Dial Solutions Quick Configuration Guide
IP, IPX, and AppleTalk Dial-Up Environments
Download this chapter
IP, IPX, and AppleTalk Dial-Up EnvironmentsIP, IPX, and AppleTalk Dial-Up Environments
give_us_feedback

Table Of Contents

IP, IPX, and AppleTalk Dial-Up Environments

Configuring Point-to-Point Protocol (PPP) Access

Accessing IP Resources

Enabling IP Network Protocol Support

Configuring PPP Encapsulation

Assigning IP Addresses to Dial-In Clients

Configuring Other IP Dial-in Parameters

Configuring NetBIOS over TCP

Enabling PPP Clients to Dial In and Access AppleTalk Resources

Accessing IPX Resources

Enabling IPX Network Protocol Support

Creating a Loopback Interface for Novell IPX Network Numbers

Configuring the Asynchronous Interfaces

IPX Client Addressing

Configuring Other IPX Dial-in Parameters

Setting up Windows 95 on the Remote PC Side of the Connection

Configuring AppleTalk Remote Access (ARA) for Macintosh Access

Enabling Macintosh Users to Dial In and Access AppleTalk Resources

Dial-In Configuration Examples

IP Dial-In Example

IPX Dial-in Example

ARA Example

Combined IP-PPP, IPX-PPP, and ARA Example


IP, IPX, and AppleTalk Dial-Up Environments

Remote node users are telecommuters and mobile users who need to dial in to a network from their PC or Macintosh computer, through an access server in to IP, IPX, or AppleTalk networks to access network resources. This chapter describes the following scenarios:

Getting a PC to dial in to a network by using a PPP application to access IP resources

Getting a PC to dial in to a network by using a PPP application to access Novell IPX resources

Getting a Macintosh to dial in to a network by using ARA to access AppleTalk and IP Resources

Note   This guide does not describe how to configure SLIP. For more information about SLIP, refer to the Dial Solutions Configuration Guide. For popular configuration tips gathered by Cisco's Technical Assistance Center (TAC), go to the "Sample Configurations" home page at http://www.cisco.com/warp/public/700/tech_configs.html.

Each configuration in this chapter builds on preceding configurations from previous chapters. It presents the whole configuration required to enable dial-in and configure security for each of the scenarios. Thus far, this guide has described how to configure the following on your access server:

Autoselect

Group asynchronous interfaces

Modem dial-in

Security

When a remote PC or Macintosh computer dials in to a network, it is considered a "node" on the LAN to which it is connecting. This is the case for each dial-in session, whether the device dialing in is a PC, Macintosh, or other computer. The IP address of a PC, for example, is selected from those available on the subnet assigned to the network that the PC is connecting to. In , for example, the telecommuter's Macintosh is a node in the AppleTalk network 2500 in the zone Mac-dialup, and is treated like a local host.

Figure 5-1 Remote Macintosh as a Node on the Local Network

In router-to-router configurations (such as between a remote and central office), the remote device (PC or Macintosh computer) is not considered a node on the LAN that it is dialing in to. That is, the remote computer is on a different LAN and has an IP address that is not chosen from those available on the local network. These configurations are typically more complex and require use of the dial-on-demand routing (DDR) facility in the Cisco IOS software. For more information, refer to the chapter "" later in this guide.

Configuring Point-to-Point Protocol (PPP) Access

This section describes how to configure your access server to accept calls into IP and IPX networks from clients (PCs) using PPP to access resources such as file servers and printers. It also describes how to allow Macintosh or PC clients running a PPP application to dial in to an AppleTalk network.

Specifically, this section describes the following:

Accessing IP Resources

Configuring NetBIOS over TCP

Enabling PPP Clients to Dial In and Access AppleTalk Resources

Accessing IPX Resources

Setting up Windows 95 on the Remote PC Side of the Connection

Accessing IP Resources

This section describes how to configure the access server to accept calls in to an IP network so that clients (remote PC computers) can access IP resources, such as a Windows NT server. It describes first the access server configuration, then presents some basic configuration information for the dial-in client. shows a typical dial-in scenario.

Figure 5-2 PC Dialing In to Access IP Network Resources

In , a remote telecommuter dialing through the access server uses the Windows 95 client to access the Windows NT server. The client is considered a node on the same network as the NT server.

Enabling IP Network Protocol Support

To dial in to an IP network by using PPP, you first need to enable the network protocol support. IP routing is enabled by default in the Cisco IOS software. However, if you have a routing protocol running on the LAN to which the access server provides access, you must specify this protocol in the access server's configuration, as well. This guide and the following procedure assume you are configuring OSPF routing. If so, perform the following steps to enable IP network support:

Note   If you are using a routing protocol other than OSPF, refer to the Network Protocols Configuration Guide, Part 1 in the Cisco IOS configuration guides and command references documentation.

Step 1 Enter privileged EXEC and global configuration mode on the access server named 2511. 

2511> enable

Password: 

2511# configure terminal

2511(config)#

Step 2 If you haven't done so already, specify the IP address of the Ethernet interface on the access server. This should be a valid, unique, and unused IP address for a subnet on a connected LAN. 

