BUILDING REMOTE ACCESS NETWORKS part 5 pps


Enabling Dial-on-Demand Routing (DDR) • Chapter 6 217

     bandwidth 64
     dialer in-band
     dialer pool 2
     dialer remote-name Router3
     dialer string 8358661 class backup
     dialer load-threshold 127 either
     dialer-group 1
     ppp multilink
    !
    map-class dialer backup
     dialer fast-idle 30
     dialer hold-queue 20
     dialer idle-timeout 180

The first two bold commands in Figure 6.4 configure the BRI0 interface to be a member of dialer pools 1 and 2. The optional priority parameter can be used to specify that one pool receives priority over another. The priority range is from 0 (lowest) to 255 (highest), with a default value of 0. The next two bold commands configure interfaces dialer1 and dialer2 to be members of dialer pools 1 and 2, respectively. Finally, the map class backup has been configured. You can see that under the dialer string commands in dialer pools 1 and 2, the class backup parameter has been used. The class parameter associates the map class backup with that interface when that string is dialed.

Virtual Profiles

The virtual profile feature of DDR is a method of customizing each dial-up connection with its own virtual interface. When using virtual profiles, each user who dials in to the network is assigned his own unique interface. This feature allows for a more scalable dial-up network. Some of the virtual profile features work if you are using DDR dialer profiles or legacy DDR, or even if DDR is not configured. One use of a virtual profile is for a specific user to get a specific IP address and/or routing entries.

NOTE
In the event you are using a dialer profile for a specific user, the virtual profile will override the configuration.
www.syngress.com 93_sbcran_06 10/16/00 1:28 PM Page 217

There are two components of a virtual profile: the generic component, which is information common to all dial-up users, including some router configuration; and the user-specific component, with information about each user obtained from an authentication, authorization, and accounting (AAA) server. (See Chapter 8 for an overview of AAA.) When creating a virtual profile, you can use either the generic component (Case 1), the user-specific component (Case 2), or both (Case 3). Each of these cases is explained in the following section.

Case 1: Create a Virtual Profile Using the Virtual Template

In this first example, the virtual profile is created by applying the virtual template and a subset of the configuration obtained from the AAA server; the router will apply the configuration commands in the virtual interface to the physical interface. If the physical interface has been configured for legacy DDR or a dialer profile with no specific user, the virtual interface configuration will override the existing configuration. If, however, the interface has been configured with user information and a dialer profile, it will override the virtual profile. When the virtual interface is used, the router applies the configuration commands to the physical interface the user dialed into, whether it is an ISDN line, a serial line, or an asynchronous serial line. Once the virtual interface commands have been applied, the router checks for user-specific information on the AAA server. If the AAA server contains interface-specific information for that user, it is ignored. Only non-interface-specific information is applied, such as access lists, routes, address pools, and route filters. If you are using ISDN with virtual interfaces, the virtual interface is applied to the B-channel as opposed to the D-channel.
This allows separate configurations on each B-channel for different users.

Configure a Virtual Profile Using Virtual Templates

To configure a virtual profile using a virtual template, you need to perform the following steps:

1. Configure a virtual template interface
2. Group the virtual template interface with the virtual profile

Configure a Virtual Template Interface

The virtual template is a serial interface, which means you can configure the same commands on it as on any other serial interface, except shutdown and dialer commands. Figure 6.5 shows an example of a virtual template interface.

Figure 6.5 Configuration for virtual template interface.

    interface virtual-template 1
     ip unnumbered ethernet 0
     encapsulation ppp
     ppp authentication chap

As you can see, the configuration for the virtual template is very simple; in addition to the commands above, you can configure many additional commands.

Group the Virtual Template Interface with the Virtual Profile

Grouping the virtual template with the virtual profile is done by issuing the virtual-profile virtual-template number command. The virtual template number can range from 1 to 30. With this method of creating a virtual profile, all interface-specific AAA commands are ignored, while all other AAA commands, such as routes and access lists, are still applied. With this method of creating a virtual profile, there is no requirement for using AAA. If AAA is not used, all users that need access to the router must be specifically created in the router configuration.

Case 2: Create a Virtual Profile Using the AAA Server

In this case, the virtual profile is created solely from the configuration obtained from the AAA server. When a user establishes a Point-to-Point Protocol (PPP) session, the router contacts the AAA server and obtains user-specific information, which is then applied to the virtual profile for that user.
The information is interpreted as IOS commands, as if the AAA server were directly connected to the router making configuration changes. Both interface and non-interface commands can be included in the information from the AAA server. Once the router gets the commands from the AAA server, it applies them to the interface, overriding any previous configuration for that interface. When the PPP session is terminated, the virtual profile is deleted and the interface is restored to its default configuration.

Configure a Virtual Profile Using the AAA Server

To configure a virtual profile using an AAA server, you need to perform the following steps:

1. Configure AAA on the router
2. Specify AAA as the virtual profile source
3. Configure the per-user configurations on the AAA server

Configure AAA on the Router

For details on configuring AAA on the router, refer to Chapter 8, "Securing Your Remote Access Network."

Specify AAA as the Virtual Profile Source

To specify AAA as the virtual profile source, use the virtual-profile aaa command from global configuration mode.

Configure the Per-user Configurations on the AAA Server

The following example contains an excerpt from both the AAA server and the router running per-user configurations. Figure 6.6 contains a per-user configuration for users Mike and Dan. For more details on per-user configurations on the AAA server, refer to Cisco's Web site at www.cisco.com. In this example, two users are configured for authentication on the AAA server, and the router is configured to use AAA authentication.

Figure 6.6 AAA server configuration for virtual profile using AAA server.
AAA Configuration for Mike and Dan

    mike Password = "ekimpass"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "interface_config=ip address 172.16.1.100 255.255.255.0"

    dan Password = "danssecret"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "interface_config=ip address 172.16.2.100 255.255.255.0"

The router in Figure 6.7 is configured to reference the AAA server for its virtual profile information. In this example, Mike would get IP address 172.16.1.100 when he dials in, and Dan would get IP address 172.16.2.100.

Figure 6.7 Router configuration for virtual profile using AAA server.

Router Configuration

    aaa new-model
    aaa authentication ppp default radius
    aaa authorization network radius
    virtual-profile aaa
    !
    interface dialer 0
     ip address 10.0.1.1 255.255.255.0
     encapsulation ppp
     dialer map ip 10.0.1.2 name mike 8348661
     dialer map ip 10.0.1.3 name dan 8348662
     dialer-group 1
     ppp authentication chap

Case 3: Create a Virtual Profile Using Both the Virtual Template and AAA Server

The configuration from the AAA server and the virtual interface template together make up Case 3. When using both AAA and virtual templates, the router processes a new PPP session in the following order:

1. The virtual profile is dynamically created from the information contained in the virtual template
2. The AAA server information is obtained and applied to the virtual profile

Just as in Case 2, if there is conflicting information between the AAA server or the virtual template and the router, the router configuration is overwritten. This case offers the most customizable configuration possible. Specific user information as well as generic information can be combined to create user-unique profiles.
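The precedence rules of the three cases decide which configuration a dial-in user actually ends up with, so it is worth modelling them. The following Python is an added example, not code from the book or from Cisco: it parses records in the users-file layout of Figure 6.6 and builds the effective per-user configuration for Case 1, 2 and 3. The extra ip:route attribute for mike and the rule that "ip address" and "ip unnumbered" conflict are assumptions made for the illustration.

```python
import re

# Constructed sample in the users-file layout of Figure 6.6. The second
# avpair for mike ("ip:route=...") is an assumed example of a
# non-interface-specific per-user entry, not something from the page.
AAA_USERS = '''
mike Password = "ekimpass"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "interface_config=ip address 172.16.1.100 255.255.255.0",
    cisco-avpair = "ip:route=192.168.50.0 255.255.255.0"
dan Password = "danssecret"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "interface_config=ip address 172.16.2.100 255.255.255.0"
'''

# Figure 6.5: the generic component shared by every dial-in user.
VIRTUAL_TEMPLATE = [
    "ip unnumbered ethernet 0",
    "encapsulation ppp",
    "ppp authentication chap",
]

AVPAIR_RE = re.compile(r'cisco-avpair\s*=\s*"([^"]*)"')


def parse_users(text):
    """Return {user: [avpair, ...]}; a user record starts in column 0."""
    users, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]
            users[current] = []
        m = AVPAIR_RE.search(line)
        if m and current is not None:
            users[current].append(m.group(1).rstrip(","))
    return users


def command_key(cmd):
    """Commands that configure the same thing share a key, so a later one
    replaces an earlier one ('ip address' vs. 'ip unnumbered'). Assumed rule."""
    words = cmd.split()
    if words[:2] in (["ip", "address"], ["ip", "unnumbered"]):
        return "ip-addressing"
    return " ".join(words[:2])


def build_virtual_profile(case, avpairs, template=VIRTUAL_TEMPLATE):
    """Effective per-user config for Case 1, 2 or 3 as the chapter describes.
    Case 1: template only; AAA interface_config entries are ignored, other
            AAA entries (routes, access lists) still apply.
    Case 2: AAA entries only, interface-specific or not.
    Case 3: template first, then AAA entries override on conflict.
    Returns (interface commands, non-interface AAA entries)."""
    iface = {}   # key -> command, keeps insertion order
    extra = []   # per-user items that are not interface commands
    if case in (1, 3):
        for cmd in template:
            iface[command_key(cmd)] = cmd
    for av in avpairs:
        name, _, value = av.partition("=")
        if name != "interface_config":
            extra.append(av)
        elif case != 1:          # Case 1 discards interface-specific AAA data
            iface[command_key(value)] = value
    return list(iface.values()), extra
```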
Configure a Virtual Profile Using Both the Virtual Template and AAA Server

To configure a virtual profile using both a virtual template and an AAA server, you need to perform the following steps:

1. Configure a virtual interface template
2. Configure AAA on the router
3. Configure the per-user configurations on the AAA server
4. Specify the virtual profile by both virtual templates and AAA

Steps 1, 2, and 3 are similar to the steps in the previous two cases. Step 4 is a combination of Cases 1 and 2. Figures 6.8 and 6.9 show all four steps on both the AAA server and the router.

Figure 6.8 AAA server configuration for virtual profile using both virtual template and AAA server.

AAA Configuration for Mike and Dan

    mike Password = "ekimpass"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "interface_config=ip address 172.16.1.100 255.255.255.0"

    dan Password = "danssecret"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "interface_config=ip address 172.16.2.100 255.255.255.0"

Figure 6.8 is an excerpt from the AAA server and is the same as the AAA server configuration used in the example on configuring a virtual profile using AAA.

Figure 6.9 Router configuration for virtual profile using both virtual template and AAA server.

    aaa new-model
    aaa authentication ppp default radius
    aaa authorization network radius
    virtual-profile virtual-template 1
    virtual-profile aaa
    !
    interface Virtual-Template 1
     ip unnumbered ethernet 0
     encapsulation ppp
     ppp authentication chap
    !
    interface dialer 0
     ip address 10.0.1.1 255.255.255.0
     encapsulation ppp
     dialer map ip 10.0.1.2 name mike 8348661
     dialer map ip 10.0.1.3 name dan 8348662
     dialer-group 1
     ppp authentication chap

Figure 6.9 is an excerpt from the router configuration for creating the virtual profile by both AAA and virtual templates. The two commands in bold group the virtual profile to both AAA and the virtual template. Creating the virtual template and configuring AAA are the same as in the previous examples.

Fine Tuning Connections

DDR has several options available for fine-tuning its connections. The biggest expense in DDR is the cost of the link, so most of the options available directly address timers used in maintaining and terminating DDR sessions. Another way of keeping costs down is by limiting when and how often the line gets established. This is done through dialer lists. By now you should have a good understanding of what a dialer list is and how to configure one. The next section reiterates this and gives more examples of dialer lists, with additional information on setting specific dialing and disconnecting timers.

Dialer Lists

Interesting traffic is defined as traffic that the router deems important. The way to define this is by configuring an access list. All traffic destined for a DDR interface must pass through the dialer list before being marked "interesting." When interesting traffic comes into the router destined for a remote network, the router establishes a call to the remote network and sends the data. Once the circuit is connected, all traffic (including uninteresting traffic) can flow through the circuit. Once your defined interesting traffic stops (for a specified, configurable amount of time), the call will be disconnected.

NOTE
When the circuit has been connected, traffic that is marked interesting will reset the idle timer.
The idle timer is what causes the link to be terminated. Because the dialer list is tied to how long the line is kept open, it is important to configure the dialer list carefully. The limit on the number of dialer lists in a router is 10, but each list can have multiple entries. Figures 6.10 and 6.11 are examples of dialer lists; they are followed by a brief explanation of what traffic will be permitted or denied.

Figure 6.10 Dialer list example 1.

    dialer-list 1 protocol ip list 101
    !
    access-list 101 permit tcp any any eq smtp
    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq pop3
    access-list 101 permit tcp any any eq telnet
    access-list 101 permit icmp any any
    access-list 101 deny ip any any

The dialer list in Figure 6.10 permits only IP traffic that passes access list 101. Access list 101 allows only e-mail, WWW, Telnet, and ICMP traffic.

Figure 6.11 Dialer list example 2.

    dialer-list 1 protocol ip permit
    dialer-list 1 protocol appletalk permit
    dialer-list 1 protocol ipx permit
    dialer-list 1 protocol decnet permit

The example in Figure 6.11 allows IP, AppleTalk, IPX, and DECnet traffic to initiate a connection. This type of dialer list would be costly if use of the line was measured by how long it was connected.

Dialer Timers

In addition to dialer lists, dialer timers are another way of keeping DDR costs down. There are several different timers associated with DDR. The timers are:

■ Enable-timeout
■ Fast-idle
■ Hold-queue
■ Idle-timeout
■ Wait-for-carrier-time

The enable-timeout timer sets the amount of time that an interface stays down before it is capable of dialing. The command syntax is dialer enable-timeout seconds, where seconds is a value between 1 and 2147483. The default is 15 seconds.

The fast-idle timer is a timer that overrides the idle-timeout timer.
If an interface is connected to location A and traffic destined for location B enters the router and the interface cannot dial, the fast-idle timer starts counting down to 0. Once the fast-idle timer reaches 0, the interface is reset, allowing the traffic destined for location B to be sent. The syntax for the fast-idle timer is dialer fast-idle seconds, where seconds is a value between 1 and 2147483. The default value for the dialer fast-idle time is 20 seconds.

The hold-queue is a queue that the interface maintains. If the interface is not connected and interesting traffic comes in, the hold-queue holds a specified number of packets while the interface is brought up. Once the interface is connected, the hold-queue is emptied and any future traffic can flow directly through the interface. The syntax for the hold-queue is dialer hold-queue packets [timeout seconds], where packets is the number of packets to be held, from 0 to 100, and the optional timeout parameter is how long the packets will be kept while the interface is being connected. By default, the hold queue is 0, which means that during call establishment all incoming packets will be dropped.

As mentioned earlier, the idle-timeout is the amount of time the router waits between seeing interesting traffic and disconnecting the line. Once an interface is connected, the idle-timeout timer is started. Once the timer reaches 0, the interface is disconnected. If interesting traffic enters the router during the call, the idle-timeout timer is reset. The syntax for the command is dialer idle-timeout seconds [either], where seconds is the amount of time before disconnecting the line (between 1 and 2147483 seconds) and either informs the router to count both inbound and outbound traffic for the idle-timeout. The default idle-timeout is 120 seconds.
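To see how the dialer list and the idle-timeout interact (interesting traffic resets the timer, uninteresting traffic flows but does not), here is an added Python example, not code from the book: it classifies constructed sample packets against the access list of Figure 6.10 and replays them against a dialer idle-timeout, returning the moment the call would drop. The packet fields and the traffic sample are constructed for the illustration; the either keyword (direction) is not modelled.

```python
from dataclasses import dataclass

# Figure 6.10's dialer list and access list 101, embedded as text so the
# classifier parses the same lines the router would be given (the final
# entry carries the explicit "ip" keyword an extended access list needs).
DIALER_LIST = "dialer-list 1 protocol ip list 101"
ACL_101 = """
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq telnet
access-list 101 permit icmp any any
access-list 101 deny ip any any
"""

# Well-known port names IOS accepts in 'eq' clauses (only those used above).
PORT_NAMES = {"smtp": 25, "www": 80, "pop3": 110, "telnet": 23}


@dataclass
class Packet:          # constructed, minimal view of a routed packet
    t: float           # seconds since the call was connected
    proto: str         # "tcp", "udp" or "icmp"
    dport: int = 0


def acl_number(dialer_list_line):
    """Return the access-list number a 'dialer-list ... list N' points at."""
    w = dialer_list_line.split()
    return int(w[w.index("list") + 1])


def parse_acl(text):
    """Return [(action, protocol, port-or-None), ...] in list order."""
    entries = []
    for line in text.strip().splitlines():
        w = line.split()
        action, proto = w[2], w[3]
        port = PORT_NAMES[w[-1]] if "eq" in w else None
        entries.append((action, proto, port))
    return entries


def is_interesting(pkt, acl):
    """First matching entry decides, as on the router; implicit deny."""
    for action, proto, port in acl:
        if proto not in ("ip", pkt.proto):
            continue
        if port is not None and port != pkt.dport:
            continue
        return action == "permit"
    return False


def simulate_call(packets, acl, idle_timeout=120):
    """Replay packets over a connected DDR link and return the time the
    idle timer expires. Only interesting traffic resets the timer; other
    traffic still flows but does not keep the line up."""
    last_reset = 0.0
    for pkt in sorted(packets, key=lambda p: p.t):
        if pkt.t - last_reset >= idle_timeout:
            break                              # line already dropped
        if is_interesting(pkt, acl):
            last_reset = pkt.t
    return last_reset + idle_timeout


# Constructed traffic: mail, web and ICMP keep the line up, a DNS query
# (udp/53) at t=300 does not, so with the default 120 s idle-timeout the
# call drops at t=320 and the web packet at t=400 would need a new call.
SAMPLE = [Packet(10, "tcp", 25), Packet(90, "tcp", 80), Packet(200, "icmp"),
          Packet(300, "udp", 53), Packet(400, "tcp", 80)]
```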
The wait-for-carrier-time timer is how long the router will wait for a carrier to come up before dialing. The syntax for this command is dialer wait-for-carrier-time seconds, where seconds is a value between 1 and 2147483. The default wait-for-carrier-time is 30 seconds.

Walkthrough

The following walkthrough shows how to configure a router to make multiple connections over the same physical interface. In this example, a 3640 router is used with PRI, FastEthernet, and digital modem modules. The 3640 is configured to accept analog and ISDN dial-up connections as well as a connection to a remote 3620 router, all through the PRI interface. Figure 6.12 shows the network diagram. Figure 6.13 is the router configuration for the 3640.

Figure 6.12 PRI with ISDN dialup, ISDN dialout, and analog dialup. [Diagram labels: 3620, E0, Telco, 3640, PRI0, FE0/0, 10.0.2.2 - 10.0.2.20, 10.0.0.1, 10.0.4.1, 10.0.3.2, ISDN Dialup, BRI0, Workstation, 10.0.3.1, Dialer 3, Dialer 2, Async Group 1, 10.0.2.1, 192.168.100.1, Workstation, Analog Dialup, 192.168.100.2 - 192.168.100.20, 835-8662]

Posted: 14/08/2014, 13:20
