Dial Solutions Configuration Guide
Enterprise Dial Scenarios and Configurations

Table Of Contents

Enterprise Dial Scenarios and Configurations

Scalability and Design Issues

Remote Offices and Telecommuters Dialing In to a Central Site

Sample Configurations for Remote Offices and Telecommuters

Cisco 1604 Dialing In to a Cisco 3620 Central Site Router

Cisco 700 Series Router Dialing In to a Cisco 3620 Central Site Access Router

Cisco 700 Series Router Using PAT to Dial In to a Cisco AS5200 Central Site Access Server

Cisco 1600 Using Easy IP to Dial In to a Central Site

Cisco 3640 Central Site Configuration to Support ISDN and Modem Calls

Cisco AS5200 Central Site Configuration Using Remote Security

Bidirectional Dial Networking between a Central Site and Remote Offices or Telecommuters

Dialer Profiles and Virtual Profiles

Configuration Examples

Cisco AS5200 Configuration with Dialer Profiles

Cisco 1604 ISDN Configuration with Dialer Profiles

Cisco 1604 Async Configuration with Dialer Profiles

Cisco AS5200 Configuration without Dialer Profiles

Cisco 1604 ISDN Configuration without Dialer Profiles

Cisco 1604 Async Configuration without Dialer Profiles

Large Scale Dial-In Configuration Using Virtual Profiles

Telecommuters Dialing In to a Mixed Protocol Environment

Description of a Mixed Protocol Enterprise Environment

Sample Enterprise Network for Dial-In Access

Mixed Protocol Configuration Examples

Cisco 7200 #1 Backbone Router

Cisco 7200 #2 Backbone Router

Cisco AS5200 Universal Access Server


Enterprise Dial Scenarios and Configurations


This chapter provides sample hardware and software configurations for specific dial scenarios used by enterprises. Each configuration is designed to support IP network traffic with basic security for the specified scenario.

The following scenarios are described:

Scenario 1—Remote Offices and Telecommuters Dialing In to a Central Site

Scenario 2—Bidirectional Dial Networking between a Central Site and Remote Offices or Telecommuters

Scenario 3—Telecommuters Dialing In to a Mixed Protocol Environment


Note   If you use Token card-based security in your dial network, Cisco recommends that you enable PAP authentication and disable multilink to maximize dial-in performance.


Scalability and Design Issues

You need to consider scalablility and design issues when building dial enterprise networks. As the number of company employees increases, the number of remote users needing to dial in increases. A scalable dial solution is needed as the demand for dial-in ports grows. For example, it is not uncommon for a fast-growing enterprise to grow from a demand of 100 modems to 250 modems in less than one year.

You should always maintain a surplus of dial-in ports to accommodate company growth and occasional increases in access demand. In the early stages of a fast-growing company that has 100 modems installed for 6,000 registered remote users, only 50 to 60 modems might be active at the same time. One year later, however, 250 modems might be installed to support 10,000 registered token card holders.

During special company occasions, such as a worldwide convention, demand for remote access can also increase significantly. During such an activity, dial-in lines are heavily stressed throughout the day and evening by remote sales people using laptops to access e-mail and share files. This behavior is indicative of sales people working away from their home territories or sales offices. Network administrators need to prepare for these remote access bursts, which cause significant increases for remote access demand.

Remote Offices and Telecommuters Dialing In to a Central Site

Employees stationed in remote offices or disparate locations often dial in to central sites or headquarter offices to download or upload files and check e-mail. These employees often dial in to the corporate network from a remote office LAN using ISDN or from another location such as a hotel room using a modem.

The following types of remote enterprise users dial in to enterprise networks:

Full time telecommuters—Employees using stationary workstations to dial in from a small office or home office (SOHO), making ISDN connections with terminal adapters or PC cards through the public telephone network, and operating at higher speeds over the network, which rules out the need for a modem.

Travelers—Employees such as sales people who are not in a steady location for more than 30% of the time, usually dial in to the network with a laptop and modem through the public telephone network, and primarily access the network to check e-mail or transfer a few files.

Workday extenders—Employees who primarily work in the company office, occasionally dial in to the enterprise with a mobile or stationary workstation plus modem, and primarily access the network to check e-mail or transfer a few files.

Remote office LANs typically dial in to other networks using ISDN, which provides a larger bandwidth that cannot be attained over analog telephone connections. Remote offices that use Frame Relay to access other networks require a more costly dedicated link.

