Полезная информация

cc/td/doc/product/software/ios120/12supdoc
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

IP, IPX, and AppleTalk Dial-Up Environments

IP, IPX, and AppleTalk Dial-Up Environments

Remote node users are telecommuters and mobile users who need to dial in to a network from their PC or Macintosh computer, through an access server in to IP, IPX, or AppleTalk networks to access network resources. This chapter describes the following scenarios:


Note This guide does not describe how to configure SLIP. For more information about SLIP, refer to the Dial Solutions Configuration Guide. For popular configuration tips gathered by Cisco's Technical Assistance Center (TAC), go to the "Sample Configurations" home page at http://www.cisco.com/warp/public/700/tech_configs.html.

Each configuration in this chapter builds on preceding configurations from previous chapters. It presents the whole configuration required to enable dial-in and configure security for each of the scenarios. Thus far, this guide has described how to configure the following on your access server:

When a remote PC or Macintosh computer dials in to a network, it is considered a "node" on the LAN to which it is connecting. This is the case for each dial-in session, whether the device dialing in is a PC, Macintosh, or other computer. The IP address of a PC, for example, is selected from those available on the subnet assigned to the network that the PC is connecting to. In Figure 5-1, for example, the telecommuter's Macintosh is a node in the AppleTalk network 2500 in the zone Mac-dialup, and is treated like a local host.


Figure 5-1: Remote Macintosh as a Node on the Local Network


In router-to-router configurations (such as between a remote and central office), the remote device (PC or Macintosh computer) is not considered a node on the LAN that it is dialing in to. That is, the remote computer is on a different LAN and has an IP address that is not chosen from those available on the local network. These configurations are typically more complex and require use of the dial-on-demand routing (DDR) facility in the Cisco IOS software. For more information, refer to the chapter "Routing across Modem Lines" later in this guide.

Configuring Point-to-Point Protocol (PPP) Access

This section describes how to configure your access server to accept calls into IP and IPX networks from clients (PCs) using PPP to access resources such as file servers and printers. It also describes how to allow Macintosh or PC clients running a PPP application to dial in to an AppleTalk network.

Specifically, this section describes the following:

Accessing IP Resources

This section describes how to configure the access server to accept calls in to an IP network so that clients (remote PC computers) can access IP resources, such as a Windows NT server. It describes first the access server configuration, then presents some basic configuration information for the dial-in client. Figure 5-2 shows a typical dial-in scenario.


Figure 5-2: PC Dialing In to Access IP Network Resources


In Figure 5-2, a remote telecommuter dialing through the access server uses the Windows 95 client to access the Windows NT server. The client is considered a node on the same network as the NT server.

Enabling IP Network Protocol Support

To dial in to an IP network by using PPP, you first need to enable the network protocol support. IP routing is enabled by default in the Cisco IOS software. However, if you have a routing protocol running on the LAN to which the access server provides access, you must specify this protocol in the access server's configuration, as well. This guide and the following procedure assume you are configuring OSPF routing. If so, perform the following steps to enable IP network support:


Note If you are using a routing protocol other than OSPF, refer to the Network Protocols Configuration Guide, Part  1 in the Cisco IOS configuration guides and command references documentation.

Step 1 Enter privileged EXEC and global configuration mode on the access server named 2511.

Step 2 If you haven't done so already, specify the IP address of the Ethernet interface on the access server. This should be a valid, unique, and unused IP address for a subnet on a connected LAN.

Step 3 Enable OSPF routing (assuming a routing process is given the number 101):

Step 4 Define the IP address of the Ethernet interface on which OSPF runs and define the area ID for that interface:

Step 5 Configure an OSPF network type of point-to-multipoint on the Ethernet interface  0 on the access server:

Step 6 Identify the IP domain name and IP name server on the LAN segment:

To configure IGRP instead of OSPF routing, issue the router igrp process-id global configuration command, then associate the network with the IGRP process ID by issuing the network address router configuration command. For example, you enter the following commands to configure IGRP routing:

2511(config-if)# router igrp 101
2511(config-router)# network 172.16.42.0 

You can also configure a number of other routing protocols with IP, including RIP, IS-IS, BGP, EGP, GDP, IRDP, and IP multicast routing. For more information about configuring any of these routing protocols, refer to the Network Protocols Configuration Guide, Part  1 in the Cisco IOS documentation.

