V3PN: Redundancy and Load Sharing Design Guide - Small BranchDSL with Async Backup [Design Zone for IPv6]

Table Of Contents

Small Branch—DSL with Async Backup

Solution Characteristics

Topology

Failover/Recovery Time

V3PN QoS Service Policy

Performance Results

Implementation and Configuration

Remote Router SAA and Tracking

Head-end SAA Target Router

Remote Router—Cisco 1711

Debugging

Cisco IOS Versions Tested

Summary

Small Branch—DSL with Async Backup

This section describes the use of DSL with Async backup, and includes the following sections:

•Solution Characteristics

•Topology

•Failover/Recovery Time

•V3PN QoS Service Policy

•Performance Results

•Implementation and Configuration

•Debugging

•Cisco IOS Versions Tested

•Summary

Solution Characteristics

This design incorporates techniques described in the previous two chapters but now further reduces the costs associated with the backup link. With Basic Rate ISDN as the backup link, it is possible to transport encrypted voice traffic across the backup link. However, installing a Basic Rate ISDN line has installation costs and ongoing monthly charges as well as possible per-minute charges when the link is active.

A less costly alternative is to use the plain "old telephone service" (POTS) line that is necessary for provisioning the Asymmetric Digital Subscriber Line (ADSL) service to the branch. Rather than implement an access server at the enterprise head-end location, this design uses the access server of the ISP. This is a further cost reduction to the enterprise. Some ISPs provide access to their dial network at no additional cost as part of a DSL subscription. In some cases, 20 hours per month are provided with DSL service. In other cases, there may be a small fee (less than $10 USD a month) to include dial-up with the DSL plan. Alternatively, dial-up services can be ordered from a different service provider than the ISP providing the DSL service. If single-line DSL (SDSL) service is used (SDSL has no baseband POTS line), a separate POTS line can be installed.

There are two primary disadvantages associated with the cost savings of this design:

•Encrypted voice cannot be transported to the enterprise head-end over the Async interface because the bandwidth is insufficient.

•Local loop cable cut will likely take out both the ADSL and POTS line.

However, the integrated WIC-1AM of the Cisco 1711 includes two RJ11 ports: one for the line and the second for the analog phone handset. The analog line can be used for calls when the dial backup is not active.

Both the primary and backup links use PPP encapsulation and the IP address is dynamically (negotiated) assigned by the ISP. For the broadband path, this is through PPPoE; for the Async path, this is through PPP.

Topology

The topology consists of a Cisco 1711 router at the remote branch location, connected to a DSL bridge on the FastEthernet 0 interface. The POTS line for the ADSL service is separated using a DSL filter/splitter and connected to the Async 1 interface.

The ISP that provides DSL service also includes 20 hours of dial access per month at no additional charge. The same username and password for access to the DSL network is used for the dial backup. At the head-end location, a pair of IPSec routers are shown in the configuration files; one for the primary path and the second for the backup path. As in previous sections, a pair of IPSec head-end routers can be configured for both the primary and backup path and two separate addresses can be assigned.

An SAA target router is used at the head-end location.

Note This design uses the Cisco IOS feature, Reliable Static Routing Backup Using Object Tracking, to verify connectivity with SAA probes originating from the inside Ethernet LAN address of the remote router.

The SAA packets traverse the IPSec tunnel. If the tunnel is down and the SAA target is unreachable, dial backup is triggered. Because this design uses SAA to generate ICMP packets, the IP host can be used in place of the SAA target router. It is important that this device remains in service because a failure of the target device causes all branches to attempt a dial backup even though the IPSec tunnel remains available.

Figure 4-1 shows the devices used in this solution.

Figure 4-1 Small Branch DSL with Async Backup

The SAA packets are permitted to reach the head-end only via the DSL interface. This is controlled by a static host route. The backup crypto map advertises a /28 prefix to the head-end IPSec router and the primary IPSec router advertises the /29 prefix that is configured on the inside VLAN 1 interface. This ensures that the return path of the SAA packets uses the IPSec tunnel over the DSL interface if it is active.

Failover/Recovery Time

The following sample configuration uses 60-second track down delay, a polling frequency of 15 seconds for the SAA ICMP probe, and an IKE keepalive value of 10 seconds. To test the dial backup, the DSL cable was removed from the DSL modem. In this display, debug track is enabled. With these configuration options, connectivity is restored in approximately two minutes from the initial failure.
vpn-jk2-1711-1#show clock
15:17:07.189 est Thu Jan 8 2004            <-  Cable was removed at this time
vpn-jk2-1711-1#
Jan  8 15:17:11.577 est: Track: 21 Down change delayed for 60 secs
Jan  8 15:17:28.293 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 
xx.xxx.223.24:500       Id: rtp5-esevpn-gw4.cisco.com
Jan  8 15:17:56.465 est: %DIALER-6-UNBIND: Interface Vi1 unbound from profile Di1
Jan  8 15:17:56.485 est: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
Jan  8 15:17:57.465 est: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, 
changed state to down
Jan  8 15:18:11.577 est: Track: 21 Down change delay expired 
Jan  8 15:18:11.577 est: Track: 21 Change #14 rtr 1021, state Up->Down
Jan  8 15:18:57.902 est: %LINK-3-UPDOWN: Interface Async1, changed state to up
Jan  8 15:18:58.906 est: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed 
state to up
Jan  8 15:19:04.710 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 
xx.xxx.223.25:500       Id: rtp5-esevpn-gw5.cisco.com
vpn-jk2-1711-1#show clock
15:19:11.954 est Thu Jan 8 2004            <- Connectivity restored via Async interface
During transition from the backup Async to primary DSL connection, the recovery is transparent to data applications. Following is an example of a continuous ping running from the PC behind the Cisco 1711 as the DSL cable was inserted back into the DSL modem. The transition from Async to DSL can be identified because the round trip time (RTT) of the ICMP packets decreases substantially from approximately 200ms to 90ms.
Reply from 172.26.129.252: bytes=32 time=231ms TTL=247
Reply from 172.26.129.252: bytes=32 time=160ms TTL=247
Reply from 172.26.129.252: bytes=32 time=200ms TTL=247   <- last ping on Async
Reply from 172.26.129.252: bytes=32 time=90ms TTL=247    <- first ping on DSL
Reply from 172.26.129.252: bytes=32 time=100ms TTL=247
Reply from 172.26.129.252: bytes=32 time=111ms TTL=247
Reply from 172.26.129.252: bytes=32 time=90ms TTL=247
Reply from 172.26.129.252: bytes=32 time=90ms TTL=247
Reply from 172.26.129.252: bytes=32 time=90ms TTL=247
Reply from 172.26.129.252: bytes=32 time=90ms TTL=247
Reply from 172.26.129.252: bytes=32 time=90ms TTL=247
Reply from 172.26.129.252: bytes=32 time=90ms TTL=247
The LCD display on the IP Phone changes to normal state after recovery because the phone is able to register with the Cisco CallManager over DSL.