2511(config-router)# interface ethernet 0

2511(config-if)# ip-address 172.16.42.24 255.255.255.0

Step 3 Enable OSPF routing (assuming a routing process is given the number 101): 

2511(config-if)# router ospf 101

2511(config-router)#

Step 4 Define the IP address of the Ethernet interface on which OSPF runs and define the area ID for that interface: 

2511(config-router)# network 172.16.42.24 0.0.0.255 area 0

Step 5 Configure an OSPF network type of point-to-multipoint on the Ethernet interface 0 on the access server: 

2511(config-router)# interface ethernet 0

2511(config-if)# ip ospf network point-to-multipoint

Step 6 Identify the IP domain name and IP name server on the LAN segment: 


2511(config-if)# exit

2511(config)# ip domain-name eapp.com

2511(config)# ip name-server 172.16.42.128

To configure IGRP instead of OSPF routing, issue the router igrp process-id global configuration command, then associate the network with the IGRP process ID by issuing the network address router configuration command. For example, you enter the following commands to configure IGRP routing: 

2511(config-if)# router igrp 101

2511(config-router)# network 172.16.42.0

You can also configure a number of other routing protocols with IP, including RIP, IS-IS, BGP, EGP, GDP, IRDP, and IP multicast routing. For more information about configuring any of these routing protocols, refer to the Network Protocols Configuration Guide, Part 1 in the Cisco IOS documentation.

Configuring PPP Encapsulation

To enable IP dial-in, configure PPP encapsulation on asynchronous interfaces, as follows:

Step 1 To conserve IP addresses, configure the asynchronous interfaces as unnumbered and assign the IP address of the Ethernet interface to them: 

2511(config)# interface group-async2

2511(config)# group-range 1 16

2511(config-if)# ip unnumbered ethernet0

Step 2 Specify PPP encapsulation on asynchronous interfaces to which you will allow PPP connections: 

2511(config-if)# encapsulation ppp

Step 3 Enable interactive mode on asynchronous interfaces: 

2511(config-if)# async mode interactive

Step 4 Configure lines on the access server to detect incoming PPP packets and permit a PPP client to connect to the network automatically. The following example shows lines 1 to 8 on an access server being configured to autoselect incoming PPP packets: 

2511(config-if)# line 1 8 

2511(config-line)# autoselect ppp

Note   You do not need to configure autoselect for incoming PPP packets. You can issue the async mode dedicated command in place of the async mode interactive command. If you use dedicated asynchronous mode on a set of interfaces, users are not automatically connected to the network. Rather, they are connected to the EXEC facility on the access server, and then they must issue the ppp command to connect to network resources. For more information, refer to the Dial Solutions Configuration Guide in the Cisco IOS documentation.

Assigning IP Addresses to Dial-In Clients

This section describes the methods you can use to assign IP addresses to dial-in clients. The methods are as follows:

Method 1: Obtain Addresses from a Pool Configured in the Access Server

This is the simplest mechanism for assigning IP addresses to dial-in clients and is most useful when there is only one access server providing access to the network. A set of IP addresses is defined in a database that exists inside the access server. If there is more than one access server providing access to the network, you should refer to method 2.

Method 2: Obtain Addresses from a Pool Configured in a DHCP Server

This is the next most convenient method, and is most useful for a medium to large-size pool of dial-in clients. A pool of IP addresses is defined inside of a centralized IP address server, called a Dynamic Host Configuration Protocol (DHCP) server. This central database can serve addresses to several different access servers at the same time. Although this method provides long-term flexibility, it requires that you configure a third-party host (such as a UNIX computer) as a DHCP server.

Method 3: Assign Static IP Addresses to Each PC

This is the least efficient most time-consuming method of assigning IP addresses to clients. As clients are added, removed, and moved in the network, IP addresses must be reassigned.

Method 1: Obtain Addresses from a Pool Configured in the Access Server

To configure the address pool locally on the access server, perform the following steps:

Step 1 Create a local IP address pooling mechanism in the access server: 

2511(config)# ip address-pool local

Step 2 Assign a pool of specific IP addresses in a pool (addresses 172.16.80.0 through 172.16.80.16 in pool1): 

2511(config)# ip local pool pool1 172.16.80.1 172.16.80.16

The address pool named pool1 is applied automatically to each asynchronous interface configured for point-to-point access, so you do not have to apply it manually. If you need to apply this pool manually to asynchronous interfaces, issue the peer default ip-address pool pool1 interface configuration command.

For a comprehensive configuration example of PPP dial-in to an IP network, refer to the section "Dial-In Configuration Examples" later in this chapter.

Method 2: Obtain Addresses from a Pool Configured in a DHCP Server

To configure the access server to obtain IP addresses from a DHCP server, perform the following steps:

Step 1 Configure asynchronous interfaces on an access server to assign IP addresses to dial-in clients from a DHCP server (in this example, a group async interface is configured): 

2511(config)# interface group-async 1

2511(config-if)# peer default ip-address dhcp

Step 2 Configure the Cisco IOS software to query a DHCP server for IP addresses that can be supplied to IP clients as they dial in: 

2511(config)# ip address-pool dhcp-proxy-client

You also must configure the client software on client PCs to obtain IP addresses from a DHCP server. Refer to the documentation that accompanied the PC client software for more information about configuring IP addressing options.

