Title: Building Cisco Remote Access Networks
1- Building Cisco Remote Access Networks
2I. Legacy DDR
- Legacy DDR is DDR that uses dial map statements.
- Maps IP addresses to phone numbers
- Dialer maps are configured on the dialing interface (i.e. BRI0) along with other commands dealing with:
- encapsulation
- authentication
- dialer options
3Legacy DDR
- The dialer map command can also be used if your router calls multiple destinations, as long as they all use the same communication parameters.
- e.g. for every call:
- the encapsulation is Point-to-Point Protocol (PPP),
- the authentication method is CHAP
- the idle timeout is 300 seconds
4Legacy DDR
- RTA(config)#dialer-list 1 protocol ip permit
- RTA(config)#int bri0/0
- RTA(config-if)#ip address 10.1.1.1 255.255.255.0
- RTA(config-if)#encapsulation ppp
- RTA(config-if)#ppp authentication chap
- RTA(config-if)#isdn spid1 51055512340001 5551234
- RTA(config-if)#isdn spid2 51055512350001 5551235
- RTA(config-if)#dialer-group 1
- RTA(config-if)#dialer map ip 10.1.1.2 name RTB 5554000
- RTA(config-if)#dialer map ip 10.1.1.3 name RTC 5554001
- RTA(config-if)#dialer map ip 10.1.1.4 name RTD 5554002
- RTA(config-if)#dialer map ip 10.1.1.5 name RTE 5554003
- RTA(config-if)#dialer idle-timeout 60
What if you want a different idle timeout for RTD
and RTE? What if you want a different
authentication method for each connection?
5II. The Dialer Interface
- The dialer interface is a mechanism in which physical interfaces are not locked into permanent configurations, but instead assume call parameters on an as-needed basis.
- Using the dialer interface allows you to specify one set of dialer maps that can apply to multiple physical lines.
6The Dialer Interface
- The dialer interface is not a physical interface.
- When a physical interface is being used for dialing, it inherits the parameters configured for the dialer interface.
- Dialer interfaces provide flexibility through rotary groups and dialer profiles.
- Dialer pool member
7The Dialer Interface
- Inter bri 0
- dialer pool-member 1
- interface Dialer0
- ip address 21.1.1.1 255.0.0.0
- encapsulation lapb dce multi
- dialer remote-name RU1
- dialer idle-timeout 300
- dialer string 60036
- dialer-group 1
- interface Dialer1
- ip address 22.1.1.1 255.0.0.0
- encapsulation ppp
- dialer remote-name RU2
- dialer string 60043
- dialer-group 1
- ppp authentication chap
8The Dialer Interface
- Rotary Groups
- One dialer interface that can be used by multiple physical interfaces (bri0).
- Configure once, and use many.
- Used for hunt groups (coming)
- Dialer Profiles
- A single physical interface (bri0) that can use
multiple dialer interfaces, for various
encapsulations, dialer options, etc.
10III. Rotary Groups
Dialer rotary groups simplify the configuration
of physical interfaces by allowing you to apply a
single logical interface configuration to a set
of physical interfaces.
11- Data-link layer configuration is done in the dialer interface.
- A physical interface (bri) can be associated with only a single dialer interface.
12Rotary Groups
- Dialer rotary groups are useful in environments that require multiple calling destinations.
- Only the rotary group needs to be configured with the dialer map commands.
- The only configuration required for the interfaces is the dialer rotary-group command indicating that each interface is part of a dialer rotary group.
13Rotary Groups
- The interface dialer command in global configuration mode creates a dialer rotary group:
- Router(config)#interface dialer group-number
- Router(config-if)# (ip address and data-link layer commands)
- Then, you use the dialer rotary-group command in interface (BRI, async, and so on) configuration mode to include that interface in the specified rotary group:
- Router(config)#int bri 0
- Router(config-if)#dialer rotary-group group-number
14Rotary Group
- hostname central-site
- interface dialer 1
- encapsulation ppp
- dialer in-band
- ip address 131.108.2.1 255.255.255.0
- ip address 131.126.4.1 255.255.255.0 secondary
- dialer map ip 131.108.2.5 name YYY 14155553434
- dialer map ip 131.126.4.5 name ZZZ
- interface bri 0
- dialer rotary-group 1
- interface bri 1
- dialer rotary-group 1
15Rotary Groups
- A dialer rotary group is not a physical interface; instead, it represents a group of interfaces.
- Interface configuration commands entered after the interface dialer command will be applied to all physical interfaces assigned to the specified rotary group.
- Individual interfaces in a dialer rotary group do not have individual addresses.
- The dialer interface has a protocol address, and that address is used by all interfaces in the dialer rotary group.
16- Rotary Groups are also useful in a hub-and-spoke environment.
- Single dialer interface and a single physical interface, but two destinations.
17- Another example using a single dialer interface with two physical interfaces.
- Two physical interfaces (bris): the Central Site can communicate with both destinations simultaneously, using either bri for either destination.
- If remote sites initiate the call, one problem arises if both SiteA and SiteB dial the same central site bri interface (bri0) and only one gets through - see hunt groups.
18Rotary Group Limitations
- With Rotary Groups, we can only associate a physical interface (bri) to a single dialer interface. (However, you can associate multiple physical interfaces to the same dialer.)
- This is limiting when dialing in large, complex environments.
- With Rotary Groups, since the physical interface can only use a single dialer, a single physical interface (bri) will only be able to dial (dialer maps) remote sites that share the same layer 2 and layer 3 configurations.
- Can't dial different sites with PPP and HDLC
- Can't dial different sites with IP and IPX
19Rotary Group Limitations
20Rotary Group Limitations
- Solution?
- Dialer Profiles!
- When?
- Right after rotary group - hunt groups!
21Rotary Group Hunt Groups
- A hunt group is a series of telephone lines that are programmed by the Telco so that as incoming calls arrive, if the first line is busy, the second line is tried, and then the third line is tried, and so on until a free line is found.
- This way, an incoming call should not end up with a busy signal.
23IV. Dialer Interface Commands
- 6.1.2 and 6.1.3 deal with dialer commands that we covered previously in the chapter on Asynchronous Communications.
- Please read this section (and all sections) to make sure you understand these commands.
24- Next: Dialer Profiles
- ISDN Labs
25V. Dialer Profiles
Dialer Profiles: a single physical interface (bri0) that can use multiple dialer interfaces (pools), for various encapsulations, dialer options, etc.
26Dialer Profiles
- The limitation with rotary groups is that we can only associate one physical interface (bri) to a single dialer interface.
- This means a bri interface can only use the configuration parameters of the dialer interface it is assigned to (dialer rotary-group).
- Dialer Profiles overcome this by letting us assign the dialer interface on a per-call basis.
- A single physical interface will now be able to use several different dialer interfaces.
- This is done by the use of dialer pools.
27Dialer Profiles
- Dialer profiles separate the logical portion of DDR (such as the network layer, encapsulation, and dialer parameters) from the physical interface that places or receives calls.
- Dialer profiles address several dialup issues:
- One configured interface per ISDN interface
- Dialer map complexity
- Limited dial backup
28Dialer Profiles
- Dialer profiles let you create different configurations for B channels on an ISDN PRI or BRI interface.
- The main difference between a rotary group and a dialer profile is that a physical interface participates in only one rotary group.
- With a dialer profile, a physical interface can belong to many different pools.
29How Dialer Profiles Work
(Figure labels: BRI01, BRI02, BRI21, BRI22)
30Elements of a Dialer Profile
- Dialer interface
- Dialer map class (optional)
- Dialer pool
- Physical interfaces
31dialer pool 30
32Dialer Profiles
- Dialer pools allow us to associate a physical interface (bri or async interface) with one or more logical interfaces (dialer interfaces).
- Dialer pools are not actual interfaces but a way to bind the physical interface to the dialer interface.
33Dialer Profiles
- To configure the physical (bri) interface, we need to:
- 1. Specify the type of encapsulation
- 2. Specify the dialer pools in which it will participate
- dialer pool-member pool-number
- To configure the dialer interface, we need to:
- 1. Specify the type of encapsulation
- 2. Specify the network protocols
- 3. Specify the remote router name
- 4. Specify the remote destination call string (optional)
- 5. Specify the dialing pool to use (only one can be configured)
- dialer pool pool-number
35Dialer Profiles
- Physical Interface
- dialer pool-member pool-number priority
- A physical interface can be associated with only a single dialer interface, but it can be associated with multiple dialer pools. (Can have multiple dialer pool-member statements.)
- Priority is used when dialing out. If there are several physical interfaces associated with the same dialer interface, the priority determines which physical interface will be tried first. The lower the number, the higher the priority.
36Dialer Profiles
- Dialer Interface
- dialer pool pool-number
- The dialer interface can only be associated with a single dialer pool.
- dialer remote-name name
- The name is used for more than just authentication: the Cisco router looks within the dialer pool for a dialer interface whose dialer profile has a name that matches the name of the remote site.
37dialer pool 30
38No more Dialer Map!
- In legacy configurations you configure call parameters under a physical interface using dialer map:
- RTA(config)#int bri 0
- RTA(config-if)#dialer map ip 10.1.1.2 name RTB 5554000
- With dialer interfaces, you configure a dialer string:
- RTA(config)#int dialer 0
- Router(config-if)#dialer string dial-string
- Router(config-if)#dialer remote-name name
39Dialer Profiles
- NOTE: Prior to IOS 12.0(7)T
- Because the binding of the physical interface to the dialer interface only happens after the incoming call has been identified, you must define the layer 2 encapsulation and authentication on both the physical interface and the dialer interface.
- The layer 2 encapsulations and authentications must match.
- IOS 12.0(7)T introduces the Dynamic Multiple Encapsulations feature, with which only the layer 2 encapsulation and authentication on the dialer interface are used.
- Go to Cisco's web site for more information on this feature.
40Dialer Profiles Config
- RTA(config)#interface bri0/0
- RTA(config-if)#isdn spid1 51055512340001 5551234
- RTA(config-if)#isdn spid2 51055512350001 5551235
- RTA(config-if)#encapsulation ppp
- RTA(config-if)#ppp authentication chap
- RTA(config-if)#dialer pool-member 1
- RTA(config)#interface dialer 0
- RTA(config-if)#dialer pool 1
- RTA(config-if)#ip address 10.1.1.1 255.255.255.0
- RTA(config-if)#encapsulation ppp
- RTA(config-if)#ppp authentication chap
- RTA(config-if)#dialer-group 1
- RTA(config-if)#dialer remote-name RTB
- RTA(config-if)#dialer string 5554000
- RTA(config-if)#dialer string 5554001
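The binding rules from the preceding slides (pool membership, remote-name matching, and the pre-12.0(7)T requirement that layer 2 settings match), as an added example that is not part of the original slides. The function names, the exact-match name comparison, and the Dialer1/RTC/pap entries in the sample are assumptions made for illustration.

```python
import re

# Constructed sample config, modelled on the RTA example on this page.
SAMPLE = """\
interface BRI0/0
 encapsulation ppp
 ppp authentication chap
 dialer pool-member 1
interface Dialer0
 encapsulation ppp
 ppp authentication chap
 dialer pool 1
 dialer remote-name RTB
interface Dialer1
 encapsulation ppp
 ppp authentication pap
 dialer pool 1
 dialer remote-name RTC
"""
KEYS = r"(encapsulation|ppp authentication|dialer pool|dialer remote-name) (\S+)"

def parse(config):
    """Map each interface name to the settings the binding rules depend on."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        if m := re.match(r"interface\s+(\S+)", raw):
            cur = ifaces.setdefault(m.group(1), {"member_of": set()})
        elif cur is None or not raw.startswith(" "):
            cur = None                      # outside any interface block
        elif m := re.match(r"dialer pool-member (\d+)", raw.strip()):
            cur["member_of"].add(m.group(1))
        elif m := re.match(KEYS, raw.strip()):
            cur[m.group(1)] = m.group(2)
    return ifaces

def shared_pool(ifaces):
    """(physical, dialer) pairs where the dialer's pool is one the physical line joined."""
    return [(p, d) for p, ps in ifaces.items() for d, ds in ifaces.items()
            if ds.get("dialer pool") in ps["member_of"]]

def bind_incoming(ifaces, phys, caller):
    """Dialer profile bound to a call on `phys` from authenticated name `caller`."""
    return next((d for p, d in shared_pool(ifaces)
                 if p == phys and ifaces[d].get("dialer remote-name") == caller), None)

def layer2_mismatches(ifaces):
    """Pairs whose encapsulation or authentication differ (pre-12.0(7)T rule)."""
    return [(p, d) for p, d in shared_pool(ifaces) if any(
        ifaces[p].get(k) != ifaces[d].get(k) for k in ("encapsulation", "ppp authentication"))]
```

On the sample, a caller authenticated as RTB binds to Dialer0, an unknown name binds to no profile, and the BRI0/0 and Dialer1 pair is reported because chap and pap differ.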
43Dialer Profiles - outgoing
- RTB(config)#interface dialer 0
- RTB(config-if)#ip address 10.1.1.2 255.255.255.0
- RTB(config-if)#dialer pool 1
- RTB(config-if)#encapsulation ppp
- RTB(config-if)#ppp authentication chap
- RTB(config-if)#dialer remote-name RTA
- RTB(config-if)#dialer-group 5
- RTB(config-if)#dialer string 5551234
- RTB(config-if)#dialer string 5551235
- RTB(config)#interface dialer 1
- RTB(config-if)#ip address 172.16.0.2 255.255.255.0
- RTB(config-if)#dialer pool 1
- RTB(config-if)#encapsulation ppp
- RTB(config-if)#ppp authentication chap
- RTB(config-if)#ppp chap hostname JULIET
- RTB(config-if)#dialer remote-name ROMEO
- RTB(config-if)#dialer-group 5
- RTB(config-if)#dialer string 5555678
Ping 10.1.1.1: Without a dialer map, which maps an IP address to a phone number (dialer string), how does the router know which dialer interface to bind to the BRI?
44Dialer Profiles
- Physical Interfaces
- dialer pool-member pool-number priority
- When dialing out, if more than one interface is a member of the same dialer pool, the interface with the lowest priority value (which is the highest priority) will be tried first.
- inter bri 0
- dialer pool-member 10 2 (the winner!)
- inter bri 1
- dialer pool-member 10 50
- inter dialer 1
- dialer pool 10
45Sample Config
- interface Dialer0
- ip address 10.1.1.1 255.255.255.0
- encapsulation ppp
- dialer remote-name RTB
- dialer string 5554000
- dialer string 5554001
- dialer load-threshold 1 either
- dialer pool 1
- dialer-group 1
- ppp authentication chap
- ppp multilink
- !
- ip route 192.168.1.0 255.255.255.0 10.1.1.2
- dialer-list 1 protocol ip permit
- enable password cisco
- username RTB password 0 cisco
- isdn switch-type basic-ni
- !
- interface BRI0
- no ip address
- no ip directed-broadcast
- encapsulation ppp
- dialer pool-member 1
- isdn switch-type basic-ni
- isdn spid1 51055512340001 5551234
- isdn spid2 51055512350001 5551235
- ppp authentication chap
46Dialer Profiles - map-class
- Dialer map-class is an optional command that allows you to specify unique characteristics based upon the dialer string that is used.
- map-class dialer name
- Options:
- callback-server, enable-timeout, fast-idle, idle-timeout - see earlier chapters
- isdn speed 56 - change speed of isdn line
- isdn spc and voice call
47Dialer Map-Class
- The dialer map class is an optional element that defines specific characteristics for a call to a specified dial string.
- ISDN speed (56 Kbps only, 64 Kbps is default)
- dialer fast-idle
- dialer idle-timeout
- dialer wait-for-carrier-time
48Dialer Map-Class
49Dialer Map-Class
- RTA(config)#map-class dialer AGRESSIVE
- RTA(config-map-class)#dialer idle-timeout 30
- RTA(config-map-class)#dialer fast-idle 10
- RTA(config-map-class)#dialer wait-for-carrier-time 25
- RTA(config-map-class)#exit
50Dialer Map-Class
- Apply the map-class using the dialer string command
- RTA(config-if)#dialer string 5554000 class AGRESSIVE
51Sample Config
- map-class dialer AGRESSIVE
- dialer idle-timeout 30
- dialer fast-idle 10
- dialer wait-for-carrier-time 25
- dialer-list 5 protocol ip permit
- interface Dialer1
- ip address 172.16.0.1 255.255.255.0
- encapsulation ppp
- dialer remote-name JULIET
- dialer string 5554000 class AGRESSIVE
- dialer string 5554001 class AGRESSIVE
- dialer pool 1
- dialer-group 5
- ppp authentication chap
52Time Based ACLs
- Time-based access lists extend the notion of time to the access-list facility.
- Now, network administrators can define when the permit or deny statements in the access lists are in effect, by time of day and week, and on an absolute basis.
53- In global configuration mode:
- 1. time-range time-range-name
- Identify the time-range by a meaningful name.
- 2. absolute [start time date] [end time date]
- and/or
- periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm
54Create an extended ACL
- access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log] [time-range time-range-name]
55Example 1 using Named ACL
- The following example denies HTTP traffic on Monday through Friday between the hours of 8:00 am and 6:00 pm on IP. The example allows UDP traffic on Saturday and Sunday from noon to 8:00 pm only.
- time-range no-http
- periodic weekdays 8:00 to 18:00
- !
- time-range udp-yes
- periodic weekend 12:00 to 20:00
- !
- ip access-list extended strict
- deny tcp any any eq http time-range no-http
- permit udp any any time-range udp-yes
- !
- interface ethernet 0
- ip access-group strict in
56Example 2 using Named ACL
- The following example configures an access list named northeast, which references a time range named xyz. The access list and time range together permit traffic on Ethernet interface 0 starting at 12:00 noon on January 1, 2001 and going forever.
- time-range xyz
- absolute start 12:00 1 January 2001
- !
- ip access-list extended northeast
- permit ip any any time-range xyz
- !
- interface ethernet 0
- ip access-group northeast in
57Example 3 using Named ACL
- The following example permits UDP traffic out Ethernet interface 0 on weekends only, from 8:00 am on January 1, 1999 to 6:00 pm on December 31, 2001.
- time-range test
- absolute start 8:00 1 January 1999 end 18:00 31 December 2001
- periodic weekend 00:00 to 23:59
- !
- ip access-list extended northeast
- permit udp any any time-range test
- !
- interface ethernet 0
- ip access-group northeast out
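How the time ranges in Examples 1 and 3 combine with ACL evaluation, as an added example that is not part of the original slides. The tuple layout and function names are this example's own; it assumes the same-day periodic form (days hh:mm to hh:mm), an inclusive end minute, and the IOS keyword `weekend`.

```python
from datetime import datetime

# Time ranges and the "strict" ACL transcribed from Examples 1 and 3 above.
RANGES = {"no-http": ["periodic weekdays 8:00 to 18:00"],
          "udp-yes": ["periodic weekend 12:00 to 20:00"],
          "test": ["absolute start 8:00 1 January 1999 end 18:00 31 December 2001",
                   "periodic weekend 00:00 to 23:59"]}
STRICT = [("deny", "tcp", 80, "no-http"), ("permit", "udp", None, "udp-yes")]
DAYS = {"weekdays": range(0, 5), "weekend": range(5, 7), "daily": range(0, 7)}

def minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def active(statements, when):
    """True if a time-range made of these statements is in effect at `when`."""
    periodic = []
    for words in (s.split() for s in statements):
        if words[0] == "periodic":
            periodic.append(words)
            continue
        for key, outside in (("start", lambda t: when < t), ("end", lambda t: when > t)):
            if key in words:
                i = words.index(key)
                limit = datetime.strptime(" ".join(words[i + 1:i + 5]), "%H:%M %d %B %Y")
                if outside(limit):
                    return False    # periodic entries do not apply outside the absolute window
    now = when.hour * 60 + when.minute
    return not periodic or any(
        when.weekday() in DAYS[w[1]] and minutes(w[2]) <= now <= minutes(w[4]) for w in periodic)

def evaluate(acl, proto, port, when):
    """First matching active entry wins; inactive entries are skipped; implicit deny last."""
    for action, p, eq, rng in acl:
        if p == proto and eq in (None, port) and active(RANGES[rng], when):
            return action
    return "deny"
```

Evaluated this way, the `strict` list denies HTTP at every hour: outside 8:00 to 18:00 on weekdays the deny entry is inactive, but no other entry permits TCP, so the implicit deny applies.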
58Dial on Demand Routing
- Read this section on your own.
- As far as I can tell, or remember, this section is not a Remote-Access Exam Objective
- Most of this information is covered in the routing class or just for their case studies.
59The End