The Cisco IOS® Software dial backup feature uses dialup service over a regular telephone wire to provide backup Internet connectivity if the primary Internet service provider (ISP) connection fails. In the Cisco® Enterprise-Class Teleworker (ECT) solution, which encompasses a Dynamic Multipoint VPN (DMVPN) architecture for data gateway infrastructure, the dial backup feature provides connectivity to the data gateway using the dialup network if the primary ISP connection fails. The primary ISP connection is usually a broadband connection. The bandwidth and speed provided by a dialup network are low and should be used mainly to provide secondary connectivity. Whenever connection to the ISP is restored, the tunnel to the data gateway using dialup connectivity is torn down, and the tunnel using the ISP is restored.
This document explains how the dial backup feature works in a Cisco ECT environment.
TOPOLOGY
In a DMVPN deployment, dial backup is incorporated on spokes. The topology shown in Figure 1 indicates the connectivity between spoke and data gateways in the current Cisco ECT deployment.
Figure 1. Original Cisco ECT Topology
In Figure 2, a dialup server is introduced, and a new hub is created to handle all DMVPN tunnels originating from the dialup network.
Figure 2. Deploying Dial Backup in an Cisco ECT Environment
Initial connectivity to the internal network occurs by way of the data gateways VPN1 and VPN2, which provide redundant connectivity to the internal network. Although the primary path to reach the internal network is provided by one VPN gateway (for example, VPN1), gateway VPN2 takes over if gateway VPN1 is unusable because of system abnormality or router reload. Because dial backup is used, the redundancy is taken to the next level, in which connectivity to the internal network is provided transparently if an ISP failure occurs.
When the spoke recognizes that connectivity to gateways VPN1 and VPN2 is unavailable, the spoke triggers the dialup process and attempts to reach the dialup server. The spoke has two paths by which to reach the VPN gateways-the path using the ISP and the path using dialup service. On the spoke, the path using the ISP is given higher priority, and the path using dialup service is given lower priority. When the spoke does not find the path to the gateway using the primary path (because of a missing entry in a routing table or an Internet Control Message Protocol [ICMP] ping failure), it triggers the dialup process. The spoke gets a dynamic address from the dialup server and reaches the VPN gateway by way of the dialup server. The spoke then initiates Next Hop Resolution Protocol (NHRP) registration and subsequently brings up a DMVPN tunnel with gateway VPN3 and thereby provides connectivity to the internal network. When the ISP connection is up again, the DMVPN tunnel to gateways VPN1 and VPN2 is brought up, and the DMVPN tunnel to gateway VPN3 is torn down.
In testing dial backup in a Cisco ECT setup, only analog modems were used. In the spoke, platforms which have internal modems or modem WICs, such as the Cisco 1811/1841 Integrated Services Router, can be used; platforms that do not have internal modems, such as the 871 Integrated Services Router, require the user to use external modems. With an external modem, care must be taken to adjust the baud rate and other parameters on the spoke router to match the speed with which the modem is configured to work.
IMAGES
The dialup server is supported on many platforms. For the purpose of our testing, we have limited the dialup server and spoke platforms and images as follows:
• Dial Server Platform: Cisco 3640 Multiservice Platform; image c3640-ik9o3s-mz.123-9
• Spoke Platform: Cisco 871 Integrated Services Router; Image on Spoke: Cisco IOS Software Release 12.4 (4) T c870-adventerprisek9-mz.124-4.T
LIMITATIONS
• When a DMVPN tunnel is established using dial backup, only the hub-to-spoke topology is supported.
• The testing has been performed with an in-house dial server. The setup has not been tried with dialup service provided by ISPs.
• While configuring the Cisco 871 for dial backup, do not use the console. Always Telnet to the router and then configure the modem commands and other commands for dial backup feature. Since the Cisco 871 does not have an internal modem, connect the console port on the Cisco 871 with an external analog modem.
• Since the Cisco 1841 uses a modem WAN interface card (WIC), connect the phone cable to the ports on the WIC.
• Since the Cisco 1811 uses an internal modem, connect the phone cable to the V.92 port on the router itself.
CONFIGURATION
Figure 3 shows the sample topology with IP address corresponding to the node, to map with the configuration below.
Note: Figure 3 introduces a router in a DMZ. When a user uses track commands on the spoke, the spoke should be able to ping the IP address defined in the tracking feature. In Figure 3, we are assuming that the loopback address on DMVPN hubs cannot be reached via ping and that only the IP address defined in the DMZ router can be reached via ping. Alternatively, the user could use the default gateway provided by the ISP to track commands, as long as the default gateway address is not a Network Address Translation (NAT) address.
Figure 3. Modified Diagram of Figure 2, Giving IP Addresses of Interface
Configuring the Cisco 1841 for Dial Backup
Note: In the configurations below, tracking commands are used to track the route on the DMZ router connecting via the ISP. Dialer watch can also be used. An example of dialer watch configuration is given in the "Configuration on Cisco 1811" section. Since the Cisco 1841 uses a WIC modem, connect the phone cable to the ports on the WIC itself.
aaa new-model
aaa authentication ppp default local
! Define IP address that will be tracked. If 10.31.0.1 cannot be reached by ISP then dial process is
! triggered. FastEthernet 0/1 connects to ISP.
!
ip sla monitor 1
type echo protocol ipIcmpEcho 10.31.0.1 source-interface FastEthernet0/1
timeout 1000
threshold 100
frequency 3
ip sla monitor schedule 1 life forever start-time now
! The line "chat-script" must be configured in one line.
! Here primary tunnel is connected to vpn1 and vpn2 and secondary tunnel is connected to vpn3.
! Tunnel 20 is secondary tunnel and tunnel 12 is primary tunnel.
!
interface Tunnel20
description secondary tunnel via dial server
bandwidth 2000
ip address 10.7.8.226 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-dense-mode
ip multicast rate-limit out 128
ip nhrp map 10.7.8.5 10.2.0.67
ip nhrp map multicast 10.2.0.67
ip nhrp network-id 1234
ip nhrp holdtime 300
ip nhrp nhs 10.7.8.5
ip nhrp registration no-unique
ip tcp adjust-mss 1360
load-interval 30
delay 2000
qos pre-classify
tunnel source Async0/1/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile dialprofile
!
! Tunnel 12 is the mGRE interface for dynamic GRE tunnels via the ISP
!
interface Tunnel12
description Tunnel to primary hubs vpn1 and vpn2
bandwidth 2000
ip address 10.7.10.226 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-dense-mode
ip multicast rate-limit out 128
ip nhrp map 10.7.10.1 10.2.0.66
ip nhrp map multicast 10.2.0.66
ip nhrp map 10.7.10.5 10.2.0.65
ip nhrp map multicast 10.2.0.65
ip nhrp network-id 2345
ip nhrp holdtime 300
ip nhrp nhs 10.7.10.1
ip nhrp nhs 10.7.10.5
ip nhrp registration no-unique
ip tcp adjust-mss 1360
load-interval 30
delay 2000
qos pre-classify
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 101
tunnel protection ipsec profile proftest
!
!
interface FastEthernet0/1
description outside interface
ip dhcp client route track 1
ip address dhcp client-id FastEthernet0/1
!
! Define async interface and define the dialer parameters.
!
interface Async0/1/0
ip address negotiated
encapsulation ppp
dialer in-band
dialer fast-idle 10800
dialer enable-timeout 6
dialer wait-for-carrier-time 75
dialer string 4441234
dialer hold-queue 100 timeout 75
dialer-group 1
async dynamic address
async dynamic routing
async mode dedicated
no fair-queue
ppp chap hostname dialuser
ppp chap password 7 1214TEST
!
! Define lower priority for the route learned from the async interface.
!
ip route 10.2.0.64 255.255.255.240 Async0/1/0 200
ip route 10.31.0.1 255.255.255.248 Null0 200
ip route 10.69.1.9 255.255.255.255 Async0/1/0
!
! The route via ISP has higher priority.
!
ip route 10.2.0.64 255.255.255.240 dhcp
!
!
access-list 102 permit ip any any
dialer-list 1 protocol ip list 102
!
! Define modem parameters.
!
line con 0
logging synchronous
stopbits 1
line aux 0
line 0/1/0
script dialer Dialout
modem InOut
modem autoconfigure type MyTest
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line 0/1/1
script dialer Dialout
modem InOut
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
logging synchronous
!
Configuring the Cisco 871 for Dial Backup
Note: In the configurations below, tracking commands are used to watch the ICMP pings from the spoke's default gateway. If the gateway cannot be reached, then the router will attempt to reach the DMVPN hub via the async interface, which has a lower priority. The async interface will be assigned an IP address by the dial server and the spoke will reach the DMVPN hub via the dial server.
While configuring the Cisco 871 for dial backup, do not use the console. Always Telnet to the router and then configure the modem commands and other commands for the dial backup feature. Since the Cisco 871 does not have internal modem, connect the console port on the Cisco 871 with an external analog modem using a cross cable.