For a comprehensive configuration example for PPP dialing to an IP network, refer to the section "Dial-In Configuration Examples" later in this chapter.

Method 3: Assign Static IP Addresses to Each PC

To configure the access server to statically define IP addresses to each client dialing in to the network, enter interface configuration mode and issue the peer default ip address address command, as shown in the following example: 

2511(config)# interface async 1

2511(config-if)# peer default ip-address 172.16.42.26

Note   To prevent duplicate IP addresses from being assigned on two or more interfaces, you cannot assign a static IP address to a group asynchronous interface. A single IP address on a group asynchronous interface permits assignment of the same address to more than one dial-in client. For the same reason, this command also cannot be applied to dialer rotary groups or to ISDN interfaces.

The IP address you assign must be the same as the address specified on the remote dial-in client. Refer to the documentation that accompanied the PC client software for more information about configuring IP addressing options.

For a comprehensive configuration example for PPP dialing to an IP network, refer to the section "Dial-In Configuration Examples" later in this chapter.

Configuring Other IP Dial-in Parameters

Though optional, you generally identify the IP domain name and IP name server on the LAN segment, as shown in the following example: 

2511(config)# ip domain-name eapp.com

2511(config)# ip name-server charlatan

lists other parameters that are often useful for administrators configuring IP dial-in using PPP.

Table 5-1 Additional PPP Dial-in Parameters 

Command
Purpose

ip tcp header-compression passive (interface configuration command)

Instructs the access server port to perform compression of TCP headers if requested by the client.

asynchronous dynamic address (interface configuration command)

(IP only.) Enables the client to select an IP address dynamically when dialing in.


Caution   
If you have configured network protocol support, PPP encapsulation, and an IP addressing method, IP clients can dial in to your network. Ensure that you configure security, as described in the chapter "" in this guide. Also, the configuration examples at the end of this chapter show IP configuration examples with security.

Configuring NetBIOS over TCP

To enable clients running NetBIOS over TCP to dial in to IP network resources, perform the following tasks on the access server:

Step 1 Specify a hostname or IP address of your Wins server on the network: 

2511(config)# async-bootp nbns-server 172.18.42.8

Step 2 If you have one or more domain name servers on the network, specify a host name or IP address of that domain name server: 

2511(config)# async-bootp dns-server 172.18.42.12 172.18.42.10

Make sure you have the following in your NetBIOS network:

A Microsoft Windows domainized environment

A Wins server

A primary domain controller (logon controller)

For more information about configuring your Windows NT environment, refer to your Microsoft documentation or online resource, such as the World-Wide Web page "Microsoft TechNet" at the following URL: http://www.microsoft.com/TechNet/.

Enabling PPP Clients to Dial In and Access AppleTalk Resources

To enable PPP clients using PPP applications to access AppleTalk resources on a network, first perform the following tasks, as described in the earlier section "Accessing IP Resources."

Assign an IP address to an Ethernet interface

Enable PPP encapsulation on all asynchronous interfaces that will accept calls from PPP clients that need to access AppleTalk resources.

Note   AppleTalk routing is not supported on asynchronous interfaces configured for PPP that allow IP clients to access AppleTalk resources.

Next, perform the following steps:

Step 1 Create an internal network on the access server by issuing the appletalk virtual-net command. The internal network number and zone name also can be used for dial-in using ARA (but do not need to be the same). 

2511(config)# appletalk virtual-net 101 ara-dialin

Step 2 Enable AppleTalk client mode on asynchronous interfaces configured for PPP dial-in. The following example shows client mode configured on a group asynchronous interface. 

2511(config)# interface group-async1

2511(config-if)# appletalk client-mode

At this point, PPP clients can dial in to a network and access AppleTalk resources, such as AppleShare servers and printers.

Accessing IPX Resources

This section describes how to configure the access server to accept calls in to an IPX network so that clients can access IPX resources, such as a Novell IPX server. It describes first the access server configuration, then presents some basic configuration information for the dial-in client. shows a typical dial-in scenario.

Figure 5-3 PC Dialing In to Access IPX Network Resources

In , a remote telecommuter dialing through the access server uses the Novell IPX client to access the Novell IPX server. The client is a node on the same network as the IPX server.

Enabling IPX Network Protocol Support

For PPP dialing to an IPX network, you must first enable network protocol support. This includes enabling IPX routing on the access server. If the dial-in client will be a routing client, you also must specify the routing protocol running on the LAN to which the access server provides access. To enable IPX network protocol support, perform the following steps:

Step 1 Enable IPX routing on the access server. 

2511(config)# ipx routing 0060.3ef1.6f74

Note   In the preceding step, the MAC address (0060.3ef1.6f74) is added automatically, based on the MAC address of the Ethernet interface on the access server. You only need to issue the ipx routing command if you want to assign a different MAC address. The MAC address is shown in the preceding step only for illustrative purposes.

Step 2 If you are configuring IPX only and not IP, configure the Ethernet interface 0 as IP unnumbered. 