V3PN QoS Service Policy

The Async connection does not provide sufficient bandwidth to place a usable encrypted voice call. During testing, encrypted G.711 calls were placed over the Async connection. The latency across the Async connection is typically over 230 ms round trip and packet loss of the voice call was generally 50 percent of the G.711 voice stream. The goal is then to render the Cisco 7960 IP Phone unusable during dial backup. If measures are not taken, the phone registers with its call manager over the Async connection, and the phone display appears normal. However, if a call is successfully dialed, the voice quality is too poor to be usable.

The assumption then is that the primary DSL interface can service one voice call, but no calls can be supported when in dial backup mode.

Because the Context-Based Access Control (CBAC) of the Cisco IOS Firewall is configured on the remote router, applying a static ACL entry to block the Skinny Client Control Protocol (SCCP) packets is ineffective. The IP phone originating a TCP connection to the call manager causes CBAC to insert a temporary ACL entry, permitting the IP phone to register. Additionally, it is preferable to implement a method of blocking voice that does not require configuring specific call manager IP addresses.

To block the IP phone from communicating with the call manager, an input QoS service policy is configured, borrowing the voice and call-setup classes defined for applying uplink QoS on the primary interface. A policer is configured for each class, dropping packets if they either conform or exceed an arbitrary data rate. The data rate configured is immaterial, because packets are dropped if they are above or below the rate. In the following example, the lowest (8000 bps) configurable value was selected.

The service policy is applied on the input Async interface as follows:
!
policy-map ASYNC_IN
description Allows us to block voice on the Async
 class VOICE
   police 8000 conform-action drop  exceed-action drop
 class CALL-SETUP
   police 8000 conform-action drop  exceed-action drop
interface Async1
 bandwidth 24
 ip address negotiated
 ip access-group INPUT_ACL in
 service-policy input ASYNC_IN
The same input ACL applied to the primary interface is also applied to the backup interface because both interfaces connect to the Internet.

Performance Results

No specific QoS policy was applied to the output Async1 interface except for the default value of weighted fair queueing. Because encrypted voice was not attempted on the backup interface because of bandwidth constraints, no performance tests were run. During the time the dial backup was active, the workstation was able to send and receive text email, view web pages, and so on. Note from the previous section on failover and recovery time, the latency of the Async interface is higher than the broadband connection. The effective bandwidth of the dial backup link is approximately 24 kbps in these tests.

A specific QoS service policy can be applied on the output to the Async interface to guarantee bandwidth to mission-critical or transactional applications. However, weighted fair queueing may be sufficient for these low-volume applications.

Implementation and Configuration

This section describes the key configuration components, and includes the following topics:

•Remote Router SAA and Tracking

•Head-end SAA Target Router

•Remote Router—Cisco 1711

In the following examples, the addressing conventions are used:

•All subnets of 10.0.0.0 addressing represent enterprise internal address space.

•All subnets of 172.16.0.0 addressing represent enterprise internal address space.

•All subnets of xx.xxx.223.0 addressing represent Internet routable address space.

Remote Router SAA and Tracking

The IP address of the head-end SAA target router is 10.81.0.26. The inside LAN interface address remote Cisco 1711 router is 10.81.7.241. Sourcing the ICMP packets off this interface encrypts the ICMP packets in the IPSec tunnel. The IPSec tunnel must be active before the ICMP connectivity can be restored and data traffic can begin using the IPSec tunnel.
!
track 21 rtr 1021
 delay down 60 up 5
ip route 0.0.0.0 0.0.0.0 Dialer1 239 track 21     <- Primary Interface
ip route 0.0.0.0 0.0.0.0 Async1 240               <- Backup Interface
ip route 10.81.0.26 255.255.255.255 Dialer1       <- Force SAA ICMP out Primary Interface
ip route xx.xxx.223.24 255.255.255.255 Dialer1    <- Primary IPSec Peer
ip route xx.xxx.223.25 255.255.255.255 Async1     <- Backup IPSec Peer
rtr 1021
 type echo protocol ipIcmpEcho 10.81.0.26 source-ipaddr 10.81.7.241
 tos 192
 timeout 1000
 owner TRACK 21
 frequency 15
 lives-of-history-kept 1
 buckets-of-history-kept 20
 filter-for-history failures
rtr schedule 1021 start-time now life forever
!
Head-end SAA Target Router

Because the SAA configuration uses ICMP in this example, no SAA configuration is required on the head-end target router. In fact, you can use any IP host that reliably responds to ICMP (echo-request) pings.