Configuring PPP Encapsulation

To enable IP dial-in, configure PPP encapsulation on asynchronous interfaces, as follows:

Step 1 To conserve IP addresses, configure the asynchronous interfaces as unnumbered and assign the IP address of the Ethernet interface to them:

Step 2 Specify PPP encapsulation on asynchronous interfaces to which you will allow PPP connections:

Step 3 Enable interactive mode on asynchronous interfaces:

Step 4 Configure lines on the access server to detect incoming PPP packets and permit a PPP client to connect to the network automatically. The following example shows lines 1 to 8 on an access server being configured to autoselect incoming PPP packets:


Note You do not need to configure autoselect for incoming PPP packets. You can issue the async  mode  dedicated command in place of the async  mode  interactive command. If you use dedicated asynchronous mode on a set of interfaces, users are not automatically connected to the network. Rather, they are connected to the EXEC facility on the access server, and then they must issue the ppp command to connect to network resources. For more information, refer to the Dial Solutions Configuration Guide in the Cisco IOS documentation.

Assigning IP Addresses to Dial-In Clients

This section describes the methods you can use to assign IP addresses to dial-in clients. The methods are as follows:

This is the simplest mechanism for assigning IP addresses to dial-in clients and is most useful when there is only one access server providing access to the network. A set of IP addresses is defined in a database that exists inside the access server. If there is more than one access server providing access to the network, you should refer to method 2.
This is the next most convenient method, and is most useful for a medium to large-size pool of dial-in clients. A pool of IP addresses is defined inside of a centralized IP address server, called a Dynamic Host Configuration Protocol (DHCP) server. This central database can serve addresses to several different access servers at the same time. Although this method provides long-term flexibility, it requires that you configure a third-party host (such as a UNIX computer) as a DHCP server.
This is the least efficient most time-consuming method of assigning IP addresses to clients. As clients are added, removed, and moved in the network, IP addresses must be reassigned.
Method 1: Obtain Addresses from a Pool Configured in the Access Server

To configure the address pool locally on the access server, perform the following steps:

Step 1 Create a local IP address pooling mechanism in the access server:

Step 2 Assign a pool of specific IP addresses in a pool (addresses 172.16.80.0 through 172.16.80.16 in pool1):

The address pool named pool1 is applied automatically to each asynchronous interface configured for point-to-point access, so you do not have to apply it manually. If you need to apply this pool manually to asynchronous interfaces, issue the peer default ip-address pool pool1 interface configuration command.

For a comprehensive configuration example of PPP dial-in to an IP network, refer to the section "Dial-In Configuration Examples" later in this chapter.

Method 2: Obtain Addresses from a Pool Configured in a DHCP Server

To configure the access server to obtain IP addresses from a DHCP server, perform the following steps:

Step 1 Configure asynchronous interfaces on an access server to assign IP addresses to dial-in clients from a DHCP server (in this example, a group async interface is configured):

Step 2 Configure the Cisco IOS software to query a DHCP server for IP addresses that can be supplied to IP clients as they dial in:

You also must configure the client software on client PCs to obtain IP addresses from a DHCP server. Refer to the documentation that accompanied the PC client software for more information about configuring IP addressing options.

For a comprehensive configuration example for PPP dialing to an IP network, refer to the section "Dial-In Configuration Examples" later in this chapter.

Method 3: Assign Static IP Addresses to Each PC

To configure the access server to statically define IP addresses to each client dialing in to the network, enter interface configuration mode and issue the peer default ip address address command, as shown in the following example:

2511(config)# interface async 1
2511(config-if)# peer default ip-address 172.16.42.26 

Note To prevent duplicate IP addresses from being assigned on two or more interfaces, you cannot assign a static IP address to a group asynchronous interface. A single IP address on a group asynchronous interface permits assignment of the same address to more than one dial-in client. For the same reason, this command also cannot be applied to dialer rotary groups or to ISDN interfaces.

The IP address you assign must be the same as the address specified on the remote dial-in client. Refer to the documentation that accompanied the PC client software for more information about configuring IP addressing options.

For a comprehensive configuration example for PPP dialing to an IP network, refer to the section "Dial-In Configuration Examples" later in this chapter.

Configuring Other IP Dial-in Parameters

Though optional, you generally identify the IP domain name and IP name server on the LAN segment, as shown in the following example:

2511(config)# ip domain-name eapp.com
2511(config)# ip name-server charlatan

Table 5-1 lists other parameters that are often useful for administrators configuring IP dial-in using PPP.