Connections initiated by remote offices or telecommuters are brought up on an as-needed basis, which results in substantial cost savings for the company. In dial-on-demand scenarios, users are not connected for long periods of time. The number of remote nodes requiring access is relatively low, and the completion time for the dial-in task is short.

Central or headquarter sites typically do not dial out to the remote LANs or devices. Instead, central sites respond to calls. Remote sites initiate calls. For example, a field sales office might use ISDN to dial in to and browse a central site's intranet. Additionally a warehouse comprised of five employees can use ISDN to log in to a remote network server to download or upload product order information. For an example of bidirectional dialing, see the section "Bidirectional Dial Networking between a Central Site and Remote Offices or Telecommuters."


Note   When using dial-on-demand routing, you must make a fundamental decision about how your routing will be set up: to use static routes or snapshot routing. For IP-only configurations, static routes are commonly used for remote dial-in. For IPX networking, snapshot routing is often used to minimize configuration complexity.


shows an example of a remote office placing digital calls in to a central site network. The remote office router can be any Cisco router with a BRI physical interface, such as a Cisco 766 or Cisco 1604. The central office gateway router can be any Cisco router that supports PRI connections, such as a Cisco 3600 series, 4000 series, or 7000 series router.

Figure 17 Remote Office Dialing In to a Central Site

shows an example of a remote office and telecommuter dialing in to a central site. The remote office places digital calls. The telecommuter places analog calls. The remote office router can be any Cisco router with a BRI interface, such as a Cisco 766, 1604, or 2503. The central office gateway router is a Cisco AS5200 or Cisco 3640, which supports both PRI and analog connections.

Figure 18 Remote Office and Telecommuter Dialing In to a Central Site

 

Sample Configurations for Remote Offices and Telecommuters

The following sample configurations are provided for different combinations of dial-in scenarios, which can be derived from and :

Cisco 1604 Dialing In to a Cisco 3620 Central Site Router

Cisco 700 Series Router Dialing In to a Cisco 3620 Central Site Access Router

Cisco 700 Series Router Using PAT to Dial In to a Cisco AS5200 Central Site Access Server

Cisco 1600 Using Easy IP to Dial In to a Central Site

Cisco 3640 Central Site Configuration to Support ISDN and Modem Calls

Cisco AS5200 Central Site Configuration Using Remote Security


Note   Be sure to include your own IP addresses, host names, and security passwords where appropriate.


Cisco 1604 Dialing In to a Cisco 3620 Central Site Router

This section provides a common configuration for a Cisco 1604 remote office router dialing in to a Cisco 3620 access router positioned at a central enterprise site. Only ISDN digital calls are supported in this scenario. No analog modem calls are supported. All calls are initiated by the remote router on an as-needed basis. The Cisco 3620 is not setup to dial out to the Cisco 1604. (See .)

The following configurations for the Cisco 1604 and Cisco 3620 use the IP unnumbered address configuration, Multilink PPP, and the dial-load threshold feature, which brings up the second B channel when the first B channel exceeds a certain limit. Because static routes are used, a routing protocol is not configured. A default static route is configured on the Cisco 1604, which points back to the central site. The central site also has a static route that points back to the remote LAN. Static route configurations assume that you have only one LAN segment at each remote office.

Configuration for the Remote Cisco 1604

The following example runs on the Cisco 1604 router, shown in . This SOHO router places digital calls in to the Cisco 3620 central site access router. See the next example for the Cisco 3620 router's running configuration.

!
version 11.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname remotelan1
!
enable secret cisco
!
username NAS password dialpass
username admin password cisco

isdn switch-type basic-5ess
!
interface Ethernet0
 ip address 10.2.1.1 255.255.255.0
!
interface BRI0
 ip unnumbered Ethernet0
 encapsulation ppp
 dialer map ip 10.1.1.10 name NAS 5551234
 dialer load-threshold 100 either
 dialer-group 1
 no fair-queue
 ppp authentication chap pap callin
 ppp multilink
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.10
ip route 10.1.1.10 255.255.255.255 BRI0
dialer-list 1 protocol ip permit
!
line con 0
line vty 0 4
 login local
!
end

Configuration for the Cisco 3620 Central Site Access Router

The following sample configuration runs on the Cisco 3620 shown in . This modular access router has one 2-port PRI network module installed in slot 1 and one 1-port Ethernet network module installed in slot 0. The router receives only digital ISDN calls from the Cisco 1604. The configuration for the Cisco 1604 is provided in the previous example.