Remote Router—Cisco 1711

The following is the configuration of the remote router:
!
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname vpn-jk2-1711-1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 [removed]
!
username [removed] privilege 15 secret 5 [removed]
clock timezone est -5
clock summer-time edt recurring
no aaa new-model
ip subnet-zero
!
!
!
ip dhcp pool Client
   import all
   network 10.81.7.240 255.255.255.248
   default-router 10.81.7.241 
   dns-server 64.102.6.247 171.68.226.120 
   domain-name cisco.com
   option 150 ip 64.102.2.93 
   netbios-name-server 171.68.235.228 171.68.235.229 
!
!
ip telnet source-interface Vlan1
ip tftp source-interface Vlan1
ip ftp source-interface Vlan1
no ip domain lookup
ip domain name cisco.com
ip host harry 172.26.129.252
ip host rtp5-esevpn-ca 10.81.0.18
ip name-server 64.102.6.247
ip name-server 207.69.188.185
ip cef
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip audit notify log
ip audit po max-events 100
ip ssh source-interface Vlan1
!
track 21 rtr 1021
 delay down 60 up 5
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
chat-script MODEM "" "atdt\T" TIMEOUT 60 CONNECT \c
!
!
crypto ca trustpoint ese-vpn-cert
 enrollment mode ra
 enrollment url http://10.81.0.18:80/certsrv/mscep/mscep.dll
 revocation-check none
 source interface Vlan1
 auto-enroll 70
!
!
crypto ca certificate chain ese-vpn-cert
 certificate 2ABC84E400000000002A
 certificate ca 36092145BAA631BF4763493E714CD857
! 
!
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set REPLAY esp-3des esp-sha-hmac 
no crypto ipsec nat-transparency udp-encaps
!
crypto map RTP 1 ipsec-isakmp 
 description RTP Enterprise Class Teleworker 
 set peer xx.xxx.223.24
 set transform-set REPLAY 
 match address CRYPTO_MAP_ACL
 qos pre-classify
!
crypto map ASYNC_BACKUP 1 ipsec-isakmp 
 description For ASYNC backup interface
 set peer xx.xxx.223.25
 set transform-set REPLAY 
 match address CRYPTO_MAP_ACL_BACKUP
 qos pre-classify
!
!
!
class-map match-all VOICE
 match ip dscp ef 
class-map match-any CALL-SETUP
 match ip dscp af31 
 match ip dscp cs3 
class-map match-any INTERNETWORK-CONTROL
 match ip dscp cs6 
 match access-group name IKE
!
!
policy-map ASYNC_IN
description Allows us to block voice on the Async
 class VOICE
   police 8000 conform-action drop  exceed-action drop 
 class CALL-SETUP
   police 8000 conform-action drop  exceed-action drop 
policy-map V3PN-teleworker
description Note LLQ for ATM/DSL G.729=64K, G.711=128K
 class CALL-SETUP
  bandwidth percent 2
 class INTERNETWORK-CONTROL
  bandwidth percent 5
 class VOICE
  priority 128
 class class-default
  fair-queue
  random-detect
policy-map Shaper
 class class-default
  shape average 182400 1824
  service-policy V3PN-teleworker
!
!
!
interface FastEthernet0
 description Outside
 no ip address
 service-policy output Shaper
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet1
 no ip address
 vlan-id dot1q 1
  exit-vlan-config
 !
!
interface FastEthernet2
 no ip address
 vlan-id dot1q 1
  exit-vlan-config
 !
!
interface FastEthernet3
 no ip address
 vlan-id dot1q 1
  exit-vlan-config
 !
!
interface FastEthernet4
 no ip address
 vlan-id dot1q 1
  exit-vlan-config
 !
!
interface Vlan1
 description Inside
 ip address 10.81.7.241 255.255.255.248
 ip inspect CBAC in
 ip route-cache flow
 ip tcp adjust-mss 542
 hold-queue 40 out
!
interface Async1
 description EarthLink Dialup Service V34/LAPM/V42B/24000:TX/26400:RX
 bandwidth 24
 ip address negotiated
 ip access-group INPUT_ACL in
 service-policy input ASYNC_IN
 encapsulation ppp
 ip route-cache flow
 load-interval 30
 dialer in-band
 dialer string 6550070
 dialer-group 21
 async mode dedicated
 ppp authentication pap callin
 ppp pap sent-username [removed]@mindspring.com password 7 [removed]
 crypto map ASYNC_BACKUP
!
interface Dialer1
 description Outside
 bandwidth 256
 ip address negotiated
 ip access-group INPUT_ACL in
 ip mtu 1492
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username [removed]@mindspring.com password 7 [removed]
 ppp ipcp dns request accept
 crypto map RTP
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 239 track 21
ip route 0.0.0.0 0.0.0.0 Async1 240
ip route 10.81.0.26 255.255.255.255 Dialer1
ip route xx.xxx.223.24 255.255.255.255 Dialer1
ip route xx.xxx.223.25 255.255.255.255 Async1
no ip http server
no ip http secure-server
ip flow-export version 5
!
!
!
ip access-list extended CRYPTO_MAP_ACL
 permit ip 10.81.7.240 0.0.0.7 any
ip access-list extended CRYPTO_MAP_ACL_BACKUP
 permit ip 10.81.7.240 0.0.0.15 any
ip access-list extended IKE
 permit udp any eq isakmp any eq isakmp
ip access-list extended INPUT_ACL
 remark Allow IKE and ESP from the RTP headends
 permit udp xx.xxx.223.16 0.0.0.15 any eq isakmp
 permit udp xx.xxx.223.16 0.0.0.15 eq isakmp any
 permit esp xx.xxx.223.16 0.0.0.15 any
 remark Cisco Corporate Subnets (not complete)
 permit ip 161.44.0.0 0.0.255.255 10.81.7.240 0.0.0.7
 permit ip 171.68.0.0 0.3.255.255 10.81.7.240 0.0.0.7
 permit ip 172.16.0.0 0.15.255.255 10.81.7.240 0.0.0.7
 permit ip 192.168.0.0 0.0.255.255 10.81.7.240 0.0.0.7
 permit ip 128.107.0.0 0.0.255.255 10.81.7.240 0.0.0.7
 permit ip 64.100.0.0 0.3.255.255 10.81.7.240 0.0.0.7
 permit ip 64.104.0.0 0.0.255.255 10.81.7.240 0.0.0.7
 permit ip 10.0.0.0 0.255.255.255 10.81.7.240 0.0.0.7
 permit udp any any eq bootpc
 remark NTP ACLs
 permit udp 192.5.41.40 0.0.0.1 eq ntp any
 permit udp host 216.210.169.40 eq ntp any
 remark SSH from RTP Ridge
 permit tcp xx.xxx.87.0 0.0.0.255 any eq 22
 permit icmp any any
 deny   ip any any
logging source-interface Vlan1
access-list 88 remark cisco123@cisco.com IP Solutions Center rtp7-esevpn-isc 
access-list 88 permit 64.102.18.178
access-list 88 remark ------------ RTP Lab Subnet ---------
access-list 88 remark cisco456@cisco.com
access-list 88 permit 172.18.86.64 0.0.0.63
access-list 88 deny   any log
access-list 121 remark Define Interesting Traffic
access-list 121 permit ip any any
dialer-list 21 protocol ip list 121
snmp-server community [removed] RW 88
snmp-server trap-source Vlan1
snmp-server location  Home Office
snmp-server contact cisco789@cisco.com
snmp-server enable traps tty
!
!
control-plane
!
rtr responder
rtr 12
 type echo protocol ipIcmpEcho 172.26.129.252 source-ipaddr 10.81.7.241
 request-data-size 164
 tos 192
 frequency 90
 lives-of-history-kept 1
 buckets-of-history-kept 60
 filter-for-history all
rtr schedule 12 start-time now life forever
rtr 1021
 type echo protocol ipIcmpEcho 10.81.0.26 source-ipaddr 10.81.7.241
 tos 192
 timeout 1000
 owner TRACK 21
 frequency 15
 lives-of-history-kept 1
 buckets-of-history-kept 20
 filter-for-history failures
rtr schedule 1021 start-time now life forever
banner motd ^C
   C i s c o S y s t e m s
     ||               ||
     ||               ||       Cisco Systems, Inc.
    ||||             ||||      IT-Transport
 .:|||||||:.......:|||||||:..
  US, Asia & Americas support:    + 1 408 526 8888
 EMEA support:                   + 31 020 342 3888
  UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
 You must have explicit permission to access or configure this
 device. All activities performed on this device are logged and
 violations of this policy may result in disciplinary action.
^C
!
line con 0
 exec-timeout 60 0
 login local
 stopbits 1
line 1
 script dialer MODEM
 modem InOut
 modem autoconfigure discovery
 transport input all
 transport output pad udptn telnet rlogin ssh
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
!
exception memory minimum 786432
ntp clock-period 17179960
ntp server 192.5.41.41
ntp server 192.5.41.40
ntp server 216.210.169.40
ntp server 10.81.254.202 source Vlan1
!
end
Debugging