Table 5-1: Additional PPP Dial-in Parameters
Command Purpose

ip tcp header-compression passive (interface configuration command)

Instructs the access server port to perform compression of TCP headers if requested by the client.

asynchronous dynamic address (interface configuration command)

(IP only.) Enables the client to select an IP address dynamically when dialing in.

Caution If you have configured network protocol support, PPP encapsulation, and an IP addressing method, IP clients can dial in to your network. Ensure that you configure security, as described in the chapter "Security Configuration" in this guide. Also, the configuration examples at the end of this chapter show IP configuration examples with security.

Configuring NetBIOS over TCP

To enable clients running NetBIOS over TCP to dial in to IP network resources, perform the following tasks on the access server:

Step 1 Specify a hostname or IP address of your Wins server on the network:

Step 2 If you have one or more domain name servers on the network, specify a host name or IP address of that domain name server:

Make sure you have the following in your NetBIOS network:

For more information about configuring your Windows NT environment, refer to your Microsoft documentation or online resource, such as the World-Wide Web page "Microsoft TechNet" at the following URL: http://www.microsoft.com/TechNet/.

Enabling PPP Clients to Dial In and Access AppleTalk Resources

To enable PPP clients using PPP applications to access AppleTalk resources on a network, first perform the following tasks, as described in the earlier section "Accessing IP Resources."


Note AppleTalk routing is not supported on asynchronous interfaces configured for PPP that allow IP clients to access AppleTalk resources.

Next, perform the following steps:

Step 1 Create an internal network on the access server by issuing the appletalk virtual-net command. The internal network number and zone name also can be used for dial-in using ARA (but do not need to be the same).

Step 2 Enable AppleTalk client mode on asynchronous interfaces configured for PPP dial-in. The following example shows client mode configured on a group asynchronous interface.

At this point, PPP clients can dial in to a network and access AppleTalk resources, such as AppleShare servers and printers.

Accessing IPX Resources

This section describes how to configure the access server to accept calls in to an IPX network so that clients can access IPX resources, such as a Novell IPX server. It describes first the access server configuration, then presents some basic configuration information for the dial-in client. Figure 5-3 shows a typical dial-in scenario.


Figure 5-3: PC Dialing In to Access IPX Network Resources


In Figure 5-3, a remote telecommuter dialing through the access server uses the Novell IPX client to access the Novell IPX server. The client is a node on the same network as the IPX server.

Enabling IPX Network Protocol Support

For PPP dialing to an IPX network, you must first enable network protocol support. This includes enabling IPX routing on the access server. If the dial-in client will be a routing client, you also must specify the routing protocol running on the LAN to which the access server provides access. To enable IPX network protocol support, perform the following steps:

Step 1 Enable IPX routing on the access server.


Note In the preceding step, the MAC address (0060.3ef1.6f74) is added automatically, based on the MAC address of the Ethernet interface on the access server. You only need to issue the ipx routing command if you want to assign a different MAC address. The MAC address is shown in the preceding step only for illustrative purposes.

Step 2 If you are configuring IPX only and not IP, configure the Ethernet interface  0 as IP  unnumbered.

However, if you are configuring IP and IPX on the interface, you must provide an IP address for Ethernet interface  0. This must be a valid, unique, and unused IP address for a subnet on a connected LAN.

Step 3 Set the IPX network number and encapsulation to match your existing network. The following example shows network 123ABCD and an encapsulation type of SAP:

Step 4 If the client connecting to the network is not performing routing, you do not have to enable a routing protocol and can skip to the next step. If the client connecting to the network is performing routing, configure a routing protocol. RIP routing is enabled by default. To specify a different routing protocol, such as Enhanced IGRP or NLSP, enter the ipx router command, followed by the name of the routing protocol.

The first example shows how to enable Enhanced IGRP routing with an autonomous system number of 1205. Enhanced IGRP is usually used in large networks.

The next example shows how to enable NLSP routing with an NLSP process tag of 210. An NLSP tag is optional if there is only one NLSP process. The process of configuring NLSP is somewhat complex and you must add NLSP servers to the network.

Creating a Loopback Interface for Novell IPX Network Numbers

If you allow remote clients to dial in to IPX network resources, you should create a loopback interface, which is a "virtual" interface existing only in the router. Assign a Novell IPX network number to this loopback interface, then assign this network number to each asynchronous interface. The alternative is to assign a unique Novell IPX network number to each asynchronous interface, which could consume hundreds of Novell IPX network numbers. This section assumes that nonrouting clients are dialing in to access IPX network resources.