!
version 11.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin local
aaa authentication ppp default local
aaa authentication ppp dialin if-needed local
enable secret cisco
!
username admin password cisco
username remotelan1 password dialpass

async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 1/0
 framing esf
 clock source line 
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1/1
 framing esf
 clock source line 
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 ip address 10.1.2.254 255.255.255.0
!
interface Ethernet 0/0
 ip address 10.1.1.10 255.255.255.0
 ip summary address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial 1/0:23
 no ip address
 encapsulation ppp
 isdn incoming-voice modem
 dialer rotary-group 0
 dialer-group 1
 no fair-queue
 no cdp enable
!
interface Serial 1/1:23
 no ip address
 encapsulation ppp
 isdn incoming-voice modem
 dialer rotary-group 0
 dialer-group 1
 no fair-queue
 no cdp enable
!
interface Dialer0
 ip unnumbered Loopback0
 no ip mroute-cache
 encapsulation ppp
 peer default ip address pool dialin_pool
 dialer in-band
 dialer-group 1
 no fair-queue
 no cdp enable
 ppp authentication chap pap dialin
 ppp multilink
!
router eigrp 10
 network 10.0.0.0
 passive-interface Dialer0
 default-metric 64 100 250 100 1500
 redistribute static 
 no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1

ip route 10.2.1.1 255.255.255.255 Dialer0
ip route 10.2.1.0 255.255.255.0 10.2.1.1

ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
 login authentication console
line aux 0
 login authentication console
line vty 0 4
 login authentication vty
 transport input telnet rlogin
!
end

Cisco 700 Series Router Dialing In to a Cisco 3620 Central Site Access Router

This section provides a common configuration for a Cisco 760 or Cisco 770 series remote office router placing digital calls in to a Cisco 3620 router positioned at a central enterprise site. All calls are initiated by the remote router on an as-needed basis. The Cisco 3620 is not set up to dial out to the remote office router. (See .)

Configuration for the Remote Cisco 700 Series Router

The following example is for a Cisco 760 or Cisco 770 series ISDN router placing digital calls in to a central site router that supports ISDN PRI, such as the Cisco 3620. In this scenario, ISDN unnumbered interfaces with static routes are pointing back to the Cisco 3620.

To configure the router, perform the following tasks. However, this configuration assumes you are starting from the router's default configuration. To return the router to its default configuration, issue the set default command.

Step
Command
Purpose
1

>

> set systemname remotelan1

remotelan1>

At the system prompt level, specify the router's host name, which is also used when responding to CHAP authentication with the Cisco 3620. For CHAP authentication, the system's name must match the username configured on the Cisco 3620.

2

remotelan1> set ppp secret client
remotelan1> Enter new password: dialpass
remotelan1> Enter new password: dialpass

Set the transmit and receive password for the client. This is the password which is used in response to CHAP authentication requests, and it must match the username password configured on the Cisco 3620.

3

remotelan1> set encapsulation ppp

Set PPP encapsulation for incoming and outgoing authentication instead of CPP.

4

remotelan1> set ppp multilink on

Enable PPP multilink.

5

remotelan1> set user nas
remotelan1> New user nas being created

Create the profile nas, which is reserved for the Cisco 3620.

6

remotelan1:nas> set ip 0.0.0.0

Specify the LAN IP address. The sequence 0.0.0.0 means that it will use the address assigned to it from the central Cisco 3620 router. See step 14.

7

remotelan1:nas> set ip framing none

Configure the profiles to not use Ethernet framing.

8

remotelan1:nas> set ip route destination 0.0.0.0 gateway 10.1.1.10

Set the default route to point to the Cisco 3620 router's Ethernet IP address.

9

remotelan1:nas> set timeout 300

Set the idle time at which the B channel will be dropped. In this case, the line is dropped after 300 seconds of idle time.

10

remotelan1:nas> set 1/2 number 5551234

Set the number to call when dialing out of the first and second B channel.

11

remotelan1:nas> cd lan

Enter LAN profile mode.

12

remotelan1:LAN> set bridging off

Turn bridging off.