2511(config)# interface Ethernet0

2511(config-if)# ip unnumbered

However, if you are configuring IP and IPX on the interface, you must provide an IP address for Ethernet interface 0. This must be a valid, unique, and unused IP address for a subnet on a connected LAN. 

2511(config)# interface Ethernet0

2511(config-if)# ip address 172.21.14.64 255.255.255.0

Step 3 Set the IPX network number and encapsulation to match your existing network. The following example shows network 123ABCD and an encapsulation type of SAP: 

2511(config-if)# ipx network 123ABCD encapsulation SAP

Step 4 If the client connecting to the network is not performing routing, you do not have to enable a routing protocol and can skip to the next step. If the client connecting to the network is performing routing, configure a routing protocol. RIP routing is enabled by default. To specify a different routing protocol, such as Enhanced IGRP or NLSP, enter the ipx router command, followed by the name of the routing protocol.

The first example shows how to enable Enhanced IGRP routing with an autonomous system number of 1205. Enhanced IGRP is usually used in large networks. 

2511(config)# ipx router eigrp 1205

The next example shows how to enable NLSP routing with an NLSP process tag of 210. An NLSP tag is optional if there is only one NLSP process. The process of configuring NLSP is somewhat complex and you must add NLSP servers to the network. 

2511(config)# ipx router nlsp 210

Creating a Loopback Interface for Novell IPX Network Numbers

If you allow remote clients to dial in to IPX network resources, you should create a loopback interface, which is a "virtual" interface existing only in the router. Assign a Novell IPX network number to this loopback interface, then assign this network number to each asynchronous interface. The alternative is to assign a unique Novell IPX network number to each asynchronous interface, which could consume hundreds of Novell IPX network numbers. This section assumes that nonrouting clients are dialing in to access IPX network resources.

Note   Follow these steps only if you IPX clients are nonrouting clients. If they are routing clients, you must assign a unique IPX network number to each asynchronous interface and you cannot use group asynchronous interfaces, because there is no way to assign a unique IPX network number to each interface in a group.

Step 1 Create a loopback interface: 

2511(config-if)# interface Loopback0

Step 2 Do not require an IP address on the Loopback interface 0: 

2511(config-if)# no ip address

Step 3 Assign a Novell IPX network number (in this case, 1F) to the loopback interface: 

2511(config-if)# ipx network 1F

Configuring the Asynchronous Interfaces

This section assumes you are configuring group asynchronous interfaces.

After you configure IPX network support and a loopback interface, you then configure the asynchronous interfaces for PPP and assign the Novell IPX network number of the loopback interface to the asynchronous interface. You can also enable interactive mode on the interfaces.

Step 1 Assign the IP address of the Ethernet interface to a single master or each asynchronous interface: 

2511(config-if)# ip unnumbered ethernet0

Step 2 Specify PPP encapsulation on asynchronous interfaces to which you need to allow PPP connections: 

2511(config-if)# encapsulation ppp

Step 3 Assign the Novell IPX network number of the loopback interface to the group asynchronous interface. 

2511(config-if)# ipx ppp-client loopback0

Step 4 (Optional) Filter SAP routing updates on asynchronous interfaces. SAP updates take up a great deal of bandwidth, and asynchronous interfaces have low bandwidth. 

2511(config-if)# ipx sap-interval 0

Step 5 Enable interactive mode. Interactive mode enables you to support services other than PPP (such as EXEC sessions, SLIP, or ARA). 

2511(config-if)# async mode interactive

IPX Client Addressing

The Cisco IOS software assumes that all PCs dialing in have their own unique IPX address and that they send this address to the access server.

Configuring Other IPX Dial-in Parameters

For additional parameters that enable PPP dial-in to IPX networks, refer to Table 5-1.

Note   At this point, IPX clients can dial in to your network. Ensure that you configure security, as described in the chapter "" in this guide. The configuration examples at the end of this chapter show IPX configuration examples with basic security.

Setting up Windows 95 on the Remote PC Side of the Connection

This section describes how to install and configure Windows 95 client software to dial in to and access network resources through a Cisco access server.

If you need information about configuring the CiscoRemote client software, you can receive a fax-back document from the Cisco Technical Assistance Center at 800 553-2447 or 408 526-7209 or call directly into the fax-on-demand service at 415 596-4408.

You can use virtually any other dial-in client applications to dial in to a network through access servers.

This configuration procedure is intended only as a starting point. The configuration requirements can change without warning because Cisco does not control the design and development efforts of other companies. This configuration information is only one of many ways of configuring a Win95 client application for dial-in using PPP. To set up the built-in PPP application in Win95 so that you can access the ISP's IP or NetBEUI network resources, perform the following steps:

Step 1 Double-click on the My Computer icon located either in your Applications window or on the desktop.

The My Computer window appears.

Step 2 If you are making a connection for the first time, double-click on the Make a New Connection icon. If you have already configured your connection profiles, additional icons exist in this window and you can double-click on them to use them.

Step 3 Give the connection session a name, such as MyConnection.

Step 4 Select the type of modem connected to your PC (or built in to the PC) from the list of modems.