Note Follow these steps only if you IPX clients are nonrouting clients. If they are routing clients, you must assign a unique IPX network number to each asynchronous interface and you cannot use group asynchronous interfaces, because there is no way to assign a unique IPX network number to each interface in a group.

Step 1 Create a loopback interface:

Step 2 Do not require an IP address on the Loopback interface  0:

Step 3 Assign a Novell IPX network number (in this case, 1F) to the loopback interface:

Configuring the Asynchronous Interfaces

This section assumes you are configuring group asynchronous interfaces.

After you configure IPX network support and a loopback interface, you then configure the asynchronous interfaces for PPP and assign the Novell IPX network number of the loopback interface to the asynchronous interface. You can also enable interactive mode on the interfaces.

Step 1 Assign the IP address of the Ethernet interface to a single master or each asynchronous interface:

Step 2 Specify PPP encapsulation on asynchronous interfaces to which you need to allow PPP connections:

Step 3 Assign the Novell IPX network number of the loopback interface to the group asynchronous interface.

Step 4 (Optional) Filter SAP routing updates on asynchronous interfaces. SAP updates take up a great deal of bandwidth, and asynchronous interfaces have low bandwidth.

Step 5 Enable interactive mode. Interactive mode enables you to support services other than PPP (such as EXEC sessions, SLIP, or ARA).

IPX Client Addressing

The Cisco IOS software assumes that all PCs dialing in have their own unique IPX address and that they send this address to the access server.

Configuring Other IPX Dial-in Parameters

For additional parameters that enable PPP dial-in to IPX networks, refer to Table 5-1.


Note At this point, IPX clients can dial in to your network. Ensure that you configure security, as described in the chapter "Security Configuration" in this guide. The configuration examples at the end of this chapter show IPX configuration examples with basic security.

Setting up Windows 95 on the Remote PC Side of the Connection

This section describes how to install and configure Windows 95 client software to dial in to and access network resources through a Cisco access server.

If you need information about configuring the CiscoRemote client software, you can receive a fax-back document from the Cisco Technical Assistance Center at 800 553-2447 or 408 526-7209 or call directly into the fax-on-demand service at 415 596-4408.

You can use virtually any other dial-in client applications to dial in to a network through access servers.

This configuration procedure is intended only as a starting point. The configuration requirements can change without warning because Cisco does not control the design and development efforts of other companies. This configuration information is only one of many ways of configuring a Win95 client application for dial-in using PPP. To set up the built-in PPP application in Win95 so that you can access the ISP's IP or NetBEUI network resources, perform the following steps:

Step 1 Double-click on the My Computer icon located either in your Applications window or on the desktop.

The My Computer window appears.

Step 2 If you are making a connection for the first time, double-click on the Make a New Connection icon. If you have already configured your connection profiles, additional icons exist in this window and you can double-click on them to use them.

Step 3 Give the connection session a name, such as MyConnection.

Step 4 Select the type of modem connected to your PC (or built in to the PC) from the list of modems.

Step 5 When the dialog box appears, click on the Configure button.

The General, Connection, and Options folders appear stacked on top of one another. You can select each tab to configure the appropriate parameters.

Step 6 Select the Connection tab. In the Connection folder, set data bits to 8, parity to No, and stop bits to 1, then click Apply.

The Advanced Connection Settings window appears.

Step 7 Modems usually perform all the data compress you'll ever need. However, if you have a very old modem, you should Select Data Compression and Hardware flow control and click OK.

Step 8 Select the Options tab. In the Options folder, select "Bring up terminal window after dialing" and click on the Next button.

The option "Bring up terminal window after dialing" means that when you dial in, the access server prompts you for your username and password, then logs you in to the EXEC facility.

A new dialog box appears that indicates you have finished configuring a dialup profile and the Myconnection connectoid appears.

Step 9 Click on the Next button.

Step 10 In the Phone Number field, enter the phone number, area code, and country of the access server you intend to dial and press Return.

You have configured preliminary parameters to enable the Win95 client to dial in to an access server. At this point, you need to define additional properties.

Step 1 Select the dialup profile connectoid, then click with the right mouse button, and pull down the menu. Select Properties.

Step 2 In the Properties dialog box, select Server_Type.

The ServerTypes dialog box appears, as shown in Figure 5-4.