13

remotelan1:LAN> set ip routing on

Turn on IP routing.

14

remotelan1:LAN> set ip 10.2.1.1

Set the LAN IP address for the interface.


After you configure the Cisco 760 or Cisco 770 series router, the final configuration should look like this:

set systemname remotelan1
set ppp secret client
set encapsulation ppp
set ppp multilink on
cd lan
set bridging off
set ip routing on
set ip 10.2.1.1
set subnet 255.255.255.0
set user nas
set bridging off
set ip 0.0.0.0
set ip netmask 0.0.0.0
set ip framing none
set ip route destination 0.0.0.0 gateway 10.1.1.10 
set timeout 300
set 1 number 5551234
set 2 number 5551234

The previous software configuration does not provide for any access security. The following optional commands provide access security.

Command
Purpose

set ppp authentication incoming chap

Provides CHAP authentication to incoming calls.

set callerid

Requires the calling parties number to be matched against the configured receive numbers (such as set by the set callidreceive # command). This command also denies all incoming calls if no callidreceive number is configured.

set remoteaccess protected

Specifies a remote system password, which enables you to make changes on the Cisco 700 series router from a remote location.

set localaccess protected

Specifies a local system password, which enables you to make changes on the Cisco 700 series router from a local console connection.

set password system

Sets the system password for the above access configurations.


Configuration for the Cisco 3620 Central Site Access Router

The following example provides a sample configuration for the Cisco 3620 router. This modular access router has one 2-port PRI network module installed in slot 1 and one 1-port Ethernet network module installed in slot 0. The router receives only digital ISDN calls over T1 lines from the Cisco 700 series remote office router, which is described in the previous example.

!
version 11.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin local
aaa authentication ppp default local
aaa authentication ppp dialin if-needed local
enable secret cisco
!
username admin password cisco
username remotelan1 password dialpass
!
async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 1/0
 framing esf
 clock source line 
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1/1
 framing esf
 clock source line 
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 ip address 10.1.2.254 255.255.255.0
!
interface Ethernet 0/0
 ip address 10.1.1.10 255.255.255.0
 ip summary address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial 1/0:23
 no ip address
 encapsulation ppp
 isdn incoming-voice modem
 dialer rotary-group 0
 dialer-group 1
 no fair-queue
 no cdp enable
!
interface Serial 1/1:23
 no ip address
 encapsulation ppp
 isdn incoming-voice modem
 dialer rotary-group 0
 dialer-group 1
 no fair-queue
 no cdp enable
!
interface Dialer0
 ip unnumbered Loopback0
 no ip mroute-cache
 encapsulation ppp
 peer default ip address pool dialin_pool
 dialer in-band
 dialer-group 1
 no fair-queue
 no cdp enable
 ppp authentication chap pap dialin
 ppp multilink
!
router eigrp 10
 network 10.0.0.0
 passive-interface Dialer0
 default-metric 64 100 250 100 1500
 redistribute static 
 no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1

ip route 10.2.1.1 255.255.255.255 Dialer0
ip route 10.2.1.0 255.255.255.0 10.2.1.1

ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
 login authentication console
line aux 0
 login authentication console
line vty 0 4
 login authentication vty
 transport input telnet rlogin
!
end

Cisco 700 Series Router Using PAT to Dial In to a Cisco AS5200 Central Site Access Server

This section shows a Cisco 700 series router using the port address translation (PAT) feature to dial in to a Cisco AS5200 central site access server. IP addresses are assigned from the central site, which leverages the PAT feature to streamline multiple devices at the remote site through a single assigned address. In this example, the Cisco 700 series router has a private range of IP addresses used on the Ethernet side. However, the router is able to translate between the local private addresses and the dynamically registered address on the WAN interface. (See .)

Configuration for the Cisco 700 Remote Router

The sample configuration in this section allows PCs on a LAN to boot up and acquire their IP address dynamically from a Cisco 700 series router, which in turn translates the private addresses into a single IP address assigned from a Cisco AS5200 central site router. The Cisco 700 series router also passes information via DHCP regarding the DNS server (in this example, 10.2.10.1) and the WINS server (in this example, 10.2.11.1) along with the domain name.