Step 5 When the dialog box appears, click on the Configure button.

The General, Connection, and Options folders appear stacked on top of one another. You can select each tab to configure the appropriate parameters.

Step 6 Select the Connection tab. In the Connection folder, set data bits to 8, parity to No, and stop bits to 1, then click Apply.

The Advanced Connection Settings window appears.

Step 7 Modems usually perform all the data compress you'll ever need. However, if you have a very old modem, you should Select Data Compression and Hardware flow control and click OK.

Step 8 Select the Options tab. In the Options folder, select "Bring up terminal window after dialing" and click on the Next button.

The option "Bring up terminal window after dialing" means that when you dial in, the access server prompts you for your username and password, then logs you in to the EXEC facility.

A new dialog box appears that indicates you have finished configuring a dialup profile and the Myconnection connectoid appears.

Step 9 Click on the Next button.

Step 10 In the Phone Number field, enter the phone number, area code, and country of the access server you intend to dial and press Return.

You have configured preliminary parameters to enable the Win95 client to dial in to an access server. At this point, you need to define additional properties.

Step 1 Select the dialup profile connectoid, then click with the right mouse button, and pull down the menu. Select Properties.

Step 2 In the Properties dialog box, select Server_Type.

The ServerTypes dialog box appears, as shown in .

Figure 5-4 Windows 95 Server Types Dialog Box

Step 3 Select PPP Windows 95 Windows NT 3.5 Internet.

Step 4 In the Allowed Network Protocols area of the dialog box, select TCP/IP if you intend to function as an IP client to access IP network resources.

Step 5 Select the TCP/IP Settings pull-down menu at the bottom right corner of the dialog box.

Step 6 Select Server assigned IP and Name server addresses if you are getting your addresses from a server. Otherwise, enter an IP address.

Step 7 Select Use default gateway on remote network. Click Apply. Select IP compression if you also intend to enable header compression of IP packets on the access server, which is enabled with the ip tcp header-compression passive interface configuration command.

Step 8 Go to the Control Panel and select Internet.

Step 9 Check the AutoDial checkbox if your PPP connection is the only modem or ISDN connection to the Internet. Uncheck this box if you have more than one outgoing connection.

Step 10 Select MyConnection and click on the Apply button.

When you start an application that requires network access, you are prompted for a username and password. This username and password must match the username and password on the access server. When you select Connect, the client dials the number you entered. In a status box, you can see the information dialing, verifying username/password, and the dial-in application should run without problems. shows a successful connection:

Figure 5-5 Windows 95 Connection Status Box

Configuring AppleTalk Remote Access (ARA) for Macintosh Access

This section describes how to configure the access server to accept calls in to an AppleTalk network so that clients can access AppleTalk resources, such as an AppleShare server, a colleague's Macintosh to retrieve files, or a printer. For information about configuring the ARA client, you can receive a fax-back document from Cisco's Technical Assistance Center at 800 553-2447 or 408 526-7209 or call directly into the fax-on-demand service at 415 596-4408.

For information about configuring the access server to enable IP clients to access AppleTalk resources, refer to the later section "Enabling PPP Clients to Dial In and Access AppleTalk Resources." shows a typical dial in scenario.

Figure 5-6 Macintosh Dialing In to Access AppleTalk Network Resources

shows a Macintosh with ARA 2.0 dialing in to a corporate network through an access server. The Macintosh client is a node on network 2500 in zone Mac-dialup.

After connecting to a corporate network with ARA, clients can also launch applications that enable them to communicate with IP devices, such as UNIX servers, although you must have configured a MacIP server on the network first.

Enabling Macintosh Users to Dial In and Access AppleTalk Resources

The following configuration provides a range of 16 IP addresses, which can be assigned to each of the dial-in remote nodes. The MacIP server resides in the same zone and IP subnet it is providing IP addresses for. This is highly recommended for a gateway server of this kind. The IP address under interface Ethernet 0 strengthens the correlation of subnet to server.

To enable ARA dial in on the access server, perform the following steps:

Step 1 Enable AppleTalk Routing. 

2511(config)# appletalk routing

Step 2 Create a new internal AppleTalk network in the access server. In the following example, the network number is 2500 and the zone name is Mac-dialup. 

2511(config)# arap network 2500 Mac-dialup

Note   The nonextended AppleTalk network number used with the arap network command must be unique within the AppleTalk intranetwork.

Step 3 Bring up the interface Ethernet 0, assign it an IP address, and configure a cable range. In this example, the cable range is 110 to 110. 

2511(config)# interface ethernet 0

2511(config-if)# ip address 172.16.42.26 255.255.250.0

2511(config-if)# appletalk cable-range 110-110

Step 4 Create an AppleTalk zone on the Ethernet interface 0. In the following example, the zone is given the name Corporate. 

2511(config-if)# appletalk zone Corporate

Step 5 Enter line configuration mode for the lines on which you need to allow ARA clients to dial in and enable ARA. The following example shows lines 1 through 16 being configured for ARA dial in (these are the physical asynchronous TTY lines) and disables guest access to the AppleTalk network. 

