of ones in the digital bit stream, the switches and multiplexers in a
WAN can lose their synchronization for transmitting signals. Use the linecode command to
identify the physical layer signaling method to satisfy the “ones” density requirement on the
digital facility of the provider.
The table shows line code commands that you can use.

linecode Command

  ami     Alternate mark inversion. Use for T1 configurations.
  b8zs    Binary 8-zero substitution. Use for T1 PRI configurations.
  hdb3    High density binary 3. Use for E1 PRI configurations.
Binary 8-zero substitution (B8ZS) accommodates the ones density requirements for T1 carrier
facilities using special binary signals that are encoded over the digital transmission link. It
allows 64 kbps (clear channel) for ISDN channels.
Settings for these two Cisco IOS software controller commands on the router must match the
framing and line-code types used at the T1/E1 WAN CO switch of the provider.
Use the clock source {line | internal} command to configure the T1 and E1 clock source on
Cisco routers. T1 configurations typically require framing esf and linecode b8zs. E1
configurations typically require framing crc4 and linecode hdb3.
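The following Python is an added illustration, not code from this guide or from Cisco. It encodes a bit stream with plain AMI and with B8ZS and measures the longest pulse-free stretch each produces, which is exactly the ones-density problem the linecode command addresses: the B8ZS substitution pattern 000VB0VB is the standard one, and the only assumption here is the representation of line pulses as +1, -1 and 0. The input bit strings are constructed samples.

```python
# Added example, not code from the BCRAN guide or from Cisco: AMI and B8ZS line
# coding of a T1 bit stream, to show what the ones-density requirement behind
# "linecode b8zs" means. AMI sends each 1 as a pulse of alternating polarity and
# each 0 as no pulse, so a long run of zeros gives the far end no transitions to
# recover clock from. B8ZS substitutes each run of eight zeros with 000VB0VB, where
# V is a pulse of the same polarity as the previous pulse (a deliberate bipolar
# violation) and B is a normally alternating pulse; the receiver recognises the
# violation pattern and restores the eight zeros, so the channel stays clear at 64 kbps.
# Pulses are represented as +1, -1 and 0 (an assumption of this model).
# Input bit strings are constructed samples.
from typing import List

def ami_encode(bits: str) -> List[int]:
    """Plain AMI: 1 -> alternating +1/-1 pulse, 0 -> no pulse."""
    out, last = [], -1            # so the first mark goes out positive
    for b in bits:
        if b == "1":
            last = -last
            out.append(last)
        else:
            out.append(0)
    return out

def b8zs_encode(bits: str) -> List[int]:
    """AMI with B8ZS substitution of every run of eight zeros."""
    out, last, i = [], -1, 0
    while i < len(bits):
        if bits.startswith("00000000", i):
            p = last                                  # polarity of the previous pulse
            out.extend([0, 0, 0, p, -p, 0, -p, p])    # 000VB0VB
            i += 8                                    # pattern ends on polarity p, so last is unchanged
        elif bits[i] == "1":
            last = -last
            out.append(last)
            i += 1
        else:
            out.append(0)
            i += 1
    return out

def b8zs_decode(pulses: List[int]) -> str:
    """Undo the substitution. The 000VB0VB shape cannot occur in legal AMI, because
    its two V pulses break alternation, so the receiver can recognise it unambiguously."""
    bits, i = [], 0
    while i < len(pulses):
        seg = pulses[i:i + 8]
        p = seg[3] if len(seg) == 8 else 0
        if p != 0 and seg == [0, 0, 0, p, -p, 0, -p, p]:
            bits.append("00000000")
            i += 8
        else:
            bits.append("1" if pulses[i] != 0 else "0")
            i += 1
    return "".join(bits)

def longest_zero_run(pulses: List[int]) -> int:
    """Longest stretch without a pulse: what a repeater's clock recovery has to ride out."""
    best = run = 0
    for p in pulses:
        run = run + 1 if p == 0 else 0
        best = max(best, run)
    return best
```

With sixteen consecutive data zeros, AMI leaves the line silent for sixteen pulse slots, while B8ZS never leaves more than three, and the decoder returns the original bits; this is why a 64-kbps clear channel is only available with B8ZS on T1, whereas AMI facilities are the ones that end up limited to 56 kbps.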
Additional ISDN PRI Configuration Parameters
This topic describes the commands that are required to configure the ISDN PRI channels and D
channel. After the T1 or E1 controller is configured, the PRI channels and the corresponding D
channel interface must be configured.
Additional ISDN PRI Configuration Parameters

Router(config-controller)#pri-group [timeslots range]
• Specifies ISDN PRI on the T1 or E1 controller
• Specifies timeslots (channels) used by PRI

Router(config)#interface serial {slot/port | unit}:{23 | 15}
• Specifies the serial interface for the PRI D channel

Router(config-if)#isdn incoming-voice modem
• Switches incoming analog calls to internal modems
The pri-group command configures the specified interface for PRI operation and specifies
which fixed timeslots (channels) are allocated on the digital facility of the provider.
pri-group Command

  timeslots range   The range of timeslots allocated to this PRI. For T1, use values in the
                    range of 1 to 24, and for E1, use values from 1 to 31. The speed of the
                    PRI is the aggregate of the channels assigned.

Example 1: If using all 30 B channels on an E1 PRI (30B+D), specify pri-group timeslots 1-31.
Example 2: If allocated only the first eight B channels (512-kbps total data bandwidth) for a T1
PRI (23B+D), specify pri-group timeslots 1-8,24. Note that the D channel (timeslot 24 on T1)
must be included in the range.
Note
When provisioning a PRI line with less than 24 time slots (or 30 for E1), include the D
channel for signaling.
Specification of the PRI group automatically creates the corresponding serial interface for the D
channel: interface serial {slot/port | unit}:{23 | 15}. This interface is used to configure the PRI
D channel. The table shows the interface serial commands that you can use.
interface serial Command

  slot/port   The slot/port of the channelized controller
  unit        The unit number of the channelized controller on a Cisco 4000 or AS5000 Series
              router
  23          A T1 interface that designates channelized DS-0s 0 to 22 as the B channels, and
              DS-0 23 as the D channel
  15          An E1 interface that designates 30 B channels and timeslot 16 as the D channel
Note
In an E1 or T1 facility, the channels start numbering at 1 (1 to 31 for E1 and 1 to 24 for T1).
Serial interfaces in the Cisco router start numbering at 0. Therefore, channel 16, the E1
signaling channel, is serial port subinterface 15. Channel 24, the T1 signaling channel, is
serial subinterface 23.
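The following Python is an added illustration, not code from this guide or from Cisco IOS. It checks a pri-group timeslots range the way an operator would before committing it (values inside the T1 or E1 limits, D channel timeslot present) and derives the two things the lesson says the router derives from it: the aggregate B-channel bandwidth and the name of the D-channel serial interface with its zero-based number. The controller names and ranges are constructed samples.

```python
# Added example, not code from the BCRAN guide or from Cisco IOS: validates a
# "pri-group timeslots" range and derives the D-channel serial interface name and
# the aggregate B-channel bandwidth. Controller names and ranges are constructed.
from typing import Dict, Set

# Facility parameters from the lesson: T1 has 24 timeslots with the D channel in
# timeslot 24 (serial x:23); E1 has timeslots 1-31 with the D channel in 16 (serial x:15).
FACILITY = {
    "t1": {"max_timeslot": 24, "d_channel": 24},
    "e1": {"max_timeslot": 31, "d_channel": 16},
}

def parse_timeslots(spec: str) -> Set[int]:
    """Parse '1-8,24' or '1-31' into a set of timeslot numbers; rejects malformed input."""
    slots: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        lo, sep, hi = part.partition("-")
        if not lo.isdigit() or (sep and not hi.isdigit()):
            raise ValueError(f"bad timeslot element {part!r} in {spec!r}")
        start, end = int(lo), (int(hi) if sep else int(lo))
        if start > end:
            raise ValueError(f"descending range {part!r}")
        slots.update(range(start, end + 1))
    return slots

def plan_pri_group(controller_type: str, slot_port: str, spec: str) -> Dict[str, object]:
    """Check a pri-group against the facility and return what the router would derive."""
    fac = FACILITY[controller_type.lower()]
    slots = parse_timeslots(spec)
    bad = sorted(s for s in slots if s < 1 or s > fac["max_timeslot"])
    if bad:
        raise ValueError(f"{controller_type} timeslots must be 1-{fac['max_timeslot']}, got {bad}")
    if fac["d_channel"] not in slots:
        # A partial PRI without its D channel has no signalling and cannot set up calls.
        raise ValueError(f"D channel timeslot {fac['d_channel']} missing from {spec!r}")
    b_channels = sorted(slots - {fac["d_channel"]})
    return {
        "controller": f"{controller_type} {slot_port}",
        "b_channels": b_channels,
        "data_kbps": 64 * len(b_channels),
        # Interface numbering is zero-based, so timeslot N is serial slot/port:N-1.
        "d_interface": f"serial {slot_port}:{fac['d_channel'] - 1}",
    }

def pri_group_problem(controller_type: str, slot_port: str, spec: str) -> str:
    """Return '' when the pri-group is acceptable, else the reason it would be rejected."""
    try:
        plan_pri_group(controller_type, slot_port, spec)
        return ""
    except ValueError as err:
        return str(err)
```

For the lesson's second example, plan_pri_group("t1", "0/0", "1-8,24") reports eight B channels, 512 kbps of data bandwidth and serial 0/0:23 as the D-channel interface, while "1-8" on its own is rejected because the signalling timeslot is missing.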
The isdn incoming-voice modem command allows incoming analog calls to be switched to
internal modems. Software examines the bearer capability fields of the D channel data and
determines whether a call is a normal ISDN call or an analog call being carried on an ISDN B
channel. If it is an analog call, it is switched to internal modems. This command is only
available for access servers with the capability for internal modems.
PRI Configuration Example
The following topic highlights a sample ISDN PRI configuration.
PRI Configuration Example
The table describes the commands in the figure.

PRI Configuration Commands

  isdn switch-type primary-5ess   Selects a switch type of AT&T 5ESS
  controller t1 0/0               Selects the T1 controller 0/0
  pri-group timeslots 1-24        Establishes the interface port to function as PRI with 24
                                  timeslots (including the D channel), each operating at a
                                  speed of 64 kbps
  framing esf                     Selects Extended Superframe (ESF) framing, a T1 configuration
                                  feature
  linecode b8zs                   Selects line code B8ZS for T1
  clock source line               Specifies the T1 line as the clock source for the router
  interface serial 0/0:23         Identifies the D channel on serial interface 0/0
Note
Static mapping and DDR commands are also used for configuring PRI. Although they are
also required for ISDN operation, these commands are omitted from this example.
The controller t1 0/0 command configures the T1 controller. In the example, the switch type
selected is an AT&T model. This example is accurate for some operations in the United States.
For an E1 example, the timeslot argument for the pri-group command would be 1-31 rather
than 1-24 as shown for a T1 example, and the interface command would be 0/0:15 instead of
0/0:23.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• ISDN PRI is typically used to aggregate multiple BRIs or
for higher-bandwidth requirements.
• ISDN PRI (T1) total speed is 64 kbps x 23 (B channels) +
64 kbps (D channel) + 8 kbps (framing and
synchronization) = 1.544 Mbps.
• ISDN PRI (E1) total speed is 64 kbps x 30 (B channels) +
64 kbps (D channel) + 64 kbps (framing and
synchronization) = 2.048 Mbps.
• ISDN PRI requires that a T1 (or E1) controller be
configured.
• A T1 controller configuration must include the framing
type and line coding.
Summary (Cont.)
• Like ISDN BRI, a PRI switch type must also be
configured.
• ISDN PRI does not require SPIDs.
• The ISDN PRI D and B channels are configured
separately from the controller, using the interface
serial command.
• The pri-group command configures the specified
interface for PRI operation and the number of fixed
timeslots that are allocated on the provider digital
facility.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) When you are configuring PRI on a Cisco router, where does the information for the
    correct PRI switch type, T1 or E1 controller, framing type, and line coding come from?
    A) service provider facility
    B) client facility
    C) company human resources department
    D) local electronic retail store

Q2) Which Cisco router command is used to specify the CO PRI switch to which the router
    connects?
    A) isdn switch-type
    B) isdn router-type
    C) isdn hub-type
    D) switch isdn-type

Q3) Which framing controller configuration command code parameter is used to select the
    frame type used by the PRI service provider for Extended Super Frame?
    A) sf
    B) esf
    C) crc4
    D) esc4

Q4) Which Cisco router command configures the specified interface for PRI operation and
    specifies the number of fixed timeslots that are allocated on the digital facility of the
    provider?
    A) BRI group
    B) SER group
    C) PRI group
    D) Eth group

Q5) Which command would be used to configure a European ISDN PRI switch type?
    A) isdn switch-type primary-4ess
    B) isdn switch-type primary-net5
    C) isdn switch-type primary-5ess
    D) isdn switch-type primary-dms100
Quiz Answer Key
Q1) A   Relates to: Configuration Tasks for PRI
Q2) A   Relates to: ISDN PRI Configuration
Q3) B   Relates to: T1 and E1 Controller Parameters
Q4) C   Relates to: Additional ISDN PRI Configuration Parameters
Q5) B   Relates to: PRI Configuration Example
Configuring DDR
Overview
DDR enables routers to connect on an as-needed basis. They typically connect long enough to
exchange information and then disconnect. This results in significant cost savings for the
enterprise.
Relevance
ISDN connects and disconnects faster than plain old telephone service (POTS), and has greater
throughput. For these reasons, DDR is most often used with ISDN. This lesson provides an
overview of ISDN DDR.
Objectives
Upon completing this lesson, you will be able to:
Explain the logic flow when defining interesting traffic
List the steps that are required to configure DDR
Define and configure interesting traffic on selected interfaces
Configure access lists to provide more granular control when defining interesting traffic
Apply dialer lists to ISDN BRI interfaces
Configure dialer maps to specify how to reach a remote destination
Configure a simple ISDN network
Define interesting traffic with dialer and access lists
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
DDR Operation
DDR and ISDN Usage
DDR Configuration Tasks
Interesting Traffic for DDR
Access Lists for DDR
Destination Parameters for DDR
Configuration of a Simple ISDN Call
Configuration Example: RouterA
Configuration Example: RouterB
Access List for DDR Example
Summary
Quiz
DDR Operation
This topic describes the ISDN DDR process and explains the logic flow when defining
interesting traffic. DDR routing enables predefined interesting traffic to initiate a call across the
ISDN WAN connection.
DDR Operation
Cisco implements DDR from the perspective of the outgoing data from the router.
With DDR, all traffic that is destined to the dialer interface is classified as either “interesting”
or “uninteresting,” based on the dialer list. If the traffic is interesting (permitted by the dialer
list), then the router connects to the remote router if not currently connected. If the traffic is
uninteresting (denied by the dialer list) and there is no connection, then it does not dial the
remote router, thereby saving costs.
The dialer idle timer tears the connection down if no interesting traffic for the destination
arrives within the configured timer interval.
Note
When a connection is made, all traffic uses the link, whether or not it is interesting, unless
it is denied by another access list applied to the interface. The dialer list only decides when
to dial and which packets reset the idle timer. For example, if the dialer list is configured to
allow only ping (Internet Control Message Protocol [ICMP]) traffic, a user could send a ping to
bring up the connection and then start a Telnet session across the open DDR interface. To block
such traffic, apply a separate access list to the interface with the ip access-group command.
DDR and ISDN Usage
This topic describes the sequence of events that triggers an ISDN DDR call. ISDN is commonly
configured with DDR.
Using DDR with ISDN
1. Packet arrives.
2. Switch packet to DDR interface,
determine if interesting.
3. If interesting, dial DDR destination via ISDN.
4. Connect to remote router.
Access routers use DDR to connect to remote routers. The access router will initiate a
connection only when it detects “interesting traffic” that is bound for a remote site. Dialer lists
specify interesting traffic. You can place a BRI interface in a dial group, which is linked to a
dialer list that specifies interesting traffic. You can use multiple dialer list entries to identify
traffic that is interesting and destined for other DDR destination routers, based on various
protocols. Access lists can also be used to refine the designation of interesting packets that will
initiate DDR calls.
Routing updates may cause ISDN calls to remote routers. This could dramatically increase
service charges from the ISDN service provider. For this reason, it is usually best to use static
and default routes to reach destination networks.
Note
Some dynamic routing protocols, like Open Shortest Path First (OSPF), support features
specifically designed to work over DDR connections. In addition, Cisco IOS software
supports a feature called Snapshot Routing. This feature permits the use of distance-vector
routing protocols over DDR links while minimizing routing and service advertisement
updates, thus saving link charges. Further information on these features can be located at
http://www.cisco.com.
DDR commands map a host ID and dialer string to initiate the setup of an ISDN call for
interesting traffic. The router then makes an outgoing call from its BRI interface through the
ISDN NT-1. If using an external TA, it must support V.25bis dialing. Calling details for these
devices come from dialer commands.
An idle timer starts when no more interesting traffic is transmitted over the ISDN call. The
timer is reset if an interesting packet is received before the Idle-Timeout value is reached. If no
interesting packets are received when the Idle-Timeout expires, the call disconnects.
DDR Configuration Tasks
This topic describes the tasks that are required to configure DDR. Several tasks are required to
configure ISDN with DDR.
DDR Configuration Tasks
• Define interesting traffic
• Assign interesting traffic definition
to ISDN interface
• Define destination
• Define call parameters
To configure DDR, you must complete these tasks:
1. Define what constitutes interesting traffic by using the dialer-list command.
2. Assign this interesting traffic definition to an interface using the dialer-group command.
3. Define the destination IP address, host name, telephone number to dial, and optional call
parameters using the dialer map command.
4. Define call parameters using the following commands:
   — dialer idle-timeout seconds: Specifies the time that the line can remain idle without
     receiving interesting traffic before it is disconnected. Default time is 120 seconds.
   — dialer fast-idle seconds: Specifies the time that a line for which there is contention
     (another call is waiting to use the line) can remain idle before the current call is
     disconnected, to allow the competing call to be placed. Default time is 20 seconds.
   — dialer load-threshold load [outbound | inbound | either]: Specifies the interface
     load at which the dialer initiates another call to the destination. This command is
     used with Bandwidth on Demand (BoD) or Multilink PPP (MLP).
Definitions of the arguments and options for the dialer load-threshold load [outbound |
inbound | either] command are displayed in the table.

dialer load-threshold Command

  load       A number from 1 to 255, with 255 equal to 100 percent load and 128 equal to
             50 percent load
  outbound   Calculates the load on outbound data only (the default)
  inbound    Calculates the load on inbound data only
  either     Calculates the load on the maximum of the outbound or inbound data
Note
For more information, refer to the “Cisco Access Dial Configuration Cookbook” at
http://www.cisco.com/.
Interesting Traffic for DDR
This topic describes how to configure interesting traffic and apply it to an ISDN interface. With
ISDN DDR, an interface is activated when it sees interesting traffic that it must forward.
Defining Interesting Traffic

Router(config)#dialer-list dialer-group-number protocol protocol-name {permit | deny | list access-list-number}
• Defines interesting packets for DDR
• Associated with the dialer group assigned to the interface

Router(config-if)#dialer-group group-number
• Assigns an interface to the dialer access group specified in the dialer-list command
The dialer-list command is used to configure dial-on-demand calls that will initiate a
connection. The simple form of the command specifies whether a whole protocol suite, such as
IP or Internetwork Packet Exchange (IPX), will be permitted or denied to trigger a call. The
more complex form references an access list that allows finer control of the interesting traffic
definition for a given protocol. A dialer list can contain multiple entries to define multiple
protocol types as interesting.
The dialer-group interface command applies the dialer list specifications to an interface. Only
one dialer list can be applied to an interface at a time.
The dialer-list and dialer-group command syntax is described in the table.

dialer-list and dialer-group Commands

  dialer-list dialer-group-number protocol protocol-name
  {permit | deny | list access-list-number | access-group}
                          Defines a DDR dialer list to control dialing by protocol or by a
                          combination of protocol and access list.
  dialer-group-number     Number of a dialer access group identified in any dialer-group
                          interface configuration command.
  protocol-name           One of the following protocol keywords: appletalk, bridge, clns,
                          clns_es, clns_is, decnet, decnet_router-L1, decnet_router-L2,
                          decnet_node, ip, ipx, vines, or xns.
  dialer-group group-number
                          Configures an interface to belong to a specific dialer group. The
                          dialer group points to a dialer list.
  group-number            Number of the dialer access group to which the specific interface
                          belongs. This access group is defined with the dialer-list command,
                          which specifies interesting traffic that initiates a DDR call.
                          Acceptable values are nonzero, positive integers from 1 to 10.
Access Lists for DDR
This topic describes how to define ISDN DDR interesting traffic by referencing an access list.
Interesting traffic can be specifically defined with an access list.
Using Access Lists for DDR
Router(config)#access-list access-list-number {permit | deny} {protocol | protocol-keyword} {source source-wildcard | any} {destination destination-wildcard | any} [protocol-specific-options] [log]
• Gives tighter control over “interesting” traffic and uses standard or extended access lists
Router(config)#dialer-list dialer-group protocol protocol-name list access-list-number
• Associates an access list with a dialer access group
When linked to a dialer list, access lists give strict control over which packets are considered
interesting. The access-list command specifies the interesting traffic that initiates a DDR call.
Both standard and extended access lists are supported, which enables the identification of
interesting traffic based on simple destination addresses, or based on both source and
destination addresses, and upper layer protocols.
An extended access list is displayed in the figure shown, providing more control over the
protocol, source address, and destination address in determining interesting packets.
Note
Not all command parameters are displayed for the access-list command. Refer to the Cisco
Documentation CD-ROM or http://www.cisco.com for the complete syntax.
The dialer-list command is used in conjunction with the access list. This command associates
the access list with the dialer access group.
The following is a sample configuration:
interface BRI0
dialer-group 1
access-list 101 deny igrp any any
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
Destination Parameters for DDR
This topic describes how to identify a remote destination with the dialer map command. When
interesting traffic has been detected, the interface is activated and initiates a call to the remote
ISDN destination, which is identified by a dialer map.
Defining Destination Parameters
• Maps an IP network layer address to a remote phone number
• Defines the method of reaching a remote ISDN destination
When interesting traffic has been identified for the ISDN interface, the router initiates a DDR
call, if the call is not already connected. The router uses the information that is configured in
the dialer map command to determine dialing parameters to the destination router, such as the
telephone number to dial. The dialer map command binds the next-hop protocol address to a
telephone number, or dial-string, for a particular destination.
A dialer map is similar in concept to an Address Resolution Protocol (ARP) entry for a LAN
that binds an IP address to a MAC address, or a Frame Relay map that binds a next-hop
protocol address to a data-link connection identifier (DLCI). Each dialer map associates a
destination or next-hop Layer 3 network address to a destination Layer 2 address.
The dialer map command options are described in the table.
dialer map Commands

dialer map protocol next-hop-address [name hostname] [speed 56|64] [broadcast] [dial-string[:isdn-subaddress]]
    Configures a serial interface or ISDN interface to call one or multiple sites.
    name parameter refers to the name of the remote system
    speed parameter is the line speed to use in kilobits per second
    broadcast parameter indicates that broadcasts should be forwarded to this address
    dial-string[:isdn-subaddress] is the number to dial to reach the destination and the optional ISDN subaddress
[modem-script modem-regexp]
    (Optional) Indicates the modem script to use for the connection (for asynchronous interfaces). Create modem-regexp using a chat script.
[system-script system-regexp]
    (Optional) Indicates the system script to use for the connection (for asynchronous interfaces). Create system-regexp using a chat script.
Note
The dialer map command has many other optional parameters available. For a complete
description of the command and its parameters, refer to the documentation CD-ROM or
http://www.cisco.com.
Configuration of a Simple ISDN Call
This topic describes a simple ISDN BRI connection with DDR-enabled configuration.
Configuring a Simple ISDN Call
• Use PPP encapsulation
• All IP traffic to destination triggers ISDN call
• Carrier uses a 5ESS basic-rate switch
• Service provider assigns connection parameters
The figure displays an example of how you can combine the commands described in the
previous lessons to set up ISDN and initiate DDR.
DDR is configured to connect RouterA to RouterB. Interesting traffic is defined as any IP
traffic that will initiate a DDR call to RouterB. Similar to a telephone call, the number dialed is
for the remote ISDN device. The ISDN service provider supplies this number.
As shown in the figure, traffic is routed to the LAN. Before a connection can be made, you
must configure Challenge Handshake Authentication Protocol (CHAP) authentication, a dialer
map, and static routes of how to reach the RouterB 192.68.1.0 network.
Configuration Example: RouterA
This topic describes a sample ISDN BRI and DDR configuration for RouterA.
Configuration Example: RouterA
The configuration in the figure is for legacy DDR, which uses dialer maps.
The table describes the commands that are used in the configuration.
BRI and DDR RouterA Configuration Commands

isdn switch-type
    Selects the AT&T 5ESS switch as the central office (CO) ISDN switch type for this interface.
username rtb password itsasecret
    Sets up a CHAP username and password for the remote router.
interface bri 0
    Enters BRI 0 configuration mode.
ip address 10.170.0.1 255.255.0.0
    Specifies the BRI 0 IP address and subnet mask.
encapsulation ppp
    Sets up PPP encapsulation for BRI 0.
dialer idle-timeout 300
    Specifies the number of seconds of idle time before the router drops the ISDN call (300 sec = 5 min).
dialer map
    Establishes how to call the next-hop router.
    ip: specifies the name of the protocol that is used by this map.
    10.170.0.2: specifies the IP address for the next-hop router BRI interface.
    RouterB: specifies the CHAP identification name for the remote router.
    4085554000: specifies the telephone number that is used to reach the BRI interface on the remote router for this DDR destination.
dialer-group 1
    Associates the BRI 0 interface with dialer list 1.
ppp authentication chap
    Sets up CHAP PPP authentication for BRI 0.
ip route ...
    Configures a static route to the subnet on the remote router.
dialer-list 1 protocol ip permit
    Associates permitted IP traffic with dialer group 1. The router will start an ISDN call for IP traffic only.
Configuration Example: RouterB
This topic describes a sample ISDN BRI and DDR configuration for RouterB.
Configuration Example: RouterB
This figure displays the configuration of RouterB. This configuration is also for legacy DDR.
The table describes the commands that are used in the configuration.
BRI and DDR RouterB Configuration Commands

isdn switch-type
    Selects the ISDN switch type for this interface.
username rta password itsasecret
    Sets up the CHAP username and password for the remote router.
interface bri0
    Enters BRI 0 configuration mode.
ip address 10.170.0.2 255.255.0.0
    Specifies the BRI 0 IP address and net mask.
encapsulation ppp
    Sets up PPP encapsulation for BRI 0.
dialer idle-timeout 300
    Specifies the number of seconds of idle time before the router drops the ISDN call (300 sec = 5 min).
dialer map
    Establishes how to call the next-hop router.
    ip: specifies the name of the protocol that is used by this map.
    10.170.0.1: specifies the IP address for the next-hop router BRI interface.
    RouterA: specifies the CHAP identification name for the remote router.
    5105551234: specifies the telephone number that is used to reach the remote router for this DDR destination.
dialer-group 1
    Associates the BRI 0 interface with dialer list 1.
ppp authentication chap
    Sets up CHAP PPP authentication for BRI 0.
ip route ...
    Configures a static route to the subnet on the remote router.
dialer-list 1 protocol ip permit
    Associates permitted IP traffic with dialer group 1. The router will start an ISDN call for IP traffic only.
Access List for DDR Example
This topic describes a simple ISDN BRI connection that uses a DDR configuration. Interesting
traffic is more specifically defined with an access list.
Access List for DDR Example
RouterA allows all IP traffic except Telnet and FTP to trigger ISDN calls to RouterB, and access subnet 192.168.1.0
This figure displays how to combine DDR commands with an extended access list to trigger an
ISDN call. The configuration uses many of the same commands for configuring a simple ISDN
call. Through dialer lists, access lists are applied to a dialer group to trigger call setup.
DDR is configured on RouterA to connect with RouterB for all IP traffic except Telnet and
FTP. The details about what is interesting to DDR are defined in an access list.
The service provider offering the ISDN service uses a Northern Telecom DMS-100 switch.
Therefore, the configuration requires that the service profile identifiers (SPIDs) be specified.
The service provider supplies other details to use when you are configuring the router for
ISDN.
It is more common in networks to reference an access list in the dialer list because it offers
more granular control over the protocols, users, and destinations that trigger a call. The
previous example permitted any IP packet to trigger the call, so it is likely that noncritical
packets would activate the line unnecessarily, inflating line charges.
Access List for DDR Example: RouterA
This figure displays the configuration of RouterA from the previous figure. This configuration
is for legacy DDR and uses dialer maps and extended access lists. The table describes the
commands that are used in the configuration.
Access List Configuration Commands

isdn switch-type
    Selects the ISDN switch type for this interface.
username RouterB password itsasecret
    Sets up the CHAP username and password for the remote router in the local user database.
interface bri0
    Enters BRI 0 configuration mode, and sets up DDR and ISDN functions.
ip address 10.170.0.1 255.255.0.0
    Specifies the BRI 0 IP address and net mask.
encapsulation ppp
    Sets up PPP encapsulation for BRI 0.
dialer idle-timeout 300
    Specifies the number of seconds of idle time (300 sec = 5 min) before the router drops the ISDN call.
dialer map
    Establishes the IP address and ISDN number to call the next-hop routers.
dialer-group 2
    Associates the BRI 0 interface with dialer list 2.
ppp authentication chap
    Sets up CHAP PPP authentication for BRI 0.
Access List for DDR Example: RouterA (Cont.)
This figure shows the continuation of the configuration of RouterA. This simple example
shows how access lists are linked to dialer lists and dialer groups to determine interesting traffic
that triggers DDR calls. Either simple or extended access lists can be linked with dialer lists and
dialer groups to identify interesting traffic, thus creating a powerful set of tools to control
dialup costs.
The table describes the commands that are used in the configuration.
Access List Configuration Example Commands

ip route ...
    Configures static routes to subnets on remote router Ethernet interfaces.
access-list 101 deny ...
    Defines extended TCP access list entries to prevent FTP and Telnet packets from triggering calls.
access-list 101 permit ...
    Defines entry in the extended access list to permit remaining IP traffic to trigger ISDN calls.
dialer-list 2 protocol ip list 101
    Sets up control for automatic DDR dialing. Assigns access list 101 to dialer list 2, which is assigned to the BRI 0 interface by the dialer-group command statement. Only IP will trigger DDR calls with this configuration.
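The decision path that the RouterA examples above describe (static route to next hop, dialer map to dial string, dialer-group to dialer-list to access list 101), as an added Python model; this is example code written for this lesson, not Cisco's, and it assumes a /24 mask for the 192.168.1.0 route, the FTP/Telnet entries of access list 101, and the helper names shown.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Constructed model of the legacy DDR decision path this lesson describes:
# static route -> next hop -> dialer map, gated by dialer-group -> dialer-list -> access-list.
# Every class and function here is a hypothetical helper, not a Cisco IOS name.

@dataclass
class Packet:
    proto: str                   # IP protocol: "tcp", "udp", "icmp", "igrp", ...
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp

@dataclass
class AclEntry:
    """One extended access-list entry, e.g. 'deny tcp any any eq 23'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol; others match exactly
    src: str                     # "any" or "address wildcard-mask"
    dst: str
    eq_port: Optional[int] = None

# dialer-list N protocol ip {permit | deny | list acl}: a bare keyword or an access list
DialerList = Union[str, List[AclEntry]]

def _addr_match(spec: str, addr: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    return (b | w) == (a | w)

def acl_permits(entries: List[AclEntry], pkt: Packet) -> bool:
    """Top-down, first match wins, implicit deny at the end of every access list."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)):
            continue
        if e.eq_port is not None and e.eq_port != pkt.dport:
            continue
        return e.action == "permit"
    return False

def is_interesting(dl: DialerList, pkt: Packet) -> bool:
    """A packet is interesting when the dialer list, or its access list, permits it."""
    if isinstance(dl, str):
        return dl == "permit"
    return acl_permits(dl, pkt)

@dataclass
class LegacyDdrRouter:
    routes: Dict[str, str]                   # prefix -> next hop (ip route ...)
    dialer_maps: Dict[str, Tuple[str, str]]  # next hop -> (name, dial string)
    dialer_lists: Dict[int, DialerList]      # dialer-group number -> dialer list
    bri0_dialer_group: int                   # dialer-group applied to BRI0

    def next_hop(self, dst: str) -> Optional[str]:
        """Longest-prefix match over the static routes."""
        best = None
        for prefix, nh in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh)
        return best[1] if best else None

    def ddr_decision(self, pkt: Packet, link_up: bool = False) -> Tuple[str, Optional[str]]:
        """("dial", number): interesting traffic brings BRI0 up via the dialer map;
        ("forward", "reset-idle" | None): the call is already up and only interesting
        traffic restarts dialer idle-timeout; ("drop", None): no route/map, or not interesting."""
        nh = self.next_hop(pkt.dst)
        if nh is None or nh not in self.dialer_maps:
            return ("drop", None)
        interesting = is_interesting(self.dialer_lists[self.bri0_dialer_group], pkt)
        if link_up:
            return ("forward", "reset-idle" if interesting else None)
        return ("dial", self.dialer_maps[nh][1]) if interesting else ("drop", None)

# RouterA from the access-list example above. The page gives the remote LAN
# 192.168.1.0 but no mask, so /24 is assumed here.
ACL_101 = [
    AclEntry("deny", "tcp", "any", "any", eq_port=23),   # Telnet never triggers a call
    AclEntry("deny", "tcp", "any", "any", eq_port=21),   # FTP control channel
    AclEntry("permit", "ip", "any", "any"),              # everything else is interesting
]

ROUTER_A = LegacyDdrRouter(
    routes={"192.168.1.0/24": "10.170.0.2"},                # ip route 192.168.1.0 255.255.255.0 10.170.0.2
    dialer_maps={"10.170.0.2": ("RouterB", "4085554000")},  # dialer map ip 10.170.0.2 name RouterB 4085554000
    dialer_lists={1: "permit", 2: ACL_101},                 # dialer-list 1 ... permit / dialer-list 2 ... list 101
    bri0_dialer_group=2,                                    # dialer-group 2 on interface bri0
)
```

Switching bri0_dialer_group to 1 reproduces the simple example, where any IP packet, Telnet included, brings the line up.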
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• ISDN DDR enables routers to connect on an as-needed basis and therefore can result in significant cost savings.
• The global configuration dialer-list command is used to define interesting traffic.
• Access lists can also be used with dialer lists to provide more granular control.
Summary (Cont.)
• The interface configuration dialer-group command is used to apply a dialer list to an ISDN BRI interface.
• The interface configuration dialer map command is used to specify how to connect to a remote site.
• Call parameters which can be specified include dialer idle-timeout, dialer fast-idle, and dialer load-threshold.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) What type of traffic is passed on to the router in DDR?
A) uninteresting traffic
B) uninvited traffic
C) invited traffic
D) interesting traffic
Q2) A DDR-configured Cisco access router initiates a connection to a remote router _____?
A) as soon as the connection is broken
B) when it detects “interesting traffic” bound for a remote site
C) when the network administrator issues a no shutdown command on the Ethernet interface
D) when the network administrator issues a shutdown command on the Ethernet interface
Q3) Which Cisco router command defines what constitutes interesting traffic?
A) dialer-group
B) dialer-map
C) dialer-list
D) dialer-interesting
Q4) Which Cisco router command applies the dialer list specifications to an interface?
A) dialer-group
B) dialer-map
C) dialer-list
D) dialer-interesting
Q5) Which Cisco router command specifies source, destination, and protocols that define interesting traffic that will initiate a DDR call?
A) dialer-group
B) dialer-map
C) dialer-list
D) access-list
Q6) Which Cisco router command identifies destination router information, such as the telephone number to dial?
A) dialer-group
B) dialer-map
C) dialer-list
D) dialer-access-list
Q7) Which Cisco router command feature associates permitted IP traffic with dialer group 1?
A) dialer-group 1
B) dialer map
C) dialer-list 1 protocol ip permit
D) dialer idle-timeout 1
Q8) Which Cisco router command configures static routes to subnets on remote router Ethernet interfaces?
A) access-list 101 permit
B) access-list 101 deny
C) ip route
D) dialer list 2 protocol ip list 101
Quiz Answer Key
Q1) A    Relates to: DDR Operation
Q2) B    Relates to: DDR and ISDN Usage
Q3) C    Relates to: DDR Configuration Tasks
Q4) A    Relates to: Interesting Traffic for DDR
Q5) D    Relates to: Access Lists for DDR
Q6) B    Relates to: Destination Parameters for DDR
Q7) C    Relates to: Configuration Example: RouterB
Q8) C    Relates to: Access List for DDR Example
Verifying ISDN and DDR Configurations
Overview
ISDN still serves as a viable technology in many parts of the world. It is commonly used in a
WAN environment as a backup technology for Frame Relay. ISDN is also used for small
office, home office (SOHO) connectivity in areas where a digital subscriber line (DSL) or cable
modem technology is not available. This lesson provides an overview of various commands to
verify ISDN and dial-on-demand routing (DDR) connectivity.
Relevance
Implementing and troubleshooting ISDN is a necessary skill for network engineers.
Objectives
Upon completing this lesson, you will be able to:
Monitor ISDN connections
Verify and troubleshoot ISDN environments using debug commands
Monitor the ISDN BRI D channel
Monitor the ISDN BRI B channels
Monitor PPP on an ISDN BRI connection
Test an ISDN and DDR connection
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
ISDN BRI Monitoring
ISDN Layer 2 debug Commands
ISDN Layer 3 debug Commands
ISDN BRI D Channel Monitoring
ISDN BRI B Channel Monitoring
PPP on BRI Monitoring
DDR Configuration Test
Summary
Quiz
ISDN BRI Monitoring
This topic describes the show isdn status command, which is useful when monitoring and
troubleshooting Layer 1 and Layer 2 of an ISDN BRI configuration. Various commands are
required to monitor and troubleshoot ISDN BRI and DDR connections.
ISDN BRI Monitoring
Use the show isdn status command to display a status summary of each of the three ISDN
layers. The command is very useful to determine if Layer 1 and Layer 2 are active and are
properly communicating with the telco ISDN switch. After this has been verified, you can
proceed to higher-level troubleshooting issues such as dialer interfaces, interesting traffic
definitions, PPP negotiation, and authentication failures.
The output displayed in the figure is an example of a properly functioning BRI circuit. In this
example, the correct switch type has been configured and Layer 1 is ACTIVE. The command
also reports that Layer 2 has been successfully negotiated because it is displaying the TEI and
the MULTIPLE_FRAME_ESTABLISHED state. Finally, the output reports that the ISDN
Layer 3 (end-to-end) is ready to make or receive calls.
The following tables show status messages for the Layer 1 and 2 states, as well as
troubleshooting tips.

Layer 1 Status Messages

ACTIVE
    There is physical connectivity with the telco ISDN switch.
DEACTIVATED
    There is no physical connectivity with the telco ISDN switch. Check the following:
    BRI not shut down (no shutdown) - Is interface up/up?
    Check cabling
    External NT-1 required and not connected or operational?
    Service from telco down
GOINGDOWN, INIT, TESTING, RESET, DELEATED (sic), SHUTDOWN, ACTIVATING, ACTIVE_ErrorInd
    Most of the Layer 1 states are temporary. Use the clear interface bri number command to clear them. If those states persist for extended periods, contact the telco for further troubleshooting.

Layer 2 Status Messages

TEI = #
    Valid TEI number range is 64 to 126.
MULTIPLE_FRAME_ESTABLISHED
    Indicates there is data-link connectivity to the telco ISDN switch. This is the state that you should see under normal operations. Any other state usually indicates a problem on the circuit.
Layer 2 is NOT Activated
    Layer 2 is down. Use the debug isdn q921 command to help troubleshoot.
TEI_ASSIGNED
    Indicates that the router has lost connectivity to the switch. Check the following:
    Verify configured switch-type setting
    Verify SPID settings, if required
    Verify with service provider the correct values
TEI_UNASSIGNED, ASSIGN_AWAITING_TEI, ESTABLISH_AWAITING_TEI, AWAITING_ESTABLISHMENT, AWAITING_RELEASE, TIMER_RECOVERY
    Most of these Layer 2 states are temporary. Use the clear interface bri number command to reestablish connectivity. If those states persist for extended periods, use the debug isdn q921 command for further troubleshooting.
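An added example, not from the course, that parses constructed show isdn status output and turns the Layer 1 and Layer 2 states into the checks listed in the tables above; the sample output text, its values, and the helper names parse_isdn_status and isdn_checks are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed 'show isdn status' output modelled on the healthy BRI the lesson
# describes; the values are made up for this example. parse_isdn_status and
# isdn_checks are hypothetical helpers, not IOS commands.
HEALTHY_STATUS = """\
Global ISDN Switchtype = basic-5ess
ISDN BRI0 interface
        dsl 0, interface ISDN Switchtype = basic-5ess
    Layer 1 Status:
        ACTIVE
    Layer 2 Status:
        TEI = 64, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
    Layer 3 Status:
        0 Active Layer 3 Call(s)
    Active dsl 0 CCBs = 0
    The Free Channel Mask:  0x80000003
"""

# Constructed output for a circuit with no physical connectivity to the switch
DOWN_STATUS = """\
Global ISDN Switchtype = basic-dms100
ISDN BRI0 interface
        dsl 0, interface ISDN Switchtype = basic-dms100
    Layer 1 Status:
        DEACTIVATED
    Layer 2 Status:
        Layer 2 NOT Activated
    Layer 3 Status:
        0 Active Layer 3 Call(s)
"""

L2_LINE = re.compile(r"TEI = (\d+).*State = (\w+)")


def parse_isdn_status(text: str) -> Dict[str, str]:
    """Extract switch type, Layer 1 state, Layer 2 state and TEI from show isdn status."""
    result = {"switch_type": "", "layer1": "", "layer2": "", "tei": ""}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Global ISDN Switchtype = "):
            result["switch_type"] = line.split("= ", 1)[1]
        elif line.startswith("Layer 1 Status"):
            section = "layer1"
        elif line.startswith("Layer 2 Status"):
            section = "layer2"
        elif line.startswith("Layer 3 Status"):
            section = None
        elif section == "layer1" and not result["layer1"]:
            result["layer1"] = line                      # e.g. ACTIVE, DEACTIVATED
        elif section == "layer2" and not result["layer2"]:
            m = L2_LINE.search(line)
            if m:
                result["tei"], result["layer2"] = m.group(1), m.group(2)
            else:
                result["layer2"] = line                  # e.g. "Layer 2 NOT Activated"
    return result


def isdn_checks(status: Dict[str, str]) -> List[str]:
    """Map the parsed states to the troubleshooting steps in the tables above;
    an empty list means Layer 1 and Layer 2 look healthy."""
    findings = []
    l1, l2, tei = status["layer1"], status["layer2"], status["tei"]
    if l1 == "DEACTIVATED":
        findings.append("Layer 1 DEACTIVATED: check no shutdown on the BRI, cabling, "
                        "external NT-1, and telco service")
    elif l1 != "ACTIVE":
        findings.append(f"Layer 1 {l1}: usually transient; clear interface bri <n>, "
                        "contact the telco if it persists")
    if "NOT Activated" in l2:
        findings.append("Layer 2 not activated: troubleshoot with debug isdn q921")
    elif l2 == "TEI_ASSIGNED":
        findings.append("Layer 2 TEI_ASSIGNED: verify switch-type and SPIDs with the provider")
    elif l2 != "MULTIPLE_FRAME_ESTABLISHED":
        findings.append(f"Layer 2 {l2}: usually transient; clear interface bri <n>, "
                        "debug isdn q921 if it persists")
    if tei and not 64 <= int(tei) <= 126:
        findings.append(f"TEI {tei} is outside the valid range 64 to 126")
    return findings
```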
ISDN Layer 2 debug Commands
This topic describes the debug isdn q921 command, which is useful when monitoring and
troubleshooting Layer 2 of an ISDN BRI configuration.
ISDN Layer 2 debug Commands
Router#debug isdn q921
• Shows data-link layer messages (Layer 2) on the D channel between the access router and the ISDN switch
To monitor Layer 2 problems, use the debug isdn q921 EXEC command. The command
displays real-time data-link layer (Layer 2) access procedures that are taking place at the access
router on the D channel (LAPD) of its ISDN interface. This command is useful when you want
to observe signaling events between the access router and the ISDN switch.
ISDN Layer 3 debug Commands
This topic describes the debug isdn q931 command, which is useful when monitoring and
troubleshooting Layer 3 of an ISDN BRI configuration.
ISDN Layer 3 debug Commands
Router#debug isdn q931
• Shows call setup and teardown of ISDN network connections (Layer 3) between the access router and the ISDN switch
To display information about call setup and teardown of ISDN network connections (Layer 3)
between the local router (user side) and the network, use the debug isdn q931 EXEC
command. The router tracks activities that occur on the user side only, not the network side of
the network connection.
The debug isdn output for q921 and q931 is limited to commands and responses exchanged
during peer-to-peer communication carried over the D channel. This debug information does
not include data transmitted over the B channels that are also part of the router ISDN interface.
Multiple debug commands can be entered concurrently. Results will display in real time as they
occur, so output may be intermingled.
ISDN BRI D Channel Monitoring
This topic describes the show interface command, which is useful when monitoring an ISDN
BRI D channel configuration.
ISDN BRI D Channel Monitoring
Use the show interfaces bri privileged EXEC command without arguments to display
information about the BRI interface D channel only.
Command syntax:
show interfaces bri number[:bchannel] | [first] [last]
The arguments for the show interfaces bri command are shown in the following table.
show interfaces bri Command

number
    Interface number.
:bchannel
    (Optional) Colon (:) followed by a specific B channel number.
first
    (Optional) Specifies the first of the B channels; the value can be either 1 or 2 for BRI.
last
    (Optional) Specifies the last of the B channels; the value can only be 2 for a BRI.
The show interfaces bri command displays the first B channel on the BRI. The alternate value
for this field is 2, which displays information about the second B channel. To display both B
channels (first and last), enter show interfaces bri number 1 2.
If the router is an older platform and is a TE2 (non-native BRI with an external terminal
adapter), use the show interfaces serial command.
Note that in the figure, line protocol is up (spoofing). This does not mean that the B channel is
active, but that it is pretending, or spoofing, to be up. This is required because routes known
through this interface would otherwise be removed from the routing table. This permits packets
to be forwarded to the interface. Whether or not the packets trigger the link depends on the
dialer list that is configured for the interface.
The number of resets is not important for ISDN connections.
ISDN BRI B Channel Monitoring
This topic describes the show interface command, which is useful when monitoring an ISDN
BRI B channel configuration.
ISDN BRI B Channel Monitoring
Use the show interfaces bri number 1 2 (or sh int) command to display information about the
B1 and B2 channels. If the command is entered without the parameters 1 and 2, only D channel
status is shown.
For information about the DDR configuration or functions used by ISDN, use the show dialer
and debug dialer commands.
PPP on BRI Monitoring
This topic describes the show interface command, which is useful when monitoring an ISDN
BRI PPP configuration.
PPP on BRI Monitoring
After you have configured for ISDN connectivity, you can check the interface to see evidence
of your configuration and some of the resulting call setup details. If your router acts as a TE1
(has a native BRI), use the show interfaces bri EXEC command to monitor the interface and
optionally, the individual B channels for the BRI interface.
The command displays information on the encapsulation and channel status for LCP and
Network Control Protocol (NCP), including the protocols that can transmit over the link. The
figure displays output for the first B channel of the BRI. It shows that the interface is
configured for PPP encapsulation, that LCP is Open (currently active), and that NCP is Open
and has negotiated the protocols IP and Cisco Discovery Protocol (CDP) on the link.
DDR Configuration Test
This topic describes the debug dialer command and other commands, which are useful when
troubleshooting a DDR configuration.
DDR Configuration Test
The debug dialer command displays debugging information about the packets received on a
dialer interface. Some of the information indicates whether the multilink is up after
authentication.
The debug dialer command also shows when overload occurs.
The isdn test call interface and isdn disconnect interface commands are useful when testing
an ISDN and DDR configuration.
DDR Configuration Test (Cont.)
Router#isdn test call interface interface-number dialing-string [64]
Branch#isdn call interface bri 0 5552001
• Used to test your DDR configuration
Router#isdn disconnect interface interface-type interface-number {b1 | b2 | all}
Branch#isdn disconnect interface bri 0 all
• Disconnects any data calls placed manually or caused by DDR
The isdn test call interface command can be used to test the DDR configuration. Introduced in
Cisco IOS software Release 12.0(3)T, this command can also be used to verify the dialing
string and speed without having to know the IP address of the remote router or without
configuring a dialer map or string.
Use the isdn disconnect interface command to disconnect any ongoing data calls placed
manually or caused by DDR.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• The show isdn status command can display a status summary of each of the three ISDN layers.
• The debug isdn q921 and debug isdn q931 commands display Layer 2 and Layer 3 debugging information.
• The show interface bri command can be used to display PPP, B channel, and D channel information.
Summary (Cont.)
• The debug dialer command displays debugging information about the packets received on a dialer interface.
• To test your DDR connection, use the isdn call interface command.
• To disconnect a call, use the isdn disconnect interface command.
Next Steps
For the associated lab exercise, refer to the following section of the course Lab Guide:
Lab Exercise 6-1: Using ISDN and DDR to Enhance Remote Connectivity
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which Cisco router command is used to display data-link layer (Layer 2) access procedures that are taking place at the access router on the D channel (LAPD) of its ISDN interface?
A) debug isdn q921
B) debug isdn q931
C) debug isdn q920
D) debug isdn q941
Q2) Which Cisco router command is used to display network layer (Layer 3) access procedures that are taking place at the access router on the D channel (LAPD) of its ISDN interface?
A) debug isdn q921
B) debug isdn q931
C) debug isdn q941
D) debug isdn q951
Q3) Which Cisco router command is used to display information about the BRI interface D channel only?
A) show interface serial 0/0
B) show interface Ethernet 0/0
C) show interface bri 0 1
D) show interface bri 0
Q4) Which Cisco router command is used to display information about the channel?
A) show interface serial 0/0
B) show interface Ethernet 0/0
C) show interface bri 0 1
D) show interface bri 0 2
Q5) After you have configured for ISDN connectivity, you can check the interface to see evidence of your configuration.
A) true
B) false
Q6) The isdn call interface command can be used to verify the ________.
A) IP address and speed
B) dialing string and IP address
C) dialing string and speed
D) connection
Quiz Answer Key
Q1) A    Relates to: ISDN Layer 2 debug Commands
Q2) B    Relates to: ISDN Layer 3 debug Commands
Q3) D    Relates to: ISDN BRI D Channel Monitoring
Q4) D    Relates to: ISDN BRI B Channel Monitoring
Q5) A    Relates to: PPP on BRI Monitoring
Q6) C    Relates to: DDR Configuration Test
Module 7
Using DDR Enhancements
Overview
This module introduces the configuration of dialer profiles and rotary groups.
Objectives
Upon completing this module, you will be able to:
Select appropriate dialup capabilities to place a call
Configure rotary groups and dialer profiles
Verify proper configuration and troubleshoot any incorrect configuration to properly
initiate a call
Configure and test the use of both ISDN B channels by calling the central and branch sites
from the SOHO site.
Outline
The module contains these lessons:
Describing the Dialer Profile
Configuring Dialer Profiles
Verifying and Troubleshooting a Dialer Profile Configuration
Describing the Dialer Profile
Overview
This lesson contains an overview of dialer profiles, which provide improvements over dialer
maps by separating the logical dialing configuration from the physical interfaces.
Relevance
To establish a dialup connection, there must be an understanding of the technology and
components required, and how to configure them. This lesson provides an overview of dialer
profile features and concepts.
Objectives
Upon completing this lesson, you will be able to:
Describe the purpose of a dialer profile
List the four elements of a dialer profile
Describe the use of dialer map classes
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Dialer Profile
Dialer Profile Features
Dialer Profile Elements
Dialer Map Classes
Summary
Quiz
Dialer Profile
This topic identifies the basic concepts of a dialer profile.
Figure: Dialer Profiles Overview
Dialer profiles separate the logical configuration from the interface receiving or making calls.
Profiles can turn features on or off, and can define encapsulation, access control lists, and
minimum or maximum calls.
With dialer profiles, the logical and physical configurations are dynamically bound to each
other on a per-call basis, which allows physical interfaces to dynamically take on different
characteristics based on incoming or outgoing call requirements.
Legacy dial-on-demand routing (DDR), although useful in many scenarios, is restrictive in
instances where it is desired to differentiate per user by defining different characteristics to
different users. This cannot be accomplished with legacy DDR.
Dialer profiles were designed as a new DDR model to allow a user access to a specific profile.
The profile would determine the characteristics of a particular user, and would be dynamically
bound to a physical interface for incoming or outgoing DDR calls.
Note
Dialer profiles support PPP, High-Level Data Link Control (HDLC), Frame Relay, or X.25
encapsulation for inbound or outbound dialing. PPP encapsulation is the recommended
choice, and the discussion here will focus on PPP.
The advantages of dialer profiles over legacy DDR include:
There is no requirement for a Layer 3-to-Layer 2 map, nor the added complexity of
managing multiple maps. Unlike legacy DDR, the dialer profile is a point-to-point
interface.
Dialer profiles allow you to configure different members of a physical interface with
different Layer 3 network addresses.
Dialer profiles allow physical interfaces to take on different characteristics that are based
on incoming or outgoing call requirements.
Dialer profiles allow a backup interface to be nondedicated and useable when the primary
interface is operational.
A DDR interface allows you to control the number of minimum and maximum
connections.
Note
Prior to using dialer profiles, the ISDN bearer (B) channels on a BRI or PRI inherited the
same physical interface configuration. When used as a backup interface, all B channels were
down and unusable until the interface came out of backup mode. Dialer profiles solved this
issue.
Dialer Profile Features
This topic describes the different features of dialer profiles.
Figure: Dialer Profiles Overview
Dialer profiles were first introduced in Cisco IOS Software Release 11.2. They help users
design and deploy complex and scalable circuit-switched internetworks by implementing a new
DDR model in Cisco routers and access servers. Dialer profiles separate the logical portion of
DDR (that is, the network layer, encapsulation, and dialer parameters) from the physical
interface that places or receives calls.
Dialer profiles address several dialup issues:
One configured interface per ISDN interface: Before dialer profiles, all ISDN B
channels inherited the configuration of the physical interface.
Dialer map complexity: Before dialer profiles, one dialer map was required per dialer per
protocol, making multiprotocol configurations very complex.
Limited dial backup: When a BRI or PRI is used to back up an interface, all the B
channels are down and the entire interface is idle. None of the B channels could be used
until the interface came out of backup mode. In addition, in a packet-switching
environment with many virtual circuits that may need to be backed up individually, the
one-to-one relationship between interfaces and backup interfaces would not scale well.
Dialer profiles let you create different configurations for each call on an ISDN interface,
providing these configuration advantages:
Different IP subnets: You can configure each call on the ISDN interface with different IP
subnets.
Different encapsulations: You can use a different encapsulation for each call on the ISDN
interface. However, only PPP and HDLC encapsulation are now supported.
Different DDR parameters: You can set different DDR parameters for each call on the
ISDN interface.
Multiple dialer pools: You can eliminate the waste of ISDN B channels by letting ISDN
BRI interfaces belong to multiple dialer pools.
Note
Because of changes that were made to dialer profiles, it is recommended that Cisco IOS
Software Release 12.1 or later be used.
Dialer Profile Elements
This topic describes the elements that make up a dialer profile.
Figure: Dialer Profile Elements
A dialer profile consists of these elements:
Dialer interface: A logical entity that uses a per-destination dialer profile.
— All configuration settings specific to the destination go into the dialer interface
configuration. Multiple dialer maps can be specified for the same dialer interface. A
dialer map can be associated with different per-call parameters that are defined with
each dialer map class.
— The dialer interface is configured with the IP address of the destination network,
encapsulation type, PPP authentication type, dialer remote name (for PPP Challenge
Handshake Authentication Protocol [CHAP]), dialer string or dialer map, dialer pool
number, dialer group number, dialer list number, Multilink PPP (MLP), and optional
dialer idle-timeout and dialer inband entries.
Map class: An optional element that defines specific characteristics for a call to a specified
dial string.
Dialer pool: Each dialer interface references a dialer pool, which is a group of one or more
physical interfaces associated with a dialer profile.
Physical interfaces: Interfaces in a dialer pool are configured for encapsulation parameters
and to identify the dialer pools of which the interface is a member.
— Dialer profiles support PPP or HDLC encapsulation, PPP authentication (Password
Authentication Protocol [PAP] or CHAP), and MLP.
Note
Channelized T1: Access link operating at 1.544 Mbps that is subdivided into 24
channels (23 B channels and 1 data (D) channel) of 64 kbps each. The individual
channels or groups of channels connect to different destinations. It supports DDR,
Frame Relay, and X.25, and is also called fractional T1.
Dialer Map Classes
This topic describes dialer map classes.
Figure: Dialer Map Classes
Map classes are optional. They are used to specify different characteristics for different types of
calls on a per-destination basis.
In the figure shown, three map classes are used with the dialer interfaces. The telephone
number being called determines which map class to use. A different map class might be used if
a different number is called.
The same map class can be used for multiple dialer interfaces. The configuration parameters of
a map class are specific to one or more destinations.
As an example, the map class for one destination might specify an ISDN speed of 64 kbps,
while a map class for a different destination might specify an ISDN semipermanent connection.
The dialer map class can also contain optional dialer timing parameters, including dialer fast-idle, dialer idle-timeout, and dialer wait-for-carrier-time.
Summary
This topic summarizes the key points discussed in this lesson.
Dialer profile elements include:
• Dialer interface
• Dialer pool
• Physical interfaces
• Optional dialer map-class
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which Cisco router feature was designed as a new DDR model to allow a user access
to a specific profile?
A) dialer calls
B) dialer maps
C) dialer profiles
D) dialer groups
Q2) Which Cisco router feature separates the logical portion of DDR (for example, the
network layer, encapsulation, and dialer parameters) from the physical interface that
places or receives calls?
A) dialer groups
B) dialer calls
C) dialer maps
D) dialer profiles
Q3) Which element of the dialer profile is a logical entity that uses a per-destination dialer
profile?
A) a dialer interface
B) the dialer map class
C) a dialer pool
D) physical interfaces
Q4) Which optional Cisco dialer map router feature is used to specify different
characteristics for different types of calls on a per-destination basis?
A) map rooms
B) map profiles
C) map classes
D) map calls
Quiz Answer Key
Q1) C (Relates to: Dialer Profile)
Q2) D (Relates to: Dialer Profile Features)
Q3) A (Relates to: Dialer Profile Elements)
Q4) C (Relates to: Dialer Map Classes)
Configuring Dialer Profiles
Overview
This lesson covers dialer profile configuration and how it relates the logical configuration to the
physical interface.
Relevance
To establish dialup connections using dialer profiles, you must understand the steps to
configure a dialer profile.
Objectives
Upon completing this lesson, you will be able to:
Configure physical interfaces to operate with dialer profiles
Create multiple dialer profiles
Configure dialer interfaces to be used in a dialer profile
Customize a dialer profile for the dialup connection
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Dialer Profile Configuration Concepts and Commands
Typical Dialer Profile Application
Configuration of Dialer Interfaces
Configuration of Physical Interfaces
Dialer Profiles Configuration Example
Summary
Quiz
Dialer Profile Configuration Concepts and Commands
This topic describes the basic configuration steps for a dialer profile.
Figure: Dialer Profile Configuration Concepts and Commands
The configuration commands that create the relationships between the elements of a dialer
profile are displayed in the figure. The commands and the configuration mode in which they
are used are described in the following table.
Dialer Profile Configuration Commands
Command: dialer string number class map class-name
Description: A dialer interface command that specifies the telephone number of the
destination. The use of the optional keyword class, followed by the map class
name, points to a specific map class and uses the configuration commands of
that map class in the call.
Command: dialer pool number
Description: A dialer interface command that specifies the pool of physical interfaces
available to reach the destination subnetwork. A number between 1 and 255
identifies the pool.
Command: dialer pool-member number
Description: An interface configuration command that associates and places a physical
interface in a specifically numbered pool. A physical interface can belong to
multiple dialer pools. Contention for a specific physical interface is resolved
with a configured priority, which is optional.
Note
When you use the dialer pool command to configure a dialer interface, you create a dialer
profile. You must use the dialer string command to allow the router to dial out.
Typical Dialer Profile Application
This topic describes an example of a dialer profile application.
Figure: Typical Dialer Profile Application
The configuration displayed in this figure provides an example of a typical application of dialer
profiles. Network RouterA has dialer interface 1 for DDR with subnetwork 10.1.1.0, and dialer
interface 2 for DDR with subnetwork 10.2.2.0.
Calls destined for subnetwork 10.1.1.0, and any of the networks reachable through it (networks
3, 4, and 5), use dialer interface 1.
Calls destined for subnetwork 10.2.2.0, and any of the networks reachable through it (networks
6, 7, and 8), use dialer interface 2.
Configuration of Dialer Interfaces
This topic describes the configuration of multiple dialer profiles.
Figure: Configuration of Dialer Interfaces
To configure dialer profiles, perform these tasks:
1. Configure one or more dialer interfaces.
2. Configure a dialer string and optionally a dialer map class to specify different
characteristics on a per-call basis.
3. Configure the physical interfaces and attach them to a dialer pool.
Any number of dialer interfaces can be configured on a router. Each dialer interface is the
complete configuration for a destination. The interface dialer global command creates a dialer
interface and enters interface configuration mode.
The figure displays dialer profiles that are created using the commands listed in the table.
interface dialer Commands
Command: ip address address mask
Description: Specifies the IP address and mask of the destination network.
Command: dialer remote-name name
Description: Specifies the remote router name, which is passed for CHAP authentication.
Command: dialer string string class map class-name
Description: Defines the telephone number of the destination router, and supports
optional map classes. Map classes are covered in the next table.
Command: dialer load-threshold load [outbound | inbound | either]
Description: Specifies at what traffic load additional links will be brought up for MLP.
Valid values are 1 to 255. Optionally, you may specify which direction of traffic is
used to calculate the actual load. If you want the links to remain in an MLP bundle
indefinitely, use a very high dialer idle-timeout value (9999, for example) instead of
a dialer load-threshold.
Command: dialer hold-queue number-of-packets
Description: Specifies the length of the queue for packets that are waiting for the line
to come up. Valid values are from 0 to 100.
Command: dialer pool number
Description: Binds a dialer interface to a dialer pool configured with the dialer
remote-name command that gives the CHAP username for a remote user. Valid values
are from 1 to 255.
Command: dialer-group group-number
Description: Specifies a dialer list that defines “interesting” packets to trigger a call
for DDR. The dialer-list command can reference access lists to more specifically
define “interesting” packets. Valid values are from 1 to 10.
Command: ppp multilink
Description: Specifies that this dialer interface uses MLP. This command is placed on the
physical interface for incoming calls, in the dialer profile for outgoing calls, and on
both the interface and dialer profile when incoming and outgoing calls are expected.
Command: dialer-list group-number
Description: Associates a DDR dialer list for dialing by protocol or by a combination of
protocols and a previously defined access list.
After the interface is configured, an optional dialer map class can be defined. Use the
map-class dialer class-name command to specify a map class and enter map class
configuration mode. In the figure, the dialer “interface dialer3” is associated with map
class “Eng.” Any dialer associated with this map class will set the ISDN line speed to
56 kbps. You can set the speed to 56 kbps, but 64 kbps is the default value.
The following table shows other map-class commands that are available in map class
configuration mode.
map-class Commands
Command: dialer isdn [speed 56 | spc]
Description: Specifies the ISDN line speed. The default is 64 kbps; therefore, the
parameter is used only with 56-kbps line speed. [spc] is used for specifying that an
ISDN semipermanent connection will be used for calls associated with this map.
Command: dialer idle-timeout seconds
Description: Specifies the idle timer value to use for the call. This timer disconnects
the call if there has been no data for the specified time. Defaults to 120 seconds.
Command: dialer fast-idle seconds
Description: Specifies the fast-idle timer value to use for a call. This timer specifies a
quick disconnect time if there is another call waiting for the same interface and the
interface is idle. The waiting call will not have to wait for the idle timer to expire.
Defaults to 20 seconds.
Command: dialer wait-for-carrier-time seconds
Description: Specifies the Carrier Detect (CD) time value to use for the call. The call
is abandoned if no carrier is detected within the time value specified.
Configuration of Physical Interfaces
This topic describes the steps that are needed to configure the physical interfaces used by the
dialer profiles.
Figure: Configuration of Physical Interfaces
Use the dialer pool-member command to assign a physical interface to a dialer pool. An
interface can be assigned to multiple dialer pools by using this command to specify several
dialer pool numbers. A combination of synchronous serial, BRI, or PRI interfaces can be
assigned to dialer pools.
Use the priority option of this command to set the interface priority within a dialer pool. The
priority keyword is used only when dialing out.
The following table shows the arguments that are used with the dialer pool-member
command.
dialer pool-member Command
Argument: number
Description: Specifies the dialer pool number. This is a decimal value from 1 to 255.
Argument: priority priority-number
Description: Sets the priority of the physical interface within the dialer pool. This is a
decimal value from 1 (lowest) to 255 (highest). Interfaces with the highest priority
number are selected first when dialing out. Use this to determine which interfaces are
used the most, or which are reserved for special pool uses.
Argument: min-link minimum
Description: Sets the minimum number of ISDN B channels on an interface reserved for
this dialer pool. This is a number from 1 to 255 (used for dialer backup).
Argument: max-link maximum
Description: Sets the maximum number of ISDN B channels on an interface that can be
used for this dialer pool. This is a number from 1 to 255.
Note
The optional min-link and max-link apply to ISDN interfaces only. The max-link defaults to
255, and the min-link defaults to 0. A reserved channel is inactive until it is used by the
specified interface.
Dialer Profiles Configuration Example
This topic describes an example configuration of two dialer profiles.
Figure: Dialer Profiles Configuration Example
The dialer interfaces are visible to the upper-layer protocols only, not to the physical interfaces
making up the dialing pool. Because one dialer interface maps to one destination, addressing,
access lists, and static routes can be specified on a per-destination basis, regardless of which
interface actually carries out the call.
Dialer commands can be configured under the dialer interface directly. The same command
may appear more than once, possibly with different parameters. The order of precedence is as
follows (from highest to lowest):
Map class parameters
Interface parameters
Note
Refer to the “Configuring Dialer Interfaces” figure earlier in this lesson for examples of the
use and syntax for the map-class command.
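The bindings this lesson walks through (dialer interface to dialer pool to physical pool member, dialer-group to dialer-list, dialer string class to map-class) can be checked before a call is ever attempted. The following Python script is an added example, not course material: it parses a constructed running-config excerpt built from the command tables above and reports any binding that is missing; the interface names, pool numbers, phone number and addresses in the sample are assumptions.

```python
"""Static checks for a Cisco IOS dialer-profile configuration.

Added example, not part of the BCRAN material: it parses a constructed
running-config excerpt and verifies the bindings the lesson describes
(dialer interface -> dialer pool -> physical pool member, dialer-group ->
dialer-list, dialer string ... class -> map-class).  Interface names,
numbers and addresses in the sample are assumptions.
"""
import re
from typing import Dict, List, Set

# Constructed sample configuration modelled on the command tables above.
SAMPLE_CONFIG = """\
interface BRI0
 encapsulation ppp
 ppp authentication chap
 dialer pool-member 1 priority 100
!
interface Dialer1
 ip address 10.1.1.1 255.255.255.0
 encapsulation ppp
 dialer remote-name RouterB
 dialer string 5551111 class Eng
 dialer pool 1
 dialer-group 1
 ppp authentication chap
!
map-class dialer Eng
 dialer isdn speed 56
 dialer idle-timeout 300
!
dialer-list 1 protocol ip permit
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into {section header: [indented sub-commands]}.

    Unindented one-liners such as dialer-list become headers with no body."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None          # "!" ends the current section
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line
            sections.setdefault(current, [])
    return sections


def check_dialer_profiles(config: str) -> List[str]:
    """Return findings for every interface Dialer<n>; [] means bindings are complete."""
    sections = parse_sections(config)
    findings: List[str] = []

    # What exists, so references from the dialer interfaces can be resolved.
    pools_with_members: Set[int] = set()
    for lines in sections.values():
        for line in lines:
            m = re.match(r"dialer pool-member (\d+)", line)
            if m:
                pools_with_members.add(int(m.group(1)))
    map_classes = {h.split()[-1] for h in sections if h.startswith("map-class dialer ")}
    dialer_lists = {int(h.split()[1]) for h in sections if h.startswith("dialer-list ")}

    for header, lines in sections.items():
        if not header.startswith("interface Dialer"):
            continue
        name = header.split()[1]
        body = "\n".join(lines)

        # Binding to a pool that actually has a physical member.
        m = re.search(r"^dialer pool (\d+)$", body, re.M)
        if not m:
            findings.append(f"{name}: no dialer pool set")
        elif int(m.group(1)) not in pools_with_members:
            findings.append(f"{name}: dialer pool {m.group(1)} has no pool-member (no free dialer)")

        # A number to call, and a map-class that exists if one is referenced.
        m = re.search(r"^dialer string (\S+)(?: class (\S+))?$", body, re.M)
        if not m:
            findings.append(f"{name}: no dialer string set")
        elif m.group(2) and m.group(2) not in map_classes:
            findings.append(f"{name}: map-class {m.group(2)} referenced but not defined")

        # Interesting-traffic definition: dialer-group 1..10 -> matching dialer-list.
        m = re.search(r"^dialer-group (\d+)$", body, re.M)
        if not m:
            findings.append(f"{name}: no dialer-group defined")
        elif not 1 <= int(m.group(1)) <= 10:
            findings.append(f"{name}: dialer-group {m.group(1)} outside the valid range 1-10")
        elif int(m.group(1)) not in dialer_lists:
            findings.append(f"{name}: dialer-list {m.group(1)} not defined")

        # Layer 3 address and administrative state.
        if not re.search(r"^ip (address|unnumbered) ", body, re.M):
            findings.append(f"{name}: no ip address, ip unnumbered or ip address negotiated")
        if "shutdown" in lines:
            findings.append(f"{name}: interface is shut down")
    return findings
```

The findings are worded after the debug dialer messages quoted in the next lesson, so a hit from the script points at the same fix as the corresponding debug line.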
Summary
This topic summarizes the key points discussed in this lesson.
• Dialer profiles allow logical and physical configurations to be dynamically bound to each
other on a per-call basis.
• Basic configuration of an interface dialer includes dialer string, dialer pool, dialer-group,
encapsulation, and logical address.
• Physical interfaces are assigned via the dialer pool-member command.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which interface configuration command associates and places a physical interface in a
specifically numbered pool?
A) dialer pool-member number
B) dialer pool number
C) dialer string number class map class-name
D) dialer interface
Q2) Which dialer interface command specifies the phone number of the destination?
A) dialer interface
B) dialer string number class map class-name
C) dialer pool number
D) dialer pool-member number
Q3) Which Cisco router global command creates a dialer interface and enters interface
configuration mode?
A) interface caller
B) interface group
C) interface dialer
D) interface port
Q4) Which Cisco router command is used to assign a physical interface to a dialer pool?
A) dialer pool-member
B) pool-dialer member
C) dialer member-pool
D) pool member-dial
Q5) At which Cisco router configuration level are dialer profile commands configured?
A) under the serial interface directly
B) under the dialer interface directly
C) under the Ethernet interface directly
D) under the BRI interface directly
Quiz Answer Key
Q1) A (Relates to: Dialer Profile Configuration Concepts and Commands)
Q2) B (Relates to: Typical Dialer Profile Application)
Q3) C (Relates to: Configuration of Dialer Interfaces)
Q4) A (Relates to: Configuration of Physical Interfaces)
Q5) B (Relates to: Dialer Profiles Configuration Example)
Verifying and Troubleshooting a Dialer Profile Configuration
Overview
This lesson covers the commands that are used to verify and troubleshoot a dialer profile
configuration.
Relevance
To verify and troubleshoot the operation of a dialup connection using dialer profiles, you must
understand the show and debug commands.
Objectives
Upon completing this lesson, you will be able to:
Describe the output from the show dialer command
Describe the output from the show interfaces dialer command
Describe the output from the debug dialer command
Troubleshoot unsuccessful outgoing calls
Troubleshoot unsuccessful incoming calls
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Verification of Dialer Profiles
Outbound Dialing Issues
Outbound Binding Issues
Examples
Inbound Call Issues
Disconnect Issues
Summary
Quiz
Verification of Dialer Profiles
This topic describes the show dialer interface and show interface dialer commands.
Figure: Verification of Dialer Profiles
The show dialer interface bri number command displays information in the same format as
the legacy DDR statistics on incoming and outgoing calls.
In the figure, the message “Dialer state is data link layer up” suggests that the dialer came up
properly.
If the message “physical layer up” is displayed, it means that the line protocol came up but the
Network Control Protocol (NCP) did not.
In the figure, “Dial reason” refers to the source and destination addresses of the packet that
initiated the dialing.
Figure: Verification of Dialer Profiles (Cont.)
The show interface dialer command displays information on incoming and outgoing calls.
In the figure, the messages “Dialer1 is up, line protocol is up” and “BRI0:1 is up, line protocol
is up” suggest that the dialer came up properly.
The message “Interface is bound to BRI0:1” informs you that this dialer is bound to B
channel 1.
You also know that BRI0:1 is active and that the PPP encapsulation has been applied by the
dialer interface.
Outbound Dialing Issues
This topic describes the use of the debug dialer command.
Figure: Outbound Dialing Issues: Dialing Never Occurs
As is the case with legacy DDR, the most appropriate command for debugging dialer profile
problems is debug dialer. In the case of a successful call, the debug will not indicate any more
than the logged messages already have indicated. In the case of a failure, there are a number of
problems that can be the cause.
Enable debug dialer and generate interesting traffic to the peer. The router should attempt to
dial. In the figure, dialing is attempted but never occurs.
The following is an example output:
Router# debug dialer
Router# ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
*Oct 1 00:24:47.242: BR0 DDR: rotor dialout [priority]
*Oct 1 00:24:47.250: BR0 DDR: Dialing cause ip (s=192.168.1.1, d=10.1.1.1)
*Oct 1 00:24:47.250: BR0 DDR: Attempting to dial 5551111
Verify if debug dialer generates any debug output. If there is no debug dialer output, it is most
likely because the IP packet being sent is not routed to the dialer interface, or binding fails.
Outbound Binding Issues
This topic describes troubleshooting for unsuccessful outgoing calls.
Figure: Outbound Binding Issues: Dialing Never Occurs
Router# *Mar 1 07:20:45.676: Di15: Cannot place call, no dialer pool set
• Configure the dialer pool command on the dialer interface.
Router# *Mar 1 11:54:14.937: Di15: No free dialer - starting fast idle timer
• Enter the dialer pool-member command on the physical interface to associate it to the
dialer pool.
If the dialer profile is not associated with a dialer pool, debug dialer will indicate the following
for an outbound call:
*Mar 1 07:20:45.676: Di15: Cannot place call, no dialer pool set
The solution is to configure the dialer pool command on the dialer interface.
If the physical interface is not associated with any pool, the debug message on the calling router
will be the same as in the case where physical interfaces are no longer available, causing the
fast idle timer to trigger:
*Mar 1 11:54:14.937: Di15: No free dialer - starting fast idle timer
The solution is to enter the dialer pool-member command on the physical interface to
associate it to a dialer pool.
After you have verified that the dialer pool configuration is correct, perform the following
tasks:
Verify that IP is configured on the dialer interface. You should either have an IP address on
the interface or ip unnumbered type number (where type number is another interface on
which the router has an assigned IP address) or ip address negotiated.
Check whether the command ip routing is configured. When you look at your
configuration using the show running-config command, you should not see the command
no ip routing configured.
Ensure that there is a static route pointing at the dialer interface. The following example is
a static route for 172.22.53.0/24 with next-hop dialer 1:
Router(config)# ip route 172.22.53.0 255.255.255.0 dialer 1
Verify that the dialer interface is not in shutdown state. Use the show interface dialer
interface command to verify that the interface is up/up or check to see if no shutdown
exists under the dialer interface configuration.
Examples
This topic describes examples of troubleshooting when dialing does not occur.
Figure: Examples
• No dialer-group configured on the dialer interface:
  No dialer-group defined
• Dialer-list does not exist:
  dialer-list 1 not defined
• No physical interface available to make the call:
  No free dialer
• No dialer-string configured on the dialer interface:
  Cannot place call, no dialer string set
Another scenario occurs when there is debug output, but there is no “Attempting to Dial”
message generated. In this case, there is probably an IP packet routed to the interface, but the
router discards it and does not initiate the call for some reason. Look at the debug dialer output
to find out why the call attempt is not made.
The following are examples of output generated by the debug dialer command. The examples
focus on specific problems followed by possible solutions.
Example 1
*Mar 1 00:07:22.255: Di1 DDR: ip (s=10.1.0.1, d=192.168.201.1),
100 bytes, outgoing uninteresting (no dialer-group defined).
There is no dialer-group configured on the dialer interface. Add a dialer-group as in this
example:
interface Dialer1
 dialer-group 1
Example 2
*Mar 1 00:08:24.919: Di1 DDR: ip (s=10.1.0.1, d=192.168.201.1),
100 bytes, outgoing uninteresting (dialer-list 1 not defined).
There is a dialer group statement on the dialer interface, but the dialer list referred to does not
exist. Configure the dialer list as in this example:
dialer-list group-number protocol ip permit
Note
The value for group-number of the dialer-group command must match dialer-group-number
of the dialer-list command. For example, the number 1 in dialer-group 1 matches
dialer-list 1.
Example 3
*Mar 1 00:25:32.551: Di1 DDR: ip (s=10.1.0.1, d=192.168.201.1),
100 bytes, outgoing interesting (ip PERMIT)
*Mar 1 00:25:32.555: Di1 DDR: No free dialer - starting fast
idle timer.
In this case, the outgoing packet is considered interesting enough to bring up the link, but there
is no physical interface available to place the call. Make sure that dialer pool-member number
is configured in the physical interface and dialer pool number is configured in the dialer
interface. For example:
interface BRI0
 dialer pool-member 1
!
interface Dialer1
 dialer pool 1
Also, verify that the physical interface is not in shutdown state. Use the no shutdown
command on the physical interface.
Example 4
*Mar 1 00:37:24.235: Di1 DDR: ip (s=10.1.0.1, d=192.168.201.1),
100 bytes, outgoing interesting (ip PERMIT)
*Mar 1 00:37:24.239: Di1 DDR: Cannot place call, no dialer
string set.
In this case, no dialer string dial-string is configured on the dialer interface. The router wants
to place a call but does not know the number to call. Define a dialer string:
interface Dialer1
 dialer string 8134
Inbound Call Issues
This topic describes troubleshooting for unsuccessful incoming calls.
Inbound Call Issues
• Check configured dialer pool on dialer interface.
• Check authentication on the physical interface.
• Check remote dialer name on the dialer interface.
When incoming calls fail to connect with a dialer profile, there may be a problem with binding the
physical interface to the dialer interface for that call. Verify that the router meets one of the
conditions for binding.
Follow these steps:
Step 1
If the dialer profile is not associated with a dialer pool, debug dialer will indicate
the following for an inbound call:
*Mar 1 11:51:24.873: BRI0:1: Authenticated host Branch with no
matching dialer profile
Solution: Configure the dialer pool command on the dialer interface.
Step 2
There are four attempts to bind. Assuming that you have more than one dialer
profile, the calling line identification (CLID) and dialed number identification
service (DNIS) bind attempt fails, and PPP authentication is not configured
(preempting the possibility of the fourth test), then the following debug dialer
message will be generated on the called router:
*Mar 1 11:59:36.521: ISDN BR0:1: Incoming call rejected,
unbindable
Solution: Configure ppp authentication chap | pap [callin] on the physical
interface.
Step 3
If PPP authentication is enabled on the physical interface, then the fourth attempt to
bind will proceed. The router will use the authenticated username in an attempt to
bind to one of the dialer interfaces in the dialer pool. If that attempt fails, you will
see the following debug output on the called router.
*Mar 1 12:03:32.227: BRI0:1: Authenticated host Branch with no
matching dialer profile
Solution: Configure the dialer remote-name command on the dialer interface. The
name specified must exactly match the username provided by the remote router for
authentication. In this example, the authenticated username is “Branch.”
Disconnect Issues
This topic describes troubleshooting for calls that are unexpectedly disconnected.
Disconnect Issues
• Check dialer Idle-Timeout values.
• Check interesting traffic definition (ACL).
router#debug dialer packet
A common problem affecting dialup links is unexpected call drops. Dialer drops are calls that
are disconnected prematurely, or calls that never disconnect. There are many reasons for this,
including hardware failures and telco issues. However, one of the most common causes for
unexpected call drops is the expiration of the Idle-Timeout.
Another common Idle-Timeout problem occurs when the link does not disconnect because the
Idle-Timeout never expires. This situation can result in high toll charges for connections that
are charged, based on the time that the call is connected.
If the call disconnects unexpectedly, or the call never disconnects, check the dialer
Idle-Timeout and the interesting traffic definition. Use the debug dialer packet command to see if a
particular packet is interesting or not. For example:
Apr 26 01:57:24.483: Di1 DDR: ip (s=192.168.1.1, d=224.0.0.5),
64 bytes,
outgoing uninteresting (list 101)
Apr 26 01:57:26.225: Di1 DDR: ip (s=192.168.1.1, d=10.1.1.1),
100 bytes,
outgoing interesting (list 101)
In the example above, the first packet, an Open Shortest Path First (OSPF) hello to 224.0.0.5,
is uninteresting per access-list 101, while the second packet is interesting per access-list 101.
Adjust the dialer idle-timeout in the dialer interface configuration. The default is 120 seconds,
but you may wish to raise or lower this value depending on your needs.
Change the interesting traffic definition (configured with the dialer-list command). If the call
disconnects prematurely, you may wish to define the interesting traffic more loosely. If the call
never disconnects, change your interesting traffic definition to be more restrictive. For example,
you can define routing protocol traffic as uninteresting. The following is a sample interesting
traffic definition:
access-list 101 remark Interesting traffic for dialer-list 1
access-list 101 deny ospf any any
!--- mark OSPF as uninteresting. This will prevent OSPF hellos
!--- from keeping the link up.
access-list 101 deny udp any any eq ntp
!--- Define ntp traffic as NOT interesting.
!--- This will prevent periodic ntp traffic from keeping the
!--- link up indefinitely.
access-list 101 permit ip any any
!--- All other IP traffic is interesting. Change this
!--- depending on your traffic needs.
dialer-list 1 protocol ip list 101
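The Python script below is an added example, not part of the course material: it evaluates the interesting-traffic definition above the way the router does, parsing access-list 101 and the dialer-list that references it, applying the entries in order with the implicit deny at the end, and rendering the verdict in the debug dialer packet format shown earlier. It goes slightly beyond the lesson's list by also handling the dialer-list ... permit form from Example 2 and wildcard-mask addresses; the packets and the port-keyword table are constructed for the example.

```python
import ipaddress
import re

# Interesting-traffic definition from this lesson (the !--- comment lines omitted),
# embedded here as the sample input.
SAMPLE_CONFIG = """\
access-list 101 remark Interesting traffic for dialer-list 1
access-list 101 deny ospf any any
access-list 101 deny udp any any eq ntp
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
"""

# Constructed subset of IOS port keywords; enough for this example.
PORT_NAMES = {"ntp": 123, "domain": 53, "www": 80, "telnet": 23}

# Numbered extended ACL entry: action, protocol, source, destination, optional "eq port".
ACE_RE = re.compile(
    r"^access-list (?P<acl>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?$"
)


def _addr_matcher(spec):
    """Predicate for an IOS address spec: any, host A.B.C.D, or A.B.C.D wildcard."""
    if spec == "any":
        return lambda ip: True
    if spec.startswith("host "):
        target = int(ipaddress.IPv4Address(spec.split()[1]))
        return lambda ip: int(ip) == target
    base, wild = spec.split()
    base_i = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))  # wildcard 1-bits are ignored
    return lambda ip: (int(ip) & care) == (base_i & care)


class DialerPolicy:
    """Interesting-traffic decision built from access-list and dialer-list lines."""

    def __init__(self, config_text):
        self.acls = {}          # acl number -> [(action, proto, src_ok, dst_ok, port)]
        self.dialer_lists = {}  # dialer-group -> acl number, or None for "permit" (all IP)
        for line in config_text.splitlines():
            line = line.strip()
            m = ACE_RE.match(line)
            if m:
                port = m.group("port")
                if port is not None:
                    port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
                self.acls.setdefault(int(m.group("acl")), []).append(
                    (m.group("action"), m.group("proto"),
                     _addr_matcher(m.group("src")), _addr_matcher(m.group("dst")), port))
            elif line.startswith("dialer-list "):
                parts = line.split()  # dialer-list <n> protocol ip {permit | list <acl>}
                self.dialer_lists[int(parts[1])] = None if parts[4] == "permit" else int(parts[5])

    def is_interesting(self, group, proto, src, dst, dport=None):
        """Apply the dialer-list for `group` to one packet; the first matching entry wins."""
        acl_num = self.dialer_lists[group]
        if acl_num is None:
            return True  # "dialer-list N protocol ip permit": every IP packet is interesting
        src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for action, aproto, src_ok, dst_ok, port in self.acls.get(acl_num, []):
            if aproto != "ip" and aproto != proto:
                continue
            if not src_ok(src_ip) or not dst_ok(dst_ip):
                continue
            if port is not None and port != dport:
                continue
            return action == "permit"
        return False  # implicit deny at the end of every IOS access list

    def debug_line(self, group, proto, src, dst, nbytes, dport=None):
        """Render the decision the way debug dialer packet prints it."""
        verdict = "interesting" if self.is_interesting(group, proto, src, dst, dport) else "uninteresting"
        return f"Di1 DDR: ip (s={src}, d={dst}), {nbytes} bytes, outgoing {verdict} (list {self.dialer_lists[group]})"


if __name__ == "__main__":
    policy = DialerPolicy(SAMPLE_CONFIG)
    # Constructed packets: an OSPF hello, an NTP poll, and a DNS query
    print(policy.debug_line(1, "ospf", "192.168.1.1", "224.0.0.5", 64))
    print(policy.debug_line(1, "udp", "192.168.1.1", "10.1.1.1", 76, dport=123))
    print(policy.debug_line(1, "udp", "192.168.1.1", "10.1.1.1", 100, dport=53))
```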
The following symptoms may indicate issues related to the Idle-Timeout:
Calls get disconnected every 120 seconds after the connection is established.
This disconnection is normally due to the default Idle-Timeout of 120 seconds being
enabled, while the interesting traffic definition is either not defined or is not applied to the
interface. Although the dialer in-band command enables a default Idle-Timeout of 120
seconds on the interface, this value does not appear in the show running-config
output. Because the default Idle-Timeout is not visible, a 120-second disconnect is often
misdiagnosed.
Calls get disconnected every x minutes after the connection is established.
This disconnection occurs because the Idle-Timeout is being configured (using the dialer
idle-timeout command), while the interesting traffic definition is either not defined or is
not applied to the interface.
Calls disconnect prematurely. This problem is probably due to a low dialer Idle-Timeout
value, or a restrictive interesting traffic definition.
Calls do not disconnect. This problem is probably caused by a high dialer Idle-Timeout
value, combined with a loose interesting traffic definition.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• The show dialer and show interface dialer commands
are useful when verifying proper operation of a
dialer profile.
• The debug dialer command is useful when
troubleshooting dialer profile functionality.
Next Steps
For the associated lab exercise, refer to the following section of the course Lab Guide:
Lab Exercise 7-1: Using Dialer Profiles to Enhance DDR
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which Cisco router command displays information on incoming and outgoing calls?
A) show interface dialer
B) show dialer ver
C) show dialer mem
D) show dialer calls
Q2) What is the most appropriate command for debugging dialer profile problems?
A) show dialer
B) debug dialer
C) show calls
D) debug calls
Q3) When debug dialer output indicates that the dialer profile is not associated with a dialer
pool, which of the following is the most appropriate solution?
A) enter the dialer pool-member command on the physical interface to associate it with a dialer pool
B) configure the dialer call command on the dialer interface
C) configure the dialer pool command on the dialer interface
D) configure the dialer group command on the dialer interface
Q4) When you have a problem or error message such as “no dialer group configured on the
dialer interface,” what is most likely the problem?
A) No dialer string is set.
B) There is no free dialer.
C) No dialer group has been defined.
D) There is no dialer list.
Q5) How many attempts are made to bind the physical interface with the dialer interface for
that call?
A) 2
B) 3
C) 4
D) 5
Q6) A common issue affecting dialup links is unexpected call drops. Which command is
most appropriate to use to see if a particular packet is interesting or not when calls are
disconnected prematurely (or when they never disconnect)?
A) debug dialer packet
B) show run
C) erase start
D) reload
Quiz Answer Key
Q1) A (Relates to: Verification of Dialer Profiles)
Q2) B (Relates to: Outbound Dialing Issues)
Q3) C (Relates to: Outbound Binding Issues)
Q4) C (Relates to: Examples)
Q5) C (Relates to: Inbound Call Issues)
Q6) A (Relates to: Disconnect Issues)
Module 8
Configuring Frame Relay with
Traffic Shaping
Overview
This module reviews Frame Relay operation and configuration. It also covers traffic shaping.
You will learn how to configure Frame Relay traffic shaping (FRTS) on a Cisco router.
Objectives
Upon completing this module, you will be able to:
Configure Frame Relay so that two sites can exchange data
Configure the subinterfaces on each virtual interface to solve a reachability problem caused
by split horizon
Configure FRTS
Verify proper configuration and troubleshoot an incorrect configuration so data travels as
intended across the Frame Relay link
Outline
The module contains these lessons:
Reviewing Frame Relay
Configuring Frame Relay
Verifying Frame Relay Configuration
Configuring Frame Relay Subinterfaces
Identifying Frame Relay Traffic Shaping Features
Configuring Frame Relay Traffic Shaping
Reviewing Frame Relay
Overview
This lesson provides an overview of Frame Relay features and operation.
Relevance
To establish a Frame Relay connection, there must be an understanding of the technology and
components required, and how to configure them.
Objectives
Upon completing this lesson, you will be able to:
Describe the basic features of Frame Relay
Describe how Frame Relay connections operate over VCs
Explain the function of the LMI and how it operates
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Frame Relay Overview
Frame Relay Operation
Frame Relay Signaling
Summary
Quiz
Frame Relay Overview
This topic provides an overview of Frame Relay concepts and features. Frame Relay is an
important and popular WAN connection standard.
Frame Relay Overview
• Virtual circuits make connections
• Connection-oriented service
Frame Relay is an International Telecommunication Union Telecommunication Standardization
Sector (ITU-T) and American National Standards Institute (ANSI) standard. Frame Relay
defines the process for sending data over a public data network (PDN). As a next-generation
protocol to X.25, it is a connection-oriented data-link technology that is streamlined to provide
high performance and efficiency. Frame Relay relies on upper-layer protocols for error
correction and more dependable fiber and digital networks.
The connection between the customer and the service provider is known as the User-Network
Interface (UNI). The Network-to-Network Interface (NNI) is used to describe how different
Frame Relay service provider networks connect to each other. ATM is the technology
commonly used within the network of the service provider to carry Frame Relay data.
However, regardless of the technology that is used inside the cloud, the connection between the
customer and the Frame Relay service provider is still Frame Relay.
Note that Frame Relay defines the interconnection process between the customer premises
equipment (CPE, also known as DTE), such as a router, and the local access switching
equipment of the service provider (known as DCE). Frame Relay does not define how the data
is transmitted within the Frame Relay cloud of the service provider.
Frame Relay Operation
This topic describes the operation of Frame Relay. Frame Relay connections operate over
virtual circuits (VCs). Each VC is identified by a data-link connection identifier (DLCI) that is
mapped to an IP address.
Frame Relay Operation
• Get locally significant DLCIs from your Frame Relay provider
• Map your network addresses to DLCIs
Frame Relay provides a means for statistically multiplexing many logical data conversations—
or VCs—over a single physical transmission link. Frame Relay assigns connection identifiers to
each pair of DTE devices. The switching equipment of the service provider constructs a table
that maps connection identifiers to outbound ports. When a frame is received, the switching
device analyzes the connection identifier and delivers the frame to the preestablished,
associated outbound port. The association of a connection identifier to an outbound port is
established when the VC is created, and occurs before any data is transferred across the link.
Frame Relay networks are known as nonbroadcast multiaccess (NBMA) networks. Multiaccess
means that a customer with a single connection to the Frame Relay network (cloud) has the
ability to communicate with any other customer remote network. This communication remains
as long as the customer is connected to the same Frame Relay network of the provider. A single
connection to a Frame Relay network of the provider is likely to be much less expensive than
separate leased lines to each remote site, particularly where long distances exist between sites.
The service provider must set up a VC between these sites within the Frame Relay network so
that any two sites that are connected to the same Frame Relay network are able to
communicate. Service providers typically charge for each VC. With a full-mesh topology, this
could be expensive, depending upon the number of circuits needed. Many enterprises use a
hub-and-spoke topology, with VCs between a central site and each of the branch offices. In this
configuration, the traffic must pass through the central site in order for two branch offices to
reach each other.
The VCs can be either permanent virtual circuits (PVCs) or switched virtual circuits (SVCs).
PVCs are permanently established connections that are used when there is frequent and
consistent data transfer between DTE devices across a Frame Relay network.
Based on specifications from ANSI T1.617, ITU-T Q.933 (Layer 3), and Q.922 (Layer 2),
Frame Relay now supports SVCs. SVCs are temporary connections used when there is only
sporadic data transfer between DTE devices across a Frame Relay network. Because they are
temporary, SVC connections require call setup and termination for each connection. Cisco IOS
Software Release 11.2 and later support Frame Relay SVCs. You must determine whether your
carrier supports SVCs before implementing them.
Note
Frame Relay SVCs are not covered in this course.
Data-Link Connection Identifier
Frame Relay uses a DLCI to identify the logical VC between the CPE and the Frame Relay
switch. The Frame Relay switch maps the DLCIs between each pair of routers to create a PVC.
DLCIs have local significance because the identifier references the point between the local
router and the Frame Relay switch to which it is connected. Although some Frame Relay
service providers use globally significant DLCIs, this is not the norm. Your Frame Relay
provider sets up the DLCI numbers to be used by the routers for establishing PVCs.
Some Frame Relay providers allow their customers to choose their DLCI numbers, within a
specific range, usually between 16 and 1007. DLCIs 0 through 15, and DLCIs 1008 through
1023 are reserved for special purposes: DLCI 1019 and DLCI 1020 are reserved for multicasts,
DLCI 1023 is reserved for Cisco LMI, and DLCI 0 is reserved for ANSI and Q933A LMI
types.
DLCI-to-Address Mappings
To pass data over the Frame Relay circuit, you must associate each local DLCI with a
destination address. This association, or mapping, tells the router which DLCI to use when
packets are destined for the remote address. For example, referring to the figure, an
administrator would map the IP address of the destination Frame Relay interface (10.1.1.1) to
DLCI 500, which is the PVC to that remote router. Any routes that point to 10.1.1.1 as the
next-hop IP address will use this mapping that the PVC identified as DLCI 500, and forward
packets to the remote site.
On Cisco routers, the address mapping can be either configured manually or dynamically
assigned. With dynamic address mapping, Frame Relay Inverse Address Resolution Protocol
(Inverse ARP) is used to dynamically discover the protocol address of the remote device
associated with a given PVC. During initial link establishment, the router sends an Inverse ARP
packet out each active DLCI and requests the next-hop protocol addresses from the device at
the other end of the connection. The remote device responds with the protocol addresses
associated with that PVC. The router then updates its mapping table and uses the information to
forward packets on the correct route.
When packets are sent across the network, the intermediate switches look up the DLCI in the
map table and perform the following:
If the DLCI is defined on the link, the switch forwards packets toward their destination.
If the DLCI is not defined on the link, the switch discards the frame.
Frame Relay Signaling
This topic describes the function of the Local Management Interface (LMI) and how it
operates. Routers and Frame Relay switches communicate using an LMI signaling standard.
Frame Relay Signaling
Cisco supports three LMI standards:
• ANSI T1.617 Annex D
• ITU-T Q.933 Annex A
• Cisco
Local Management Interface
LMI is a signaling standard between the CPE device and the Frame Relay switch that is
responsible for managing the connection and maintaining status between the devices. LMI
supports the following items:
A keepalive mechanism, which verifies that data is flowing
A multicast mechanism, which provides the DTE with its local DLCI
Multicast addressing, which gives DLCIs global rather than local significance in Frame
Relay networks
A status mechanism, which provides an ongoing status on the DLCIs known to the switch
Although LMI is configurable, beginning in Cisco IOS software Release 11.2, the Cisco router
attempts to autosense the LMI type that the Frame Relay switch is using by sending one or
more full status requests to the Frame Relay switch. The Frame Relay switch responds with one
or more LMI types. The router configures itself with the last LMI type received.
Cisco routers support three LMI types:
Cisco: Cisco LMI type defined jointly by the “Gang of Four” (Cisco, StrataCom, Northern
Telecom, and Digital Equipment Corporation)
ANSI: ANSI T1.617 Annex D
Q933a: ITU-T Q.933 Annex A
If LMI autosensing does not take place, then the administrator setting up a connection to a
Frame Relay network must choose the appropriate LMI from the three supported types to
ensure proper Frame Relay operation.
When an Inverse ARP request is made, the router updates its map table with one of three
possible PVC connection states:
Active state: Indicates that the connection is active and that routers can exchange data
Inactive state: Indicates that the local connection to the Frame Relay switch is working,
but the remote router connection to the Frame Relay switch is not working
Deleted state: Indicates that no LMI is being received from the Frame Relay switch, the
DLCI has been removed from the Frame Relay switch, or there is no service between the
CPE router and Frame Relay switch
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• Frame Relay is a standard that defines the process
for sending data over a public data network.
• Frame Relay connections operate over virtual
circuits.
• LMI is a signaling standard between the CPE
device and the Frame Relay switch that is
responsible for managing the connection and
maintaining status between the devices.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) The connection between the customer site and the service provider network is known
as the _____.
A) Network-to-Network Interface
B) user-network interface
C) serial interface
D) network to user interface
Q2) Frame Relay provides connections between sites using a VC that is identified by its
_____.
A) IP address
B) network address
C) DLCI
D) PVC
Q3) Which DLCI does the Frame Relay LMI type “Cisco” use for communication?
A) 15
B) 1023
C) 0
D) 16
Quiz Answer Key
Q1) B (Relates to: Frame Relay Overview)
Q2) C (Relates to: Frame Relay Operation)
Q3) B (Relates to: Frame Relay Signaling)
Configuring Frame Relay
Overview
This lesson illustrates how to configure Frame Relay on a serial interface.
Relevance
It is important to know how to configure a Frame Relay connection because it is the most
popular WAN connectivity solution. This lesson covers the concepts and commands for
configuring Frame Relay.
Objectives
Upon completing this lesson, you will be able to:
List the steps and commands that are required to configure a basic Frame Relay connection
Explain how DLCI numbers are dynamically mapped to IP addresses
Describe how DLCI numbers are statically mapped to IP addresses
Identify the significance of DLCI numbers
Explain the function of a hub-and-spoke topology
List the commands that are required to configure a hub-and-spoke topology
Explain why static DLCI maps should be configured to reach the hub site and the other
spoke sites
Configure a Frame Relay map
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Configuration of Basic Frame Relay
Dynamic Address Mapping
Configuration of Static Address Mapping
Different DLCIs at the Remote Routers
Hub-and-Spoke Topology
Spoke Router
Summary
Quiz
Configuration of Basic Frame Relay
This topic describes the steps and commands that are required to configure a basic Frame Relay
connection.
Configuring Basic Frame Relay
There are five steps required to configure a basic Frame Relay connection:
Step 1
Select the interface and enter interface configuration mode.
Step 2
Configure a network-layer address, for example, an IP address.
Step 3
Select the encapsulation type used to encapsulate data traffic end-to-end using the
following command:
encapsulation frame-relay [cisco | ietf]
The default argument is cisco. It is the recommended setting if connecting to another Cisco
router. Select ietf if connecting to a router from another vendor.
Step 4
If using Cisco IOS Software Release 11.1 or earlier, specify the LMI type used by
the Frame Relay switch using this command:
frame-relay lmi-type {ansi | cisco | q933a}
With Cisco IOS Software Release 11.2 or later, the LMI type is autosensed and no manual
configuration is required. Otherwise, the customer can obtain the LMI type from their Frame
Relay service provider and manually configure it. The default LMI type is cisco.
Step 5
Configure address mapping.
On Cisco routers, the address mapping of a local DLCI to a remote IP address can be
configured manually with static address mapping, or with dynamic address mapping. In the
above example, the address mapping is dynamic.
Dynamic Address Mapping
This topic describes how DLCI numbers are dynamically mapped to IP addresses. The DLCI to
IP address mapping can be done dynamically or statically.
Dynamic Address Mapping
If you use dynamic address mapping, Frame Relay Inverse ARP dynamically associates a given
DLCI with the next-hop protocol addresses for that connection. The router then updates its
mapping table and uses the information in the table to route outgoing traffic to the appropriate
PVC. Frame Relay Inverse ARP, and therefore dynamic addressing, is enabled by default for
all protocols that are enabled on a physical interface. No additional commands are necessary.
If Inverse ARP has been previously disabled on a Frame Relay interface, it can be reenabled
using the frame-relay inverse-arp command in interface configuration mode.
Note
LMI must be functioning on an interface to use Frame Relay Inverse ARP because LMI is
used to determine the PVCs to map.
Configuration of Static Address Mapping
This topic describes how DLCI numbers are statically mapped to IP addresses. The DLCI to IP
address mapping can be done dynamically or statically.
Configuring Static Address Mapping
Whether the mapping of a DLCI to a remote IP address happens dynamically or statically, the
DLCI that is used does not have to be the same number at both ends of the PVC.
If you use static address mapping, you must use the frame-relay map command to statically
map destination network protocol addresses to a designated DLCI. In this figure, the central site
router is configured with static maps to both branch routers, Branch A and Branch B.
The static address mapping command syntax is as follows:
frame-relay map protocol protocol-address dlci [broadcast] [ietf | cisco]
The following table describes the frame-relay map command syntax.
frame-relay map Command
Command           Description
protocol          Selects the protocol type. Commonly used protocols are dlsw, ip, and ipx.
protocol-address  Specifies the destination protocol address.
dlci              Specifies the DLCI number used to connect to the specified protocol address on the interface.
broadcast         (Optional) Specifies that broadcasts should be forwarded when multicast is not enabled.
ietf              (Optional) Enables the Internet Engineering Task Force (IETF) encapsulation.
cisco             (Optional) Enables the Cisco encapsulation.
Different DLCIs at the Remote Routers
This topic describes the significance of DLCI numbers. DLCI numbers are locally significant
only and do not have to be the same at each end of the PVC.
Different DLCIs at the Remote Routers
• The different remote routers can use the same or
different DLCIs when accessing the same PVC.
• DLCI numbers are local between the customer and
the Frame Relay switch.
Whether the mapping of a DLCI to a remote IP address happens dynamically or statically, the
DLCI that is used does not have to be the same number at both ends of the PVC. In this
example, the central router is using DLCI 500 and the Branch A router is using DLCI 100.
Each router is communicating with the other router using a different DLCI over the same PVC.
Locally significant DLCIs mean that the DLCI number has meaning between the individual
customer and the Frame Relay switch only. Different customers may use the same DLCI
number to communicate with different switches within the same Frame Relay network.
Although not a requirement, Frame Relay providers usually assign the same DLCI number to
VCs that connect to a common site. For example, all remote sites that have a Frame Relay
connection to the headquarters site may be assigned DLCI 100 for this hub connection.
Network topology diagrams often display this common DLCI assignment at the hub location.
This DLCI assignment represents the DLCI that remote devices use to connect to that site, even
though the DLCI value is actually assigned to each of the remote locations and not to the hub.
Hub-and-Spoke Topology
This topic describes the function of a hub-and-spoke topology and the commands that are
required to configure it. Frame Relay is most commonly configured in a hub-and-spoke
topology.
Hub-and-Spoke Topology
The topology shown is known as a Frame Relay hub-and-spoke topology. The central site is
acting as the hub and the Branch A and Branch B routers are acting as the spokes. Each of the
spoke routers is connected only to the hub. When two spoke routers need to communicate with
each other, the traffic is sent via the hub router. The advantage to this type of topology is that
there does not have to be a full mesh of PVCs between all routers. This will provide a cost
savings on the number of PVCs needed.
The configurations for the hub-and-spoke routers in the example would be as follows:
central(config)#interface serial1
central(config-if)#ip address 10.16.0.1 255.255.255.0
central(config-if)#encapsulation frame-relay
central(config-if)#frame-relay map ip 10.16.0.2 110 broadcast
central(config-if)#frame-relay map ip 10.16.0.3 120 broadcast ietf
branchA(config)#interface serial0
branchA(config-if)#ip address 10.16.0.2 255.255.255.0
branchA(config-if)#encapsulation frame-relay
branchA(config-if)#frame-relay map ip 10.16.0.1 210 broadcast
branchA(config-if)#frame-relay map ip 10.16.0.3 210 broadcast
branchB(config)#interface serial0
branchB(config-if)#ip address 10.16.0.3 255.255.255.0
branchB(config-if)#encapsulation frame-relay
branchB(config-if)#frame-relay map ip 10.16.0.1 220 broadcast ietf
branchB(config-if)#frame-relay map ip 10.16.0.2 220 broadcast ietf
Spoke Router
This topic describes how static DLCI maps should be configured to reach the hub site and the
other spoke sites. Static DLCI maps are configured with the frame-relay map command.
Spoke Router
In this example, both branch routers are using static mapping to communicate with the central
office (CO) router and the other branch office router. Notice that the branch routers use the
same DLCI to communicate with both the CO and the other branch office router. The only
difference is the remote IP address.
The branch routers can be configured using Inverse ARP to the central site and a static map to
the other branch office, both using the same DLCI. This arrangement works until the branch
office router is rebooted. After the router reboots, the static map disables Inverse ARP for that
DLCI. This situation means that the branch router will not be able to reach either the central
site or the other branch office. Because there is no dynamic mapping to the central site, there is
no way to reach the other branch office via the hub router, even though a static map is
configured. When configuring the branch office routers, static map addresses should be used to
reach both the central site and the other branch router, as shown in the example.
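As an added illustration, not part of the course material, the following Python model tracks a spoke's DLCI-to-IP map table and reproduces the reload behaviour just described, using the addresses and DLCIs from the hub-and-spoke example. The class and function names are this example's own, and the rule that spoke-to-spoke traffic needs a usable hub mapping is taken from the text.

```python
"""Constructed model of a Frame Relay spoke router's DLCI-to-IP map table.

It reproduces the behaviour the lesson describes: a static frame-relay map on
a DLCI disables Inverse ARP for that DLCI, so a spoke that learns the hub
dynamically and maps the other spoke statically on the same DLCI loses the hub
mapping after a reload. Names and helper logic are this example's own.
"""

HUB_IP = "10.16.0.1"        # addresses and DLCIs from the lesson's hub-and-spoke example
BRANCH_A_IP = "10.16.0.2"
BRANCH_B_IP = "10.16.0.3"


class SpokeRouter:
    def __init__(self, name, dlci_to_hub, static_maps=()):
        self.name = name
        self.dlci_to_hub = dlci_to_hub
        # Saved configuration: one (remote ip, dlci) pair per frame-relay map command.
        self.static_maps = list(static_maps)
        self.table = {}     # remote ip -> (dlci, "static" | "dynamic")
        self.reload()

    def inverse_arp_enabled(self, dlci):
        """Inverse ARP stays active on a DLCI only while no static map uses that DLCI."""
        return all(d != dlci for _, d in self.static_maps)

    def reload(self):
        """Rebuild the map table the way the router does after a reboot."""
        self.table = {ip: (dlci, "static") for ip, dlci in self.static_maps}
        # The hub would answer an Inverse ARP request on the PVC, but the spoke
        # only sends one if Inverse ARP is still enabled for that DLCI.
        if self.inverse_arp_enabled(self.dlci_to_hub):
            self.table.setdefault(HUB_IP, (self.dlci_to_hub, "dynamic"))

    def add_static_map(self, remote_ip, dlci):
        """Equivalent of typing 'frame-relay map ip <remote_ip> <dlci> broadcast'.

        A dynamic entry already learned on that DLCI survives until the next reload.
        """
        self.static_maps.append((remote_ip, dlci))
        self.table[remote_ip] = (dlci, "static")

    def can_reach(self, remote_ip):
        """A destination is reachable when it has a map entry and, because all
        spoke traffic transits the hub, the hub itself has one too."""
        return HUB_IP in self.table and remote_ip in self.table

    def show_map(self):
        """Simplified rendering in the spirit of show frame-relay map (constructed)."""
        return [f"ip {ip} dlci {dlci}, {kind}"
                for ip, (dlci, kind) in sorted(self.table.items())]


def mixed_mapping_scenario():
    """Inverse ARP to the hub plus a static map to the other spoke on the same DLCI."""
    branch_a = SpokeRouter("branchA", dlci_to_hub=210)   # clean boot: hub learned dynamically
    branch_a.add_static_map(BRANCH_B_IP, 210)
    before = (branch_a.can_reach(HUB_IP), branch_a.can_reach(BRANCH_B_IP))
    branch_a.reload()                                    # static map now suppresses Inverse ARP
    after = (branch_a.can_reach(HUB_IP), branch_a.can_reach(BRANCH_B_IP))
    return before, after


def static_mapping_scenario():
    """Static maps to both the hub and the other spoke, as the lesson recommends."""
    branch_a = SpokeRouter("branchA", dlci_to_hub=210,
                           static_maps=[(HUB_IP, 210), (BRANCH_B_IP, 210)])
    branch_a.reload()
    return branch_a.can_reach(HUB_IP), branch_a.can_reach(BRANCH_B_IP)


if __name__ == "__main__":
    print("mixed  (before reload, after reload):", mixed_mapping_scenario())
    print("static (after reload):", static_mapping_scenario())
```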
Note
None of these example configurations take into account the routing updates and split horizon
issues with distance-vector routing protocols. These issues are discussed further along in
this module.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• There are five steps required to configure a basic
Frame Relay connection.
• The DLCI to IP Address mapping can be done
dynamically or statically.
• Locally significant DLCIs have meaning between
the customer and the Frame Relay switch only.
• Frame Relay is commonly configured in a
hub-and-spoke topology.
• Static DLCI maps are configured with the
frame-relay map command.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which Frame Relay LMI type is the default on Cisco routers?
A) ANSI
B) IETF
C) Cisco
D) Q.933I
Q2) Which function does Inverse ARP perform?
A) multicast support
B) periodic keepalive transmission
C) static mappings of DLCIs to local Layer 3 addresses
D) dynamic mappings of DLCIs to remote Layer 3 addresses
Q3) The frame-relay map command is used to create a static map between an IP address
and a DLCI.
A) true
B) false
Q4) Locally significant DLCIs mean that the DLCI number has meaning between the
individual customer and the Frame Relay switch only.
A) true
B) false
Q5) What is an advantage of designing a hub-and-spoke Frame Relay network?
A) full redundancy
B) requires subinterfaces
C) cost effective
D) partial redundancy
Q6) Which type of encapsulation should be used when connecting equipment from another
vendor to a Cisco Frame Relay network?
A) Cisco
B) IETF
C) ANSI
D) Q.933A
Quiz Answer Key
Q1) C
Relates to: Configuration of Basic Frame Relay
Q2) D
Relates to: Dynamic Address Mapping
Q3) A
Relates to: Configuration of Static Address Mapping
Q4) A
Relates to: Different DLCIs at the Remote Routers
Q5) C
Relates to: Hub-and-Spoke Topology
Q6) B
Relates to: Spoke Router
Verifying Frame Relay
Configuration
Overview
This lesson highlights Cisco IOS commands that help verify proper Frame Relay configuration.
Relevance
Implementing and troubleshooting Frame Relay is a necessary skill for network engineers. This
lesson provides an overview of various commands to verify Frame Relay connectivity.
Objectives
Upon completing this lesson, you will be able to:
List commands that are useful when implementing and troubleshooting a Frame Relay
connection
Identify key fields for each command
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Verification of Frame Relay Operation
Summary
Quiz
Verification of Frame Relay Operation
This topic describes the Frame Relay monitoring commands and highlights key fields for each
command. Various commands are required to monitor and troubleshoot a Frame Relay
connection.
Verifying Frame Relay Operation
• Displays line, protocol, DLCI, and LMI information
After you configure Frame Relay, you can verify that the connections are active using the
available show commands. The show interface command displays information regarding the
encapsulation and Layer 1 and Layer 2 status. It also displays Frame Relay LMI information
for the interface, including the number of LMI messages exchanged, LMI type, and the DLCI
that is used by LMI.
Verifying Frame Relay Operation (Cont.)
• Displays PVC traffic statistics
The show frame-relay pvc command displays the status of each configured connection as well
as traffic statistics. This command is also useful for viewing the number of backward explicit
congestion notification (BECN) and forward explicit congestion notification (FECN) packets
received by the router. The PVC STATUS can be active, inactive, or deleted.
If you enter the show frame-relay pvc command without any additional arguments, you will
see the status of all the PVCs configured on the router. If you specify the PVC, you will see the
status for that PVC only. In the figure, the show frame-relay pvc 110 command displays the
status of PVC 110 only.
Verifying Frame Relay Operation (Cont.)
• Displays the Frame Relay maps, either static or dynamic.
• In this example, DLCI 110 was configured statically
while DLCI 120 was learned dynamically.
Use the show frame-relay map command to display the current DLCI protocol address map
entries and information about the connections.
The show frame-relay map command will display various information including the remote
protocol address, the DLCI number, dynamic or static address mapping, and the state of the
PVC.
In the example, DLCI 120 on interface Serial0 maps to remote IP address 10.16.0.3; the
mapping was dynamically discovered using Inverse ARP.
Verifying Frame Relay Operation (Cont.)
• Displays LMI information
The show frame-relay lmi command displays LMI traffic statistics. For example, the
command shows the number of status messages exchanged between the local router and the
Frame Relay switch, including the number of invalid LMI packets by type.
Verifying Frame Relay Operation (Cont.)
• Displays LMI debug information
The debug frame-relay lmi command allows you to verify and troubleshoot the Frame Relay
connection.
The “(out)” status field is an LMI status inquiry sent by the router. The “(in)” status is a reply
by the Frame Relay switch.
The “type 1” field is a keepalive message sent by the router to the Frame Relay switch
approximately every 10 seconds. The purpose of the keepalive message is to verify that the
Frame Relay switch is still active.
The “type 0” field represents a full LMI status message sent every 60 seconds. The “dlci 130,
status 0x2” field indicates that the status of DLCI 130 is active. The most common values of the
status field are as follows:
0x0: Added/inactive. The switch has this DLCI programmed but for some reason (such as
the other end of this PVC is down) it is not usable.
0x2: Added/active. The Frame Relay switch has the DLCI and everything is operational.
You can start sending traffic with this DLCI in the header.
0x4: Deleted. The Frame Relay switch does not have this DLCI programmed for the router.
However, it was programmed at some point in the past. This could also be caused by the
DLCIs being reversed on the router, or by the PVC being deleted by the telco in the Frame
Relay cloud.
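An added example, not from the course material, that turns the fields described above into an operational check: it parses debug frame-relay lmi style output, counts enquiries and replies, and decodes each "dlci N, status 0xN" entry with the meanings given in the text. The sample lines are constructed for this example and modelled on the quoted fields; real output carries additional fields and the regular expressions here are this example's own.

```python
"""Parser for 'debug frame-relay lmi' style output (constructed example).

The sample lines are constructed for this example and only model the fields
the lesson describes: the (out)/(in) direction, the report 'type' (1 = keepalive,
0 = full status) and per-PVC 'dlci N, status 0xN' entries.
"""
import re

# Status values and meanings as listed in the lesson.
STATUS_MEANING = {
    0x0: "added/inactive",   # switch knows the DLCI but the PVC is not usable
    0x2: "added/active",     # DLCI programmed and operational
    0x4: "deleted",          # switch no longer has this DLCI for the router
}

SAMPLE_DEBUG = """\
Serial0(out): StEnq, myseq 5, yourseen 4, DTE up
Serial0(in): Status, myseq 5
RT IE 1, length 1, type 1
KA IE 3, length 2, yourseq 5, myseq 5
Serial0(out): StEnq, myseq 6, yourseen 5, DTE up
Serial0(in): Status, myseq 6
RT IE 1, length 1, type 0
KA IE 3, length 2, yourseq 6, myseq 6
PVC IE 0x7 , length 0x6 , dlci 130, status 0x2 , bw 0
PVC IE 0x7 , length 0x6 , dlci 140, status 0x0 , bw 0
PVC IE 0x7 , length 0x6 , dlci 150, status 0x4 , bw 0
"""

DIRECTION_RE = re.compile(r"^(?P<intf>\S+?)\((?P<dir>in|out)\):")
TYPE_RE = re.compile(r"\btype (?P<type>\d)\b")
PVC_RE = re.compile(r"dlci (?P<dlci>\d+), status (?P<status>0x[0-9a-fA-F]+)")


def decode_status(value):
    """Map a PVC status byte to the meaning given in the lesson."""
    return STATUS_MEANING.get(value, f"unknown (0x{value:x})")


def parse_lmi_debug(text):
    """Summarise the exchange: enquiries sent, replies received, report types
    seen and the decoded state of every DLCI the switch reported."""
    summary = {"status_enq_sent": 0, "status_recvd": 0,
               "keepalives": 0, "full_status": 0, "pvcs": {}}
    for line in text.splitlines():
        m = DIRECTION_RE.match(line)
        if m:
            key = "status_enq_sent" if m["dir"] == "out" else "status_recvd"
            summary[key] += 1
            continue
        m = TYPE_RE.search(line)
        if m and line.startswith("RT IE"):
            summary["keepalives" if m["type"] == "1" else "full_status"] += 1
            continue
        m = PVC_RE.search(line)
        if m:
            summary["pvcs"][int(m["dlci"])] = decode_status(int(m["status"], 16))
    return summary


def unhealthy_pvcs(summary):
    """DLCIs the switch reports as anything other than added/active."""
    return sorted(d for d, s in summary["pvcs"].items() if s != "added/active")


def lmi_exchange_ok(summary):
    """Enquiries sent and status replies received must both be non-zero,
    otherwise the router and switch are not talking LMI at all."""
    return summary["status_enq_sent"] > 0 and summary["status_recvd"] > 0


if __name__ == "__main__":
    s = parse_lmi_debug(SAMPLE_DEBUG)
    print(s)
    print("LMI exchange ok:", lmi_exchange_ok(s))
    print("DLCIs needing attention:", unhealthy_pvcs(s))
```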
Verifying Frame Relay Operation (Cont.)
• Clears dynamically created Frame Relay maps
• Disables Inverse ARP
To clear dynamically created Frame Relay maps, which are created by the use of Inverse ARP,
use the clear frame-relay-inarp privileged EXEC command. This command disables Inverse
ARP for the router.
Note
Do not use this command in a production network. Doing so will cause user traffic to be
stopped because of the lack of a Layer 2 DLCI mapped to a Layer 3 protocol address. To
re-enable Inverse ARP, use the interface command frame-relay inverse-arp.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• The show frame-relay pvc command displays the
status of each configured connection, as well as
traffic statistics.
• The show frame-relay map command displays the
DLCI-protocol address map entries, as well as
information about the connection.
• The show frame-relay lmi command displays LMI
traffic statistics.
• The debug frame-relay lmi command allows you to
verify and troubleshoot the Frame Relay
connection.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which information from a show interfaces display indicates that your Frame Relay
connection is operating correctly?
A) Bandwidth is 128 kbps.
B) Hardware is in sync mode.
C) MTU size is 1500 bytes or more.
D) LMI enq sent and stat recvd are non-zero.
Quiz Answer Key
Q1) D
Relates to: Verification of Frame Relay Operation
Configuring Frame Relay
Subinterfaces
Overview
This lesson provides a review of Frame Relay subinterfaces, and explains why and when you
would use subinterfaces.
Relevance
A Frame Relay network can be connected in a star, full-mesh, or partial-mesh topology.
Depending on the topology configured, there may be some reachability issues with routing
updates because of the split horizon rule. Subinterfaces can be configured to resolve this issue.
Objectives
Upon completing this lesson, you will be able to:
Explain the issues that can occur with routing protocols in a multipoint Frame Relay
configuration
Explain the issues that can occur with distance-vector routing protocols and the split
horizon rule in a multipoint Frame Relay configuration
Explain why it is not recommended to disable split horizon in a multipoint Frame Relay
configuration
Identify the reasons why subinterfaces can be used to help solve issues with distance-vector
routing protocols and the split horizon rule in a multipoint Frame Relay configuration
Describe how point-to-point subinterfaces can solve reachability issues
Explain how multipoint subinterfaces can solve reachability issues
List the steps and commands required to configure a subinterface on a basic Frame Relay
connection
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Reachability Issues with Routing Updates
Resolution of Reachability Issues
Subinterface Usages
Point-to-Point Subinterfaces
Multipoint Subinterfaces
Configuration of Subinterfaces
Subinterface Configuration Example
Summary
Quiz
Reachability Issues with Routing Updates
This topic describes reachability issues with routing updates in a multipoint Frame Relay
configuration. Multipoint Frame Relay connections are prone to reachability issues.
Reachability Issues with
Routing Updates
• Broadcast traffic must be replicated for each active
connection.
There is a major issue with a router that supports multipoint connections over a single interface.
Because many DLCIs terminate in a single router, that router must replicate routing updates
and service advertising updates on each DLCI to the remote routers. The updates can consume
access-link bandwidth and cause significant latency variations in user traffic. The updates can
also consume interface buffers and lead to higher packet-rate loss for both the user data and
routing updates.
The amount of broadcast traffic and the number of VCs terminating at each router should be
evaluated during the design phase of a Frame Relay network. Overhead traffic, such as routing
updates, can impact the delivery of critical user data, especially when the delivery path contains
low-bandwidth (56 kbps) links.
Resolution of Reachability Issues
This topic describes the problems that are associated with disabling split horizon in a multipoint
Frame Relay configuration. Disabling split horizon is one way to address the reachability issues
that the split horizon rule causes for distance-vector protocols, but it has drawbacks.
Resolving Reachability Issues
• Split horizon can cause problems in NBMA
environments.
• A single physical interface simulates multiple
logical interfaces.
• Subinterfaces can resolve split horizon issues.
The simplest answer to resolving the reachability issues brought on by split horizon may seem
to be to turn off split horizon. Two problems exist with this solution. First, only IP allows you
to disable split horizon. Second, disabling split horizon increases the chances of routing loops
in your network.
Note
Split horizon is disabled by default for the IP protocol on Frame Relay interfaces. Enhanced
Interior Gateway Routing Protocol (EIGRP) is an exception. EIGRP requires IP split horizon
to be manually disabled.
Subinterface Usages
This topic describes subinterfaces to help solve issues with distance-vector routing protocols
and the split horizon rule in a multipoint Frame Relay configuration. Subinterfaces are logical
subdivisions of a physical interface.
Subinterface Usages
• Point-to-point subinterfaces can be used to solve
split horizon issues.
To enable the forwarding of broadcast routing updates in a Frame Relay network, you can
configure the router with logically assigned interfaces called subinterfaces. Subinterfaces are
logical subdivisions of a physical interface.
You can configure subinterfaces to support these connection types:
Point-to-point
Multipoint
Point-to-Point Subinterfaces
This topic describes how point-to-point subinterfaces can solve reachability issues in a Frame
Relay configuration. Subinterfaces can be configured either as point-to-point or multipoint.
Point-to-Point Subinterfaces
• Split horizon is not an issue with point-to-point
subinterfaces.
In point-to-point subinterface configurations, a single subinterface is used to establish one PVC
connection to a physical interface or subinterface on a remote router. In this case, the two
subinterfaces would be in the same subnet and each subinterface would have a single DLCI.
Each point-to-point connection is its own subnet.
In split horizon routing environments, routing updates received on one point-to-point
subinterface can be sent out another point-to-point subinterface. Each VC can be configured as
a point-to-point connection, which allows the subinterface to act like a leased line. This is
because each point-to-point subinterface is treated as a separate physical interface.
Multipoint Subinterfaces
This topic describes how multipoint subinterfaces can solve reachability issues in a Frame
Relay configuration.
Multipoint Subinterfaces
• Split horizon can still be an issue with
multipoint subinterfaces.
In multipoint subinterface configurations, a single subinterface is used to establish multiple
PVC connections to multiple physical interfaces or subinterfaces on remote routers. In this case, all the
participating interfaces would be in the same subnet and each interface would have its own
local DLCI. In this environment, because the subinterface is acting like a regular NBMA Frame
Relay network, broadcast traffic is subject to the split horizon rule.
Cisco routers can be configured to simultaneously support both point-to-point and multipoint
subinterfaces. Each subinterface is configured as one or the other, not both. This permits a
company to configure individual Frame Relay connections as needed, and to provide a more
flexible transition from one configuration to another.
Configuration of Subinterfaces
There are a total of six steps that are required to configure a subinterface on a basic Frame
Relay connection. This topic describes the first four steps.
Configuration of Subinterfaces
• Point-to-point
– Subinterfaces act as a leased line
– Each point-to-point connection requires its own
subnet
– Good for star or partial-mesh topologies
• Multipoint
– Subinterfaces act as the default NBMA network
– Can save subnets because they share a single subnet
– Good for full-mesh topology
To configure subinterfaces on a physical interface, perform these steps:
Step 1
Select the interface upon which you want to create subinterfaces, and enter the
interface configuration mode.
Step 2
Remove any network-layer address assigned to the physical interface. If the physical
interface has an address, frames will not be received by the local subinterfaces.
Step 3
Configure Frame Relay encapsulation, as discussed in the Configuring Frame Relay
lesson in this module.
Step 4
Select the subinterface you want to configure, as follows:
interface serial number.subinterface-number {multipoint | point-to-point}
The following table lists the command and parameters to use when setting up a subinterface on
a serial link.
interface serial Command Parameters
Parameter: subinterface-number
Description: Subinterface number. The interface number that precedes the period (.) must
match the interface number to which this subinterface belongs. The number of subinterfaces
possible on one interface is interface description block (IDB) dependent. The IDB is a set of
data structures that provide hardware and software views of network interfaces.
Parameter: multipoint
Description: Select if you want the router to forward the broadcasts and routing updates that
it receives. Select this option if you are routing IP and you want all routers in the same subnet.
Parameter: point-to-point
Description: Select if you do not want the router to forward broadcasts or routing updates
and if you want each pair of point-to-point routers to have its own subnet.
Subinterface Configuration Example
This topic describes the last two steps and commands that are required to configure a
subinterface on a basic Frame Relay connection.
Subinterface Configuration Example
Step 5
Configure a network-layer address on the subinterface. If the subinterface is point-to-point
and you are using IP, you can configure an unnumbered subinterface as follows:
ip unnumbered interface
The interface parameter specifies a router interface with an IP address assigned. The
subinterface associates itself with this interface for address purposes. If you use this command,
it is recommended that the interface be a loopback interface because the Frame Relay link will
not work if this command is pointing to an interface that is not fully operational. The loopback
interface is a stable interface that is accessible from all other interfaces.
Step 6
If you configured the subinterface as point-to-point, you must configure the local
DLCI for the subinterface to distinguish it from the physical interface as follows:
frame-relay interface-dlci dlci-number
The dlci-number parameter defines the local DLCI number being linked to the subinterface.
This is the only way to link an LMI-derived PVC to a subinterface, because LMI does not
know about subinterfaces.
This command is required for all point-to-point subinterfaces. It is also required for multipoint
subinterfaces for which dynamic addressing is enabled through the use of Inverse ARP. It is not
required for multipoint subinterfaces configured with static address mappings (those using the
frame-relay map command).
Remember, within the Frame Relay network, the service provider handles the actual mapping
of the DLCIs between the routers.
Note
If you defined a subinterface for point-to-point communication, you cannot reassign the same
subinterface number to be used for multipoint communication without first rebooting the
router. Instead, you can avoid using that subinterface number and use a different
subinterface number.
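The following Python model is an added example, not part of the course material, that ties this lesson together: it simulates one round-based distance-vector exchange across the hub with the split horizon rule, comparing a single multipoint interface at the hub (the reachability problem described earlier) with one point-to-point subinterface per spoke (the six-step configuration above), and shows why switching split horizon off is the wrong remedy. Router names, LAN prefixes and interface names are this example's own; the DLCIs follow the lesson's hub-and-spoke example.

```python
"""Constructed model of distance-vector advertisements with split horizon
across a Frame Relay hub.

Compares one multipoint interface at the hub with per-spoke point-to-point
subinterfaces. Routers, LAN prefixes and interface names are this example's
own; the DLCIs (110 to branch A, 120 to branch B) follow the lesson.
"""


class Router:
    def __init__(self, name, connected, split_horizon=True):
        self.name = name
        self.split_horizon = split_horizon
        # network -> interface it was learned on (None means directly connected)
        self.routes = {net: None for net in connected}
        self.peers = {}      # interface name -> list of neighbour Routers

    def attach(self, iface, neighbour):
        self.peers.setdefault(iface, []).append(neighbour)

    def advertise(self):
        """Send one round of routing updates out every interface."""
        for iface, neighbours in self.peers.items():
            update = [net for net, learned_on in self.routes.items()
                      # Split horizon: never send a route back out the
                      # interface it was learned on.
                      if not (self.split_horizon and learned_on == iface)]
            for n in neighbours:
                n.receive(update, sender=self)

    def receive(self, update, sender):
        iface = next(i for i, ns in self.peers.items() if sender in ns)
        for net in update:
            self.routes.setdefault(net, iface)     # keep the first route learned


def build_hub_and_spoke(hub_mode, hub_split_horizon=True):
    """hub_mode is 'multipoint' (both spokes on one logical interface) or
    'point-to-point' (one subinterface per spoke, like Serial1.1 / Serial1.2,
    each configured with frame-relay interface-dlci for its own DLCI)."""
    hub = Router("central", ["172.16.0.0/24"], hub_split_horizon)   # constructed LANs
    a = Router("branchA", ["192.168.1.0/24"])
    b = Router("branchB", ["192.168.2.0/24"])
    if hub_mode == "multipoint":
        hub.attach("Serial1", a)       # DLCI 110 and DLCI 120 on the same interface
        hub.attach("Serial1", b)
    else:
        hub.attach("Serial1.1", a)     # interface serial1.1 point-to-point, interface-dlci 110
        hub.attach("Serial1.2", b)     # interface serial1.2 point-to-point, interface-dlci 120
    a.attach("Serial0", hub)
    b.attach("Serial0", hub)
    return hub, a, b


def spoke_to_spoke_routes(hub_mode, hub_split_horizon=True, rounds=3):
    """Return whether each spoke learns the other spoke's LAN after convergence."""
    hub, a, b = build_hub_and_spoke(hub_mode, hub_split_horizon)
    for _ in range(rounds):
        for r in (hub, a, b):
            r.advertise()
    return ("192.168.2.0/24" in a.routes, "192.168.1.0/24" in b.routes)


if __name__ == "__main__":
    print("multipoint, split horizon on :", spoke_to_spoke_routes("multipoint"))
    print("point-to-point subinterfaces :", spoke_to_spoke_routes("point-to-point"))
    # Works too, but the lesson warns this raises the risk of routing loops.
    print("multipoint, split horizon off:", spoke_to_spoke_routes("multipoint", False))
```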
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• Disabling split horizon should not be used to resolve
the reachability issues that distance-vector protocols
have with the split horizon rule.
• In point-to-point subinterface configurations, a single
subinterface is used to establish one PVC connection
to another physical interface or subinterface on a
remote router.
• In multipoint subinterface configurations, a single
subinterface is used to establish multiple PVC
connections to multiple physical interfaces or
subinterfaces on remote routers.
• There are six steps required to configure a subinterface
on a basic Frame Relay connection.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Turning off split horizon on an NBMA environment increases the chance of creating
routing loops.
A) true
B) false
Q2) What is the recommended solution to avoid split horizon issues?
A) Do not use a distance-vector protocol over Frame Relay.
B) Enable broadcast on the serial interface.
C) Configure subinterfaces.
D) Turn off split horizon.
Q3) Which type of Frame Relay connection will eliminate broadcast and split horizon
issues?
A) multipoint subinterface
B) point-to-point subinterface
C) multipoint
D) point-to-point
Q4) What must be configured on the hub router to allow one subnet to be used for all router
interfaces participating in the Frame Relay circuit?
A) multipoint subinterfaces
B) point-to-point subinterfaces
C) IP unnumbered with multipoint subinterfaces
Q5) To configure Frame Relay subinterfaces, you must specify which parameter?
A) ARP
B) traffic rate
C) map class
D) traffic shaping
E) multipoint or point-to-point
Q6) The command frame-relay interface-dlci should be used only on subinterfaces.
A) true
B) false
Quiz Answer Key
Q1) A
Relates to: Reachability Issues with Routing Updates
Q2) C
Relates to: Resolution of Reachability Issues
Q3) B
Relates to: Point-to-Point Subinterfaces
Q4) A
Relates to: Multipoint Subinterfaces
Q5) E
Relates to: Configuration of Subinterfaces
Q6) A
Relates to: Subinterface Configuration Example
Identifying Frame Relay Traffic
Shaping Features
Overview
This lesson describes the Frame Relay traffic shaping (FRTS) features that are available in
Cisco IOS software and explains why you use FRTS.
Relevance
A Frame Relay switch cannot determine which packets take precedence, and therefore which
packets should be dropped when congestion occurs. Traffic shaping is also critical for real-time
traffic such as Voice over Frame Relay (VoFR). Failure to shape traffic can result in bottlenecks
and packet loss. Traffic shaping controls the traffic going out an interface so that it can match its
flow to the speed of the remote target interface, ensuring that the traffic conforms to the policies
for which it was contracted.
Objectives
Upon completing this lesson, you will be able to:
List the strategies for implementing FRTS
Define the terminology associated with FRTS
Identify the purpose of FRTS
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Frame Relay Traffic Flow Terminology
Traffic Shaping Over Frame Relay
Summary
Quiz
Frame Relay Traffic Flow Terminology
This topic describes the terminology that is associated with FRTS. Traffic shaping can address
bottlenecks and packet loss from mismatched data rates between source and destination.
Frame Relay Traffic Flow
Terminology
You should be familiar with some of the terminology that is related to Frame Relay traffic flow,
as listed here:
Local access rate: The clock speed (port speed) of the connection (local loop, access line,
or access circuit) to the Frame Relay cloud. This is the rate at which data travels into or out
of the network, regardless of other settings.
Committed information rate (CIR): The rate, in bits per second, at which the Frame
Relay switch agrees to transfer data. The rate is usually averaged over a period of time,
referred to as the committed time window (Tc).
Oversubscribe, oversubscription: Oversubscription occurs when the sum of the CIRs on
all the VCs coming into a device exceeds the access line speed. Oversubscription also
occurs when the access line supports the sum of the CIRs purchased, but not the sum of the
CIRs plus the bursting capacities of the VCs. Oversubscription results in frames being
dropped if the access line rate is exceeded.
Committed burst (Bc): The maximum amount of data (in bits) that the switch agrees to
transfer during any Tc. For example, if the Tc is 125 milliseconds and the CIR is 32 kbps,
the Bc is 64 kbps. (CIR=Bc/Tc)
Excess burst (Be): The maximum number of uncommitted bits that the Frame Relay
switch attempts to transfer beyond the CIR for the first time interval only. Be is dependent
on the service offerings available by your vendor, but is typically limited to the port speed
of the local access line.
FECN: When a Frame Relay switch is in congestion locally, it marks the FECN bit in the
frame header, indicating that congestion has been encountered. Other switches in the path
forward the frame, never resetting the FECN or BECN flag.
BECN: When a Frame Relay switch is in congestion locally, it marks the BECN bit in the
frame header, indicating that congestion has been encountered. With Cisco IOS Software
Release 11.2 or later, Cisco routers can respond to BECN notifications. This topic is
discussed in this lesson.
Discard eligible (DE) indicator: The DE bit is set on the oversubscribed traffic, that is, the
traffic that was received after the CIR was met. Until the release of Cisco IOS Software
Release 12.2(6), Cisco routers were not able to set the DE bit.
Note
These are generic Frame Relay terms. They may be the same or slightly different than the
terms your Frame Relay service provider uses.
Frame Relay Traffic Flow
Terminology (Cont.)
The CIR, by itself, does not provide much flexibility when dealing with varying traffic rates. In
practice, the Frame Relay switch measures traffic over a time interval specific to each logical
connection.
The Bc and Be are amounts of data that a Frame Relay network agrees to transfer over a time
interval, Tc. Be is the maximum amount in excess of the Bc that the network attempts to
transfer under normal conditions. The traffic that is beyond the Bc is marked with the DE bit
set.
Notice that the actual frame transfer rate parallels the access rate. When a frame is being
transmitted on a channel, that channel is dedicated to that transmission.
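An added worked example, not from the course material, that carries the terms above through in code: Bc is derived from the identity CIR = Bc/Tc using the text's figures (CIR 32 kbps, Tc 125 ms), a switch-side function applies the Bc / Be / DE rules per Tc to a constructed offered load, and a router-side function shows what FRTS rate enforcement to the CIR changes. The Be value, the offered load and the function names are this example's own, and "Be only in the first interval of a burst" is this example's reading of the text.

```python
"""Constructed worked example of Frame Relay traffic parameters.

Bc is derived from CIR = Bc / Tc as given in the text; the switch-side function
carries up to Bc bits per Tc as committed, up to Be more with DE set (only in
the first Tc of a burst, this example's reading of the text) and drops the rest;
the router-side function shows the effect of shaping the output to CIR first.
Function names, the Be value and the offered-load figures are this example's own.
"""


def committed_burst(cir_bps, tc_seconds):
    """Bc in bits, from the identity CIR = Bc / Tc given in the text."""
    return int(cir_bps * tc_seconds)


def switch_treatment(offered_bits_per_tc, bc, be):
    """Per Tc interval, return (committed, de_marked, dropped) for the bits offered."""
    results = []
    burst_in_progress = False
    for offered in offered_bits_per_tc:
        committed = min(offered, bc)
        remaining = offered - committed
        allowance = 0 if burst_in_progress else be   # Be only opens the burst
        de_marked = min(remaining, allowance)        # carried, but discard eligible
        dropped = remaining - de_marked              # beyond Bc + Be
        burst_in_progress = remaining > 0            # still above CIR in this Tc
        results.append((committed, de_marked, dropped))
    return results


def shape_to_cir(offered_bits_per_tc, bc):
    """Router-side FRTS rate enforcement: send at most Bc per Tc and hold the
    surplus in the shaping queue for later intervals (delay instead of loss).
    Returns the bits sent per Tc and whatever is still queued at the end."""
    sent, backlog = [], 0
    for offered in offered_bits_per_tc:
        backlog += offered
        out = min(backlog, bc)
        backlog -= out
        sent.append(out)
    return sent, backlog


CIR_BPS = 32_000          # figures from the text's Bc example
TC_SECONDS = 0.125
BC_BITS = committed_burst(CIR_BPS, TC_SECONDS)     # 4000 bits per Tc
BE_BITS = 4_000                                    # assumed excess burst for the example
OFFERED = [6_000, 6_000, 2_000, 0]                 # constructed load, bits per Tc


if __name__ == "__main__":
    print("Bc =", BC_BITS, "bits per Tc")
    print("unshaped at switch:", switch_treatment(OFFERED, BC_BITS, BE_BITS))
    shaped, left = shape_to_cir(OFFERED, BC_BITS)
    print("shaped by router:  ", shaped, "queued:", left)
    print("shaped at switch:  ", switch_treatment(shaped, BC_BITS, BE_BITS))
```

Unshaped, the second interval of the burst loses 2000 bits at the switch; shaped to CIR the same load is delayed by one Tc but nothing is DE marked or dropped.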
Traffic Shaping Over Frame Relay
This topic describes why FRTS is used. Traffic shaping is used to control access to available
bandwidth and to regulate the flow of traffic to avoid congestion that can occur when the
transmitted traffic exceeds the access speed of its remote target interface.
Why Use Frame Relay Traffic Shaping?
FRTS is used in these typical situations:
When you have a Frame Relay network topology that consists of a high-speed (T1 line
speed) connection at the central site and low-speed (64-kbps) connections at the branch
sites. Because of the speed mismatch, a bottleneck often exists for traffic on a VC when the
central site tries to communicate with the branch site. This bottleneck results in poor
response times for traffic such as Systems Network Architecture (SNA) or interactive
Telnet when it is stuck behind a large FTP packet on the low-speed line. Packets get
dropped or delayed at the bottleneck, resulting in lost SNA sessions and possibly causing
the central site to retransmit unacknowledged packets, making the congestion problem
worse. The rate enforcement capability in FRTS can be used to limit the rate at which data
is sent on the VC at the central site. Rate enforcement can also be used in conjunction with
the existing DLCI prioritization feature to further improve performance in this situation.
The VCs send traffic as fast as the physical line speed allows. This occurs when you have a
Frame Relay network that is constructed with many VCs to different locations on a single
physical line into the network. The rate enforcement capability of FRTS enables you to
control the transmission speed used by the router by other criteria, such as the CIR or
excess information rate (EIR). The rate enforcement feature preallocates the bandwidth that
each VC receives on the physical line into the network, effectively creating a virtual
statistical time-division multiplexing (TDM) network.
If you have noticed that your Frame Relay connections occasionally get congested, you
may want the router to throttle traffic instead of sending it into the network. Throttling the
traffic may help prevent packet loss in the network. The BECN-based throttling capability
provided with FRTS allows you to have the router dynamically throttle traffic based on
receiving BECN-tagged packets from the network. This throttling holds packets in the
buffers of the router to reduce the data flow from the router into the Frame Relay network.
The throttling is done on a per-VC basis, and the rate is dynamically increased as fewer
BECNs are received.
Quite often you may have several different types of traffic to transmit on the same Frame
Relay VC, such as IP, SNA, or Internetwork Packet Exchange (IPX). You may want to
ensure that each different traffic type receives a certain amount of bandwidth. Using
custom queuing with the per-VC queuing and rate enforcement capabilities enables you to
configure VCs to perform this task. Prior to Cisco IOS Software Release 11.2, custom
queuing was defined at the interface level only. Today, custom queuing can be defined at
the VC level.
Summary
This topic summarizes the key points discussed in this lesson.
• Local access rate is the clock speed of the connection
to the Frame Relay cloud.
• Committed information rate is the rate at which the
Frame Relay switch agrees to transfer data.
• Oversubscription occurs when the sum of the CIRs on
all the virtual circuits coming into a device exceeds the
access line speed.
• Committed burst is the maximum number of bits that
the switch agrees to transfer during any committed rate
measurement interval.
• Excess burst is the maximum number of uncommitted
bits that the Frame Relay switch will attempt to transfer
beyond the CIR for the first time interval only.
• When a Frame Relay switch is in congestion locally, it
marks the FECN bit in the frame header towards the
destination device indicating that congestion has been
encountered.
• When a Frame Relay switch is in congestion locally, it
marks the BECN bit in the frame header indicating that
congestion has been encountered.
• The DE bit is set on the oversubscribed traffic.
• Traffic shaping is used to control access to available
bandwidth and to regulate the flow of traffic in order to
avoid congestion that can occur when the transmitted
traffic exceeds the access speed of its remote target
interface.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) When a Frame Relay switch recognizes congestion in the network, which bit field will
the switch use to notify the destination that congestion was experienced in the
network?
A) DE
B) FECN
C) BECN
D) CIR
Q2) Traffic shaping is primarily used to ____________.
A) direct traffic flow to particular networks
B) break up data into smaller segments
C) control traffic transmission speeds
D) encapsulate data on Frame Relay connections
Quiz Answer Key
Q1) B
Relates to: Frame Relay Traffic Flow Terminology
Q2) C
Relates to: Traffic Shaping Over Frame Relay
Configuring Frame Relay Traffic Shaping
Overview
This lesson discusses Frame Relay traffic shaping (FRTS) configuration tasks.
Relevance
Traffic shaping controls the traffic leaving an interface to match its flow to the speed of the
remote target interface. Traffic shaping also ensures that the traffic conforms to the policies for
which it was contracted. For this reason, it is important to know how to configure FRTS. This
lesson covers the concepts and commands for configuring FRTS.
Objectives
Upon completing this lesson, you will be able to:
List the steps and commands that are required when configuring FRTS
Manually configure FRTS
Describe Frame Relay rate enforcement with BECN support
Configure Frame Relay rate enforcement with BECN support
Learner Skills and Knowledge
To fully benefit from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Step 1: Configuration of FRTS
Step 2: Configuration of FRTS
Steps 3-5: Configuration of FRTS
Traffic-Shaping Rate Enforcement
Traffic-Shaping Rate Enforcement Configuration Example
Traffic-Shaping BECN Support Example
Traffic-Shaping BECN Support Configuration Example
Traffic-Shaping Example
Verification of FRTS
show traffic-shape Command
show traffic-shape statistics Command
Summary
Quiz
Step 1: Configuration of FRTS
There are five steps that are required to configure FRTS. This topic describes the commands
that are required in the first step.
Router(config)#map-class frame-relay map-class-name
• Enters map class configuration mode so you can define a map class
To enable FRTS, perform these steps:
Step 1
Specify a map class name to be defined with the map-class frame-relay map-class-name command.
Step 2: Configuration of FRTS
This topic describes the second step to configure FRTS, the specification of traffic-shaping bit
rates (versus multiple commands to set individual rate parameters).
Router(config-map-class)#frame-relay traffic-rate average [peak]
• Defines the average and peak rates
or
Router(config-map-class)#frame-relay adaptive-shaping becn
• Specifies that the router fluctuates the sending rate based on the BECNs received
Step 2
Define the map class. When you define a map class for Frame Relay, you can use
these options for traffic shaping:
Define the average and peak rates (in bits per second) allowed on virtual circuits
associated with the map class.
Specify that the router dynamically changes the rate at which it sends packets,
depending on the BECNs that it receives.
Specify either a custom queue list or a priority queue group to use on virtual
circuits associated with the map class.
Regarding the first option, define the average and peak rates if the data is being sent faster than
the speed at which the destination is receiving. To define the average and peak rates (in bits
per second) allowed on VCs that are associated with the map class, use the frame-relay traffic-rate average [peak] command.
The command syntax is described in the following table:
frame-relay traffic-rate Command Parameters
average: Average rate in bits per second; equivalent to specifying the contracted CIR.
peak: (Optional) Peak rate, in bits per second; equivalent to CIR + Be/Tc = CIR + EIR.
Specify that the sending router adjust its transmission rate based on the BECNs received. To
select BECN as the mechanism to which traffic shaping will adapt, use the frame-relay
adaptive-shaping becn command.
Note
The frame-relay adaptive-shaping command replaces the frame-relay becn-response-enable command.
Step 2: Configuration of FRTS (Cont.)
Router(config-map-class)#frame-relay custom-queue-list number
• Specifies a custom queue list
or
Router(config-map-class)#frame-relay priority-group number
• Specifies a priority group
(Optional) If you want to distinguish and control traffic flow, you must specify a queuing
mechanism such as a custom queue list or a priority group. To specify a custom queue list,
use the frame-relay custom-queue-list number command. To specify a priority queue list,
use the frame-relay priority-group number command. The number is a required number
assigned to the custom or priority queue list. The command syntax is described in the
following table.
frame-relay custom-queue-list and frame-relay priority-group Commands
frame-relay custom-queue-list number: Assigns a custom queue to VCs associated with the map class.
Use this command when you want to guarantee a particular protocol or service. Use this command
after you have defined a custom queue using the queue-list command.
frame-relay priority-group number: Assigns a priority queue to VCs that are associated with the map
class. Use this command when you want to guarantee an absolute priority for a protocol or service.
Use this command after defining the priority queue using the priority-list command.
Only one queuing mechanism may be associated with a map class. To change the queuing
mechanism from a type other than the default (FIFO), the previous queuing mechanism must
first be disabled using the no form of the command.
Note
Custom and priority queuing are not recommended methods of queuing. Low latency
queuing (LLQ) and class-based weighted fair queuing (CBWFQ) have replaced them.
Steps 3-5: Configuration of FRTS
This topic describes the last three steps to configure FRTS.
Step 3
Router(config-if)#encapsulation frame-relay
• Enables Frame Relay on an interface
Step 4
Router(config-if)#frame-relay class map-class-name
• Maps the map class to virtual circuits on the interface
Step 5
Router(config-if)#frame-relay traffic-shaping
• Enables Frame Relay traffic shaping on an interface
Step 3
After you have defined a map class with queuing and traffic-shaping parameters,
enter interface configuration mode and enable Frame Relay encapsulation on an
interface with the encapsulation frame-relay command.
Step 4
Map a map class to all VCs on the interface with the frame-relay class map-class-name
command. The map-class-name argument must match the name of the map class that you
configured.
Step 5
Enable FRTS on an interface with the frame-relay traffic-shaping command. Enabling
FRTS on an interface enables both traffic shaping and per-VC queuing on all the PVCs
and SVCs on the interface. Traffic shaping enables the router to control the output rate
of the circuit and react to congestion notification information, if that is also configured.
Note
You can map the map class to the interface or a specific subinterface on the interface.
Subinterfaces inherit the class parameters mapped to the main interface, unless a specific
class is applied to the subinterface.
Traffic-Shaping Rate Enforcement
Traffic shaping is used to implement rate enforcement. This topic describes a typical scenario
where Frame Relay rate enforcement should be configured.
The figure illustrates a typical Frame Relay environment. The central site has a T1-speed local
loop connection, and the branch offices have slower local loop connections, in this case 64
kbps. In addition, the CIR for each PVC going from the central site to each branch office is 64
kbps. In this environment, the following process occurs:
1. The central site may send data across the T1-speed line. Even though the CIR is 64 kbps,
the router continues to send the data based on the T1 rate.
2. The data goes through the cloud.
3. When the data reaches the local loop that is connected to the branch office, a bottleneck
occurs because the data is being sent faster than the speed of the branch office local loop.
At this point packets are buffered at the egress point of the network, which increases line
response time and can cause problems, particularly for latency-sensitive protocols such as
SNA.
The solution to this bottleneck is to slow the speed at which the central site router is sending
data. With FRTS, you can define and enforce a rate on the VC at which the router will send
data. The pace you set can be the CIR, EIR, or some other value.
Traffic-Shaping Rate Enforcement Configuration Example
This topic describes how to manually configure Frame Relay rate enforcement.
Perform these steps to configure FRTS rate enforcement:
Step 1
Define a map class and enter map class configuration mode, as follows:
map-class frame-relay map-class-name
Step 2
Define the rate enforcement parameters to use, as follows:
[no] frame-relay traffic-rate average [peak]
average is the “average rate” (equivalent to setting CIR).
peak is the “peak rate”
(equivalent to CIR + Be/Tc = CIR(1 + Be/Bc) = CIR + EIR).
If the peak value is not configured, the peak rate will default to the average
value configured.
For SVCs, the configured peak and average rates are converted to the equivalent
CIR, Be, and Bc values for use by SVC signaling.
The frame-relay traffic-rate command configures all of the traffic-shaping
characteristics of a VC (CIR, Bc, Be) in a single command. It is much simpler
than setting each parameter individually in the map class, but it does not provide
the additional granularity. Only one command format—either traffic rate or
setting individual values for CIR, Be, or Bc—will be accepted in one map class.
The user is warned when entering a second command type that the previous
traffic rate is being overwritten.
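Worked check of the peak-rate relationship in Step 2, added here as an illustration (it is not part of the original page). It uses the fast_vcs figures from the Traffic-Shaping Example later in this lesson; the 125-ms measurement interval is an assumed Tc, not a value the page states.

Tc = Bc / CIR
peak = CIR + Be/Tc = CIR + Be × (CIR/Bc) = CIR × (1 + Be/Bc) = CIR + EIR
With frame-relay traffic-rate 16000 64000 (average 16,000 bps, peak 64,000 bps):
  1 + Be/Bc = 64,000 / 16,000 = 4, so Be = 3 × Bc and EIR = 48,000 bps
Assuming Tc = 125 ms:
  Bc = CIR × Tc = 16,000 × 0.125 = 2,000 bits
  Be = 3 × 2,000 = 6,000 bits
  Check: CIR + Be/Tc = 16,000 + 6,000 / 0.125 = 64,000 bps = peak
In each 125-ms interval the router may therefore send at most Bc + Be = 8,000 bits; when BECN
adaptive shaping throttles the VC back to its average rate, it sends only Bc = 2,000 bits per interval.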
Step 3
Enable both traffic shaping and per-VC queuing for all VCs (PVCs and SVCs) on a
Frame Relay interface, as follows:
frame-relay traffic-shaping
For VCs where no specific traffic-shaping or queuing parameters are specified, the
values are inherited from the parent interface; otherwise, a default set of values is
used.
Step 4
Associate a map class with an interface or subinterface, as follows:
frame-relay class name
Each VC created on the interface or subinterface inherits all of the relevant
parameters defined in the Frame Relay class name. For each VC, the precedence
rules are as follows:
Use a map class associated with the VC, if it exists.
If not, use a map class associated with the subinterface, if it exists.
If not, use a map class associated with the interface, if it exists.
If not, use the default parameters.
Step 5
(Optional) Apply a map class to a specific DLCI for which a Frame Relay map
statement exists, as follows:
frame-relay interface-dlci dlci [ietf | cisco]
class name
Traffic-Shaping BECN Support Example
This topic describes Frame Relay rate enforcement with BECN support.
The figure illustrates a Frame Relay environment where a site has a different speed on its local
loop connections to the Frame Relay cloud.
In this environment, without FRTS, the following process can occur:
1. The central site router sends data to the branch office router.
2. One of the switches within the cloud determines that it is getting congested with traffic. In
this case, the congested switch sets the BECN bit in reply packets from the branch office
router to the central site router.
3. The central site router notes that the BECN is received but does not slow its transmission
rate.
4. At this point, packets from the central site router begin dropping within the switch that is
encountering the congestion. This condition results in retransmissions, further congesting
the link.
The solution for this problem is to enable the router to dynamically fluctuate the rate at which it
sends packets, depending on the BECNs that it receives. For example, if the router begins
receiving many BECNs, it reduces the packet transmit rate. As the BECNs become intermittent,
the router increases the packet transmit rate. The goal is to send the optimal amount of traffic
without incurring drops, thus maximizing throughput.
Traffic-Shaping BECN Support Configuration Example
This topic describes how to configure Frame Relay rate enforcement with BECN support.
Perform these steps to configure traffic shaping with Frame Relay BECN support:
Step 1
Define a map class and enter map class configuration mode, as previously discussed.
Step 2
Make sure that BECN support is enabled, as follows:
frame-relay adaptive-shaping becn
BECN support is disabled by default.
When enabled, BECNs received from the network on this VC are used to further
regulate the output rate on the VC. As the frequency of BECNs increases, the
output rate is steadily reduced from peak to average (equivalent of CIR). As
congestion eases in the network and the frequency of BECNs decreases, the
output rate is allowed to increase gradually to its configured peak.
Step 3
Enable both traffic shaping and per-VC queuing for all VCs (PVCs and SVCs) on a
Frame Relay interface, as follows:
frame-relay traffic-shaping
For VCs where no specific traffic-shaping or queuing parameters are specified, a set of default
values is used.
Step 4
Associate a map class with an interface or subinterface, as follows:
frame-relay class name
Step 5
(Optional) Apply the map class to a specific DLCI for which a Frame Relay map
statement exists, as follows:
frame-relay interface-dlci dlci [broadcast] [ietf | cisco]
class name
Traffic-Shaping Example
This topic describes an example of Frame Relay rate enforcement with BECN support
configuration.
In this example, the VCs on subinterfaces Serial0.1 and Serial0.3 inherit class parameters from
the main interface, namely those defined in slow_vcs. However, the virtual circuit defined on
subinterface Serial0.2 (DLCI 102) is specifically configured to use map class fast_vcs.
Map class slow_vcs uses a peak rate of 9600 bps and an average rate of 4800 bps. If BECN
adaptive shaping is configured for this map class, the output rate will be cut back to as low as
4800 bps (the average rate) in response to received BECNs. This map class is configured to use
custom queuing using queue-list 1. In this example, queue-list 1 has three queues, with the first
two queues being defined by access lists 100 and 115.
Map class fast_vcs uses a peak rate of 64,000 bps and an average rate of 16,000 bps. If BECN
adaptive shaping were configured for this map class, the output rate would be cut back to as low
as 16,000 bps (the average rate) in response to received BECNs, because adaptive shaping
throttles a VC from its peak rate down to its own average rate, not to the rate of another class.
This map class is configured to use priority queuing using priority-group 2.
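The configuration that the narrative above describes, written out here as an added example; it is not the course figure or Cisco's own text, and it also serves as the complete configuration for Steps 1 through 5 and for the rate-enforcement and BECN-support procedures earlier in this lesson. The DLCI numbers 101 through 103, the IP addresses, the contents of access lists 100 and 115, and the queue byte counts are assumptions chosen to fit the narrative; BECN adaptive shaping is enabled only in slow_vcs to match the conditional wording for fast_vcs.

```cisco
! Added example: hub-router configuration matching the Traffic-Shaping Example
! narrative. Not taken from the course figure; DLCIs 101-103, IP addresses,
! access-list contents and queue byte counts are assumptions.
!
! Access lists that feed the custom queue list (assumed contents)
access-list 100 permit tcp any any eq telnet
access-list 115 permit tcp any any eq ftp
access-list 115 permit tcp any any eq ftp-data
!
! Custom queue list 1: three queues, the first two selected by ACLs 100 and 115
queue-list 1 protocol ip 1 list 100
queue-list 1 protocol ip 2 list 115
queue-list 1 default 3
queue-list 1 queue 1 byte-count 1500
queue-list 1 queue 2 byte-count 3000
queue-list 1 queue 3 byte-count 1500
!
! Priority list 2 used by fast_vcs (assumed: Telnet gets the high queue)
priority-list 2 protocol ip high list 100
priority-list 2 default normal
!
! Step 1 and Step 2: map classes (frame-relay traffic-rate average [peak])
map-class frame-relay slow_vcs
 frame-relay traffic-rate 4800 9600
 frame-relay adaptive-shaping becn
 frame-relay custom-queue-list 1
!
map-class frame-relay fast_vcs
 frame-relay traffic-rate 16000 64000
 frame-relay priority-group 2
!
! Steps 3-5: encapsulation, default class and FRTS on the physical interface
interface Serial0
 no ip address
 encapsulation frame-relay
 frame-relay traffic-shaping
 frame-relay class slow_vcs
!
! Serial0.1 and Serial0.3 inherit slow_vcs from the main interface
interface Serial0.1 point-to-point
 ip address 10.1.1.1 255.255.255.252
 frame-relay interface-dlci 101
!
! DLCI 102 overrides the inherited class with fast_vcs (per-DLCI class)
interface Serial0.2 point-to-point
 ip address 10.1.2.1 255.255.255.252
 frame-relay interface-dlci 102
  class fast_vcs
!
interface Serial0.3 point-to-point
 ip address 10.1.3.1 255.255.255.252
 frame-relay interface-dlci 103
```

Verify with show frame-relay pvc 102 (per-VC shaping and queuing parameters), show traffic-shape (the target rate for each DLCI, with Adapt Active reading BECN only for DLCIs 101 and 103) and show traffic-shape statistics (queue depth and delayed packets per VC), as described in the verification topics that follow. The lesson itself marks custom and priority queuing as superseded by LLQ and CBWFQ; they appear here only because the worked example uses them.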
Verification of FRTS
Various commands are required to monitor and troubleshoot FRTS. This topic describes the
show frame-relay pvc command, which is useful for displaying the parameters that are used in
traffic shaping and the queuing algorithm that is in use for all interfaces.
In addition to Frame Relay PVC status, traffic, and DLCI information, the show frame-relay
pvc [interface interface] [dlci] command includes the parameters that are used in traffic
shaping, if enabled, and the queuing algorithm that is in use for all interfaces. The specific
details displayed for traffic shaping and queuing depend on the specific Cisco IOS software
release.
show traffic-shape Command
This topic describes another command that is used to monitor and troubleshoot FRTS. The
show traffic-shape command is used to display the current traffic-shaping configuration.
Use the show traffic-shape command to display the current traffic-shaping configuration. The
command output contains these fields:
show traffic-shape Command Fields
Target Rate: Rate that traffic is shaped to, in bps.
Byte Limit: Maximum number of bytes transmitted per internal interval.
Sustain bits/int: Configured sustained bits per interval.
Excess bits/int: Configured excess bits per interval.
Interval (ms): Interval being used internally. This interval may be smaller than the Bc
divided by the CIR if the router determines that traffic flow will be more stable with a
smaller configured interval.
Increment (bytes): Number of bytes that are sustained per internal interval.
Adapt Active: Contains BECN if Frame Relay has BECN adaptation configured.
show traffic-shape statistics Command
This topic describes the show traffic-shape statistics command, which is used to display the
current traffic-shaping statistics.
Use the show traffic-shape statistics command to display the current traffic-shaping statistics.
The command output contains the fields in the following table.
show traffic-shape statistics Command Fields
Queue Depth: Number of messages in the queue.
Packets: Number of packets sent through the interface.
Bytes: Number of bytes sent through the interface.
Packets Delayed: Number of packets sent through the interface that were delayed in the
traffic-shaping queue.
Bytes Delayed: Number of bytes sent through the interface that were delayed in the
traffic-shaping queue.
Shaping Active: Contains "yes" when timers indicate that traffic shaping is occurring and
"no" if traffic shaping is not occurring.
Summary
This topic summarizes the key points discussed in this lesson.
• Traffic shaping can be used to address bottlenecks
and packet loss due to mismatched data rates
between source and destination.
• Traffic shaping controls the traffic going out an
interface in order to match its flow to the speed of
the remote target interface, and to ensure that the
traffic conforms to the policies contracted for it.
Next Steps
For the associated lab exercise, refer to the following section of the course Lab Guide:
Lab Exercise 8-1: Establishing a Dedicated Frame Relay Connection and Controlling
Traffic Flow
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) In the command frame-relay adaptive-shaping becn, what does becn indicate?
A) the mechanism that traffic shaping will use
B) the name to represent this process
C) how packets will be prioritized
Q2) How many queuing mechanism(s) may be associated with a map class?
A) one
B) two
C) three
D) four
Q3) The encapsulation frame-relay command enables Frame Relay on an interface.
A) true
B) false
Q4) Your central site has a T1 connection and the branch offices have 56-kbps connections.
You should apply traffic shaping at the _____ to limit _____ traffic.
A) central site; outgoing
B) central site; incoming
C) branch offices; outgoing
D) branch offices; incoming
Q5) Traffic-shaping rate enforcement will optimize asynchronous Frame Relay
connections.
A) true
B) false
Q6) The command frame-relay class name may be used on physical interfaces only.
A) true
B) false
Q7) Which command is used to configure traffic-shaping BECN support?
A) frame-relay class becn
B) frame-relay adaptive-shaping becn
C) no configuration necessary, enabled by default
Q8) What does 1200 refer to in the command frame-relay traffic-rate 1200 4800?
A) committed information rate
B) average rate
C) peak rate
D) normal rate
Q9) Both the show queuing and show interfaces commands display queuing information
about interfaces.
A) true
B) false
Q10) The show traffic-shape command output contains the following fields except:
A) target rate
B) byte limit
C) interval (sec)
D) increment (bytes)
Q11) The show traffic-shape statistics command contains the following fields except:
A) packets
B) bytes
C) packets delayed
D) packets rejected
Quiz Answer Key
Q1) A
Relates to: Step 1: Configuration of FRTS
Q2) A
Relates to: Step 2: Configuration of FRTS
Q3) A
Relates to: Steps 3-5: Configuration of FRTS
Q4) A
Relates to: Traffic-Shaping Rate Enforcement
Q5) A
Relates to: Traffic-Shaping Rate Enforcement Configuration Example
Q6) B
Relates to: Traffic-Shaping BECN Support Example
Q7) B
Relates to: Traffic-Shaping BECN Support Configuration Example
Q8) B
Relates to: Traffic-Shaping Example
Q9) A
Relates to: Verification of FRTS
Q10) C
Relates to: show traffic-shape Command
Q11) D
Relates to: show traffic-shape statistics Command
Module 9
Implementing DDR Backup
Overview
This module describes how to configure a backup connection for a primary connection, such as
a Frame Relay serial connection, in the event that the link goes down or is overused.
Objectives
Upon completing this module, you will be able to:
Configure a backup connection that activates upon primary line failure
Configure a backup connection to engage when the primary line reaches a specified
threshold
Configure a dialer interface and a specific physical interface to function as backup to the
primary interface
Outline
The module contains these lessons:
Configuring Dial Backup
Routing with the Load Backup Feature
Configuring Dial Backup
Overview
This lesson describes how to configure a backup connection for a primary connection, such as a
Frame Relay serial connection, in the event that the link goes down or is overused.
Relevance
Dial backup provides protection against WAN downtime by allowing the network administrator
to configure a backup serial line through a circuit-switched connection.
Objectives
Upon completing this lesson, you will be able to:
Configure a backup connection that activates upon primary line failures
Configure a backup connection to engage when the primary line reaches a specified load
threshold
Identify the steps that are needed to correctly configure a backup connection to engage
when the primary line fails
Configure a backup connection to correctly identify when the primary line fails and to
delay engaging when the primary line fails
Configure a backup connection to delay engaging when the primary line fails and delay the
shutdown of the backup interface after the primary interface is re-enabled
Show an example of a configuration of a backup connection that will engage when the
primary line reaches a specified load threshold of 60 percent
Identify the limitations of using a physical interface as a backup interface
Identify scalability measures for backup interfaces by using dialer profiles
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Dial Backup Overview
Dial Backup for High Primary Line Usage
Activation of Backup Interfaces for Primary Line Failures
Activation of Dial Backup
Dial Backup Activation Example
Configuration of Dial Backup for Excessive Traffic Load
Configuration Example of Dial Backup for Excessive Traffic Load
Backup Limitations with Physical Interfaces
Dial Backup with Dialer Profile
Configuration of a Backup Dialer Profile
Dialer Profile Backup Example
Summary
Quiz
Dial Backup Overview
This topic describes configuring a backup connection that activates upon primary line failures.
Dial Backup for Primary Line Failures
• A backup connection will enable if the primary line
fails
Dial-on-demand routing (DDR) backup is a method of bringing up an alternate dialup link if
the primary WAN link fails. When the router configured for DDR backup recognizes that the
primary connection to the remote site has been lost, it initiates a DDR connection to the remote
site using an alternative dialup connection. In some cases, when a single permanent virtual
connection (PVC) or data-link connection identifier (DLCI) fails on a Frame Relay multipoint
interface, the PVC failure will not initiate a dial backup connection. The router will initiate a
DDR backup connection only if it detects that the primary interface has failed.
The backup interface can be a physical interface or an assigned backup interface to be used in a
dialer pool. Backup interfaces for a primary line can be an ISDN BRI interface, an
asynchronous interface, dialer interface, or another serial interface.
Backup interfaces are beneficial for redundancy in case primary lines fail. The example in the
figure illustrates an ISDN backup for a Frame Relay network.
Copyright © 2004, Cisco Systems, Inc.
Implementing DDR Backup
9-5
Dial Backup for High Primary Line Usage
This topic describes configuring a backup connection to engage when the primary line reaches
a specified threshold.
Dial Backup for High Primary Line Usage
• A backup connection will enable if the primary line
reaches a specified threshold
In addition to backing up a primary line in case of failure, a secondary backup interface can be
configured to activate when one of the following circumstances occurs:
The load on the primary line reaches a specified threshold
The load on the primary line exceeds a specified threshold
Activation of Backup Interfaces for Primary Line
Failures
This topic describes the steps needed to correctly configure a backup connection to engage
when the primary line fails.
Activating Dial Backup for
Line Failures
Router(config-if)#backup interface interface-type number
• Specifies the backup interface
Router(config-if)#backup delay {enable-delay | never} {disable-delay | never}
• Designates when to activate the backup line if a
primary line fails
Perform these steps to configure backup if a primary line goes down:
Step 1
Select the primary interface and configure it as needed (for DDR, Frame Relay
interfaces and subinterfaces, ATM, and so on).
Step 2
On the primary interface, use the backup interface interface-type number command
to specify the backup to be used if a dial backup is needed. The command syntax is
shown in the table.
backup interface interface-type number Command
Command
Description
interface-type number
Specifies the interface or dialer interface to use for backup.
Interface number specifications vary from router to router. For
example, some routers require you to just specify the port number,
while others require you to specify the slot and port.
Step 3
Define the period of time to wait before enabling the backup link when the primary
link goes down with the backup delay {enable-delay | never} {disable-delay |
never} command. The command syntax is shown in the table.
backup delay {enable-delay | never} {disable-delay | never} Command
Command
Description
enable-delay
Number of seconds that elapse after the primary line goes down
before the Cisco IOS software activates the secondary line
disable-delay
Number of seconds that elapse after the primary line comes up
before the Cisco IOS software deactivates the secondary line
never
Prevents the secondary line from being activated or deactivated
Activation of Dial Backup
This topic describes configuring a backup connection to correctly identify when the primary
line fails, and configuring a backup connection to delay engaging when the primary line fails.
Activating Dial Backup
When a backup interface is specified on a primary line, the backup interface is placed in
standby mode, as illustrated in the figure. Once in standby mode, the backup interface is
effectively shut down until enabled. The backup route between the two company sites is not
resolvable and does not appear in the routing table.
The primary link is the only route that appears in the routing table. The branch office router
continues to monitor the line protocol of the primary interface or subinterface.
When the branch office router receives an indication that the primary interface is down, the
backup interface is brought up. The amount of time that the device waits to bring up the backup
interface is adjustable using the backup delay command. You can also configure the backup
interface to go down (after a specified time) when the primary connection is restored.
The backup interface command is dependent on the router identifying that an interface is
physically down. Because of this, the backup interface command is commonly used to back
up ISDN BRI connections, asynchronous lines, and leased lines. This is because the interfaces
to such connections go down when the link fails; therefore, the backup interface can quickly
identify such failures. The backup interface approach may also be used for point-to-point
Frame Relay subinterfaces. However, with Frame Relay, the main or multipoint interfaces can
remain in an up/up state even if the PVC goes down. This could cause the router to fail to
detect a down primary Frame Relay connection, and thereby fail to bring up the backup link.
A new development for end-to-end PVC management is a Cisco proprietary feature known as
Frame Relay end-to-end keepalive. In Frame Relay end-to-end keepalive, keepalive packets are
encapsulated in Frame Relay. This feature provides a status to verify that end-to-end
communications are working and that traffic is getting through. This feature also allows a Cisco
device to quickly detect that a link is down and enable the backup link.
Dial Backup Activation Example
This topic describes configuring a backup connection to delay engaging when the primary line
fails, and delaying the shutdown of the backup interface after the primary interface is reenabled.
Dial Backup Activation Example
In the figure, interface serial 3/1 is the primary interface. If the primary interface is down for 20
seconds, the backup interface, bri 0/0, is activated. The secondary line deactivates 40 seconds
after the primary line is re-enabled.
Note
The example in the figure illustrates only the commands to enable a backup. The interface
must also be configured as needed (for DDR, Frame Relay, ATM, and so on).
Configuration of Dial Backup for Excessive
Traffic Load
This topic describes configuring a backup connection to engage when the primary line reaches
a specified load threshold. Also discussed are the steps that are needed to engage a backup
interface when the primary line reaches a specified load threshold.
Configuring Dial Backup for Excessive
Traffic Load
Router(config-if)#backup interface interface-type number
• Specifies the backup interface
Router(config-if)#backup load {enable-threshold | never} {disable-load | never}
• Specifies when the backup interface should
enable or disable
You can configure a backup to activate the secondary line based on the traffic load on the
primary line. The software monitors the traffic load and computes a 5-minute moving average,
expressed as a percentage of the bandwidth configured on the primary interface, so the
bandwidth value on that interface must reflect the real circuit speed. The 5-minute moving
average can be shortened with the load-interval command to make the load backup more
responsive. If this average exceeds the threshold you set for the line, the secondary line is
activated. Depending on how routing is configured, some or all of the traffic then flows onto
the secondary dialup line.
Perform these steps to configure backup if a primary line reaches or exceeds a certain
threshold:
Step 1
Select the primary interface and configure it as needed (for DDR, Frame Relay
interfaces and subinterfaces, ATM, and so on).
Step 2
On the primary interface, use the backup interface interface-type number command
to specify the backup to be used if a dial backup is needed. The command syntax is
shown in the table.
backup interface interface-type number Command
Command
Description
interface-type number
Specifies the interface or dialer interface to use for backup.
Interface number specifications vary from router to router. For
example, some routers require you to just specify the port number,
while others require you to specify the slot and port.
Step 3
To set the traffic load threshold for dial backup service, use the backup load
{enable-threshold | never} {disable-load | never} command. The command syntax is
shown in the table.
backup load {enable-threshold | never}{disable-load | never} Command
Command
Description
enable-threshold
Percentage of the available bandwidth of the primary line that the
traffic load must exceed to enable dial backup
disable-load
Percentage of the available bandwidth of the primary line that the
traffic load must be less than to disable dial backup
never
Prevents the secondary line from being activated or deactivated
Note
Because the backup load is determined on an interface, the backup load feature cannot be
configured on a subinterface.
Step 4
(Optional) To change the length of time for which data is used to compute load
statistics, use the load-interval seconds interface configuration command. The
command syntax is shown in the table.
load-interval seconds Command
Command
Description
seconds
Length of time for which data is used to compute load statistics; a
value between 30 and 600 that is a multiple of 30. Used to increase
the accuracy of the interface load.
Warning: This command will increase the load on the CPU because
of more frequent calculations.
Configuration Example of Dial Backup for
Excessive Traffic Load
This topic describes the configuration of a backup connection to engage when the primary line
reaches a specified load threshold of 60 percent.
Configuration Example of Dial Backup for
Excessive Traffic Load
The example in the figure sets the traffic threshold to 60 percent of the primary line serial 3/1.
When the load is exceeded, the secondary line, BRI 0/0, is activated, and is not deactivated
until the load is less than 5 percent of the primary bandwidth.
Note
The example in the figure illustrates only the commands to enable a backup. The interface
must also be configured as needed (for DDR, Frame Relay, ATM, and so on).
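The failure-triggered procedure (backup delay) and the load-triggered procedure (backup load) above, combined on one branch router as an added example; this is not a figure from the course. The hostnames, addresses, ISDN number, switch type and CHAP secret are assumptions, and the primary is a leased line rather than Frame Relay so that its line protocol does drop when the circuit fails.

```cisco
! Added example (not from the course). Assumed values: hostnames Branch and
! Central, 10.1.4.0/24 on the leased line, 10.1.5.0/24 on the ISDN path,
! number 5551234, switch type basic-ni, CHAP secret backupsecret.
hostname Branch
!
! CHAP credentials for the router that answers the backup call (assumed).
username Central password backupsecret
!
isdn switch-type basic-ni
!
interface Serial3/1
 description Primary leased line to Central (HDLC: line protocol drops on failure)
 ip address 10.1.4.2 255.255.255.0
 ! backup load is a percentage of this value, so it must match the circuit.
 bandwidth 64
 ! Take BRI0/0 out of standby 20 s after line protocol goes down and return it
 ! to standby 40 s after the primary comes back (backup delay 20 40).
 backup interface BRI0/0
 backup delay 20 40
 ! Also enable the backup when the load average exceeds 60 percent and release
 ! it when it falls below 5 percent. Accepted on a physical interface only.
 backup load 60 5
 ! Average the load over 30 s instead of the 5-minute default (costs some CPU).
 load-interval 30
!
interface BRI0/0
 description Legacy-DDR backup to Central; only one B channel is used this way
 ip address 10.1.5.2 255.255.255.0
 encapsulation ppp
 ! Authenticate the peer before any traffic is forwarded over the backup path.
 ppp authentication chap
 dialer map ip 10.1.5.1 name Central broadcast 5551234
 dialer idle-timeout 120
 dialer-group 1
!
! Leaving standby does not place the call by itself; a packet must still match
! this interesting-traffic list before the router dials.
dialer-list 1 protocol ip permit
!
! Verification: show interfaces Serial3/1 (backup interface, delays and load
! thresholds), show interfaces BRI0/0 (standby mode), show backup.
```

With both commands on Serial3/1, either condition takes BRI0/0 out of standby; `show interfaces Serial3/1` reports the backup interface together with the failure delay, disable delay and the kick-in and kick-out load percentages.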
Backup Limitations with Physical Interfaces
This topic describes the limitations of using a physical interface as a backup interface.
Backup Limitations with Physical Interfaces
• A physical interface cannot be a backup and
active at the same time
If a physical ISDN BRI interface is used as a backup to a primary connection, it will be placed
in standby mode and cannot be used as a link to another site. This method illustrates an
inefficient use of router resources, because the physical BRI interface can be used to send
traffic across the WAN.
In the figure shown, the branch office wants to back up its Frame Relay connection with ISDN
BRI. However, the branch office also wants to use the same BRI interface as a DDR link to a
small office, home office (SOHO). If the branch office places the physical BRI link in standby
mode, it is deactivated and will not activate until the primary line fails or reaches a specified
threshold. Thus, the BRI link cannot be used to connect to the SOHO.
Dial Backup with Dialer Profile
This topic describes the scalability measures for backup interfaces by using dialer profiles.
Using Dialer Interfaces as the
Backup Interface
• A dialer interface can be used as the backup
without deactivating the physical interface.
With dialer profiles, the BRI connection in the preceding figure can be used to back up the
primary Frame Relay link between the central site and branch office. At the same time, a BRI
connection can be configured for DDR between the branch office and SOHO. By configuring
one dialer profile to act as the backup line, this profile will be in standby mode until engaged.
Configuring another dialer profile allows for communication between the branch office and
SOHO sites. Thus, configuring the physical BRI interface to be a member of both dialer pools
enables the physical BRI interface for backup and remote connectivity.
Note
When you use a BRI for a dial backup, neither of the bearer (B) channels can be used while
the interface is in standby mode. In addition, when a BRI is used as a backup interface and
the BRI is configured for legacy DDR, only one B channel is usable. After the backup is
initiated over one B channel, the second B channel is unavailable. If the backup interface is
configured for dialer profiles, both B channels can be used.
Configuration of a Backup Dialer Profile
This topic describes configuring a backup connection to engage when the primary line fails,
using dialer profiles. Also described is configuring a backup connection to engage when the
primary line reaches a specified load threshold, using dialer profiles.
Configuring a Backup Dialer Profile
A dialer interface is the logical intermediary between the primary interface and the physical
interfaces in its dialer pool. Because the primary interface places the dialer interface, not the
physical interface, in standby, a physical interface that belongs to that dialer pool can serve as
the backup and still be used by other dialer profiles.
Perform these steps to configure a dialer interface and a specific physical interface to function
as a backup to other physical interfaces:
Step 1
Create and configure a dialer interface as described in Module 7, “Using DDR
Enhancements.”
This table reviews how to configure a dialer interface.
Review of Commands for Configuring a Dialer Interface
Command
Description
interface dialer number
Creates a dialer interface
ip unnumbered loopback0
Borrows the IP address of loopback0 for the dialer interface
encapsulation ppp
Specifies PPP encapsulation
dialer remote-name name
Specifies the CHAP authentication name of the remote router
dialer string string
Specifies the remote destination to call
dialer pool number
Specifies the dialer pool to use for calls to this destination
dialer-group number
Assigns the dialer interface to a dialer group
Step 2
Configure the physical BRI interface for ISDN using PPP encapsulation.
Step 3
Use the dialer pool-member number command to place the physical BRI interface
into the same dialer pool as the backup dialer interface.
dialer pool-member number Command
Command
Description
number
Makes the interface a member of the dialer pool. This value must
match the appropriate dialer pool number.
Now configure the primary interface to use the dialer interface as backup.
Step 4
Enter interface configuration mode for the primary interface.
Step 5
Specify the backup interface dialer to be used with the backup interface dialer
number command.
backup interface dialer number Command
Command
Description
number
Specifies the interface or dialer interface to use for backup.
Interface number specifications vary from router to router. For
example, some routers require you to only specify the port
number, while others require you to specify the slot and port.
Step 6
Specify the delay or the load percent after which the backup engages with the
backup {delay enable-delay disable-delay | load enable-threshold disable-threshold} command.
Dialer Profile Backup Example
This topic describes a backup connection that engages when the primary line fails. This is done
using dialer profiles and configuring a backup connection.
Dialer Profile Backup Example
The figure shows the configuration of a site that backs up a leased line using a BRI interface.
One dialer interface, dialer 0, is defined. The leased line, serial 3/1, is configured to use the
dialer interface, dialer 0, as a backup. The dialer interface uses dialer pool 1, which has
physical interface bri 0/0 as a member. Thus, physical interface bri 0/0 can back up the serial
interface.
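The six steps above and the Dialer Profile Backup Example written out as one complete branch-router configuration, extended with the second profile described under Dial Backup with Dialer Profile so that the same BRI serves both the backup and the SOHO link. This is an added example, not the course figure; all hostnames, addresses, ISDN numbers and secrets are assumptions.

```cisco
! Added example (not the course figure). Assumptions: Branch/Central/SOHO names,
! Loopback0 10.1.9.1, SOHO LAN 10.1.6.0/24, numbers 5551234 (Central) and
! 5555678 (SOHO), switch type basic-ni, CHAP secrets in the username lines.
hostname Branch
!
username Central password backupsecret
username SOHO password sohosecret
!
isdn switch-type basic-ni
!
interface Loopback0
 ip address 10.1.9.1 255.255.255.255
!
! Steps 2 and 3: the physical BRI runs PPP and joins both pools. It is never
! placed in standby itself, so it stays available to the SOHO profile.
interface BRI0/0
 no ip address
 encapsulation ppp
 ppp authentication chap
 dialer pool-member 1
 dialer pool-member 2
!
! Step 1: backup profile. This logical interface is what goes to standby with
! Serial3/1; because it is a dialer profile, both B channels can be used.
interface Dialer0
 ip unnumbered Loopback0
 encapsulation ppp
 ppp authentication chap
 dialer remote-name Central
 dialer string 5551234
 dialer pool 1
 dialer idle-timeout 120
 dialer-group 1
!
! Second profile: ordinary DDR to the SOHO over the same BRI, independent of
! the backup state of Dialer0.
interface Dialer1
 ip unnumbered Loopback0
 encapsulation ppp
 ppp authentication chap
 dialer remote-name SOHO
 dialer string 5555678
 dialer pool 2
 dialer idle-timeout 120
 dialer-group 1
!
! Steps 4 to 6: the primary backs up to the logical Dialer0, not to BRI0/0.
interface Serial3/1
 ip address 10.1.4.2 255.255.255.0
 bandwidth 64
 backup interface Dialer0
 backup delay 20 40
!
! Static route to the SOHO LAN (assumed) so that traffic for it triggers Dialer1.
ip route 10.1.6.0 255.255.255.0 Dialer1
dialer-list 1 protocol ip permit
```

While Serial3/1 is up, `show interfaces Dialer0` reports standby mode but `show interfaces BRI0/0` does not, which is the difference from backing up to the physical interface directly.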
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• Dial backup provides protection against WAN
downtime.
• DDR backup is a method of bringing up an
alternate dialup link should the primary WAN
link fail.
• When a backup interface is specified on a
primary line, the backup interface is placed in
standby mode.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Backup interfaces for a primary line can be any of the following, except_____.
A) an ISDN interface
B) an asynchronous interface
C) an Ethernet interface
D) a dialer pool
Q2) A secondary backup interface can be configured to activate when any of the following
circumstances occur, except when_____.
A) the primary line load exceeds a specified threshold
B) the primary line fails
C) the primary line load reaches a specified threshold
D) the router hardware fails
Q3) Which command specifies the interface or dialer interface to use for backup?
A) interface number
B) interface-type number
C) interface-type
D) enable-delay
Q4) Which command is used to adjust the amount of time that the device waits to bring up
the backup interface?
A) interface backup
B) backup interface
C) delay backup
D) backup delay
Q5) In the command backup delay 25 40, how long will it take the backup line to activate
if the primary goes down?
A) 25 seconds
B) 40 seconds
C) between 25 to 40 seconds
D) greater than 40 seconds
Q6) The software monitors the traffic load and computes a moving average for what period
of time?
A) 200 seconds
B) 250 seconds
C) 300 seconds
D) 350 seconds
Q7) In the command backup load 60 5, when the load is exceeded the secondary line is
activated and will not be deactivated until the combined load is _____.
A) equal to 5 percent of the primary bandwidth
B) less than 5 percent of the primary bandwidth
C) greater than 60 percent of the primary bandwidth
D) equal to 60 percent of the primary bandwidth
Q8) If a physical link is used as a backup to a primary connection, what mode is it in?
A) standby mode, and can be used as a link to another site
B) active mode, and cannot be used as a link to another site
C) active mode, and can be used as a link to another site
D) standby mode, and cannot be used as a link to another site
Q9) Using dialer profiles, a BRI connection can be used for both a backup for a Frame
Relay connection and DDR between the branch office and SOHO, provided_____.
A) the physical BRI interface is a member of both dialer pools and the profile is in
active mode
B) the physical BRI interface is a member of both dialer pools and the profile is in
standby mode
C) the physical BRI interface is a member of one of the pools and the profile is in
standby mode
Q10) Which of the following commands is required to set up a dialer profile?
A) dialer rotary-group 1
B) dialer map ip 131.108.2.5 name cisco 5552121
C) dialer string 5551234
D) PPP multilink
Q11) In which situation would it be advantageous to use dialer profiles over legacy DDR
configurations?
A) One physical interface needs to call multiple sites with the same
communication parameters.
B) All asynchronous interfaces need to share the same configuration parameters.
C) All of the asynchronous interfaces are members of the same hunt group.
D) Physical interfaces need to have different characteristics based on incoming or
outgoing calls.
Quiz Answer Key
Q1) C (Relates to: Dial Backup Overview)
Q2) D (Relates to: Dial Backup for High Primary Line Usage)
Q3) B (Relates to: Activation of Backup Interfaces for Primary Line Failures)
Q4) D (Relates to: Activation of Dial Backup)
Q5) A (Relates to: Dial Backup Activation Example)
Q6) C (Relates to: Configuration of Dial Backup for Excessive Traffic Load)
Q7) B (Relates to: Configuration Example of Dial Backup for Excessive Traffic Load)
Q8) D (Relates to: Backup Limitations with Physical Interfaces)
Q9) B (Relates to: Dial Backup with Dialer Profile)
Q10) C (Relates to: Configuration of a Backup Dialer Profile)
Q11) D (Relates to: Dialer Profile Backup Example)
Routing with the Load Backup
Feature
Overview
This lesson discusses how load sharing and load balancing work with different routing
protocols when the load backup feature is enabled.
Relevance
To effectively manage an enterprise network, you must understand how to maintain
communication in the event of a primary line failure or add additional bandwidth during times
of primary line congestion.
Objectives
Upon completing this lesson, you will be able to:
Identify bandwidth utilization issues affecting OSPF routing during load sharing when the
primary line reaches a specified load threshold
Identify bandwidth utilization issues affecting EIGRP and static routing during load sharing
when the primary line reaches a specified load threshold
Identify the commands to verify dial backup configuration
Configure a floating static route as a backup connection that activates upon primary line
failures
Describe how to use dialer watch as a backup connection that activates upon primary line
failures
Configure dialer watch as a backup connection that activates upon primary line failures
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Load Sharing with OSPF and EIGRP
Verification of Dial Backup Configuration
Configuration of Floating Static Routes as Backup
Dialer Watch as Backup
Configuration of Dialer Watch
Summary
Quiz
Load Sharing with OSPF and EIGRP
This topic describes the bandwidth utilization issues affecting Open Shortest Path First (OSPF)
and Enhanced Interior Gateway Routing Protocol (EIGRP) routing during load sharing when
the primary line reaches a specified load threshold.
Load Sharing with OSPF
• Load sharing will occur if the costs are equal.
If the OSPF routing protocol is used, the load backup feature load-shares between the primary
and backup links after the backup link is activated, but only if the OSPF cost of the primary
link and the cost of the backup link are equal. If one link has a lower cost than the other, all
routing occurs over the lower-cost link, even though both lines are up. OSPF does not support
unequal-cost load balancing between the primary link and the backup connection. For load
balancing to occur in this environment, the backup connection must offer comparable
bandwidth (for example, a 64-kbps ISDN B channel backing up a 64-kbps serial connection),
or the two interface costs must be set equal explicitly with the ip ospf cost command.
Load Sharing with EIGRP
If EIGRP is used, the load backup feature will load-share between the primary and backup links
after the backup link is activated. However, the metric assigned to the primary link and the
backup link must be equal if both links are to be used. If one link has a lower metric than the
other, all routing will occur over the link with the lower metric even though both lines are up. If
load balancing is to occur in this environment, each connection must be able to support
comparable bandwidth environments. (For example, a 64-kbps ISDN link backs up a 64-kbps
serial connection.)
Instead of relying on equal metrics to load-share and load-balance, the variance configuration
command can also be used to control load balancing in an EIGRP environment. Use the
variance multiplier command to configure unequal-cost load balancing by defining the
difference between the best metric and the worst acceptable metric. An oversimplified
explanation is that a router can use paths with worse routing metrics up to a value less than the
current best route metric times the variance.
variance multiplier Command
Command
Description
multiplier
The range of metric values that will be accepted for load balancing.
Acceptable values are nonzero, positive integers. The default value
is 1, which means equal-cost load balancing. In the example, the
multiplier is set to 2.
Setting this value lets the router determine the feasibility of a potential route.
If the following two conditions are met, the route is deemed feasible and can be added to the
routing table for load sharing:
Local best metric (current FD) > best metric (AD) learned from the next router. This
condition exists if the next router in the path is closer to the destination than the current
router. This approach prevents routing loops.
The variance number multiplied by the local best metric (current FD) > metric (FD)
through the next router. This condition is true if the metric of the alternate path is within
the variance.
In the figure, the variance 2 command specifies to use both paths even if the metric of the
backup path is two times worse than the primary path.
You can use the traffic-share {balanced | min} command to control how traffic is distributed
among EIGRP load-sharing routes. By default up to four routes are installed for load sharing;
the maximum-paths command raises this to six. The traffic-share balanced command
distributes traffic inversely proportional to the route metrics: with variance 2 and a backup
path whose metric is twice that of the primary, the best route carries two times the traffic of
the worst route. The traffic-share min command installs all feasible routes but sends traffic
only over those with the least cost.
Note
Advertised distance (AD) is the metric that a neighbor uses to reach a given destination
network. The AD is advertised as part of the EIGRP update for a given network. A router
receiving the update adds its cost to reach that neighbor to the AD. The sum of these values
provides the feasible distance (FD) to reach that destination network through that neighbor
router.
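The OSPF and EIGRP points above on one primary and backup pair, as an added example that is not the course figure. Only one of the two router sections would be used on a real router. Interface names, addresses, the OSPF cost, process ID and EIGRP autonomous system number are assumptions.

```cisco
! Added example. Assumed: Serial3/1 64-kbps leased line to Central, Dialer0
! over BRI0/0 (one 64-kbps B channel) as the load backup, OSPF process 1 or
! EIGRP AS 100. Use only one of the two router sections.
interface Serial3/1
 ip address 10.1.4.2 255.255.255.0
 bandwidth 64
 ! OSPF shares load only across equal costs; pin the primary to an explicit cost.
 ip ospf cost 1562
 backup interface Dialer0
 backup load 60 5
!
interface Dialer0
 ip address 10.1.5.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ! Same bandwidth and the same OSPF cost as the primary, so both routes are
 ! installed once the backup is up. With a higher cost here, all traffic would
 ! stay on Serial3/1 even with both links up.
 bandwidth 64
 ip ospf cost 1562
 dialer remote-name Central
 dialer string 5551234
 dialer pool 1
 dialer-group 1
!
interface BRI0/0
 no ip address
 encapsulation ppp
 ppp authentication chap
 dialer pool-member 1
!
dialer-list 1 protocol ip permit
!
! Variant 1: OSPF. Equal costs give two equal-cost paths to the central networks.
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
!
! Variant 2: EIGRP. variance 2 installs the backup path as long as
!   (a) the neighbor's advertised distance is below the current FD, and
!   (b) the FD through that neighbor is below 2 x the current FD.
! traffic-share balanced then splits traffic inversely to the metrics, so a
! backup path with twice the metric carries half the primary's traffic.
router eigrp 100
 network 10.0.0.0
 no auto-summary
 variance 2
 traffic-share balanced
 maximum-paths 4
```

After the backup comes up, `show ip route` lists both next hops for the central networks under either protocol; under EIGRP the traffic-share counts printed with `show ip route` for a central prefix show the 2:1 split.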
Verification of Dial Backup Configuration
This topic describes the commands that are used to verify dial backup configuration.
Verifying the Dial Backup Configuration
To verify a backup line link for a primary line connection, enter the show interface type
number command.
The primary interface output in the figure illustrates that dialer 1 is specified as a backup if the
serial subinterface 3/1.1 fails. If the line protocol on the subinterface goes down because of the
Local Management Interface (LMI) state changing from ACTIVE to INACTIVE or
DELETED, the backup will be enabled 20 seconds later. The backup will deactivate 40 seconds
after the serial subinterface reactivates.
The backup interface output shows the backup link in standby mode until the primary line
subinterface line protocol goes down.
Configuration of Floating Static Routes as
Backup
This topic describes configuring a floating static route as a backup connection that activates
upon primary line failures.
Floating Static Routes as Backup
Floating static routes are static routes that have an administrative distance greater than the
administrative distance of dynamic routes. The administrative distance can be configured on a
static route so that the static route is less desirable than a dynamic route, and the static route is
not used when the dynamic route is available. However, if the dynamic route is lost, the static
route can take over and traffic can be sent through this alternate route. If the alternate route is
provided by a DDR interface, the DDR can then be used as a backup mechanism.
Note
The administrative distance values of some common interior gateway protocols are: internal
EIGRP 90, IGRP 100, OSPF 110, Routing Information Protocol (RIP) 120, and external
EIGRP 170.
In the previous example, the dynamic primary route to the central site Ethernet network,
10.1.2.0, is over the Frame Relay network, 10.1.4.0. A floating static route over the ISDN
network, 10.1.5.0, is configured with the administrative distance of 130. However, the route
over the ISDN network will only be used to get to network 10.1.2.0 if the Frame Relay network
is down because the administrative distance is set higher on the ISDN connection.
Floating static routes do not depend on line protocol status; they depend on the dynamic route
being withdrawn from the routing table. This matters on a Frame Relay multipoint interface,
whose line protocol may stay up when the PVC becomes inactive, which defeats the purpose of
the backup interface command. The floating static route takes over only once the routing
protocol actually removes the primary route (for example, after the neighbor hold time over
the dead PVC expires). As long as the dynamic route remains in the routing table, the floating
static route with the higher administrative distance is not installed on that router.
To configure a floating static route, establish a static route for a designated network by
specifying a higher administrative distance than that of the dynamic routing protocol. Use the
ip route command to configure a floating static route. The ip route command arguments are
listed in the table.
ip route Command Arguments
Command
Description
network-number
IP address of the target network or subnet
network-mask
Network mask that lets you mask network and subnetwork bits
ip-address
IP address of the next hop that can be used to reach that network,
in standard IP address notation (for example, 1.1.1.1)
interface
Network interface to use
distance
(Optional) An administrative distance, which is a rating of the
trustworthiness of a routing information source, such as an
individual router or a group of routers
Dialer Watch as Backup
This topic describes how to use dialer watch as a backup connection that activates upon
primary line failures.
Using Dialer Watch as Backup
As an alternative to floating static routes, you can use the dialer watch commands. Dialer
watch is a backup feature that integrates dial backup with routing capabilities. Dialer watch
provides reliable connectivity without relying solely on defining interesting traffic to trigger
outgoing calls to the central site router. Hence, dialer watch can be thought of as regular
DDR in which the trigger is a lost route rather than interesting traffic. By configuring a set of
watched routes that define the primary interface, you are able to monitor and track the status of
the primary interface as watched routes are added and deleted.
The figure shows the configuration of the branch site using dialer watch to monitor the network
10.1.2.0/24 coming from the central site. This network and mask must be an exact match or
dialer watch will fail.
With dialer watch, the router monitors the existence of a specified route and, if that route is not
present, it initiates dialing of the backup link. Unlike the other backup methods (such as backup
interface or floating static routes), dialer watch does not require interesting traffic to trigger the
dial. Instead, it triggers a dial backup call when a watched route is deleted from the routing
table.
When a monitored network is deleted from the routing table of a dialer watch router, the router
checks for another valid route for the lost network. If an alternate valid route using a
nonbackup interface exists for a deleted watched network, the primary link is considered active
and the backup link is not initiated. However, if there is no valid route, the primary line is
considered down and unusable, and the router then initiates a dial backup call. Upon activation
of the secondary link, the router forwards all traffic destined for the remote network over the
backup link.
After the dial backup link is initialized, the router checks to see if the primary link has been
re-established after each idle timeout period. If the router finds that the primary link remains
down, the idle timer resets and the backup link remains active. As soon as the primary link is
re-established, the router updates its routing table and routes traffic over the primary link.
Because traffic is no longer routed over the dialup connection, the backup link deactivates as
the idle timeout expires.
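The two decisions described above, route selection by administrative distance for a floating static route and the dialer watch check that dials only when no non-backup route to the watched network remains, as an added Python model (not Cisco IOS code or part of the original course); all addresses, interface names and distances are constructed:

```python
"""Added model of the two backup decisions described above: a floating static
route that wins only after the dynamic route is flushed, and the dialer watch
check that dials only when no non-backup route to a watched network remains.
Illustrative Python, not Cisco IOS code; all addresses and interface names are
constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str        # network/mask exactly as written, e.g. "10.1.2.0/24"
    next_hop: str
    interface: str
    distance: int      # administrative distance of the routing information source
    source: str        # "eigrp", "static", ...


class RoutingTable:
    """Keeps every candidate route and installs the lowest-distance one per prefix."""

    def __init__(self) -> None:
        self._candidates: Dict[str, List[Route]] = {}

    def add(self, route: Route) -> None:
        self._candidates.setdefault(route.prefix, []).append(route)

    def delete(self, route: Route) -> None:
        # A dynamic route only reaches this point when its protocol withdraws it.
        # A failed Frame Relay PVC that leaves line protocol up never triggers that,
        # so the floating static route below would never be installed in that case.
        routes = self._candidates.get(route.prefix, [])
        if route in routes:
            routes.remove(route)

    def best(self, prefix: str) -> Optional[Route]:
        routes = self._candidates.get(prefix)
        if not routes:
            return None
        return min(routes, key=lambda r: r.distance)


class DialerWatch:
    """Decision logic behind dialer watch-list / dialer watch-group (simplified)."""

    def __init__(self, table: RoutingTable, watched: List[str], backup_interface: str) -> None:
        self.table = table
        self.watched = set(watched)          # network and mask must match exactly
        self.backup_interface = backup_interface
        self.backup_up = False

    def route_deleted(self, route: Route) -> str:
        """Called when a route leaves the routing table; returns the decision taken."""
        self.table.delete(route)
        if route.prefix not in self.watched:
            return "not watched"
        alternate = self.table.best(route.prefix)
        if alternate is not None and alternate.interface != self.backup_interface:
            return "primary active"          # a valid non-backup route still exists
        self.backup_up = True
        return "dial backup"                 # no valid route: primary considered down

    def idle_timeout(self) -> str:
        """Re-check the primary each time the idle timer expires on the backup link."""
        if not self.backup_up:
            return "backup idle"
        for prefix in self.watched:
            best = self.table.best(prefix)
            if best is None or best.interface == self.backup_interface:
                return "backup stays up"     # primary still down: timer resets
        self.backup_up = False
        return "backup released"             # primary back: traffic leaves the dialup link


def branch_scenario() -> List[str]:
    """Primary failure and recovery for the branch router; returns the observed steps."""
    table = RoutingTable()
    # Constructed routes: EIGRP over Frame Relay (AD 90) and a floating static over ISDN (AD 200).
    primary = Route("10.1.2.0/24", "10.1.1.1", "Serial0", 90, "eigrp")
    floating = Route("10.1.2.0/24", "10.1.3.1", "BRI0", 200, "static")
    table.add(primary)
    table.add(floating)
    watch = DialerWatch(table, ["10.1.2.0/24"], "BRI0")
    steps = [f"installed via {table.best('10.1.2.0/24').interface}"]     # Serial0: lower distance
    steps.append(watch.route_deleted(primary))                            # EIGRP withdraws the route
    steps.append(f"installed via {table.best('10.1.2.0/24').interface}")  # floating static now wins
    steps.append(watch.idle_timeout())                                    # primary still absent
    table.add(primary)                                                    # Frame Relay recovers
    steps.append(watch.idle_timeout())                                    # back to the primary
    return steps
```

A deletion of a prefix that is not an exact match of the watched network (for example 10.1.0.0/16) is ignored, which is the exact-match requirement the text warns about.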
Note: Dialer watch is supported with IGRP, EIGRP, and OSPF routing protocols only.
Configuration of Dialer Watch
This topic describes how to configure dialer watch as a backup connection that activates upon
primary line failures.
Dialer Watch Example
Use the three steps below to configure a dialer watch function. The command parameters are
described respectively in the tables below.
Step 1
Define the IP addresses or networks to be watched using the dialer watch-list
group-number ip ip-address address-mask command in global configuration mode.

dialer watch-list group-number ip ip-address address-mask Command

Argument                  Description
group-number              Dialer list number
ip-address address-mask   The IP address and mask of the network being watched

Step 2
Enable dialer watch on the backup interface. Use the dialer watch-group command
in interface configuration mode.

dialer watch-group group-number Command

Argument                  Description
group-number              Dialer watch group number; references the dialer list number

Step 3
To set a delay timer on the backup interface to ensure stability for flapping
interfaces, use the optional dialer watch-disable seconds command.

dialer watch-disable seconds Command

Argument                  Description
seconds                   Number of seconds to set for the delay timer
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• To effectively manage an enterprise network, you
must use the load backup feature to maintain
communication in the event of a primary line
failure, or add additional bandwidth during times of
primary line congestion.
Next Steps
For the associated lab exercise, refer to the following section of the course Lab Guide:
Lab Exercise 9-1: Enabling a Backup to a Primary Connection
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) How many links will OSPF load-balance across if the costs are different?
    A) 0
    B) 1
    C) 2
    D) 3
Q2) Under what conditions will unequal-cost load balancing occur?
    A) The metric assigned to the primary link must be greater than the backup link.
    B) The metric assigned to the primary link and the backup link must be equal if both links are to be used.
    C) The metric assigned to the primary link must be less than the backup link.
    D) There can be no metric assigned to the backup link.
Q3) What command must be entered to verify a backup line link for a primary line connection?
    A) show running-config
    B) show version
    C) show startup-config
    D) show interface
Q4) Under what conditions is the static route NOT used when the dynamic route is available?
    A) when the static route has an administrative distance greater than the administrative distance of dynamic routes
    B) when the static route has an administrative distance less than the administrative distance of dynamic routes
    C) when the static route has an administrative distance equal to the administrative distance of dynamic routes
    D) when the static route is administratively enabled
Q5) With dialer watch, what causes the router to initiate dialing of the backup link?
    A) The monitored route is not present.
    B) The monitored route is in active state.
    C) The monitored route has a higher variance.
    D) There cannot be a mask on the network address.
Q6) What is the function of the dialer watch-list command?
    A) verifies IP addresses
    B) defines the networks to be watched
    C) sets up a list of dialer strings
    D) all of the above
Quiz Answer Key
Q1) A (Relates to: Load Sharing with OSPF and EIGRP)
Q2) B (Relates to: Load Sharing with OSPF and EIGRP)
Q3) D (Relates to: Verification of Dial Backup Configuration)
Q4) A (Relates to: Configuration of Floating Static Routes as Backup)
Q5) A (Relates to: Dialer Watch as Backup)
Q6) B (Relates to: Configuration of Dialer Watch)
Module 10
Using QoS in Wide-Area
Networks
Overview
This module explains why you may need to implement queuing technologies on your WAN
connection. It also describes how to implement the queuing technologies available with Cisco
IOS software so you can prioritize traffic over your WAN connection. This module also
explains how you can use compression to optimize WAN utilization.
Objectives
Upon completing this module, you will be able to:
Discuss QoS categories of service models
Discuss the queuing options available using Cisco IOS software
Describe where weighted fair queuing can be used and what problems it will solve
Use Cisco IOS commands to configure weighted fair queuing
Describe where class-based weighted fair queuing can be used and what problems it can
solve
Use Cisco IOS commands to configure class-based weighted fair queuing
Describe where low latency queuing can be used and what problems it can solve
Use Cisco IOS commands to configure low latency queuing
Use show commands to identify queuing anomalies in an operational router
Verify proper queuing configuration
Implement compression in the network to optimize throughput
Outline
The module contains these lessons:
Identifying Quality of Service Models and Tools
Configuring Congestion Management
Verifying Congestion Management
Implementing Link Efficiency
Identifying Quality of Service
Models and Tools
Overview
The connection between your network and the service provider network is commonly made
with a serial point-to-point connection. This lesson describes the features and components of
queuing to assist with traffic management during times of congestion.
Relevance
Before you configure queuing, it is helpful to know the general principles in the context of a
WAN.
Objectives
Upon completing this lesson, you will be able to:
Define and describe the considerations for quality of service
Discuss QoS service models and mechanisms
Identify situations where traffic prioritization would be beneficial
Determine which queuing method best suits a situation
Specify the queuing options available using Cisco IOS software
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
Quality of Service Defined
Converged Networks: Quality Issues
QoS Considerations
QoS Application Requirements
QoS Models
QoS Mechanisms
QoS Mechanisms and Remote Access
Congestion Avoidance: Random Early Detection
Congestion Avoidance: Weighted Random Early Detection
Effective Use of Traffic Prioritization
Queuing Overview
Establishing a Queuing Policy
Cisco IOS Queuing Options
Link Efficiency Usage
Summary
Quiz
Quality of Service Defined
This topic describes the features of quality of service (QoS).
Quality of Service Defined
QoS is "the ability of the network to provide better or 'special' service to selected users and/or
applications to the detriment of other users and/or applications."
Cisco IOS QoS features enable network administrators to control and predictably service a
variety of networked applications and traffic types, thus allowing network managers to take
advantage of a new generation of media-rich and mission-critical applications.
The goal of QoS is to provide better and more predictable network service by doing the
following:
Providing dedicated bandwidth
Controlling jitter and latency
Optimizing loss characteristics
QoS achieves these goals by providing tools for managing network congestion, shaping
network traffic, using expensive wide-area links more efficiently, and setting traffic policies
across the network.
QoS offers intelligent network services that, when correctly applied, help to provide consistent,
predictable performance.
Converged Networks: Quality Issues
This topic describes the types of problems that can occur when you are merging different traffic
streams.
Converged Networks: Quality Issues
• Phone call: "I can't understand; your voice is breaking up."
• Teleconferencing: "The picture is very jerky. Voice is not synchronized."
• Brokerage house: "I needed data two hours ago. Where is it?"
• Call center: "Please hold while my screen refreshes."
A converged network is one in which voice, video, and data traffic use the same network
facilities. Merging different traffic streams with dramatically differing requirements can lead to
a number of problems.
While packets carrying voice traffic are typically very small, they cannot tolerate delay and
delay variation as they traverse the network or voice quality will suffer. Voices will break up
and words will become incomprehensible.
On the other hand, packets carrying file transfer data are typically large and can survive delays
and drops. It is possible to retransmit part of a dropped file, but it is not feasible to retransmit a
part of a conversation.
The constant but small-packet voice flow competes with bursty data flows. Unless some
mechanism mediates the overall flow, voice quality will severely degrade at times of network
congestion. The critical voice traffic must get priority.
Voice and video traffic are very time-sensitive. They cannot be delayed and they cannot be
dropped or the resulting quality of voice and video will suffer.
Finally, a converged network cannot fail. While a file transfer or email packets can wait until
the network recovers, voice and video packets cannot. Even a brief network outage on a
converged network can seriously disrupt business operations.
Converged Networks:
Quality Issues (Cont.)
• Packet loss: Some packets may have to be
dropped when a link is congested
• Delay:
– End-to-end: Overall delay as packets traverse
several devices and links
– Jitter: Adjusting to variable delays from other
traffic; causes additional delay
• Lack of bandwidth: Multiple flows compete for
limited bandwidth
The three big problems facing converged enterprise networks are packet loss, delays (fixed
delay, variable delay, and variation of delay), and lack of sufficient bandwidth capacity.
Packet loss: This usually occurs when a WAN data link is congested. Packet loss can
also happen when routers run out of buffer space for a particular interface (output queue) or
if the router input queue is full because the main CPU is congested and cannot process
packets. Hardware-detected errors in a frame (bad CRC, runt packet, or giant packet) can
also cause packet loss.
Delay: This is the time it takes for a packet to reach the receiving endpoint after being
transmitted from the sending endpoint, the "end-to-end delay." It consists of two
components: fixed network delay and variable network delay. Jitter is the delta, or
difference, in the total end-to-end delay values of two voice packets in the voice flow.
Two types of fixed delay are serialization and propagation delays. Serialization is the
process of placing bits on the circuit. The higher the circuit speed, the less time it takes to
place the bits on the circuit. Therefore, the higher the speed of the link, the less serialization
delay. Propagation delay is the time it takes for frames to transit the physical media.
Processing delay is a type of variable delay, and is the time required by a networking
device to look up the route, change the header, and complete other switching tasks. In some
cases, the packet also must be manipulated. For example, the encapsulation type or the hop
count must be changed. Each of these steps can contribute to the processing delay.
Lack of bandwidth: This is insufficient physical capacity of the facility. Until recently,
bandwidth was plentiful. But as more applications like IP telephony, videoconferencing,
e-learning, and mission-critical data applications are being implemented, lack of bandwidth
(among other quality issues) must be addressed. Large graphic files or multimedia with
voice and video cause bandwidth capacity problems over data networks.
Calculation of bandwidth is complicated by the multiple flows involved and the total hops
end-to-end. Even with an empty network, the maximum bandwidth available equals the
bandwidth of the slowest link.
QoS Considerations
This topic describes the issues that can affect QoS.
QoS Considerations
Elements of QoS:
• Packet loss: Packet drops when congestion occurs
• Delay: 200ms, 150ms ideal
– Fixed: Codec, serialization, processing, WAN propagation
– Variable (Jitter): Queuing, SP WAN, dejitter buffer, traffic shaping
• Bandwidth: Contention induces delay (traffic shaping, queuing)
There are several areas to be considered when evaluating your QoS.
Campus: On campus there is typically a large bandwidth available, thus minimizing QoS
issues on campus.
WAN edge: Often results in slow access links. If less than 2M, QoS techniques are a must
to attain acceptable voice quality.
WAN considerations: This area is often forgotten or misunderstood. Speed mismatches;
oversubscription; and lack of control over a SP network can have impacts on QoS.
QoS Application Requirements
This topic identifies the varying requirements different applications may have.
Not All Traffic Is Created Equal
Each of the various traffic types on modern networks may require a different type of service for
the amount of bandwidth required. Different traffic types also vary on how sensitive they are to
other transmission quality issues. To be successful, all traffic cannot receive the same service.
Mission-critical data traffic requires different handling than other, noncritical data traffic.
First-come, first-served treatment of network traffic may not necessarily handle mission-critical
traffic well.
Voice and video traffic are very time-sensitive. This traffic should not be delayed or dropped,
or the resulting voice or video fidelity will suffer.
The figure shows how traffic types have the following characteristics:
Different bandwidth requirements
Sensitivity to packet drops (and the recovery of any lost packets)
Sensitivity to end-to-end delay for receiving the packets
Sensitivity to jitter (variation of that delay)
QoS Models
This topic identifies the three QoS models.
Three Models for Quality of Service
• Best Effort (BE): No QoS is applied to packets
• Integrated Services (IntServ): Applications signal
that they need QoS to the network
• Differentiated Services (DiffServ): The network
recognizes classes that require special QoS
There are three models used to design and implement QoS for a network: Best Effort,
Integrated Services, and the Differentiated Services model.
Best Effort model: This model has no applied QoS tools. This model is appropriate if there
is enough bandwidth and there is no concern as to when packets arrive or to whom.
This model is easily scalable and requires no special mechanisms. But this model does not
allow you to differentiate services, as there are no service guarantees.
Integrated Services (IntServ) model: This model (also known as “Hard QoS”) allows
applications to signal the network in advance to request special QoS such as delay or
bandwidth. Once the network agrees with the conditions, the traffic cannot be impacted.
Resource Reservation Protocol (RSVP) is commonly used to provide admission control for
resources. This protocol includes explicit resource admission control (end to end) per
application. This protocol lacks scalability due to the continuous signaling of the stateful
architecture and resources used for thousands of per-flow guarantees.
Differentiated Services (DiffServ) model: This model (also known as “Soft QoS”)
addresses the limitations of both the Best Effort model and the IntServ model. This model
provides a cost effective, “almost guarantee” on a hop-by-hop basis versus end-to-end of
IntServ. DiffServ provides QoS by marking packets for special treatment based on groups
known as classes. This service is addressed on a hop-by-hop basis versus IntServ’s call
admission to guarantee resource end-to-end before packet flows are initiated.
The DiffServ model is highly scalable with many levels of service. But this model also
includes complex mechanisms with no absolute service guarantee.
QoS Mechanisms
This topic identifies the mechanisms used to achieve QoS.
An Overview of QoS Mechanisms
• Classification: Each class-oriented QoS mechanism has to
support some type of classification
• Marking: Used to mark packets based on classification and/or
metering
• Congestion Avoidance: Used to drop packets early in order to
avoid congestion later in the network
• Congestion Management: Each interface must have a
queuing mechanism to prioritize transmission of packets
• Policing and Shaping: Used to enforce a rate limit based on
the metering (Example: Frame Relay traffic shaping)
• Link Efficiency: Used to improve bandwidth efficiency
through compression (or link fragmentation and interleaving)
From the moment an IP packet enters the network, it may get the required service needed by
the provision of various QoS mechanisms. A packet may be classified and then usually marked
with its class identification. From that point on, the packet may be treated by other IP QoS
mechanisms, depending on its packet classification. The figure above and the text below outline
the main categories of IP QoS mechanisms.
Classification and marking mechanisms identify and split traffic into different classes. Traffic
classes get a mark according to the traffic behavior and the intended business policies.
With congestion avoidance various mechanisms discard specific packets based on the
markings. These mechanisms attempt to prevent or reduce network congestion.
Congestion management mechanisms attempt to prioritize, protect, and isolate traffic based on
the markings.
Policing and shaping mechanisms attempt to condition the traffic; policing drops misbehaving
traffic to maintain network integrity; shaping controls bursts by queuing network traffic.
Link efficiency mechanisms also provide QoS. One type of link efficiency mechanism is packet
header compression to improve the bandwidth efficiency of a link. Another technology is Link
Fragmentation and Interleaving (LFI) that can decrease the “jitter” of voice transmission by
reducing voice packet delay.
QoS Mechanisms and Remote Access
This topic describes the issues that must be considered when you are applying QoS
mechanisms to remote access situations.
Which QoS Mechanisms for
Remote Access?
To provide end-to-end QoS, both the enterprise and service provider must implement the
proper QoS mechanisms to ensure the proper traffic handling across the whole network.
Until recently, IP QoS was not an issue in an enterprise campus network because bandwidth
was plentiful. Recent applications such as IP telephony, videoconferencing, e-learning as well
as traditional mission-critical data applications have changed the requirement. Now network
administrators must address the issues of buffer management and additional bandwidth.
In addition, IP QoS functions such as classification, scheduling, and provisioning are now
required within the enterprise to manage bandwidth and buffers to minimize loss, delay, and
jitter.
This figure lists some of the requirements within the different building blocks that make up the
end-to-end enterprise network.
Most of the more complex QoS configurations of specific interest for remote access occur at
the WAN edges. Some QoS tools used specifically at the WAN edge are the following:
Congestion avoidance using weighted random early detection (WRED)
Congestion management using queuing
Link efficiency using compression.
Congestion Avoidance: Random Early Detection
This topic describes the CBWFQ default of using tail drops as a method to avoid congestion.
Congestion Avoidance:
Random Early Detection (RED)
A router must handle how it queues network traffic to control packet access to the limited
network bandwidth. Traffic variations such as packet bursts or flows demanding high
bandwidth can cause congestion when packets arrive at an output port faster than they can be
transmitted.
The router tries to handle short-term congestion by packet buffering. This absorbs periodic
bursts of excessive packets so they can be transmitted later. Although packet buffering has a
cost of delay and jitter, packets are not dropped.
For network traffic causing longer-term congestion, a router using queuing methods faces a
need to drop some packets. A traditional strategy is tail drop. With tail drop, a router simply
discards a packet when that packet arrives at the tail end of a queue that has completely used up
its packet-holding resources. Tail drop is the default queuing response to congestion. Tail drop
treats all traffic equally and does not differentiate between classes of service (CoS).
Using tail drop, the router drops all traffic that exceeds the queue limit. Many TCP sessions
then simultaneously go into slow start (TCP window size reduced). Consequently, traffic
temporarily slows down to the extreme. All flows then begin to increase the window size as the
congestion is reduced.
This activity creates a condition called global synchronization. Global synchronization occurs
when multiple TCP hosts reduce their transmission rates in response to packet dropping, and
then increase their transmission rates again when the congestion is reduced. The important
point is that the fluctuations of transmission known as global synchronization will result in
significant underuse of a link.
Congestion Avoidance: Weighted Random Early
Detection
This topic describes WRED as an alternative to tail drops for congestion handling.
Congestion Avoidance:
Using WRED to Avoid Tail Drops
For most traffic, weighted RED (WRED) is the preferred congestion avoidance mechanism*
* For voice traffic, use low latency queuing (LLQ)
The use of tail drops is a passive queue management mechanism. Active queue management
mechanisms drop packets before congestion occurs. Larger-scale networks employ algorithms,
such as RED, so they can proactively discard packets to prevent (or delay) tail drops.
RED directs one TCP session at a time to slow down, allowing for fuller use of the bandwidth,
and it can thereby prevent the traffic crests and troughs from global TCP synchronization.
WRED extends RED functions by permitting more granular RED drop profiles for different
types of traffic. WRED combines RED with IP precedence values or with differentiated
services code point (DSCP) values. Before tail drops are required, the router can drop packets
based on these IP precedence or DSCP markings.
The figure shows how WRED is implemented, and what parameters influence WRED drop
decisions. The WRED algorithm is constantly updated with the calculated average queue size,
which is based on the recent history of queue sizes.
The configured WRED profiles define the drop thresholds. When a packet arrives at the output
queue, the IP precedence or DSCP value is used to select the correct WRED profile for the
packet, and the packet is passed to WRED to perform either a drop or enqueue decision.
Based on the profile and the average queue size, WRED calculates the probability for dropping
the current packet and either drops it or passes it to the output queue. If the queue is already
full, the packet is tail-dropped. Otherwise, it is eventually transmitted out on the interface.
WRED monitors the average queue depth in the router and determines when to begin packet
drops based on the queue depth. When the average queue depth crosses the user-specified
minimum threshold, WRED begins to drop packets (both TCP and User Data Protocol [UDP]).
If the average queue depth ever crosses the user-specified maximum threshold, then WRED
reverts to tail drop, where all incoming packets might be dropped. The idea behind using
WRED is to maintain the queue depth at a level somewhere between the minimum and
maximum thresholds, and to implement different drop policies for different classes of traffic.
WRED is only useful when the bulk of the traffic is TCP traffic. With TCP, dropped packets
indicate congestion, so the packet source reduces its transmission rate. With other protocols,
packet sources might not respond or might resend dropped packets at the same rate; therefore
dropping packets does not decrease congestion.
WRED can be used wherever there is a potential bottleneck (a congested link) at an access or
edge link of the network. It is normally used in the core routers of a network rather than at the
edge of the network. Edge routers assign IP precedence to packets as they enter the network.
WRED uses these IP precedences to determine how to treat different types of traffic.
Effective Use of Traffic Prioritization
This topic identifies the effective use of traffic prioritization techniques.
Congestion Management:
Low-speed Prioritization
• Prioritization is most effective on bursty WAN links
(T1/E1 or below) that experience temporary
congestion
The figure shows a converged network in which voice, video, and data file transfers use the
same low-speed T1/E1 facilities. Merging these different traffic streams with their respective
differing requirements can lead to performance problems. Different types of traffic that share a
data path through the network can result in temporary congestion on these data links.
Prioritization may be necessary at the WAN edge congestion points. Prioritization is most
effective on WAN links where the combination of bursty traffic and relatively lower data rates
can cause temporary congestion. Depending on the average packet size, prioritization is most
effective when applied to links at T1/E1 bandwidth speeds or lower.
If there is no congestion on the WAN link, traffic prioritization is not necessary. However, if a
WAN link is constantly congested, traffic prioritization may not resolve the problem. Adding
bandwidth might be the appropriate solution.
Queuing Overview
This topic describes various queuing options that you can implement.
Congestion Management:
Queuing
• Prioritizes traffic through router.
• Cisco IOS software offers:
– Weighted fair queuing
– Class-based weighted fair queuing
– Low latency queuing
A protocol-dependent switching process handles traffic arriving at a router interface. The
switching process includes delivery of traffic to an outgoing interface buffer.
FIFO queuing is the classic algorithm for packet transmission. With FIFO, transmission occurs
in the same order as messages are received. Until recently, FIFO queuing was the default for all
router interfaces. If users require traffic to be ordered differently, they must establish a queuing
policy other than FIFO queuing.
In addition to FIFO, Cisco IOS software offers other alternative queuing options:
Weighted fair queuing (WFQ): Prioritizes interactive traffic over file transfers to ensure
satisfactory response time for common user applications. WFQ can prioritize traffic based
on flows (flow-based WFQ) or user-defined classes (class-based WFQ [CBWFQ]).
Class-based weighted fair queuing (CBWFQ) (Cisco IOS Release 12.2)
Low latency queuing (LLQ) (Cisco IOS Release 12.2)
Establishing a Queuing Policy
This topic describes the considerations for establishing a queuing policy.
Congestion Management: Establishing a Queuing Policy
• Determines which packets get through first
• Helps provide acceptable service levels and control WAN costs
A queuing policy helps network managers meet two challenges: providing an appropriate level
of service for all users and controlling expensive WAN costs.
Typically, the corporate goal is to deploy and maintain a single enterprise network that supports
a variety of applications, organizations, technologies, and user expectations. Consequently,
network managers are concerned with providing all users with an appropriate level of service
while continuing to support mission-critical applications and planning for integration of new
technologies.
Because the major cost of running a network is also related to WAN circuit charges, network
managers balance the capacity and cost of these WAN circuits with an acceptable level of
service for their users.
To meet these challenges, queuing allows network managers to prioritize, reserve, and manage
network resources, and to ensure the seamless integration and migration of disparate
technologies without unnecessary costs.
In the above example, three types of traffic are vying for access to the WAN, because of limited
bandwidth. These three types of traffic are as follows:
RTP (Real-Time Transport Protocol): RTP is used to carry multimedia application
traffic, including packetized audio and video, over an IP network.
SSH (Secure Shell Protocol): SSH is a secure application used for logging into a remote
device, executing commands on a remote device, and moving files from remote device to
remote device.
FTP: FTP is a standard protocol in the TCP/IP suite of protocols used to transfer files from
one device to another.
The network administrator needs to determine the priority of each of these traffic types based
on the network policy. The administrator then needs to apply the appropriate queuing technique
to ensure that each type of traffic is treated according to the policy.
The administrator is likely to prioritize the RTP traffic first, because of the delay-sensitive
nature of voice and video traffic. The SSH traffic is prioritized second, and the FTP traffic third.
The queuing mechanism used to do this is dependent on the relative importance of each type of
traffic, the volume of traffic, and available bandwidth.
Cisco IOS Queuing Options
This topic describes the steps necessary to correctly choose a Cisco IOS queuing option.
Choosing a Cisco IOS Queuing Option
• Delay-sensitive applications may require higher priority than others.
Complete these steps when you are choosing a Cisco IOS queuing option:
Step 1: Determine whether the WAN is congested.
If traffic does not back up, there is no need to prioritize it. The traffic is serviced as
it arrives. However, if the load exceeds the transmission capacity for periods of time,
you may want to prioritize the traffic with one of the Cisco IOS queuing options.
Step 2: Decide whether strict control over traffic prioritization is necessary and whether
automatic configuration is acceptable.
Proper queuing configuration is a nontrivial task. The network manager must study
the traffic types traversing the interface, determine how to classify them, and decide
on their relative priority. The manager must install the filters and test their effect on
the traffic. Traffic patterns change over time, so the analysis must be repeated
periodically.
Step 3: Establish a queuing policy.
A queuing policy results from the analysis of traffic patterns and the determination
of relative traffic priorities discussed in Step 2.
Step 4: Determine whether any of the traffic types identified in your traffic pattern analysis
can tolerate a delay. Typically, voice and video have the lowest tolerance for delay.
The table illustrates the typical queuing options a network administrator would choose from
when determining how to best implement a queuing policy.
Queuing Options
Queuing Type: Description
FIFO: FIFO queuing is simply sending packets out of an interface in the order in which
they arrived.
PQ: Priority queuing (PQ) defines four priorities of traffic—high, normal, medium, and
low—on a given interface. As traffic comes into the router, it is assigned to one of
the four output queues. Packets on the highest-priority queue are transmitted first;
packets on the next highest-priority queue are transmitted second; and so on.
CQ: Custom queuing (CQ) reserves a percentage of bandwidth for specified protocols.
Up to 16 output queues can be configured for normal data and an additional
queue can be created for system messages such as LAN keepalives. Each queue
is serviced sequentially, by transmitting a configurable percentage of traffic and
then moving on to the next queue.
WFQ: WFQ provides traffic management that dynamically prioritizes traffic into
conversations, or flows, based on Layer 3 or 4 information. It then breaks up a
stream of packets within each conversation to ensure that bandwidth is shared
equally between individual conversations.
CBWFQ: CBWFQ defines traffic classes, typically using access control lists (ACLs), and
then applies parameters, such as bandwidth and queue limits, to these classes.
The bandwidth assigned to a class is used to calculate the "weight" of that class.
The weight of each packet that matches the class criteria is also calculated. WFQ
is then applied to the classes, which can include several flows, rather than to the
flows themselves.
LLQ: LLQ provides strict PQ for CBWFQ, reducing jitter in voice conversations. Strict
PQ gives delay-sensitive data, such as voice, preferential treatment over other
traffic. With this feature, delay-sensitive data is sent first, before packets in other
queues are treated. Low latency queuing is also called PQ/CBWFQ because it is a
combination of the two techniques.
Link Efficiency Usage
This topic identifies two link efficiency mechanisms.
Link Efficiency: Usage and Tool Categories
• Use link efficiency:
– For low-speed links (768 kbps or less)
– When mixing large data MTU with smaller real-time packets
• Two categories of tools for link efficiency:
– Fragmentation/interleaving
– Compression (header compression or data compression)
Link-efficiency mechanisms work best on low-speed data links that carry large-MTU data
packets as well as interactive traffic such as Telnet and Voice over IP (VoIP).
Cisco IOS QoS software offers two link efficiency mechanisms that work in conjunction with
queuing and traffic shaping to manage existing bandwidth more efficiently and predictably:
Link Fragmentation and Interleaving (LFI): The network fragments data packets and
interleaves voice packets to improve the link efficiency.
Compressed Real-Time Protocol (CRTP): The network protocol improves link
efficiency as it compresses headers to reduce the overhead of converged traffic.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• Quality of Service is “the ability of the network to
provide better or ‘special’ service to selected users
and/or applications to the detriment of other users
and/or applications.”
• A converged network is one in which voice, video,
and data traffic use the same network facilities.
• The three quality of service models are Best Effort,
IntServ and DiffServ.
• For QoS at the WAN Edge, consider WRED,
congestion management and link efficiency
mechanisms.
Summary (Cont.)
• To provide end-to-end QoS, the enterprise and
service providers must implement the proper QoS
mechanisms.
• Active queuing management mechanisms drop
packets before congestion occurs.
• First-in-first-out (FIFO) queuing is the classic
algorithm for packet transmission.
• The queuing options preferred for remote access
are WFQ, CBWFQ and LLQ.
Quiz
Use the practice items here to review what you learned in this lesson. The correct answers are
found in the Quiz Answer Key.
Q1) Which of the following is true of voice traffic?
A) can tolerate delays
B) is time-sensitive
C) can wait until a network recovers
D) is typically very large
Q2) Video has what kind of bandwidth requirement?
A) average
B) moderate to high
C) moderate to low
D) low
Q3) Which quality of service model allows applications to signal the network in advance to
request special QoS?
A) Best Effort
B) Integrated Services
C) Differentiated Services
Q4) Which QoS mechanism drops packets early in order to prevent congestion later in the
network?
A) classification
B) marking
C) congestion avoidance
D) congestion management
Q5) What is it called when multiple TCP hosts reduce their transmission rates in response
to packet dropping, and then increase their transmission rates again when congestion is
reduced?
A) global synchronization
B) global packeting
C) packet buffering
D) load balancing
Q6) Prioritization may be necessary in which location?
A) campus
B) end-to-end points
C) WAN edge congestion points
Q7) Which queuing option is NOT an alternative to FIFO queuing on Cisco routers?
A) weighted fair queuing
B) class-based weighted fair queuing
C) traffic-rate queuing
D) custom queuing
Q8) Depending on the average packet size, prioritization is most effective when applied to
links at __________.
A) ISDN BRI bandwidth speeds or higher
B) T1/E1 bandwidth speeds or lower
C) 56 kbps bandwidth speeds or lower
D) OC-3 bandwidth speeds or higher
Q9) Which factors must a network manager consider when establishing a queuing policy?
A) providing an appropriate level of service for all users
B) controlling expensive WAN costs
C) A and B
D) none of the above
Q10) Which queuing method would work best on congested WAN links where delay is a
concern?
A) WFQ
B) CQ
C) LLQ
D) CBWFQ
Quiz Answer Key
Q1) B. Relates to: Converged Networks: Quality Issues
Q2) B. Relates to: QoS Application Requirements
Q3) B. Relates to: QoS Models
Q4) C. Relates to: QoS Mechanisms
Q5) A. Relates to: Congestion Avoidance: Random Early Detection
Q6) C. Relates to: Effective Use of Traffic Prioritization
Q7) C. Relates to: Queuing Overview
Q8) B. Relates to: Effective Use of Traffic Prioritization
Q9) C. Relates to: Establishing a Queuing Policy
Q10) C. Relates to: Cisco IOS Queuing Options
Configuring Congestion Management
Overview
This lesson describes class-based weighted fair queuing (CBWFQ) operation as compared to
flow-based weighted fair queuing (WFQ). It also describes the congestion handling technique
of tail drops and how these can cause the problem of global synchronization. The lesson
finishes with the CBWFQ option of using weighted random early detection (WRED) to actively
manage queuing and congestion avoidance.
Relevance
Managing network performance is crucial in the bandwidth-demanding applications of today.
CBWFQ is one popular method of managing bandwidth over a WAN. A basic introduction to
queuing using techniques that minimize or eliminate tail drops can enable a better
understanding of QoS alternatives.
Objectives
Upon completing this lesson, you will be able to:
Describe a situation where WFQ would be appropriate
Configure WFQ using Cisco IOS commands
Describe the operations concept of CBWFQ
List the benefits of CBWFQ over WFQ
Describe the configuration that is required to define traffic classes and to specify
classification policy
Configure policies to be applied to packets belonging to one of the classes previously
defined through a class map
Configure CBWFQ with WRED
Configure a CBWFQ default class
Configure low latency queuing with the use of the priority command for a policy-map
class
Learner Skills and Knowledge
To benefit fully from this lesson, you must have these prerequisite skills and knowledge:
All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO)
course
All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course
Outline
This lesson includes these topics:
Overview
WFQ Operation
Configuring WFQ
WFQ Example
CBWFQ Operation
CBWFQ vs. Flow-Based WFQ
Step 1: Configuring CBWFQ
Step 2a: Configuring CBWFQ with Tail Drop
Step 2b: Configuring CBWFQ with WRED
Step 2c: Configuring CBWFQ Default Class (Optional)
Step 3: Configuring CBWFQ
CBWFQ Example
LLQ Operation
Configuring LLQ
Summary
Quiz
WFQ Operation
This topic describes an overview of weighted fair queuing (WFQ) and its importance during
times of WAN congestion.
When FIFO queuing is in effect, traffic is transmitted in the order received without regard for
bandwidth consumption or the associated delays. File transfers and other high-volume network
applications often generate a series of packets of associated data known as packet trains. Packet
trains are groups of packets that tend to move together through the network. These packet trains
can consume all available bandwidth and other traffic flows can back up behind them.
WFQ Operation (Cont.)
• Messages are sorted into flows
WFQ overcomes an important limitation of FIFO queuing. It is an automated method that
provides fair bandwidth allocation to all network traffic. It provides traffic management that
dynamically prioritizes traffic into conversations, or flows. WFQ then breaks up a stream of
packets within each conversation to ensure that bandwidth is shared fairly between individual
conversations. There are four types of WFQ: flow-based, distributed, class-based, and
distributed class-based.
WFQ is a flow-based algorithm that moves delay-sensitive traffic to the front of a queue to
reduce response time, and shares remaining bandwidth fairly among high-bandwidth flows. By
breaking up packet trains, WFQ assures that low-volume traffic is transferred in a timely
fashion. WFQ gives low-volume traffic, such as Telnet sessions, priority over high-volume
traffic, such as FTP sessions. It gives concurrent file transfers a balanced use of available
bandwidth. WFQ automatically adapts to changing network traffic conditions.
WFQ is enabled by default for physical interfaces whose bandwidth is less than or equal to
2.048 Mbps.
WFQ Operation (Cont.)
• Flows are assigned a channel.
• Sorts the queue by order of the last bit crossing its
channel.
The WFQ algorithm arranges traffic into conversations, or flows. The sorting of traffic into
flows is based on packet header addressing. Common conversation discriminators are as
follows:
Source or destination network address
Source or destination MAC address
Source or destination port or socket numbers
Frame Relay data-link connection identifier (DLCI) value
Quality of service (QoS) or type of service (ToS) value
In the figure, the WFQ algorithm has identified three flows.
WFQ Operation (Cont.)
• Messages are transmitted in a fair order.
• High-volume conversations share the link.
The flow-based WFQ algorithm places packets of the various conversations in the fair queue
before transmission. The order of removal from the fair queue is determined by the virtual
delivery time of the last bit of each arriving packet.
WFQ assigns a weight to each flow, which determines the transmit order for queued packets. In
this scheme, lower weights are served first. Small, low-volume packets are given priority over
large, high-volume conversation packets.
After low-volume conversations have been serviced, high-volume conversations share the
remaining link capacity and interleave or alternate transmission timeslots. In this figure, high-volume
conversation packets are queued in order of arrival after the low-volume packet.
The queuing algorithm ensures the proper amount of bandwidth for each datagram. With flow-based
WFQ, two equal-size file transfers get equal bandwidth, rather than the first file transfer
using most of the bandwidth. Although the flow-based WFQ algorithm allocates a separate
queue for each conversation, each queue can belong to one of only seven priority
classifications, based on the IP precedence.
In the example, packet 3 is queued before packets 1 or 2 because packet 3 is a small packet in a
low-volume conversation.
The result of the queuing order and the transmission order is that short messages that do not
require much bandwidth are given priority and transmitted on the link first. For example,
packet 3 is transmitted before packets 1 and 2.
Configuring WFQ
This topic describes how to configure WFQ on an interface.
Configuring WFQ
Router(config-if)#fair-queue {congestive-discard-threshold}
• Enables WFQ
The fair-queue command enables WFQ on an interface.
fair-queue Command
congestive-discard-threshold: The number of messages creating a congestion threshold after
which messages for high-volume traffic will no longer be queued. It is the maximum number
of packets in a conversation held in a queue before they are discarded. Valid values are 1 to
512, inclusive. The default is 64 messages. The fair-queue 128 command sets the
congestive-discard-threshold to 128. congestive-discard-threshold is an optional argument;
it is not required, as indicated by the braces {} in the figure.
The congestive discard policy applies only to high-volume conversations that have more than
one message in the queue. The discard policy tries to control conversations that would
monopolize the link. If an individual conversation queue contains more messages than the
congestive discard threshold, that conversation will not have any new messages queued until
the content of that queue drops below one-fourth of the congestive discard value.
Note
WFQ is used by default on serial interfaces at E1 speeds (2.048 Mbps) and below. WFQ is
disabled on serial interfaces using X.25 or compressed PPP. LAN interfaces and serial lines
operating at E3 or T3 speeds do not support WFQ.
WFQ Example
This topic describes WFQ being used on a Frame Relay network to enable interactive traffic to
flow during times of congestion.
In the figure, interface Serial 1 is attached to a Frame Relay network and is configured to
operate at a 56-kbps link speed. The fair-queue 128 command sets the congestive discard
threshold to 128.
Because a conversation that has reached the threshold has no new messages queued until its
queue content drops below one-fourth of the congestive discard value, such a queue must drain
to fewer than 32 entries (one-quarter of 128) before it accepts new messages again.
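The Serial 1 configuration the figure describes, written out as an added example rather than the figure's own listing; the Frame Relay encapsulation line and the show commands are assumptions, not taken from the figure:

```cisco
! Added example: WFQ on the 56-kbps Frame Relay interface described in the text.
! The encapsulation line and the show commands below are assumptions.
interface Serial1
 bandwidth 56
 encapsulation frame-relay
 ! WFQ is already on by default at this speed (2.048 Mbps or below) with a
 ! congestive discard threshold of 64. This raises the threshold to 128:
 ! a high-volume conversation that reaches 128 queued messages has further
 ! messages dropped until its queue drains below 32 (one-fourth of 128).
 ! Note: WFQ would be disabled if this link used X.25 or compressed PPP.
 fair-queue 128
!
! Verify that WFQ is active and read back the configured threshold.
Router#show queueing fair
Router#show queue Serial1
```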
CBWFQ Operation
This topic describes class-based weighted fair queuing (CBWFQ).
CBWFQ
• The WFQ algorithm is applied to classes rather than the flows themselves.
CBWFQ extends the standard WFQ functionality to provide support for user-defined traffic
classes. By using CBWFQ, network managers can define traffic classes based on several match
criteria, including protocols, ACLs, and input interfaces. A FIFO queue is reserved for each
class, and traffic belonging to a class is directed to the queue for that class. More than one flow,
or conversation, can belong to a class.
After a class has been defined according to its match criteria, you can assign its characteristics.
To characterize a class, you assign it bandwidth and maximum packet limit. The bandwidth
assigned to a class is the guaranteed bandwidth given to the class during congestion.
CBWFQ assigns a weight to each configured class instead of each flow. This weight is
proportional to the bandwidth that is configured for each class (weight = interface bandwidth
divided by the class bandwidth). Therefore, the larger the bandwidth value of a class, the
smaller its weight.
By default, the total amount of bandwidth allocated for all classes must not exceed 75 percent
of the available bandwidth on the interface. The other 25 percent is used for control and routing
of traffic. However, the maximum-reserved bandwidth can be configured to circumvent this
limitation.
You must also specify the queue limit for the class, which is the maximum number of packets
allowed to accumulate in the queue for the class. Packets belonging to a class are subject to the
bandwidth and queue limits that are configured for the class.
CBWFQ vs. Flow-Based WFQ
This topic describes the benefits of CBWFQ over WFQ.
CBWFQ vs. Flow-Based WFQ
• CBWFQ provides for up to 64 classes; flow-based
WFQ is limited to 7 classifications, or weights.
• CBWFQ allows for coarser granularity. Multiple IP
flows can belong to a single class.
CBWFQ offers these benefits over flow-based WFQ:
Bandwidth allocation: CBWFQ allows you to specify the exact amount of bandwidth to
be allocated for a specific class of traffic. You can configure up to 64 classes and control
distribution among them.
Note
This is not the case with flow-based WFQ. Flow-based WFQ applies weights to traffic and
classifies traffic into conversations, thus controlling how much bandwidth each conversation
is allocated relative to other conversations. For flow-based WFQ, these weights and traffic
classifications are limited to the seven IP precedence levels.
Finer granularity and scalability: CBWFQ allows you to define classification based on
more criteria. It allows you to use ACLs, protocols, and input interface names to define
how traffic will be classified, thereby providing finer granularity. You can configure up to
64 discrete classes in a service policy.
Step 1: Configuring CBWFQ
This topic describes the configuration required to define traffic classes and to specify
classification policy.
Step 1: Configuring CBWFQ
• Use only one match command with each
class-map.
These are the steps involved in the CBWFQ configuration process:
Step 1: Define traffic classes to specify the classification policy (class maps).
Step 2: Associate policies, or class characteristics, with each traffic class (policy map), using either
A: CBWFQ with tail drop, or
B: CBWFQ with WRED, and optionally
C: a default class.
Step 3: Attach policies to interfaces (service policies).
This process determines how many types of packets are to be differentiated from one another.
To create a class map, use the class-map command to specify the name of the class map and
enter class map configuration mode. You can use only one match command for each class
map.
match Command
access-group {access-group | name access-group name}: Specifies the name of the ACL
against whose contents packets are checked to determine if they belong to the class. CBWFQ
supports numbered and named ACLs.
input-interface interface name: Specifies the name of the input interface used as a match
criterion against which packets are checked to determine if they belong to the class.
protocol protocol: Specifies the name of the protocol used as a match criterion against which
packets are checked to determine if they belong to the class.
ip precedence tos: Specifies the IP precedence ToS level used as a match criterion against
which packets are checked to determine if they belong in this class.
Step 2a: Configuring CBWFQ with Tail Drop
This topic describes configuration of policies built from previously defined classes. This
CBWFQ is configured with tail drop rather than WRED. You can implement either one of
these options, 2a or 2b, but not both.
Step 2a: Configuring CBWFQ with Tail Drop
• Use the queue-limit command when configuring
CBWFQ with tail drop.
This process entails configuration of policies to be applied to packets belonging to one of the
classes previously defined through a class map. For this process, you must configure a policy
map that specifies the policy for each traffic class.
Use the policy-map command to specify the policy map name and enter the policy map
configuration mode. Then, use one or more of the following commands to configure policy for
a standard class or the default class:
class
bandwidth
fair-queue (for class-default class only)
queue-limit or random-detect
Step 2b: Configuring CBWFQ with WRED
This topic describes configuration of CBWFQ with WRED rather than tail drop. Remember,
you can choose this step or the prior one (2a), but not both.
Step 2b: Configuring CBWFQ with WRED
• Use the random-detect command when configuring
CBWFQ with WRED.
Note
If you configure a class in a policy map to use WRED for packet drop instead of tail drop,
you must ensure that WRED is not configured on the interface to which you intend to attach
that service policy.
class Command
class-name: Specifies the name of a class to be created and included in the service policy.
class-default: Specifies the default class so that you can configure or modify its policy.
bandwidth Command
bandwidth-kbps: Specifies the amount of bandwidth in kbps (or as a percentage of the link)
to be assigned to the class. The amount of bandwidth configured should be large enough to
also accommodate Layer 2 overhead.
queue-limit Command
number-of-packets: Specifies the maximum number of packets that can be queued for the
class. If this is not specified, the default queue limit is 64 packets.
random-detect Command
random-detect: Enables WRED. The class policy will drop packets using WRED instead of
tail drop.
exponential-weighting-constant exponent: Configures the exponential weight factor that is
used in calculating the average queue length.
precedence precedence min-threshold max-threshold mark-prob-denominator: Configures
WRED parameters for packets with a specific IP precedence. Repeat this command for each
precedence.
You can configure policy for more than one class in the same policy map.
Step 2c: Configuring CBWFQ Default Class (Optional)
This topic describes configuration of a CBWFQ default class. You can use default class with
either tail drop (2a) or WRED (2b).
Step 2c: Configuring CBWFQ Default Class (Optional)
• Configure the default class for tail drop using the
queue-limit command.
• Configure the default class for WRED using the
random-detect command.
Optionally, you can modify the policy for IP flows that do not match any of the match criteria
of the classes. The class class-default command is used to classify traffic that does not fall into
one of the defined classes. The class-default class is predefined when you create the policy
map. By default, the class-default class is defined as flow-based WFQ.
Configuring the default class with the bandwidth policy-map class configuration command
disqualifies the default class for flow-based WFQ. If a default class is configured with the
bandwidth policy-map class configuration command, all unclassified traffic is put into a single
FIFO queue and treated according to the configured bandwidth. If a default class is configured
with the fair-queue command (or if no default class is configured), all unclassified traffic is
flow-classified and given best-effort treatment.
fair-queue Command
[number-of-dynamic-queues]: In policy-map class configuration mode, this command
specifies the number of dynamic queues to be reserved for use by flow-based WFQ running
on the default class. The number of dynamic queues is derived from the bandwidth of the
interface.
Step 3: Configuring CBWFQ
This topic describes the configuration for attaching policies to interfaces.
Step 3: Configuring CBWFQ
Router(config-if)#service-policy output policy-map
• Use the service-policy output command to attach the service policy to an interface and
enable CBWFQ.
This process requires that you apply an existing policy map, or service policy, to an interface,
which associates the particular set of policies in that map with the interface.
Use the service-policy output command in interface configuration mode to attach the policy to
an interface.
service-policy output Command
output policy-map: Enables CBWFQ and attaches the specified service policy map to the
output interface.
CBWFQ Example
This topic describes a CBWFQ configuration example.
CBWFQ Example
• Class1 uses access-list 101 to match a UDP port range for voice
• Class2 uses access-list 102 to match a UDP port range for video
In the configuration example shown in the figure, class1 is defined by referencing access-list
101 with the match access-group 101 command. Class1 will therefore match UDP traffic from
host 10.10.10.10 to host 10.10.10.20 on ports 16382 to 20000.
Class2 is defined by referencing access-list 102 with the match access-group 102 command.
Class2 will therefore match UDP traffic from host 10.10.10.10 to host 10.10.10.20 on ports
53000 to 56000.
CBWFQ Example (Cont.)
• Class2 does not specify a queue limit, so the
default of 64 packets is assumed.
• Tail drop will be used for both classes
The policy-map command creates a policy map. The configuration example in the figure
shows that the policy map, policy1, includes two class maps:
Class1: Configured with a bandwidth of 3000 kbps and a queue limit of 30 packets.
Class2: Configured with a bandwidth of 2000 kbps. Because the queue limit is not
specified, the default of 64 packets applies.
Since neither class is configured with the random-detect command, Cisco IOS software will
tail drop packets if their destination queue is full. Use the random-detect command to
configure WRED.
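The policy1 configuration described in the figure, carried through the three configuration steps (class maps, policy map, service policy) as an added example rather than the figure's own listing; the class-default handling, the interface name, its bandwidth value and the verification command are assumptions:

```cisco
! Added example, not the figure's listing. Values from the text: ACLs 101 and
! 102, class1 at 3000 kbps with queue-limit 30, class2 at 2000 kbps with the
! default queue limit.
!
! Step 1: classification. Each ACL matches the UDP port range for its class.
access-list 101 permit udp host 10.10.10.10 host 10.10.10.20 range 16382 20000
access-list 102 permit udp host 10.10.10.10 host 10.10.10.20 range 53000 56000
!
class-map class1
 match access-group 101
class-map class2
 match access-group 102
!
! Step 2a: policy with tail drop. queue-limit and random-detect are
! alternatives: to use WRED instead (step 2b), replace "queue-limit 30" with
! "random-detect" and make sure WRED is not also configured on the interface.
policy-map policy1
 class class1
  bandwidth 3000
  queue-limit 30
 class class2
  bandwidth 2000
  ! no queue-limit here, so the default of 64 packets applies
 ! Step 2c (optional, assumed here): unclassified traffic keeps flow-based
 ! WFQ and best-effort treatment.
 class class-default
  fair-queue
!
! Step 3: attach the policy outbound. Interface and bandwidth are assumed.
! The 5000 kbps reserved for class1 and class2 must fit within 75 percent of
! the interface bandwidth, so the bandwidth value must be at least 6667 kbps;
! 10000 kbps is used here (class weights: 10000/3000 and 10000/2000).
interface Serial0/0
 bandwidth 10000
 service-policy output policy1
!
! Verify per-class bandwidth, queue limits and drop counters.
Router#show policy-map interface Serial0/0
```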
LLQ Operation
This topic describes the concept of low latency queuing (LLQ).
LLQ
• LLQ provides for strict priority queuing of voice
traffic (V).
The LLQ feature provides strict priority queuing (PQ) for CBWFQ, reducing jitter in voice
conversations. Configured by the priority command, strict PQ gives delay-sensitive data—
such as voice—preferential treatment over other traffic. With this feature, delay-sensitive data
is sent first, before packets in other queues are treated. LLQ is also called PQ/CBWFQ, because
it is a combination of the two techniques.
For CBWFQ, the weight for a packe