A possible sequence of events would be a remote PC running Windows 95 boots up on the Ethernet segment and gets its IP address and network information from the Cisco 700 series router. The PC then opens up Netscape and attempts to view a web page at the central site, which causes the Cisco 700 series router to dial in to the central site. The Cisco 700 series router dynamically obtains its address from the central site pool of addresses and uses it to translate between the private address on the local Ethernet segment and the registered IP address borrowed from the central site router.

To configure the Cisco 700 series remote router, perform the following tasks beginning in system configuration mode:

Step
Command
Purpose
1

>
> set systemname remotelan1
remotelan1>

At the system prompt level, specify the router's host name, which is also used when responding to CHAP authentication with the Cisco 3620. For CHAP authentication, the system's name must match the username configured on the Cisco 3620.

2

remotelan1> set ppp secret client
remotelan1> Enter new password:dialpass
remotelan1> Enter new password: dialpass

Set the transmit and receive password for the client. This is the password which is used in response to CHAP authentication requests, and it must match the username password configured on the Cisco 3620.

3

remotelan1> set encapsulation ppp

Set PPP encapsulation for incoming and outgoing authentication instead of CPP.

4

remotelan1> set ppp multilink on

Enable PPP multilink.

5

remotelan1> set dhcp server

Enable the router to act as a DHCP server and assign addresses from the private network. By default, all DHCP client addresses are assigned from the 10.0.0.0 network.

6

remotelan1> set dhcp dns primary 10.2.10.1

Pass the DNS server IP address to the DHCP client.

7

remotelan1> set dhcp wins 10.2.11.1

Pass the IP address of the WINs server to the DHCP client.

8

remotelan1> set dhcp domain nas.com

Set the DHCP domain name for the Cisco 3620 central site router.

9

remotelan1> set user nas
remotelan1> New user nas being created

Create the profile nas, which is setup for the Cisco 3620.

10

remotelan1:nas> set ip pat on

Enable Port Address Translation (PAT) on the router.

11

remotelan1:nas> set ip framing none

Configure the profiles to not use Ethernet framing.

12

remotelan1:nas> set ip route destination 0.0.0.0                 gateway 10.1.1.0

Set the default route to point to the Cisco 3620 router's Ethernet IP address.

13

remotelan1:nas> set 1 number 5551234

Set the number to call when dialing out of the first B channel.

14

remotelan1:nas> set 2 number 5551234

Set the number to call when dialing out of the second B channel.

15

remotelan1:nas> cd lan

Enter LAN profile mode.

16

remotelan1:LAN> set bridging off

Turn bridging off.

17

remotelan1:LAN> set ip routing on

Turn on IP routing on.


After you configure the router, the configuration should look like this:

set systemname remotelan1
set encapsulation ppp
set ppp secret client
set ppp multilink on
set dhcp server
set dhcp dns primary 10.2.10.1
set dhcp wins 10.2.11.1
set dhcp domain nas.com
set user nas
set bridging off
set ip routing on
set ip framing none
set ip pat on
set ip route destination 0.0.0.0 gateway 10.1.1.0
set 1 number 5551234
set 2 number 5551234

Configuration for a Cisco AS5200 Central Site Access Server

This example provides a sample configuration for a Cisco AS5200 receiving calls from the Cisco 700 series router in the previous example.


Note   This configuration can also run on a Cisco 4000, 3600, or 7000 series router. However, the interface numbering scheme for these routers will be in the form of slot/port. Additionally, the clocking will be set differently. See your product's hardware and software configuration guides and configuration notes for more details.


!
version 11.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin local
aaa authentication ppp default local
aaa authentication ppp dialin if-needed local
enable secret cisco
!
username admin password cisco
username remotelan1 password dialpass

async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 framing esf
 clock source line secondary
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 ip address 10.1.2.254 255.255.255.0
!
interface Ethernet0
 ip address 10.1.1.10 255.255.255.0
 ip summary address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
interface Serial0:23
 no ip address
 encapsulation ppp
 isdn incoming-voice modem
 dialer rotary-group 0
 dialer-group 1
 no fair-queue
 no cdp enable
!
interface Serial1:23
 no ip address
 encapsulation ppp
 isdn incoming-voice modem
 dialer rotary-group 0
 dialer-group 1
 no fair-queue
 no cdp enable
!
interface Dialer0
 ip unnumbered Loopback0
 no ip mroute-cache
 encapsulation ppp
 peer default ip address pool dialin_pool
 dialer in-band
 dialer-group 1
 no fair-queue
 no cdp enable
 ppp authentication chap pap dialin
 ppp multilink
!
router eigrp 10
 network 10.0.0.0
 passive-interface Dialer0
 default-metric 64 100 250 100 1500
 redistribute static 
 no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1

ip route 10.2.1.1 255.255.255.255 Dialer0
ip route 10.2.1.0 255.255.255.0 10.2.1.1

ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
 login authentication console
line aux 0
 login authentication console
line vty 0 4
 login authentication vty
 transport input telnet rlogin
!
end

In this configuration, the local pool is using a range of unused addresses on the same subnet that the Ethernet interface is configured on. The addresses will be used for the remote devices dialing in to the Cisco AS5200.

Cisco 1600 Using Easy IP to Dial In to a Central Site

The following example shows the running configuration on a Cisco 1600 series router using the Easy IP (Phase 1) feature. Unlike the PAT feature for the Cisco 700 series routers, Easy IP (Phase 1) does not support DHCP server functionality. However, Easy IP (Phase 2) will support this feature. For Easy IP (Phase 1) configuration, you must statically configure the IP addresses for the hosts (PCs) on the Cisco 1600 series side of the connection. For additional information about using Easy IP, see the chapter "Configuring Easy IP" later in this document.

!
version 11.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname remotelan1
!
enable secret cisco
!
username NAS password dialpass
username admin password cisco
ip nat inside source list 1 interface BRI0 overload
!
isdn switch-type basic-5ess
!
interface Ethernet0
 ip address 13.1.1.1 255.255.255.0
 ip nat inside
!
interface BRI0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer map ip 10.1.1.10 name NAS 5551234
 dialer load-threshold 100 either
 dialer-group 1
 no fair-queue
 ppp authentication chap pap callin
 ppp multilink
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.10
ip route 10.1.1.10 255.255.255.255 BRI0
access-list 1 permit 13.1.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!         
line con 0
line vty 0 4
 login local
!
end

Cisco 3640 Central Site Configuration to Support ISDN and Modem Calls

The following configuration allows remote LANs and standalone remote users with modems to dial in to a central site. shows the network topology.

The Cisco 3640 has the following hardware configuration for this scenario:

One 2-port ISDN-PRI network module installed in slot 1.

One digital modem network module installed in slot 2 and slot 3.

One 1-port Ethernet network module installed in slot 0.


Note   Each MICA digital modem card has its own group async configuration. Additionally, a single range of async lines is used for each modem card. For additional interface numbering information, refer to the document Digital Modem Network Module Configuration Note.


!
version 11.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin local
aaa authentication ppp default local
aaa authentication ppp dialin if-needed local
enable secret cisco
!
username admin password cisco
username remotelan1 password dialpass1
username remotelan2 password dialpass2
username PCuser1 password dialpass3
username PCuser2 password dialpass4

async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 1/0
 framing esf
 clock source line 
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1/1
 framing esf
 clock source line 
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 ip address 10.1.2.254 255.255.255.0
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip summary address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial 1/0:23
 no ip address
 encapsulation ppp
 isdn incoming-voice modem
 dialer rotary-group 0
 dialer-group 1
 no fair-queue
 no cdp enable
!
interface Serial 1/1:23
 no ip address
 encapsulation ppp
 isdn incoming-voice modem
 dialer rotary-group 0
 dialer-group 1
 no fair-queue
 no cdp enable
!
interface Group-Async1
 ip unnumbered Loopback0
 encapsulation ppp
 async mode interactive
 peer default ip address pool dialin_pool
 no cdp enable
 ppp authentication chap pap dialin
 group-range 65 88
!
interface Group-Async2
 ip unnumbered Loopback0
 encapsulation ppp
 async mode interactive
 peer default ip address pool dialin_pool
 no cdp enable
 ppp authentication chap pap dialin
 group-range 97 120
!
interface Dialer0
 ip unnumbered Loopback0
 no ip mroute-cache
 encapsulation ppp
 peer default ip address pool dialin_pool
 dialer in-band
 dialer-group 1
 no fair-queue
 no cdp enable
 ppp authentication chap pap dialin
 ppp multilink
!
router eigrp 10
 network 10.0.0.0
 passive-interface Dialer0
 no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1
ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
 login authentication console
line 65 88
 autoselect ppp
 autoselect during-login
 login authentication dialin
 modem DialIn
line 97 120
 autoselect ppp
 autoselect during-login
 login authentication dialin
 modem DialIn
line aux 0
 login authentication console
line vty 0 4
 login authentication vty
 transport input telnet rlogin
!
end

Cisco AS5200 Central Site Configuration Using Remote Security

The previous examples in this section configure static CHAP authentication on the central router using the username command. A more common configuration to support modem and ISDN calls on a single chassis is to use the AAA security model and an external security server at the central site. Cisco recommends that you have a solid understanding of basic security principles and the AAA model before you set up this configuration. For more information about security, see the publication Security Configuration Guide.

