Components of IPSec

Protocol or Function   Description
IKE                    Internet Key Exchange negotiates the security associations, exchanges
                       keys and authenticates the peers before any AH or ESP traffic flows.
                       It is defined in RFC 2409 (IKEv1; the current version, IKEv2, is
                       RFC 7296), which is recommended reading for anyone deploying IPSec VPNs.
3DES                   Triple Data Encryption Standard applies the DES block cipher three
                       times (encrypt-decrypt-encrypt) with three keys in sequence to encrypt
                       data; DES (Data Encryption Standard) is a single pass with one 56-bit
                       key. Both are block ciphers, not hashes. DES can be brute-forced and
                       3DES is deprecated, so neither should be chosen for a new deployment.
AES                    Advanced Encryption Standard has replaced DES and 3DES: it is stronger
                       (128-, 192- or 256-bit keys) and needs significantly less processing
                       power than 3DES.
AH                     The Authentication Header option provides integrity and data-origin
                       authentication for the whole packet, including the IP header (except
                       mutable fields such as TTL), but it does not encrypt the payload, thus
                       the name reference to "authenticating the header." Because it covers
                       header fields, AH does not survive NAT. It is defined in RFC 2402
                       (now RFC 4302).
Tunnel mode            Tunnel mode protects the entire original IP packet, including its
                       header, and prepends a new outer IP header (20 bytes for IPv4 without
                       options). Tunnel mode must be used for VPN applications involving hosts
                       behind the IPSec peers, which is the most common configuration.
Transport mode         Transport mode protects only the IP payload (ESP encrypts it, AH
                       authenticates it); the original IP header is retained and sent in the
                       clear, so it suits host-to-host use.
ESP                    Encapsulating Security Payload encrypts the data within the datagram
                       and can also authenticate it, but does nothing for the outer IP header.
                       It is defined in RFC 2406 (now RFC 4303) and is best remembered via
                       the term payload in its title.

Because IPSec is the leading VPN technology, we will spend a moment discussing the
configuration of this technology; however, please note that the current exam does not
include configuration in scope.
The primary functions of IPSec address four key areas of concern for most data transmissions:

The confidential transmission of the data. This is provided by the encryption of the payload
(ESP) as it crosses the network and is important to prevent confidential data compromises.

The integrity of the data. Receivers in IPSec can validate, via the integrity check value
carried by AH or ESP, that the payload has not been altered in transmission.

The authentication of the transmission source. IPSec receivers can authenticate the source
of the packets to validate that they are from a trusted peer, because the integrity check is
keyed with material that only the two authenticated peers hold.

Protection from replay. Every AH and ESP packet carries a monotonically increasing sequence
number, and the receiver keeps a sliding window of recently seen numbers so that a packet
captured earlier and retransmitted is detected and rejected. This function is useful in
preventing the retransmission of a packet containing a password for later authentication.
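The replay protection described above is worth seeing as code, because the window logic is where implementations get it wrong. The following is an added example, not code from the book or from any vendor's IPSec stack: it implements the receiver-side sliding window of RFC 2401 Appendix C / RFC 4303 Appendix A in Python, with the check separated from the update so that the window is only advanced after the packet's integrity check value has verified (the `icv_ok` flag stands in for that verification). The arrival order in `main` is constructed for illustration.

```python
"""IPsec anti-replay sliding window (RFC 2401 App. C / RFC 4303 App. A).
Added example; not from the book or any vendor implementation."""

from typing import List


class AntiReplayWindow:
    """Receiver-side replay detection for one inbound Security Association.

    The window covers the `size` most recent sequence numbers ending at `top`.
    Bit i of `bitmap` is set when sequence number (top - i) has been accepted.
    """

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # history of the window below `top`

    def check(self, seq: int) -> bool:
        """Cheap pre-check done *before* the ICV is verified: would this
        sequence number be accepted?  Does not modify the window."""
        if seq == 0:
            return False                      # 0 is never valid for ESP/AH
        if seq > self.top:
            return True                       # newer than anything seen
        diff = self.top - seq
        if diff >= self.size:
            return False                      # too old, fell off the window
        return not (self.bitmap >> diff) & 1  # replay if the bit is already set

    def update(self, seq: int) -> None:
        """Record `seq` as received.  Only call after the packet's ICV has
        verified; otherwise a forged packet could slide the window forward
        and make the attacker's victim drop legitimate traffic."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # nothing old is still in range
            else:
                full = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & full
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def process(self, seq: int, icv_ok: bool = True) -> bool:
        """Full receive path: replay check, then (simulated) ICV check, then
        window update.  Returns True if the packet is accepted."""
        if not self.check(seq) or not icv_ok:
            return False
        self.update(seq)
        return True


def replay_verdicts(seqs: List[int], size: int = 64) -> List[bool]:
    """Run a sequence of inbound sequence numbers through one SA and return
    the accept/reject verdict for each."""
    window = AntiReplayWindow(size)
    return [window.process(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order packets, one replay (2), one
    # late-but-new packet (4), a large jump, then probes at the window edge.
    arrivals = [1, 2, 3, 2, 5, 4, 1000, 999, 936, 937]
    for seq, ok in zip(arrivals, replay_verdicts(arrivals)):
        print(f"seq {seq:5d}: {'accept' if ok else 'reject'}")
```

With a 64-entry window and `top` at 1000, sequence number 937 is still accepted (it is the oldest slot) while 936 is rejected as too old; the replayed 2 is rejected because its bit was already set. In a real stack the sequence number also has to be kept from wrapping (rekey before 2^32, or use extended sequence numbers), which this toy does not model.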

IPSec

IPSec is a generic description of a set of protocols that establish the parameters and encryption
for a tunnel between two end points; the framework itself provides none of these functions, they
come from the individual protocols (IKE, AH and ESP). The standard was originally defined in
RFCs 2401 through 2411 and in RFC 2451 (since revised as RFC 4301 through 4303, with IKEv2 in
RFC 7296); this is recommended reading for anyone supporting or installing a large-scale IPSec
VPN. The elements that comprise many IPSec functions are outlined in Table 28.2.


NOTE: Many configurations of IPSec have difficulties with Network Address Translation
(NAT), described in Chapter 32, “Centralized Security in Remote Access
Networks.” A new feature—IPSec NAT Transparency—has been introduced
with IOS version 12.2(13)T and should be evaluated for installations that
require NAT and IPSec support.

Virtual Private Networks

You might be questioning the inclusion of a section on virtual private network (VPN) technologies
in a chapter presenting cable modems. It is true that VPN is technology agnostic and will
operate over DSL, Frame Relay, or any other transport. However, cable modems and VPNs are
both covered briefly on the Remote Access exam, and neither seems to warrant a chapter on its
own. In addition, many cable modem installations for business customers leverage VPN tunnels
to provide connectivity.
A virtual private network is a logical tunnel across a physical topology. This physical layer
could be the Internet, or it could be a corporate network or other private network. The tunnel
need not be encrypted to be private, but encryption is the only method that keeps the contents
confidential from anyone who can see the path. A tunnel that merely separates traffic (Frame Relay
or ATM PVCs, 802.1Q, GRE, MPLS) relies on the carrier's configuration for isolation, so it is
private only in the sense that the data is not delivered to non-recipients. As such, VPNs are
commonly thought of as IPSec, L2TP (Layer 2 Tunneling Protocol), SSL-VPN, and MPLS constructions,
but Frame Relay and ATM PVCs, in addition to 802.1Q and GRE (generic routing encapsulation), can
also be considered VPNs. This is discussed in greater detail later in this chapter.
By far the most common VPN technology deployed today is IPSec, or IP Security Protocol.
Quickly gaining momentum is an alternative technology that has been used for years for web-based
security, Secure Sockets Layer (SSL).

Cisco Cable Manager

To help customers configure and monitor large cable modem infrastructures, Cisco has developed
Cisco Cable Manager (CCM). This Solaris-based product is beyond the scope of the exam,
but it provides a centralized interface for managing up to 100,000 devices, and it provides autotopology
and polling features.

Cisco’s Cable Modem Product Line

As with the DSL product line, Cisco caters to the head end and the remote installation. At the
central office, Cisco provides the uBR10012 and uBR7100/7200 series Universal Broadband
routers. The uBR10012 product combines the Cisco 10000 Edge Services Router with the
uBR7200 product, which can support up to 8,000 terminations.
For remote installations, the product line contains two products: the uBR905 and the uBR925.
Both support VPN tunnels (IPSec) and firewall services in addition to routing, but the uBR925 adds
support for voice over the cable network and a USB port.
Unlike the DSL product line, Cisco does not currently support a cable modem interface for
the higher end routers, including the 1700, 2600XM, and the 3600 series. This will likely
change in the future, but administrators should note that cable television is not as prevalent in
business parks and commercial buildings as compared to residential settings.

DOCSIS

The primary purpose of DOCSIS was to ensure interoperability between vendors’ equipment.
Different versions provide standards for security, encapsulation, management, QoS, and services.
There are three versions of the DOCSIS specification, as outlined in Table 28.1.

TABLE 28.1   DOCSIS Specifications

Version      Features
DOCSIS 1.0   This was the original specification and provided for standardization
             between vendors. It includes Baseline Privacy (BPI), which encrypts user
             traffic between the cable modem and the CMTS.
DOCSIS 1.1   This version of DOCSIS is commonly used today and provides basic quality
             of service and security functions (BPI+, which adds certificate-based
             authentication of the cable modem to the traffic encryption of BPI). This
             is very important for most users, and cable networks leverage these
             features to protect user traffic in transit from being intercepted by other
             subscribers on the shared coax. Please note that this does not protect
             user machines from attack; the specifications are not firewalls, but rather
             a switched emulation over the shared infrastructure, and the protection
             ends at the CMTS. The specification is backward compatible. DOCSIS 1.1 adds
             voice and streaming services. This version also takes steps to prevent
             theft of service from the provider, because the modem must prove its
             identity to the CMTS. In previous specifications, a user with cable
             service could remove the filter in the street and have data service for free.
DOCSIS 2.0   This new standard will provide six times the upstream capacity of DOCSIS 1.0
             (three times the capacity of 1.1). The upstream channel is increased to
             6.4MHz for greater capacity and efficiency. It is also backward compatible.

NOTE: DOCSIS specifies the connection between only the CMTS and the cable
modem or cable modem router. The PC, network router(s), and other network
elements are not involved. Readers wanting to study the DOCSIS 2.0 standard
should visit www.cisco.com/en/US/netsol/ns469/networking_solutions_event_and_seminar_home.html,
where a number of DOCSIS white papers are available.

FIGURE 28.1   A cable modem installation (homes on the neighborhood coax, the HFC/CMTS at
the head end, and the router connecting to the Internet and the broadcast video feed)

Note that cable modems have a perceived disadvantage of shared bandwidth for all users
on a particular link—there are two distinct shared domains shown in Figure 28.1. As noted in
Chapter 27, this is not a significant issue from a bandwidth perspective. It is a security concern,
however: the coax is a shared medium, so without link encryption the data sent to one home is
visible to every other home within that domain. This is addressed by the Data Over Cable Service
Interface Specification (DOCSIS) ratified by CableLabs, a nonprofit organization composed of cable
service providers in the Americas. DOCSIS is described in the following section; it provides
customer data protection over the shared medium.
The biggest advantage to cable modems is their capability to provide high per-user bandwidth
over long distances, often significantly greater than DSL. Although the cable is capable
of providing up to 40Mbps of downstream bandwidth, the network is provisioned so that each
user can obtain only a predefined rate—typically less than 2Mbps. For consumer installations,
this is sufficient and leads to a very economical solution. However, the provider could easily
increase the bandwidth to an individual user, although they would need to have a dedicated
coax connection to attain the full capacity.

What Is a Cable Modem?

The cable modem is the industry's response to DSL and other broadband network services from
competitors. It provides remote access connectivity by establishing a shared data channel across
the existing cable television network. In fact, it’s apt to call it a channel—the bandwidth provided
to customers is actually taken from one of the 6MHz channels that would normally be
used for a video feed such as CNN or ESPN.
This 6MHz channel (NTSC—the North American standard from the National Television
System Committee) can provide up to 40Mbps of downstream (to the user) bandwidth and
12Mbps of upstream bandwidth. This bandwidth, as noted in Chapter 27, “Remote Access
with Digital Subscriber Line,” is shared by all the customers within a specific area. As such, due
to the normal installation and design model, in addition to bandwidth rate limiting by the provider,
a typical user should expect less than 2Mbps downstream and 128Kbps to 256Kbps
upstream. The typical cable modem installation is illustrated in Figure 28.1.
As shown in this figure, each home is connected to the coax (coaxial cable) that is running
through the neighborhood and providing video services. At the head end, or cable service provider,
this cable is connected to a hybrid fiber-coax (HFC) device that might also provide the
cable modem termination system (CMTS). This device is connected to the router that links to
the Internet and to the video streams (greatly simplified in this figure). The CMTS is the electronic
engine that processes cable modem feeds comparable to the digital subscriber line access
multiplexer (DSLAM) in DSL.
The installation at the home requires the installation of a filter to service all the televisions
on the premises. An unfiltered connection is provided to the cable modem itself. Note that for
customers without cable modems, the filter is typically placed in the street. In residences with
cable data services, the filter can be installed anywhere between the head end and the televisions
that will be using the cable signal. Many customers, as a result, never have to concern themselves
with the filter, but it does complicate the installation of a cable modem, just as the splitter
complicates DSL installations.

Remote Access with Cable Modems and Virtual Private Networks

THE CCNP EXAM TOPICS COVERED IN THIS
BLOG INCLUDE THE FOLLOWING:

Understand cable modem technologies.

Know how to configure cable modem technologies.

Understand how to troubleshoot cable modem
technologies.

Understand VPN technologies including IPSec.

Know how to configure VPN technologies.

In this blog, we discuss two increasingly important technologies
in remote access: cable modems and virtual private networks
(VPNs). Although Cisco has finally added these topics to the
Remote Access exam, they have not attained the prominence that one might expect compared
to legacy technologies such as ISDN. Cable modems, like DSL, provide high data rates at low
cost, and don’t suffer from the call setup and bonding issues that ISDN includes. In addition to
providing an overview of cable modem and VPN technologies, this chapter also covers the configuration
of IPSec, one of the most common VPN technologies.

Remote Access with Digital Subscriber Line Summary and Exam Essentials

Summary
In this blog, you learned that digital subscriber line (DSL) technology was developed to add
functionality to the large existing copper cable plant installed for the analog phone system. The
service is built around ATM technology and provides a wide variety of flavors to offer different
data rates and service distances. DSL variants range in bandwidth from 144Kbps to over 50Mbps.
Unlike other WAN technologies, many DSL flavors are asymmetric; that is, they provide different
bandwidths in upstream and downstream directions.
We described the configuration and troubleshooting elements of DSL, while noting that from
the transport point-of-view, DSL is examined the same as ATM. We also noted that DSL sometimes
uses complex bridging and routing solutions to simplify larger deployments. DSL is a consumer
service in many installations, and with over 28 million installations (as of late 2003),
simple, repeatable deployments are crucial. To that end, we described the primary feature of
G.lite, or splitterless DSL.
Exam Essentials
Understand how DSL can fit into your remote access solutions. DSL is well suited to
remote workers and small branch offices for remote connectivity. It offers many of the same
bandwidths as T-1 at lower prices, and, in some cases, its asymmetric offerings are perfect
for high-demand users.
Know the differences in the various flavors of DSL. The DSL service offerings are best
considered in terms of bandwidth and analog voice support. G.lite is a splitterless offering
that provides for analog voice without a splitter in the line. HDSL and SDSL provide symmetric
bandwidth.
Be able to compare DSL to other remote access technologies. HDSL and SDSL both provide
bandwidths comparable to T-1 services. This can be very important for the administrator—for
example, T-1 might not be available but HDSL is, and, ironically, HDSL might be cheaper.
Other xDSL services can be replacements for Frame Relay or other access methods.
Understand the configuration of DSL services. The key to configuring DSL services is to
understand their relationship to ATM in the networking model. DSL commonly uses the same
PVC configuration and other logical constructs.

Troubleshooting DSL

DSL is an ATM technology at its core, so troubleshooting DSL connections requires an understanding
of ATM in addition to generic troubleshooting. Generic troubleshooting includes
examination of the various layers, including physical connectivity, data-link connectivity, and
protocol configuration.
In the following example, the DSL interface has received 1,714 frames with CRC errors,
while the interface itself has reset three times. The IP address is confirmed to be correct, and the
load does not appear to be problematic. Although the problem could be the ATM PVC configuration
under different circumstances, in this case there is likely a line problem or an issue with
the physical interface at the transmission end: a PVC mismatch would leave the error counters clean
and simply pass no traffic, whereas here the CRC count exceeds the 1,512 good frames and the
reliability figure has fallen to 40/255. Remember that ATM is a cell-based technology,
and although beyond our scope here, each cell is 53 bytes long: 5 bytes of header and 48 bytes
of payload. ATM adaptation layer 5 (AAL5) segments each frame, plus an 8-byte trailer carrying a
CRC-32, into as many cells as needed, and the receiver reassembles the frame and checks that CRC.
A CRC error therefore occurs if any one of the cells that made up a particular frame was damaged
or lost. With an average frame size of just over 100 bytes (159,780 bytes in 1,512 frames), it's
apparent that the average frame is sent via three cells:

Router#show int atm0
ATM0 is up, line protocol is up
Hardware is PQUICC_SAR (with Alcatel ADSL Module)
Internet address is 10.1.1.1/24
MTU 1500 bytes, sub MTU 1500, BW 640 Kbit, DLY 80 usec,
reliability 40/255, txload 2/255, rxload 2/255
Encapsulation ATM, loopback not set
Keepalive not supported
Encapsulation(s):AAL5, PVC mode
10 maximum active VCs, 1 current VCCs
VC idle disconnect time:300 seconds
Last input 00:16:39, output 00:16:39, output hang never
Last clearing of "show interface" counters never
Input queue:0/75/0 (size/max/drops); Total output drops:0
Queueing strategy:Per VC Queueing
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1512 packets input, 159780 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 1714 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1426 packets output, 146282 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 output buffer failures, 0 output buffers swapped out
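The reasoning above (average frame size, cells per frame, CRC count against good frames, reliability) is mechanical enough to script. The following is an added example, not from the book: a Python triage helper that pulls those counters out of `show interface` text with regular expressions, does the AAL5 cell arithmetic, and returns a verdict token. `SAMPLE_SHOW_INT` is a constructed copy of the output above so the script runs offline; the thresholds in `triage` are a simple rule of thumb, not a Cisco recommendation.

```python
"""Triage helper for IOS `show interface atm` counters.
Added example, not from the book; SAMPLE_SHOW_INT is a constructed copy of
the output shown above so the script runs offline."""

import math
import re
from typing import Dict

SAMPLE_SHOW_INT = """\
ATM0 is up, line protocol is up
  Hardware is PQUICC_SAR (with Alcatel ADSL Module)
  Internet address is 10.1.1.1/24
  MTU 1500 bytes, sub MTU 1500, BW 640 Kbit, DLY 80 usec,
     reliability 40/255, txload 2/255, rxload 2/255
  Encapsulation ATM, loopback not set
  1512 packets input, 159780 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
  0 input errors, 1714 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  1426 packets output, 146282 bytes, 0 underruns
  0 output errors, 0 collisions, 3 interface resets
"""

ATM_CELL_PAYLOAD = 48   # bytes of payload in each 53-byte cell
AAL5_TRAILER = 8        # CPCS-PDU trailer: UU, CPI, length, CRC-32


def aal5_cells(frame_bytes: int) -> int:
    """Cells needed to carry one frame under AAL5: the frame plus the 8-byte
    trailer, padded up to a whole number of 48-byte cell payloads."""
    return math.ceil((frame_bytes + AAL5_TRAILER) / ATM_CELL_PAYLOAD)


def parse_counters(text: str) -> Dict[str, int]:
    """Pick the counters this triage needs out of `show interface` output."""
    patterns = {
        "packets_in": r"(\d+) packets input",
        "bytes_in": r"packets input, (\d+) bytes",
        "input_errors": r"(\d+) input errors",
        "crc": r"(\d+) CRC",
        "resets": r"(\d+) interface resets",
        "reliability": r"reliability (\d+)/255",
    }
    counters: Dict[str, int] = {}
    for name, pattern in patterns.items():
        match = re.search(pattern, text)
        if not match:
            raise ValueError(f"counter not found in output: {name}")
        counters[name] = int(match.group(1))
    return counters


def triage(text: str) -> Dict[str, object]:
    """Return the parsed counters plus derived figures and a verdict token:
    'physical' (CRC errors with degraded reliability), 'resets' (resets but
    clean CRC) or 'clean' (look at PVC or layer 3 configuration instead)."""
    c = parse_counters(text)
    avg_frame = c["bytes_in"] / c["packets_in"] if c["packets_in"] else 0.0
    cells = aal5_cells(round(avg_frame)) if avg_frame else 0
    # CRC errors are counted separately from good frames, so this can exceed 1.
    crc_ratio = c["crc"] / c["packets_in"] if c["packets_in"] else float("inf")
    if c["crc"] > 0 and c["reliability"] < 255:
        verdict = "physical"
    elif c["resets"] > 0:
        verdict = "resets"
    else:
        verdict = "clean"
    return {
        **c,
        "avg_frame_bytes": round(avg_frame, 1),
        "cells_per_avg_frame": cells,
        "crc_ratio": round(crc_ratio, 2),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SHOW_INT).items():
        print(f"{key:>20}: {value}")
```

On the sample above the helper reports an average frame of 105.7 bytes carried in three cells and a CRC-to-good-frame ratio above 1, and returns `physical`, matching the conclusion drawn in the text. A full 1500-byte MTU frame needs 32 cells, so a line that corrupts one cell in a few hundred will lose most large frames while many small ones get through.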

Configuring DSL

The specific configuration settings for a DSL installation will depend on the type of router used
and the features desired, but there are common elements.
The key element of a DSL installation is that the technology is fundamentally a physical
transport of ATM cells. As such, we will configure a Cisco 3810 router to terminate multiple
DSL connections (ADSL, in this case). The head end is a T-1 ATM connection. You might realize
that the T-1 is a poor termination choice for ADSL services; however, for this application it
is an appropriate solution. A DS-3 or other ATM connection could provide the termination just
as well.
Configuration of the DSLAM is beyond the scope of the test and this book, but
functionally it is PVC configuration and other parameters. Stated another way,
it is not complicated.
In addition to the typical configuration parameters you might include (such as routing,
logging, security, and management), the DSL configuration requires very little additional
configuration. In this excerpt, we configure the T-1 physical interface with Extended Super
Frame and B8ZS encoding, in addition to setting it for ATM cells. The ATM interface has
no configuration, but is subinterfaced for multiple connections. (Recall that this is a headend,
non-DSLAM connection.) We configure a PVC with unspecified bit rate (UBR) ATM,
and, as an extra service, we configure Operation, Administration, and Maintenance (OAM)
cells to the PVC. OAM provides link monitoring; if any part of the PVC fails, OAM will
detect it and shut down the interface until corrected.
The following configuration also specifies AAL5SNAP, or AAL5 with SNAP headers, for the
encapsulation type. So long as this matches on each side, there is no issue in most cases. For
those not familiar with PVC configurations, interface ATM0.1 has a VPI (virtual path identifier)
of 5 and a VCI (virtual circuit identifier) of 51.


!
controller T1 0
framing esf
linecode b8zs
mode atm
fdl both
description T1 to DSL Cloud
!
interface ATM0
description DSL Headend
no ip address
no ip directed-broadcast
!
interface ATM0.1 point-to-point
description DSL link to Gryffendor
ip address 10.1.1.25 255.255.255.252
no ip directed-broadcast
pvc 5/51
ubr 1500
oam-pvc manage
oam retry 3 5 1
encapsulation aal5snap
!
interface ATM0.2 point-to-point
description DSL Link to Ravenclaw
ip address 10.1.1.33 255.255.255.252
no ip directed-broadcast
pvc 4/51
ubr 1500
oam-pvc manage
oam retry 3 5 1
encapsulation aal5snap
!
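Since the text notes that the encapsulation has to match on each side and that PVC configuration is "not complicated," it is also easy to get subtly wrong in a large deployment. The following is an added example, not the book's own material: a small Python lint that parses the subinterface blocks of the configuration above, checks that each has a PVC, an encapsulation and an address, flags a VPI/VCI pair reused on the same major interface and overlapping point-to-point subnets, and compares one head-end subinterface with its remote peer. `HEADEND_CONFIG` is a copy of the configuration above; `REMOTE_CONFIG` is constructed, with a deliberate encapsulation mismatch. VPI/VCI values are intentionally not compared end to end, because the DSLAM or ATM cloud may remap them hop by hop.

```python
"""Lint for IOS ATM PVC subinterface configuration.
Added example, not from the book.  HEADEND_CONFIG copies the configuration
above; REMOTE_CONFIG is constructed with a deliberate encapsulation mismatch."""

import ipaddress
import re
from typing import Dict, List

HEADEND_CONFIG = """\
interface ATM0
 description DSL Headend
 no ip address
!
interface ATM0.1 point-to-point
 description DSL link to Gryffendor
 ip address 10.1.1.25 255.255.255.252
 pvc 5/51
  ubr 1500
  oam-pvc manage
  encapsulation aal5snap
!
interface ATM0.2 point-to-point
 description DSL Link to Ravenclaw
 ip address 10.1.1.33 255.255.255.252
 pvc 4/51
  ubr 1500
  oam-pvc manage
  encapsulation aal5snap
!
"""

# Constructed CPE side of ATM0.1: same /30, but the wrong encapsulation.
REMOTE_CONFIG = """\
interface ATM0.1 point-to-point
 ip address 10.1.1.26 255.255.255.252
 pvc 0/35
  encapsulation aal5mux ip
!
"""


def parse_atm_subinterfaces(text: str) -> Dict[str, dict]:
    """Collect ip/pvc/encapsulation/oam settings per ATM subinterface."""
    subs: Dict[str, dict] = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (ATM\d+\.\d+)", line)
        if m:
            cur = subs.setdefault(m.group(1), {"oam": False})
            continue
        if line == "!" or line.startswith("interface "):
            cur = None                      # major interface or end of block
            continue
        if cur is None:
            continue
        if m := re.match(r"ip address (\S+) (\S+)", line):
            cur["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"pvc (\d+)/(\d+)", line):
            cur["pvc"] = (int(m[1]), int(m[2]))
        elif m := re.match(r"encapsulation (\S+)", line):
            cur["encap"] = m[1]
        elif line == "oam-pvc manage":
            cur["oam"] = True
    return subs


def lint(subs: Dict[str, dict]) -> List[str]:
    """Single-router checks: completeness, duplicate VPI/VCI, overlapping subnets."""
    findings: List[str] = []
    seen_pvc: Dict[tuple, str] = {}
    for name, s in sorted(subs.items()):
        for key in ("ip", "pvc", "encap"):
            if key not in s:
                findings.append(f"{name}: missing {key}")
        if not s["oam"]:
            findings.append(f"{name}: no oam-pvc manage, a dead PVC will not bring the subinterface down")
        if "pvc" in s:
            major = name.split(".")[0]
            first = seen_pvc.setdefault((major, s["pvc"]), name)
            if first != name:
                findings.append(f"{name}: VPI/VCI {s['pvc'][0]}/{s['pvc'][1]} already used on {first}")
    nets = [(n, s["ip"].network) for n, s in sorted(subs.items()) if "ip" in s]
    for i, (n1, net1) in enumerate(nets):
        for n2, net2 in nets[i + 1:]:
            if net1.overlaps(net2):
                findings.append(f"{n1} and {n2}: overlapping subnets {net1} and {net2}")
    return findings


def check_pair(headend: dict, remote: dict) -> List[str]:
    """Compare the two ends of one PVC.  VPI/VCI is deliberately not compared:
    the DSLAM/ATM cloud may remap it, so only encapsulation and subnet must agree."""
    findings: List[str] = []
    if headend.get("encap") != remote.get("encap"):
        findings.append(f"encapsulation mismatch: {headend.get('encap')} vs {remote.get('encap')}")
    if headend["ip"].network != remote["ip"].network:
        findings.append(f"subnet mismatch: {headend['ip'].network} vs {remote['ip'].network}")
    elif headend["ip"].ip == remote["ip"].ip:
        findings.append(f"both ends use {headend['ip'].ip}")
    return findings


if __name__ == "__main__":
    headend = parse_atm_subinterfaces(HEADEND_CONFIG)
    remote = parse_atm_subinterfaces(REMOTE_CONFIG)
    print("lint:", lint(headend) or "clean")
    print("ATM0.1 pair:", check_pair(headend["ATM0.1"], remote["ATM0.1"]) or "consistent")
```

The head-end configuration above lints clean; pairing ATM0.1 with the constructed CPE block reports only the aal5snap/aal5mux mismatch, which in the field shows up as a PVC that is up with clean counters and no traffic, the case the troubleshooting section distinguishes from a line fault.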

NOTE: If there were only one PVC for this circuit, it would be acceptable to use the major
interface and not a subinterface. However, if an installation might use more than
one PVC in the future, then the use of a subinterface is recommended.
Other routers might limit various options. The Cisco 827, for example, uses a Bridge Group
Virtual Interface (BVI), which is part of Integrated Routing and Bridging (IRB) services for connectivity
instead of routing in most installations. This bridging solution negates layer 3 and leverages
Network Address Translation (NAT) for those services that are layer 3. The configuration is
not DSL-specific however, because the use of IRB is primarily used to negate the need for remote
configuration. A standard router configuration file can service all end points because DHCP and
NAT hide the Ethernet network, and the DSL side is assigned its address dynamically.

NOTE: IRB, BVI, NAT, and DHCP in this context are beyond the scope of this chapter and
of the exam. Chapter 31, “Network Address Translation (NAT) and Port Address
Translation (PAT),” provides information regarding NAT, and Chapter 25, “Using
Microsoft Windows 95/98/2000/XP,” describes DHCP. If you are interested in learning
more about the 827 router (a common remote DSL platform) and IRB/BVI,
please refer to Cisco’s documentation at

Cisco DSL Routers

Cisco’s product line for supporting DSL services is comprised of three classifications of equipment.
The first is the focus of the Remote Access examination, which is primarily made up of the Cisco 800
series of routers and the SOHO (small office, home office) 70 series. The second is comprised of the
xDSL modules for the branch and office routers, including the 2600 and 3600 series. And the third
is the head-end DSLAM switches, including the Cisco 6260 IP DSL switch.
There could be a fourth Cisco DSL product category in their Linksys acquisition.
The Linksys product line includes a wide range of solutions for the SOHO
market and frequently integrates other functions such as print services and
wireless networking.
For the SOHO environment and small remote office, Cisco provides their SOHO line of DSL
routers in addition to the Cisco 800 series. Here is a list of the various DSL platforms in this category:

Cisco 837 ADSL Broadband Router

Cisco 836 ADSL over ISDN Broadband Router

Cisco 828 G.SHDSL Router

Cisco 827 ADSL Router

Cisco 827-4V ADSL Router

Cisco 826 ADSL Router

Cisco SOHO 78 G.SHDSL Router

Cisco SOHO 77 ADSL Router

Cisco SOHO 77 H ADSL Router

Cisco SOHO 76 ADSL Router
There is not much to focus on in this list, other than noting the diversity within the Cisco 827
product line, which includes the 827-4V. This platform provides four voice ports in addition to
ADSL support. The H variant of the 827 provides a four-port hub in addition to DSL termination.
For larger offices, Cisco provides DSL support on the 1700, 2600XM, and 3600 series routers
via a WAN Interface Card (WIC). This allows for the installation of other services, including
network modules (NMs) for content delivery. Voice Interface Cards (VICs) can also terminate
voice services on these platforms.
At the head end, Cisco provides the following switches for terminating DSL connections:

Cisco 6260 IP DSL Switch

Cisco 6160 IP DSL Switch

Cisco 6015 IP DSL Switch
These solutions are targeted toward servicing multi-tenant buildings, telecommunications
service providers, and ISPs. The specifics of these platforms are well beyond the scope of the
Remote Access examination.

DSL Types

TABLE 27.1   DSL Types

Type     Analog Support   Downstream Bandwidth   Upstream Bandwidth   Range
ADSL     Yes              Up to 9Mbps            Up to 640Kbps        Up to 18,000 feet
G.lite   Yes              Up to 1.5Mbps          Up to 512Kbps        Up to 18,000 feet
HDSL     No               1.544Mbps              1.544Mbps            Up to 12,000 feet
SDSL     No               1.544Mbps              1.544Mbps            Up to 10,000 feet
IDSL     No               144Kbps                144Kbps              Up to 45,000 feet
VDSL     Yes              Up to 52Mbps           Up to 2.3Mbps        Up to 4,500 feet

NOTE: You might find that different vendors and sources document range and bandwidth
figures that are not the same as those in Table 27.1. We have used the Cisco
figures, which are sometimes over or under the values included in other specifications.
The variances should not have a significant impact on the test or real-world
deployment—for example, HDSL might have a range of 15,000 feet or 12,000 maximum,
but wire condition, interference, and other factors can greatly influence this,
and a real-world installation might operate correctly at only 7,000 feet. This chapter
covers only DSL basics consistent with the examination.

Very-High Data Rate DSL

Very-high data rate DSL (VDSL), sometimes also called very-high bit-rate DSL, is exactly
that—a high-bandwidth variant of DSL. Most implementations are capable of downstream
bandwidths in excess of 50Mbps. Consider for a moment that most VDSL deployments are in
residential settings and that the service provides in essence a DS-3 worth of capacity, and you
begin to appreciate the “very-high” aspects indeed.
There are a few installations of VDSL available in large markets, including Denver and Phoenix
in the United States. These services leverage VDSL to provide video, data, and voice services over
the DSL circuit. With over 50Mbps, it’s possible to provide four broadcast-quality video streams
over the connection, while also supporting an always-available Internet data path and analog
voice services—a road to the fully converged network if you will.
Of course, you can’t get something for nothing, and VDSL is no exception. The significant
downside to the technology is its limited range. Stated another way, ADSL technologies can frequently
extend to over 18,000 feet, whereas VDSL is limited to 4,500 feet. The highest data
rates are attainable at only 1,000 feet in most real-world settings.
The DSL types described in this chapter are summarized in Table 27.1.

ISDN DSL

ISDN DSL (IDSL) provides up to 144Kbps of bandwidth—which is equal to the two B channels
and one D channel of ISDN BRI—by employing the same line coding (2B1Q) as ISDN. It is important
to note that this flavor of DSL does not support analog voice service.
The primary reason for offering IDSL is that the range can be extended to cover virtually any
existing copper path that is devoid of amplifiers or load coils—both of which can be used in very
long analog connections. With repeaters, IDSL can extend to 45,000 feet.

Symmetric DSL

Symmetric DSL (SDSL) is a variant of HDSL; however, it runs over a single copper pair. HDSL
requires two pairs of copper. The data rate is 1.544Mbps in each direction.

High Bit-Rate DSL

High bit-rate DSL (HDSL) requires two pairs of copper for service, unlike most other DSL
offerings. In exchange, it provides a T-1-like presence of 1.544Mbps in each direction. It’s
important to note that this service does not support analog voice.

G.lite

G.lite, which is sometimes called splitterless DSL, is quickly dethroning ADSL as the most common
DSL variant, although technically it is only a subspecification of ADSL itself. As the splitterless
nickname implies, this technology does not require a splitter to be installed at the customer
location. In this splitterless installation, the provider isolates voice from data in the central
office by controlling the frequency of the voice channel.
The advantage to this type of installation is significant. In a splitter (ADSL) type of deployment,
the provider needs to visit the customer location and install a splitter on the line in addition to a
second jack—one jack is for the DSL router, and the other jack is for the telephone. The cost of
this is very high compared to the alternative of encoding the data and voice so the end equipment
can isolate the voice traffic where no splitter installation is required. G.lite installations can be
completed at the central office, and the user can simply plug their router into the jack as they
would a telephone.
G.lite is further described in ITU-T standard G.992.2.

Oversubscription and Bandwidth Contention

A discussion of consumer DSL, of which ADSL is a common offering, necessitates a discussion
of vendor claims regarding oversubscription and bandwidth contention. As you might know,
oversubscription occurs when the network is provisioned with greater potential demand than
could be serviced at any one time, under the reasonable assumption that use patterns and the
quantity of bandwidth demanded will never be 100 percent.
This assumption is very reasonable in many networks. Consider your network for a moment.
You might have 100 workstations connected to a switch with a single 100Mbps uplink to the
core. If each of the 100 workstations is connected at 100Mbps, the network would be oversubscribed
100:1. Consumer DSL network vendors commonly oversubscribe at ratios between 3:1 and 10:1.
Let’s suspend discussion of oversubscription for a moment and consider bandwidth contention.
DSL providers quickly point out that cable modem networks provide shared bandwidth from the
head end to a population of users. Think of this as shared Ethernet. They then add that their DSL
technology is more akin to switched Ethernet, where each user has no contention for bandwidth
from their router to the DSLAM.
On the surface it would appear that DSL is the superior technology, as many networkers have
migrated from the old shared network model to the superior switched network in Ethernet.
The marketing folks for DSL providers enjoy that analogy and relish in users choosing the
dedicated technology.
However, all is not as it appears. Although it is true that DSL dedicates bandwidth from the end user
to the head end at the Physical layer, we must return to oversubscription. I might have a dedicated
100Mbps Ethernet connection to my workstation, and Piper might have 100Mbps to her workstation,
but if we have a single 100Mbps uplink from the switch to our resource, we could expect
only 50 percent, or 50Mbps in this example, of throughput. So long as we have that consideration,
shared bandwidth is always a factor, even if the hop from my router to the head end is dedicated.
As such, cable modem’s shared technology (presented further in Chapter 28, “Remote Access with
Cable Modems and Virtual Private Networks”) is less of a concern than DSL providers would like.
Cisco contends that ADSL is best suited to video on demand and video conferencing; however,
in practice we would recommend against this generalization. The asymmetric nature of
ADSL is such that quality upstream video conferencing is unlikely if there is concurrent load.
Because video conferencing is typically a bidirectional experience, it would be overgeneralizing
to conclude that ADSL is the best solution. We justify their answer by simplifying the
scope and comparing ADSL to ISDN, analog (POTS), and other remote access technologies.
In this light, ADSL is the best solution. However, HDSL and other DSL flavors, discussed
later, might be better for your installation.

Asymmetric Digital Subscriber Line

The most common DSL variant is asymmetric digital subscriber line (ADSL), and this is often
used for home and business users. It is called asymmetric because the bandwidth is not equal in
the upstream and downstream directions. Upstream traffic is sent from the user, and downstream
traffic is sent from the direction of the DSLAM.
When discussing a DSL circuit without specifying the type of DSL being used,
it is common to refer to xDSL.
This unequal traffic flow is well suited to Internet surfing and centralized data storage, as
would be found in many tele-worker applications. For example, many users download graphics,
documents, and other large files from the remote network, while only sending small e-mail messages
or requests for information. As such, the network needs to provide only a small amount
of bandwidth to service these smaller datagrams from the user, and it’s preferable to provide
larger amounts of bandwidth to support the greater volume of data from the network.
ADSL requires the use of a splitter to isolate the voice traffic from the data stream on the
copper pair.

The Different Flavors of DSL

You learned in Chapter 26, “Integrated Services Digital Network (ISDN),” that there are a couple
of different flavors to that technology—specifically BRI and PRI. We will discuss six different
flavors of DSL in this chapter, although there are many more. These include:

Asymmetric digital subscriber line

G.lite

High bit-rate DSL

Symmetric DSL

ISDN DSL

Very-high data rate DSL
The different flavors of DSL typically alter the bandwidth available and the range—or
distance—between the DSLAM and the end point. There can be other differences as well,
such as the need for a splitter to separate voice traffic from the circuit.

What Is Digital Subscriber Line?

Digital subscriber line (DSL) is the result of demand for cheaper and higher bandwidth services
over the already existing copper phone-line network. As with ISDN, there was, and is, a great
deal of installed and widely available sub-Category 3 cable that, with a new encoding method,
could provide high-bandwidth services.
Within this chapter the terms DSL and xDSL are used. By convention, both
mean the same thing, although xDSL is a generic term that means all DSL technologies,
including ADSL and HDSL. These variants of DSL are described later
in this chapter. DSL is typically used to describe the base technology.
However, this existing cable currently supports analog voice services, so the new technology,
again like ISDN, needs to support legacy voice services in addition to providing the new data
service. So DSL is a voice and data service that supports multi-megabit data rates over the same
cable that previously supported only voice.
The digital subscriber line access multiplexer (DSLAM) provides the cornerstone of the
DSL infrastructure. This device provides two important functions in the DSL network: First,
it separates voice and data traffic from each line, and, second, it terminates each connection
to the residence or business. Figure 27.1 illustrates a typical DSL residential installation with
an access terminal (DSLAM) extending the link from the central office. Note that a remote
access terminal is not required and that a one-mile copper connection could extend directly
from a central-office-located DSLAM.
As an overview, DSL provides the following benefits:

Voice and data services over the same copper pair

Significantly greater bandwidth than ISDN or analog services over comparable physical media
Unfortunately, DSL also has some negatives, including these:

Significant distance limitations at higher data rates

Low tolerance for low-quality copper wiring

Complex, labor-consuming installation procedures for some versions

An inability to work with legacy line-conditioning equipment, including load coils
This chapter covers the flavors of DSL that are available to the administrator for remote
access solutions, in addition to covering configuration and troubleshooting of this technology.

Remote Access with Digital Subscriber Line

Understand digital subscriber line technologies.

Know the differences in digital subscriber line technologies.

Know how to configure digital subscriber line technologies.

Understand how to troubleshoot digital subscriber line
technologies.

In this chapter we will examine the remote access technologies
encompassed in digital subscriber line (DSL) services. This set of
newer remote connectivity access methods provides residential
and business locations with high-speed, low-cost connections that can surpass T-1 in some
instances. In addition to the basics of DSL, we will also compare the different flavors of the technology
and the troubleshooting methodologies employed.

ISDN-ITU-T Q.921-Q.931-T-1 (1.544Mbps) or E-1 (2.048Mbps)

ISDN is an old but still very viable networking standard that supports voice, data, and
video. It is slowly being replaced by DSL and cable modems. Layer 2 is negotiated by using
the ITU-T Q.921 standard, and layer 3 is negotiated by using the Q.931 standard. The
ISDN reference model is set up with function groups and reference points. The function
groups classify each device in the ISDN network, and the reference points identify the connections
and electrical characteristics between each function group. Many IOS debug and
show commands are available to help you understand and troubleshoot ISDN connections.
The types of connections include dial backup, dial-on-demand routing (DDR), and
Bandwidth on Demand (BoD). There are many ways to set up a connection from one device
to another by using ISDN and analog links. The legacy method uses the physical interface to
specify IP address, dialing properties, and authentication. Dialer profiles provide more flexibility
when using dial backup and other dial-up connections. When using PPP authentication,
both Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol
(CHAP) can be used. Some IOS debug and show commands are associated with PPP
negotiation and authentication.





Know the types of ISDN. ISDN comes in two flavors: BRI and PRI. The BRI is a standard that
runs over a 192Kbps circuit, whereas a PRI can run over a T-1 (1.544Mbps) or E-1 (2.048Mbps)
circuit. Know when to use a BRI and when to use a PRI. There are many PRI and BRI ISDN switch
types supported, and you should know which ones require SPIDs and which do not.
Understand the ISDN function groups. You need to know what function the groups NT1,
NT2, TA, LT, ET, TE1, and TE2 provide in the ISDN network.
Know the ISDN reference points. Identify the ISDN reference points of R, S, T, and U. Know
where these reference points are in the ISDN network and between which function groups they
are found.
Understand the two ITU-T Q standards used by ISDN. The Q.921 standard is used to set up
layer 2 between the router and local switch, and the Q.931 standard is used to set up layer 3.
You need to know what these protocols’ structures look like and what happens when a call is
set up and when it is torn down. You should also be familiar with the debug isdn q921 and
debug isdn q931 commands and what to look for in troubleshooting a problem.
Know how to set up dial-on-demand routing (DDR), dial backup, and Bandwidth on Demand
(BoD) by using both legacy and dialer profiles. Dialer profiles are used when you need to set
up a routing protocol over a dial-up connection; the legacy setup is used when a simple
point-to-point connection is needed between two sites. You should know how to set up authentication
and callback when security is needed on a dial-up connection. Multilink is also available when
more bandwidth is needed on a connection.
Know how to set up a channelized interface. You should know how to set up a T-1 or E-1
controller for channelized operation. You need to know the different framing and line-coding
options. The pri-group command is used when setting up a channelized interface to become
an ISDN PRI. The channel-group command is used when an interface or a portion of the interface
is used for dedicated access.


Configuring E-1

The E-1 configuration is similar to the T-1 configuration but has a few different parameters:
Framing The E-1 framing types available are crc4 and no-crc4, with australia as an
option. The default is crc4, and it specifies CRC error checking, with no-crc4 specifying
that CRC checking is (surprise!) disabled. The australia framing method is used when configuring
an E-1 in (another surprise!) Australia.
Linecode This is either AMI or HDB3 when configuring an E-1, with HDB3 as the default.
In the following example, we specified slot 0, port 1 on our MIP card, using the crc4 framing
type. The provider has defined HDB3 as the linecode (HDB3 is the default) to match the carrier’s
equipment. For an E-1 PRI circuit, the D channel is 15 so the command pri-group timeslots
1-16 will specify that channels 1 through 15 will be controlled by the D channel (subchannel 15).
Again, remember not to get confused with the channel group and time slot numbering; the channel
group numbers range from 0 to 30, whereas the time slot values range from 1 to 31. Also remember
that channel 15 on the E-1 and channel 23 on the T-1 are for the D channels. However, time
slots 17 to 30 are for a dedicated connection with up to 30 available if purchased:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#controller E1 1/0
Router(config-if)#framing crc4
Router(config-if)#linecode hdb3
Router(config-if)#pri-group timeslots 1-16
Router(config-if)#channel-group 1 timeslots 17-30 speed 64
Router(config-if)#^Z
Router#
You then need to specify the IP address and encapsulation methods used, just as in the T-1
example:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial1/0:15
Router(config-if)#encapsulation ppp
Router(config-if)#ip address 172.16.30.5 255.255.255.252
Router(config)#interface serial1/0:1
Router(config-if)#encapsulation hdlc
Router(config-if)#ip address 172.16.30.5 255.255.255.252
Router(config-if)#^Z
Router#

Configuring ISDN PRI

The serial links connect into either a private data network or a service provider’s network. Both
the line encoding and the framing must match the service provider’s equipment. To configure
a PRI on a serial link, you must supply the following information:
Channel type Either T-1 or E-1.
Frame type When using a T-1, this can be either D4, sometimes referred to as Super Frame,
or Extended Super Frame (ESF). D4 is the original T-1 frame format and comprises one framing
bit and a DS0 time slot for each channel on the line. ESF comprises 24 D4 frames. As each D4
frame contains a framing bit, an ESF has 24 framing bits that it uses for synchronization (6 bits),
error checking (6-bit cyclic redundancy check), and diagnostic data channel (12 bits).
Linecode This will be either alternate mark inversion (AMI) or binary 8-zero substitution
(B8ZS). B8ZS is typically used in the U.S.; however, most legacy phone systems still use AMI.
Dynamic Multiple Encapsulation Back in the old days, prior to Cisco IOS 12.1, the interface
encapsulation that we used in the previous example—PPP and others such as Frame Relay,
High-Level Data Link Control (HDLC), Link Access Procedure (LAP), and X.25—could support
only one ISDN B channel connection over the entire link, or as in the case of HDLC and
PPP, the entire link needed to use the same encapsulation method. With the Dynamic Multiple
Encapsulation feature, the ISDN B channel becomes a forwarding device, and the D channel is
ignored, thereby allowing different encapsulation types and per-user configuration.
Which T-1 time slots to use By using the pri-group command on your PRI interface, you
can define which time slots will be controlled by the D channel (subchannel 23). You can also
specify dedicated time slots on the same interface with the channel-group number time slot
range command. This will assign the time slots in the range specified, to the subchannel group
of number.
In the following example, we chose to configure slot 1, port 0 of the MIP card in a 7000 router,
and we opted for ESF framing, with B8ZS line coding. Remember not to get confused with the
channel group and time slot numbering; the channel group numbers range from 0 to 23, whereas
the time slot values range from 1 to 24. Also remember that channel 15 on the E-1 and channel 23
on the T-1 are for the D channels. The command pri-group timeslots 12-24 indicates that
the D channel will control time slots 11 through 23 on the PRI circuit. Channel group 1 has six
time slots running at 64Kbps. We could choose up to 24 DS0s but purchased only six from our
provider, with 12 through 24 being controlled with the PRI D channel. Here’s the output:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#controller T1 1/0
Router(config-if)#framing esf
Router(config-if)#linecode b8zs
Router(config-if)#pri-group timeslots 12-24
Router(config-if)#channel-group 1 timeslots 1-6 speed 64
Router(config-if)#^Z
An IP address and the serial encapsulation method (HDLC is the default) then needs to be
assigned to each interface, as shown in the following example:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial1/0:23
Router(config-if)#encapsulation ppp
Router(config-if)#ip address 172.16.30.5 255.255.255.252
Router(config)#interface serial1/0:1
Router(config-if)#encapsulation hdlc
Router(config-if)#ip address 172.16.30.5 255.255.255.252
Output for the five other B channels (serial/0-2-6) has been omitted to save space.
Router(config-if)#^Z
Router#
When connecting two MIP cards back-to-back, you must specify the clocking on
one controller. This is done with the clock source internal command.
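The numbering rules in the E-1 and T-1 examples above (1-based time slots, 0-based channel groups and subchannels, the D channel in time slot 16 or 24) are easy to get wrong, so the following Python script is an added example, not from the book, that checks a planned pri-group/channel-group allocation against those rules before it is typed into the controller. The slot/port string, function names and error wording are this example's own.

```python
"""Check a channelized T-1/E-1 controller allocation before it is typed in.

Added example, not from the book. It encodes the numbering rules the text
warns about: time slots are 1-based, channel-group numbers and serial
subchannels are 0-based, and the D channel lives in time slot 24 on a T-1
(serial x/y:23) and time slot 16 on an E-1 (serial x/y:15).
"""
import re

# Time-slot count and D-channel time slot (both 1-based) per controller type.
CONTROLLER = {
    "T1": {"slots": 24, "d_slot": 24},
    "E1": {"slots": 31, "d_slot": 16},
}


def parse_timeslots(spec):
    """Expand an IOS time-slot spec such as '12-24' or '1-5,17-30' to a set of ints."""
    slots = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError(f"bad time-slot spec: {spec!r}")
        low = int(m.group(1))
        high = int(m.group(2) or low)
        if low > high:
            raise ValueError(f"reversed range in time-slot spec: {part!r}")
        slots.update(range(low, high + 1))
    return slots


def check_controller(ctype, pri_timeslots, channel_groups, slot_port="1/0"):
    """Validate one controller's pri-group and channel-group allocations.

    ctype          'T1' or 'E1'
    pri_timeslots  spec given to 'pri-group timeslots', or None for no PRI
    channel_groups {group_number: spec given to 'channel-group N timeslots'}
    Returns (errors, interfaces): errors is a list of human-readable problems,
    interfaces maps each allocation to the serial subinterface IOS creates.
    """
    info = CONTROLLER[ctype]
    errors, interfaces, owner_of = [], {}, {}

    def claim(slots, owner):
        # Every time slot may belong to exactly one allocation.
        for s in sorted(slots):
            if not 1 <= s <= info["slots"]:
                errors.append(f"{owner}: time slot {s} is outside 1-{info['slots']}")
            elif s in owner_of:
                errors.append(f"{owner}: time slot {s} already used by {owner_of[s]}")
            else:
                owner_of[s] = owner

    if pri_timeslots is not None:
        pri = parse_timeslots(pri_timeslots)
        if info["d_slot"] not in pri:
            errors.append(
                f"pri-group: D-channel time slot {info['d_slot']} must be in the range"
            )
        claim(pri, "pri-group")
        # The PRI D channel is addressed by its 0-based subchannel number.
        interfaces["pri-group"] = f"serial{slot_port}:{info['d_slot'] - 1}"

    for num, spec in channel_groups.items():
        owner = f"channel-group {num}"
        if not 0 <= num <= info["slots"] - 1:
            errors.append(f"{owner}: group number must be 0-{info['slots'] - 1}")
        claim(parse_timeslots(spec), owner)
        interfaces[owner] = f"serial{slot_port}:{num}"

    return errors, interfaces


if __name__ == "__main__":
    # The book's T-1 and E-1 controller configurations from this section.
    for ctype, pri, groups in [("T1", "12-24", {1: "1-6"}), ("E1", "1-16", {1: "17-30"})]:
        errors, ifaces = check_controller(ctype, pri, groups)
        print(ctype, "errors:", errors or "none", "interfaces:", ifaces)
    # A constructed mistake: the D-channel slot is left out and slot 12 is claimed twice.
    print(check_controller("T1", "12-23", {1: "1-12"})[0])
```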

Channelized T-1/E-1 (PRI)

Large businesses typically use point-to-point connections with DSU/CSUs to connect two sites.
In turn, these are connected to low- and high-speed serial interfaces on routers—usually Cisco
routers. The router backplane and the number of interfaces the router can handle determine
how well it supports WAN connections. The Cisco 7000 series of routers supports the Fast
Serial Interface Processor (FSIP), which provides either four or eight serial ports, permitting
the four or eight point-to-point connections to remote offices. Other Cisco routers support the
Multichannel Interface Processor (MIP), which furnishes support for two full T-1/E-1 ports in
the 7000 series and one port in the 4000 series.
ISDN T-1s, which are called Primary Rate Interfaces (PRIs), run at 1.544Mbps. These use 24
channels in contrast to E-1s, which use 31 channels and run at 2.048Mbps. E-1 is mainly used
in Europe, and both T-1 and E-1 are considered wide-area digital transmission schemes.
Each port in the MIP can support 24 DS0 channels of 64Kbps each when using a T-1 interface,
and 31 DS0 channels when using an E-1 interface. The MIP refers to each serial interface
as a channel group; this enables each channel or DS0 to be configured individually. Each channel
has the same characteristics and options as regular serial interfaces.

Testing the Backup

After the configuration, it’s important to test your backup link. You don’t want to wait for an
actual outage before discovering you have made a configuration mistake. You’ll test the backup
by disabling the connected serial interface on R2.
When the test is performed, it takes 11 seconds for the backup line to come out of Standby
mode and another four seconds for layers 1 and 2 to come up. The following router output
shows this. Why would using a dialer interface save you four seconds in this scenario?
00:46:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
00:46:23: %LINK-3-UPDOWN: Interface Serial0, changed state to down
00:46:23: %FR-5-DLCICHANGE: Interface Serial0 - DLCI 202 state changed to DELETED
00:46:23: %FR-5-DLCICHANGE: Interface Serial0 - DLCI 100 state changed to DELETED
00:46:23: %FR-5-DLCICHANGE: Interface Serial0 - DLCI 200 state changed to DELETED
00:46:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0.202, changed state to down
00:46:34: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
00:46:34: %LINK-3-UPDOWN: Interface BRI0:2, changed state to down
00:46:34: %LINK-3-UPDOWN: Interface BRI0, changed state to up
00:46:38: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 107 changed to up
00:46:38: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 108 changed to up
00:46:59: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:47:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
00:47:06: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662
00:47:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
00:47:24: %LINK-3-UPDOWN: Interface Serial0, changed state to up
00:47:24: %FR-5-DLCICHANGE: Interface Serial0 - DLCI 202 state changed to ACTIVE
00:47:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0.202, changed state to up
00:48:24: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
00:48:24: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from unknown, call lasted 85 seconds
00:48:24: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BRI0, TEI 107 changed to down
00:48:24: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BRI0, TEI 108 changed to down
00:48:24: %LINK-5-CHANGED: Interface BRI0, changed state to standby mode
00:48:24: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
00:48:24: %LINK-3-UPDOWN: Interface BRI0:2, changed state to down
00:48:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down
You should also note in the preceding router output that the backup line dropped one minute
after the primary link came up. The delay between primary failure and activation of the
backup line, and the delay between primary recovery and deactivation of the backup line, can
both be modified by using the backup delay 10 60 command. The first number (10) is how many seconds
to wait before activating the backup interface, and the second number (60) is how many
seconds to stay up once the primary line recovers.
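To check that the timing in output like the above actually matches backup delay 10 60, the following Python script is an added example, not from the book: it parses the uptime-stamped log messages and computes the activation, layer 2 and deactivation delays. The embedded log lines are a subset of the router output shown above; the function names and the consistency rule are this example's own.

```python
"""Measure dial-backup timing from IOS syslog lines.

Added example, not from the book. It parses %LINK/%LINEPROTO/%ISDN messages
(uptime-stamped, hh:mm:ss) and reports how long the backup interface took to
leave Standby, how long layer 2 took after that, how long the backup stayed up
after the primary recovered, and the call duration the ISDN layer reported,
so the observed behaviour can be compared with 'backup delay 10 60'.
"""
import re

LOG_RE = re.compile(
    r"^(?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d): %(?P<msg>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)

# A subset of the router output shown above, with wrapped lines rejoined.
SAMPLE_LOG = """\
00:46:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
00:46:23: %LINK-3-UPDOWN: Interface Serial0, changed state to down
00:46:23: %FR-5-DLCICHANGE: Interface Serial0 - DLCI 202 state changed to DELETED
00:46:34: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
00:46:34: %LINK-3-UPDOWN: Interface BRI0, changed state to up
00:46:38: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 107 changed to up
00:46:59: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:47:06: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662
00:47:24: %LINK-3-UPDOWN: Interface Serial0, changed state to up
00:48:24: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from unknown, call lasted 85 seconds
00:48:24: %LINK-5-CHANGED: Interface BRI0, changed state to standby mode
"""


def parse_log(text):
    """Return [(uptime_seconds, message_name, message_text)] for each parsable line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            events.append((t, m["msg"], m["text"]))
    return events


def first(events, msg, needle):
    """Uptime of the first event with the given message name whose text contains needle."""
    for t, name, text in events:
        if name == msg and needle in text:
            return t
    return None


def backup_timeline(text, primary="Serial0", backup="BRI0"):
    ev = parse_log(text)
    # The trailing comma keeps 'Interface BRI0,' from matching 'Interface BRI0:1,'.
    primary_down = first(ev, "LINK-3-UPDOWN", f"Interface {primary}, changed state to down")
    backup_up = first(ev, "LINK-3-UPDOWN", f"Interface {backup}, changed state to up")
    layer2_up = first(ev, "ISDN-6-LAYER2UP", "changed to up")
    primary_up = first(ev, "LINK-3-UPDOWN", f"Interface {primary}, changed state to up")
    standby = first(ev, "LINK-5-CHANGED", f"Interface {backup}, changed state to standby")
    disconnect = next((x for _, n, x in ev if n == "ISDN-6-DISCONNECT"), "")
    m = re.search(r"call lasted (\d+) seconds", disconnect)

    def delta(a, b):
        return None if a is None or b is None else b - a

    return {
        "activation_delay": delta(primary_down, backup_up),
        "layer2_delay": delta(backup_up, layer2_up),
        "deactivation_delay": delta(primary_up, standby),
        "call_seconds": int(m.group(1)) if m else None,
    }


def matches_backup_delay(timeline, enable_delay, disable_delay):
    """True if the observed delays are consistent with 'backup delay <enable> <disable>'.

    Activation can only happen once the enable delay has expired, so a
    slightly longer measured value is normal; deactivation is a fixed timer.
    """
    act, deact = timeline["activation_delay"], timeline["deactivation_delay"]
    return (act is not None and deact is not None
            and act >= enable_delay and deact == disable_delay)


if __name__ == "__main__":
    tl = backup_timeline(SAMPLE_LOG)
    print(tl)
    print("consistent with 'backup delay 10 60':", matches_backup_delay(tl, 10, 60))
```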
As we stated earlier, it is best to use a dialer profile, or dialer interface, as the backup interface,
so we will show you how this is done. Setting up a dialer profile requires two steps: configuring
the primary interface and configuring the dialer interface. The primary interface needs
only some basic information; for example, take a look at this configuration:

interface BRI0
no ip address
encapsulation ppp
isdn spid1 0835866101 8358661
isdn spid2 0835866301 8358663
dialer pool-member 1
!

Basically, all we did was set up ISDN layers 1 and 2, enable PPP encapsulation, and assign
this interface to dialer pool 1—pretty simple so far.
The next step involves the dialer interface. A dialer interface is virtual, meaning it is not
a physical interface, and you add it by using the global command interface dialer 1.
The connection-specific configuration commands are placed under this interface, including
creation of the dialer pool, phone number to dial, remote device name, interesting traffic,
authentication, and IP address information. Again, it’s not that difficult. Take a look at this
configuration:
interface Dialer1
ip address 192.168.254.2 255.255.255.0
encapsulation ppp
dialer remote-name r3
dialer string 8358662
dialer pool 1
dialer-group 1
ppp authentication chap callin
Note that the callin option on the ppp authentication command indicates authentication
on incoming (received) calls only.
You will notice that the dialer interface goes into Standby but the BRI interface doesn’t. You
can verify this by using the show ISDN status command:
r2#show isdn status
The current ISDN Switchtype = basic-ni
ISDN BRI0 interface
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 109, State = MULTIPLE_FRAME_ESTABLISHED
TEI = 110, State = MULTIPLE_FRAME_ESTABLISHED
Spid Status:
TEI 109, ces = 1, state = 5(init)
spid1 configured, spid1 sent, spid1 valid
Endpoint ID Info: epsf = 0, usid = 1, tid = 1
TEI 110, ces = 2, state = 5(init)
spid2 configured, spid2 sent, spid2 valid
Endpoint ID Info: epsf = 0, usid = 3, tid = 1
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 0 CCBs = 1
CCB: callid=0x0, sapi=0, ces=1, B-chan=0
Total Allocated ISDN CCBs = 1

service timestamps log uptime
no service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname r2
!
enable password cisco
!
username r3 password 0 cisco
isdn switch-type basic-ni
!
interface Serial0
no ip address
encapsulation frame-relay
no fair-queue
!
interface Serial0.202 point-to-point
backup delay 10 60
backup interface Dialer1
ip address 172.16.34.2 255.255.255.0
frame-relay interface-dlci 202
!
interface BRI0
no ip address
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0835866101 8358661
isdn spid2 0835866301 8358663
dialer pool-member 1
!
interface Dialer1
ip address 192.168.254.2 255.255.255.0
encapsulation ppp
dialer remote-name r3
dialer string 8358662
dialer pool 1
dialer-group 1
ppp authentication chap
!

ip classless
ip route 0.0.0.0 0.0.0.0 172.16.34.3
ip route 0.0.0.0 0.0.0.0 192.168.254.3 210
!
dialer-list 1 protocol ip permit
!
end
r2#
r3#show run
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r3
!
enable password cisco
!
username r2 password 0 cisco
ip subnet-zero
!
isdn switch-type basic-ni
!
interface FastEthernet0/0
ip address 192.168.252.3 255.255.255.0
no ip directed-broadcast
!
interface Serial0/0
no ip address
no ip directed-broadcast
encapsulation frame-relay
no ip mroute-cache
frame-relay lmi-type cisco
!

interface Serial0/0.203 point-to-point
ip address 172.16.34.3 255.255.255.0
no ip directed-broadcast
frame-relay interface-dlci 203
!
interface BRI0/0
ip address 192.168.254.3 255.255.255.0
no ip directed-broadcast
encapsulation ppp
dialer map ip 192.168.254.2 8358661
dialer-group 1
isdn switch-type basic-ni
isdn spid1 0835866201 8358662
isdn spid2 0835866401 8358664
ppp authentication chap
dialer hold-queue 75
!
ip classless
ip route 172.16.2.0 255.255.255.0 172.16.34.2
ip route 172.16.2.0 255.255.255.0 192.168.254.2 210
!
dialer-list 1 protocol ip permit
!
end

As you can see, the configuration is not that complex. Having a good working knowledge of
this will help you solve many dial backup scenarios. Of course, you can make this as complex
as you’d like; we kept this example fairly simple as an illustration.
The command dialer-list creates the interesting traffic. The command dialer-group
assigns the dialer list to an interface. The numbers must match. In the previous example, both
the dialer list and the dialer group are 1. The dialer hold-queue command creates a buffer
for incoming interesting traffic that is waiting for the BRI to be dialed. The 75 means that if
75 interesting packets arrive in the queue before the interface comes up, the 76th and subsequent
packets will be dropped until the line comes up and the queue gets some relief.

Bandwidth on Demand

What do you do if you have more traffic than bandwidth? Wouldn’t it be great if you could pull
your magic router wand out and make the traffic go faster? You can approximate this magic by
using Bandwidth on Demand.

Bandwidth on Demand (BoD) is an interface-only command, meaning you cannot apply it
to a subinterface. Here is the syntax to assign a backup load to an interface:
backup load {enable-threshold | never} {disable-load | never}
The enable threshold load is the percentage of interface load where you want the additional
bandwidth dialed up. The disable load is the percentage of interface load where you want the
extra bandwidth dropped. At what point is the circuit congested enough to need extra bandwidth?
Some people say 75 percent; yet others say queuing is needed. You will probably have
to figure this out based on corporate policy, cost, sensitivity to slow responsiveness, and so on.
Because BoD is a dial-up feature, you might incur additional long-distance costs, so be careful
about setting your thresholds.
Configuring BoD is almost the same as configuring dial backup, except you’re replacing the
amount of backup delay with the amount of backup threshold. Here is an example:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial0
Router(config-if)#backup interface BRI0
This configuration sets the interface serial0 to use interface BRI0 as a backup when the main
interface goes down. The following configuration shows how to configure the backup delay and
the backup load:

Router(config-if)#backup ?
delay Delays before backup line up or down transitions
interface Configure an interface as a backup
load Load thresholds for line up or down transitions
Router(config-if)#backup delay ?
<0-4294967294> Seconds
never Never activate the backup line
Router(config-if)#backup delay 10 ?
<0-4294967294> Seconds
never Never deactivate the backup line
Router(config-if)#backup delay 10 60
The previous configuration sets the backup delay to 10 seconds and 60 seconds. This means
that the backup interface will not dial until serial0 is down for 10 seconds, and it will drop the link
after the serial link is back up for 60 seconds. The backup load command syntax is as follows:
Router(config-if)#backup load ?
<0-100> Percentage

never Never activate the backup line
Router(config-if)#backup load 75 ?
<0-100> Percentage
never Never deactivate the backup line
Router(config-if)#backup load 75 35
Router(config-if)#^Z
Router#
This command sets the router to dial the ISDN BRI0 interface if the bandwidth reaches a
maximum of 75 percent and then to drop the link after the bandwidth is back at 35 percent.
The interface configuration is shown next:
Router#show run
[output cut]
interface Serial0
backup delay 10 60
backup interface BRI0
backup load 75 35
ip address 10.53.69.69 255.255.255.0
no ip directed-broadcast
--More--

Setting Up Dial Backup

Your first project is setting up dial backup on the routers. You’ll keep this fairly basic. R2
will call R3 when serial 0.202 goes down. The interesting traffic you’ll designate is all IP.
You will not use a routing protocol, so you’ll have to use a floating static route. Typically,
floating static routes are used with DDR because they can be set to a higher administrative
distance than the routing protocol being used. This enables the router to automatically
bring up the BRI line if the main serial line were to drop.
In the following configuration, you’ll issue a show isdn status command on Router 2 to
verify that the interface configuration is working correctly:

r2#show isdn status
The current ISDN Switchtype = basic-ni
ISDN BRI0 interface
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 100, State = MULTIPLE_FRAME_ESTABLISHED
TEI = 101, State = MULTIPLE_FRAME_ESTABLISHED
Spid Status:
TEI 100, ces = 1, state = 5(init)
spid1 configured, spid1 sent, spid1 valid
Endpoint ID Info: epsf = 0, usid = 1, tid = 1
TEI 101, ces = 2, state = 5(init)
spid2 configured, spid2 sent, spid2 valid
Endpoint ID Info: epsf = 0, usid = 3, tid = 1
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 0 CCBs = 1
CCB: callid=0x0, sapi=0, ces=1, B-chan=0
Total Allocated ISDN CCBs = 1
As you can see, layers 1 and 2 are up, you are using TEI 100 and 101, and the SPIDs and dialed
numbers (DNs) are valid. This is one of the most important commands you can use. If the SPIDs
are invalid or the configuration is wrong, you will see it in the show isdn status command.
Now you’ll issue the backup interface bri0 command under serial 0.202. This tells the
interface s0.202 to use interface BRI0 if the serial interface loses DCD (data carrier detect),
which means the link is down:
r2(config)#interface serial0.202
r2(config-subif)#backup interface bri0
r2(config-subif)#
%ISDN-6-LAYER2DOWN: Layer 2 for Interface BRI0, TEI 100 changed to down
%ISDN-6-LAYER2DOWN: Layer 2 for Interface BRI0, TEI 101 changed to down
%LINK-5-CHANGED: Interface BRI0, changed state to standby mode
%LINK-3-UPDOWN: Interface BRI0:1, changed state to down
%LINK-3-UPDOWN: Interface BRI0:2, changed state to down
As you can see, this command places the BRI0 interface in Standby mode, effectively turning
the interface down. This deactivates layer 1 on the BRI0 interface. You can verify this by issuing
a show isdn status command at the router prompt:
r2#show ISDN status
The current ISDN Switchtype = basic-ni
ISDN BRI0 interface
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
Layer 2 NOT Activated
Spid Status:
TEI Not Assigned,ces = 1, state = 1(terminal down)
spid1 configured,spid1 NOT sent,spid1 NOT valid
TEI Not Assigned,ces = 2, state = 1(terminal down)
spid2 configured,spid2 NOT sent,spid2 NOT valid
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 0 CCBs = 0
Total Allocated ISDN CCBs = 0

Using the physical BRI interface as a backup can cause problems because the BRI interface
appears to be disconnected to the service provider. There is no way to verify that the ISDN BRI
circuit is in proper working order unless you remove it as a backup interface. This is why it’s
best to use a dialer interface as the backup and not the physical ISDN BRI interface, which is
illustrated later in this chapter.
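Reading show isdn status by eye is error-prone, so the following Python script is an added example, not from the book, that parses both outputs shown above (the working BRI and the same BRI after backup interface bri0 put it in Standby) and lists what is wrong. The field names and health-check rules are this example's own; as the text says, a BRI in Standby is indistinguishable from a broken circuit in this output, which is exactly what the checker shows.

```python
"""Turn 'show isdn status' output into a pass/fail health check.

Added example, not from the book. It extracts the layer 1 state, the layer 2
TEI states, the per-SPID sent/valid flags and the active call count, then
reports anything that would stop the BRI from dialing.
"""
import re

# Output of 'show isdn status' on r2 before the BRI was made a backup interface.
SAMPLE_UP = """\
The current ISDN Switchtype = basic-ni
ISDN BRI0 interface
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 100, State = MULTIPLE_FRAME_ESTABLISHED
TEI = 101, State = MULTIPLE_FRAME_ESTABLISHED
Spid Status:
TEI 100, ces = 1, state = 5(init)
spid1 configured, spid1 sent, spid1 valid
Endpoint ID Info: epsf = 0, usid = 1, tid = 1
TEI 101, ces = 2, state = 5(init)
spid2 configured, spid2 sent, spid2 valid
Endpoint ID Info: epsf = 0, usid = 3, tid = 1
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 0 CCBs = 1
"""

# The same BRI after 'backup interface bri0' placed it in Standby.
SAMPLE_STANDBY = """\
The current ISDN Switchtype = basic-ni
ISDN BRI0 interface
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
Layer 2 NOT Activated
Spid Status:
TEI Not Assigned,ces = 1, state = 1(terminal down)
spid1 configured,spid1 NOT sent,spid1 NOT valid
TEI Not Assigned,ces = 2, state = 1(terminal down)
spid2 configured,spid2 NOT sent,spid2 NOT valid
Layer 3 Status:
0 Active Layer 3 Call(s)
"""

# Matches both 'spid1 configured, spid1 sent, spid1 valid' and the
# comma-without-space NOT form in the standby output.
SPID_RE = re.compile(
    r"spid(\d) configured,\s*spid\1 (NOT sent|sent),\s*spid\1 (NOT valid|valid)"
)


def parse_isdn_status(text):
    """Extract the fields the text tells you to look at first."""
    switch = re.search(r"Switchtype = (\S+)", text)
    layer1 = re.search(r"Layer 1 Status:\s*(\w+)", text)
    calls = re.search(r"(\d+) Active Layer 3 Call", text)
    return {
        "switchtype": switch.group(1) if switch else None,
        "layer1": layer1.group(1) if layer1 else None,
        # Empty when the output says 'Layer 2 NOT Activated'.
        "layer2": [(int(t), s) for t, s in re.findall(r"TEI = (\d+), State = (\w+)", text)],
        "spids": {
            int(n): {"sent": sent == "sent", "valid": valid == "valid"}
            for n, sent, valid in SPID_RE.findall(text)
        },
        "active_calls": int(calls.group(1)) if calls else None,
    }


def isdn_problems(status):
    """Return a list of problems; empty means layers 1-2 are up and all SPIDs valid."""
    problems = []
    if status["layer1"] != "ACTIVE":
        problems.append(f"layer 1 is {status['layer1']}, expected ACTIVE")
    established = [t for t, s in status["layer2"] if s == "MULTIPLE_FRAME_ESTABLISHED"]
    if not established:
        problems.append("no TEI in MULTIPLE_FRAME_ESTABLISHED (layer 2 down)")
    if not status["spids"]:
        problems.append("no SPID status lines found")
    for n, spid in sorted(status["spids"].items()):
        if not spid["valid"]:
            problems.append(f"spid{n} is NOT valid (sent={spid['sent']})")
    return problems


if __name__ == "__main__":
    for label, sample in (("working", SAMPLE_UP), ("standby", SAMPLE_STANDBY)):
        status = parse_isdn_status(sample)
        print(label, status["layer1"], isdn_problems(status) or "no problems")
```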

Dial Backup

Dial backup, dial-on-demand routing (DDR), and Bandwidth on Demand (BoD) all use the
same basic interface configuration. Dial backup and BoD use the interface backup commands
to determine if, when, and how long an interface is to be activated. DDR is used for a temporary
dial-up connection from a branch or home office.
Time to do some design work: Using Figure 26.10, you’ll design and configure both legacy
and dialer interfaces. For the sake of this project, you’ll assign some addresses to the
interfaces on R2 and R3 in the figure. Add any additional configuration required to complete
the project. The following list of addresses will give you a starting point.
R2 - To0 172.16.2.0/24
R3 - E0/0 192.168.252.0/24
ISDN cloud 192.168.254.0/24
Frame cloud 192.168.123.0/24
Figure 26.10: Network diagram showing R2 (To0, BRI0) and R3 (E0/0, S0/0, BRI0/0) connected through a Frame Relay cloud and an ISDN cloud
ISDN Information
R2 SPID 1 0835866101 DN 8358661
R2 SPID 2 0835866301 DN 8358663
R3 SPID 1 0835866201 DN 8358662
R3 SPID 2 0835866401 DN 8358664
Switchtype is National 1.

Verifying the ISDN Operation

The following commands can be used to verify legacy DDR and ISDN:
ping and telnet These are great IP tools for any network. However, your interesting traffic
must dictate that ping and telnet are acceptable as interesting traffic to bring up a link.
After a link is up, you can ping or telnet to your remote router regardless of your interesting
traffic lists.
show dialer This command gives good diagnostic information about your dialer and shows
the number of times the dialer string has been successfully connected, the idle-timeout values
of each B channel, the length of the call, and the name of the router to which the interface is
connected.
show isdn active This command shows the number called and whether a call is in progress.
show isdn status A good command to use before you try to dial, this shows whether your
SPIDs are valid and whether you are connected and communicating with layers 1 through 3 to
the provider’s switch.
show ip route A popular Cisco diagnostics command, this shows all routes that the router
currently knows about.
debug isdn q921 This command is used to see layer 2 information only between the router
and the service provider’s ISDN switch.
debug isdn q931 This command is like debug isdn q921 but is used to see layer 3 information,
including call setup and teardown between the access server and the provider’s
ISDN switch.
debug dialer This command gives you call setup and teardown activity from the dialer’s
standpoint.
isdn disconnect interface bri0 This clears the interface and drops the current connection if
one exists. Performing a shutdown on the interface can give you the same results.

Using DDR with Access Lists

You can use access lists to be more specific about what is interesting traffic. In the preceding
examples, we set the dialer list to allow any IP traffic to bring up the line and keep it up.
That’s great if you are testing, but it can defeat the purpose of why you use a DDR line in
the first place. You can use extended access lists to set the restriction, for example, to only
e-mail or Telnet.
Here is an example of how you define the dialer list to use an extended access list:
804A(config)#dialer-list 1 protocol ip list 110
804A(config)#access-list 110 permit tcp any any eq smtp
804A(config)#access-list 110 permit tcp any any eq telnet
804A(config)#int bri0
804A(config-if)#dialer-group 1
In the previous example, you configure the dialer-list command to look at an IP extended
access list. This doesn’t have to be IP; it can be used with any protocol. Create your dialer list and
then apply it to the BRI interface with the dialer-group command.
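The following Python script is an added example, not from the book, that parses the dialer-list and access-list 110 lines above and reports which packets would count as interesting. It supports only the any/host address forms and the eq port keywords the example needs; the packet values are constructed.

```python
"""Evaluate which packets a dialer list treats as interesting.

Added example, not from the book. A packet that is not interesting neither
dials the line nor resets its idle timer, so the access list is what keeps a
DDR link from being held up by background traffic.
"""
from collections import namedtuple

Ace = namedtuple("Ace", "action proto src dst dport")
Packet = namedtuple("Packet", "proto src dst dport")

# Port numbers for the service keywords IOS accepts after 'eq' (subset).
SERVICE_PORTS = {"smtp": 25, "telnet": 23, "www": 80, "domain": 53, "ftp": 21}

# The dialer-list and access-list lines from the example above.
CONFIG = """\
dialer-list 1 protocol ip list 110
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq telnet
"""


def parse_ace(tokens):
    """Parse the tokens after 'access-list <n>' of an extended IP ACL entry."""
    action, proto = tokens[0], tokens[1]
    pos = 2

    def address():
        # Only 'any' and 'host A.B.C.D' are supported in this example.
        nonlocal pos
        if tokens[pos] == "any":
            pos += 1
            return None
        if tokens[pos] == "host":
            pos += 2
            return tokens[pos - 1]
        raise ValueError(f"unsupported address form: {tokens[pos]!r}")

    src, dst = address(), address()
    dport = None
    if pos < len(tokens) and tokens[pos] == "eq":
        dport = SERVICE_PORTS.get(tokens[pos + 1]) or int(tokens[pos + 1])
    return Ace(action, proto, src, dst, dport)


def parse_config(text):
    """Return ({dialer_list_number: (kind, acl_number_or_None)}, {acl_number: [Ace]})."""
    dialer_lists, acls = {}, {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["dialer-list"] and tok[2:4] == ["protocol", "ip"]:
            if tok[4] == "list":
                dialer_lists[int(tok[1])] = ("list", int(tok[5]))
            else:
                dialer_lists[int(tok[1])] = (tok[4], None)  # plain permit or deny
        elif tok[:1] == ["access-list"]:
            acls.setdefault(int(tok[1]), []).append(parse_ace(tok[2:]))
    return dialer_lists, acls


def ace_matches(ace, pkt):
    # None in the ACE means 'any' for that field; 'ip' matches every protocol.
    return (
        ace.proto in ("ip", pkt.proto)
        and ace.src in (None, pkt.src)
        and ace.dst in (None, pkt.dst)
        and ace.dport in (None, pkt.dport)
    )


def is_interesting(dialer_group, pkt, dialer_lists, acls):
    """Apply the dialer list bound to an interface via 'dialer-group <n>'."""
    kind, ref = dialer_lists[dialer_group]
    if kind != "list":
        return kind == "permit"
    for ace in acls.get(ref, []):  # first match wins, implicit deny at the end
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


if __name__ == "__main__":
    lists, acls = parse_config(CONFIG)
    # Constructed packets arriving on the interface configured with 'dialer-group 1'.
    samples = {
        "SMTP": Packet("tcp", "10.0.0.5", "192.168.1.10", 25),
        "Telnet": Packet("tcp", "10.0.0.5", "192.168.1.10", 23),
        "HTTP": Packet("tcp", "10.0.0.5", "192.168.1.10", 80),
        "ping": Packet("icmp", "10.0.0.5", "192.168.1.10", None),
    }
    for name, pkt in samples.items():
        print(f"{name:7s} interesting={is_interesting(1, pkt, lists, acls)}")
```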

Using Optional Commands

You should configure two other commands on your BRI interface: dialer load-threshold
and dialer idle-timeout. The dialer load-threshold command is used in conjunction
with the ppp multilink command for multilink PPP (MPPP).
The dialer load-threshold command tells the BRI interface when to bring up the second
B channel. The value specified is from 1–255, where 255 tells the BRI to bring up the second B
channel only when the first channel is 100 percent loaded. The second option for that command
is in, out, or either. This calculates the actual load on the interface either on outbound traffic,
inbound traffic, or either inbound or outbound traffic. The default is outbound.
The dialer idle-timeout command specifies the number of seconds to wait for interesting
traffic before a call is disconnected. The default is 120 seconds.
RouterA(config-if)#dialer load-threshold 127 either
RouterA(config-if)#dialer idle-timeout 180
The dialer load-threshold 127 command tells the BRI interface to bring up the second B
channel if either the inbound or outbound traffic load is 50 percent. The dialer idle-timeout
180 command changes the default disconnect time from 120 to 180 seconds.
MPPP allows load-balancing between two or more B channels on a BRI or PRI interface. It is
non-vendor-specific and provides packet fragmentation and reassembly, along with sequencing
and load-calculating. Cisco’s MPPP is based on RFC 1990, which is referred to as PPP Multilink
Protocol (MP). The configuration would then look like this:
RouterA(config)#int BRI0
RouterA(config-if)#dialer load-threshold 127 either
RouterA(config-if)#dialer idle-timeout 180
RouterA(config-if)#ppp multilink
Not a tough configuration, but you should use it nonetheless. The ppp multilink command will
fragment packets and send them over both lines, which provides a load-balancing effect on the data
being sent over the link. You can verify that the Multilink Protocol is working by using the show ppp
multilink command.

Configuring the Dialer Information

There are five steps in the configuration of dialer information:
1. Choose the interface.
2. Set the IP address.
3. Configure the encapsulation type.
4. Link interesting traffic to the interface.
5. Configure the number or numbers to dial.
Here is an example of how to configure the five steps:
804A#config t
804A(config)#interface bri0
804A(config-if)#ip address 172.16.60.1 255.255.255.0
804A(config-if)#no shutdown
804A(config-if)#encapsulation ppp
804A(config-if)#dialer-group 1
804A(config-if)#dialer string 8358662
Instead of the dialer string command, you can use a dialer map command, which
provides more security:
804A(config-if)#dialer map ip 172.16.60.2 name 804B 8358662
The dialer map command is used to configure the IP address of the next hop router, the
name of the remote router for authentication, and the number to dial to get there. The name is
usually the host name of the remote router, but it must be the name used by the remote router
to identify itself.
846 Chapter 26  Integrated Services Digital Network (ISDN)
Take a look at the following configuration of an 804 router:
804B#show run
Building configuration...
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 804B
!
ip subnet-zero
!
isdn switch-type basic-ni
!
interface Ethernet0
ip address 172.16.50.10 255.255.255.0
no ip directed-broadcast
!
interface BRI0
ip address 172.16.60.2 255.255.255.0
no ip directed-broadcast
encapsulation ppp
dialer idle-timeout 300
dialer string 8358661
dialer load-threshold 2 either
dialer-group 1
isdn switch-type basic-ni
isdn spid1 0835866201 8358662
isdn spid2 0835866401 8358664
dialer hold-queue 75
ppp multilink
!
ip classless
ip route 172.16.30.0 255.255.255.0 172.16.60.1
ip route 172.16.60.1 255.255.255.255 BRI0
!
dialer-list 1 protocol ip permit
!
The BRI interface is running the PPP encapsulation and has a timeout value of 300 seconds,
which is discussed in the next section. The load-threshold command makes both
BRI channels come up immediately (if you are paying for both, you want them both up all
the time) and is used with multilink, which we will discuss later in this section. The one
thing you should really notice is the number in the dialer-group 1 command. That number
must match the number in the dialer-list command, which is used to define what is
interesting traffic. The dialer hold-queue 75 command tells the router that when it
receives an interesting packet, it should queue up to 75 packets while it is waiting for the
BRI to come up. If more than 75 packets are queued before the link comes up, the packets
beyond the 75 will be dropped.
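Two of the points made above are easy to get wrong by hand: the number in dialer-group must match a dialer-list, and a dialer-list that points at an extended access list (as in the list 110 example earlier) only restricts anything if that access list exists. The following checker is an added example, not code from the book or from Cisco IOS. It parses an IOS-style configuration, assuming the "!" lines separate blocks the way show run prints them, and reports those inconsistencies along with a dialer list that permits all traffic of a protocol. The sample configuration is constructed for the example, modelled on the listings above, with the dialer-group number deliberately wrong.

```python
import re

# Constructed sample in the style of the listings above (not the book's own output).
# The dialer-group number is deliberately wrong so the checker has something to report.
SAMPLE_CONFIG = """\
hostname 804A
!
dialer-list 1 protocol ip list 110
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq telnet
!
interface BRI0
 ip address 172.16.60.1 255.255.255.0
 encapsulation ppp
 dialer-group 2
 dialer idle-timeout 180
 dialer load-threshold 127 either
 ppp multilink
!
"""

# Same configuration with the dialer-group corrected to reference dialer-list 1.
FIXED_CONFIG = SAMPLE_CONFIG.replace("dialer-group 2", "dialer-group 1")

DIALER_LIST_RE = re.compile(
    r"^dialer-list\s+(\d+)\s+protocol\s+(\S+)\s+(?:(permit|deny)|list\s+(\d+))\s*$")
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+")
INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
DIALER_GROUP_RE = re.compile(r"^dialer-group\s+(\d+)")
IDLE_RE = re.compile(r"^dialer idle-timeout\s+(\d+)")


def parse_config(text):
    """Pull out the pieces of DDR wiring: dialer lists, numbered access lists
    and the per-interface dialer-group / idle-timeout settings."""
    dialer_lists, acls, interfaces = {}, set(), {}
    current = None           # name of the interface block being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            current = None   # IOS prints "!" between blocks, so it closes an interface section
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {"dialer-group": None, "idle-timeout": None}
            continue
        if current is not None:   # interface sub-command
            m = DIALER_GROUP_RE.match(line)
            if m:
                interfaces[current]["dialer-group"] = int(m.group(1))
            m = IDLE_RE.match(line)
            if m:
                interfaces[current]["idle-timeout"] = int(m.group(1))
            continue
        m = DIALER_LIST_RE.match(line)
        if m:
            number, protocol, action, acl = m.groups()
            dialer_lists[int(number)] = {
                "protocol": protocol,
                "action": action or "list",
                "acl": int(acl) if acl else None,
            }
            continue
        m = ACL_RE.match(line)
        if m:
            acls.add(int(m.group(1)))
    return dialer_lists, acls, interfaces


def lint_ddr(text):
    """Return a list of findings; an empty list means the dialer wiring is consistent."""
    dialer_lists, acls, interfaces = parse_config(text)
    findings = []
    for name, attrs in interfaces.items():
        if not name.upper().startswith("BRI"):
            continue
        group = attrs["dialer-group"]
        if group is None:
            findings.append(f"{name}: no dialer-group, so nothing is interesting and the line never dials")
            continue
        dl = dialer_lists.get(group)
        if dl is None:
            findings.append(f"{name}: dialer-group {group} has no matching dialer-list {group}")
            continue
        if dl["action"] == "permit":
            findings.append(f"{name}: dialer-list {group} permits all {dl['protocol']} traffic, "
                            "so any packet brings up and holds the line")
        elif dl["action"] == "list" and dl["acl"] not in acls:
            findings.append(f"{name}: dialer-list {group} points at access-list {dl['acl']}, "
                            "which is not defined")
        if attrs["idle-timeout"] is None:
            findings.append(f"{name}: no dialer idle-timeout, so the 120-second default applies")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_ddr(cfg) or ["ok"])
```

Run against the sample it reports the dialer-group/dialer-list mismatch; against the corrected copy it reports nothing. Feeding it a configuration like the 804B listing, where dialer-list 1 permits all IP, flags the permit-all list, which is the case the text describes as fine for testing but not for a production DDR link.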

Specifying Interesting Traffic

After setting the route tables in each router, you need to configure the router to determine what
brings up the ISDN line. An administrator uses the dialer-list global configuration command
to define what is interesting traffic.
The command to configure all IP traffic as interesting is as follows:
804A(config)#dialer-list 1 protocol ip permit
804A(config)#interface bri0
804A(config-if)#dialer-group 1
The dialer-group command associates a dialer list to the BRI interface. Extended access
lists can be used with the dialer-list command to define exactly which traffic is interesting.
We’ll cover that in a minute.

Configuring the Static Routes

To forward traffic across the ISDN link, you configure static routes in each of the routers; static
routing is the suggested method for DDR links. Keep the following in mind when creating static routes:
• All participating routers must have static routes defining all routes of known networks.
• Default routing can be used if the network is a stub network.
An example of static routing with ISDN follows:
RouterA(config)#ip route 172.16.50.0 255.255.255.0 172.16.60.2
RouterA(config)#ip route 172.16.60.2 255.255.255.255 bri0
What this does is tell the router how to get to network 172.16.50.0, which is through
172.16.60.2. The second line tells the router how to get to host address 172.16.60.2 and to send
traffic out the BRI0 interface.

Configuring DDR

To configure legacy DDR, you need to perform three tasks:
• Define static routes, which define how to get to the remote networks and which interface
to use to get there.
• Specify the traffic that is considered interesting to the router.
• Configure the dialer information that will be used to dial the interface to get to the remote
network.

Dial-on-Demand Routing (DDR)

Dial-on-demand routing (DDR) enables two Cisco routers to use a dial-up connection on an
as-needed basis and is usually used as a backup solution in case of WAN circuit failure. DDR
is used only for low-volume, periodic network connections using either a PSTN asynchronous
or ISDN link. This was designed to reduce WAN costs if you have to pay on a per-minute or
per-packet basis.
Other terms you will undoubtedly run into are Legacy DDR Spoke configuration and Legacy
DDR Hub configuration. These terms are pretty simple to understand. A spoke interface
is any interface that calls or receives calls from exactly one other router. A hub, on the other
hand, calls or receives calls from more than one other router. Both configurations are similar
in theory, except that the hub is configured to call multiple locations.
DDR works when a packet received on an interface meets the requirements of an administrator-defined
access list, which defines interesting traffic. The following seven steps give a basic description
of how DDR works when an interesting packet is received on a router interface:
1. The route to the destination network is determined.
2. Interesting packets dictate a DDR call.
3. Dialer information is looked up.
4. The call is placed.
5. The connection is established.
6. Traffic is transmitted.
7. The call is terminated when no more interesting traffic is being transmitted over a link and
the idle-timeout period ends.

The CHAP Authentication Process

The authentication process between two routers occurs as follows:
1. The Challenger sends a Challenge (Type 1) packet to the remote end.
2. The remote end copies the Identifier into a new Response (Type 2) packet and includes the
hashed secret. The secret (the password) itself is never transmitted, only the hashed value.
3. The Challenger receives the Response packet and compares the received hash with the hash it
computes from its own copy of the secret. If they match, it sends a Success (Type 3) packet back;
otherwise, it sends a Failure (Type 4) packet back.
Challenge and Response packets have the following fields:
Code Eight bits; value of 1 for Challenge, or 2 for Response.
Identifier Eight bits; must be changed every time a challenge is sent.
Value-Size Eight bits; indicates the length of the Value field.
Value Variable (eight-bit minimum). The contents differ depending on whether the packet is a
Challenge or a Response. The Challenge value contains the challenge itself and is a variable-length
stream of octets. It must be changed each time a Challenge is sent. The length of the Challenge
value depends on the method used to generate the octets and is independent of the hash algorithm
used.
The Response value is the one-way hashed response calculated over a stream of octets consisting
of the Identifier, followed by (concatenated with) the “secret,” followed by (concatenated with)
the Challenge value. The length of the Response value depends on the hash algorithm used (16
octets for MD5).
Name Variable (eight-bit minimum); identifies the system transmitting the packet.
Success (3) and Failure (4) packets have these fields:
• Code
• Identifier (which is copied from the Response)
• Length
• Message
The Message field is one or more octets long and contains information that is readable by
humans. By using the debug ppp authentication command, you can see each step that is
taken with the CHAP Challenge and Response fields:
BR0:1 PPP: Treating connection as a callout
BR0:1 PPP: Phase is AUTHENTICATING, by both
BR0:1 CHAP: O CHALLENGE id 1 len 23 from "r2"
BR0:1 CHAP: I CHALLENGE id 1 len 23 from "r3"
BR0:1 CHAP: O RESPONSE id 1 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 1 len 4
BR0:1 CHAP: I RESPONSE id 1 len 23 from "r3"
BR0:1 CHAP: O SUCCESS id 1 len 4
Figure 26.9 shows the CHAP authentication process.
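The three-step exchange and the field layouts above, as an added Python model that is not from the book or from Cisco IOS. It builds the Challenge, Response and Success/Failure packets field by field, computes the Response value as the MD5 hash over Identifier, secret and Challenge value, verifies it on the Challenger side, and renders each packet in the style of the debug ppp authentication lines. The names r2 and r3 follow the debug output; the shared secret and the fixed challenge used in the test are constructed values. It also shows where the lengths in the debug output come from: a 16-octet challenge from "r2" gives len 23 (4-octet header, 1-octet Value-Size, 16-octet Value, 2-octet Name), and a Success packet with an empty Message is len 4.

```python
import hashlib
import hmac
import os
import struct

# CHAP packet codes (RFC 1994)
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
CODE_NAMES = {CHALLENGE: "CHALLENGE", RESPONSE: "RESPONSE", SUCCESS: "SUCCESS", FAILURE: "FAILURE"}


def chap_hash(identifier, secret, challenge_value):
    """Response value: MD5 over Identifier || secret || Challenge value (16 octets)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge_value).digest()


def build_packet(code, identifier, value, name):
    """Challenge (1) / Response (2): Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_result(code, identifier, message=b""):
    """Success (3) / Failure (4): Code, Identifier (copied from the Response), Length, Message."""
    return struct.pack("!BBH", code, identifier, 4 + len(message)) + message


def parse_packet(data):
    """Decode any of the four packet types into a dict; raises on a bad Length field."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match packet size")
    if code in (CHALLENGE, RESPONSE):
        value_size = data[4]
        value = data[5:5 + value_size]
        if len(value) != value_size:
            raise ValueError("Value-Size runs past the end of the packet")
        return {"code": code, "id": identifier, "len": length, "value": value,
                "name": data[5 + value_size:]}
    return {"code": code, "id": identifier, "len": length, "message": data[4:]}


def debug_line(direction, packet):
    """Summarise a packet the way debug ppp authentication prints it (O = sent, I = received)."""
    p = parse_packet(packet)
    line = f'CHAP: {direction} {CODE_NAMES[p["code"]]} id {p["id"]} len {p["len"]}'
    if "name" in p:
        line += f' from "{p["name"].decode()}"'
    return line


def chap_exchange(challenger_secret, peer_secret, challenger_name=b"r2", peer_name=b"r3",
                  identifier=1, challenge_value=None):
    """One CHAP round. Returns (result code, [Challenge, Response, Success/Failure] as bytes)."""
    if challenge_value is None:
        challenge_value = os.urandom(16)     # fresh random octets for every challenge
    challenge = build_packet(CHALLENGE, identifier, challenge_value, challenger_name)

    # Remote end: copies the Identifier, hashes its own secret with the challenge,
    # and sends only the hash back; the password never goes on the wire.
    c = parse_packet(challenge)
    response = build_packet(RESPONSE, c["id"], chap_hash(c["id"], peer_secret, c["value"]), peer_name)

    # Challenger: recompute with its own copy of the secret and compare in constant time.
    r = parse_packet(response)
    expected = chap_hash(identifier, challenger_secret, challenge_value)
    ok = r["id"] == identifier and hmac.compare_digest(r["value"], expected)
    result = build_result(SUCCESS if ok else FAILURE, r["id"])
    return parse_packet(result)["code"], [challenge, response, result]


if __name__ == "__main__":
    code, pkts = chap_exchange(b"sharedsecret", b"sharedsecret")
    # As seen from r2: it sends the Challenge, receives the Response, sends the result
    for direction, pkt in zip("OIO", pkts):
        print("BR0:1", debug_line(direction, pkt))
    print("result:", CODE_NAMES[code])
```

Because each side computes the hash independently, a mismatched secret produces a Failure packet without the password ever appearing in either direction; the Identifier check in chap_exchange is why the text says it must change every time a Challenge is sent, since a Response carrying a stale Identifier would otherwise be accepted against the wrong challenge.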