The Async line must reference a chat script. Chat scripts are text sent to the modem to provide initialization, configuration, and dialing commands. The chat-script MODEM is called by the script dialer MODEM command configured under line 1.
chat-script MODEM "" "atdt\T" TIMEOUT 60 CONNECT \c
... 
interface Async1
...
dialer string 6550070
... 
line 1
 script dialer MODEM
 modem InOut
 modem autoconfigure discovery
 transport input all
 transport output pad udptn telnet rlogin ssh
 stopbits 1
 speed 115200
 flowcontrol hardware
Note that the phone number to dial is 6550070, which is specified under the Async 1 interface configuration. When debug chat is enabled, you can see this string substituted for the \T command in the chat script. The following shows a successful dial attempt with debugging enabled:
Jan  8 16:52:35.289 est: CHAT1: Attempting async line dialer script
Jan  8 16:52:35.289 est: CHAT1: Dialing using Modem script: MODEM & System scrip
t: none
Jan  8 16:52:35.289 est: CHAT1: process started
Jan  8 16:52:35.293 est: CHAT1: Asserting DTR
Jan  8 16:52:35.293 est: CHAT1: Chat script MODEM started
Jan  8 16:52:35.293 est: CHAT1: Sending string: atdt\T<6550070>
Jan  8 16:52:35.293 est: CHAT1: Expecting string: CONNECT
Jan  8 16:52:55.597 est: CHAT1: Completed match for expect: CONNECT
Jan  8 16:52:55.601 est: CHAT1: Sending string: \c
Jan  8 16:52:55.601 est: CHAT1: Chat script MODEM finished, status = Success
It is also useful to use a reverse Telnet to the Async line to manually send the Hayes AT commands to the modem to initiate dialing and login during implementation to verify connectivity to the dial-up service of the ISP. The following example uses the internal WIC-1AM modem on the Cisco 1711:
vpn-jk2-1711-1#telnet 10.81.7.241 2001
Trying 10.81.7.241, 2001 ... Open
   C i s c o S y s t e m s
     ||               ||
     ||               ||       Cisco Systems, Inc.
    ||||             ||||      IT-Transport
 .:|||||||:.......:|||||||:..
  US, Asia & Americas support:    + 1 408 526 8888
 EMEA support:                   + 31 020 342 3888
  UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
 You must have explicit permission to access or configure this
 device. All activities performed on this device are logged and
 violations of this policy may result in disciplinary action.
ath OK
atdt6550070 CONNECT 115200/V34/LAPM/V42B/24000:TX/26400:RX
EarthLink Dialup Service
After you receive the login prompt, you can interactively enter the username and password or interrupt the modem with the +++ command and issue the ATH command to hang up the call. A control + shift + 6 x command reverts back to exec mode where the line can be cleared.
acn01.nc-greensbo1 login: +++
OK
ath OK
CTL SHIFT 6 x
vpn-jk2-1711-1#clear line 1
[confirm]y [OK]
vpn-jk2-1711-1#
Resuming connection 1 to 10.81.7.241 ... ]
[Connection to 10.81.7.241 closed by foreign host]Deleting login session
Note For more information on chat scripts, see Creating and Using Modem Chat Scripts at the following URL: http://www.cisco.com/en/US/docs/ios/dial/configuration/guide/dia_modem_chat_scpts_ps6350_TSD_Products_Configuration_Guide_Chapter.html.

Cisco IOS Versions Tested

The following code versions were used during testing:

•IPSec head-ends—c3725-ik9o3s-mz.122-15.T9

•Cisco 1711—c1700-k9o3sy7-mz.123-2.XE

•SAA target—c2600-adventerprisek9-mz.123-4.T

The IPSec head-end routers were Cisco 3725s with an AIM hardware VPN module. This testing was not intended to scale test head-end performance capabilities. In a customer deployment, IPSec head-ends with suitable performance characteristics aligned with the number of remote routers is advised.

The testing was completed using the DSL connection and dial-up account of the author. There is a Cisco 1760 V3PN bundle (product number: CISCO1760-V3PN/K9) that can be used instead of the Cisco 1711.

Reliable Static Routing Backup Using Object Tracking was first introduced in Cisco IOS Software version 12.3(2)XE.

Summary

The Object Tracking feature of Cisco IOS provides a means to deploy both DSL and Async modems to the same remote location for increased availability. Because this feature uses SAA, a network manager can use its protocols and applications in addition to ICMP for verifying connectivity. One advantage to this configuration is its scalability; a primary and backup IPSec head-end can be configured independently to the SAA head-end router, and additional SAA head-ends can be added as required. If ICMP is used as the SAA probe protocol, any IP host can be used at the head-end.

The use of a dial-up account associated with the ISP DSL account of the site is a very cost effective means of providing higher availability for low bandwidth transactions such as ATM machines and point-of-sale terminals while using a central call processing model for an IP phone over the primary broadband connection.