Central Site Cisco AS5200 Configuration Using TACACS+ Authentication

The following example assumes you are running TACACS+ on the remote security server.

!
version 11.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS
!
aaa new-model
aaa authentication login console enable
aaa authentication login vty tacacs+
aaa authentication login dialin tacacs+
aaa authentication ppp default tacacs+
aaa authentication ppp dialin if-needed tacacs+
enable secret cisco
!
async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 framing esf
 clock source line secondary
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 ip address 10.1.2.254 255.255.255.0
!
interface Ethernet0
 ip address 10.1.1.10 255.255.255.0
 ip summary address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
interface Serial0:23
 no ip address
 encapsulation ppp
 isdn incoming-voice modem
 dialer rotary-group 0
 dialer-group 1
 no fair-queue
 no cdp enable
!
interface Serial1:23
 no ip address
 encapsulation ppp
 isdn incoming-voice modem
 dialer rotary-group 0
 dialer-group 1
 no fair-queue
 no cdp enable
!
interface Group-Async1
 ip unnumbered Loopback0
 encapsulation ppp
 async mode interactive
 peer default ip address pool dialin_pool
 no cdp enable
 ppp authentication chap pap dialin
 group-range 1 48
!
interface Dialer0
 ip unnumbered Loopback0
 no ip mroute-cache
 encapsulation ppp
 peer default ip address pool dialin_pool
 dialer in-band
 dialer-group 1
 no fair-queue
 no cdp enable
 ppp authentication chap pap dialin
 ppp multilink
!
router eigrp 10
 network 10.0.0.0
 passive-interface Dialer0
 redistribute static
 default-metric 64 100 250 100 1500
 no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1
ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
 login authentication console
line 1 48
 autoselect ppp
 autoselect during-login
 login authentication dialin
 modem DialIn
line aux 0
 login authentication console
line vty 0 4
 login authentication vty
 transport input telnet rlogin
!
end

TACACS+ Security Server Entry

The following configuration file entry runs on the remote TACACS+ security server, which compliments the Cisco AS5200 configuration in the previous example.

user = remotelan1 {
           chap = cleartext "dialpass1"
           service = ppp protocol = ip {
                       addr = 10.2.1.1
                       route = "10.2.1.0 255.255.255.0"
           }
}


user = PCuser1 {
           login = cleartext "dialpass2"
           chap = cleartext "dialpass2"
           service = ppp protocol = ip {
                       addr-pool = dialin_pool
           	}
           service = exec {
                       autocmd = "ppp negotiate"
           	}
}

user = PCuser2 {
           login = cleartext "dialpass3"
           chap = cleartext "dialpass3"
           service = ppp protocol = ip {
                       addr-pool = dialin_pool
           	}
           service = exec {
                       autocmd = "ppp negotiate"
           	}

Bidirectional Dial Networking between a Central Site and Remote Offices or Telecommuters

Sometimes a headquarter's gateway access server is required to dial out to a remote site while receiving incoming calls. This type of networking need is designed around a specific business support model, such as shown in .

Figure 19 Headquarters Configured for Dial-In and Dial-Out Networking

shows a typical dial-in and dial-out network scenario, which amounts to only 25% of all dial topologies. The headquarters' Cisco AS5200 initiates a connection with a Cisco 1604 at remote office 1. After a connection is established, the remote site's file server (shown as Inventory child host) runs a batch processing application with the headquarters' mainframe (shown as Inventory totals parent host). While files are being transferred between remote office 1 and headquarters, remote office 2 is successfully dialing in to headquarters.

There are some restrictions for dial out calling. Dial out analog and digital calls are commonly made to remote ISDN routers, such as the Cisco 1604. On the whole, dial out calls are not made from a central site router to a remote PC but rather from a remote