2511(config-if)# line 1 16

2511(config-line)# arap enable

2511(config-line)# autoselect arap 

2511(config-line)# arap noguest

Step 6 Configure an AppleTalk zone for ARA dial-in sessions. (In Step 4, the zone that was created was Corporate. This example uses the same zone.) 

2511(config)# appletalk macip server 172.16.42.26 zone Corporate

Step 7 Allocate IP addresses for Macintosh users if you are using dynamic addressing 

2511(config)# appletalk macip dynamic 172.16.42.27 zone Corporate

lists other useful dial-in parameters for ARA.

Table 5-2 Additional ARA Dial-In Parameters 

Command
Purpose

arap dedicated

Makes the line only available for ARA dial-in access. Do not issue this command if you are also allowing PPP users to dial in through the line or if you issue the autoselect ppp command on the line.

arap timelimit minutes

Sets a time limit on dial-in sessions. This prevents clients from staying connected indefinitely.

arap warningtime minutes

Sets the amount of time before which the connection is closed because of the arap timelimit command. A reasonable amount of time is 15 minutes.


Dial-In Configuration Examples

The configuration examples in this section show comprehensive configurations that enable remote clients to dial in to networks and access resources. The configurations in this section borrow information from the previous chapters and present each component (such as modem configuration and security) as a separate piece. Examples in this section include the following:

IP Dial-In Example

IPX Dial-in Example

ARA Example

Combined IP-PPP, IPX-PPP, and ARA Example

IP Dial-In Example

The following example configures an access server to enable a PC running a Windows 95 PPP application to dial in to an IP network. It also enables the Windows 95 client to access AppleTalk resources. The example starts with the modem configuration, then moves on to the security configuration, then the protocol configuration. This example assumes that you are using a local username database that is set up inside the access server for authentication.

Modem and Line Configuration

The following sample configures lines 1 through 16 on a Cisco 2511 access server for modem control. It assumes you have a Telebit T3000 modem or one that can be automatically initialized using the Telebit_3000 initialization string. 

line 1 16

 speed 115200

 flowcontrol hardware

 modem inout

 modem autoconfigure Telebit_t3000

!

 autoselect during-login

 autoselect ppp

!

interface group-async 0

 group-range 1 16

Security Configuration

The following sample configuration uses a local authentication database inside the access server. It prevents unauthenticated login to all vty lines. It assumes dial-in users rely on autoselect and do not log in to the EXEC on the access server, but have immediate access to the network when their connection session begins. No security is configured on the console port, which is physically secure. This configuration uses defaults in most cases, except that it uses CHAP authentication for PPP instead of the default of PAP (because CHAP is more secure). It uses the username command to populate the local authentication database. The password that appears has been automatically encrypted automatically. 

aaa new-model

aaa authentication login default local 

aaa authentication ppp default local 

enable secret 5 $1$h7dd$VTNs4.BAfQMUU0Lrvw6570

enable password cloudcity 

!

username hansolo password 7 095E470B1110

username leiaorga password 7 0215055500070C294D

username anakin password 7 032A5K39068R1935 

username jacen password 7 087X2G10385V8148 

username jaina password 7 075V3W50429L2943 

!

line vty 10 47 

 login authentication default

!

line 1 16

 arap authentication default 

!

interface Group-Async1

 ppp authentication chap default

 group-range 1 16

Protocol Configuration (Using a Local Pool of IP Addresses)

The following sample configuration enables an IP client to dial in to a network via an access server (with an IGRP routing process of 101) and be assigned an IP address from a locally defined pool (from 172.16.80.1 to 172.16.80.200). It also places all 16 asynchronous interfaces in a group interface and PPP encapsulation. IP clients (such as Windows 95 clients) dial in and automatically have a PPP session started (after the security dialog appears).

If you want to obtain IP addresses for dial-in clients from a Dynamic Host Configuration Protocol (DHCP) server, you must change the peer default ip address pool pool-1 command to peer default ip address dhcp. If you want to assign a static address to a remote client, you must change this command (for an address of 172.18.24.48, for example) to peer default ip address 172.18.24.48. 

router igrp 101

 network 172.16.0.0

!

ip address-pool local

ip local pool pool-1 172.16.80.1 172.16.80.200

appletalk virtual-net 101 AT-zone

!

ethernet 0

 ip-address 172.16.42.24 255.255.255.0

!

group-async1

 ip unnumbered ethernet0

 encapsulation ppp

 async mode interactive

 peer default ip address pool pool-1

 ip tcp header-compression passive

 appletalk client-mode

 group-range 1 16

!

ip domain-name eapp.com

ip name-server charlatan

IPX Dial-in Example

The following configuration example enables a PC client running a PPP application to dial in to a network and access IPX resources. The modem attached to the access server is a Telebit T3000 modem. For security, the access server uses TACACS+ for lines and asynchronous interfaces and RADIUS for an ISDN interface (attached via an external ISDN terminal adaptor).

Modem and Line Configuration

The following sample configures lines 1 through 16 on a Cisco 2511 access server for modem control. It assumes you have a Telebit T 3000 modem. 

line 1 16

 speed 115200

 flowcontrol hardware

 modem inout

 modem autoconfigure discovery

 modem autoconfigure type t_3000

!

 autoselect during-login

 autoselect ppp

!