	V3PN: Redundancy and Load Sharing Design Guide
	Small BranchDSL with Async Backup
V3PN: Redundancy and Load Sharing Design Guide V3PN: Redundancy and Load-Sharing Introduction Small BranchDSL with ISDN Backup Small BranchCable with DSL Backup Small BranchDSL with Async Backup Small BranchDial Backup to Cisco VPN 3000 Concentrator Small BranchLoad Sharing on Dual Broadband Links Small BranchWireless Broadband Deployment Small BranchDual Hub/Dual DMVPN Large BranchFrame Relay/Broadband Load Sharing and Backup Large Branch--Multilink PPP Large BranchInverse Multiplexing over ATM (IMA) Lab Topology References and Reading Acronyms and Definitions	Download this chapter Small BranchDSL with Async Backup Download the complete book V3PN_Red_Load.pdf (PDF - 4 MB) Table Of Contents Small Branch—DSL with Async Backup Solution Characteristics Topology Failover/Recovery Time V3PN QoS Service Policy Performance Results Implementation and Configuration Remote Router SAA and Tracking Head-end SAA Target Router Remote Router—Cisco 1711 Debugging Cisco IOS Versions Tested Summary Small Branch—DSL with Async Backup This section describes the use of DSL with Async backup, and includes the following sections: •Solution Characteristics •Topology •Failover/Recovery Time •V3PN QoS Service Policy •Performance Results •Implementation and Configuration •Debugging •Cisco IOS Versions Tested •Summary Solution Characteristics This design incorporates techniques described in the previous two chapters but now further reduces the costs associated with the backup link. With Basic Rate ISDN as the backup link, it is possible to transport encrypted voice traffic across the backup link. However, installing a Basic Rate ISDN line has installation costs and ongoing monthly charges as well as possible per-minute charges when the link is active. A less costly alternative is to use the plain "old telephone service" (POTS) line that is necessary for provisioning the Asymmetric Digital Subscriber Line (ADSL) service to the branch. Rather than implement an access server at the enterprise head-end location, this design uses the access server of the ISP. This is a further cost reduction to the enterprise. Some ISPs provide access to their dial network at no additional cost as part of a DSL subscription. In some cases, 20 hours per month are provided with DSL service. In other cases, there may be a small fee (less than $10 USD a month) to include dial-up with the DSL plan. Alternatively, dial-up services can be ordered from a different service provider than the ISP providing the DSL service. If single-line DSL (SDSL) service is used (SDSL has no baseband POTS line), a separate POTS line can be installed. There are two primary disadvantages associated with the cost savings of this design: •Encrypted voice cannot be transported to the enterprise head-end over the Async interface because the bandwidth is insufficient. •Local loop cable cut will likely take out both the ADSL and POTS line. However, the integrated WIC-1AM of the Cisco 1711 includes two RJ11 ports: one for the line and the second for the analog phone handset. The analog line can be used for calls when the dial backup is not active. Both the primary and backup links use PPP encapsulation and the IP address is dynamically (negotiated) assigned by the ISP. For the broadband path, this is through PPPoE; for the Async path, this is through PPP. Topology The topology consists of a Cisco 1711 router at the remote branch location, connected to a DSL bridge on the FastEthernet 0 interface. The POTS line for the ADSL service is separated using a DSL filter/splitter and connected to the Async 1 interface. The ISP that provides DSL service also includes 20 hours of dial access per month at no additional charge. The same username and password for access to the DSL network is used for the dial backup. At the head-end location, a pair of IPSec routers are shown in the configuration files; one for the primary path and the second for the backup path. As in previous sections, a pair of IPSec head-end routers can be configured for both the primary and backup path and two separate addresses can be assigned. An SAA target router is used at the head-end location. Note This design uses the Cisco IOS feature, Reliable Static Routing Backup Using Object Tracking, to verify connectivity with SAA probes originating from the inside Ethernet LAN address of the remote router. The SAA packets traverse the IPSec tunnel. If the tunnel is down and the SAA target is unreachable, dial backup is triggered. Because this design uses SAA to generate ICMP packets, the IP host can be used in place of the SAA target router. It is important that this device remains in service because a failure of the target device causes all branches to attempt a dial backup even though the IPSec tunnel remains available. Figure 4-1 shows the devices used in this solution. Figure 4-1 Small Branch DSL with Async Backup The SAA packets are permitted to reach the head-end only via the DSL interface. This is controlled by a static host route. The backup crypto map advertises a /28 prefix to the head-end IPSec router and the primary IPSec router advertises the /29 prefix that is configured on the inside VLAN 1 interface. This ensures that the return path of the SAA packets uses the IPSec tunnel over the DSL interface if it is active. Failover/Recovery Time The following sample configuration uses 60-second track down delay, a polling frequency of 15 seconds for the SAA ICMP probe, and an IKE keepalive value of 10 seconds. To test the dial backup, the DSL cable was removed from the DSL modem. In this display, debug track is enabled. With these configuration options, connectivity is restored in approximately two minutes from the initial failure. vpn-jk2-1711-1#show clock 15:17:07.189 est Thu Jan 8 2004 <- Cable was removed at this time vpn-jk2-1711-1# Jan 8 15:17:11.577 est: Track: 21 Down change delayed for 60 secs Jan 8 15:17:28.293 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer xx.xxx.223.24:500 Id: rtp5-esevpn-gw4.cisco.com Jan 8 15:17:56.465 est: %DIALER-6-UNBIND: Interface Vi1 unbound from profile Di1 Jan 8 15:17:56.485 est: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down Jan 8 15:17:57.465 est: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down Jan 8 