Building Cisco Remote Access Networks - PowerPoint PPT Presentation

Provided by: rick336
Transcript and Presenter's Notes

1
  • Building Cisco Remote Access Networks

2
I. Legacy DDR
  • Legacy DDR is DDR configured with dialer map statements.
  • A dialer map maps a protocol address (e.g. an IP address) to a phone number.
  • Dialer maps are configured on the dialing physical interface (e.g. BRI0), along
    with the other commands for that line dealing with:
  • encapsulation
  • authentication
  • dialer options

3
Legacy DDR
  • The dialer map command can also be used if your router calls multiple
    destinations, as long as they all use the same communication parameters,
  • e.g. for every call:
  • the encapsulation is Point-to-Point Protocol (PPP),
  • the authentication method is CHAP, and
  • the idle timeout is 300 seconds.

4
Legacy DDR
  • RTA(config)# dialer-list 1 protocol ip permit
  • RTA(config)# interface bri0/0
  • RTA(config-if)# ip address 10.1.1.1 255.255.255.0
  • RTA(config-if)# encapsulation ppp
  • RTA(config-if)# ppp authentication chap
  • RTA(config-if)# isdn spid1 51055512340001 5551234
  • RTA(config-if)# isdn spid2 51055512350001 5551235
  • RTA(config-if)# dialer-group 1
  • RTA(config-if)# dialer map ip 10.1.1.2 name RTB 5554000
  • RTA(config-if)# dialer map ip 10.1.1.3 name RTC 5554001
  • RTA(config-if)# dialer map ip 10.1.1.4 name RTD 5554002
  • RTA(config-if)# dialer map ip 10.1.1.5 name RTE 5554003
  • RTA(config-if)# dialer idle-timeout 60
  • (CHAP also needs a username name password secret entry for each peer, RTB
    through RTE; slide 45 shows the form.)

What if you want a different idle timeout for RTD
and RTE? What if you want a different
authentication method for each connection?
5
II. The Dialer Interface
  • With a dialer interface, physical interfaces are not locked into one
    permanent set of call parameters: a physical line takes on the parameters
    of the dialer interface it is bound to, on an as-needed, per-call basis.
  • Using a dialer interface also lets you specify one set of dialer maps that
    applies to multiple physical lines.

6
The Dialer Interface
  • The dialer interface is not a physical interface.
  • When a physical interface is used for a call, it inherits the parameters
    configured on the dialer interface.
  • Dialer interfaces provide flexibility through rotary groups and dialer
    profiles.
  • A physical interface joins a dialer profile's pool with the dialer
    pool-member command.

7
The Dialer Interface
  • interface bri 0
  • dialer pool-member 1
  • !
  • interface Dialer0
  • ip address 21.1.1.1 255.0.0.0
  • encapsulation lapb dce multi
  • dialer remote-name RU1
  • dialer idle-timeout 300
  • dialer string 60036
  • dialer pool 1
  • dialer-group 1
  • !
  • interface Dialer1
  • ip address 22.1.1.1 255.0.0.0
  • encapsulation ppp
  • dialer remote-name RU2
  • dialer string 60043
  • dialer pool 1
  • dialer-group 1
  • ppp authentication chap
  • One BRI, two dialer interfaces with different encapsulations (LAPB and PPP):
    each dialer interface names the pool (dialer pool 1) that the BRI belongs to.

8
The Dialer Interface
  • Rotary Groups
  • One dialer interface that can be used by multiple physical interfaces
    (e.g. bri0 and bri1).
  • Configure once, use many.
  • Used for hunt groups (coming up).
  • Dialer Profiles
  • A single physical interface (bri0) that can use multiple dialer interfaces,
    for different encapsulations, dialer options, etc.

9
(No Transcript)
10
III. Rotary Groups
Dialer rotary groups simplify the configuration
of physical interfaces by allowing you to apply a
single logical interface configuration to a set
of physical interfaces .
11
  • Data-link layer configuration is done on the dialer interface.
  • A physical interface (BRI) can be associated with only one dialer
    interface.

12
Rotary Groups
  • Dialer rotary groups are useful in environments
    that require multiple calling destinations.
  • Only the rotary group needs to be configured with
    the dialer map commands.
  • The only configuration required for the
    interfaces is the dialer rotary-group command
    indicating that each interface is part of a
    dialer rotary group.

13
Rotary Groups
  • The interface dialer command in global configuration mode creates a
    dialer rotary group:
  • Router(config)# interface dialer group-number
  • Router(config-if)# ip address ... and data-link layer commands
  • Then use the dialer rotary-group command in interface (BRI, async, and so
    on) configuration mode to include that interface in the specified rotary
    group:
  • Router(config)# interface bri 0
  • Router(config-if)# dialer rotary-group group-number

14
Rotary Group
  • hostname central-site
  • interface dialer 1
  • encapsulation ppp
  • dialer in-band
  • ip address 131.108.2.1 255.255.255.0
  • ip address 131.126.4.1 255.255.255.0 secondary
  • dialer map ip 131.108.2.5 name YYY 14155553434
  • dialer map ip 131.126.4.5 name ZZZ
  • interface bri 0
  • dialer rotary-group 1
  • interface bri 1
  • dialer rotary-group 1

15
Rotary Groups
  • A dialer rotary group is not a physical
    interface, instead, it represents a group of
    interfaces.
  • Interface configuration commands entered after
    the interface dialer command will be applied to
    all physical interfaces assigned to specified
    rotary groups.
  • Individual interfaces in a dialer rotary group do
    not have individual addresses.
  • The dialer interface has a protocol address, and
    that address is used by all interfaces in the
    dialer rotary group.

16
  • Rotary Groups are also useful in a Hub - Spoke
    environment.
  • Single dialer interface and a single physical
    interface, but two destinations.

17
  • Another example using a single dialer interface with two physical
    interfaces.
  • Two physical interfaces (BRIs): the central site can communicate with both
    destinations simultaneously, using either BRI for either destination.
  • If the remote sites initiate the calls, one problem is that SiteA and
    SiteB may both dial the same central-site BRI (bri0), so only one of them
    gets through; see hunt groups.

18
Rotary Group Limitations
  • With rotary groups we can associate a physical interface (BRI) with only
    one dialer interface. (However, you can associate multiple physical
    interfaces with the same dialer interface.)
  • This is limiting in large, complex dialing environments.
  • Since the physical interface can use only a single dialer interface, a
    single physical interface (BRI) can dial (via dialer maps) only remote
    sites that share the same layer 2 and layer 3 configuration:
  • Can't dial different sites with PPP and HDLC
  • Can't dial different sites with IP and IPX

19
Rotary Group Limitations
20
Rotary Group Limitations
  • Solution?
  • Dialer Profiles!
  • When?
  • Right after rotary group - hunt groups!

21
Rotary Group Hunt Groups
  • A hunt group is a series of telephone lines that
    are programmed by the Telco so that as incoming
    calls arrive, if the first line is busy, the
    second line is tried, and then the third line is
    tried, and so on until a free line is found.
  • This way, an incoming call should not end up with
    a busy signal.

22
(No Transcript)
23
IV. Dialer Interface Commands
  • Sections 6.1.2 and 6.1.3 deal with dialer commands that we covered
    previously in the chapter on Asynchronous Communications.
  • Please read this section (and all sections) to make sure you understand
    these commands.

24
  • Next Dialer Profiles
  • ISDN Labs

25
V. Dialer Profiles
Dialer Profiles A single physical interface
(bri0) that can use multiple dialer interfaces
(pools), for various encapsulations, dialer
options, etc.
26
Dialer Profiles
  • The limitation with rotary groups is that we can
    only associate one physical interface (bri) to a
    single dialer interface.
  • This means a bri interface can only use the
    configuration parameters of the dialer interface
    it is assigned to (dialer rotary-group).
  • Dialer Profiles overcome this by letting us
    assign the dialer interface on a per-call-basis.
  • A single physical interface will now be able to
    use several different dialer interfaces.
  • This is done by the use of dialer pools.

27
Dialer Profiles
  • Dialer profiles separate the logical portion of DDR (the network layer,
    encapsulation and dialer parameters) from the physical interface that
    places or receives calls.
  • Dialer profiles address several dialup issues:
  • One configured interface per ISDN interface
  • Dialer map complexity
  • Limited dial backup

28
Dialer Profiles
  • Dialer profiles let you create different
    configurations for B channels on an ISDN PRI or
    BRI interface.
  • The main difference between a rotary group and a
    dialer profile is that a physical interface
    participates in only one rotary group.
  • With a dialer profile, a physical interface can
    belong to many different pools.

29
How Dialer Profiles Work
(Figure only; labels: BRI01, BRI02, BRI21, BRI22)
30
Elements of a Dialer Profile
  • Dialer interface
  • Dialer map class (optional)
  • Dialer pool
  • Physical interfaces

31
(Figure only; label: dialer pool 30)
32
Dialer Profiles
  • Dialer pools allow us to associate a physical
    interface, (bri or async interface), with one or
    more logical interfaces (dialer interface).
  • Dialer pools are not actual interfaces but a way
    to bind the physical interface to the dialer
    interface.

33
Dialer Profiles
  • To configure the physical (BRI) interface, we need to:
  • 1. Specify the type of encapsulation
  • 2. Specify the dialer pools in which it will participate:
  • dialer pool-member pool-number
  • To configure the dialer interface, we need to:
  • 1. Specify the type of encapsulation
  • 2. Specify the network protocols (addresses)
  • 3. Specify the remote router name (dialer remote-name)
  • 4. Specify the remote destination call string, dialer string (optional)
  • 5. Specify the dialing pool to use (only one can be configured):
  • dialer pool pool-number

34
(Figure only; no transcript)
35
Dialer Profiles
  • Physical Interface
  • dialer pool-member pool-number [priority priority]
  • A physical interface is not tied to one dialer interface directly: it joins
    one or more dialer pools (one dialer pool-member statement per pool), and
    any dialer interface that uses one of those pools can bind to it.
  • The priority is used when dialing out. If several physical interfaces
    belong to the pool that a dialer interface uses, the priority decides
    which one is tried first: the range is 0 to 255 (default 0), and the
    member with the higher priority value is tried first.

36
Dialer Profiles
  • Dialer Interface
  • dialer pool pool-number
  • A dialer interface can be associated with only one dialer pool.
  • dialer remote-name name
  • The name is used for more than just authentication: on an incoming call the
    router authenticates the caller (CHAP or PAP), then looks among the dialer
    interfaces whose pool the receiving physical interface belongs to for the
    one whose dialer remote-name matches the authenticated name, and binds the
    physical interface to that dialer interface.

37
(Figure only; label: dialer pool 30)
38
No more Dialer Map!
  • In legacy configurations you configure call parameters under a physical
    interface using dialer map:
  • RTA(config)# interface bri 0
  • RTA(config-if)# dialer map ip 10.1.1.2 name RTB 5554000
  • With dialer interfaces, you configure a dialer string and a remote name
    instead:
  • RTA(config)# interface dialer 0
  • RTA(config-if)# dialer string dial-string
  • RTA(config-if)# dialer remote-name name

39
Dialer Profiles
  • NOTE: prior to IOS 12.0(7)T
  • Because the physical interface is bound to the dialer interface only after
    the incoming call has been identified (authenticated), you must define the
    layer 2 encapsulation and authentication on both the physical interface
    and the dialer interface.
  • The layer 2 encapsulation and authentication settings must match.
  • IOS 12.0(7)T introduced the Dynamic Multiple Encapsulations feature; with
    it, only the layer 2 encapsulation and authentication on the dialer
    interface are used.
  • See Cisco's web site for more information on this feature.

40
Dialer Profiles Config
  • RTA(config)# interface bri0/0
  • RTA(config-if)# isdn spid1 51055512340001 5551234
  • RTA(config-if)# isdn spid2 51055512350001 5551235
  • RTA(config-if)# encapsulation ppp
  • RTA(config-if)# ppp authentication chap
  • RTA(config-if)# dialer pool-member 1
  • RTA(config)# interface dialer 0
  • RTA(config-if)# dialer pool 1
  • RTA(config-if)# ip address 10.1.1.1 255.255.255.0
  • RTA(config-if)# encapsulation ppp
  • RTA(config-if)# ppp authentication chap
  • RTA(config-if)# dialer-group 1
  • RTA(config-if)# dialer remote-name RTB
  • RTA(config-if)# dialer string 5554000
  • RTA(config-if)# dialer string 5554001

41
(No Transcript)
42
(No Transcript)
43
Dialer Profiles - outgoing
  • RTB(config)# interface dialer 0
  • RTB(config-if)# ip address 10.1.1.2 255.255.255.0
  • RTB(config-if)# dialer pool 1
  • RTB(config-if)# encapsulation ppp
  • RTB(config-if)# ppp authentication chap
  • RTB(config-if)# dialer remote-name RTA
  • RTB(config-if)# dialer-group 5
  • RTB(config-if)# dialer string 5551234
  • RTB(config-if)# dialer string 5551235
  • !
  • RTB(config)# interface dialer 1
  • RTB(config-if)# ip address 172.16.0.2 255.255.255.0
  • RTB(config-if)# dialer pool 1
  • RTB(config-if)# encapsulation ppp
  • RTB(config-if)# ppp authentication chap
  • RTB(config-if)# ppp chap hostname JULIET
  • RTB(config-if)# dialer remote-name ROMEO
  • RTB(config-if)# dialer-group 5
  • RTB(config-if)# dialer string 5555678

Ping 10.1.1.1. Without a dialer map, which maps an IP address to a phone
number (dialer string), how does the router know which dialer interface to
bind to the BRI? The routing table: 10.1.1.1 falls in the 10.1.1.0/24
network configured on interface Dialer0, so the packet is routed out Dialer0,
which supplies the dialer string (5551234, with 5551235 as the alternate
number) and takes a free physical interface from dialer pool 1.
44
Dialer Profiles
  • Physical Interfaces
  • dialer pool-member pool-number [priority priority]
  • When dialing out, if more than one physical interface is a member of the
    dialer pool that a dialer interface uses, the member with the higher
    priority value (range 0 to 255, default 0) is tried first.
  • interface bri 0
  • dialer pool-member 10 priority 50 (tried first)
  • interface bri 1
  • dialer pool-member 10 priority 2
  • interface dialer 1
  • dialer pool 10

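As an added illustration, not code from the slides or from Cisco, here is a small Python model of the binding rules described on slides 35 to 44: the routing table (not a dialer map) picks the dialer interface, the dialer interface's pool and the members' priorities pick the physical interface for an outgoing call, and on an incoming call the authenticated peer name picks the dialer interface through dialer remote-name. RTB's two dialer interfaces, addresses and dial strings are taken from slide 43; the second BRI and its priorities are constructed from slide 44 (using pool 1 rather than 10), and the rule that the higher priority value is tried first is this model's assumption, following Cisco's dialer pool-member command reference rather than any output shown in the slides.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class PhysicalInterface:
    """A BRI/async port: one 'dialer pool-member N priority P' per pool it joins."""
    name: str
    pools: Dict[int, int]  # pool number -> priority (assumption: higher value tried first)
    busy: bool = False


@dataclass
class DialerInterface:
    """A dialer profile: exactly one pool, one remote-name, one or more dialer strings."""
    name: str
    network: IPv4Network      # from 'ip address A.B.C.D mask'
    pool: int                 # 'dialer pool N'
    remote_name: str          # 'dialer remote-name NAME'
    dial_strings: List[str]   # 'dialer string ...' entries, first is primary


class DialerProfileRouter:
    def __init__(self, physical: List[PhysicalInterface], dialers: List[DialerInterface]):
        self.physical = {p.name: p for p in physical}
        self.dialers = dialers

    def route(self, dst: str) -> Optional[DialerInterface]:
        """Longest-prefix match over the connected networks of the dialer interfaces.
        This is what replaces the legacy dialer map: routing, not a map, picks the dialer."""
        addr = IPv4Address(dst)
        matches = [d for d in self.dialers if addr in d.network]
        return max(matches, key=lambda d: d.network.prefixlen) if matches else None

    def dial_out(self, dst: str) -> Optional[Tuple[str, str, str]]:
        """Return (dialer, physical interface, number) for an outgoing call, or None."""
        dialer = self.route(dst)
        if dialer is None:
            return None                      # no route: nothing triggers a call
        members = [p for p in self.physical.values()
                   if dialer.pool in p.pools and not p.busy]
        if not members:
            return None                      # every member of the pool is busy
        chosen = max(members, key=lambda p: p.pools[dialer.pool])
        return dialer.name, chosen.name, dialer.dial_strings[0]

    def bind_incoming(self, physical_name: str, authenticated_name: str) -> Optional[str]:
        """Inbound: the CHAP/PAP-authenticated peer name selects the dialer interface
        whose 'dialer remote-name' matches, among the pools this port belongs to."""
        port = self.physical[physical_name]
        for d in self.dialers:
            if d.pool in port.pools and d.remote_name == authenticated_name:
                return d.name
        return None                          # unknown peer: no profile binds


def build_rtb() -> DialerProfileRouter:
    """RTB from slide 43, plus a second BRI with slide-44 style priorities (constructed)."""
    bri0 = PhysicalInterface("BRI0", pools={1: 50})
    bri1 = PhysicalInterface("BRI1", pools={1: 2})
    dialer0 = DialerInterface("Dialer0", IPv4Network("10.1.1.0/24"), 1, "RTA",
                              ["5551234", "5551235"])
    dialer1 = DialerInterface("Dialer1", IPv4Network("172.16.0.0/24"), 1, "ROMEO",
                              ["5555678"])
    return DialerProfileRouter([bri0, bri1], [dialer0, dialer1])


if __name__ == "__main__":
    rtb = build_rtb()
    print(rtb.dial_out("10.1.1.1"))              # ('Dialer0', 'BRI0', '5551234')
    rtb.physical["BRI0"].busy = True
    print(rtb.dial_out("172.16.0.1"))            # ('Dialer1', 'BRI1', '5555678')
    print(rtb.bind_incoming("BRI0", "RTA"))      # Dialer0
    print(rtb.bind_incoming("BRI0", "MALLORY"))  # None
```

The model answers the slide 43 question directly: a ping to 10.1.1.1 reaches Dialer0 through the connected route, and a ping to 172.16.0.1 reaches Dialer1, even though both dialer interfaces share pool 1 and the same BRIs. It also shows why dialer remote-name matters for security: an inbound caller that authenticates under a name no dialer interface expects is not bound to any profile.
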
45
Sample Config
  • enable password cisco
  • username RTB password 0 cisco
  • isdn switch-type basic-ni
  • !
  • interface BRI0
  • no ip address
  • no ip directed-broadcast
  • encapsulation ppp
  • dialer pool-member 1
  • isdn switch-type basic-ni
  • isdn spid1 51055512340001 5551234
  • isdn spid2 51055512350001 5551235
  • ppp authentication chap
  • !
  • interface Dialer0
  • ip address 10.1.1.1 255.255.255.0
  • encapsulation ppp
  • dialer remote-name RTB
  • dialer string 5554000
  • dialer string 5554001
  • dialer load-threshold 1 either
  • dialer pool 1
  • dialer-group 1
  • ppp authentication chap
  • ppp multilink
  • !
  • ip route 192.168.1.0 255.255.255.0 10.1.1.2
  • dialer-list 1 protocol ip permit
  • Note the password handling in this sample: enable password stores the
    enable password in clear text in the configuration (use enable secret
    instead), and the CHAP username entry must stay recoverable (type 0 or 7),
    so anyone who can read the configuration can recover the CHAP secret. Use
    a real secret rather than cisco and restrict who can view the
    configuration.

46
Dialer Profiles - map-class
  • Dialer map-class is an optional command that lets you specify unique
    characteristics per dialer string.
  • map-class dialer name
  • Options (configured under the map-class):
  • dialer callback-server, dialer enable-timeout, dialer fast-idle,
    dialer idle-timeout: see earlier chapters
  • dialer isdn speed 56: change the speed of the ISDN call
  • dialer isdn spc and dialer voice-call

47
Dialer Map-Class
  • The dialer map class is an optional element that defines specific
    characteristics for calls to a specified dial string:
  • ISDN speed (56 kbps is the only option; 64 kbps is the default)
  • dialer fast-idle
  • dialer idle-timeout
  • dialer wait-for-carrier-time

48
Dialer Map-Class
49
Dialer Map-Class
  • RTA(config)# map-class dialer AGRESSIVE
  • RTA(config-map-class)# dialer idle-timeout 30
  • RTA(config-map-class)# dialer fast-idle 10
  • RTA(config-map-class)# dialer wait-for-carrier-time 25
  • RTA(config-map-class)# exit

50
Dialer Map-Class
  • Apply the map-class using the class keyword of the dialer string command:
  • RTA(config-if)# dialer string 5554000 class AGRESSIVE

51
Sample Config
  • map-class dialer AGRESSIVE
  • dialer idle-timeout 30
  • dialer fast-idle 10
  • dialer wait-for-carrier-time 25
  • !
  • dialer-list 5 protocol ip permit
  • !
  • interface Dialer1
  • ip address 172.16.0.1 255.255.255.0
  • encapsulation ppp
  • dialer remote-name JULIET
  • dialer string 5554000 class AGRESSIVE
  • dialer string 5554001 class AGRESSIVE
  • dialer pool 1
  • dialer-group 5
  • ppp authentication chap

52
Time Based ACLs
  • Time-based access lists extend the notion of time
    to the access-list facility.
  • Now, network administrators can define when the
    permit or deny statements in the access lists are
    in effect, by time of day and week, and on an
    absolute basis.

53
  • In global configuration mode:
  • 1. time-range time-range-name
  • Identify the time range by a meaningful name; this enters time-range
    configuration mode.
  • 2. absolute [start hh:mm day month year] [end hh:mm day month year]
  • and/or
  • periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm
  • days-of-the-week is monday through sunday, or one of the keywords daily,
    weekdays or weekend; an absolute range with no end stays in effect
    indefinitely.

54
Create an extended ACL
  • access-list access-list-number {deny | permit} protocol source
    source-wildcard destination destination-wildcard [precedence precedence]
    [tos tos] [established] [log] [time-range time-range-name]

55
Example 1 using Named ACL
  • The following example denies HTTP traffic on Monday through Friday between
    8:00 a.m. and 6:00 p.m., and permits UDP traffic on Saturday and Sunday
    from noon to 8:00 p.m. only.
  • Note the implicit deny at the end of the named ACL: any packet that no
    active entry matches (HTTP outside the no-http window, other TCP traffic,
    UDP on weekdays) is also dropped. The explicit deny entry only makes the
    HTTP policy visible in the configuration; the ACL as written blocks far
    more than HTTP.
  • time-range no-http
  • periodic weekdays 8:00 to 18:00
  • !
  • time-range udp-yes
  • periodic weekend 12:00 to 20:00
  • !
  • ip access-list extended strict
  • deny tcp any any eq http time-range no-http
  • permit udp any any time-range udp-yes
  • !
  • interface ethernet 0
  • ip access-group strict in

56
Example 2 using Named ACL
  • The following example configures an access list named northeast, which
    references a time range named xyz. Together they permit traffic in on
    Ethernet interface 0 starting at 12:00 noon on January 1, 2001 and
    continuing indefinitely (no end is given).
  • time-range xyz
  • absolute start 12:00 1 January 2001
  • !
  • ip access-list extended northeast
  • permit ip any any time-range xyz
  • !
  • interface ethernet 0
  • ip access-group northeast in

57
Example 3 using Named ACL
  • The following example permits UDP traffic out Ethernet interface 0 on
    weekends only, from 8:00 a.m. on January 1, 1999 to 6:00 p.m. on
    December 31, 2001.
  • time-range test
  • absolute start 8:00 1 January 1999 end 18:00 31 December 2001
  • periodic weekend 00:00 to 23:59
  • !
  • ip access-list extended northeast
  • permit udp any any time-range test
  • !
  • interface ethernet 0
  • ip access-group northeast out

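To make the time-range semantics concrete, here is an added Python evaluator (not Cisco code and not part of the slides) that parses the absolute and periodic forms used in Examples 1 to 3, decides whether a time range is active at a given datetime, and evaluates a named extended ACL with two rules the slides rely on: an entry whose time range is not in effect is skipped as if it were not there, and an ACL with no matching entry ends in an implicit deny. It models only the command forms shown above (any/any sources and destinations, eq port, time-range), treats range boundaries as inclusive, and the packets and dates it classifies are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

WEEK = 7 * 1440  # minutes in a week; periodic windows are weekly minute intervals
DAY_SETS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
            "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
            "friday": {4}, "saturday": {5}, "sunday": {6}}
MONTHS = {m: i for i, m in enumerate(["january", "february", "march", "april", "may", "june",
          "july", "august", "september", "october", "november", "december"], start=1)}
PORT_NAMES = {"http": 80, "www": 80, "domain": 53}  # small subset of IOS port names

def _hhmm(text: str) -> int:
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)

def _abs_time(tokens: List[str]) -> datetime:  # ['8:00', '1', 'January', '1999']
    mins = _hhmm(tokens[0])
    return datetime(int(tokens[3]), MONTHS[tokens[2].lower()], int(tokens[1]), mins // 60, mins % 60)

@dataclass
class TimeRange:
    name: str
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    windows: List[Tuple[int, int]] = field(default_factory=list)

    def add(self, line: str) -> None:
        """Accept one 'absolute ...' or 'periodic ...' line in the syntax of the slides."""
        t = line.split()
        if t[0] == "absolute":
            for i in range(1, len(t), 5):
                if t[i] == "start":
                    self.start = _abs_time(t[i + 1:i + 5])
                elif t[i] == "end":
                    self.end = _abs_time(t[i + 1:i + 5])
                else:
                    raise ValueError(line)
        elif t[0] == "periodic" and t[3] == "to":
            if len(t) == 5:   # periodic weekdays 8:00 to 18:00: one window on each listed day
                for day in DAY_SETS[t[1].lower()]:
                    self.windows.append((day * 1440 + _hhmm(t[2]), day * 1440 + _hhmm(t[4])))
            else:             # periodic friday 18:00 to monday 8:00: one span, may wrap the week
                (s_day,), (e_day,) = DAY_SETS[t[1].lower()], DAY_SETS[t[4].lower()]
                s, e = s_day * 1440 + _hhmm(t[2]), e_day * 1440 + _hhmm(t[5])
                self.windows.append((s, e if e >= s else e + WEEK))
        else:
            raise ValueError(line)

    def active(self, now: datetime) -> bool:
        if (self.start and now < self.start) or (self.end and now > self.end):
            return False
        if not self.windows:          # absolute-only range
            return True
        m = now.weekday() * 1440 + now.hour * 60 + now.minute
        return any(s <= x <= e for s, e in self.windows for x in (m, m + WEEK))

@dataclass
class Ace:
    action: str
    protocol: str
    dst_port: Optional[int]
    time_range: Optional[str]

def parse_ace(line: str) -> Ace:
    """'permit|deny PROTO any any [eq PORT] [time-range NAME]' (the slides' forms only)."""
    t = line.split()
    port = rng = None
    if "eq" in t:
        raw = t[t.index("eq") + 1]
        port = int(raw) if raw.isdigit() else PORT_NAMES[raw]
    if "time-range" in t:
        rng = t[t.index("time-range") + 1]
    return Ace(t[0], t[1], port, rng)

def evaluate(acl: List[Ace], ranges: Dict[str, TimeRange],
             proto: str, dst_port: Optional[int], now: datetime) -> str:
    """First matching active entry wins; no match means the implicit deny."""
    for ace in acl:
        if ace.time_range and not ranges[ace.time_range].active(now):
            continue                  # entry is inactive outside its time range
        if ace.protocol != "ip" and ace.protocol != proto:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"

def strict_acl() -> Tuple[List[Ace], Dict[str, TimeRange]]:
    """The 'strict' ACL and its two time ranges from Example 1."""
    no_http, udp_yes = TimeRange("no-http"), TimeRange("udp-yes")
    no_http.add("periodic weekdays 8:00 to 18:00")
    udp_yes.add("periodic weekend 12:00 to 20:00")
    acl = [parse_ace("deny tcp any any eq http time-range no-http"),
           parse_ace("permit udp any any time-range udp-yes")]
    return acl, {"no-http": no_http, "udp-yes": udp_yes}
```

Running evaluate over the strict ACL with a Monday 10:00 HTTP packet returns deny from the explicit entry, a Saturday 13:00 UDP packet returns permit, and a Monday UDP packet (or HTTP at 20:00 on a weekday) returns deny from the implicit deny, which is the behaviour the note under Example 1 warns about. The cross-day periodic form is handled by letting a window wrap past the end of the week and testing both the current weekly minute and that minute plus one week.
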
58
Dial on Demand Routing
  • Read this section on your own.
  • As far as I can tell, or remember, this section
    is not a Remote-Access Exam Objective
  • Most of this information is covered in the
    routing class or just for their case studies.

59
The End