Security Configuration

This configuration uses remote security. It uses TACACS+ security for lines and asynchronous interfaces, and RADIUS security for ISDN interfaces. This portion of the configuration only contains security commands. Modem and protocol configuration commands are presented in the sections "Modem and Line Configuration" and "Protocol Configuration." 

aaa new-model

aaa authentication login default tacacs+ local 

aaa authentication con-special tacacs+ enable

aaa authentication ppp default if-needed tacacs+

aaa authentication ppp use-radius radius

!


enable secret 5 $1$Kv7T$yjdYBYi70X56gOpEtLj.Q.!

!

line 1 16

! Modem commands deleted

 autoselect ppp

 autoselect during-login

!

line con 0

 login authentication con-special

!

interface Group-Async1

 ip unnumbered ether 0

 encapsulation ppp

 async mode interactive

 ppp authentication chap pap default

 group range 1 16

! 

interface Group-Async2

 ip unnumbered ether 0

 encapsulation ppp

 async mode interactive

 ppp authentication chap use-radius

 group range 9 16

Protocol Configuration

The following sample configuration enables an IPX client to dial in to a network to access IPX resources (IPXCP). In this sample configuration, the IPX client connections are permitted on group asynchronous interface 8, which is associated with loopback interface 0. Loopback interface 0 is configured to run IPX. Routing updates have been filtered on all asynchronous interfaces. 

ipx routing 0000.0c07.b509

!

loopback0

 no ip address

 ipx network 544

!

interface ethernet0

 ip address 172.21.14.64 255.255.255.0

 ipx network AC150E00

 ipx encapsulation SAP

!

interface group-async1 

 ip unnumbered ethernet0 

 encapsulation ppp

 async mode interactive 

 async default ip address 172.18.1.128

 ipx ppp-client loopback0

 ipx sap-interval 0


interface group-async2 

 ip unnumbered ethernet0 

 encapsulation ppp

 async mode interactive 

 async default ip address 172.18.1.128

 ipx ppp-client loopback0

 ipx sap-interval 0

ARA Example

The following example configures an access server to enable a Macintosh running ARA 2.0 to dial in to an AppleTalk network. It also permits IP clients to dial in and access AppleTalk resources. The example starts with the modem configuration, then moves on to the security configuration, then the protocol configuration. This example assumes you are using a local username database that is set up inside the access server for authentication.

Modem and Line Configuration

The following example configures lines 1 through 16 on a Cisco 2511 access server for modem control. It assumes you have a modem that uses an initialization string that corresponds to the Usr_sportster string that is used to configure a modem automatically. 

line 1 16

 arap enable

 flowcontrol hardware

 modem inout

 modem autoconfigure Usr_sportster

 autoselect during-login

 autoselect arap

!

Security Configuration

The following example uses a TACACS+ security database. No security is configured on the console port, which is physically secure. This configuration uses default configuration parameters. ARA authentication permits guests to log in and access network resources. 

aaa new-model

aaa authentication login default tacacs+ 

aaa authentication arap default guest tacacs+ 

enable secret 5 $17dd$VTNs4.BAfQMUU0Lrvw6570

!

line 1 16

 arap authentication default

 login authentication default

Protocol Configuration

The following example enables an ARA client to dial in with AppleTalk over PPP (ATCP). ARA clients dial in and automatically have an ARA session started (after the security dialog appears). In this example, IP is enabled on Ethernet interface 0 to allow basic IP connectivity. 

appletalk routing 

arap network 108 dialin14

appletalk virtual-net 107 dialin14

!

ethernet 0

 ip-address 172.16.42.24 255.255.255.0

 appletalk cable-range 20-22

 appletalk zone marketing

!

line 1 16

 arap enable

 arap timelimit 180

 arap warningtime 15

 autoselect arap

 autoselect during-login 

!

ip domain-name eapp.com

ip name-server alices-diner

!

! the following commands enable IP clients to dial in and access AppleTalk resources

interface group-async1

 encapsulation ppp

 appletalk client-mode

 group-range 1 16

Combined IP-PPP, IPX-PPP, and ARA Example

The following configuration example enables remote clients to dial in to IP, IPX, AppleTalk networks and permits users to log in and connect to the EXEC facility.

Modem and Line Configuration

The following example configures lines 1 through 16 on a Cisco 2511 access server for modem control. It assumes lines 1 through 8 have Hayes Optima modems. (The Cisco IOS software can configure a Hayes Optima modem automatically.)

This configuration assumes that lines 9 through 16 have Practical Peripherals PC28800SA V.42bis modems. If you issue the modem autoconfigure discovery line configuration command, the Cisco IOS software attempts to identify the modem string that initializes the Practical Peripherals modem. If it cannot find a string that automatically initializes the Practical Peripherals modems, you must initialize them manually, as specified in the following section, "Initializing the Practical Peripherals Modems."