Figure 5-4: Windows 95 Server Types Dialog Box


Step 3 Select PPP Windows 95 Windows NT 3.5 Internet.

Step 4 In the Allowed Network Protocols area of the dialog box, select TCP/IP if you intend to function as an IP client to access IP network resources.

Step 5 Select the TCP/IP Settings pull-down menu at the bottom right corner of the dialog box.

Step 6 Select Server assigned IP and Name server addresses if you are getting your addresses from a server. Otherwise, enter an IP address.

Step 7 Select Use default gateway on remote network. Click Apply. Select IP compression if you also intend to enable header compression of IP packets on the access server, which is enabled with the ip tcp header-compression passive interface configuration command.

Step 8 Go to the Control Panel and select Internet.

Step 9 Check the AutoDial checkbox if your PPP connection is the only modem or ISDN connection to the Internet. Uncheck this box if you have more than one outgoing connection.

Step 10 Select MyConnection and click on the Apply button.

When you start an application that requires network access, you are prompted for a username and password. This username and password must match the username and password on the access server. When you select Connect, the client dials the number you entered. In a status box, you can see the information dialing, verifying username/password, and the dial-in application should run without problems. Figure 5-5 shows a successful connection:


Figure 5-5: Windows 95 Connection Status Box


Configuring AppleTalk Remote Access (ARA) for Macintosh Access

This section describes how to configure the access server to accept calls in to an AppleTalk network so that clients can access AppleTalk resources, such as an AppleShare server, a colleague's Macintosh to retrieve files, or a printer. For information about configuring the ARA client, you can receive a fax-back document from Cisco's Technical Assistance Center at 800 553-2447 or 408 526-7209 or call directly into the fax-on-demand service at 415 596-4408.

For information about configuring the access server to enable IP clients to access AppleTalk resources, refer to the later section "Enabling PPP Clients to Dial In and Access AppleTalk Resources." Figure 5-6 shows a typical dial in scenario.


Figure 5-6: Macintosh Dialing In to Access AppleTalk Network Resources


Figure 5-6 shows a Macintosh with ARA 2.0 dialing in to a corporate network through an access server. The Macintosh client is a node on network 2500 in zone Mac-dialup.

After connecting to a corporate network with ARA, clients can also launch applications that enable them to communicate with IP devices, such as UNIX servers, although you must have configured a MacIP server on the network first.

Enabling Macintosh Users to Dial In and Access AppleTalk Resources

The following configuration provides a range of 16 IP addresses, which can be assigned to each of the dial-in remote nodes. The MacIP server resides in the same zone and IP subnet it is providing IP addresses for. This is highly recommended for a gateway server of this kind. The IP address under interface Ethernet 0 strengthens the correlation of subnet to server.

To enable ARA dial in on the access server, perform the following steps:

Step 1 Enable AppleTalk Routing.

Step 2 Create a new internal AppleTalk network in the access server. In the following example, the network number is 2500 and the zone name is Mac-dialup.


Note The nonextended AppleTalk network number used with the arap network command must be unique within the AppleTalk intranetwork.

Step 3 Bring up the interface Ethernet  0, assign it an IP address, and configure a cable range. In this example, the cable range is 110 to 110.

Step 4 Create an AppleTalk zone on the Ethernet interface  0. In the following example, the zone is given the name Corporate.

Step 5 Enter line configuration mode for the lines on which you need to allow ARA clients to dial in and enable ARA. The following example shows lines 1  through  16 being configured for ARA dial in (these are the physical asynchronous TTY lines) and disables guest access to the AppleTalk network.

Step 6 Configure an AppleTalk zone for ARA dial-in sessions. (In Step 4, the zone that was created was Corporate. This example uses the same zone.)

Step 7 Allocate IP addresses for Macintosh users if you are using dynamic addressing

Table 5-2 lists other useful dial-in parameters for ARA.


Table 5-2: Additional ARA Dial-In Parameters
Command Purpose

arap dedicated

Makes the line only available for ARA dial-in access. Do not issue this command if you are also allowing PPP users to dial in through the line or if you issue the autoselect ppp command on the line.

arap timelimit minutes

Sets a time limit on dial-in sessions. This prevents clients from staying connected indefinitely.

arap warningtime minutes

Sets the amount of time before which the connection is closed because of the arap timelimit command. A reasonable amount of time is 15 minutes.