15:18:11.577 est: Track: 21 Down change delay expired Jan 8 15:18:11.577 est: Track: 21 Change #14 rtr 1021, state Up->Down Jan 8 15:18:57.902 est: %LINK-3-UPDOWN: Interface Async1, changed state to up Jan 8 15:18:58.906 est: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to up Jan 8 15:19:04.710 est: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer xx.xxx.223.25:500 Id: rtp5-esevpn-gw5.cisco.com vpn-jk2-1711-1#show clock 15:19:11.954 est Thu Jan 8 2004 <- Connectivity restored via Async interface During transition from the backup Async to primary DSL connection, the recovery is transparent to data applications. Following is an example of a continuous ping running from the PC behind the Cisco 1711 as the DSL cable was inserted back into the DSL modem. The transition from Async to DSL can be identified because the round trip time (RTT) of the ICMP packets decreases substantially from approximately 200ms to 90ms. Reply from 172.26.129.252: bytes=32 time=231ms TTL=247 Reply from 172.26.129.252: bytes=32 time=160ms TTL=247 Reply from 172.26.129.252: bytes=32 time=200ms TTL=247 <- last ping on Async Reply from 172.26.129.252: bytes=32 time=90ms TTL=247 <- first ping on DSL Reply from 172.26.129.252: bytes=32 time=100ms TTL=247 Reply from 172.26.129.252: bytes=32 time=111ms TTL=247 Reply from 172.26.129.252: bytes=32 time=90ms TTL=247 Reply from 172.26.129.252: bytes=32 time=90ms TTL=247 Reply from 172.26.129.252: bytes=32 time=90ms TTL=247 Reply from 172.26.129.252: bytes=32 time=90ms TTL=247 Reply from 172.26.129.252: bytes=32 time=90ms TTL=247 Reply from 172.26.129.252: bytes=32 time=90ms TTL=247 The LCD display on the IP Phone changes to normal state after recovery because the phone is able to register with the Cisco CallManager over DSL. V3PN QoS Service Policy The Async connection does not provide sufficient bandwidth to place a usable encrypted voice call. During testing, encrypted G.711 calls were placed over the Async connection. The latency across the Async connection is typically over 230 ms round trip and packet loss of the voice call was generally 50 percent of the G.711 voice stream. The goal is then to render the Cisco 7960 IP Phone unusable during dial backup. If measures are not taken, the phone registers with its call manager over the Async connection, and the phone display appears normal. However, if a call is successfully dialed, the voice quality is too poor to be usable. The assumption then is that the primary DSL interface can service one voice call, but no calls can be supported when in dial backup mode. Because the Context-Based Access Control (CBAC) of the Cisco IOS Firewall is configured on the remote router, applying a static ACL entry to block the Skinny Client Control Protocol (SCCP) packets is ineffective. The IP phone originating a TCP connection to the call manager causes CBAC to insert a temporary ACL entry, permitting the IP phone to register. Additionally, it is preferable to implement a method of blocking voice that does not require configuring specific call manager IP addresses. To block the IP phone from communicating with the call manager, an input QoS service policy is configured, borrowing the voice and call-setup classes defined for applying uplink QoS on the primary interface. A policer is configured for each class, dropping packets if they either conform or exceed an arbitrary data rate. The data rate configured is immaterial, because packets are dropped if they are above or below the rate. In the following example, the lowest (8000 bps) configurable value was selected. The service policy is applied on the input Async interface as follows: ! policy-map ASYNC_IN description Allows us to block voice on the Async class VOICE police 8000 conform-action drop exceed-action drop class CALL-SETUP police 8000 conform-action drop exceed-action drop interface Async1 bandwidth 24 ip address negotiated ip access-group INPUT_ACL in service-policy input ASYNC_IN The same input ACL applied to the primary interface is also applied to the backup interface because both interfaces connect to the Internet. Performance Results No specific QoS policy was applied to the output Async1 interface except for the default value of weighted fair queueing. Because encrypted voice was not attempted on the backup interface because of bandwidth constraints, no performance tests were run. During the time the dial backup was active, the workstation was able to send and receive text email, view web pages, and so on. Note from the previous section on failover and recovery time, the latency of the Async interface is higher than the broadband connection. The effective bandwidth of the dial backup link is approximately 24 kbps in these tests. A specific QoS service policy can be applied on the output to the Async interface to guarantee bandwidth to mission-critical or transactional applications. However, weighted fair queueing may be sufficient for these low-volume applications. Implementation and Configuration This section describes the key configuration components, and includes the following topics: •Remote Router SAA and Tracking •Head-end SAA Target Router •Remote Router—Cisco 1711 In the following examples, the addressing conventions are used: •All subnets of 10.0.0.0 addressing represent enterprise internal address space. •All subnets of 172.16.0.0 addressing represent enterprise internal address space. •All subnets of xx.xxx.223.0 addressing represent Internet routable address space. Remote Router SAA and Tracking The IP address of the head-end SAA target router is 10.81.0.26. The inside LAN interface address remote Cisco 1711 router is 10.81.7.241. Sourcing the ICMP packets off this interface encrypts the ICMP packets in the IPSec tunnel. The IPSec tunnel must be active before the ICMP connectivity can be restored and data traffic can begin using the IPSec tunnel. ! track 21 rtr 1021 delay down 60 up 5 ip route 0.0.0.0 0.0.0.0 Dialer1 239 track 21 <- Primary Interface ip route 0.0.0.0 0.0.0.0 Async1 240 <- Backup Interface ip route 10.81.0.26 255.255.255.255 Dialer1 <- Force SAA ICMP out Primary Interface ip route xx.xxx.223.24 255.255.255.255 Dialer1 <- Primary IPSec Peer ip route xx.xxx.223.25 255.255.255.255 Async1 <- Backup IPSec Peer rtr 1021 type echo protocol ipIcmpEcho 10.81.0.26 source-ipaddr 10.81.7.241 