In this example, the access server is configured to allow dial-in clients to launch ARA, PPP, or an EXEC session on lines 1 through 16. 

version 11.2

!

hostname 2511

!

line 1 16

 modem autoconfigure type hayes_optima

 speed 115200

 flowcontrol hardware

 modem inout

 transport input all

 autoselect arap

 autoselect during-login

 autoselect ppp

 arap enabled

!

line con 0

 speed 9600

 flowcontrol software

Initializing the Practical Peripherals Modems

The following steps show how to initialize a Practical Peripherals modem to function with a Cisco 2509 access server.

Step 1 Connect with the modem, which is attached to asynchronous port 4. The IP address of the Ethernet interface is 172.18.2.24: 

2509# telnet 172.18.2.24 2004 

Trying 172.16.1.10, 2001 ... Open

Step 2 Issue an at command to ensure the modem connection has been established: 

at

ok

Step 3 Configure the modem initialization string (the following is the string for a Practical Peripherals 28.8 modem): 

AT&F&C1&D3&K3&Q5S7=60S36=7S46=2S48=7S95=47S0=1&W 

ok

Step 4 Store the modem settings in the modem NVRAM: 

at&w 

OK

Step 5 Suspend and disconnect your Telnet session: 

- suspend keystroke - 

2509# disconnect

Closing connection to 172.18.2.24, 2004 [confirm] y

2509#

Security Configuration

This sample configuration uses a RADIUS security server for asynchronous interfaces and local authentication for lines, because ARA, which is configured on lines, does not support RADIUS authentication. The login authentication in this configuration works as follows:

Users dialing in to the EXEC facility are first authenticated by a RADIUS server. If a RADIUS server is not accessible, local authentication is used.

Users dialing in with ARA are allowed to log in as guests only if they have already been authenticated to the EXEC facility.

Users dialing in with PPP are authenticated only if they have not already been authenticated at the EXEC facility. If they have not already been authenticated, the RADIUS server is polled. If the RADIUS server has no information about the user or it is not accessible, local username authentication is used. Users dialing in to group async interface 0 are authenticated using CHAP. Users dialing in to group async interface 1 are authenticated using PAP.

This sample configuration only contains security commands. It does not contain modem or protocol configuration commands. For modem and line commands, refer to the "Modem and Line Configuration" section. For protocol configuration commands, refer to the "Protocol Configuration" section. 

aaa new-model

aaa authentication login default radius local 

aaa authentication arap default auth-guest local

aaa authentication ppp default if-needed radius 

!

radius-server host 172.23.4.28

radius-server key s2imm3r

!

username pumba password 7 095E470B1110

username timone password 7 095E470B1110

username rafiki password 7 0215055500070C294D

username simba password 7 032A5K39068R1935 

username nala password 7 087X2G10385V8148 

username mufasa password 7 075V3W50429L2943 

username sarabi password 7 0215055500070C294D


enable secret 5 $1$Kv7T$yjdYBYi70X56gOpEtLj.Q.!

!

line 1 16

 arap authentication default

!

line con 0

 login authentication default 

!

interface Group-Async1

 ppp authentication chap default

 group range 1 8

!

interface Group-Async2

 ppp authentication pap default

 group range 9 16

Protocol Configuration

The following sample configuration enables remote clients to dial in and access IP, IPX, and AppleTalk resources. In this example, IP and IPX client connections are permitted on group asynchronous interface 1 to IP, IPX, and AppleTalk resources. The IPX network number of loopback interface 1 is assigned to the group asynchronous interface. Routing updates have been filtered on all asynchronous interfaces.

ARA has also been enabled on all lines. Macintosh clients can also dial in and access IP network resources. 

ip domain-name cisco.com

ip name-server scar

ipx routing 0040.0d05.c601

ip address-pool local

!

appletalk routing

appletalk virtual-net 2000 Mac-dialup 

arap network 2500 Mac-dialup

!

async dns-server 172.16.80.34

async nbns-server 172.16.80.35

!

interface loopback0

 no ip address

 ipx network 544

 ipx sap-interval 0

!

interface ethernet0

 ip address 172.21.14.64 255.255.255.0

 appletalk cable-range 110-110

 appletalk zone corporate

 ip tcp header-compression passive 

 ipx network AC150E00

 ipx encapsulation SAP

!

interface group-async1

 ip unnumbered ethernet0 

 encapsulation ppp

 async mode interactive 

 appletalk client-mode

 peer default ip address pool singi

 ipx ppp-client loopback0

 netbios nbf

 group-range 1 8

!

interface group-async2

 ip unnumbered ethernet0 

 encapsulation ppp

 async mode interactive 

 peer default ip address pool bonsai

 ipx ppp-client loopback0

 group-range 9 16

!

ip local pool singi 172.16.80.1 172.16.80.16

ip local pool bonsai 172.16.80.17 172.16.80.32

!

ipx router rip

 no network 544

!

line 1 16 

 arap enable 

 autoselect arap 

 autoselect during-login 

 autoselect ppp 

 arap timelimit 240 

 arap warningtime 15 


! the following commands enable Macintosh clients to access IP network resources

appletalk macip server 172.21.14.64 zone corporate

appletalk macip dynamic 172.21.14.65 172.21.14.81 zone corporate