Dial-In Configuration Examples

The configuration examples in this section show comprehensive configurations that enable remote clients to dial in to networks and access resources. The configurations in this section borrow information from the previous chapters and present each component (such as modem configuration and security) as a separate piece. Examples in this section include the following:

IP Dial-In Example

The following example configures an access server to enable a PC running a Windows 95 PPP application to dial in to an IP network. It also enables the Windows 95 client to access AppleTalk resources. The example starts with the modem configuration, then moves on to the security configuration, then the protocol configuration. This example assumes that you are using a local username database that is set up inside the access server for authentication.

Modem and Line Configuration

The following sample configures lines 1 through 16 on a Cisco  2511 access server for modem control. It assumes you have a Telebit T3000 modem or one that can be automatically initialized using the Telebit_3000 initialization string.

line 1 16
  speed 115200
  flowcontrol hardware
  modem inout
  modem autoconfigure Telebit_t3000
!
  autoselect during-login
  autoselect ppp
!
interface group-async 0
  group-range 1 16
Security Configuration

The following sample configuration uses a local authentication database inside the access server. It prevents unauthenticated login to all vty lines. It assumes dial-in users rely on autoselect and do not log in to the EXEC on the access server, but have immediate access to the network when their connection session begins. No security is configured on the console port, which is physically secure. This configuration uses defaults in most cases, except that it uses CHAP authentication for PPP instead of the default of PAP (because CHAP is more secure). It uses the username command to populate the local authentication database. The password that appears has been automatically encrypted automatically.

aaa new-model
aaa authentication login default local 
aaa authentication ppp default local 
enable secret 5 $1$h7dd$VTNs4.BAfQMUU0Lrvw6570
enable password cloudcity 
!
username hansolo password 7 095E470B1110
username leiaorga password 7 0215055500070C294D
username anakin password 7 032A5K39068R1935 
username jacen password 7 087X2G10385V8148 
username jaina password 7 075V3W50429L2943 
!
line vty 10 47 
  login authentication default
!
line 1 16
  arap authentication default 
!
interface Group-Async1
  ppp authentication chap default
  group-range 1 16
Protocol Configuration (Using a Local Pool of IP Addresses)

The following sample configuration enables an IP client to dial in to a network via an access server (with an IGRP routing process of 101) and be assigned an IP address from a locally defined pool (from 172.16.80.1 to 172.16.80.200). It also places all 16 asynchronous interfaces in a group interface and PPP encapsulation. IP clients (such as Windows 95 clients) dial in and automatically have a PPP session started (after the security dialog appears).

If you want to obtain IP addresses for dial-in clients from a Dynamic Host Configuration Protocol (DHCP) server, you must change the peer default ip address pool pool-1 command to peer default ip address dhcp. If you want to assign a static address to a remote client, you must change this command (for an address of 172.18.24.48, for example) to peer default ip address 172.18.24.48.

router igrp 101
  network 172.16.0.0
!
ip address-pool local
ip local pool pool-1 172.16.80.1 172.16.80.200
appletalk virtual-net 101 AT-zone
!
ethernet 0
  ip-address 172.16.42.24 255.255.255.0
!
group-async1
  ip unnumbered ethernet0
  encapsulation ppp
  async mode interactive
  peer default ip address pool pool-1
  ip tcp header-compression passive
  appletalk client-mode
  group-range 1 16
!
ip domain-name eapp.com
ip name-server charlatan

IPX Dial-in Example

The following configuration example enables a PC client running a PPP application to dial in to a network and access IPX resources. The modem attached to the access server is a Telebit T3000 modem. For security, the access server uses TACACS+ for lines and asynchronous interfaces and RADIUS for an ISDN interface (attached via an external ISDN terminal adaptor).

Modem and Line Configuration

The following sample configures lines 1 through 16 on a Cisco  2511 access server for modem control. It assumes you have a Telebit T  3000 modem.

line 1 16
  speed 115200
  flowcontrol hardware
  modem inout
  modem autoconfigure discovery
  modem autoconfigure type t_3000
!
  autoselect during-login
  autoselect ppp
!
Security Configuration

This configuration uses remote security. It uses TACACS+ security for lines and asynchronous interfaces, and RADIUS security for ISDN interfaces. This portion of the configuration only contains security commands. Modem and protocol configuration commands are presented in the sections "Modem and Line Configuration" and "Protocol Configuration."

aaa new-model
aaa authentication login default tacacs+ local 
aaa authentication con-special tacacs+ enable
aaa authentication ppp default if-needed tacacs+
aaa authentication ppp use-radius radius
!
enable secret 5 $1$Kv7T$yjdYBYi70X56gOpEtLj.Q.!
!
line 1 16
! Modem commands deleted
  autoselect ppp
  autoselect during-login
!
line con 0
  login authentication con-special
!
interface Group-Async1
  ip unnumbered ether 0
  encapsulation ppp
  async mode interactive
  ppp authentication chap pap default
  group range 1 16
! 
interface Group-Async2
  ip unnumbered ether 0
  encapsulation ppp
  async mode interactive
  ppp authentication chap use-radius
  group range 9 16
Protocol Configuration

The following sample configuration enables an IPX client to dial in to a network to access IPX resources (IPXCP). In this sample configuration, the IPX client connections are permitted on group asynchronous interface 8, which is associated with loopback interface 0. Loopback interface 0 is configured to run IPX. Routing updates have been filtered on all asynchronous interfaces.

ipx routing 0000.0c07.b509
!
loopback0
  no ip address
  ipx network 544
!
interface ethernet0
  ip address 172.21.14.64 255.255.255.0
  ipx network AC150E00
  ipx encapsulation SAP
!
interface group-async1 
  ip unnumbered ethernet0 
  encapsulation ppp
  async mode interactive 
  async default ip address 172.18.1.128
  ipx ppp-client loopback0
  ipx sap-interval 0
interface group-async2 
  ip unnumbered ethernet0 
  encapsulation ppp
  async mode interactive 
  async default ip address 172.18.1.128
  ipx ppp-client loopback0
  ipx sap-interval 0

ARA Example

The following example configures an access server to enable a Macintosh running ARA 2.0 to dial in to an AppleTalk network. It also permits IP clients to dial in and access AppleTalk resources. The example starts with the modem configuration, then moves on to the security configuration, then the protocol configuration. This example assumes you are using a local username database that is set up inside the access server for authentication.

Modem and Line Configuration

The following example configures lines 1 through 16 on a Cisco  2511 access server for modem control. It assumes you have a modem that uses an initialization string that corresponds to the Usr_sportster string that is used to configure a modem automatically.

line 1 16
  arap enable
  flowcontrol hardware
  modem inout
  modem autoconfigure Usr_sportster
  autoselect during-login
  autoselect arap
!
Security Configuration

The following example uses a TACACS+ security database. No security is configured on the console port, which is physically secure. This configuration uses default configuration parameters. ARA authentication permits guests to log in and access network resources.

aaa new-model
aaa authentication login default tacacs+ 
aaa authentication arap default guest tacacs+ 
enable secret 5 $17dd$VTNs4.BAfQMUU0Lrvw6570
!
line 1 16
  arap authentication default
  login authentication default
Protocol Configuration

The following example enables an ARA client to dial in with AppleTalk over PPP (ATCP). ARA clients dial in and automatically have an ARA session started (after the security dialog appears). In this example, IP is enabled on Ethernet interface  0 to allow basic IP connectivity.

appletalk routing 
arap network 108 dialin14
appletalk virtual-net 107 dialin14
!
ethernet 0
  ip-address 172.16.42.24 255.255.255.0
  appletalk cable-range 20-22
  appletalk zone marketing
!
line 1 16
  arap enable
  arap timelimit 180
  arap warningtime 15
  autoselect arap
  autoselect during-login 
!
ip domain-name eapp.com
ip name-server alices-diner
!
! the following commands enable IP clients to dial in and access AppleTalk resources
interface group-async1
  encapsulation ppp
  appletalk client-mode
  group-range 1 16

Combined IP-PPP, IPX-PPP, and ARA Example

The following configuration example enables remote clients to dial in to IP, IPX, AppleTalk networks and permits users to log in and connect to the EXEC facility.

Modem and Line Configuration

The following example configures lines 1 through 16 on a Cisco  2511 access server for modem control. It assumes lines 1 through 8 have Hayes Optima modems. (The Cisco IOS software can configure a Hayes Optima modem automatically.)

This configuration assumes that lines 9 through 16 have Practical Peripherals PC28800SA V.42bis modems. If you issue the modem autoconfigure discovery line configuration command, the Cisco  IOS software attempts to identify the modem string that initializes the Practical Peripherals modem. If it cannot find a string that automatically initializes the Practical Peripherals modems, you must initialize them manually, as specified in the following section, "Initializing the Practical Peripherals Modems."