tos 192 timeout 1000 owner TRACK 21 frequency 15 lives-of-history-kept 1 buckets-of-history-kept 20 filter-for-history failures rtr schedule 1021 start-time now life forever ! Head-end SAA Target Router Because the SAA configuration uses ICMP in this example, no SAA configuration is required on the head-end target router. In fact, you can use any IP host that reliably responds to ICMP (echo-request) pings. Remote Router—Cisco 1711 The following is the configuration of the remote router: ! version 12.3 no service pad service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption ! hostname vpn-jk2-1711-1 ! boot-start-marker boot-end-marker ! logging buffered 4096 debugging enable secret 5 [removed] ! username [removed] privilege 15 secret 5 [removed] clock timezone est -5 clock summer-time edt recurring no aaa new-model ip subnet-zero ! ! ! ip dhcp pool Client import all network 10.81.7.240 255.255.255.248 default-router 10.81.7.241 dns-server 64.102.6.247 171.68.226.120 domain-name cisco.com option 150 ip 64.102.2.93 netbios-name-server 171.68.235.228 171.68.235.229 ! ! ip telnet source-interface Vlan1 ip tftp source-interface Vlan1 ip ftp source-interface Vlan1 no ip domain lookup ip domain name cisco.com ip host harry 172.26.129.252 ip host rtp5-esevpn-ca 10.81.0.18 ip name-server 64.102.6.247 ip name-server 207.69.188.185 ip cef ip inspect name CBAC tcp ip inspect name CBAC udp ip inspect name CBAC ftp ip audit notify log ip audit po max-events 100 ip ssh source-interface Vlan1 ! track 21 rtr 1021 delay down 60 up 5 no ftp-server write-enable no scripting tcl init no scripting tcl encdir chat-script MODEM "" "atdt\T" TIMEOUT 60 CONNECT \c ! ! crypto ca trustpoint ese-vpn-cert enrollment mode ra enrollment url http://10.81.0.18:80/certsrv/mscep/mscep.dll revocation-check none source interface Vlan1 auto-enroll 70 ! ! crypto ca certificate chain ese-vpn-cert certificate 2ABC84E400000000002A certificate ca 36092145BAA631BF4763493E714CD857 ! ! crypto isakmp policy 1 encr 3des group 2 crypto isakmp keepalive 10 ! ! crypto ipsec transform-set REPLAY esp-3des esp-sha-hmac no crypto ipsec nat-transparency udp-encaps ! crypto map RTP 1 ipsec-isakmp description RTP Enterprise Class Teleworker set peer xx.xxx.223.24 set transform-set REPLAY match address CRYPTO_MAP_ACL qos pre-classify ! crypto map ASYNC_BACKUP 1 ipsec-isakmp description For ASYNC backup interface set peer xx.xxx.223.25 set transform-set REPLAY match address CRYPTO_MAP_ACL_BACKUP qos pre-classify ! ! ! class-map match-all VOICE match ip dscp ef class-map match-any CALL-SETUP match ip dscp af31 match ip dscp cs3 class-map match-any INTERNETWORK-CONTROL match ip dscp cs6 match access-group name IKE ! ! policy-map ASYNC_IN description Allows us to block voice on the Async class VOICE police 8000 conform-action drop exceed-action drop class CALL-SETUP police 8000 conform-action drop exceed-action drop policy-map V3PN-teleworker description Note LLQ for ATM/DSL G.729=64K, G.711=128K class CALL-SETUP bandwidth percent 2 class INTERNETWORK-CONTROL bandwidth percent 5 class VOICE priority 128 class class-default fair-queue random-detect policy-map Shaper class class-default shape average 182400 1824 service-policy V3PN-teleworker ! ! ! interface FastEthernet0 description Outside no ip address service-policy output Shaper duplex auto speed auto pppoe enable pppoe-client dial-pool-number 1 no cdp enable ! interface FastEthernet1 no ip address vlan-id dot1q 1 exit-vlan-config ! ! interface FastEthernet2 no ip address vlan-id dot1q 1 exit-vlan-config ! ! interface FastEthernet3 no ip address vlan-id dot1q 1 exit-vlan-config ! ! interface FastEthernet4 no ip address vlan-id dot1q 1 exit-vlan-config ! ! interface Vlan1 description Inside ip address 10.81.7.241 255.255.255.248 ip inspect CBAC in ip route-cache flow ip tcp adjust-mss 542 hold-queue 40 out ! interface Async1 description EarthLink Dialup Service V34/LAPM/V42B/24000:TX/26400:RX bandwidth 24 ip address negotiated ip access-group INPUT_ACL in service-policy input ASYNC_IN encapsulation ppp ip route-cache flow load-interval 30 dialer in-band dialer string 6550070 dialer-group 21 async mode dedicated ppp authentication pap callin ppp pap sent-username [removed]@mindspring.com password 7 [removed] crypto map ASYNC_BACKUP ! interface Dialer1 description Outside bandwidth 256 ip address negotiated ip access-group INPUT_ACL in ip mtu 1492 encapsulation ppp ip route-cache flow dialer pool 1 no cdp enable ppp authentication pap callin ppp chap refuse ppp pap sent-username [removed]@mindspring.com password 7 [removed] ppp ipcp dns request accept crypto map RTP ! ip classless ip route 0.0.0.0 0.0.0.0 Dialer1 239 track 21 ip route 0.0.0.0 0.0.0.0 Async1 240 ip route 10.81.0.26 255.255.255.255 Dialer1 ip route xx.xxx.223.24 255.255.255.255 Dialer1 ip route xx.xxx.223.25 255.255.255.255 Async1 no ip http server no ip http secure-server ip flow-export version 5 ! ! ! ip access-list extended CRYPTO_MAP_ACL permit ip 10.81.7.240 0.0.0.7 any ip access-list extended CRYPTO_MAP_ACL_BACKUP permit ip 10.81.7.240 0.0.0.15 any ip access-list extended IKE permit udp any eq isakmp any eq isakmp ip access-list extended INPUT_ACL remark Allow IKE and ESP from the RTP headends permit udp xx.xxx.223.16 0.0.0.15 any eq isakmp permit udp xx.xxx.223.16 0.0.0.15 eq isakmp any permit esp xx.xxx.223.16 0.0.0.15 any remark Cisco Corporate Subnets (not complete) permit ip 161.44.0.0 0.0.255.255 10.81.7.240 0.0.0.7 permit ip 171.68.0.0 0.3.255.255 10.81.7.240 0.0.0.7 permit ip 172.16.0.0 0.15.255.255 10.81.7.240 0.0.0.7 permit ip 192.168.0.0 0.0.255.255 10.81.7.240 0.0.0.7 permit ip 128.107.0.0 0.0.255.255 10.81.7.240 0.0.0.7 permit ip 64.100.0.0 0.3.255.255 10.81.7.240 0.0.0.7 permit ip 64.104.0.0 0.0.255.255 10.81.7.240 0.0.0.7 permit ip 10.0.0.0 0.255.255.255 10.81.7.240 0.0.0.7 permit udp any any eq bootpc remark NTP ACLs permit udp 192.5.41.40 0.0.0.1 eq ntp any permit udp host 216.210.169.40 eq ntp any remark SSH from RTP Ridge permit tcp xx.xxx.87.0 0.0.0.255 any eq 22 permit icmp any any deny ip any any logging source-interface Vlan1 access-list 88 remark cisco123@cisco.com IP Solutions Center rtp7-esevpn-isc access-list 88 permit 64.102.18.178 access-list 88 remark ------------ RTP Lab Subnet --------- access-list 88 remark cisco456@cisco.com