Troubleshooting ISDN Misconfigurations


Configuring ISDN is fairly simple, and only a few commands are needed for the basic configuration. The process does, however, require some knowledge of how ISDN works, the different line protocols, and the proper placement of the equipment. To explain how to configure the ISDN router interfaces correctly, this section of the chapter takes a look at the following issues:

  • The Service Profile Identifier (SPID)

  • Challenge Handshake Authentication Protocol (CHAP)

  • Dialer mapping command

  • Access lists

  • Point-to-Point Protocol (PPP)

Service Profile Identifier

The phone-line identifier that is used in an analog phone environment is called a SPID (Service Profile ID). The SPID includes the actual seven-digit telephone number, including the area code and sometimes an extra few digits used by the service provider's switch. A SPID looks similar to this example:

80055515500100

The preceding example corresponds to the phone number 800-555-1550. The additional parameters, 0100, serve as an identifier for the local service provider's switch. If you don't have these numbers and you know the service has been connected, you may need to contact the local service provider to receive these numbers. The SPID can also contain a two-digit prefix prior to the number, such as 0180055575500100.

Caution: The SPID occasionally causes confusion because it isn't always necessary. When you configure the switch type, if you use Nortel DMS100 or National ISDN (basic-ni) switches, the SPID is required. If you are using Basic-5ess switches, the SPID may be optional. Your local service provider is the authority on this matter.


The ISDN SPID is a unique number that the local ISDN router must learn in order to successfully identify itself, but only in North America; the integration of the phone number into the SPID is usually only applicable in public telephone company ISDN installations. In a private ISDN network, the SPID can usually be any 10-digit or longer number.

Note: You must verify that the IP addresses and subnets assigned to the interfaces connecting the two sides of an ISDN link are in their own network and subnet, just as any other point-to-point WAN connection must be.


Challenge Handshake Authentication Protocol

CHAP (Challenge Handshake Authentication Protocol) provides ISDN with the capability to control access to each router by forcing the ISDN routers to use an authentication technique. This safeguard enables a business to be confident that implementing ISDN is a low security risk.

CHAP is used to require a username and encrypted password on all inbound connections. One of the most important items in troubleshooting CHAP is to verify that the CHAP-configured username and passwords match on both interfaces connecting the ISDN routers. One advantage Cisco has over other ISDN routers is the ability to support Microsoft CHAP (MS-CHAP), which was implemented in version 12 of the Cisco IOS, and the Password Authentication Protocol (PAP), which is an earlier version of CHAP.

Exam alert: Your knowledge of PPP and CHAP is tested extensively when taking this certification exam.


To use CHAP authentication, you must enable PPP by using the encapsulation ppp command and assigning an authentication method, as follows:

 Seans804(config-if)# ppp auth ?
   chap     Challenge Handshake Authentication Protocol(CHAP)
   ms-chap  Microsoft Challenge Handshake Authentication Protocol(MS-CHAP)
   pap      Password Authentication Protocol (PAP)

If you suspect a password might be the problem in authenticating, the best way to confirm this is by using the debug ppp authentication command. The following output shows the error you will receive when the authentication fails due to an incorrect password configuration:

 Seans804# debug ppp authentication
 PPP authentication debugging is on
 Seans804#ping 207.212.78.107
 Type escape sequence to abort.
 04:02:36: BR0:1 PPP: Phase is AUTHENTICATING, by both
 04:02:36: BR0:1 CHAP: O CHALLENGE id 7 len 27 from "Seans804"
 04:02:36: BR0:1 CHAP: I CHALLENGE id 7 len 24 from "Seans804"
 04:02:36: BR0:1 CHAP: O RESPONSE id 7 len 27 from "Seans804"
 04:02:36: BR0:1 CHAP: I FAILURE id 7 len 25 msg is "MD/DES compare failed"
 04:02:36: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from
           18005551559, call lasted 1 seconds
 04:02:38: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
 04:02:38: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up.
 04:02:38: BR0:1 PPP: Treating connection as a callout
 04:02:38: BR0:1 PPP: Phase is AUTHENTICATING, by both
 04:02:38: BR0:1 CHAP: O CHALLENGE id 8 len 27 from "Seans804"
 04:02:38: BR0:1 CHAP: I CHALLENGE id 8 len 24 from "Seans804"
 04:02:38: BR0:1 CHAP: O RESPONSE id 8 len 27 from "Seans804"
 04:02:38: BR0:1 CHAP: I FAILURE id 8 len 25 msg is "MD/DES compare failed"

As this output demonstrates, CHAP performs authentication by sending authentication packets that consist of an 8-bit Code field, an 8-bit Identifier field, a 16-bit Length field, and a Data field, which can vary in length. The Code field identifies the type of CHAP packet being sent, which may be any of the following four types:

  • Challenge (Type 1)

  • Response (Type 2)

  • Success (Type 3)

  • Failure (Type 4)

The following is the CHAP authentication process between the DCS1804 router and the DCS2804 router:

  1. DCS1804 (Challenge) sends a Challenge packet to the DCS2804 (remote ISDN router).

  2. The DCS2804 copies the identifier information into a new packet. It then sends a Response packet along with the hashed value, a value calculated from the encrypted password.

  3. The DCS1804 receives the Response packet and checks the hashed value against its own hashed value. If both hashed values match, DCS1804 sends a Success packet back. Otherwise, it sends a Failure packet back to DCS2804.
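The three steps above can be traced in code. The following is an added example, not code from the book or from Cisco IOS: it builds and parses the Code/Identifier/Length/Data layout and computes the hashed value as RFC 1994 defines it, MD5 over the Identifier, the shared secret, and the challenge value. The function names are hypothetical, the router names come from the steps above, and the Failure message string is copied from the debug output shown earlier.

```python
import hashlib, hmac, os, struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4

def build(code, ident, data):
    # 8-bit Code, 8-bit Identifier, 16-bit Length (header included), then Data
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def parse(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 4 <= length <= len(packet):
        raise ValueError("bad CHAP Length field")
    return code, ident, packet[4:length]

def value_and_name(data):
    # Challenge/Response Data: Value-Size octet, Value, then the sender's Name
    if not data or not 0 < data[0] < len(data):
        raise ValueError("bad Value-Size")
    return data[1:1 + data[0]], data[1 + data[0]:].decode()

def chap_hash(ident, secret, value):
    # RFC 1994: MD5 over Identifier || shared secret || Challenge Value
    return hashlib.md5(bytes([ident]) + secret + value).digest()

def challenge_packet(ident, name, value):
    return build(CHALLENGE, ident, bytes([len(value)]) + value + name.encode())

def respond(packet, name, secret):
    # Step 2: copy the Identifier and answer with the hashed value
    code, ident, data = parse(packet)
    if code != CHALLENGE:
        raise ValueError("not a Challenge")
    digest = chap_hash(ident, secret, value_and_name(data)[0])
    return build(RESPONSE, ident, bytes([len(digest)]) + digest + name.encode())

def verify(packet, ident, value, secrets):
    # Step 3: recompute the hash from the local secret for the claimed Name
    code, rid, data = parse(packet)
    digest, name = value_and_name(data)
    secret = secrets.get(name)
    ok = (code == RESPONSE and rid == ident and secret is not None
          and hmac.compare_digest(digest, chap_hash(ident, secret, value)))
    return build(SUCCESS if ok else FAILURE, ident,
                 b"" if ok else b"MD/DES compare failed")

def handshake(peer_secret, local_secret, ident=7):
    value = os.urandom(16)  # fresh challenge value for every attempt
    chal = challenge_packet(ident, "DCS1804", value)    # step 1
    resp = respond(chal, "DCS2804", peer_secret)        # step 2
    return verify(resp, ident, value, {"DCS2804": local_secret})  # step 3
```

With mismatched secrets the Failure packet is 25 bytes long (4 header bytes plus the 21-character message), which is the `len 25` reported on the `I FAILURE` lines in the debug output.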

Configuring CHAP authentication is a straightforward process. Here is an example of configuring an ISDN router with a username, password, and PPP CHAP authentication:

 Seans804# config t
 Seans804(config)# username Sean password cisco
 Seans804(config)# interface bri0
 Seans804(config-if)# encapsulation ppp
 Seans804(config-if)# ppp authentication chap

The dialer map Command

The dialer map command permits the ISDN router to dial an associated number when data that is destined for the next-hop interface is received. When data is received for the identified protocol on the other side of the ISDN line, this command instructs the ISDN router which number to call.

When using this command, you must make sure that the dialer map entries contain valid IP addresses and phone numbers, and that a dialer map statement exists for each protocol in the network. The following output walks you through using the dialer map command for the IP protocol:

 Seans804(config)# int bri0
 Seans804(config-if)# dialer map ?
   bridge    Bridging
   clns      ISO CLNS
   ip        IP
   ip        IP
   ipx       Novell IPX
   llc2      LLC2
   netbios   NETBIOS
   snapshot  Snapshot routing support
 Seans804(config-if)#dialer map ip ?
   A.B.C.D  Protocol specific address
 Seans804(config-if)#dialer map ip 172.16.1.1 ?
   WORD           Dialer string
   broadcast      Broadcasts should be forwarded to this address
   class          dialer map class
   modem-script   Specify regular expression to select modem dialing script
   name           Map to a host
   spc            Semi Permanent Connections
   speed          Set dialer speed
   system-script  Specify regular expression to select system dialing script
 Sean804(config-if)# dialer map ip 207.212.78.107 18005551001
 Sean804(config-if)#

The following example demonstrates the BRI0 interface using the show running-config command:

 interface BRI0
  ip address 207.212.78.107 255.255.255.0
  no ip directed-broadcast
  no ip route-cache
  no ip mroute-cache
  dialer idle-timeout 100000
  dialer wait-for-carrier-time 120
  dialer map ip 172.16.1.1 18005551001
  dialer load-threshold 128 either
  dialer-group 1
  isdn switch-type basic-ni
  isdn spid1 5551001401
 !

The above shows the BRI0 interface configuration. It shows all the dialer settings, as well as the SPID used to dial the ISDN router on the other side of the link.

Access Lists

Access lists are used with ISDN connections to keep certain types of traffic from being sent across the ISDN link and causing the ISDN router to make an unnecessary connection. Using the rule that the more calls you make, the more you pay, access lists save money. Some services offer Centrex ISDN and other options that circumvent higher costs. Centrex ISDN is typically billed by the megabyte sent instead of by the minute or hour that the ISDN connection is used. Still, if you need a constant connection (more than 40 hours per month), Frame Relay, DSL, and many other permanent virtual connection (PVC) technologies are available with the same or greater bandwidth at a much lower cost.

The following example shows a configured access list that is applied to an interface with the dialer-group command. The access list, shown here in show running-config output, permits all IP traffic with the exception of HTTP, which uses port 80.

 interface BRI0
  ip address 172.16.1.2 255.255.255.0
  no ip directed-broadcast
  no ip route-cache
  no ip mroute-cache
  dialer idle-timeout 100000
  dialer wait-for-carrier-time 120
  dialer map ip 172.16.1.1 18008358664
  dialer map ip 172.16.1.1 18005551002
  dialer load-threshold 128 either
  dialer-group 1
  isdn switch-type basic-ni
  isdn switch-type basic-ni
 !
 router rip
  redistribute static
  network 63.0.0.0
  network 172.16.0.0
 !
 ip classless
 ip route 0.0.0.0 0.0.0.0 172.16.1.1
 ip route 63.78.39.0 255.255.255.0 172.16.1.1
 !
 access-list 155 deny tcp any any eq 80
 access-list 155 permit ip any any
 dialer-list 1 protocol ip list 155
 !
 line con 0
  transport input none
  stopbits 1
 line vty 0 4
  password sean
  login
 !

The bolded lines in the preceding code sample show the access list that is used to decide what is interesting traffic. The access list shows that every IP packet is considered interesting traffic except for Web-based traffic on port 80.
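The interesting-traffic decision described above can be checked offline before a list is applied. The following is an added example, not part of the book or of IOS: a small evaluator, with hypothetical function names, that loads the access-list 155 and dialer-list 1 lines from the preceding configuration and applies first-match evaluation with the implicit deny at the end. It assumes entries of the form "any any" with an optional "eq" port, which is all this configuration uses.

```python
import re

# Constructed input: the access-list and dialer-list lines from the configuration above.
CONFIG = """\
access-list 155 deny tcp any any eq 80
access-list 155 permit ip any any
dialer-list 1 protocol ip list 155
"""

ACE = re.compile(r"access-list (\d+) (permit|deny) (\w+) any any(?: eq (\d+))?$")
DLIST = re.compile(r"dialer-list (\d+) protocol ip list (\d+)$")

def load(config):
    """Return ({acl number: [entries in order]}, {dialer-list number: acl number})."""
    acls, dialer_lists = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACE.match(line):
            num, action, proto, port = m.groups()
            entry = (action, proto, int(port) if port else None)
            acls.setdefault(int(num), []).append(entry)
        elif m := DLIST.match(line):
            dialer_lists[int(m.group(1))] = int(m.group(2))
    return acls, dialer_lists

def is_interesting(acls, dialer_lists, group, proto, dst_port=None):
    """First matching entry wins; if nothing matches, the implicit deny applies."""
    for action, ace_proto, ace_port in acls.get(dialer_lists[group], []):
        if ace_proto not in ("ip", proto):
            continue  # entry is for a different protocol
        if ace_port is not None and ace_port != dst_port:
            continue  # entry is limited to another destination port
        return action == "permit"
    return False
```

Entry order matters: if the permit ip any any line came first, port 80 traffic would match it and be treated as interesting before the deny was ever reached.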

Point-To-Point Protocol (PPP)

The recommended choice for a secure connection with ISDN routers is PPP. Several other options are available that include a simulated serial connection using HDLC. When you are troubleshooting, PPP provides additional information regarding the connection, including the protocol type. This rarely presents itself in a manner that is usable to administrators, however. Rather, an understanding of the protocol and its capability to provide useful functions, including CHAP, is more often helpful to administrators. Note that the PPP protocol is the same for analog or ISDN connections, so the configuration of PPP on a workstation using an analog modem requires PPP encapsulation on the ISDN host router. PPP also supports compression.

The output of the debug ppp command provides information about PPP. This output includes a Protocol field, which can be used to identify the upper-layer information included in the datagram. Table 12.1 lists the protocol values.

Table 12.1. PPP Protocol Field Values

 Hex Value   Protocol
 ---------   ---------------------------------------
 0021        IP
 0029        AppleTalk
 002B        IPX
 003D        MultiLink
 0201        802.1d Hello Packets
 0203        Source Route Bridge Protocol Data Units
 8021        IPCP
 8029        ATCP
 802B        IPXCP
 C223        CHAP
 C023        PAP



CCNP CIT Exam Cram 2 (642-831)
ISBN: 0789730219
Year: 2003
Pages: 213
Authors: Sean Odom