In this example, the access server is configured to allow dial-in clients to launch ARA, PPP, or an EXEC session on lines 1 through 16.

version 11.2
!
hostname 2511
!
line 1 16
  modem autoconfigure type hayes_optima
  speed 115200
  flowcontrol hardware
  modem inout
  transport input all
  autoselect arap
  autoselect during-login
  autoselect ppp
  arap enabled
!
line con 0
  speed 9600
  flowcontrol software
Initializing the Practical Peripherals Modems

The following steps show how to initialize a Practical Peripherals modem to function with a Cisco  2509 access server.

Step 1 Connect with the modem, which is attached to asynchronous port 4. The IP address of the Ethernet interface is 172.18.2.24:

Step 2 Issue an at command to ensure the modem connection has been established:

Step 3 Configure the modem initialization string (the following is the string for a Practical Peripherals 28.8 modem):

Step 4 Store the modem settings in the modem NVRAM:

Step 5 Suspend and disconnect your Telnet session:

Security Configuration

This sample configuration uses a RADIUS security server for asynchronous interfaces and local authentication for lines, because ARA, which is configured on lines, does not support RADIUS authentication. The login authentication in this configuration works as follows:

This sample configuration only contains security commands. It does not contain modem or protocol configuration commands. For modem and line commands, refer to the "Modem and Line Configuration" section. For protocol configuration commands, refer to the "Protocol Configuration" section.

aaa new-model
aaa authentication login default radius local 
aaa authentication arap default auth-guest local
aaa authentication ppp default if-needed radius 
!
radius-server host 172.23.4.28
radius-server key s2imm3r
!
username pumba password 7 095E470B1110
username timone password 7 095E470B1110
username rafiki password 7 0215055500070C294D
username simba password 7 032A5K39068R1935 
username nala password 7 087X2G10385V8148 
username mufasa password 7 075V3W50429L2943 
username sarabi password 7 0215055500070C294D
enable secret 5 $1$Kv7T$yjdYBYi70X56gOpEtLj.Q.!
!
line 1 16
  arap authentication default
!
line con 0
  login authentication default 
!
interface Group-Async1
  ppp authentication chap default
  group range 1 8
!
interface Group-Async2
  ppp authentication pap default
  group range 9 16
Protocol Configuration

The following sample configuration enables remote clients to dial in and access IP, IPX, and AppleTalk resources. In this example, IP and IPX client connections are permitted on group asynchronous interface 1 to IP, IPX, and AppleTalk resources. The IPX network number of loopback interface 1 is assigned to the group asynchronous interface. Routing updates have been filtered on all asynchronous interfaces.

ARA has also been enabled on all lines. Macintosh clients can also dial in and access IP network resources.

ip domain-name cisco.com
ip name-server scar
ipx routing 0040.0d05.c601
ip address-pool local
!
appletalk routing
appletalk virtual-net 2000 Mac-dialup 
arap network 2500 Mac-dialup
!
async dns-server 172.16.80.34
async nbns-server 172.16.80.35
!
interface loopback0
  no ip address
  ipx network 544
  ipx sap-interval 0
!
interface ethernet0
  ip address 172.21.14.64 255.255.255.0
  appletalk cable-range 110-110
  appletalk zone corporate
  ip tcp header-compression passive 
  ipx network AC150E00
  ipx encapsulation SAP
!
interface group-async1
  ip unnumbered ethernet0 
  encapsulation ppp
  async mode interactive 
  appletalk client-mode
  peer default ip address pool singi
  ipx ppp-client loopback0
  netbios nbf
  group-range 1 8
!
interface group-async2
  ip unnumbered ethernet0 
  encapsulation ppp
  async mode interactive 
  peer default ip address pool bonsai
  ipx ppp-client loopback0
  group-range 9 16
!
ip local pool singi 172.16.80.1 172.16.80.16
ip local pool bonsai 172.16.80.17 172.16.80.32
!
ipx router rip
  no network 544
!
line 1 16 
  arap enable 
  autoselect arap 
  autoselect during-login 
  autoselect ppp 
  arap timelimit 240 
  arap warningtime 15 
! the following commands enable Macintosh clients to access IP network resources
appletalk macip server 172.21.14.64 zone corporate
appletalk macip dynamic 172.21.14.65 172.21.14.81 zone corporate


hometocprevnextglossaryfeedbacksearchhelp
Copyright 1989-1998 © Cisco Systems Inc.