access-list 88 permit 172.18.86.64 0.0.0.63 access-list 88 deny any log access-list 121 remark Define Interesting Traffic access-list 121 permit ip any any dialer-list 21 protocol ip list 121 snmp-server community [removed] RW 88 snmp-server trap-source Vlan1 snmp-server location Home Office snmp-server contact cisco789@cisco.com snmp-server enable traps tty ! ! control-plane ! rtr responder rtr 12 type echo protocol ipIcmpEcho 172.26.129.252 source-ipaddr 10.81.7.241 request-data-size 164 tos 192 frequency 90 lives-of-history-kept 1 buckets-of-history-kept 60 filter-for-history all rtr schedule 12 start-time now life forever rtr 1021 type echo protocol ipIcmpEcho 10.81.0.26 source-ipaddr 10.81.7.241 tos 192 timeout 1000 owner TRACK 21 frequency 15 lives-of-history-kept 1 buckets-of-history-kept 20 filter-for-history failures rtr schedule 1021 start-time now life forever banner motd ^C C i s c o S y s t e m s \|\| \|\| \|\| \|\| Cisco Systems, Inc. \|\|\|\| \|\|\|\| IT-Transport .:\|\|\|\|\|\|\|:.......:\|\|\|\|\|\|\|:.. US, Asia & Americas support: + 1 408 526 8888 EMEA support: + 31 020 342 3888 UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary action. ^C ! line con 0 exec-timeout 60 0 login local stopbits 1 line 1 script dialer MODEM modem InOut modem autoconfigure discovery transport input all transport output pad udptn telnet rlogin ssh stopbits 1 speed 115200 flowcontrol hardware line aux 0 stopbits 1 line vty 0 4 login local transport input ssh ! exception memory minimum 786432 ntp clock-period 17179960 ntp server 192.5.41.41 ntp server 192.5.41.40 ntp server 216.210.169.40 ntp server 10.81.254.202 source Vlan1 ! end Debugging The Async line must reference a chat script. Chat scripts are text sent to the modem to provide initialization, configuration, and dialing commands. The chat-script MODEM is called by the script dialer MODEM command configured under line 1. chat-script MODEM "" "atdt\T" TIMEOUT 60 CONNECT \c ... interface Async1 ... dialer string 6550070 ... line 1 script dialer MODEM modem InOut modem autoconfigure discovery transport input all transport output pad udptn telnet rlogin ssh stopbits 1 speed 115200 flowcontrol hardware Note that the phone number to dial is 6550070, which is specified under the Async 1 interface configuration. When debug chat is enabled, you can see this string substituted for the \T command in the chat script. The following shows a successful dial attempt with debugging enabled: Jan 8 16:52:35.289 est: CHAT1: Attempting async line dialer script Jan 8 16:52:35.289 est: CHAT1: Dialing using Modem script: MODEM & System scrip t: none Jan 8 16:52:35.289 est: CHAT1: process started Jan 8 16:52:35.293 est: CHAT1: Asserting DTR Jan 8 16:52:35.293 est: CHAT1: Chat script MODEM started Jan 8 16:52:35.293 est: CHAT1: Sending string: atdt\T<6550070> Jan 8 16:52:35.293 est: CHAT1: Expecting string: CONNECT Jan 8 16:52:55.597 est: CHAT1: Completed match for expect: CONNECT Jan 8 16:52:55.601 est: CHAT1: Sending string: \c Jan 8 16:52:55.601 est: CHAT1: Chat script MODEM finished, status = Success It is also useful to use a reverse Telnet to the Async line to manually send the Hayes AT commands to the modem to initiate dialing and login during implementation to verify connectivity to the dial-up service of the ISP. The following example uses the internal WIC-1AM modem on the Cisco 1711: vpn-jk2-1711-1#telnet 10.81.7.241 2001 Trying 10.81.7.241, 2001 ... Open C i s c o S y s t e m s \|\| \|\| \|\| \|\| Cisco Systems, Inc. \|\|\|\| \|\|\|\| IT-Transport .:\|\|\|\|\|\|\|:.......:\|\|\|\|\|\|\|:.. US, Asia & Americas support: + 1 408 526 8888 EMEA support: + 31 020 342 3888 UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary action. ath OK atdt6550070 CONNECT 115200/V34/LAPM/V42B/24000:TX/26400:RX EarthLink Dialup Service After you receive the login prompt, you can interactively enter the username and password or interrupt the modem with the +++ command and issue the ATH command to hang up the call. A control + shift + 6 x command reverts back to exec mode where the line can be cleared. acn01.nc-greensbo1 login: +++ OK ath OK CTL SHIFT 6 x vpn-jk2-1711-1#clear line 1 [confirm]y [OK] vpn-jk2-1711-1# Resuming connection 1 to 10.81.7.241 ... ] [Connection to 10.81.7.241 closed by foreign host]Deleting login session Note For more information on chat scripts, see Creating and Using Modem Chat Scripts at the following URL: http://www.cisco.com/en/US/docs/ios/dial/configuration/guide/dia_modem_chat_scpts_ps6350_TSD_Products_Configuration_Guide_Chapter.html. Cisco IOS Versions Tested The following code versions were used during testing: •IPSec head-ends—c3725-ik9o3s-mz.122-15.T9 •Cisco 1711—c1700-k9o3sy7-mz.123-2.XE •SAA target—c2600-adventerprisek9-mz.123-4.T The IPSec head-end routers were Cisco 3725s with an AIM hardware VPN module. This testing was not intended to scale test head-end performance capabilities. In a customer deployment, IPSec head-ends with suitable performance characteristics aligned with the number of remote routers is advised. The testing was completed using the DSL connection and dial-up account of the author. There is a Cisco 1760 V3PN bundle (product number: CISCO1760-V3PN/K9) that can be used instead of the Cisco 1711. Reliable Static Routing Backup Using Object Tracking was first introduced in Cisco IOS Software version 12.3(2)XE. Summary The Object Tracking feature of Cisco IOS provides a means to deploy both DSL and Async modems to the same remote location for increased availability. Because this feature uses SAA, a network manager can use its protocols and applications in addition to ICMP for verifying connectivity. One advantage to this configuration is its scalability; a primary and backup IPSec head-end can be configured independently to the SAA head-end router, and additional SAA head-ends can be added as required. If ICMP is used as the SAA probe protocol, any IP host can be used at the head-end. The use of a dial-up account associated with the ISP DSL account of the site is a very cost effective means of providing higher availability for low bandwidth transactions such as ATM machines and point-of-sale terminals while using a central call processing model for an IP phone over the primary broadband connection.
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks