Configuring ISDN is fairly simple, and only a few commands are needed for the basic configuration. It does, however, require some knowledge of how ISDN works, the different line protocols, and the proper placement of the equipment. To explain how to configure the ISDN router interfaces correctly, this section of the chapter looks at the following issues:
Service Profile Identifier

The phone-line identifier that is used in an analog phone environment is called a SPID (Service Profile ID). The SPID includes the actual seven-digit telephone number, including the area code and sometimes an extra few digits used by the service provider's switch. A SPID looks similar to this example:

    80055515500100

The preceding example corresponds to the phone number 800-555-1550. The additional parameters, 0100, serve as an identifier for the local service provider's switch. If you don't have these numbers and you know the service has been connected, you may need to contact the local service provider to receive these numbers. The SPID can also contain a two-digit prefix prior to the number, such as 0180055575500100.
The ISDN SPID is a unique number that the local ISDN router must learn in order to successfully identify itself, but only in North America; the integration of the phone number into the SPID is usually only applicable in public telephone company ISDN installations. In a private ISDN network, the SPID can usually be any 10-digit or longer number.
Challenge Handshake Authentication Protocol

CHAP (Challenge Handshake Authentication Protocol) provides ISDN with the capability to control access to each router by forcing the ISDN routers to use an authentication technique. This safeguard enables a business to be confident that implementing ISDN is a low security risk. CHAP is used to require a username and encrypted password on all inbound connections. One of the most important items in troubleshooting CHAP is to verify that the CHAP-configured username and passwords match on both interfaces connecting the ISDN routers. One advantage Cisco has over other ISDN routers is the ability to support Microsoft CHAP (MS-CHAP), which was implemented in version 12 of the Cisco IOS, and the Password Authentication Protocol (PAP), which is an earlier version of CHAP.
To use CHAP authentication, you must enable PPP by using the encapsulation ppp command and assigning an authentication method, as follows:

    Seans804(config-if)# ppp auth ?
      chap     Challenge Handshake Authentication Protocol(CHAP)
      ms-chap  Microsoft Challenge Handshake Authentication Protocol(MS-CHAP)
      pap      Password Authentication Protocol (PAP)

If you suspect a password might be the problem in authenticating, the best way to confirm this is by using the debug ppp authentication command. The following output shows the error you will receive when the authentication fails due to an incorrect password configuration:

    Seans804# debug ppp authentication
    PPP authentication debugging is on
    Seans804#ping 207.212.78.107
    Type escape sequence to abort.
    04:02:36: BR0:1 PPP: Phase is AUTHENTICATING, by both
    04:02:36: BR0:1 CHAP: O CHALLENGE id 7 len 27 from "Seans804"
    04:02:36: BR0:1 CHAP: I CHALLENGE id 7 len 24 from "Seans804"
    04:02:36: BR0:1 CHAP: O RESPONSE id 7 len 27 from "Seans804"
    04:02:36: BR0:1 CHAP: I FAILURE id 7 len 25 msg is "MD/DES compare failed"
    04:02:36: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from 18005551559, call lasted 1 seconds
    04:02:38: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
    04:02:38: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up.
    04:02:38: BR0:1 PPP: Treating connection as a callout
    04:02:38: BR0:1 PPP: Phase is AUTHENTICATING, by both
    04:02:38: BR0:1 CHAP: O CHALLENGE id 8 len 27 from "Seans804"
    04:02:38: BR0:1 CHAP: I CHALLENGE id 8 len 24 from "Seans804"
    04:02:38: BR0:1 CHAP: O RESPONSE id 8 len 27 from "Seans804"
    04:02:38: BR0:1 CHAP: I FAILURE id 8 len 25 msg is "MD/DES compare failed"

As this output demonstrates, CHAP performs authentication by sending authentication packets that consist of an 8-bit Code field, an 8-bit Identifier field, a 16-bit Length field, and a Data field, which can vary in length.
The Code field identifies the type of CHAP packet being sent, which may be any of the following four types:
The following is the CHAP authentication process between the DCS1804 router and the DCS2804 router:
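As an added example (not from the original text or from Cisco), the Python below builds and parses CHAP packets with the header layout described above and runs one challenge/response exchange between the two routers. The Code values and the MD5 response calculation are taken from RFC 1994, the secrets passed to `exchange` are constructed, and the Failure text is copied from the debug output shown earlier.

```python
import hashlib
import hmac
import os
import struct

# RFC 1994 (not this page): Code values; Response Value = MD5(Identifier || secret || challenge).
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4

def build(code, ident, data=b""):
    """Code (8 bits), Identifier (8 bits), Length (16 bits), then Data."""
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def parse(packet):
    """Return (code, identifier, data); reject truncated or mis-sized packets."""
    if len(packet) < 4:
        raise ValueError("shorter than the 4-byte CHAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 4 <= length <= len(packet):
        raise ValueError("Length field disagrees with the packet size")
    return code, ident, packet[4:length]  # bytes beyond Length are padding

def split_value(data):
    """Challenge/Response Data: Value-Size (1 byte), Value, then Name."""
    if not data or data[0] > len(data) - 1:
        raise ValueError("Value-Size overruns the Data field")
    return data[1:1 + data[0]], data[1 + data[0]:]

def chap_md5(ident, secret, value):
    return hashlib.md5(bytes([ident]) + secret + value).digest()

def challenge(ident, name):
    value = os.urandom(16)  # fresh per attempt so an old response cannot be replayed
    return build(CHALLENGE, ident, bytes([len(value)]) + value + name)

def respond(challenge_pkt, name, secret):
    _, ident, data = parse(challenge_pkt)
    digest = chap_md5(ident, secret, split_value(data)[0])
    return build(RESPONSE, ident, bytes([len(digest)]) + digest + name)

def verify(challenge_pkt, response_pkt, secret):
    _, c_id, c_data = parse(challenge_pkt)
    code, r_id, r_data = parse(response_pkt)
    expected = chap_md5(c_id, secret, split_value(c_data)[0])
    ok = (code == RESPONSE and r_id == c_id
          and hmac.compare_digest(split_value(r_data)[0], expected))
    return build(SUCCESS, c_id) if ok else build(FAILURE, c_id, b"MD/DES compare failed")

def exchange(authenticator_secret, peer_secret, ident=7):
    c = challenge(ident, b"DCS1804")  # router names from the page; secrets are constructed
    return verify(c, respond(c, b"DCS2804", peer_secret), authenticator_secret)
```

Calling `exchange(b"cisco", b"c1sco")` returns a 25-byte Failure packet (4-byte header plus the 21-character message), the same length reported on the `I FAILURE ... len 25` lines of the debug output; the password itself never crosses the link, only the hash.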
Configuring CHAP authentication is a straightforward process. Here is an example of configuring an ISDN router with a username, password, and PPP CHAP authentication:

    Seans804# config t
    Seans804(config)# username Sean password cisco
    Seans804(config)# interface bri0
    Seans804(config-if)# encapsulation ppp
    Seans804(config-if)# ppp authentication chap

The dialer map Command

The dialer map command permits the ISDN router to dial an associated number when data that is destined for the next-hop interface is received. When data is received for the identified protocol on the other side of the ISDN line, this command instructs the ISDN router which number to call. When using this command, you must make sure that the dialer map entries contain valid IP addresses and phone numbers, and that a dialer map statement exists for each protocol in the network. The following output walks you through using the dialer map command for the IP protocol:

    Seans804(config)# int bri0
    Seans804(config-if)# dialer map ?
      bridge    Bridging
      clns      ISO CLNS
      ip        IP
      ipx       Novell IPX
      llc2      LLC2
      netbios   NETBIOS
      snapshot  Snapshot routing support
    Seans804(config-if)#dialer map ip ?
      A.B.C.D  Protocol specific address
    Seans804(config-if)#dialer map ip 172.16.1.1 ?
      WORD           Dialer string
      broadcast      Broadcasts should be forwarded to this address
      class          dialer map class
      modem-script   Specify regular expression to select modem dialing script
      name           Map to a host
      spc            Semi Permanent Connections
      speed          Set dialer speed
      system-script  Specify regular expression to select system dialing script
    Sean804(config-if)# dialer map ip 207.212.78.107 18005551001
    Sean804(config-if)#

The following example demonstrates the BRI0 interface using the show running-config command:

    interface BRI0
     ip address 207.212.78.107 255.255.255.0
     no ip directed-broadcast
     no ip route-cache
     no ip mroute-cache
     dialer idle-timeout 100000
     dialer wait-for-carrier-time 120
     dialer map ip 172.16.1.1 18005551001
     dialer load-threshold 128 either
     dialer-group 1
     isdn switch-type basic-ni
     isdn spid1 5551001401
    !

The above shows the BRI0 interface configuration. It shows all the dialer settings, as well as the SPID used to dial the ISDN router on the other side of the link.

Access Lists

Access lists are used with ISDN connections to keep certain types of traffic from being sent across the ISDN link and causing the ISDN router to make an unnecessary connection. Because the more calls you make, the more you pay, access lists save money. Some services offer Centrex ISDN and other options that circumvent higher costs. Centrex ISDN is typically billed by the megabyte sent instead of by the minute or hour that the ISDN connection is used. Still, if you need a constant connection (more than 40 hours per month), Frame Relay, DSL, and many other permanent virtual connection (PVC) technologies are available with the same or greater bandwidth at a much lower cost.

The following example demonstrates a configured access list, using the dialer-group command to apply it to an interface. This access list, shown here in the output of the show running-config command, is configured to allow only IP protocols: it allows all IP traffic with the exception of HTTP, which uses port 80.
    interface BRI0
     ip address 172.16.1.2 255.255.255.0
     no ip directed-broadcast
     no ip route-cache
     no ip mroute-cache
     dialer idle-timeout 100000
     dialer wait-for-carrier-time 120
     dialer map ip 172.16.1.1 18008358664
     dialer map ip 172.16.1.1 18005551002
     dialer load-threshold 128 either
     dialer-group 1
     isdn switch-type basic-ni
     isdn switch-type basic-ni
    !
    router rip
     redistribute static
     network 63.0.0.0
     network 172.16.0.0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 172.16.1.1
    ip route 63.78.39.0 255.255.255.0 172.16.1.1
    !
    access-list 155 deny tcp any any eq 80
    access-list 155 permit ip any any
    dialer-list 1 protocol ip list 155
    !
    line con 0
     transport input none
     stopbits 1
    line vty 0 4
     password sean
     login
    !

The access-list 155 lines in the preceding sample show the access list that is used to decide what is interesting traffic. The access list shows that every IP packet is considered interesting traffic except for Web-based traffic on port 80.

Point-To-Point Protocol (PPP)

The recommended choice for a secure connection with ISDN routers is PPP. Several other options are available that include a simulated serial connection using HDLC. When you are troubleshooting, PPP provides additional information regarding the connection, including the protocol type. This rarely presents itself in a manner that is usable to administrators, however. Rather, an understanding of the protocol and its capability to provide useful functions, including CHAP, is more often helpful to administrators. Note that the PPP protocol is the same for analog or ISDN connections, so the configuration of PPP on a workstation using an analog modem requires PPP encapsulation on the ISDN host router. PPP also supports compression.

When using the debug ppp command, the output provides information about PPP. PPP contains a Protocol field in the output, which can be used to identify the upper-layer information included in the datagram. Table 12.1 lists the protocol values.

Table 12.1. PPP Protocol Field Values